Re: [c-nsp] 7600 ES card and module

2009-11-18 Thread Dmitry Valdov

Hello,

On Tue, 17 Nov 2009, nm...@guesswho.com wrote:


Does anybody have good/bad experience with a 7600-ES20-10G3CXL in a 7606 with 
720-3bxl?


We have 2 routers in this configuration. The only difference is that the chassis
are 7609.
We're running MPLS/VPLS with ES20 cards without any problem for more than a
year.
Why do you need such smart and expensive cards to connect to another
provider? What functionality do you need?



Also I am trying to figure out if the XFP-10GLR-OC192SR module will work with 
this.  Am I reading this correctly that this module is supported for both POS 
and regular 10G Ethernet?


Seems like that. I've never used it in POS mode, but in Eth mode
it works well with ES20 cards.



--
Dmitry Valdov
CCIE #15379 (RS and SP)
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] FABRIC-3-ERR_HANDLE

2009-11-18 Thread Eninja
'Exec-on' commands are sent via IPC over the switch fabric and  
'attach' sessions go over the mbus.


Eninja



On Nov 17, 2009, at 8:02 PM, Aaron dudep...@gmail.com wrote:


So, what is the difference in output from doing exec-on vs attach?
You are still connecting via the same method.

On Mon, Nov 16, 2009 at 14:07, e ninja eni...@gmail.com wrote:
Antonio,

You should *never* troubleshoot fabric errors with *any* exec-on  
commands.

They run over the fabric that may or may not be compromised.

  1. Are any other LCs apart from slot 6 reporting CRC errors?
  2. grab two sh contr fia from the RP and an attach to all the  
LCs and

  send over.

Eninja


On Mon, Nov 16, 2009 at 4:15 AM, Antonio Soares  
amsoa...@netcabo.pt wrote:


 Hello group,

 I have a 12k reporting this:

 %FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error  
from slot 6


 In one week, I have 4 of these messages.

 Slot 6 is a SIP-601 containing 2 x SPA-10G.

 What could be the problem ?

 The show controllers fia do not show any problem.

 The execute-on slot 6 show controllers fia show this:

 Switch cards present: 0x1F
 Switch cards monitored: 0x1F
  0  1  2  3  4
               
 los0  0  0  0  0
 state  OffOffOffOffOff
 crc16  53989  0  0  0  0
 xor error0  0  0  0
 cell drops1020   1020   1020   1020


 IOS=c12kprp-p-mz.120-32.SY6.bin


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS)
 amsoa...@netcabo.pt



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SXI(3) code status?

2009-11-18 Thread andrew
Here is some BAD on SXI3 ...

with redundant supervisor, SSH breaks upon supervisor switchover.

-andrew

On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater jf...@princeton.edu wrote:
 The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It did
 however work in SXI, which we are running now.

 The other flavors are not supported.

 Jeff

 On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:

 Release 12.2(33)SXH and later releases do not support the following hardware:

 These Ethernet Switching Modules:

 –WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ

 –WS-X6248A-TEL 48-port 10/100TX RJ-21

 –WS-X6248-RJ-45 48-port 10/100TX RJ-45

 –WS-X6248-TEL 48-port 10/100TX RJ-21

 –WS-X6324-100FX-SM 24-port 100FX Ethernet

 –WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ

 –WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45

 –WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ

       Now, the caveat is that they did not actually remove the hardware 
 support for some of these until SXI1, so while the release notes say one 
 thing, the actual support varies.

 You will see something like this in 'show power':
 4    WS-X6248A-TEL       112.98  2.69     -     -     on    off (not supported)
 8    WS-X6248-RJ-45      112.98  2.69     -     -     on    off (not supported)

 It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I 
 can't recall if that was the case for SXI2/2a/or 1.

       - Jared

 On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:

 Jared,

 After quickly glancing at the release notes, I was unable to find anything 
 about the removal of hardware support for the 63xx series cards.  Do you 
 have a URL or can you be more specific?

 Thanks in advance!

 Jared Mauch wrote:
 SXI3 has a number of bug fixes for our network, including one that would 
 cause the next-hop to be populated as 'drop' in hardware.
 I strongly recommend using it over prior versions of SXI.
 Due to the removal of hardware support we replaced the older 63xx/62xx 
 series cards.
 - Jared
 On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:
 SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
 OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.


 Rubens



 On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater jf...@princeton.edu 
 wrote:
 I have been running the SXI(3) on a test router with 100M MM 6324, which 
 it did not recognize in previous versions, and so far no complaints but 
 then again it's not in a real world yet.


 Does anyone else have GOOD or BAD news on SXI(3)?


 Jeff Fitzwater
 OIT Network Systems
 Princeton University







-- 
-andrew
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SXI(3) code status?

2009-11-18 Thread Chris Phillips
Define breaks.  Breaks as in your ssh connection drops and you have to 
login again, or breaks as in your ssh connection drops and the ssh 
service doesn't restart?


andrew wrote:

Here is some BAD on SXI3 ...

with redundant supervisor, SSH breaks upon supervisor switchover.

-andrew

On Tue, Nov 17, 2009 at 11:34 AM, Jeff Fitzwater jf...@princeton.edu wrote:

The 6324 100 MM is supported but did not come online in SXI 1, 2, 2A. It did
however work in SXI, which we are running now.

The other flavors are not supported.

Jeff

On Nov 17, 2009, at 12:12 PM, Jared Mauch wrote:


Release 12.2(33)SXH and later releases do not support the following hardware:

These Ethernet Switching Modules:

–WS-X6024-10FL-MT 24-port 10BASE-FL MT-RJ

–WS-X6248A-TEL 48-port 10/100TX RJ-21

–WS-X6248-RJ-45 48-port 10/100TX RJ-45

–WS-X6248-TEL 48-port 10/100TX RJ-21

–WS-X6324-100FX-SM 24-port 100FX Ethernet

–WS-X6224-100FX-MT 24-port 100FX Ethernet Multimode MT-RJ

–WS-X6316-GE-TX 16-port Gigabit Ethernet RJ-45

–WS-X6416-GE-MT 16-Port Gigabit Ethernet MT-RJ

  Now, the caveat is that they did not actually remove the hardware support 
for some of these until SXI1, so while the release notes say one thing, the 
actual support varies.

You will see something like this in 'show power':
4    WS-X6248A-TEL       112.98  2.69     -     -     on    off (not supported)
8    WS-X6248-RJ-45      112.98  2.69     -     -     on    off (not supported)

It does appear the WS-X6324-100FX-MM card does power on for SXI3, but I can't 
recall if that was the case for SXI2/2a/or 1.

  - Jared

On Nov 17, 2009, at 12:05 PM, Chris Phillips wrote:


Jared,

After quickly glancing at the release notes, I was unable to find anything 
about the removal of hardware support for the 63xx series cards.  Do you have a 
URL or can you be more specific?

Thanks in advance!

Jared Mauch wrote:

SXI3 has a number of bug fixes for our network, including one that would cause 
the next-hop to be populated as 'drop' in hardware.
I strongly recommend using it over prior versions of SXI.
Due to the removal of hardware support we replaced the older 63xx/62xx series 
cards.
- Jared
On Nov 17, 2009, at 10:22 AM, Rubens Kuhl wrote:

SXI2a running fine with MPLS, QoS, SVIs (no BFD on those... :-(),
OSPF, BGP. PFC3C-only, no WAN cards/modules, no DFC.


Rubens



On Tue, Nov 17, 2009 at 12:51 PM, Jeff Fitzwater jf...@princeton.edu wrote:

I have been running the SXI(3) on a test router with 100M MM 6324, which it did 
not recognize in previous versions, and so far no complaints but then again 
it's not in a real world yet.


Does anyone else have GOOD or BAD news on SXI(3)?


Jeff Fitzwater
OIT Network Systems
Princeton University




--
Chris Phillips
Director of Network Engineering  Peering Coordinator
WBS Connect
cphill...@wbsconnect.com
(866) WBS-CONX
(720) 259-8361 - direct
(303) 968-4383 - mobile
www.wbsconnect.com
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] BDF over port-channels?

2009-11-18 Thread luismi
That is what I was looking for.
Do you use it on 7600 and/or 7200?

On Tue, 17-11-2009 at 22:16 +, Abidin Kahraman wrote:
 BFD over port-channel is supported on SRD1.
 
 HTH
 Abidin
 
 On 17 Nov 2009, at 17:35, Tassos Chatzithomaoglou wrote:
 
  According to Cisco:
  
  http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_bfd.html#wp1054055
  
  
  For the following Cisco IOS Releases, BFD on PortChannel is not a supported 
  configuration: 12.2SXF, 12.2SRC, and 12.2SRB.
  
  
  Also there is CSCek67622:
  
  BFD should not be configurable on etherchannel intf
  Symptoms: The bfd interval command is accepted on
  EtherChannel and EtherChannel member interfaces.
  
  Conditions: This symptom is observed on a Cisco router while BFD is not
  supported on EtherChannels.
  
  Workaround: Do not enter the bfd interval command on
  EtherChannel and EtherChannel member interfaces.
  
  
  It's still not clear whether it's supported on SRD (and ES cards) or will 
  be supported in the future...
  
  
  --
  Tassos
  
  luismi wrote on 17/11/2009 14:20:
  I wrote it in a previous email but here it is again :D
  7200 npe-g2 and 7600 rsp720-pfc3
  I am using 12.2SRC but it is not supported there and I would like to know
  if it is supported in another train.
  On Tue, 17-11-2009 at 11:09 +0100, Gert Doering wrote:
  Hi,
  
  On Tue, Nov 17, 2009 at 11:01:48AM +0100, luismi wrote:
  I see a message like BDF not supported over port-channels in my
  routers.
  Which IOS version is that?  On what platform?
  
  You could be a bit more proactive in your questions... this makes it
  much easier to give meaningful responses, really... :-)
  
  gert
  
  -- 
  Tassos


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SXI(3) code status?

2009-11-18 Thread Reinhold Fischer
We upgraded tonight one of our boxes to SXI3. The WS-X6324-100FX-MM works with 
this version of code!

hth, Reinhold

On Tue, Nov 17, 2009 at 09:51:01AM -0500, Jeff Fitzwater wrote:
 I have been running the SXI(3) on a test router with 100M MM 6324, which it 
 did not recognize in previous versions, and so far no complaints but then 
 again it's not in a real world yet.
 
 
 Does anyone else have GOOD or BAD news on SXI(3)?
 
 
 Jeff Fitzwater
 OIT Network Systems
 Princeton University
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] IOS XR version you use

2009-11-18 Thread Per Carlson
Hi.

 I look for a good choice of XR to upgrade to from 3.5. In terms of features
 there are no mandatory ones that could drive us to do 3.8 instead of 3.6
 Does anyone of you use 3.8 in a production environment? Please share any
 thoughts on this.

We are using 3.5.4 (CRS and XR12k) and do plan a move to 3.6.3 on both
platforms. XR 3.8 didn't give us any needed features either, and the
lower exposure in the wild made the choice of 3.6 rather easy.

-- 
Pelle
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] ASA IPSec weirdness

2009-11-18 Thread Jan Gregor
Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls.

The problem is that when the remote site initiates the connection, the ASA
negotiates the association as though it is a VPN Client (ipsec-ra is
also configured on the same firewall).
Non-working association (ASA is responder):
Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
  spi: 0xCD25D187 (3441807751)
 transform: esp-3des esp-sha-hmac none
 in use settings ={L2L, Tunnel, }
 slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (asa is initiator):
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
  spi: 0xF9214935 (4179708213)
 transform: esp-3des esp-sha-hmac none
 in use settings ={L2L, Tunnel, }
 slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:
crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap

I have tried everything that I could think of - disabling xauth (which I
think is the default on the ASA), upgrading the router/ASA software, ... Nothing
worked, and disabling the VPN clients is not an option for me :/ .
Has anyone stumbled across something similar in the past and been able to fix
it? Thanks for any pointers.


Best regards,

Jan Gregor
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Flow Control

2009-11-18 Thread Mohammad Khalil

Dear all,

I have 5 Gigabit Ethernet interfaces connected via a port channel to a WiMAX ASN
gateway.
The device is a Cisco CISCO7606-S with IOS
c7600s72033-advipservicesk9-mz.122-33.SRB2.bin

When I issue the command sh run int po20:

interface Port-channel20
 switchport
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport mode access
 flowcontrol receive on
 flowcontrol send on
end
 
sh int po20 | inc flow
  input flow-control is off, output flow-control is off

Does that mean that the other device doesn't support flow control? Or do I need
something else to enable flow control?
I suffer from overruns on the port channel; is that the problem?

Thanks in advance
  
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] 32-bit ASN for 7200 G2?

2009-11-18 Thread Howard Jones
I'm researching IOS versions for upgrading our transit routers to
support 32-bit ASNs, and it seems that I need to use basically the
absolute latest 12.4T release (12.4.24T) to get that support. I can't
get it in 12.2S or 12.4 mainline at all.

Is that really the case?

What does everyone else use on their G2/7201s? This is just for BGP
internet peering connections and OSPF. Nothing at all fancy, I just
don't like the bleeding edge :-)

Thanks,

Howie
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ASA IPSec weirdness

2009-11-18 Thread Ryan West
Jan,

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan Gregor
Sent: Wednesday, November 18, 2009 5:28 AM

Hello all,

recently I got an issue with an L2L IPSec tunnel on one of our ASA firewalls.

The problem is that when the remote site initiates the connection, the ASA
negotiates the association as though it is a VPN Client (ipsec-ra is
also configured on the same firewall).
Non-working association (ASA is responder):
Crypto map tag: VPNClientMap, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
  spi: 0xCD25D187 (3441807751)
 transform: esp-3des esp-sha-hmac none
 in use settings ={L2L, Tunnel, }
 slot: 0, conn_id: 2709, crypto-map: VPNClientMap

Working association (asa is initiator):
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
...
inbound esp sas:
  spi: 0xF9214935 (4179708213)
 transform: esp-3des esp-sha-hmac none
 in use settings ={L2L, Tunnel, }
 slot: 0, conn_id: 2710, crypto-map: outside_map

ASA configuration looks like this:
crypto dynamic-map VPNClientMap 1 set transform-set ESP-3DES-SHA
crypto dynamic-map VPNClientMap 1 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 65535 ipsec-isakmp dynamic VPNClientMap



Are you sure they are landing on your tunnel with the right address?  The fact
that it's hitting your dyn map makes me think they are coming from another
address.  Do you have control of the remote end, and do you know what type of
device it is?  Can you enable some isakmp debugs to capture more traffic?  As
the responder, you'll be able to gather the most useful debug; you should be
able to figure out what's going on with a debug cry isa 255.

-ryan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] 32-bit ASN for 7200 G2?

2009-11-18 Thread Paolo Lucente
Hi,

You can wait a couple of weeks and get the feature on 12.2SRE.
32-bit ASN should be around on 12.0S images as well.

Cheers,
Paolo



On Wed, Nov 18, 2009 at 10:46:52AM +, Howard Jones wrote:
 I'm researching IOS versions for upgrading our transit routers to
 support 32-bit ASNs, and it seems that I need to use basically the
 absolute latest 12.4T release (12.4.24T) to get that support. I can't
 get it in 12.2S or 12.4 mainline at all.
 
 Is that really the case?
 
 What does everyone else use on their G2/7201s? This is just for BGP
 internet peering connections and OSPF. Nothing at all fancy, I just
 don't like the bleeding edge :-)
 
 Thanks,
 
 Howie

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] VPN traffic

2009-11-18 Thread Mikisa Richard
Dear all,

In trying to troubleshoot VPN traffic on a Cisco ASA 5520, is it possible to
debug the actual traffic in the tunnel? Scenario: the site-to-site tunnel comes
up but either side cannot reach the remote nodes beyond the firewalls.

Regards,
Richard 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] vlan across a routed link

2009-11-18 Thread teklay gebremichael
I work in a university which has three campuses. On each campus, there is one
Cisco 6509 switch as a core switch. All other switches (L2) are VTP clients
except the core switches. The campuses are connected with a routed link. So,
one campus has the 10.128.0.0/16 subnet and the others have subnets of
10.129.0.0/16 and 10.130.0.0/16. RIP v2 is used on the inter-campus links to
advertise individual VLANs.

Here is my problem.

I'm asked to create a VLAN with a subnet ID of 192.168.1.0/24, but computers in
this VLAN are located in the 10.128.0.0/16 campus and the 10.130.0.0/16
campus. The link between the 10.128.0.0/16 and 10.130.0.0/16 is not a trunk; it is
routed with an IP address.
So can anybody suggest to me how to implement such a scenario which allows one VLAN
(in this case 192.168.1.0/24) to be visible from the two campuses? I.e. to
propagate that specific VLAN across a routed link, not a trunk link.
Thanks




  
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] VPN traffic

2009-11-18 Thread Ryan West
Hi,

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Mikisa Richard
 Sent: Wednesday, November 18, 2009 7:40 AM
 
 Dear all,
 
 In trying to troubleshoot VPN traffic on a Cisco ASA 5520, is it
 possible to
 debug the actual traffic in the tunnel. Scenario: Site to site tunnel
 comes
 up but either side cannot reach the remote nodes beyond the firewalls.
 

Can you describe your scenario in a little more detail?  Is the firewall inline 
with all traffic?  If it's not, you're probably hitting a routing issue.  With 
just informational level buffer logging, you should be able to see why the 
traffic might be failing.  If you want to process the traffic through your ACLs 
and watch for hits there, you can disable sysopt permit-vpn.  

-ryan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] BGP Community Problem (I think)

2009-11-18 Thread Olof Kasselstrand
Hi,

Are you using soft-reconfigure on the routers? That will cause this
kind of behavior.

// Olof

On Wed, Nov 18, 2009 at 8:05 AM, Ben Steele illcrit...@gmail.com wrote:
 As Hobbs mentioned, do a sh ip bgp neighbor <your bgp peer> and look for
 the prefix activity part, which will tell you about prefixes that didn't get
 sent to that peer for various reasons.

 Have you looked at the communities attached to the prefixes you have learnt
 from your other peer that you aren't advertising? Do they have either
 no-advertise/no-export/local-as etc. on them? Is the peer you're receiving the
 feed from iBGP or eBGP? And is the peer you're sending them to iBGP or eBGP?


 On Wed, Nov 18, 2009 at 5:40 PM, Skeeve Stevens ske...@eintellego.netwrote:

 But, the router isn't even sending them to the next router... between
 tagging them and re-sending them, they just aren't there so I would
 assume the neighbour they are being sent to is nothing to do with it?

 ...Skeeve

 --
 Skeeve Stevens, CEO/Technical Director
 eintellego Pty Ltd - The Networking Specialists
 ske...@eintellego.net / www.eintellego.net
 Phone: 1300 753 383, Fax: (+612) 8572 9954
 Cell +61 (0)414 753 383 / skype://skeeve
 www.linkedin.com/in/skeeve ; facebook.com/eintellego
 --
 NOC, NOC, who's there?


 
  Not sure off-hand, but you can do show ip bgp neighbor and far down in
  the
  output you will see a section showing stats about why prefixes were
  dropped
  (route-map, dist-list, etc). What does it say?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] vlan across a routed link

2009-11-18 Thread Phil Mayers

teklay gebremichael wrote:

I work in a university which has three campuses. On each campus,
there is one Cisco 6509 switch as a core switch. All other switches
(L2) are VTP clients except the core switches. The campuses are
connected with a routed link. So, one campus has the 10.128.0.0/16
subnet and the others have subnets of 10.129.0.0/16 and
10.130.0.0/16. RIP v2 is used on the inter-campus links to advertise
individual VLANs.

Here is my problem.

I'm asked to create a VLAN with a subnet ID of 192.168.1.0/24, but
computers in this VLAN are located in the 10.128.0.0/16 campus and
the 10.130.0.0/16 campus. The link between the 10.128.0.0/16 and
10.130.0.0/16 is not a trunk; it is routed with an IP address. So can
anybody suggest to me how to implement such a scenario which allows one VLAN
(in this case 192.168.1.0/24) to be visible from the two campuses?
I.e. to propagate that specific VLAN across a routed link, not a trunk
link. Thanks


You will need to convert the link from routed to switchport. That is, 
transform this:


interface Gi1/1
  ip address a.b.c.d

...to:

interface Gi1/1
  switchport
  switchport mode trunk
  switchport trunk native vlan 4000
  switchport trunk allowed vlan yourvlan,4000

int Vlan4000
  ip address a.b.c.d
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] snmpwalk for switch port status

2009-11-18 Thread Eric Hoelzle
Here's a version in perl that runs on windows or *nix.  Net::SNMP required.

I have an older version using net::snmp::info that reads more cleanly,
but had trouble getting that module to work under ActiveState perl at
my current job.


--
Eric


---------[ begin paste ]---------
use strict;
use warnings;
use Net::SNMP;

my $argc = $#ARGV + 1;
if ($argc != 2) {
  die "\nUsage: deadports.pl hostname num_days\n\n";
}

my $hostname  = $ARGV[0];
my $pulldays  = $ARGV[1];
my $community = 'CHANGEME';

## sysUpTime and ifLastChange are TimeTicks (hundredths of a second), so one
## day is 8,640,000 ticks; the 32-bit counter wraps after roughly 497 days
my $ticks_per_day = 8_640_000;

print "Unused Port report on $hostname for $pulldays days.\n";

## set up SNMP session
my ($session, $error) = Net::SNMP->session(
   -version   => 'snmpv2c',
   -translate => 0,            # raw TimeTicks, not "x days, hh:mm:ss" strings
   -hostname  => $hostname,
   -community => $community,
   -port      => 161
);

if (!defined($session)) {
   printf("ERROR: %s.\n", $error);
   exit 1;
}

## OIDs
my $sysUpTime         = '1.3.6.1.2.1.1.3.0';
my $sysName           = '1.3.6.1.2.1.1.5.0';
my $oid_ifTable       = '1.3.6.1.2.1.2.2';
my $oid_ifIndex       = '1.3.6.1.2.1.2.2.1.1';
my $oid_ifdescr       = '1.3.6.1.2.1.2.2.1.2.';
my $oid_ifadminstatus = '1.3.6.1.2.1.2.2.1.7.';
my $oid_ifoperstatus  = '1.3.6.1.2.1.2.2.1.8.';
my $oid_iflastchange  = '1.3.6.1.2.1.2.2.1.9.';

## Counters and data shared with the subs below
my $tot_ports  = 0;
my $pull_ports = 0;
my ($uptime, $sysname, @ifindexes);

##
# these subs go gather the basic data.
# get_sysuptime has a print at the end as well.
##

get_sysuptime();

## can't run a report for more days than we have uptime
if (($uptime / $ticks_per_day) < $pulldays) {
  print "Sorry, the device hasn't been up $pulldays days yet.\n\n";
  exit 0;
}

get_ifindex();

##
# for each interface returned by get_ifindex, gather detail data
#  and print out the status if it's a candidate to be pulled
##

foreach my $ifindex (@ifindexes) {
  my @args = ($oid_ifdescr . $ifindex, $oid_ifoperstatus . $ifindex,
              $oid_ifadminstatus . $ifindex, $oid_iflastchange . $ifindex);
  my $result = $session->get_request(
     -varbindlist => \@args
  );
  if (!defined($result)) {
     printf("ERROR: %s.\n", $session->error);
     next;
  }

  my $desc        = $result->{$oid_ifdescr . $ifindex};
  my $operstatus  = $result->{$oid_ifoperstatus . $ifindex};
  my $lastchange  = $result->{$oid_iflastchange . $ifindex};
  my $adminstatus = $result->{$oid_ifadminstatus . $ifindex};
  my $status_time_days = ($uptime - $lastchange) / $ticks_per_day;
  $tot_ports++;

  ## die if we see a negative number: sysUpTime wrapped since the last change
  if ($status_time_days < 0) {
    die "\nUh-oh...Looks like we've actually been up more than 498 days.\n"
      . "That rocks, but is unfortunate for our purposes.\n"
      . "Reboot this gear and try again later.\n";
  }

  ## are we a pull candidate?  ifOperStatus 2 == down
  if ($operstatus == 2 && $status_time_days >= $pulldays) {
    $pull_ports++;
    my $rounded_days = sprintf("%.2f", $status_time_days);
    if ($adminstatus == 1) {
      print "$desc has been down for $rounded_days days\n";
    }
    if ($adminstatus == 2) {
      print "$desc is ADMINDOWN and has been down for $rounded_days days\n";
    }
  }
}

## done.  go home.
print "\nTotal interfaces found: $tot_ports\n"
    . "Ports unused for the last $pulldays days: $pull_ports\n";
$session->close;

exit 0;

##
# subs below here
##

sub get_ifindex {
  my $tbl_ifIndex = $session->get_table(
     -baseoid => $oid_ifIndex
  );

  if (!defined($tbl_ifIndex)) {
     printf("ERROR: %s.\n", $session->error);
     $session->close;
     exit 1;
  }

  foreach my $key (keys %$tbl_ifIndex) {
    #print "$key = $$tbl_ifIndex{$key}\n";
    push(@ifindexes, $$tbl_ifIndex{$key});
  }
  @ifindexes = sort { $a <=> $b } @ifindexes;   # ifIndex is numeric
}


sub get_sysuptime {
   my $result = $session->get_request(
      -varbindlist => [$sysUpTime]
   );
   if (!defined($result)) {
      printf("ERROR: %s.\n", $session->error);
      $session->close;
      exit 1;
   }
   $uptime = $result->{$sysUpTime};

   $result = $session->get_request(
      -varbindlist => [$sysName]
   );
   $sysname = defined($result) ? $result->{$sysName} : $hostname;

   printf("\nDevice '%s' has been up for %.2f days\n\n",
      $sysname, $uptime / $ticks_per_day
   );
}
---------[ end paste ]---------
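As an added example (not the poster's script and not Net::SNMP code), the same unused-port report logic in Python over constructed ifTable rows so it runs offline, extended to handle the two TimeTicks edge cases the Perl script bails out on or ignores: sysUpTime wrapping at 2**32 hundredths of a second (about 497 days) and ifLastChange == 0. The IfRow layout, hostnames and tick values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

TICKS_PER_DAY = 100 * 86400   # TimeTicks are hundredths of a second
TICKS_WRAP = 2 ** 32          # TimeTicks is a 32-bit unsigned value
IF_UP, IF_DOWN = 1, 2         # ifAdminStatus / ifOperStatus: up(1), down(2)


@dataclass
class IfRow:
    """One ifTable row as the script above fetches it (constructed here)."""
    index: int
    descr: str
    admin_status: int
    oper_status: int
    last_change: int   # ifLastChange: sysUpTime at the last state change


@dataclass
class Candidate:
    descr: str
    days_down: float
    admin_down: bool


def ticks_since(uptime: int, last_change: int) -> int:
    """Ticks elapsed since last_change, valid across one sysUpTime wrap.

    ifLastChange == 0 means no state change since the agent started
    (RFC 2863), so the interval is the whole uptime. If sysUpTime wrapped
    after the change, last_change > uptime and a plain subtraction goes
    negative; modular subtraction recovers the interval (assumes one wrap).
    """
    return (uptime - last_change) % TICKS_WRAP


def days_since(uptime: int, last_change: int) -> float:
    return ticks_since(uptime, last_change) / TICKS_PER_DAY


def enough_uptime(uptime: int, min_days: int) -> bool:
    """The script's pre-check: a report cannot cover more days than uptime."""
    return uptime / TICKS_PER_DAY >= min_days


def find_unused_ports(uptime: int, rows: List[IfRow],
                      min_days: int) -> List[Candidate]:
    """Ports that are operationally down for at least min_days."""
    found = []
    for row in rows:
        if row.oper_status != IF_DOWN:
            continue
        days = days_since(uptime, row.last_change)
        if days >= min_days:
            found.append(Candidate(row.descr, round(days, 2),
                                   row.admin_status == IF_DOWN))
    return found


def format_report(hostname: str, uptime: int, rows: List[IfRow],
                  min_days: int) -> str:
    lines = [f"Device '{hostname}' has been up for "
             f"{uptime / TICKS_PER_DAY:.2f} days"]
    found = find_unused_ports(uptime, rows, min_days)
    for c in found:
        state = "is ADMINDOWN and has been down" if c.admin_down else "has been down"
        lines.append(f"{c.descr} {state} for {c.days_down:.2f} days")
    lines.append(f"Total interfaces found: {len(rows)}")
    lines.append(f"Ports unused for the last {min_days} days: {len(found)}")
    return "\n".join(lines)


# Constructed sample: a switch up for 40 days with five ports
SAMPLE_UPTIME = 40 * TICKS_PER_DAY
SAMPLE_ROWS = [
    IfRow(1, "Gi1/0/1", IF_UP, IF_UP, 39 * TICKS_PER_DAY),      # in use
    IfRow(2, "Gi1/0/2", IF_UP, IF_DOWN, 10 * TICKS_PER_DAY),    # down 30 days
    IfRow(3, "Gi1/0/3", IF_DOWN, IF_DOWN, 20 * TICKS_PER_DAY),  # admin down
    IfRow(4, "Gi1/0/4", IF_UP, IF_DOWN, 0),                     # never up since boot
    IfRow(5, "Gi1/0/5", IF_UP, IF_DOWN, 38 * TICKS_PER_DAY),    # down only 2 days
]

if __name__ == "__main__":
    print(format_report("sw-constructed", SAMPLE_UPTIME, SAMPLE_ROWS, 7))
```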
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] BGP Community Problem (I think)

2009-11-18 Thread Hobbs
On Tue, Nov 17, 2009 at 11:40 PM, Skeeve Stevens ske...@eintellego.netwrote:

 But, the router isn't even sending them to the next router... between
 tagging them and re-sending them, they just aren't there so I would
 assume the neighbour they are being sent to is nothing to do with it?


Between tagging them and re-sending them is exactly where this command can
be useful :)
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] vlan across a routed link

2009-11-18 Thread Oliver Boehmer (oboehmer)
 teklay gebremichael wrote:
  I work in a university which has three campuses. on each campus,
  there is one cisco 6509 switch as a core switch. all other switches
  (L2) are in vtp client except the core switches. the campuses are
  connected with a routed link. so, one campus has the 10.128.0.0/16
  subnet and the others have the subnets 10.129.0.0/16 and
  10.130.0.0/16. rip v2 is used on the intercampus links to advertise
  individual vlans.
 
  here is my problem.
 
  I'm asked to create a vlan with a subnet id of 192.168.1.0/24. but
  computers in this vlan are located in the 10.128.0.0/16 campus and
  the 10.130.0.0/16 campus. the link between the 10.128.0.0/16 and
  10.130.0.0/16 is not a trunk, it is routed with an ip address. so can
  anybody suggest how to implement such a scenario, which allows one vlan
  (in this case 192.168.1.0/24) to be visible from the two campuses?
  i.e. to propagate that specific vlan across a routed link, not a trunk
  link. thanks
 
 You will need to convert the link from routed to switchport. That is,
 transform this:

right, but think about the implications before doing so. You will extend
your spanning tree domain over all the different sites, so this just
asks for disaster to happen. And don't mention hey, I only do this for
a single Vlan. Once you start offering this service, users will ask
for it, and you end up doing this for many.

Please consider technologies for this where you don't need to extend
spanning tree. for example L2VPN (EoMPLS, VPLS), or loop-free topologies
using VSS where you can disable STP between campuses..

oli


Re: [c-nsp] BGP primer recco

2009-11-18 Thread Eric Gauthier

Internet Routing Architectures by Halabi.  

Eric :)

 I enjoyed the O'Reilly BGP book - has always served me well.
 
 Jeff Bacon wrote:
 
 Hi folks - 
 
 Need to learn BGP. Cisco-focused ok. Looking for the right book to buy.
 Willing to buy 2-3 to get the right one.
 
 I know the very fundamentals of BGP, and conversant in most other IOS
 topics (route-maps and route redist, weights, IGPs). I can set up a
 basic neighbor and get IBGP vs EBGP, but need to understand community
 strings and weighting in BGP-world - used to an EIGRP/OSPF world
 primarily.
 
 Goal is to know how to effectively multi-home our enterprise (3 offices,
 4 ISPs, we have an assigned ASN and /24), including redirecting inet
 traffic between the sites over our private WAN links. Not looking to run
 a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest
 to multi-home. My needs are limited; also, it isn't just for the public
 internet, I also need to present multi-home over BGP to trading partners
 from our multiple sites over multiple links. I intend to keep the two
 routing domains separate tho.) 
 
 So essentially I need BGP for non-dummies that is also a good reference
 book. 
 
 (Yes, I also have the mandatory on-call
 friend-who-does-this-for-a-living to pester, but he does it for a living
 for someone else, and I want him to remain a friend. :)  )
 
 Thanks,
 -bacon
 
 
 
 -- 
 Alex Balashov - Principal
 Evariste Systems
 Web : http://www.evaristesys.com/
 Tel : (+1) (678) 954-0670
 Direct  : (+1) (678) 954-0671


Re: [c-nsp] vlan across a routed link

2009-11-18 Thread masood
What's wrong with extending your spanning-tree domain, as long as the number
of nodes is not too large? People are using trunk links between different
sites across the world in an enterprise environment, and this is what you
use a trunk link for. I would prefer the usage of trunk links and routed
VLAN interfaces over EoMPLS and VPLS (keeping in mind the throughput
issues on EoMPLS, MTU problems and overall network complexity).

Regards,
Masood


 teklay gebremichael wrote:
  I work in a university which has three campuses. on each campus,
  there is one cisco 6509 switch as a core switch. all other switches
  (L2) are in vtp client except the core switches. the campuses are
  connected with a routed link. so, one campus has the 10.128.0.0/16
  subnet and the others have the subnets 10.129.0.0/16 and
  10.130.0.0/16. rip v2 is used on the intercampus links to advertise
  individual vlans.
 
  here is my problem.
 
  I'm asked to create a vlan with a subnet id of 192.168.1.0/24. but
  computers in this vlan are located in the 10.128.0.0/16 campus and
  the 10.130.0.0/16 campus. the link between the 10.128.0.0/16 and
  10.130.0.0/16 is not a trunk, it is routed with an ip address. so can
  anybody suggest how to implement such a scenario, which allows one vlan
  (in this case 192.168.1.0/24) to be visible from the two campuses?
  i.e. to propagate that specific vlan across a routed link, not a trunk
  link. thanks

 You will need to convert the link from routed to switchport. That is,
 transform this:

 right, but think about the implications before doing so. You will extend
 your spanning tree domain over all the different sites, so this just
 asks for disaster to happen. And don't mention hey, I only do this for
 a single Vlan. Once you start offering this service, users will ask
 for it, and you end up doing this for many.

 Please consider technologies for this where you don't need to extend
 spanning tree. for example L2VPN (EoMPLS, VPLS), or loop-free topologies
 using VSS where you can disable STP between campuses..

   oli


Re: [c-nsp] snmpwalk for switch port status

2009-11-18 Thread Matlock, Kenneth L
Seeing this script reminded me of a pet peeve I have with Cisco. Why oh
why did they use a 32-bit int for the uptime of the switch and port, and
use 1/100th second resolution, so after 497 days the counter rolls over
back to 0? Was a 64 bit int (or 1/10 a second resolution) not good
enough? :)

The chassis knows the real uptime (a 'show ver' shows it), why not
expose that value to SNMP, and the same for the port last changed state?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Eric Hoelzle
Sent: Wednesday, November 18, 2009 7:26 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] snmpwalk for switch port status

Here's a version in perl that runs on windows or *nix.  Net::SNMP
required.

I have an older version using net::snmp::info that reads more cleanly,
but had trouble getting that module to work under ActiveState perl at
my current job.


--
Eric


[  begin paste ]-
use strict;
use warnings;
use Net::SNMP;

my $ARGC = $#ARGV + 1;
if ($ARGC != 2) {
  die "\nUsage: deadports.pl hostname num_days\n\n";
  }

my $pulldays  = $ARGV[1];
my $hostname  = $ARGV[0];
my $community = 'CHANGEME';

print "Unused Port report on $hostname for $pulldays days.";

## set up SNMP session
my ($session, $error) = Net::SNMP->session(
   -version   => 'snmpv2c',
   -translate => 0,          # keep TimeTicks as raw integers, not "x days" strings
   -hostname  => $hostname,
   -community => $community,
   -port      => 161
);

if (!defined($session)) {
   printf("ERROR: %s.\n", $error);
   exit 1;
}

## OIDs
my $sysUpTime   = '1.3.6.1.2.1.1.3.0';
my $sysName     = '1.3.6.1.2.1.1.5.0';
my $oid_ifTable = '1.3.6.1.2.1.2.2';
my $oid_ifIndex = '1.3.6.1.2.1.2.2.1.1';
my $oid_ifdescr = '1.3.6.1.2.1.2.2.1.2.';
my $oid_ifoperstatus    = '1.3.6.1.2.1.2.2.1.8.';
my $oid_iflastchange    = '1.3.6.1.2.1.2.2.1.9.';
my $oid_ifadminstatus   = '1.3.6.1.2.1.2.2.1.7.';

## sysUpTime and ifLastChange are TimeTicks (1/100 s): 8640000 ticks per day
my $ticks_per_day = 8640000;

## Counters
my $tot_ports  = 0;
my $pull_ports = 0;

## filled in by the subs at the bottom
my ($uptime, $sysname, @ifindexes);


##
# these subs go gather the basic data.
# get_sysuptime has a print at the end as well.
##

get_sysuptime();

## can't run a report for more days than we have uptime
if (($uptime/$ticks_per_day) < $pulldays) {
  print "Sorry, the Device hasn't been up $pulldays days yet.\n\n";
  exit 0;
  }

get_ifindex();



##
# for each interface returned by get_ifindex, gather detail data
#  and print out the status if it's a candidate to be pulled
##

foreach my $ifindex (@ifindexes) {
 my @args = ($oid_ifdescr . $ifindex, $oid_ifoperstatus . $ifindex,
$oid_ifadminstatus . $ifindex, $oid_iflastchange . $ifindex);
 #print "@args\n";
 my $result = $session->get_request(
   -varbindlist => \@args
   );
 if (!defined($result)) {
   printf("ERROR: %s.\n", $session->error);
   next;
 }

 my $desc        = $result->{$oid_ifdescr . $ifindex};
 my $operstatus  = $result->{$oid_ifoperstatus . $ifindex};
 my $lastchange  = $result->{$oid_iflastchange . $ifindex};
 my $adminstatus = $result->{$oid_ifadminstatus . $ifindex};
 my $status_time_days = ($uptime - $lastchange) / $ticks_per_day;
 $tot_ports++;

 ## die if we see a negative number: ifLastChange newer than sysUpTime
 ## only happens once the 32-bit sysUpTime counter has wrapped
 if ($status_time_days < 0) {
  die "\nUh-oh...Looks like we've actually been up more than 498
days.\nThat rocks, but is unfortunate for our purposes.\nReboot this
gear and try again later.\n";
  }

 ## are we a pull candidate?  if ifoperstatus 2 == down we are
 if ($operstatus == 2 && $status_time_days >= $pulldays) {
   $pull_ports++;
   my $rounded_days = sprintf("%.2f", $status_time_days);
   if ($adminstatus == 1) {
 print "$desc has been down for $rounded_days days \n";
 }
   if ($adminstatus == 2) {
 print "$desc is ADMINDOWN and has been down for $rounded_days days \n";
 }
   }
}

## done.  go home.
print "\nTotal interfaces found: $tot_ports\nPorts Unused for the last
$pulldays Days: $pull_ports\n";
$session->close;

exit 0;

##
# subs below here
##

sub get_ifindex {
my $tbl_ifIndex = $session->get_table(
   -baseoid => $oid_ifIndex
);

if (!defined($tbl_ifIndex)) {
   printf("ERROR: %s.\n", $session->error);
   $session->close;
   exit 1;
}

foreach my $key (keys %$tbl_ifIndex) {
#print "$key = $$tbl_ifIndex{$key}\n";
push (@ifindexes, $$tbl_ifIndex{$key});
  }
## numeric sort, so ifIndex 10 comes after 9 rather than after 1
@ifindexes = sort { $a <=> $b } @ifindexes;
}


sub get_sysuptime {
   my $result = $session->get_request(
  -varbindlist => [$sysUpTime]
   );
   if (!defined($result)) {
  printf("ERROR: %s.\n", $session->error);
  $session->close;
  exit 1;
   }
   $uptime = $result->{$sysUpTime};

   $result = $session->get_request(
  -varbindlist => [$sysName]
   );
   $sysname = defined($result) ? $result->{$sysName} : $hostname;

   printf("\nDevice '%s' has been up for %.2f days\n\n",
  $sysname, $uptime/$ticks_per_day
   );
}
--[ end paste ]
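The 497-day wrap Ken is describing is exactly what the negative-number check in the Perl script guards against. The following is an added example, not Eric's script and not code from the thread: the same "ports down for at least N days" logic written in Python over an ifTable result that has already been fetched (so it runs offline), grouping the varbinds by ifIndex, converting TimeTicks to days, and treating a negative difference as a wrapped sysUpTime rather than dying. The OIDs are the IF-MIB ones the script uses; the interface names and tick values are constructed.

```python
"""Port-inactivity audit over ifTable data, with the sysUpTime wrap handled.

Added example, not Eric Hoelzle's script: same idea (flag ports that have been
down for at least N days) but on an ifTable result already fetched, so it runs
offline. All interface names and tick values below are constructed.
"""
from dataclasses import dataclass

TICKS_PER_DAY = 100 * 86400   # TimeTicks are hundredths of a second
TICKS_WRAP = 2 ** 32          # sysUpTime / ifLastChange are 32-bit (RFC 3418, IF-MIB)
UP, DOWN = 1, 2               # ifAdminStatus / ifOperStatus values

IF_ENTRY = "1.3.6.1.2.1.2.2.1."                 # ifTable entry prefix, as in the script
COL_DESCR, COL_ADMIN, COL_OPER, COL_LASTCHANGE = 2, 7, 8, 9


@dataclass
class IfRow:
    index: int
    descr: str
    admin_status: int
    oper_status: int
    last_change: int   # ifLastChange, TimeTicks (sysUpTime at last state change)


def rows_from_varbinds(varbinds):
    """Group a {oid: value} result (what the Perl $result hash holds) by ifIndex."""
    by_index = {}
    for oid, value in varbinds.items():
        if not oid.startswith(IF_ENTRY):
            continue
        col, idx = oid[len(IF_ENTRY):].split(".")
        by_index.setdefault(int(idx), {})[int(col)] = value
    return [IfRow(idx, c[COL_DESCR], int(c[COL_ADMIN]), int(c[COL_OPER]),
                  int(c[COL_LASTCHANGE]))
            for idx, c in sorted(by_index.items())]


def days_since_change(uptime, last_change):
    """Days since ifLastChange, and whether sysUpTime wrapped in between.

    A negative difference (the case the Perl script dies on) means sysUpTime
    passed 2^32 after the interface last changed. Adding 2^32 back gives the
    right answer if exactly one wrap happened; a second wrap is undetectable
    from SNMP alone, which is why the flag is returned for the report.
    """
    delta = uptime - last_change
    wrapped = delta < 0
    if wrapped:
        delta += TICKS_WRAP
    return delta / TICKS_PER_DAY, wrapped


def audit_ports(uptime, rows, pull_days):
    """Return ([(descr, state, days)], wrapped) for ports down >= pull_days."""
    if uptime / TICKS_PER_DAY < pull_days:
        raise ValueError("device has not been up %d days yet" % pull_days)
    candidates, any_wrapped = [], False
    for row in rows:
        days, wrapped = days_since_change(uptime, row.last_change)
        any_wrapped = any_wrapped or wrapped
        if row.oper_status == DOWN and days >= pull_days:
            state = "ADMINDOWN" if row.admin_status == DOWN else "down"
            candidates.append((row.descr, state, round(days, 2)))
    return candidates, any_wrapped


# Constructed sample: a box up 300 days with four ports (not real device output).
SAMPLE_UPTIME = 300 * TICKS_PER_DAY
SAMPLE_VARBINDS = {}
for _idx, _descr, _adm, _oper, _chg in [
        (1, "Gi1/0/1", UP, DOWN, 100 * TICKS_PER_DAY),    # down for 200 days
        (2, "Gi1/0/2", DOWN, DOWN, 250 * TICKS_PER_DAY),  # shut 50 days ago
        (3, "Gi1/0/3", UP, UP, 10 * TICKS_PER_DAY),       # in use
        (4, "Gi1/0/4", DOWN, DOWN, 0)]:                   # shut since boot
    SAMPLE_VARBINDS[f"{IF_ENTRY}{COL_DESCR}.{_idx}"] = _descr
    SAMPLE_VARBINDS[f"{IF_ENTRY}{COL_ADMIN}.{_idx}"] = str(_adm)
    SAMPLE_VARBINDS[f"{IF_ENTRY}{COL_OPER}.{_idx}"] = str(_oper)
    SAMPLE_VARBINDS[f"{IF_ENTRY}{COL_LASTCHANGE}.{_idx}"] = str(_chg)

if __name__ == "__main__":
    found, wrapped = audit_ports(SAMPLE_UPTIME, rows_from_varbinds(SAMPLE_VARBINDS), 90)
    for descr, state, days in found:
        print(f"{descr} is {state} and has been down for {days} days")
    print(f"Ports unused for the last 90 days: {len(found)}; uptime wrapped: {wrapped}")
```

Two points for anyone putting this to use: a wrapped flag is a reason to cross-check against the CLI uptime, as suggested later in this thread, rather than to trust the modular result; and the polling side of the Perl script uses SNMPv2c with a community string, which crosses the network in cleartext, so on gear that supports it an SNMPv3 authPriv user with a read-only view limited to the system and ifTable subtrees is the safer way to feed a script like this.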


Re: [c-nsp] snmpwalk for switch port status

2009-11-18 Thread Eric Hoelzle
If you have CLI access as well, you can get the box uptime that way
and do some math.

In my world, 500 days uptime is an exception so a reboot is
acceptable.  Scripts like this are usually for access layer capacity
planning or cleanup.

--
Eric


On Wed, Nov 18, 2009 at 10:53 AM, Matlock, Kenneth L
matlo...@exempla.org wrote:
 Well, what I meant.. :)

 They COULD expose a NEW OID for those values :)

 I agree that their hands are tied as far as the RFC, but that doesn't
 preclude a new OID tree.

 Ken Matlock
 Network Analyst
 Exempla Healthcare
 (303) 467-4671
 matlo...@exempla.org



 -Original Message-
 From: Howard Jones [mailto:ho...@thingy.com]
 Sent: Wednesday, November 18, 2009 8:42 AM
 To: Matlock, Kenneth L
 Cc: Eric Hoelzle; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] snmpwalk for switch port status

 Matlock, Kenneth L wrote:
 Seeing this script reminded me of a pet peeve I have with Cisco. Why
 oh
 why did they use a 32-bit int for the uptime of the switch and port,
 and
 use 1/100th second resolution, so after 497 days the counter rolls
 over
 back to 0? Was a 64 bit int (or 1/10 a second resolution) not good
 enough? :)

 The chassis knows the real uptime (a 'show ver' shows it), why not
 expose that value to SNMP, and the same for the port last changed
 state?

 Because then it would not be following RFC 1907/3418, which specify it's
 a 32-bit int. It's not Cisco's fault (leaving aside that they are one of
 the authors of RFC 1907 :-) ). You wouldn't want Cisco to not follow
 standards, would you? ;-)



Re: [c-nsp] snmpwalk for switch port status

2009-11-18 Thread Matlock, Kenneth L
And that's what I resorted to using (CLI access using expect, and then
pipe it to another script to parse it)

Unfortunately in my world, 500 days uptime is on the low side. We have
multiple chassis that have been up and running (and stable) for 6+ years
uptime now (and yes, we've mitigated the security issues on the code
revisions we're running). I manage the network for 3 hospitals, and 30+
clinics, so as you can imagine getting a downtime to 'upgrade' the code
is problematic (let alone the whole testing/validation process).

It's a lot more complicated to parse the CLI output, instead of just
getting a single value via SNMP. Doable? Yes. More work than necessary?
Yes. :)

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org



-Original Message-
From: Eric Hoelzle [mailto:eric.hoel...@gmail.com] 
Sent: Wednesday, November 18, 2009 9:04 AM
To: Matlock, Kenneth L
Cc: Howard Jones; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] snmpwalk for switch port status

If you have CLI access as well, you can get the box uptime that way
and do some math.

In my world, 500 days uptime is an exception so a reboot is
acceptable.  Scripts like this are usually for access layer capacity
planning or cleanup.

--
Eric


On Wed, Nov 18, 2009 at 10:53 AM, Matlock, Kenneth L
matlo...@exempla.org wrote:
 Well, what I meant.. :)

 They COULD expose a NEW OID for those values :)

 I agree that their hands are tied as far as the RFC, but that doesn't
 preclude a new OID tree.

 Ken Matlock
 Network Analyst
 Exempla Healthcare
 (303) 467-4671
 matlo...@exempla.org



 -Original Message-
 From: Howard Jones [mailto:ho...@thingy.com]
 Sent: Wednesday, November 18, 2009 8:42 AM
 To: Matlock, Kenneth L
 Cc: Eric Hoelzle; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] snmpwalk for switch port status

 Matlock, Kenneth L wrote:
 Seeing this script reminded me of a pet peeve I have with Cisco. Why
 oh
 why did they use a 32-bit int for the uptime of the switch and port,
 and
 use 1/100th second resolution, so after 497 days the counter rolls
 over
 back to 0? Was a 64 bit int (or 1/10 a second resolution) not good
 enough? :)

 The chassis knows the real uptime (a 'show ver' shows it), why not
 expose that value to SNMP, and the same for the port last changed
 state?

 Because then it would not be following RFC 1907/3418, which specify
it's
 a 32-bit int. It's not Cisco's fault (leaving aside that they are one
of
 the authors of RFC 1907 :-) ). You wouldn't want Cisco to not follow
 standards, would you? ;-)



Re: [c-nsp] BGP primer recco

2009-11-18 Thread Juuso Lehtinen
I second that. I also recommend Routing TCP/IP Volume 2 by Jeff Doyle and
Jennifer DeHaven Carroll. Published by Cisco Press.

-Juuso

On Wed, Nov 18, 2009 at 3:49 PM, Eric Gauthier e...@roxanne.org wrote:


 Internet Routing Architectures by Halabi.

 Eric :)

  I enjoyed the O'Reilly BGP book - has always served me well.
 
  Jeff Bacon wrote:
 
  Hi folks -
  
  Need to learn BGP. Cisco-focused ok. Looking for the right book to buy.
  Willing to buy 2-3 to get the right one.
  
  I know the very fundamentals of BGP, and conversant in most other IOS
  topics (route-maps and route redist, weights, IGPs). I can set up a
  basic neighbor and get IBGP vs EBGP, but need to understand community
  strings and weighting in BGP-world - used to an EIGRP/OSPF world
  primarily.
  
  Goal is to know how to effectively multi-home our enterprise (3 offices,
  4 ISPs, we have an assigned ASN and /24), including redirecting inet
  traffic between the sites over our private WAN links. Not looking to run
  a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest
  to multi-home. My needs are limited; also, it isn't just for the public
  internet, I also need to present multi-home over BGP to trading partners
  from our multiple sites over multiple links. I intend to keep the two
  routing domains separate tho.)
  
  So essentially I need BGP for non-dummies that is also a good reference
  book.
  
  (Yes, I also have the mandatory on-call
  friend-who-does-this-for-a-living to pester, but he does it for a living
  for someone else, and I want him to remain a friend. :)  )
  
  Thanks,
  -bacon
  
 
 
  --
  Alex Balashov - Principal
  Evariste Systems
  Web : http://www.evaristesys.com/
  Tel : (+1) (678) 954-0670
  Direct  : (+1) (678) 954-0671


Re: [c-nsp] BGP primer recco

2009-11-18 Thread Scott Granados

And of course, Routing and the Internet.

- Original Message - 
From: Juuso Lehtinen juuso.lehti...@gmail.com

To: Eric Gauthier e...@roxanne.org
Cc: Jeff Bacon ba...@walleyesoftware.com; cisco-nsp@puck.nether.net
Sent: Wednesday, November 18, 2009 9:16 AM
Subject: Re: [c-nsp] BGP primer recco



I second that. I also recommend Routing TCP/IP Volume 2 by Jeff Doyle and
Jennifer DeHaven Carroll. Published by Cisco Press.

-Juuso

On Wed, Nov 18, 2009 at 3:49 PM, Eric Gauthier e...@roxanne.org wrote:



Internet Routing Architectures by Halabi.

Eric :)

 I enjoyed the O'Reilly BGP book - has always served me well.

 Jeff Bacon wrote:

 Hi folks -
 
 Need to learn BGP. Cisco-focused ok. Looking for the right book to 
 buy.

 Willing to buy 2-3 to get the right one.
 
 I know the very fundamentals of BGP, and conversant in most other IOS
 topics (route-maps and route redist, weights, IGPs). I can set up a
 basic neighbor and get IBGP vs EBGP, but need to understand community
 strings and weighting in BGP-world - used to an EIGRP/OSPF world
 primarily.
 
 Goal is to know how to effectively multi-home our enterprise (3 
 offices,

 4 ISPs, we have an assigned ASN and /24), including redirecting inet
 traffic between the sites over our private WAN links. Not looking to 
 run

 a tier-1 ISP or anything like that. (Yes, I know it can be a rats-nest
 to multi-home. My needs are limited; also, it isn't just for the 
 public
 internet, I also need to present multi-home over BGP to trading 
 partners

 from our multiple sites over multiple links. I intend to keep the two
 routing domains separate tho.)
 
 So essentially I need BGP for non-dummies that is also a good 
 reference

 book.
 
 (Yes, I also have the mandatory on-call
 friend-who-does-this-for-a-living to pester, but he does it for a 
 living

 for someone else, and I want him to remain a friend. :)  )
 
 Thanks,
 -bacon
 


 --
 Alex Balashov - Principal
 Evariste Systems
 Web : http://www.evaristesys.com/
 Tel : (+1) (678) 954-0670
 Direct  : (+1) (678) 954-0671




[c-nsp] Cisco 1721 NAT (possibly) debugging

2009-11-18 Thread Timothy Young
Here's my scenario as I understand it (I've inherited this with no option to
ask the prior involved parties, sadly).

We are a VOIP service provider.  We have a commercial customer with a 1721
onsite.

The 1721 was provided, configured and left onsite.  We setup NAT, and enough
QoS for the VOIP to play nice on their network (it's not huge by any
means).  We did not do any port forwarding or special configuration beyond
again the bare essentials to get them functional.  Fast forward a few
months.  This same customer is attempting to demo some video
teleconferencing via the same router / connection.  What they claim happens
is that when initiating a call from the inside out to a remote site, the
video works fine.  When initiating from the remote site into the office
where this 1721 sits, a connection is never completed.  Now, we did not
forward any ports, but upon closer inspection of the 1721 it seems their
consultant at some point has (we were not aware that they were given the
credentials to the router, that has been rectified).  What I am looking for
is a way to troubleshoot this, I am not a NAT person in the cisco world, so
where to begin debugging or the like is what I'm looking for.  Below are the
exact instructions from the vendor for required port forwarding and then
what I think are the relevant config snippets (of note - the public IP in
the port forwarding is the same for every line and most of the private side
IPs are the same too - it's generally just for one device).  Any assistance
would be greatly appreciated.  I do have to go over their config with them
on their device also just to verify they're using the right info.

thanks

tim



1.1. Forward port 1720 TCP to the private IP of the LifeSize system.
1.2. Forward TCP ports 60,000 and 60,001 to the private IP of the LifeSize
system.  If you have other services on these ports, you can forward any
other 2 TCP ports in the 60,000 - 64,999 range.
1.3. Forward UDP ports 60,000 to 60,007 to the private IP of the LifeSize
system.  If you have other services on these ports, you can forward any
other 8 UDP ports in the 60,000 - 64,999 range.  (NOTE: 2 TCP and 8 UDP is
the minimum number of ports required for a single point-to-point H.323
video call.)



Cisco IOS Software, C1700 Software (C1700-IPBASEK9-M), Version 12.4(23),
RELEASE SOFTWARE (fc1)
Cisco 1721 (MPC860P) processor (revision 0x100) with 58441K/7095K bytes of
memory.
Processor board ID FOC0711072N (2350872456), with hardware revision 
MPC860P processor: part number 5, mask 2
1 FastEthernet interface
1 Serial interface
WIC T1-DSU
32K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)


interface FastEthernet0
 ip address 192.168.x.x 255.255.255.0
 ip nat inside
interface Serial0
 ip address x.x.x.x 255.255.255.252
 ip nat outside

ip nat inside source list 100 interface Serial0 overload
ip nat inside source static tcp z.z.z.z 443 v.v.v.v 443 extendable
ip nat inside source static tcp y.y.y.y 1720 v.v.v.v 1720 extendable
ip nat inside source static tcp z.z.z.z 3389 v.v.v.v 3389 extendable
ip nat inside source static tcp y.y.y.y 60000 v.v.v.v 60000 extendable
ip nat inside source static udp y.y.y.y 60000 v.v.v.v 60000 extendable
ip nat inside source static tcp y.y.y.y 60001 v.v.v.v 60001 extendable
ip nat inside source static udp y.y.y.y 60001 v.v.v.v 60001 extendable
ip nat inside source static tcp y.y.y.y 60002 v.v.v.v 60002 extendable
ip nat inside source static udp y.y.y.y 60002 v.v.v.v 60002 extendable
ip nat inside source static tcp y.y.y.y 60003 v.v.v.v 60003 extendable
ip nat inside source static udp y.y.y.y 60003 v.v.v.v 60003 extendable
ip nat inside source static tcp y.y.y.y 60004 v.v.v.v 60004 extendable
ip nat inside source static udp y.y.y.y 60004 v.v.v.v 60004 extendable
ip nat inside source static tcp y.y.y.y 60005 v.v.v.v 60005 extendable
ip nat inside source static udp y.y.y.y 60005 v.v.v.v 60005 extendable
ip nat inside source static tcp y.y.y.y 60006 v.v.v.v 60006 extendable
ip nat inside source static udp y.y.y.y 60006 v.v.v.v 60006 extendable
ip nat inside source static tcp y.y.y.y 60007 v.v.v.v 60007 extendable
ip nat inside source static udp y.y.y.y 60007 v.v.v.v 60007 extendable
ip nat inside source static tcp y.y.y.y 60008 v.v.v.v 60008 extendable
ip nat inside source static udp y.y.y.y 60008 v.v.v.v 60008 extendable
ip nat inside source static tcp y.y.y.y 60009 v.v.v.v 60009 extendable
ip nat inside source static udp y.y.y.y 60009 v.v.v.v 60009 extendable
ip nat inside source static tcp y.y.y.y 60010 v.v.v.v 60010 extendable
ip nat inside source static udp y.y.y.y 60010 v.v.v.v 60010 extendable
ip nat inside source static tcp y.y.y.y 60011 v.v.v.v 60011 extendable
ip nat inside source static udp y.y.y.y 60011 v.v.v.v 60011 extendable
ip nat inside source static tcp y.y.y.y 60012 v.v.v.v 60012 extendable
ip nat inside source static udp y.y.y.y 60012 v.v.v.v 60012 extendable
ip nat inside source static tcp y.y.y.y 60013 v.v.v.v 60013 
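Before any NAT debugging on a config like the one above, the cheap check is a mechanical one: do the static entries cover the vendor's three rules, and what else does the router forward that nobody asked about? This added example (not from Tim's post) parses `ip nat inside source static` lines in the format shown and answers both questions. The addresses are RFC 5737 documentation ranges standing in for the x/y/z/v placeholders, and the line set is constructed to mirror the pattern in the post (1720, 443 and 3389 statics plus a block of TCP/UDP 60000-series forwards).

```python
"""Review IOS static NAT entries against an H.323 port-forwarding requirement.

Added example, not from the original post. Parses 'ip nat inside source static'
lines as they appear in the post and reports (a) whether the vendor's rules are
met for the video system and (b) every forward that reaches some other host,
which is what a reviewer of an inherited router wants listed first.
"""
import re

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)

# Vendor rules quoted in the post: H.225 signalling on 1720/TCP plus at least
# two TCP and eight UDP ports in the 60000-64999 range, all to the video system.
SIGNALLING_PORT = 1720
MEDIA_RANGE = range(60000, 65000)
MIN_TCP_MEDIA, MIN_UDP_MEDIA = 2, 8


def parse_static_nat(config_text):
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port) tuples."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            entries.append((proto, in_ip, int(in_port), out_ip, int(out_port)))
    return entries


def check_h323_forwarding(entries, device_ip):
    """Evaluate the vendor rules against the forwards that land on device_ip."""
    tcp = {out_port for proto, in_ip, _, _, out_port in entries
           if proto == "tcp" and in_ip == device_ip}
    udp = {out_port for proto, in_ip, _, _, out_port in entries
           if proto == "udp" and in_ip == device_ip}
    tcp_media = sum(1 for p in tcp if p in MEDIA_RANGE)
    udp_media = sum(1 for p in udp if p in MEDIA_RANGE)
    return {
        "signalling": SIGNALLING_PORT in tcp,
        "tcp_media_ports": tcp_media,
        "udp_media_ports": udp_media,
        "meets_requirement": (SIGNALLING_PORT in tcp
                              and tcp_media >= MIN_TCP_MEDIA
                              and udp_media >= MIN_UDP_MEDIA),
    }


def other_forwards(entries, device_ip):
    """Forwards that reach hosts other than the video system, as (proto, host, port)."""
    return sorted((proto, in_ip, out_port)
                  for proto, in_ip, _, _, out_port in entries
                  if in_ip != device_ip)


# Constructed config mirroring the post: 192.0.2.10 is the video system,
# 192.0.2.20 another inside host, 198.51.100.10 the router's public address.
SAMPLE_CONFIG = "\n".join(
    ["ip nat inside source list 100 interface Serial0 overload",
     "ip nat inside source static tcp 192.0.2.20 443 198.51.100.10 443 extendable",
     "ip nat inside source static tcp 192.0.2.10 1720 198.51.100.10 1720 extendable",
     "ip nat inside source static tcp 192.0.2.20 3389 198.51.100.10 3389 extendable"]
    + [f"ip nat inside source static {proto} 192.0.2.10 {p} 198.51.100.10 {p} extendable"
       for p in range(60000, 60008) for proto in ("tcp", "udp")]
)

if __name__ == "__main__":
    entries = parse_static_nat(SAMPLE_CONFIG)
    print("H.323 requirement:", check_h323_forwarding(entries, "192.0.2.10"))
    for proto, host, port in other_forwards(entries, "192.0.2.10"):
        print(f"also forwarded: {proto}/{port} -> {host}")
```

If the requirement check passes, the inbound-call failure is not a missing forward and the debugging moves to the NAT translations and the device's own H.323 NAT settings; if it lists forwards to hosts nobody can account for (3389 to a second host, in this pattern), those belong on the same to-do list as the credential cleanup Tim mentions.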

Re: [c-nsp] Router advice

2009-11-18 Thread Seth Mattinen
Ed W wrote:
 Greetings,
 
 I've been out of the market on the latest Cisco routers for a while and I'm
 looking for some info about a router to use in a small co-located
 environment.
 
 Basic requirements:
 2 Copper FastE/GigE
 50-75 Mbps throughput
 HSRP
 NetFlow
 Basic ACLs/null routing for Bogons, etc.
 No dynamic routing
 No NAT/PAT
 
 Preferably 1U
 More than 2 FE interfaces, IPv6 support and room to grow into a BGP session
 or two would be nice, but not required.
 Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP
 channels mixed in (G711 & G729)
 
 My first thought after some research was a 2800 series, but NetFlow seems
 like a possible red flag.
 

The 2800's support netflow just fine, but you won't get that kind of
performance out of a 2811 (fastest 1U), nor anything else in the 2800
line over a handful of single large packet flows. 3845 *maybe* depending
on features, but it's 3U. If you need 1U then go for a 7201 which is
basically a 1U 7200VXR NPE-G2.

~Seth


[c-nsp] Issues with Cisco Catalyst 4900M

2009-11-18 Thread Adam Rothschild
Hi all,

Anybody out there running into CPU exhaustion issues on this box (or a
non-fixed-configuration Sup6E, ...), linked to the low priority
management process and its dependencies?

I'm specifically tracking CSCta54369 (High CPU caused due to
K5AclCamStatsMan hw process) along with CSCta77487 (High cpu in K5L3
review jobs with incomplete arps and big routing table).

Cisco's troubleshooting guide[1] provides an interesting top-level
overview of the architecture, though stops short of dispensing
meaningful configuration pointers, assuming they exist.

I've got a TAC case going, meanwhile any clues and/or experiences from
the field, on- or off-list, would be greatly appreciated. :-)

Thanks in advance,
-a

[1] 
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml


Re: [c-nsp] Issues with Cisco Catalyst 4900M

2009-11-18 Thread James Slepicka
Not specifically seeing these issues, but I have at least one 4900M and 
a few 4500 Sup6E's running 12.2(52/53)SG that are experiencing CPU 
issues.  When configured with sub-second OSPF hello timers, they drop 
adjacencies when I copy a file (ftp/tftp) to bootflash.  High CPU 
utilization in the Exec/Virtual Exec process.  I suspect something is 
messed up with the scheduling/prioritization of processes.  This may be 
causing the issues that you're seeing as well.


BTW -- the OSPF issue is bug id CSCsw84727.  Cisco says it's fixed in 
12.2(52 and 53)SG, but it's obviously not.  Still waiting on resolution 
for this one.


Adam Rothschild wrote:

Hi all,

Anybody out there running into CPU exhaustion issues on this box (or a
non-fixed-configuration Sup6E, ...), linked to the low priority
management process and its dependencies?

I'm specifically tracking CSCta54369 (High CPU caused due to
K5AclCamStatsMan hw process) along with CSCta77487 (High cpu in K5L3
review jobs with incomplete arps and big routing table).

Cisco's troubleshooting guide[1] provides an interesting top-level
overview of the architecture, though stops short of dispensing
meaningful configuration pointers, assuming they exist.

I've got a TAC case going, meanwhile any clues and/or experiences from
the field, on- or off-list, would be greatly appreciated. :-)

Thanks in advance,
-a

[1] 
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml


Re: [c-nsp] Issues with Cisco Catalyst 4900M

2009-11-18 Thread James Slepicka
Just a quick follow-up on this one (took me a while to find the email).  
Cisco's response:


CSCsw84727 not present in 12.2(52)SG. As the fix was non trivial, it is 
undergoing testing. It will be in Fall08 SG4 (12.2.(50)SG4). And in the 
Zanzibar release 12.2.(54)SG.


James Slepicka wrote:
Not specifically seeing these issues, but I have at least one 4900M 
and a few 4500 Sup6E's running 12.2(52/53)SG that are experiencing CPU 
issues.  When configured with sub-second OSPF hello timers, they drop 
adjacencies when I copy a file (ftp/tftp) to bootflash.  High CPU 
utilization in the Exec/Virtual Exec process.  I suspect something is 
messed up with the scheduling/prioritization of processes.  This may 
be causing the issues that you're seeing as well.


BTW -- the OSPF issue is bug id CSCsw84727.  Cisco says it's fixed in 
12.2(52 and 53)SG, but it's obviously not.  Still waiting on 
resolution for this one.


Adam Rothschild wrote:

Hi all,

Anybody out there running into CPU exhaustion issues on this box (or a
non-fixed-configuration Sup6E, ...), linked to the low priority
management process and its dependencies?

I'm specifically tracking CSCta54369 (High CPU caused due to
K5AclCamStatsMan hw process) along with CSCta77487 (High cpu in K5L3
review jobs with incomplete arps and big routing table).

Cisco's troubleshooting guide[1] provides an interesting top-level
overview of the architecture, though stops short of dispensing
meaningful configuration pointers, assuming they exist.

I've got a TAC case going, meanwhile any clues and/or experiences from
the field, on- or off-list, would be greatly appreciated. :-)

Thanks in advance,
-a

[1] 
http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml 




Re: [c-nsp] Router advice

2009-11-18 Thread Matthew White
I don't know if the 7201 will accept PVDMs, so if you need to do voice xcoding 
on your box that may be a show stopper.

According to Cisco's marketing speak the new 2900s will do up to 75Mbps with 
services such as security, mobility and WAN optimization. However, it is 2U.



-mtw

 

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
 Sent: Wednesday, November 18, 2009 12:54 PM
 To: 'Scott Granados'; Ed W; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Router advice
 
 The 7201 is 1RU. It's basically an NPE-G2 shoehorned into a 
 1RU chassis.
 
 -b
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
 Sent: Wednesday, November 18, 2009 12:50 PM
 To: Ed W; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Router advice
 
 I'm thinking 7200 series makes sense for you although I 
 believe they are 
 more than 1U.
 
 - Original Message - 
 From: Ed W ed.whitesell+li...@gmail.com
 To: cisco-nsp@puck.nether.net
 Sent: Wednesday, November 18, 2009 12:09 PM
 Subject: [c-nsp] Router advice
 
 
  Greetings,
 
  I've been out of the market on the latest Cisco routers for 
 a while and 
  I'm
  looking for some info about a router to use in a small co-located
  environment.
 
  Basic requirements:
  2 Copper FastE/GigE
  50-75 Mbps throughput
  HSRP
  NetFlow
  Basic ACLs/null routing for Bogons, etc.
  No dynamic routing
  No NAT/PAT
 
  Preferably 1U
  More than 2 FE interfaces, IPv6 support and room to grow into a BGP 
  session
  or two would be nice, but not required.
  Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) 
 and some VOIP
  channels mixed in (G711 & G729)
 
  My first thought after some research was a 2800 series, but 
 NetFlow seems
  like a possible red flag.
 
  I'd be open to hearing about other vendors' options that meet the
  requirements (offlist of course), but no Build Your 
 Own/Quagga options.
 
  Thanks,
  Ed


Re: [c-nsp] Router advice

2009-11-18 Thread Seth Mattinen
Ivan wrote:
 You may also want to check out the new ISR models (ISR G2
 http://www.cisco.com/go/isrg2).
 

I get the impression from reading about the new universal image that
they phone home for license keys before it will activate features. Is
this accurate?

~Seth


Re: [c-nsp] Router advice

2009-11-18 Thread Ivan
You may also want to check out the new ISR models (ISR G2 
http://www.cisco.com/go/isrg2).


Ivan

Seth Mattinen wrote:

Ed W wrote:
  

Greetings,

I've been out of the market on the latest Cisco routers for a while and I'm
looking for some info about a router to use in a small co-located
environment.

Basic requirements:
2 Copper FastE/GigE
50-75 Mbps throughput
HSRP
NetFlow
Basic ACLs/null routing for Bogons, etc.
No dynamic routing
No NAT/PAT

Preferably 1U
More than 2 FE interfaces, IPv6 support and room to grow into a BGP session
or two would be nice, but not required.
Traffic will be mostly HTTP/HTTPS, Mail (IMAP, POP, SMTP) and some VOIP
channels mixed in (G711 & G729)

My first thought after some research was a 2800 series, but NetFlow seems
like a possible red flag.




The 2800's support netflow just fine, but you won't get that kind of
performance out of a 2811 (fastest 1U), nor anything else in the 2800
line over a handful of single large packet flows. 3845 *maybe* depending
on features, but it's 3U. If you need 1U then go for a 7201 which is
basically a 1U 7200VXR NPE-G2.

~Seth


Re: [c-nsp] Router advice

2009-11-18 Thread manolo hernandez

Seth Mattinen wrote:
 Ivan wrote:
 You may also want to check out the new ISR models (ISR G2
 http://www.cisco.com/go/isrg2).

 
 I get the impression from reading about the new universal image that
 they phone home for license keys before it will activate features. Is
 this accurate?
 
 ~Seth
 
What if the device is not connected to the internet?



Manolo


Re: [c-nsp] need a suggestion for a good lab switch

2009-11-18 Thread Peter Rathlev
On Wed, 2009-11-18 at 11:40 -0800, Scott Granados wrote:
 I have a lab that uses a Foundry 4802 for routing / switching.
 This item is ready to end its lease and I need to replace it with
 something more current.  I'm looking for 48 ports of preferably
 10/100/1000 ethernet, layer 3 routing capability (mostly static
 routing) and spanning tree support. Good multicast support would be a
 requirement as well.  Which Cisco products would folks suggest would
 fit the bill?  Any pointers would be appreciated. Also, in parallel
 with this and to save list traffic is there a good general product
 card type page that shows the various Cisco products, a brief
 explanation of their configurations / options and model number?  Is
 there a central spot with all that in one place?  I appreciate the
 pointers.

The 3560 seems to fit this bill. AFAIK it's the smallest switch to
support L3 forwarding. We have used them extensively as OSPF access
routers with no problems.

-- 
Peter




Re: [c-nsp] SXI(3) code status?

2009-11-18 Thread Gert Doering
Hi,

On Wed, Nov 18, 2009 at 03:39:44PM -0500, Tim Durack wrote:
 SXI3 has also removed patching ability:
 
 Installer/patching capability is removed starting from some of the
 new images in SXI. Installer patching support will continue on SXH and
 SXF. For Cisco IOS 12.2(33)SXI3, ION patching is no longer supported.

Hooray.  There goes the hope that ION will eventually fulfill the
original promise: "BGP bug?  no problem, install patch, restart bgpd, no 
reboot needed"...

 Would be even better if Cisco admitted defeat and ported NX-OS to C6K...

Indeed.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de



Re: [c-nsp] SXI(3) code status?

2009-11-18 Thread Mark Tinka
On Wednesday 18 November 2009 06:40:39 pm Daniska, Tomas 
wrote:

 Which one that was? We've been hit by a bug when using
 TAC+ out of a VRF. Initial user authentication is OK, but
 the subsequent enable auth outgoing packets do not have
 the proper VRF set and go out the GRT instead. Funny
 enough, the return packet returns via the VRF and the box
 eats it.

In our case, using TACACS+ also, initial user 
authentications works fine, but the switch refuses to 
authenticate against the regular enable password and instead 
chooses the fallback password.

In all honesty, we didn't debug this for too long because we 
only have 4 units in operation (core), were too busy with 
other stuff, and we could just work around it by adjusting 
RANCID's .cloginrc details (which were the most important).

The issue is fixed in SXI2a (perhaps even earlier, in later 
versions post SXH3), and we didn't do anything to our 
TACACS+ backend.

Cheers,

Mark.



Re: [c-nsp] vlan across a routed link

2009-11-18 Thread Mark Tinka
On Wednesday 18 November 2009 10:39:42 pm Oliver Boehmer 
(oboehmer) wrote:

 Please consider technologies for this where you don't
 need to extend spanning tree. for example L2VPN (EoMPLS,
 VPLS), or loop-free topologies using VSS where you can
 disable STP between campuses..

Or just IP, if all locations are being connected to forward 
IP traffic.

Cheers,

Mark.



Re: [c-nsp] vlan across a routed link

2009-11-18 Thread Mark Tinka
On Wednesday 18 November 2009 11:10:22 pm 
mas...@nexlinx.net.pk wrote:

 what’s wrong in extending your spanning-tree domain, as
 long as numbers of nodes are not too many?

You can't know that the number of nodes or VLANs won't 
grow. And chances are, they will.

 People are
 using trunk links between different sites across the
 world in an enterprise environment,  and this is for what
 you use a trunk link.

Fair point. 

Digressing a little from the OP's post, control planes for 
Ethernet in the LAN (and small WAN) have different 
characteristics from various points of view when considered 
for large scale, probably Metro deployments.

 I would prefer the usage of trunk
 links and routed VLAN interfaces over EoMPLS and VPLS.

YMMV, but the performance of IP and EoMPLS shouldn't be that 
different since it's all done in hardware. VPLS is a little 
more complex by its nature.

 (keeping in mind the throughput issues on EoMPLS, mtu
 problems and overall network complexity)

I'm not sure increased MTU requirements make a network any 
more complex. Besides, in a campus LAN/WAN with your own 
fibre, you can control the MTU on each of the links, which 
is great.

Cheers,

Mark.
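
An added example (mine, not from the thread) of the MTU arithmetic behind the "mtu problems" raised above: the core MTU an EoMPLS pseudowire needs to carry a customer VLAN across the routed core, and a check of each core link against it. The byte counts are the standard Ethernet/802.1Q/MPLS header sizes; the link names and MTUs are constructed sample data.

```python
from dataclasses import dataclass

ETH_HEADER = 14     # dst MAC + src MAC + EtherType
DOT1Q_TAG = 4       # one 802.1Q tag
MPLS_LABEL = 4      # one MPLS label stack entry
CONTROL_WORD = 4    # pseudowire control word, when negotiated


def eompls_frame_size(payload=1500, customer_tags=1, labels=2, control_word=True):
    """Bytes a core link must carry after its own Ethernet header and before
    its FCS, i.e. what the core interface 'mtu' has to cover.

    payload:       customer L3 MTU (1500 for plain Ethernet hosts)
    customer_tags: 802.1Q tags carried inside the pseudowire (1 for a trunk)
    labels:        label stack depth: PW label + transport label = 2, plus
                   one for each FRR/TE label in use
    """
    inner_frame = ETH_HEADER + customer_tags * DOT1Q_TAG + payload
    overhead = labels * MPLS_LABEL + (CONTROL_WORD if control_word else 0)
    return inner_frame + overhead


@dataclass
class Link:
    name: str
    mtu: int        # configured 'mtu' on the core interface


def undersized_links(links, required):
    """Return (name, shortfall) for every core link whose MTU is too small."""
    return [(l.name, required - l.mtu) for l in links if l.mtu < required]


# Constructed sample core: two links already at jumbo size, one left at default.
SAMPLE_CORE = [Link("PE1-P1", 9216), Link("P1-P2", 1500), Link("P2-PE2", 9216)]

if __name__ == "__main__":
    need = eompls_frame_size()          # 1530 for the defaults
    print("core MTU needed:", need)
    for name, short in undersized_links(SAMPLE_CORE, need):
        print(f"{name}: raise mtu by {short} bytes")
```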



Re: [c-nsp] IOS XR version you use

2009-11-18 Thread Farhan Jaffer
3.6.2 (only on CRS) so far. We upgraded 3-4 months back on Cisco AS
recommendation. No added features needed for 3.8.

-FJ

On Wed, Nov 18, 2009 at 4:11 PM, Per Carlson per...@gmail.com wrote:

 Hi.

  I look for a good choice of XR to upgrade to from 3.5. In terms of
 features
  there are no mandatory ones that could drive us to do 3.8 instead of 3.6
  Does anyone of you use 3.8 in a production environment? Please share any
  thoughts on this.

 We are using 3.5.4 (CRS and XR12k) and do plan a move to 3.6.3 on both
 platforms. XR 3.8 didn't give us any needed features either, and the
 lower exposure in the wild made the choice of 3.6 rather easy.

 --
 Pelle