[c-nsp] Idle sessions on 12.2(33)SR cause high CPU
Hi,

As a result of issues at an exchange point over the last few days, a number of us (ISPs) have noticed an issue with BGP sessions sitting in the Idle state, because the other end is shut down.

Basically, it appears that on Sup720s at least, once you reach a critical number of sessions in Idle (More than 5, less than 20) the CPU usage increases to 30%, all down to the BGP Router process. 30ish sessions down and it's up to 50% - we've had ours up to 70% as a result of this, although I don't know how many sessions were down at that point.

This behaviour has been confirmed on 12.2(33)SRC4 and 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on CRS-1s.

Has anyone seen this before and know if it's a known issue with a BugID associated? A workaround is to apply neigh x.x.x.x transport connection passive but this clearly isn't optimal.
Re: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
Yes I've experienced this on a 7600 running 12.2(33)SRC3. I have experienced it a number of times too, one of which was the XP issue you mention. You don't want too many people configuring passive sessions as having that on both ends is equally as bad as shutting down the session.

--Dan
Re: [c-nsp] Cisco Pagent IOS
luismi wrote:
> Not Found
> The requested URL /matrix was not found on this server.

Bah. Stupid apache... http://external.net.ic.ac.uk/matrix/

It's really nothing special, just an example of a running dbeacon install. The dbeacon homepage is here: http://fivebits.net/proj/dbeacon/
Re: [c-nsp] DSL signals vs DOCSIS
I understand that they use different frequency ranges, but why can't the DSL frequencies be converted and sent over fiber somewhere between the CPE and the DSLAM?

On Thu, Dec 10, 2009 at 11:41 PM, Dmitry Kiselev dmi...@dmitry.net wrote:
> Hello!
>
> On Thu, Dec 10, 2009 at 08:48:27PM -0800, Yuri Bank wrote:
> > Why can't DSL signals pass through fiber optics, yet we have HFC networks that obviously have no issues going from copper to fiber. The modulation techniques DOCSIS and DSL use are similar, so what prevents this from working with DSL? Is it that the RF is too weak and the conversion process messes up the signal?
>
> It is because very different frequency ranges:
>
> DSL     0.02-1.1 MHz for both up and downstreams
> DOCSIS  16-30 MHz for upstream
>         50-800 MHz for downstream
>
> --
> Dmitry Kiselev
Re: [c-nsp] DSL signals vs DOCSIS
On Fri, 11 Dec 2009, Yuri Bank wrote:
> I understand that they use different frequency ranges, but why can't the DSL frequencies be converted and sent over fiber somewhere between the CPE and the DSLAM?

Why would you want to run DSL when you have fiber?

--
Mikael Abrahamsson    email: swm...@swm.pp.se
[c-nsp] ip verify header drop-tiny-fragment command
Hi all,

Can anyone tell me the impact of configuring ip verify header drop-tiny-fragment on a router running 12.2src5? The router is running several VRFs, and I don't know if this command applies to all VRFs. Nor have I found documentation on how I can see that the command is doing what is expected, or if it has dependencies...

Any idea?
Re: [c-nsp] ip verify header drop-tiny-fragment command
It is 7200 :]
Re: [c-nsp] DSL signals vs DOCSIS
Yuri,

If you have fiber between the CPE and the DSLAM, then you do not need DSL... You just deliver FTTH (Fiber to the Home).

If you have fiber for only part of the way, then you deploy a mini-DSLAM (which is what is being done in many places), and then use the fiber for upstream connectivity for the mini-DSLAM.

Arie
Re: [c-nsp] DSL signals vs DOCSIS
On Fri, Dec 11, 2009 at 04:46:24AM -0800, Yuri Bank wrote:
> I understand that they use different frequency ranges, but why can't the DSL frequencies be converted and sent over fiber somewhere between the CPE and the DSLAM?

They could be. Do you think installing devices to do that at the point where the fiber meets the copper would be cheaper or better than installing small DSLAMs at the point where the fiber meets the copper? If so, why?

--
Brett
[c-nsp] IOS Upgrade to SXI3
We're contemplating upgrading our SUP 720 3BXL from 12.2(18)SXF15a native IOS to 12.2(33)SXI3 modular IOS but I read from the release notes that the Install command has been deprecated. On Cisco's Safe Harbor IOS Release, they have tested and recommend upgrading to modular 12.2(33)SXI3. There's no explanation on why they deprecated the install command and I'm waiting for our Cisco SE response.

I'd appreciate any feedback from those people who have upgraded to SXI3, in modular or otherwise.

Thanks,
Noel
[c-nsp] IPV6
It's been a while since I worked with IPV6 and I am now once again plunging myself into this feckless world and was wondering if a couple of holes had now been plugged.

What is the accepted way in IPV6 land to dish out IPV6 DNS server addresses (am I correct in saying that if you make use of NDP, you would still have to manually configure DNS servers)?

The other hole, as was, is the lack of IPV6 help address functionality on Cisco routers (well 6500s at least): if I were to go down the route of using DHCP for IPV6, how could I use a central server without this helper functionality?

Ta.

Michael
Re: [c-nsp] IOS Upgrade to SXI3
Hi Noel,

From what I remember of recent discussions on here, modular is to be avoided. It has no benefit (there have not been any patches) and is not used as much so not tested by real life use.

Ian
Re: [c-nsp] IPV6
Well you can use Stateless DHCP for handing out DNS, SIP, NTP, etc., and there is the following command for DHCP relay services under the interface config:

    ipv6 dhcp relay destination X:X:X:X::X
Re: [c-nsp] IOS Upgrade to SXI3
Hi

On Fri, Dec 11, 2009 at 03:52:54PM +, Mackinnon, Ian wrote:
> From what I remember of recent discussions on here, modular is to be avoided. It has no benefit (there have not been any patches) and is not used as much so not tested by real life use.

Well, in theory it should at least have the benefit of proper memory protection between processes, and thus, less likely to crash the whole box if a process does stupid things.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
Re: [c-nsp] IOS Upgrade to SXI3
2009/12/11 Bautista, Noel nbauti...@cts.ucla.edu:
> I'd appreciate any feedback from those people who have upgraded to SXI3, in modular or otherwise.

Death of a Sup720-3B prompted me to jump from SXD3 to SXI3 on the replacement. Took my config and retained desired function with no issues. Running EIGRP to my distribution, OSPF with some very HA servers, FWSM on 3.2(13) and one VRF-Lite instance to separate the L3 across the FWSM. Will be running BGP in the VRF in the new year.

We're a Campus network and are seldom bitten by bugs as our change delta is small by comparison to SPs that turn up and down customers regularly.

I'll 2nd Ian in saying that the collective wisdom of this list has made me disregard modular IOS as a production-ready technology.

Cheers
--
Chris
Re: [c-nsp] IOS Upgrade to SXI3
-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: 11 December 2009 16:07
To: Mackinnon, Ian
Cc: Bautista, Noel; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS Upgrade to SXI3

> Hi
>
> On Fri, Dec 11, 2009 at 03:52:54PM +, Mackinnon, Ian wrote:
> > From what I remember of recent discussions on here, modular is to be avoided. It has no benefit (there have not been any patches) and is not used as much so not tested by real life use.
>
> Well, in theory it should at least have the benefit of proper memory protection between processes, and thus, less likely to crash the whole box if a process does stupid things.

Interesting, so given the email earlier today by somebody experiencing BGP problems at a well known IX with lots of sessions where the other end is shut down, would this have still been an issue?

It's been a while since I looked at modular, but is there not a large IOS process that is most things in one place anyway?

Ian
[c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
Howdy all,

Last night I had an interesting encounter on one of my 6509s /w SUP7203-BXL. This switch has 3x iBGP sessions with full internet tables and is also running OSPF. Two of the three iBGP sessions randomly dropped with:

    %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes

I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired and then re-established, and then failed again, and re-established, and failed again, and so-on, and so-on.

I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors, there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs and also during that time there was a lot of CPU time being eaten up, I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail, the issue eventually corrected itself and stabilized.

This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug. Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes? A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster, I don't know if that's true or not, has anyone else found that?

thanks,
-Drew
[c-nsp] 3560g PoE issue
Hi,

I am observing a problem with the 48-port 3560G in the LAN infrastructure. We have Alcatel IP phones which are connected to 3560G switches. Sometimes these IP phones do not power up; after restarting the switch the IP phones power up. As per Cisco theory it delivers an average of 7.7w on all 48 ports or 15.4 w on 24 ports. I tried shut, no shut after the IP phones power down, and also tried to allocate 10-14w power on that particular interface, but no use. What could be the issue?

Regards,
Nilesh
[c-nsp] EIGRP route knob tuning
Anyone know what Cisco's plans are for the metrics in EIGRP? 10GE has the bandwidth set at max and the delay set to minimum, so how are they going to handle 40GB and 100GB? Are there any whitepapers posted?

I ran into this a while ago looking at our core routing. The SVI on a 6500 is set to a bandwidth equal to a gig-e interface, so we had some inefficient routing given that we had 10GE layer 3 connections to our distribution. Some routes were heading to the distribution and back rather than across the Layer 2 trunk because the Layer 2 trunk SVI had lower bandwidth. Adjusting the SVI to the max (same as a 10GB interface) fixed the problem. What happens when 100GB uplinks appear?

Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
Re: [c-nsp] IOS Upgrade to SXI3
Hi,

On Fri, Dec 11, 2009 at 04:12:59PM +, Mackinnon, Ian wrote:
> > Well, in theory it should at least have the benefit of proper memory protection between processes, and thus, less likely to crash the whole box if a process does stupid things.
>
> Interesting, so given the email earlier today by somebody experiencing BGP problems at a well known IX with lots of sessions where the other end is shut down, would this have still been an issue?

I'm not really sure what is happening there - but I doubt that modular would help much with a process that is burning CPU needlessly.

> It's been a while since I looked at modular, but is there not a large IOS process that is most things in one place anyway?

I'm not exactly sure how it works. There's different kinds of processes, some of them having sub-processes. The one that has BGP in it is iprouting.iosproc. All the old IOS stuff seems to be ios-base.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
Re: [c-nsp] IPV6
Michael Robson wrote:
> It's been a while since I worked with IPV6 and I am now once again plunging myself into this feckless world and was wondering if a couple of holes had now been plugged. What is the accepted way in IPV6 land to dish out IPV6 DNS server addresses (am I correct in saying that if you make use of NDP, you would still have to manually configure DNS servers)? The other hole, as was, is the lack of IPV6

There are 4 methods:

* Don't use IPv6 DNS - use IPv4 DNS servers (via DHCPv4 or other). I believe this is pretty common
* Static config of IPv6 DNS servers, possibly using an anycast address (I seem to recall there are products which try a well-known DNSv6 address, but I can't remember what products, and what address)
* Advertisement in RA packets - RFC 5006. I think support for this on IOS is pretty thin - I'm fairly sure 6500s don't support it and don't have it roadmapped (sigh)
* DHCPv6

> help address functionality on Cisco routers (well 6500s at least): if I were to go down the route of using DHCP for IPV6, how could I use a central server without this helper functionality?

6500s running SXI have gained the DHCPv6 relay support. Sadly, it doesn't interoperate with 6vPE (which we use) so I've only tested it lightly, but it more or less worked.

Of course, many clients don't support DHCPv6 (e.g. WinXP) so you may still need a solution for those.
Re: [c-nsp] IPV6
On Fri, 11 Dec 2009, Michael Robson wrote:
> It's been a while since I worked with IPV6 and I am now once again plunging myself into this feckless world and was wondering if a couple of holes had now been plugged.
>
> What is the accepted way in IPV6 land to dish out IPV6 DNS server addresses (am I correct in saying that if you make use of NDP, you would still have to manually configure DNS servers)?

Use DHCPv6 or if your clients are supporting it you can distribute DNS information via RAs. Support for adding DNS info to RA is not implemented on cisco routers yet.

> The other hole, as was, is the lack of IPV6 help address functionality on Cisco routers (well 6500s at least): if I were to go down the route of using DHCP for IPV6, how could I use a central server without this helper functionality?

No DHCPv6 helper functionality, but DHCPv6 relay functionality, however I don't know the implementation status on various cisco boxes.

Regards,
Janos Mohacsi
Re: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
Yes, SRC3 has a known bug related to memory leaks on idle/active BGP peers:

CSCsy58115 Bug Details
Continuous BGP mem increase with non established neighbors

Symptom: In a router running BGP the BGP Router process may hold increased amounts of memory over time without freeing any memory. This may also be seen from the output of show proc mem sort and in the output of show ip bgp sum or show ip bgp vpnv4 all sum and looking at the number of BGP attributes which may be increasing over time in relation to the BGP prefixes and paths which may remain roughly the same.

Conditions: Some BGP neighbors are not in established state and exchanging prefixes. The issue is observed on all platforms running 12.2(31)SB14, 12.2(33)SB1b, 12.2(33)SB2, 12.2(33.05.14)SRB, 12.2(33.02.09)SRC, 12.2(33)SRC3, 12.4(20)T2, 12.4(22)T1, 12.2(33)SXI or later releases.

Workaround: Remove the configuration lines related to the inactive neighbors (neighbors in Idle or Active states).
Re: [c-nsp] EIGRP route knob tuning
We encountered the same thing as we deployed 10G links. It was definitely an EIGRP learning experience. We found docs out there that describe changing K values to ignore bandwidth and then manipulate delay in order to achieve optimal routing. When you do this the protocol is supposed to be more OSPF like in the sense that the only value factoring into the equation is a cumulative cost of sorts. This sounded scary to me so we opted for your solution. We set the edge SVIs to maximum bandwidth so they would never be considered in the minimum bandwidth calculation, and then we make sure the SVIs on our L2 trunks are set to the same BW as the underlying link 1G or 10G...
Re: [c-nsp] IOS Upgrade to SXI3
On Fri, Dec 11, 2009 at 11:40 AM, Gert Doering g...@greenie.muc.de wrote:

Hi,

On Fri, Dec 11, 2009 at 04:12:59PM +, Mackinnon, Ian wrote:

Well, in theory it should at least have the benefit of proper memory protection between processes, and thus, less likely to crash the whole box if a process does stupid things.

Interesting, so given the email earlier today by somebody experiencing BGP problems at a well known IX with lots of sessions where the other end is shut down, would this have still been an issue?

I'm not really sure what is happening there - but I doubt that modular would help much with a process that is burning CPU needlessly.

It's been a while since I looked at modular, but is there not a large IOS process that is most things in one place anyway?

I'm not exactly sure how it works. There's different kinds of processes, some of them having sub-processes. The one that has BGP in it is iprouting.iosproc. All the old IOS stuff seems to be ios-base.

We've been running 12.2SX Modular IOS on a set of SUP720s for over a year. It hasn't done us any good. Still suffer from memory/cpu issues. Modular will burn at least an extra 10% cpu, and won't give any observable benefits. With the removal of install/patching in SXI3, we have decided to move back to monolithic.

Cisco doesn't appear to have the engineering resources and/or will-power to move IOS into the 20th Century (pre-emptive multitasking with memory and process containment.) It is more beneficial for them to sell you new products with better versions of IOS.

Tim:
Re: [c-nsp] EIGRP route knob tuning
It makes perfect sense, but was quite a shock when it dawned on me what was happening. I made about the same changes you described and everything works fine now. However, it won't work at all when 40GB/100GB interfaces begin shipping. Or even if you wanted to make the bandwidth correct on aggregated 10gb trunks. I assume Cisco will have to come up with some new EIGRP version that's backward compatible which will encapsulate the old metrics within a new larger field. Anyone hear anything about this yet from Cisco?

Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-----Original Message-----
From: Murphy, William [mailto:william.mur...@uth.tmc.edu]
Sent: Friday, December 11, 2009 12:42 PM
To: Matthew Huff; cisco-nsp@puck.nether.net
Subject: RE: EIGRP route knob tuning

We encountered the same thing as we deployed 10G links. It was definitely an EIGRP learning experience. We found docs out there that describe changing K values to ignore bandwidth and then manipulate delay in order to achieve optimal routing. When you do this the protocol is supposed to be more OSPF like in the sense that the only value factoring into the equation is a cumulative cost of sorts. This sounded scary to me so we opted for your solution. We set the edge SVIs to maximum bandwidth so they would never be considered in the minimum bandwidth calculation, and then we make sure the SVIs on our L2 trunks are set to the same BW as the underlying link 1G or 10G...
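The routing behaviour discussed in this thread, worked through with the classic EIGRP composite metric at default K values. This is an added example, not code from any poster or from Cisco; the 10 usec delays and the two-path topology are constructed assumptions.

```python
# Added example: classic (32-bit) EIGRP composite metric, default K values
# (K1 = K3 = 1, K2 = K4 = K5 = 0). Interface values below are constructed.

REF_BW_KBPS = 10**7  # classic EIGRP reference bandwidth, in kbit/s


def bandwidth_term(min_bw_kbps):
    """Scaled bandwidth: 10^7 / slowest link on the path, truncated."""
    return REF_BW_KBPS // min_bw_kbps


def classic_metric(path):
    """path is a list of (bandwidth_kbps, delay_usec), one per outgoing interface.

    metric = 256 * (10^7 / min bandwidth + sum of delays in tens of usec)
    """
    min_bw = min(bw for bw, _ in path)
    delay_tens_usec = sum(delay // 10 for _, delay in path)
    return 256 * (bandwidth_term(min_bw) + delay_tens_usec)


def best_path(candidates):
    """Return the name of the candidate path with the lowest metric."""
    return min(candidates, key=lambda name: classic_metric(candidates[name]))


# Assumed interface values (bandwidth in kbit/s, delay in usec).
TEN_GE = (10_000_000, 10)       # routed 10GE link
SVI_AS_GIGE = (1_000_000, 10)   # SVI left at gig-e bandwidth, as in the thread
SVI_RAISED = (10_000_000, 10)   # SVI bandwidth raised to match 10GE

# Hypothetical topology: core A reaches core B either directly over the
# L2 trunk SVI, or by going up to a distribution switch and back on 10GE.
BEFORE = {"L2 trunk SVI": [SVI_AS_GIGE], "via distribution": [TEN_GE, TEN_GE]}
AFTER = {"L2 trunk SVI": [SVI_RAISED], "via distribution": [TEN_GE, TEN_GE]}


def headroom():
    """Bandwidth term for 1G, 10G, 40G and 100G links."""
    speeds = {"1G": 10**6, "10G": 10**7, "40G": 4 * 10**7, "100G": 10**8}
    return {name: bandwidth_term(kbps) for name, kbps in speeds.items()}


if __name__ == "__main__":
    for label, paths in (("before", BEFORE), ("after", AFTER)):
        for name, path in paths.items():
            print(label, name, classic_metric(path))
        print(label, "best:", best_path(paths))
    print(headroom())
```

With the SVI at gig-e bandwidth the two-hop 10GE path wins, and raising the SVI bandwidth reverses that. The 40G and 100G bandwidth terms both truncate to 0, so above 10G the classic metric can only separate paths by delay.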
Re: [c-nsp] IOS Upgrade to SXI3
We normally try to use Safe Harbor Recommended IOS and for quite some time Cisco has recommended to upgrade to a modular Release. We first tried the modular in 12.2(18)SXF7 but we backed out because of numerous problems. A Cisco SE mentioned in his presentation that at some point Cisco will only be releasing modular IOS. Safe Harbor seems to indicate this direction since they stopped testing Native IOS and recommending Modular IOS as shown from the link below. Which is why I'm looking at modular SXI3 but the install command has been deprecated. Now, it seems that Cisco is going away from Modular??

I've been testing Native IOS 12.2(33)SXI3 in our lab network running OSPF and BGP in v4 and v6 and so far it seems stable.

Thanks,
Noel

Safe Harbor Release
http://www.cisco.com/en/US/customer/solutions/ns340/ns414/ns504/networking_solutions_products_genericcontent0900aecd80694a2a.html

-----Original Message-----
From: Mackinnon, Ian [mailto:ian.mackin...@atosorigin.com]
Sent: Friday, December 11, 2009 7:53 AM
To: Bautista, Noel; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] IOS Upgrade to SXI3

Hi Noel,

From what I remember of recent discussions on here, modular is to be avoided. It has no benefit (there have not been any patches) and is not used as much so not tested by real life use.

Ian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bautista, Noel
Sent: 11 December 2009 15:45
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IOS Upgrade to SXI3

We're contemplating upgrading our SUP 720 3BXL from 12.2(18)SXF15a native IOS to 12.2(33)SXI3 modular IOS but I read from the release notes that the Install command has been deprecated. On Cisco's Safe Harbor IOS Release, they have tested and recommend upgrading to modular 12.2(33)SXI3. There's no explanation on why they deprecated the install command and I'm waiting for our Cisco SE response.

I'd appreciate any feedback from those people who have upgraded to SXI3, in modular or otherwise.

Thanks,
Noel
Re: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
Hi,

On Fri, Dec 11, 2009 at 10:19:40AM +, Zoe O'Connell wrote:
> critical number of sessions in Idle (More than 5, less than 20) the CPU

we even saw it with 2 IDLE sessions (after a reboot) where the CPU went to 50% permanently. only a shutdown of that IDLE session helped.

> point. This behaviour has been confirmed on 12.2(33)SRC4 and
> 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on

12.2(33)SRA4 was/is on that box.

br
marco
[c-nsp] ASA 5520, unable to find matching cert with digital key usage
Hi, I'm getting the following error and I've popped it in to do a search but I'm not finding much and not understanding what I did find.

The background: I am using ASA 5520 hardware. I am trying to create a trust point for certificate based authentication. I create the enrollment request without issue, submit it to our CA server and receive the new cert. I've generated the keys and everything happens error free until I go to import the new cert. I first authenticate the trust point with the CA cert which seems to be error free but when I do a

#crypto ca import trust-point-name certificate

and paste the cert I receive the can't find certificate with digital key usage error. When googling all it says is to set key options but doesn't explain what that means or what options. What am I missing? Any pointers would be greatly appreciated.

Thank you
Scott
Re: [c-nsp] ASA 5520, unable to find matching cert with digital key usage
Scott,

Does your trustpoint have the key you generated the CSR with defined as follows:

    crypto ca trustpoint samplecompany
     enrollment terminal
     fqdn asa.samplecompany.com
     subject-name CN=asa,O=sample.com,C=US,St=California,L=SanFran
     keypair mykeypairname
     ignore-ipsec-keyusage
     ignore-ssl-keyusage
     crl configure

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Friday, December 11, 2009 1:12 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA 5520,unable to find matching cert with digital key usage

Hi, I'm getting the following error and I've popped it in to do a search but I'm not finding much and not understanding what I did find.

The background: I am using ASA 5520 hardware. I am trying to create a trust point for certificate based authentication. I create the enrollment request without issue, submit it to our CA server and receive the new cert. I've generated the keys and everything happens error free until I go to import the new cert. I first authenticate the trust point with the CA cert which seems to be error free but when I do a

#crypto ca import trust-point-name certificate

and paste the cert I receive the can't find certificate with digital key usage error. When googling all it says is to set key options but doesn't explain what that means or what options. What am I missing? Any pointers would be greatly appreciated.

Thank you
Scott
Re: [c-nsp] ASA 5520, unable to find matching cert with digital key usage
Hi, I only have the items as far as keypair=name.key. I used the configuring ASA with microsoft CA and digital certs example on the Cisco site. Didn't list any of the other options.

I did figure out this error though, the problem was with the CA server. It was injecting my username in instead of the fqdn and the data I provided in the request. Now I'm struggling with a group 1 configured for group 2 error but I think I understand what that is.

Thanks for the response
Scott

----- Original Message -----
From: andymro...@yahoo.com
To: 'Scott Granados' gsgrana...@comcast.net; cisco-nsp@puck.nether.net
Sent: Friday, December 11, 2009 3:21 PM
Subject: RE: [c-nsp] ASA 5520,unable to find matching cert with digital key usage

Scott,

Does your trustpoint have the key you generated the CSR with defined as follows:

    crypto ca trustpoint samplecompany
     enrollment terminal
     fqdn asa.samplecompany.com
     subject-name CN=asa,O=sample.com,C=US,St=California,L=SanFran
     keypair mykeypairname
     ignore-ipsec-keyusage
     ignore-ssl-keyusage
     crl configure
[c-nsp] vlan access-map
Dear All,

currently I need to make a lab for my BSMSN; since I use dynamips with C3640, there are limited commands for the switch. I need your opinion. Does anyone know about vlan access-map under c3640 in dynamips/dynagen?

Thanks for help

Regards,
-Suryantofang-
Fly Higher - Run Faster
http://suryantofang.wordpress.com
Re: [c-nsp] 3560g PoE issue
Nilesh Sawant wrote:
> Hi, I am observing the problem with 48 ports 3560G in LAN infrastructure.
> We have alcatel IP phone which are connected to 3560G switches. Sometimes
> these IP phone are not getting power up , after restarting the switch IP
> phone gets power up. As per cisco theory it's deliver average 7.7w on all
> 48 ports or 15.4 w on 24 ports. I tried shut, no shut after IP phones gets
> power down, also tries to allocate 10-14w power on that particular
> interface, but no use. What could be the issue ?

Not sure about Alcatel, but we have seen a similar issue with some Polycom phones. The Polycom phones have the capability of adding sidecar units with additional display and buttons for DSS/BLF and the like. Even with no sidecars installed, the phones default to having the sidecar power enabled and as such request the full 15.4 watts from the switch.

The Cisco switch will detect the requested power as 15.4 and deny power to additional phones once the aggregate power limit is reached based on this calculation. A configuration setting on the phone allows one to disable sidecar power and once this is done the phone requests a more reasonable six watts. In this mode all ports can be used.

Keep in mind that TTBOMK power calculations in the switch are done by layer 2 messages indicating desired power from the connected device and not by an ammeter in the switch measuring actual power consumption.

Check your Alcatel phones and see if they are capable of powering accessories that you aren't using. If so and you can disable this capability the phones may then negotiate with the switch to deliver less power and allow the use of more/all ports.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV