Re: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL

2009-12-15 Thread Dave Kruger
Drew Weaver wrote:
 Howdy all,

 Last night I had an interesting encounter on one of my 6509s /w SUP7203-BXL.

 This switch has 3x iBGP sessions with full internet tables and is also 
 running OSPF.

 Two of the three iBGP sessions randomly dropped with: 

 %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 
 bytes, I also noticed that during this period OSPF dropped with Neighbor 
 Down: Dead timer expired

   
 and then re-established, and then failed again, and re-established, and 
 failed again, and so-on, and so-on.

 I checked the physical interfaces between this 6500 and the two GSR 12000s it 
 peers with and there were no errors, there was also no obvious spike in 
 traffic that would account for latency that might cause the hold timers to 
 expire. I remember when this system first came online it took a really long 
 time for it to download the full internet tables from the upstream GSRs and 
 also during that time there was a lot of CPU time being eaten up, I am 
 wondering if maybe the first session failing caused sort of a 'performance' 
 domino effect which then caused everything else to fail, the issue eventually 
 corrected itself and stabilized.

 This particular box is running 12.2(18)SXF17 so I am less likely to believe 
 it is a software bug.

 Does anyone have any tips on both how I can avoid the hold timer issue 
 altogether 

I don't think your issue is BGP and its hold time - if the OSPF session
drops then so will the BGP session. Are you sure your upstream GSRs did not
fail over? If so, NSF might help you:
http://www.cisco.com/en/US/partner/docs/ios/iproute/configuration/guide/irp_bgp_adv_features_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056241

If you have an unstable IGP, try to figure out why; if you can't, dampen. If
that doesn't help, disable next-hop address tracking:
http://www.cisco.com/en/US/partner/docs/ios/iproute/configuration/guide/irp_bgp_adv_features_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056441

Regards
Dave

 and also how I can make it so that if a session does go down and re-establish 
 it doesn't totally nail the CPU while it's trying to re-establish/download 
 the routes? A long time ago I also read that increasing the MTU on both ends 
 of a circuit can make BGP tables download faster, I don't know if that's true 
 or not, has anyone else found that?

 thanks,
 -Drew


 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
   

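Dave's point is that when the IGP adjacency drops, the iBGP sessions riding over it follow, so the first thing to establish from the logs is whether each hold-timer expiry was preceded by an OSPF neighbor-down. The helper below is an added example (not from the thread, not Cisco code): it reads IOS syslog lines in the two formats the thread quotes (`%BGP-3-NOTIFICATION ... (hold time expired)` and `Neighbor Down: Dead timer expired`), reports for each BGP expiry the nearest OSPF drop within a window, and counts flap cycles per peer. The log lines, addresses and the 180-second window are constructed for the example; the `%OSPF-5-ADJCHG` and `%BGP-5-ADJCHANGE` message layouts are assumed from standard IOS output.

```python
"""Correlate BGP hold-timer expiries with preceding OSPF adjacency drops."""
import re
from collections import Counter
from datetime import datetime

# IOS syslog line: "[*.]Mon DD HH:MM:SS[.mmm]: %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%(?P<mnem>[A-Z0-9_]+-\d-[A-Z_]+): (?P<msg>.*)$")
BGP_HOLD_RE = re.compile(r"^sent to neighbor (?P<peer>\S+) 4/0 \(hold time expired\)")
OSPF_DOWN_RE = re.compile(
    r"Nbr (?P<nbr>\S+) on (?P<intf>\S+) from \S+ to DOWN, Neighbor Down: (?P<reason>.+)$")
BGP_UP_RE = re.compile(r"^neighbor (?P<peer>\S+) Up$")


def parse_line(line):
    """Return (timestamp, mnemonic, message) or None for lines that are not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return ts, m.group("mnem"), m.group("msg")


def correlate_hold_expiries(lines, window_s=180):
    """For each BGP hold-time expiry, find the most recent OSPF neighbor-down
    that happened up to window_s seconds earlier. Returns dicts in log order."""
    ospf_downs, results = [], []
    for event in map(parse_line, lines):
        if event is None:
            continue
        ts, mnem, msg = event
        if mnem == "OSPF-5-ADJCHG":
            d = OSPF_DOWN_RE.search(msg)
            if d:
                ospf_downs.append((ts, d.group("nbr"), d.group("reason")))
        elif mnem == "BGP-3-NOTIFICATION":
            h = BGP_HOLD_RE.match(msg)
            if not h:
                continue
            recent = [x for x in ospf_downs if 0 <= (ts - x[0]).total_seconds() <= window_s]
            prior = max(recent, key=lambda x: x[0]) if recent else None
            results.append({
                "peer": h.group("peer"),
                "time": ts.strftime("%b %d %H:%M:%S"),
                "igp_down_before": prior is not None,
                "ospf_nbr": prior[1] if prior else None,
                "lag_s": int((ts - prior[0]).total_seconds()) if prior else None,
            })
    return results


def bgp_flap_counts(lines):
    """Count how often each BGP neighbor came back Up, i.e. one per flap cycle."""
    counts = Counter()
    for event in map(parse_line, lines):
        if event and event[1] == "BGP-5-ADJCHANGE":
            m = BGP_UP_RE.match(event[2])
            if m:
                counts[m.group("peer")] += 1
    return dict(counts)


# Constructed sample log (placeholder addresses), modelled on the messages in the thread
SAMPLE_LOG = [
    "Dec 15 02:13:01: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.3 on TenGigabitEthernet1/1 "
    "from FULL to DOWN, Neighbor Down: Dead timer expired",
    "Dec 15 02:13:07: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.3 4/0 (hold time expired) 0 bytes",
    "Dec 15 02:13:07: %BGP-5-ADJCHANGE: neighbor 10.0.0.3 Down BGP Notification sent",
    "Dec 15 02:13:09: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.4 4/0 (hold time expired) 0 bytes",
    "Dec 15 02:13:09: %BGP-5-ADJCHANGE: neighbor 10.0.0.4 Down BGP Notification sent",
    "Dec 15 02:14:30: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.3 on TenGigabitEthernet1/1 "
    "from LOADING to FULL, Loading Done",
    "Dec 15 02:15:02: %BGP-5-ADJCHANGE: neighbor 10.0.0.3 Up",
    "Dec 15 02:15:05: %BGP-5-ADJCHANGE: neighbor 10.0.0.4 Up",
    "Dec 15 02:21:40: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.3 4/0 (hold time expired) 0 bytes",
    "Dec 15 02:21:40: %BGP-5-ADJCHANGE: neighbor 10.0.0.3 Down BGP Notification sent",
    "Dec 15 02:24:11: %BGP-5-ADJCHANGE: neighbor 10.0.0.3 Up",
]

if __name__ == "__main__":
    for r in correlate_hold_expiries(SAMPLE_LOG):
        print(r)
    print(bgp_flap_counts(SAMPLE_LOG))
```

An expiry with `igp_down_before` set points at the IGP (Dave's case, where NSF or dampening is the remedy); an expiry with no OSPF drop in the window is the one worth chasing as a BGP or CPU problem. Timestamps without a year are compared relatively, so a log spanning a year boundary needs the year added.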


[c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

2009-12-15 Thread Pär Åslund
Hi,

I have problems with a WS-SVC-IPSEC-1 where I'm trying to set up a
site-to-site tunnel.

Last night, I got the tunnel up. But after applying an ACL to the 6500,
the tunnel went down and stayed down. After removing configuration just to
get the tunnel up again and continue trying to get the interesting
traffic through as intended, the tunnel never comes up. The remote
device is an ASA 5505, where I haven't touched anything since this
failure started. From what I can get out of all this, looking at logs
and crypto statistics, the traffic never gets to the module in slot 8.

show crypto sessions - nothing
show crypto isakmp sa - nothing
show crypto ipsec sa - nothing

I can still use packet-tracer on the ASA as I could before and the
flow is created, but nothing ends up in the 6500 logs. debug crypto
isakmp and debug crypto ipsec are both enabled without anything being
logged. Any ideas are most welcome. Guess I have missed something
obvious but right now I just can't figure out what it is.

This is the configuration from the 6500.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY address peer ip no-xauth
!
crypto isakmp client configuration group GROUP1
 key KEY
 dns 172.16.9.2
 domain i.company.com
 pool vpn
 acl 101
crypto isakmp profile ikepro
   match identity group GROUP1
   client authentication list userlist
   isakmp authorization list grouplist
   client configuration address respond
   client configuration group GROUP1
crypto isakmp profile site-to-site
   keyring default
   match identity address peer ip 255.255.255.255
   keepalive 60 retry 5
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecpro
 set transform-set 3dessha
!
!
crypto dynamic-map dynmap 10
 set transform-set 3dessha
 set isakmp-profile ikepro
crypto dynamic-map dynmap 15
 set peer 76.238.146.205
 set transform-set 3dessha
 set isakmp-profile site-to-site
crypto dynamic-map dynmap 20
 set transform-set 3dessha
 set isakmp-profile ikepro
!
!
crypto map vpnmap engine slot 8
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap


and then on VLAN 8 where the traffic is supposed to come in:
interface Vlan8
 ip address ip 255.255.255.248
 ip nat outside
 standby 8 ip standby ip
 standby 8 priority 115
 standby 8 preempt
 standby 8 name standby name
 crypto map vpnmap redundancy standby name
end

Best regards,
.pelle


[c-nsp] 7200 for BGP

2009-12-15 Thread RAZAFINDRATSIFA Rivo Tahina

Hi all,

I use these 3 7200s to connect to upstreams:

Cisco 7206VXR (NPE-G1) processor (revision B) with 229376K/32768K 
bytes of memory.


Max CPU usage:28%

Cisco 7204VXR (NPE-G2) processor (revision A) with 917504K/65536K 
bytes of memory.

Max CPU usage: 75%

Cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K 
bytes of memory.

Max CPU usage: 45%

BGP is used with upstreams but I don't receive full BGP table.

Do these boxes have enough resources to handle the full BGP table?

Regards.


Re: [c-nsp] 6509 OIR logging for transceivers

2009-12-15 Thread Pavel Skovajsa
Hi Brian,

I have never seen any event (OIR or any other kind) generated when
plugging/unplugging the SFPs on any Cisco switches. The way I check this is
with usual 'show int status' or simply 'show int x/y' after making the
physical change.

Of course if the interface is up, then you will get the normal
LINEPROTO-5-UPDOWN and LINK-3-UPDOWN messages, provided you have the 'logging
event link-status' command under interface config. This is specific to the 6500
though; all other switch models log LINK UP/DOWN by default.

-pavel skovajsa

On Tue, Dec 15, 2009 at 3:00 AM, Brian Spade bitkr...@gmail.com wrote:

 Hi,

 I am doing some testing and can't seem to get the Catalyst 6509 to log an
 insertion or removal of a SFP.  Is this supported?  I have 'logging
 buffered
 2' configured but don't get a log when I insert/remove an SFP on a
 SUP-720-3B.

 Thanks,
 /bs


Re: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

2009-12-15 Thread Lee
Do you have the inside and outside vlan for your ipsec traffic configured
with a crypto connect? eg

interface Vlan7
  description outside:encrypted traffic
  no ip address
  crypto engine subslot 8/0
  crypto connect vlan8
!
interface Vlan8
  description inside:cleartext traffic
  ip address xxx
  crypto map xxx
  crypto engine subslot 8/0

Regards,
Lee


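Lee's snippet describes a pairing: the inside SVI carries the crypto map and a `crypto engine subslot` binding, and a separate outside port VLAN is bound to the same engine and points at the inside SVI with `crypto connect`. The checker below is an added example, not code from the thread or from Cisco; it parses IOS interface blocks and reports where a crypto-map SVI departs from that pairing. Whether the pairing is mandatory for site-to-site maps is exactly what the thread is unsure about, so a finding means "differs from Lee's pattern", not a proven fault. The two configs are the ones posted in this thread, reproduced as test input (the `vlan8`/`vlan 8` spelling of `crypto connect` is accepted either way).

```python
"""Lint IOS interface config for the IPsec-module VLAN pairing shown in the thread."""
import re


def parse_ios_interfaces(config_text):
    """Return {interface name: [sub-commands]} from a running-config excerpt.
    Indented lines belong to the preceding 'interface' line; '!' or any other
    top-level line ('end', a global command) closes the block."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def check_ipsec_vlan_pairing(config_text):
    """Apply Lee's pattern to every SVI that carries a 'crypto map'."""
    ifaces = parse_ios_interfaces(config_text)
    engine = {}        # interface -> engine (sub)slot it is bound to
    connect_from = {}  # inside SVI -> port VLAN whose 'crypto connect' names it
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.match(r"crypto engine (?:subslot|slot) (\S+)", cmd)
            if m:
                engine[name] = m.group(1)
            m = re.match(r"crypto connect vlan\s*(\d+)$", cmd)
            if m:
                connect_from["Vlan" + m.group(1)] = name
    findings = []
    for name, cmds in ifaces.items():
        if not any(c.startswith("crypto map ") for c in cmds):
            continue
        if name not in engine:
            findings.append(f"{name}: 'crypto map' applied but no 'crypto engine subslot' binding")
        port_vlan = connect_from.get(name)
        if port_vlan is None:
            findings.append(f"{name}: no port VLAN has 'crypto connect' pointing at it")
        elif engine.get(port_vlan) != engine.get(name):
            findings.append(f"{name}: engine binding differs from its port VLAN {port_vlan}")
    return findings


# The two interface configs posted in the thread, used here as sample input
PELLE_CONFIG = """\
interface Vlan8
 ip address ip 255.255.255.248
 ip nat outside
 standby 8 ip standby ip
 standby 8 priority 115
 standby 8 preempt
 standby 8 name standby name
 crypto map vpnmap redundancy standby name
end
"""

LEE_CONFIG = """\
interface Vlan7
  description outside:encrypted traffic
  no ip address
  crypto engine subslot 8/0
  crypto connect vlan8
!
interface Vlan8
  description inside:cleartext traffic
  ip address xxx
  crypto map xxx
  crypto engine subslot 8/0
"""

if __name__ == "__main__":
    for label, cfg in (("pelle", PELLE_CONFIG), ("lee", LEE_CONFIG)):
        print(label, check_ipsec_vlan_pairing(cfg) or "matches Lee's pattern")
```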


Re: [c-nsp] 7200 for BGP

2009-12-15 Thread Pavel Skovajsa
hi R.

The G2 will certainly handle it, but I would look into the reason for having
75%, that sounds really bad.

For the G1 and NPE400, I'd say you definitely need more memory - 512 MB or
1G to be fine.

This is what Cisco says:
The amount of memory required to store BGP routes depends on many factors,
such as the router, the number of alternate paths available, route
dampening, community, the number of maximum paths configured, BGP
attributes, and VPN configurations. Without knowledge of these parameters it
is difficult to calculate the amount of memory required to store a certain
number of BGP routes. Cisco typically recommends a minimum of 512 MB of RAM
in the router to store a complete global BGP routing table from one BGP
peer. However, it is important to understand ways to reduce memory
consumption and achieve optimal routing without the need to receive the
complete Internet routing table.

See this document for the details about the memory consumption -
http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a0080094a83.shtml

The rule of thumb is 1k of prefixes = 1M of RAM, but this is too generic and
a little conservative.






Re: [c-nsp] 6509 OIR logging for transceivers

2009-12-15 Thread Tim Jackson
We use rancid and the show inventory raw command 2x an hour to log approximately
when an SFP was inserted/removed...

Best way I've found to do it... It also nabs your serial numbers.
--
Tim

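Tim's approach is to collect `show inventory raw` periodically and compare runs. The script below is an added example of that comparison, not from the thread, rancid or Cisco: it parses the two-line NAME/DESCR and PID/VID/SN records that `show inventory` emits and diffs two snapshots into inserted, removed and swapped items (a swap is the same slot with a different PID or serial, which is the case a link-status log never shows). The snapshots and serial numbers are constructed placeholders.

```python
"""Diff two 'show inventory' snapshots to detect transceiver changes."""
import re

NAME_RE = re.compile(r'^NAME: "(?P<name>[^"]*)", DESCR: "(?P<descr>[^"]*)"$')
PID_RE = re.compile(r'^PID:\s*(?P<pid>\S*)\s*, VID:\s*(?P<vid>\S*)\s*, SN:\s*(?P<sn>\S*)\s*$')


def parse_inventory(text):
    """Map NAME -> {'descr','pid','vid','sn'}; each NAME line is followed by its PID line."""
    items, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = NAME_RE.match(line)
        if m:
            pending = m.group("name")
            items[pending] = {"descr": m.group("descr"), "pid": "", "vid": "", "sn": ""}
            continue
        m = PID_RE.match(line)
        if m and pending is not None:
            items[pending].update(pid=m.group("pid"), vid=m.group("vid"), sn=m.group("sn"))
            pending = None
    return items


def diff_inventory(old_text, new_text):
    """Return (kind, name, before, after) tuples for every changed NAME, sorted by name.
    kind is 'inserted', 'removed' or 'swapped' (same NAME, different PID or SN)."""
    old, new = parse_inventory(old_text), parse_inventory(new_text)
    events = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before is None:
            events.append(("inserted", name, None, f'{after["pid"]}/{after["sn"]}'))
        elif after is None:
            events.append(("removed", name, f'{before["pid"]}/{before["sn"]}', None))
        elif (before["pid"], before["sn"]) != (after["pid"], after["sn"]):
            events.append(("swapped", name,
                           f'{before["pid"]}/{before["sn"]}', f'{after["pid"]}/{after["sn"]}'))
    return events


# Constructed snapshots (placeholder serials) in the standard 'show inventory' layout
OLD_INV = """\
NAME: "WS-C6509-E", DESCR: "Cisco Systems Catalyst 6500 9-slot Chassis System"
PID: WS-C6509-E        , VID: V01 , SN: CHASSIS-SN-PLACEHOLDER
NAME: "GigabitEthernet5/1", DESCR: "1000BaseSX"
PID: GLC-SX-MM         , VID: V01 , SN: SFP-SN-0001
NAME: "GigabitEthernet5/2", DESCR: "1000BaseLX"
PID: GLC-LH-SM         , VID: V01 , SN: SFP-SN-0002
"""

NEW_INV = """\
NAME: "WS-C6509-E", DESCR: "Cisco Systems Catalyst 6500 9-slot Chassis System"
PID: WS-C6509-E        , VID: V01 , SN: CHASSIS-SN-PLACEHOLDER
NAME: "GigabitEthernet5/1", DESCR: "1000BaseSX"
PID: GLC-SX-MM         , VID: V01 , SN: SFP-SN-0003
NAME: "GigabitEthernet5/3", DESCR: "1000BaseSX"
PID: GLC-SX-MM         , VID: V01 , SN: SFP-SN-0004
"""

if __name__ == "__main__":
    for ev in diff_inventory(OLD_INV, NEW_INV):
        print(ev)
```

Run this against each pair of consecutive collections; the output is the insert/remove log the 6509 itself does not produce, with serial numbers attached.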


Re: [c-nsp] 7200 for BGP

2009-12-15 Thread Cory Ayers

 I use the 3 7200 to connect to upstreams
 
 Cisco 7206VXR (NPE-G1) processor (revision B) with 229376K/32768K
 bytes of memory.
 
 Max CPU usage:28%
 
 Cisco 7204VXR (NPE-G2) processor (revision A) with 917504K/65536K
 bytes of memory.
 Max CPU usage: 75%
 
 Cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K
 bytes of memory.
 Max CPU usage: 45%
 
 BGP is used with upstreams but I don't receive full BGP table.
 
 Do these boxes have enough resources to handle the full BGP table?

Definitely not with 256M RAM nowadays...

Here is a 7200 with 256M RAM and iomem set to 32.  It's doing _nothing_ but 
holding BGP (even CEF is disabled) and even that required filtering some 
networks.

7200bgp#show ver | i memory|image
System image file is disk0:c7200-ik9s-mz.124-12c.bin
Cisco 7206VXR (NPE300) processor (revision D) with 262144K/32768K bytes of 
memory.

7200bgp#show ip bgp summ | b ^N
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.3.55       4 65500  531667    9430  1238583    0    0 6d13h      297067

7200bgp#show ip cef
%CEF not running

7200bgp#show mem summ
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   6412F210   183306880   182614184      692696      688748      252588
      I/O       2000    33554432     3220256    30334176    26702384    26239804
Transient       6F00    16777216       17436    16759780    16694224    16752696

Filter applied to make it fit in memory but get as close to full memory 
utilization:
ip prefix-list dropnets seq 5 permit 128.0.0.0/4 le 32
!
route-map rs65500-in deny 5
 match ip address prefix-list dropnets
!
route-map rs65500-in permit 10

HTH,
Cory
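Pavel's rule of thumb (1k prefixes per 1 MB) and Cisco's 512 MB minimum can both be checked mechanically from the three show-command lines this thread quotes. The script below is an added example (not from the thread or from Cisco): it parses the memory line of `show version`, the PfxRcd column of `show ip bgp summary` and the Processor row of `show memory summary`, then reports the rule-of-thumb estimate next to the installed processor memory and the pool's actual free space. The sample output is constructed to mirror Cory's figures, with a second, non-established neighbor added to show how state words in the PfxRcd column are handled.

```python
"""Estimate BGP table memory need from show-command output and compare with what is installed."""
import re

BYTES_PER_PREFIX_RULE_OF_THUMB = 1024            # "1k of prefixes = 1M of RAM" from the thread
CISCO_MIN_FULL_TABLE_BYTES = 512 * 1024 * 1024   # Cisco's recommended minimum for one full feed


def parse_show_version_memory(line):
    """Return (processor_kb, io_kb) from '... with 262144K/32768K bytes of memory.'"""
    m = re.search(r"with (\d+)K/(\d+)K bytes of memory", line)
    if not m:
        raise ValueError("no memory line found")
    return int(m.group(1)), int(m.group(2))


def parse_bgp_prefixes_received(lines):
    """Sum the State/PfxRcd column over neighbor rows of 'show ip bgp summary'.
    A neighbor that is not Established shows a state word (Idle, Active, ...)
    instead of a prefix count and contributes 0."""
    total = 0
    for line in lines:
        f = line.split()
        # Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        if len(f) == 10 and re.match(r"^\d+\.\d+\.\d+\.\d+$", f[0]):
            total += int(f[9]) if f[9].isdigit() else 0
    return total


def parse_processor_pool(lines):
    """Return the Processor row of 'show memory summary' as a dict of byte counts."""
    for line in lines:
        f = line.split()
        if f and f[0] == "Processor" and len(f) == 7:
            total, used, free, lowest, largest = (int(x) for x in f[2:])
            return {"total": total, "used": used, "free": free,
                    "lowest": lowest, "largest": largest}
    raise ValueError("Processor row not found")


def assess_bgp_memory(version_line, bgp_summary_lines, mem_summary_lines):
    """Compare installed processor memory with the rule-of-thumb need and Cisco's minimum."""
    proc_kb, _io_kb = parse_show_version_memory(version_line)
    prefixes = parse_bgp_prefixes_received(bgp_summary_lines)
    pool = parse_processor_pool(mem_summary_lines)
    installed = proc_kb * 1024
    estimate = prefixes * BYTES_PER_PREFIX_RULE_OF_THUMB
    return {
        "prefixes": prefixes,
        "processor_bytes": installed,
        "rule_of_thumb_bytes": estimate,
        "fits_rule_of_thumb": estimate <= installed,
        "meets_cisco_minimum": installed >= CISCO_MIN_FULL_TABLE_BYTES,
        "pool_free_bytes": pool["free"],
        "pool_free_pct": round(100.0 * pool["free"] / pool["total"], 2),
        "largest_free_block": pool["largest"],
    }


# Constructed sample output mirroring the 7200 figures posted in the thread
SAMPLE_VERSION = ("Cisco 7206VXR (NPE300) processor (revision D) "
                  "with 262144K/32768K bytes of memory.")
SAMPLE_BGP_SUMMARY = [
    "Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd",
    "10.1.3.55       4 65500  531667    9430  1238583    0    0 6d13h      297067",
    "10.1.3.56       4 65501       0       0        0    0    0 never      Active",
]
SAMPLE_MEM_SUMMARY = [
    "                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)",
    "Processor   6412F210   183306880   182614184      692696      688748      252588",
    "      I/O       2000    33554432     3220256    30334176    26702384    26239804",
]

if __name__ == "__main__":
    for k, v in assess_bgp_memory(SAMPLE_VERSION, SAMPLE_BGP_SUMMARY, SAMPLE_MEM_SUMMARY).items():
        print(f"{k:>22}: {v}")
```

On Cory's numbers the rule of thumb asks for about 290 MB against 256 MB of processor memory, yet the box holds 297k prefixes with under 1 MB free and a largest free block of 247 KB, which is what "too generic and a little conservative" looks like in practice, and also why Cory had to filter: `largest_free_block` is the figure that decides whether the next burst of updates can be allocated at all.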


Re: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

2009-12-15 Thread Pär Åslund
Hi Lee,

No, I don't have it configured with crypto connect. From what I read
so far, I don't need that for site-to-site ipsec?

The asa in the remote office can ping the remote peer ip configured on
the 6500. Just seems like bad magic for me right now that for some
reason the traffic doesn't seem to reach the IPSEC module.


Extra, forgot to show the configuration of the interfaces on module 8
- WS-SVC-IPSEC-1

Current configuration : 243 bytes
!
interface GigabitEthernet8/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 8
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

interface GigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

Best regards,
.pelle



[c-nsp] VSS/12.2(33)SXI2a High interrupt load on SP

2009-12-15 Thread Daniska, Tomas
Hi,

I wonder if anyone has come across this...

XX-sp#sh proc cpu
CPU utilization for five seconds: 100%/88%; one minute: 100%; five minutes: 100%

and it has lasted for a week or two already. It's in ios-base, TID 6:

XX-sp#sh proc cpu det 12311
CPU utilization for five seconds: 99%/82%; one minute: 100%; five minutes: 100%

PID/TID    5Sec    1Min    5Min  Process          Prio  STATE       CPU
12311     96.2%   97.2%   97.0%  ios-base                           37d06h
           0.0%    1.9%    2.8%  [dead threads]
      1    0.0%    0.6%    0.7%                     10  Receive     45.837
      2    0.1%    0.0%    0.0%                      5  Ready       36m47s
      4    0.0%    0.3%    0.8%                     10  Receive     8.353
      5    0.0%    0.0%    0.0%                     11  Nanosleep   5m54s
      6   77.7%   84.2%   84.7%                     21  Intr        20d22h

I cannot find any source for this; there are no log messages indicating an event
that would cause it.

The only thing I have noticed is that the IBC port on the SP is seeing an
unusually high number of inband interrupts:

XX-sp#sh clock
14:31:51.917 GMT Tue Dec 15 2009
XX-sp#sh ibc | i inter
3699589169 inband interrupts
1194856 total tx interrupts set
mistral tx interrupt inconsisteny occured 0 times
0 total packets dropped on throttled interfaces (0 low, 0 medium, 0 high)

XX-sp#sh clock
14:32:04.201 GMT Tue Dec 15 2009
XX-sp#sh ibc | i inter
3700120842 inband interrupts
1195039 total tx interrupts set
mistral tx interrupt inconsisteny occured 0 times
0 total packets dropped on throttled interfaces (0 low, 0 medium, 0 high)
XX-sp#

which gives 40k interrupts per second constantly - no wonder the SP
CPU is that busy. This, however, does not seem to be related to IBC
traffic:

XX-sp#sh ibc load 30
Interface information:
Interface IBC0/0/0(idb 0x60011A70)
Hardware is Mistral IBC (revision 5)
0 minute rx rate 359000 bits/sec, 213 packets/sec
0 minute tx rate 49 bits/sec, 466 packets/sec

and the RP does not seem to be sending much traffic over IBC either:

XX#sh ibc load 30
Interface information:
Interface IBC0/0(idb 0x60011A70)
Hardware is Mistral IBC (revision 5)
0 minute rx rate 2276000 bits/sec, 523 packets/sec
0 minute tx rate 10 bits/sec, 137 packets/sec

Does anyone have any hints before I proceed to TAC? Getting the SR
queued is complicated for me with this customer as they have support
bought via a different organization and it takes three human hops to
open a ticket. Through India... aww

thx!


--

Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

All generalizations are false, including this one.
-- Mark Twain

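The "40k interrupts per second" figure comes from two timed `sh ibc` samples, and the "not related to IBC traffic" conclusion from comparing it with the packet rate in `sh ibc load`. The helper below is an added example (not from the thread or from Cisco) that does both from captured output: it parses the `sh clock` line and the `inband interrupts` counter of each sample, takes the counter delta modulo 2^32 so that a wrap between samples (the counter is already at 3.7 billion) does not produce a negative rate, and divides by the summed rx+tx packets/sec. The sample text reproduces Tomas's figures as constructed input; the 32-bit width of the counter is an assumption.

```python
"""Interrupt rate from two timed 'sh ibc' samples, compared with the IBC packet rate."""
import re
from datetime import datetime

COUNTER_MODULUS = 1 << 32  # assumption: 'inband interrupts' is a 32-bit unsigned counter

CLOCK_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ (\w{3} \w{3} \d{1,2} \d{4})$")
INTR_RE = re.compile(r"^(\d+) inband interrupts$")
LOAD_RE = re.compile(r"^\d+ minute (?:rx|tx) rate \d+ bits/sec, (\d+) packets/sec$")


def parse_sample(text):
    """Return (timestamp, inband interrupt count) from 'sh clock' + 'sh ibc | i inter' output."""
    ts = count = None
    for line in text.splitlines():
        line = line.strip()
        m = CLOCK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%a %b %d %Y %H:%M:%S.%f")
        m = INTR_RE.match(line)
        if m:
            count = int(m.group(1))
    if ts is None or count is None:
        raise ValueError("sample needs a clock line and an 'inband interrupts' line")
    return ts, count


def interrupts_per_second(sample_a, sample_b):
    """Rate between two samples; the delta is taken modulo 2^32 so one wrap is harmless."""
    t0, c0 = parse_sample(sample_a)
    t1, c1 = parse_sample(sample_b)
    elapsed = (t1 - t0).total_seconds()
    if elapsed <= 0:
        raise ValueError("samples must be in chronological order")
    delta = (c1 - c0) % COUNTER_MODULUS
    return delta / elapsed


def packets_per_second(load_text):
    """Sum the rx and tx packets/sec figures from 'sh ibc load' output."""
    return sum(int(m.group(1))
               for m in (LOAD_RE.match(l.strip()) for l in load_text.splitlines()) if m)


def interrupts_per_packet(sample_a, sample_b, load_text):
    return interrupts_per_second(sample_a, sample_b) / packets_per_second(load_text)


# Constructed input reproducing the figures posted in the thread
SAMPLE_A = """\
XX-sp#sh clock
14:31:51.917 GMT Tue Dec 15 2009
XX-sp#sh ibc | i inter
3699589169 inband interrupts
1194856 total tx interrupts set
"""
SAMPLE_B = """\
XX-sp#sh clock
14:32:04.201 GMT Tue Dec 15 2009
XX-sp#sh ibc | i inter
3700120842 inband interrupts
1195039 total tx interrupts set
"""
SP_LOAD = """\
0 minute rx rate 359000 bits/sec, 213 packets/sec
0 minute tx rate 49 bits/sec, 466 packets/sec
"""

if __name__ == "__main__":
    print(f"{interrupts_per_second(SAMPLE_A, SAMPLE_B):.0f} interrupts/s")
    print(f"{interrupts_per_packet(SAMPLE_A, SAMPLE_B, SP_LOAD):.1f} interrupts per IBC packet")
```

A handful of interrupts per packet would be traffic; tens of interrupts per packet, sustained, says the interrupt source is something other than the inband traffic the load counters see, which is the point Tomas makes before going to TAC.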


Re: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

2009-12-15 Thread Lee
On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund psl...@gmail.com wrote:

 Hi Lee,

 No, I don't have it configured with crypto connect. From what I read
 so far, I don't need that for site-to-site ipsec?


All the docs I read talked about bump-in-the-wire encryption.  Somehow
or other you have to get the traffic going through the ipsec card, and the only
way I know of is to use the 'crypto connect' command or the
much-discouraged-in-the-docs 'switchport trunk allowed vlan add NNN' on the
ipsec card ports.  But I never did dynamic crypto maps, so maybe they do
some extra magic?



 The asa in the remote office can ping the remote peer ip configured on
 the 6500. Just seems like bad magic for me right now that for some
 reason the traffic doesn't seem to reach the IPSEC module.

A fun thing about the 6500 ipsec card is that traffic not matching the
crypto map goes through unaltered whereas a real router would drop the
traffic.  If your ASA has a 192.168.1.1 address and the 6500 vlan 8 ip
address is 192.168.1.2 it wouldn't surprise me that the asa can ping the
6500.

Another fun thing about the 6500 ipsec card is that routing happens only on
the cleartext traffic.  By the time the traffic comes out of the ipsec card
all the routing decisions have been made :(   For example, say you're
putting traffic for 10.10.10.0/24 in the IPSec tunnel and the tunnel
endpoint is 192.168.1.1.  If the route for 10.10.10.0/24 is out vlan10 and
the route for 192.168.1.1 is out vlan 8 it ain't gonna work.  I ended up
adding a static route for 10.10.10.0/24 pointing to 192.168.1.1 as a
work-around.

Then again, I haven't had anything to do with a 6500 ipsec card for over a
year so maybe they've fixed some of the weirdness that I had to deal with.


 Extra, forgot to show the configuration of the interfaces on module 8
 - WS-SVC-IPSEC-1

 Current configuration : 243 bytes
 !
 interface GigabitEthernet8/1
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 8
  switchport mode trunk
  mtu 4500
  no ip address
  flowcontrol receive on
  flowcontrol send off
  spanning-tree portfast trunk
 end

 interface GigabitEthernet8/2
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan none
  switchport mode trunk
  mtu 4500
  no ip address
  flowcontrol receive on
  flowcontrol send off
  spanning-tree portfast trunk
 end


What I ended up with was

interface GigabitEthernet8/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 550,551,702
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet8/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 551,703
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!

Looking at it now, having vlan 551 on G8/0/1 and 2 seems wrong... but it did
work.  We moved all our ipsec tunnels over to ASRs a while back, so there's nothing
I need to do about it now :)

Regards,
Lee




[c-nsp] Jay Shao is out of the office.

2009-12-15 Thread Jay Shao

I will be out of the office starting  12/15/2009 and will not return until
12/16/2009.

I will respond to your message when I return. Please contact
net...@dtcc.com for any production issues.

DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses.  The company
accepts no liability for any damage caused by any virus transmitted
by this email.


[c-nsp] IPv6 nd ra suppress broken on SXI3?

2009-12-15 Thread Grzegorz Janoszka


We recently upgraded one of our routers to 12.2(33)SXI3 (from SXF). Soon 
after the upgrade one of our customers complained that he started to see 
RA messages. From the beginning his interface has had ipv6 nd ra 
suppress; I added ipv6 nd ra mtu suppress, but the customer says he 
still sees them.

Has anyone seen broken ra suppression on SXI3?

--
Grzegorz Janoszka


[c-nsp] 7600/RSP720 + SIP-400

2009-12-15 Thread Tassos Chatzithomaoglou

Can someone with a SIP-400 module execute the sh platform hardware capacity 
system command and send me the output?
I would prefer people with 7600/RSP720.

--
Tassos


[c-nsp] Password Recovery for CISCO IGX

2009-12-15 Thread Phil Bartlett
Hi

Does anyone know of a way to recover/reset the password on a Cisco IGX. I
have found nothing when searching Cisco.com. Any assistance is greatly
appreciated.


Rgds


Phil Bartlett
Comtek Network Systems (UK) Ltd
===
DDI: -    +44 1244 283 054
Switchboard: -   +44 8454 501 626
Fax: -     +44 8454 501 627
SIP/VOIP:- sip:3...@comtek.co.uk
AOL: -    philatcomtek

Number One For Networking Spares, Repairs & Rentals






Re: [c-nsp] 7600/RSP720 + SIP-400

2009-12-15 Thread Hank Nussbacher

At 18:49 15/12/2009 +0200, Tassos Chatzithomaoglou wrote:
Can someone with a SIP-400 module execute the sh platform hardware 
capacity system command and send me the output?

I would prefer people with 7600/RSP720.


Not an RSP720 but close:
petach-tikva-gp#sh platform hardware capacity system
System Resources
  PFC operating mode: PFC3BXL
  Supervisor redundancy mode: administratively sso, operationally sso
  Switching resources: Module   Part number       Series       CEF mode
                       1        WS-X6582-2PA      CEF256       CEF
                       2        WS-X6582-2PA      CEF256       CEF
                       3        WS-X6582-2PA      CEF256       CEF
                       4        WS-X6582-2PA      CEF256       CEF
                       7        WS-SUP720-3BXL    supervisor   CEF
                       9        WS-X6748-GE-TX    CEF720       dCEF
                       10       WS-X6704-10GE     CEF720       CEF
                       11       7600-SIP-400      CEF256       CEF
-Hank





[c-nsp] Loopback/VLAN question

2009-12-15 Thread Frank Bulk - iName.com
I have several uniquely numbered 802.1q tagged links coming into a Cisco
7609-S (12.2(33)SRB3) on a single physical port.  I would like to use the
same group of subnets for each VLAN and I tried using loopbacks but it
doesn't work.  Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end



Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Antonio Querubin

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:


I have several uniquely numbered 802.1q tagged links coming into a Cisco
7609-S (12.2(33)SRB3) on a single physical port.  I would like to use the
same group of subnets for each VLAN and I tried using loopbacks but it
doesn't work.  Any ideas on what I'm doing wrong?


Use BVI's, not loopbacks.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp:  t...@lava.net


Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Peter Rathlev
On Tue, 2009-12-15 at 08:30 -1000, Antonio Querubin wrote:
 On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
  I have several uniquely numbered 802.1q tagged links coming into a
  Cisco 7609-S (12.2(33)SRB3) on a single physical port.  I would like
  to use the same group of subnets for each VLAN and I tried using
  loopbacks but it doesn't work.  Any ideas on what I'm doing wrong?
 
 Use BVI's, not loopbacks.

I don't think using BVIs on a L3 switch will do much good; if it would
work (can they do anything but fallback bridging?) it would probably
be very bad performance wise.

As for the original question, I wouldn't have thought a PFC3B could do
such a thing, but one can never know. I suppose it _has_ to work like
that?

-- 
Peter





Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Arie Vayner (avayner)
Frank,

Can you please explain what do you want to achieve?
I think this should be done in a different way.

Also, what HW do you have?

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Frank Bulk -
iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco
7609-S (12.2(33)SRB3) on a single physical port.  I would like to use
the
same group of subnets for each VLAN and I tried using loopbacks but it
doesn't work.  Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end



Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Frank Bulk - iName.com
It's my understanding that BVIs on the 7600-platform only bridge non-IP
traffic, so that wouldn't work.

Frank

-Original Message-
From: Antonio Querubin [mailto:t...@lava.net] 
Sent: Tuesday, December 15, 2009 12:30 PM
To: Frank Bulk - iName.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Loopback/VLAN question

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:

 I have several uniquely numbered 802.1q tagged links coming into a Cisco
 7609-S (12.2(33)SRB3) on a single physical port.  I would like to use the
 same group of subnets for each VLAN and I tried using loopbacks but it
 doesn't work.  Any ideas on what I'm doing wrong?

Use BVI's, not loopbacks.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp:  t...@lava.net



Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Frank Bulk - iName.com
I have 5 remote sites where I'm doing FTTH and transporting the traffic over
a third-party transport gear to our HQ.  Each site-HQ link is a separate
VLAN and uniquely numbered.  My preference is to burn up only one port on
the Cisco 7609-S (RSP720-3C with WS-X6748-DFC3C) and transport gear by
trunking the traffic between the two boxes.  But I don't want to have a
separate IP address pool (with associated static IP /24 and web filter /24)
for each remote site.  I would like each remote site to use the same address
pool.  So I'm looking for something like IRB.

SiteA    SiteB    SiteC    SiteD    SiteE
  |        |        |        |        |
VLAN1    VLAN2    VLAN3    VLAN4    VLAN5
  |        |        |        |        |
  =====================================
                    |
          802.1q tagged (1 thru 5)
                    |
                  7609-S
                    |
                DHCP server

I could use the transport gear's VLAN-translation and drop off each site
into their own physical port on the 7609-S but have it be the same VLAN, but
that's burning more ports on both boxes than what I would like.

But perhaps I have to use separate IP address pools for each remote site.
That would have the benefit of reducing the L3-broadcast traffic.

Frank

-Original Message-
From: Arie Vayner (avayner) [mailto:avay...@cisco.com] 
Sent: Tuesday, December 15, 2009 1:32 PM
To: frnk...@iname.com; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

Can you please explain what do you want to achieve?
I think this should be done in a different way.

Also, what HW do you have?

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Frank Bulk -
iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco
7609-S (12.2(33)SRB3) on a single physical port.  I would like to use
the
same group of subnets for each VLAN and I tried using loopbacks but it
doesn't work.  Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end



Re: [c-nsp] 6509 OIR logging for transceivers

2009-12-15 Thread Brian Spade
Thanks Pavel and Tim for the quick answer.  I must be losing my mind... I
thought I saw this logged before.

/bs


Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Arie Vayner (avayner)
Frank,

The right way to solve it would be to use the ES20 (or more actually the
more recent ES+) modules.
This would allow you to create a separate EVC/EFP (service-instance) per
site, using whatever VLAN IDs (even reusing them, or using QinQ) and
then bridge-domain them all to the same central global bridge VLAN,
which would be the Layer 3 service endpoint (for DHCP).

Use the right tools for the job

Anyway, with your setup, if this is not becoming a big service (which
would then make sense to invest in new HW), then maybe you should just
break them into separate L3 domains.

Another option is to use the MetroE model of uPE and nPE, where a uPE is
used for some parts of the service. This could be a L2 switch (CPE?
ME3400-2CS) to do the VLAN translation...

Hope this helps.

Arie

-Original Message-
From: Frank Bulk - iName.com [mailto:frnk...@iname.com] 
Sent: Tuesday, December 15, 2009 21:56
To: Arie Vayner (avayner); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

I have 5 remote sites where I'm doing FTTH and transporting the traffic
over
a third-party transport gear to our HQ.  Each site-HQ link is a separate
VLAN and uniquely numbered.  My preference is to burn up only one port
on
the Cisco 7609-S (RSP720-3C with WS-X6748-DFC3C) and transport gear by
trunking the traffic between the two boxes.  But I don't want to have a
separate IP address pool (with associated static IP /24 and web filter
/24)
for each remote site.  I would like each remote site to use the same
address
pool.  So I'm looking for something like IRB.

SiteA    SiteB    SiteC    SiteD    SiteE
  |        |        |        |        |
VLAN1    VLAN2    VLAN3    VLAN4    VLAN5
  |        |        |        |        |
  =====================================
                    |
          802.1q tagged (1 thru 5)
                    |
                  7609-S
                    |
                DHCP server

I could use the transport gear's VLAN-translation and drop off each site
into their own physical port on the 7609-S but have it be the same VLAN,
but
that's burning more ports on both boxes than what I would like.

But perhaps I have to use separate IP address pools for each remote
site.
That would have the benefit of reducing the L3-broadcast traffic.

Frank

-Original Message-
From: Arie Vayner (avayner) [mailto:avay...@cisco.com] 
Sent: Tuesday, December 15, 2009 1:32 PM
To: frnk...@iname.com; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

Can you please explain what do you want to achieve?
I think this should be done in a different way.

Also, what HW do you have?

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Frank Bulk -
iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco
7609-S (12.2(33)SRB3) on a single physical port.  I would like to use
the
same group of subnets for each VLAN and I tried using loopbacks but it
doesn't work.  Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end



Re: [c-nsp] 6509 OIR logging for transceivers

2009-12-15 Thread Tassos Chatzithomaoglou

7600 & SRD3 offer it:

%TRANSCEIVER-DFC1-6-INSERTED: transceiver module inserted in GigabitEthernet1/8
%TRANSCEIVER-DFC1-6-REMOVED: Transceiver module removed from GigabitEthernet1/8

--
Tassos


Brian Spade wrote on 15/12/2009 21:56:

Thanks Pavel and Tim for the quick answer.  I must be losing my mind... I
thought I saw this logged before.

/bs


[c-nsp] Controllers for a VWIC2-1MFT-T1/E1

2009-12-15 Thread james edwards
I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM
are detected:

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Channelized (E1 or T1)/PRI port
1 ATM/Voice AIM

The  VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when
I boot:

! card type command needed for slot/vwic-slot 0/0,

but the controllers command is not there to configure this card:

yourname(config)#con?
config-register  configuration  connect  control-plane

What am I missing ?

-- 
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov


Re: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

2009-12-15 Thread Everton Diniz
Hey James,

Did you try the card type command under global config?

card type {t1 | e1} subslot

http://www.cisco.com/en/US/docs/routers/access/1700/1721/software/feature/guide/t1e11721.html#wp64656

Regards,

On Tue, Dec 15, 2009 at 5:31 PM, james edwards
lists.james.edwa...@gmail.com wrote:
 I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM
 are detected:

 Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
 2 FastEthernet interfaces
 1 Gigabit Ethernet interface
 1 Channelized (E1 or T1)/PRI port
 1 ATM/Voice AIM

 The  VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when
 I boot:

 ! card type command needed for slot/vwic-slot 0/0,

 but the controllers command is not there to configure this card:

 yourname(config)#con?
 config-register  configuration  connect  control-plane

 What am I missing ?

 --
 James H. Edwards
 Senior Network Systems Administrator
 Judicial Information Division
 jedwa...@nmcourts.gov


Re: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

2009-12-15 Thread Gerteisen, Stephen (US SSA) (Contractor)
I believe the command you're looking for is...

Router(config)#card type t1 0 0


Steve M. Gerteisen
Senior Network Analyst
BAE Systems  

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james edwards
Sent: Tuesday, December 15, 2009 2:31 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM
are detected:

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Channelized (E1 or T1)/PRI port
1 ATM/Voice AIM

The  VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when
I boot:

! card type command needed for slot/vwic-slot 0/0,

but the controllers command is not there to configure this card:

yourname(config)#con?
config-register  configuration  connect  control-plane

What am I missing ?

-- 
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov


Re: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?

2009-12-15 Thread Frank Bulk - iName.com
The tunnel is up against HE's TunnelBroker service.  The Cisco 2600 is
reporting just 612 KB in use.

Frank

C2600#sh bgp  summary
BGP router identifier a.b.c.d, local AS number 53347
BGP table version is 2299, main routing table version 2299
2269 network entries using 301777 bytes of memory
2269 path entries using 163368 bytes of memory
1749 BGP path attribute entries using 104940 bytes of memory
1706 BGP AS-PATH entries using 41812 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 611897 total bytes of memory
BGP activity 2271/2 prefixes, 2272/3 paths, scan interval 60 secs

Neighbor              V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:470:1F03:10C::1
                      4  6939    1923      26     2299    0    0 00:22:06     2269
C2600#

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Frank Bulk -
iName.com
Sent: Monday, December 07, 2009 2:58 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco
2600 with 64 MB of DRAM?

Does the entire BGP routing table for IPv6 (almost 2500 entries) fit on a
Cisco 2600 with 64 MB of DRAM running 12.3(26)?  I am planning to use this
box for an IPv6-in-IPv4 tunneling appliance, but not sure if it can hold the
whole table.

Regards,

Frank




[c-nsp] EEM BGP

2009-12-15 Thread Tony Varriale
I've been having some issues with BGP peers dropping/flapping and tried to come 
up with a little EEM applet that would not only down a peer based on syslog 
entries but bring it back up.

The bringing down part is easy and tested to work great.  But I'm having a hard 
time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see the 
shut/BGP peer down/another arbitary message in the syslog.

Any ideas?  EEM 2.2 and/or 3.0 are fine.  Thanks!

tv


[c-nsp] SSL cert for tools.cisco.com revoked?

2009-12-15 Thread Tim Utschig

Apologies if this is off-topic...

Is anyone else seeing "Peer's Certificate has been revoked."
while attempting to access tools.cisco.com?  Currently using
Firefox.  I found a Windows PC, and it seems that MSIE care even
after enabling CRL checking.  I can only visit the site in
Firefox if I disable OCSP.

I verified the problem using OpenSSL command line tools.
Verisign OCSP server claims the certificate is revoked as of Dec
15 17:43:33 2009 GMT.  Reason unspecified.

The certificate is valid from 2009-12-08 to 2010-12-08, so maybe
there was some problem while updating the certificate and they
had to throw it out and start over.  Accidental disclosure or
compromise of the private key?


$ openssl s_client -CApath /etc/ssl/certs -showcerts \
 -connect tools.cisco.com:443 </dev/null > tools-cisco-com.chain
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary
Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For
authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms
of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3
Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco
Systems/OU=ATS/CN=tools.cisco.com
verify return:1
DONE

# put the three certs in the chain into separate files

$ cp tools-cisco-com.chain tools-cisco-com.chain.1
$ cp tools-cisco-com.chain tools-cisco-com.chain.2
$ cp tools-cisco-com.chain tools-cisco-com.chain.3
$ vim tools-cisco-com.chain.?

$ openssl ocsp -issuer tools-cisco-com.chain.2 \
 -cert tools-cisco-com.chain.1 -url http://ocsp.verisign.com
WARNING: no nonce in response
Response Verify Failure
8966:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify 
error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
tools-cisco-com.chain.1: revoked
This Update: Dec 15 17:47:45 2009 GMT
Next Update: Jan  8 04:59:50 2010 GMT
Reason: unspecified
Revocation Time: Dec 15 17:43:33 2009 GMT


-- 
   - Tim Utschig t...@tetro.net

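The chain capture, the by-hand splitting into per-certificate files and the OCSP query from the post, scripted as an added example (this is not Tim's code or anything from the list). It assumes openssl and awk are available, reads the responder URL from the leaf's AIA extension instead of typing ocsp.verisign.com, and hands openssl the intermediate with -verify_other, which is the usual cure for the "unable to get local issuer certificate" verify failure in the post.

```shell
#!/bin/sh
# Added example, not from the list post. Assumes: openssl, awk, and a trusted
# root store at OCSP_CAPATH (defaults to /etc/ssl/certs, the path used in the post).

# capture_chain HOST OUTFILE: save the server's chain as printed by
# `openssl s_client -showcerts`; stdin is closed so the session ends at once.
capture_chain() {
    openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null >"$2"
}

# split_chain BUNDLE PREFIX: write one PEM file per certificate (PREFIX.1 is the
# leaf, PREFIX.2 its issuer, ...) and print how many were found. Only the lines
# between BEGIN/END markers are copied, so s_client's chatter is dropped.
split_chain() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# check_ocsp LEAF ISSUER CHAIN: query the responder named in LEAF's AIA
# extension. -verify_other supplies the intermediate so openssl can build the
# responder certificate's chain up to a root in the store; without it the
# response signature cannot be verified and its status line is not trustworthy.
check_ocsp() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri) || return 1
    [ -n "$url" ] || return 1
    capath=${OCSP_CAPATH:-/etc/ssl/certs}
    openssl ocsp -issuer "$2" -cert "$1" -CApath "$capath" \
        -verify_other "$3" -url "$url" -no_nonce
}

# ocsp_status TEXT: pull good|revoked|unknown out of openssl ocsp's output
# (the "<file>: revoked" line in the post). openssl exits 0 for any verified
# answer, revoked or not, so the text, not the exit code, carries the result.
ocsp_status() {
    printf '%s\n' "$1" | awk -F': ' '$2 ~ /^(good|revoked|unknown)$/ { print $2; exit }'
}

# Usage: ./ocsp-check.sh tools.cisco.com
if [ $# -eq 1 ]; then
    capture_chain "$1" "$1.chain"
    count=$(split_chain "$1.chain" "$1.chain")
    [ "$count" -ge 2 ] || { echo "need leaf and issuer, got $count cert(s)" >&2; exit 2; }
    result=$(check_ocsp "$1.chain.1" "$1.chain.2" "$1.chain")
    echo "$result"
    echo "status: $(ocsp_status "$result")"
fi
```

A "WARNING: no nonce in response" line is expected from responders that serve pre-computed answers and does not affect the status; "Response Verify Failure" does, and means the status must not be relied on.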

[c-nsp] https://tools.cisco.com/ certificate revoked?

2009-12-15 Thread Peter Rathlev
Hi,

Am I the only one hit by the HTTPS certificate for tools.cisco.com
having been revoked? FF 3.5 won't access the pages, instead returning
sec_error_revoked_certificate. I can connect with OpenSSL s_client
manually.

-- 
Peter




Re: [c-nsp] EEM BGP

2009-12-15 Thread Arie Vayner (avayner)
Tony,

An easy trick is to insert a delay in your script that does the shut,
and then after the delay to do the unshut.
As there is no "wait" action in older EEM codes, you can use a trick
with a ping that would never be answered, and a long timeout value.

event manager applet delay
 event syslog pattern "xxx" maxrun 630
 action 1.0 cli command "ping 1.1.1.1 repeat 1 timeout 600"

Does it work for you?

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, December 15, 2009 23:11
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EEM BGP

I've been having some issues with BGP peers dropping/flapping and tried
to come up with a little EEM applet that would not only down a peer
based on syslog entries but bring it back up.

The bringing down part is easy and tested to work great.  But I'm having
a hard time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see
the shut/BGP peer down/another arbitary message in the syslog.

Any ideas?  EEM 2.2 and/or 3.0 are fine.  Thanks!

tv


Re: [c-nsp] SSL cert for tools.cisco.com revoked?

2009-12-15 Thread Peter Rathlev
On Tue, 2009-12-15 at 12:42 -0800, Tim Utschig wrote:
 Apologies if this is off-topic...
 
 Is anyone else seeing Peer's Certificate has been revoked.
 while attempting to access tools.cisco.com?

Hadn't seen your message when I posted mine, but yes I see the exact
same thing.

Thanks for the tip on disabling OCSP; I know it's technically a really
bad idea (don't do this at home) but I kinda needed to look up a bug.
I'll change my password when the certificate mess is over and hope for
the best. :-)

-- 
Peter




Re: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

2009-12-15 Thread David Barak
you're missing the command

card type t1 0 0 

Until you do that, the router doesn't know whether it's a T1 or an E1.
 David Barak
Need Geek Rock? Try The Franchise: 
http://www.listentothefranchise.com 



- Original Message 
From: james edwards lists.james.edwa...@gmail.com
To: cisco-nsp@puck.nether.net
Sent: Tue, December 15, 2009 3:31:23 PM
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM
are detected:

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Channelized (E1 or T1)/PRI port
1 ATM/Voice AIM

The  VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when
I boot:

! card type command needed for slot/vwic-slot 0/0,

but the controllers command is not there to configure this card:

yourname(config)#con?
config-register  configuration  connect  control-plane

What am I missing ?

-- 
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov


Re: [c-nsp] https://tools.cisco.com/ certificate revoked?

2009-12-15 Thread Tony Varriale

I was getting that as well.  Works now.

tv
- Original Message - 
From: Peter Rathlev pe...@rathlev.dk

To: cisco-nsp cisco-nsp@puck.nether.net
Sent: Tuesday, December 15, 2009 3:29 PM
Subject: [c-nsp] https://tools.cisco.com/ certificate revoked?



Hi,

Am I the only one hit by the HTTPS certificate for tools.cisco.com
having been revoked? FF 3.5 won't access the pages, instead returning
sec_error_revoked_certificate. I can connect with OpenSSL s_client
manually.

--
Peter




Re: [c-nsp] EEM BGP

2009-12-15 Thread Tony Varriale

No, I haven't as I couldn't figure out how to get that delay to work.

Let me put this up in the lab and see what happens.

Thanks!

tv
- Original Message - 
From: Clyde Wildes cwil...@progrizon.com

To: 'Tony Varriale' tvarri...@comcast.net; cisco-nsp@puck.nether.net
Sent: Tuesday, December 15, 2009 3:31 PM
Subject: RE: [c-nsp] EEM BGP



Tony,

Have you considered using EEM multiple event support:

event manager applet t1
 description Test applet to demonstrate event correlation
 event tag e1 syslog pattern "syslog msg 1 pattern"
 event tag e2 syslog pattern "syslog msg 2 pattern"
 trigger delay 10.0
  correlate event e1 or event e2
 action 001 syslog msg "applet t1 triggered 10 seconds after either of syslog message 1 or 2 occur"
!

Thanks,

Clyde Wildes
Progrizon, Inc.
www.progrizon.com

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, December 15, 2009 1:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EEM BGP

I've been having some issues with BGP peers dropping/flapping and tried to
come up with a little EEM applet that would not only down a peer based on
syslog entries but bring it back up.

The bringing down part is easy and tested to work great.  But I'm having a
hard time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see 
the

shut/BGP peer down/another arbitary message in the syslog.

Any ideas?  EEM 2.2 and/or 3.0 are fine.  Thanks!

tv


Re: [c-nsp] SSL cert for tools.cisco.com revoked?

2009-12-15 Thread Tim Utschig
On Tue, Dec 15, 2009 at 12:42:25PM -0800, Tim Utschig wrote:
 I found a Windows PC, and it seems that MSIE care even after
 enabling CRL checking.


Insert "doesn't" before "care".

MSIE users will not notice this security issue.

Even after checking the box "Check for server certificate
revocation*" under Tools > Internet Options > Advanced, and
rebooting, MSIE (7.0.5730.13 at least, I'm not interested in
spending time checking other versions of a browser I avoid using)
still doesn't bother checking Verisign's OCSP server.

-- 
   - Tim Utschig t...@tetro.net


Re: [c-nsp] EEM BGP

2009-12-15 Thread Clyde Wildes
Tony,

Have you considered using EEM multiple event support:

event manager applet t1
 description Test applet to demonstrate event correlation
 event tag e1 syslog pattern "syslog msg 1 pattern"
 event tag e2 syslog pattern "syslog msg 2 pattern"
 trigger delay 10.0
  correlate event e1 or event e2
 action 001 syslog msg "applet t1 triggered 10 seconds after either of syslog message 1 or 2 occur"
!

Thanks,

Clyde Wildes
Progrizon, Inc.
www.progrizon.com

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, December 15, 2009 1:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EEM BGP

I've been having some issues with BGP peers dropping/flapping and tried to
come up with a little EEM applet that would not only down a peer based on
syslog entries but bring it back up.

The bringing down part is easy and tested to work great.  But I'm having a
hard time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see the
shut/BGP peer down/another arbitary message in the syslog.

Any ideas?  EEM 2.2 and/or 3.0 are fine.  Thanks!

tv


Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Frank Bulk - iName.com
Looks like I will be creating separate L3 domains. ARIN, here I come.  =)

Thanks again to this group for this helpful information.

Frank

-Original Message-
From: Arie Vayner (avayner) [mailto:avay...@cisco.com] 
Sent: Tuesday, December 15, 2009 2:14 PM
To: frnk...@iname.com; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

The right way to solve it would be to use the ES20 (or more actually the
more recent ES+) modules.
This would allow you to create a separate EVC/EFP (service-instance) per
site, using whatever VLAN IDs (even reusing them, or using QinQ) and
then bridge-domain them all to the same central global bridge VLAN,
which would be the Layer 3 service endpoint (for DHCP).

Use the right tools for the job

Anyway, with your setup, if this is not becoming a big service (which
would then make sense to invest in new HW), then maybe you should just
break them into separate L3 domains.

Another option is to use the MetroE model of uPE and nPE, where a uPE is
used for some parts of the service. This could be a L2 switch (CPE?
ME3400-2CS) to do the VLAN translation...

Hope this helps.

Arie

-Original Message-
From: Frank Bulk - iName.com [mailto:frnk...@iname.com] 
Sent: Tuesday, December 15, 2009 21:56
To: Arie Vayner (avayner); cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

I have 5 remote sites where I'm doing FTTH and transporting the traffic
over a third-party transport gear to our HQ.  Each site-HQ link is a
separate VLAN and uniquely numbered.  My preference is to burn up only one
port on the Cisco 7609-S (RSP720-3C with WS-X6748-DFC3C) and transport gear
by trunking the traffic between the two boxes.  But I don't want to have a
separate IP address pool (with associated static IP /24 and web filter /24)
for each remote site.  I would like each remote site to use the same address
pool.  So I'm looking for something like IRB.

SiteA  SiteB  SiteC  SiteD  SiteE
  |      |      |      |      |
VLAN1  VLAN2  VLAN3  VLAN4  VLAN5
  |      |      |      |      |
  ============================
               |
      802.1q tagged (1 thru 5)
               |
             7609-S
               |
          DHCP server

I could use the transport gear's VLAN-translation and drop off each site
into their own physical port on the 7609-S but have it be the same VLAN,
but that's burning more ports on both boxes than what I would like.

But perhaps I have to use separate IP address pools for each remote site.
That would have the benefit of reducing the L3-broadcast traffic.

Frank

-Original Message-
From: Arie Vayner (avayner) [mailto:avay...@cisco.com] 
Sent: Tuesday, December 15, 2009 1:32 PM
To: frnk...@iname.com; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

Can you please explain what do you want to achieve?
I think this should be done in a different way.

Also, what HW do you have?

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Frank Bulk -
iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco
7609-S (12.2(33)SRB3) on a single physical port.  I would like to use the
same group of subnets for each VLAN and I tried using loopbacks but it
doesn't work.  Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end

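An added example, not Arie's or Frank's configuration, of the ES20/ES+ EVC layout Arie describes: one service instance per remote site on a single trunk, each site keeping its own VLAN ID, all bridged into one global VLAN whose SVI is the DHCP relay. It goes one step beyond the thread by showing a third site arriving double tagged (the QinQ case Arie mentions in passing). The port, VLAN numbers, addresses and descriptions are placeholders, and the `service instance` / `bridge-domain` syntax is the 12.2(33)SR EVC syntax for ES20/ES+ line cards; it is not accepted on the WS-X6748 Frank currently has.

```ios
! Added example (not from the thread). Port, VLAN IDs, addresses and
! descriptions are placeholders. ES20/ES+ EVC syntax only.
vlan 100
 name FTTH-shared-pool
!
interface TenGigabitEthernet3/1
 description trunk from transport gear, all remote sites
 service instance 1 ethernet
  description site A, outer tag 1
  encapsulation dot1q 1
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100 split-horizon
 !
 service instance 2 ethernet
  description site B, outer tag 2
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100 split-horizon
 !
 service instance 3 ethernet
  description site C, QinQ: outer 3 from transport, inner 1 reused at the site
  encapsulation dot1q 3 second-dot1q 1
  rewrite ingress tag pop 2 symmetric
  bridge-domain 100 split-horizon
!
! One L3 endpoint for every site. "split-horizon" on each EFP stops the
! sites from being bridged to each other at L2, so subscriber-to-subscriber
! traffic has to come up through this SVI, where ACLs or policing apply;
! ip local-proxy-arp makes the router answer ARP for hosts in the same
! subnet that sit behind a different EFP. Relay settings mirror Frank's:
! option 82 inserted by the access gear is trusted and kept, which is what
! lets the DHCP server still tell sites apart on a shared subnet.
interface Vlan100
 description shared FTTH pool, all sites
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
 ip helper-address 203.0.113.10
 ip dhcp relay information trusted
 ip dhcp relay information policy-action keep
 ip local-proxy-arp
 arp timeout 300
```

Verify with `show ethernet service instance interface TenGigabitEthernet3/1` that each EFP is Up and mapped to bridge-domain 100, and with `show mac-address-table vlan 100` that MACs from all three sites land in the same VLAN.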


Re: [c-nsp] IOS Upgrade to SXI3

2009-12-15 Thread Charles Spurgeon
On Fri, Dec 11, 2009 at 07:44:33AM -0800, Bautista, Noel wrote:

 We're contemplating on upgrading our SUP 720 3BXL from
 12.2(18)SXF15a native IOS to 12.2(33)SXI3 modular IOS but I read
 from the releasenotes that the Install command has been
 deprecated.  On Cisco's Safe Harbor IOS Release, they have tested
 and recommend upgrading to modular 12.2(33)SXI3.  There's no
 explanation on why they deprecated the install command and I'm
 waiting for our Cisco SE response.  I'd appreciate any feedback from
 those people who have upgraded to SXI3, in modular or otherwise.

We upgraded three core routers to monolithic 12.2(33)SXI3 on Sunday,
Dec 13.

One of the upgraded routers started throwing SNMP input queue errors
after several hours of runtime. All three routers are polled by the
same servers asking for the same OIDs, but only one of the upgraded
routers has thrown any SNMP errors: 
Dec 14 14:19:50: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full

SNMP graphing stopped working coincident with these error msgs.

In an attempt to clear the errors we applied these commands that
were found when looking for info on this error:
snmp-server view public-view iso included
snmp-server view public-view ciscoMemoryPoolMIB excluded

Roughly coincident with applying those snmp config lines the SP CPU
went to 100 percent load, where it has remained stuck ever since. RP
CPU is running normally.

We have opened a TAC case, run a number of debugs, removed all SNMP
commands, etc. But the SP CPU is still pegged and we haven't been able
to find a smoking gun.

The biggest process load on the SP appears to be from an Async write
process:

NOCA9-sp#show proc cpu | exc 0.00
Load for five secs: 100%/13%; one minute: 99%; five minutes: 99%
Time source is hardware calendar, 10:46:59.677 CST Mon Dec 14 2009

CPU utilization for five seconds: 100%/13%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  42       52936      2280  23217  0.63%  0.07%  0.01%   0 Per-minute Jobs
  93    51573408   1269609  40621 67.46% 65.15% 64.79%   0 Async write proc
 111     2197532   3855803    569  1.91%  1.88%  1.91%   0 slcp process


We ran debug on SNMP packets and requests and found that the SNMP
traffic consists of well-behaved SNMP queries from just our set of
servers, polling only the MIB vars needed and there are no high
quantities of requests.

Meanwhile, there are an insane number of VeryBig buffers on the RP and
equally insane numbers of Medium buffers on the SP being created:

RP

VeryBig buffers, 4520 bytes (total 1013, permanent 10, peak 1016 @ 14:51:06):
 12 in free list (0 min, 100 max allowed)
 584335 hits, 21308 misses, 15077 trims, 16080 created
 14417 failures (0 no memory)


SP

Medium buffers, 256 bytes (total 30359, permanent 3000, peak 30359 @ 00:00:00):
 66 in free list (64 min, 3000 max allowed)
 1659825 hits, 9193 misses, 33 trims, 27392 created
 0 failures (0 no memory)

Other than this, we have not been able to find any other useful info.

Also, we have been seeing errors on a port-channel associated with one
of the other routers that was upgraded to SXI3. 

There have been bursts of errors received on the upstream router from
the upgraded router on the two 10GigE ints that make up the port
channel. As far as we can tell these ints were running clean until
SXI3 was loaded, but we're still investigating this issue.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurg...@its.utexas.edu / 512.475.9265


Re: [c-nsp] Loopback/VLAN question

2009-12-15 Thread Mikael Abrahamsson

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:

 Looks like I will be creating separate L3 domains.

If you can live with knowing what part of the IP pool belongs in what vlan
then you can (this works with static addresses (no dhcp) anyway) route the
individual parts of the unnumbered subnets to the vlan interface in question.

A static route to an interface means the ARP(s) will be done on that
interface, so in conjunction with local-proxy-arp (which you seem to
have missed in your conf?) you can do this:


int lo20
 ip addr 192.168.1.1 255.255.255.0
int vlan10
 ip unnumbered lo20
 ip local-proxy-arp
int vlan20
 ip unnumbered lo20
 ip local-proxy-arp
!
! each half of the /24 is routed to the vlan where those hosts live,
! so the router ARPs for the lower half on vlan10 and the upper half on vlan20
ip route 192.168.1.0 255.255.255.128 vlan10
ip route 192.168.1.128 255.255.255.128 vlan20

Now you've split this subnet into two vlans and there is still full 
communication between them. How this interacts with dhcp, I don't know. 
You should try your original conf with added ip local-proxy-arp anyway.


--
Mikael Abrahamsson    email: swm...@swm.pp.se