Re: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

2010-01-31 Thread Matt Buford
On Tue, Jan 26, 2010 at 7:06 AM, Sven 'Darkman' Michels s...@darkman.de wrote:

 Now the problem: ping from 6509:

 c6509#ping ip xx.xx.xx.13 repeat 5

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
 ..!.!


Your basic PVLAN configuration looks good.  Try disabling ARP inspection,
DHCP snooping, and ip verify unicast.  Enabling extra features often breaks
things, so I think it is best for you to test with the simplest config.  If
that doesn't do it, try upgrading code to at least SXF.  You could also
perhaps try pinging from a host behind the 6500 instead of pinging from the
6500 management interface itself (though you SHOULD be able to ping from the
router, and I can on my PVLANs).
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Busting up VLANs and bridging

2010-01-31 Thread Matt Buford
On Thu, Jan 28, 2010 at 6:44 PM, Security Team ci...@peakpeak.com wrote:

 What is the right way to combine IP layer 3 traffic so that it can go to
 multiple VLANs? I'm working with a Catalyst 65xx setup.

 For example, I am starting from a working setup that looks something like
 this:

 interface GigabitEthernet4/1
  speed auto
  switchport
  switchport access vlan 247
 !
 interface GigabitEthernet4/2
  speed auto
  switchport
  switchport access vlan 248
 !
 interface Vlan247
  ip address 192.168.247.1 255.255.255.0
 !
 interface Vlan248
  ip address 192.168.248.1 255.255.255.0

 Now, if I wanted to actually have a server 192.168.247.36 in Vlan247, but I
 want to make that server become a bridge so that I can give it other IP
 addresses in other blocks how would I do that?

 So let's say the *.247.36 IP of the server is working, but I want to change
 my setup so that the server also has 192.168.248.64/29 on it (i.e. I am
 busting up the .248 netblock from a /24 to smaller blocks that will be on
 different servers).

 How would I go about doing this?


In general, you should not try to break up a larger subnet that is already
on another interface unless you remove the larger subnet from the existing
interface.  Having more specifics carved out of a subnet on an interface is
messy and just a bad idea.  However, it can be done.

ip route 192.168.248.64 255.255.255.248 192.168.247.36

Then, on your server 192.168.247.36, bring up a secondary IP 192.168.248.65
with mask 255.255.255.248.  It should just work.

Some might ask, "How will other servers on VLAN 248 reach 192.168.248.65?
Won't they think it is local and try to ARP it with a broadcast on VLAN
248?"  Yes, they will.  However, because the 6500 has a more specific route
leading elsewhere and proxy ARP isn't disabled, the 6500 will answer ARPs on
VLAN 248 for 192.168.248.64/29 IPs with the 6500's own MAC.  Hosts on VLAN
248 will then send packets destined for that smaller subnet to the router,
which will then forward them on to follow the static route out VLAN 247.

You can also do this to route /32s elsewhere.  Just configure the secondary
IP on the server with a netmask of 255.255.255.255.  Windows won't let you
enter an interface IP with a /32 mask, but most/all Unix systems will.

If you need to do it for a short term problem, fine, but I really suggest
you rethink what you are trying to do if this is something you want
permanent.
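The route-plus-proxy-ARP mechanism described above, as an added example that is not part of the original post and not Cisco code: a small longest-prefix-match router model in Python with a simplified proxy-ARP rule (reply with the router's own MAC when the best route's egress interface differs from the interface the ARP request arrived on). The interface names Vlan247/Vlan248, the server address 192.168.247.36 and the /29 are the ones from the thread; the Router and Route classes and the rule itself are my simplification of IOS behaviour, written for illustration. The last lines show the caveat a hardening pass tends to trip over: `no ip proxy-arp` on Vlan248 silently breaks reachability of the carved-out /29 from the rest of VLAN 248 while the static route still looks correct.

```python
"""Longest-prefix-match routing plus the proxy-ARP decision that makes a
carved-out /29 reachable from its parent /24's VLAN.  Added example, not
from the cisco-nsp post; Router/Route and the proxy-ARP rule are a
simplified model of IOS behaviour written from scratch for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                                     # egress interface
    next_hop: Optional[ipaddress.IPv4Address] = None   # None for a connected route


@dataclass
class Router:
    routes: list = field(default_factory=list)
    proxy_arp: bool = True          # IOS default: proxy ARP enabled on interfaces

    def add_route(self, prefix: str, interface: str, next_hop: Optional[str] = None):
        self.routes.append(Route(ipaddress.ip_network(prefix), interface,
                                 ipaddress.ip_address(next_hop) if next_hop else None))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific prefix containing dst wins,
        so the static /29 beats the connected /24 for 192.168.248.64-71."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def answers_arp(self, ingress_if: str, target: str) -> bool:
        """Simplified proxy-ARP rule (model, not IOS source): reply with our own
        MAC if proxy ARP is on and the best route to the target leaves through a
        different interface than the one the ARP request came in on."""
        if not self.proxy_arp:
            return False
        r = self.lookup(target)
        return r is not None and r.interface != ingress_if


def build_example_router() -> Router:
    """Topology from the thread: Vlan247 and Vlan248 connected, plus the
    static 192.168.248.64/29 pointing at the server on Vlan247."""
    rtr = Router()
    rtr.add_route("192.168.247.0/24", "Vlan247")
    rtr.add_route("192.168.248.0/24", "Vlan248")
    rtr.add_route("192.168.248.64/29", "Vlan247", "192.168.247.36")
    return rtr


def next_hop_for(rtr: Router, dst: str) -> str:
    r = rtr.lookup(dst)
    return f"{r.interface} via {r.next_hop}" if r.next_hop else f"{r.interface} (connected)"


if __name__ == "__main__":
    rtr = build_example_router()
    for dst in ("192.168.248.65", "192.168.248.10"):
        print(dst, "->", next_hop_for(rtr, dst),
              "| proxy-ARP reply on Vlan248:", rtr.answers_arp("Vlan248", dst))
    # The hardening caveat: 'no ip proxy-arp' on Vlan248 and the /29 goes dark
    # for hosts on VLAN 248 even though 'show ip route' still looks right.
    rtr.proxy_arp = False
    print("with 'no ip proxy-arp':", rtr.answers_arp("Vlan248", "192.168.248.65"))
```

The /32 variant from the post works the same way: add a `/32` route pointing at the server and the lookup and proxy-ARP decision fall out of the same longest-prefix match.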


Re: [c-nsp] Card Throughput - 6148A-GE-TX

2010-01-31 Thread Matt Buford
On Fri, Jan 29, 2010 at 11:01 AM, Paul Stewart p...@paulstewart.org wrote:

 We are aware of what the entire card is capable of (2 Gb/s), but is there
 any way to see how much is being utilized from within IOS itself?  We can
 start counting up all the ports but is there an easier way? ;)

 Relating to this, is the card limited to 2Gb/s total or 1Gb/s per half?  We
 have a situation with a couple of these cards where they are pushing the
 potential limits and we want to make sure..


Each range of 8 ports (1-8, 9-16, 17-24, 25-32, 33-40, 41-48) has an ASIC.
 Each ASIC can do a max of 1 Gb in each direction.  If all ports on a group
of 8 were to upload and download, their combined throughput would be 1 Gb
upload and 1 Gb download.  If all ports on the card were to upload and
download at the same time, the combined throughput would be 6 Gb upload and
6 Gb download (1 Gb per group with 6 groups).

For details, including counters for dropped packets due to this issue:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC
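One way to answer the "is there an easier way to see how much is being utilized" question with the per-ASIC figures given above, as an added example that is not code from the thread or from Cisco: the script groups ports into the six 8-port ASIC groups, sums each port's input and output rate per group, and flags any group past 1 Gb/s in either direction. The `show interfaces`-style lines are constructed sample data (in practice you would feed it the real `input rate`/`output rate` lines with the interface name prepended); the slot number, port list and rates in it are invented for the demonstration.

```python
"""Per-ASIC utilisation check for a 48-port card whose ports are grouped
1-8, 9-16, ... 41-48 with 1 Gb/s per direction per group (figures from the
thread).  Added example, not from the post; SAMPLE is constructed data in the
shape of IOS 'input rate ... bps' / 'output rate ... bps' output."""
import re
from collections import defaultdict

PORTS_PER_GROUP = 8
GROUP_LIMIT_BPS = 1_000_000_000      # 1 Gb/s per direction per ASIC group

# Constructed sample, one line per port.  Slot 2 and these rates are invented.
SAMPLE = """\
GigabitEthernet2/1  input rate 400000000 bps output rate 100000000 bps
GigabitEthernet2/2  input rate 450000000 bps output rate 50000000 bps
GigabitEthernet2/7  input rate 300000000 bps output rate 20000000 bps
GigabitEthernet2/9  input rate 100000000 bps output rate 900000000 bps
GigabitEthernet2/16 input rate 50000000 bps output rate 300000000 bps
GigabitEthernet2/41 input rate 10000000 bps output rate 10000000 bps
"""

LINE_RE = re.compile(
    r"^GigabitEthernet(?P<slot>\d+)/(?P<port>\d+)\s+"
    r"input rate (?P<rx>\d+) bps\s+output rate (?P<tx>\d+) bps")


def asic_group(port: int) -> int:
    """Map a 1-based port number to its ASIC group: 0 for 1-8, 1 for 9-16, ..."""
    if port < 1:
        raise ValueError("ports are numbered from 1")
    return (port - 1) // PORTS_PER_GROUP


def group_utilisation(show_output: str) -> dict:
    """Sum per-port input (rx) and output (tx) rates into per-(slot, group) totals."""
    totals = defaultdict(lambda: {"rx": 0, "tx": 0, "ports": []})
    for line in show_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip anything that is not a rate line
        key = (int(m["slot"]), asic_group(int(m["port"])))
        totals[key]["rx"] += int(m["rx"])
        totals[key]["tx"] += int(m["tx"])
        totals[key]["ports"].append(int(m["port"]))
    return dict(totals)


def oversubscribed_groups(show_output: str, limit: int = GROUP_LIMIT_BPS) -> list:
    """(slot, group, direction, bps) for every group over its per-direction budget."""
    hot = []
    for (slot, grp), t in sorted(group_utilisation(show_output).items()):
        for direction in ("rx", "tx"):
            if t[direction] > limit:
                hot.append((slot, grp, direction, t[direction]))
    return hot


if __name__ == "__main__":
    for (slot, grp), t in sorted(group_utilisation(SAMPLE).items()):
        lo = grp * PORTS_PER_GROUP + 1
        print(f"slot {slot} ports {lo}-{lo + PORTS_PER_GROUP - 1}: "
              f"rx {t['rx'] / 1e6:.0f} Mb/s, tx {t['tx'] / 1e6:.0f} Mb/s")
    print("over budget:", oversubscribed_groups(SAMPLE))
```

Because the rate lines are averaged over `load-interval`, a group can drop packets in short bursts while the sums still look under budget; the tech note linked above is where the per-ASIC drop counters live.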


Re: [c-nsp] 7600 Rate Limiting Output

2010-01-31 Thread Rob Shakir

On 31 Jan 2010, at 03:18, Kevin Warwashana wrote:

 I was able to use the below configuration and it appears to max out the
 connection pretty close to 26mb.  I did have to tinker with the queue size
 since the default (3300+) would allow traffic to exceed and a size of 5
 didn't seem to work very well.
 
 policy-map 26MB-OUTPUT
  class class-default
shape average 2600
queue-limit 100 packets
bandwidth 26000
 
 You mentioned configuring a shaper at class-default, with an attached
 service-policy, which I believe would be adding a service policy to the
 policy map, but got:

What I meant was this:

policy-map RJS-TEST
  class class-default
    shape average 3000
    service-policy RJS-CHILD-TEST
!
policy-map RJS-CHILD-TEST
  class class-default
    police cir 2600 conform-action transmit exceed-action drop
!

Which is something that one can apply on SIP-400:

7600#sh run int giga1/0/0.4011
Building configuration...

Current configuration : 239 bytes
!
interface GigabitEthernet1/0/0.4011
 encapsulation dot1Q 4011
 ip address 192.168.88.42 255.255.255.0
 ip vrf forwarding RJS-TEST
 shutdown
 service-policy input POLICY-SET-IP-DSCP-DEFAULT
 service-policy output RJS-TEST
end

Out of interest - what IOS are you running on the 7600 in question?

Kind regards,
Rob

-- 
Rob Shakir  r...@eng.gxn.net
Network Development EngineerGX Networks/Vialtus Solutions
ddi: +44208 587 6077mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html



Re: [c-nsp] Card Throughput - 6148A-GE-TX

2010-01-31 Thread Pete Templin

I've also heard that there's a 1Gbps limit on EtherChannels - apparently 
EtherChannel packets have to be sent to each ASIC, so building any 
EtherChannels on the card could be detrimental.


pt


Re: [c-nsp] Policer on c4503

2010-01-31 Thread Doug McIntyre
On Fri, Jan 29, 2010 at 10:42:27AM +0300, Mikisa Richard wrote:
 Hi all,
 
 Any ideas why the Policer policy below does not work. Intention is for 
 me to lock down traffic to 3Mbps both ways on interface g3/11.
 
 !!
 class-map match-all ROKE-LIMIT
match access-group name ROKE-SLAP
 !
 policy-map POLICY-ROKE
class ROKE-LIMIT
   police 300 bps 3 byte conform-action transmit exceed-action drop
 !
 interface GigabitEthernet3/11
   description link to ROKE
   no switchport
   ip address x.x.x.x
   service-policy input POLICY-ROKE
   service-policy output POLICY-ROKE


Looks like the correct thing, assuming the access-group traffic is
being matched.

Do you have 'qos' enabled? It's off by default on the 4500.

It is just a simple 'qos' config option on this platform.




[c-nsp] QoS for MetroEthernet

2010-01-31 Thread omar parihuana
Hello,

I'm facing a strange problem that I think is a QoS configuration issue; I've tried
some configs without success. The situation is as follows:

Currently I have a 1Mbps serial link between two remote branches and one
application in particular, a SQL client/server application, that works fine
(there are other apps but they are not relevant now). We've contracted a
MetroEthernet link at 1Mbps between the same branches (in order to replace
the current serial link). In each site I put a router; after migrating, the SQL
app didn't work (it got stuck for a long time). Therefore I decided to raise a
GRE tunnel between both sites, applied a QoS config, and adjusted the TCP MSS,
without success: everything else works well (additional apps and voice traffic)
but the SQL app didn't work. I don't know what's happening with this app, but if
you have faced the same problem, or I need to take special considerations for the
MetroEthernet link, your comments will be appreciated.

I paste my conf:

!
!
policy-map child13
 class VOIP-TRAFFIC
  priority 200
 class DATA-IMPORTANT
  bandwidth percent 60
 class class-default
  fair-queue
policy-map tunnel13
 class class-default
  shape average 1024000
  service-policy child13
!
!
!
interface Tunnel13
 bandwidth 1000
 ip address 10.1.13.1 255.255.255.0
 ip tcp adjust-mss 1440
 load-interval 30
 qos pre-classify
 tunnel source 172.21.1.17
 tunnel destination 172.21.1.19
 service-policy output tunnel13
!
interface FastEthernet0/0
 description LAN interface
 ip address 172.16.96.6 255.255.252.0
 no ip unreachables
 no ip proxy-arp
 load-interval 30
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description MAN interface
 bandwidth 3000
 ip address 172.21.1.17 255.255.255.248
 no ip proxy-arp
 load-interval 30
 speed 100
 full-duplex


-- 
Omar E.P.T
-
Certified Networking Professionals make better Connections!


Re: [c-nsp] QoS for MetroEthernet

2010-01-31 Thread Pavel Skovajsa
Hi Omar,

No, you definitely should not take any special considerations for the Metro
link - you are the end customer, the service is transparent to you - it
moves packets back and forth.

Therefore it is hard to tell what the actual problem is. It is easy to
troubleshoot though - sniff it:
a) sniff the SQL activity with the serial link
b) sniff the SQL activity with the Metro link
c) compare and find out what types of packets do not get to the other side.

There could be a number of things that can go wrong - like the service
provider's maximum MTU, certain TOS values being dropped, etc.

-pavel

p.s. For sniffing we usually use Wireshark.

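Two of the checks the sniff-and-compare method above boils down to, as an added example that is not from the thread: (1) the GRE overhead arithmetic behind the MSS clamp in the posted tunnel config, and (2) a compare-the-two-captures step that reports, per DSCP, the largest packet sent versus the largest packet that arrived. With plain GRE (no key or sequence fields) encapsulation adds 24 bytes (4 GRE + 20 outer IP), so an MSS of 1440 yields 1440 + 40 + 24 = 1504 bytes on the wire, over a 1500-byte underlay MTU; 1436 is the largest MSS that fits. The 1500-byte underlay MTU is an assumption (FastEthernet0/1 in the posted config sets no `mtu`, so the default applies), and the two capture summaries are constructed sample data, not real captures.

```python
"""Checks for a 'works over serial, stalls over Metro Ethernet + GRE' case:
(1) does the TCP MSS clamp leave room for GRE and the outer IP header inside
the underlay MTU, (2) which packet sizes seen on the sending side never show
up on the receiving side.  Added example, not from the thread.  Assumptions:
plain GRE (24 bytes of overhead) and a 1500-byte underlay MTU; SENT and
RECEIVED are constructed capture summaries."""
from collections import Counter

IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4                        # plain GRE, no key/sequence (as in the posted tunnel)
GRE_OVERHEAD = IP_HDR + GRE_HDR    # outer IP header + GRE header = 24 bytes


def outer_size(mss: int, overhead: int = GRE_OVERHEAD) -> int:
    """Bytes on the underlay for a full-MSS TCP segment after encapsulation."""
    return mss + TCP_HDR + IP_HDR + overhead


def max_mss(underlay_mtu: int = 1500, overhead: int = GRE_OVERHEAD) -> int:
    """Largest MSS whose encapsulated packet still fits the underlay MTU."""
    return underlay_mtu - overhead - IP_HDR - TCP_HDR


def mss_fits(mss: int, underlay_mtu: int = 1500, overhead: int = GRE_OVERHEAD) -> bool:
    return outer_size(mss, overhead) <= underlay_mtu


# Constructed capture summaries: (dscp, ip_total_length) per packet, the two
# columns you would export from Wireshark on each end.  The story they tell:
# small packets and EF-marked voice arrive, full-size data segments do not.
SENT = [(0, 60)] * 5 + [(46, 200)] * 20 + [(0, 1480)] * 30 + [(0, 1436)] * 2
RECEIVED = [(0, 60)] * 5 + [(46, 200)] * 20 + [(0, 1436)] * 2


def max_size_by_dscp(packets) -> dict:
    out = {}
    for dscp, length in packets:
        out[dscp] = max(out.get(dscp, 0), length)
    return out


def diagnose(sent, received) -> dict:
    """Per DSCP: largest size sent, largest size that arrived, delivery ratio.
    A max_received well below max_sent for one DSCP, with everything smaller
    getting through, is the signature of an MTU black hole on the path
    (oversized packets dropped and the ICMP fragmentation-needed message never
    reaching the sender).  A DSCP with delivered == 0 at every size points at
    the provider dropping or remarking that TOS value instead."""
    s_max, r_max = max_size_by_dscp(sent), max_size_by_dscp(received)
    s_cnt, r_cnt = Counter(d for d, _ in sent), Counter(d for d, _ in received)
    return {
        d: {"max_sent": s_max[d],
            "max_received": r_max.get(d, 0),
            "delivered": r_cnt.get(d, 0) / s_cnt[d]}
        for d in s_max
    }


if __name__ == "__main__":
    for mss in (1460, 1440, 1436):
        print(f"MSS {mss}: {outer_size(mss)} bytes on the wire, fits 1500? {mss_fits(mss)}")
    print("largest MSS that fits a 1500-byte underlay:", max_mss())
    for dscp, r in sorted(diagnose(SENT, RECEIVED).items()):
        print(f"DSCP {dscp}: sent up to {r['max_sent']}B, received up to "
              f"{r['max_received']}B, delivered {r['delivered']:.0%}")
```

The capture-side function is deliberately keyed on (DSCP, size) only: those two fields are what a transparent Layer 2 service can still mangle, and they separate "MTU problem" from "TOS being dropped", which are the two failure modes named above.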


Re: [c-nsp] QoS for MetroEthernet

2010-01-31 Thread omar parihuana
Hi Pavel,

Unfortunately I'm in a remote location, but I'm thinking about installing
Wireshark on a client PC.

Rgds.  Thanks.

-- 
Omar E.P.T
-
Certified Networking Professionals make better Connections!


Re: [c-nsp] Nexus 2000 vs Catalyst 4948 for access layer

2010-01-31 Thread David Hughes

On 29/01/2010, at 6:54 AM, Livio Zanol Puppim wrote:

 Can anyone please tell me the advantages of using Nexus 2000 over Catalyst
 4948 as access layers switches?
 Using Nexus 2000, I have to use at least 2 ports at my Nexus 5000, that
 could be used by servers with 10GbE/FCoE servers.

The N2K does no local switching, so if you have any east-west traffic between 
ports on the same switch you'll be better served by a more traditional access 
switch.  Naturally the N2K offers centralised management etc., but that may 
or may not be of interest depending on the size of your deployment.



David
...


Re: [c-nsp] Policer on c4503

2010-01-31 Thread Mikisa Richard

Hi all,

UPDATE:
Turned out the policer was fine. Just a small tweak on the ACL got it to 
work. Otherwise grateful for all the help


Richard
