Re: [c-nsp] ASR etherchannel

2010-02-08 Thread Elmar K. Bins
roddy.strac...@staff.netspace.net.au (Roddy Strachan) wrote:

 Currently we run two ASR 1004's in an LNS environment, we are about to reach
 the maximum of 1GB on the port into our core network, so I'm thinking of
 ways to give us more bandwidth.  One way that came to mind was using
 etherchannel/port-channel.

 I've set this up using a 7301 to our core quite well and it seems to work.

 Has anyone had any experience with the ASR side of things?

Yes. It simply doesn't work.
(It being a dot1q trunk to a pair of 3750s in my case)

Luckily I only had to put two VLANs on that bundle, so I could disentangle
them (but lost redundancy, of course). That's 12.2(33)XNC1t, btw.

I haven't reported that bug yet, because I thought "why should it always
be me?", but I have not heard of a fix yet.

Yours,
Elmar.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Tarig Hamdi is out of the office.

2010-02-08 Thread Tarig Hamdi

I will be out of the office starting  02/08/2010 and will not return until
02/15/2010.


[c-nsp] Cisco 6506 ACL problem

2010-02-08 Thread Muhammad Jawwad Paracha
Dear All,

We are facing a problem with Cisco 6506 equipment regarding ACLs. It has
occurred 3 times that ACLs being implemented on the device stop working
for 1-2 minutes.

Appreciate if you can suggest any solution to this problem.

Thank you


[c-nsp] PGM and multicast

2010-02-08 Thread luismi
Is there anyone here using multicast and PGM?
We have several multicast services (video and audio streams) and
sometimes we have incidents because the service is not OK, and we
would like to deploy PGM to have more control.

So, my questions are...
Is it possible to manage the RX buffer of the multicast in a router to add
a delay (around 2 seconds) to avoid disruptions while PGM is asking for
the lost packet from the other hop?

Windows XP looks to support PGM; what about Linux? Any experience?

Any commercial encoder with PGM support out there?

Is it possible to collect information through SNMP about PGM stats? (I
ask this to create alarms in Nagios as well as some graphs :)

Any other comments would be welcome too.



Re: [c-nsp] Cisco 6506 ACL problem

2010-02-08 Thread John Kougoulos

On Mon, 8 Feb 2010, Muhammad Jawwad Paracha wrote:

 Dear All,

 We are facing a problem with Cisco 6506 equipment regarding ACLs. It has
 occurred 3 times that ACLs being implemented on the device stop working
 for 1-2 minutes.

Hello,

I think that I recently saw somewhere to prefer named ACLs instead of
numeric ones, because numeric ACLs are merged line by line while named
ACLs are merged when you press ^Z.

Regards,
John



[c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing?

2010-02-08 Thread Roger Wiklund
Hi

We have an MPLS customer who is running IS-IS on their LAN, and then
redistributing that into BGP to our core.

This was the original standard setup:
PE --eBGP-- CE --eBGP-- CUSTOMER (IS-IS)

So that worked just fine, but the customer wanted the IS-IS metric to be
injected into BGP MED. This can be done, but with the setup above, MED is
only sent to the CE router; after that it's removed.

So what we did was to set up eBGP multihop from the PE directly to the
customer's router. We then used BGP on the CE to the customer's router, and
from the CE to the PE we used a default route.

Now, this site is the customer's HUB site, so somewhere in their LAN they
have an Internet breakout. So the customer is injecting a default route from
their router into the MPLS.

So what happened now is that when another standard site in the MPLS tried to
reach the internet, we had a loop between the PE and CE, because the PE will
send it to the CE, and the CE will have a static default route back to the PE.

So to fix this, I skipped the static default route on the CE and enabled
eBGP between the PE and CE. That way the CE has full knowledge about both
sides.
However, this is not an optimal solution; I don't want to have 2 BGP peerings
on the PE.

So, this is what I came up with, and this is where I would like your input.

In my lab, I have the same setup, so I removed all the static routes and
dynamic routing on the CE. So basically everything is broken, because the CE
doesn't know where to send the traffic.
I then configured policy based routing, created an ACL permitting all
traffic, and created 2 route-maps that match on the ACL and set the
next hop. I then applied the route-maps to each interface on the CE.

So, when traffic comes into the CE from the PE, I match on everything and
set the next hop to the customer's router. And vice versa in the other
direction. I tested it and it worked, and it has no dynamic routing
whatsoever.

But this is just in the lab; I really can't say what will happen in the live
network.

Has anyone done anything similar? Will PBR eat up all the CPU? Any
other problems that may occur? I mean, all I want to do on the CE is shuffle
the traffic from one interface to another.

Thanks

Regards
Roger
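Roger's lab setup (a permit-all ACL, two route-maps, one policy on each CE interface), written out as an added IOS configuration example; this is not Roger's own config. The interface names and the 198.51.100.0/30 and 192.0.2.0/30 addresses are assumed placeholders from the documentation ranges.

```ios
! Added example, not Roger's configuration. CE router with no routing
! protocol and no static routes: all transit traffic is policy-routed.
! Interface names and addresses (RFC 5737 ranges) are assumed placeholders.
!
! One ACL that matches every IP packet
ip access-list extended ALL-TRAFFIC
 permit ip any any
!
! Packets that arrived from the PE are handed to the customer router...
route-map TO-CUSTOMER permit 10
 match ip address ALL-TRAFFIC
 set ip next-hop 192.0.2.2
!
! ...and packets that arrived from the customer router are handed to the PE
route-map TO-PE permit 10
 match ip address ALL-TRAFFIC
 set ip next-hop 198.51.100.1
!
! "ip policy route-map" acts on packets ENTERING the interface, so the
! PE-facing interface carries the policy whose next hop is the customer.
interface GigabitEthernet0/0
 description Link to PE (PE side is 198.51.100.1)
 ip address 198.51.100.2 255.255.255.252
 ip policy route-map TO-CUSTOMER
!
interface GigabitEthernet0/1
 description Link to customer router (customer side is 192.0.2.2)
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map TO-PE
!
! PBR does not notice a dead next hop by itself: with the link up but the
! peer down, packets keep being policy-routed toward it. The
! "set ip next-hop verify-availability <addr> <seq> track <n>" form ties
! the set clause to an object tracker; when the tracked next hop fails the
! clause is skipped and the packet falls back to the routing table, which
! on this CE is empty, so it is dropped rather than looped.
```

"show ip policy" lists which route-map is bound to each interface, and "show route-map" shows per-clause match counters, which is how to confirm that both directions are actually being policy-routed rather than process-switched through an empty routing table.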


[c-nsp] 2811 login issues

2010-02-08 Thread Chris Wopat
I have a 2811 that stopped accepting logins from its FastEthernet
interface last week out of the blue. When this happened there were no
config changes, router reboots, etc. It has a Multilink bundle
unnumbered via that FastEthernet interface and it *does* accept logins
from this direction. Config is simple, a default route via FA and a
/24 via MU.

A few other odd symptoms:

- 'copy tftp flash' will work for about 12 seconds and then begin to time out.

- telnetting from the router to anywhere immediately gives
"Destination unreachable; gateway or host down" without even really
trying.

What's even more strange is that everything works fine the first 5-10
minutes after a reboot.
It was running 12.4(15)XY1 and I was able to get it to 12.4(15)XY3 to
see if it was a bug. It's running XY for support for its HWIC-4T1/E1.

In an attempt to rule out an upstream routing problem I've added its
default gateway (3.89) to the login ACL and it gives the same symptoms
when connecting from there. It seems to be completely dropping packets
vs rejecting them as it still does if you connect from an IP not on
that ACL.

'debug ip packet' shows this when connecting via telnet or ssh:

Feb  8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0),
d=10.170.3.90, len 60, rcvd 2
Feb  8 07:45:25.892 CDT: IP: s=10.170.8.18 (FastEthernet0/0),
d=10.170.3.90, len 60, stop process pak for forus packet

Thoughts?
--Chris


Re: [c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing?

2010-02-08 Thread Phil Bedard
What kind of devices are you using?  The device will probably make more
difference than anything else with regards to PBR.  I would say generally
having the two BGP peering connections is one solution to the eBGP multihop
problem.  Another solution would be to use a tunnel (probably GRE) from the
customer router to your PE through the CE, and run eBGP directly over the
tunnel interfaces, but you still need to know how to get to the endpoints.
What about using static MEDs?  More information on what they want to accomplish
by using MEDs would be useful as well.

Phil 



[c-nsp] weird issue with IBM blade cente switch 3012

2010-02-08 Thread Alex Wa
Hi guys,

I have to configure several Cisco 3012 switches for a project and I'm kind of
stuck with an issue I can't really figure out.

This is the situation. I have a core of two 6509s to which I'm connecting 12
3012s. Most of them work fine, but with 3 of them I'm not able to ping each
other (through 2 VLAN interfaces on the same VLAN). Trunks are configured between
them, spanning tree running as it should, VLAN allowed on trunk, I even see
each other through CDP.  Let's say the 6509 side is A and the 3012 is B.

Situation #1: when you ping B from A, B has correct entries in the ARP and
MAC address tables (for A), A doesn't have them for B. A is still unable to ping B.

Situation #2: when you ping A from B, B is not able to resolve A's MAC address, so
the ARP entry for A is incomplete. But the curious thing is that even when B has A's
MAC address (situation #1) it's not able to ping A.

Debug commands show encapsulation failure (as it should with a regular
incomplete entry). Nothing in the log. Masks verified as the same.

Also tried creating it all over again with a different sequence (VLAN, int VLAN,
trunk) with the same results. And, the weirdest thing of all: it works on some
switches with the exact same config and layout!!

Comments, suggestions, ideas on what to do next? Any help will be highly
appreciated.

alejandro wainshtok


[c-nsp] Routing between site to site VPNs

2010-02-08 Thread Jonathan Soler (Europe)
Hello,

We would like to know if it is possible to forward traffic between site-to-site
VPNs that are established on the same physical interface of a router. And in a
firewall?

Jonathan



Re: [c-nsp] Routing between site to site VPNs

2010-02-08 Thread Michael K. Smith - Adhost
Hello Jonathan:

That should be possible.   See 
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
 about Intra-interface communications for the PIX/ASA.  I'm not sure if the 
same exists for routers, however.

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)




[c-nsp] ISR IPS module

2010-02-08 Thread Jay Nakamura
Has anyone used these cards on ISRs?

https://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/product_data_sheet0900aecd806c4e2a_ps2641_Products_Data_Sheet.html

Any opinions?  How effective is it?  Is it worth using?

Also, what is your opinion on doing IPS without the hardware card on
an ISR?  My experience is it bogs down the router too much and you
have to be so careful about what to include in scanning that it wasn't
worth the effort.  But that was before Cisco changed the signature
format and how it scanned traffic at around 12.4(11)T.


[c-nsp] show stats question

2010-02-08 Thread Nick Griffin
Can anyone confirm the command below, the Chars/in/out reference, are the
results listed in bytes? I'm unable to find this command documented anywhere
on CCO to get a better description of the command and its output.

The 6509 “show stats” command gives the following information:

Vlan2
 Switching path       Pkts In     Chars In    Pkts Out    Chars Out
 Processor              14342      1650437        2492       166010
 Route cache              534        55212         149        11166
 Distributed cache    7169590   6090148689     8831508   9040962158
Total                  7184466   6091854338     8834149   9041139334

Thanks,

Nick Griffin


Re: [c-nsp] Routing between site to site VPNs

2010-02-08 Thread Andrew Gabriel
If you use a Cisco Router you can have a site-to-site VPN with multiple
'tunnel' interfaces on the router, which might all make use of the same
physical interface. These work just like regular interfaces as far as
routing is concerned and you can easily route between them.

Regards,
Andrew Gabriel.


Re: [c-nsp] weird issue with IBM blade cente switch 3012

2010-02-08 Thread Matt Bennett
Have you moved the switch modules within the IBM chassis? If so you could
try putting them back in the original locations.

We've had similar connectivity issues when we'd swapped modules around in
the chassis, I think it was related to the MM not liking that serial number
appearing on a different slot.

Regards,
Matt




Re: [c-nsp] weird issue with IBM blade cente switch 3012

2010-02-08 Thread Alex Wa
Matt,
 
I'll need to ask the IBM guys if they did so. I received the switches in their 
current positions.
 
Thanks,
Alejandro Wainshtok



Re: [c-nsp] ISR IPS module

2010-02-08 Thread Łukasz Bromirski
On 2010-02-08 18:55, Jay Nakamura wrote:

 Any opinions?  How effective is it?  Is it worth using?

It is an appliance on a card, so it is as effective as the real
box, however with less performance due to a slower CPU.

 Also, what is your opinion on doing IPS without the hardware card on
 an ISR?  My experience is it bogs down the router too much and you
 have to be so careful about what to include in scanning that it wasn't
 worth the effort.  But that was before Cisco changed the signature
 format and how it scanned traffic at around 12.4(11)T.

Performance should be better at 12.4(15)T and later, but as you said,
doing inspection on traffic requires a lot of CPU cycles. The CPUs
driving ISRs are in that regard a lot slower than the x86-family CPUs
driving the add-on modules, so the outcome is obvious.

-- 
Everything will be okay in the end. |  Łukasz Bromirski
 If it's not okay, it's not the end. |   http://lukasz.bromirski.net


Re: [c-nsp] Routing between site to site VPNs

2010-02-08 Thread Imran K
You will have to supply more information on what exactly you are trying to
do here.

The Physical interface is transparent to the routing process except for
linking the tunnel to it.

You may require some *route maps* if you are trying to achieve something non
basic.


[c-nsp] 3560G as WAN-aggregation-layer

2010-02-08 Thread Jeff Bacon
Greetings. 

I know this is going to sound pretty, well, lame. But... 

I currently have a couple of routers (a 7204/NPE-G1 and a 3845)
front-ending my WAN connections, which are all metro Ethernet, mostly
gig ports which are policed at some CIR, or 100Mbit. The routers are
big, expensive, and really don't do much - oh, someday I would like to
do some QoS...someday. 

So, there is this pile of 3560Gs in the corner. I've had
less-than-impressive experiences with them as server-farm access
switches, which is why they are there. However, I'm thinking that for
handling a handful (4-6) of Gig-Es/100Ms which are mostly not running at
capacity, as long as I distribute the ports out amongst the port ASICs
(so each line has the full 2Mbit TX buffer of the port ASIC to itself),
and as long as I don't do something stupid like put all 4 ports of a
4-port etherchannel in ports 1-4, they ought to be fine. 

The switches don't need to do much - pass the traffic, run EIGRP, a
little light QoS. Our route table is tiny, relatively.

Am I going to regret this?
Conversely, how much can I really expect out of an NPE-G1? 







Re: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30

2010-02-08 Thread Jay Hennigan

Rick Kunkel wrote:

 Hello all...

 The connection between the two locations is ethernet, and the hardware
 is (well, will be as soon as we upgrade out of a 7200) a 6509 on either
 side, and I think it'd be pretty cool to run an 802.1q trunk between
 them using 6509 switchports instead of routed ports.  However, I've got
 some problems, or at least I'm having trouble wrapping my brain around
 some things...

 1. In the interests of keeping things simple, is it a bad idea to use
 an 802.1q trunk for backbone connectivity?

One thing to consider is contention for the link among the VLANs.
You'll want some form of QoS and/or rate limiting to ensure that a
particular VLAN can't choke the link.

 2. I'd normally set up this kind of point-to-point link using a /30,
 using interfaces in routed mode, and assigning the addresses to the
 interfaces on each end of the link.  If using an 802.1q trunk with
 interfaces in switchport mode, would it be advisable to use loopback
 interfaces for these addresses instead?

 3.  I'm used to having the customer's gateway set on that Gigabit
 subinterface, as above.  But if I want this customer to have their stuff
 on the same VLAN in both locations, AFAIK, I should set switchport
 access VLAN 80 on both their access ports.  I'm then stuck figuring out
 where to put the gateway address for their IP space.  Again, would
 loopback interfaces be good candidates for this?  Or perhaps a VLAN
 interface, as weird as that seems to me?

A VLAN interface is what I would use here.  You're providing a layer 2
connection between the two customer locations so their IP-layer
addresses won't show up in your routing table at all.  The VLAN
interface is needed as the gateway, with whatever subnet mask is
appropriate for the customer's network needs.  See below for why this
may not be a good idea.

 4.  My motivation for doing any of this in the first place, as opposed
 to a simple /30 point-to-point interface, is to allow customers to have
 access to layer 2 across our network, whether it be for internal use or
 for purchasing third-party connectivity.  Is it acceptable to use our
 single point-to-point ethernet for this, or should I be using a separate
 network for this entirely?

As a rule, a hybrid solution with layer 2 across the customer endpoints
with a layer 3 gateway to the Internet on a VLAN interface doesn't scale
very well.  If the customer wants their own firewall there are issues.
It isn't unusual for them to have a lot of internal traffic (file
server, etc.) with lower Internet needs.  Metering this for billing can
be an issue.

What we usually do in this scenario is to provide a layer 2 VLAN bridge
on one VLAN for the customer's internal network.  Then, on a separate
VLAN, provide Internet access to one location.  The customer can then
put their own NAT firewall between the two VLANs.

For scaling among more than two customer locations and cutting down
broadcast noise, consider MPLS with a VRF per customer and offer them a
private routed layer 3 network.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: [c-nsp] Load-sharing with two links to the same ISP

2010-02-08 Thread Aftab Siddiqui
Hi Matthew,

Keeping the current internet full feed in view, it's around 300k routes and
a Sup720-3BXL should support 1 million routes (it's Cisco though :p). So even if
you terminate the links on 2 different edges coming from the same AS it
should work fine.

If you are trying bgp bestpath as-path multipath-relax, kindly share the
outcomes because in my opinion it is used to load share between different
AS-paths. I have never tried it before.

Regards,

Aftab A. Siddiqui


On Tue, Feb 9, 2010 at 12:59 AM, Matthew Melbourne m...@melbourne.org.uk wrote:

 Thanks for the pointers towards eBGP Multipath. Can I check that this still
 works if two links are terminated on different edge routers (though with
 iBGP between the edge routers). I assume this will use additional TCAM
 resources (Sup720-3BXL) in maintaining two routes per prefix, which could be
 significant for a full BGP feed?

 Cheers,

 Matt

 -Original Message-
 From: Erik Cuevas [mailto:ecue...@fxcm.com]
 Sent: 05 February 2010 12:33
 To: Matthew Melbourne
 Subject: RE: [c-nsp] Load-sharing with two links to the same ISP

 Did you check out BGP multipath?

 http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml

 Or if the AS Path is different try...

 bgp bestpath as-path multipath-relax (it's hidden)

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Melbourne
 Sent: Friday, February 05, 2010 6:33 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Load-sharing with two links to the same ISP

 Hi,

 What techniques are available to load-share traffic on two links (of
 equal bandwidth) to the same ISP (same AS) given that BGP only enters
 the best path into the RIB? We could announce our prefixes over both
 links, but splitting the preferred path announcements over the two
 links, either using MED or ISP communities, but this only really
 addresses inbound traffic. More of an issue is trying to load-share
 outbound traffic; we assume we'll learn the same set of prefixes over
 both links from the same ISP - one technique may be to simply split
 the IPv4 address space in half and local-pref accordingly to prefer
 one link or the other depending on the destination IP prefix?

 Cheers,

 Matt

 --
 Matthew Melbourne
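The eBGP multipath setup Erik points Matt at, written out as an added IOS configuration example that is not from anyone in the thread; it covers only the single-edge-router case, not Matt's follow-up about two edge routers with iBGP between them. The AS numbers (64496 for the local side, 64500 for the ISP) and the 198.51.100.x addresses are assumed documentation-range placeholders.

```ios
! Added example, not configuration from the thread. One edge router with
! two eBGP sessions to the same ISP. ASNs 64496/64500 (RFC 5398) and the
! 198.51.100.x addresses (RFC 5737) are placeholders.
router bgp 64496
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description ISP, link 1
 neighbor 198.51.100.5 remote-as 64500
 neighbor 198.51.100.5 description ISP, link 2
 !
 ! Install up to two eBGP paths per prefix instead of only the single
 ! best path. A second path qualifies only when weight, local preference,
 ! AS-path length, origin, MED and the neighbouring AS all tie with the
 ! best path, which is the normal case for two links into the same ISP.
 maximum-paths 2
 !
 ! Only relevant when the paths come from different upstream ASes: this
 ! relaxes the "identical AS-path" requirement to "same AS-path length".
 ! For two links to one ISP the AS-paths are already identical, so it is
 ! left disabled here.
 ! bgp bestpath as-path multipath-relax
```

"show ip bgp <prefix>" marks the extra installed path as "multipath", and "show ip route <prefix>" should list both ISP next hops; if only one shows up, compare the two paths' attributes in "show ip bgp <prefix>" for whichever of weight, local preference, AS-path or MED is not tying.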