Re: [c-nsp] Policy-routing for a protocol
Hi,

On Mon, Mar 08, 2010 at 04:54:56PM -0500, Church, Charles wrote:
> Outbound seems a bit trickier. Seems like I need to policy route the
> traffic, matching on the source address of the VTC gear. The next hop
> is what I'm getting stuck on, since I could be black-holing VTC traffic
> if that BGP peer was down, but the interface was up (it's metro
> ethernet, local link doesn't guarantee BGP is up). There is a
> 'verify-availability' option, but seems to be tied to CDP, and upstream
> uses Juniper.

On the 7200, you could set the next-hop to an address that is learned via BGP from the neighbour in question.

So: the ISP will announce 10.0.0.1 to you on the 10m link (any prefix will do, but your router needs to prefer it via the 10m link - either not visible on the other link at all or force it via local-pref).

Your route-map will direct the packets via "set next-hop 10.0.0.1".

If the BGP route goes down, your router needs a floating static route

    ip route 10.0.0.1 255.255.255.255 otherlink 240

that will get installed if nothing else is there - fallback to 50m link.

Caveats:

- Traffic to 10.0.0.1 will always go to the 10m link, so pick something that will not attract lots of traffic :-)

- you need a somewhat recent IOS to support recursive next-hop resolution for policy-routing. I'm not sure when it got added, I think it was 12.3, but it could have been 12.4 - some years ago, in any case, so no need for bleeding-edge stuff

- on hardware-forwarding platforms like the 6500 and 7600, the hardware cannot do this, so you fall back to software-forwarding. No problem for your 7200, but I just want to point it out.

Alternative approaches could be the use of VRFs for routing-table isolation, but I think this would be more complicated and won't give you more benefits.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                          //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Incorrect bandwidth
Hi,

I have a 2621XM running c2600-ik9s-mz.123-22a.bin and I noticed something strange. Reports were showing utilisation of more than 100%. This can be true in some cases, but for E1 interfaces I always thought that the router calculates the correct bw depending on the number of channels used. e.g.

    router#sh run int s0/0:0
    Building configuration...

    Current configuration : 318 bytes
    !
    interface Serial0/0:0                       <-- no bandwidth configured
     description ** To PE ***
     no ip address
     encapsulation frame-relay IETF
     tx-ring-limit 2
     tx-queue-limit 2
     frame-relay lmi-type ansi
     max-reserved-bandwidth 100
     service-policy input IN-S0/0:0
     service-policy output OUT-S0/0:0
    end
    !
    router#sh interface Serial0/0:0
    Serial0/0:0 is up, line protocol is up
      Hardware is PowerQUICC Serial
      description ** To PE ***
      MTU 1500 bytes, BW 1984 Kbit, DLY 2 usec,             <-- bw 1984 kbps
         reliability 255/255, txload 6/255, rxload 56/255
      Encapsulation FRAME-RELAY IETF, loopback not set
      [output omitted]
      Timeslot(s) Used:1-31, SCC: 0, Transmitter delay is 0 flags   <-- number of timeslots used

But the bandwidth calculated for the sub-interface has a different value:

    rotuer#sh run int s0/0:0.101
    Building configuration...

    Current configuration : 175 bytes
    !
    interface Serial0/0:0.101 point-to-point     <-- also no bw statement
     description Primary VPN WAN Link
     ip unnumbered Loopback10
     ip flow ingress
     no cdp enable
     frame-relay interface-dlci 101
    !
    rotuer#sh interface Serial0/0:0.101
    Serial0/0:0.101 is up, line protocol is up
      Hardware is PowerQUICC Serial
      Description: Primary VPN WAN Link
      Interface is unnumbered. Using address of Loopback10
      MTU 1500 bytes, BW 1024 Kbit, DLY 2 usec,             <-- bw 1024 kbps
         reliability 255/255, txload 4/255, rxload 32/255
      Encapsulation FRAME-RELAY IETF
      Last clearing of "show interface" counters never

Any ideas if this is a bug? Am I missing something here?

Thanks in advance
Nasir Shaikh
Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
> I then tried changing the ISAKMP profile VRF, et voila, it worked. :-)
>
> I have reloaded the box to make sure it's not just good luck that it
> works now. It seems to work fine after a reload, with MPLS on the core
> facing interfaces.

Interesting. Are the packets arriving at the box labelled?

FWIW our tunnel outer are not in a VRF, i.e. in the default VRF, so this wasn't our issue.
[c-nsp] Spanning-Tree vs. EoMPLS links in SXI2?
Hi,

maybe a stupid question: are there any issues known with Rapid-PVSTP, EoMPLS links, and IOS SXI2?

We just had a nice problem due to a broadcast loop which should have been broken by STP in the first place, but wasn't - and investigation afterwards showed an EoMPLS link that just refuses to forward STP packets.

Here's the setup (simplified):

    R1 ==(trunk)== R2 --(MPLS cloud)-- R3 ==(trunk)== R4

the trunk carries about 100+ VLANs, so R2 and R3 are set up to do port-mode EoMPLS:

    interface GigabitEthernet2/21
     mtu 1504
     no ip address
     udld port disable
     xconnect 1.2.3.68 11310002 encapsulation mpls
    end

Spanning-Tree is active, because of redundancy requirements - the connection between R1 and R4 must not fail if R2 or R3 fail. So there is a second trunk, and second EoMPLS link (not shown above).

What I can see when I do "show spanning-tree vlan 2800" on R1, it claims this bridge is the root - and if I ask R4, R4 also claims this bridge is the root.

If I flap the trunk link, I see both sides go through the standard STP cycle (blocking/learning/forwarding), but no rapid-STP exchange takes place.

We have a number of similar links in our network, and never experienced any problem with STP over port-mode EoMPLS (nor with STP over subif EoMPLS either). The only thing that's unique about this particular link is that R3 is running SXI2, and all other (working) EoMPLS things are on SXH3a, SXI, or SXI2a.

I'll open a TAC case for this, of course, but if one of you has come across that and knows which IOS versions are problematic, that would be appreciated.

(NB: if one of you has a better suggestion to do redundant trunks for about 100-200 VLANs between R1 and R4 that does not require STP, let me know. Routed link redundancy is not possible, as there are devices to the left and right of R1 and R4 that need to be in the same L2 domain. Depending on link state of R1-R2 is also not good enough, as R2 might have some issues leading to end-to-end failure...)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                          //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] VPLS on Cisco7600 Platform
On Tue, 9 Mar 2010, Anthony Gown - Comm-AG Networks P/L wrote:
> HI, Anyone running VPLS on Cisco7600; need some assistance spec'ing the
> hardware and identifying the correct IOS to use.

Correct IOS is the SR train, however for VPLS you need either SIP/SPA cards or ES(+) cards. backbone-facing, to be exact

-- 
deejay
Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
On Tue, 2010-03-09 at 10:49 +, Phil Mayers wrote:
>> I then tried changing the ISAKMP profile VRF, et voila, it worked. :-)
>>
>> I have reloaded the box to make sure it's not just good luck that it
>> works now. It seems to work fine after a reload, with MPLS on the core
>> facing interfaces.
>
> Interesting. Are the packets arriving at the box labelled?

Yes, though just with the VPN label because of penultimate hop popping. And the encrypted traffic leaves the box tagged too.

-- 
Peter
[c-nsp] ASA output of show dhcpd binding - odd hardware address?
Greetings all:

Running 8.2(1) on an ASA 5505 and am curious if anyone can tell me what the "+.12" is after the MAC address bound to 172.20.48.37?

    Diane-VPN# show dhcpd binding
    IP address       Hardware address        Lease expiration     Type
    172.20.48.36     0019.6983.7339          536677 seconds       Automatic
    172.20.48.37     0100.0874.255f.12       537139 seconds       Automatic

The Cisco 8.2 command reference sample command output shows a similar example but with a .43 at the end of the MAC address with no explanation of the suffix. Last I checked MAC addresses were 12 characters not 14?

Many thanks again,

Jeff Wojciechowski
LAN, WAN and Telephony Administrator
Midland Paper Company
101 E Palatine Rd
Wheeling, IL 60090
tel: 847.777.2829
fax: 847.403.6829
e-mail: jeff.wojciechow...@midlandpaper.com
http://www.midlandpaper.com
[c-nsp] N1KV woes
Hi everyone,

Not sure how many folks have experience with the Nexus 1000v, but wanted to throw this out to the group to see if anyone has conquered this before. I am fresh out of ideas, and the TAC rep I am talking with right now is scratching his head in confusion as well.

Version is 4.0(4)SV1.2

I'm trying to get my SVS connection working so I can proceed with my VEM installs, but seeing this when I attempt to connect:

    N1KV-VSM1(config-svs-conn)# connect
    Note: Command execution in progress..please wait
    Note: Command execution in progress..please wait
    Note: Command execution in progress..please wait
    Note: Command execution in progress..please wait
    Note: Command execution in progress..please wait
    Note: Command execution in progress..please wait
    Note: Command execution in progress..please wait
    ERROR: [VMWARE-VIM] Operation could not be completed due to connection failure.Connection timed out.
    connect failed in tcp_connect()

Seems to indicate that I have no IP connectivity to the host at all, which is false. I can ping it, telnet to 3389/tcp, and I can also telnet to 443 from my VSM's default gateway. If I browse to https://vcenterserver from my desktop, I get a vSphere page. No ports being filtered between VSM and VCenter server.

Here's my SVS config,

    svs-domain
      domain id 91
      control vlan 1
      packet vlan 1
      svs mode L3 interface mgmt0

    svs connection VC
      protocol vmware-vim
      remote ip address <my vcenter server> port 443
      vmware dvs datacenter-name OH Datacenter

Hopefully someone else has experienced this/resolved it.

Thanks,
Ryan
[c-nsp] MAC Address 'static' and HSRP failover
Hi,

Was hoping someone could help. It's a relatively set up but I'm having a few issues.

In a nut shell, we have 2 routers connecting to two provider routers via a switch. Each router pair are running HSRP for redundancy. Switches are configured to connect devices over a single VLAN. The issue we're having is when the provider router fails over to the secondary by downing the upstream WAN interface (which it's tracking). The Provider sees this HSRP fail over but we're unable to ping the gateway.

The config is pretty vanilla but the one thing that is really strange is the fact that both switches are learning the virtual MAC and neither is purged during failover. In previous configs port-security has caused the MAC addresses to be learnt "dynamically" and obviously the virtual MAC is only seen from the active router. In this set up both switches are learning the virtual MAC from both upstream routers and then 'statically' assigning them rather than dynamic, which I believe is causing issues. It's almost behaving as though it's configured for sticky, which isn't in the config?

Has anyone seen this behaviour before.. I'm assuming it's not default?

Both switches are WS-C2960-24TT-L running 12.2(44)SE6. We have this configured on 3550s with no issues.

Thanks.

Mark.

    SW01#sh mac address-table | i 0/5
     200    0000.0c07.ac01    STATIC      Fa0/1    <-- Virtual learnt from both - STATIC??
     200    0026.cbfb.1031    STATIC      Fa0/1

    SW02#sh mac address-table | i 0/4
     200    0000.0c07.ac01    STATIC      Fa0/1    <-- Virtual learnt from both - STATIC??
     200    0026.cbfb.1075    STATIC      Fa0/1

**SWITCHPORT CONFIG CONNECTING TO PROVIDER ROUTERS**

    SW01#sh run int fa0/1
    interface FastEthernet0/1
     description Provider Primary RTR
     switchport access vlan 200
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 2
     switchport port-security
     speed 100
     duplex full
     no cdp enable
     spanning-tree portfast
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable
     spanning-tree guard root
    end

    SW02#sh run int fa0/1
    interface FastEthernet0/1
     description Provider Secondary RTR
     switchport access vlan 200
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 2
     switchport port-security
     speed 100
     duplex full
     no cdp enable
     spanning-tree portfast
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable
     spanning-tree guard root

    SW02#sh port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                   (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/1              2            2                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 1
    Max Addresses limit in System (excluding one mac per port) : 8192
[c-nsp] N7K tcam handling
Anyone know if the N7K handles tcam exhaustion more gracefully than the 6500? (If you've lived through that experience, you'll know why I'm asking.)

Docs suggest the N7K is generally smarter about handling tcam than the 6500. Or maybe NX-OS is smarter.

Here's an idea for Cisco: how about porting NX-OS to the 6500? Or release a new Sup that makes the C6K an N6.5K? I think you would make a lot of customers happy.

-- 
Tim:
Re: [c-nsp] N7K tcam handling
On Mar 9, 2010, at 11:01 PM, Tim Durack wrote:

> Anyone know if the N7K handles tcam exhaustion more gracefully than the
> 6500? (If you've lived through that experience, you'll know why I'm
> asking.)

Yes, it does, due to the EARL8. NetFlow works well, uRPF modes are flexible on a per-interface basis, ACLs don't have to be as convoluted, et al.

> Docs suggest the N7K is generally smarter about handling tcam than the
> 6500.

Right, because of EARL8.

> Or maybe NX-OS is smarter.

NX-OS is great, but it's the hardware which makes the differences you cite.

> Here's an idea for Cisco: how about porting NX-OS to the 6500?

Wouldn't make much difference with regards to the things you cite, with the current 6500 hardware.

> Or release a new Sup that makes the C6K an N6.5K? I think you would make
> a lot of customers happy.

Let your Cisco account team know this.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
Re: [c-nsp] N7K tcam handling
Hi Tim, please see inline below:

At 08:01 AM 3/9/2010, Tim Durack clamored:
> Anyone know if the N7K handles tcam exhaustion more gracefully than the
> 6500? (If you've lived through that experience, you'll know why I'm
> asking.)

Yes, it does. I say that because n7k will reject your configuration if it won't fit within the constraints of the hw resources. C6K will instead punt to software to let the RP CPU enforce the ACL (and you can probably guess the result - inband saturated CPU pegged).

Other improvements on n7k WRT ACLs:

- we rarely merge policies, the ACL TCAM is carved bank-wise mostly on a per feature basis (you can chain the banks if you have enormous ACLs)
- also, we don't try a bunch of different merge strategies to try to make things fit, driving up the CPU util
- we have a verify/commit option using config sessions, ie, you make all your ACL changes in a scratch area, then use the verify cmd to make sure it will fit in the hardware. Only then do you commit it.
- we have atomic ACL commits, ie, non traffic disruptive by default (versus a default result (deny by default) on c6k while the old entries are removed and the new installed).

> Docs suggest the N7K is generally smarter about handling tcam than the
> 6500. Or maybe NX-OS is smarter.

(IMHO,) yes, both. :P

> Here's an idea for Cisco: how about porting NX-OS to the 6500?

No committed plans.

> Or release a new Sup that makes the C6K an N6.5K?

C6K will continue to evolve and they do have a roadmap to a new sup fabric.

Hope that helps,
Tim

> I think you would make a lot of customers happy.
>
> -- 
> Tim:

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only.
Re: [c-nsp] N7K tcam handling
On Tue, Mar 9, 2010 at 12:10 PM, Tim Stevenson tstev...@cisco.com wrote:
> Yes, it does. I say that because n7k will reject your configuration if
> it won't fit within the constraints of the hw resources. C6K will
> instead punt to software to let the RP CPU enforce the ACL (and you can
> probably guess the result - inband saturated CPU pegged).
>
> Other improvements on n7k WRT ACLs:
>
> - we rarely merge policies, the ACL TCAM is carved bank-wise mostly on a
> per feature basis (you can chain the banks if you have enormous ACLs)
> - also, we don't try a bunch of different merge strategies to try to
> make things fit, driving up the CPU util
> - we have a verify/commit option using config sessions, ie, you make
> all your ACL changes in a scratch area, then use the verify cmd to make
> sure it will fit in the hardware. Only then do you commit it.
> - we have atomic ACL commits, ie, non traffic disruptive by default
> (versus a default result (deny by default) on c6k while the old entries
> are removed and the new installed).

Good to know. I was actually thinking more along the lines of: BGP peering, missing max-prefix, provider dumps 300k routes on me. What does the N7K do? (Unfortunately I know what a 6500 does.)

>> Here's an idea for Cisco: how about porting NX-OS to the 6500?
>
> No committed plans.

Too bad.

>> Or release a new Sup that makes the C6K an N6.5K?
>
> C6K will continue to evolve and they do have a roadmap to a new sup
> fabric.

Good. Hopefully it will have a 2010 generation CPU rather than something closer to Y2K.

Cisco is a business and has to make decisions accordingly. However, based on market penetration of the 6500, I would suggest Cisco is missing a big opportunity to sell a lot of Sup/Linecard upgrades to lots of loyal customers.

> Hope that helps,
> Tim
>
>> I think you would make a lot of customers happy.
>>
>> -- 
>> Tim:

-- 
Tim:
Re: [c-nsp] MAC Address 'static' and HSRP failover
On Tue, 2010-03-09 at 23:05 +1030, mark walters wrote:
[...]
> The config is pretty vanilla but the one thing that is really strange
> is the fact that both switches are learning the virtual MAC and neither
> is purged during failover. In previous configs port-security has caused
> the MAC addresses to be learnt "dynamically" and obviously the virtual
> MAC is only seen from the active router. In this set up both switches
> are learning the virtual MAC from both upstream routers and then
> 'statically' assigning them rather than dynamic, which I believe is
> causing issues.
[...]
> SW01#sh run int fa0/1
> interface FastEthernet0/1
>  description Provider Primary RTR
>  switchport access vlan 200
>  switchport mode access
>  switchport nonegotiate
>  switchport port-security maximum 2
>  switchport port-security
>  speed 100
>  duplex full
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
>  spanning-tree guard root
> end
[...]

As far as I remember, enabling port-security on a port always forces learned MAC addresses to be sticky, i.e. recorded as STATIC. It should clear if the port goes down, but not otherwise.

Any special reason for using port-security here? It doesn't really give you more security.

-- 
Peter
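As an added example (not from this thread, and not Cisco's code), a small Python checker for the condition Mark describes and Peter explains: it parses "sh mac address-table" output from several switches and reports HSRP virtual MACs that port-security has pinned as STATIC entries, which cannot move to the newly active router on failover. The table text and switch names are constructed after the lines quoted above; the HSRP virtual-MAC ranges are the documented ones (0000.0c07.acXX for v1, 0000.0c9f.fXXX for v2).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "sh mac address-table" lines quoted
# in this thread: VLAN, MAC, entry type, port; one block per switch.
SAMPLE_TABLES = {
    "SW01": """\
 200    0000.0c07.ac01    STATIC      Fa0/1
 200    0026.cbfb.1031    STATIC      Fa0/1
""",
    "SW02": """\
 200    0000.0c07.ac01    STATIC      Fa0/1
 200    0026.cbfb.1075    STATIC      Fa0/1
""",
}

ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>[A-Za-z]+)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def hsrp_group(mac):
    """Return (hsrp_version, group) if mac is an HSRP virtual MAC, else None.

    HSRPv1 virtual MACs are 0000.0c07.acXX (group = XX, 0-255);
    HSRPv2 virtual MACs are 0000.0c9f.fXXX (group = XXX, 0-4095).
    """
    raw = int(mac.replace(".", ""), 16)
    if raw >> 8 == 0x00000C07AC:
        return (1, raw & 0xFF)
    if raw >> 12 == 0x00000C9FF:
        return (2, raw & 0xFFF)
    return None


def parse_mac_table(text):
    """Parse mac-address-table lines into dicts; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["vlan"] = int(e["vlan"])
        e["mac"] = e["mac"].lower()
        e["type"] = e["type"].upper()
        entries.append(e)
    return entries


def find_pinned_virtual_macs(tables):
    """tables maps switch name -> mac-address-table text.

    Port-security turns learned addresses into STATIC entries that do not age
    out, so an HSRP virtual MAC pinned this way stays on the port it was first
    seen on instead of following the active router. Every pinned virtual MAC
    is reported; multiple_ports is set when the same virtual MAC is pinned on
    more than one switch/port, the symptom Mark saw on SW01 and SW02.
    """
    pinned = defaultdict(list)
    for switch, text in tables.items():
        for e in parse_mac_table(text):
            if e["type"] == "STATIC" and hsrp_group(e["mac"]):
                pinned[(e["vlan"], e["mac"])].append((switch, e["port"]))
    findings = []
    for (vlan, mac), places in sorted(pinned.items()):
        version, group = hsrp_group(mac)
        findings.append({
            "vlan": vlan, "mac": mac, "hsrp_version": version, "group": group,
            "pinned_on": places, "multiple_ports": len(places) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_pinned_virtual_macs(SAMPLE_TABLES):
        print(finding)
```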
Re: [c-nsp] ASA output of show dhcpd binding - odd hardware address?
There isn't a .12 appended to the end. It's actually the '01' at the front that was prepended. I think it has something to do with bootp clients vs. DHCP clients that causes the '01' to show up. I believe '01' indicates ethernet, if memory serves me correctly.

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Tuesday, March 09, 2010 10:05 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA output of show dhcpd binding - odd hardware address?

[...]
Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
> Sent: March-09-10 7:36 AM
> To: Phil Mayers
> Cc: cisco-nsp
> Subject: Re: [c-nsp] IPSec crypto map on MPLS enabled interface?
>
> On Tue, 2010-03-09 at 10:49 +, Phil Mayers wrote:
>>> I then tried changing the ISAKMP profile VRF, et voila, it worked. :-)
>>>
>>> I have reloaded the box to make sure it's not just good luck that it
>>> works now. It seems to work fine after a reload, with MPLS on the
>>> core facing interfaces.
>>
>> Interesting. Are the packets arriving at the box labelled?
>
> Yes, though just with the VPN label because of penultimate hop popping.
> And the encrypted traffic leaves the box tagged too.

Saw the same thing on a 7600 w/ vpn module. Due to penultimate hop popping the packets were unlabelled, and because isis mpls were configured on the tunnel interface traffic wouldn't egress properly without explicit null on the decapsulating node. Also found this configuration works with SRE code.

Tim
Re: [c-nsp] N7K tcam handling
Hi Tim,

Sorry about that, assumed you were talking about ACL TCAM, but you are referring to FIB TCAM.

In the scenario you mention, prefixes are installed in the FIB TCAM on a first come first served basis. Packets not matching a prefix in the FIB TCAM are punted to the CPU, but such traffic is heavily rate limited (to protect the inband/CPU), so your routing will be considerably hosed. Obviously we syslog such events.

As you probably know, n7k today has a 128K FIB TCAM, inadequate to hold full routes anyway. Near-term we will have an XL card that holds 900K prefixes. In that case, you should not run out of FIB TCAM in the case you describe, but as always, you should be sure not to miss configuring route limits filters to avoid issues, that's clearly best practice.

Hope that helps,
Tim

At 09:31 AM 3/9/2010, Tim Durack clamored:
> Good to know. I was actually thinking more along the lines of: BGP
> peering, missing max-prefix, provider dumps 300k routes on me. What
> does the N7K do? (Unfortunately I know what a 6500 does.)

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
Re: [c-nsp] Incorrect bandwidth
On Tue, Mar 9, 2010 at 03:26, nasir.sha...@bt.com wrote:
> Hi,
>
> I have a 2621XM running c2600-ik9s-mz.123-22a.bin and I noticed
> something strange. Reports were showing utilisation of more than 100%.
> This can be true in some cases, but for E1 interfaces I always thought
> that the router calculates the correct bw depending on the number of
> channels used.
[...]
> Any ideas if this is a bug? Am I missing something here?
>
> Thanks in advance
> Nasir Shaikh

I would guess that your 31 channel E1 was upgraded sometime along the way from a 16 channel service (16x64=1024). The bandwidth of the sub-interface was assigned when it was created and would not dynamically adjust after more channels were assigned to the main interface.

Andy
gawul00+c...@gmail.com
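As an added example (not from the thread, and not IOS code), a Python check of Andy's explanation: it derives the channel-group bandwidth from the "Timeslot(s) Used" line of the main interface (timeslots x 64 kbit/s), compares it with the BW the sub-interface reports, and gives the over-100% figure a utilisation report can reach when it divides by a stale sub-interface BW. The show output below is constructed after the lines Nasir quoted.

```python
import re

E1_TIMESLOT_KBPS = 64              # one E1 DS0 timeslot = 64 kbit/s
E1_DATA_TIMESLOTS = range(1, 32)   # timeslot 0 carries framing, 1-31 carry data

# Constructed after the "sh interface" output quoted in this thread.
MAIN_SHOW = """\
Serial0/0:0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1984 Kbit, DLY 20000 usec,
     reliability 255/255, txload 6/255, rxload 56/255
  Timeslot(s) Used:1-31, SCC: 0, Transmitter delay is 0 flags
"""
SUB_SHOW = """\
Serial0/0:0.101 is up, line protocol is up
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1024 Kbit, DLY 20000 usec,
     reliability 255/255, txload 4/255, rxload 32/255
"""

BW_RE = re.compile(r"\bBW (\d+) Kbit")
# '1-31' or '1-15,17-31'; stops before the ', SCC:' that follows in real output
TS_RE = re.compile(r"Timeslot\(s\) Used:\s*(\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)")


def parse_timeslots(spec):
    """Expand an IOS timeslot spec such as '1-31' or '1-15,17-31' into a sorted list."""
    slots = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo not in E1_DATA_TIMESLOTS or hi not in E1_DATA_TIMESLOTS or lo > hi:
            raise ValueError(f"bad E1 timeslot range: {part!r}")
        slots.update(range(lo, hi + 1))
    return sorted(slots)


def channel_group_kbps(spec):
    """Bandwidth IOS derives for a channel-group: timeslot count x 64 kbit/s."""
    return len(parse_timeslots(spec)) * E1_TIMESLOT_KBPS


def check_subinterface_bw(main_show, sub_show):
    """Compare the bandwidth implied by the main interface's timeslots with the
    BW the sub-interface still reports. 'stale' means the two disagree, as
    happens when channels were added after the sub-interface was created."""
    ts = TS_RE.search(main_show)
    bw = BW_RE.search(sub_show)
    if not ts or not bw:
        raise ValueError("missing 'Timeslot(s) Used' or 'BW' in show output")
    main_bw = channel_group_kbps(ts.group(1))
    sub_bw = int(bw.group(1))
    return {
        "timeslots": ts.group(1),
        "main_bw_kbps": main_bw,
        "sub_bw_kbps": sub_bw,
        "stale": sub_bw != main_bw,
        # a report that divides the measured rate by the stale sub-interface
        # BW can reach this value when the physical link is actually full
        "max_reported_util": main_bw / sub_bw,
    }


if __name__ == "__main__":
    print(check_subinterface_bw(MAIN_SHOW, SUB_SHOW))
```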
Re: [c-nsp] N7K tcam handling
On Tue, Mar 9, 2010 at 1:59 PM, Tim Stevenson tstev...@cisco.com wrote:
> As you probably know, n7k today has a 128K FIB TCAM, inadequate to hold
> full routes anyway. Near-term we will have an XL card that holds 900K
> prefixes. In that case, you should not run out of FIB TCAM in the case
> you describe, but as always, you should be sure not to miss configuring
> route limits filters to avoid issues, that's clearly best practice.
>
> Hope that helps,
> Tim

Yes, thanks.

-- 
Tim:
Re: [c-nsp] ASA output of show dhcpd binding - odd hardware address?
The heading of the column is incorrect. It says Hardware address, but what is really being presented is the DHCP Client Identifier (if sent), or hardware address.

If you would like this changed, please open a TAC case and let me know the case number. There is a bug for this, but it was closed, as there wasn't customer demand to change it.

Sincerely,
David.

Church, Charles wrote:
> There isn't a .12 appended to the end. It's actually the '01' at the
> front that was prepended. I think it has something to do with bootp
> clients vs. DHCP clients that causes the '01' to show up. I believe
> '01' indicates ethernet, if memory serves me correctly.
>
> Chuck Church
> Network Planning Engineer, CCIE #8776
> Southcom
> Harris IT Services
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski
> Sent: Tuesday, March 09, 2010 10:05 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ASA output of show dhcpd binding - odd hardware address?
>
> [...]
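As an added example (not from the thread, and not Cisco's code), a Python parser for "show dhcpd binding" output that decodes the column the way David describes and Chuck reads it: six bytes is the hardware address, seven bytes beginning with 01 is a DHCP client identifier (option 61) whose first byte is the hardware type (1 = Ethernet) followed by the client's MAC, and anything else is an opaque client-supplied identifier. The sample output is constructed after the lines Jeff quoted.

```python
import re

# Constructed sample in the shape of the ASA "show dhcpd binding" output quoted above.
SAMPLE_BINDINGS = """\
IP address       Hardware address        Lease expiration     Type
172.20.48.36     0019.6983.7339          536677 seconds       Automatic
172.20.48.37     0100.0874.255f.12       537139 seconds       Automatic
"""

BINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<hw>[0-9a-fA-F.]+)\s+"
    r"(?P<lease>\d+)\s+seconds\s+(?P<type>\w+)"
)

HTYPE_ETHERNET = 1   # ARP hardware type 1; a client puts it first in option 61


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_hw_field(field):
    """Interpret the 'Hardware address' column of show dhcpd binding.

    6 bytes: the chaddr MAC the client used.
    7 bytes starting 0x01: DHCP client identifier = htype byte + MAC.
    Anything else: an opaque client identifier. Note that option 61 is chosen
    by the client, so it identifies the lease, not necessarily real hardware.
    """
    hexstr = field.replace(".", "").lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexstr):
        raise ValueError(f"not a hex hardware field: {field!r}")
    raw = bytes.fromhex(hexstr)
    if len(raw) == 6:
        return {"kind": "mac", "htype": None, "mac": fmt_mac(raw)}
    if len(raw) == 7 and raw[0] == HTYPE_ETHERNET:
        return {"kind": "client-id", "htype": raw[0], "mac": fmt_mac(raw[1:])}
    return {"kind": "client-id", "htype": None, "mac": None, "id": raw.hex()}


def parse_bindings(text):
    """Parse binding rows; the header line and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue
        row = decode_hw_field(m["hw"])
        row.update(ip=m["ip"], lease_seconds=int(m["lease"]), type=m["type"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in parse_bindings(SAMPLE_BINDINGS):
        print(row)
```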
Re: [c-nsp] N7K tcam handling
----- Original Message -----
From: Tim Stevenson tstev...@cisco.com
To: Tim Durack tdur...@gmail.com
Cc: cisco-nsp@puck.nether.net
Sent: Tuesday, March 09, 2010 12:59 PM
Subject: Re: [c-nsp] N7K tcam handling

Hi Tim,

Sorry about that, assumed you were talking about ACL TCAM, but you are referring to FIB TCAM.

In the scenario you mention, prefixes are installed in the FIB TCAM on a first come first served basis. Packets not matching a prefix in the FIB TCAM are punted to the CPU, but such traffic is heavily rate limited (to protect the inband/CPU), so your routing will be considerably hosed. Obviously we syslog such events.

As you probably know, n7k today has a 128K FIB TCAM, inadequate to hold full routes anyway. Near-term we will have an XL card that holds 900K prefixes. In that case, you should not run out of FIB TCAM in the case you describe, but as always, you should be sure not to miss configuring route limits/filters to avoid issues, that's clearly best practice.

Hope that helps,
Tim

And I believe you are going to allow configurable allocation between ipv4 and ipv6 space.

tv
Re: [c-nsp] N7K tcam handling
Hi Tony,

The FIB TCAM is already dynamically allocated as of 4.2 (ie, no static/fixed allocation, blocks of various width entries grow/shrink as necessary). At the control plane, you can control the max prefixes for each, which naturally limits the h/w consumption to those numbers as well.

Hope that helps,
Tim

At 11:28 AM 3/9/2010, Tony Varriale clamored:
snip
And I believe you are going to allow configurable allocation between ipv4 and ipv6 space.
tv

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759
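Tim's two replies above give both the failure mode (FIB TCAM filled first come, first served, with everything that misses punted to a heavily rate-limited CPU path) and the remedy (per-peer route limits and filters, with per-address-family maximums bounding hardware consumption). The NX-OS fragment below is an added example of that remedy, not configuration from the thread or from Cisco; the AS numbers, peer addresses, list name and prefix counts are placeholders to be sized against the platform's FIB capacity (128K entries on the non-XL cards Tim mentions).

```text
! Added example (not from the thread). Placeholder values: AS 65000/65001,
! peers 192.0.2.1 and 2001:db8::1, list name TRANSIT-IN, 100000/20000 limits.
!
! Inbound filter: drop anything shorter than /8 or longer than /24 so a peer
! leaking deaggregated or bogus prefixes cannot fill the FIB TCAM.
ip prefix-list TRANSIT-IN seq 5 deny 0.0.0.0/0 le 7
ip prefix-list TRANSIT-IN seq 10 deny 0.0.0.0/0 ge 25
ip prefix-list TRANSIT-IN seq 20 permit 0.0.0.0/0 le 24
!
router bgp 65000
  neighbor 192.0.2.1 remote-as 65001
    address-family ipv4 unicast
      prefix-list TRANSIT-IN in
      ! warn at 90 %, tear the session down at the limit, retry after 30 min
      maximum-prefix 100000 90 restart 30
  neighbor 2001:db8::1 remote-as 65001
    address-family ipv6 unicast
      maximum-prefix 20000 90 restart 30
```

A peer that trips `maximum-prefix` is logged and held down until the restart timer expires, which is a far more visible failure than the silent punt path Tim describes. On the Nexus 7000, `show hardware capacity forwarding` reports per-module FIB TCAM utilisation, so the limits can be checked against what the hardware actually holds.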
Re: [c-nsp] N7K tcam handling
Hi,

On Tue, Mar 09, 2010 at 11:01:47AM -0500, Tim Durack wrote:
Here's an idea for Cisco: how about porting NX-OS to the 6500? Or release a new Sup that makes the C6K an N6.5K? I think you would make a lot of customers happy.

Seconded. Wanna-have! (Only positive words in here!!)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] N7K tcam handling
Hi,

On Tue, Mar 09, 2010 at 09:10:55AM -0800, Tim Stevenson wrote:
C6K will continue to evolve and they do have a roadmap to a new sup & fabric.

New sup and fabric is nice and dandy, but a working OS with modularity, memory protection and all the 21st century stuff (= NX-OS :) ) would be much more appreciated.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] GSR: Failed to Allocate MBUS Channel / Fabric Handling Failed: Invalid bandwidth mode.
Bharath,

You didn't send the requested sh contr fia from the attach sessions to the LCs. Anyhow, the error messages below indicate your fabric bandwidth mode is invalid. This should be corrected. Remember, the 12012 can operate in full and quarter (with only Eng 0 LCs support) bandwidth. See http://bit.ly/ce3Dx7 for more on troubleshooting the switch fabric.

/eninja

On Mon, Mar 8, 2010 at 5:39 PM, bharath kondi bluffmaster4hea...@gmail.com wrote:

Hi Eninja,

Thanks for your reply. Kindly check the below finding from the router you asked for. I didn't do anything, I just left it like that for 45 mins after I lost connection. After 45 mins I got the connection back, but all the LCs were restarted according to the log.

Thanks and Best Regards,
Bharath

#show controllers fia
Fabric configuration: 2.4Gbps bandwidth, nonredundant fabric
Master Scheduler: Slot 17
Fab epoch no 128    Halt count 0

From Fabric FIA Errors
----------------------
redund fifo parity  0    redund overflow  0    cell drops  0
crc32 lkup parity   0    cell parity      0    crc32       0

Switch cards present    0x001E    Slots 17 18 19 20
Switch cards monitored  0x001E    Slots 17 18 19 20

Slot:    16     17     18     19     20
Name:    csc0   csc1   sfc0   sfc1   sfc2
los      0      0      0      0      0
state    Off    Off    Off    Off    Off
crc16    0      0      0      0      0

To Fabric FIA Errors
--------------------
sca not pres   0    req error       0    uni fifo overflow   0
grant parity   0    multi req       0    uni fifo undrflow   0
cntrl parity   0    uni req         0    crc32 lkup parity   0
multi fifo     0    empty dst req   0    handshake error     0
cell parity    0

#show controllers errors
        SCA     SCA     SCA     XBAR    CLK
        FPGA    LC_ENA  BP_FRC  LC_PRE  SEL_IDL CLKSTS
SLOT0   OK      OK      OK      OK      OK
SLOT1   OK      OK      OK      OK      OK
SLOT3   OK      OK      OK      OK      OK
SLOT5   OK      OK      OK      OK      OK
SLOT7   OK      OK      OK      OK      OK
SLOT8   OK      OK      OK      OK      OK
SLOT10  OK      OK      OK      OK      OK
Fabric error handling : enabled

Current log:
*Mar 8 01:48:27.698: %FABRIC-0-OPERATIONAL: Fabric handling failed: Invalid bandwidth mode
*Mar 8 01:51:32.238: %FABRIC-0-OPERATIONAL: Fabric handling failed: Self ping failed after fab reconfiguration
*Mar 8 01:53:56.426: %FABRIC-0-OPERATIONAL: Fabric handling failed: Invalid bandwidth mode
*Mar 8 01:59:06.061: %FABRIC-0-OPERATIONAL: Fabric handling failed: Invalid bandwidth mode

On Tue, Mar 9, 2010 at 5:06 AM, Eninja eni...@gmail.com wrote:

Bharath,

Your logs below suggest that this chain of events started with fabric/active RP problems. What does a 'sh contr fia' look like from the RP and an attach session to all LCs? Also, what do the logs say now? Finally, what changes were made to this device prior to all the errors?

/Eninja

On Mar 8, 2010, at 2:48 PM, bharath kondi bluffmaster4hea...@gmail.com wrote:

Hi Everyone,

Good day to you. I have some issues with our GSR 12012 router, kindly check the below log. This log was taken just before I lost connection to my router. Can anyone tell me what is wrong with our router? I am also attaching the log after I hard rebooted the GSR. Once I hard rebooted, everything went back to normal for some time only; after 45 mins I again lost connectivity and all the BGP sessions went down, but the physical interfaces were UP connecting to other switches directly. The second time I hard reset and I got connectivity, but after 20 mins I lost connection. This time I didn't hard reboot, I waited for more than 30 mins, then automatically I got the connection back and until now it is working fine. I am attaching the log after I got the connection back automatically without rebooting the router. Kindly please help me, I will be very much thankful to you guys.

This is the first log before I lost connection to my router:

SEC 1:
*Mar 8 00:00:38.447: %RP-3-FABRIC_UNI: Unicast send timed out (0)
*Mar 8 00:00:39.887: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
*Mar 8 00:00:43.683: %RP-3-FABRIC_UNI: Unicast send timed out (0)
*Mar 8 00:01:09.799: %RP-3-FABRIC_UNI: Unicast send timed out (1)
*Mar 8 00:01:10.619: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to RP SWITCHOVER PING ERROR error from slot 1
*Mar 8
Re: [c-nsp] Spanning-Tree vs. EoMPLS links in SXI2?
On Tue, 2010-03-09 at 21:26 +0100, Gert Doering wrote:
On cisco.com, I found configuration options for 12.0S on GSRs to enable/disable forwarding of VTP, STP, CDP individually (l2protocol stp ...), but that's not available on SXI2. There seems to be a l2protocol-tunnel proto interface config command, but it's only for switchports.

As I have understood the way the PFC does EoMPLS port-mode, it simply forwards any incoming frame without discrimination. It should (AFAIK) not discern between data, CDP, UDLD, STP or whatever.

It sure does sound like a bug, an SXI2 specific bug. We currently don't have any available switches to test anything on, though I would've liked to see if I could reproduce.

--
Peter
[c-nsp] SXI4 release date?
Hi folks,

Anybody heard anything as to when SXI4 will be made available? We're currently debating deploying a dev image due to a bug in SXI3 affecting VSS operation, but if it's coming Real Soon Now, we may just stay with the devil we know.

Thanks in advance,

--Adam
Re: [c-nsp] SXI4 release date?
I hear that it's supposed to be at some point in April. I'm sitting on a CSM sync bug in SXI3 that is supposed to be fixed in 4.

On 2010-03-09, at 5:13 PM, Adam Korab adam.ko...@gmail.com wrote:

Hi folks,

Anybody heard anything as to when SXI4 will be made available? We're currently debating deploying a dev image due to a bug in SXI3 affecting VSS operation, but if it's coming Real Soon Now, we may just stay with the devil we know.

Thanks in advance,

--Adam
[c-nsp] changing password on catos
Hello,

I was trying to change the password on CatOS, and this is how the device responded. I want to know whether this (Usage: set password) is just a warning or the password has never been changed! Since I use TACACS and the device is in a remote place, I can't test the POLR right now.

6509 (enable) set password testpass
Usage: set password
6509 (enable) set enablepass testpass
Usage: set enablepass
6509 (enable)
6509 (enable)

sony
Re: [c-nsp] changing password on catos
Hi,

On Wed, Mar 10, 2010 at 12:16 PM, Sony Scaria sony.sca...@gmail.com wrote:
I was trying to change the password on CatOS, and this is how the device responded. I want to know whether this (Usage: set password) is just a warning or the password has never been changed! Since I use TACACS and the device is in a remote place, I can't test the POLR right now.

If memory serves, CatOS wants the password to be entered interactively, e.g.:

set password
blah
set enablepass
secret123

Just press ENTER after 'set password' and see what happens.

cheers,
Dale
Re: [c-nsp] rtmcmd.sh generates errors
On 03/06/2010 04:32 AM, Abdel Bidar wrote:

Hi Guys,

I would like to use mrtg to report on our SCE. I have followed Cisco documentation. When I run the script rtmcmd.sh I get some errors. Has someone had the same issues? I am running on a Linux server.

Thanks
Regards
Abdel

Manager_server:/mrtg/bin# ./rtmcmd.sh --sce=22.20.135.7 --pqb-sce 22.20.135.7 -U admin -P Mario22 --source-dir=/mrtg/templates --dest-dir=/mrtg/output -c ./rtmcmd.cfg
connecting to 22.20.135.7 ... done
retrieving service configuration from SCE ... done
disconnecting from device ... done
loading user configuration from file 'rtmcmd.cfg' ... done
processing templates from '/mrtg/templates' to '/mrtg/output' ...
Mar 5, 2010 6:45:48 PM freemarker.log.JDK14LoggerFactory$JDK14Logger error
SEVERE: Expression colorList[serviceCounter_index] is undefined on line 99, column 52 in common/bw_per_service.ftl.
The problematic instruction:
----------
==> ${colorList[serviceCounter_index]} [on line 99, column 50 in common/bw_per_service.ftl]
 in user-directive drawReport [on line 2, column 1 in common/report_page_bottom.ftl]
 in include report_page_bottom.ftl [on line 113, column 1 in common/bw_per_service.ftl]
 in include ../common/bw_per_service.ftl [on line 8, column 1 in report-cgi/link1_down_bw.cgi.ftl]
----------
Java backtrace for programmers:
----------
freemarker.core.InvalidReferenceException: Expression colorList[serviceCounter_index] is undefined on line 99, column 52 in common/bw_per_service.ftl.

In the RTM templates folder, locate the file \templates\common\common_report_include.ftl.

Paste the following code at the end of this file:

<#assign colorList=[CC, 66, 00CC00, CC00CC, 996600, CC, 00, FF6600, FF66FF, CCFF00, 99CC00, CC, FF0033, FF99FF, 99, 33FF00, FF, CC0033, 66CC00, FF, 33, 00FF99, 9933CC, FFCC33, 336600, 3300FF, 66, 663300, 0033FF, 00FF33, 99, 99CCFF, 00, 33, 33CCFF, 00, CC0099, 66CCFF, 00, CC, 00FF66, 993300, FF, 33, 66, 33, 33, CC00FF, 66, 66FFCC, FF, 009933, 99, 99, FF00FF, 66, 00, 33, CC33FF, CC9900, 66FF99, 0033CC, 990033, 99FFCC, FF33FF, FFCC00, 33CC99, 33, CC33CC, CCFF33, 003300, 00, 9933FF, 00, 99, FF, 33CC33, CC3300, CC99FF, 66FF33, 003366, 9966FF, 99FF33, FF3300, 3366CC, CCFF66, FF, 336633, 99, 6600FF, 006633, 00, 9900CC, 99FF00, 00CC99, 990066, FF99CC, 33CC00, 3300CC, CC, CCFFCC, 00CC33, 993366, 99, 009900, 990099, FF, 339933, CC0066, 66, 006600, 993399, 33FFCC, FF9900, 330033, 3399FF, CCFF99, 66, 00CCFF, FFCC66, 330066, 6699FF, 66FF00, 99, CC, FF, 33FF33, 6633FF, FFCC99] />

Run RTMCMD again.

Best regards,
Alexey Ponomarev
Directorate for Special Projects
OAO Delovaya Set - Irkutsk
+7 3952 510506
[c-nsp] Cisco VPN Client Assigns Incorrect Default Gateway
Hi Guys,

I am hoping someone may be able to help me out here. I am trying to assign a block of IP Addresses to my VPN clients (specifically the subnet 192.168.254.0/24) that is not in use on the internal network. For some reason the clients are assigned a default gateway even though this is not configured. Is there a way to make sure the VPN client does not assign a default gateway? I assumed if I was tunnelling all traffic then the default gateway would not be required? The reason I ask this is because the VPN client just seems to assign a random default gateway and as a result routing does not work. See below for config.

username vpntest password encrypted
username vpntest attributes
 vpn-group-policy vpntest
!
group-policy vpntest internal
group-policy vpntest attributes
 banner value Welcome to Test *
 dns-server value x.x.x.x
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 default-domain value xxx
!
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool new
 default-group-policy vpntest
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
!
ip local pool new 192.168.254.1-192.168.254.254 mask 255.255.255.0
!

Any thoughts?

Thanks,
Aaron.
[c-nsp] 3560 leaking broadcasts
Hi folks,

Has anyone ever seen broadcasts leaking from an SVI into a layer 3 interface on a 3560?

We've got a managed Ethernet link between a 3560G-48TS (Auckland, 12.2(50)SE1 IP Services) and a 3750G-24TS (Sydney, 12.2(53)SE IP Services) configured as a /31 layer 3 interface on both sides. The link runs OSPF in area 64, and PIM sparse mode. Both Sydney and Auckland have a number of SVIs.

[Hosts] -- VLAN 11 -- SVI11 [Sydney] L3 -- /31 link -- L3 [Auckland]

Sydney config:

interface GigabitEthernet1/0/25
 description Auckland:Gi0/47
 no switchport
 ip address x.x.x.193 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 50
 speed nonegotiate
 priority-queue out
 service-policy input SET-DSCP-TRUST

Auckland config:

interface GigabitEthernet0/47
 description Sydney:Gi1/0/25
 no switchport
 ip address x.x.x.192 255.255.255.254
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 200
 speed 100
 duplex full
 priority-queue out
 service-policy input SET-DSCP-TRUST

On the Auckland 3560, OSPF constantly reports a mismatched area ID, even though the area 64 session is up. PIM shows two neighbors, even though it's a point to point link. The IP address listed in both messages is the Sydney 3750's Vlan11 address.

Mar 10 19:53:14.662 NZDT: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID, from backbone area must be virtual-link but not found from x.x.x.138, GigabitEthernet0/47

Auckland#show ip pim nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires       Ver   DR
Address                                                                Prio/Mode
x.x.x.138         GigabitEthernet0/47      02:25:20/00:01:20    v2    1 / S P
x.x.x.193         GigabitEthernet0/47      02:25:21/00:01:37    v2    1 / DR S P

Some debugging revealed something odd - when performing 'show mac-address-table' on the internally assigned VLAN for Gi1/0/25 on Sydney, I see MAC addresses listed against VLAN 11.
Sydney#show vlan int usage
VLAN Usage
---- --------------------
1006 GigabitEthernet1/0/3
1007 GigabitEthernet1/0/25

Sydney#show mac-address-table vlan 1007
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.        STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.        STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ..                STATIC      CPU
  11    0012.80bf.1718    DYNAMIC     Gi1/0/24
  11    0012.80bf.1743    DYNAMIC     Gi1/0/24
  11    0015.c695.b495    DYNAMIC     Gi1/0/1
  11    0015.c6fa.1e35    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 24

Sydney#show run int vlan11
Building configuration...

Current configuration : 185 bytes
!
interface Vlan11
 description ASA Network
 ip address x.x.x.138 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf cost 5
end

I quickly threw it together in the lab and couldn't ping between a host on the VLAN and Auckland, so suspect it's broadcast/multicast traffic only. Hunting around the network, this appears to happen on every 3560, 3560E, and 3750 I could find. 6500 Sup720 doesn't seem to be impacted.

Other than the error message (which is uncommon, most links are in the same OSPF area) and the PIM neighbors (new rollout), I can't see anything that's actually causing a problem. Although I'm concerned if there's a broadcast storm, we may exhaust bandwidth on routed links.

So, has anyone seen this before? Is it a bug or design limitation on the 3560/3750 platform? Is there any other way to make layer 3 interfaces work other than a hardware upgrade?

Thanks,
- I.