Re: [c-nsp] ASA NAT problem
Hi Eric,

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#problem

Simple nslookup will do the trick. Are you by any chance using the internal DNS server? ASA needs to inspect the DNS query response message in order to rewrite the address field with the internal IP address value (10.1.1.6 in this case).

HTH,
Andrew

On Apr 29, 2010, at 11:45 PM, Eric Magutu wrote:

> Hi,
>
> Apologies for the cross posting. I have a problem with a NAT on my network. A private IP has been NATed to a public IP on my network. The public IP can't be reached from within my network but it can from outside. I have tried to implement dns doctoring with no success. This is what I have added in my config:
>
>   static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255 dns
>
>   policy-map type inspect dns preset_dns_map
>    parameters
>     message-length maximum 2048
>   policy-map global_policy
>    class inspection_default
>     inspect ftp
>     inspect h323 h225
>     inspect h323 ras
>     inspect rsh
>     inspect rtsp
>     inspect esmtp
>     inspect sqlnet
>     inspect skinny
>     inspect sunrpc
>     inspect xdmcp
>     inspect sip
>     inspect netbios
>     inspect tftp
>     inspect http
>     inspect icmp
>     inspect dns preset_dns_map
>   !
>   service-policy global_policy global
>
> How do I verify that the dns rewrite is actually taking place? Is there something wrong with my config?
>
> --
> Regards,
> Eric Magutu

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
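The rewrite Andrew describes, modelled in Python as an added example (not code from the post or from Cisco): a minimal DNS response walker that swaps A-record answers carrying the mapped public address for the inside address from Eric's static entry (209.165.201.15 -> 10.1.1.6), plus the before/after comparison that the suggested nslookup check amounts to. The DNS message and the second address are constructed sample data.

```python
"""DNS doctoring (the ASA "static ... dns" rewrite) reproduced in Python.

Added example, not from the original post or from Cisco: a simplified model
of what the DNS inspection does to A records in a reply, and the check an
inside host would do with nslookup. The response below is constructed.
"""
import socket
import struct

# static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255 dns
NAT_MAP = {"209.165.201.15": "10.1.1.6"}


def _skip_name(msg, off):
    """Offset just past the name at off; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each answer RR."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """A-record addresses in answer order, i.e. what nslookup would print."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for rtype, rclass, off, rdlen in _answers(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_response(msg, nat_map=NAT_MAP):
    """Rewrite A records that carry a mapped public address to the inside address."""
    out = bytearray(msg)
    for rtype, rclass, off, rdlen in _answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = socket.inet_ntoa(msg[off:off + 4])
            if public in nat_map:
                out[off:off + 4] = socket.inet_aton(nat_map[public])
    return bytes(out)


def rewrites(original, doctored):
    """(public, inside) pairs that changed; an empty list means no doctoring happened."""
    return [(a, b) for a, b in zip(a_records(original), a_records(doctored)) if a != b]


def build_response(name, addrs, txn_id=0x1234):
    """Construct a reply with one question and one A record per address (sample data)."""
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # each answer names the owner via a compression pointer to the question (offset 12)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(a) for a in addrs)
    return header + question + answers


# constructed: the mapped address plus an unrelated one that must pass through untouched
SAMPLE = build_response("www.example.com", ["209.165.201.15", "198.51.100.7"])
```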
Re: [c-nsp] VPLS with L3VPN access
Pshem,

This is supported on 7600 with ES20/ES+/SIP modules (which are required for VPLS). Basically you can xconnect a SVI (either to VPLS or a point to point PW) and then configure different L3 features on it:

- IP address and IP VRF
- ACLs
- PBR
- Routing protocols: OSPF, RIP, EIGRP, ISIS, BGP
- Netflow
- QoS Policing for SVI
- IP unnumbered
- Mcast routing, IGMP, PIM
- HSRP/VRRP/GLBP

This can allow really interesting topologies with HSRP across the MPLS core etc.

7200 in general does not support VPLS.

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pshem Kowalczyk
Sent: Friday, April 30, 2010 07:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VPLS with L3VPN access

Hi,

I'm trying to get an answer to the following question, and so far the cisco website hasn't been very helpful (most probably because I don't know the cisco term for the feature).

Is it possible on cisco software platforms (like 72xx) to configure a VPLS and somehow connect it to a L3VPN (on the same PE)? If not on the software ones - then what devices would support that? I'm not talking about mass deployment (1 or two AC per PE, handful of PEs).

kind regards
Pshem
Re: [c-nsp] SCE 8000 with 2*SCM-E
I cannot find the protocol pack for 3.6. It is required to upgrade from 3.5.5 as I understood. Does anyone have the solution for this problem?

2010/4/23 Ruslan Pustovoytov ru...@inbox.ru

> Mikhail,
>
> I have no 3.5.5 soft. Our cisco partner gave me release notes for 3.6.0 where cisco announce 30gig performance and 16M flows for 2 SCME. So, I do not see any reason to stay on 3.5.5.
>
>> Did it work on SCOS 3.5.5 or only in 3.6?
>>
>> On 22 April 2010 17:16, Ruslan Pustovoytov ru...@inbox.ru wrote:
>>
>>> Yes.
>>>
>>>> Did anyone try 2 SCME-E modules in one chassis with new software?
>>>>
>>>> On 22 April 2010 15:41, Ruslan Pustovoytov ru...@inbox.ru wrote:
>>>>
>>>>> We test this release in production from 20 april. I see that bypass does not work if I take out any optics from SIP. It works only when I reload SCE or take out SIP from chassis. But I have no big experience with SCE. Did anybody try this release in production?
>>>>>
>>>>> 2010/4/17 Yann Gauteron ygaute...@gmail.com
>>>>>
>>>>>> 3.6 is out since Tuesday this week :-)
>>>>>>
>>>>>> 2010/3/18 Mikhail Schedrin msched...@gmail.com
>>>>>>
>>>>>>> Sorry that I didn't answer for so much time. As I got to know from cisco engineers 2 SCMs are supported only by software 3.6 that hasn't been released yet. I did open a TAC case, they don't know that 2 SCMs are not supported by 3.5.5. They also do not have 2 SCMs in a lab to test it :(
>>>>>>>
>>>>>>> On 3 March 2010 19:17, Ghattas Jacob gates...@gmail.com wrote:
>>>>>>>
>>>>>>>> Mikhail,
>>>>>>>>
>>>>>>>> Be sure both sce have the same pkg installed before you insert the second one to the sce. Which version are you running as it should be 3.6 and higher...
>>>>>>>>
>>>>>>>> Jacob
>>>>>>>>
>>>>>>>> On Wed, Mar 3, 2010 at 5:17 PM, Arie Vayner (avayner) avay...@cisco.com wrote:
>>>>>>>>
>>>>>>>>> Mikhail,
>>>>>>>>>
>>>>>>>>> I recommend you open a TAC case, as this could be a hardware problem, but it requires some debugging...
>>>>>>>>>
>>>>>>>>> Arie
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mikhail Schedrin
>>>>>>>>> Sent: Wednesday, March 03, 2010 11:46
>>>>>>>>> To: cisco-nsp@puck.nether.net
>>>>>>>>> Subject: [c-nsp] SCE 8000 with 2*SCM-E
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> Does anybody have the experience of using SCE8000 with two SCM-E modules? We got the second SCM-E a couple of days ago and SCE always boots in recovery mode when I install the second module. I could not find any
Re: [c-nsp] Weird Web Browsing Issues On ADSL Circuit
Hi,

Sounds more like an MTU issue to me.

Best regards,
Jan

On 04/29/2010 11:54 PM, Joel M Snyder wrote:
>> I have an ADSL customer who uses a Cisco 1841 CPE for Bonded ADSL. Circuit has worked perfectly for the past one year, but all of a sudden, out of nowhere, web browsing suddenly stopped working! yesterday
>
> 99% of the time when we see this symptom (especially since you said it works fine for a minute or two), it's because some malware on the customer side is filling up the NAT table. Sniff the incoming packets or look at the session table on the CPE or both.
>
> Alternatively, have the customer unplug everything but a single device (like a known-good laptop) and see if the problem does not come back after a reboot.
>
> jms
Re: [c-nsp] VPLS with L3VPN access
Pshem,

7200 supports only the control plane part of VPLS (for example doing BGP RR for VPLS auto discovery) but no data plane for VPLS.

Arie

-----Original Message-----
From: Pshem Kowalczyk [mailto:pshe...@gmail.com]
Sent: Friday, April 30, 2010 12:34
To: Arie Vayner (avayner)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPLS with L3VPN access

Hi,

According to the feature navigator bgp signalled vpls is on 7200 since 12.2(33)SRC (I haven't tested it yet).

kind regards
Pshem

On 30 April 2010 21:11, Arie Vayner (avayner) avay...@cisco.com wrote:
Re: [c-nsp] Native VLAN and DHCP
Chris,

To my understanding, this should work... Are you sure the AP is sending the DHCP request untagged?

BTW, you mentioned the AP is acting as DHCP *server* - is it server or client?

I would suggest that you just SPAN the port of the AP and put a sniffer on it so you can see what is going on during the boot up process.

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Gotstein
Sent: Friday, April 30, 2010 00:33
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Native VLAN and DHCP

I've got a WS-C3560G-24TS switch doing L3. We are running multiple VLANs, each VLAN has its own subnet, and the clients are getting their IP addresses from a MS DHCP server using the ip helper-address command for each VLAN interface.

Problem: Setting up HP access points and controller. Want to use VLAN 3 as the native VLAN for the HP APs. Port that the AP is connected to is configured as the following:

  interface GigabitEthernet0/13
   description Connect to HP AP
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 3
   switchport trunk allowed vlan 3,10,20,25,100
   switchport mode trunk

The controller is acting as the DHCP server, which is also on VLAN 3. But when the AP boots up, it takes a long time for it to get an IP address, and when it does finally get one, it's from a random VLAN of the listed allowed VLANs, and not from VLAN 3. I'm not sure if I'm missing something or if I'm just unable to use the native vlan command in this fashion. Any advice? Thanks.

--
Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com
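The check Arie suggests (SPAN the AP port, sniff, see whether the DHCP request is tagged), as an added Python example that is not code from the post: it decodes captured Ethernet frames, reports the 802.1Q VLAN tag if one is present and the DHCP message type, and tallies the AP's DISCOVER/REQUEST frames by tag state so "untagged, should land in native VLAN 3" versus "tagged VLAN 10" is visible at a glance. The frames and the AP MAC address are constructed sample data.

```python
"""Is the DHCP client request tagged or untagged? Decoding frames from a SPAN capture.

Added example, not from the original post: frame decoder plus a per-tag-state
tally of DHCP client messages. Sample frames are constructed in build_dhcp_discover.
"""
import struct
from collections import Counter

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame):
    """Return {'src_mac', 'vlan', 'dhcp'}; vlan is None for an untagged frame."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    off, vlan = 14, None
    if ethertype == 0x8100:                         # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    info = {"src_mac": _mac(frame[6:12]), "vlan": vlan, "dhcp": None}
    if ethertype != 0x0800:                         # not IPv4
        return info
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:                        # not UDP
        return info
    udp = off + ihl
    _sport, dport = struct.unpack_from("!HH", frame, udp)
    if dport not in (67, 68):                       # not BOOTP/DHCP
        return info
    bootp = udp + 8
    # 236-byte BOOTP fixed header, then the DHCP magic cookie and options
    if frame[bootp + 236:bootp + 240] != b"\x63\x82\x53\x63":
        return info
    pos = bootp + 240
    while pos < len(frame) and frame[pos] != 255:   # 255 = end option
        code, length = frame[pos], frame[pos + 1]
        if code == 53:                              # DHCP message type
            info["dhcp"] = DHCP_TYPES.get(frame[pos + 2], f"type{frame[pos + 2]}")
            break
        pos += 2 + length
    return info


def tag_state_of_client_requests(frames):
    """Count DHCP DISCOVER/REQUEST frames as 'untagged' or 'vlan N'."""
    counts = Counter()
    for frame in frames:
        d = decode_frame(frame)
        if d["dhcp"] in ("DISCOVER", "REQUEST"):
            counts["untagged" if d["vlan"] is None else f"vlan {d['vlan']}"] += 1
    return counts


def build_dhcp_discover(src_mac, vlan=None, xid=0x3903F326):
    """Construct a DHCPDISCOVER frame (sample data; IP/UDP checksums left at zero)."""
    options = bytes([53, 1, 1, 255])                # message type = DISCOVER, end
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        src_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    payload = bootp + b"\x63\x82\x53\x63" + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + src_mac
    if vlan is None:
        return eth + struct.pack("!H", 0x0800) + ip
    return eth + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip


AP_MAC = bytes.fromhex("001122334455")               # constructed
SAMPLE_FRAMES = [
    build_dhcp_discover(AP_MAC),                     # untagged -> native VLAN 3 on the trunk
    build_dhcp_discover(AP_MAC, vlan=10),            # tagged, would be served from VLAN 10
    build_dhcp_discover(AP_MAC, vlan=20),
]
```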
[c-nsp] BGP for Managers Book
Hi,

I would be conducting a 1-day BGP training course for senior technology/IT personnel of a big telco in my country. My attendees include managers, senior managers, general manager, and possibly the CIO. The course should not have anything about configuration. The course is expected to provide them authoritative instruction on the operation of the protocol, feature concepts, attributes and how they are used to effect policies and requirements, and other considerations.

Doing the above is not my problem. However, they also want me to recommend a BGP book written specifically for technology managers. The book should not have a lot of pages. Have you found any BGP publication that was useful for such a purpose?

Thanks.
Felix
Re: [c-nsp] Native VLAN and DHCP
According to HP, the dhcp request is untagged. I will try running a sniffer to see what's going on. The controller is acting as the DHCP server on vlan 3 just for the APs. I had also tried using the MS DHCP server for the APs, but that had the same results as well.

On 4/30/2010 6:04 AM, Arie Vayner (avayner) wrote:

--
Chris Gotstein
Sr Network Engineer
UP Logon/Computer Connection UP
500 N Stephenson Ave
Iron Mountain, MI 49801
Phone: 906-774-4847
Fax: 906-774-0335
ch...@uplogon.com
Re: [c-nsp] VPLS with L3VPN access
Just for completeness, here is the link for the feature in the release notes:

http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRrn.html#wp3970796

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Arie Vayner (avayner)
Sent: Friday, April 30, 2010 12:12
To: Pshem Kowalczyk; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPLS with L3VPN access
Re: [c-nsp] ip directed-broadcast access-list
I had Wireshark running on my laptop during testing. It can be calculated from the number of PCs you're trying to wake up on that subnet and the number of attempts your management software will make to wake them up.

-saxon

On 30 April 2010 07:59, Michael Costello coste...@lafayette.edu wrote:
> on 04/29/2010 06:21 PM Saxon Jones said the following:
>> I've had no problems enabling this on Catalyst 6500 sup720-10G's running 12.2(33)SXH5 for the same purpose as you. We also use it on Catalyst 3750G's running 12.2(52)SE with equally good results. I've done no load testing of it, though, we just have our normal rush of WoL packets (generally 2 subnets per switch with 50-100 packets for each).
>
> Thanks! How did you get those numbers? Netflow?
Re: [c-nsp] ip directed-broadcast access-list
on 04/29/2010 06:21 PM Saxon Jones said the following:
> I've had no problems enabling this on Catalyst 6500 sup720-10G's running 12.2(33)SXH5 for the same purpose as you. We also use it on Catalyst 3750G's running 12.2(52)SE with equally good results. I've done no load testing of it, though, we just have our normal rush of WoL packets (generally 2 subnets per switch with 50-100 packets for each).

Thanks! How did you get those numbers? Netflow?
Re: [c-nsp] ouch 7204vxr reloaded
How far apart are these issues geographically?

Honestly it sounds like you are just having stuff break. It happens. I've had weeks like that where stuff that has run for years without issue starts to fail. None of the problems you are having have never been seen before. I've had a disk array controller with block errors. I've had an interface go whacked and routers restart. It happens.

On Thu, Apr 29, 2010 at 8:25 PM, Mike mike-cisconspl...@tiedyenetworks.com wrote:
> This is becoming a crisis. The logical problem solving procedure here is producing no leads or answers, I just have stuff that's beginning to die and experience 'never been seen before' malfunctions all across the network. From today, I have:
>
> An adtran ta5000 in a telco collocation space suddenly experienced the sudden restart of a single (adsl) card. No reason given.
>
> A customer router (soekris engineering SBC) had an ethernet port simply lock up and require a power cycle.
>
> A disk array controller in my noc suddenly threw up disk block errors.
>
> ALL of these have _nothing_ in common. No mains power, no network connections, nothing. They are further physically separated by substantial distance and administrative domains. So every day now I am experiencing these exceptional 'never in a lifetime' events. I am beginning to think there's something environmental happening that is having a wide area of effect, maybe like an exceptional electromagnetic or alpha particle storm of some kind? I can't possibly be the only one here.
>
> Mike-
>
> eNinja wrote:
>> Let's apply logic...
>>
>> 1 - What changed prior to the 'events'?
>> 2 - What's common to all the impacted devices experiencing the 'events'? Location, vendor, etc
>> 3 - Which other devices could be experiencing similar 'events' but aren't.
>>
>> Eninja
Re: [c-nsp] Nexus 5xxx VPC peer keepalives
----- Original Message -----
From: Church, Charles charles.chu...@harris.com
To: nsp-cisco cisco-nsp@puck.nether.net
Sent: Wednesday, April 28, 2010 12:35 PM
Subject: [c-nsp] Nexus 5xxx VPC peer keepalives

> Anyone,
>
> Coming up on a design issue with our upcoming first deployment of Nexus 5010s and 5020s in a new datacenter. It's recommended in the following doc to use the mgmt0 interface for peer keepalive messages:
>
> http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html#concept_47F7274E5FDA489884D0488BC491B066
>
> We're doing a true out of band management approach on this new network, so the mgmt0 interfaces all home back to an OOB switch/router (4507) which houses the NMS gear, etc. My concern is that a reload (or failure of some type) on this OOB switch could cause a 'dual active' situation on all the Nexus pairs of devices (6 pairs of 5010s, and the pair of 5020s that aggregate the 5010 pairs). I don't think I want that to happen. So the alternative seems to be a back to back non-VPC-peer link between the two devices using a VLAN interface, but I hate the idea of using a 10 gig port just for keepalives. There are what appear to be additional copper mgmt ports on the boxes, but they're covered up, and not in the CLI. Any way to utilize those? Any other possibilities I'm overlooking? Or am I stuck getting 1 gig copper SFPs and crossover cables for keepalives?
>
> Thanks,
> Chuck

There are specific rules and actions that are taken when specific failures occur and it's important to understand them. Also, if this is your first go at this, I would highly recommend testing the scenarios so you can get comfortable.

Part of the value in Nexus is the vPC. Unless you have a very specific reason that is broken by the vPC, get comfortable with it.

The dual active scenario isn't that bad. Oddly enough, I was testing a 350mbps multicast stream in a similar environment today. 2 5ks that were dual active - workstation on a single attached 2k. The keepalive link was down between those 5ks and had connection to network via peer link only. The 2nd 5k had only 1 uplink to 7k-1. The source of the multicast was on a 2k hanging off 7k-2 and a separate set of 5ks. All multicast packets were received and in order (reliable multicast testing with sequencing).

tv
Re: [c-nsp] ouch 7204vxr reloaded
Joseph Jackson wrote:
> How far apart are these issues geographically?
>
> Honestly it sounds like you are just having stuff break. It happens. I've had weeks like that where stuff that has run for years without issue starts to fail. None of the problems you are having have never been seen before. I've had a disk array controller with block errors. I've had an interface go whacked and routers restart. It happens.

Blocks apart and 30 miles or more. I've been running this network for the past 8 years and also have had 'stuff break', but never on the scale or frequency as what is happening now. The types of issues are simply unbelievable - a 7200 parity error, following a disk raid controller error, following peculiar ethernet interface errors on several devices resulting in lockups, following adsl cards in a telco facility restarting, following a 'burnt out' microwave point to point transceiver, following an access point locked up for 45 minutes that came back and never hiccuped again. It's all too unbelievable to me. This has all happened in the space of 4 days, there is something more than 'shit happens' at work here.

Mike-
Re: [c-nsp] ouch 7204vxr reloaded
We can't help unless you post some data or logs.

Richard Golodner
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Mike mike-cisconspl...@tiedyenetworks.com
Date: Fri, 30 Apr 2010 10:02:14
To: Joseph Jackson recou...@gmail.com
Cc: Cisco-nsp cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ouch 7204vxr reloaded
Re: [c-nsp] ouch 7204vxr reloaded
Where is 'here'? Where is this equipment located (geographically)?

You still need to research what changed in the locale, atmosphere, network, environment etc. prior to these events occurring.

Stay calm, the answer is out there ;-)

eninja

On Apr 30, 2010, at 3:25 AM, Mike mike-cisconspl...@tiedyenetworks.com wrote:
[c-nsp] Dropping tcp session due to Invalid Flags
All,

I've recently migrated my Cisco 2821 routers to 15.1T. It works well except for one thing. For some connections I get messages like this:

  Apr 29 13:29:57 10.0.143.254 11979: rtr02.tu: [sys...@9 s_sn=11979 s_id=rtr02.dc3:514 s_tc=3542767 s_dc=0]: 011979: Apr 29 14:29:56.363 MDT: %FW-6-DROP_PKT: Dropping tcp session 143.127.138.33:8085 143.127.138.34:179 on zone-pair zp-out-self class cls_permitbpg due to Invalid Flags with ip ident 0

In this 143.127.138.34 is my router and 143.127.138.33 an upstream router and BGP neighbor. In this particular case BGP is up, I should mention. I do see those messages for other connections, too, not related to BGP. I'm running ZBF. Here are the related parts of the config.

---
...
class-map type inspect match-all cls_permitbpg
 match access-group name acl_permitbgp
...
policy-map type inspect pol-permit
 class type inspect cls_encrypt
  pass log
 class type inspect cls_permittoself
  inspect
 class type inspect cls_permitbpg
  inspect
 class type inspect cls_denytoself
  pass log
 class class-default
  drop log
...
zone-pair security zp-out-self source out-zone destination self
 service-policy type inspect pol-permit
...
ip access-list extended acl_permitbgp
 permit tcp host 143.127.138.33 eq bgp host 143.127.138.34
 permit tcp host 143.127.138.33 host 143.127.138.34 eq bgp
---

Note about this config: I don't see matches against the first rule (odd in case of BGP), I do see matches against the second rule and those packets are logged as being dropped (odd!). BGP is up (according to 'show ip bgp'). I have another example with a different set of ports.

Any help is appreciated! Thank you!

--
Ivan Poddubnyy
Sr. Systems Administrator
Symantec Corporation / EHG
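A small triage script for the %FW-6-DROP_PKT messages above, added here as an example (not code from the post): it parses each drop into its 5-tuple, zone-pair, class and reason, counts drops per (zone-pair, class, reason) so the BGP-class "Invalid Flags" drops can be separated from everything else, and evaluates a dropped 5-tuple against the two ACEs of acl_permitbgp, showing why the logged 143.127.138.33:8085 -> 143.127.138.34:179 packet can only match the second entry. The first sample line is the one quoted in the post; the other two are constructed.

```python
"""Triage of IOS Zone-Based Firewall %FW-6-DROP_PKT syslog lines.

Added example, not from the original post: drop-message parser, per-reason
counter, and an ACE matcher for the acl_permitbgp entries from the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+)"
)


@dataclass(frozen=True)
class Drop:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    cls: str
    reason: str
    ident: int


def parse_drop(line):
    """Return a Drop for a %FW-6-DROP_PKT line, or None for any other syslog line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Drop(g["proto"], g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                g["zone_pair"], g["cls"], g["reason"], int(g["ident"]))


def summarize(lines):
    """Count drops by (zone-pair, class, reason); non-drop lines are skipped."""
    counts = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is not None:
            counts[(d.zone_pair, d.cls, d.reason)] += 1
    return counts


# acl_permitbgp from the thread as (src, src_port, dst, dst_port); None means any port.
# In "permit tcp host A eq bgp host B" the port operator follows the source address,
# so it constrains the *source* port; the second ACE constrains the destination port.
ACL_PERMITBGP = [
    ("143.127.138.33", 179, "143.127.138.34", None),
    ("143.127.138.33", None, "143.127.138.34", 179),
]


def matching_aces(drop, acl=ACL_PERMITBGP):
    """1-based indexes of the ACEs a dropped TCP 5-tuple would match."""
    hits = []
    for idx, (src, sport, dst, dport) in enumerate(acl, start=1):
        if (drop.proto == "tcp" and drop.src == src and drop.dst == dst
                and sport in (None, drop.sport) and dport in (None, drop.dport)):
            hits.append(idx)
    return hits


SAMPLE_LOG = [
    # quoted in the thread
    "Apr 29 13:29:57 10.0.143.254 11979: rtr02.tu: [sys...@9 s_sn=11979 s_id=rtr02.dc3:514 "
    "s_tc=3542767 s_dc=0]: 011979: Apr 29 14:29:56.363 MDT: %FW-6-DROP_PKT: Dropping tcp "
    "session 143.127.138.33:8085 143.127.138.34:179 on zone-pair zp-out-self class "
    "cls_permitbpg due to Invalid Flags with ip ident 0",
    # constructed: same peers, but here the neighbor's side is the one on port 179
    "Apr 29 14:31:02.004 MDT: %FW-6-DROP_PKT: Dropping tcp session 143.127.138.33:179 "
    "143.127.138.34:52001 on zone-pair zp-out-self class cls_permitbpg due to Invalid Flags "
    "with ip ident 0",
    # constructed: unrelated message the parser must ignore
    "Apr 29 14:32:10.500 MDT: %SYS-5-CONFIG_I: Configured from console by vty0",
]
```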
Re: [c-nsp] ASA NAT problem
----- Original Message -----
From: Eric Magutu emag...@gmail.com
To: cisco-nsp@puck.nether.net; Cisco certification ci...@groupstudy.com
Sent: Thursday, April 29, 2010 11:45 PM
Subject: [c-nsp] ASA NAT problem

Actually, it sounds like the problem is that you don't have multiple DNS servers and/or split dns. You shouldn't be able to access the public IP from inside. If you are inside, that's what you access.

tv
Re: [c-nsp] ouch 7204vxr reloaded
FWIW - I ran into something like this on a couple of sites next to a Navy base many years ago. The issues coincided with tests of the ship-board long-range radar. The only way we could tell is by being on site and watching as the dish swept and following it was the path of devastation...

My point - there may be a commonality that is not obvious. Look for something that could generate a sizable EM field in someplace near the centre of the issues. Could be a lot of different things, don't rule out even the slightly outlandish.

Good luck
Brian

On 10-04-30 10:02 AM, Mike mike-cisconspl...@tiedyenetworks.com wrote:
[c-nsp] nexus 5xx vpc peer keepalives
Tony,

Read this as well (it talks about NOT using the mgmt0 for peer keepalives) - we are trying this too:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html

After figure 6, step 3 there is this text:

  Note: VLAN 900 must not be trunked across the vPC peer-link because it carries the vPC peer-keepalive messages. There must be an alternative path between switches NX-5000-1 and NX-5000-2 for the vPC peer-keepalive messages.

The problem we are encountering is that if we drop the peer VLAN from the 5k to 5k link then we get weird errors as well.

I will STRONGLY suggest that you test any possible failure scenario that you can think of. Are you using the 5Ks/FEXs in dual homed fashion? I have an open case with Cisco on the use of

> Message: 7
> Date: Fri, 30 Apr 2010 10:45:52 -0500
> From: Tony Varriale tvarri...@comcast.net
> To: nsp-cisco cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Nexus 5xxx VPC peer keepalives
> Message-ID: 25315f3d0266408e937bfbd541923...@flamdt01
> Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original
>
> ----- Original Message -----
> From: Church, Charles charles.chu...@harris.com
> To: nsp-cisco cisco-nsp@puck.nether.net
> Sent: Wednesday, April 28, 2010 12:35 PM
> Subject: [c-nsp] Nexus 5xxx VPC peer keepalives
>
>> Anyone,
>>
>> Coming up on a design issue with our upcoming first deployment of Nexus 5010s and 5020s in a new datacenter. It's recommended in the following doc to use the mgmt0 interface for peer keepalive messages:
>> http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html#concept_47F7274E5FDA489884D0488BC491B066
>>
>> We're doing a true out of band management approach on this new network, so the mgmt0 interfaces all home back to an OOB switch/router (4507) which houses the NMS gear, etc.
>>
>> My concern is that a reload (or failure of some type) on this OOB switch could cause a 'dual active' situation on all the Nexus pairs of devices (6 pairs of 5010s, and the pair of 5020s that aggregate the 5010 pairs). I don't think I want that to happen. So the alternative seems to be a back to back non-VPC-peer link between the two devices using a VLAN interface, but I hate the idea of using a 10 gig port just for keepalives. There appear to be additional copper mgmt ports on the boxes, but they're covered up and not in the CLI. Any way to utilize those? Any other possibilities I'm overlooking? Or am I stuck getting 1 gig copper SFPs and crossover cables for keepalives?
>>
>> Thanks,
>> Chuck
>
> There are specific rules and actions that are taken when specific failures occur, and it's important to understand them. Also, if this is your first go at this, I would highly recommend testing the scenarios so you can get comfortable.
>
> Part of the value in Nexus is the vPC. Unless you have a very specific reason that is broken by the vPC, get comfortable with it.
>
> The dual active scenario isn't that bad. Oddly enough, I was testing a 350mbps multicast stream in a similar environment today. 2 5ks that were dual active - workstation on a single attached 2k. The keepalive link was down between those 5ks and they had connection to the network via peer link only. The 2nd 5k had only 1 uplink to 7k-1. The source of the multicast was on a 2k hanging off 7k-2 and a separate set of 5ks. All multicast packets were received and in order (reliable multicast testing with sequencing).
>
> tv
Re: [c-nsp] nexus 5xx vpc peer keepalives
Scott,

> -----Original Message-----
> Sent: Friday, April 30, 2010 6:36 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] nexus 5xx vpc peer keepalives
>
> Tony,
>
> Read this as well (it talks about NOT using the mgmt0 for peer keepalives) - we are trying this too:
> http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html
>
> After figure 6, step 3 there is this text:
>
>   Note: VLAN 900 must not be trunked across the vPC peer-link because it carries the vPC peer-keepalive messages. There must be an alternative path between switches NX-5000-1 and NX-5000-2 for the vPC peer-keepalive messages.
>
> The problem we are encountering is that if we drop the peer VLAN from the 5k to 5k link then we get weird errors as well.

I have mine configured on the management VRF and haven't run into any issues; I believe that is the recommended configuration. Check out the design guides as well: if you aren't using mgmt0, Cisco suggests using an SVI and a separate port.

Are you using a vPC to handle the peer-keepalive traffic? I would imagine that's where the issue is stemming from if you are.

This is the document I was looking for on the original thread, but it applies to your scenario as well. I thought I had remembered it saying that back to back is okay for testing, but should not be used for production. Look for vPC config best practices:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572829-01_Design_N5K_N2K_vPC_DG.pdf

HTH,
-ryan
Re: [c-nsp] nexus 5xx vpc peer keepalives
----- Original Message -----
From: scott owens scottowen...@gmail.com
To: cisco-nsp@puck.nether.net
Sent: Friday, April 30, 2010 5:35 PM
Subject: [c-nsp] nexus 5xx vpc peer keepalives

> Tony,
>
> Read this as well (it talks about NOT using the mgmt0 for peer keepalives) - we are trying this too:
> http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html
>
> After figure 6, step 3 there is this text:
>
>   Note: VLAN 900 must not be trunked across the vPC peer-link because it carries the vPC peer-keepalive messages. There must be an alternative path between switches NX-5000-1 and NX-5000-2 for the vPC peer-keepalive messages.
>
> The problem we are encountering is that if we drop the peer VLAN from the 5k to 5k link then we get weird errors as well.
>
> I will STRONGLY suggest that you test any possible failure scenario that you can think of. Are you using the 5Ks/FEXs in dual homed fashion? I have an open case with Cisco on the use of

It's possible you may have read this incorrectly? The keepalive link should never be in the same VRF as your default VRF. Therefore, it should never be going across your peer link.

Also, the linked document talks about using mgmt0:

  We recommend that you configure the vPC peer-keepalive link on the Cisco Nexus 5000 Series switch to run in the management VRF using the mgmt 0 interfaces. If you configure the default VRF, ensure that the vPC peer link is not used to carry the vPC peer-keepalive messages.

Try not to over complicate this. It's really simple actually... and it works well.

tv
Re: [c-nsp] nexus 5xx vpc peer keepalives
----- Original Message -----
From: scott owens scottowen...@gmail.com
To: cisco-nsp@puck.nether.net
Sent: Friday, April 30, 2010 5:35 PM
Subject: [c-nsp] nexus 5xx vpc peer keepalives

> Tony,
>
> Read this as well (it talks about NOT using the mgmt0 for peer keepalives) - we are trying this too:
> http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html
>
> After figure 6, step 3 there is this text:
>
>   Note: VLAN 900 must not be trunked across the vPC peer-link because it carries the vPC peer-keepalive messages. There must be an alternative path between switches NX-5000-1 and NX-5000-2 for the vPC peer-keepalive messages.
>
> The problem we are encountering is that if we drop the peer VLAN from the 5k to 5k link then we get weird errors as well.
>
> I will STRONGLY suggest that you test any possible failure scenario that you can think of. Are you using the 5Ks/FEXs in dual homed fashion? I have an open case with Cisco on the use of

I didn't respond to all of your questions/comments.

We never put the keepalive VLAN across the peer link. It's always in its own VRF, in whatever fashion/implementation, on the 5k and 7k. If you have an OOB network that requires the 5k mgmt0 ports to be used there, burn one of 1-8 on a 5010 or one of 1-16 on a 5020 as a gig port and do another VRF specially for the peer link. Done.

Yes, most of our customers are dual connected. We've done a lot of testing. But, we have not done what you have. It's not the recommended practice, it's not the correct design and no one around Cisco supports it. So, we don't implement that way.

I know the docs (all 1 of them) may seem confusing and contradictory. But, if you follow the above you shouldn't have any issues.

tv