[c-nsp] CRC fixing
hi, heavy CRC error generating on serial link, anyone can tell me reason ?? solution ??

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] show interface summary cisco
show interface summary cisco need description
Re: [c-nsp] CRC fixing
On 7/8/10 11:57 PM, vijay gore wrote:
> hi, heavy CRC error generating on serial link, anyone can tell me reason ?? solution ??

Most likely physical layer issues. Wet copper cable pairs (T-1), dirty fiber (optical), etc.

Can you be more specific as to the nature of the link such as speed, internal cable or purchased WAN link from a carrier, etc.? You'll likely have to take it out of service and run loopback tests to isolate and repair the problem.

If this is a new circuit turn-up it could be a configuration issue such as framing, linecode, clocking, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] CRC fixing
2 options, Faulty serial port or issue with the link (have the provider check it)

You see the crc's on both sides? - more likely link issue

First check is ask the provider to loop the link facing your equipment and see if you still have the errors

cisco-nsp-boun...@puck.nether.net wrote on 09/07/2010 08:57:
> hi, heavy CRC error generating on serial link, anyone can tell me reason ?? solution ??
Re: [c-nsp] RFC 4797 Support?
You can do mpls on a gre tunnel, just configure the tunnel interface for mpls and watch out for mtu issues...

And remember, that command ip tcp adjust-mss doesn't work on labeled packets :( So, you have to put it on only-IP-in/out interfaces, not on interfaces enabled for mpls.
Re: [c-nsp] show interface summary cisco
See http://lmgtfy.com/?q=show+interface+summary+cisco

cisco-nsp-boun...@puck.nether.net wrote on 09/07/2010 08:59:
> show interface summary cisco need description
Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs
QinQ config from one of our ME3400:

Cisco IOS Software, ME340x Software (ME340x-METROIPACCESSK9-M), Version 12.2(53)SE, RELEASE SOFTWARE (fc2)

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    ME-3400-24TS-A     12.2(53)SE            ME340x-METROIPACCESSK9-M

interface FastEthernet0/20
 port-type nni
 switchport access vlan 100
 switchport mode dot1q-tunnel
 no cdp enable

sh system mtu
System MTU size is 1900 bytes
System Jumbo MTU size is 2000 bytes

Jon Harald Bøvre

From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] on behalf of Frank Bulk - iName.com [frnk...@iname.com]
Sent: 9 July 2010 05:09
To: sth...@nethelp.no
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs

Thanks for explaining the semantical differences. What I'm looking to do is the termination -- wouldn't the ME3400 do the trick?

Frank

-----Original Message-----
From: sth...@nethelp.no [mailto:sth...@nethelp.no]
Sent: Thursday, July 08, 2010 3:56 AM
To: frnk...@iname.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs

> What is the cheapest Cisco desktop switch that supports Q-in-Q? Is it the ME-3400G-2CS-A? We prefer the encapsulation dot1q x second-dot1q y approach.

Your last sentence doesn't make sense here. Q-in-Q generally refers to *tunneling* one VLAN trunk through an L2 network by adding an extra VLAN tag in front of the existing VLAN tag. encapsulation dot1q x second-dot1q y is used to *terminate* a dual tagged VLAN connection (typically an IP termination). This is very different from *tunneling*.

So - do you want tunneling or termination? I don't believe there are any Cisco desktop switches which can IP terminate a dual tagged VLAN connection. There are, of course, plenty of desktop switches which will do 802.1Q tunneling.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs
> Thanks for explaining the semantical differences. What I'm looking to do is the termination -- wouldn't the ME3400 do the trick?

No, the ME3400 cannot terminate dual tagged VLANs (encapsulation dot1q x second-dot1q y).

Steinar Haug, Nethelp consulting, sth...@nethelp.no
[c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
Well, first of all sorry if this email is considered an off-topic subject. On the other hand I can't see a better place to talk about this.

I use ubuntu 10.04 64bits, firefox 3.6.6 and java 6.20. I enter at tools.cisco.com to manage the SRs and when I entered in one of them the firefox launches java because the Cisco guys configured something in the background to work with java (upload file form as an example).

Issues with this...

- CPU goes up -and also the temp of the laptop :-/- because the java makes firefox to demand a lot of CPU. I took note about it because with just one tab getting access to tools.cisco.com I got that behaviour, the rest of the webpages I use to use don't have this behaviour in my laptop.
- Quickjava add-on for firefox doesn't work in my laptop so I don't know how to avoid to load java in that website
- Noscript add-on for firefox gives me more problems than solutions

Solution/Workaround:

- Kill firefox process and start again, losing all the tabs and sometimes sessions... :-/ Horrible experience.
- Use Opera, so far it is working ok.

So, my questions to share here...

Is there anyone here having the same problems? or at least similar?
Is there anyone here from Cisco who could forward this to the proper persons as feedback?
Is there any way to avoid java in the site tools.cisco.com to avoid my firefox to become unstable?

P.S.: I have issues with JAVA and Webex too x- but I think it is because java here is 64bits and it is not webex friendly. Anyway I use a VM to avoid problems.
[c-nsp] pvlan (Private Vlan) setup question
So I have two 3750 (no stackwise) that uplink to a 6509. I have setup pvlans on both 3750's and they are working as expected. I cannot ping servers on the same 3750 switch. But of course if the servers try to communicate with another server on the OTHER 3750 switch, the ping is successful (traveling via the uplink to distribution).

I know that pvlans only work local to the switch it is configured on. So I need a way to block that 3750-to-3750 communication on the distribution layer. My distribution switch is a 6509 (sup720). I was hoping to see if I could use 'switchport protected' as a quick one liner so that each downlink to the 3750's would not be able to communicate. But that is only on the 3550, I think.

Any ideas?

3750 config:

!
vlan 666
 name isolated-vlan
 private-vlan isolated
!
vlan 810
 name promiscous-vlan
 private-vlan primary
 private-vlan association 666
!
interface GigabitEthernet2/0/30
 description xxx
 switchport private-vlan host-association 810 666
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet2/0/31
 description xxx
 switchport private-vlan host-association 810 666
 switchport mode private-vlan host
 spanning-tree portfast
!
interface TenGigabitEthernet2/0/1
 description Uplink to 6509
 switchport private-vlan mapping 810 666
 switchport mode private-vlan promiscuous
 speed nonegotiate
 spanning-tree guard loop

Now if I use pvlans on the 6509, those downlinks would have to be promiscuous ports I think. And that probably would achieve the 3750-3750 blocking that I want.

Any thoughts?

p.s. I would rather not use VACL's as that could get administratively tiring.
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
On 09/07/10 12:39, LM wrote:
> Well, first of all sorry if this email is considered an off-topic subject. On the other hand I can't see a better place to talk about this.
>
> I use ubuntu 10.04 64bits, firefox 3.6.6 and java 6.20. I enter at tools.cisco.com to manage the SRs and when I entered in one of them the firefox launches java because the Cisco guys configured something in the background to work with java (upload file form as an example).
>
> So, my questions to share here...
>
> Is there anyone here having the same problems? or at least similar?

Yes, I get exactly the same thing.

Java: write once, crash anywhere

I've given up on Cisco's website, and will be telling them that when we move our business to another vendor.
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
Don't feel lonesome, every advance in their website technology is a deterrent to getting anything done. They can stick all the flashy videos they like in the sales pages, but please downgrade all the support pages to HTML 1.0 :-) or Gopher... or FTP...

Jeff :-)
Re: [c-nsp] pvlan (Private Vlan) setup question
Had the same problem a few years ago. Was solved using a separate vlan for each switch (we had 3500XL CPE)
Scale to a few hundred CPE switches
Support for ip unnumbered from SXF

6500

Int vl 100
 Ip add 10.10.10.1 255.255.255.0

Int vlan 200
 Desc CPE switch 1
 Ip unnumbered vlan 100
 Ip local proxy-arp (ip proxy-arp local??)

Int vlan 201
 Desc CPE switch 2
 Ip unnumbered vlan 100
 Ip local proxy-arp (ip proxy-arp local??)

3750

Use ordinary private vlan config, using separate vlan on each switch

Jon Harald Bøvre

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On behalf of Erik Witkop
Sent: 9 July 2010 14:35
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] pvlan (Private Vlan) setup question

> So I have two 3750 (no stackwise) that uplink to a 6509. I have setup pvlans on both 3750's and they are working as expected. I cannot ping servers on the same 3750 switch. But of course if the servers try to communicate with another server on the OTHER 3750 switch, the ping is successful (traveling via the uplink to distribution).
>
> I know that pvlans only work local to the switch it is configured on. So I need a way to block that 3750-to-3750 communication on the distribution layer. My distribution switch is a 6509 (sup720). I was hoping to see if I could use 'switchport protected' as a quick one liner so that each downlink to the 3750's would not be able to communicate. But that is only on the 3550, I think.
>
> Any ideas?
>
> 3750 config:
>
> !
> vlan 666
>  name isolated-vlan
>  private-vlan isolated
> !
> vlan 810
>  name promiscous-vlan
>  private-vlan primary
>  private-vlan association 666
> !
> interface GigabitEthernet2/0/30
>  description xxx
>  switchport private-vlan host-association 810 666
>  switchport mode private-vlan host
>  spanning-tree portfast
> !
> interface GigabitEthernet2/0/31
>  description xxx
>  switchport private-vlan host-association 810 666
>  switchport mode private-vlan host
>  spanning-tree portfast
> !
> interface TenGigabitEthernet2/0/1
>  description Uplink to 6509
>  switchport private-vlan mapping 810 666
>  switchport mode private-vlan promiscuous
>  speed nonegotiate
>  spanning-tree guard loop
>
> Now if I use pvlans on the 6509, those downlinks would have to be promiscuous ports I think. And that probably would achieve the 3750-3750 blocking that I want.
>
> Any thoughts?
>
> p.s. I would rather not use VACL's as that could get administratively tiring.
Re: [c-nsp] pvlan (Private Vlan) setup question
pvlans do not work only local. just configure the uplink to 6509 as regular trunk, and allow 810,666. And you should configure the vlans on 6509 as private also (as you configure them on 3750)

John

On Fri, 9 Jul 2010, Erik Witkop wrote:
> So I have two 3750 (no stackwise) that uplink to a 6509. I have setup pvlans on both 3750's and they are working as expected. I cannot ping servers on the same 3750 switch. But of course if the servers try to communicate with another server on the OTHER 3750 switch, the ping is successful (traveling via the uplink to distribution).
>
> I know that pvlans only work local to the switch it is configured on.
Re: [c-nsp] pvlan (Private Vlan) setup question
Thanks John. That seems viable. My only concern is if I have more and more customers coming into distribution, the config could get hairy.

I was hoping I could make a different isolated vlan on the second 3750 switch. And then I was hoping that a ping from isolated vlan to isolated vlan from switch to switch would fail. But I was wrong, it is somehow pinging even after I changed the isolated vlan on the second 3750 from 666 to 667.

Am I wrong in thinking that it should not ping?
Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs
So it sounds like if an end-customer wants an *untagged* port off of an SP switch that there aren't any/many options to deliver double-tagged traffic to that SP switch. Sounds like we can have double-tagged traffic between the core and distribution, but when we bring it to the edge we need to strip off the outer tag.

core
  |   (double tagged)
distribution
  |   (single tagged)
edge  (SP switch at customer premise)
  |   (untagged)
customer

-----Original Message-----
From: sth...@nethelp.no [mailto:sth...@nethelp.no]
Sent: Friday, July 09, 2010 3:45 AM
To: frnk...@iname.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs

> Thanks for explaining the semantical differences. What I'm looking to do is the termination -- wouldn't the ME3400 do the trick?

No, the ME3400 cannot terminate dual tagged VLANs (encapsulation dot1q x second-dot1q y).

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] pvlan (Private Vlan) setup question
> Thanks John. That seems viable. My only concern is if I have more and more customers coming into distribution, the config could get hairy.
>
> I was hoping I could make a different isolated vlan on the second 3750 switch. And then I was hoping that a ping from isolated vlan to isolated vlan from switch to switch would fail. But I was wrong, it is somehow pinging even after I changed the isolated vlan on the second 3750 from 666 to 667.
>
> Am I wrong in thinking that it should not ping?

I'm a bit confused. Normally, if you have a private vlan (a primary vlan and an isolated one) that spans multiple switches, you should not be able to ping from switch to switch. In your configuration, you had configured the uplink ports as promiscuous, instead of regular trunk, that's why you could ping each other.

In the case where your edge switch does not support private vlans (eg 3550 29xxXL etc), I think that you could use a feature on 4500 switches called private vlan trunk (haven't tested it). Another option is to configure a separate vlan for each edge switch, configure the ports on the edge switch as switchport protected, and then use cables on the 65xx to connect the edge VLAN to private-isolated ports on the same 65xx (kind of ugly, but it works), or use the trick that Jon Harald Bøvre suggested.

Regards,
John
Re: [c-nsp] pvlan (Private Vlan) setup question
On Fri, Jul 9, 2010 at 8:29 AM, Erik Witkop ewit...@gmail.com wrote:
> Thanks John. That seems viable. My only concern is if I have more and more customers coming into distribution, the config could get hairy.
>
> I was hoping I could make a different isolated vlan on the second 3750 switch. And then I was hoping that a ping from isolated vlan to isolated vlan from switch to switch would fail. But I was wrong, it is somehow pinging even after I changed the isolated vlan on the second 3750 from 666 to 667.
>
> Am I wrong is thinking that it should not ping?

If you don't tag between the distribution and access layer, you can pass pvlans around (as the only VLAN on the cable) but you have to do it non-redundantly. On the other hand, if you tag between the access and distribution layer, you can carry the pvlan (and other VLANs) on the same cable and include redundant uplinks.

Sample:

distribution2:

vlan 101
 name backups-primary
 private-vlan primary
 private-vlan association 102
!
vlan 102
 name backups-isolated
 private-vlan isolated
!
interface GigabitEthernet1/1
 description distribution1
 switchport
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/2
 description access1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102

distribution1:

vlan 101
 name backups-primary
 private-vlan primary
 private-vlan association 102
!
vlan 102
 name backups-isolated
 private-vlan isolated
!
interface GigabitEthernet1/1
 description distribution2
 switchport
 switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/2
 description access1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102

access1:

vlan 101
 name backups-primary
 private-vlan primary
 private-vlan association 102
!
vlan 102
 name backups-isolated
 private-vlan isolated
!
interface GigabitEthernet1/1
 description distribution1 uplink
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102
!
interface GigabitEthernet1/2
 description distribution2 uplink
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,102
!
interface GigabitEthernet1/3
 description server1
 switchport
 switchport private-vlan host-association 101 102
 switchport mode private-vlan host
 no ip address
 spanning-tree portfast

With this configuration, you can connect any number of access switches to your distribution switches and the pvlan you have created will properly enforce communication rules between host or promiscuous ports connected to any switch within the network.

I use this heavily for providing secure backups to thousands of servers throughout my datacenters. Servers can connect their backups NIC to any port on any switch and we simply set the pvlan on that port. The server will then only be able to communicate with the promiscuous ports (which also can be located anywhere within the network). Typically a network consists of ~20 access switches plus 2 distribution switches.
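
Added example (not part of the original posts): a small Python model of the forwarding rules discussed in the two replies above, showing why promiscuous uplinks let isolated hosts on different 3750s reach each other while tagged trunk uplinks do not. VLANs 810/666 and the access-switch interface names come from the thread; the switch names, distribution port names, host names, the router on a promiscuous port, and the plain access-port downlinks in the first design are assumptions.

```python
"""Toy model of private-VLAN forwarding: two access switches, one distribution.

VLANs 810 (primary) and 666 (isolated) and the access-switch interface names
are taken from the thread. Switch names, distribution port names, hosts and
the router on a promiscuous port are constructed for this example.
"""

PRIMARY, ISOLATED = 810, 666


def ingress_vlan(mode, tag):
    """VLAN a frame is classified into when it enters a port of this mode."""
    if mode == "host":
        return ISOLATED   # isolated host port: frame joins the secondary VLAN
    if mode in ("promiscuous", "access"):
        return PRIMARY    # untagged port: any secondary-VLAN identity is lost
    if mode == "trunk":
        return tag        # 802.1Q tag (810 or 666) survives the hop
    raise ValueError(f"unknown port mode: {mode}")


def may_egress(vlan, mode):
    """Isolated-VLAN frames may leave on anything except a host port."""
    return vlan == PRIMARY or mode != "host"


def build(uplink_mode, downlink_mode):
    """Topology: acc1 and acc2 hang off dist; a router sits on dist."""
    def access_switch(hosts, dist_port):
        ports = {f"Gi2/0/{30 + i}": ("host", ("host", h))
                 for i, h in enumerate(hosts)}
        ports["Te2/0/1"] = (uplink_mode, ("switch", "dist", dist_port))
        return ports

    return {
        "acc1": access_switch(["srvA", "srvA2"], "to-acc1"),
        "acc2": access_switch(["srvB"], "to-acc2"),
        "dist": {
            "to-acc1": (downlink_mode, ("switch", "acc1", "Te2/0/1")),
            "to-acc2": (downlink_mode, ("switch", "acc2", "Te2/0/1")),
            "to-router": ("promiscuous", ("host", "router")),
        },
    }


def reachable(topo, src):
    """Hosts that receive a flooded frame sent by host `src`."""
    start = next((sw, port) for sw, ports in topo.items()
                 for port, (_, link) in ports.items() if link == ("host", src))
    reached, work = set(), [(*start, None)]   # (switch, ingress port, tag)
    while work:
        sw, in_port, tag = work.pop()
        vlan = ingress_vlan(topo[sw][in_port][0], tag)
        for out_port, (mode, link) in topo[sw].items():
            if out_port == in_port or not may_egress(vlan, mode):
                continue
            if link[0] == "host":
                reached.add(link[1])
            else:
                _, peer, peer_port = link
                # Only a trunk carries the VLAN tag to the next switch.
                work.append((peer, peer_port, vlan if mode == "trunk" else None))
    return reached


# Design 1 (original 3750 config): promiscuous uplinks; the 6509 downlinks are
# assumed to be plain access ports in one VLAN.
PROMISC_UPLINKS = build("promiscuous", "access")
# Design 2 (advice in the replies): 802.1Q trunks, PVLANs defined everywhere.
TRUNK_UPLINKS = build("trunk", "trunk")

if __name__ == "__main__":
    for name, topo in (("promiscuous uplinks", PROMISC_UPLINKS),
                       ("trunk uplinks", TRUNK_UPLINKS)):
        for src in ("srvA", "router"):
            print(f"{name:20} {src:6} -> {sorted(reachable(topo, src))}")
```

In both designs srvA cannot reach srvA2 on the same switch; only the trunk design also keeps it away from srvB, because the 666 tag is what tells the far switch the frame came from an isolated port.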
Re: [c-nsp] pvlan (Private Vlan) setup question
Ok, that makes sense. Thanks John. I will setup the trunks and give it a whirl. Thanks for taking the time to help!
Re: [c-nsp] pvlan (Private Vlan) setup question
Wow, thanks Matt. This is great.
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
At least on MacOS it asks if I want to give the applet access to the computer and I say NO.

You might want to try firefox 4.0b1 and see if it is better.

Jared Mauch

On Jul 9, 2010, at 8:59 AM, Jeff Kell jeff-k...@utc.edu wrote:
> Don't feel lonesome, every advance in their website technology is a deterrent to getting anything done. They can stick all the flashy videos they like in the sales pages, but please downgrade all the support pages to HTML 1.0 :-) or Gopher... or FTP...
>
> Jeff :-)
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
On 09/07/10 16:11, Jared Mauch wrote:
> At least on MacOS it asks if I want to give the applet access to the computer and I say NO.

When I do that, it seems to spin in a loop, then again prompts me. Grumble.
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
On Jul 9, 2010, at 11:13 AM, Phil Mayers wrote:
> On 09/07/10 16:11, Jared Mauch wrote:
>> At least on MacOS it asks if I want to give the applet access to the computer and I say NO.
>
> When I do that, it seems to spin in a loop, then again prompts me. Grumble.

I have to say no 3X then it finally goes away. The other solution would be just turning off java.

- Jared
[c-nsp] PFC for iSCSI on Nexus
Hello,

Based on what I've read PFC (Priority Flow Control) just does a pause type functionality on a more granular level, per CoS instead of a per link. I was wondering if you could configure PFC policy for iSCSI on the Cisco Nexus 5000s or is that only hard written for only FCoE? Not sure how that would work with the TCP transmit queues but should create a lossless functionality for iSCSI.

Anyone has a Nexus 5000 and played around with the PFC configuration?

Thanks
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
Nice to see that I am not alone with problems at cisco.com.

I can't understand how is possible to make so ticket website so bad.

On 09/07/10 14:47, Phil Mayers wrote:
> On 09/07/10 12:39, LM wrote:
>> Well, first of all sorry if this email is considered an off-topic subject. On the other hand I can't see a better place to talk about this.
>>
>> I use ubuntu 10.04 64bits, firefox 3.6.6 and java 6.20. I enter at tools.cisco.com to manage the SRs and when I entered in one of them the firefox launches java because the Cisco guys configured something in the background to work with java (upload file form as an example).
>>
>> So, my questions to share here...
>>
>> Is there anyone here having the same problems? or at least similar?
>
> Yes, I get exactly the same thing.
>
> Java: write once, crash anywhere
>
> I've given up on Cisco's website, and will be telling them that when we move our business to another vendor.
[c-nsp] VPN/VRF/NAT problem
I've got a VPN setup something like:

Remote site --- Third Party Network --- Cisco 2811 --- Internet
     |                                    |    |
     |---------------- VPN ---------------|  VRF X   |
                                               ^
                                           10.x.y.z  NAT to a.b.c.d

The remote site is accessing a private network on the 2811 in VRF X. It's doing so using an IPSEC tunnel across the Internet via an untrusted third party network. All IP traffic leaving the remote site is pushed through the IPSEC tunnel and emerges in VRF X.

Everything works as expected, except... Traffic egressing VRF X onto the Internet is not getting NATed. It's emerging with a 10.x.y.z address. We have other links in this VRF delivered via VPDN which do not have this problem. Their traffic is NATed correctly.

The external interface on the 2811 is configured with 'ip nat outside'. The VPDN interfaces have 'ip nat inside'. I suspect the issue is arising as the traffic emerging from the VPN tunnel is not being considered for NAT. I'm NATing with:

ip nat pool cust-X a.b.c.d a.b.c.d netmask 255.255.255.128
ip nat inside source list cust-X pool cust-X mapping-id 10 vrf X overload

Am I missing something? Is there some way for me to tell the 2811 that traffic coming out of the tunnel is on the inside? (might match-in-vrf help?)

Thanks in advance,

-Ronan
Re: [c-nsp] VPN/VRF/NAT problem
Not completely sure I am clear on the config you are using but if the vpn tunnel is a crypto-map on a physical interface then that interface needs to be ip nat inside or if doing GREoIPSEC then the GRE tunnel interface needs to be ip nat inside. NAT will only consider packets for translation if they cross both a nat inside and outside interface.

-Ben

On Jul 9, 2010, at 12:39 PM, Ronan Mullally wrote:
> I've got a VPN setup something like:
>
> Remote site --- Third Party Network --- Cisco 2811 --- Internet
>      |                                    |    |
>      |---------------- VPN ---------------|  VRF X   |
>                                                ^
>                                            10.x.y.z  NAT to a.b.c.d
>
> The remote site is accessing a private network on the 2811 in VRF X. It's doing so using an IPSEC tunnel across the Internet via an untrusted third party network. All IP traffic leaving the remote site is pushed through the IPSEC tunnel and emerges in VRF X.
>
> Everything works as expected, except... Traffic egressing VRF X onto the Internet is not getting NATed. It's emerging with a 10.x.y.z address. We have other links in this VRF delivered via VPDN which do not have this problem. Their traffic is NATed correctly.
>
> The external interface on the 2811 is configured with 'ip nat outside'. The VPDN interfaces have 'ip nat inside'. I suspect the issue is arising as the traffic emerging from the VPN tunnel is not being considered for NAT. I'm NATing with:
>
> ip nat pool cust-X a.b.c.d a.b.c.d netmask 255.255.255.128
> ip nat inside source list cust-X pool cust-X mapping-id 10 vrf X overload
>
> Am I missing something? Is there some way for me to tell the 2811 that traffic coming out of the tunnel is on the inside? (might match-in-vrf help?)
>
> Thanks in advance,
>
> -Ronan
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
Hi,

On Fri, Jul 09, 2010 at 07:13:08PM +0200, LM wrote:
> I can't understand how is possible to make so ticket website so bad.

Year-long dedication. It's not like you can build such a high-quality web site over night.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
On 7/9/2010 3:58 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Jul 09, 2010 at 07:13:08PM +0200, LM wrote:
>> I can't understand how is possible to make so ticket website so bad.
>
> Year-long dedication. It's not like you can build such a high-quality web site over night.

And new bells, whistles, and must-have gadgets, widgets, and plugins appear everyday, or get javascript-enabled overnight, or whatever...

Jeff
[c-nsp] Zone Based Firewall default-class
I have a strange problem with ZBFW or I am just missing something obvious.

3845 running 12.4(24)T advipservices

I am trying to apply a firewall rule between two entities. Since I am not 100% sure what all traffic is passing through the two, I wanted to write rules for what I know and pass anything I don't know but log it so I can find out if that's supposed to be there or not.

policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log
policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log

zone security Inside
zone security Other

zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP

However, once I apply the zone, I get this

Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)

So, one direction, it's passing traffic as intended but the other direction it's dropping it on class-default

What am I doing wrong? Or do I need to create a class-map that allows everything and pass it in that class? Is this a bug?
Re: [c-nsp] (off-topic?) Firefox ubuntu CPU issues when entering at tools.cisco.com to see the SRs
LM asturlui...@gmail.com wrote:

Nice to see that I am not alone with problems at cisco.com. I can't understand how is possible to make so ticket website so bad.

Do you not have 'web monkeys' where you work? If so, then are you hiring? ;)

Cheers

--
Alexander Clouter
.sigmonster says: Causes moderate eye irritation.
[c-nsp] Cisco L2tpv3
Hi,

I am currently trying to provide one of our clients a vlan over a PPP link as per their request of only a layer 2 connection. The connection would be like 3750g -- 7200 -- 1841 where the 7200 and 1841 is a ppp link.

In doing some research, we found L2TPv3 to be a viable option. However, I am having trouble keeping the tunnel up and sending traffic over it. At the moment I am trying to configure only a simple layer 2 tunnel on test devices: 2 1841 routers, Version 12.4(15)T12, Advanced Services. I am currently using these 2 sites as reference:

http://prakashkalsaria.wordpress.com/2010/05/11/l2tpv3-over-hdlc-l2tpv3-over-ppp/
http://www.informit.com/library/content.aspx?b=Troubleshooting_VPNsseqNum=44

On the other hand I was also recently informed that there may be too much overhead in a layer 2 tunnel. If that is the case, what is the more viable option for this setup?

I have attached the debug output from the tunnels as well. Any assistance would be appreciated.

Router#show l2tun
L2TP Tunnel and Session Information Total tunnels 1 sessions 1
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
33146 0wsccrp 10.1.1.11 l2tp_default_cl
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid, Circuit
2130 0 33146 101, Se0/0/0 wt-cc 00:00:04 1

Router#show l2tun
L2TP Tunnel and Session Information Total tunnels 1 sessions 0
LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
33146 0shutdn 10.1.1.10 l2tp_default_cl

Router#show l2tun
%No active L2TP tunnels
Re: [c-nsp] Zone Based Firewall default-class
Maybe class-default only allows traffic initiated from the zone and not return traffic? Check your log again... Try your Or, and try upgrading to T3 to see if that makes a difference.

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
--

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Friday, July 09, 2010 4:08 PM
To: cisco-nsp
Subject: [c-nsp] Zone Based Firewall default-class

I have a strange problem with ZBFW or I am just missing something obvious.

3845 running 12.4(24)T advipservices

I am trying to apply a firewall rule between two entities. Since I am not 100% sure what all traffic is passing through the two, I wanted to write rules for what I know and pass anything I don't know but log it so I can find out if that's supposed to be there or not.

policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log
policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log
zone security Inside
zone security Other
zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP

However, once I apply the zone, I get this

Jul 9 15:04:51 192.168.1.253 266: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 = 172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul 9 15:04:51 192.168.1.253 267: Jul 9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 = 192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)

So, one direction, it's passing traffic as intended but the other direction it's dropping it on class-default

What am I doing wrong? Or do I need to create a class-map that allows everything and pass it in that class? Is this a bug?
Re: [c-nsp] Exit from OADM TL1 telnet session
Daniel D Jones ddjo...@riddlemaster.org wrote:

I'm SSH'd into a Sun server, and then telnetting from there, and I can't even Ctrl-Z, Ctrl-C, or Ctrl-X out. I've even tried Ctrl-Shift-6 X without any success. The only way I can get out of the session is to kill the SSH session to the Sun server. Surely I'm missing something?

Sun's telnet used Ctrl-] (Control Right-Bracket) as the escape character, by default. You can press Ctrl-] and then give the quit command to telnet, to break the connection.

--
David DeSimone == Network Admin == f...@verio.net
I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it. -- Clarence Darrow
[c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection
Anyone,

Ran into a weird issue today with a re-build of a VSS pair. A botched IOS upgrade forced me to rebuild the pair. Was going ok, but I'm having trouble getting the VSL link up between the two. Switch 2 had the port channel for the VSL link up/up, but on switch 1, it stays up/down. Adding a second 10 gig link to the port channel on each side resulted in both up/up on switch 2, and both up/down on switch 1. It was working a month ago in a lab, the lab guys upgrading to SXI4 killed the config. I'm starting from scratch. I ran out of time today, didn't get a chance to see if the ints would come up if the 'switch virtual link 1' command wasn't on there, or check the logs. Using 2 ints should have ruled out bad X2 modules. Just wondering if anyone has seen something similar with VSS.

Thanks,
Chuck
Re: [c-nsp] PFC for iSCSI on Nexus
Tom,

iSCSI runs atop of TCP. generally speaking, the TCP state machine uses packet drop (lost segments) to tune its transmit rate to the capabilities of the network end-to-end.

PFC will essentially provide a no-drop environment which while in face value may seem to be beneficial in reality it will impair the goodput that is possible with many TCP stacks. TCP is not really tuned for situations where there is no-drop but variable latency as a result of PFC.

where PFC is likely to be beneficial is if you are using a storage protocol which is not based on TCP. e.g. NFS with UDP.

cheers,

lincoln.

On 10/07/2010, at 2:54 AM, Tom wrote:

Hello,

Based on what I've read PFC (Priority Flow Control) just does a pause type functionality on a more granular level, per CoS instead of a per link. I was wondering if you could configure PFC policy for iSCSI on the Cisco Nexus 5000s or is that only hard written for only FCoE? Not sure how that would work with the TCP transmit queues but should create a lossless functionality for iSCSI. Anyone has a Nexus 5000 and played around with the PFC configuration?