Re: [c-nsp] Mysterious GRE tunnel flap
I'll take a wild guess here.
Since you're sourcing the tunnel with the hsrp ip, and you don't have a standby priority set it means that there is another device competing on the IP address. Could it be that for some strange reason the hsrp is fluctuating between them and this causes the tunnel to be unstable?
Can you check the HSRP events and see what happens?
Also, as I said, try to take off the keepalive on the tunnel and set a higher standby priority to one of the devices, just to see if it helps.
HTH
Ziv

From: Quinn Kuzmich [mailto:lostinmos...@gmail.com]
Sent: Thursday, July 22, 2010 7:08 PM
To: Gert Doering
Cc: Ziv Leyes; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Mysterious GRE tunnel flap

Ok, here's the config for one of the two routers - they have the same basic HSRP config so if one is wrong, so is the other. Remember, the other end of the tunnel is NOT exhibiting the problem at all.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rem16-miramar-r2
!
boot-start-marker
boot-end-marker
!
logging count
logging message-counter syslog
logging buffered 51200
no logging console
!
no aaa new-model
ip source-route
!
!
!
!
no ip cef
ip domain lookup source-interface FastEthernet0/0
ip domain name cell2.psap.bc.local
ip multicast-routing
no ipv6 cef
ntp server 10.3.0.1
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
ip tftp source-interface FastEthernet0/0
!
track 1 interface Serial0/1/0 ip routing
!
!
!
!
interface Tunnel16
 description *** TUNNEL FOR VSS 16 (Multicast only) ***
 ip address 10.250.16.1 255.255.255.252
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 ip tcp adjust-mss 1436
 no ip mroute-cache
 keepalive 1 1
 tunnel source 10.16.15.254
 tunnel destination 10.3.15.254
!
interface FastEthernet0/0
 description *** BACKROOM ***
 ip address 10.16.15.252 255.255.240.0
 ip access-group 100 out
 ip helper-address 10.3.0.1
 ip pim dr-priority 255
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 no ip mroute-cache
 speed 100
 full-duplex
 keepalive 1
 standby delay minimum 45 reload 60
 standby 1 ip 10.16.15.254
 standby 1 timers 1 3
 standby 1 preempt delay minimum 15 reload 15 sync 15
 standby 1 track Serial0/1/0
!
interface FastEthernet0/1
 description *** CROSSOVER R2 R1 ***
 ip address 10.252.216.2 255.255.255.0
 ip hello-interval eigrp 2604 1
 ip hold-time eigrp 2604 2
 speed 100
 full-duplex
 keepalive 1
!
interface Serial0/1/0
 ip address 10.252.16.2 255.255.255.252
 ip hello-interval eigrp 2604 1
 ip hold-time eigrp 2604 3
 keepalive 4
 no fair-queue
 service-module t1 timeslots 1-24
!
router eigrp 2604
 passive-interface FastEthernet0/0
 network 10.16.0.0 0.0.15.255
 network 10.252.0.0 0.0.255.255
 no auto-summary
 eigrp stub connected
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.252.216.1 240
!
!
no ip http server
ip dns server
ip mroute 10.0.0.0 255.0.0.0 10.250.16.2
!
ip access-list standard AllSites
 permit 10.0.0.0
ip access-list standard MyRemoteSite
 permit 10.16.0.0 0.0.15.255
!
logging source-interface FastEthernet0/0
logging server-arp
logging 10.4.0.1
access-list 100 deny udp 10.4.0.0 0.0.15.255 any gt 5000
access-list 100 permit ip any any
access-list 101 deny udp 10.3.0.0 0.0.15.255 any gt 5000
access-list 101 permit ip any any
!
route-map REM-LEAK-LIST permit 10
 match ip address AllSites
 match interface FastEthernet0/1
!
route-map REM-LEAK-LIST permit 20
 match ip address MyRemoteSite
 match interface Serial0/1/0
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 login
 transport input telnet

This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals computer viruses.
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] NX-OS - Fabric Path
I've seen the same as well. In my case, I noticed 'ip host' commands and a default route in the management vrf that I hadn't created. Both referenced 10.x addresses. I didn't notice any nasty traffic on the management network. After seeing Chuck Church's note, I pulled a fresh 5020 from its carton for testing. The only packets that came out of the management interface were CDP messages, and those didn't indicate any configured addresses. No IP traffic was generated. I didn't proceed past the initial configuration dialog (a password prompt, i think?) because it wasn't my switch, and I didn't want to screw up somebody else's workflow. /chris From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] On Behalf Of Charles Spurgeon [c.spurg...@mail.utexas.edu] Sent: Saturday, July 24, 2010 6:57 PM To: Church, Charles Cc: Lincoln Dale; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NX-OS - Fabric Path Thanks for posting this. I am seeing the same thing and since I know that I am the only person with access to the switches I was wondering where those addrs had come from. I am building the lab config and no one else knows which console TS lines I was using or which ints. I have two new 5020s running 4.2(1)N1(1) that were unboxed a week and a half ago and set up in the lab area. I got a chance to work on them today and when looking at the config one of them had mgmt0 configured with 10.1.1.61 and the other had mgmt0 configured with 10.1.1.63. Both of them had the management vrf default route pointed to 10.1.1.1. I am the only person working on these switches and I bypassed the setup config when they were powered up. I did NOT configure them with these addrs. Nor were they connected to any live network that had access to any DHCP server. I have no idea where they got this config. Probably a leftover from mfg testing? Their mgmt0 ints were not connected to the same VLAN and I didn't see an ARP storm. -Charles Charles E. 
Spurgeon / UTnet UT Austin ITS / Networking c.spurg...@its.utexas.edu / 512.475.9265 On Mon, Jul 19, 2010 at 10:35:56PM -0400, Church, Charles wrote: Just be careful about connecting the mgmt0 interfaces to anything prior to configuring them. The default IP address of 10.1.1.50 on them (at least on the 4.2 5000s) will cause a spectacular ARP storm when they conflict with each other, like when you attach several unconfigured ones to the same network. Several thousand PPS, eventual reloads, etc. Our installation guys got ahead of the config guys in our new DC, nice little mess it made. Not sure why they put a default address on them, hope it's something they correct in the future. Chuck -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao Sent: Monday, July 19, 2010 7:17 PM To: Peter Rathlev Cc: Lincoln Dale; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NX-OS - Fabric Path Yes, but Nexus hardware is the right platform if you don't want to loose any packet in your DC ;) On Tue, Jul 20, 2010 at 12:56 AM, Peter Rathlev pe...@rathlev.dk wrote: On Tue, 2010-07-20 at 08:29 +1000, Lincoln Dale wrote: right now the hardware is using a frame format that is not that of what TRILL uses (and as such we're using a Cisco-defined ethertype), however the hardware is capable of supporting standards-based TRILL as and when the standard is finalised ratified. Would that hardware happen be the EARL8? And would there be any chance that us old skool Cat6500 guys get to share to thrill of TRILL (or similar)? 
:-) -- Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] High SNMP ENGINE CPU usage on VXR 7206
Hi All,

Please help me on the below issue I am facing right now with my Cisco VXR 7206 router. There is a high CPU utilization on SNMP ENGINE, please help me if you are already faced the issue. I give all the information below from our router

GW-04-KLS-MY#spc sor
CPU utilization for five seconds: 14%/11%; one minute: 82%; five minutes: 95%
 PID Runtime(uS)    Invoked  uSecs   5Sec   1Min   5Min TTY Process
  46  1822872000     151714  12015  1.19%  1.21%  1.21%   0 Per-Second Jobs
  82   416772000    2669605    156  0.31%  0.34%  0.28%   0 IP Input
  42       18154      41557   4368  0.15%  0.11%  0.11%   0 Net Background
 182      464000      22116     20  0.07%  0.00%  0.00%   0 AAA SEND STOP EV
 104         330     211609     15  0.07%  0.04%  0.05%   0 CEF: IPv4 proces
 227  3314562112     899029  18018  0.07% 65.34% 78.33%   0 SNMP ENGINE
 233    18388000    1139739     16  0.07%  0.11%  0.10%   0 OSPF-1 Hello
  78      764000    4157320      0  0.07%  0.01%  0.00%   0 IPAM Manager
  74    49116000     499965     98  0.07%  0.04%  0.04%   0 ADJ resolve proc
~~~
GW-04-KLS-MY#sh ver
Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 15.0(1)M2
~~~
GW-04-KLS-MY#sh run | be snmp-server
snmp-server community public RO
snmp-server contact V Telecoms Bhd(n...@vtelecoms.com.my)
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps bgp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps l2tun session
!
!
control-plane
!
!
!
!
!
gatekeeper
 shutdown
~
GW-04-KLS-MY#spc his
GW-04-KLS-MY 11:07:15 PM Sunday Jul 25 2010 UTC
[CPU history graphs not recoverable: CPU% per second (last 60 seconds); CPU% per minute (last 60 minutes); CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]
~
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] High SNMP ENGINE CPU usage on VXR 7206
On Sun, 2010-07-25 at 23:13 +0800, bharath kondi wrote: Please help me on the below issue I am facing right now with my Cisco VXR 7206 router. There is a high CPU utilization on SNMP ENGINE, please help me if you are already faced the issue. I give all the information below from our router Is it affecting the performance of the router at all? What SNMP traffic is there to and from the router? Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] NX-OS - Fabric Path
Hmmm. When I looked at the 'show accounting log' on one of mine, I did see a couple other 10.1.1.x addresses other than the .50 when mine arrived. I didn't capture it, but they did have early dates which I believe were before we received them. Does seem like some test addresses. I have the same 10.1.1.1 VRF 0/0 route as well. Chuck -Original Message- From: Charles Spurgeon [mailto:c.spurg...@mail.utexas.edu] Sent: Saturday, July 24, 2010 6:57 PM To: Church, Charles Cc: Manu Chao; Peter Rathlev; Lincoln Dale; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NX-OS - Fabric Path Thanks for posting this. I am seeing the same thing and since I know that I am the only person with access to the switches I was wondering where those addrs had come from. I am building the lab config and no one else knows which console TS lines I was using or which ints. I have two new 5020s running 4.2(1)N1(1) that were unboxed a week and a half ago and set up in the lab area. I got a chance to work on them today and when looking at the config one of them had mgmt0 configured with 10.1.1.61 and the other had mgmt0 configured with 10.1.1.63. Both of them had the management vrf default route pointed to 10.1.1.1. I am the only person working on these switches and I bypassed the setup config when they were powered up. I did NOT configure them with these addrs. Nor were they connected to any live network that had access to any DHCP server. I have no idea where they got this config. Probably a leftover from mfg testing? Their mgmt0 ints were not connected to the same VLAN and I didn't see an ARP storm. -Charles Charles E. Spurgeon / UTnet UT Austin ITS / Networking c.spurg...@its.utexas.edu / 512.475.9265 On Mon, Jul 19, 2010 at 10:35:56PM -0400, Church, Charles wrote: Just be careful about connecting the mgmt0 interfaces to anything prior to configuring them. 
The default IP address of 10.1.1.50 on them (at least on the 4.2 5000s) will cause a spectacular ARP storm when they conflict with each other, like when you attach several unconfigured ones to the same network. Several thousand PPS, eventual reloads, etc. Our installation guys got ahead of the config guys in our new DC, nice little mess it made. Not sure why they put a default address on them, hope it's something they correct in the future. Chuck -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao Sent: Monday, July 19, 2010 7:17 PM To: Peter Rathlev Cc: Lincoln Dale; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NX-OS - Fabric Path Yes, but Nexus hardware is the right platform if you don't want to loose any packet in your DC ;) On Tue, Jul 20, 2010 at 12:56 AM, Peter Rathlev pe...@rathlev.dk wrote: On Tue, 2010-07-20 at 08:29 +1000, Lincoln Dale wrote: right now the hardware is using a frame format that is not that of what TRILL uses (and as such we're using a Cisco-defined ethertype), however the hardware is capable of supporting standards-based TRILL as and when the standard is finalised ratified. Would that hardware happen be the EARL8? And would there be any chance that us old skool Cat6500 guys get to share to thrill of TRILL (or similar)? 
:-) -- Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] High SNMP ENGINE CPU usage on VXR 7206
On 7/25/10, bharath kondi bluffmaster4hea...@gmail.com wrote:
Hi All, Please help me on the below issue I am facing right now with my Cisco VXR 7206 router. There is a high CPU utilization on SNMP ENGINE, please help me if you are already faced the issue. I give all the information below from our router

You can try adding this bit see if it helps:

snmp-server view noload internet included
snmp-server view noload internet.6.3.16 excluded
snmp-server view noload atEntry excluded
snmp-server view noload ipRouteEntry excluded
snmp-server view noload ipNetToMediaEntry excluded
no snmp-server community public RO
snmp-server community public view noload RO

Regards,
Lee

GW-04-KLS-MY#spc sor
CPU utilization for five seconds: 14%/11%; one minute: 82%; five minutes: 95%
 PID Runtime(uS)    Invoked  uSecs   5Sec   1Min   5Min TTY Process
  46  1822872000     151714  12015  1.19%  1.21%  1.21%   0 Per-Second Jobs
  82   416772000    2669605    156  0.31%  0.34%  0.28%   0 IP Input
  42       18154      41557   4368  0.15%  0.11%  0.11%   0 Net Background
 182      464000      22116     20  0.07%  0.00%  0.00%   0 AAA SEND STOP EV
 104         330     211609     15  0.07%  0.04%  0.05%   0 CEF: IPv4 proces
 227  3314562112     899029  18018  0.07% 65.34% 78.33%   0 SNMP ENGINE
 233    18388000    1139739     16  0.07%  0.11%  0.10%   0 OSPF-1 Hello
  78      764000    4157320      0  0.07%  0.01%  0.00%   0 IPAM Manager
  74    49116000     499965     98  0.07%  0.04%  0.04%   0 ADJ resolve proc
~~~
GW-04-KLS-MY#sh ver
Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 15.0(1)M2
~~~
GW-04-KLS-MY#sh run | be snmp-server
snmp-server community public RO
snmp-server contact V Telecoms Bhd(n...@vtelecoms.com.my)
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps bgp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps l2tun session
!
!
control-plane
!
!
!
!
!
gatekeeper
 shutdown
~
GW-04-KLS-MY#spc his
GW-04-KLS-MY 11:07:15 PM Sunday Jul 25 2010 UTC
[CPU history graphs not recoverable: CPU% per second (last 60 seconds); CPU% per minute (last 60 minutes); CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]
[c-nsp] PBR
Hi - I'm struggling to get PBR working on a 2811, wonder if someone can show me with where I'm being special.

The 2811 has two connections coming in on ATM0/2/0 (binding to Di1) and ATM0/3/0 (binding to Di0). I've got a small gaggle of VLANs. I'm trying to get VLAN10 sending/receiving everything over Di1 and everything else over Di0.

If I do ip route 0.0.0.0 0.0.0.0 Dialer0, everything goes over Di0, as expected. If I cancel that and change it to ip route 0.0.0.0 0.0.0.0 Dialer1, then everything goes via that. So, I know that my connections are good. It's something internal I'm not getting right.

So, to start setting this up - everything is currently running over Dialer0. ATM0/2/0 is up over Di1, but there's no route for it. VLAN10 is 192.168.10.0/24, so creating an access list as per this:

ip access-list extended Network10
 permit tcp any 192.168.10.0 0.0.0.255
 permit tcp 192.168.10.0 0.0.0.255 any

Then...

route-map PBR_Network10 permit 10
 match ip address Network10
 set interface Dialer1

interface Fa0/0.10
 description Network10Uplink
 ip policy route-map PBR_Network10

ip route 0.0.0.0 0.0.0.0 Dialer1 10

As I understand it, this should work - however, from the outside, trying to ping the address of Di1 results in no replies. Also, VLAN10 can't route over the connection, instead still routing over Di0.

What am I doing wrong?

Thanks!
Gary
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PBR
Depending on the IOS you may need a numbered ACL instead of a named one.

It's an IOS quirk, a little like VRF-aware NAT requiring a route-map sometimes :-)

--Dan Holme

On 25 Jul 2010, at 20:38, Gary Smith li...@l33t-d00d.co.uk wrote:

Hi - I'm struggling to get PBR working on a 2811, wonder if someone can show me with where I'm being special.

The 2811 has two connections coming in on ATM0/2/0 (binding to Di1) and ATM0/3/0 (binding to Di0). I've got a small gaggle of VLANs. I'm trying to get VLAN10 sending/receiving everything over Di1 and everything else over Di0.

If I do ip route 0.0.0.0 0.0.0.0 Dialer0, everything goes over Di0, as expected. If I cancel that and change it to ip route 0.0.0.0 0.0.0.0 Dialer1, then everything goes via that. So, I know that my connections are good. It's something internal I'm not getting right.

So, to start setting this up - everything is currently running over Dialer0. ATM0/2/0 is up over Di1, but there's no route for it. VLAN10 is 192.168.10.0/24, so creating an access list as per this:

ip access-list extended Network10
 permit tcp any 192.168.10.0 0.0.0.255
 permit tcp 192.168.10.0 0.0.0.255 any

Then...

route-map PBR_Network10 permit 10
 match ip address Network10
 set interface Dialer1

interface Fa0/0.10
 description Network10Uplink
 ip policy route-map PBR_Network10

ip route 0.0.0.0 0.0.0.0 Dialer1 10

As I understand it, this should work - however, from the outside, trying to ping the address of Di1 results in no replies. Also, VLAN10 can't route over the connection, instead still routing over Di0.

What am I doing wrong?

Thanks!
Gary
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PBR
On 7/25/10 12:38 PM, Gary Smith wrote:

So, to start setting this up - everything is currently running over Dialer0. ATM0/2/0 is up over Di1, but there's no route for it. VLAN10 is 192.168.10.0/24, so creating an access list as per this:

ip access-list extended Network10
 permit tcp any 192.168.10.0 0.0.0.255
 permit tcp 192.168.10.0 0.0.0.255 any

Then...

route-map PBR_Network10 permit 10
 match ip address Network10
 set interface Dialer1

interface Fa0/0.10
 description Network10Uplink
 ip policy route-map PBR_Network10

ip route 0.0.0.0 0.0.0.0 Dialer1 10

As I understand it, this should work - however, from the outside, trying to ping the address of Di1 results in no replies. Also, VLAN10 can't route over the connection, instead still routing over Di0.

What am I doing wrong?

Your access list matches TCP. Your ping is ICMP.

If you want all traffic on that interface to go via PBR change the ACL to match IP and not TCP. As you're matching on source IP you can use a standard ACL.

If everything coming in on Fa0/0.10 is to go to dialer1, you may not need a match statement in the route-map at all.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
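The protocol mismatch Jay describes, worked through as an added example (not code from the thread): a small evaluator for IOS-style ACL entries that shows which packets arriving on Fa0/0.10 the route-map would hand to Dialer1. The test hosts, the 192.168.20.0/24 VLAN and the one-line replacement ACL are assumptions, and unmatched traffic is assumed to follow the existing default route via Dialer0 as the original post describes.

```python
import ipaddress


def _spec(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i].

    Returns ((base, wildcard), next_index) with both values as 32-bit ints.
    """
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> <dst>' (port operators not handled)."""
    t = line.split()
    src, i = _spec(t, 2)
    dst, _ = _spec(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst}


def _hit(spec, addr):
    """Wildcard-mask compare: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def acl_permits(aces, proto, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in aces:
        if (ace["proto"] in ("ip", proto)
                and _hit(ace["src"], src)
                and _hit(ace["dst"], dst)):
            return ace["action"] == "permit"
    return False


def egress(aces, proto, src, dst, pbr_if="Dialer1", default_if="Dialer0"):
    """Packets the route-map's ACL permits are policy-routed; the rest
    are forwarded by the normal routing table (assumed: default via Dialer0)."""
    return pbr_if if acl_permits(aces, proto, src, dst) else default_if


# The two entries from the original post.
POSTED = [parse_ace(l) for l in (
    "permit tcp any 192.168.10.0 0.0.0.255",
    "permit tcp 192.168.10.0 0.0.0.255 any",
)]

# Assumed replacement following the advice to match IP on the source network.
SUGGESTED = [parse_ace("permit ip 192.168.10.0 0.0.0.255 any")]

# Constructed test packets: (protocol, source, destination).
PACKETS = [
    ("tcp", "192.168.10.20", "198.51.100.7"),
    ("icmp", "192.168.10.20", "198.51.100.7"),
    ("udp", "192.168.10.20", "198.51.100.7"),
    ("udp", "192.168.20.20", "198.51.100.7"),
]

if __name__ == "__main__":
    for proto, src, dst in PACKETS:
        print(f"{proto:5} {src:15} posted={egress(POSTED, proto, src, dst)} "
              f"suggested={egress(SUGGESTED, proto, src, dst)}")
```
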
Re: [c-nsp] PBR
On Sun, 2010-07-25 at 20:38 +0100, Gary Smith wrote:

ip access-list extended Network10
 permit tcp any 192.168.10.0 0.0.0.255
 permit tcp 192.168.10.0 0.0.0.255 any
[...]
As I understand it, this should work - however, from the outside, trying to ping the address of Di1 results in no replies. Also, VLAN10 can't route over the connection, instead still routing over Di0. What am I doing wrong?

The access list matches only TCP traffic?

--
Peter
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PBR
Peter Rathlev wrote: The access list matches only TCP traffic? You should've included the line about me doing something incredibly stupid in your quote. Thanks for the suggestions so far everyone - going to give them a bash and hopefully get it working. Cheers, Gary ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Mysterious GRE tunnel flap
There's nothing under the HSRP events. The other router has a higher priority over 100 set on its interface. On Sun, Jul 25, 2010 at 12:26 AM, Ziv Leyes z...@gilat.net wrote: I'll take a wild guess here. Since you're sourcing the tunnel with the hsrp ip, and you don't have a standby priority set it means that there is another device competing on the IP address. Could it be that for some strange reason the hsrp is fluctuating between them and this causes the tunnel to be unstable? Can you check the HSRP events and see what happens? Also, as I said, try to take off the keepalive on the tunnel and set a higher standby priority to one of the devices, just to see if it helps. HTH Ziv ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] using the first and last ip address of a range /24 in a local pool
I even attempted to reproduce the problem with an XP (SP2) workstation on a .255 myself, no success. Initiating and receiving connections from other XP workstations worked just fine, on- and off-net. Try connecting from a XP workstation to a .255 target address that is on a class C address. It will fail every time - doesn't even attempt to send the packet. That is the buggy behaviour in question. XP assumes that the remote endpoint has a classful subnet mask whereas it shouldn't actually care. B. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] NX-OS - Fabric Path
seems like manufacturing may have skipped a write erase step. i'll pass the clue bat along. cheers, lincoln. On 26/07/2010, at 1:55 AM, Church, Charles wrote: Hmmm. When I looked at the 'show accounting log' on one of mine, I did see a couple other 10.1.1.x addresses other than the .50 when mine arrived. I didn't capture it, but they did have early dates which I believe were before we received them. Does seem like some test addresses. I have the same 10.1.1.1 VRF 0/0 route as well. Chuck -Original Message- From: Charles Spurgeon [mailto:c.spurg...@mail.utexas.edu] Sent: Saturday, July 24, 2010 6:57 PM To: Church, Charles Cc: Manu Chao; Peter Rathlev; Lincoln Dale; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NX-OS - Fabric Path Thanks for posting this. I am seeing the same thing and since I know that I am the only person with access to the switches I was wondering where those addrs had come from. I am building the lab config and no one else knows which console TS lines I was using or which ints. I have two new 5020s running 4.2(1)N1(1) that were unboxed a week and a half ago and set up in the lab area. I got a chance to work on them today and when looking at the config one of them had mgmt0 configured with 10.1.1.61 and the other had mgmt0 configured with 10.1.1.63. Both of them had the management vrf default route pointed to 10.1.1.1. I am the only person working on these switches and I bypassed the setup config when they were powered up. I did NOT configure them with these addrs. Nor were they connected to any live network that had access to any DHCP server. I have no idea where they got this config. Probably a leftover from mfg testing? Their mgmt0 ints were not connected to the same VLAN and I didn't see an ARP storm. -Charles Charles E. 
Spurgeon / UTnet UT Austin ITS / Networking c.spurg...@its.utexas.edu / 512.475.9265 On Mon, Jul 19, 2010 at 10:35:56PM -0400, Church, Charles wrote: Just be careful about connecting the mgmt0 interfaces to anything prior to configuring them. The default IP address of 10.1.1.50 on them (at least on the 4.2 5000s) will cause a spectacular ARP storm when they conflict with each other, like when you attach several unconfigured ones to the same network. Several thousand PPS, eventual reloads, etc. Our installation guys got ahead of the config guys in our new DC, nice little mess it made. Not sure why they put a default address on them, hope it's something they correct in the future. Chuck -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao Sent: Monday, July 19, 2010 7:17 PM To: Peter Rathlev Cc: Lincoln Dale; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] NX-OS - Fabric Path Yes, but Nexus hardware is the right platform if you don't want to loose any packet in your DC ;) On Tue, Jul 20, 2010 at 12:56 AM, Peter Rathlev pe...@rathlev.dk wrote: On Tue, 2010-07-20 at 08:29 +1000, Lincoln Dale wrote: right now the hardware is using a frame format that is not that of what TRILL uses (and as such we're using a Cisco-defined ethertype), however the hardware is capable of supporting standards-based TRILL as and when the standard is finalised ratified. Would that hardware happen be the EARL8? And would there be any chance that us old skool Cat6500 guys get to share to thrill of TRILL (or similar)? 
:-) -- Peter ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] using the first and last ip address of a range /24 in a local pool
I even attempted to reproduce the problem with an XP (SP2) workstation on a .255 myself, no success. Initiating and receiving connections from other XP workstations worked just fine, on- and off-net.

Try connecting from a XP workstation to a .255 target address that is on a class C address. It will fail every time - doesn't even attempt to send the packet. That is the buggy behaviour in question. XP assumes that the remote endpoint has a classful subnet mask whereas it shouldn't actually care.

B.

Wrong, running XP SP2

D:\Tracking>tracert 192.0.2.255

Tracing route to 192.0.2.255 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  stealth-10-32-254-25.cisco.com [10.32.254.25]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Next hop has uRPF and BOGON Filtering

D:\Tracking>tracert 220.1.1.255

Tracing route to softbank220001001255.bbtec.net [220.1.1.255] over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  stealth-10-32-254-25.cisco.com [10.32.254.25]
  2     2 ms     2 ms     2 ms  192.168.66.1
  3     3 ms     4 ms    20 ms  192.168.255.25
  4     2 ms     2 ms     2 ms  192.168.255.9
  5    15 ms    14 ms    13 ms  dsl092-168-001.wdc2.dsl.speakeasy.net [66.92.168.1]
  6    20 ms    13 ms    12 ms  220.ge-0-1-0.cr2.wdc1.speakeasy.net [69.17.83.45]
  7    16 ms    12 ms    12 ms  10gigabitethernet2-2.core1.ash1.he.net [206.223.115.37]
  8    96 ms    98 ms    99 ms  10gigabitethernet1-4.core1.pao1.he.net [72.52.92.29]
  9   210 ms   193 ms   206 ms  SoftbankTelecom.10gigabitethernet2-2.core1.pao1.he.net [216.218.244.234]
 10   193 ms   193 ms   193 ms  sto-gw2-pos2-0.gw.odn.ad.jp [210.142.163.169]
 11   197 ms   197 ms   197 ms  STOrw-51T2-1.nw.odn.ad.jp [143.90.33.90]
 12   193 ms   194 ms   193 ms  STOrz-02So0-0-0.nw.odn.ad.jp [143.90.144.126]
 13   201 ms   201 ms   200 ms  238.143090232.odn.ne.jp [143.90.232.238]
 14

David
--
http://dcp.dcptech.com
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] using the first and last ip address of a range /24 in a local pool
On Tue, Jul 20, 2010 at 8:16 AM, Tassos Chatzithomaoglou ach...@forthnet.gr wrote: Has anyone met any issues with .0 and .255 as host addresses? I've tried it before and found that apart from some broken implementations, the biggest issue seemed to be certain Internet banking sites that seemed to view traffic from addresses ending in .0 or .255 as invalid. Discussions with the banks in question were not that fruitful, so we just treat each assignment as a /24 and leave out the .0 and .255 addresses. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] High SNMP ENGINE CPU usage on VXR 7206
Further to this, a good start would be to put an ACL on your snmp-server to only permit hosts that require access. You may also want to block/slow SNMP on certain interfaces that don't have any reason to be sending it.

Oliver

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Hicks
Sent: Monday, 26 July 2010 1:49 AM
To: bharath kondi
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] High SNMP ENGINE CPU usage on VXR 7206

On Sun, 2010-07-25 at 23:13 +0800, bharath kondi wrote:
> Please help me on the below issue I am facing right now with my Cisco VXR 7206 router. There is a high CPU utilization on SNMP ENGINE, please help me if you have already faced the issue. I give all the information below from our router

Is it affecting the performance of the router at all? What SNMP traffic is there to and from the router?

Peter
Re: [c-nsp] High SNMP ENGINE CPU usage on VXR 7206
Control plane policing is an option.

~Sony

Sent from BlackBerry® wireless

-----Original Message-----
From: bharath kondi bluffmaster4hea...@gmail.com
Sender: cisco-nsp-boun...@puck.nether.net
Date: Sun, 25 Jul 2010 23:13:23
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] High SNMP ENGINE CPU usage on VXR 7206

Hi All,

Please help me on the below issue I am facing right now with my Cisco VXR 7206 router. There is a high CPU utilization on SNMP ENGINE, please help me if you have already faced the issue. I give all the information below from our router

GW-04-KLS-MY#spc sor
CPU utilization for five seconds: 14%/11%; one minute: 82%; five minutes: 95%
PID Runtime(uS) Invoked uSecs 5Sec 1Min 5Min TTY Process
46 1822872000 151714 12015 1.19% 1.21% 1.21% 0 Per-Second Jobs
82 416772000 2669605156 0.31% 0.34% 0.28% 0 IP Input
42 18154 41557 4368 0.15% 0.11% 0.11% 0 Net Background
182 464000 22116 20 0.07% 0.00% 0.00% 0 AAA SEND STOP EV
104 330 211609 15 0.07% 0.04% 0.05% 0 CEF: IPv4 proces
227 3314562112 899029 18018 0.07% 65.34% 78.33% 0 SNMP ENGINE
23318388000 1139739 16 0.07% 0.11% 0.10% 0 OSPF-1 Hello
78 764000 4157320 0 0.07% 0.01% 0.00% 0 IPAM Manager
7449116000 499965 98 0.07% 0.04% 0.04% 0 ADJ resolve proc
~~~
GW-04-KLS-MY#sh ver
Cisco IOS Software, 7200 Software (C7200-SPSERVICESK9-M), Version 15.0(1)M2
~~~
GW-04-KLS-MY#sh run | be snmp-server
snmp-server community public RO
snmp-server contact V Telecoms Bhd(n...@vtelecoms.com.my)
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps bgp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps l2tun session
!
!
control-plane
!
!
!
!
!
gatekeeper
 shutdown
~
GW-04-KLS-MY#spc his
GW-04-KLS-MY 11:07:15 PM Sunday Jul 25 2010 UTC
[Three ASCII CPU history graphs, not recoverable from the archive: CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes), CPU% per hour (last 72 hours); * = maximum CPU%, # = average CPU%]
~
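The two suggestions made in this thread (an ACL on the SNMP community, and control plane policing), applied to the `snmp-server community public RO` line in the posted config. This is an added example, not configuration from any poster; the management host 192.0.2.10, the ACL, class-map and policy-map names, the community placeholder and the police rates are assumptions.

```cisco
! Added example. 192.0.2.10, all names below, the community placeholder
! and the police rates are assumptions, not values from the thread.
!
! As posted: default community string and no ACL, so any source that can
! reach the router can poll it.
!   snmp-server community public RO
!
! 1. Bind the community to an ACL listing only the management hosts.
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log
!
no snmp-server community public
snmp-server community <NEW-COMMUNITY-STRING> RO SNMP-MGMT
!
! 2. Control plane policing: rate-limit SNMP from the management hosts and
!    drop SNMP from every other source at the control plane.
ip access-list extended COPP-SNMP-TRUSTED
 permit udp host 192.0.2.10 any eq snmp
ip access-list extended COPP-SNMP-OTHER
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-TRUSTED
 match access-group name COPP-SNMP-TRUSTED
class-map match-all COPP-SNMP-OTHER
 match access-group name COPP-SNMP-OTHER
!
! Class order matters: trusted pollers are matched first, everything else
! that is SNMP falls through to the second class.
policy-map COPP-IN
 class COPP-SNMP-TRUSTED
  police 64000 conform-action transmit exceed-action drop
 class COPP-SNMP-OTHER
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-IN
!
! Verify with the ACL hit counters and the per-class policer counters:
!   show ip access-lists SNMP-MGMT
!   show policy-map control-plane
```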
Re: [c-nsp] using the first and last ip address of a range /24 in a local pool
>> Try connecting from an XP workstation to a .255 target address that is on a class C address. It will fail every time
>
> Wrong, running XP SP2
>
> D:\Tracking>tracert 192.0.2.255

Traceroute is not actually connecting. Try getting IE (or any other browser) to connect to a host with an address like that. The packets never leave the source.

We had to change a customer implementation because Macs and other sensible OS could connect but Windows XP hosts (many of them - all running SP3) could not. And if you read the Microsoft technote about it, they will tell you it doesn't work for everything XP SP3 and earlier and it is fixed in Vista.

B.