[c-nsp] 10Gig DWDM fluctuating

2010-08-04 Thread Good One



I am trying to find out what is causing my link to go down either the transmit 
power or a receive power. Below are the parameters of link having a 
connectivity issue of DWDM transmission. The problem is sometimes it works and 
sometimes it does not and transmission guys keep insisting that your transmit 
power is low. Now the question is if the transmit power is low, can you 
increase it for a particular link.

Physical interface: xe-4/2/0
    Laser bias current   :  33.111 mA
    Laser output power   :  0.4410 mW / -3.56 dBm
    Module temperature   :  30 degrees C / 86 degrees F
    Laser rx power       :  0.2516 mW / -5.99 dBm

I have another link over same DWDM transmission which is working quite fine 
for days. The following are the parameters for that link.

Physical interface: xe-4/3/0
    Laser bias current   :  32.748 mA
    Laser output power   :  0.5060 mW / -2.96 dBm
    Module temperature   :  31 degrees C / 88 degrees F
    Laser rx power       :  0.2538 mW / -5.96 dBm

I would appreciate it if someone can describe it in detail that what could 
be the reason causing this link to fluctuate randomly.

Thanks
Andrew

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] OpenSource Cisco Monitoring Tool

2010-08-04 Thread Alan Buxey
What do you want to do or monitor? All of the usual open source tools work 
great with that ... be it RTG , mrtg, smokeping, fping netdisco etc

Alan



Re: [c-nsp] Odd error after Interface flap [GSR/Engine 5]

2010-08-04 Thread Oliver Boehmer (oboehmer)
 I have seen the same messages recently on several slots after TE tunnels
 flap, but they caused a lot of issues (FIA errors, CEF disable and so on).
 
 %EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 3
 %EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
 %EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
 ...
 %EE48-3-QM_SANITY_WARNING: ToFab FreeQ buffers depleted. Recarving the ToFab buffers
 %EE192-3-BM_QUIESCE:
 Rx FIM/LIM failed to go idle. Value: 0x5000
 -Traceback= 400312FC 4063DD24 4063DE50 40648B48 40648BAC 40636B08 40B13274 403CAC4C 40107ED4 400AF4A0 400DB2F4 400DB2E0
 
 The version is 12.0(33)S6 and the modules are Engine 5...
 
 It seems a bug. What would cause this?

I guess there are multiple aspects here:
a) Something causes the buffers to be depleted
b) QM-sanity kicks in, notices that something is really wrong and tries
to remedy the lack of buffers by re-carving the pool
c) re-carving causes CEF issues

Are you able to reproduce the issue? If so, it might make sense to a)
try to disable qm sanity check and see if it makes a difference (no
hw-module slot n qm-sanity both), I somehow would expect you to see
other problems with traffic not going through, and b) work with TAC on
finding the cause why buffers are not freed up, and root cause of
FIA/CEF errors when re-carving the buffer (it doesn't surprise me, but
this should not happen).

oli
 



[c-nsp] problem with 7609

2010-08-04 Thread Piotr Chytla
Hi,

Experts, I need advice. I have a problem with my 7609-S with IOS 12.3(33) SRB1:
after applying 'ip policy route-map' to a TenGig interface, my RSP720 crashed.


Hardware details :

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    0  4-subslot SPA Interface Processor-400  7600-SIP-400       JAE
  2    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL
  3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       SAL
  4    0  4-subslot SPA Interface Processor-400  7600-SIP-400       JAE
  5    2  Route Switch Processor 720 (Active)    RSP720-3CXL-GE     JAE
  7   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL
  8    0  4-subslot SPA Interface Processor-400  7600-SIP-400       JAE
  9    0  4-subslot SPA Interface Processor-400  7600-SIP-400       JAE

All four SIP-400 are disabled - 'PwrDown' state.

Interfaces are nothing fancy:

interface TenGigabitEthernet2/1
 ip address X.X.248.202 255.255.255.252
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 logging event link-status
end

And route-map ; 

route-map RTR01-NH, permit, sequence 10
  Match clauses:
    ip address (access-lists): 102
  Set clauses:
    ip next-hop verify-availability X.X.32.34 10 track 1  [up]
  Policy routing matches: 0 packets, 0 bytes

Extended IP access list 102
    10 permit ip any X.X.120.0 0.0.0.127

Traffic with destination IP in access-list 102 goes to other gateway. After 
applying 'ip policy route-map RTR01-NH' to Te2/1 RSP crashed. After switchover 
backup RSP crashed after EARL tried to recover hardware problem.

Second crash :

Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 12.2(33)SRC2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 18-Sep-08 03:16 by prod_rel_team
*Jul 20 15:56:26.628: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Jul 20 13:55:44.575: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.

Firmware compiled 07-Jul-08 00:53 by integ Build [100]
*Jul 20 13:56:16.711: %SPANTREE-SP-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
*Jul 20 13:56:16.903: SP: SP: Currently running ROMMON from S (Gold) region
*Jul 20 13:56:21.902: %C7600_PWR-SP-4-PSCOMBINEDMODE: power supplies set to combined mode.
*Jul 20 13:56:26.448: %SYS-SP-5-RESTART: System restarted --
Cisco IOS Software, c7600rsp72043_sp Software (c7600rsp72043_sp-ADVIPSERVICESK9-M), Version 12.2(33)SRC2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 18-Sep-08 03:46 by prod_rel_team
*Jul 20 13:56:27.504: %OIR-SP-6-INSPS: Power supply inserted in slot 1
*Jul 20 13:56:27.508: %C7600_PWR-SP-4-PSOK: power supply 1 turned on.
*Jul 20 13:56:27.568: %OIR-SP-6-INSPS: Power supply inserted in slot 2
*Jul 20 13:56:27.572: %C7600_PWR-SP-4-PSOK: power supply 2 turned on.
*Jul 20 13:56:30.160: %C7600_PWR-SP-4-DISABLED: power to module in slot 1 set off (admin request)
*Jul 20 13:56:31.200: %C7600_PWR-SP-4-DISABLED: power to module in slot 4 set off (admin request)
*Jul 20 15:56:34.884: %DIAG-SP-6-RUN_MINIMUM: Module 5: Running Minimal Diagnostics...
*Jul 20 15:56:39.652: %OIR-6-REMCARD: Card removed from slot 1, interfaces disabled
*Jul 20 15:56:39.660: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1XOC48POS/RPR) offline in subslot 1/0
*Jul 20 15:56:39.660: %OIR-6-REMCARD: Card removed from slot 4, interfaces disabled
*Jul 20 15:56:39.664: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1XOC48POS/RPR) offline in subslot 4/0
*Jul 20 15:56:39.664: %OIR-6-REMCARD: Card removed from slot 8, interfaces disabled
*Jul 20 15:56:39.668: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1XOC48POS/RPR) offline in subslot 8/0
*Jul 20 15:56:39.668: %OIR-6-REMCARD: Card removed from slot 9, interfaces disabled
*Jul 20 15:56:39.668: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1XOC48POS/RPR) offline in subslot 9/0
*Jul 20 15:56:39.312: %DIAG-SP-6-DIAG_OK: Module 5: Passed Online Diagnostics
*Jul 20 15:56:40.088: %OIR-SP-6-INSCARD: Card inserted in slot 5, interfaces are now online
*Jul 20 15:56:57.504: %PFREDUN-SP-6-ACTIVE: Standby initializing for SSO mode
[..]
*Jul 20 15:57:31.817: %FABRIC-SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 6.
*Jul 20 15:57:31.901: %FABRIC-SP-5-FABRIC_MODULE_BACKUP: The Switch Fabric Module in slot 6 became standby
*Jul 20 15:57:32.653: %DIAG-SP-6-RUN_MINIMUM: Module 6: Running Minimal Diagnostics...
*Jul 20 15:57:33.173: %DIAG-SP-6-DIAG_OK: Module 6: Passed Online Diagnostics
*Jul 20 15:57:34.593: %OIR-SP-6-INSCARD: Card inserted in slot 6, interfaces are now online
*Jul 20 15:57:58.997: %DIAG-SP-6-RUN_MINIMUM: Module 7: Running Minimal Diagnostics...
*Jul 20 15:58:07.981: 

Re: [c-nsp] Match-in-VRF

2010-08-04 Thread Oliver Boehmer (oboehmer)
 
 Was hoping someone could advise with regards to what the NAT keywords
 match-in-vrf achieves? We typically use this in production. However, I've just
 been labbing NAT config using VRF lite and it doesn't appear to change behaviour
 and Cisco literature is unclear. With or without it, translations occur in the
 relevant VRF.
 
not an expert, but do you use overlapping pools between vrfs? If you are
not, you don't need match-in-vrf.. take a look at
http://docwiki.cisco.com/wiki/Category:NAT

oli



Re: [c-nsp] 10Gig DWDM fluctuating

2010-08-04 Thread sthaug
 I am trying to find out what is causing my link to go down either the 
 transmit power or a receive power. Below are the parameters of link having a 
 connectivity issue of DWDM transmission. The problem is sometimes it works 
 and sometime it does not and transmission guys keep insisting that your 
 transmit power is low. Now the question is if the transmit power is low, can 
 you increase it for a particular link.

 Physical interface: xe-4/2/0
     Laser bias current   :  33.111 mA
     Laser output power   :  0.4410 mW / -3.56 dBm
     Module temperature   :  30 degrees C / 86 degrees F
     Laser rx power       :  0.2516 mW / -5.99 dBm

 I have another link over same DWDM transmission which is working quite fine 
 for days. The following are the parameters for that link.

 Physical interface: xe-4/3/0
     Laser bias current   :  32.748 mA
     Laser output power   :  0.5060 mW / -2.96 dBm
     Module temperature   :  31 degrees C / 88 degrees F
     Laser rx power       :  0.2538 mW / -5.96 dBm

 I would appreciate it if someone can describe it in detail that what 
 could be the reason causing this link to fluctuate randomly.

 Thanks
 Andrew
   
Why are you asking about what appears to be Juniper equipment on a 
Cisco list?

Btw, your transmit and receive signal levels seem completely normal.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


[c-nsp] Cisco3750 %AAA-3-BADMETHOD

2010-08-04 Thread Chris Lane
All,

Running a C3750 48TS on 12.2(35)SE2. Used very simple AAA method for
authentication with radius, 4 lines of AAA.
Happened to log into router today only to notice that I can't configure
device, my credentials don't match and I have this in the log

%AAA-3-BADMETHOD

This entry is on AUG 2nd, and the last NVRAM change was done on July 29th -
and it was simple vlan addition.
The most alarming problem was when I did a SHOW RUN, there were almost 20
AAA commands that myself or the 29th UPDATED CONFIG did not add.
On Aug 2nd the log does not show any user access just the above with a bunch
of memory dumps, as it appears. Unfortunately I did not grab the LOG itself.
ugg.

Issue, I figured by rebooting the last NVRAM change on JULY 29th I would
regain my original config from the 29th and remove these randomly issued
commands. This is a remote router fyi:
router did not respond well to reload and did not come back.  Oh and on
reboot I did NOT save changes to Config preserving July 29th NVRAM change.

Has anyone seen such a weird oddity?

I have to repeat, the logs do not indicate user access to the box, which the
box does log, on Aug 2nd, just the above error with 2 full log lines full of
what appears to be a memory dump of some sort.

And lastly Cisco's website shows this for the Above error:

AAA-3-BADMETHOD : Cannot process [chars] method [int]

Explanation: A method list function has encountered a method list that was
unknown or that could not be processed.

Recommended Action: Copy the error message exactly as it appears on the
console or in the system log, contact your Cisco technical support
representative, and provide the representative with the gathered
information.

Wow, that's helpful  ;-)

Much regards

Chris
-- 
//CL


Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread Nick Hilliard

On 04/08/2010 12:54, Antonio Soares wrote:

Cisco IOS Release 15S initiates a consolidated support strategy to provide
greater consistency in new feature release and rebuild schedules and to
simplify the software selection process. The release numbering has changed
from 12.2SR to 15S to support this strategy and simplified software
selection process.


Not really - this is just a name change.  Everything else appears to be the 
same (i.e. supported platforms, etc).


My understanding of 15.0 was that the original plan was that there was 
going to be just two trains: the T and the M.  Now there's S, and a bunch 
of short-lived trains, too.


That's good: soon, it'll be just like the old days of 12.4! :-)

Nick



Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread Gert Doering
Hi,

On Wed, Aug 04, 2010 at 12:54:47PM +0100, Antonio Soares wrote:
 Cisco IOS Release 15S initiates a consolidated support strategy to provide
 greater consistency in new feature release and rebuild schedules and to
 simplify the software selection process. The release numbering has changed
 from 12.2SR to 15S to support this strategy and simplified software
 selection process.

Yes, especially given the observation that 15.0S seems to be just a 
renamed 12.2SR, and does not have the 15.0M feature set...

Seems too many customers have complained that they do not want this
old 12.2 software on their routers, so they can get new 15.0 now.

(Only for 7600, of course.  Let's see how 6500-new-numbers will look
like.  15.0R maybe, to make the confusion complete?)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread Mounir Mohamed
Yes very interested.

Thus 7200 will get out of the picture, because the SR train is used on the
7200 series with NPE-G2 in many small size service providers, and since
15.0s will be available for 7600 and 10000 only, any small size SP should
move to ASR1002.



On Wed, Aug 4, 2010 at 2:54 PM, Antonio Soares amsoa...@netcabo.pt wrote:

 This seems interesting:



 Cisco IOS Release 15S initiates a consolidated support strategy to provide
 greater consistency in new feature release and rebuild schedules and to
 simplify the software selection process. The release numbering has changed
 from 12.2SR to 15S to support this strategy and simplified software
 selection process.



 http://www.cisco.com/en/US/docs/ios/15_0s/release/notes/15_0s_rn.html







 Regards,



 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt





-- 
Best Regards,
Mounir Mohamed, CCIE No.19573 (RS, SP)
Senior Network Engineer, Core Team.
NOOR Data Networks, SAE
Mobile# +2-010-2345-956
http://mounirmohamed.wordpress.com
http://www.linkedin.com/in/mounirmohamed


Re: [c-nsp] OpenSource Cisco Monitoring Tool

2010-08-04 Thread LM

I love NMIS :D

On 04/08/10 05:01, ar wrote:

Hi. Aside from Nagios, any other opensource monitoring tool you are using that 
greatly works for cisco especially 7600 series?

thanks






Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread Nick Hilliard

On 04/08/2010 13:35, Gert Doering wrote:

Seems too many customers have complained that they do not want this
old 12.2 software on their routers, so they can get new 15.0 now.


unscrambling the egg is hard.

Nick
/me goes shopping


[c-nsp] Nexus1000v: Mgmt Port

2010-08-04 Thread Christina Klam
Hello,

I am setting up a pair of Nexus 1000v switches.   As per the Cisco
documentation, I have the management port in my system-uplink
port-group.  However, currently, this management port is in the same
production VLAN as most of our servers.  I would rather have the
management in a separate VLAN for security and reliability reasons.
Also, as I cannot assign a VLAN to both the system-uplink and the
data-uplink port-group, this means all of the server traffic will be
using the system-uplink port-group.  This does not sound logical.

My question is:
1.  Does the management port have to be in the same VLAN as the VM Host
server?
2.  If it does, what are the implications of putting the management port
on the data-uplink port-group?
3.  OR, if (1) is YES, then what do you think about putting the VM Hosts
(ESXI) on a separate VLAN than the virtual servers?

Thank you for your help,

-- Christina

[c-nsp] Recommended 1Gb SFP for ~115km?

2010-08-04 Thread Abello, Vinny
Hello,

 

Any pointers on real world experience on this topic would greatly be
appreciated. What are people using successfully out there as far as third
party SFP's go to hit a distance of approximately 115km? This would be for a
Catalyst 6506. Cisco's solution was a much more costly EDFA solution, but I
see plenty of vendors that make SFP's for Gigabit Ethernet that range from
115km to 150km and more. I know these are not supported by Cisco and TAC
won't troubleshoot if they are in the switch. I'm willing to work around
that should I need TAC assistance on the switch. What works well for a
single wavelength solution at this distance without having to switch to
DWDM? This circuit will have duplex fibers.

 

Thanks!

 

-Vinny

 

 


Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread Gert Doering
Hi,

On Wed, Aug 04, 2010 at 02:34:06PM +0100, Nick Hilliard wrote:
 /me goes shopping

Any interesting IOS versions in your basket?

(Needs Java, of course)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



[c-nsp] AIR-WLC4402-50-K9 config

2010-08-04 Thread Renelson Panosky
I am trying to console in to this new wireless controller and I have done
everything the manual said, but after it passed all the self tests it got
stuck at rc=0.  Has anybody worked with that before? If so, did you run into
the same problem? How did you get past it?

Cryptographic library self-testpassed!
XML config selected
Validating XML configuration
Cisco is a trademark of Cisco Systems, Inc.
Software Copyright Cisco Systems, Inc. All rights reserved.

Cisco AireOS Version 6.0.196.0
Initializing OS Services: ok
Initializing Serial Services: ok
Initializing Internal Interfaces: ok
Initializing Network Services: ok
Starting ARP Services: ok
Starting Trap Manager: ok
Starting Network Interface Management Services: ok
Starting System Services: ok
Starting FIPS Features: ok : Not enabled
Starting Fastpath Hardware Acceleration: ok
Starting Switching Services: ok
Starting QoS Services: ok
Starting Policy Manager: ok
Starting Data Transport Link Layer: ok
Starting Access Control List Services: ok
Starting System Interfaces: ok
Starting Client Troubleshooting Service: ok
Starting Management Frame Protection: ok
Starting Certificate Database: ok
Starting VPN Services: ok
Starting LWAPP: ok
Starting CAPWAP: ok
Starting LOCP: ok
Starting Security Services: ok
Starting Policy Manager: ok
Starting Authentication Engine: ok
Starting Mobility Management: ok
Starting Virtual AP Services: ok
Starting AireWave Director: ok
Starting Network Time Services: ok
Starting Cisco Discovery Protocol: ok
Starting Broadcast Services: ok
Starting Logging Services: ok
Starting DHCP Server: ok
Starting IDS Signature Manager: ok
Starting RFID Tag Tracking: ok
Starting Power Supply and Fan Status Monitoring Service: ok
Starting Mesh Services:  ok
Starting TSM: ok
Starting CIDS Services: ok
Starting Ethernet-over-IP: ok
Starting DTLS server:  enabled in CAPWAP
Starting FMC HS: ok
Starting WIPS: ok
Starting SSHPM LSC PROV LIST: ok
Starting RRC Services: ok
Starting Management Services:
   Web Server: ok
   CLI: ok
   Secure Web: Web Authentication Certificate not found (error). If you
cannot access management interface via HTTPS please reconfigure Virtual
Interface.

(Cisco Controller)


Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup


Would you like to terminate autoinstall? [yes]:
AUTO-INSTALL: starting now...
rc = 0


Re: [c-nsp] Anyone else seeing downloads not working

2010-08-04 Thread marty

Same experience here, with non-Java option in FF.  I get redirected
back to the auth/login page each time.  Clearing cisco.com cookies
solves it... until the next time.

- Marty

On 7/27/2010 7:34 AM, Aled Morris wrote:

I see this often (every couple of months) and have to clear my cookies for
cisco.com sites to get it to work again.

Firefox fwiw

Aled




Re: [c-nsp] OpenSource Cisco Monitoring Tool

2010-08-04 Thread Walter Keen

We use opennms and love its trap handling capabilities.


On 08/03/2010 09:55 PM, Jimmy Stewpot wrote:

Check out zenoss http://www.zenoss.com/

- Original Message -
From: arar_...@yahoo.com
To: cisco-nsp@puck.nether.net
Sent: Wednesday, 4 August, 2010 1:01:05 PM
Subject: [c-nsp] OpenSource Cisco Monitoring Tool

Hi. Aside from Nagios, any other opensource monitoring tool you are using that 
greatly works for cisco especially 7600 series?

thanks






[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances

2010-08-04 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500
Series Adaptive Security Appliances

Advisory ID: cisco-sa-20100804-asa

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Revision 1.0

For Public Release 2010 August 04 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities as follows:

  * Three SunRPC Inspection Denial of Service Vulnerabilities
  * Three Transport Layer Security (TLS) Denial of Service
Vulnerabilities
  * Session Initiation Protocol (SIP) Inspection Denial of Service
Vulnerability
  * Crafted Internet Key Exchange (IKE) Message Denial of Service
Vulnerability

These vulnerabilities are not interdependent; a release that is
affected by one vulnerability is not necessarily affected by the
others.

There are workarounds for some of the vulnerabilities disclosed in
this advisory.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Note:  The Cisco Firewall Services Module (FWSM) is affected by the
SunRPC DoS vulnerabilities. A separate Cisco Security Advisory has
been published to disclose the vulnerabilities that affect the FWSM.
This advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml

Affected Products
=================

Cisco ASA 5500 Series Adaptive Security Appliances are affected by
multiple vulnerabilities. Affected versions of Cisco ASA Software
will vary depending on the specific vulnerability.

Vulnerable Products
+------------------

For specific version information, refer to the Software Versions and
Fixes section of this advisory.

SunRPC Inspection Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three denial of service (DoS) vulnerabilities affect the SunRPC
inspection feature of Cisco ASA 5500 Series Adaptive Security
Appliances. A successful attack may result in a sustained DoS
condition.

Versions 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SunRPC
inspection is enabled by default.

To check if SunRPC inspection is enabled, issue the show
service-policy | include sunrpc command and confirm that output, such
as what is displayed in the following example, is returned.

ciscoasa# show service-policy | include sunrpc
  Inspect: sunrpc, packet 0, drop 0, reset-drop 0

The following configuration commands are used to enable SunRPC
inspection in the Cisco ASA.

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sunrpc 
  ...
!
service-policy global_policy global

Transport Layer Security (TLS) Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Three DoS vulnerabilities exist in the Cisco ASA security appliances
that can be triggered by a series of crafted TLS packets. A
successful attack may result in a sustained DoS condition. Versions
7.2.x, 8.0.x, 8.1.x, 8.2.x, and 8.3.x are affected by one or more of
these vulnerabilities. A Cisco ASA device configured for any of the
following features is affected:

  * Secure Socket Layer Virtual Private Network (SSL VPN)
  * When the affected device is configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections
  * TLS Proxy for Encrypted Voice Inspection
  * Cut-Through Proxy for Network Access when using HTTPS

SSL VPN (or WebVPN) is enabled with the enable interface name
command in webvpn configuration mode. SSL VPN is disabled by default.
The following configuration snippet provides an example of a SSL VPN
configuration.

webvpn
 enable outside
...

ASDM access is affected by three of these vulnerabilities. To use
ASDM, the HTTPS server must be enabled to allow HTTPS connections to
the Cisco ASA. The server can be enabled using the http server enable
[port] command. The default port is 443. To specify hosts that can
access the HTTP server internal to the security appliance, use the 
http command in global configuration mode.

The TLS Proxy for Encrypted Voice Inspection feature is affected by
these vulnerabilities. This feature was introduced in Cisco ASA
version 8.0(2) and is disabled by default.

To determine if the TLS Proxy for Encrypted Voice Inspection feature
is enabled on the device, use the show tls-proxy command, as shown in
the following example:

ciscoasa# show tls-proxy
Maximum number of sessions: 1200

TLS-Proxy 'sip_proxy': ref_cnt 1, seq# 3
Server proxy:
Trust-point: local_ccm
Client proxy:
Local dynamic certificate issuer: LOCAL-CA-SERVER
Local dynamic certificate key-pair: phone_common
Cipher suite:  aes128-sha1 aes256-sha1
Run-time proxies:
Proxy 0xcbae1538: Class-map: sip_ssl, Inspect: sip

[c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module

2010-08-04 Thread Cisco Systems Product Security Incident Response Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall
Services Module

Advisory ID: cisco-sa-20100804-fwsm

Revision 1.0

For Public Release 2010 August 04 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco Firewall Services Module
(FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600
Series Routers that may cause the Cisco FWSM to reload after
processing crafted SunRPC or certain TCP packets. Repeated
exploitation could result in a sustained DoS condition.

Cisco has released free software updates that address these
vulnerabilities. Workarounds are available for the vulnerabilities
disclosed in this advisory.

Note:  These vulnerabilities are independent of each other. A device
may be affected by one vulnerability and not affected by another.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml

Note:  The Cisco ASA 5500 Series Adaptive Security Appliances are
affected by the SunRPC inspection vulnerabilities described in this
advisory. A separate Cisco Security Advisory has been published to
disclose this and other vulnerabilities that affect the Cisco ASA
5500 Series Adaptive Security Appliances. The advisory is available
at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

Affected Products
=================

Vulnerable Products
+------------------

The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
Series Switches and Cisco 7600 Series Routers is affected by multiple
vulnerabilities. Affected versions of Cisco FWSM Software vary
depending on the specific vulnerability.

SunRPC Inspection Denial of Service Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cisco FWSM Software version 3.x and 4.x are affected by these
vulnerabilities only if SunRPC inspection is enabled. SunRPC
inspection is enabled by default.

To check if SunRPC inspection is enabled, use the show service-policy
| include sunrpc command and confirm that the command returns output,
as shown in the following example:

fwsm#show service-policy | include sunrpc
  Inspect: sunrpc , packet 0, drop 0, reset-drop 0

Alternatively, a device that has SunRPC inspection enabled has a
configuration similar to the following:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ...
  inspect sunrpc
  ...
!
service-policy global_policy global

Note:  The Cisco ASA 5500 Series Adaptive Security Appliances are
affected by the SunRPC inspection vulnerabilities described in this
advisory. A separate Cisco Security Advisory has been published to
disclose this and other vulnerabilities that affect the Cisco ASA
5500 Series Adaptive Security Appliances. The advisory is available
at:

http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml

TCP Denial of Service Vulnerability
~~~

Cisco FWSM Software version 3.x and 4.x are affected by this
vulnerability when configured in multi-mode (with virtual firewalls)
and with any of the following features:

  * ASDM Administrative Access
  * Telnet
  * SSH

To verify if the FWSM is running in multiple mode, use the show mode
command, as shown in the following example:

FWSM(config)#show mode
Security context mode: multiple
The flash mode is the SAME as the running mode.

The following commands are used to enable the HTTPS server and allow
only hosts on the inside interface with an address in the
192.168.1.0/24 network to create ASDM, SSH or Telnet connections:

asa(config)# http server enable
asa(config)# http 192.168.1.0 255.255.255.0 inside
asa(config)# telnet 192.168.1.0 255.255.255.0 inside
asa(config)# ssh 192.168.1.0 255.255.255.0 inside

Determining Software Versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To determine the version of Cisco FWSM Software that is running,
issue the show module command from Cisco IOS Software or Cisco
Catalyst Operating System Software to identify what modules and sub
modules are installed on the system.

The following example shows a system with a Cisco FWSM (WS-SVC-FWM-1)
installed in slot 2:

switch>show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL06334NS9
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10360485
  3    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD0932089Z
  4    4  SLB Application Processor Complex      WS-X6066-SLB-APC   SAD093004BD
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL0934888E

Mod MAC addresses
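
The two exposure checks the FWSM advisory above describes (SunRPC inspection enabled; multiple context mode combined with ASDM, Telnet or SSH access), run over saved device output. This is an added example, not part of the advisory or of any list post: the sample output is constructed from the advisory's own examples, the function names and the `unused_policy` policy-map are hypothetical, and the software version is not checked.

```python
import ipaddress
import re

# Constructed inputs modelled on the advisory's examples (not captured from a device).
SHOW_MODE = """FWSM(config)#show mode
Security context mode: multiple
The flash mode is the SAME as the running mode.
"""

RUNNING_CONFIG = """class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect sunrpc
!
policy-map unused_policy
 class inspection_default
  inspect sunrpc
!
service-policy global_policy global
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
"""

# "<feature> <network> <mask> <interface>", the form used in the advisory.
ACCESS_LINE = re.compile(
    r"^(http|telnet|ssh)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)$"
)


def context_mode(show_mode_output):
    """Return 'single' or 'multiple' from 'show mode' output, or None if absent."""
    m = re.search(r"^Security context mode:\s*(\S+)", show_mode_output, re.M)
    return m.group(1).lower() if m else None


def sunrpc_inspection(config):
    """Return the applied policy-maps that contain 'inspect sunrpc'."""
    with_sunrpc, applied, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("policy-map "):
            current = line.split()[1]
        elif raw and not raw[0].isspace() and line != "!":
            current = None  # any other top-level command ends the policy-map block
            if line.startswith("service-policy "):
                applied.append(line.split()[1])
        elif current and line == "inspect sunrpc":
            with_sunrpc.add(current)
    # A policy-map that is defined but never applied inspects nothing.
    return [name for name in dict.fromkeys(applied) if name in with_sunrpc]


def management_access(config):
    """Map 'asdm'/'telnet'/'ssh' to the (network, interface) pairs allowed in."""
    lines = [l.strip() for l in config.splitlines()]
    https_on = "http server enable" in lines
    access = {"asdm": [], "telnet": [], "ssh": []}
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # e.g. 'ssh timeout 5' configures the feature, grants no access
        feature, net, mask, ifname = m.groups()
        if feature == "http" and not https_on:
            continue  # ASDM needs the HTTPS server as well as an allowed network
        try:
            cidr = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            continue  # not a valid network/mask pair
        access["asdm" if feature == "http" else feature].append((str(cidr), ifname))
    return access


def assess(show_mode_output, config):
    """Apply the advisory's two stated exposure conditions to one device's output."""
    mode = context_mode(show_mode_output)
    features = sorted(k for k, v in management_access(config).items() if v)
    policies = sunrpc_inspection(config)
    return {
        "sunrpc_inspection_enabled": bool(policies),
        "sunrpc_policies": policies,
        "context_mode": mode,
        "mgmt_features": features,
        "tcp_dos_conditions_met": mode == "multiple" and bool(features),
    }


if __name__ == "__main__":
    for key, value in assess(SHOW_MODE, RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

A result with either condition met means the device should be compared against the fixed software listed in the advisory itself.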

Re: [c-nsp] Recommended 1Gb SFP for ~115km?

2010-08-04 Thread Nick Hilliard

On 04/08/2010 15:30, Abello, Vinny wrote:

Any pointers on real world experience on this topic would greatly be
appreciated. What are people using successfully out there as far as third
party SFP's go to hit a distance of approximately 115km? This would be for a
Catalyst 6506. Cisco's solution was a much more costly EDFA solution, but I
see plenty of vendors that make SFP's for Gigabit Ethernet that range from
115km to 150km and more. I know these are not supported by Cisco and TAC
won't troubleshoot if they are in the switch. I'm willing to work around
that should I need TAC assistance on the switch. What works well for a
single wavelength solution at this distance without having to switch to
DWDM? This circuit will have duplex fibers.


This isn't really a Cisco question, but 115km takes a little bit of care.

First, you need an accurate attenuation measurement for both strands of the 
link - you can assume C band (1550).  Once you have this measurement, you 
will then be in a position to buy a transceiver which will fit your 
requirements. You can estimate the attenuation on the link, but this can 
cause problems if the estimation is wrong (which can happen if the fibre is 
duff quality).  You should also expect to have a chromatic dispersion 
penalty; this will remove a couple of dB from your link budget.


Once you've taken into account these things + any patching loss and all 
that, you'll end up with a link budget figure.  Add on a couple of dB to 
this for leg-room and this will be your operating optical attenuation 
budget.  This budget will enable you to pin down what sort of SFPs might 
actually work on your link.


Also make sure that the electrical output from the SFP port on the Cisco 
box is compatible with the electrical power requirements of the SFP.


In all likelihood, you're going to end up purchasing DWDM SFPs.  Get a good 
quality third party transceiver (Finisar, Opnext, etc) - they are worth the 
expense.


Nick



Re: [c-nsp] Cisco3750 %AAA-3-BADMETHOD

2010-08-04 Thread LM
Never saw this before, we saw here error cosmetic AAA messages over 
3750G and 12.2.44SE1 and SE2

Not this one.

On 04/08/10 14:07, Chris Lane wrote:

All,

Running a C3750 48TS on 12.2(35)SE2 . Used very simple AAA method for
authentication with radius, 4 lines of AAA.
Happened to log into router today only to notice that i can't configure
device, my credentials don't match and i have this in the log

%AAA-3-BADMETHOD

This entry is on AUG 2nd, and the last NVRAM change was done on July29th -
and it was simple vlan addition.
The most alarming problem was when i did a SHOW RUN, there were almost 20
AAA commands that myself or the 29th UPDATED CONFIG did not add.
On Aug 2nd the log does not show any user access just the above with a bunch
of memory dumps, as it appears. Unfortunately i did not grab the LOG itself.
ugg.

Issue, i figured by rebooting the last NVRAM change on JULY 29th i would
regain my original config from the 29th and remove these randomly issued
commands. This is a remote router fyi:
router did not respond well to reload and did not come back.  Oh and on
reboot i did NOT save changes to Config preserving July 29th NVRAM change.

Has anyone Seen such weird oddity?

I have to repeat, the logs do not indicate user Access to the box, which the
box does log, on Aug 2nd, just the above error with 2 full log lines full of
what appears to be a memory dump of some sort.

And lastly Cisco's website shows this for the Above error:

AAA-3-BADMETHOD : Cannot process [chars] method [int]

Explanation: A method list function has encountered a method list that was
unknown or that could not be processed.

Recommended Action: Copy the error message exactly as it appears on the
console or in the system log, contact your Cisco technical support
representative, and provide the representative with the gathered
information.

Wow, that's helpful  ;-)

Much regards

Chris
   



Re: [c-nsp] Anyone else seeing downloads not working

2010-08-04 Thread Mark Tinka
On Wednesday, August 04, 2010 10:51:54 pm 
ma...@martyadkins.com wrote:

 Same experience here, with non-Java option in FF.  I get
 redirected back to the auth/login page each time. 
 Clearing cisco.com cookies solves it... until the next
 time.

Here too, but only on Firefox.

Not seeing the problem with Safari (don't have IE to test).

Mark.



Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread Mack McBride
It would be nice if the feature navigator worked for 15.0(1)S.
Manually comparing release notes is a pain :(

LR Mack McBride
Network Architect
Viawest, Inc

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Wednesday, August 04, 2010 6:36 AM
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000
series routers

Hi,

On Wed, Aug 04, 2010 at 12:54:47PM +0100, Antonio Soares wrote:
 Cisco IOS Release 15S initiates a consolidated support strategy to 
 provide greater consistency in new feature release and rebuild 
 schedules and to simplify the software selection process. The release 
 numbering has changed from 12.2SR to 15S to support this strategy and 
 simplified software selection process.

Yes, especially given the observation that 15.0S seems to be just a renamed 
12.2SR, and does not have the 15.0M feature set...

Seems too many customers have complained that they do not want this old 12.2 
software on their routers, so they can get new 15.0 now.

(Only for 7600, of course.  Let's see how 6500-new-numbers will look like.  
15.0R maybe, to make the confusion complete?)

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Cisco3750 %AAA-3-BADMETHOD

2010-08-04 Thread Heath Jones
Hi Chris

The first thing that popped into my mind was partial nvram failure.
If my understanding of that badmethod error description is correct, then its
talking about the methods you can configure for aaa - radius, local, tacacs
etc..
If you look where that is stored in the config, it is right around the
logins. Also, there might be a side effect of this error that a user's local
credentials won't work as there is no usable aaa policy (ie. no default
behaviour).

It's only one theory though :)


Cheers
Heath


On 4 August 2010 13:07, Chris Lane clane1...@gmail.com wrote:

 All,

 Running a C3750 48TS on 12.2(35)SE2 . Used very simple AAA method for
 authentication with radius, 4 lines of AAA.
 Happened to log into router today only to notice that i can't configure
 device, my credentials don't match and i have this in the log

 %AAA-3-BADMETHOD

 This entry is on AUG 2nd, and the last NVRAM change was done on July29th -
 and it was simple vlan addition.
 The most alarming problem was when i did a SHOW RUN, there were almost 20
 AAA commands that myself or the 29th UPDATED CONFIG did not add.
 On Aug 2nd the log does not show any user access just the above with a
 bunch
 of memory dumps, as it appears. Unfortunately i did not grab the LOG
 itself.
 ugg.

 Issue, i figured by rebooting the last NVRAM change on JULY 29th i would
 regain my original config from the 29th and remove these randomly issued
 commands. This is a remote router fyi:
 router did not respond well to reload and did not come back.  Oh and on
 reboot i did NOT save changes to Config preserving July 29th NVRAM change.

 Has anyone Seen such weird oddity?

 I have to repeat, the logs do not indicate user Access to the box, which
 the
 box does log, on Aug 2nd, just the above error with 2 full log lines full
 of
 what appears to be a memory dump of some sort.

 And lastly Cisco's website shows this for the Above error:

 AAA-3-BADMETHOD : Cannot process [chars] method [int]

 Explanation: A method list function has encountered a method list that
 was
 unknown or that could not be processed.

 Recommended Action: Copy the error message exactly as it appears on the
 console or in the system log, contact your Cisco technical support
 representative, and provide the representative with the gathered
 information.

 Wow, that's helpful  ;-)

 Much regards

 Chris
 --
 //CL


Re: [c-nsp] Cisco3750 %AAA-3-BADMETHOD

2010-08-04 Thread Heath Jones
Chris - on second thought, when you say the 'memory dump' was in the log,
are you talking about your console session or actual log file / syslog? I
was assuming you might have seen it in the nvram config if you did a show
conf.
If its the actual syslog then I think you should consider a potential dos /
compromise / other crazy bug. Any other odd behaviour on the network lately?


On 4 August 2010 13:07, Chris Lane clane1...@gmail.com wrote:

 All,

 Running a C3750 48TS on 12.2(35)SE2 . Used very simple AAA method for
 authentication with radius, 4 lines of AAA.
 Happened to log into router today only to notice that i can't configure
 device, my credentials don't match and i have this in the log

 %AAA-3-BADMETHOD

 This entry is on AUG 2nd, and the last NVRAM change was done on July29th -
 and it was simple vlan addition.
 The most alarming problem was when i did a SHOW RUN, there were almost 20
 AAA commands that myself or the 29th UPDATED CONFIG did not add.
 On Aug 2nd the log does not show any user access just the above with a
 bunch
 of memory dumps, as it appears. Unfortunately i did not grab the LOG
 itself.
 ugg.

 Issue, i figured by rebooting the last NVRAM change on JULY 29th i would
 regain my original config from the 29th and remove these randomly issued
 commands. This is a remote router fyi:
 router did not respond well to reload and did not come back.  Oh and on
 reboot i did NOT save changes to Config preserving July 29th NVRAM change.

 Has anyone Seen such weird oddity?

 I have to repeat, the logs do not indicate user Access to the box, which
 the
 box does log, on Aug 2nd, just the above error with 2 full log lines full
 of
 what appears to be a memory dump of some sort.

 And lastly Cisco's website shows this for the Above error:

 AAA-3-BADMETHOD : Cannot process [chars] method [int]

 Explanation: A method list function has encountered a method list that
 was
 unknown or that could not be processed.

 Recommended Action: Copy the error message exactly as it appears on the
 console or in the system log, contact your Cisco technical support
 representative, and provide the representative with the gathered
 information.

 Wow, that's helpful  ;-)

 Much regards

 Chris
 --
 //CL


Re: [c-nsp] Match-in-VRF

2010-08-04 Thread Derick Winkworth
This limits the scope of a NAT rule/translation to the VRF specified in the NAT 
rule.  The most common issue is that outside NATs were always global, even if 
you specified a VRF.  You could not re-use the same translated address (pool) 
for another VRF / different real address...

Essentially this command ensures you have real per-VRF inside and outside 
translations which means you can re-use real and NAT'd addresses on a per VRF 
basis without any issues.

This is now the default/native behavior of IOS XE.  There is no match-in-vrf on 
that platform because it is not needed.





From: Oliver Boehmer (oboehmer) oboeh...@cisco.com
To: David Warner davidwarner1...@yahoo.com.au; cisco-nsp@puck.nether.net
Sent: Wed, August 4, 2010 3:25:32 AM
Subject: Re: [c-nsp] Match-in-VRF


 Was hoping someone could advise with regards to what the NAT keywords
 match-in-vrf achieves? We typically use this in production. However,
Ive
 just
 been labbing NAT config using VRF lite and it doesnt appear to change
 behaviour
 and Cisco literature is unclear. With or without it, translations
occur in
 the
 relevant VRF.

not an expert, but do you use overlapping pools between vrfs? If you are
not, you don't need match-in-vrf.. take a look at
http://docwiki.cisco.com/wiki/Category:NAT

    oli



Re: [c-nsp] Cisco IOS Release 15.0S for the Cisco 7600 and Cisco 10000 series routers

2010-08-04 Thread LM
This is disgusting, specially if your 7200 is at 15% of capacity working 
perfectly.


On 04/08/10 14:40, Mounir Mohamed wrote:

Yes very interested.

Thus 7200 will get out of the picture, because the SR train is used on the
7200 series with NPE-G2 in many small size service providers, and since
15.0s will be available for 7600 and 10000 only, any small size SP should
move to ASR1002.



On Wed, Aug 4, 2010 at 2:54 PM, Antonio Soares amsoa...@netcabo.pt wrote:

   

This seems interesting:



Cisco IOS Release 15S initiates a consolidated support strategy to provide
greater consistency in new feature release and rebuild schedules and to
simplify the software selection process. The release numbering has changed
from 12.2SR to 15S to support this strategy and simplified software
selection process.



http://www.cisco.com/en/US/docs/ios/15_0s/release/notes/15_0s_rn.html







Regards,



Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt



[c-nsp] Forwarding bandwidth vs. Switching bandwidth

2010-08-04 Thread Brian Landers
Need some help deciphering Cisco marketing-speak.   In the data sheet
for the Catalyst 2960S, they list:

  Forwarding Bandwidth
  88 Gbps
  20 Gbps for FlexStack Stacking

  Switching Bandwidth
  176 Gbps

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/product_data_sheet0900aecd80322c0c.html

Can anyone explain the difference?  Google only returns links to the
data sheet itself or a couple of forum threads asking the same
question.

Thanks,
Brian


-- 
Brian C Landers
http://www.packetslave.com/
CCIE #23115


Re: [c-nsp] Forwarding bandwidth vs. Switching bandwidth

2010-08-04 Thread Christopher Gatlin
Classic marketeer speak.

88 * 2 = 176

They count each frame as it comes in and again as it goes out.


Chris


On Wed, Aug 4, 2010 at 1:11 PM, Brian Landers br...@bluecoat93.org wrote:

 Need some help deciphering Cisco marketing-speak.   In the data sheet
 for the Catalyst 2960S, they list:

  Forwarding Bandwidth
  88 Gbps
  20 Gbps for FlexStack Stacking

  Switching Bandwidth
  176 Gbps


 http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/product_data_sheet0900aecd80322c0c.html

 Can anyone explain the difference?  Google only returns links to the
 data sheet itself or a couple of forum threads asking the same
 question.

 Thanks,
 Brian


 --
 Brian C Landers
 http://www.packetslave.com/
 CCIE #23115


Re: [c-nsp] Forwarding bandwidth vs. Switching bandwidth

2010-08-04 Thread Nick Hilliard
On 04/08/2010 19:11, Brian Landers wrote:
 Need some help deciphering Cisco marketing-speak.   In the data sheet
 for the Catalyst 2960S, they list:
 
   Forwarding Bandwidth
   88 Gbps
   20 Gbps for FlexStack Stacking
 
   Switching Bandwidth
   176 Gbps

88Gbps forwarding bandwidth full duplex == 176Gbps bandwidth half duplex.
I.e. it will switch in both directions at the same time.  I always buy
switches which operate in both directions at the same time.  Don't you?

The 20Gbps flexstack bandwidth refers to the dual 10G stacking ports.  If
you google for flexstack 2960, the first entry is a white paper on how
2960S FlexStack works.  It notes mid-way down: The FlexStack links are
full duplex 10Gbps Ethernet links.

 http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

Nick


[c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Cisco NSP
Hi all,

I'm not very fibre-savvy, so if anybody could help me, I'd very much
appreciate it!

I have two Cisco 6500s about 250 meters apart in two separate buildings.
Between those two buildings I have OM2 grade fibre. and both Cisco have an
10GBase-LX4 X2 interface.

When I measure the fibre end-to-end it has about 1,9dB attenuation in the
1300nm spectrum but when I connect the fibre to the interface, I don't get
link-up.
A little troubleshooting pointed me to mode conditioning patches (a piece of
SM and MM welded together) but I find it very hard to believe that this
patch will solve my problem.


Before I invest 800$ for 2 patch-fibers, Is this the way I should go, or am
I overlooking anything?


Thanks in advance,
Dirk-Jan van Helmond


Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Mikael Abrahamsson

On Wed, 4 Aug 2010, Cisco NSP wrote:


A little troubleshooting pointed me to mode conditioning patches (a piece of
SM and MM welded together) but I find it very hard to believe that this
patch will solve my problem.


Is this the page you're referring to?

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/product_bulletin_c25-530836.html

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Justin M. Streiner

On Wed, 4 Aug 2010, Cisco NSP wrote:


Hi all,

I'm not very fibre-savvy, so if anybody could help me, I'd very much
appreciate it!

I have two Cisco 6500s about 250 meters apart in two separate buildings.
Between those two buildings I have OM2 grade fibre. and both Cisco have an
10GBase-LX4 X2 interface.


From what I recall, the recommended maximum distance on 10GBASE-LX4 on
OM3 fiber is 300 meters.


When I measure the fibre end-to-end it has about 1,9dB attenuation in the
1300nm spectrum but when I connect the fibre to the interface, I don't get
link-up.


That is well within the published link budget for the LX4 spec.  Are you 
sure that 1. both X2 modules are functional and 2. all of your jumpers 
and connectors are in good shape (clean end faces, no kinks/micro-bends), 
etc?



A little troubleshooting pointed me to mode conditioning patches (a piece of
SM and MM welded together) but I find it very hard to believe that this
patch will solve my problem.


A mode-conditioning patch can extend the distance and reduce the dispersion
penalty you pay on multimode fiber by admitting only one mode of light 
into the fiber from the transmit side of the optics at each end.


Do you have any singlemode fiber between the buildings, or do you just 
have OM2 grade multimode?


jms




Before I invest 800$ for 2 patch-fibers, Is this the way I should go, or am
I overlooking anything?


Thanks in advance,
Dirk-Jan van Helmond


Re: [c-nsp] Forwarding bandwidth vs. Switching bandwidth

2010-08-04 Thread Asbjorn Hojmark - Lists
It's really quite simple:

48x1G downlinks + 2x10G uplinks + 2x10G stacking = 88G non-blocking
88G x marketing = 176G

-A



Re: [c-nsp] Forwarding bandwidth vs. Switching bandwidth

2010-08-04 Thread Walter Keen

Yes, like a 2GB circuit, in reality is 1Gb bidirectional.

That funny marketing math.
if (marketing=true) then (throughput=unidirectional-rate*2)


On 08/04/2010 01:39 PM, Asbjorn Hojmark - Lists wrote:

It's really quite simple:

48x1G downlinks + 2x10G uplinks + 2x10G stacking = 88G non-blocking
88G x marketing = 176G

-A



Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Cisco NSP
Thanks for all the responses.

Unfortunately there is no single-mode fiber between the buildings. I'm much
more familiar with 10GBase-SR and  10GBase-LR and I would have liked to use
it instead. But we have to work with the current cabling.

I've checked the orientation of the TX/RX both ways and both didn't work. I
can try to clean the faces again, but the 1.9dB attenuation seems a good
indication  to me that the fibre itself is ok.


Mack, I'm not aware that the X2-LX4 interface was not supported on the 6500.
Do you have an url confirming this? FWIW, the optic is placed in a
VS-S720-10G-3C supervisor (port Te5/4).

Regards,
Dirk-Jan van Helmond





On Wed, Aug 4, 2010 at 6:40 PM, Justin M. Streiner
strei...@cluebyfour.org wrote:

 On Wed, 4 Aug 2010, Cisco NSP wrote:

  Hi all,

 I'm not very fibre-savvy, so if anybody could help me, I'd very much
 appreciate it!

 I have two Cisco 6500s about 250 meters apart in two separate buildings.
 Between those two buildings I have OM2 grade fibre. and both Cisco have an
 10GBase-LX4 X2 interface.


 From what I recall, the recommended maximum distance on 10GBASE-LX4 on
 OM3 fiber is 300 meters.


  When I measure the fibre end-to-end it has about 1,9dB attenuation in the
 1300nm spectrum but when I connect the fibre to the interface, I don't get
 link-up.


 That is well within the published link budget for the LX4 spec.  Are you
 sure that 1. both X2 modules are functional and 2. all of your jumpers and
 connectors are in good shape (clean end faces, no kinks/micro-bends), etc?


  A little troubleshooting pointed me to mode conditioning patches (a piece
 of
 SM and MM welded together) but I find it very hard to believe that this
 patch will solve my problem.


 A mode-conditioning patch can extend the distance and reduce the dispersion
 penalty you pay on multimode fiber by admitting only one mode of light into
 the fiber from the transmit side of the optics at each end.

 Do you have any singlemode fiber between the buildings, or do you just have
 OM2 grade multimode?

 jms



 Before I invest 800$ for 2 patch-fibers, Is this the way I should go, or
 am
 I overlooking anything?


 Thanks in advance,
 Dirk-Jan van Helmond


Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Mack McBride
LX4 is not supported on the 6500s.

Show int trans supported-list
...
X2 LX4   NONE
...

Mack McBride
Network Architect
Viawest, Inc.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Cisco NSP
Sent: Wednesday, August 04, 2010 2:21 PM
To: cisco-nsp
Subject: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

Hi all,

I'm not very fibre-savvy, so if anybody could help me, I'd very much
appreciate it!

I have two Cisco 6500s about 250 meters apart in two separate buildings.
Between those two buildings I have OM2 grade fibre. and both Cisco have an
10GBase-LX4 X2 interface.

When I measure the fibre end-to-end it has about 1,9dB attenuation in the
1300nm spectrum but when I connect the fibre to the interface, I don't get
link-up.
A little troubleshooting pointed me to mode conditioning patches (a piece of
SM and MM welded together) but I find it very hard to believe that this
patch will solve my problem.


Before I invest 800$ for 2 patch-fibers, Is this the way I should go, or am
I overlooking anything?


Thanks in advance,
Dirk-Jan van Helmond


Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Walter Keen

Based on the following, you might have too much light.

From : 
http://www.cisco.com/en/US/prod/collateral/modules/ps5455/product_bulletin_c25-530836.html


Notes for LX4:

1. In some cases, customers might experience that a link would be 
operating properly over OM2 fiber type without MCP.


2. Some customers may be tempted to connect 10GBASE-LX4 devices over MMF 
jumper cables without MCP cables. This includes the case of links over 
OM3 cable for which the MCP should not be used. There is a risk to 
overload and saturate the adjacent receiver causing high bit error rate, 
link flaps and eventually irreversible damage. In such cases, a 5-dB 
attenuator for 1300nm should be used and plugged at the transmitter of 
the optical module on each side of the link.


3. Another alternative for short reaches within the same location is to 
use a single-mode patch cable. There will be no saturation over 
single-mode fiber. Please note the 10GBASE-LX4 devices can reach up to 
10km over single-mode fiber as per compliance to IEEE.




On 08/04/2010 02:11 PM, Cisco NSP wrote:

Thanks for all the responses.

Unfortunately there is no single-mode fiber between the buildings. I'm much
more familiar with 10GBase-SR and  10GBase-LR and I would have liked to use
it instead. But we have to work with the current cabling.

I've checked the orientation of the TX/RX both ways and both didn't work. I
can try to clean the faces again, but the 1.9dB attenuation seems a good
indication  to me that the fibre itself is ok.


Mack, I'm not aware that the X2-LX4 interface was not supported on the 6500.
Do you have an url confirming this? FWIW, the optic is placed in a
VS-S720-10G-3C supervisor (port Te5/4).

Regards,
Dirk-Jan van Helmond





On Wed, Aug 4, 2010 at 6:40 PM, Justin M. Streiner
strei...@cluebyfour.org wrote:

   

On Wed, 4 Aug 2010, Cisco NSP wrote:

  Hi all,
 

I'm not very fibre-savvy, so if anybody could help me, I'd very much
appreciate it!

I have two Cisco 6500s about 250 meters apart in two separate buildings.
Between those two buildings I have OM2 grade fibre. and both Cisco have an
10GBase-LX4 X2 interface.

   

From what I recall, the recommended maximum distance on 10GBASE-LX4 on
OM3 fiber is 300 meters.


  When I measure the fibre end-to-end it has about 1,9dB attenuation in the
 

1300nm spectrum but when I connect the fibre to the interface, I don't get
link-up.

   

That is well within the published link budget for the LX4 spec.  Are you
sure that 1. both X2 modules are functional and 2. all of your jumpers and
connectors are in good shape (clean end faces, no kinks/micro-bends), etc?


  A little troubleshooting pointed me to mode conditioning patches (a piece
 

of
SM and MM welded together) but I find it very hard to believe that this
patch will solve my problem.

   

A mode-conditioning patch can extend the distance and reduce the dispersion
penalty you pay on multimode fiber by admitting only one mode of light into
the fiber from the transmit side of the optics at each end.

Do you have any singlemode fiber between the buildings, or do you just have
OM2 grade multimode?

jms


 

Before I invest 800$ for 2 patch-fibers, Is this the way I should go, or
am
I overlooking anything?


Thanks in advance,
Dirk-Jan van Helmond


Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Justin M. Streiner

On Wed, 4 Aug 2010, Cisco NSP wrote:

> Thanks for all the responses.
>
> Unfortunately there is no single-mode fiber between the buildings. I'm much
> more familiar with 10GBase-SR and 10GBase-LR and I would have liked to use
> it instead. But we have to work with the current cabling.
>
> I've checked the orientation of the TX/RX both ways and both didn't work. I
> can try to clean the faces again, but the 1.9dB attenuation seems a good
> indication to me that the fibre itself is ok.

Yes, it does sound like the plant fiber itself is ok, but a test with a
power meter only tells you about attenuation.  On long multimode runs,
dispersion can be a big issue.  Also, did you run that power meter test
through all of the same jumpers that you're trying to use in the actual
link, to rule out the possibility of a bad jumper?

Are you sure the X2s themselves are OK, and don't have dirty connectors?

> Mack, I'm not aware that the X2-LX4 interface was not supported on the 6500.
> Do you have a URL confirming this? FWIW, the optic is placed in a
> VS-S720-10G-3C supervisor (port Te5/4).

I found the following link, but it's only for XENPAKs, not X2s.  I could
not find an X2-LX4 end of sale notice on Cisco's website.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/eol_c51_599855.html

Also, regarding mode-conditioning patch cords, I've seen them for a lot
less than $800 USD (assuming the price you originally mentioned was in
USD).

jms




Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Justin M. Streiner

On Wed, 4 Aug 2010, Mack McBride wrote:


> LX4 is not supported on the 6500s.
>
> Show int trans supported-list
> ...
> X2 LX4   NONE


I have several 6509s running some flavor of 12.2(33)SXH, with lots of 
XENPAK/X2 SR, LX4, LR, and ER optics in production with no problems.


jms


[c-nsp] 3560G-48 - Getting close to port capacity

2010-08-04 Thread John Elliot

Hi,

We have 3560G-48's running at remote DataCentres (Connecting to 7200's via
PortChan) - We interconnect to clients in these remote DC's via eth. At one DC,
the 3560 is getting close to running out of ports (~8 remaining) - Simplest
solution is for us to purchase another 3560G, run a portchan trunk to the 1st
3560G, and then when new clients connect we would need to add vlans to both
switches...not ideal, but the only other option would be to upgrade to 3750's,
and stack them? (3750's are nearly double the price though!).

Are there any other alternatives that we should be looking at? (Given a limited
budget)

Note - the 3560's are only performing L2 - Our 7200's are doing L3/BGP/MPLS/LNS
duties, and we exceed the vlan limitation on 2960's.

We also considered potentially migrating to a collapsed core/dist layer (Using
4500? No idea on price, and then we run into redundancy probs?), with 3560's
hanging off this switch as access layer.

Thanks in advance for any suggestions.
  


Re: [c-nsp] 10GBase-LX4 and OM2 fibre -- MCP?

2010-08-04 Thread Mack McBride
The literature for the 6708 blade lists the X2-10GB-LX4 as an option for the 
6500.
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns668/net_business_benefit0900aecd80534918.html

The release notes also list it as supported.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/hardware.html#wp3051725

Unfortunately the IOS lists it as unsupported (SXH5 code).
Different code may list it differently.

You may be able to get it working by using 'service unsupported-transceiver' 
command.
I have not tried that.

Your receive power is fine on the link indicating the fiber is fine.
The modal bandwidth may not be sufficient for the distance or dispersion may be 
excessive for 10G as well.
You will need to do additional testing to determine that.

But my suspicion is less than full support for the LX4 transceiver in the code 
train.

The LRM may provide the support you need but is not specifically listed in the 
supported list.
I suspect it may have the same issue.
I have not tried those modules.

You may also want to investigate FN62840. Some models don't work right.
http://www.cisco.com/en/US/ts/fn/misc/FN62840.html

I am not sure if the documentation is inaccurate but our customers have run 
into this problem and the
solution was switching to LR type modules.

Your distance is too long for regular SR modules.

Mack




[c-nsp] quick VTP question.

2010-08-04 Thread Troy Beisigl
After reading up on VTP server configurations at Cisco, I wanted to
get someone's real life experience sign off on this.

Cisco docs state that you can have more than one VTP server in a VTP
domain and that updates on one will update the other and vice versa.
My concern is that I have two switches that are in different domains
and going to migrate one of them onto the same domain as the other.
How will this affect the VLAN information? If I have both configured
with the exact same VLANs and VLAN names, will this prevent a total
loss of VLAN data in one or both of these switches?

Any advice would be greatly appreciated.

Thanks,

- Troy





Re: [c-nsp] OT - Anyone else seeing downloads not working

2010-08-04 Thread Tony
I recently saw this xkcd comic and the first thing I thought of when I saw it 
was the Cisco website.

http://xkcd.com/773/


regards,
Tony.


  




[c-nsp] mpls route target export question

2010-08-04 Thread Michael Sprouffske
I'm having a hard time grasping just exactly what the export feature does.
From what I see, the import command basically tells the vrf which routes to let
into the table.  Can anybody give me an answer as to what the export route
target feature really does in a large network?



  


Re: [c-nsp] mpls route target export question

2010-08-04 Thread Kenny Sallee
Here's my interpretation / explanation: In order to get a route into a VRF
there needs to be some type of tag the router can use to determine which
routes to import into a particular VRF.  This is done with route-target
export command.  In a particular vrf you'd route-target import what was
exported from other vrf's.  So it's the identifier that allows the router to
import whatever routes you want in the route-table of a particular VRF.
Another way to say it: what is 'exported' from one VRF is a BGP extended
community that is sent by BGP in updates to other PE routers.  The other PE
routers use the extended community as that 'tag' for import into VRF's (or
not - depending on how the RT import is configured).

I believe the route-target exported needs to be unique across the entire
routing domain (else you could have one customer import other customers'
routes).  RD can be different per PE router - but I'm not sure why anyone
would want to do that.  If someone does - can you share thoughts on that?

See here: http://www.ciscopress.com/articles/article.asp?p=28259&seqNum=5
http://ciscodreamer.blogspot.com/2009/08/vrf-route-target.html
and for night night reading:
http://ciscodreamer.blogspot.com/2009/08/vrf-route-target.html
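
The export/import tagging described in the reply above, as an added Python model (not code from the post and not how IOS implements it): each VRF attaches its export route targets to the prefixes it advertises, and installs only the updates that carry one of its import route targets. The VRF names, RD/RT values, prefixes and the `build` helper are constructed for illustration; `reused_rt=True` shows the cross-customer leak that results when two customers share one route target.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    rd: str                    # route distinguisher: keeps the VPNv4 prefix unique
    prefix: str
    route_targets: frozenset   # extended communities attached on export
    origin_pe: str

@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    local_prefixes: list
    table: dict = field(default_factory=dict)   # prefix -> originating PE

def export_routes(pe_name, vrfs):
    """Export side: tag each local VRF prefix with that VRF's export RTs."""
    return [VpnRoute(v.rd, p, frozenset(v.export_rts), pe_name)
            for v in vrfs for p in v.local_prefixes]

def import_routes(vrfs, updates):
    """Import side: a VRF installs an update only if the update carries
    at least one of the VRF's import RTs; all other updates are ignored."""
    for v in vrfs:
        for r in updates:
            if v.import_rts & r.route_targets:
                v.table[r.prefix] = r.origin_pe

def build(reused_rt):
    # Constructed topology: customer A on PE1 and PE2, customer B on PE2.
    # reused_rt=True models customer B being given customer A's route target.
    rt_a = "65000:100"
    rt_b = rt_a if reused_rt else "65000:200"
    a1 = Vrf("CUST-A", "65000:1", {rt_a}, {rt_a}, ["10.1.0.0/24"])
    a2 = Vrf("CUST-A", "65000:1", {rt_a}, {rt_a}, ["10.2.0.0/24"])
    b2 = Vrf("CUST-B", "65000:2", {rt_b}, {rt_b}, ["10.9.0.0/24"])
    pes = {"PE1": [a1], "PE2": [a2, b2]}
    updates = [r for pe, vrfs in pes.items() for r in export_routes(pe, vrfs)]
    for vrfs in pes.values():
        import_routes(vrfs, updates)
    return a1, a2, b2

if __name__ == "__main__":
    for reused in (False, True):
        for vrf in build(reused):
            print(reused, vrf.name, vrf.rd, sorted(vrf.table))
```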
