Re: [c-nsp] CoPP for SSH on nexus 7k. Confused!
On 20/10/2010, at 4:42 PM, Shanawaz wrote:

> 1. I assume this is happening because all traffic is matching the deny
> statement in the ACL copp-system-acl-telnet. What does the deny in a
> CoPP ACL do?

in the context of a CoPP policy: nothing. it's not valid to have a 'deny' IP ACL entry matching a CoPP policy. it effectively won't match anything.

> 2. Isn't there a 'deny ip any any' by default at the end of all
> access-lists? In this case even the ACL copp-system-acl-ssh would have
> a deny ip any any at the end.

implicit deny is not there for CoPP, because CoPP is closer to QoS in behaviour in that it only 'matches' against permit statements.

also note that the 'class-default' CoPP class-map may be allowing this traffic, although the policy you listed below looks entirely valid.

> I have tried my best to explain, but then if you don't understand the
> scenario, I can try again ;)

your CoPP policy looks valid, which makes me think of two possibilities:

1. you are connecting to the vty via out-of-band mgmt0, which is in the management vrf. since it's out-of-band, the inband CoPP policy does not apply.

2. your new CoPP policy is not actually applied. you will need to do 'conf t; control-plane; no service-policy input copp-system-policy; service-policy input copp-system-policy' to reapply it. take note of the timestamp on 'show copp status' and the output/content of 'show policy-map interface control-plane'.

cheers,

lincoln.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] SLA tracking, what do you ping?
Yeah, something like traceroute.org, which is always answering. But you'd better try to get a closer IP to ping, one that is reliable and gives you an indication of what should be working fine, something like the provider's LNS you're connecting to, or the like.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Heath Jones
Sent: Wednesday, October 20, 2010 10:23 AM
To: Jay Nakamura
Cc: cisco-nsp
Subject: Re: [c-nsp] SLA tracking, what do you ping?

> Just ping 'the internet'... :)
>
> On 20 October 2010 02:35, Jay Nakamura zeusda...@gmail.com wrote:
>> When you use IP SLA to track if an upstream is working on an ISP
>> connection (from the customer's point of view, and you are not the ISP
>> that knows what will be safe to ping), what do you usually configure to
>> ping? I have found that one hop up from the CPE is not necessarily
>> reliable on DSL/Cable. I was wondering if anyone can share their
>> experience on what works well and what to look out for.
>>
>> Thanks,
[c-nsp] C6K EoMPLS Rate Limiting
AFAIK it is possible on a C6K to rate limit an EoMPLS interface with standard IOS MQC commands. Is it software based or hardware based?

Regards,
Manu
[c-nsp] HWIC-4ESW and Pseudo-WIRE L2TPV3
Hello all.

I try to realize a setup with 2 Cisco 2801 to back up a fiber in case of outage. We have 2 pairs of Cisco 3750 on each site, with one path to fiber and one path via pseudowire.

On 2801:

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 speed 100
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 10.0.0.2 1 encapsulation l2tpv3 pw-class BACKUPLINK

I need to interconnect the 2801's to a third site. This time it is a classic VPN with routing.

HQ: 192.168.0/24
REMOTE: 192.168.10.0/24

But with my current setup, the 2801's pass the traffic of the 3750's but don't care about the content of the packets. I need to connect another interface from the 2801 to the 3750. I want to know if it is possible to xconnect a port from the HWIC-4ESW, or if I absolutely need an HWIC-1FE (L3 port)?

Thanks for your reply
[c-nsp] help firmware and firewall questions
Hi,

I have questions about the ASA5510.

1/ Can I know from the firmware whether this is an ASA5510-BUN-K9 or an ASA5510-SEC-BUN-K9?

2/ How can I check the firmware/serial no. on the Cisco site to know whether it is a BUN-K9 or a SEC-BUN-K9?

3/ Can I know in the CLI whether this is an ASA5510-BUN-K9 or an ASA5510-SEC-BUN-K9?

I only see there are 5 FE only but can't see 2GE 3FE in the box.

Thank you so much
Re: [c-nsp] HWIC-4ESW and Pseudo-WIRE L2TPV3
Jean-Dominique,

Using an HWIC on an ISR, you can configure xconnect on an SVI (not on a physical port), but that xconnect will not allow BPDUs to pass over the l2tpv3 tunnel. This requires the latest 12.4T code (tested on 12.4(24)T3). It's a known limitation on the HWIC, and development does not have current plans to fix it due to the other implications for the HWIC module.

So, use dedicated L3 ports for l2tpv3 if you need BPDUs to pass.

Rob

On 10/20/2010 7:06 AM, Jean-Dominique BAYLAC wrote:
> Hello all.
>
> I try to realize a setup with 2 Cisco 2801 to back up a fiber in case of outage. We have 2 pairs of Cisco 3750 on each site, with one path to fiber and one path via pseudowire.
>
> On 2801:
>
> interface FastEthernet0/0
>  ip address 10.0.0.1 255.255.255.252
>  speed 100
>  full-duplex
>  no mop enabled
> !
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
>  no cdp enable
>  xconnect 10.0.0.2 1 encapsulation l2tpv3 pw-class BACKUPLINK
>
> I need to interconnect the 2801's to a third site. This time it is a classic VPN with routing.
>
> HQ: 192.168.0/24
> REMOTE: 192.168.10.0/24
>
> But with my current setup, the 2801's pass the traffic of the 3750's but don't care about the content of the packets. I need to connect another interface from the 2801 to the 3750. I want to know if it is possible to xconnect a port from the HWIC-4ESW, or if I absolutely need an HWIC-1FE (L3 port)?
>
> Thanks for your reply
Re: [c-nsp] Cisco 3750 Reboot Issue
Do you see the same stack trace appear on all versions of code? If yes, then you are seeing the same issue across multiple codes and it could be a new bug.

I have seen switches reload with similar (but not the same) exceptions due to SNMP polling some OIDs that were not really supported. Do you know if there is any aggressive polling? Can you correlate the SNMP polls to memory leaking on the switch?

Getting TAC to decode the stack trace(s) will be the fastest way to identify what could be causing the issue.

On Tue, Oct 19, 2010 at 9:19 AM, Erik Fritzler efritz...@darkfibersolutions.com wrote:
> Has anyone experienced crashes with the 3750-12S switches? We have tried 12.2(44), 12.2(50), 12.2(53), and 12.2(55) to alleviate the issue but no difference. I had read about a Cisco bug for a memory leak where enabling ip routing on the switch was a workaround. I have tried this, but no change. The switches will stay up for 2-3 days then crash again. One switch just has 2 layer 2 etherchannel interfaces configured, the other is a distribution layer with single dot1q trunks.
>
> Here is a copy of the log for the crash event.
>
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: System previously crashed with the following message:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(50)SE1, RELEASE SOFTWARE (fc2)
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Compiled Mon 06-Apr-09 08:19 by amvarma
> Oct 18 17:58:26: %PLATFORM-1-CRASHED:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Debug Exception (Could be NULL pointer dereference) Exception (0x2000)!
> Oct 18 17:58:26: %PLATFORM-1-CRASHED:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: SRR0 = 0x01963184 SRR1 = 0x00029230 SRR2 = 0x006B79A4 SRR3 = 0x00021000
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: ESR = 0x DEAR = 0x TSR = 0x8C00 DBSR = 0x1000
> Oct 18 17:58:26: %PLATFORM-1-CRASHED:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: CPU Register Context:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Vector = 0x2000 PC = 0x00A70FBC MSR = 0x00029230 CR = 0x3003
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: LR = 0x00A70F80 CTR = 0x019584F0 XER = 0xE05F
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R0 = 0x00A70F80 R1 = 0x02FA5F38 R2 = 0x R3 = 0x0376087C
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R4 = 0x R5 = 0x R6 = 0x R7 = 0x
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R8 = 0x7530 R9 = 0x R10 = 0x R11 = 0x0005
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R12 = 0xC197AFF2 R13 = 0x0011 R14 = 0x019568F0 R15 = 0x
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R16 = 0x R17 = 0x R18 = 0x R19 = 0x
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R20 = 0x R21 = 0x R22 = 0x R23 = 0x025E
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R24 = 0xAB1234AB R25 = 0x027297F0 R26 = 0x035A42D0 R27 = 0x
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: R28 = 0x0272B8A4 R29 = 0x01EC5BD4 R30 = 0x027297F0 R31 = 0x
> Oct 18 17:58:26: %PLATFORM-1-CRASHED:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Stack trace:
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: PC = 0x00A70FBC, SP = 0x02FA5F38
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 00: SP = 0x02FA5F48 PC = 0x00A70F80
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 01: SP = 0x02FA5F78 PC = 0x019535D8
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 02: SP = 0x02FA5F90 PC = 0x01953028
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 03: SP = 0x02FA5FC8 PC = 0x01953C7C
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 04: SP = 0x02FA5FE0 PC = 0x01956780
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 05: SP = 0x02FA5FF8 PC = 0x01956990
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 06: SP = 0x02FA6000 PC = 0x00A72F48
> Oct 18 17:58:26: %PLATFORM-1-CRASHED: Frame 07: SP = 0x PC = 0x00A69A18
> Oct 18 17:58:26: %PLATFORM-1-CRASHED:
>
> Any help would be greatly appreciated.
>
> Erik Fritzler
> Director of NOC Services
> Dark Fiber Solutions, Inc.
> 600 ½ Grant Ave.
> York, NE 68467
Re: [c-nsp] HWIC-4ESW and Pseudo-WIRE L2TPV3
Ok, thanks for your rapid reply, I know what I have to do.

Le 20/10/2010 14:26, Rob Taylor a écrit :
> Jean-Dominique,
>
> Using an HWIC on an ISR, you can configure xconnect on an SVI (not on a physical port), but that xconnect will not allow BPDUs to pass over the l2tpv3 tunnel. This requires the latest 12.4T code (tested on 12.4(24)T3). It's a known limitation on the HWIC, and development does not have current plans to fix it due to the other implications for the HWIC module.
>
> So, use dedicated L3 ports for l2tpv3 if you need BPDUs to pass.
>
> Rob
>
> On 10/20/2010 7:06 AM, Jean-Dominique BAYLAC wrote:
>> Hello all.
>>
>> I try to realize a setup with 2 Cisco 2801 to back up a fiber in case of outage. We have 2 pairs of Cisco 3750 on each site, with one path to fiber and one path via pseudowire.
>>
>> On 2801:
>>
>> interface FastEthernet0/0
>>  ip address 10.0.0.1 255.255.255.252
>>  speed 100
>>  full-duplex
>>  no mop enabled
>> !
>> interface FastEthernet0/1
>>  no ip address
>>  duplex auto
>>  speed auto
>>  no cdp enable
>>  xconnect 10.0.0.2 1 encapsulation l2tpv3 pw-class BACKUPLINK
>>
>> I need to interconnect the 2801's to a third site. This time it is a classic VPN with routing.
>>
>> HQ: 192.168.0/24
>> REMOTE: 192.168.10.0/24
>>
>> But with my current setup, the 2801's pass the traffic of the 3750's but don't care about the content of the packets. I need to connect another interface from the 2801 to the 3750. I want to know if it is possible to xconnect a port from the HWIC-4ESW, or if I absolutely need an HWIC-1FE (L3 port)?
>>
>> Thanks for your reply
Re: [c-nsp] help firmware and firewall questions
Deric,

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Deric Kwok
Sent: Wednesday, October 20, 2010 8:00 AM

> 1/ Can I know from the firmware whether this is an ASA5510-BUN-K9 or an ASA5510-SEC-BUN-K9?

A distributor?

> 2/ How can I check the firmware/serial no. on the Cisco site to know whether it is a BUN-K9 or a SEC-BUN-K9?

No real way to tell, unless you can get a packing slip from when it was ordered. The difference between an ASA5510-BUN-K9 and an ASA5510-SEC-BUN-K9 is that the latter is bundled with ASA5510-SEC-PL, the security plus license, allowing for 2 GE interfaces, more sessions, and HA.

> 3/ Can I know in the CLI whether this is an ASA5510-BUN-K9 or an ASA5510-SEC-BUN-K9?

Yes, show ver | i license

  This platform has a Base license - no security plus license
  This platform has an ASA 5510 Security Plus license - security plus

> I only see there are 5 FE only but can't see 2GE 3FE in the box.

License upgrade.

-ryan
Re: [c-nsp] sh proc cpu hist - 3750 stack
> You could use "remote command N show proc cpu" where N is the member
> index. But even though the hotter switches might have a higher switching
> load you probably can't see any correlation to the CPU load. The devices
> are strictly[0] hardware forwarding.

That works - thanks Peter!

-Jeff
Re: [c-nsp] Redistributing ipv6 static default route into eigrp failure
No one replied, but I found the problem and/or bug. Unlike EIGRP over IPv4, setting "redistribute static" with no metrics defined doesn't work. It silently accepts it, but does not do any redistribution of static routes. Changing it to "redistribute static metric 1 1 1 1 1" works.

Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Huff
Sent: Tuesday, October 19, 2010 5:14 PM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] Redistributing ipv6 static default route into eigrp failure

Okay, I must be missing something. I've set up a default static route that is showing up in the IPv6 route table, but not in the local IPv6 EIGRP topology, nor is it being redistributed out. Anyone have a clue? Or is this yet another IPv6 bug?

interface Vlan4
 ip address 129.77.4.252 255.255.255.0
 ipv6 address 2620:0:2810:104::252/64
 ipv6 enable
 ipv6 eigrp 14607
 standby version 2
 standby 4 ip 129.77.4.254
 standby 4 priority 108
 standby 4 preempt
 standby 104 ipv6 2620:0:2810:104::254/64
 standby 104 priority 108
 standby 104 preempt
end

ipv6 route ::/0 Vlan4 2620:0:2810:104::1

ipv6 router eigrp 14607
 eigrp router-id 129.77.40.8
 redistribute static

switch-user2#show ipv6 route
IPv6 Routing Table - Default - 19 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via 2620:0:2810:104::1, Vlan4
C   2620:0:2810:104::/64 [0/0]
     via Vlan4, directly connected
L   2620:0:2810:104::252/128 [0/0]
     via Vlan4, receive
D   2620:0:2810:11E::/64 [90/768]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
D   2620:0:2810:E001::252/127 [90/1024]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
D   2620:0:2810:E001::254/127 [90/768]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
C   2620:0:2810:E002::252/127 [0/0]
     via TenGigabitEthernet1/1, directly connected
L   2620:0:2810:E002::253/128 [0/0]
     via TenGigabitEthernet1/1, receive
D   2620:0:2810:E002::254/127 [90/768]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
D   2620:0:2810:E101::252/127 [90/1024]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
D   2620:0:2810:E101::254/127 [90/768]
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
C   2620:0:2810:E102::252/127 [0/0]
     via TenGigabitEthernet1/2, directly connected
L   2620:0:2810:E102::253/128 [0/0]
     via TenGigabitEthernet1/2, receive
D   2620:0:2810:E102::254/127 [90/768]
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
D   2620:0:2810:FF01::1/128 [90/128512]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
D   2620:0:2810:FF01::2/128 [90/128512]
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
D   2620:0:2810:FF01::7/128 [90/128768]
     via FE80::2D0:FF:FEF3:7000, TenGigabitEthernet1/1
     via FE80::2D0:4FF:FE16:0, TenGigabitEthernet1/2
LC  2620:0:2810:FF01::8/128 [0/0]
     via Loopback0, receive
L   FF00::/8 [0/0]
     via Null0, receive

switch-user2#show ipv6 eigrp topology
EIGRP-IPv6 Topology Table for AS(14607)/ID(129.77.40.8)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 2620:0:2810:E101::254/127, 1 successors, FD is 768
        via FE80::2D0:4FF:FE16:0 (768/512), TenGigabitEthernet1/2
P 2620:0:2810:104::/64, 1 successors, FD is 2816
        via Connected, Vlan4
P 2620:0:2810:FF01::2/128, 1 successors, FD is 128512
        via FE80::2D0:4FF:FE16:0 (128512/128256), TenGigabitEthernet1/2
P 2620:0:2810:E001::252/127, 2 successors, FD is 1024
        via FE80::2D0:FF:FEF3:7000 (1024/768), TenGigabitEthernet1/1
        via FE80::2D0:4FF:FE16:0 (1024/768), TenGigabitEthernet1/2
        via FE80::209:44FF:FE22:EEC0 (3072/512), Vlan4
P 2620:0:2810:FF01::7/128, 2 successors, FD is 128768
        via FE80::2D0:FF:FEF3:7000 (128768/128512), TenGigabitEthernet1/1
        via FE80::2D0:4FF:FE16:0 (128768/128512), TenGigabitEthernet1/2
        via FE80::209:44FF:FE22:EEC0 (130816/128256), Vlan4
P 2620:0:2810:FF01::1/128, 2 successors, FD is 128512
        via FE80::2D0:FF:FEF3:7000 (128512/128256), TenGigabitEthernet1/1
        via FE80::2D0:4FF:FE16:0 (128512/128256), TenGigabitEthernet1/2
P 2620:0:2810:E002::254/127, 1 successors, FD is 768
Re: [c-nsp] SLA tracking, what do you ping?
On a side note, is there a way to ping several IPs and declare it down if, for example, 2 out of 3 are down? I am mostly interested in removing the default route via the track command. I read the documentation and couldn't find how you could do that, but sometimes I just have one of those days.

2010/10/20 Ziv Leyes z...@gilat.net:
> Yeah, something like traceroute.org, which is always answering. But you'd
> better try to get a closer IP to ping, one that is reliable and gives you
> an indication of what should be working fine, something like the
> provider's LNS you're connecting to, or the like.
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Heath Jones
> Sent: Wednesday, October 20, 2010 10:23 AM
> To: Jay Nakamura
> Cc: cisco-nsp
> Subject: Re: [c-nsp] SLA tracking, what do you ping?
>
>> Just ping 'the internet'... :)
>>
>> On 20 October 2010 02:35, Jay Nakamura zeusda...@gmail.com wrote:
>>> When you use IP SLA to track if an upstream is working on an ISP
>>> connection (from the customer's point of view, and you are not the ISP
>>> that knows what will be safe to ping), what do you usually configure to
>>> ping? I have found that one hop up from the CPE is not necessarily
>>> reliable on DSL/Cable. I was wondering if anyone can share their
>>> experience on what works well and what to look out for.
>>>
>>> Thanks,
Re: [c-nsp] SLA tracking, what do you ping?
Jay

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Wednesday, October 20, 2010 10:15 AM
To: cisco-nsp
Subject: Re: [c-nsp] SLA tracking, what do you ping?

> On a side note, is there a way to ping several IPs and declare it down
> if, for example, 2 out of 3 are down? I am mostly interested in removing
> the default route via the track command. I read the documentation and
> couldn't find how you could do that, but sometimes I just have one of
> those days.

How about a track Boolean statement?

-ryan
Re: [c-nsp] SLA tracking, what do you ping?
I've answered this on a previous post, here's an example of what I use:

==
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1
!
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip sla monitor 2
 type echo protocol ipIcmpEcho 2.2.2.2
!
ip sla monitor schedule 2 life forever start-time now
!
track 2 rtr 2 reachability
!
ip route 10.0.0.0 255.255.255.0 1.1.1.1 100 name track 1
ip route 10.0.0.0 255.255.255.0 2.2.2.2 200 name track 2
==

As long as 1.1.1.1 is available, its route will be valid because of the smaller administrative distance; if not, then the second one will become active. In any case, you'll always see only one routing line in the table. You could add a few more using the same principle, just bear in mind that ip sla is a bit resource consuming, so you better not use it deliberately.

Hope this helps,
Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: Wednesday, October 20, 2010 4:15 PM
To: cisco-nsp
Subject: Re: [c-nsp] SLA tracking, what do you ping?

> On a side note, is there a way to ping several IPs and declare it down
> if, for example, 2 out of 3 are down? I am mostly interested in removing
> the default route via the track command. I read the documentation and
> couldn't find how you could do that, but sometimes I just have one of
> those days.
>
> 2010/10/20 Ziv Leyes z...@gilat.net:
>> Yeah, something like traceroute.org, which is always answering. But
>> you'd better try to get a closer IP to ping, one that is reliable and
>> gives you an indication of what should be working fine, something like
>> the provider's LNS you're connecting to, or the like.
>>
>> -Original Message-
>> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Heath Jones
>> Sent: Wednesday, October 20, 2010 10:23 AM
>> To: Jay Nakamura
>> Cc: cisco-nsp
>> Subject: Re: [c-nsp] SLA tracking, what do you ping?
>>
>>> Just ping 'the internet'... :)
>>>
>>> On 20 October 2010 02:35, Jay Nakamura zeusda...@gmail.com wrote:
>>>> When you use IP SLA to track if an upstream is working on an ISP
>>>> connection (from the customer's point of view, and you are not the
>>>> ISP that knows what will be safe to ping), what do you usually
>>>> configure to ping? I have found that one hop up from the CPE is not
>>>> necessarily reliable on DSL/Cable. I was wondering if anyone can
>>>> share their experience on what works well and what to look out for.
>>>>
>>>> Thanks,
Re: [c-nsp] SLA tracking, what do you ping?
Jay Nakamura wrote:
> When you use IP SLA to track if an upstream is working on an ISP
> connection (from the customer's point of view, and you are not the ISP
> that knows what will be safe to ping), what do you usually configure to
> ping? I have found that one hop up from the CPE is not necessarily
> reliable on DSL/Cable. I was wondering if anyone can share their
> experience on what works well and what to look out for.

Don't know about your ISP, but we provide customers with an anycasted sponge which accepts ICMP and various other standard RTR operations, for this purpose.

We deployed this mainly as an alternative to running routing protocols over customer circuits over which there was no link loss detected when there was a break in the middle (mainly badly set up 3rd-party pseudowire circuits); I am now looking at BFD-backed static routes to replace this. Routing protocols are always preferable, IMHO.

Dave.

--
David Freedman
Group Network Engineering
Claranet Group
Re: [c-nsp] CoPP for SSH on nexus 7k. Confused!
On Wed, 20 Oct 2010, Shanawaz wrote:

> Lincoln,
>
> On Wed, Oct 20, 2010 at 7:29 PM, Lincoln Dale l...@cisco.com wrote:
>> On 20/10/2010, at 4:42 PM, Shanawaz wrote:
>>> 1. I assume this is happening because all traffic is matching the
>>> deny statement in the ACL copp-system-acl-telnet. What does the deny
>>> in a CoPP ACL do?
>>
>> in the context of a CoPP policy: nothing. it's not valid to have a
>> 'deny' IP ACL entry matching a CoPP policy. it effectively won't match
>> anything.
>
> I will disagree with you here (and I will make my disagreement
> conditional ;) pending some testing tomorrow). When I removed the deny
> ACL entry, the CoPP was behaving as expected. However, when I added the
> deny entry, I could SSH from networks outside of 129.63.8.0/24. I have a
> feeling the deny is playing the same role as a deny in an access-list
> which is referenced in a route-map. I understand the deny will exempt
> traffic from having the policy applied. I could be way off the mark
> here; I will check the rest of the CoPP policy and also perhaps
> conclusively know by putting a log at the end of that deny statement to
> see if there are any matches. Interestingly, I am not seeing any matches
> whatsoever on my default class, which again makes me suspect the only
> deny ip any any statement I have got.

It's my understanding that more IOS-like VTY ACLs are coming in NX-OS 5.1, which was supposed to be out last month, but wasn't on CCO the last time I looked (late last week).

In CoPP, the pass/drop action is controlled by the policy itself, based on the ACLs/classes you define. I ended up implementing SSH access control through CoPP like this:

1. Create an access list to define hosts/networks that are allowed to connect:

ip access-list MGMT-ALLOW
  10 remark Limit management access to trusted hosts
  20 permit tcp 10.1.1.0/24 any eq 22
  30 permit tcp 10.2.1.0/24 any eq 22
  ... no explicit deny at the end

2. Create an access list to define traffic to deny:

ip access-list MGMT-ACCESS-DENY
  statistics per-entry
  10 remark Deny all management traffic that is not explicitly permitted
  20 permit tcp any any telnet
  20 permit tcp any any 22
  ... no explicit deny at the end

3. Create a CoPP class map to allow management access, based on the ACL above:

class-map type control-plane match-any COPP-SYSTEM-CLASS-MGMT-ALLOW
  match access-group name MGMT-ALLOW

4. Create another class-map to deny management access, based on your deny ACL:

class-map type control-plane match-any COPP-SYSTEM-CLASS-MGMT-DENY
  match access-group name MGMT-DENY

5. Add these class maps to the system CoPP policy:

policy-map type control-plane copp-system-policy
  class COPP-SYSTEM-CLASS-MGMT-ALLOW
    police cir 1 kbps bc 250 ms conform transmit violate drop
  class COPP-SYSTEM-CLASS-MGMT-DENY
    police cir XXX kbps bc 250 ms conform drop violate drop

On the deny policy, since you're dropping all traffic, I would think you can make the CIR pretty much whatever you want.

The order is important. Your deny policy must be after your allow policies.

jms

>   class-map class-default (match-any)
>     police cir 100 kbps , bc 375 ms
>     module 1 :
>       conformed 0 bytes; action: transmit
>       violated 0 bytes; action: drop
>     module 2 :
>       conformed 0 bytes; action: transmit
>       violated 0 bytes; action: drop
>
>>> 2. Isn't there a 'deny ip any any' by default at the end of all
>>> access-lists? In this case even the ACL copp-system-acl-ssh would
>>> have a deny ip any any at the end.
>>
>> implicit deny is not there for CoPP, because CoPP is closer to QoS in
>> behaviour in that it only 'matches' against permit statements.
>>
>> also note that the 'class-default' CoPP class-map may be allowing this
>> traffic, although the policy you listed below looks entirely valid.
>>
>>> I have tried my best to explain, but then if you don't understand the
>>> scenario, I can try again ;)
>>
>> your CoPP policy looks valid, which makes me think of two possibilities:
>>
>> 1. you are connecting to the vty via out-of-band mgmt0, which is in the
>> management vrf. since it's out-of-band, the inband CoPP policy does not
>> apply.
>
> I am ssh'ing to various interfaces on the router, not to the mgmt0 ip
> address, which is out of band.
>
>> 2. your new CoPP policy is not actually applied. you will need to do
>> 'conf t; control-plane; no service-policy input copp-system-policy;
>> service-policy input copp-system-policy' to reapply it. take note of the
>> timestamp on 'show copp status' and the output/content of 'show
>> policy-map interface control-plane'.
>
> Now that's interesting, I did make changes today to the copp policy and
> yet it says
>
> test-router#sh copp status
> Last Config Operation: no match access-group name copp-system-acl-icmp
> Last Config Operation Timestamp: 09:11:14 AEST Sep 21 2010
> Last Config Operation Status: Success
> Policy-map attached to the control-plane: copp-system-policy
>
> Does that mean that every time I change the copp policy I have to do no
> service-policy and enable it again?
>
> Thanks for your time once again, I can send the full CoPP policy
> off-list if
Re: [c-nsp] IPv6 ND cache via SNMP
On 10/18/10 5:03 PM, Michael Sinatra wrote:

Is anyone out there polling the IPv6 neighbor discovery cache via SNMP? I am mainly interested in getting the cache from 6500s running SXI4a on the VS-720-10GE-3C. In earlier IOS versions (on different platforms, I believe), this was done using the interim CISCO-IETF-IP-MIB (specifically cInetNetToMediaTable), but it seems as though this should all have been merged into the new RFC 4293-compliant IP-MIB. However, with ip.ipNetToPhysicalTable, I get 'no such object'. ipv6NetToMediaTable (part of the IPV6-MIB) works great on JunOS, but not on cisco (also 'no such object'). It's not clear from the MIB locator if this is even supported in SXI4a--looks like not. Are we really still that far from IPv4/IPv6 feature parity?

Currently what I am doing is scraping show ipv6 neighbor via RANCID and shoving it into a flat file for processing and insertion into a SQL DB. But...yuck! This would be a lot cleaner with SNMP--and far fewer moving parts. One perl script could easily poll and push into SQL all at once.

If anyone has further insights, or working OIDs on this platform, let me know.

michael

Hi Michael,

There has been some recent work on SNMP::Info for this:

http://snmp-info.cvs.sourceforge.net/viewvc/snmp-info/snmp-info/Info/Ipv6.pm?view=log

This means it should be available in future versions of Netdot (aiming for 1.0) and Netdisco. I can successfully get the ND cache from our 6500s running SXI4a using that code in my tests.

Regards,
cv

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Redistributing ipv6 static default route into eigrp failure
Hi,

On Wed, Oct 20, 2010 at 04:01:52PM -0400, Harold Ritter wrote:

Redistribution without metrics will lead to the exact same result for Eigrp for IPv4.

No. static -> eigrp will nicely pick interface bandwidth etc. something else -> eigrp needs metrics set.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Redistributing ipv6 static default route into eigrp failure
Hi Gert,

My bad. You are right. It has been too long since I last checked ;-)

Le 2010-10-20 à 16:28, Gert Doering a écrit :

Hi,

On Wed, Oct 20, 2010 at 04:01:52PM -0400, Harold Ritter wrote:

Redistribution without metrics will lead to the exact same result for Eigrp for IPv4.

No. static -> eigrp will nicely pick interface bandwidth etc. something else -> eigrp needs metrics set.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

Harold Ritter
Directeur Technique/Technical Leader
Advanced Services Central Engineering
CCIE 4168 (RS, SP)
har...@cisco.com
Téléphone: 514 847 6856
Les Systèmes Cisco
1800 McGill College Suite 700
Montréal, Québec H3A 3J6
Canada
Re: [c-nsp] C6K EoMPLS Rate Limiting
I am a little rusty on PFC QoS but this should work. It would be hardware based. I have not run across an example of a 6K punt to CPU for QoS. Don't even think it can happen. Pretty sure it just ignores QoS features that are not supported.

-Ben

On Oct 20, 2010, at 6:04 AM, Manu Chao wrote:

AFAIK it is possible on a C6K to rate limit an EoMPLS interface with standard IOS MQC commands. Is it software based or hardware based?

Regards,
Manu
Re: [c-nsp] CoPP for SSH on nexus 7k. Confused!
On 21/10/2010, at 2:49 AM, Justin M. Streiner wrote:

It's my understanding that more IOS-like VTY ACLs are coming in NX-OS 5.1,

indeed, NX-OS 5.1 does have VTY ACLs:

ltd-n7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ltd-n7010-1(config)# line vty
ltd-n7010-1(config-line)# ip access-class ?
  WORD  List name (Max Size 64)
ltd-n7010-1(config-line)# ip access-class foo ?
  in   Inbound packets
  out  Outbound packets

note however that CoPP is still (in many cases) superior, as it's the h/w data plane providing the protection before the packets get to the control plane, whereas VTY ACLs are in software on the control plane itself. i guess one could provide best-of-both-worlds by using an established CoPP policy with a high rate and a low rate of protection via CoPP for the initial syn/synack session setup.

which was supposed to be out last month, but wasn't on CCO the last time I looked (late last week).

on time or quality. pick one. :) it will be out before the end of the month.

cheers,

lincoln.
[c-nsp] IP SLA Scalability
Hi,

Has anyone run a rather large amount of SLA probes from a router who can comment on the CPU performance characteristics and how it scaled for your particular platform?

Specifically looking to see if it's feasible to expect a router to be able to go upwards of 500+ simultaneous monitors (looking at a total of about 10-15k pps of udp-jitter probes in total).

Also any thoughts on the best platform for the task? The 7201/ASR1002-F seem like a possible good fit and I would like to aim for something in its category - price on the lowerish side of the scale, rack space used minimal, large CPU, MPLS-TE capable, can accept SFP optics. Ultimately the cheapest box for the task is what I'm after; those devices may be overkill and if I can get away with a 3800 ISR or less then even better.

Before anyone says that I should look at another vendor/solution, this is already being done in the background. I am purely after what a Cisco router can offer in this regard; I've never come across more than about 20 SLA probes on a router before, so am interested to hear the results.

Cheers,
Ben
[c-nsp] BGP Reestablish-order
Hi there,

I have the problem that the CPU on my router is going mad when my link to an IX comes up again after an interface flap: the router reestablishes all sessions at the same time and then kind of gets into a loop because it begins to drop BGP packets after being so busy processing BGP updates. :-)

Is there a way to define the order in which those sessions come up again, or to specify a reestablish timer for each neighbor, so that I can let the less important peers wait for a specific amount of time before trying to get the session back?

I'm looking forward to seeing if anyone of you had the same experiences and how you solved this situation.

Thank you for your inputs and best regards,

Mario

---
Mario Iseli
Network Engineer
Finecom Telecommunications AG
Internet Communication
Robert-Walser-Platz 7
CH-2501 Biel/Bienne
Phone +41 (0)32 559 99 99
Fax +41 (0)32 559 99 90
Email mario.is...@finecom.ch
Web http://www.finecom.ch
---
Re: [c-nsp] CoPP for SSH on nexus 7k. Confused!
This is a rather long email, so please be warned.

I have tried to simplify my config in the lab environment. Hardware is the same as production: Nx 7010 running n7000-s1-dk9.4.2.4.bin

Scenario 1:

Config
--

policy-map type control-plane copp-system-policy
  class copp-system-class-management
    police cir 1 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop

control-plane
  service-policy input copp-system-policy

class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-ssh-deny

ip access-list copp-system-acl-ssh
  10 permit tcp 129.63.8.0/24 any eq 22
ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet
  20 deny ip any any log
ip access-list copp-system-acl-ssh-deny
  10 permit tcp any any eq 22

Actual behavior: I can SSH from a completely different network. Let's say 136.172.20.22, which is not on the allowed list.

Expected behavior: I should not be able to SSH from 136.172.20.22. The traffic would match statement 20 in copp-system-acl-telnet and get to the next class copp-system-class-undesirable, where it should get dropped. Or the traffic should match copp-system-acl-ssh-deny and get dropped.

Scenario 2:

I removed the deny ip any any from copp-system-acl-telnet:

ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet

Expected behavior: I should not be able to SSH from 136.172.20.22

Actual behavior: It works as expected. I can even see matches against the class copp-system-class-undesirable when I do 'sh policy-map interface control-plane'.

So I know the solution to my problem and I have fixed it by removing the deny statement, but is this the way it is meant to behave? Otherwise I can lodge a TAC case to see if they can see the same issue.

The hypothesis is that the deny statement in copp-system-acl-telnet is possibly sending traffic to default-class or just sending the traffic straight through. The reason I am saying it's possibly sending the traffic straight through is scenario 3 below.

Scenario 3:

I added the 'deny ip any any' statement again. And I added a few classes above our SSH class and undesirable class so nothing ever can get to default class with the exception of our sneaky SSH traffic. I can still SSH from outside networks and there are no matches whatsoever in default class. So what is the SSH traffic from 136.172.20.22 matching to be allowed in?

ip access-list copp-system-acl-telnet
  10 permit tcp 129.63.8.0/24 any eq telnet
  20 deny ip any any

policy-map type control-plane copp-system-policy
  class copp-system-class-critical
    police cir 39600 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-important
    police cir 1060 kbps bc 1500 ms conform transmit violate drop
  class copp-system-class-management
    police cir 1 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop

class-map type control-plane match-any copp-system-class-important
  match access-group name copp-system-acl-glbp
  match access-group name copp-system-acl-hsrp
  match access-group name copp-system-acl-vrrp
  match access-group name copp-system-acl-icmp6-msgs
  match access-group name copp-system-acl-pim-reg
class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ftp
  match access-group name copp-system-acl-ntp
  match access-group name copp-system-acl-ntp6
  match access-group name copp-system-acl-radius
  match access-group name copp-system-acl-sftp
  match access-group name copp-system-acl-snmp
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
class-map type control-plane match-any copp-system-class-critical
  match access-group name copp-system-acl-bgp
  match access-group name copp-system-acl-bgp6
  match access-group name copp-system-acl-eigrp
  match access-group name copp-system-acl-igmp
  match access-group name copp-system-acl-msdp
  match access-group name copp-system-acl-ospf
  match access-group name copp-system-acl-ospf6
  match access-group name copp-system-acl-pim
  match access-group name copp-system-acl-pim6
  match access-group name copp-system-acl-rip
  match access-group name copp-system-acl-vpc

If my testing does not make sense, I can try explaining again.

Regards.
Shanawaz
Re: [c-nsp] CoPP for SSH on nexus 7k. Confused!
On 21/10/2010, at 12:05 PM, Shanawaz wrote:

If my testing does not make sense, I can try explaining again.

your tests make perfect sense and just reiterate what i said up front. a 'deny' won't do what you think it does.

net-net:

1. use a 'permit' ACL to match the traffic you want, set a policy of 'transmit' with whatever rate you want.
2. use a 'permit' ACL to match the traffic you want to block, set a policy of 'drop'.

i.e. ALL CoPP ACLs end up being 'permit', never 'deny'. think of it like a QoS ACL, it behaves the same way.

cheers,

lincoln.

Regards.
Shanawaz
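The two rules above, written out as a complete policy. This is an added example, not config from any of the posters: it reuses the ACL and class names from Shanawaz's lab config and the NX-OS 4.2 syntax shown in the thread, but the trusted prefix 10.0.0.0/24 and the police rates are assumptions. The point it makes is that both the allow class and the block class are built from 'permit' entries only; the block class matches all port-22/telnet traffic and therefore has to sit after the allow class in the policy-map, and the policy is re-applied so the new classes take effect.

```cisco
! Added example (not from the original posts). Trusted prefix and rates are assumed.

! 1. Traffic you WANT: a permit ACL, policed with 'conform transmit'.
ip access-list copp-system-acl-ssh
  10 permit tcp 10.0.0.0/24 any eq 22
ip access-list copp-system-acl-telnet
  10 permit tcp 10.0.0.0/24 any eq telnet
  ! no 'deny' entry: in a CoPP ACL it matches nothing, and it does not
  ! carve traffic out of the class the way a deny in a route-map ACL would

! 2. Traffic you want to BLOCK: also a permit ACL, but policed with 'conform drop'.
!    'statistics per-entry' gives per-line hit counters for verification.
ip access-list copp-system-acl-ssh-deny
  statistics per-entry
  10 permit tcp any any eq 22
  20 permit tcp any any eq telnet

class-map type control-plane match-any copp-system-class-management
  match access-group name copp-system-acl-ssh
  match access-group name copp-system-acl-telnet
class-map type control-plane match-any copp-system-class-undesirable
  match access-group name copp-system-acl-ssh-deny

! Order matters: first match wins, so the allow class precedes the block class
! and the catch-all block class precedes class-default.
policy-map type control-plane copp-system-policy
  class copp-system-class-management
    police cir 10000 kbps bc 375 ms conform transmit violate drop
  class copp-system-class-undesirable
    police cir 32 kbps bc 375 ms conform drop violate drop
  class class-default
    police cir 100 kbps bc 375 ms conform transmit violate drop

! Re-apply the policy so the edit is picked up, then check the timestamp
! in 'show copp status' and the per-class counters in
! 'show policy-map interface control-plane'.
control-plane
  no service-policy input copp-system-policy
  service-policy input copp-system-policy
```

After an SSH attempt from an address outside 10.0.0.0/24, the conformed/violated byte counters of copp-system-class-undesirable should increase and those of copp-system-class-management should not; if class-default moves instead, the attempt is reaching the box on a path the two ACLs do not describe (for example the out-of-band mgmt0 interface, which the inband CoPP policy does not cover).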
Re: [c-nsp] Cisco 3750s - Stackwise Plus
On Oct 17, 2010, at 3:00 PM, Jeff Kell wrote:

The old 3550G-12 still has no (affordable) alternative.

ex4200-24F

We now have a few of them in production with plans for more. They have XFP ports, so you have a variety of options for the uplinks as well.

Dale
Re: [c-nsp] IPv6 ND cache via SNMP
On Oct 19, 2010, at 1:52 AM, Phil Mayers wrote:

On 10/19/2010 01:03 AM, Michael Sinatra wrote:

Is anyone out there polling the IPv6 neighbor discovery cache via SNMP?

Previously, yes. I get them via expect/cli now, because the OID sorting required for snmpwalk of that table on 6500s is prohibitively expensive when it gets very large (well - it is for IPv4 ipNetToMedia; I am assuming the same for ipv6, and since the expect script already runs for v4...)

We landed in the same boat. Asking the 6500, which has less general-purpose processing power than my cell phone, to sort and export ten thousand or so entries every 'n' minutes was fruitless. So, now I scrape it with clogin for both v4 and v6 and shovel this into sql.

Dale
Re: [c-nsp] CoPP for SSH on nexus 7k. Confused!
Point taken. The moral of the story is 'don't put a deny statement in your CoPP ACLs'.

Thanks a lot for the replies.

On Thu, Oct 21, 2010 at 12:40 PM, Lincoln Dale <l...@cisco.com> wrote:

On 21/10/2010, at 12:05 PM, Shanawaz wrote:

If my testing does not make sense, I can try explaining again.

your tests make perfect sense and just reiterate what i said up front. a 'deny' won't do what you think it does.

net-net:

1. use a 'permit' ACL to match the traffic you want, set a policy of 'transmit' with whatever rate you want.
2. use a 'permit' ACL to match the traffic you want to block, set a policy of 'drop'.

i.e. ALL CoPP ACLs end up being 'permit', never 'deny'. think of it like a QoS ACL, it behaves the same way.

cheers,

lincoln.

Regards.
Shanawaz
Re: [c-nsp] Redistributing ipv6 static default route into eigrpfailure
Hi Gert,

My bad. You are right. It has been too long since I last checked ;-)

same here, fell into the same trap.. guess with static being the only exception (is this documented anywhere?), adding default-metric to eigrp has been in my dna, not questioning the exceptions :)

oli

Hi,

On Wed, Oct 20, 2010 at 04:01:52PM -0400, Harold Ritter wrote:

Redistribution without metrics will lead to the exact same result for Eigrp for IPv4.

No. static -> eigrp will nicely pick interface bandwidth etc. something else -> eigrp needs metrics set.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

Harold Ritter
Directeur Technique/Technical Leader
Advanced Services Central Engineering
CCIE 4168 (RS, SP)
har...@cisco.com
Téléphone: 514 847 6856
Les Systèmes Cisco
1800 McGill College Suite 700
Montréal, Québec H3A 3J6
Canada
Re: [c-nsp] Redistributing ipv6 static default route into eigrpfailure
Hi,

On Thu, Oct 21, 2010 at 07:36:48AM +0200, Oliver Boehmer (oboehmer) wrote:

My bad. You are right. It has been too long since I last checked ;-)

same here, fell into the same trap.. guess with static being the only exception (is this documented anywhere?), adding default-metric to eigrp has been in my dna, not questioning the exceptions :)

Well, I'm not sure whether it's documented anywhere, but this is soo useful :-) - and this is what we really missed when we changed from customer-routes-in-EIGRP to customer-routes-in-BGP. Our typical usage case is two routers, HSRP, trying to get (mostly) symmetric traffic - so we put bandwidth 1g on the master router, bandwidth 100k on the backup router, and EIGRP will do the right thing. With BGP, extra route maps and stuff are needed to designate certain statics-to-interfaces as "this is backup".

(I find it surprising that it doesn't work that way for EIGRP-for-IPv6...)

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
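What the thread converges on, as an added example rather than config from any of the posters: for EIGRP for IPv6 the static route is not the exception it is for IPv4, so the redistribution needs explicit metrics, either on the redistribute line or via default-metric. IOS syntax; the AS number 100, the next hop 2001:db8::1 and the metric values (bandwidth in kbps, delay in tens of microseconds, reliability, load, MTU) are assumptions.

```cisco
! Added example (not from the original posts). AS number, next hop and metrics are assumed.
ipv6 unicast-routing
!
ipv6 route ::/0 2001:db8::1
!
ipv6 router eigrp 100
  ! Without metrics the static default is not redistributed for IPv6.
  ! Either set them on the redistribute line ...
  redistribute static metric 1000000 10 255 1 1500
  ! ... or once for every redistributed source:
  ! default-metric 1000000 10 255 1 1500
```

The backup-router trick Gert describes carries over unchanged: give the redistribute line on the standby router a lower bandwidth value (the first metric argument) and EIGRP prefers the primary's copy of the default.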
Re: [c-nsp] IP SLA Scalability
On Thu, 21 Oct 2010, Ben Steele wrote:

Has anyone run a rather large amount of SLA probes from a router who can comment on the CPU performance characteristics and how it scaled for your particular platform?

You should really contact your account team to get a comment from them. I've spoken to the product manager for IP SLA and I was quite surprised by some comments I got regarding the functionality and the thinking/handling of it within Cisco.

Specifically looking to see if it's feasible to expect a router to be able to go upwards of 500+ simultaneous monitors (looking at a total of about 10-15k pps of udp-jitter probes in total).

I'd say Cisco doesn't have a product that has been designed to scale this far and is supposed to work for prolonged sustained testing like I guess you want to do. They consider 300 seconds of 50pps testing extremely long and if a single high-jitter packet in that long test occurs, the opinion seems to be that fixes for that are on a best-effort work priority. It's not something they really test on all platforms and all code.

Before anyone says that I should look at another vendor/solution, this is already being done in the background. I am purely after what a Cisco router can offer in this regard; I've never come across more than about 20 SLA probes on a router before, so am interested to hear the results.

If you're doing this in an MPLS VPN scenario, you might want to make sure you test your code so it has timestamping for arrival time for packets even if they are labeled. I ran into this on a 7301 5 years ago; it took 14 months for that TAC case to complete with the answer that timestamping wasn't done in labeled packets and as a result, any CPU spike would cause jitter in the measurements. Converting the router to IP only (putting it behind an MPLS PE router) solved the problem.

--
Mikael Abrahamsson    email: swm...@swm.pp.se