Re: [c-nsp] ME Series for a LAN/Server Farm

2010-12-09 Thread Keegan Holley
I'm not sure I really care about all the features.  From the pricing I saw
it's dirt cheap for what it does.  I just want something that operates close
enough to a real switch that I can use it in a LAN environment and not
become a human FAQ.


On Thu, Dec 9, 2010 at 2:12 AM, Mark Tinka mti...@globaltransit.net wrote:

 On Thursday, December 09, 2010 08:05:49 am Phil Bedard
 wrote:

  3600X might be an option,...

 For the application the OP is looking at, the ME3600X/3800X
 might be overkill. It's a very powerful switch, bordering on
 a real router.

 I'd keep things simple unless the OP needs all these
 features.

 Cheers,

 Mark.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ME Series for a LAN/Server Farm

2010-12-09 Thread Per Carlson
Hi.

 I'm looking at the new 3600X series it was just released in Sept.  I noticed
 the no local switching for UNI ports.  Is there a way to disable the UNI/NNI
 relationship completely or enable local switching for UNI ports?

That might be true if you run the UNI-ports as switchports. OTOH you
can create bridge-domains which switch traffic between the
UNI-ports. On the plus side, you can have different Vlan-Id's on the
UNI-ports :-)

-- 
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.



Re: [c-nsp] ME Series for a LAN/Server Farm

2010-12-09 Thread Mark Tinka
On Thursday, December 09, 2010 03:56:22 pm Keegan Holley 
wrote:

 I'm not sure I really care about all the features.  From
 the pricing I saw it's dirt cheap for what it does.  I
 just want something that operates close enough to a real
 switch that I can use it in a LAN environment and not
 become a human FAQ.

If you're happy with the price, then by all means, nothing 
should stop you from deploying it any way you want provided 
it does everything you need :-).

Whoever decided that GSR and CRS routers were Cisco's core 
platforms would shoot me for running 7206's in this role 
several years back :-).

Mark.



Re: [c-nsp] 4900M with QoS on a portchannel

2010-12-09 Thread Jorge L. Rodriguez Aguila
QOS can never be applied on Port Channels because they are logical interfaces. 
The QoS on most Cisco Devices is done at the ASIC level and so it can only be 
done on physical interfaces, the port channel will pass the packets to the 
Physical Ifs and these in turn will apply the service policy on egress.


Jorge Rodriguez,CCNP-Voice
Senior Voice/Data Consultant
Netxar Technologies
PCS 7876888530
jorge.rodrig...@netxar.com





-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pshem Kowalczyk
Sent: Wednesday, December 08, 2010 8:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 4900M with QoS on a portchannel

Hi,

I must be missing something obvious here, so please stay with me. I'm
currently devising config for the device.
We have a 4900M that will be connected over 2x10G to a customer. I
want to apply a very simple QoS in this scenario - mark packets on
input and act on that on output:


class-map match-any CUST-SW-IN-PRIO
 match cos  5 6
class-map match-any CUST-SW-IN-AF4
 match cos  4
class-map match-any CUST-SW-IN-AF1
 match cos  2  3

class-map match-any CUST-SW-OUT-PRIO
  match qos-group 15
class-map match-any CUST-SW-OUT-AF4
   match qos-group 14
class-map match-any CUST-SW-OUT-AF1
  match qos-group 11

policy-map CUST-SW-IN-INPUT
 class CUST-SW-IN-PRIO
  set qos-group 15
 class CUST-SW-IN-AF4
  set qos-group 14
 class CUST-SW-IN-AF1
  set qos-group 11
 class class-default


policy-map CUST-SW-OUT-OUTPUT
 class CUST-SW-OUT-PRIO
   priority
   police rate percent 37
 class class-default

The idea is that there should never be more than 37% of CoS 5 and CoS
6 traffic leaving the interface. All ingress interfaces have the
CUST-SW-IN-INPUT policy applied (on either physical interfaces, or
PortChannels).
When I try to apply the output policy I get the following:

1. On physical interface (member of the portchannel):

ASAUESD01(config)#int te1/1
ASAUESD01(config-if)#service-policy output CUST-SW-OUT-OUTPUT
% A service-policy with non-queuing actions should be attached to the
port-channel associated with this physical port.

2. On a portchannel:

ASAUESD01(config-if)#int po1
ASAUESD01(config-if)#service-policy output CUST-SW-OUT-OUTPUT
% A service-policy with queuing actions can be attached in output
direction only on physical ports.

What am I missing here?
software:  Version 12.2(53)SG1 (cat4500e-IPBASEK9-M)
hardware: WS-C4900M

kind regards
Pshem


Re: [c-nsp] full routes / backup router

2010-12-09 Thread Jorge L. Rodriguez Aguila
We have a Customer with a 45-60 Mbps Constant Throughput from the internet on a 
100Mbps link on a 2851 with 1GB of ram for the full Internet Routes + about 2K 
internal Routes. We have one of these per each(2) ISP connection.


Jorge Rodriguez,CCNP-Voice
Senior Voice/Data Consultant
Netxar Technologies
PCS 7876888530
jorge.rodrig...@netxar.com




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam Greene
Sent: Wednesday, December 08, 2010 7:30 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] full routes / backup router

Hi,

I need a backup router for a 7206VXR/NPE-400/512MB RAM that can handle 
full routes from a single eBGP peer. Router provides transit to an 
end-user. Remaining configs on router are minimal, max throughput is 
about 30-40Mbps.

Would a 2911/512MB RAM be sufficient? Or is the CPU too puny? Maybe we 
need a 3825/521MB RAM? Or I guess we could just get a backup 
7206VXR/NPE-400/512MB RAM.

Thanks,
Adam




Re: [c-nsp] IOS DHCP Server - dynamic and static in one subnet

2010-12-09 Thread Artyom Viklenko

08.12.2010 17:35, Ramcharan, Vijay A wrote:

Since you mentioned one subnet with static allocations from a portion of
that subnet I assume that you don't want the DHCP server handing out
your static allocations. You can configure exclusions (i.e. don't give
out these addresses) with ip dhcp excluded-address


It doesn't help. After applying command, Cisco says:

% Address range contains an already reserved address.

Also, I tried to remove static pool and replace it with another pool
for single host - it works! But when I return static pool with 'origin 
file' - it again doesn't look into it... :(





Vijay Ramcharan



-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
boun...@puck.nether.net] On Behalf Of Artyom Viklenko
Sent: Wednesday, December 08, 2010 2:09 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IOS DHCP Server - dynamic and static in one subnet

Hi, List!

I'm trying to figure out how to achieve the following.

Let's say we have one subnet, f.e. x.y.z.192/27.
I would like to use DHCP in it. But also have static
mappings for some portion of address space from this
subnet.

I've create dhcp pool with 'network' statement. So far
so good. All works as expected.

Now I put text file on tftp server and created another
pool with 'origin' statement. But clients PC's still
get their ip assigned from the first dhcp pool.


ip dhcp pool test-pool
 network x.y.z.192 255.255.255.224
 default-router x.y.z.193
 dns-server 1.2.3.4 5.6.7.8
 domain-name test.domain.tld
 lease 0 12
!
ip dhcp pool test-static-pool
 origin file tftp://t.t.t.t/test-static-pool
 default-router x.y.z.193
 dns-server 1.2.3.4 5.6.7.8
 domain-name test.domain.tld
 lease 0 12
!

What's wrong with this config? Is it possible
with ios dhcp server at all?

Please, give me some hints.

Thanks in advance!

--
  Sincerely yours,
 Artyom Viklenko.
---
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net   | JID: ar...@jabber.aws-net.org.ua
FreeBSD: The Power to Serve   -  http://www.freebsd.org



--
   Sincerely yours,
Artyom Viklenko.
---
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net   | JID: ar...@jabber.aws-net.org.ua
FreeBSD: The Power to Serve   -  http://www.freebsd.org

Re: [c-nsp] ME Series for a LAN/Server Farm

2010-12-09 Thread Abello, Vinny
JFYI, all ports (with the exception of GigabitEthernet0 which is the
management port and doesn't have uni/nni) on the ME3600X are defaulted to
nni in the running-config.

interface GigabitEthernet0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1
 port-type nni
!
interface GigabitEthernet0/2
 port-type nni
!
interface GigabitEthernet0/3
 port-type nni

.etc,

interface TenGigabitEthernet0/1
port-type nni
!
interface TenGigabitEthernet0/2
port-type nni

-Vinny

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Edward Salonia
Sent: Wednesday, December 08, 2010 6:33 PM
To: Andrew Koch; cisco-nsp-boun...@puck.nether.net; Keegan Holley
Cc: Cisco NSPs
Subject: Re: [c-nsp] ME Series for a LAN/Server Farm

Correct. In older versions of the IOS you were limited to the number of nni
ports but that has changed.

-Original Message-
From: Andrew Koch andrew.k...@gawul.net
Sender: cisco-nsp-boun...@puck.nether.net
Date: Wed, 8 Dec 2010 17:19:07 
To: Keegan Holley keegan.hol...@sungard.com
Cc: Cisco NSPs cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ME Series for a LAN/Server Farm

On Wed, Dec 8, 2010 at 16:50, Edward Salonia e...@edgeoc.net wrote:
 One thing to watch for is that there is no local switching among UNI
ports.
 You could either set your port type to NNI or you could set the vlan as a
 community vlan to enable local switching.

Double check the specs on these.  If I am remembering correctly, there
is a limit on some ME switches to the number of NNI ports you can
enable.  (I believe it was 4).


Also be aware of the power supplies being fixed.  As in, you cannot
swap an AC for a DC, nor are they field replaceable.

Andy Koch

Re: [c-nsp] ME Series for a LAN/Server Farm

2010-12-09 Thread Phil Bedard
Yeah hence the ellipses and the recommendation to maybe look elsewhere.
:)  It is definitely feature overkill for someone looking for a L2 switch
with ample fiber termination, but if you are dead set to go Cisco and do
not want something chassis based...

Phil 

On 12/9/10 2:12 AM, Mark Tinka mti...@globaltransit.net wrote:

On Thursday, December 09, 2010 08:05:49 am Phil Bedard
wrote:

 3600X might be an option,...

For the application the OP is looking at, the ME3600X/3800X
might be overkill. It's a very powerful switch, bordering on
a real router.

I'd keep things simple unless the OP needs all these
features.

Cheers,

Mark.




[c-nsp] Flexible Packet Match

2010-12-09 Thread Dennis Bohn
Hello:
I have been going back and forth with Cisco TAC about Flexible Packet Matching 
(FPM).
 
At the moment, I am trying to configure a nested class in the tcdf file.  In 
the future, I am interested in defining specific packet matches to drop.  I 
have read all documentation that I can find on Cisco's site, including:
 
Read 'readme_first.txt
Looked at this:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_qas0900aecd804b915e.html
 
Looked at this:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/product_data_sheet0900aecd8034bd93.html
 
So, I am looking for a guide to the Cisco schema for FPM, and perhaps a table 
showing a cli command and the matching xml syntax.  
 
Any help appreciated.  Here is the immediate problem:
Standard IP access list 15
10 permit 192.168.55.12
20 permit 192.168.131.27
 
Class Map match-any ccenternat (id 17)
   Match access-group  15 

##the regex is cisco's and does work as a standalone xml file
<?xml version="1.0" encoding="UTF-8"?>
<tcdf>

<class name="bt" type="stack" match="any">
<match>
<regex start="l2-start" offset="54" size="32" value="\x13BitTorrent\x20protocol"></regex>
<regex start="l2-start" offset="54" size="32" value="GET\x20.*\?info_hash="></regex>
<regex start="l2-start" offset="54" size="32" value="[a|A][z|Z][v|V][e|E][r|R]\x01"></regex>
</match>
</class>

<class name="thisone" type="access-control" match="all">
<match>
<class name="bt"></class>
<class name="ccenternat"></class>
</match>
</class>

<policy type="access-control" name="tcp_policy">
<class name="thisone"></class>
<action>drop</action>
</policy>

</tcdf>
 
best,
dennis



Re: [c-nsp] full routes / backup router

2010-12-09 Thread Adam Greene

Thanks Gert, Joseph and Jorge.

We need to pass the full routing table to a customer who is load 
balancing between us and another upstream provider.


As far as data throughput goes, yes, the 2911 looks like a good fit. But 
I was concerned about whether the CPU would be able to handle the 
frequent BGP updates associated with a full routing table. The 
routerperformance.pdf unfortunately does not list the process switching 
specs on the 2900's.


The 2911 would be a cold spare, to be used only when the 7204VXR dies.

Thanks,
Adam


On 12/9/2010 2:30 AM, Gert Doering wrote:

Hi,

On Wed, Dec 08, 2010 at 06:30:08PM -0500, Adam Greene wrote:

I need a backup router for a 7206VXR/NPE-400/512MB RAM that can handle
full routes from a single eBGP peer. Router provides transit to an
end-user. Remaining configs on router are minimal, max throughput is
about 30-40Mbps.

What good is full routes from a single peer?  Just point a default
route there...


Would a 2911/512MB RAM be sufficient? Or is the CPU too puny? Maybe we
need a 3825/521MB RAM? Or I guess we could just get a backup
7206VXR/NPE-400/512MB RAM.

As per the routerperformance.pdf, the 2911 is (regarding packet forwarding)
nearly as fast as the NPE-400, and the 2921 would be somewhat faster - so
if then NPE-400 is sufficient now, the 2921 should do well as backup.

OTOH, why bother with BGP full tables if all you have is a single peer.

gert



Re: [c-nsp] Flexible Packet Match

2010-12-09 Thread Rob Taylor

Dennis,

I don't see ccenternat defined anywhere, though you are calling it in 
the nested class thisone.


The XML DOES validate, but I believe you must define the class 
ccenternat before you can match against ccenternat.


Hope this helps,

Rob

On 12/9/2010 11:13 AM, Dennis Bohn wrote:

Hello:
I have been going back and forth with Cisco TAC about Flexible Packet Matching 
(FPM).

At the moment, I am trying to configure a nested class in the tcdf file.  In 
the future, I am interested in defining specific packet matches to drop.  I 
have read all documentation that I can find on Cisco's site, including:

Read 'readme_first.txt
Looked at this:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/prod_qas0900aecd804b915e.html

Looked at this:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6723/product_data_sheet0900aecd8034bd93.html

So, I am looking for a guide to the Cisco schema for FPM, and perhaps a table 
showing a cli command and the matching xml syntax.

Any help appreciated.  Here is the immediate problem:
Standard IP access list 15
 10 permit 192.168.55.12
 20 permit 192.168.131.27

Class Map match-any ccenternat (id 17)
Match access-group  15

##the regex is cisco's and does work as a standalone xml file
 <?xml version="1.0" encoding="UTF-8"?>
 <tcdf>

 <class name="bt" type="stack" match="any">
 <match>
 <regex start="l2-start" offset="54" size="32" value="\x13BitTorrent\x20protocol"></regex>
 <regex start="l2-start" offset="54" size="32" value="GET\x20.*\?info_hash="></regex>
 <regex start="l2-start" offset="54" size="32" value="[a|A][z|Z][v|V][e|E][r|R]\x01"></regex>
 </match>
 </class>

 <class name="thisone" type="access-control" match="all">
 <match>
 <class name="bt"></class>
 <class name="ccenternat"></class>
 </match>
 </class>

 <policy type="access-control" name="tcp_policy">
 <class name="thisone"></class>
 <action>drop</action>
 </policy>

 </tcdf>

best,
dennis
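
The point made in this reply, that a file can be well-formed XML and still reference a class it never defines, can be checked mechanically before loading a filter. This is an added example, not code from the thread or from Cisco; the sample is the posted TCDF with the markup the archive stripped restored (an assumption), and check_class_references is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the TCDF from the post with angle brackets and quotes
# restored (an assumption about the original markup). The XML declaration is
# left out so the text can be parsed directly from a str.
TCDF = r"""<tcdf>
  <class name="bt" type="stack" match="any">
    <match>
      <regex start="l2-start" offset="54" size="32" value="\x13BitTorrent\x20protocol"></regex>
      <regex start="l2-start" offset="54" size="32" value="GET\x20.*\?info_hash="></regex>
      <regex start="l2-start" offset="54" size="32" value="[a|A][z|Z][v|V][e|E][r|R]\x01"></regex>
    </match>
  </class>
  <class name="thisone" type="access-control" match="all">
    <match>
      <class name="bt"></class>
      <class name="ccenternat"></class>
    </match>
  </class>
  <policy type="access-control" name="tcp_policy">
    <class name="thisone"></class>
    <action>drop</action>
  </policy>
</tcdf>"""


def check_class_references(tcdf_text):
    """Return (owner, referenced_name, reason) for every nested class
    reference that has no earlier top-level definition in the same file.

    reason is "undefined" when the file never defines the name and
    "defined-later" when the definition only appears after the reference.
    """
    root = ET.fromstring(tcdf_text)  # raises ParseError if not well-formed
    # Top-level <class> elements are definitions; nested ones are references.
    all_defined = {el.get("name") for el in root if el.tag == "class"}
    seen = set()
    problems = []
    for top in root:  # children are visited in document order
        owner = "{} {}".format(top.tag, top.get("name"))
        for ref in top.iter("class"):
            if ref is top:
                continue  # the definition itself, not a reference
            name = ref.get("name")
            if name in seen:
                continue
            reason = "defined-later" if name in all_defined else "undefined"
            problems.append((owner, name, reason))
        if top.tag == "class":
            seen.add(top.get("name"))
    return problems


if __name__ == "__main__":
    for owner, name, reason in check_class_references(TCDF):
        print("{} references {!r}: {}".format(owner, name, reason))
```
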



[c-nsp] BGP MRAI

2010-12-09 Thread selamat pagi
For faster convergence, our service provider suggested to disable the BGP
min advertisement interval (set it to 0).

Is this really a good idea, even as we receive the full Internet table ?

cheers, keti




[c-nsp] need advice to analysis traffic immediately

2010-12-09 Thread Deric Kwok
Hi

When the bandwidth is high / spikes, is there an easy way to identify
where the traffic is coming from on Cisco?

In linux, I can run the iftop -i int

Thank you


Re: [c-nsp] need advice to analysis traffic immediately

2010-12-09 Thread Joseph Jackson
Enable netflow on the router and export it to a collector.  

Here's a free one that's pretty.

http://www.plixer.com/



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Deric Kwok
Sent: Thursday, December 09, 2010 12:43 PM
To: Cisco Network Service Providers
Subject: [c-nsp] need advice to analysis traffic immediately

Hi

When the bandwidth is high / spikes, is there an easy way to identify
where the traffic is coming from on Cisco?

In linux, I can run the iftop -i int

Thank you


Re: [c-nsp] 4900M with QoS on a portchannel

2010-12-09 Thread Mack McBride
QOS is generally applied on the input direction for port channels and that 
works fine.
Output QOS is generally much more limited.
Ie. You can't do classification on output and those kinds of things.
This is very platform specific.

Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jorge L. Rodriguez 
Aguila
Sent: Thursday, December 09, 2010 6:47 AM
To: Pshem Kowalczyk; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 4900M with QoS on a portchannel

QOS can never be applied on Port Channels because they are logical interfaces. 
The QoS on most Cisco Devices is done at the ASIC level and so it can only be 
done on physical interfaces, the port channel will pass the packets to the 
Physical Ifs and these in turn will apply the service policy on egress.


Jorge Rodriguez,CCNP-Voice
Senior Voice/Data Consultant
Netxar Technologies
PCS 7876888530
jorge.rodrig...@netxar.com





-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pshem Kowalczyk
Sent: Wednesday, December 08, 2010 8:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 4900M with QoS on a portchannel

Hi,

I must be missing something obvious here, so please stay with me. I'm
currently devising config for the device.
We have a 4900M that will be connected over 2x10G to a customer. I
want to apply a very simple QoS in this scenario - mark packets on
input and act on that on output:


class-map match-any CUST-SW-IN-PRIO
 match cos  5 6
class-map match-any CUST-SW-IN-AF4
 match cos  4
class-map match-any CUST-SW-IN-AF1
 match cos  2  3

class-map match-any CUST-SW-OUT-PRIO
  match qos-group 15
class-map match-any CUST-SW-OUT-AF4
   match qos-group 14
class-map match-any CUST-SW-OUT-AF1
  match qos-group 11

policy-map CUST-SW-IN-INPUT
 class CUST-SW-IN-PRIO
  set qos-group 15
 class CUST-SW-IN-AF4
  set qos-group 14
 class CUST-SW-IN-AF1
  set qos-group 11
 class class-default


policy-map CUST-SW-OUT-OUTPUT
 class CUST-SW-OUT-PRIO
   priority
   police rate percent 37
 class class-default

The idea is that there should never be more than 37% of CoS 5 and CoS
6 traffic leaving the interface. All ingress interfaces have the
CUST-SW-IN-INPUT policy applied (on either physical interfaces, or
PortChannels).
When I try to apply the output policy I get the following:

1. On physical interface (member of the portchannel):

ASAUESD01(config)#int te1/1
ASAUESD01(config-if)#service-policy output CUST-SW-OUT-OUTPUT
% A service-policy with non-queuing actions should be attached to the
port-channel associated with this physical port.

2. On a portchannel:

ASAUESD01(config-if)#int po1
ASAUESD01(config-if)#service-policy output CUST-SW-OUT-OUTPUT
% A service-policy with queuing actions can be attached in output
direction only on physical ports.

What am I missing here?
software:  Version 12.2(53)SG1 (cat4500e-IPBASEK9-M)
hardware: WS-C4900M

kind regards
Pshem


Re: [c-nsp] full routes / backup router

2010-12-09 Thread Reuben Farrelly

A 2900 would cope fine with this, for sure.

Just for kicks I ran a full BGP feed to an 1841 one day a few years back 
and after the initial onslaught of populating the routing table it coped 
fine with the incremental BGP updates coming in after that.


Not that I would ever recommend it but

Reuben



On 10/12/2010 4:07 AM, Adam Greene wrote:

Thanks Gert, Joseph and Jorge.

We need to pass the full routing table to a customer who is load
balancing between us and another upstream provider.

As far as data throughput goes, yes, the 2911 looks like a good fit. But
I was concerned about whether the CPU would be able to handle the
frequent BGP updates associated with a full routing table. The
routerperformance.pdf unfortunately does not list the process switching
specs on the 2900's.

The 2911 would be a cold spare, to be used only when the 7204VXR dies.

Thanks,
Adam


On 12/9/2010 2:30 AM, Gert Doering wrote:

Hi,

On Wed, Dec 08, 2010 at 06:30:08PM -0500, Adam Greene wrote:

I need a backup router for a 7206VXR/NPE-400/512MB RAM that can handle
full routes from a single eBGP peer. Router provides transit to an
end-user. Remaining configs on router are minimal, max throughput is
about 30-40Mbps.

What good is full routes from a single peer? Just point a default
route there...


Would a 2911/512MB RAM be sufficient? Or is the CPU too puny? Maybe we
need a 3825/521MB RAM? Or I guess we could just get a backup
7206VXR/NPE-400/512MB RAM.

As per the routerperformance.pdf, the 2911 is (regarding packet
forwarding)
nearly as fast as the NPE-400, and the 2921 would be somewhat faster - so
if then NPE-400 is sufficient now, the 2921 should do well as backup.

OTOH, why bother with BGP full tables if all you have is a single peer.

gert



Re: [c-nsp] HSRP/VRRP, IPv6 and IOS XE?

2010-12-09 Thread Arie Vayner (avayner)
Gert,

I was just updated by the BU that this feature is now listed in FN...

Thanks
Arie

-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Monday, November 29, 2010 12:05
To: Arie Vayner (avayner)
Cc: Gert Doering; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] HSRP/VRRP, IPv6 and IOS XE?

Hi,

On Mon, Nov 29, 2010 at 10:02:17AM +0100, Arie Vayner (avayner) wrote:
 It is listed as supported in the release notes:
 http://www.cisco.com/en/US/docs/ios/ios_xe/3/release/notes/asr1k_feats_important_notes_31s.html#wp3026018

Oh, cool.

 Can you give me the wrong reference?

Well, it's in the feature navigator - if you search by feature, enter
HSRP, select HSRP for IPv6, then the OS selection won't even list
IOS XE - just plain IOS.

If you select HSRP, it will list IOS/IOS XE/IOS XR, so the FN does
know about XE - seemingly just not enough.

gert

--
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de



Re: [c-nsp] need advice to analysis traffic immediately

2010-12-09 Thread Johan Grip

I generally use top-talkers for that.

ip flow-top-talkers
 top 50
 sort-by bytes

Then put ip flow ingress/egress on interfaces as needed.


On Thu, 09 Dec 2010 19:43:03 +0100, Deric Kwok deric.kwok2...@gmail.com  
wrote:



Hi

When the bandwidth is high / spikes, is there an easy way to identify
where the traffic is coming from on Cisco?

In linux, I can run the iftop -i int

Thank you


Re: [c-nsp] Handling the inbound ACL's with dynamic pd ipv6 prefix from the ISP

2010-12-09 Thread George Manousakis


 -Original Message-
 From: Per Carlson [mailto:pe...@hemmop.com]
 Sent: Monday, December 06, 2010 12:58 PM
 To: George Manousakis
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Handling the inbound ACL's with dynamic pd ipv6
 prefix from the ISP
 
  But let's say now that you got an ftp server, or a www server on a
 host. How
  can you set your access list? Since you have no clue what your ipv6
 pd will
  be like you have to permit all inbound traffic from internet to all
 hosts to
  ports 80 and/or 25.
 
 With PD you (most likely) get a prefix shorter than /64. For a SOHO a
 /56 is quite common. This enables you to have more than one subnet
 (256 subnets with a /56) behind the router.
 
 My suggestion is to put all those hosts with public accessible
 services on one subnet, and all clients on another subnet. You can
 then have different ACL's protecting the different subnets (allow any
 - tcp/80 on the www-server subnet, deny any on the client subnet). If
 you would like to (and have enough subnets) you can put the www-server
 on one subnet and a ftp-server on another as well.

The problem is that the pd assigned from the ISP is not static!
So how can you set ACL rules with a dynamic prefix?

The assignment you say may be used but still you cannot define the
www-server 
subnet on the ACL because you cannot know what the subnet will be!

 
 Don't fall in the trap thinking of IPv6 as IPv4 + longer addresses!
 
  IS there a way to allow some services to internal hosts without
 exposing
  everything to internet?
 
 Yes, use ULA's (RFC4193).

I actually meant how to set the ACL in order to allow access to only one 
host and not the whole range. Why would you use ULA's?

 
 I can also recommend reading RFC4864 (Local Network Protection for
 IPV6) which discusses how to move from IPv4+NAT to IPV6 in some
 scenarios.
 
 --
 Pelle
 
 RFC1925, truth 11:
  Every old idea will be proposed again with a different name and
  a different presentation, regardless of whether it works.



Re: [c-nsp] BGP MRAI

2010-12-09 Thread Oliver Boehmer (oboehmer)

 
 For faster convergence, our service provider suggested to disable the
BGP
 min advertisement interval (set it to 0).
 
 Is this really a good idea, even as we receive the full Internet table
?

The main benefit of MRAI in the Internet context is to reduce the number
of updates/withdraws following routing changes in a more densely meshed
AS environment. I think [1] examined this.
If your AS is more on the edge of the Internet, reducing the MRAI
should have no negative side effects.

oli

[1]
http://conferences.sigcomm.org/sigcomm/2000/conf/paper/sigcomm2000-5-2.pdf



Re: [c-nsp] Handling the inbound ACL's with dynamic pd ipv6 prefix from the ISP

2010-12-09 Thread Per Carlson
Hi George.

 My suggestion is to put all those hosts with public accessible
 services on one subnet, and all clients on another subnet. You can
 then have different ACL's protecting the different subnets (allow any
 - tcp/80 on the www-server subnet, deny any on the client subnet). If
 you would like to (and have enough subnets) you can put the www-server
 on one subnet and a ftp-server on another as well.

 The problem is that the pd assigned from the ISP is not static!
 So how can you set ACL rules with a dynamic prefix?

 The assignment you say may be used but still you cannot define the
 www-server
 subnet on the ACL because you cannot know what the subnet will be!

No, you don't know the subnet, but that's not a problem. Here's a
partial config assuming a /56 PD:

int fa0
  ! WAN
  ipv6 dhcp client pd PREFIX

int fa1
  ! www-server subnet
  ipv6 address PREFIX 0:0:0:1::/64 eui-64
  ipv6 traffic-filter WWW-SERVER out

int fa2
  ! clients subnet
  ipv6 address PREFIX 0:0:0:2::/64 eui-64
  ipv6 traffic-filter CLIENTS out

ipv6 access-list WWW-SERVER
  permit tcp any any eq 80
  deny ipv6 any any

ipv6 access-list CLIENTS
  deny ipv6 any any


Yes, the subnets need to live on separate interfaces, physical or
logical, for easy filtering.

Note: This config is PARTIAL and parts of it won't work at all! For
example, the Client subnet will have little connectivity :-)

  Is there a way to allow some services to internal hosts without
  exposing everything to internet?

 Yes, use ULA's (RFC4193).

 I actually meant how to set the ACL in order to allow access to only one
 host and not the whole range. Why would you use ULA's?

ULA's are a great way to run internal services without worries. As
long as you ingress filter fc00::/7 on the WAN-link you are safe.
Having multiple IPv6 addresses on an interface opens up a lot of new
possibilities!

-- 
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.



[c-nsp] 3550 layer 3 switch replacement for v6

2010-12-09 Thread Jon Lewis
I need to start looking at replacing 3550-48 switches with something 
comparable that supports ipv6.  I tried using feature navigator, but the 
info it was giving me was so suspect I won't even bother repeating it.  My 
impression from past looks into this issue is that the 3560-48TS (which 
actually went end of sales earlier this year) is a comparable switch to 
the 3550, does ipv6 in hardware, but has far less flexible per port 
policing, which will require a total redesign of our customer port limits.


I'm wondering if there are any major surprises with the 3560 when you 
enable ipv6 routing and ipv6 ospf?  I know doing so cuts the supported 
number of routes in half.  Also, we've kind of been abusing the 3550s, by 
running them with generally most of the ports in layer 3 mode.  The 
recommended number of routed interfaces on a 3550-48 is only 8!  Can we 
get away with running 48 dual-stack layer 3 ports on a 3560-48TS?


Or is there a better switch I should be looking at?  Is the 3560 v2 
appreciably better than the original?  It looks like the only change we'd 
benefit from is lower power consumption.  They run the same software, so 
features should be the same.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] HSRP/VRRP, IPv6 and IOS XE?

2010-12-09 Thread Gert Doering
Hi,

On Thu, Dec 09, 2010 at 08:54:27PM +0100, Arie Vayner (avayner) wrote:
 I was just updated by the BU that this feature is now listed in FN...

Confirmed!  HSRP for IPv6 is now listed for IOS XE 3.1S

thanks,

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025              g...@net.informatik.tu-muenchen.de



Re: [c-nsp] 3550 layer 3 switch replacement for v6

2010-12-09 Thread Seth Mattinen
On 12/9/2010 12:54, Jon Lewis wrote:
 I need to start looking at replacing 3550-48 switches with something
 comparable that supports ipv6.  I tried using feature navigator, but the
 info it was giving me was so suspect I won't even bother repeating it. 
 My impression from past looks into this issue is that the 3560-48TS
 (which actually went end of sales earlier this year) is a comparable
 switch to the 3550, does ipv6 in hardware, but has far less flexible per
 port policing, which will require a total redesign of our customer port
 limits.
 
 I'm wondering if there are any major surprises with the 3560 when you
 enable ipv6 routing and ipv6 ospf?  I know doing so cuts the supported
 number of routes in half.  Also, we've kind of been abusing the 3550s,
 by running them with generally most of the ports in layer 3 mode.  The
 recommended number of routed interfaces on a 3550-48 is only 8!  Can
 we get away with running 48 dual-stack layer 3 ports on a 3560-48TS?
 

I have some etherswitch service modules (3750 in a NME) running IPv6
with OSPF just fine. Other than a /128 ACL requiring ff:fe in the right
spot (someone detailed why either here or NANOG when I complained about
it previously) to store it in TCAM, I don't have any major complaints
with their IPv6 support. I'm not doing anything fancy, just pushing
packets with anti-spoofing ACLs.

I don't do any policing with them though, and that's really where you
will probably be annoyed the most.

~Seth


Re: [c-nsp] HSRP/VRRP, IPv6 and IOS XE?

2010-12-09 Thread Grzegorz Janoszka
On 09-12-10 22:22, Gert Doering wrote:
 On Thu, Dec 09, 2010 at 08:54:27PM +0100, Arie Vayner (avayner) wrote:
 I was just updated by the BU that this feature is now listed in FN...
 
 Confirmed!  HSRP for IPv6 is now listed for IOS XE 3.1S

Please pay attention whether this is HSRP on link-local addresses only,
or the better one on global addresses as well. One may get disappointed
with being forced to use link-local IP's as gateways.
At least on the normal IOS they were implemented separately.

-- 
Grzegorz Janoszka


Re: [c-nsp] HSRP/VRRP, IPv6 and IOS XE?

2010-12-09 Thread Gert Doering
Hi,

On Thu, Dec 09, 2010 at 10:44:14PM +0100, Grzegorz Janoszka wrote:
 On 09-12-10 22:22, Gert Doering wrote:
  On Thu, Dec 09, 2010 at 08:54:27PM +0100, Arie Vayner (avayner) wrote:
  I was just updated by the BU that this feature is now listed in FN...
  
  Confirmed!  HSRP for IPv6 is now listed for IOS XE 3.1S
 
 Please pay attention whether this is HSRP on link-local addresses only,
 or the better one on global addresses as well. One may get disappointed
 with being forced to use link-local IP's as gateways.
 At least on the normal IOS they were implemented separately.

Yes.  *This* is the HSRP with link local feature, the other one is
called HSRP for IPv6 with global addresses or something like that.

It's not really a technical problem to use link-locals + interface here,
it's just "we don't do it in IPv4, so we don't think it should be done
in IPv6 that way" thinking that gets in the way.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany    g...@greenie.muc.de
fax: +49-89-35655025              g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Compressed IPv6 ACLs on Cat6500

2010-12-09 Thread Saku Ytti
On (2010-12-08 17:39 -0800), Mack McBride wrote:

 The misunderstanding is anything with a prefix longer than /88 includes 
 discarded bits in the subnet portion 
 as opposed to the host portion.

The missing bits are never/rarely going to lead to expected behaviour. Anything
more specific than /88 should just be used.
Checking the TCAM is a really useful way to observe how the issue of compression
is irrelevant, and you should only ever use /88 or less specific.

Consider ACL entries:

rtr#sh ipv6 access-list XYZZY
IPv6 access list XYZZY
deny tcp host 1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12 eq www host 2001:DB8::1 eq 42 sequence 10
deny tcp F00F:C7C8::/104 eq www host 2001:DB8::1 eq 42 sequence 20
deny tcp F00F::C7C9:0/120 eq www host 2001:DB8::1 eq 42 sequence 30

Compiled as ACEs:

rtr#show tcam interface TenGigabitEthernet2/0/1.11 acl out ipv6
deny tcp 50:F00F:C7C8::/88(eui) eq www host 2A:2001:DB8::1(eui) eq 42
deny tcp 50:F00F::C9:0/104(eui) eq www host 2A:2001:DB8::1(eui) eq 42
deny tcp host 50:1234:5678:9ABC:DEF1:2345:67CD:EF12(eui) eq www host 2A:2001:DB8::1(eui) eq 42


Especially observe how the sequence 20 becomes a completely different rule in
hardware, certainly not giving useful results.

So the simple answer/rule is, don't use anything more specific than /88, and
you're getting expected results. There really aren't any practical scenarios
where compression is relevant, as EUI-64 is less specific than /88 and anything
more specific is going to give undesirable results.

(Don't get confused by the first hextet (yea), it is just port number)
-- 
  ++ytti


Re: [c-nsp] 3550 layer 3 switch replacement for v6

2010-12-09 Thread Mack McBride
The 4948E may be a good fit but the full enterprise image is pricy.
It has better QOS and 1G/10G SFP+ uplinks.

Mack.McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
Sent: Thursday, December 09, 2010 2:29 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3550 layer 3 switch replacement for v6

On 12/9/2010 12:54, Jon Lewis wrote:
 I need to start looking at replacing 3550-48 switches with something
 comparable that supports ipv6.  I tried using feature navigator, but the
 info it was giving me was so suspect I won't even bother repeating it. 
 My impression from past looks into this issue is that the 3560-48TS
 (which actually went end of sales earlier this year) is a comparable
 switch to the 3550, does ipv6 in hardware, but has far less flexible per
 port policing, which will require a total redesign of our customer port
 limits.
 
 I'm wondering if there are any major surprises with the 3560 when you
 enable ipv6 routing and ipv6 ospf?  I know doing so cuts the supported
 number of routes in half.  Also, we've kind of been abusing the 3550s,
 by running them with generally most of the ports in layer 3 mode.  The
 recommended number of routed interfaces on a 3550-48 is only 8!  Can
 we get away with running 48 dual-stack layer 3 ports on a 3560-48TS?
 

I have some etherswitch service modules (3750 in a NME) running IPv6
with OSPF just fine. Other than a /128 ACL requiring ff:fe in the right
spot (someone detailed why either here or NANOG when I complained about
it previously) to store it in TCAM, I don't have any major complaints
with their IPv6 support. I'm not doing anything fancy, just pushing
packets with anti-spoofing ACLs.

I don't do any policing with them though, and that's really where you
will probably be annoyed the most.

~Seth


Re: [c-nsp] Compressed IPv6 ACLs on Cat6500

2010-12-09 Thread Saku Ytti
On (2010-12-09 23:59 +0200), Saku Ytti wrote:

Ugh. 

 The missing bits are never/rarely going to lead to expected behaviour.
 Anything more specific than /88 should just be used.
/just not/

 deny tcp F00F::C7C9:0/120 eq www host 2001:DB8::1 eq 42 sequence 30
 deny tcp 50:F00F::C9:0/104(eui) eq www host 2A:2001:DB8::1(eui) eq 42
 
 Especially observe how the sequence 20 becomes completely different rule in
/sequence 30/

-- 
  ++ytti
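
The mapping visible in the show tcam output quoted in this thread, modelled in Python as an added example (not code from the posters or from Cisco). It assumes, from the three compiled entries only, that bits 88-103 of each address are dropped, that the L4 port is displayed as the first hextet, and that packets are keyed the same way; the function names and the probe address are made up for the illustration.

```python
import ipaddress

# Assumption inferred from the compiled ACEs quoted in the thread: bytes 11-12
# (bits 88..103) of every address are dropped; the L4 port becomes hextet one.

def _kept(addr):
    """Return the 14 address bytes that survive compression."""
    b = addr.packed
    return b[:11] + b[13:]

def compress(prefix, l4_port=0):
    """Model a compiled ACE: (address as displayed, compressed prefix length)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    clen = plen - 16 if plen > 104 else min(plen, 88)
    key = l4_port.to_bytes(2, "big") + _kept(net.network_address)
    return ipaddress.IPv6Address(key).compressed.upper(), clen

def hw_match(prefix, addr):
    """Would the compressed entry match addr (packet keyed the same way)?"""
    net = ipaddress.IPv6Network(prefix, strict=False)
    shift = 112 - compress(prefix)[1]
    rule = int.from_bytes(_kept(net.network_address), "big")
    pkt = int.from_bytes(_kept(ipaddress.IPv6Address(addr)), "big")
    return (rule >> shift) == (pkt >> shift)

def audit(prefixes):
    """Prefixes longer than /88: their compiled form differs from what was written."""
    return [p for p in prefixes
            if ipaddress.IPv6Network(p, strict=False).prefixlen > 88]

if __name__ == "__main__":
    acl = ["1234:5678:9ABC:DEF1:2345:6789:ABCD:EF12/128",   # sequence 10
           "F00F:C7C8::/104",                               # sequence 20
           "F00F::C7C9:0/120"]                              # sequence 30
    for p in acl:
        shown, clen = compress(p, l4_port=80)               # "eq www"
        print(f"{p:46} -> {shown}/{clen}")
    # Constructed probe: differs from sequence 30 only inside the dropped bits.
    probe = "F00F::12C9:5"
    written = ipaddress.IPv6Address(probe) in ipaddress.IPv6Network(acl[2])
    print("written rule matches:", written, "| compressed rule matches:",
          hw_match(acl[2], probe))
    print("entries to rewrite at /88 or shorter:", audit(acl))
```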


Re: [c-nsp] BFD and no ip redirects ?

2010-12-09 Thread Benjamin Lovell
Agree but so does BFD in echo mode but echo also proves that the IP punt path 
to the CPU is working. So not that I see no value in BFD but I do not see any 
additional value of this mode over echo.

-Ben

On Dec 7, 2010, at 5:09 PM, Gert Doering wrote:

 hi,
 
 On Tue, Dec 07, 2010 at 11:40:51AM -0500, Benjamin Lovell wrote:
 I have a dubious opinion of the usefulness as you are really only
 proving the forwarding of the ONE IP forwarding entry that leads
 back to your connected IP, but that's the idea anyway.
 
 Well, it proves that the path is working end-to-end (which helps a lot
 in todays everything is ethernet, but no useful error signalling 
 environments) and that there is at least a compatible IP configuration
 on the remote interface (same network or unnumbered with a proper route
 back).
 
 Of course this is not a complete self-test of the remote machine, but
 that would be somewhat expensive to do every 10ms :-)
 
 gert
 -- 
 USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
 Gert Doering - Munich, Germany    g...@greenie.muc.de
 fax: +49-89-35655025              g...@net.informatik.tu-muenchen.de




Re: [c-nsp] 3550 layer 3 switch replacement for v6

2010-12-09 Thread Phil Mayers

On 12/09/2010 08:54 PM, Jon Lewis wrote:

I need to start looking at replacing 3550-48 switches with something
comparable that supports ipv6.  I tried using feature navigator, but the


We use the 3750s with IPv6 very satisfactorily. But as you suggest, they 
probably won't meet your policing needs.


I am not sure there's a (cheap) Cisco product that will do what you want.


[c-nsp] Multiple EIGRP processes (ASNs)

2010-12-09 Thread Yuri Bank
Does anyone know of a way to make IOS see two distinct EIGRP processes (
Different ASNs ) equally. The standard behavior (On my version of IOS at
least) is to choose the route which was learned from the lower EIGRP ASN
regardless of metric. I can influence which routes are chosen by
manipulating the Administrative Distance in the EIGRP process, but this is
very limited in control. I would like to use the EIGRP metric for more
optimal routing.

Thanks!

-Yuri Bank


[c-nsp] 4G 3rd party flash drive for XR-12k

2010-12-09 Thread Mikael Abrahamsson


Hello.

Flash drives for XR on Cisco 12000 are quite expensive if bought from 
Cisco. XR writes a lot to the drive so thus there are other requirements 
than for running IOS which basically never writes to the drive at all.


What do people do out there? I found some industrial grade flash such as 
http://www.memorydepot.com/ssd/listcat.asp?catid=icf8000 which has 2M 
program/erase cycles, which seems a lot and I would hope be sufficient.


Any other hints in this area? I'd like them to survive several years in 
normal operation...


--
Mikael Abrahamsson    email: swm...@swm.pp.se