Re: [c-nsp] re-advertising eBGP learned prefixes
Could you post the output of show ip bgp neighbor 10.36.254.2 ?

Andrey Koklin wrote:
> On 10/20/2011 19:17, Gert Doering wrote:
>>> ip as-path access-list 100 permit ^$
>>> ip as-path access-list 101 permit _21017_
>>> ip as-path access-list 102 permit _21017_21017_
>>
>> This...
>>
>>> route-map TO_VPN_CTK permit 10
>>>  match ip address prefix-list TO_VPN_CTK
>>>  match as-path 100
>>
>> ... together with this will only permit AS-paths matched by ACL 100,
>> which is ^$ = your local AS. So this AS path ACL will never permit
>> anything learned from eBGP.
>
> Oh, yes, this is important error! I've added now the AS which prefixes
> should be seen there. Now it is:
>
> -- 8 --
> router bgp 65036
>  no synchronization
>  bgp log-neighbor-changes
>  bgp redistribute-internal
>  network 10.36.0.0 mask 255.255.0.0
>  network 213.129.126.0
>  timers bgp 5 20 15
>  neighbor 10.36.254.2 remote-as 21017
>  neighbor 10.36.254.2 soft-reconfiguration inbound
>  neighbor 10.36.254.2 route-map FROM_VPN_CTK in
>  neighbor 10.36.254.2 route-map TO_VPN_CTK out
>  neighbor 213.129.126.1 remote-as 65036
>  neighbor 213.129.126.1 soft-reconfiguration inbound
>  default-information originate
>  distance bgp 100 100 10
>  no auto-summary
>
> ip as-path access-list 100 permit ^$
> ip as-path access-list 100 permit _30835_
>
> ip prefix-list TO_VPN_CTK description announced nets through CTK VPN
> ip prefix-list TO_VPN_CTK seq 10 permit 0.0.0.0/0
> ip prefix-list TO_VPN_CTK seq 20 permit 213.129.126.0/24
> ip prefix-list TO_VPN_CTK seq 30 permit 10.36.0.0/16
> ip prefix-list TO_VPN_CTK seq 35 permit 10.36.0.0/16 le 28
> ip prefix-list TO_VPN_CTK seq 40 permit 10.36.0.0/18 le 28
> ip prefix-list TO_VPN_CTK seq 50 permit 10.36.248.0/23 le 24
>
> route-map TO_VPN_CTK permit 10
>  match ip address prefix-list TO_VPN_CTK
>  match as-path 100
> -- 8 --
>
> But unfortunately, the problem remains:
>
> spring#cle ip bgp * soft
> spring#sh ip bgp 10.36.72.32
> BGP routing table entry for 10.36.72.32/27, version 507121
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
> Flag: 0x820
>   Not advertised to any peer
>   20485 30835, (received used)
>     10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
>       Origin incomplete, metric 0, localpref 100, valid, internal, best
>       Originator: 10.36.1.4, Cluster list: 10.36.1.1

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 6509 port-channel logical interfaces
On 10/21/2011 12:19 AM, Keegan Holley wrote:
> I need to add a port channel with L3 sub interfaces to a 6509 with a
> SUP720. Here's the code and a sh mod from the box. This isn't explicitly
> in the feature navigator. Is this not supported at all or do I just need
> a different code version or feature set.

Do you mean:

int Po1
 no switchport
 no ip address
int Po1.1
 encapsulation dot1q blah
 ip address blah

AFAIK this works. The usual warning about sub-ints on 6500 apply; they burn the VLAN tag internally anyway, so you might as well just use an SVI (unless you want BFD GRR CISCO but it's rubbish on 6500 anyway)
Re: [c-nsp] re-advertising eBGP learned prefixes
On 10/21/2011 10:45, Sergey Nikitin wrote: Could you post the output of show ip bgp neighbor 10.36.254.2 ? Yes, here it is: -- 8 -- spring# sh ip bgp nei 10.36.254.2 BGP neighbor is 10.36.254.2, remote AS 21017, external link BGP version 4, remote router ID 80.82.57.179 BGP state = Established, up for 1d19h Last read 00:00:02, last write 00:00:02, hold time is 20, keepalive interval is 5 seconds Configured hold time is 20,keepalive interval is 5 seconds, Minimum holdtime from neighbor is 15 seconds Neighbor capabilities: Route refresh: advertised and received(old new) Address family IPv4 Unicast: advertised and received Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 35 35 Notifications: 25 5 Updates:42954 147160 Keepalives: 64387204874883 Route Refresh: 2 0 Total:64817365022083 Default minimum time between advertisement runs is 30 seconds For address family: IPv4 Unicast BGP table version 569719, neighbor version 569707/0 Output queue size : 0 Index 1, Offset 0, Mask 0x2 1 update-group member Inbound soft reconfiguration allowed Inbound path policy configured Outbound path policy configured Route map for incoming advertisements is FROM_VPN_CTK Route map for outgoing advertisements is TO_VPN_CTK Sent Rcvd Prefix activity: Prefixes Current: 38295 (Consumes 30732 bytes) Prefixes Total: 19674 21173 Implicit Withdraw:134804 Explicit Withdraw: 19828 20074 Used as bestpath: n/a257 Used as multipath:n/a 0 Saved (soft-reconfig):n/a296 (Consumes 15392 bytes) OutboundInbound Local Policy Denied Prefixes:--- route-map:11964 21 Suppressed duplicate: 4800 Bestpath from this peer: 19576n/a Total:31544821 Number of NLRIs in the update sent: max 287, min 0 Connections established 35; dropped 34 Last reset 1d19h, due to User reset Connection state is ESTAB, I/O status: 1, unread input bytes: 0 Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 1 Local host: 10.36.254.1, Local port: 15312 Foreign host: 10.36.254.2, Foreign port: 179 Enqueued packets 
for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes) Event Timers (current time is 0x7AD85240C): Timer StartsWakeupsNext Retrans 35028 8 0x0 TimeWait0 0 0x0 AckHold 26931 23160 0x0 SendWnd 0 0 0x0 KeepAlive 0 0 0x0 GiveUp 0 0 0x0 PmtuAger0 0 0x0 DeadWait0 0 0x0 iss: 2289351992 snduna: 2290290732 sndnxt: 2290290732 sndwnd: 15088 irs: 2142678336 rcvnxt: 2143467834 rcvwnd: 15038 delrcvwnd: 1346 SRTT: 300 ms, RTTO: 303 ms, RTV: 3 ms, KRTT: 0 ms minRTT: 0 ms, maxRTT: 432 ms, ACK hold: 200 ms Flags: active open, nagle IP Precedence value : 6 Datagrams (max data segment is 1460 bytes): Rcvd: 57420 (out of order: 0), with data: 26977, total data bytes: 789497 Sent: 58985 (retransmit: 8, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 35282, total data bytes: 938739 -- 8 -- Andrey Koklin wrote: On 10/20/2011 19:17, Gert Doering wrote: ip as-path access-list 100 permit ^$ ip as-path access-list 101 permit _21017_ ip as-path access-list 102 permit _21017_21017_ This... route-map TO_VPN_CTK permit 10 match ip address prefix-list TO_VPN_CTK match as-path 100 ... together with this will only permit AS-paths matched by ACL 100, which is ^$ = your local AS. So this AS path ACL will never permit anything learned from eBGP. Oh, yes, this is important error! I've added now the AS which prefixes should be seen there. Now it is: -- 8 -- router bgp 65036 no synchronization bgp log-neighbor-changes bgp redistribute-internal network 10.36.0.0 mask 255.255.0.0 network 213.129.126.0 timers bgp 5 20 15 neighbor 10.36.254.2 remote-as 21017 neighbor 10.36.254.2 soft-reconfiguration inbound neighbor 10.36.254.2 route-map FROM_VPN_CTK in neighbor 10.36.254.2 route-map TO_VPN_CTK out neighbor 213.129.126.1 remote-as 65036 neighbor 213.129.126.1 soft-reconfiguration inbound default-information originate distance bgp 100 100 10 no auto-summary ip as-path access-list 100 permit ^$ ip as-path access-list 100 permit _30835_ ip prefix-list TO_VPN_CTK description
Re: [c-nsp] BGP
use a prefix list filter sending only that subnet.

2011/10/20 Mohammad Khalil eng_m...@hotmail.com:
> Hi all , i have in the attached file br1.hq is the border router which
> terminates 3 international links i want to advertise the x.x.x.x subnet
> through the provider terminated to CR1 (the provider send default route)
> what is the best practice in order for only the subnet x.x.x.x to use
> this default route and no other subnets use ?
Re: [c-nsp] re-advertising eBGP learned prefixes
Looks like your as-path ACL is still blocking your route try:

ip as-path access-list 100 permit _30835

On Thu, Oct 20, 2011 at 6:00 PM, cisco-nsp-requ...@puck.nether.net wrote:
> Today's Topics:
>
>    1. Re: re-advertising eBGP learned prefixes (Gert Doering)
>    2. Re: re-advertising eBGP learned prefixes (Andrey Koklin)
>
> --
> Message: 1
> Date: Thu, 20 Oct 2011 17:17:46 +0200
> From: Gert Doering g...@greenie.muc.de
> To: Andrey Koklin a...@veco.ru
> Cc: Gert Doering g...@greenie.muc.de, cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] re-advertising eBGP learned prefixes
> Message-ID: 20111020151746.gk8...@greenie.muc.de
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> On Thu, Oct 20, 2011 at 07:13:50PM +0400, Andrey Koklin wrote:
> > ip as-path access-list 100 permit ^$
> > ip as-path access-list 101 permit _21017_
> > ip as-path access-list 102 permit _21017_21017_
>
> This...
>
> > route-map TO_VPN_CTK permit 10
> >  match ip address prefix-list TO_VPN_CTK
> >  match as-path 100
>
> ... together with this will only permit AS-paths matched by ACL 100,
> which is ^$ = your local AS. So this AS path ACL will never permit
> anything learned from eBGP.
>
> Maybe this should have been
>
> ip as-path access-list 100 permit ^$
> ip as-path access-list 100 permit _21017_
> ip as-path access-list 100 permit _21017_21017_
>
> (100 in all 3 lines)
>
> > I've just tried to remove filters. The router started to advertise all
> > but the needed prefixes, like 10.36.72.32/27...
>
> See above: the as-path filter is borked.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/ http://www.muc.de/%7Egert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
>
> --
> Message: 2
> Date: Thu, 20 Oct 2011 19:39:45 +0400
> From: Andrey Koklin a...@veco.ru
> To: Gert Doering g...@greenie.muc.de
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] re-advertising eBGP learned prefixes
> Message-ID: 4ea040c1.8000...@veco.ru
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 10/20/2011 19:17, Gert Doering wrote:
> > > ip as-path access-list 100 permit ^$
> > > ip as-path access-list 101 permit _21017_
> > > ip as-path access-list 102 permit _21017_21017_
> >
> > This...
> >
> > > route-map TO_VPN_CTK permit 10
> > >  match ip address prefix-list TO_VPN_CTK
> > >  match as-path 100
> >
> > ... together with this will only permit AS-paths matched by ACL 100,
> > which is ^$ = your local AS. So this AS path ACL will never permit
> > anything learned from eBGP.
>
> Oh, yes, this is important error! I've added now the AS which prefixes
> should be seen there. Now it is:
>
> -- 8 --
> router bgp 65036
>  no synchronization
>  bgp log-neighbor-changes
>  bgp redistribute-internal
>  network 10.36.0.0 mask 255.255.0.0
>  network 213.129.126.0
>  timers bgp 5 20 15
>  neighbor 10.36.254.2 remote-as 21017
>  neighbor 10.36.254.2 soft-reconfiguration inbound
>  neighbor 10.36.254.2 route-map FROM_VPN_CTK in
>  neighbor 10.36.254.2 route-map TO_VPN_CTK out
>  neighbor 213.129.126.1 remote-as 65036
>  neighbor 213.129.126.1 soft-reconfiguration inbound
>  default-information originate
>  distance bgp 100 100 10
>  no auto-summary
>
> ip as-path access-list 100 permit ^$
> ip as-path access-list 100 permit _30835_
>
> ip prefix-list TO_VPN_CTK description announced nets through CTK VPN
> ip prefix-list TO_VPN_CTK seq 10 permit 0.0.0.0/0
> ip prefix-list TO_VPN_CTK seq 20 permit 213.129.126.0/24
> ip prefix-list TO_VPN_CTK seq 30 permit 10.36.0.0/16
> ip prefix-list TO_VPN_CTK seq 35 permit 10.36.0.0/16 le 28
> ip prefix-list TO_VPN_CTK seq 40 permit 10.36.0.0/18 le 28
> ip prefix-list TO_VPN_CTK seq 50 permit 10.36.248.0/23 le 24
>
> route-map TO_VPN_CTK permit 10
>  match ip address prefix-list TO_VPN_CTK
>  match as-path 100
> -- 8 --
>
> But unfortunately, the problem remains:
>
> spring#cle ip bgp * soft
> spring#sh ip bgp 10.36.72.32
> BGP routing table entry for 10.36.72.32/27, version 507121
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
> Flag: 0x820
>   Not advertised to any peer
>   20485 30835, (received used)
>     10.36.2.22 (metric
Re: [c-nsp] re-advertising eBGP learned prefixes
On 10/21/2011 11:38, Michael Chomicz wrote:
> Looks like your as-path ACL is still blocking your route try:
>
> ip as-path access-list 100 permit _30835

Indeed, this AS is last in the path, thank you. I've changed the acl, still the problem remains:

-- 8 --
router bgp 65036
 no synchronization
 bgp log-neighbor-changes
 bgp redistribute-internal
 network 10.36.0.0 mask 255.255.0.0
 network 213.129.126.0
 timers bgp 5 20 15
 neighbor 10.36.254.2 remote-as 21017
 neighbor 10.36.254.2 soft-reconfiguration inbound
 neighbor 10.36.254.2 route-map FROM_VPN_CTK in
 neighbor 10.36.254.2 route-map TO_VPN_CTK out
 neighbor 213.129.126.1 remote-as 65036
 neighbor 213.129.126.1 soft-reconfiguration inbound
 default-information originate
 distance bgp 100 100 10
 no auto-summary

ip as-path access-list 100 permit ^$
ip as-path access-list 100 permit _30835

ip prefix-list TO_VPN_CTK description announced nets through CTK VPN
ip prefix-list TO_VPN_CTK seq 10 permit 0.0.0.0/0
ip prefix-list TO_VPN_CTK seq 20 permit 213.129.126.0/24
ip prefix-list TO_VPN_CTK seq 30 permit 10.36.0.0/16
ip prefix-list TO_VPN_CTK seq 35 permit 10.36.0.0/16 le 28
ip prefix-list TO_VPN_CTK seq 40 permit 10.36.0.0/18 le 28
ip prefix-list TO_VPN_CTK seq 50 permit 10.36.248.0/23 le 24

route-map TO_VPN_CTK permit 10
 match ip address prefix-list TO_VPN_CTK
 match as-path 100
-- 8 --

But unfortunately, the problem remains:

spring#cle ip bgp * soft
spring#sh ip bgp 10.36.72.32
BGP routing table entry for 10.36.72.32/27, version 571288
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  20485 30835, (received used)
    10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Originator: 10.36.1.4, Cluster list: 10.36.1.1
Re: [c-nsp] re-advertising eBGP learned prefixes
Hi,

On Fri, Oct 21, 2011 at 12:02:42PM +0400, Andrey Koklin wrote:
> spring#cle ip bgp * soft

I'm not fully trusting * soft here - could you try

  clear ip bgp 10.36.254.2 soft out

(It *should* not make a difference - but there's nothing obviously wrong I could see in your config now, so it really should work now, except maybe for not sufficiently clearing of the sessions)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] re-advertising eBGP learned prefixes
On 10/21/2011 12:36, Gert Doering wrote:
> On Fri, Oct 21, 2011 at 12:02:42PM +0400, Andrey Koklin wrote:
>> spring#cle ip bgp * soft
>
> I'm not fully trusting * soft here - could you try
>
>   clear ip bgp 10.36.254.2 soft out
>
> (It *should* not make a difference - but there's nothing obviously wrong
> I could see in your config now, so it really should work now, except
> maybe for not sufficiently clearing of the sessions)

Gert, I've tried soft out without results, and full bgp neighbor restart after. Seems, nothing changed...
Would it be useful to try some other IOS version, perhaps?

spring#sh ver
spring uptime is 1 year, 2 weeks, 2 days, 17 hours, 50 minutes
System returned to ROM by reload at 19:20:06 MSD Mon Oct 4 2010
System restarted at 19:21:22 MSD Mon Oct 4 2010
System image file is flash:c3845-adventerprisek9-mz.124-25c.bin
...

spring#clear ip bgp 10.36.254.2
spring#sh ip bgp sum
BGP router identifier 10.36.33.1, local AS number 65036
BGP table version is 578440, main routing table version 578440
616 network entries using 72072 bytes of memory
954 path entries using 49608 bytes of memory
50/41 BGP path/bestpath attribute entries using 6200 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
33 BGP AS-PATH entries using 808 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 128736 total bytes of memory
296 received paths for inbound soft reconfiguration
BGP activity 117142/116526 prefixes, 559917/558963 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.36.254.2     4 21017 5023466 6483511   578398    0    0 00:00:27      295
213.129.126.1   4 65036 6420334 6629000   578440    0    0 1d02h         342

spring#sh ip bgp 10.36.72.32
BGP routing table entry for 10.36.72.32/27, version 579143
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  20485 30835, (received used)
    10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Originator: 10.36.1.4, Cluster list: 10.36.1.1
Re: [c-nsp] re-advertising eBGP learned prefixes
Hi,

On Fri, Oct 21, 2011 at 01:25:11PM +0400, Andrey Koklin wrote:
> Gert, I've tried soft out without results, and full bgp neighbor restart
> after. Seems, nothing changed...
> Would it be useful to try some other IOS version, perhaps?
>
> spring#sh ver
> System image file is flash:c3845-adventerprisek9-mz.124-25c.bin

12.4(25*) should be fine. So we're overlooking something.

You mentioned that exporting of the /27 works if you remove all the output filters? In that case, something in the prefix-list would be the only thing left as suspicious - but it looks all fine to me (le 28 definitely does match /27...).

Maybe - just for testing - add the /27 to the prefix-list, as a permit 10.36.72.32/27 just to see what happens.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
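The outbound policy debated in this thread can be checked offline. The following is an added example, not code from any poster or from Cisco: it evaluates route-map TO_VPN_CTK (prefix-list plus as-path ACL 100 in its three posted states) against the prefixes and AS paths quoted from "sh ip bgp". It assumes Cisco's documented meaning of "_" and of prefix-list ge/le, and that the filter sees the AS path as stored in the BGP table; all function and constant names are hypothetical.

```python
import ipaddress
import re

# Cisco AS-path regex: "_" matches the start or end of the path, a space,
# a comma, braces or parentheses. "^" and "$" mean the same as in Python.
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"

# Transcribed from the thread: (seq, prefix, ge, le) for TO_VPN_CTK.
PREFIX_LIST_TO_VPN_CTK = [
    (10, "0.0.0.0/0", None, None),
    (20, "213.129.126.0/24", None, None),
    (30, "10.36.0.0/16", None, None),
    (35, "10.36.0.0/16", None, 28),
    (40, "10.36.0.0/18", None, 28),
    (50, "10.36.248.0/23", None, 24),
]
# The three states of "ip as-path access-list 100" posted in the thread
# (every line is a permit; the list ends in an implicit deny).
ACL_100_ORIGINAL = ["^$"]
ACL_100_SECOND = ["^$", "_30835_"]
ACL_100_THIRD = ["^$", "_30835"]


def aspath_acl_permits(patterns, as_path):
    """True if any permit line matches the AS path, else implicit deny."""
    for pattern in patterns:
        if re.search(pattern.replace("_", CISCO_UNDERSCORE), as_path):
            return True
    return False


def prefix_list_match(entries, route):
    """Return the seq of the first permit entry matching route, else None."""
    route = ipaddress.ip_network(route)
    for seq, prefix, ge, le in entries:
        net = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            low = high = net.prefixlen            # exact length only
        else:
            low = ge if ge is not None else net.prefixlen
            high = le if le is not None else net.max_prefixlen
        if route.subnet_of(net) and low <= route.prefixlen <= high:
            return seq
    return None


def route_map_permits(route, as_path, acl):
    """route-map TO_VPN_CTK permit 10: both match clauses must hold."""
    return (prefix_list_match(PREFIX_LIST_TO_VPN_CTK, route) is not None
            and aspath_acl_permits(acl, as_path))


def report():
    """Evaluate each (prefix, AS path) quoted in the thread against each ACL."""
    routes = [
        ("10.36.72.32/27", "20485 30835"),
        ("10.36.72.32/27", "21017 44237 30835"),
        ("10.20.69.16/28", "21017 44237 30835"),
    ]
    acls = [("^$ only", ACL_100_ORIGINAL), ("_30835_", ACL_100_SECOND),
            ("_30835", ACL_100_THIRD)]
    return [(prefix, path, label, route_map_permits(prefix, path, acl))
            for prefix, path in routes for label, acl in acls]


if __name__ == "__main__":
    for prefix, path, label, ok in report():
        print(f"{prefix:15} [{path:17}] ACL 100 = {label:8} -> "
              f"{'permit' if ok else 'deny'}")
```

Under these assumptions 10.36.72.32/27 with path "20485 30835" passes both match clauses for either later form of ACL 100, while 10.20.69.16/28 is outside every TO_VPN_CTK entry and is only sent when the output filters are removed.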
[c-nsp] MPLS TE to use 2 default routes?
So,

We have two connections to our upstream - same AS, both eBGP. Our internal topology makes it a bit hard for us to use eBGP multipath to make use of both outbound; it's sort of like follows:

upstream1upstream2 | | R1 --- R2 --- stuff | | | R3 R4 --- stuff | | \--- R5 ---/

We have a high-traffic source attached to R4, and the IGP costs mean that R4 will never choose R1 as an exit point.

I am very (very) anxious to avoid tweaking IGP costs. We've had bad experiences with that in the past, and there's a whole other bunch of stuff hanging off R2 and R4 that this kind of tweaking might disturb. In addition, it would prevent e.g. R5 from using both default routes (there are high traffic nodes attached there too, though less so).

Is it at all sensible to build 2x MPLS TE tunnels from R4-R2 and R4-R1, and use these to make the eBGP routes multipath candidates? Am I setting myself up for pain?

Obviously the preferred option would be to re-do the topology, but at the moment we lack sufficient 10gig ports to do this, and it would mean either WDM or layer2 links (ugh).

Platform is 6500/sup720 running 12.2(33)SXJ1.

Thoughts welcome.

Cheers,
Phil
Re: [c-nsp] MPLS TE to use 2 default routes?
On Friday, October 21, 2011 05:51:08 PM Phil Mayers wrote:
> Is it at all sensible to build 2x MPLS TE tunnels from R4-R2 and R4-R1,
> and use these to make the eBGP routes multipath candidates? Am I setting
> myself up for pain?

Yes, you can do that. Just make sure the R2-R4 link can handle traffic for:

o R2-to-R4.
o R2-to-R5.
o R2-to-R3 (backup path).
o R2-to-R1 (backup path).

Ignore the backup paths if you're going to build strict paths for the MPLS-TE LSP's (recommended), as the LSP wouldn't form across them anyway.

We do this within our core network to support load balancing for non-equal-cost distances (towards peers or customers), even though bandwidth within the core is the same; just like your case.

Cheers,

Mark.
Re: [c-nsp] re-advertising eBGP learned prefixes
Hi,

On 10/21/2011 13:30, Gert Doering wrote:
> On Fri, Oct 21, 2011 at 01:25:11PM +0400, Andrey Koklin wrote:
>> Gert, I've tried soft out without results, and full bgp neighbor
>> restart after. Seems, nothing changed...
>> Would it be useful to try some other IOS version, perhaps?
>>
>> spring#sh ver
>> System image file is flash:c3845-adventerprisek9-mz.124-25c.bin
>
> 12.4(25*) should be fine. So we're overlooking something.
>
> You mentioned that exporting of the /27 works if you remove all the
> output filters? In that case, something in the prefix-list would be the
> only thing left as suspicious - but it looks all fine to me (le 28
> definitely does match /27...).
>
> Maybe - just for testing - add the /27 to the prefix-list, as a permit
> 10.36.72.32/27 just to see what happens.

Additional permit didn't work either.

Finally, I've got some results, but still don't understand the problem's source. If I remove all the output filters, needed nets ain't advertised either, but I get many similar /27, /28 external nets, which are advertised. The only difference I see is in their incoming paths (with output filters removed):

spring#sh ip bgp 10.36.72.32
BGP routing table entry for 10.36.72.32/27, version 602983
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  20485 30835, (received used)
    10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Originator: 10.36.1.4, Cluster list: 10.36.1.1

While this one works fine:

spring#sh ip bgp 10.20.69.16
BGP routing table entry for 10.20.69.16/28, version 592359
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  21017 44237 30835, (received used)
    10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Originator: 10.36.1.4, Cluster list: 10.36.1.1

I've changed now the incoming prefixes weight on other router for testing, to choose alternate channel. After this, the needed prefixes started advertising, even with output filters applied:

spring#sh ip bgp 10.36.72.32
BGP routing table entry for 10.36.72.32/27, version 603507
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  21017 44237 30835, (received used)
    10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Originator: 10.36.1.4, Cluster list: 10.36.1.1

It's good already, but I need the other channel too for redundancy. Do you have an idea with fresh eye, how this could be fixed?

Thanks,
Andrey
[c-nsp] MPLS
Hello

If you have the following physical scenario

custABROCADE CER--CISCO ROUTER--BROCADE CER---custA

When I build a Virtue Lease Lines on the Brocades will this traverse through the Cisco router? I am not sure how to configure the Cisco for LSP signalling so the packets can pass.

Anybody have any experience with this?

Thanks
Chris

--
//CL
Re: [c-nsp] re-advertising eBGP learned prefixes
Hi,

On Fri, Oct 21, 2011 at 05:11:47PM +0400, Andrey Koklin wrote:
> spring#sh ip bgp 10.36.72.32
> BGP routing table entry for 10.36.72.32/27, version 602983
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
> Flag: 0x820
>   Not advertised to any peer
>   20485 30835, (received used)
>     10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
>       Origin incomplete, metric 0, localpref 100, valid, internal, best
>       Originator: 10.36.1.4, Cluster list: 10.36.1.1
> [..]
> spring#sh ip bgp 10.36.72.32
> BGP routing table entry for 10.36.72.32/27, version 603507
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
>   Advertised to update-groups:
>      1
>   21017 44237 30835, (received used)
>     10.36.2.22 (metric 3072) from 213.129.126.1 (10.36.1.1)
>       Origin incomplete, metric 0, localpref 100, valid, internal, best
>       Originator: 10.36.1.4, Cluster list: 10.36.1.1

I have to admit that there is nothing really obvious on why one of them would be advertised, and the other one would not be (especially with no output filters).

Sorry...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] MPLS
On Friday, October 21, 2011 10:24:48 PM Chris Lane wrote:
> Anybody have any experience with this?

Assuming you're signaling the pw with LDP, the Cisco router won't do anything other than forward the LDP packets between both Brocade switches.

When it comes to forwarding the VPN traffic down the pw between both Brocade's, the Cisco will label switch the traffic between both ends of the pw.

Just make sure LDP is configured on the Cisco ('mpls ip' under the relevant interfaces).

Pretty standard.

Mark.
[c-nsp] non-existing input errors on 6500/SXI...?
Hi,

I have a one port on a 7603/sup32/SXI that is showing me input errors but refuses to tell what *sort* of errors...

GigabitEthernet1/9 is up, line protocol is up (connected)
...
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 8818000 bits/sec, 2562 packets/sec
  5 minute output rate 24086000 bits/sec, 3252 packets/sec
     49922820560 packets input, 18467489252395 bytes, 0 no buffer
     Received 189510308 broadcasts (86256414 multicasts)
     0 runts, 0 giants, 0 throttles
     1815587 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     65761578040 packets output, 73084507578266 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Cisco-Msh int g1/9 count err

Port    Align-Err   FCS-Err   Xmit-Err   Rcv-Err   UnderSize   OutDiscards
Gi1/9           0         0          0   1815644           0             0

Port    Single-Col   Multi-Col   Late-Col   Excess-Col   Carri-Sen   Runts   Giants
Gi1/9            0           0          0            0           0       0        0

Port    SQETest-Err   Deferred-Tx   IntMacTx-Err   IntMacRx-Err   Symbol-Err
Gi1/9             0             0              0              0            0

so, right, it's Rcv-Err, but what sort of errors? Nothing in any of the other columns, and operationally, the link is behaving perfectly normal, so I'm not overly worried - just annoyed by our NMS flagging the link as hey, errors, check! all the time...

This is a Sup32, onboard GE, SXI3. The interface goes to a 2960G, about 2m of cat6 cable, nothing particularly exciting.

interface GigabitEthernet1/9
 description SW: sp1/xxx:g0/14 (sp1)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-999
 switchport mode trunk
 storm-control broadcast level 1.00

and the other end is symmetric:

interface GigabitEthernet0/14
 description SW: sp1/xxx:gi1/9 (sp1)
 switchport trunk allowed vlan 2-21,23-999
 switchport mode trunk
 storm-control broadcast level pps 1k 100
 storm-control multicast level pps 1k 100
 storm-control action trap
end

... so how to figure out where these errors are coming from?

(No smartnet on this particular box, so I can't go ask TAC)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[c-nsp] ASR5K-PSC-K9 - can anyone help with questions on the ASR5's?
Frank Pecora P3 Systems, Inc. Direct: +1-585-334-2976 Mobile: +1-585-406-1928 www.P3systemsinc.com - Cisco I Juniper I Foundry I Riverbed I Sun I Polycom I Avaya ARUBA Network Solutions
Re: [c-nsp] non-existing input errors on 6500/SXI...?
Hi Gert, My understanding (and it may be outdated) is that on the cat6k and cat5k, Rcv-err is a receive buffer failure caused by excessive traffic. What kind of linecard is it? Dale Thus spake Gert Doering (g...@greenie.muc.de) on Fri, Oct 21, 2011 at 06:01:02PM +0200: Hi, I have a one port on a 7603/sup32/SXI that is showing me input errors but refuses to tell what *sort* of errors... GigabitEthernet1/9 is up, line protocol is up (connected) ... Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 8818000 bits/sec, 2562 packets/sec 5 minute output rate 24086000 bits/sec, 3252 packets/sec 49922820560 packets input, 18467489252395 bytes, 0 no buffer Received 189510308 broadcasts (86256414 multicasts) 0 runts, 0 giants, 0 throttles 1815587 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 65761578040 packets output, 73084507578266 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out Cisco-Msh int g1/9 count err PortAlign-ErrFCS-Err Xmit-ErrRcv-Err UnderSize OutDiscards Gi1/9 0 0 01815644 0 0 Port Single-Col Multi-Col Late-Col Excess-Col Carri-Sen Runts Giants Gi1/9 0 0 0 0 0 0 0 Port SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err Gi1/90 000 0 so, right, it's Rcv-Err, but what sort of errors? Nothing in any of the other columns, and operationally, the link is behaving perfectly normal, so I'm not overly worried - just annoyed by our NMS flagging the link as hey, errors, check! all the time... This is a Sup32, onboard GE, SXI3. The interface goes to a 2960G, about 2m of cat6 cable, nothing particularily exciting. 
interface GigabitEthernet1/9 description SW: sp1/xxx:g0/14 (sp1) switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 2-999 switchport mode trunk storm-control broadcast level 1.00 and the other end is symmetric: interface GigabitEthernet0/14 description SW: sp1/xxx:gi1/9 (sp1) switchport trunk allowed vlan 2-21,23-999 switchport mode trunk storm-control broadcast level pps 1k 100 storm-control multicast level pps 1k 100 storm-control action trap end ... so how to figure out where these errors are coming from? (No smartnet on this particular box, so I can't go ask TAC) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
[c-nsp] DMVPN Per Tunnel QoS Question
Hi Group,

I just have a question regarding Per Tunnel QoS within a DMVPN... Specifically about the percent command within the CBWFQ child policy. I know for Per Tunnel QoS it needs to be implemented in a hierarchical policy. So I have a parent policy that shapes traffic to 1.5Mbps, then nested inside, a child policy that, let's say, gives a traffic class a percentage of 20.

My question is: where is it calculating the 20% from? The bandwidth statement on the tunnel interface? Or configuration from the parent policy because it's shaping traffic to 1.5MB?...so 20% of 1.5MB?

Just looking for some insight :)
Re: [c-nsp] non-existing input errors on 6500/SXI...?
Hi,

On Fri, Oct 21, 2011 at 11:14:38AM -0500, Dale W. Carder wrote:
> My understanding (and it may be outdated) is that on the cat6k and cat5k, Rcv-err is a receive buffer failure caused by excessive traffic. What kind of linecard is it?

Sup32, the port is on the sup32 itself, and the whole box is not really doing that much - total throughput right now is at about 150 Mbit/s, and there isn't anything with known-bursty characteristic either (and all VLANs coming in on that port go out on another ethernet port with no load on it).

The errors don't really correlate to load either - they just increase slowly over time, by something like 20-150 errors per 5 minute interval.

gert
Re: [c-nsp] non-existing input errors on 6500/SXI...?
Gert,

Are the errors incrementing, or are they going up/down over time? There are a couple of bugs with counter outputs where they are read/initialized incorrectly.

Can you look at show int counters trunk for wrong encap? The 2960G uses DTP by default, so it may just be those frames hitting the interface. Switchport trunk encapsulation on the 2960G should be set to be dot1q.

Also, check L3 interfaces (vlan interfaces or no switchport interfaces) for anything regarding input queue drops:

    sh int | inc is up|Input

show queueing interface gi1/9 could also show queuing drops on input.

Regards,
John Gill
cisco

On 10/21/11 1:18 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Oct 21, 2011 at 11:14:38AM -0500, Dale W. Carder wrote:
> > My understanding (and it may be outdated) is that on the cat6k and cat5k, Rcv-err is a receive buffer failure caused by excessive traffic. What kind of linecard is it?
>
> Sup32, the port is on the sup32 itself, and the whole box is not really doing that much - total throughput right now is at about 150 Mbit/s, and there isn't anything with known-bursty characteristic either (and all VLANs coming in on that port go out on another ethernet port with no load on it).
>
> The errors don't really correlate to load either - they just increase slowly over time, by something like 20-150 errors per 5 minute interval.
>
> gert
Re: [c-nsp] MPLS TE to use 2 default routes?
On 10/21/2011 11:26 AM, Mark Tinka wrote:
> We do this within our core network to support load balancing for non-equal-cost distances (towards peers or customers), even though bandwidth within the core is the same; just like your case.

That's promising. Having tried it on a test router, it seems a config like:

    int Tun1xx
     ip unnumbered Loopback1
     tunnel mode mpls traffic-eng
     tunnel destination Rxx
     tunnel mpls traffic-eng autoroute announce
     tunnel mpls traffic-eng autoroute metric absolute 1 ! Just for example, obviously
     tunnel mpls traffic-eng path-option 1 dynamic

...in particular, the autoroute metric absolute is needed to fix the metrics so that the tunnels are equal-cost, yes?

Do I want autoroute announce? Since the routes I care about are BGP, the only thing I need the tunnels for is to force the IGP cost to the iBGP loopbacks to be equal.

In terms of my original ascii diagram, will the presence of these tunnels on R4 induce R5 to send traffic upwards to R4 (and via the tunnels) when it might previously have sent it directly? Or are the tunnels local to each router and not advertised into IGP?
Re: [c-nsp] non-existing input errors on 6500/SXI...?
Hi,

On Fri, Oct 21, 2011 at 02:17:32PM -0400, John Gill wrote:
> Are the errors incrementing, or are they going up/down over time?

Slowly increasing, never going down.

> There are a couple of bugs with counter outputs where they are read/initialized incorrectly.

Oh? Never been hit by that one, but indeed, that would be exciting :-)

> Can you look at show int counters trunk for wrong encap?

    Cisco-M#sh int g1/9 count trunk
    Port      TrunkFramesTx  TrunkFramesRx  WrongEncap
    Gi1/9       65779332406    49937765599           0

> The 2960G uses DTP by default, so it may just be those frames hitting the interface.

I assumed something like that, but if I understand the 6500 right, it also has DTP on-by-default:

    Cisco-M#sh int g1/9 acc
    GigabitEthernet1/9 SW: sp1/switch6:g0/14 (sp1)
    Protocol         Pkts In     Chars In     Pkts Out     Chars Out
    Other                  0            0       323191      29733572
    Spanning Tree          3       711232    261042841   25060112736
    CDP               161772    101431044       179775      84853449
    DTP               323501     19410060            0             0

mmmh. Now that's funny, sending out other packets but receiving DTP just fine... but yeah, that's a symmetric counter bug - the 2960 has the same weirdness...

    Switch6#sh int g0/14 acc
    GigabitEthernet0/14 SW: sp1/cisco-m:gi1/9 (sp1)
    Protocol         Pkts In     Chars In     Pkts Out     Chars Out
    Other                  0            0       300953      18057180
    Spanning Tree   39125257   2504016448         2113        135232
    CDP                26657     11195940        23994      15044238
    DTP                47934      2876040            0             0

(so where's the 47000 DTP packets coming from if the other end never sent a single one?)

Since both sides are set to switchport mode trunk unconditionally, I'll disable DTP on both sides (switchport noneg) and see whether it changes anything...

... some 5 later: no, didn't fix anything:

    Cisco-M#sh int g1/9 | inc err
         33 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         304072 packets output, 142939079 bytes, 0 underruns

> Switchport trunk encapsulation on the 2960G should be set to be dot1q.

My 2960G has no other encapsulations anyway...

    Switch6(config-if)#swi trunk ?
      allowed  Set allowed VLAN characteristics when interface is in trunking mode
      native   Set trunking native characteristics when interface is in trunking mode
      pruning  Set pruning VLAN characteristics when interface is in trunking mode

> Also, check L3 interfaces (vlan interfaces or no switchport interfaces) for anything regarding input queue drops:

This box has been up for 36 weeks, so quite a number of input flushes have accumulated over time. I've cleared all counters, and all Input (and input error) counters are still zero, while the input errors on gi1/9 are again at 50...

> sh int | inc is up|Input
> show queueing interface gi1/9 could also show queuing drops on input.

Nothing there:

    Packets dropped on Receive:
      BPDU packets: 0

      que  dropped  30-s bytes  peak bytes  5-mins avg bps  peak bps  [cos-map]
      1          0           0           0               0         0  [0 1 2 3 4 5 6 7 ]

the errors are hiding really well... :-)

gert
[c-nsp] MAC loop in REP network
Hi,

I've had a problem on a pair of 4500 switches with a MAC address. We first noticed the CPU being at 99%, and upon investigating, noticed one switch complained about a flapping MAC address. Further examination showed that the two switches showed the MAC being advertised from the other's TenGB interface - they're running with dual TenG in a REP loop.

Now while there are lots of VLANs and devices connected to the two switches, it only happened with one single MAC on one VLAN. Examining the REP structure resulted in this output:

    switch1#show rep topology
    REP Segment 1
    BridgeName    PortName  Edge  Role
    ------------  --------  ----  ----
    switch1.fd3   Te4/1     Pri   Alt
    switch2.fd3   Te4/1           Open
    switch2.fd3   Te3/1           Open
    switch1.fd3   Te3/1     Sec   Open

(same for both)

Displaying the detailed version showed this:

    REP Segment 1
    switch1.fd3, Te4/1 (Primary Edge)
      Alternate Port, some vlans blocked
      Bridge MAC: 0023.5ef0.d2c0
      Port Number: 0100
      Port Priority: 050
      Neighbor Number: 1 / [-4]
    [..]
    switch1.fd3, Te3/1 (Secondary Edge)
      Open Port, all vlans forwarding
      Bridge MAC: 0023.5ef0.d2c0
      Port Number: 0C0
      Port Priority: 010
      Neighbor Number: 4 / [-1]

(same for both switches)

Switch1 is the one that has the MAC that was flapping, between a portchannel that is physically connected to the device sourcing that mac, and the Ten3/1 interface. The second switch showed the MAC being sourced on Ten4/1.

I temporarily fixed this flapping as well as the high CPU load by blocking the VLAN in question on one of the TenG interfaces ...

Here's the port configs:

    interface TenGigabitEthernet3/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     rep segment 1 edge preferred
     rep preempt delay 15

    interface TenGigabitEthernet4/1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1-212,214-4094    - did this to mitigate the loop problem
     switchport mode trunk
     rep segment 1 edge preferred
     rep preempt delay 15

Switch2:

    interface TenGigabitEthernet3/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     rep segment 1
     rep preempt delay 15

    interface TenGigabitEthernet4/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     rep segment 1
     rep preempt delay 15

Any idea what's going wrong here? This only started when we added a port with access to VLAN 213 on switch2 ...

Tnx,
-gg
Re: [c-nsp] MPLS TE to use 2 default routes?
Hi,

On 22 October 2011 07:35, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 10/21/2011 11:26 AM, Mark Tinka wrote:
> > We do this within our core network to support load balancing for non-equal-cost distances (towards peers or customers), even though bandwidth within the core is the same; just like your case.
>
> That's promising. Having tried it on a test router, it seems a config like:
>
> int Tun1xx
>  ip unnumbered Loopback1
>  tunnel mode mpls traffic-eng
>  tunnel destination Rxx
>  tunnel mpls traffic-eng autoroute announce
>  tunnel mpls traffic-eng autoroute metric absolute 1 ! Just for example, obviously
>  tunnel mpls traffic-eng path-option 1 dynamic
>
> ...in particular, the autoroute metric absolute is needed to fix the metrics so that the tunnels are equal-cost, yes?

Yes, otherwise the tunnel will assume the IGP cost to the destination.

> Do I want autoroute announce? Since the routes I care about are BGP, the only thing I need the tunnels for is to force the IGP cost to the iBGP loopbacks to be equal.

Yes you want that - the next hop for BGP prefix is taken from IGP, so IGP has to know how to get there. Without autoroute announce you'll have to manually send traffic down the tunnel.

> In terms of my original ascii diagram, will the presence of these tunnels on R4 induce R5 to send traffic upwards to R4 (and via the tunnels) when it might previously have sent it directly? Or are the tunnels local to each router and not advertised into IGP?

Short answer - no it won't, long one - forwarding adjacency will advertise tunnel into IGP, so it's visible from other routers (I generally find that feature more dangerous than useful), autoroute announce is only local to the router in which it's configured.

kind regards
Pshem