Re: [c-nsp] risks of assigning redundant paths on data link layer to end-customer
On Tue, 2011-11-22 at 06:55 +0200, Martin T wrote:
> Let's assume there is the following setup: http://img844.imageshack.us/img844/9133/stp.png
> ISP manages R1, C3550-24-A, C3550-24-B and C2950-24-A. Customer-SW is fully under customer control. As you can see, there are two paths to Customer-SW. What are the risks with such setups in general?

You mention loops, which is probably one of the worst risks. Besides this there's the fact that an L2 network spans many more devices. With L3 interconnect you would only put the two devices closest to the customer at risk. This might of course adversely affect other things, but only things connected to these two devices. The L2 network stretches through all the shown devices. Other things than loops can cause problems, e.g. broadcasts or STP control traffic.

That the root is placed with the customer is IMHO no big problem. They might have reasons to place it somewhere special, and since only one of the two paths from the CPE to R1 would be active at any time (because of STP) it doesn't really matter where the root is from your point of view.

> I'm able to name two disadvantages:
> 1) in case the customer configures (accidentally) "spanning-tree bpdufilter enable" on his ports Fa0/23 - 24 there will be an L2 loop which causes very high PPS and CPU load in ISP devices
> 2) in case the customer switch is the STP root (it's easy to become root switch by changing priority when root guard on the ISP side is not configured) and the customer VLAN goes through many ISP switches, non-optimal paths for traffic can take place
> Are there some other possibilities for an L2 loop? Or has anyone seen a hub/switch which handles 802.1d/802.1w BPDUs somewhat abnormally and might create an L2 loop (under certain circumstances)? Any other disadvantages which might arise with setups like this?
>
> regards,
> martin

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASA vs. ASR for large Wireless NAT deployment ?
Hi,

On Sun, Nov 13, 2011 at 12:59:53PM +0800, Mark Tinka wrote:
> We've deployed some ASR1006's for NAT44 and NAT64. The NAT44 is for our IPTV VoD service (Unicast), while the NAT64 is for IPv6-only customers trying to reach IPv4-only resources.

Can you give some more details on that? You really have IPv6-only customers?

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de
[c-nsp] control plane traffic monitor
Hi, is there a way or software to graphically monitor control plane and data plane traffic?

thanks
Re: [c-nsp] risks of assigning redundant paths on data link layer to end-customer
(Hit send too early, sorry! Second paragraph was missing.)

On Tue, 2011-11-22 at 06:55 +0200, Martin T wrote:
> Let's assume there is the following setup: http://img844.imageshack.us/img844/9133/stp.png
> ISP manages R1, C3550-24-A, C3550-24-B and C2950-24-A. Customer-SW is fully under customer control. As you can see, there are two paths to Customer-SW. What are the risks with such setups in general?

You mention loops, which is probably one of the worst risks. Besides this there's the fact that an L2 network spans many more devices. With L3 interconnect you would only put the two devices closest to the customer at risk. This might of course adversely affect other things, but only things connected to these two devices. The L2 network stretches through all the shown devices. Other things than loops can cause problems, e.g. broadcasts or STP control traffic.

To mitigate these things you should aggressively police broadcast and maybe multicast traffic. You should also implement CoPP (or similar) on any devices with an L3 connection to the specific VLAN.

That the root is placed with the customer is IMHO no big problem. They might have reasons to place it somewhere special, and since only one of the two paths from the CPE to R1 would be active at any time (because of STP) it doesn't really matter where the root is from your point of view.

--
Peter
Re: [c-nsp] control plane traffic monitor
On Nov 22, 2011, at 7:58 AM, zaid wrote:
> Hi, is there a way or software to graphically monitor control plane and data plane traffic?

This depends on the platform. Some devices present a 'Control Plane Interface' via SNMP that can be polled. More details would be helpful here.

- Jared
[c-nsp] New System Test
I upgraded the system this mailing list is on and wanted to send a test message to make sure things were looking good. If you see any troubles, please let me know by a private email.

Thanks!

- Jared
Re: [c-nsp] control plane traffic monitor
The platforms are 7600 (IOS 12.2 SR) and 12000 (IOS XR 3.9.0).

thanks

From: Jared Mauch ja...@puck.nether.net
To: zaid zaidoo...@yahoo.com
Cc: cisco-nsp@puck.nether.net
Sent: Tuesday, November 22, 2011 4:51 PM
Subject: Re: [c-nsp] control plane traffic monitor

On Nov 22, 2011, at 7:58 AM, zaid wrote:
> Hi, is there a way or software to graphically monitor control plane and data plane traffic?

This depends on the platform. Some devices present a 'Control Plane Interface' via SNMP that can be polled. More details would be helpful here.

- Jared
Re: [c-nsp] control plane traffic monitor
? You mean SNMP trending? Netflow statistics? Can you be more specific?

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 11/22/2011 06:58 AM, zaid wrote:
> Hi, is there a way or software to graphically monitor control plane and data plane traffic?
>
> thanks
[c-nsp] Strange 7200 Ethernet issue over Metro E
So I'm not sure where to start with this one, any pointers would be appreciated. I'd be happy to google but I'm not sure what the condition is here at all, I'm pretty baffled.

Here's the setup. A single 7200 with an NPE400 and a few Fast E interfaces. I have two pretty standard Metro Ethernet connections terminated on fast 1/0 and fast 3/0. Each has trunking enabled and different VLAN tags on each although they share destinations in common. Our colocation on VLAN 600 on fast 1/0 for example would be 800 on fast 3/0. There's no overlap in VLAN tags. On each is attached a /30. So the config looks something like this:

    interface FastEthernet1/0
     no ip address
     no ip proxy-arp
     no ip directed-broadcast
     speed 100
     duplex full
    !
    interface FastEthernet1/0.600
     description colo
     encapsulation dot1Q 600
     ip address 192.168.1.1 255.255.255.252
    !
    (and so on)

Both interfaces have the same type of setup, just with different tags.

Ok, the problem. If I bring up link 2 on fast 3/0 all the traffic moves in the outbound direction from fast 1/0 to 3/0 until 1/0 finally settles at 0 bits per second. No matter whether I play with the routing weights or preferences the traffic still prefers the second interface. To be honest, I don't even know how traffic on 1/0 would even arrive on 3/0. This happens even if I shut down the individual sub-interfaces, leave only the interface itself up and disable all the routing protocols by hand bound to each neighbor address. What gives?

Obviously something on layer 2 is going squarely, but with the sub-interfaces disabled I don't understand how my traffic is redirecting and, stranger still, arriving at the far end. What am I missing? I'm quite confused! I'm guessing something on the carrier providing the Metro E but I'm not sure where to start diagnosing this issue. Any ideas would be appreciated.

Thanks
Scott
[c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
Two of our DCs are about to get their 3rd internet drop. Each ISP connection has its own edge router. HSRP is running facing the LAN side. Please see https://supportforums.cisco.com/message/3496562#3496562 for topology and further discussions.

I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotchas with just letting BGP do its thing; no local-pref changing, no path prepending?

Mark Mason

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
On Tue, Nov 22, 2011 at 8:41 AM, Mark Mason mma...@jackhenry.com wrote:
> Two of our DCs are about to get their 3rd internet drop. Each ISP connection has its own edge router. HSRP is running facing the LAN side. Please see https://supportforums.cisco.com/message/3496562#3496562 for topology and further discussions.
>
> I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotchas with just letting BGP do its thing; no local-pref changing, no path prepending?
>
> Mark Mason

It should be fine. You'll get asymmetric routing regardless of what you do for the most part, since you can only influence another AS' routing policies so much using prepending. I'd only mess with localpref if you are overloading one of the links.

Joseph
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
Mark,

I'm not questioning your design, I'm just curious. Why add a third ISP? Redundancy? Is it a capacity issue? I understand having redundancy to two providers but I'm curious why you want a third? Or is this just a carrier thing and I'm thinking from an end customer viewpoint?

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 11/22/2011 08:59 AM, Joseph Jackson wrote:
> On Tue, Nov 22, 2011 at 8:41 AM, Mark Mason mma...@jackhenry.com wrote:
>> Two of our DCs are about to get their 3rd internet drop. Each ISP connection has its own edge router. HSRP is running facing the LAN side. Please see https://supportforums.cisco.com/message/3496562#3496562 for topology and further discussions.
>>
>> I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotchas with just letting BGP do its thing; no local-pref changing, no path prepending?
>>
>> Mark Mason
>
> It should be fine. You'll get asymmetric routing regardless of what you do for the most part, since you can only influence another AS' routing policies so much using prepending. I'd only mess with localpref if you are overloading one of the links.
>
> Joseph
[c-nsp] what series router as nas with l2tp to support 2200 ppp users?
Hi,

What series router as NAS to support 2200 PPP users? Can I know the estimated price?

Thank you
Re: [c-nsp] what series router as nas with l2tp to support 2200 ppp users?
Not sure if you're looking for the smallest or largest device to accomplish this, but here are two options.

We run a 7204VXR (NPE-G1); it currently terminates 300 tunnels with 2500 sessions @ 400 megs of aggregate traffic. CPU load is currently 65%, max 75%.

On the other side of the spectrum we run an ASR1002; 280 tunnels with 2500 sessions @ 400 megs of aggregate traffic. CPU load is currently 14%, max 17%.

No idea what the pricing of these kits are, sorry.

Andrew.

On 11/22/2011 10:32 AM, Deric Kwok wrote:
> Hi,
> What series router as NAS to support 2200 PPP users? Can I know the estimated price?
> Thank you
[c-nsp] CISCO ASR 5000 . P3 is in need of a consultant....
Please email me regarding a 6 month contract for a Fortune 500 customer.

Frank Pecora
CEO
P3 Systems, Inc.
Voip: +1-585-444-8504 / 101
Direct: +1-585-334-2976
Mobile: +1-585-406-1928
www.P3systemsinc.com
[c-nsp] MPLS/VPN QoS on asr1001
Hi All.

Can someone give me a hint about MPLS/VPN QoS mapping on an asr1001? I have 4 that need to be enabled for QoS, and I've been looking at some reference guides. I would like to make a short pipe implementation with five classes.

Most all documentation has a mapping between the experimental and the CoS value. Is there a reason for this? Isn't it possible to use the DiffServ value for the mapping between MPLS and the customer interface? We normally have 2 or 3 MPLS interfaces per box and 2 CE interfaces.

/Arne
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
On 11/22/11 8:41 AM, Mark Mason wrote:
> Two of our DCs are about to get their 3rd internet drop. Each ISP connection has its own edge router. HSRP is running facing the LAN side. Please see https://supportforums.cisco.com/message/3496562#3496562 for topology and further discussions.
>
> I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotchas with just letting BGP do its thing; no local-pref changing, no path prepending?

Yes, a vast majority of your traffic will exit via the provider on the HSRP active, which may present balancing problems in the outbound direction. Step 9 in the PSA is 'prefer external path over internal path', so if neither of the two other links has been given a higher weight, carries a higher LP, presents a shorter AS path, or somehow has a better origin code, it'll go out the directly-connected link.

Your inbound will balance easily, except that inbound isn't easy to balance.

pt
Re: [c-nsp] what series router as nas with l2tp to support 2200 ppp users?
You should be able to pick up a used 7206 w/ a NPE-G1 for a few thousand dollars.

On Tue, Nov 22, 2011 at 10:43 AM, Andrew K. and...@vianet.ca wrote:
> Not sure if you're looking for the smallest or largest device to accomplish this, but here are two options.
>
> We run a 7204VXR (NPE-G1); it currently terminates 300 tunnels with 2500 sessions @ 400 megs of aggregate traffic. CPU load is currently 65%, max 75%.
>
> On the other side of the spectrum we run an ASR1002; 280 tunnels with 2500 sessions @ 400 megs of aggregate traffic. CPU load is currently 14%, max 17%.
>
> No idea what the pricing of these kits are, sorry.
>
> Andrew.
>
> On 11/22/2011 10:32 AM, Deric Kwok wrote:
>> Hi,
>> What series router as NAS to support 2200 PPP users? Can I know the estimated price?
>> Thank you
Re: [c-nsp] CISCO ASR 5000 . P3 is in need of a consultant....
On 22/11/2011 15:51, frank Pecora wrote:
> Please email me regarding a 6 month contract for a Fortune 500 customer.

A toilet cleaning contract? I think you got the wrong list for commercial spam, regardless of what type of contract you're talking about.

Nick
Re: [c-nsp] what series router as nas with l2tp to support 2200 ppp users?
Hi,

There are some other vendors that I think you should be evaluating, just to confirm which is the best option. For this scenario you can check SmartEdge from Ericsson and E-series/MX from Juniper. ASR is a good option as well.

Best Regards,
Thiago Lizardo

On 22/11/2011, at 14:01, Josh Baird joshba...@gmail.com wrote:
> You should be able to pick up a used 7206 w/ a NPE-G1 for a few thousand dollars.
>
> On Tue, Nov 22, 2011 at 10:43 AM, Andrew K. and...@vianet.ca wrote:
>> Not sure if you're looking for the smallest or largest device to accomplish this, but here are two options.
>>
>> We run a 7204VXR (NPE-G1); it currently terminates 300 tunnels with 2500 sessions @ 400 megs of aggregate traffic. CPU load is currently 65%, max 75%.
>>
>> On the other side of the spectrum we run an ASR1002; 280 tunnels with 2500 sessions @ 400 megs of aggregate traffic. CPU load is currently 14%, max 17%.
>>
>> No idea what the pricing of these kits are, sorry.
>>
>> Andrew.
>>
>> On 11/22/2011 10:32 AM, Deric Kwok wrote:
>>> Hi,
>>> What series router as NAS to support 2200 PPP users? Can I know the estimated price?
>>> Thank you
[c-nsp] IOS 12.2 to 15.1
Hello,

Anyone using IOS 15.1 on a Cisco 7206VXR without any issues? Is it ok to go from 12.2 to 15.1?

--sharlon
Re: [c-nsp] MPLS/VPN QoS on asr1001
> Can someone give me a hint about MPLS/VPN QoS mapping on an asr1001? I have 4 that need to be enabled for QoS, and I've been looking at some reference guides. I would like to make a short pipe implementation with five classes. Most all documentation has a mapping between the experimental and the CoS value. Is there a reason for this?

The reason could be that you've been looking at PFC QoS (or Catalyst QoS) documents which are based on the internal CoS concept. This does not apply to the ASR1k (or most other router platforms).

> Isn't it possible to use the DiffServ value for the mapping between MPLS and the customer interface? We normally have 2 or 3 MPLS interfaces per box and 2 CE interfaces.

Please look at http://www.cisco.com/en/US/tech/tk436/tk428/technologies_tech_note09186a008022ad7e.shtml#shortpipe, you should be able to use this config example when drafting your QoS for the ASR1k.

Not sure if you want to do any remarking on your P devices; if not, you can keep the P config much simpler than illustrated in the above URL.

oli
[c-nsp] ME3600 IOS / SPAN
Hi there,

Anyone out there tried the new IOS 15.1(2)? Currently we are running 12.2(52) and wondering if we should be upgrading it to 15.1(2) in production. Release notes mentioned a lot of open caveats rather than the fixed ones.

Also, has anyone tried port mirroring / SPAN on the ME3600? Can't really find documentation on how to do that on these switches. I am not even sure if it's supported on the ME3600.

Any feedback would be appreciated.

Thanks
- Ankur
Re: [c-nsp] IOS 12.2 to 15.1
We upgraded from 12.2 to 15.0 last year, and a few months back upgraded to 15.1 to get some new voice features. We are running on NPE-G1. The only thing we noticed is that because we upgraded from some old 12.2 image, we had to rewrite some parts of the config which weren't upgraded automatically.

On 22.11.2011 21:13, Sharlon R. Carty wrote:
> Hello,
>
> Anyone using IOS 15.1 on a Cisco 7206VXR without any issues? Is it ok to go from 12.2 to 15.1?
>
> --sharlon
[c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
Hammer-

Actually we're expecting to install a 4th and maybe a 5th in the far future. Online banking, credit card/debit card processing is our business and having a number of ISP connections provides the least number of hops for our client base, best round-trip, and best customer experience to the online banking site. Their web requests come into the DC, we reach out to each respective bank/credit union host, via our managed DMVPN service, query that account and serve the data up to the web requester. Making sure we have the best path to those institutions is the #1 reason. I'd like to peer with Cogent and Verizon also. Heck, today really who is a Tier 1 carrier anymore?

Mark Mason
Re: [c-nsp] ME3600 IOS / SPAN
We are using 15.1(2)EY, because we wanted some new features. Unfortunately there are still a lot of features missing + some things that don't work well (primarily the -hardcoded- small egress buffers). Also, SPAN is not (currently) supported.

Generally whales seems like a nice platform, but still missing a lot.

--
Tassos

Ankur Mittal wrote on 22/11/2011 20:16:
> Hi there,
>
> Anyone out there tried the new IOS 15.1(2)? Currently we are running 12.2(52) and wondering if we should be upgrading it to 15.1(2) in production. Release notes mentioned a lot of open caveats rather than the fixed ones.
>
> Also, has anyone tried port mirroring / SPAN on the ME3600? Can't really find documentation on how to do that on these switches. I am not even sure if it's supported on the ME3600.
>
> Any feedback would be appreciated.
>
> Thanks
> - Ankur
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
Mark Mason wrote:
> Two of our DCs are about to get their 3rd internet drop. Each ISP connection has its own edge router. HSRP is running facing the LAN side. Please see https://supportforums.cisco.com/message/3496562#3496562 for topology and further discussions.
>
> I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotchas with just letting BGP do its thing; no local-pref changing, no path prepending?

Given the flat-ish topology of the Internet these days you will see most of your traffic use the local transit on the active HSRP node. This is because for the same route with equal as-path length and local-preference the router will prefer the eBGP (local) route over the iBGP routes.

If you want to roughly balance outbound traffic across all three transit links, you will need to use local-pref to prefer some routes/as-paths over others regardless of whether they are on the local router or not. The common way to do this is to make a short list of large ISP/backbone ASes, prefer some of them on each link and adjust until you get the preferred traffic distribution.

- Kevin
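The behaviour pt and Kevin describe (step 9, eBGP over iBGP, pinning outbound traffic to the HSRP-active router's transit) and Kevin's local-pref list of backbone ASes, as an added Python model written for this page; it is not code from the thread or from Cisco. Router names, ASNs and the prefix are constructed placeholders, and the ranking covers only the best-path steps the thread mentions.

```python
from dataclasses import dataclass

# Constructed scenario: three edge routers, each with one eBGP session to its
# own transit, fully meshed with iBGP. ASNs are private-range placeholders.
EDGE_ROUTERS = ("edge-A", "edge-B", "edge-C")


@dataclass
class Path:
    prefix: str
    learned_on: str      # edge router that received this path over eBGP
    as_path: tuple       # (upstream ASN, ..., origin ASN)
    local_pref: int = 100
    weight: int = 0      # local to the router that set it; 0 = unset
    origin: int = 0      # 0 = IGP, 1 = EGP, 2 = incomplete; lower wins
    med: int = 0         # simplification: compared across all neighbours
    igp_metric: int = 0  # cost to the next hop; 0 for a directly attached one


def rank(path, on_router):
    """Ordering key for the Cisco best-path steps the thread cites:
    weight, local-pref, AS-path length, origin, MED, then step 9
    ('prefer external path over internal path'), then IGP metric.
    Lower tuples are better, so min() picks the best path."""
    is_external = path.learned_on == on_router  # eBGP here, iBGP everywhere else
    return (
        -path.weight,
        -path.local_pref,
        len(path.as_path),
        path.origin,
        path.med,
        0 if is_external else 1,
        path.igp_metric,
    )


def best_path(paths, on_router):
    """Best path for one prefix as seen from a given edge router."""
    return min(paths, key=lambda p: rank(p, on_router))


def apply_backbone_policy(paths, preferred):
    """Kevin's outbound-balancing approach: 'preferred' maps a large backbone
    ASN to the edge router that should carry traffic towards it. Paths that
    contain that ASN and arrive over that router's transit get a higher
    local-pref, which the iBGP mesh then propagates to the other routers."""
    for p in paths:
        for asn, router in preferred.items():
            if asn in p.as_path and p.learned_on == router:
                p.local_pref = 110
    return paths


def sample_paths():
    """Constructed: one prefix reachable through all three transits with equal
    AS-path length, the common case on a flat-ish Internet."""
    return [
        Path("203.0.113.0/24", "edge-A", (64501, 65010)),
        Path("203.0.113.0/24", "edge-B", (64502, 65010)),
        Path("203.0.113.0/24", "edge-C", (64503, 65010)),
    ]


if __name__ == "__main__":
    paths = sample_paths()
    # With default attributes every router exits through its own transit (step 9),
    # so the HSRP-active router carries almost all outbound traffic.
    print("before:", {r: best_path(paths, r).learned_on for r in EDGE_ROUTERS})
    apply_backbone_policy(paths, {65010: "edge-B"})
    # Now every router, HSRP-active included, prefers edge-B's path towards AS 65010.
    print("after:", {r: best_path(paths, r).learned_on for r in EDGE_ROUTERS})
```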
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
Makes sense. Thank you for the education.

-Hammer-

"I was a normal American nerd"
-Jack Herer

On 11/22/2011 12:33 PM, Mark Mason wrote:
> Hammer-
>
> Actually we're expecting to install a 4th and maybe a 5th in the far future. Online banking, credit card/debit card processing is our business and having a number of ISP connections provides the least number of hops for our client base, best round-trip, and best customer experience to the online banking site. Their web requests come into the DC, we reach out to each respective bank/credit union host, via our managed DMVPN service, query that account and serve the data up to the web requester. Making sure we have the best path to those institutions is the #1 reason. I'd like to peer with Cogent and Verizon also. Heck, today really who is a Tier 1 carrier anymore?
>
> Mark Mason
Re: [c-nsp] risks of assigning redundant paths on data link layer to end-customer
Peter, thank you for the reply!

Storm-control helps here a lot. I set "storm-control broadcast level pps 2000 1000" and "storm-control multicast level pps 2000 1000" on C2950-24-A port Fa0/24 and C3550-24-B port Fa0/24, in other words on the ports which face the Customer-SW. Once the storm-control settings were in place, I wasn't able to flood broadcast frames across the VLAN. However, are there some other possibilities for an L2 loop? I mean other than filtering out BPDUs in Customer-SW?

In addition, before applying the storm-control configuration settings, the network was heavily flooded:

    Customer-SW#sh int Fa0/23 | i bits
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 77321000 bits/sec, 142110 packets/sec
    Customer-SW#sh int Fa0/24 | i bits
      5 minute input rate 77322000 bits/sec, 142111 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
    Customer-SW#

Why is there a flood only in one direction? I created this flood by configuring the 192.168.1.1/24 IP address on R1 interface Fa0/0.300 and executing "ping 192.168.1.2", which sent out the broadcast ARP frames.

regards,
martin

2011/11/22 Peter Rathlev pe...@rathlev.dk:
> (Hit send too early, sorry! Second paragraph was missing.)
>
> On Tue, 2011-11-22 at 06:55 +0200, Martin T wrote:
>> Let's assume there is the following setup: http://img844.imageshack.us/img844/9133/stp.png
>> ISP manages R1, C3550-24-A, C3550-24-B and C2950-24-A. Customer-SW is fully under customer control. As you can see, there are two paths to Customer-SW. What are the risks with such setups in general?
>
> You mention loops, which is probably one of the worst risks. Besides this there's the fact that an L2 network spans many more devices. With L3 interconnect you would only put the two devices closest to the customer at risk. This might of course adversely affect other things, but only things connected to these two devices. The L2 network stretches through all the shown devices. Other things than loops can cause problems, e.g. broadcasts or STP control traffic.
>
> To mitigate these things you should aggressively police broadcast and maybe multicast traffic. You should also implement CoPP (or similar) on any devices with an L3 connection to the specific VLAN.
>
> That the root is placed with the customer is IMHO no big problem. They might have reasons to place it somewhere special, and since only one of the two paths from the CPE to R1 would be active at any time (because of STP) it doesn't really matter where the root is from your point of view.
>
> --
> Peter
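As an added illustration written for this page (not Martin's, Peter's or Cisco's code): a small Python model of the rising/falling thresholds behind the "storm-control broadcast level pps 2000 1000" command, plus a parser for "show interfaces | i bits" lines like the ones pasted above that flags the port and direction carrying the storm. The per-second counts are constructed, and the threshold logic is a simplification of what the switch ASIC does (default filter action, one-second intervals).

```python
import re

# Constructed per-second broadcast counts on the customer-facing port: quiet,
# then an ARP-style flood like the one in the thread, then a slow decay.
SAMPLE_PPS = [50, 120, 2500, 142000, 140000, 1800, 1500, 900, 300, 3000, 400]

# The exact lines from the thread, used here as embedded sample input.
SHOW_OUTPUT = """\
Customer-SW#sh int Fa0/23 | i bits
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 77321000 bits/sec, 142110 packets/sec
Customer-SW#sh int Fa0/24 | i bits
  5 minute input rate 77322000 bits/sec, 142111 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
Customer-SW#
"""

RATE_RE = re.compile(r"5 minute (input|output) rate (\d+) bits/sec, (\d+) packets/sec")
CMD_RE = re.compile(r"sh(?:ow)? int(?:erfaces?)? (\S+)")


def storm_control(samples, rising, falling):
    """Model of 'storm-control <class> level pps <rising> <falling>' with the
    default (filter) action: once a one-second interval exceeds the rising
    threshold, that traffic class is dropped until an interval falls below
    the falling threshold. The gap between the two is the hysteresis that
    stops the port flapping when the storm hovers around one threshold.
    Returns (per-interval suppressed flags, total packets dropped)."""
    suppressed = False
    flags, dropped = [], 0
    for pps in samples:
        if not suppressed and pps > rising:
            suppressed = True
        elif suppressed and pps < falling:
            suppressed = False
        flags.append(suppressed)
        if suppressed:
            dropped += pps
    return flags, dropped


def parse_rates(show_output):
    """Parse 'sh int <if> | i bits' output into {interface: {direction: pps}}."""
    rates, current = {}, None
    for line in show_output.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            current = cmd.group(1)
            rates[current] = {}
            continue
        rate = RATE_RE.search(line)
        if rate and current is not None:
            rates[current][rate.group(1)] = int(rate.group(3))
    return rates


def ports_over_threshold(rates, rising):
    """(interface, direction) pairs whose 5-minute average exceeds the rising
    threshold; an average that high means a sustained storm, not a burst."""
    return sorted((ifname, direction)
                  for ifname, dirs in rates.items()
                  for direction, pps in dirs.items() if pps > rising)


if __name__ == "__main__":
    flags, dropped = storm_control(SAMPLE_PPS, rising=2000, falling=1000)
    for pps, hit in zip(SAMPLE_PPS, flags):
        print(f"{pps:>7} pps  {'DROP' if hit else 'fwd'}")
    print("dropped:", dropped)
    # Output on Fa0/23 and input on Fa0/24 are flooded: the storm enters the
    # customer switch on one uplink and leaves on the other.
    print(ports_over_threshold(parse_rates(SHOW_OUTPUT), 2000))
```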
Re: [c-nsp] IOS 12.2 to 15.1
On 22/11/2011 17:13, Sharlon R. Carty wrote:
> Anyone using IOS 15.1 on a Cisco 7206VXR without any issues? Is it ok to go from 12.2 to 15.1?

I haven't run into any trouble with 15.1 on 7200 yet, but I've found 15.x (both M and T images) to be a bagful of fun on smaller ISRs. In fact, I had an emergency upgrade on a T image today, due to BVI on one interface knocking out IPv6 ND on a completely separate interface. Nice.

Unless you have any particular reason to go to 15.1, I would recommend using a recent SRE image.

Nick
Re: [c-nsp] ME3600 IOS / SPAN
On 22/11/2011 18:44, Tassos Chatzithomaoglou wrote:
> Unfortunately there are still a lot of features missing + some things that don't work well (primarily the -hardcoded- small egress buffers)

Can you elaborate on this?

Nick
[c-nsp] Cisco 3560X performance in the wild
Greetings all,

I was wondering if anyone has used the 3560X-48T switches and would be kind enough to give me the good/bad/ugly on them?

Thanks
Dave
Re: [c-nsp] ME3600 IOS / SPAN
We migrated from ME-3400 to ME-3800X and we noticed that we started getting output drops on 1G interfaces, while the traffic was ~700 Mbps. I know about bursts and so on, but the same traffic wasn't causing any drops on the older platform.

We tried some output shaping service policies under the interface, but the drops were still there, and then on the policy-map too. We also noticed that the rate counters on the policy-map were totally wrong. Then we applied shaping service policies under the service instances and increased the queue-limit to the max available, and the drops got very low (but still existent). TAC concluded that this is due to the default egress buffers being too small, and we're waiting for the developers to come up with a solution.

Another issue we met is that any match of non-default classes under the service policies under the service instances wasn't working at all when there was no ingress L2 control traffic from the other side. I know it sounds very strange, but this was the conclusion we came to, after doing many different tests.

To summarize, we have quite a few strange cases with TAC on this platform.

--
Tassos

Nick Hilliard wrote on 22/11/2011 22:29:
> On 22/11/2011 18:44, Tassos Chatzithomaoglou wrote:
>> Unfortunately there are still a lot of features missing + some things that don't work well (primarily the -hardcoded- small egress buffers)
>
> Can you elaborate on this?
>
> Nick
[c-nsp] Whales 15.1 (was: ME3600 IOS / SPAN)
While we're on the subject - has anyone found any interoperability issues with xconnects between FCS 12.2 (and rebuilds) and FCS+1 15.1?

We've had one or two issues with 15.1 xconnects not passing traffic between 12.2(52)EY1 xconnects. Our solution was to downgrade 15.1 to 12.2(52)EY2, which seems to be fully compatible with the lesser of the 12.2(52)EY builds. We can't speak for anything more recent in the 12.2 train than EY2 because we were badly in need of 15.1 features, so we jumped right into it when it started shipping.

On 2011-11-22, at 5:05 PM, Tassos Chatzithomaoglou wrote:
> We migrated from ME-3400 to ME-3800X and we noticed that we started getting output drops on 1G interfaces, while the traffic was ~700 Mbps. I know about bursts and so on, but the same traffic wasn't causing any drops on the older platform.
>
> We tried some output shaping service policies under the interface, but the drops were still there, and then on the policy-map too. We also noticed that the rate counters on the policy-map were totally wrong. Then we applied shaping service policies under the service instances and increased the queue-limit to the max available, and the drops got very low (but still existent). TAC concluded that this is due to the default egress buffers being too small, and we're waiting for the developers to come up with a solution.
>
> Another issue we met is that any match of non-default classes under the service policies under the service instances wasn't working at all when there was no ingress L2 control traffic from the other side. I know it sounds very strange, but this was the conclusion we came to, after doing many different tests.
>
> To summarize, we have quite a few strange cases with TAC on this platform.
>
> --
> Tassos
>
> Nick Hilliard wrote on 22/11/2011 22:29:
>> On 22/11/2011 18:44, Tassos Chatzithomaoglou wrote:
>>> Unfortunately there are still a lot of features missing + some things that don't work well (primarily the -hardcoded- small egress buffers)
>>
>> Can you elaborate on this?
>>
>> Nick
Re: [c-nsp] Cisco 3560X performance in the wild
On Tue, 2011-11-22 at 12:59 -0700, Dave wrote:
> I was wondering if anyone has used the 3560X-48T switches and would be kind enough to give me the good/bad/ugly on them?

We have a couple of WS-C3560X-48T-Ls in use. They seem to function just as well as their 24 port cousins. Any specific things on your mind?

--
Peter
Re: [c-nsp] risks of assigning redundant paths on data link layer to end-customer
On Tue, 2011-11-22 at 21:49 +0200, Martin T wrote:
> However, are there some other possibilities for an L2 loop? I mean other than filtering out BPDUs in Customer-SW?

Filtering BPDUs will generate a loop, that's correct. If there's any chance the customer would do this to you, I really think you should find another solution. :-)

> Customer-SW#sh int Fa0/23 | i bits
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 77321000 bits/sec, 142110 packets/sec
> Customer-SW#sh int Fa0/24 | i bits
>   5 minute input rate 77322000 bits/sec, 142111 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
> Customer-SW#
>
> Why is there a flood only in one direction? I created this flood by configuring the 192.168.1.1/24 IP address on R1 interface Fa0/0.300 and executing "ping 192.168.1.2", which sent out the broadcast ARP frames.

Um... did you have 142 kpps of broadcast traffic? That does indeed seem like a loop. Do the "Received X broadcasts" and "Y packets input" counters match up, meaning it really is broadcast? Unidirectional traffic like that can also be because of unicast flooding caused by an asymmetric L2 forwarding topology.

What's the purpose of the redundancy? Is it on purpose that there's no L3 redundancy? And why is the STP interconnect needed? It seems like a setup that is next to impossible to actually secure. :-)

--
Peter
Re: [c-nsp] risks of assigning redundant paths on data link layer to end-customer
2011/11/21 Martin T m4rtn...@gmail.com
> Lets assume there is a following setup: http://img844.imageshack.us/img844/9133/stp.png
>
> ISP manages R1, C3550-24-A, C-355-24-B and C2950-24-A. Customer-SW is fully under customer control. As you can see, there are two paths to Customer-SW. What are the risks with such setups in general? I'm able to name two disadvantages:
>
> 1) in case customer configures (accidentally) "spanning-tree bpdufilter enable" on his ports Fa0/23 - 24 there will be an L2 loop which causes very high PPS and CPU load in ISP devices

That is a risk, but control plane protection is a must for a router in an environment like that, so hopefully you're protected against it. You could also write the config for them or a config guide to keep them from messing things up. Is the environment multi-tenant? If not the only risk is one customer blowing up their own environment. If not you or the ISP should install some protections to contain bridging loops.

> 2) in case customer switch is an STP root (it's easy to become root switch by changing priority when root guard on ISP side is not configured) and customer VLAN is through many ISP switches, non-optimal paths for traffic can take place

You should never connect to a customer network without some protection. Root-guard or setting your priority to extend sys-id +1 or something. You should also manipulate the spanning-tree priorities so that the same links block in every vlan.

> Are there some other possibilities for an L2 loop? Or has anyone seen a hub/switch which handles 802.1d/802.1w BPDUs somewhat abnormally and might create an L2 loop (under certain circumstances)? Any other disadvantages which might arise with setups like this?

Unidirectional links, bad ASICs/switchports, cables plugged into the wrong ports, bad copper/fiber patch panels. There are several things that could cause a bridging loop. Layer-2 networks aren't to be feared, it just needs to be done right like everything else.

You can probably find some docs on ISP best practices on google to fill in anything that doesn't come up in this thread.

> regards,
> martin
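The mitigations recommended across this thread (Peter's "aggressively police broadcast" and CoPP on the L3 hop, and the root-guard / priority advice in the reply above) fit on a handful of lines of IOS. The following is an added configuration example, not something posted in the thread or taken from the ISP's devices. It assumes the customer VLAN is 300 (R1's Fa0/0.300 is the only hint in the thread), that C3550-24-A should be the STP root and C3550-24-B the secondary, that rapid-pvst and "match protocol arp" under CoPP are available on the IOS trains in use, and that every rate and priority value is an illustrative starting point to be replaced by measured numbers. The storm-control thresholds are the ones Martin posted.

```ios
! Added example, not from the thread. Assumptions: VLAN 300 is the customer
! VLAN, C3550-24-A is the intended root, C3550-24-B the secondary, and all
! numeric values are illustrative.
!
! ---- C3550-24-A: deterministic root for the customer VLAN ----
spanning-tree mode rapid-pvst
spanning-tree vlan 300 priority 4096
!
! ---- C3550-24-B: secondary root, so the same link blocks in every VLAN ----
spanning-tree mode rapid-pvst
spanning-tree vlan 300 priority 8192
!
! ---- C2950-24-A Fa0/24 and C3550-24-B Fa0/24: the two ports facing Customer-SW ----
interface FastEthernet0/24
 description Customer-SW uplink (customer-controlled switch)
 switchport mode access
 switchport access vlan 300
 ! Root guard: if Customer-SW advertises a superior BPDU (a priority below
 ! 4096), this port goes root-inconsistent (blocking) instead of letting the
 ! customer become root for the ISP's VLAN.
 spanning-tree guard root
 ! Rising/falling thresholds in pps as posted earlier in the thread.
 ! "action trap" additionally raises an SNMP trap on exceed; the default
 ! action (drop the excess) is kept either way.
 storm-control broadcast level pps 2000 1000
 storm-control multicast level pps 2000 1000
 storm-control action trap
!
! ---- R1 (the L3 hop into VLAN 300): CoPP so a loop or ARP storm in the
! ---- VLAN cannot exhaust the router CPU ----
ip access-list extended COPP-ICMP-ACL
 permit icmp any any
!
class-map match-all COPP-ARP
 match protocol arp
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP-ACL
!
policy-map COPP
 ! Rates in bps with a burst in bytes; 64 kbps is on the order of 100 ARP
 ! frames/s, far below the 142 kpps seen in the thread's loop.
 class COPP-ARP
  police 64000 8000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 64000 8000 conform-action transmit exceed-action drop
 ! class-default is deliberately left unpoliced: routing-protocol and
 ! management traffic lands here until explicit classes exist for it.
!
control-plane
 service-policy input COPP
```

To check it does what the thread asks for: "show spanning-tree vlan 300" on any ISP switch should name C3550-24-A's bridge ID as root; lowering Customer-SW's priority in a lab should make both ISP-facing ports appear in "show spanning-tree inconsistentports" rather than moving the root; "show storm-control" and "show policy-map control-plane" should show the suppressed and dropped counters climbing while repeating Martin's ping test. Two caveats a practitioner should keep in mind: root guard on both customer-facing ports means a customer switch that deliberately claims root loses both of its uplinks, which is the intended failure mode but belongs in the customer config guide; and storm-control only caps what the ISP ports forward, it does not remove a loop caused by BPDU filtering on the customer side, so the ISP's own CPU protection (CoPP above) still has to hold on its own.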
Re: [c-nsp] Cisco 3560X performance in the wild
On Nov 22, 2011, at 2:59 PM, Dave dcostell-cisco...@torzo.com wrote:
> Greetings all,
>
> I was wondering if anyone has used the 3560X-48T switches and would be kind enough to give me the good/bad/ugly on them?

Replies to list appreciated. This question just came up for me as well.

--Chris
[c-nsp] ME3600 IOS / SPAN
Thanks for the information. Are you saying that we can't push more than 700 Mbps through a GigE interface on the ME3600 switch when running a 15.1(2) version?

We are noticing some weird problems with this platform:

- Upgraded the software from 12.2(52)EY to 15.1(2)EY and when the switch rebooted, we lost out-of-band management to the switch. Resolution: had to console into the switch and do a shut/no shutdown on the OOB mgmt interface.
- Also did "no cdp enable" globally and lost OOB mgmt functionality. Had to do the same thing as mentioned above to resolve the issue. I noticed that this is actually mentioned in the open caveats.

What I am mainly concerned about is the service instance / bridge domain model that was introduced in the Whales version. Have you found any weird behaviour with doing simple VLAN manipulation or Q-in-Q and the QoS classification on ingress, or other catastrophic problems?

I would appreciate it if you guys can share any other findings or open caveats that are not mentioned in the Cisco release notes but do exist on this software version.

Thanks-
Ankur
Re: [c-nsp] Three ISPs - Three Edge Routers - iBGP Mesh
On 11/22/2011 8:41 AM, Mark Mason wrote:
> iscussions. I expect that packets leaving the DC will hit the HSRP active, perform the route lookup and exit via the best path BGP has selected (and/or the best path my PfR setup has installed). Does anyone see any gotcha

What does the network look like in the down direction? Firewalls?

And I wouldn't use 1.1.1.1. I'd recommend something like 2.2.2.2. It's more... therefore better :)

tv
Re: [c-nsp] Cisco 3560X performance in the wild
On 11/22/2011 5:15 PM, Peter Rathlev wrote:
> On Tue, 2011-11-22 at 12:59 -0700, Dave wrote:
>> I was wondering if anyone has used the 3560X-48T switches and would be kind enough to give me the good/bad/ugly on them?
>
> We have a couple of WS-C3560X-48T-Ls in use. They seem to function just as well as their 24 port cousins. Any specific things on your mind?

We have some C3560X-24Ts (with IP Services upgrades) in production as CE routers. They work as well as the 3560s we had been using. We don't have any under serious load, no QoS, and no 10G deployments, so no horror stories yet. Some output drops on some uplinks but doesn't feel as shallow as 3560 non-Xs. They run 3560E images. No idea how much hardware they have in common.

Jeff
Re: [c-nsp] OSPF question / interconnecting ABRs
> On 11/21/2011 06:59 PM, Jeff Bacon wrote:
>> Is there some better way to handle this? Or do I just do the virtual-links/dual-connects and accept the hack?
>
> Do you actually need areas? How many routes are involved?

There's probably 500 routes or so; it's hard to be sure entirely because many of them hide behind summarization/range-statements. It COULD all be run as a single area 0 but given that the entire mesh spans everything from a 10G NYC metro ring to a trans-Pac internet VPN mesh, the result would seem fairly ugly.

Other than the problem of how to avoid split-area syndrome when there are >1 ABRs joining an area to area 0 without creating separate links between the devices for area X and 0, it works fairly well as-is. (Well, that and, why can't you tell an ABR to stop advertising the range statement when you've lost all other neighbors in that area? But that's a fringe case.)

> Could you consider a design with OSPF/iBGP or similar?

That might be an ideal end-game. I still need to finish flushing out EIGRP, though, and it's a continuously-in-flux network - we keep adding sites and kit and vendor connections seemingly as fast as we have time to string it all up.
Re: [c-nsp] ADSL sync speed Info at LAC/LNS
Thanks. Does the LAC send the connect-info by default to the LNS? And then the LNS sends them to RADIUS?

From: Patrick Cole z...@amused.net
To: ar ar_...@yahoo.com
Cc: cisco-nsp@puck.nether.net
Sent: Monday, November 21, 2011 9:43 PM
Subject: Re: [c-nsp] ADSL sync speed Info at LAC/LNS

> Assuming you have control of the DSLAM and it correctly sends the PPPoE VSAs to the BRAS that performs the LAC function, the following can be used:
> http://www.cisco.com/en/US/docs/ios-xml/ios/vpdn/configuration/xe-3s/vpd-cfg-aaa.html#GUID-AD2177CB-5798-4BFE-9D19-89DA83CEF9C6
>
> Pat
>
> Mon, Nov 21, 2011 at 04:57:46PM +0800, ar wrote:
>> Hi. I am trying to get info for the ADSL sync speed at the LAC/LNS level. Is there a way I can get this?