Re: [c-nsp] WS-C2970G-24TS as access switches
On 12/28/11 11:02 AM, Mike wrote: I was using these for exactly the same reasons stated above. This year, I have had three seperate instances where the switch had to lose power (move, re-work pwr arrangements, etc), and all three times the PSU apparently gave up the ghost and refused to power back up. Nothing 'happened' funny power wise, not zapped or otherwise mistreated in any way. I think these units were of a vintage vulnerable to the bad chineese capacitor problem and I think whatever cap in the psu just went fizzle while it was operating, which would let the units continue running but once it lost power, would prevent a successful full power on start up. This is a very common failure mode with some types of switching power supplies. It is typically a resistor and not a capacitor. We saw a lot of it with the power bricks supplied with Fujitsu DSL modems a few years ago. It's real fun when there's a widespread power outage and customers all over town are down once power is restored. There's a high value resistor, typically in the hundreds of kilo-ohms used to kick-start the switcher. Once it's going, the resistor isn't needed until power is removed and restored. These typically fail open. If the gear is worth salvaging or if it's crucial to get it back online while waiting for a replacement, I typically replace these with a resistor of substantially higher power rating than the original. I was able to find and deploy the rps-675 (redundant power) after being burned this way three times, and it came in damm handy because there was a 4th event (another burned up 2970 psu) and this time the 675 kept it running till I was able to have an orderly replacement and maintinence window (with a 3560). I would reccomend deploying the rps units if you are going to use any cisco products with single power supply, but especially if you're going to be using the 2970's which have proven (in my shop) to be a (literally) dying breed. These power supplies are commodity items from Chinese manufacturers that are used in a variety of gear, not just Cisco switches. You can often Google the part number on the power supply brick itself and find replacements. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow Exporters for 3750
nProbe or softflowd will generate the netflows based on SPAN traffic received over the interface. flow-fanout can be used to push flows to another collector. http://www.splintered.net/sw/flow-tools/docs/flow-fanout.html http://www.mindrot.org/projects/softflowd/ Cheers, Aaron. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski Sent: Wednesday, 28 December 2011 9:58 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Netflow Exporters for 3750 All: Would anyone be able to recommend a 3rd party NetFlow exporter that I could hook up to span port(s) on our 3750 switch stack? I know there are some out there and we are interested in others opinions. Thanks much, Jeff Wojciechowski LAN, WAN and Telephony Administrator Midland Paper Company 101 E Palatine Rd Wheeling, IL 60090 * tel: 847.777.2829 Ê fax: 847.403.6829 e-mail: jeff.wojciechow...@midlandpaper.commailto:jeff.wojciechowski@midlandpaper.c om http://www.midlandpaper.com This electronic mail (including any attachments) may contain information that is privileged, confidential, or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic mail or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please delete the original message in its entirety (including any attachments) and notify us immediately by reply email so that we may correct our internal records. Midland Paper Company accepts no responsibility for any loss or damage from use of this electronic mail, including any damage resulting from a computer virus. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow Exporters for 3750
On 12/28/2011 01:58 PM, Jeff Wojciechowski wrote: All: Would anyone be able to recommend a 3rd party NetFlow exporter that I could hook up to span port(s) on our 3750 switch stack? I know there are some out there and we are interested in others opinions. Enormous list here: http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html I've successfully used softflowd in the past, and found it good. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Limit vs allocate
Hi , in regard to QoS , what is the difference between limit and allocate ? does allocate means using bandwidth ? and limit using police ? Thanks BR, ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Deploying MSTP
During your transition, or possibly for a long time dependent on where the STP edge will be: This is the statement from config guide which has made my headache: -In a mixed MSTP and PVST+ network, the common spanning-tree (CST) root must be inside the MST backbone, and a PVST+ switch cannot connect to multiple MST regions. A. have full controll of root (and STP edge) for all vlans B. start migration on root switch Any vlan outside MST region with lower STP priority than MST will be in a Inconsistent state until this has been solved. 'show spantree root' on the root switch is a good starting advice Easy to simulate this behaviour using only 2 switches Jon Harald Bøvre On 28. des. 2011 17:14 Steve Dodd sd...@syringanetworks.net wrote: -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chuck Church Sent: Wednesday, December 28, 2011 7:02 AM To: 'Frédéric Loui'; 'Jay Nakamura' Cc: 'cisco-nsp' Subject: Re: [c-nsp] Deploying MSTP Yep, definitely important to verify what VLANs are mapped to the instances. The Nexus for example reserves some VLANs that aren't obvious, so when you map them, they end up back in instance 0 with no warning. IOS didn't reserve those, so both my instance 0 and the one with high-numbered VLANs didn't match, so I had all kinds of problems till we discovered that. There is a checksum that you can get it to display that should match between all connected devices. Can't remember the command, but it worked well. Chuck show spanning-tree mst configuration digest will show you the hash and should match on all devices in the MST region. -Steve ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPv6 netflow
Hi, On Thu, Dec 29, 2011 at 01:00:20AM +0200, Mohammad Khalil wrote: does it matter if i have configured the export parameters from the global mode or from the flow-cache mode What hardware, what software, which version? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de pgpmN1AbdeW6D.pgp Description: PGP signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow Exporters for 3750
You might also consider YAF from Carnegie-Mellon's NetSA group. I work with their SiLK tool-suite and found them solid. http://tools.netsa.cert.org/yaf/index.html Joe From: Phil Mayers p.may...@imperial.ac.uk To: cisco-nsp@puck.nether.net Date: 12/29/2011 08:32 AM Subject:Re: [c-nsp] Netflow Exporters for 3750 Sent by:cisco-nsp-boun...@puck.nether.net On 12/28/2011 01:58 PM, Jeff Wojciechowski wrote: All: Would anyone be able to recommend a 3rd party NetFlow exporter that I could hook up to span port(s) on our 3750 switch stack? I know there are some out there and we are interested in others opinions. Enormous list here: http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html I've successfully used softflowd in the past, and found it good. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] IPv6 netflow
Cisco 3725 Date: Thu, 29 Dec 2011 12:18:00 +0100 From: g...@greenie.muc.de To: eng_m...@hotmail.com CC: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] IPv6 netflow Hi, On Thu, Dec 29, 2011 at 01:00:20AM +0200, Mohammad Khalil wrote: does it matter if i have configured the export parameters from the global mode or from the flow-cache mode What hardware, what software, which version? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany g...@greenie.muc.de fax: +49-89-35655025g...@net.informatik.tu-muenchen.de ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] WS-C2970G-24TS as access switches
On 12/29/2011 12:28 AM, Jay Hennigan wrote: On 12/28/11 11:02 AM, Mike wrote: I was using these for exactly the same reasons stated above. This year, I have had three seperate instances where the switch had to lose power (move, re-work pwr arrangements, etc), and all three times the PSU apparently gave up the ghost and refused to power back up. Nothing 'happened' funny power wise, not zapped or otherwise mistreated in any way. I think these units were of a vintage vulnerable to the bad chineese capacitor problem and I think whatever cap in the psu just went fizzle while it was operating, which would let the units continue running but once it lost power, would prevent a successful full power on start up. This is a very common failure mode with some types of switching power supplies. It is typically a resistor and not a capacitor. We saw a lot of it with the power bricks supplied with Fujitsu DSL modems a few years ago. It's real fun when there's a widespread power outage and customers all over town are down once power is restored. In this case with the 2970's, it's definately a capacitor. I don't have my photos now but it was the same cap all 3 times that bulged out and made it obvious it was the problem. These power supplies are commodity items from Chinese manufacturers that are used in a variety of gear, not just Cisco switches. You can often Google the part number on the power supply brick itself and find replacements. I had that idea too but for the 2970 all I was able to find were branded replacements costing 3x the cost of the used rps675... Mike- ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] shaping outbound
Excellent info Anton. This has help immensely. I have tested the configuration example that you have shown me and it seems to work very well. I added a class in the shape-down policy-map for http and shaped it to 2M just for testing. policy-map shape-down class http shape average 200 256000 128000 queue-limit 32768 packets class class-default shape average 4000 service-policy qos-down It works, but I had to add the queue-limit 32768 packets (i know this is a large number), as the default is 64 packets. If I left it at 64 packets I would see many drops in my test environment which makes sense as I am hammering a 2M http policy. I just needed to see this to make sense of it all. From my understanding, when the traffic load is too much for the allotted bandwidth the queue would need to be increased or the bandwidth needs to be increased? If I wanted shape a website, for example youtube.com, would it be best to mark it on the incoming interface with a dscp marking and then shape that dscp marking on the output interface? I tried this, but with no success, I was only able to drop the traffic, and not shape it. Now my next stumbling block is how to shape my sub interfaces for my guest networks on the router. It seems as if you are not allowed to add shaping even with a child/parent policy map. Dan. On Sun, Dec 25, 2011 at 2:46 PM, Anton Kapela tkap...@gmail.com wrote: Dan, On Sat, Dec 24, 2011 at 2:49 PM, Dan Letkeman danletke...@gmail.com wrote: I'm confused as to when and where it is possible to shape traffic. I have a 50Mbps internet connection from our ISP and I would like to shape some of the download traffic using our 2821. Here is what I have setup: lan users - g0/0 - 2821 - g0/1 --internet Currently I have no way of limiting someone from using up the entire pipe. My thought was to add a policy-map in the outbound direction on [..] Any idea on how to go about this? Or Am I stuck with buying a ridiculously expensive packet shaper or something of the sorts? You can, in fact, shape, queue, and control bits arriving at your doorstep if you're willing to give up a bit of the internet pipes' peak downstream bitrate. In general, if you were to, say, queue packets towards your users (lan side), at less than the configured ISP rate, you'd effectively congest within the router (which you control). This could be useful. A rule of thumb I've kept in mind is to shape at ~80% of the overal CIR from your isp. Then, apply queueing to taste. A fairly useful straight-forward approach might look like the following: policy-map qos-down class class-default fair-queue queue-limit 2048 packets policy-map shape-down class class-default shape average 4000 16 service-policy qos-down Then, apply to lan facing port: interface GigabitEthernet0/0 service-policy output shape-down Same for upstream, though, you can typically get away shaping within 95% of the configured CIR bitrate. Say you had 5 mbits/sec upstream. You'd then want something like: policy-map qos-up class class-default fair-queue queue-limit 512 packets policy-map shape-up class class-default shape average 475 19000 service-policy qos-down ..then applied in the output direction of Gi 0/1, per your config setup. Fair-queue alone will ensure per-flow fairness is provided by the router in the Tx direction for any packets buffered in the shaped class-default. This could be 'bad' if you're concerned that or faced with many-flow apps (torrents, etc) out-competing single- or few-flow apps (shoutcast, iptv, netflix, etc). If that's the case, then adjustment and specific queueing must be created to single-out the jerks and/or reserve bits for known-friendly-er apps. If you're not seeing/concerned with flow-rich vs. flow-poor apps getting a fair shake, and are considering a more docile/typical app mix (few big downloads, app updates, imap/exchange email, vpns, net radio, etc), then fair-queue alone will probably be sufficient. -Tk ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?
On Wed, Dec 28, 2011 at 1:30 AM, Reuben Farrelly reuben-cisco-...@reub.net wrote: Hi guys Is GRE tunnelling supported on this platform? Yes, but the cpu-switch asic interface is *not* fast. you'll see ~1mbit usable through it (same as on 3550, 3560, 3750). these are not good devices for this need. if you needed low impact out of band, tftp/ftp access for a remote pop you're turning up, or bgp/isis/ospf routing of some internal space over island-ed transit, sure. but not transit bits or production traffic. The 4948, or a cat4k chassis + sup4 or sup5 will you ~92 mbit usable, as their cpu--switch asic appear to have ~100 mbits usable, and GRE happens in software on a 333mhz+ powerPC cpu, making it roughly as quick as NPE-225. We've a need to run GRE tunnels for a URL filtering solution at our Head Office from outside the firewall, and policy routing + GRE is the only way this can be set up with the upstream vendor. [Pretty sure policy routing is not supported on this platform yet also but confirmation of this would be good as well]. Like the 3550/3560/3750 family, policy routing support is a tcam + sdm carving option on the ME's in question (google 'sdm prefer'). I have not tested/tried matching L4 parameters on these platforms, but L3 matches appear to work indeed. Of course you lose FIB capacity by enabling this support. One would be better off, imho, using wccp v2 to redirect selected/registered traffic to the off-net filtering/etc appliance than PBR tricks or tunnels. Of course, you may end up needing both wccp and gre, in which case, look to cat4k for something approaching reasonably fast/usable/affordable. -Tk ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ?
GRE tunneling is currently not supported on ME3800X/ME3600X. The feature is in radar for 2013. Policy based routing is also in the roadmap. -Waris -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Reuben Farrelly Sent: Tuesday, December 27, 2011 11:30 PM To: c-nsp Subject: [c-nsp] GRE Tunnelling on the ME3600/ME3800 Switches ? Hi guys Is GRE tunnelling supported on this platform? I can see no reference to it in any of the configuration guides - but also no reference to it in the unsupported commands section. Has anyone tried to do this? We've a need to run GRE tunnels for a URL filtering solution at our Head Office from outside the firewall, and policy routing + GRE is the only way this can be set up with the upstream vendor. [Pretty sure policy routing is not supported on this platform yet also but confirmation of this would be good as well]. Thanks, Reuben ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/