Re: [c-nsp] unicast storm
On 04/19/2012 05:00 AM, ujjwal maghaiya wrote:
> Could anyone tell to me the possible cases of UNICAST STORM.

One common cause is a host that receives a lot of traffic, but doesn't send it - e.g. a syslog server. If the ARP timeout is > FDB timeout, when the FDB timeout expires, the packets will be flooded as unknown-unicast.

Either:

1. Cause the host to emit traffic
2. Lower the ARP time to < FDB timeout

Similar things can occur in HSRP setups on the standby router/switch.

If you can be a bit more specific about the symptoms you're seeing, people can probably make better suggestions.

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] IP Source Guard and Smartlog on 3750s
Hi,

I'm looking at implementing IPSG on our 3750s. This is a test which stops a host using a port unless its mac-address/host-address match the ip dhcp snooping table. This works fine. IOS is 15.0(1)SE2. The specific hardware is Catalyst 3750G-24PS.

My problem is that I want to be alerted when there is a violation. You can't configure traps for IPSG, and there is no syslog entry (from which I could use EEM to generate a trap). The only method offered by the IOS is to use 'smartlog' which sends specially-formatted netflow-v9 messages to a specified collector. It is not possible to manually configure 'flexible netflow' on the 3750 – but I don't know if that would help anyway – except that I would be able to see the records on the switch without sending them to a collector.

I've tried a few different collectors – the only one I've found that understands the records is 'Scrutinizer'. It sees the record as an IPSG violation but provides nothing else except the vlan number. (What I would like is the interface and the offending ip/mac). Looking at the raw netflow data via nfcapd/nfdump confirms that the vlan is the only useful field that is sent.

I can't find any Cisco documentation on how to interpret the netflow records generated by SmartLog – what the format is; what collectors understand them etc. But if the record only contains the vlan then they are not much use anyway.

Any thoughts ?

Regards,
Martin
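The question in Martin's post is what a Smartlog NetFlow v9 record actually carries. The Python below is an added example, not code from the post and not Cisco's Smartlog format: a minimal NetFlow v9 collector-side parser plus a check of which fields the parsed records contain. The two packets are constructed here (a VLAN-only record like the one Martin saw in nfdump, and a record that would identify the offending host); the real Smartlog template is not documented on the page and is not reproduced. Field type numbers are the standard ones from RFC 3954.

```python
"""Added example (not Cisco's Smartlog format, not code from the post): parse a
NetFlow v9 export and report which fields its records do and do not carry.
Packets below are constructed for illustration."""
import struct

# Field type ids from RFC 3954 section 8 (only the ones used here)
FIELD_NAMES = {8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 12: "IPV4_DST_ADDR",
               56: "IN_SRC_MAC", 58: "SRC_VLAN"}
# What an operator would need to act on an IPSG violation record
WANTED = {"IPV4_SRC_ADDR", "IN_SRC_MAC", "INPUT_SNMP"}


def build_v9_packet(template_id, fields, records, source_id=0):
    """Constructed exporter side: one template flowset followed by one data
    flowset. fields = [(type_id, length)], records = [[raw bytes per field]]."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl      # flowset id 0 = template
    data = b"".join(b"".join(rec) for rec in records)
    pad = (-(4 + len(data))) % 4                               # pad to a 32-bit boundary
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(records), 123456, 1334800000, 1, source_id)
    return header + tmpl_fs + data_fs


def parse_v9(packet, templates=None):
    """Collector side. Returns (templates, records); records are dicts of
    field name -> raw bytes. `templates` survives across packets in a real
    collector, because data may arrive before its template."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                       # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                fields = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                                   # data flowset
            fields = templates.get((source_id, fs_id))
            if fields:                                       # unknown template: skip flowset
                rec_len = sum(l for _, l in fields)
                p = 0
                while rec_len and len(body) - p >= rec_len:
                    if len(body) - p < 4 and not any(body[p:]):
                        break                                # trailing zero bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"TYPE_{ftype}")] = body[p:p + flen]
                        p += flen
                    records.append(rec)
        # fs_id 1 (options template) and other ids are ignored in this example
        off += fs_len
    return templates, records


def decode(rec):
    """Human-readable values for the fields this example knows about."""
    out = {}
    for name, raw in rec.items():
        if name in ("IPV4_SRC_ADDR", "IPV4_DST_ADDR"):
            out[name] = ".".join(str(b) for b in raw)
        elif name == "IN_SRC_MAC":
            out[name] = ":".join(f"{b:02x}" for b in raw)
        else:
            out[name] = int.from_bytes(raw, "big")
    return out


def missing_fields(records):
    """Fields from WANTED that no parsed record carries."""
    present = set().union(*(r.keys() for r in records)) if records else set()
    return sorted(WANTED - present)


# Constructed samples: a VLAN-only record (the situation described in the post)
# and a record that would actually identify the offending host.
VLAN_ONLY = build_v9_packet(256, [(58, 2)],
                            [[struct.pack("!H", 120)], [struct.pack("!H", 120)]])
RICH = build_v9_packet(257, [(58, 2), (10, 2), (8, 4), (56, 6)],
                       [[struct.pack("!H", 120), struct.pack("!H", 7),
                         bytes([10, 0, 120, 55]), bytes.fromhex("001122334455")]])

if __name__ == "__main__":
    for name, pkt in (("vlan-only", VLAN_ONLY), ("rich", RICH)):
        _, recs = parse_v9(pkt)
        print(name, [decode(r) for r in recs], "missing:", missing_fields(recs))
```

Run against a pcap of real Smartlog exports (after extracting the UDP payloads), `missing_fields` gives a quick answer to whether the template contains anything beyond the VLAN before time is spent on collector tuning.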
Re: [c-nsp] unicast storm
On (2012-04-19 08:26 +0100), Phil Mayers wrote:
> 1. Cause the host to emit traffic
> 2. Lower the ARP time to < FDB timeout

ACK. 4h is brutally long as default in IOS, some other options:

FreeBSD:
sysctl net.link.ether.inet.max_age
net.link.ether.inet.max_age: 1200

Linux:
% sysctl net.ipv4.neigh.eth0.gc_stale_time
net.ipv4.neigh.eth0.gc_stale_time = 60

OSX: (not sure if it actually uses/honors this)
% sysctl net.link.ether.inet.max_age
net.link.ether.inet.max_age: 1200

Windows appears to have had 2min but has since decreased to random sub minute.

So the syslog server would need to be not linux and not windows to cause problems.

JunOS seems to have 1200s ish, but randomized bit (after clear arp, I'm seeing 1100s through 1500s)

I would encourage BSD core team to change the default to below 5min. If both windows and linux can live at 1min or less, I think it's fairly proven that it works in real-life. Hopefully fix would propagate to JunOS and OSX too.

One less common and tricky storm can occur if you have L2 metroring to which you've attached two PE routers. When some CPE dies in the metro ring, ARP will of course remain there for 4h. So PE will happily send frame to metro, where it'll get flooded to all ports. Now if the CPE which went down was redundantly terminated to both PE, the backup PE will receive it, and as it sees best path via BGP (instead of local) it'll send it over core back to the primary PE, causing loop. Obviously the DMAC isn't for the backup PE, so this situation will only arise if you are running your interface in promisc mode. Not all routers have VLAN specific promisc mode, so configuring one L2VPN (xconnect), might cause all vLANs to receive all DMACs.

--
  ++ytti
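The mechanism Phil and ytti describe (ARP lifetime on the sender longer than the switch's MAC-table aging, receive-only host, unknown-unicast flooding) is easy to reproduce in a model. The Python below is an added example, not code from either post: a switch that ages out MAC entries, a client that refreshes its ARP entry on a fixed timer, and a syslog server that only ever transmits when it answers ARP. The ARP defaults table uses the values ytti quotes; the 300 s FDB aging time, the 10 s log interval and the MAC addresses are constructed assumptions.

```python
"""Added example (not part of the cisco-nsp thread): model of the ARP-timeout vs
FDB-aging interaction that turns a receive-only host into an unknown-unicast flood.
All timers are in seconds; topology and traffic pattern are constructed."""
from dataclasses import dataclass, field

# Default ARP/neighbour lifetimes quoted in the thread (seconds). Windows is
# described there as "random sub minute" and is left out of the table.
OS_ARP_DEFAULTS = {"IOS": 4 * 3600, "FreeBSD": 1200, "OSX": 1200, "JunOS": 1200, "Linux": 60}

# Assumption: a common switch default for MAC-table aging (300 s on Catalyst)
DEFAULT_FDB_AGING = 300
BROADCAST = "ff:ff:ff:ff:ff:ff"


def at_risk(fdb_aging=DEFAULT_FDB_AGING):
    """OSes whose default ARP lifetime exceeds the switch aging time: a sender
    running one of these keeps sending to a receive-only host after the switch
    has forgotten where that host is."""
    return sorted(name for name, arp in OS_ARP_DEFAULTS.items() if arp > fdb_aging)


@dataclass
class Switch:
    aging: int                                   # FDB (MAC table) aging time
    ports: dict                                  # mac -> port number (physical wiring)
    fdb: dict = field(default_factory=dict)      # mac -> time last seen as a source
    flooded: int = 0                             # unknown-unicast frames flooded

    def forward(self, now, src, dst):
        """Learn src, then return the list of egress ports for dst."""
        self.fdb[src] = now
        if dst == BROADCAST:
            return sorted(p for m, p in self.ports.items() if m != src)
        last = self.fdb.get(dst)
        if last is None or now - last > self.aging:
            self.fdb.pop(dst, None)              # aged out: treat as unknown unicast
            self.flooded += 1
            return sorted(p for m, p in self.ports.items() if m != src)
        return [self.ports[dst]]


def simulate(arp_timeout, fdb_aging=DEFAULT_FDB_AGING, duration=3600, interval=10):
    """A client sends one syslog message every `interval` s for `duration` s.
    Returns how many of those unicast frames were flooded to every port."""
    client, server, other = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    sw = Switch(aging=fdb_aging, ports={client: 1, server: 2, other: 3})
    arp_learned = None
    flooded_logs = 0
    for now in range(0, duration, interval):
        if arp_learned is None or now - arp_learned >= arp_timeout:
            # ARP request (broadcast) and reply: the reply is the only frame the
            # server ever sends, and it is what refreshes the server's FDB entry.
            sw.forward(now, client, BROADCAST)
            sw.forward(now, server, client)
            arp_learned = now
        if len(sw.forward(now, client, server)) > 1:
            flooded_logs += 1
    return flooded_logs


if __name__ == "__main__":
    for os_name, arp in OS_ARP_DEFAULTS.items():
        print(f"{os_name:8s} arp={arp:6d}s  flooded log frames in 1h: {simulate(arp)}")
    print("at risk with 300 s FDB aging:", at_risk())
```

With the IOS default the server's entry ages out after five minutes and every later log frame is flooded until the next ARP refresh four hours away; with the Linux default the ARP refresh keeps the entry alive and nothing is flooded, which is the point ytti makes about Linux and Windows hosts.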
Re: [c-nsp] router does not see IGMP joins
Hitesh Vinzoda wrote:
>> It seems that the problem disappeared after the host sending IGMP joins was moved from a hub (10BASE-T HD) to a switch (100BASE-T FD). I am still confused about the possible cause of the problem.
>
> Is PIM enabled on that interface ?

I posted the output of "sh ip igmp interface fastEthernet 0/0" here https://puck.nether.net/pipermail/cisco-nsp/2012-March/084031.html as you probably remember. It says "Multicast routing is enabled on interface". If PIM were not enabled on the interface, how could moving the host from a hub to a switch (without any changes in the router configuration) have solved the problem?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
[c-nsp] IPsec from Linux to Cisco dynamic-map?
Hello!

I'm trying to configure an IPsec star network with a couple of Linux boxes connecting to a central IOS router using dynamic-map. The Linux boxes all get their public IP addresses from DHCP, so the IOS router must use only dynamic peering for this IPsec network.

The IOS router I'm testing with is an old 2621 running c2600-ik9o3s3-mz.123-23. The Linux boxes run Busybox v1.0.5, with IPSec-tools 0.7.

I have this configuration in the router:

crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp profile L2L
   keyring spokes
   match identity address 0.0.0.0
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 set pfs group5
 set isakmp-profile L2L
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 crypto map mymap

Phase 1 seems ok, but then I get this in the Cisco debug:

IPSEC(initialize_sas): invalid proxy IDs

I have tried changing several IPsec parameters (encr, hash, group, transform-set, pfs, lifetime) both in Cisco and Linux but I always end up with the invalid proxy IDs error, and the information I find about this error is that it could be a mismatch between peering acl:s. But since the router uses dynamic peering I don't have a peering acl in the router. I have tried both 10.1.1.0/24 and 10.1.1.1/24 as Remote Network in the Linux.

In my google attempts I found some sample configurations between Cisco and Linux, but unfortunately none using dynamic-map.

Anyone knows what could be wrong, or how to better debug it?

Thanks!

--
Peter Olsson p...@leissner.se
Re: [c-nsp] L3VPN works, but not default route
As a continuation of this thread/task, I now have the default route from my dual core ce-pe hubs, thanks to you all :)

...and now shown below is some output from one of my other pe's further out into the edge of my network...it seems that it is rcv'ing the dual default routes from the dual ce/pe core hubs, but now I'm wanting to allow BOTH default routes into the rib to allow for the typical cef src/dst hashing for load balancing between both pe next hops 10.101.0.1 and 10.101.0.2. Let me know what you think please on how to accomplish this.

Aaron

test-me3600#sh bgp vpnv4 u rd 10.101.0.1:1 0.0.0.0
BGP routing table entry for 10.101.0.1:1:0.0.0.0/0, version 9620
Paths: (1 available, best #1, no table)
  Not advertised to any peer
  Local
    10.101.0.1 (metric 4) from 10.101.0.1 (10.101.0.1)
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:100:1 OSPF RT:0.0.0.0:5:1 OSPF ROUTER ID:1.1.191.17:0
      mpls labels in/out nolabel/16238

test-me3600#sh bgp vpnv4 u rd 10.101.0.2:1 0.0.0.0
BGP routing table entry for 10.101.0.2:1:0.0.0.0/0, version 11522
Paths: (1 available, best #1, no table)
  Not advertised to any peer
  Local
    10.101.0.2 (metric 3) from 10.101.0.2 (10.101.0.2)
      Origin incomplete, metric 1, localpref 100, valid, internal, best
      Extended Community: RT:100:1 OSPF RT:0.0.0.0:5:1 OSPF ROUTER ID:1.1.191.21:0
      mpls labels in/out nolabel/16220

test-me3600#sh ip ro vrf one 0.0.0.0
Routing Table: one
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 64512", distance 200, metric 1, candidate default path, type internal
  Last update from 10.101.0.2 16:33:17 ago
  Routing Descriptor Blocks:
  * 10.101.0.2 (default), from 10.101.0.2, 16:33:17 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0
      MPLS label: 16220
      MPLS Flags: MPLS Required

test-me3600#sh run | sec router bgp
router bgp 64512
 bgp router-id 10.101.12.253
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 10.101.0.1 remote-as 64512
 neighbor 10.101.0.1 update-source Loopback0
 neighbor 10.101.0.2 remote-as 64512
 neighbor 10.101.0.2 update-source Loopback0
 neighbor 10.101.0.4 remote-as 64512
 neighbor 10.101.0.4 update-source Loopback0
 neighbor 10.101.8.2 remote-as 64512
 neighbor 10.101.8.2 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.101.0.1 activate
  neighbor 10.101.0.1 send-community extended
  neighbor 10.101.0.2 activate
  neighbor 10.101.0.2 send-community extended
  neighbor 10.101.0.4 activate
  neighbor 10.101.0.4 send-community extended
  neighbor 10.101.8.2 activate
  neighbor 10.101.8.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf one
  redistribute connected
 exit-address-family
test-me3600#
Re: [c-nsp] L3VPN works, but not default route
You will need a unique RD per PE, to allow multiple VPN routes to be discriminated.

You also need to enable maximum-paths for the bgp vrf context:

PE1:
vrf definition <vrf>
 rd <rd1>
 route-target both <RT>
end

PE2:
vrf definition <vrf>
 rd <rd2>
 route-target both <RT>
end

router bgp <AS>
 address-family ipv4 vrf <vrf>
  maximum-paths eibgp 2 import 2
 exit-address-family
 address-family ipv6 vrf <vrf>
  maximum-paths eibgp 2 import 2
 exit-address-family
end

Tim:

On Thu, Apr 19, 2012 at 9:39 AM, Aaron aar...@gvtc.com wrote:
> As a continuation of this thread/task, I now have the default route from my dual core ce-pe hubs, thanks to you all :) ...and now shown below is some output from one of my other pe's further out into the edge of my network...it seems that it is rcv'ing the dual default routes from the dual ce/pe core hubs, but now I'm wanting to allow BOTH default routes into the rib to allow for the typical cef src/dst hashing for load balancing between both pe next hops 10.101.0.1 and 10.101.0.2. Let me know what you think please on how to accomplish this.
>
> [...]

--
Tim:
Re: [c-nsp] L3VPN works, but not default route
> As a continuation of this thread/task, I now have the default route from my dual core ce-pe hubs, thanks to you all :) ...and now shown below is some output from one of my other pe's further out into the edge of my network...it seems that it is rcv'ing the dual default routes from the dual ce/pe core hubs, but now I'm wanting to allow BOTH default routes into the rib to allow for the typical cef src/dst hashing for load balancing between both pe next hops 10.101.0.1 and 10.101.0.2. Let me know what you think please on how to accomplish this.

assuming you can see both defaults in your "show ip bgp vpnv4 vrf one 0.0.0.0" and both , you theoretically only need to enable iBGP multipath:

router bgp 64512
 address-family ipv4 vrf one
  maximum-paths ibgp 2

however as your metric to the two PEs is different (at least in your lab), you need to use "maximum-paths eibgp 2", as eiBGP-load-sharing will ignore the IGP metric to the egress PE and will install both paths in your RIB..

oli
[c-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour
Hello,

this week we had an attack directly against one of our XMR (UDP packets to a transfer network IP). I was looking for a CoPP equivalent and found the IP Receive ACLs feature.

In the sample case where I block all UDP and allow everything else, I would use that config here according to the manual:

access-list 101 remark BLOCK_UDP
access-list 101 deny udp any any
access-list 102 remark ALLOW_ANYTHING_ELSE
access-list 102 permit ip any any
ip receive access-list 101 sequence 5
ip receive access-list 102 sequence 10

Manual says that default policy is "deny ip any any" (applied after last rule). I am wondering what exactly is matched by "ip" because other protocols are not mentioned. Is "ip" an equivalent for ipv4 or more some kind of "any" in an extended access list ? Does the above config work or do I need a standard access list like "access-list 50 permit any" at the end ?

Does anybody maybe already have a known-to-work config for 0815 usage (BGP, OSPF, VRRP) ?

kind regards
Rolf
Re: [c-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour
Sorry, wrong list, should go to foundry-nsp ;)

> Hello,
>
> this week we had an attack directly against one of our XMR (UDP packets to a transfer network IP). I was looking for a CoPP equivalent and found the IP Receive ACLs feature.
>
> [...]
Re: [c-nsp] unicast storm
On Wed, Apr 18, 2012 at 09:00:41PM -0700, ujjwal maghaiya wrote:
> Could anyone tell to me the possible cases of UNICAST STORM.

Improperly configured vSphere hosts with vMotions going on... Solaris boxes with multiple interfaces on the same subnet/switch... improperly configured clusters (Microsoft). Just a few we have encountered.

Ray
[c-nsp] IP-FORWARD-MIB from RFC 2096 on ASA etc.
From what I've been able to determine Cisco has no plans to expose the routing table via SNMP from the ASA platform. Does anyone in the community have a bug or feature request open with TAC for this? Maybe a bit of customer demand would help persuade them.

Aled
Re: [c-nsp] L3VPN works, but not default route
Thanks so much, y'all are great.

I do already have the unique RD's on all pe's. I do not have the max paths...i tested that yesterday and it didn't seem to work, I think it's because I only used the "maximum-paths 2" without those other iebgp things

looks good now.

maximum-paths ibgp 2 - didn't work
maximum-paths ibgp unequal-cost 2 - worked

(this is a different pe, but similar in its use, in other words it's not one of those core dual pe's i mentioned)

me3600(config)#router bgp 65000
me3600(config-router)#address-family ipv4 vrf one
me3600(config-router-af)#maximum-paths ibgp unequal-cost 2
me3600(config-router-af)#do sh ip ro vrf one 0.0.0.0
Routing Table: one
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 65000", distance 200, metric 1, candidate default path, type internal
  Last update from 10.101.0.1 00:00:01 ago
  Routing Descriptor Blocks:
  * 10.101.0.2 (default), from 10.101.0.2, 00:00:01 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0
      MPLS label: 16220
      MPLS Flags: MPLS Required
    10.101.0.1 (default), from 10.101.0.1, 00:00:01 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0
      MPLS label: 16238
      MPLS Flags: MPLS Required
me3600(config-router-af)#

-----Original Message-----
From: Tim Durack [mailto:tdur...@gmail.com]
Sent: Thursday, April 19, 2012 8:58 AM
To: Aaron
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] L3VPN works, but not default route

You will need a unique RD per PE, to allow multiple VPN routes to be discriminated.

You also need to enable maximum-paths for the bgp vrf context:

[...]
[c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
Dear List,

I have a Cisco 2811 with IOS (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T

Our Provider told us that we had a traffic volume of 300GB last month, but the interface counters do not reflect these values:

I am curious if the reported volume should be reflected in the out/input bytes.

When I am looking at the counters of the interface which is connected to the Provider Router, the following values are shown:

     1089368953 packets input, 744025984 bytes
     970733443 packets output, 3196131116 bytes

I searched the Open/Resolved Caveats document, but couldn't find anything related.
http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.pdf

So my question is: Shouldn't they be at least somewhat near the reported volume? Or am I missing something (maybe very basic) here? Or are the counters just broken?

Unfortunately, I do not have any other possibility to verify the volume (I know this is bad and will be changed).

Any pointers to documents or something else are highly appreciated.

Thanks for your time.

Kind regards,
Peter
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
Could be a bunch of reasons. Were the counters cleared at the time when the provider's time of measure started? Did the router reboot or were the counters cleared since? These counters are either a 32 or 64 bit counter. They do occasionally wrap and start over at 0, pretty frequent on 32 bit counters.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Subnovic
Sent: Thursday, April 19, 2012 12:43 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811

Dear List,

I have a Cisco 2811 with IOS (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T

Our Provider told us that we had a traffic volume of 300GB last month, but the interface counters do not reflect these values:

[...]
Re: [c-nsp] L3VPN works, but not default route
I didn't have to use import, and they still came into vrf. ? any idea why?

maximum-paths ibgp 2 - didn't work
maximum-paths ibgp unequal-cost 2 - worked

me3600(config)#router bgp 65000
me3600(config-router)#address-family ipv4 vrf one
me3600(config-router-af)#maximum-paths ibgp unequal-cost 2
me3600(config-router-af)#do sh ip ro vrf one 0.0.0.0
Routing Table: one
Routing entry for 0.0.0.0/0, supernet
  Known via "bgp 65000", distance 200, metric 1, candidate default path, type internal
  Last update from 10.101.0.1 00:00:01 ago
  Routing Descriptor Blocks:
  * 10.101.0.2 (default), from 10.101.0.2, 00:00:01 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0
      MPLS label: 16220
      MPLS Flags: MPLS Required
    10.101.0.1 (default), from 10.101.0.1, 00:00:01 ago
      Route metric is 1, traffic share count is 1
      AS Hops 0
      MPLS label: 16238
      MPLS Flags: MPLS Required

Aaron
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
Chuck Church wrote:
> Could be a bunch of reasons. Were the counters cleared at the time when the provider's time of measure started? Did the router reboot or were the counters cleared since? These counters are either a 32 or 64 bit counter. They do occasionally wrap and start over at 0, pretty frequent on 32 bit counters.

If the interface counters were cleared, might consider looking at the SNMP counters as they do not get cleared except on reboot. They can wrap, however, just like the interface counters.

--
= bep
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
Thanks Chuck, Bruce and James for your replies,

I did clear the counters 6 weeks ago (near the beginning of March) while I was troubleshooting another issue. The router was not rebooted for 15 weeks.

Thanks for the hint that the counters are (most probably) 32-bit counters, although the 3 Billion bytes reported as output should fit in the counter.

Guess I'll have to live with it and need to implement a better approach to track this stuff.

Cheers,
Peter

On Thu, Apr 19, 2012 at 7:05 PM, Chuck Church chuckchu...@gmail.com wrote:
> Could be a bunch of reasons. Were the counters cleared at the time when the provider's time of measure started? Did the router reboot or were the counters cleared since? These counters are either a 32 or 64 bit counter. They do occasionally wrap and start over at 0, pretty frequent on 32 bit counters.
>
> Chuck
>
> [...]
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
32bit counters would wrap at 4.29GB so it would never get to 300GB. As far as I know most newer devices have 64 bit counters, but I could be mistaken. The last update I could find on cisco.com was from 2007. It would be pretty stupid to have gigabit interfaces on a device with counters that wrap at about 33Gb. The show int command should show the last time the counters were cleared. Even less likely is they are counting in bits and not bytes.

I would want to see this kind of data come from a monitoring platform of some sort. If you don't have graphs I would ask for data from the vendor's billing/polling servers.

2012/4/19 Peter Subnovic cnspmail...@googlemail.com
> Dear List,
>
> I am having a Cisco 2811 with IOS (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T.
>
> Our Provider told us that we had a traffic volume of 300GB last month, but the interface counters do not reflect these values. I am curious if the reported volume should be reflected in the out/input bytes.
>
> When I am looking at the counters of the interface which is connected to the Provider Router, the following values are shown:
>
>     1089368953 packets input, 744025984 bytes
>     970733443 packets output, 3196131116 bytes
>
> I searched the Open/Resolved Caveats document, but couldn't find anything related.
> http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.pdf
>
> So my question is: Shouldn't they be at least somewhat near the reported volume? Or am I missing something (maybe very basic) here? Or are the counters just broken?
>
> Unfortunately, I do not have any other possibility to verify the volume (I know this is bad and will be changed). Any pointers to documents or something else are highly appreciated.
>
> Thanks for your time.
>
> Kind regards,
> Peter
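The replies above turn on counter width and wrap time. As an added illustration (mine, not from any poster), the following works that arithmetic: how long a 32- or 64-bit octet counter lasts at a given line rate, how to take a wrap-safe delta between two polls, and what a counter that has wrapped unnoticed ends up showing. Sample counter values are constructed; the 2811's counter width is assumed to be 32 bits, as the replies suggest.

```python
# Added example: 32-bit vs 64-bit interface octet counters.
# A 32-bit counter width is an assumption taken from the replies above.

def wrap_seconds(bits_per_second: float, width: int = 32) -> float:
    """Seconds until an octet counter of `width` bits wraps at line rate."""
    return (2 ** width) * 8 / bits_per_second

def counter_delta(prev: int, cur: int, width: int = 32) -> int:
    """Octets counted between two polls, tolerating at most one wrap.

    A second wrap inside the poll interval is invisible: the result is
    then too small by a whole multiple of 2**width.
    """
    return (cur - prev) % (2 ** width)

def accumulate(samples: list[int], width: int = 32) -> int:
    """Total octets over a poll series of raw counter readings.

    Only correct if polls are closer together than wrap_seconds() at peak rate.
    """
    return sum(counter_delta(a, b, width) for a, b in zip(samples, samples[1:]))

def visible_after_wraps(total_octets: int, width: int = 32) -> int:
    """What a counter read only once shows after `total_octets` have passed."""
    return total_octets % (2 ** width)

def wraps_missed(total_octets: int, width: int = 32) -> int:
    """How many full wraps disappear when the counter is read only once."""
    return total_octets // (2 ** width)

def poll_interval_ok(interval_s: float, bits_per_second: float, width: int = 32) -> bool:
    """True if polling every `interval_s` seconds can never miss a wrap."""
    return interval_s < wrap_seconds(bits_per_second, width)

if __name__ == "__main__":
    for width in (32, 64):
        print(f"{width}-bit counter wraps after {wrap_seconds(1e9, width):.1f} s at 1 Gbit/s")
    # Constructed: a counter that wrapped once between two polls.
    print("delta across one wrap:", counter_delta(4_000_000_000, 100))
    # A claimed 300 GB month seen through a 32-bit counter read only once:
    total = 300_000_000_000
    print(wraps_missed(total), "wraps lost, counter shows", visible_after_wraps(total))
```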
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
Peter Subnovic wrote:
> Thanks Chuck, Bruce and James for your replies,
>
> I did clear the counters 6 weeks ago (near the beginning of March) while I was troubleshooting another issue. The router was not rebooted for 15 weeks.
>
> Thanks for the hint that the counters are (most probably) 32-bit counters, although the 3 billion bytes reported as output should fit in the counter.
>
> Guess I'll have to live with it and need to implement a better approach to track this stuff.

I would recommend using Netflow and export to a Netflow collector. We used that to measure utilization for billing purposes at one company I worked at.

--
= bep
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
2012/4/19 Peter Subnovic cnspmail...@googlemail.com
> Thanks Chuck, Bruce and James for your replies,
>
> I did clear the counters 6 weeks ago (near the beginning of March) while I was troubleshooting another issue. The router was not rebooted for 15 weeks.
>
> Thanks for the hint that the counters are (most probably) 32-bit counters, although the 3 billion bytes reported as output should fit in the counter.

Was it 3GB or 300GB? 300GB would not fit in a 32 bit counter.
Re: [c-nsp] L3VPN works, but not default route
Aaron wrote:
> I didn't have to use import, and they still came into vrf. ? any idea why?

With unique RD, each route advertised by each PE is considered a separate prefix with a different nexthop. So, bestpath is run for each of those unique RD/Prefixes and the bestpath is then imported into the VRF. maximum-paths only comes into play when you have more than one nexthop for each unique RD/prefix (such as when you have redundant RRs).

--
= bep
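As an added illustration of the bestpath-per-RD:prefix reasoning above (my toy model, not code from any poster or from IOS), the following simulates two PEs originating the same prefix with unique and with shared RDs, reflected by one or two route reflectors. RD, RT and next-hop values are constructed, and the bestpath rule is simplified to local-pref then lowest next-hop.

```python
# Added example (not from the thread): a toy model of VPNv4 route handling
# showing why unique RDs give the importing PE every PE's path, while a
# shared RD leaves only the reflector's single bestpath. All values constructed.
import ipaddress
from collections import defaultdict

def route(rd, prefix, nexthop, rt="65000:100", lp=100):
    return {"rd": rd, "prefix": prefix, "nexthop": nexthop, "rt": {rt}, "lp": lp}

def bestpath(paths):
    """Simplified BGP bestpath: highest local-pref, then lowest next-hop."""
    return max(paths, key=lambda p: (p["lp"], -int(ipaddress.ip_address(p["nexthop"]))))

def group_by_nlri(paths):
    """VPNv4 NLRI is RD:prefix, so the same prefix under two RDs is two NLRI."""
    groups = defaultdict(list)
    for p in paths:
        groups[(p["rd"], p["prefix"])].append(p)
    return groups

def rr_reflect(paths):
    """A route reflector reflects only its own bestpath per NLRI."""
    return [bestpath(ps) for ps in group_by_nlri(paths).values()]

def pe_import(received, import_rt):
    """Receiving PE: bestpath per NLRI, then import into the VRF on RT match.

    Returns prefix -> sorted list of next-hops now usable in the VRF."""
    vrf = defaultdict(set)
    for (_rd, prefix), ps in group_by_nlri(received).items():
        best = bestpath(ps)
        if import_rt in best["rt"]:
            vrf[prefix].add(best["nexthop"])
    return {k: sorted(v) for k, v in vrf.items()}

def vrf_via_rrs(originated, rr_count=2, import_rt="65000:100"):
    """Each RR reflects independently; the PE receives rr_count copies per NLRI."""
    received = [p for _ in range(rr_count) for p in rr_reflect(originated)]
    return pe_import(received, import_rt)

def paths_per_nlri(originated, rr_count=2):
    """Where maximum-paths matters: several paths for one RD:prefix."""
    received = [p for _ in range(rr_count) for p in rr_reflect(originated)]
    return {f"{rd} {pfx}": len(ps) for (rd, pfx), ps in group_by_nlri(received).items()}

# Constructed: two hub PEs originate the same customer prefix.
UNIQUE_RD = [route("65000:1", "10.0.0.0/24", "10.101.0.1"),
             route("65000:2", "10.0.0.0/24", "10.101.0.2")]
SHARED_RD = [route("65000:100", "10.0.0.0/24", "10.101.0.1"),
             route("65000:100", "10.0.0.0/24", "10.101.0.2")]
```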
Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811
Hi,

thanks again to all who replied, I appreciate it.

To answer your question: The reported volume from the ISP is 300GB, but the interface counter for output bytes is only showing 3 billion bytes (3GB) and input bytes are at around 750 MB in a timeframe of 6 weeks (just checked when the counters were cleared for the last time).

If you need any additional info, just ask.

Thanks again.

Cheers,
Peter

On Thu, Apr 19, 2012 at 8:34 PM, Keegan Holley keegan.hol...@sungard.com wrote:
> 2012/4/19 Peter Subnovic cnspmail...@googlemail.com
>> Thanks Chuck, Bruce and James for your replies,
>>
>> I did clear the counters 6 weeks ago (near the beginning of March) while I was troubleshooting another issue. The router was not rebooted for 15 weeks.
>>
>> Thanks for the hint that the counters are (most probably) 32-bit counters, although the 3 billion bytes reported as output should fit in the counter.
>
> Was it 3GB or 300GB? 300GB would not fit in a 32 bit counter.
Re: [c-nsp] New Cisco ME3400 IOS?
The new 12.2(58)EX is out there, can somebody please share experience with it?

Also would be great if someone can shed some light on what is actually considered an 'Enhanced QoS buffer management', since from the release notes
http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_58_ex/release/notes/ol24334.html
it seems like the queue size has magically gone up:

> Option to configure the queue size threshold in percentage terms. You can now specify different queue sizes in absolute (number of packets) or percentage terms for different classes of traffic in the same queue. The upper limit of the number of packets you can specify when configuring a queue limit is increased from 544 to 4272.

Is there a DOC describing how these queue size thresholds actually work on ME3400?

-pavel

On Fri, Mar 23, 2012 at 11:36 AM, Aled Morris al...@qix.co.uk wrote:
> On 23 March 2012 07:59, Tassos Chatzithomaoglou ach...@forthnetgroup.gr wrote:
>> Can you please provide more details about Enhanced QoS buffer management?
>
> Sometimes this is marketing speak for "now works (more) like the documentation claims it always did", i.e. fixed without admitting that the code was broken before.
>
> Aled
[c-nsp] converting mp-ibgp full mesh to dual redundant route reflectors
Is this normal/expected when converting from full mesh mp-ibgp to dual redundant rr's?

This is output from one of my pe's learning routes from my dual hub pe's (.1 and .2) (.4 and .8.2 are just two other pe's):

sh bgp vpnv4 u al sum
...
10.101.0.1   4 65000  2540  2700  11707  0  0  1d16h      150
10.101.0.2   4 65000  2454  2689  11707  0  0  1d16h      179
10.101.0.4   4 65000  2660  2929  11707  0  0  1d20h        1
10.101.8.2   4 65000  1451  1442  11707  0  0  21:41:46     3

Now after config'ing dual RR at dual hub pe's (.1 and .2) I see the following...

sh bgp vpnv4 u al sum
...
10.101.0.1   4 65000    40    18   6116  0  0  00:11:04   333
10.101.0.2   4 65000    35    13   6116  0  0  00:07:33   333

150 + 179 + 1 + 3 = 333

So is it normal to see all available routes *from both* of my rr's?

Also, is this the only thing needed on the rr side? I did this on both hub pe's (.1 and .2). I just want to make sure that adding the cluster id globally to bgp is the right thing to do. (I pretty much only use my pe's for vpnv4 mpls l3vpn ... currently not doing any ipv4 native between my pe's.)

router bgp 65000
 bgp cluster-id 1
commit

(of course also I specified on the two hub pe's that all my neighbors are route-reflector-client)

Aaron
[c-nsp] mac flapping on 6509 between core and fwsm
does anyone know what would cause this? po30 uplinks to a core router, and po579 is the internal etherchannel assignment for the fwsm. the fwsm is bridging. the 6509 is spanning-tree root for the vlan. vl1250 is the outside interface.

the mac in question is core router, configured as po30.1250. the core has numerous other subints configured the same way (so, same mac), but only this vlan reports the move, repeatedly.

%MAC_MOVE-SW1_SP-4-NOTIF: Host 0024.f716.5142 in vlan 1250 is flapping between port Po579 and port Po30

6509 vss is running 12.2(33)SXI6
fwsm is 4.1(7)

i have multiple fwsm contexts configured the exact same way (diff'd), and i don't see this issue.

appreciate any clues.

ryan
[c-nsp] When will SFP+ 10GBase-T optics be available?
I have hosts and storage arrays arriving that are coming with 10GBase-T ports onboard (and no SFP+ ports). This makes it very hard to hook to my SFP+ *only* switches. ;-)

My research indicates that the lack of 10GBase-T SFP+ modules is likely due to the power consumption of 10 gig over copper being beyond what the SFP+ form factor allows?

So does anyone on the list know if/when a solution to this need will be arriving?

Thanks!

P.S. Perhaps optics is the wrong word since naturally 10GBase-T is not optical... But you get the idea. ;-)

-Eric

--
*Eric Rosenberry*
Sr. Infrastructure Architect // Chief Bit Plumber
Re: [c-nsp] mac flapping on 6509 between core and fwsm
I've seen events when server switch ports are not properly teamed, and physically connected to separate access layer switches.

Bridged interfaces ... find where the mac address is located.

On Thu, Apr 19, 2012 at 6:10 PM, ryanL ryan.lan...@gmail.com wrote:
> does anyone know what would cause this? po30 uplinks to a core router, and po579 is the internal etherchannel assignment for the fwsm. the fwsm is bridging. the 6509 is spanning-tree root for the vlan. vl1250 is the outside interface.
>
> the mac in question is core router, configured as po30.1250. the core has numerous other subints configured the same way (so, same mac), but only this vlan reports the move, repeatedly.
>
> %MAC_MOVE-SW1_SP-4-NOTIF: Host 0024.f716.5142 in vlan 1250 is flapping between port Po579 and port Po30
>
> 6509 vss is running 12.2(33)SXI6
> fwsm is 4.1(7)
>
> i have multiple fwsm contexts configured the exact same way (diff'd), and i don't see this issue.
>
> appreciate any clues.
>
> ryan

--
Mario Ruiz
Re: [c-nsp] mac flapping on 6509 between core and fwsm
--- On Thu, 4/19/12, Mario Ruiz mruiz...@gmail.com wrote:
> From: Mario Ruiz mruiz...@gmail.com
> Subject: Re: [c-nsp] mac flapping on 6509 between core and fwsm
> To: ryanL ryan.lan...@gmail.com
> Cc: cisco-nsp@puck.nether.net
> Date: Thursday, April 19, 2012, 5:14 PM
>
> I've seen events when server switch ports are not properly teamed, and physically connected to separate access layer switches.
>
> Bridged interfaces ... find where the mac address is located.
>
> On Thu, Apr 19, 2012 at 6:10 PM, ryanL ryan.lan...@gmail.com wrote:
>> does anyone know what would cause this? po30 uplinks to a core router, and po579 is the internal etherchannel assignment for the fwsm. the fwsm is bridging. the 6509 is spanning-tree root for the vlan. vl1250 is the outside interface.
>>
>> the mac in question is core router, configured as po30.1250. the core has numerous other subints configured the same way (so, same mac), but only this vlan reports the move, repeatedly.
>>
>> %MAC_MOVE-SW1_SP-4-NOTIF: Host 0024.f716.5142 in vlan 1250 is flapping between port Po579 and port Po30
>>
>> 6509 vss is running 12.2(33)SXI6
>> fwsm is 4.1(7)
>>
>> i have multiple fwsm contexts configured the exact same way (diff'd), and i don't see this issue.
>>
>> appreciate any clues.
>>
>> ryan

Who is reporting the mac-flaps - the 6509 with fwsm OR fwsm itself? It appears that you are seeing it on the 6509 that has the fwsm? If that is the case, then an arp-reply from host at 0024.f716.5142 is being seen via po30 and po579.

Why do you have po30 on the same vlan as fwsm's outside int? Can you post relevant portions of the config?

./Randy
Re: [c-nsp] mac flapping on 6509 between core and fwsm
On Thu, Apr 19, 2012 at 5:54 PM, Randy randy_94...@yahoo.com wrote:
> --- On Thu, 4/19/12, Mario Ruiz mruiz...@gmail.com wrote:
>
> Who is reporting the mac-flaps - the 6509 with fwsm OR fwsm itself? It appears that you are seeing it on the 6509 that has the fwsm? If that is the case, then an arp-reply from host at 0024.f716.5142 is being seen via po30 and po579.
>
> Why do you have po30 on the same vlan as fwsm's outside int? Can you post relevant portions of the config?
>
> ./Randy

the 6509 is basically our services layer. data center stuff. it has .1q trunks to the cores, where the cores in-turn pick up a .1q tag for the L3 subinterface. in this example, vl1250. vrrp is used between the two cores via the 6509.

the 6509 also has .1q trunks to our back-end routers. in this example, vl1251. the back-end routers do hsrp.

the fwsm in the 6509 bridges vl1250 and vl1251 in order to do transparent firewalling. pretty standard. vl1250 is outside, vl1251 is inside.

the 6509 is what is reporting the mac move, seeing it show up correctly on the uplink port to the core, and then seeing it show up incorrectly on the internal ec for the fwsm. the mac is the physical address of the core subint.

i'm wondering if the fwsm is doing some sort of random gratuitous or proxy arp. the fwsm, which essentially participates, sees the correct mac as an arp entry.

fwsm1/context removed# sh arp
outside ip removed 0024.f716.5142

i seem to have stopped the mac move messages by doing the following towards my cores (on the 6509).

mac-address-table static 0024.f716.3242 vlan 1250 interface Port-channel40
mac-address-table static 0024.f716.5142 vlan 1250 interface Port-channel30

not sure what, if anything, yet, that i'm breaking by doing this.

.rL
Re: [c-nsp] mac flapping on 6509 between core and fwsm
--- On Thu, 4/19/12, ryanL ryan.lan...@gmail.com wrote:
> From: ryanL ryan.lan...@gmail.com
> Subject: Re: [c-nsp] mac flapping on 6509 between core and fwsm
> To: Randy randy_94...@yahoo.com
> Cc: Mario Ruiz mruiz...@gmail.com, cisco-nsp@puck.nether.net
> Date: Thursday, April 19, 2012, 6:58 PM
>
> On Thu, Apr 19, 2012 at 5:54 PM, Randy randy_94...@yahoo.com wrote:
>> --- On Thu, 4/19/12, Mario Ruiz mruiz...@gmail.com wrote:
>>
>> Who is reporting the mac-flaps - the 6509 with fwsm OR fwsm itself? It appears that you are seeing it on the 6509 that has the fwsm? If that is the case, then an arp-reply from host at 0024.f716.5142 is being seen via po30 and po579.
>>
>> Why do you have po30 on the same vlan as fwsm's outside int? Can you post relevant portions of the config?
>>
>> ./Randy
>
> the 6509 is basically our services layer. data center stuff. it has .1q trunks to the cores, where the cores in-turn pick up a .1q tag for the L3 subinterface. in this example, vl1250. vrrp is used between the two cores via the 6509.
>
> the 6509 also has .1q trunks to our back-end routers. in this example, vl1251. the back-end routers do hsrp.
>
> the fwsm in the 6509 bridges vl1250 and vl1251 in order to do transparent firewalling. pretty standard. vl1250 is outside, vl1251 is inside.
>
> the 6509 is what is reporting the mac move, seeing it show up correctly on the uplink port to the core, and then seeing it show up incorrectly on the internal ec for the fwsm. the mac is the physical address of the core subint.
>
> i'm wondering if the fwsm is doing some sort of random gratuitous or proxy arp. the fwsm, which essentially participates, sees the correct mac as an arp entry.
>
> fwsm1/context removed# sh arp
> outside ip removed 0024.f716.5142
>
> i seem to have stopped the mac move messages by doing the following towards my cores (on the 6509).
>
> mac-address-table static 0024.f716.3242 vlan 1250 interface Port-channel40
> mac-address-table static 0024.f716.5142 vlan 1250 interface Port-channel30
>
> not sure what, if anything, yet, that i'm breaking by doing this.
>
> .rL

Yes! It fixed your issue because of the static-L2-entries you put in place. It has not fixed the underlying cause!

What you were seeing is not related to proxy-arp OR Gratuitous-Arp (that is an un-solicited response per-se).

If you wish to get to the bottom of this, feel free to post off-line.

./Randy
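Whatever the root cause turns out to be, %MAC_MOVE notifications like the one in this thread are worth alerting on rather than silencing with static entries. As an added example (mine, not from any poster), the following parses such syslog lines, counts moves per VLAN/MAC inside a sliding window, and flags a pinned gateway MAC seen behind any port other than the one it belongs on. The sample lines, their timestamps and the second MAC are constructed; the expected-port table mirrors the static entries ryan posted.

```python
import re
from collections import defaultdict
from datetime import datetime
# Added example, not from the thread: parse %MAC_MOVE notifications and alert
# when a MAC keeps moving or appears behind a port it should never be on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d): %MAC_MOVE-\S+-4-NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$")
# Constructed sample lines (timestamps and the second MAC are made up), modelled
# on the single message quoted in the thread.
SAMPLE_LOG = """\
Apr 19 2012 17:58:01: %MAC_MOVE-SW1_SP-4-NOTIF: Host 0024.f716.5142 in vlan 1250 is flapping between port Po579 and port Po30
Apr 19 2012 17:58:31: %MAC_MOVE-SW1_SP-4-NOTIF: Host 0024.f716.5142 in vlan 1250 is flapping between port Po30 and port Po579
Apr 19 2012 17:59:02: %MAC_MOVE-SW1_SP-4-NOTIF: Host 0024.f716.5142 in vlan 1250 is flapping between port Po579 and port Po30
Apr 19 2012 18:05:10: %MAC_MOVE-SW1_SP-4-NOTIF: Host 0011.2233.4455 in vlan 1251 is flapping between port Gi1/1 and port Gi1/2
"""

# The core-router MACs pinned with static entries in the thread, and where they belong.
EXPECTED_PORT = {("1250", "0024.f716.5142"): "Po30",
                 ("1250", "0024.f716.3242"): "Po40"}

def parse_mac_moves(text):
    """One event per matching line: timestamp, (vlan, mac) key, the two ports."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "key": (m["vlan"], m["mac"]),
                           "ports": frozenset((m["p1"], m["p2"]))})
    return events

def rogue_ports(events, expected=EXPECTED_PORT):
    """For pinned MACs, every port they were seen on other than the expected one."""
    rogue = defaultdict(set)
    for e in events:
        want = expected.get(e["key"])
        if want:
            rogue[e["key"]].update(e["ports"] - {want})
    return {k: sorted(v) for k, v in rogue.items()}

def flap_alerts(events, threshold=3, window_s=120):
    """(vlan, mac) keys with at least `threshold` moves inside any `window_s` window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e["ts"])
    alerts = []
    for key, stamps in sorted(by_key.items()):
        stamps.sort()
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s
               for i in range(len(stamps) - threshold + 1)):
            alerts.append(key)
    return alerts
```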