Re: [c-nsp] questions regarding RSPAN on Catalyst 2950, 3550, 3560, 3750 and 4500 platforms

2012-10-02 Thread Saku Ytti
On (2012-10-02 03:02 +0300), Martin T wrote:

 1) First setup: http://i.imgur.com/XFCD8.png
 traffic captured in PE860 machine- only STP frames show up. VLAN 15

 2) Second setup: http://i.imgur.com/a3KjV.png
 PE860 sees only IPv6 traffic! Am I doing something wrong or is this

My first guess is PE860 is not in promiscuous mode and will only see
broadcast/multicast. 
Do the switch counters agree that production traffic is not sent out?

-- 
  ++ytti
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] questions regarding RSPAN on Catalyst 2950, 3550, 3560, 3750 and 4500 platforms

2012-10-02 Thread Martin T
Saku,

thank you for the reply! According to /var/log/messages and the kernel ring
buffer, eth0 enters promiscuous mode:

Oct  2 02:55:39 PE860 kernel: [7745928.328025] device eth0 entered
promiscuous mode
Oct  2 02:55:43 PE860 kernel: [7745931.459236] device eth0 left promiscuous mode


In addition, if I clear counters on WS-C3560G-24TS port Gi0/11 and
wait a few seconds I can see that the packets output counter of port
Gi0/11 (line protocol is down (monitoring)) increased by 11 packets and
at the same time I received 11 IPv6 packets (dhcp6 solicit, ICMP6
router advertisement, ICMP6 neighbor solicitation) in PE860.
ifconfig eth0 in PE860 confirmed that indeed only 11 RX packets
were received. Within a few seconds I should see dozens of packets
captured because VLAN 694 has 1Mbps of traffic.

Any other ideas?


thanks,
Martin


2012/10/2 Saku Ytti s...@ytti.fi:
 On (2012-10-02 03:02 +0300), Martin T wrote:

 1) First setup: http://i.imgur.com/XFCD8.png
 traffic captured in PE860 machine- only STP frames show up. VLAN 15

 2) Second setup: http://i.imgur.com/a3KjV.png
 PE860 sees only IPv6 traffic! Am I doing something wrong or is this

 My first guess is PE860 is not in promiscuous mode and will only see
 broadcast/multicast.
 Do the switch counters agree that production traffic is not sent out?

 --
   ++ytti


[c-nsp] Problem with a nat configuration.

2012-10-02 Thread Samuel Catheline
Hello, 

I have a NAT configuration problem. With a static NAT, I want to exclude from the
static NAT (192.168.10.1-217.112.66.70) the traffic to the subnet 10.0.13.0/24
and NAT this traffic with the Loopback1.
Is there an issue?

I have the following NAT configuration: 

interface Loopback1 
description  L3VPN_SERVICES VOICE 
ip address 172.16.4.76 255.255.255.255 

interface Vlan2 
description *** VLAN DATA 
ip address 192.168.10.253 255.255.255.0 
ip nat inside 

interface Dialer0 
bandwidth 256 
ip address negotiated 
ip nat outside 

ip nat translation tcp-timeout 5400 
no ip nat service sip udp port 5060 
ip nat inside source list L3VPN_SERVICES_VOICE interface Loopback1 overload 
ip nat inside source static 192.168.10.1 217.112.66.70 

ip access-list extended L3VPN_SERVICES_VOICE 
permit ip any 10.0.13.0 0.0.0.255 
deny ip any any 


PS: I'm working with a Cisco 877: 
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T12, 
RELEASE SOFTWARE (fc3) 





Regards, 


Samuel CATHELINE 


Re: [c-nsp] questions regarding RSPAN on Catalyst 2950, 3550, 3560, 3750 and 4500 platforms

2012-10-02 Thread Saku Ytti
On 2 October 2012 10:25, Martin T m4rtn...@gmail.com wrote:

 Any other ideas?

Not really, seems like your SPAN might not be doing anything at all.
Can you confirm this by removing SPAN config, leaving port just as
trunk, and see if you capture same set of packets?

-- 
  ++ytti


[c-nsp] L2 payload encryption -not p2p

2012-10-02 Thread Adam Vitkovsky
Hi
Can anyone recommend a device that could be placed inline between a server
and a switched infrastructure that would encrypt the L2 payload for
communication between two such servers (around 100 Mbps)?
I imagine one would need two such devices, one at each end (or maybe a NIC in
a server).
Or is the ASA capable of encryption in L2 transparent mode, please?

adam




Re: [c-nsp] L2 payload encryption -not p2p

2012-10-02 Thread Adam Vitkovsky
Yes, there's a lack of trust or control of the switched network.

adam
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andy Ellsworth
Sent: Tuesday, October 02, 2012 1:36 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] L2 payload encryption -not p2p

On Tue, Oct 2, 2012 at 6:07 AM, Adam Vitkovsky
adam.vitkov...@swan.skwrote:

 Can anyone recommend a device that could be placed inline between a
 server and a switched infrastructure that would encrypt the L2 payload for
 communication between two such servers (around 100 Mbps)? I imagine one
 would need two such devices, one at each end (or maybe a NIC in a
 server). Or is the ASA capable of encryption in L2 transparent mode, please?


What about Cisco TrustSec? Or is the problem that you don't trust/control
the switched network?


Re: [c-nsp] asymmetrical performance inside core

2012-10-02 Thread Tim Densmore

On 10/01/2012 10:31 PM, Mikael Abrahamsson wrote:

On Mon, 1 Oct 2012, Tim Densmore wrote:

Stab in the dark, but have you verified you don't have a duplex 
mismatch anywhere?  IME, they can look exactly like that.


I seriously doubt you'd be able to get 30 megabit/s over somewhere 
with a duplex mismatch. My testing was done 7-8 years ago so things 
might have improved regarding TCP congestion algorithms, but I doubt 
it'd make that much of a difference. My experience is/was that with a 
duplex mismatch and 10 or 100 megabit, you seldom got more than around 
2 megabit/s of effective throughput using TCP.


Fair enough.  IME, recently on 100m eth with dup mismatch, I've easily 
been able to pass 30+ mbps one direction, but only 3 - 6 mbps in the 
other while there was live traffic on it - flash test, iperf, udp, tcp, 
etc.  I'm not super hip on duplex mismatches, but my understanding is 
they always tend to affect one direction more than the other, especially 
in scenarios where you have a large push or pull bias on a link.  That 
said, like I said, it was a total stab in the dark since the OP has 
revealed very little about what his network is comprised of, only that 
he had severe speed mismatches showing up via speedtests.  We know it 
contains radio but not even the brand.  And core + radio usually 
leads me to expect mikrotik + ubiquiti these days, not cisco,  but I may 
be spending too much time reading wisp lists.



TD


Re: [c-nsp] Problem with a nat configuration.

2012-10-02 Thread Curtis LaMasters
On Tue, Oct 2, 2012 at 2:04 AM, Samuel Catheline scathel...@afone.comwrote:

 Hello,

 I have a NAT configuration problem. With a static NAT, I want to exclude from
 the static NAT (192.168.10.1-217.112.66.70) the traffic to the subnet
 10.0.13.0/24 and NAT this traffic with the Loopback1.
 Is there an issue?

 I have the following NAT configuration:

 interface Loopback1
 description  L3VPN_SERVICES VOICE
 ip address 172.16.4.76 255.255.255.255

 interface Vlan2
 description *** VLAN DATA
 ip address 192.168.10.253 255.255.255.0
 ip nat inside

 interface Dialer0
 bandwidth 256
 ip address negotiated
 ip nat outside

 ip nat translation tcp-timeout 5400
 no ip nat service sip udp port 5060
 ip nat inside source list L3VPN_SERVICES_VOICE interface Loopback1 overload
 ip nat inside source static 192.168.10.1 217.112.66.70

 ip access-list extended L3VPN_SERVICES_VOICE
 permit ip any 10.0.13.0 0.0.0.255
 deny ip any any


 PS: I'm working with a Cisco 877:
 Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
 12.4(15)T12, RELEASE SOFTWARE (fc3)





 Regards,


 Samuel CATHELINE


You will need to configure this with NAT on a stick in mind.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
Essentially a route map that tells it to go through the loopback interface.
Also, loopback0 will need to have "ip nat outside" applied.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
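An added model (Python, not from the thread and not IOS itself) of the rule order Samuel's configuration runs into: static translations are consulted before dynamic ones, so every packet from 192.168.10.1, including those to 10.0.13.0/24, is translated to 217.112.66.70 before the Loopback1 overload rule is ever considered. The second rule set applies Curtis's idea of qualifying the static entry with a route-map so the voice subnet falls through to the dynamic rule; the NOT_VOICE ACL and the assumption that the 877's IOS accepts a route-map on a static entry are mine, not confirmed by the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Optional[Tuple[str, str]]  # None means 'any', else (network, wildcard)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_acl(lines: List[str]):
    """Parse 'permit|deny ip <src> <dst>' lines where each endpoint is 'any' or
    '<network> <wildcard>'. Other ACL syntax is out of scope for this model."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        ends: List[Endpoint] = []
        while rest:
            if rest[0] == "any":
                ends.append(None)
                rest = rest[1:]
            else:
                ends.append((rest[0], rest[1]))
                rest = rest[2:]
        if len(ends) != 2:
            raise ValueError(f"malformed ACE: {line!r}")
        entries.append((action, ends[0], ends[1]))
    return entries


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching ACE decides; no match is the implicit deny."""
    for action, s, d in acl:
        if (s is None or wildcard_match(src, *s)) and (d is None or wildcard_match(dst, *d)):
            return action == "permit"
    return False


@dataclass
class StaticNat:
    local: str
    global_: str
    route_map_acl: Optional[list] = None  # ACL behind a route-map qualifier, if any (assumed)


@dataclass
class DynamicNat:
    acl: list        # the list in 'ip nat inside source list <acl> interface ... overload'
    global_: str     # address of the interface named in that statement


def inside_to_outside(statics, dynamics, src, dst):
    """Translated source address for an inside->outside packet. Static entries
    are consulted before dynamic ones regardless of configuration order; a
    static whose route-map ACL denies the flow is skipped (assumed behaviour)."""
    for s in statics:
        if s.local == src and (s.route_map_acl is None or acl_permits(s.route_map_acl, src, dst)):
            return s.global_
    for d in dynamics:
        if acl_permits(d.acl, src, dst):
            return d.global_
    return src  # no translation applies


# Samuel's configuration, as posted
VOICE_ACL = parse_acl(["permit ip any 10.0.13.0 0.0.0.255", "deny ip any any"])
DYNAMIC = [DynamicNat(acl=VOICE_ACL, global_="172.16.4.76")]          # Loopback1
STATIC_AS_POSTED = [StaticNat(local="192.168.10.1", global_="217.112.66.70")]

# Curtis's direction: keep the static entry away from the voice subnet with a
# route-map. This ACL is a constructed illustration, not from the thread.
NOT_VOICE_ACL = parse_acl(["deny ip any 10.0.13.0 0.0.0.255", "permit ip any any"])
STATIC_QUALIFIED = [StaticNat("192.168.10.1", "217.112.66.70", NOT_VOICE_ACL)]


def as_posted(src, dst):
    return inside_to_outside(STATIC_AS_POSTED, DYNAMIC, src, dst)


def with_route_map(src, dst):
    return inside_to_outside(STATIC_QUALIFIED, DYNAMIC, src, dst)


if __name__ == "__main__":
    for fn in (as_posted, with_route_map):
        print(fn.__name__, "192.168.10.1 -> 10.0.13.5 :", fn("192.168.10.1", "10.0.13.5"))
        print(fn.__name__, "192.168.10.1 -> 8.8.8.8   :", fn("192.168.10.1", "8.8.8.8"))
```

Run as is, the first rule set shows the symptom Samuel describes (the voice flow from 192.168.10.1 leaves as 217.112.66.70); the qualified set sends that flow through the Loopback1 rule while leaving all other traffic from that host on the static address.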


Re: [c-nsp] questions regarding RSPAN on Catalyst 2950, 3550, 3560, 3750 and 4500 platforms

2012-10-02 Thread Martin T
If I execute "no monitor session 2" in WS-C3560G-24TS, port Gi0/11
changes from "monitoring" status to "inactive" and I can see only
CDPv2 messages in PE860. This is expected as Gi0/11 is in the
remote-span VLAN. If I change Gi0/11 to trunk I can see the very
same IPv6 traffic in PE860 + other protocols. Now if I check this
IPv6 traffic more closely I can see that all the packets are addressed
to Link-Local Scope Multicast
Addresses (http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml).
For example ff02::1 (All Nodes Address),
ff02::1:ff18:f2d2 (Solicited-Node Address), ff02::1:2 (All-dhcp-agents),
ff02::fb (mDNSv6) etc.
Why is only IPv6 traffic sent to the monitor port (Gi0/11) when RSPAN on
WS-C3560G-24TS is enabled?


regards,
Martin

2012/10/2, Saku Ytti s...@ytti.fi:
 On 2 October 2012 10:25, Martin T m4rtn...@gmail.com wrote:

 Any other ideas?

 Not really, seems like your SPAN might not be doing anything at all.
 Can you confirm this by removing SPAN config, leaving port just as
 trunk, and see if you capture same set of packets?

 --
   ++ytti



Re: [c-nsp] questions regarding RSPAN on Catalyst 2950, 3550, 3560, 3750 and 4500 platforms

2012-10-02 Thread Saku Ytti
On 2 October 2012 15:28, Martin T m4rtn...@gmail.com wrote:
 Why is only IPv6 traffic sent to monitor port(Gi0/11) when RSPAN on
 WS-C3560G-24TS is enabled?

It seems to catch flooded traffic only; why, I cannot answer. The typical
answer is the server not in promisc mode. I've had a laptop where
dmesg/ifconfig would report promisc, but it would never actually go
into promisc. But as you can't see the packets being exported by
observing the counters, you can determine that SPAN is not working.
-- 
  ++ytti
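Two checks that follow from this exchange, as an added example (Python, not from the thread): reconstructing the promiscuous-mode windows from the kernel lines Martin posted, and reading the two counter deltas Saku points at (the SPAN destination's "packets output" on the switch against RX on the capture NIC) to decide whether the switch or the host is at fault. The third dmesg line, the 1 Mbps over 5 seconds figures and the full-size-frame assumption are constructed.

```python
import re

# Constructed sample in the format PE860's kernel ring buffer uses: the two
# lines Martin posted plus a later 'entered' with no matching 'left'.
DMESG_LINES = [
    "Oct  2 02:55:39 PE860 kernel: [7745928.328025] device eth0 entered promiscuous mode",
    "Oct  2 02:55:43 PE860 kernel: [7745931.459236] device eth0 left promiscuous mode",
    "Oct  2 03:10:02 PE860 kernel: [7746790.100000] device eth0 entered promiscuous mode",
]

PROMISC_RE = re.compile(
    r"\[(?P<mono>\d+\.\d+)\] device (?P<dev>\S+) (?P<state>entered|left) promiscuous mode"
)


def promisc_intervals(lines, dev):
    """Reconstruct [(start, end)] windows, in kernel-monotonic seconds, during
    which `dev` was in promiscuous mode. A window still open at the end of the
    log has end=None. This only says what the kernel logged; whether the NIC
    honoured the flag is what span_verdict settles with counters."""
    intervals, start = [], None
    for line in lines:
        m = PROMISC_RE.search(line)
        if not m or m.group("dev") != dev:
            continue
        t = float(m.group("mono"))
        if m.group("state") == "entered":
            if start is None:
                start = t
        elif start is not None:
            intervals.append((start, t))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def capture_was_promiscuous(intervals, t0, t1):
    """True if the whole capture window [t0, t1] lies inside one promisc window."""
    return any(s <= t0 and (e is None or t1 <= e) for s, e in intervals)


def expected_packets(mbps, seconds, avg_frame_bytes=1500):
    """Rough lower bound on frames the monitored VLAN produced in the window,
    assuming full-size frames (smaller frames only raise the count)."""
    return int(mbps * 1_000_000 * seconds / (8 * avg_frame_bytes))


def span_verdict(switch_out_delta, host_rx_delta, expected_min):
    """Localise the fault from two counter deltas taken over the same window:
    switch_out_delta: increase of 'packets output' on the SPAN destination port
    host_rx_delta:    increase of RX packets on the capture NIC (ifconfig / ip -s link)
    expected_min:     frames the monitored VLAN should have produced meanwhile
    """
    if switch_out_delta < expected_min:
        # The switch never sent the traffic, so the host side is not the problem.
        return "switch: SPAN/RSPAN is not exporting the monitored traffic"
    if host_rx_delta < switch_out_delta:
        # The switch sent it and the NIC did not count it: promisc not honoured, or drops.
        return "host: capture NIC drops frames the switch did send"
    return "ok: switch exports and host receives the expected volume"


if __name__ == "__main__":
    win = promisc_intervals(DMESG_LINES, "eth0")
    print(win)
    print(capture_was_promiscuous(win, 7745929.0, 7745931.0))
    # Martin's numbers: 11 packets out on Gi0/11, 11 received, ~1 Mbps VLAN, ~5 s
    print(span_verdict(11, 11, expected_packets(1, 5)))
```

With Martin's figures the verdict lands on the switch: 11 packets out against several hundred expected means the monitored traffic never reached Gi0/11, which matches Saku's conclusion that the SPAN session is not doing anything rather than the host missing frames.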


Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Aaron
When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
bounce... Is there any way around this? ...I'm concerned about the
interruption (for operational environment) on the underlying vpnv4 l3vpn.
Would be only momentary though, right?... looks like 10 seconds from
nbr_reset to Up

If no way to avoid this, how do y'all do it ?  maint window?

Aaron

noc-3600(config)#router bgp 64512
noc-3600(config-router)#address-family vpnv6 unicast
% IPv6 routing not enabled
noc-3600(config)#ipv unicast-routing
noc-3600(config)#router bgp 64512
noc-3600(config-router)#address-family vpnv6 unicast
noc-3600(config-router-af)#neighbor 10.101.0.254 activate

*Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset (Capability
changed)
*Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
changed
*Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Capability changed
*Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset (Peer
closed the session)
*Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
Unicast topology base removed from session  Peer closed the session
*Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Peer closed the session
*Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up






Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Jason Lixfeld
I've relegated it to a maintenance window.

On 2012-10-02, at 9:53 AM, Aaron aar...@gvtc.com wrote:

 When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
 bounce... Is there any way around this? ...I'm concerned about the
 interruption (for operational environment) on the underlying vpnv4 l3vpn.
 Would be only momentary though, right?... looks like 10 seconds from
 nbr_reset to Up
 
 If no way to avoid this, how do y'all do it ?  maint window?
 
 Aaron
 
 noc-3600(config)#router bgp 64512
 noc-3600(config-router)#address-family vpnv6 unicast
 % IPv6 routing not enabled
 noc-3600(config)#ipv unicast-routing
 noc-3600(config)#router bgp 64512
 noc-3600(config-router)#address-family vpnv6 unicast
 noc-3600(config-router-af)#neighbor 10.101.0.254 activate
 
 *Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset (Capability
 changed)
 *Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
 changed
 *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
 Unicast topology base removed from session  Capability changed
 *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset (Peer
 closed the session)
 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
 Unicast topology base removed from session  Peer closed the session
 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
 Unicast topology base removed from session  Peer closed the session
 *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up
 
 
 
 


Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Aaron
(resending due to ugly formatting)

When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
bounce... Is there any way around this? ...I'm concerned about the
interruption (for operational environment) on the underlying vpnv4 l3vpn.
Would be only momentary though, right?... looks like 10 seconds from
nbr_reset to Up

If no way to avoid this, how do y'all do it ?  maint window?

Aaron

noc-3600(config)#router bgp 64512

noc-3600(config-router)#address-family vpnv6 unicast

 % IPv6 routing not enabled

 noc-3600(config)#ipv unicast-routing

 noc-3600(config)#router bgp 64512

 noc-3600(config-router)#address-family vpnv6 unicast

 noc-3600(config-router-af)#neighbor 10.101.0.254 activate

*Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset
(Capabilitychanged)

*Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
changed

 *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Capability changed

 *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset
(Peer closed the session)

 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
Unicast topology base removed from session  Peer closed the session

 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Peer closed the session

 *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up





Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Blake Dunlap
No you can't keep it from resetting the neighbor if you are changing the
capabilities of a neighbor relationship. That portion is negotiated at open
state, and not on the fly.

-Blake

On Tue, Oct 2, 2012 at 9:01 AM, Aaron aar...@gvtc.com wrote:

 (resending due to ugly formatting)

 When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
 bounce... Is there any way around this? ...I'm concerned about the
 interruption (for operational environment) on the underlying vpnv4 l3vpn.
 Would be only momentary though, right?... looks like 10 seconds from
 nbr_reset to Up

 If no way to avoid this, how do y'all do it ?  maint window?

 Aaron

 noc-3600(config)#router bgp 64512

 noc-3600(config-router)#address-family vpnv6 unicast

  % IPv6 routing not enabled

  noc-3600(config)#ipv unicast-routing

  noc-3600(config)#router bgp 64512

  noc-3600(config-router)#address-family vpnv6 unicast

  noc-3600(config-router-af)#neighbor 10.101.0.254 activate

 *Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset
 (Capabilitychanged)

 *Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
 changed

  *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
 Unicast topology base removed from session  Capability changed

  *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset
 (Peer closed the session)

  *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
 Unicast topology base removed from session  Peer closed the session

  *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
 Unicast topology base removed from session  Peer closed the session

  *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up





Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Oliver Boehmer (oboehmer)
On 02/10/2012 16:01, Aaron aar...@gvtc.com wrote:

(resending due to ugly formatting)

When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
bounce... Is there any way around this? ...I'm concerned about the
interruption (for operational environment) on the underlying vpnv4 l3vpn.
Would be only momentary though, right?... looks like 10 seconds from
nbr_reset to Up

If no way to avoid this, how do y'all do it ?  maint window?

Adding an address family to an existing session requires bouncing it as
address family capabilities are negotiated upon session establishment.
There is draft-ietf-idr-dynamic-cap which would avoid the reset, but this
isn't implemented yet. And we have BGP multi-session so you build one
session per AF, which would also avoid session resets. But I guess both
are no options for you, so you would need to do it in a maintenance window
if the session bounce has an impact.

oli


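To show why the address-family change cannot be applied to a live session, an added example (Python, not from the thread) encodes and decodes the Multiprotocol Extensions capability (RFC 4760) that the OPEN message carries, then compares what a session negotiated with what is now configured; the last function counts the TCP sessions the multi-session alternative Oli mentions would cost. The neighbour count used in tcp_sessions is a constructed figure.

```python
import struct

OPT_PARAM_CAPABILITIES = 2   # RFC 5492: optional parameter type carrying capabilities
CAP_MP_EXT = 1               # RFC 4760: Multiprotocol Extensions capability code
AFI_IPV4, AFI_IPV6 = 1, 2
SAFI_MPLS_VPN = 128          # labelled-VPN SAFI: vpnv4 is (1,128), vpnv6 (6VPE) is (2,128)

VPNV4 = (AFI_IPV4, SAFI_MPLS_VPN)
VPNV6 = (AFI_IPV6, SAFI_MPLS_VPN)


def encode_mp_capability(afi, safi):
    """Capability code | length (4) | AFI (2 bytes) | reserved (1) | SAFI (1)."""
    return struct.pack("!BBHBB", CAP_MP_EXT, 4, afi, 0, safi)


def encode_open_capabilities(afs):
    """Optional Parameter (type 2) listing one MP capability per address family.
    This is the only place a BGP speaker announces its AFs: inside OPEN."""
    body = b"".join(encode_mp_capability(afi, safi) for afi, safi in sorted(afs))
    return struct.pack("!BB", OPT_PARAM_CAPABILITIES, len(body)) + body


def decode_open_capabilities(param):
    """Inverse of encode_open_capabilities: the set of (AFI, SAFI) the peer offered."""
    ptype, plen = struct.unpack("!BB", param[:2])
    if ptype != OPT_PARAM_CAPABILITIES or plen != len(param) - 2:
        raise ValueError("not a well-formed Capabilities optional parameter")
    afs, off = set(), 2
    while off < len(param):
        code, clen = struct.unpack("!BB", param[off:off + 2])
        value = param[off + 2:off + 2 + clen]
        if code == CAP_MP_EXT and clen == 4:
            afi, _reserved, safi = struct.unpack("!HBB", value)
            afs.add((afi, safi))
        off += 2 + clen   # unknown capabilities are skipped, not rejected
    return afs


def session_needs_reset(negotiated_param, configured_afs):
    """A live session's capability set is whatever its OPEN carried. Activating
    vpnv6 on a vpnv4-only neighbour makes the configuration differ from that
    OPEN, and without in-session renegotiation (the dynamic-capability draft)
    the only way to a new OPEN is the 'Capability changed' reset in Aaron's log."""
    return decode_open_capabilities(negotiated_param) != set(configured_afs)


def tcp_sessions(neighbours, afs, multi_session):
    """Sessions per router: one per neighbour, or one per neighbour per AF with
    multi-session transport, which is why it is costly on route reflectors."""
    return neighbours * (len(afs) if multi_session else 1)


if __name__ == "__main__":
    live = encode_open_capabilities({VPNV4})
    print(live.hex())
    print("reset needed after adding vpnv6:", session_needs_reset(live, {VPNV4, VPNV6}))
    print("sessions on an RR with 200 PEs, multi-session:", tcp_sessions(200, [VPNV4, VPNV6], True))
```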


Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Adam Vitkovsky
I thought this is on by default but apparently it's not

Try
neighbor x.x.x.x transport multi-session


adam
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
Sent: Tuesday, October 02, 2012 4:02 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6vpe - me3600x

(resending due to ugly formatting)

When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
bounce... Is there any way around this? ...I'm concerned about the
interruption (for operational environment) on the underlying vpnv4 l3vpn.
Would be only momentary though, right?... looks like 10 seconds from
nbr_reset to Up

If no way to avoid this, how do y'all do it ?  maint window?

Aaron

noc-3600(config)#router bgp 64512

noc-3600(config-router)#address-family vpnv6 unicast

 % IPv6 routing not enabled

 noc-3600(config)#ipv unicast-routing

 noc-3600(config)#router bgp 64512

 noc-3600(config-router)#address-family vpnv6 unicast

 noc-3600(config-router-af)#neighbor 10.101.0.254 activate

*Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset
(Capabilitychanged)

*Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
changed

 *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Capability changed

 *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset
(Peer closed the session)

 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
Unicast topology base removed from session  Peer closed the session

 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Peer closed the session

 *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up





Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Adam Vitkovsky
I should have mentioned that this has some serious implications to it,
especially in large BGP environments.
So please consider the number of TCP sessions you'll end up with on RRs as
well as on PEs.

adam
-Original Message-
From: Adam Vitkovsky [mailto:adam.vitkov...@swan.sk] 
Sent: Tuesday, October 02, 2012 4:22 PM
To: 'Aaron'; 'cisco-nsp@puck.nether.net'
Subject: RE: [c-nsp] 6vpe - me3600x

I thought this is on by default but apparently it's not

Try
neighbor x.x.x.x transport multi-session


adam
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
Sent: Tuesday, October 02, 2012 4:02 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6vpe - me3600x

(resending due to ugly formatting)

When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
bounce... Is there any way around this? ...I'm concerned about the
interruption (for operational environment) on the underlying vpnv4 l3vpn.
Would be only momentary though, right?... looks like 10 seconds from
nbr_reset to Up

If no way to avoid this, how do y'all do it ?  maint window?

Aaron

noc-3600(config)#router bgp 64512

noc-3600(config-router)#address-family vpnv6 unicast

 % IPv6 routing not enabled

 noc-3600(config)#ipv unicast-routing

 noc-3600(config)#router bgp 64512

 noc-3600(config-router)#address-family vpnv6 unicast

 noc-3600(config-router-af)#neighbor 10.101.0.254 activate

*Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset
(Capabilitychanged)

*Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
changed

 *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Capability changed

 *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset
(Peer closed the session)

 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
Unicast topology base removed from session  Peer closed the session

 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
Unicast topology base removed from session  Peer closed the session

 *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up





Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Aaron
Thanks all.  Also, since ipv6 seems inevitable, it would seem like a nice
way to future proof your network by simply enabling the v6 af in the vrf
definition (also on me's create vrf using the definition mode for v6), the
vpnv6 af under bgp and the v6 af within the vrf specific bgp context... that
way, it's done.  Saying this since we seem to be looking for ipv6
capabilities to be supported in most things we do these days... so it would
seem logical to setup router configs to be v6-ready then...

Aaron

-Original Message-
From: Nick Hilliard [mailto:n...@inex.ie] 
Sent: Tuesday, October 02, 2012 10:00 AM
To: Adam Vitkovsky
Cc: Aaron; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6vpe - me3600x

In general you don't want to enable multisession bgp unless you know why
you need it and you understand all the consequences of doing so.  I really
wouldn't recommend this as a means of avoiding session flaps due to
capabilities renegotiation.

Nick

Sent from my iWotsit.

On 2 Oct 2012, at 15:22, Adam Vitkovsky adam.vitkov...@swan.sk wrote:

 I thought this is on by default but apparently it's not
 
 Try
 neighbor x.x.x.x transport multi-session
 
 
 adam
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
 Sent: Tuesday, October 02, 2012 4:02 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] 6vpe - me3600x
 
 (resending due to ugly formatting)
 
 When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw
 it bounce... Is there any way around this? ...I'm concerned about
 the interruption (for operational environment) on the underlying vpnv4
 l3vpn.
 Would be only momentary though, right?... looks like 10 seconds from
 nbr_reset to Up
 
 If no way to avoid this, how do y'all do it ?  maint window?
 
 Aaron
 
 noc-3600(config)#router bgp 64512
 
 noc-3600(config-router)#address-family vpnv6 unicast
 
 % IPv6 routing not enabled
 
 noc-3600(config)#ipv unicast-routing
 
 noc-3600(config)#router bgp 64512
 
 noc-3600(config-router)#address-family vpnv6 unicast
 
 noc-3600(config-router-af)#neighbor 10.101.0.254 activate
 
 *Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset
 (Capabilitychanged)
 
 *Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down 
 Capability changed
 
 *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 
 VPNv4 Unicast topology base removed from session  Capability changed
 
 *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset 
 (Peer closed the session)
 
 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 
 VPNv6 Unicast topology base removed from session  Peer closed the 
 session
 
 *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 
 VPNv4 Unicast topology base removed from session  Peer closed the 
 session
 
 *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up
 
 
 


Re: [c-nsp] Problem with a nat configuration.

2012-10-02 Thread Ross Halliday
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Samuel Catheline
 Sent: Tuesday, October 02, 2012 3:05 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Problem with a nat configuration.
 
 Hello,
 
 I have a NAT configuration problem. With a static NAT, I want to exclude from
 the static NAT (192.168.10.1-217.112.66.70) the traffic to the subnet
 10.0.13.0/24 and NAT this traffic with the Loopback1.
 Is there an issue?
 
...
 PS: I'm working with a Cisco 877:
 Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
 12.4(15)T12, RELEASE SOFTWARE (fc3)

Does your 877 support NVI (NAT Virtual Interface)? This should be able to get
around your problem.

http://blog.ine.com/2008/02/15/the-inside-and-outside-of-nat/
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

Cheers
Ross



Re: [c-nsp] 6vpe - me3600x

2012-10-02 Thread Nick Hilliard
On 02/10/2012 15:22, Adam Vitkovsky wrote:
 I thought this is on by default but apparently it's not
 
 Try
 neighbor x.x.x.x transport multi-session

In general you don't want to enable multisession bgp unless you know why
you need it and you understand all the consequences of doing so.  I really
wouldn't recommend this as a means of avoiding session flaps due to
capabilities renegotiation.

Nick


 
 adam
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
 Sent: Tuesday, October 02, 2012 4:02 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] 6vpe - me3600x
 
 (resending due to ugly formatting)
 
 When I enabled vpnv6 on my pre-existing vpnv4 neighbor session I saw it
 bounce... Is there any way around this? ...I'm concerned about the
 interruption (for operational environment) on the underlying vpnv4 l3vpn.
 Would be only momentary though, right?... looks like 10 seconds from
 nbr_reset to Up
 
 If no way to avoid this, how do y'all do it ?  maint window?
 
 Aaron
 
 noc-3600(config)#router bgp 64512
 
 noc-3600(config-router)#address-family vpnv6 unicast
 
  % IPv6 routing not enabled
 
  noc-3600(config)#ipv unicast-routing
 
  noc-3600(config)#router bgp 64512
 
  noc-3600(config-router)#address-family vpnv6 unicast
 
  noc-3600(config-router-af)#neighbor 10.101.0.254 activate
 
 *Oct  1 21:01:46: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 reset
 (Capabilitychanged)
 
 *Oct  1 21:01:46: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Down Capability
 changed
 
  *Oct  1 21:01:46: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
 Unicast topology base removed from session  Capability changed
 
  *Oct  1 21:01:47: %BGP-5-NBR_RESET: Neighbor 10.101.0.254 active reset
 (Peer closed the session)
 
  *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv6
 Unicast topology base removed from session  Peer closed the session
 
  *Oct  1 21:01:47: %BGP_SESSION-5-ADJCHANGE: neighbor 10.101.0.254 VPNv4
 Unicast topology base removed from session  Peer closed the session
 
  *Oct  1 21:01:56: %BGP-5-ADJCHANGE: neighbor 10.101.0.254 Up
 
 
 


[c-nsp] cisco 2960 snmp interface description

2012-10-02 Thread Michael Sprouffske
What needs to be done in order for the switch to pass the descriptions of the 
interfaces?  I looked at a debug and the switch is only sending the physical 
interface name and not the description.  I did a walk on the device and was 
able to pull this information.


Re: [c-nsp] cisco 2960 snmp interface description

2012-10-02 Thread Nikolay Shopik
If you have the default snmp config on a 2960, there is nothing additional needed
to pass interface names. It's in ifAlias, not in ifDescr.

On 02.10.2012 23:46, Michael Sprouffske wrote:
 What needs to be done in order for the switch to pass the descriptions of the 
 interfaces.  I looked at a debug and the switch is only sending the physical 
 interface name and not the description.  I did a walk on the device and was 
 able to pull this information.


Re: [c-nsp] cisco 2960 snmp interface description

2012-10-02 Thread Nikolay Shopik
If you are talking about traps, they don't send ifAlias.
We wrote a script which does an additional snmpwalk based on ifIndex to find out
the ifAlias and then sends a trap with this info.

On 03.10.2012 0:15, Michael Sprouffske wrote:
 this is what I get
 
 snmpTrapOID.0 = snmpTraps.3
  ifIndex.10005 = 10005
  ifDescr.10005 = FastEthernet0/5
  ifType.10005 = 6
 
 
 
 
 
 
  From: Nikolay Shopik sho...@inblock.ru
 To: cisco-nsp@puck.nether.net 
 Sent: Tuesday, October 2, 2012 1:11 PM
 Subject: Re: [c-nsp] cisco 2960 snmp interface description
  
 If you have default snmp config on 2960, there nothing additional need
 to pass interface names. Its in ifAlias not in ifDescr
 
 On 02.10.2012 23:46, Michael Sprouffske wrote:
 What needs to be done in order for the switch to pass the descriptions of 
 the interfaces.  I looked at a debug and the switch is only sending the 
 physical interface name and not the description.  I did a walk on the device 
 and was able to pull this information.
 
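The trap-enrichment approach Nikolay describes, as an added example that is not his script: it parses the varbinds of a trap as snmptrapd printed them in Michael's message, takes the ifIndex, and resolves it to an ifAlias through a caller-supplied lookup. The lookup here is a constructed table standing in for a cached snmpwalk of IF-MIB::ifAlias; in practice it would be an snmpget of ifAlias.<ifIndex> with a read-only community.

```python
# Added example (not Nikolay's script): enrich a 2960 linkDown/linkUp trap with ifAlias.
from typing import Callable, Dict, Optional

# Constructed: the varbinds snmptrapd printed for the trap shown in the thread.
TRAP_TEXT = """snmpTrapOID.0 = snmpTraps.3
ifIndex.10005 = 10005
ifDescr.10005 = FastEthernet0/5
ifType.10005 = 6
"""

# Constructed stand-in for a cached `snmpwalk ... IF-MIB::ifAlias` of the switch
# (OID 1.3.6.1.2.1.31.1.1.1.18.<ifIndex>), keyed by ifIndex.
IFALIAS_TABLE: Dict[int, str] = {10005: "uplink-to-core-1", 10006: "printer-vlan"}

# SNMPv2-MIB generic traps: snmpTraps.3 is linkDown, snmpTraps.4 is linkUp.
TRAP_NAMES = {"snmpTraps.3": "linkDown", "snmpTraps.4": "linkUp"}

def parse_varbinds(text: str) -> Dict[str, str]:
    """Turn 'name.instance = value' lines into a dict; malformed lines are skipped."""
    varbinds: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        varbinds[name] = value
    return varbinds

def enrich_trap(text: str, lookup_alias: Callable[[int], Optional[str]]) -> Dict[str, object]:
    """Resolve the trap's ifIndex to an ifAlias; ifAlias is None when unknown."""
    vb = parse_varbinds(text)
    trap_oid = vb.get("snmpTrapOID.0", "")
    result: Dict[str, object] = {"trap": TRAP_NAMES.get(trap_oid, trap_oid or "unknown"),
                                 "ifIndex": None, "ifDescr": None, "ifAlias": None}
    for name, value in vb.items():
        # Only trust a numeric ifIndex whose instance suffix matches its value.
        if name.startswith("ifIndex.") and value.isdigit() and name == f"ifIndex.{value}":
            ifindex = int(value)
            result["ifIndex"] = ifindex
            result["ifDescr"] = vb.get(f"ifDescr.{ifindex}")
            result["ifAlias"] = lookup_alias(ifindex)  # real code: snmpget ifAlias.<ifIndex>
            break
    return result

def format_trap(enriched: Dict[str, object]) -> str:
    """One log/trap line, e.g. 'linkDown FastEthernet0/5 (uplink-to-core-1)'."""
    return f'{enriched["trap"]} {enriched["ifDescr"]} ({enriched["ifAlias"] or "no ifAlias"})'

if __name__ == "__main__":
    print(format_trap(enrich_trap(TRAP_TEXT, IFALIAS_TABLE.get)))
```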


[c-nsp] IOS XR BVI

2012-10-02 Thread Natambu Obleton
Anyone using BVIs and l2vpn on IOS XR for routing interfaces? I am running into 
some strange issues in an attempt to put 4 ASR9ks into production on my 
network, but only on IPv4. I am having no issues with IPv6 and OSPFv3, yet. The 
last reference I can find to BVI is in IOS XR 4.0.1, and it says that a lot of 
features are not supported, including IPv6. I went through the release notes up 
to 4.2.1 and the only reference is the support of ACLs on BVI. Yet, in 
troubleshooting I am unable to get IPv4 ACLs to work when applied to either the 
BVI interface or the l2transport interface.

http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.0/interfaces/configuration/guide/hc40irb.html

Makes me want to just avoid them altogether, but to implement card redundancy 
in our current configuration the BVI is needed. Thanks.

--

Natambu Obleton, CISSP CCNA
Senior Network Engineer
FastTrack Communications, Inc.
970.828.1009



[c-nsp] data MDT ACL mapping

2012-10-02 Thread Jeff Bacon
So there's these enhancements that allow you to deterministically map MVPN 
groups to specific MDT groups. 

I gather the following, from playing with it:

- you still only get one mdt data net mask, only now you get to say list acl
- otherwise it falls through to the default
- to the extent it's possible, you get a sequential match, e.g.

ip access-list standard my-groups
   permit 233.254.99.128 0.0.0.63
ip vrf BLAH
  mdt default 233.1.1.1
  mdt data 233.88.88.64 0.0.0.63

you get 233.254.99.129 -> 233.88.88.65
233.254.99.134 -> 233.88.88.70
ad nauseam

Are there other feasible incantations? 

The reason I ask is because, well, I use a deterministic method for allocating 
the MDT groups, so I know that VRF BLAH -> default 225.1.1.A data 
225.1.A.x-y, and a lot of the input groups are x.y.z.0-255, so it'd be damn 
handy in debug-panic to not have to continually do a sho ip pim vrf BLAH mdt 
err am I sending or receiving on this switch anyway? err so which group in 
this list is what?... 

Is there any really good reason to run a bunch of MDT data groups besides to 
allow breaking down the groups in the MVPN so as to allow multicast/SSM in 
global space to optimize what gets sent where? 

Is there a downside to letting MVPN splay all the groups out, other than 
possibly running out of TCAM at some N aggregate number of groups, noting that 
each MVPN group really takes up two slots in 
MFIB/whatever-it's-called-on-non-sup2t?  (Well, that and having show ip 
mroute scroll for a really long time, I suppose.) 

(I figure I'm running around 400 real groups input into the mesh at various 
points, ranging from 10pps to 50kpps per group. 6500s all, though ME3600s will 
probably enter the picture.)



Re: [c-nsp] IOS XR BVI

2012-10-02 Thread chip
There was a thread on this topic a few months back.  Unless my testing
was really messed up, ACLs do work.

https://puck.nether.net/pipermail/cisco-nsp/2012-July/086171.html

Looks like it depends on what line cards you are using as well.

Good luck!

--chip

On Tue, Oct 2, 2012 at 6:00 PM, Natambu Obleton
noble...@fasttrackcomm.net wrote:
 Anyone using BVIs and l2vpn on IOS XR for routing interfaces? I am running 
 into some strange issue in an attempt to put 4 ASR9k's into production on my 
 network, but only on ipv4. I am having no issues with Ipv6 and OSPFv3, 
 yet..The last reference I can find to BVI in a IOS XR 4.0.1 and it says, that 
 a lot of features are not supported including IPv6. I went through the 
 release notes up to 4.2.1 and the only reference is the support of ACL's on 
 BVI. Yet, in troubleshooting I am unable to get ipv4 ACLs to work when 
 applied to either the BVI interface or the l2transport interface.

 http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.0/interfaces/configuration/guide/hc40irb.html

 Makes me want to just avoid them all together, but to implement card 
 redundancy in our current configuration the BVI is needed. Thanks.

 --

 Natambu Obleton, CISSP CCNA
 Senior Network Engineer
 FastTrack Communications, Inc.
 970.828.1009




-- 
Just my $.02, your mileage may vary,  batteries not included, etc



[c-nsp] BGP Router process - high cpu

2012-10-02 Thread CiscoNSP_list CiscoNSP_list
Hi Guys,

High cpu from BGP router process started ~48 hours ago - Happens every 30 seconds (Cisco 7200, NPE-G2...normal load is 45-50% cpu)

#sh processes cpu sorted
CPU utilization for five seconds: 86%/44%; one minute: 53%; five minutes: 50%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 28920754676  99918606207 35.12%  6.76%  5.68%   0 BGP Router

All peering sessions on the 7200 have uptime of years (or many weeks), but I think it has to be due to a re-convergence? Have the following configured under address-family vpnv4 (this conf has always been on the 7200 (years))...but the 30 second scan time matches the CPU spikes.

bgp scan-time import 10
bgp scan-time 30

Any suggestions on how to track down the cause?  Cheers.


Re: [c-nsp] BGP Router process - high cpu

2012-10-02 Thread Pete Lumbis
Take a look at this
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00809d16f0.shtml

This is almost always due to route churn. Take a look at your routing
table (global and/or VRF) for routes that recently updated (show ip
route | i 0:00) and that might give you some clues as to where the
churn is coming from.

-Pete

On Tue, Oct 2, 2012 at 6:00 PM, CiscoNSP_list CiscoNSP_list
cisconsp_l...@hotmail.com wrote:
 Hi Guys,

 High cpu from BGP router process started ~48 hours ago - Happens every 30 seconds (Cisco 7200, NPE-G2...normal load is 45-50% cpu)

 #sh processes cpu sorted
 CPU utilization for five seconds: 86%/44%; one minute: 53%; five minutes: 50%
  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  28920754676  99918606207 35.12%  6.76%  5.68%   0 BGP Router

 All peering sessions on the 7200 have uptime of years (or many weeks), but I think it has to be due to a re-convergence? Have the following configured under address-family vpnv4 (this conf has always been on the 7200 (years))...but the 30 second scan time matches the CPU spikes.

 bgp scan-time import 10
 bgp scan-time 30

 Any suggestions on how to track down the cause?  Cheers.
