[c-nsp] tracepath

2012-11-27 Thread M K

Hi all,

I was wondering about the below output: when I get the no reply, does
that mean that I faced a change in the MTU through the path? Can I detect the MTU
value through the path if configured?

[root@core ~]# tracepath -n www.facebook.com
 1:  172.16.2.225      0.135ms pmtu 1500
 1:  172.16.2.1        0.404ms
 2:  92.62.113.77     asymm  1   0.929ms
 3:  92.62.113.21     asymm  2   1.178ms
 4:  92.62.113.25     asymm  3   2.347ms
 5:  82.212.74.205    asymm  4   0.860ms
 6:  82.212.65.21     asymm  5   1.243ms
 7:  82.212.65.5        0.976ms
 8:  195.50.120.101    62.939ms
 9:  4.69.139.120     asymm  8  63.645ms
10:  4.69.153.129     asymm  9  62.890ms
11:  4.69.137.66      asymm 10 131.544ms
12:  4.69.141.18      asymm 11 136.979ms
13:  4.69.132.89      asymm 12 136.743ms
14:  4.69.134.146     asymm 13 137.186ms
15:  4.69.149.146     asymm 14 161.542ms
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
31:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500

BR,
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] enable secret 'password'

2012-11-27 Thread alan buxey
Hi,

>  Warning: The CLI will be deprecated soon
>  'enable secret 5 $x/'
>  Please move to 'enable secret password' CLI
>
> Any suggestions on how to get around this - I don't really want the
> password lying around in plain text...

The password shouldn't be lying around in plaintext after entering the command -
it should be stored in encrypted format.

alan


Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Phil Mayers

On 11/27/2012 03:40 AM, Kell, Jeff wrote:

> We're doing an eval on some PowerConnect 7048P switches, and have run
> into spanning tree issues.  They don't like PVST, but will spit out
> STP that in theory will revert a Cisco to STP (is this process
> contagious?  or limited to the upstream?).

The STP process on vlan1 emits both Cisco PVST and IEEE PDUs IIRC, and
when it detects a PDU from the other end on a given port, switches to
just using that version of the protocol until the STP state machine is
reset (i.e. link down). I think there's also a CLI command to blip it.

So it's a per-port (well, per virtual-port, really) thing, similar to
the PVST/MST compat. mode that Ciscos do when running MST.

> That unfortunately requires an untagged vlan 1 on all trunk ports
> (breaks our standards and would require a mass reconfiguration).

Yeah, I always thought it was a bit sucky that the PVST fallback didn't
take place on the untagged/native VLAN per-port, as opposed to being
hardcoded to vlan1. How hard can it be to implement that?

However: IIRC the IEEE-fallback is of limited use in some topologies. If
the downstream (IEEE-only) switch blocks the port, then it blocks it for
all vlans. But, those vlan/port combos on the upstream Ciscos are in FWD
because they can't hear each other via that path. This can lead to
surprising behaviour.

Worse, if the blocked port is on the upstream Cisco, it's only blocked
for vlan 1 using this method. The other vlans are blocked by virtue of
the Ciscos hearing each other's PVST via that path, and this comes with
the attendant 6/30 second delay on failover/failback.

> You can also try MST if you want to convert (again, breaks our
> standards and would require a mass reconfiguration).
>
> Otherwise they seem quite tolerable and have some attractive
> features...  but I'm not quite sold if it requires a campus-wide mass
> reconfiguration to get along with existing gear.

Personally I wouldn't go for it; but what the question? ;o)

Normally I'm not a big fan of proprietary protocols, but MST is so
awesomely sucky for Campus environments (map all your VLANs to
instances before you start, and never change it - yeah, right!) that we
mandate Cisco compatible PVST in all our edge.



Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Gert Doering
Hi,

On Tue, Nov 27, 2012 at 10:30:00AM +, Phil Mayers wrote:
> Normally I'm not a big fan of proprietary protocols, but MST is so
> awesomely sucky for Campus environments (map all your VLANs to
> instances before you start, and never change it - yeah, right!) that we
> mandate Cisco compatible PVST in all our edge.

MST is equally awesome sucky for datacenter :-)

(R-)PVST here as well, or flexlink style dual-uplinks where possible.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] tracepath

2012-11-27 Thread Peter Rathlev
On Tue, 2012-11-27 at 10:12 +0200, M K wrote:
> I was wondering about the below output, when I get the no reply,
> does that mean that I faced a change in the MTU through the path? Can I
> detect MTU value through the path if configured?
<snip>

You're really not making it easy for anyone with that formatting. Please
consider using a mail user agent that does sane formatting.

> [root@core ~]# tracepath -n www.facebook.com
>  1:  172.16.2.225  0.135ms pmtu 1500
>  1:  172.16.2.1    0.404ms
>  2:  92.62.113.77  asymm  1   0.929ms
...
> 16:  no reply
<continues to the end>

This just means that the target does not accept traffic destined to the
UDP port in question. Since www.facebook.com accepts ping requests you
could use traceroute to test the 1500 byte PMTU:

 traceroute -I -q 1 -n -F www.facebook.com 1500

-- 
Peter
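
As an added example (not part of the original posts): a small Python parser for `tracepath -n` output that reports at which hop a `pmtu` value is announced and how many trailing hops gave no reply. It is run over an abridged copy of the output from this thread and over a constructed trace with an MTU drop; the documentation-range addresses and the 1400-byte hop are constructed sample data.

```python
import re

# "<ttl>:  <addr> [asymm N] <rtt>ms [pmtu N]" or "<ttl>:  no reply"
HOP_LINE = re.compile(r"^\s*(\d+)\??:\s+(.*)$")
PMTU = re.compile(r"\bpmtu\s+(\d+)")
RTT = re.compile(r"^(\d+(?:\.\d+)?)ms$")


def parse_tracepath(text):
    """Return (hops, resume_pmtu) parsed from tracepath -n output."""
    hops, resume_pmtu = [], None
    for line in text.splitlines():
        body = line.strip()
        if body.startswith("Resume:"):
            m = PMTU.search(body)
            resume_pmtu = int(m.group(1)) if m else None
            continue
        m = HOP_LINE.match(line)
        if not m:
            continue  # shell prompt, "Too many hops", blank lines
        ttl, rest = int(m.group(1)), m.group(2).strip()
        if rest.startswith("no reply"):
            hops.append({"ttl": ttl, "addr": None, "rtt_ms": None, "pmtu": None})
            continue
        fields = rest.split()
        rtt = next((float(RTT.match(f).group(1)) for f in fields if RTT.match(f)), None)
        pm = PMTU.search(rest)
        hops.append({
            "ttl": ttl,
            "addr": fields[0],
            "rtt_ms": rtt,
            "pmtu": int(pm.group(1)) if pm else None,
        })
    return hops, resume_pmtu


def summarize(text):
    """Where did the reported path MTU change, and where did replies stop?"""
    hops, resume_pmtu = parse_tracepath(text)
    changes, current = [], None
    for h in hops:
        # tracepath prints "pmtu N" only on the hop line where it learns a value
        if h["pmtu"] is not None and h["pmtu"] != current:
            changes.append((h["ttl"], h["addr"], h["pmtu"]))
            current = h["pmtu"]
    silent_tail = 0
    for h in reversed(hops):
        if h["addr"] is not None:
            break
        silent_tail += 1
    answered = [h for h in hops if h["addr"] is not None]
    last = (answered[-1]["ttl"], answered[-1]["addr"]) if answered else None
    return {
        "pmtu_changes": changes,
        "last_responder": last,
        "silent_tail": silent_tail,
        "resume_pmtu": resume_pmtu,
    }


# Abridged from the output posted in this thread (hops 16-31 were "no reply").
THREAD_SAMPLE = "\n".join(
    [
        "[root@core ~]# tracepath -n www.facebook.com",
        " 1:  172.16.2.225      0.135ms pmtu 1500",
        " 2:  92.62.113.77     asymm  1   0.929ms",
        " 8:  195.50.120.101    62.939ms",
        "15:  4.69.149.146     asymm 14 161.542ms",
    ]
    + [f"{ttl}:  no reply" for ttl in range(16, 32)]
    + ["     Too many hops: pmtu 1500", "     Resume: pmtu 1500"]
)

# Constructed sample: a path whose MTU drops to 1400 at hop 2.
CONSTRUCTED_MTU_DROP = """\
 1:  192.0.2.1        0.140ms pmtu 1500
 1:  192.0.2.254      0.410ms
 2:  198.51.100.1     1.020ms pmtu 1400
 2:  198.51.100.1     0.950ms
 3:  203.0.113.9      5.300ms reached
     Resume: pmtu 1400 hops 3 back 3
"""

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("constructed", CONSTRUCTED_MTU_DROP)):
        print(name, summarize(sample))
```

In the thread's trace the only `pmtu` announcement is the local 1500 at hop 1, and the `no reply` lines carry no `pmtu` field at all; in the constructed trace the drop is visible as a second announcement at hop 2.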




[c-nsp] MST Experiences: was Re: Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Reuben Farrelly

On 27/11/2012 9:30 PM, Phil Mayers wrote:

> Normally I'm not a big fan of proprietary protocols, but MST is so
> awesomely sucky for Campus environments (map all your VLANs to
> instances before you start, and never change it - yeah, right!) that we
> mandate Cisco compatible PVST in all our edge.


Wow.  I thought it was just me and my lack of MST experience that was 
the problem when I've looked at migrating to MST - so it's reassuring to 
know it isn't just me who had had a bad experience with it.  Even 
starting by rolling it out at home on a small 4 switch (two vendor) in a 
ring topology seemed relatively painful.  Most definitely far far more 
pain than gain.  The thought of rolling it out to dozens of switches 
across multiple states just doesn't bear thinking about.


The main thing that has attracted me to look at MST was the widespread 
multivendor support for it.  The vlan-to-spanning-tree mapping concept 
seems good in theory - but as Phil has said you really only get one shot 
at getting it right.


What vendors, other than Cisco, support some form of Rapid-PVST?  I 
believe Arista do on their switches - are there any others?  If it's 
proprietary, did Arista license it from Cisco or...?  It seems so 
patently obvious that PVST would be a smart idea, yet so few vendors 
seem to support it.  What gives?


Reuben



Re: [c-nsp] MST Experiences: was Re: Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Phil Mayers

On 27/11/12 12:27, Reuben Farrelly wrote:

> What vendors, other than Cisco, support some form of Rapid-PVST?  I
> believe Arista do on their switches - are there any others?  If it's

Extreme, Foundry, HP in older firmware (newer firmware dropped it in 
favour of MST, IIRC - sigh). I think it's pretty widespread, TBH.



[c-nsp] Cisco 2851 Wiping Flash?

2012-11-27 Thread Skeeve Stevens
Hey guys,

I have a Cisco 2821 - System image file is
flash:c2800nm-advipservicesk9-mz.124-24.T.bin

and a 2851 - System image file is
flash:c2800nm-advipservicesk9-mz.124-24.T2.bin

Same exact IOS.. in fact, the 2851's IOS was copied from the 2821.

===

*On the 2821 I can:*

BDR-A#copy run q
Destination filename [q]?


8634 bytes copied in 1.476 secs (5850 bytes/sec)
BDR-A#
BDR-A#dir
Directory of flash:/

2  -rw-        8634  Nov 27 2012 23:22:14 +11:00  q
1  -rw-    57726628   May 9 2011 04:48:54 +10:00  c2800nm-advipservicesk9-mz.124-24.T2.bin

128303104 bytes total (70561792 bytes free)
BDR-A#


===

*On the 2851 I can't:*

BDR-A#copy run q
Destination filename [q]?
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device...
ee
...erased
Erase of flash: complete

Verifying checksum...  OK (0xD846)
9209 bytes copied in 1.864 secs (4940 bytes/sec)
BDR-A#

===

Anyone know what is going on here that just saving a copy of the config
will want to wipe the flash?

Only thing I can think of is the flashcard itself is somehow the cause?

*Skeeve Stevens, CEO - *eintellego Pty Ltd
ske...@eintellego.net ; www.eintellego.net

Phone: 1300 753 383; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellego ;  http://twitter.com/networkceoau
linkedin.com/in/skeeve

twitter.com/networkceoau ; blog: www.network-ceo.net

The Experts Who The Experts Call
Juniper - Cisco – IBM - Brocade - Cloud
-
Check out our Juniper promotion website for Oct/Nov!  eintellego.mx
Free Apple products during this promotion!!!


Re: [c-nsp] Cisco 2851 Wiping Flash?

2012-11-27 Thread Gert Doering
Hi,

On Wed, Nov 28, 2012 at 12:00:17AM +1100, Skeeve Stevens wrote:
> Anyone know what is going on here that just saving a copy of the config
> will want to wipe the flash?

The built-in flash of the classic routers can not erase individual
files, but only erase all-in-once, so it will ask you before every write
access whether you want to do that.  You can write files without erasing,
of course, but the flash will eventually fill up and then you need to
erase all.

7200/6500/... platforms have disk style flash where you can delete
individual files just fine.

(Somewhat simplified)

gert

Re: [c-nsp] MST Experiences: was Re: Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Gert Doering
Hi,

On Tue, Nov 27, 2012 at 11:27:08PM +1100, Reuben Farrelly wrote:
> What vendors, other than Cisco, support some form of Rapid-PVST?  I

Juniper does, both on MX not-so-switches and on EX.

> believe Arista do on their switches - are there any others?  If it's
> proprietary, did Arista license it from Cisco or...?  It seems so
> patently obvious that PVST would be a smart idea, yet so few vendors
> seem to support it.  What gives?

If we do not implement it but bash Cisco for being non-standard instead,
we save money in R&D and can make it look like it's all Cisco's fault!

It *is* blatantly obvious and logical, but there is no standard document
that says you should do it that way.

gert

Re: [c-nsp] Cisco 2851 Wiping Flash?

2012-11-27 Thread Chuck Church
Does the 2851 have 'file verify auto' configured?

Chuck



[c-nsp] l2vpn me3600X to ASR9k

2012-11-27 Thread Claes Jansson

Hi!

I have stumbled across a weird problem, and would like some input on
where to dig for the answer :-)



My setup looks like this... All links are routed directly on the 
interface (/31), no MPLS over SVI.


  XX-ro-test-02 (ME3600X) -- XX-ro-test-01 (ME3600X) -- 
XX-ro-core-01 (ASR9K) -- XX-ro-core-02 (ASR9K) -- XX-ro-core-10 
(ME3600X)



The problem is that when I do an xconnect from ME3600 (tried from test-02
and test-01) to core-02 it fails. But when connecting them to core-01
or core-10 it works.

I also have connected the l2vpn bridge-domain vlan10 between core-01
and core-02 by VFI/VPLS.

Both the ASR9K and ME3600 show the xconnect as status UP.


# Software and hardware
ASR9K, running 4.2.1 no SMU's
 RSP440, LineCard, MOD80 (AIP), MPAs 1x20GE, 1x4TE
ME3600X, running 15.2(4)S1 (AdvIP)

# All devices can reach each other through lo0
# OSPF, MP-BGP and LDP running.
# l3 vpn works, even from XX-ro-core-02

# 



#
# XX-ro-core-01
# lo0 = 1.1.1.1
l2vpn
 bridge group cd
  bridge-domain vlan10
   neighbor 1.1.1.222 pw-id 555
   !
   vfi cd
    neighbor 1.1.1.2 pw-id 10
    !

#
# XX-ro-core-02
# lo0 = 1.1.1.2
l2vpn
 bridge group cd
  bridge-domain vlan10
   interface Bundle-Ether1.10
   !
   neighbor 1.1.1.222 pw-id 444
   !
   vfi cd
    neighbor 1.1.1.1 pw-id 10
    !
# Looped to bundle-ethernet1.10
RP/0/RSP0/CPU0:XX-ro-core-02#sh run int bundle-ether101.10
Tue Nov 27 10:16:44.368 CET
interface Bundle-Ether101.10
 vrf cd
 ipv4 mtu 1500
 ipv4 helper-address vrf mgmt 10.0.10.12
 ipv4 address 10.10.95.1 255.255.255.128
 encapsulation dot1q 10
!
# Looped to bundle-ethernet101.10
RP/0/RSP0/CPU0:XX-ro-core-02#sh run int bundle-ether1.10
Tue Nov 27 10:16:49.155 CET
interface Bundle-Ether1.10 l2transport
 encapsulation dot1q 10 exact
 rewrite ingress tag pop 1 symmetric
!


# XX-ro-test-02
#lo0 1.1.1.222

interface GigabitEthernet0/11
 switchport trunk allowed vlan none
 switchport mode trunk
 service instance 444 ethernet
  description test
  encapsulation dot1q 444
  rewrite ingress tag pop 1 symmetric
  bridge-domain 444
!
## TEST SETUP, FAILING!
interface Vlan444
 no ip address
 xconnect 1.1.1.2 444 encapsulation mpls
!

XX-ro-test-01#sh mac address-table vlan 444

 444    0025.9065.1de8    DYNAMIC     Gi0/11+Efp444
 444    0025.906e.73c5    DYNAMIC     Gi0/11+Efp444
 444    6c9c.ed3f.a842    DYNAMIC     1.137.102.28, 258821064
# This ALWAYS shows as a seemingly random ip and pw-id...


Although ping fails, I can see packets (ping) from the ASR to the
end-host (tcpdump).

And ARP records show up as they should in both the ASR and the end host.

But!
Every 4 minutes, 7 (seven) ICMP ping replies go through...
64 bytes from 10.10.95.1: icmp_req=6144 ttl=255 time=0.811 ms
64 bytes from 10.10.95.1: icmp_req=6145 ttl=255 time=0.974 ms
64 bytes from 10.10.95.1: icmp_req=6146 ttl=255 time=0.841 ms
64 bytes from 10.10.95.1: icmp_req=6147 ttl=255 time=0.890 ms
64 bytes from 10.10.95.1: icmp_req=6148 ttl=255 time=0.835 ms
64 bytes from 10.10.95.1: icmp_req=6149 ttl=255 time=0.871 ms
64 bytes from 10.10.95.1: icmp_req=6150 ttl=255 time=0.825 ms
!
64 bytes from 10.10.95.1: icmp_req=6400 ttl=255 time=0.914 ms
64 bytes from 10.10.95.1: icmp_req=6401 ttl=255 time=0.846 ms
64 bytes from 10.10.95.1: icmp_req=6402 ttl=255 time=0.866 ms
64 bytes from 10.10.95.1: icmp_req=6403 ttl=255 time=2.12 ms
64 bytes from 10.10.95.1: icmp_req=6404 ttl=255 time=0.837 ms
64 bytes from 10.10.95.1: icmp_req=6405 ttl=255 time=0.903 ms
64 bytes from 10.10.95.1: icmp_req=6406 ttl=255 time=0.801 ms

Weird or what..?


# TEST SETUP, WORKING!

interface Vlan444
 no ip address
 xconnect 1.1.1.1 555 encapsulation mpls
!
XX-ro-test-01#sh mac address-table vlan 444
 444    0025.9065.1de8    DYNAMIC     Gi0/11+Efp444
 444    0025.906e.73c5    DYNAMIC     Gi0/11+Efp444
 444    6c9c.ed3f.a842    DYNAMIC     1.1.1.1, 555
# This sometimes shows as a seemingly random ip and pw-id. But it can be
# reset by removing int vlan444 and adding it again with the exact same
# config. Although even with a random ip/pw-id traffic flows...


Tnx!

//Claes




Re: [c-nsp] Cisco 2851 Wiping Flash?

2012-11-27 Thread Skeeve Stevens
Nope.

show run all | i verify

nothing... on the 2821 and the 2851.



On Wed, Nov 28, 2012 at 12:45 AM, Chuck Church chuckchu...@gmail.com wrote:

> Does the 2851 have 'file verify auto' configured?
>
> Chuck



Re: [c-nsp] Cisco 2851 Wiping Flash?

2012-11-27 Thread Skeeve Stevens
I know what it did... the question was WHY between a 2821 and 2851 it acts
differently.




On Wed, Nov 28, 2012 at 12:10 AM, Martin Moens
mmo...@globecomm-europe.com wrote:

> If you do *not* answer 'No' to the question 'Erase flash: before copying?
> [confirm]' it will erase the flash...
> IOS warned you twice
>
> Martin

 


Re: [c-nsp] l2vpn me3600X to ASR9k

2012-11-27 Thread Adam Vitkovsky
What does the sh l2vpn bridge-domain det or sh l2vpn bridge-domain int det
say?

adam


Re: [c-nsp] l2vpn me3600X to ASR9k

2012-11-27 Thread Claes Jansson
Here is the output, currently running from XX-ro-test-01 switch, not 
XX-ro-test-02 as in the initial output.


//Claes

#
# ME3600X
#
XX-ro-test-01#sh mpls l2transport vc detail
Local interface: Vl444 up, line protocol up, Eth VLAN 444 up
  Interworking type is Ethernet
  Destination address: 1.1.1.2, VC ID: 444, VC status: up
Output interface: Te0/1, imposed label stack {16000 16015}
Preferred path: not configured
Default path: active
Next hop: 1.1.2.2
  Create time: 04:11:03, last status change time: 04:10:57
Last label FSM state change time: 04:10:57
Last peer autosense occurred at: 04:10:57
  Signaling protocol: LDP, peer 1.1.1.2:0 up
Targeted Hello: 1.1.1.221(LDP Id) - 1.1.1.2, LDP is UP
Status TLV support (local/remote)   : enabled/supported
  LDP route watch   : enabled
  Label/status state machine: established, LruRru
  Last local dataplane   status rcvd: No fault
  Last BFD dataplane status rcvd: Not sent
  Last BFD peer monitor  status rcvd: No fault
  Last local AC  circuit status rcvd: No fault
  Last local AC  circuit status sent: No fault
  Last local PW i/f circ status rcvd: No fault
  Last local LDP TLV status sent: No fault
  Last remote LDP TLV    status rcvd: No fault
  Last remote LDP ADJ    status rcvd: No fault
MPLS VC labels: local 26, remote 16015
Group ID: local 0, remote 4
MTU: local 1500, remote 1500
Remote interface description: Access PW
  Sequencing: receive disabled, send disabled
  Control Word: Off (configured: autosense)
  Dataplane:
SSM segment/switch IDs: 8219/4121 (used), PWID: 8
  VC statistics:
transit packet totals: receive 2293, send 19143
transit byte totals:   receive 203612, send 3547582
transit packet drops:  receive 0, seq error 0, send

#
# ASR
#
RP/0/RSP0/CPU0:XX-ro-core-02#sh l2vpn bridge-domain bd-name vlan10 detail
Tue Nov 27 15:42:32.432 CET
Legend: pp = Partially Programmed.
Bridge group: canaldigital, bridge-domain: vlan10, id: 4, state: up, 
ShgId: 0, MSTi: 0

  Coupled state: disabled
  MAC learning: enabled
  MAC withdraw: enabled
MAC withdraw for Access PW: enabled
MAC withdraw sent on bridge port down: disabled
  Flooding:
Broadcast  Multicast: enabled
Unknown unicast: enabled
  MAC aging time: 300 s, Type: inactivity
  MAC limit: 4000, Action: none, Notification: syslog
  MAC limit reached: no
  MAC port down flush: enabled
  MAC Secure: disabled, Logging: disabled
  Split Horizon Group: none
  Dynamic ARP Inspection: disabled, Logging: disabled
  IP Source Guard: disabled, Logging: disabled
  DHCPv4 snooping: disabled
  IGMP Snooping profile: none
  Bridge MTU: 1500
  MIB cvplsConfigIndex: 5
  Filter MAC addresses:
  Create time: 23/11/2012 14:38:00 (4d01h ago)
  No status change since creation
  ACs: 1 (1 up), VFIs: 1, PWs: 3 (2 up), PBBs: 0 (0 up)
  List of ACs:
AC: Bundle-Ether1.10, state is up
  Type VLAN; Num Ranges: 1
  VLAN ranges: [10, 10]
  MTU 1500; XC ID 0xa009; interworking none
  MAC learning: enabled
  Flooding:
Broadcast  Multicast: enabled
Unknown unicast: enabled
  MAC aging time: 300 s, Type: inactivity
  MAC limit: 4000, Action: none, Notification: syslog
  MAC limit reached: no
  MAC port down flush: enabled
  MAC Secure: disabled, Logging: disabled
  Split Horizon Group: none
  Dynamic ARP Inspection: disabled, Logging: disabled
  IP Source Guard: disabled, Logging: disabled
  DHCPv4 snooping: disabled
  IGMP Snooping profile: none
  Storm Control: disabled
  Static MAC addresses:
  Statistics:
packets: received 41606, sent 13575
bytes: received 2989424, sent 3747002
  Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
  Dynamic ARP inspection drop counters:
packets: 0, bytes: 0
  IP source guard drop counters:
packets: 0, bytes: 0
  List of Access PWs:
PW: neighbor 1.1.1.221, PW ID 444, state is up ( established )
  PW class not set, XC ID 0xc00b
  Encapsulation MPLS, protocol LDP
  Source address 1.1.1.2
  PW type Ethernet, control word disabled, interworking none
  PW backup disable delay 0 sec
  Sequencing not set

  PW Status TLV in use
    MPLS          Local                     Remote
    ------------  ------------------------  ------------------------
    Label         16015                     26
    Group ID      0x4                       0x0
    Interface     Access PW                 unknown
    MTU           1500                      1500
    Control word  disabled                  disabled
    PW type       Ethernet                  Ethernet
    VCCV CV type  0x2                       0x12
                  (LSP ping verification)   (LSP ping verification)
    VCCV CC type  0x6                       0x2
                  (router alert label)      (router alert label)
                  (TTL expiry)
 

[c-nsp] Sup-720 Spurious / Traceback

2012-11-27 Thread Robert Williams
Hi All,

Just experienced a load of these on one of our 6500/Sup-7203BXL units:

15:13:01.373 GMT: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x40D42728 
reading 0x8
15:13:01.373 GMT: %ALIGN-3-TRACE: -Traceback= 40D42728 40D425B4 40D42618 
418D8C74 40306030 40306970 4030A2FC 4313B13C
15:13:01.373 GMT: %ALIGN-3-TRACE: -Traceback= 40D42748 40D425B4 40D42618 
418D8C74 40306030 40306970 4030A2FC 4313B13C
15:13:01.373 GMT: %ALIGN-3-TRACE: -Traceback= 40D42754 40D425B4 40D42618 
418D8C74 40306030 40306970 4030A2FC 4313B13C
15:13:01.373 GMT: %ALIGN-3-TRACE: -Traceback= 40D42760 40D425B4 40D42618 
418D8C74 40306030 40306970 4030A2FC 4313B13C
15:13:01.373 GMT: %ALIGN-3-TRACE: -Traceback= 40D4276C 40D425B4 40D42618 
418D8C74 40306030 40306970 4030A2FC 4313B13C
15:13:01.373 GMT: %ALIGN-3-TRACE: -Traceback= 43142C78 40D3867C 418D8C8C 
40306030 40306970 4030A2FC 4313B13C 4030B854

Debugging docs say to run this next:

#show alignment
No alignment data has been recorded.

Total Spurious Accesses 2088, Recorded 18

Address  Count  Traceback
      8    226  0x40D42728 0x40D425B4 0x40D42618 0x418D8C74
                0x40306030 0x40306970 0x4030A2FC 0x4313B13C
      C    226  0x40D42748 0x40D425B4 0x40D42618 0x418D8C74
                0x40306030 0x40306970 0x4030A2FC 0x4313B13C
     10    226  0x40D42754 0x40D425B4 0x40D42618 0x418D8C74
                0x40306030 0x40306970 0x4030A2FC 0x4313B13C
     14    226  0x40D42760 0x40D425B4 0x40D42618 0x418D8C74
                0x40306030 0x40306970 0x4030A2FC 0x4313B13C
      8    226  0x40D4276C 0x40D425B4 0x40D42618 0x418D8C74
                0x40306030 0x40306970 0x4030A2FC 0x4313B13C
      8    678  0x43142C78 0x40D3867C 0x418D8C8C 0x40306030
                0x40306970 0x4030A2FC 0x4313B13C 0x4030B854
      8      9  0x40D42728 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4036EDC0
      C      9  0x40D42748 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4036EDC0
     10      9  0x40D42754 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4036EDC0
     14      9  0x40D42760 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4036EDC0
      8      9  0x40D4276C 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4036EDC0
      8     27  0x43142C78 0x40D3867C 0x418D8C8C 0x403052CC
                0x403062A0 0x40306970 0x4036EDC0 0x4036F1BC
      8     26  0x40D42728 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4030A2FC
      C     26  0x40D42748 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4030A2FC
     10     26  0x40D42754 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4030A2FC
     14     26  0x40D42760 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4030A2FC
      8     26  0x40D4276C 0x40D425B4 0x40D42618 0x418D8C74
                0x403052CC 0x403062A0 0x40306970 0x4030A2FC
      8     78  0x43142C78 0x40D3867C 0x418D8C8C 0x403052CC
                0x403062A0 0x40306970 0x4030A2FC 0x4313B13C

However it has _not_ logged any of these others as traces or spurious accesses?

I’ve just checked all our other chassis and none of them show anything under 
‘show alignment’ - i.e. all zero counters.

So we’ve never had this before (we have a lot of these in service) and I’m just 
curious what thoughts anyone has. Standard documentation says to upgrade IOS 
and/or log with TAC.

It’s running 12.2(33)SXJ3 so we can upgrade to SXJ4, which was recently marked 
as a ‘safe’ release. I’m curious though if people think this is likely to be 
hardware related or a software bug. Again, documentation suggests a software 
issue, but to have suddenly seen it on one chassis without warning I’m a little 
sceptical. It’s still performing fine and I’d rather not waste a reload if it’s 
unlikely to actually fix anything. Only related events were a couple of 3rd 
party IPv6 BGP sessions reset about 1 minute prior to the most recent events. 
Not sure if that can be related though, but worth mentioning.

Any advice or pointers appreciated!

Cheers all,

Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: rob...@custodiandc.com
http://www.custodiandc.com/disclaimer.txt




Re: [c-nsp] Sup-720 Spurious / Traceback

2012-11-27 Thread Phil Mayers

On 27/11/12 16:21, Robert Williams wrote:

> Hi All,
>
> Just experienced a load of these on one of our 6500/Sup-7203BXL
> units:


I've seen those occasionally. We reliably get them just after a reload.

I think they're often cosmetic.


> So we’ve never had this before (we have a lot of these in service)
> and I’m just curious what thoughts anyone has. Standard documentation
> says to upgrade IOS and/or log with TAC.
>
> It’s running 12.2(33)SXJ3 so we can upgrade to SXJ4, which was
> recently marked as a ‘safe’ release. I’m curious though if people
> think this is likely to be hardware related or a software bug. Again,
> documentation suggests a software issue, but to have suddenly seen it
> on one chassis without warning I’m a little sceptical. It’s still
> performing fine and I’d rather not waste a reload if it’s unlikely to
> actually fix anything. Only related events were a couple of 3rd party
> IPv6 BGP sessions reset about 1 minute prior to the most recent
> events. Not sure if that can be related though, but worth
> mentioning.


I think it's probably a code bug that triggers a protective/cosmetic 
error. We've never had any problems ignoring them - on this platform, at 
least. Maybe different on others.



Re: [c-nsp] Sup-720 Spurious / Traceback

2012-11-27 Thread Jared Mauch

On Nov 27, 2012, at 11:21 AM, Robert Williams wrote:

> Any advice or pointers appreciated!

So, when you see these alignment errors or tracebacks, they are always a 
software defect.  Typically this is something doing bogus pointer math, but the 
event was non-fatal.  (As compared to an ALIGN-1-FATAL message).

Take this entry:

Address  Count  Traceback
      8    226  0x40D42728 0x40D425B4 0x40D42618 0x418D8C74
                0x40306030 0x40306970 0x4030A2FC 0x4313B13C

Someone (with that stack trace) was trying to look at the memory at 0x8, and 
did 226 times for that stack trace.  This is likely code that does something 
like this:

struct somestruct *foo = NULL;
printf("%s\n", foo->bar);

but since foo is null, and bar is located 8 bytes in a normal struct of type 
'somestruct' you get that address.

With a better 'show version' Cisco should be able to identify if it is a known 
defect or a new one.

You should open a case and IMHO cisco should at least triage it even if you 
don't have support so the defect can be fixed for other customers.

The output decoder/interpreter may also be able to diagnose this as it will 
decode the stack trace and match against known public bugs.

Hope this helps.

- Jared
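
The address arithmetic described above, as an added example that is not part of the post and not IOS code: `struct somestruct` keeps the name used in the post, but its members and 4-byte layout are assumptions chosen so that fields land on 0x8, 0xC, 0x10 and 0x14, the addresses in the `show alignment` output. It maps each faulting address back to a member, totals the posted Count column per address, and shows the NULL check that avoids the read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (assumption): 4-byte members so that fields fall on
 * 0x8, 0xC, 0x10 and 0x14, the addresses listed by "show alignment". */
struct somestruct {
    uint32_t hdr0;   /* 0x00 */
    uint32_t hdr1;   /* 0x04 */
    uint32_t bar;    /* 0x08 */
    uint32_t baz;    /* 0x0C */
    uint32_t qux;    /* 0x10 */
    uint32_t quux;   /* 0x14 */
};

struct field { const char *name; size_t off; size_t len; };

#define FIELD(m) { #m, offsetof(struct somestruct, m), \
                   sizeof(((struct somestruct *)0)->m) }
static const struct field fields[] = {
    FIELD(hdr0), FIELD(hdr1), FIELD(bar), FIELD(baz), FIELD(qux), FIELD(quux),
};
#define NFIELDS (sizeof fields / sizeof fields[0])

/* A load of foo->member with foo == NULL touches address 0 + offset.
 * Returns the member covering addr, or NULL if addr is outside the struct. */
const char *member_at_fault_address(uintptr_t addr)
{
    for (size_t i = 0; i < NFIELDS; i++)
        if (addr >= fields[i].off && addr < fields[i].off + fields[i].len)
            return fields[i].name;
    return NULL;
}

/* Address and Count columns of the 18 rows posted in the thread
 * (traceback PCs omitted). */
static const char *rows[] = {
    "8 226", "C 226", "10 226", "14 226", "8 226", "8 678",
    "8 9",   "C 9",   "10 9",   "14 9",   "8 9",   "8 27",
    "8 26",  "C 26",  "10 26",  "14 26",  "8 26",  "8 78",
};

/* Sum the Count column for one faulting address.
 * Passing UINTPTR_MAX sums every row. */
unsigned long accesses_for(uintptr_t addr)
{
    unsigned long total = 0;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        unsigned long a, count;
        if (sscanf(rows[i], "%lx %lu", &a, &count) != 2)
            continue;                       /* skip malformed rows */
        if (addr == UINTPTR_MAX || a == addr)
            total += count;
    }
    return total;
}

/* Hardened read: reject the NULL base instead of loading from 0x8. */
int read_bar(const struct somestruct *foo, uint32_t *out)
{
    if (foo == NULL || out == NULL)
        return -1;
    *out = foo->bar;
    return 0;
}

int main(void)
{
    static const uintptr_t seen[] = { 0x8, 0xC, 0x10, 0x14 };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        const char *m = member_at_fault_address(seen[i]);
        printf("0x%lX -> foo->%s, %lu accesses\n", (unsigned long)seen[i],
               m ? m : "(outside struct)", accesses_for(seen[i]));
    }
    printf("total %lu\n", accesses_for(UINTPTR_MAX));

    uint32_t v;
    printf("read_bar(NULL) = %d\n", read_bar(NULL, &v));
    return 0;
}
```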


Re: [c-nsp] Cisco 2851 Wiping Flash?

2012-11-27 Thread Jay Hennigan
On 11/27/12 5:00 AM, Skeeve Stevens wrote:
> Hey guys,

[snip]

> ===
>
> *On the 2851 I can't:*
>
> BDR-A#copy run q
> Destination filename [q]?
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device...
> ee
> ...erased
> Erase of flash: complete

Type the letter n (as in no) when asked to confirm erasure.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


[c-nsp] Wake on Lan over layer 3 hops

2012-11-27 Thread Scott Voll
I need to be able to send a magic packet over three layer 3 hops.  Can this
be done?  all I'm finding is an ip directed broadcast on a simple layer 3
switch.

How do you do it over multiple router hops?

TIA

Scott


Re: [c-nsp] Wake on Lan over layer 3 hops

2012-11-27 Thread Saku Ytti
On (2012-11-27 11:44 -0800), Scott Voll wrote:

> I need to be able to send a magic packet over three layer 3 hops.  Can this
> be done?  all I'm finding is an ip directed broadcast on a simple layer 3
> switch.

You send it to L3 broadcast address, which will make the edge router send
it as l2 broadcast.
Remember to enable directed-broadcast forwarding with ACL, allowing only
the WOL originating host.

-- 
  ++ytti


Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Chuck Church
Just curious, is the VLAN mapping to instances the big issue you guys have
with MST?  In our deployments we used pretty large ranges to cover growth,
and mapped purposes such as L2-only VLANs (no SVI), servers, users, VoIP,
etc into separate instances, worked pretty solidly.   Except when Nexus
changes the mappings on you because some are reserved that is...

Chuck


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Tuesday, November 27, 2012 5:47 AM
To: Phil Mayers
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and
Ciscos

Hi,

On Tue, Nov 27, 2012 at 10:30:00AM +, Phil Mayers wrote:
> Normally I'm not a big fan of proprietary protocols, but MST is so
> awesomely sucky for Campus environments (map all your VLANs to
> instances before you start, and never change it - yeah, right!) that
> we mandate Cisco compatible PVST in all our edge.

MST is equally awesome sucky for datacenter :-)

(R-)PVST here as well, or flexlink style dual-uplinks where possible.

gert
--
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de



Re: [c-nsp] MST Experiences: was Re: Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Nicolas KARP
Hello,

MST is a really good ***not*** proprietary protocol.. You just need to
understand how it works and how you can interconnect your regions all
together (not very straightforward I agree)

If you just have independent Layer 2 areas, you can create something like
that (on all your layer 2 domains)

region area1 / area2 / area3 / ...
instance 0 : no vlan (just used to avoid loop between regions)
instance 1 : vlan 1 to 2050
instance 2 : vlan 2051 to 4095

root of instance 0 should be forced somewhere on your network.
root of instance 1 will be core1 on each area
root of instance 2 will be core2 on each area

So if you do that, you just have to pick one vlan from the list (instance 1
or instance 2) and that's it.

Best Regards,

Nicolas.


Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Gert Doering
Hi,

On Tue, Nov 27, 2012 at 03:22:27PM -0500, Chuck Church wrote:
> Just curious, is the VLAN mapping to instances the big issue you guys have
> with MST?  In our deployments we used pretty large ranges to cover growth,
> and mapped purposes such as L2-only VLANs (no SVI), servers, users, VoIP,
> etc into separate instances, worked pretty solidly.   Except when Nexus
> changes the mappings on you because some are reserved that is...

This link is full, I want *that* VLAN to go over *there* as preferred
path.  Blam, MST topology change, game over.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] MST Experiences: was Re: Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Gert Doering
Hi,

On Tue, Nov 27, 2012 at 10:11:18PM +0100, Nicolas KARP wrote:
> MST is a really good ***not*** proprietary protocol.. You just need to
> understand how it works and how you can interconnect your regions all
> together (not very straightforward I agree)
>
> If you just have independent Layer 2 area's, you can create something like
> that (on all your layer 2 domain)
>
> region area1 / area2 / area3 / ...
> instance 0 : no vlan (just used to avoid loop between regions)
> instance 1 : vlan 1 to 2050
> instance 2 : vlan 2051 to 4095

Yeah, we have read the textbook, too.

Get this deployed in a real world network, where requirements change every
few days or weeks, and then come back, telling us that MST is really good :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Sup-720 Spurious / Traceback

2012-11-27 Thread Robert Williams
Hi,

Thanks for the feedback people, we'll log a TAC for it anyway if it may help 
locate the bug - but won't rush for a reload now since it seems to be 
performing just fine. It's set to reload with SXJ4, so it will boot that in the 
next available window for it.

Cheers again!


Robert Williams
Backline / Operations Team
Custodian DataCentre
tel: +44 (0)1622 230382
email: rob...@custodiandc.com
http://www.custodiandc.com/disclaimer.txt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: 27 November 2012 16:29
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Sup-720 Spurious / Traceback

On 27/11/12 16:21, Robert Williams wrote:
> Hi All,
>
> Just experienced a load of these on one of our 6500/Sup-7203BXL
> units:

I've seen those occasionally. We reliably get them just after a reload.

I think they're often cosmetic.

> So we've never had this before (we have a lot of these in service) and
> I'm just curious what thoughts anyone has. Standard documentation says
> to upgrade IOS and/or log with TAC.
>
> It's running 12.2(33)SXJ3 so we can upgrade to SXJ4, which was
> recently marked as a 'safe' release. I'm curious though if people
> think this is likely to be hardware related or a software bug. Again,
> documentation suggests a software issue, but to have suddenly seen it
> on one chassis without warning I'm a little sceptical. It's still
> performing fine and I'd rather not waste a reload if it's unlikely to
> actually fix anything. Only related events were a couple of 3rd party
> IPv6 BGP sessions reset about 1 minute prior to the most recent
> events. Not sure if that can be related though, but worth mentioning.

I think it's probably a code bug that triggers a protective/cosmetic error. 
We've never had any problems ignoring them - on this platform, at least. Maybe 
different on others.


Re: [c-nsp] mpls ping directly-connected?

2012-11-27 Thread Tim Durack
On Mon, Nov 19, 2012 at 4:33 PM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Mon, Nov 19, 2012 at 03:55:23PM -0500, Tim Durack wrote:
  Thanks, that gives me something to look at. (C6K running 12.2(33)SXI6.)

  (I'm curious to hear how you get this solved in the end.  Something
 new to learn :) ).


Ended up punting to a maintenance window. Still find it hard to believe
there is no easy test for this.

-- 
Tim:


Re: [c-nsp] Wake on Lan over layer 3 hops

2012-11-27 Thread Randy
--- On Tue, 11/27/12, Saku Ytti s...@ytti.fi wrote:

> From: Saku Ytti s...@ytti.fi
> Subject: Re: [c-nsp] Wake on Lan over layer 3 hops
> To: cisco-nsp@puck.nether.net
> Date: Tuesday, November 27, 2012, 12:02 PM
> On (2012-11-27 11:44 -0800), Scott Voll wrote:
>
> > I need to be able to send a magic packet over three layer 3 hops.  Can this
> > be done?  all I'm finding is an ip directed broadcast on a simple layer 3
> > switch.
>
> You send it to L3 broadcast address, which will make the edge router send
> it as l2 broadcast.
> Remember to enable directed-broadcast forwarding with ACL, allowing only
> the WOL originating host.
>
> --
>   ++ytti

umm..since it is over three L3 hops, wouldn't OP also need - 
ip helper-address broadcast ip of dest_subnet at the source in addition to 
the above?

./Randy



Re: [c-nsp] Wake on Lan over layer 3 hops

2012-11-27 Thread Peter Rathlev
On Tue, 2012-11-27 at 13:55 -0800, Randy wrote:
> umm..since it is over three L3 hops, wouldn't OP also need -
> ip helper-address broadcast ip of dest_subnet at the source in
> addition to the above?

Have the WoL management station use the subnet broadcast address as
destination instead of the limited broadcast address. With the suggested
helper-address configuration you'd send all WoL packets to all of your
networks every time. And with many hundred access networks the interface
configuration wouldn't scale.

-- 
Peter




[c-nsp] ASA 8.4 VPN config help

2012-11-27 Thread Jeff Rooney
I'm trying to configure a remote office and have run into a roadblock that
I'm hoping someone will be able to help with. I have configured a few
remote VPNs using ASAs in the past but always on pre 8.3 code without any
issues...so I'm sure it's just something minor that I'm missing.

The setup is fairly basic, I'm trying to set up a p2p vpn between our main
office (pix firewalls) and remote office (asa5510 pair). Hosts will connect
from the main office to the remote site for pop3 and smtp access.

I currently have the remote office up and am able to use the ipsec vpn
client to connect and access the internal network on the remote side. Once
I add the peer config and bring up the p2p vpn by connecting to the smtp
server on the remote side via the vpn it works just fine, however, I lose
my ability to use the ipsec client. The ipsec client connects just fine,
but I am unable to access any of the resources I was able to prior to
bringing up the peer. If I remove the cryptomap set peer statement bringing
down the p2p vpn, the ipsec client starts working again. The main office
site has a few other connections like this and they work just fine, it's
just my one site with 8.4 code running that is causing trouble...I think it
might have to do with my identity nat statement but after fiddling for a
few hours a second set of eyes would be helpful.

10.1.0.0/16 is at the main office whereas 10.2.0.0/16 is at the remote
side.

Here is trimmed configuration that is running on the remote side.
ASA Version 8.4(3)12
!
hostname edge-vpn
domain-name remote.test.com
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.4 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.254.4 255.255.255.0
!
interface Ethernet0/2
 description STATE Failover Interface
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa843-12-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network remote-clients
 subnet 192.168.1.0 255.255.255.0
object network local-resources
 subnet 10.2.0.0 255.255.0.0
access-list acl_vpn_tunnel standard permit 10.2.0.0 255.255.0.0
access-list l2l_ros extended permit tcp host 10.2.0.24 eq pop3 host 10.1.40.17
access-list l2l_ros extended permit tcp host 10.2.0.24 eq smtp host 10.1.40.17
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ip_vpn_admin 192.168.1.0-192.168.1.15
nat (inside,outside) source static remote-clients remote-clients destination static local-resources local-resources no-proxy-arp
route outside 0.0.0.0 0.0.0.0 65.x.x.1 1
route inside 10.2.0.0 255.255.0.0 10.2.254.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
service resetoutside
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set l2lvpn esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto map mymap 25 match address l2l_ros
crypto map mymap 25 set peer 60.y.y.233
crypto map mymap 25 set ikev1 transform-set l2lvpn
crypto map mymap 25 set nat-t-disable
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy vpn_admin internal
group-policy vpn_admin attributes
 dns-server value 10.1.40.17
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_vpn_tunnel
 default-domain value remote.test.com
username user1 password ** encrypted
username user1 attributes
 group-lock value Ops
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group 60.y.y.233 type ipsec-l2l
tunnel-group 60.y.y.233 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group Ops type remote-access
tunnel-group Ops general-attributes
 address-pool ip_vpn_admin
 default-group-policy vpn_admin
 authorization-required
tunnel-group Ops ipsec-attributes
 ikev1 trust-point remote.test.trustpoint
 isakmp keepalive threshold 60 retry 10


Thank you in advance for any pointers.
Jeff


Re: [c-nsp] Wake on Lan over layer 3 hops

2012-11-27 Thread Scott Voll
Thanks all.  it ended up being the ACL didn't include the WoL server

Scott


On Tue, Nov 27, 2012 at 2:12 PM, Peter Rathlev pe...@rathlev.dk wrote:

> On Tue, 2012-11-27 at 13:55 -0800, Randy wrote:
> > umm..since it is over three L3 hops, wouldn't OP also need -
> > ip helper-address broadcast ip of dest_subnet at the source in
> > addition to the above?
>
> Have the WoL management station use the subnet broadcast address as
> destination instead of the limited broadcast address. With the suggested
> helper-address configuration you'd send all WoL packets to all of your
> networks every time. And with many hundred access networks the interface
> configuration wouldn't scale.
>
> --
> Peter




Re: [c-nsp] MST Experiences: was Re: Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-27 Thread Phil Mayers
As Gert says - I understand mst just fine, thanks. It's just completely 
unsuitable for our needs, and by the sound of it, others too.

It's also a solution looking for a problem. Even puny 600mhz cpu in sup720 can 
handle vast numbers of vports with no appreciable load, afaict.

I'm sure there are topologies in which mst is suitable - the designers can't 
have been idiots - but not any topology I've ever needed to run.


Nicolas KARP li...@karp.fr wrote:

> Hello,
>
> MST is a really good ***not*** proprietary protocol.. You just need to
> understand how it works and how you can interconnect your regions all
> together (not very straightforward I agree)
>
> If you just have independent Layer 2 area's, you can create something like
> that (on all your layer 2 domain)
>
> region area1 / area2 / area3 / ...
> instance 0 : no vlan (just used to avoid loop between regions)
> instance 1 : vlan 1 to 2050
> instance 2 : vlan 2051 to 4095
>
> root of instance 0 should be forced somewhere on your network.
> root of instance 1 will be core1 on each area
> root of instance 2 will be core2 on each area
>
> So if you do that, you just have to pick one vlan from the list (instance 1
> or instance 2) and that's it.
>
> Best Regards,
>
> Nicolas.

-- 
Sent from my mobile device, please excuse brevity and typos.


[c-nsp] non-wrapping snmp uptime?

2012-11-27 Thread Charles Sprickman
I suspect the answer is no, but is there a 64-bit uptime value available via 
snmp in IOS?  Specifically on older gear like a 3550?

The 32-bit counter wrapping at 470-some days caused some mild panic.

Thanks,

Charles
-- 
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
sp...@bway.net - 212.655.9344






