Re: [c-nsp] Cisco 6506E 4Byte ASN IOS Support

2016-04-07 Thread Jon Lewis

On Thu, 7 Apr 2016, Jason Berenson wrote:


> Greetings,
>
> We're currently running a handful of 6506E's in our network for edge routers.
> We're running this IOS:
>
> s72033-advipservicesk9_wan-mz.122-18.SXF6.bin
>
> I need to upgrade it to support 4Byte ASN's.  We're running some basic
> BGP/OSPF with 10G interfaces and full tables.  If anyone has any
> recommendations on which IOS to upgrade to I'd greatly appreciate it.
>
> Looking for stability over everything and 4Byte ASN support.


s72033-advipservicesk9_wan-mz.122-33.SXI8.bin

Good luck with the reboots.  You are aware of the "bad memory" issue you 
might run into causing cards working today to not make it through a 
reload?


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] blackholed traffic on ether-channel

2016-04-07 Thread Hunter Fuller
Look out for SY2!! We were on that release when we rolled out our
Cat6807s in 2014 but there was a gross bug where a malformed mDNS
packet could crash the sup! We had a quad-sup VSS at this time and it
crashed all four within a minute! I'm unsure if this was VSS specific
but I did get confirmation that it wasn't quad-sup specific.

We are now on 15.1(2)SY4 and life is good... for now...

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure


On Thu, Apr 7, 2016 at 3:29 AM, Mark Tinka wrote:
>
>
> On 7/Apr/16 10:14, Holemans Wim wrote:
>
>>
>> As a solution the page points to 3 new software releases :
>> Known Fixed Releases: (3)
>> 15.2(1)SY1.118
>> 15.3(1)IE101.312
>> 15.4(1)IA1.22
>> Of these 3 releases none is available for download ? There is even no
>> 15.3 or 15.4 train available in the download software page...
>
> Cisco normally publish future releases as being fixed before the
> releases become physically available. It is just a commitment from the
> BU to say in which release a bug is going to get fixed. When the release
> actually becomes available is orthogonal to the bug details.
>
>> Anyone has an idea where I can find a software release in which this problem 
>> is fixed so I can install this before activating these switches on our 
>> network ?
>
> We started using this platform back in 2014.
>
> We are using the code that was the only one available back then -
> 15.1(2)SY2 - without any issue.
>
> We were actually just about to start a round of upgrades to the latest
> stable release, but after seeing this thread, best to wait.
>
> In all fairness, we are running the switches as pure Layer 2 core
> devices, but with lots of 10Gbps LACP links. No issues with that since 2014.
>
> If you don't have any features that require anything beyond 15.1(2)SY2,
> I'd suggest trying this if there aren't any defects in it worth noting
> for your environment.
>
> Mark.


Re: [c-nsp] Cisco 6506E 4Byte ASN IOS Support

2016-04-07 Thread Gert Doering
Hi,

On Thu, Apr 07, 2016 at 12:15:16PM -0700, Jason Berenson wrote:
> We're currently running a handful of 6506E's in our network for edge 
> routers.  We're running this IOS:
> 
> s72033-advipservicesk9_wan-mz.122-18.SXF6.bin

This is slightly prehistoric...

We're fairly happy with 15.1(2)SY4 and with 12.2(33)SXI14.  

Both support 4byte-ASNs and the usual 6500 stuff (Sup720-10G here).

Caveat: there's a couple of Cisco PSIRT advisories that both versions
*are* affected by - so if you upgrade anyway, go for 15.1(2)SY7 or see
if the issues in SXI affect you.  There seems to be no SXI release that
has everything fixed, so you could give SXJ a try - but I have no personal
experience with recent SXJ versions (early ones were not very stable).

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025             g...@net.informatik.tu-muenchen.de



[c-nsp] Cisco 6506E 4Byte ASN IOS Support

2016-04-07 Thread Jason Berenson

Greetings,

We're currently running a handful of 6506E's in our network for edge 
routers.  We're running this IOS:


s72033-advipservicesk9_wan-mz.122-18.SXF6.bin

I need to upgrade it to support 4Byte ASN's.  We're running some basic 
BGP/OSPF with 10G interfaces and full tables.  If anyone has any 
recommendations on which IOS to upgrade to I'd greatly appreciate it.


Looking for stability over everything and 4Byte ASN support.

Thanks!

Jason.


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Sebastian Beutel
Hi Phil,
hi List,

On Thu, Apr 07, 2016 at 01:03:24PM +0100, Phil Mayers wrote:
> On 06/04/16 17:16, Sebastian Beutel wrote:
> 
> >What do you think: Is this a bug?
> 
> As others have said: IOS defaults are, largely, insane for 2016.
> 
> We have:
> 
> no ip forward-protocol nd
> no ip forward-protocol udp tftp
> no ip forward-protocol udp nameserver
> no ip forward-protocol udp domain
> no ip forward-protocol udp time
> no ip forward-protocol udp netbios-ns
> no ip forward-protocol udp netbios-dgm
> no ip forward-protocol udp tacacs
> 
> ...amongst other things in our standard IOS config.
> 
> It's one more tedious part of modern IT - reaping the "benefits" of
> compatibility with the very best the 1980s had to offer.
>
To me the "Cisco IOS IP Application Services Command Reference" is a little
blurry: 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/command/iap-cr-book/iap-i1.html#wp1776761080

If I get it right, enabling an ip helper on an interface enables forwarding
of a list of stuff. Furthermore the global "ip forward-protocol udp"
(without any protocol name) enables forwarding all of this on any interface.
I suppose that it's very naive to assume that the lines you wrote could be
replaced by this:

no ip forward-protocol udp
ip forward-protocol udp bootpc
ip forward-protocol udp bootps

But the thing that keeps me puzzled is that only "ip forward-protocol nd"
appears in a "sho run" of a default virgin configuration and none of the
above does. Not even in a "sho run {all|full}". Why exactly this and none of
the others?

Best, Sebastian.


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Stephen Stuart
> On 07/04/16 13:06, Nick Cutting wrote:
> > The whizzkids often used a connection to the super-unprotected LAN to
> > get themselves out of a locked room while they were being held
> > captive by white collar criminals. Those 80's protocols got them out
> > of numerous Jams.
> 
> "How do you make it play itself?"
> "Number of players: zero"
> "SIGSEGV: halting"
> "...ah"

Clearly leaving an unsecured console running when your code has a
zero-day exploit over not sanitizing inputs is also a risk.

Stephen


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Phil Mayers

On 07/04/16 13:06, Nick Cutting wrote:

> The whizzkids often used a connection to the super-unprotected LAN to
> get themselves out of a locked room while they were being held
> captive by white collar criminals. Those 80's protocols got them out
> of numerous Jams.


"How do you make it play itself?"
"Number of players: zero"
"SIGSEGV: halting"
"...ah"


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Nick Cutting
The whizzkids often used a connection to the super-unprotected LAN to get 
themselves out of a locked room while they were being held captive by white 
collar criminals.
Those 80's protocols got them out of numerous Jams.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: 07 April 2016 13:03
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

On 06/04/16 17:16, Sebastian Beutel wrote:

> What do you think: Is this a bug?

As others have said: IOS defaults are, largely, insane for 2016.

We have:

no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

...amongst other things in our standard IOS config.

It's one more tedious part of modern IT - reaping the "benefits" of 
compatibility with the very best the 1980s had to offer.

:o(


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Phil Mayers

On 06/04/16 17:16, Sebastian Beutel wrote:


> What do you think: Is this a bug?


As others have said: IOS defaults are, largely, insane for 2016.

We have:

no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

...amongst other things in our standard IOS config.

It's one more tedious part of modern IT - reaping the "benefits" of 
compatibility with the very best the 1980s had to offer.


:o(
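
An added example, not part of the original post or the poster's own tooling: a small Python check that reads a saved running-config and lists which of the default UDP forwards named in the config above are still active on a device with `ip helper-address` configured. The function name, report keys and sample config are constructed for illustration; it assumes a service is forwarded unless its `no` line is present, and it gives no credit for the bare `no ip forward-protocol udp` form.

```python
import re

# Keyword -> UDP port for services IOS relays by default once an interface has
# "ip helper-address" (the seven disabled above); bootps/bootpc left out on purpose.
DEFAULT_FORWARDED_UDP = {
    "tftp": 69, "nameserver": 42, "domain": 53, "time": 37,
    "netbios-ns": 137, "netbios-dgm": 138, "tacacs": 49,
}
_PORT_TO_NAME = {str(p): n for n, p in DEFAULT_FORWARDED_UDP.items()}
_NO_FWD = re.compile(r"no ip forward-protocol (nd|udp)(?:\s+(\S+))?\s*$")


def audit_forward_protocol(config_text):
    """Report legacy broadcast forwarding left enabled in an IOS config."""
    disabled, helpers = set(), []
    nd_disabled = bare_no_udp = False
    current_if = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current_if = raw.split()[1]
        elif raw[:1].isspace() and current_if:
            # Interface sub-command: record where a helper address is set.
            if raw.strip().startswith("ip helper-address ") and current_if not in helpers:
                helpers.append(current_if)
        else:
            current_if = None  # back at global configuration level
            m = _NO_FWD.match(raw)
            if not m:
                continue
            proto, arg = m.groups()
            if proto == "nd":
                nd_disabled = True
            elif arg is None:
                # Bare form: effect left open in the thread, so no credit (assumption).
                bare_no_udp = True
            else:
                disabled.add(_PORT_TO_NAME.get(arg, arg))
    remaining = [s for s in DEFAULT_FORWARDED_UDP if s not in disabled]
    return {
        "helper_interfaces": helpers,
        "still_forwarded": remaining,
        "nd_forwarding": not nd_disabled,  # assumes nd is on unless negated
        "bare_no_udp_seen": bare_no_udp,
        "exposed": bool(helpers) and bool(remaining),
    }


# Constructed sample config (not from the thread): partial hardening only.
SAMPLE = """\
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp 53
no ip forward-protocol udp netbios-ns
!
interface Vlan10
 ip helper-address 198.51.100.10
"""

if __name__ == "__main__":
    print(audit_forward_protocol(SAMPLE))
```
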


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Mark Tinka


On 7/Apr/16 13:36, Gert Doering wrote:

> Which really shouldn't be default nowadays, while "ipv6 unicast-routing"
> *should* be... :-)

IOS 22.5(SE6) :-).

If anyone remembers, when the ME3600X/3800X first launched in 2010, you
needed explicitly "ip routing" to enable IP/MPLS capability. 12.2(EY)
greatness!

Mark.




Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Gert Doering
Hi,

On Thu, Apr 07, 2016 at 01:31:23PM +0200, Mark Tinka wrote:
> > Be grateful we do not need to explicitly configure
> >
> > ip classless
> > ip subnet-zero
> 
> Or "ip routing" :-).

Which really shouldn't be default nowadays, while "ipv6 unicast-routing"
*should* be... :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025             g...@net.informatik.tu-muenchen.de



Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Mark Tinka


On 7/Apr/16 13:14, Patrick M. Hausen wrote:

> Be grateful we do not need to explicitly configure
>
>   ip classless
>   ip subnet-zero

Or "ip routing" :-).

Mark.


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Patrick M. Hausen
Hi, all,

> On 07.04.2016 at 13:03, Mattias Gyllenvarg wrote:
> 
> Yeah, this was discussed some time ago when they were planning on IOS 15
> and checked what we wanted here on the list.
> 
> I asked for a global "modern standards/defaults" but no go.
> Or legacy-default-off.
> Nothing fancy, just like the above. No proxy-arp etc etc, stuff left behind
> the last millennia.

Be grateful we do not need to explicitly configure

ip classless
ip subnet-zero

;-)
Patrick
-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   http://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285


Re: [c-nsp] what the heck is "ip forward-protocol nd" good for

2016-04-07 Thread Mattias Gyllenvarg
Yeah, this was discussed some time ago when they were planning on IOS 15
and checked what we wanted here on the list.

I asked for a global "modern standards/defaults" but no go.
Or legacy-default-off.
Nothing fancy, just like the above. No proxy-arp etc etc, stuff left behind
the last millennia.

On Wed, 6 Apr 2016 at 18:51, Saku Ytti wrote:

> On 6 April 2016 at 19:16, Sebastian Beutel
>  wrote:
>
> Hey,
>
> > So I asked wisdom of the search engines and found out, that there once
> > was a protocol with the name "sun-nd" and the ip protocol number 77, used in
> > Sun's diskless Sun 2 stations. The line "ip forward-protocol nd" seems to be
> > the equivalent for sun-nd what ip-helper is for dhcp. Could this be? A
> > workaround for a 30 year old proprietary legacy protocol is in the default
> > configuration of a modern router? This is what I found:
>
> Helper is for any number of protocols iterated by 'ip
> forward-protocol'. Usually as you say DHCP (BOOTP).
>
> Cisco (and other vendors) are in difficult position when it comes to
> default settings. You ship with some config, and no matter how crazy
> they are, changing them will break something from someone.
>
> I think one solution to this would be to support multiple
> standard/default settings, and your config would have line about which
> standard you are using. If there is nothing, it's using the latest
> available in that image. This way people could choose when they adopt
> more modern standards and as vendors and customers learn how things
> should be configured, it would be lower barrier to introduce new
> standard.
> Basically this standard release would be just be config over which
> user config is merged on, likely very simple concept for ios-xr,
> junos, but perhaps not so simple for classic ios.
> --
>   ++ytti


Re: [c-nsp] Output Drops Due to QoS and threshold size

2016-04-07 Thread Saku Ytti
On 7 April 2016 at 07:26, Victor Sudakov wrote:
> If Thres1 in Q1 is set to 1000%, this would mean 500 buffers. Where
> are the 500-200=300 additional buffers borrowed? From the common pool?


From the document

---
Anything over 100% means the tx queue can use common buffers to queue
packets.  The default value for this field is 400%.
---

I've not worked with small cats in several years and I'm not ready to
refresh my memory on them, as I don't expect needing to work on their
QoS in future, sorry.

-- 
  ++ytti


Re: [c-nsp] blackholed traffic on ether-channel

2016-04-07 Thread Mark Tinka


On 7/Apr/16 10:14, Holemans Wim wrote:

>
> As a solution the page points to 3 new software releases :
> Known Fixed Releases: (3)
> 15.2(1)SY1.118
> 15.3(1)IE101.312
> 15.4(1)IA1.22
> Of these 3 releases none is available for download ? There is even no
> 15.3 or 15.4 train available in the download software page...

Cisco normally publish future releases as being fixed before the
releases become physically available. It is just a commitment from the
BU to say in which release a bug is going to get fixed. When the release
actually becomes available is orthogonal to the bug details.

> Anyone has an idea where I can find a software release in which this problem 
> is fixed so I can install this before activating these switches on our 
> network ?

We started using this platform back in 2014.

We are using the code that was the only one available back then -
15.1(2)SY2 - without any issue.

We were actually just about to start a round of upgrades to the latest
stable release, but after seeing this thread, best to wait.

In all fairness, we are running the switches as pure Layer 2 core
devices, but with lots of 10Gbps LACP links. No issues with that since 2014.

If you don't have any features that require anything beyond 15.1(2)SY2,
I'd suggest trying this if there aren't any defects in it worth noting
for your environment.

Mark.


Re: [c-nsp] blackholed traffic on ether-channel

2016-04-07 Thread Holemans Wim
Just bought several C6880-X to replace some 6500 with Sup32. They will have a 
lot of LACP channels...
Tried to search for the bug numbers mentioned below, the first one came back as 
not cisco inside only, the second one comes with an information page with the 
title :
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy25743
C6880-X-LE: Contiguous 4 10G ports goes down and cannot be brought up

As a solution the page points to 3 new software releases :
Known Fixed Releases:   (3)
15.2(1)SY1.118
15.3(1)IE101.312
15.4(1)IA1.22
Of these 3 releases none is available for download ? There is even no 15.3
or 15.4 train available in the download software page...
Anyone has an idea where I can find a software release in which this problem is 
fixed so I can install this before activating these switches on our network ?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron DuShey
Sent: Wednesday 6 April 2016 20:40
To: selamat pagi
CC: cisco-nsp
Subject: Re: [c-nsp] blackholed traffic on ether-channel

Sorry for the earlier misfire.

On Wed, Apr 6, 2016 at 10:55 AM, selamat pagi wrote:

> Setup:
> 4 port LACP channel, C6880 <->  Nexus 7k
>
> Recently we had the issue that most (not all) traffic was black-holed 
> on a C6880.
> No interface counters, nor the port-channel status, nor an NMS pointed 
> to any abnormal behavior.
>
> Finally, the problem was resolved by shutting down a specific  
> interface on C6880.
> It seems that one defect port affected the function of the entire 
> port-channel !!
>

FWIW We recently ran into a somewhat similar port-channel issue on 6880 
15.2(1)SY1a. BU told us symptoms were possibly related to CSCuw08272/CSCuy25743.
That issue is slated to be fixed in 15.2(1)SY2.
-Aaron