Re: [c-nsp] ARP on ASR9k 4.3.2
On Thu, Jan 16, 2014 at 2:35 AM, Florian Lohoff <f...@zz.de> wrote:
> Hi,
> we made some upgrade from 4.1.1 to 4.3.2 tonight and discovered new and
> strange ARP behaviour. The ASR9k seems to store arbitrary ARP responses
> in its MAC Address table.

We ran into similar trouble when swapping out our router for an ASR9k running 4.2.3. Cisco scrambled a SMU for that release (sorta). From their information it is not entirely arbitrary. Any IP that is routed down that link can have an ARP stored. Our trouble became a bit worse when we removed the route and the ARP was still present; the router was then black-holing traffic by trying to send it via the stale ARP.

> I know Linux has some bad behaviour concerning ARP (default proxy ARP etc.)
> but still I wouldn't expect a decent networking device polluting its ARP
> table with entries for IP addresses not directly connected or, better, not
> reachable in any directly connected IP segment.

We thought so too. We opened a case - Cisco DDTS CSCty06696 was the result. Cisco did not agree that this was faulty behavior: they insisted that it was correct. The DDTS and SMU are for an option to disable the ability to learn out-of-subnet ARPs. Under the interface you can configure arp learning local to block out-of-subnet ARPs.

> PS: I made some sysctl tweaks on the Linux machine to behave a little more
> nicely but still I see a bug here.

We did the same while waiting for the SMU. The SMU should not be needed for 4.3.2 - the arp learning local interface command should be built-in, so hopefully you are good to go.

Our biggest concern over this incident was receiving malicious ARPs on transit and peering links that have routes to large swaths of the network. If the route goes away, the ARP will be retained for long periods and the router will black-hole traffic until that clears. Cisco PSIRT evaluated the concern but evaluated it as a fairly concern.

> --
> Florian Lohoff <f...@zz.de>

Best Regards,
Andrew Koch

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ARP on ASR9k 4.3.2
Hi,

On Thu, Jan 16, 2014 at 06:32:04PM +0100, Florian Lohoff wrote:
>> We did the same while waiting for the SMU. The SMU should not be needed
>> for 4.3.2 - the arp learning local interface command should be built-in,
>> so hopefully you are good to go.
>
> RP/0/RSP0/CPU0:cr2(config-subif)#arp learning ?
>   disable  Disable dynamic learning of ARP entries
> RP/0/RSP0/CPU0:cr2(config-subif)#arp learning local
>                                               ^
> % Invalid input detected at '^' marker.
>
> Not in 4.3.2

Bah - 4.3.4 has the fix incorporated.

On Thu, Jan 16, 2014 at 11:50 AM, Gert Doering <g...@greenie.muc.de> wrote:
> *ROFL* - Sending out gratuitous ARP on a peering exchange LAN can blackhole
> traffic for others - IMHO that's an easy DoS vector - how could that be
> fairly?
>
> fairly effective... fairly nasty... dunno.

fairly minor - I dropped a word on my initial response. However, I would agree with your second choice.

Andrew
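The operational risk in this thread is an ARP entry that sits outside the interface's connected subnet and keeps black-holing traffic after the route that allowed it has gone. One way to find such entries from the router's own output is the following audit, an added example written for this page rather than code from the thread or from Cisco. It parses a constructed dump in the shape of an IOS-XR "show arp" table (the column order Address / Age / Hardware Addr / State / Type / Interface is an assumption) against a constructed per-interface subnet map, and reports every Dynamic entry whose address does not belong to the connected subnet of the interface it was learned on.

```python
"""Audit an ARP table for entries learned outside the interface's connected subnet.

Added example for this page; not from the cisco-nsp thread or from Cisco.
Interface addressing and the ARP rows are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: connected prefix per interface, as a defender would pull it
# from the running configuration or "show ipv4 interface brief".
INTERFACE_SUBNETS: Dict[str, str] = {
    "TenGigE0/0/0/1": "192.0.2.0/30",         # transit link
    "TenGigE0/0/0/2.100": "198.51.100.0/24",  # exchange LAN
}

# Constructed sample in the assumed "show arp" column layout:
# Address / Age / Hardware Addr / State / Type / Interface.
SAMPLE_SHOW_ARP = """\
Address         Age        Hardware Addr   State      Type  Interface
192.0.2.1       -          0a0b.0c0d.0e01  Interface  ARPA  TenGigE0/0/0/1
192.0.2.2       00:05:11   0a0b.0c0d.0e02  Dynamic    ARPA  TenGigE0/0/0/1
203.0.113.77    00:00:43   0a0b.0c0d.0e99  Dynamic    ARPA  TenGigE0/0/0/1
198.51.100.1    -          0a0b.0c0d.0e10  Interface  ARPA  TenGigE0/0/0/2.100
198.51.100.25   01:12:09   0a0b.0c0d.0e25  Dynamic    ARPA  TenGigE0/0/0/2.100
10.0.0.5        00:02:30   0a0b.0c0d.0e55  Dynamic    ARPA  TenGigE0/0/0/2.100
"""


def parse_show_arp(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, mac, state, interface) for every data row of the dump."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or truncated line
        ip, _age, mac, state, _type, iface = parts[:6]
        rows.append((ip, mac, state, iface))
    return rows


def out_of_subnet_entries(arp_text: str, subnets: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Dynamic ARP entries whose address lies outside the interface's connected subnet.

    Returns (interface, ip, mac) triples in table order. Interface addresses and
    static entries are skipped: they were not learned from the wire.
    """
    suspicious = []
    for ip, mac, state, iface in parse_show_arp(arp_text):
        if state != "Dynamic":
            continue
        prefix = subnets.get(iface)
        if prefix is None:
            continue  # no addressing known for this interface; cannot judge
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(prefix):
            suspicious.append((iface, ip, mac))
    return suspicious


if __name__ == "__main__":
    for iface, ip, mac in out_of_subnet_entries(SAMPLE_SHOW_ARP, INTERFACE_SUBNETS):
        print(f"{iface}: {ip} ({mac}) is outside the connected subnet")
```

On a platform that still learns out-of-subnet ARPs, any hit is worth cross-checking against the routing table: an entry with no matching route is exactly the stale case described above, and an entry with a route behind a transit or exchange interface shows how far a single answered ARP can reach.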
Re: [c-nsp] IPv6 best practices
On Thu, Feb 7, 2013 at 2:41 AM, Charles Sprickman <sp...@bway.net> wrote:
> As definitive a set of guidelines as is possible at this (early?) point
> regarding subnet sizes for business customers, residential customers, PoPs

Charles,

One reference you should check out is the community effort on IP Best Current Operational Practices - especially the ratified BCOP on IPv6 Subnetting.
http://www.ipbcop.org/ratified-bcops/bcop-ipv6-subnetting/

It is my understanding that this will be moving to a NANOG-led effort in the future. Details were shared during NANOG this week in regards to the BCOP changes.

You may also want to check the archives of the ipv6-ops mailing list for other data - http://lists.cluenet.de/mailman/listinfo/ipv6-ops

Best,
Andrew Koch
Re: [c-nsp] CRS-8-DC-KIT-M
On Tue, Jan 22, 2013 at 12:21 PM, Antonio Soares <amsoa...@netcabo.pt> wrote:
> Hello group,
>
> I need to install the CRS-8-DC-KIT-M on a few CRS-8. Basically this means
> the change from the Fixed Configuration Power System to the Modular Power
> System. I'm not able to find anywhere the kit installation guide. I wonder
> if it really exists. I have queried the local SE and he was not able to
> help me. Does anyone have experience with this?
>
> Here I have the description of each Power System:
> http://www.cisco.com/en/US/docs/routers/crs/crs1/8_slot/system/description/hq6345_2.html
>
> But no details about moving from one to the other.

The install guide has good information on removal and installation of both power systems:
http://www.cisco.com/en/US/docs/routers/crs/crs1/8_slot/installation/guide/hqlcch2.html#wp1193161

Andy
Re: [c-nsp] ios xr upgrade from 4.1.2 to 4.3.0
On Fri, Jan 11, 2013 at 9:03 AM, Aaron <aar...@gvtc.com> wrote:
> Is it ok to do that?

I have found the Cisco IOS-XR upgrade guides to be quite well worth the read through. They cover the required packages, caveats, supported release migrations and a number of verifications to be completed pre- and post-install.
http://www.cisco.com/web/Cisco_IOS_XR_Software/index.html

HTH,
Andy
Re: [c-nsp] Upgrade IOS and incompatible config
On Mon, Dec 3, 2012 at 9:37 PM, Pete Lumbis <alum...@gmail.com> wrote:
> My guess is that those commands aren't supported in the T train and are
> only supported in the SR train. You should look into running 12.2.33.SRE
> or 15.S code, which is the logical progression from the SRD train.
>
> On Mon, Dec 3, 2012 at 9:08 PM, Mike <mike-cisconspl...@tiedyenetworks.com> wrote:
>> version recommended to me by the tac engineer was
>> c7200p-advipservicesk9-mz.124-24.T7.bin.

That is an odd recommendation - the 12.4(24)T train went end-of-rebuilds last month. I don't know why Cisco would make such a recommendation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/eol_c51-632350.html

The recommendation from Pete for the SRE or 15.S trains makes much better sense.

Andy
Re: [c-nsp] %ETHC-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
On Fri, Sep 7, 2012 at 7:14 PM, John Elliot <johnellio...@hotmail.com> wrote:
> The carrier has acknowledged that they see the following on one of their
> switches when the outages occur:
>
> 2012 Sep 07 00:53:04 UTC +00:00 %ETHC-5-PORTFROMSTP:Port 2/6 left bridge port 2/6
> 2012 Sep 07 00:53:23 UTC +00:00 %ETHC-5-PORTTOSTP:Port 2/6 joined bridge port 2/6

Ouch, I wouldn't admit that I have switches reporting those messages still facing a customer. The messages you show are from a device running CatOS. CatOS went End-of-software-updates in 2009. There may still be support available for another few months.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd80699e1a.html

> Just wanted some clarification on the log detail above - I believe it
> indicates that port 2/6 lost physical connectivity, then connectivity was
> re-established ~20 seconds later? (And that port 2/6 is part of an
> etherchannel?)

No etherchannel involved. Just reporting that a port stopped forwarding in that bridge domain (went down), then came back up. Nothing here to indicate one way or another that you have CE troubles.

HTH,
Andy
Re: [c-nsp] SFP high power alarm
On Tue, Aug 21, 2012 at 5:13 AM, marc williams <mar...@me.com> wrote:
> 10 GIG cisco compatible SFP in a 3750-X switch. We started to see this
> error message after a fibre break and repair:
>
> %SFF8472-5-THRESHOLD_VIOLATION: Te4/1/2: Tx power high alarm; Operating value: 0.6 dBm, Threshold value: 0.0 dBm
>
> Can't see how the TX power can go high? Any ideas? Interface is up and
> working ok.

The transceiver may be reporting reflected signal. Any splice will have some reflection; a poor splice may cause high reflected power back into the transmitter and potentially cause damage. This is also true for connectors - they will cause reflection of the signal. This is why APC (angle polished connectors) are used in high-power environments.

You will want to check your fibers for reflection. An OTDR read-out from before and after the splice event would be optimal.

HTH,
Andy
Re: [c-nsp] IOS-XR LC attribute database errors
On Thu, Aug 16, 2012 at 3:37 PM, Oliver Boehmer (oboehmer) <oboeh...@cisco.com> wrote:
>> I am seeing these entries in my logs every few minutes. I have done
>> searches and found only reference to them where it says to copy the error
>> and send it to Cisco. Has someone seen these before and if so, what needs
>> to be done to resolve the issue?
>>
>> LC/0/1/CPU0:Aug 16 09:03:22 PDT: fib_mgr[154]: %ROUTING-FIB-4-LCL_ATTRIB_ENTER_OOR : Proto:ipv4, VRF:default, Local attribute index database max(65536) reached. OOR state:red
>> LC/0/1/CPU0:Aug 16 09:03:22 PDT: fib_mgr[154]: %ROUTING-FIB-6-LCL_ATTRIB_EXIT_OOR : Proto:ipv4, VRF:default, Local attribute index database OOR state: green.OOR local attribute count:5
>
> You are running out of resources (OOR) on the BGP attribute table in the
> FIB, likely due to bgp attribute-download enabled; the router can't store
> more than 65536 different entries.
>
> Which platform is this on? XR12000?
>
> oli

We saw a similar message in our CRS1 routers in IOS-XR 3.9.2. It was attributed to CSCrf80648, which confirms the limitation for BGP attributes at 65k entries. The limit is increased in IOS-XR 4.0.0 for the CRS1 to 256k entries. Possibly oli can confirm if there is a similar enhancement for the 12k.

If there is not an enhancement, it is a hard limit and you are limited in the options - either ignore and have some missing attributes, or disable attribute download entirely.

If you choose to ignore, you may want to check out Logging Suppression Rules - these are for the CRS, but I assume the command syntax is the same on 12k.
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r3.9/system_monitoring/configuration/guide/oc39alrm.html#wp1344914
and
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r3.9/system_monitoring/configuration/guide/oc39alrm.html#wp134498

HTH,
Andy
Re: [c-nsp] how can i use all 3 of these routes for load sharring?
On Wed, Jul 25, 2012 at 10:34 AM, Aaron <aar...@gvtc.com> wrote:
> Any idea why I see 3 default routes in bgp but only 2 get put into rib?
> How would I get all 3 of these into rib?

Aaron,

You will want to review this BGP best-path selection algorithm:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml

Take particular note of the point at which the algorithm no longer applies when multi-path is used (step 8 and beyond).

I snipped the relevant bits from each route here - notice that you have different Metric (MED) and different Origin on the first two compared to the third. As these are used by the algorithm before step 8, they do affect your multi-path selection, and thus the third route is not used as part of your multi-path.

RP/0/RSP0/CPU0:9k#sh bgp vrf one 0.0.0.0
  10.101.0.1 (metric 3) from 10.101.0.1 (10.101.0.1)
    Origin incomplete, metric 1, localpref 100, valid, internal, multipath, import-candidate, imported
  10.101.0.2 (metric 2) from 10.101.0.2 (10.101.0.2)
    Origin incomplete, metric 1, localpref 100, valid, internal, best, group-best, multipath, import-candidate, imported
  2.4.6.45 from 2.4.6.45 (1.3.9.173)
    Origin IGP, localpref 100, valid, external, group-best

HTH,
Andy
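The rule Andy points at is that every attribute the best-path algorithm compares before the multipath step must tie, or the path is excluded. The following is an added example written for this page, not code from the thread or from Cisco's implementation: a simplified model of those earlier steps (weight, local preference, AS-path length, origin, MED) that returns the multipath candidate set for a list of paths. The three paths are built from the snipped output above; since the output does not show AS paths, the example assumes the two imported default routes carry an empty AS path and the eBGP path carries one AS, and it compares MED across all paths as with bgp always-compare-med.

```python
"""Simplified BGP multipath eligibility: which paths tie on every attribute
checked before the multipath step of the best-path algorithm.

Added example for this page; not from the thread and not Cisco's algorithm.
Assumptions: AS-path lengths are constructed (not shown in the output), MED is
compared across all paths, and conditions such as same neighbor AS or
eBGP-versus-iBGP mixing are left out.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Lower origin code is preferred: IGP (i) < EGP (e) < incomplete (?).
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "incomplete": 2}


@dataclass(frozen=True)
class Path:
    next_hop: str
    origin: str
    med: int          # "metric" in show bgp; 0 when the path carries none
    localpref: int
    as_path_len: int
    weight: int = 0   # Cisco-local attribute, checked first


def comparison_key(p: Path) -> Tuple[int, int, int, int, int]:
    """Attributes in the order the algorithm checks them before multipath.

    Each term is arranged so that the smaller tuple is the preferred path:
    higher weight and local preference win, so they are negated; shorter
    AS path, lower origin rank and lower MED win as-is.
    """
    return (-p.weight, -p.localpref, p.as_path_len, ORIGIN_RANK[p.origin], p.med)


def multipath_candidates(paths: List[Path]) -> List[Path]:
    """Paths that tie with the best path on every pre-multipath attribute.

    A path that differs in any one of them (a different MED or Origin, as in
    the thread) is ranked below the best path and never reaches multipath.
    """
    if not paths:
        return []
    best_key = min(comparison_key(p) for p in paths)
    return [p for p in paths if comparison_key(p) == best_key]


# Constructed from the show bgp output in the thread: two imported iBGP paths
# with Origin incomplete and metric 1, one eBGP path with Origin IGP and no MED.
# AS-path lengths are assumed (not visible in the snipped output).
PATHS = [
    Path("10.101.0.1", "incomplete", med=1, localpref=100, as_path_len=0),
    Path("10.101.0.2", "incomplete", med=1, localpref=100, as_path_len=0),
    Path("2.4.6.45", "IGP", med=0, localpref=100, as_path_len=1),
]


def multipath_next_hops(paths: List[Path] = PATHS) -> List[str]:
    """Convenience wrapper: next hops of the multipath candidate set."""
    return [p.next_hop for p in multipath_candidates(paths)]


if __name__ == "__main__":
    print("multipath:", multipath_next_hops())
```

The real implementation adds conditions this model omits: by default all multipath members must come from the same neighbor AS unless as-path multipath-relax is configured, and mixing eBGP and iBGP paths needs eiBGP multipath. The value of the model is the check it makes explicit: compare the attributes of the excluded path to the best path, one by one in algorithm order, and the first difference is the reason.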
Re: [c-nsp] default-information IPv6 IOS-XR
On Wed, Apr 25, 2012 at 22:03, henrry huaman <henry.hua...@yahoo.es> wrote:
> Hi guys,
>
> Please could help us, we need to send default route in IPv6 (IOS-XR).

Hi Henry,

I am guessing that you want to send a default route to a BGP peer. In this case, your syntax below will not work out. You are instead looking for default-originate under the address family under the particular neighbor.

router bgp 65404
 neighbor 2001:db8::1
  address-family ipv6 unicast
   default-originate

> And we have only this command in bgp process
>
> default-information originate.

This is used to import a default-route into the BGP process with the redistribute command. Typically when you redistribute from another protocol 0.0.0.0/0 and ::/0 are ignored. This changes that default behavior.

HTH,
Andy
Re: [c-nsp] UDLD misbehaviour
On Wed, Jul 13, 2011 at 16:15, Leonardo Gama Souza <leonardo.so...@nec.com.br> wrote:
> Hello my friends,
>
> I had some problems on an optical fibre between two 6509 switches and UDLD
> kicked in to avoid STP loops, but when the switch tried to recover from
> the error-disable state, the link went up, even with optical fibre
> problems. This misbehaviour caused a major outage in the network. I
> couldn't find any known bug for the current IOS version 12.2(33)SXI3. I
> worked around the issue keeping the interface in a shutdown state until I
> resolved the cabling issue. Can someone shed some light on the solution?

It looks like UDLD did its job just fine. The trouble is the configuration of errdisable recovery. By default, the switch will not recover any errdisabled port. This causes the port to stay disabled until resolution of the underlying problem, allowing an engineer to resolve before executing a manual bounce of the port.

show errdisable recovery

will show your current settings. The defaults are all to be disabled and a timer of 300 seconds.

Andy
Re: [c-nsp] switch port shutdown and no shutdown- what exactly happens?
On Thu, Jun 2, 2011 at 06:07, Martin T <m4rtn...@gmail.com> wrote:
> Hi,
> rather stupid subject, but the thing is, that I have one Cisco WS-C2950-24
> switch, which has one Motorola radio device connected to one of
> fast-ethernet ports:
>
> WS-C2950-24[Fa0/1] - [eth]Motorola_radio_device
>
> Problem is, that about once every 24h this connection stops forwarding
> traffic. I have changed the fast-ethernet ports in WS-C2950-24 switch and
> even replaced the switch with a new one, I have replaced the
> Motorola_radio_device, there are no interface flaps and errors on switch
> port, nothing interesting in the Motorola_radio_device log file. Both
> devices are behind the proper UPS. Once the traffic between those two
> devices stops, simple shutdown and no shutdown to the switch port helps.
> Cat5e cable between the devices is 75 m (246 feet) long. One might suspect
> the cable/connectors, but on the other hand there really are no errors on
> the switch port.
>
> What might cause the issue where reinitialization of the Ethernet port
> reallows traffic forwarding? Might there be a possibility to reproduce
> such situation in the lab?

Hi Martin,

You mention this Motorola device is a radio. Is this a receiver only, or a transmitter also? Is it putting out a signal of considerable strength? I have seen all sorts of odd troubles when RFI gets induced into a device that is not intended to receive it, including completely seizing up.

Assuming this is a transceiver, I wonder if you have proper grounding of the radio so that it puts its RF to ground rather than to that nice cable you strung for your ethernet connectivity. Also, have you isolated the radio from the switch - used fiber or an isolator block?

This only happens on the 24th? Is the radio setup to do something on that day, such as a pre-scheduled test?

Being that the cable is 75 m, it may also be acting as an antenna. Again, changing this to a fiber connection would eliminate this potential pickup of noise. Using a properly terminated shielded cable may also be a choice. If neither of these are feasible, you could run the ethernet cabling through a ferrite core at each end that would prevent some noise from entering the switch and radio.

As far as the specifics in the switch during a shut/no shut, I am not certain. However, if the radio is inducing bits to flip in registers or overloading the ethernet port receiver, resetting the port may refire the receiver correctly.

HTH,
Andy Koch
KC9GXN
Re: [c-nsp] debug to see what IP is trying to log in via telnet
On Wed, Feb 23, 2011 at 14:21, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> Hi,
>
> Wouldn't the IP of the host it speaks of be in the logs? Or does it just
> say failed log in from somewhere out on the network...? My logs have a
> src...
>
> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) - 10.142.7.1(23), 1 packet
>
> The device is on a legit bit of network so will be allowed by the current
> VTY/management plane ACLs ... AAA system sees query from the switch not
> from the originator of the login. It's trivial I know that (which is the
> frustrating part! :-) )

You can log the successful ACL attempts too, even though the login failed. This is provided the box is not too overly active with valid login attempts.

! standard ACL matching any source; every match on the VTY access-class is logged
access-list 80 permit any log
line vty 0 4
 access-class 80 in

Then you get a log like so, indicating the ACL was passed, not necessarily that a login was completed:

Aug 14 09:34:45.082 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted x.x.x.x 2 packets

HTH,
Andy
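Once the access-class ACL logs its matches, the remaining work is pulling the source addresses out of the syslog stream. The following is an added example written for this page, not from the thread: it parses the two message formats seen above, %SEC-6-IPACCESSLOGS from a standard ACL and %SEC-6-IPACCESSLOGP from an extended ACL, and tallies permitted and denied packets per source so that the hosts reaching the VTY line stand out. The log lines it runs on are constructed sample data using documentation addresses.

```python
"""Tally IOS access-list log messages by source address.

Added example for this page, not from the cisco-nsp thread. Parses the
%SEC-6-IPACCESSLOGS (standard ACL) and %SEC-6-IPACCESSLOGP (extended ACL)
message formats; the sample log below is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Standard ACL: "list 80 permitted 192.0.2.10 2 packets"
_STD = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?"
)
# Extended ACL: "list 110 denied tcp 203.0.113.5(3900) -> 10.142.7.1(23), 1 packet"
# The arrow is accepted as "->" or as a bare "-" (as it appears in the quoted post).
_EXT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) (?:->|-) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog excerpt (documentation addresses).
SAMPLE_LOG = """\
Aug 14 09:34:45.082 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted 192.0.2.10 2 packets
Aug 14 09:35:02.117 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted 192.0.2.10 1 packet
Aug 14 09:36:10.004 CDT: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.5(3900) -> 10.142.7.1(23), 1 packet
Aug 14 09:36:58.339 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted 198.51.100.7 1 packet
Aug 14 09:37:00.000 CDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def tally_acl_log(text: str) -> Dict[Tuple[str, str], int]:
    """Map (source IP, action) to the total packet count reported for it."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in text.splitlines():
        m = _STD.search(line) or _EXT.search(line)
        if m is None:
            continue  # some other syslog message
        totals[(m["src"], m["action"])] += int(m["count"])
    return dict(totals)


def sources_permitted(text: str) -> List[Tuple[str, int]]:
    """Sources whose packets passed the ACL, most packets first.

    A permitted entry only shows the ACL was passed; whether the login
    itself succeeded has to come from the AAA or login logs.
    """
    hits = [(src, n) for (src, action), n in tally_acl_log(text).items() if action == "permitted"]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in sources_permitted(SAMPLE_LOG):
        print(f"{src}: {n} packet(s) passed the VTY access-class")
```

Note that IOS summarises access-list hits into a single message with a packet count rather than logging every packet, so the counts are aggregates, and that a permitted entry records the ACL match only, exactly the caveat Andy gives above.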
Re: [c-nsp] Outbound Load balancing using eBGP
On Wed, Dec 22, 2010 at 16:33, RAZ MUHAMMAD <raz.muham...@gmail.com> wrote:
> Unfortunately the vendor does not support multipath or anything similar on
> their platform.

As you asked on a Cisco list, you got a response on what can be done with Cisco equipment - use multipath. You might try asking the vendor if they have any tricks. Otherwise, you should try looking for a user group mailing list for whatever vendor that may be (it would be quite a bit more helpful to identify what equipment you are using). There are Alcatel, Extreme, Foundry, Force10, HP, Huawei and Juniper mailing lists hosted on puck @ http://puck.nether.net/mailman/listinfo/

Possibly they can be of use, being that the users of whatever type of equipment you are using are in the same boat.

Good Luck,
Andrew Koch
Re: [c-nsp] ME Series for a LAN/Server Farm
On Wed, Dec 8, 2010 at 16:50, Edward Salonia <e...@edgeoc.net> wrote:
> One thing to watch for is that there is no local switching among UNI
> ports. You could either set your port type to NNI or you could set the
> vlan as a community vlan to enable local switching.

Double check the specs on these. If I am remembering correctly, there is a limit on some ME switches to the number of NNI ports you can enable. (I believe it was 4).

Also be aware of the power supplies being fixed. As in, you cannot swap an AC for a DC, nor are they field replaceable.

Andy Koch
Re: [c-nsp] TACACS emergency password management
On Tue, Nov 2, 2010 at 03:35, Mark Tinka <mti...@globaltransit.net> wrote:
> I've always wondered why (maybe it's supported and I just haven't figured
> out how) RANCID updates don't include the username of the person that made
> the changes which caused the updates in the first place in Cisco, like
> Juniper does.

I don't use RANCID, but I suspect that it is using SNMP WriteNet to effect its changes. This is an SNMP set command that contains the IP address of a TFTP server and a string of the filename to import into the running configuration. As IOS has no user associated with the SNMP daemon, when updates are made via this method, no username is shown as the last change. However, typically, the log will show a SNMP WriteNet request was processed.

> I write/understand code for sh**, so I'm not sure whether this is a
> limitation in IOS(-**) or RANCID. But having this for Juniper helps a
> great deal, as it's much easier to tell who made the last change(s).

Yes, it would be nice to see who changed the configuration, but the SNMP WriteNet doesn't have a user to go with.

Regards,
Andy Koch