Re: [c-nsp] Upgrading to 40G
Mikael Abrahamsson swm...@swm.pp.se writes:

> When 40GE and 100GE were standardized it was taken for granted that 40GE would be used to connect servers and perhaps a little inter-building backhaul; because of that only up to 10km was standardized.

Just in case any vendors read this list: There is a market for 40km 40G optics! Even non-standard.

/Benny

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Transparent WAN Encryption
Ian Henderson i...@ianh.net.au writes:

> What about MacSec? Works between 3560X/4500/4500X/Sup2T/etc for wire rate L2 encryption.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/swmacsec.html#wp1334072 says:

Does that actually work over WAN links that are not just plain optical paths? I have been wondering if you can get MacSec to work over EoMPLS. VPLS seems unlikely, as MacSec seems to be point-to-point.

/Benny
Re: [c-nsp] MPLS down to the CPE
Adam Vitkovsky adam.vitkov...@swan.sk writes:

> How plausible is it that a customer will replace your device with theirs without you noticing it + they crack all the passwords so they can run ISIS, LDP and BGP sessions with you.

They don't need to do that. Just put a switch between the CE and the upstream. Then inject MPLS packets from a different port on the switch.

Maybe one day we will get either strict MPLS label checks or L2 encryption and authentication. At that point the only attacks are to the CE itself. I am not holding my breath.

/Benny
Re: [c-nsp] 802.1Q-in-Q VLAN Tag Termination on 7600/6500 OSN modules
Davide Ambrosi davide.ambr...@trivenet.it writes:

> I see that 7600 catalyst modules don't support QinQ VLAN termination (the command encapsulation dot1q outer-vlan second-dot1q inner-vlan) because they are LAN modules.

The only cheap way to do what you want is to use some other box to either do VLAN translation or place the traffic into EoMPLS tunnels. I am not actually sure whether the 7600 will do routed EoMPLS with LAN cards; I have only tried that with a SIP-600.

ES+ will obviously do what you want as you mention, and ASR1k and ASR9k can do the same.

/Benny
Re: [c-nsp] stp on me3600 on efp's with locally connected older switch
Nick Hilliard n...@foobar.org writes:

> there's no 128 vlan limit - it's a spanning tree topology limit of 128 instances for pvrst. If you need more than 128 different topologies in your network, your network would probably benefit from a redesign. And if you want to use all 4094 vlans on your 3560, there's no problem doing so.

Does that actually help? Does a 3560 merge multiple VLANs into a single topology if they happen to use the same ports everywhere?

When I first hit the 128 VLAN limit on a 3560G I was a bit shocked and decided to go with Q-in-Q to get around it. Then I hit the buffer limits and switched away from Cisco.

/Benny
Re: [c-nsp] Router for wholesale DSL aggregation over L2TP
Scott Lambert lamb...@lambertfam.org writes:

> It turns out that the telco is going to give the DSL to us via QinQ rather than L2TP as I had assumed. I've been reading up on that and it doesn't look too bad. I have not figured out the shaping of the individual client connections, yet. Some more reading will likely fill in the gap between ubr and whatever is needed with PPPoE over QinQ.

Do you need PPPoE at all? You can probably identify the client by the combination of VLANs alone.

/Benny
Re: [c-nsp] cisco interface shutdown detection, how is possible?
h bagade baga...@gmail.com writes:

> I've also tested the Cisco router connection on different systems with different OSes. On Win systems, when I disable the Ethernet card, the router detects it at the time, but on FreeBSD systems, when I set the interface down, the router shows Line Protocol as up!

Be careful not to be fooled by IPMI either. If IPMI is configured, the link may stay up even though the OS believes it is down. Indeed, the link may stay up even though the server is off (though of course it dies if the server loses power). Some servers are shipped factory-default with IPMI enabled on the regular ethernet interfaces.

/Benny
Re: [c-nsp] Site to site vpn Cisco Router to Fortinet
Joe Freeman j...@netbyjoe.com writes:

> Now I'm having trouble getting traffic across it. I've got a policy in the FG that allows any/any between the internal interface and the tunnel (both ways). Traffic counters aren't incrementing on either policy. I've also checked my static routes that send traffic to the tunnel on both sides.

Since it is a 0.0.0.0/0 tunnel for both src and dst, a plain ping from the Fortigate should at least go through the tunnel.

Personally I would try 'diagnose sniffer packet tunnelinterface' on the Fortigate while at the same time doing 'execute ping something' that hits the static route. If that does not show any traffic, the problem has to involve routing somehow.

/Benny
Re: [c-nsp] IPv6 PE-CE
Saku Ytti s...@ytti.fi writes:

> Out of curiosity. Why are people choosing to run IGP in network borders? Link-state is complex, expensive and poorly manageable (in terms of filters/policies/route-map)

Do you need filters/policies/route-maps in a VRF? If a customer messes up, they only take out their own VRF. OSPF in a VRF can be pretty much hands-off. You do not even need to configure neighbors. The only problem is if your customer sends you a million routes.

It would be great if someone came up with a zero-configuration solution for BGP. I have seriously considered switching our default PE-CE routing protocol to eBGP, but it ends up quite complicated.

OSPF may be expensive in theory, but in practice it performs well.

/Benny
Re: [c-nsp] IPv6 PE-CE
Saku Ytti s...@ytti.fi writes:

> It shouldn't be argued this direction, BGP needs no justification, IGP does.

Fair enough.

> We did this a decade ago, no one has looked back. Configuring BGP in certain platforms can be 0 touch on PE. Like if you use 'allow CIDR' in JunOS or 'bgp listen range CDIR peer-group X' in JunOS you don't even need to touch PE when adding CE.

I suppose I could dynamically generate a neighbor allow when a new interface is provisioned on the PE. You still need to touch the CE though, whereas with OSPF you basically just need to enable it on the interface.

You must be using the interface addresses for the BGP peering endpoints, since you would need an IGP to reach any loopbacks, and we are trying to avoid running an IGP? I cannot get away with using the same BGP neighbor address for all CE's.

> In JunOS you can further reduce config cruft by using apply-group to fill in all stuff like import/export maps, asn, as-override etc, so those would only appear in a single place.

Nice.

>> OSPF may be expensive in theory, but in practice it performs well.
>
> RIP is the real scale beast :) If you truly need to run thousands of sessions. I know someone doing RIP to the server at TOR, where RIP was the only scalable solution.

It is indeed, I have considered that too.

/Benny
Re: [c-nsp] IPv6 PE-CE
Saku Ytti s...@ytti.fi writes:

> I guess a vendor could implement this by allowing the DHCP default-gw to be configured as BGP peer. Now you just need to be buying devices for half a million USD to get PERS/ER done :)

That is an absolutely brilliant idea actually! Scripting should handle that, no problem.

/Benny
Re: [c-nsp] ASR9000/RSP440 Console Issue
Saku Ytti s...@ytti.fi writes:

> On CMP you can upload images, on on-band RS232 you cannot (most don't even support it anymore, and even those which do, it's not practical, as it takes less time to go on-site, short of moon nazis Internet, and while they pay well, we thought it was unethical to provide connectivity). On CMP you can build a cheap OOB network (eth switches cost nothing compared to a proper RS232 server like Avocent)

You are so completely right. In addition, servers can be power cycled remotely through CMP if need be, whereas routers need an expensive managed PDU and you always have the risk that someone got the wiring or the documentation wrong and you hit the wrong box. Similar problems with the serial wiring/documentation of course, but at least you generally discover the problem before you do anything bad.

In addition, properly implemented CMP interfaces provide a certain amount of defence against attacks on the management network, because a configuration mistake can never link production and management -- for that you need a vulnerability in the CMP. IMHO no switch or router should have management access enabled on an interface which can be configured to pass non-management traffic.

> I'd say kill the on-band RS232 and roll CMP only.

Absolutely. RS232 is not quite useless, but it is far from a proper OOB management solution.

Do the Cisco servers have proper OOB management? If so, can they send a few people from the various other business units on a field trip to the server guys?

/Benny
Re: [c-nsp] ASR9000/RSP440 Console Issue
Łukasz Bromirski luk...@bromirski.net writes:

> I saw a customer dropping our 4900M after learning the FE0 management can't be used to route its default route to the internet for the rest of multi-10GE customers. True story as they say. No amount of education at this point can make him change his mind. You'll hit customers saying it's needed, and those saying it's forbidden.

Yes, you can't win either way.

> Again, the same story. "We won't ditch our console servers!" is very often confronted with the "Only proper OOB is Ethernet OOB!". Hard to judge if you're trying to sell to everyone :)

The server people generally left the serial console port on the servers though.

/Benny
Re: [c-nsp] NAT on Cisco ASA
Covalciuc Piotr pkovalc...@gmail.com writes:

> I know, the servers can communicate through the local network (10.10.10.x). I'd just like to know if the communication between local servers can be established through the NATed IP. If so, how should it be configured on the ASA?

I believe this link answers your question: https://supportforums.cisco.com/thread/1003238

Generally the term for traffic going in and out of the same interface on a router is hairpin, so you get some good results by searching for NAT hairpin.

/Benny
Re: [c-nsp] OSPFv3 in a VRF on a 7600
Thank you all for your answers. This mailing list is always a great help.

/Benny
Re: [c-nsp] reliability of ping to router physical-, sub- or loopback interface
sth...@nethelp.no writes:

> Cisco is the same. The router's job is to forward packets, not to generate ICMP replies (whether this is due to explicit ping, or for instance traceroute through the router). You should *expect* that a modern router will have limitations on how much control plane traffic (bps, pps) it will accept/generate.

I would hope that a modern router handled at least ICMP ECHO in hardware. Latency tests are often useful for debugging, and ping is an easy-to-use and widely available tool for latency testing.

Having to start an incoming support call by explaining why a high, varying latency as measured by ping does not actually mean that something is wrong easily wastes a couple of minutes. Even worse if that was the only problem the customer had.

So please, router vendors, make ICMP ECHO fast and reliable.

/Benny
Re: [c-nsp] sup2T software release notes have hit
Gert Doering g...@greenie.muc.de writes:

> Mmmh. GPU based forwarding? Build a high-end 10Gbit router using $1000 PC parts? Tempting... :-)

Already been done, http://shader.kaist.edu/packetshader/

The code is not publicly available.

/Benny
Re: [c-nsp] What is the lowest latency switch?
sth...@nethelp.no writes:

> It already exists on some platforms. Lightly edited to hide some details:
>
> sthaug@xxx> start shell
> % pwd
> /var/home/core-remote
> % grep 'BGP.*Established to Idle' /var/log/messages | awk '{print $9}'
> x.y.4.170
> x.y.120.77
>
> sed is there too.

Is there a handy way to run traditional show commands from the shell? I.e. combine the power of a Unix shell with the commands Juniper admins take for granted?

/Benny
Re: [c-nsp] Router recommendation for small ISP
Mounir Mohamed mounirmoha...@gmail.com writes:

> For investment protection I recommend Cisco ASR1001. It is ISP class gear that allows you to add services as you grow without performance degradation. Check it out. http://www.cisco.com/en/US/products/ps10878/index.html

I know I am repeating myself, but be aware of the 500k route limitation. It may be ok for you, but if you are buying the box for investment protection, you could end up disappointed in a couple of years.

/Benny
Re: [c-nsp] Advice: Which routers to purchase ?
Łukasz Bromirski luk...@bromirski.net writes:

> The ASR 1001 is a hardware-based router that has 4 GE interfaces and is priced at 17k$ with dual PSUs. The ASR 1001 can with the proper license do 5Gbit/s line-rate, while the 7201 is a 1Mpps engine that will slow down with every feature turned on.

Does the 1001 have the limitation of 512000 routes in its FIB, like the 1002-F?

/Benny
Re: [c-nsp] Compressed IPv6 ACLs on Cat6500
Mack McBride mack.mcbr...@viawest.com writes:

> Correct, the security posture is more important. General consensus is that a subnet is a /64. More specifics should be used to reduce exposure to attacks. Links for example are generally assigned as /126 or /127.

It can be an advantage to reserve a /64 for every link in your provisioning databases but then use the first /127 in the actual router configuration. That way you can still filter on /64.

/Benny
Re: [c-nsp] Are multicast MAC addresses allowed in the source field?
On Mon, 15 Nov 2010 at 10:29 +, Tomas Daniska wrote:

> it's not only the ARP reply that has to be taken into account when talking about the operability of such solutions. In one particular case, we had been hit hard with this clustering method. Over time, everything worked as the old switches were slightly lax on RFP compliance. After upgrading to a 3C[XL] system, we experienced that packets with a multicast source MAC were getting dropped under some circumstances in hardware. Clearly a Microsoft way of doing things - let's bend the standard, let it spread, and then let the end users beat those who do comply.

Microsoft were by far not the first to do this, and I still believe that it is a brilliant solution to a difficult problem, even though we do not use it.

It is highly worrying if the 6500/7600 breaks this for layer 2 traffic. If we provide an EoMPLS link to a customer, it better be transparent. Support for this will definitely go into our next requirements document.

/Benny
Re: [c-nsp] OSPF design (danger will)
William Cooper wcoope...@gmail.com writes:

> On Mon, Oct 25, 2010 at 4:07 PM, Benny Amorsen benny+use...@amorsen.dk wrote:
>
>> Actually it does, in some cases. BGP cannot maintain 2 links to the same neighbour, and so it does not work if you have redundant links (except for LACP links and similar). That is when you need OSPF so you can peer on the loopback addresses.
>
> Doesn't multi-path fulfill this requirement?

No, multipath is a way to install multiple routes into the FIB. That is all well and good but it is an entirely separate problem. BGP cannot maintain two sessions to the same neighbour.

Imagine router A having two ethernet links to router B, with router A having addresses 1.1.1.1/24 and 2.2.2.1/24, and router B having addresses 1.1.1.2/24 and 2.2.2.2/24. Then you could set up two BGP neighbours on router A, 1.1.1.2 and 2.2.2.2. However, the second session won't work, because it has the same router ID as the first session.

Hence why you need to add 3.3.3.1/32 as loopback on router A, 3.3.3.2/32 on router B, run OSPF to get the correct redundant routing of the loopbacks, and peer on 3.3.3.x.

/Benny
Re: [c-nsp] OSPF design (danger will)
Christopher J. Wargaski war...@gmail.com writes:

> It just doesn't make sense to run OSPF when all of the links to the remote locations will be running BGP.

Actually it does, in some cases. BGP cannot maintain 2 links to the same neighbour, and so it does not work if you have redundant links (except for LACP links and similar). That is when you need OSPF so you can peer on the loopback addresses.

It is a bit surprising that no one has bothered to make an extension to BGP for this purpose, but I guess the OSPF/BGP combination works well enough.

/Benny
Re: [c-nsp] Are multicast MAC addresses allowed in the source field?
John Neiberger jneiber...@gmail.com writes:

> We have an application involving a firewall cluster where the cluster has a VIP associated with it, but the VIP apparently replies to ARP requests with a multicast MAC address. The idea, ultimately, is that both firewalls in the cluster will receive the same traffic all the time. To make this work, the router would have to accept an ARP reply that had a multicast source address (I have no idea if that's technically a problem or not) and the switches would have to populate their MAC address tables properly.

Sadly RFC 1812 hasn't been updated, so some routers (notably Juniper and Cisco) do not accept multicast MAC addresses as ARP replies. For those you need to configure static ARP, which is a pain.

It is a shame that none of the multicast-based cluster vendors (Stonesoft, Microsoft, Checkpoint, I'm sure there are more) invested the effort required to get this method officially RFC-blessed.

> It seems to me that this ought to work as long as we're not running IGMP snooping or anything like that on the switches.

IGMP snooping is something you actually want in this case, because the firewalls properly join the IGMP group and therefore traffic isn't broadcast to all interfaces.

/Benny
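An added example, not part of the thread, illustrating the check discussed here and in the Tomas Daniska exchange above: parsing an IPv4 ARP reply and deciding, as a router following RFC 1812 does, whether to learn a sender hardware address that has the group (multicast) bit set. The ARP frames, IP addresses and MAC addresses below are constructed for illustration.

```python
"""ARP reply parsing with the multicast-sender check the thread describes.

Added example; not code from the thread. All frame contents are constructed.
A router that rejects multicast sender MACs (strict=True) is the behaviour
described for Juniper and Cisco; strict=False models a device that learns the
binding anyway, which is what multicast-based firewall clusters rely on.
"""
import struct

HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2


def parse_arp(packet: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP packet (payload only, no Ethernet header)."""
    if len(packet) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", packet[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sha": packet[8:14],    # sender hardware address
        "spa": packet[14:18],   # sender protocol (IPv4) address
        "tha": packet[18:24],   # target hardware address
        "tpa": packet[24:28],   # target protocol address
    }


def build_arp(oper: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Build an Ethernet/IPv4 ARP packet; used here only to construct samples."""
    return struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper) + sha + spa + tha + tpa


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def ip_str(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def is_group_mac(mac: bytes) -> bool:
    """The Individual/Group bit is the least significant bit of the first octet.
    Set means multicast (or broadcast); such an address cannot identify one station."""
    return bool(mac[0] & 0x01)


def accept_arp_reply(packet: bytes, strict: bool = True):
    """Decide whether to learn the sender binding from an ARP reply.

    Returns (binding, reason) where binding is (ip, mac) or None.
    strict=True rejects a multicast sender MAC, as the routers in the thread do;
    the operator workaround there is a static ARP entry, which this check bypasses.
    """
    pkt = parse_arp(packet)
    if pkt["oper"] != ARP_REPLY:
        return None, "ignored: not an ARP reply"
    if strict and is_group_mac(pkt["sha"]):
        return None, "rejected: multicast sender hardware address"
    return (ip_str(pkt["spa"]), mac_str(pkt["sha"])), "learned"


# Constructed sample frames (TEST-NET-1 addresses, documentation MAC range).
ROUTER_MAC = bytes.fromhex("00005e005301")
ROUTER_IP = bytes([192, 0, 2, 1])
# Firewall cluster VIP answering with a multicast MAC (group bit set in 0x01).
VIP_REPLY = build_arp(ARP_REPLY, bytes.fromhex("01005e7f000a"), bytes([192, 0, 2, 10]),
                      ROUTER_MAC, ROUTER_IP)
# Ordinary host answering with a unicast MAC.
UNICAST_REPLY = build_arp(ARP_REPLY, bytes.fromhex("00005e005314"), bytes([192, 0, 2, 20]),
                          ROUTER_MAC, ROUTER_IP)
# A request, which must never populate the cache on its own here.
SOME_REQUEST = build_arp(ARP_REQUEST, ROUTER_MAC, ROUTER_IP, bytes(6), bytes([192, 0, 2, 20]))


if __name__ == "__main__":
    for name, frame in [("VIP", VIP_REPLY), ("host", UNICAST_REPLY), ("req", SOME_REQUEST)]:
        print(name, "strict:", accept_arp_reply(frame), "lenient:", accept_arp_reply(frame, strict=False))
```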
Re: [c-nsp] ASIC to switch port mapping
Gert Doering g...@greenie.muc.de writes:

> Now if I had more time :-) it might be worth investigating the (Linux) streaming server software used, whether it can be changed to invest a bit more CPU to better smooth out the packets... OTOH, the kernel might just wreck this, and smear it all together again. (*Now* we really get even more off-topic for c-nsp than usual)

You can use pspacer to achieve something close to perfect smoothing of bursty traffic.

/Benny
Re: [c-nsp] ASIC to switch port mapping
Nick Hilliard n...@foobar.org writes:

> From what I remember, the EX4200 has rather small buffers - not terribly different in size to the 3560/3750 range. This is from memory, so I could be mistaken. Juniper are rather coy on the topic, which is always a sign of relative paucity. If the box had buffer capacity which was worth mentioning, they'd mention it in the marketing blurb.

3MB per PFE, according to: http://www.juniper.net/us/en/local/pdf/implementation-guides/8010073-en.pdf

See table 2.

I'm not sure how much buffer the 3560 actually has, just that it isn't enough.

/Benny
Re: [c-nsp] full duplex mismatch speed - dynamips
sth...@nethelp.no writes:

> I would have agreed five to ten years ago. However, nowadays we use autoneg everywhere with a few well known exceptions (e.g. Cisco 7200 with Fast Ethernet PAs). Autoneg simply gives us fewer problems.

Autoneg also has the advantage of almost always failing in an easily detectable way: The interface goes half duplex. So as soon as you see a half-duplex interface you know that something is wrong.

/Benny
Re: [c-nsp] Centos upload speed slower on 1000m than 100m over WAN links
Gert Doering g...@greenie.muc.de writes:

> (Unfortunately, design goals for the 2960S/3750X were different than "get this fixed", so the buffer size is the same)

If you want to stick with Cisco, do they have any similar products with larger buffers? I.e. 24 or 48 1000base-T and some SFP/SFP+ uplink ports?

/Benny
Re: [c-nsp] 3rd Party Twinax cables on Nexus 5000
Asbjorn Hojmark - Lists li...@hojmark.org writes:

> The supported ones (incl. 3rd party) are listed here: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps10110/data_sheet_c78-568589.html

Are there similar lists for other Cisco switches? I found one, but it only lists Cisco's own modules: http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6974.html

/Benny
Re: [c-nsp] Cheap 10G between 7600 and Procurve 5406zl
Nick Hilliard n...@inex.ie writes:

>> Also, twinax SFP+ are manufacturer-specific. Is it possible to get a twinax cable with a Cisco-coded SFP+ at one end and a Procurve-coded SFP+ at the other?
>
> It's certainly possible to hack one up, if you have a transceiver.

Are they compatible though? If I bought a Cisco twinax and a Procurve twinax, could I detach the cable from one of the SFP+'s and attach it to the other brand SFP+?

> One option might be a Cisco OneX Converter, with a procurve twinax sfp+ cable. There are no guarantees it would work, even if you use service unsupported-transceiver on the cisco side. However, if it worked, it would probably be quite cheap.

I must admit that I'm tempted to try. $300 for the chance to save $2000, and possibly more if I have more sites.

/Benny
[c-nsp] Cheap 10G between 7600 and Procurve 5406zl
These days you can get cheap twinax 10G cables with SFP+ at the ends to connect two Cisco switches or two Procurves. Short distance only of course, but very cheap.

I would like to connect a Procurve 5406zl which has a SFP+ port to one of the 10Gbps ports on a Cisco 7600 RSP720-3CXL-10GE. Twinax ends in SFP+, the ports on the RSP720 are X2. Are there any adapters from X2 to SFP+?

Also, twinax SFP+ are manufacturer-specific. Is it possible to get a twinax cable with a Cisco-coded SFP+ at one end and a Procurve-coded SFP+ at the other?

If a twinax-based solution isn't possible, what is the cheapest solution?

/Benny
Re: [c-nsp] Cisco VPN and 64 bit Windows
Gert Doering g...@greenie.muc.de writes:

> Not that they are willing to ship an IPSEC VPN client for 64 bit windows...

There are vendors other than C and J, and one of them recently lowered the price for its basic PC client software (available for 64-bit Windows as well) to 0...

/Benny
Re: [c-nsp] SPA V1 vs V2
Rob Shakir r...@eng.gxn.net writes:

> I can confirm that the v1 SPA does _NOT_ support QinQ termination - it will let you configure it with 'encaps dot1q 400 second-dot1q 200', but will just fail to do anything.

I wish that Cisco would fix it so that these cards that do not support a feature do not let you configure it!

Also, to some it might be surprising that the SIP-600 in a 7600 will not do QinQ no matter the SPA version, whereas the SIP-400 supposedly will with a v2 SPA (I haven't had the chance to actually try, and some documentation says that it won't work)...

/Benny
Re: [c-nsp] 3560 buffering
Marian Ďurkovič m...@bts.sk writes:

> Yes, if both hosts are connected at the same speed, no extensive buffering is needed. However, another usage scenario for such switches is speed downshift, e.g. 1Gbps uplink - 100 Mbps host (or 10 Gbps - 1 Gbps), where the relation to TCP window size does apply.

It would be extremely handy if the switch did flow control in that case. However, I believe the 3560-series is incapable of transmitting XON/XOFF, while it does respect incoming XON/XOFF.

/Benny
Re: [c-nsp] Enhanced download procedure
Tassos Chatzithomaoglou ach...@forthnet.gr writes:

> I had exactly the same experience too. To be honest I was hoping Cisco would have at least coded an applet capable of maxing download speed or splitting the file in multiple parts and downloading all of them concurrently.

If that improves speed, either your network or your network stack is broken, or you're simply grabbing extra bandwidth to the detriment of others on the same network. In the last case the network administrators ought to use a fairer queueing algorithm. Either way, it would seem silly for Cisco to support such a thing.

/Benny
Re: [c-nsp] OT: Using wireshark to decode IPSec/ESP
Dale Shaw dale.shaw+cisco-...@gmail.com writes:

> It's been years since I was armpit deep in IPSec but I am assuming the encryption key it wants is NOT the ISAKMP pre-shared key.

Nope, it wants the session key used for that particular session. This can be hard to get, depending on which platforms the IPSEC end points are. For Linux you can get the keys with 'ip xfrm state'.

/Benny
Re: [c-nsp] Maximum spannig tree instances
David Hughes da...@hughes.com.au writes:

> ... works like a charm until it doesn't. Any PV based STP will not work in a dense server virtualisation environment. So these days that's basically any hosting provider. MST is your only choice and if you pre-provision your vlan/instance mappings it works fine. Been running it without a single issue for ages.

The other option is to do dot1q tunneling, so the switches have no idea which traffic they're carrying. It makes configurations a lot simpler, but obviously gives less control over which VLANs are available on which ports. Getting *STP right in a q-in-q environment is not without its own challenges of course.

/Benny
Re: [c-nsp] multiple vlans on a port
Matthew Huff mh...@ox.com writes:

> Also, with 802.1q framing, you might run into fragmentation on the non-native VLANs. You may want to adjust the MTU on the virtual machines if Linux doesn't do it automatically.

Linux, with reasonably modern kernels, automatically allows an extra 4 bytes for the 802.1q tag. You're ok, as long as the switch allows them too.

This logic seems to break down when doing q-in-q, where you may have to adjust the MTU to 1508 for the untagged device. This may be fixed in the last few kernels; I haven't tried lately.

/Benny
Re: [c-nsp] L2TPv3 and VLANs
Paul Stewart p...@paulstewart.org writes:

> On a related note to the PS below... we have tested l2tpv3 on a few different boxes running various IOS images and on each of the devices we did test we saw the same behavior. This means something is either broken in the code in my opinion or that we are doing something wrong. Typically that means the second option in our case (lol) but I did get a fair amount of feedback offline from folks with similar problems ;)

Generally problems with PMTU are caused by people blocking ICMP in their (usually PIX/ASA) firewalls. If you control the whole path, you can make sure that you're not one of the culprits. On the other hand, if you're trying to reach the Internet through tunnels with non-1500-byte MTU, you'll just have to accept that it won't work. You can MSS adjust for TCP traffic though, or you can lower your interface or route MTU as workarounds.

The only real fix is either PIX/ASA administrators getting a clue, or Cisco getting a clue. Not particularly likely.

/Benny (Yes, I'm bitter.)
Re: [c-nsp] General performance based routing question?
Brad Hedlund brhed...@cisco.com writes:

> No, not at all. PFR runs locally on the router and does not rely on any other routers having PFR enabled (unless you have separated the MC function). PFR makes traffic engineering decisions based on the traffic measurements on your routers only. You do not need any special configuration, coordination, or support from a 3rd party.

Does PfR do anything for incoming traffic, or is it strictly for outgoing traffic? Dynamic, automatic management of BGP-prefix-prepending and BGP communities would be quite neat. If Cisco solved that problem I'd be very impressed.

/Benny
Re: [c-nsp] How to improve C3750G switch uplink speed?
Jonathan Brashear jonathan.brash...@hq.speakeasy.net writes:

> As an aside, PVST can become an issue when you're scaling up into dozens/hundreds of VLANs.

The 3560/3750 series supports only 128 PVST instances. I discovered this the hard way.

/Benny
Re: [c-nsp] ASR 1000 series again: Netflow export
Elmar K. Bins e...@4ever.de writes:

> So, the conclusion is: The mgt port is absolutely useless for me and I could have saved the money on it. Mgt Ethernet will take one of the precious ports on the SP, and it will make ACLs and route filtering necessary, too.

The mgmt port should perhaps be thought of as an ethernet version of the console port? Personally, I would prefer that to be the case; the more it looks like a serial port + a terminal server + a power control bar, the better.

/Benny
Re: [c-nsp] ASR 1000 series again: Netflow export
Elmar K. Bins e...@4ever.de writes:

> This forces everyone with out-of-band management and monitoring equipment to sacrifice one of the power ports for management and again run ACL based security there. Just like in the olden days...

It allows the rest of us to get rid of the terminal servers and the managed power bars. Assuming you can power cycle a failed router through the management ports, of course.

The port should be sufficiently isolated that there is no risk of an intrusion providing the attacker access to the management network, even if the attacker can run arbitrary code on the router. Again, just like a serial port.

It's about time the router vendors give us the remote management capabilities that server vendors have provided for years or decades.

/Benny
Re: [c-nsp] Cisco MPLS interoperability with Mikrotik (or Linux) MPLS
Charles Wyble char...@thewybles.com writes:

> Last time I looked into this (mid last year) the Linux bits weren't very mature. Not sure how Mikrotik or Vyatta have changed it. Hopefully they have made things better.

Mikrotik has done their own MPLS/VPLS implementation. You can't really use experiences with the (indeed immature) attempts that others made as a guide. In the last 6 months Mikrotik's MPLS implementation has taken great leaps forward.

/Benny
Re: [c-nsp] number of VRFs on Cisco Cat/7600
Adam Armstrong li...@memetic.org writes:

> I have heard it said that more than 512 VRFs is crazy. more than 1024 *INSANE*.

Why? You want as many customers on one box as possible, to keep costs and maintenance down. Having an array of PEs at 1/100th of capacity just because they're limited to 512 VRFs is crazy.

/Benny
Re: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
Chris Hills c...@chaz6.com writes:

> Radiator /is/ open-source, but it is not free.

The fact that you get the source code doesn't by itself make the software open-source. The license may be this one: http://www.open.com.au/license.html but it says that any click-through license overrides what is written there, so don't put too much faith in that.

/Benny
Re: [c-nsp] DS1 provisioning using IP Unnumbered vs /30s
Alex Balashov abalas...@evaristesys.com writes:

> There is no reason why you need to waste IP addresses on the /30s - who said they have to be public IPs? Just carve out some address space out of a 10.0.0.0/8 range and use private transport IPs.

You risk that ICMP comes from those addresses. This could happen with traceroute, where it is harmless, and with ICMP-Packet-Too-Big, where it isn't harmless. Is there a way to force a particular IP to be used for ICMP messages with Cisco?

/Benny
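Two replies in this archive turn on the same mechanism: the L2TPv3 reply above blames blocked ICMP for PMTU failures and names MSS adjustment as the workaround, and the reply just above warns that a Packet-Too-Big sent from an RFC 1918 transport address is likely to be filtered before it reaches the sender. The following is an added example written for this page (not code from the thread, from Cisco or from any firewall vendor) that builds and parses an ICMPv4 type 3 code 4 message, reads the RFC 1191 Next-Hop MTU, flags a private source address, and derives the TCP MSS clamp a router would need to apply if the message never arrived. The packet, addresses and SYN are constructed samples; all function names are this example's own.

```python
import ipaddress
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPPROTO_ICMP = 1

RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_rfc1918(addr) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 only (narrower than ipaddress.is_private)."""
    addr = ipaddress.IPv4Address(addr)
    return any(addr in net for net in RFC1918_NETS)


def build_frag_needed(src_ip: str, dst_ip: str, next_hop_mtu: int, original_hdr: bytes) -> bytes:
    """Constructed IPv4 datagram carrying ICMP type 3 code 4 with an RFC 1191 Next-Hop MTU."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + original_hdr
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_frag_needed(pkt: bytes):
    """Return (source address, next-hop MTU) for a valid ICMP Fragmentation Needed, else None."""
    if len(pkt) < IPV4_HDR_LEN or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:      # a valid checksum folds to zero
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack_from("!BBHHH", icmp, 0)
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return ipaddress.IPv4Address(pkt[12:16]), mtu


def advertised_mss(tcp_segment: bytes):
    """Return the MSS option (kind 2) carried in a TCP SYN, or None if absent."""
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = tcp_segment[TCP_HDR_LEN:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:         # End of Option List
            break
        if kind == 1:         # NOP is a single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", opts, i + 2)[0]
        i += length
    return None


def diagnose(pkt: bytes, syn: bytes):
    """Combine the too-big message and the flow's SYN into a PMTUD blackhole diagnosis."""
    parsed = parse_frag_needed(pkt)
    if parsed is None:
        return None
    src, mtu = parsed
    clamp = mtu - IPV4_HDR_LEN - TCP_HDR_LEN   # MSS that fits the reported MTU without options
    mss = advertised_mss(syn)
    return {
        "source": str(src),
        "next_hop_mtu": mtu,
        # an RFC 1918 source is likely dropped by ingress/bogon filters before the sender sees it
        "private_source": is_rfc1918(src),
        "tcp_mss_clamp": clamp,
        "advertised_mss": mss,
        "mss_needs_clamp": mss is not None and mss > clamp,
    }


# Constructed samples: a too-big from a private transport address (original header is a
# 28-byte placeholder), a SYN advertising MSS 1460, and a SYN with no options at all.
SAMPLE_TOO_BIG = build_frag_needed("10.255.0.1", "203.0.113.10", 1400, bytes(28))
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0) + struct.pack("!BBH", 2, 4, 1460)
SAMPLE_SYN_NO_OPTS = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOO_BIG, SAMPLE_SYN))
```

The `private_source` flag is the practical check behind the /30 reply: if the reported source is in 10/8, 172.16/12 or 192.168/16, a remote host behind a sensibly configured border filter will never receive the message, and `tcp_mss_clamp` is the value an MSS adjustment would have to enforce to keep TCP working anyway.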
Re: [c-nsp] Catalyst 3750 stacks with many members
Kevin Graham [EMAIL PROTECTED] writes:

> My biggest single gripe is Cisco's own internal games with them with product handicapping such as the lack of a 3750E equivalent to the 3650E-12D and a higher-density or 'E' version of the 3750G-12S. (It would also be really nice to see an ISSU equivalent for these...)

Indeed, Cisco seems to be completely out of the loop when it comes to non-modular fiber switches. Competing vendors can do 48 1Gbps SFP in one rack unit, and the best Cisco can do is 12...

/Benny
Re: [c-nsp] DualStack IPv4/IPv6 for access?
Mark Newton [EMAIL PROTECTED] writes:

> The next challenge is to find consumer-grade ADSL2+ CPE which does IPv6. Can't expect all my residential customers to run out and buy 877s, right?

Mikrotik Routerboards will do it, admittedly in a prerelease (but hey, that shouldn't really scare Cisco customers...) They don't have the ADSL modem built-in though. That would have been handy. I doubt you'll find anything much cheaper.

/Benny
Re: [c-nsp] ASR 9000
Mark Tinka [EMAIL PROTECTED] writes:

> I think the only reason folk wouldn't look at the ASR9000 for Metro-E P/PE deployments, at least in the short to medium term, is because IOS XR might be anaemic when compared to regular IOS.

Isn't the 7600 likely to be cheaper than the ASR9000 for the same number of ports? I think the ASR9000 looks good for P/PE duty from what little information is out, but some price information would be nice.

/Benny
Re: [c-nsp] Upgrading edge router
Ben Steele [EMAIL PROTECTED] writes:

> As for licenses this one is a little weird, basically adv enterprise is cheaper than adv ip even though it has all the features of adv ip, seems to be purely based on ppl not wanting features they will never use available on an image and Cisco making them pay more for that feature, my advice is buy the cheaper adv enterprise, it will do IPv6.

It is a bit weird that an edge router in 2008 doesn't ship with IPv6 in its base image. It's also a bit weird that the price of the base image is separate from the price of the router. You can't just grab a random Linux distribution and install that...

/Benny
Re: [c-nsp] c7604 starter kit
Feature Navigator says that IEEE 802.1Q-in-Q VLAN Tag Termination is available in asr1000rp1-ipbase.02.01.00.122-33.XNA.bin. I was certainly worried for a minute there :)

/Benny
Re: [c-nsp] IPv6 Subnetting - Service Provider
Florian Weimer [EMAIL PROTECTED] writes:

> * Bob Snyder:
>> One issue we ran into was that not all the networking gear we had could support /126. The vendor's (not Cisco) immature support for IPv6 could only understand the concept of /128 loopbacks and /64 subnets.
> Subnets smaller than /64 containing (conceptually) global unicast addresses are not allowed per the IPv6 addressing architecture RFC. So it's just another case of vendors getting bitten by RFCs that don't match customer requirements. 8-/

You could also call it unreasonable customer requirements. If you spend a /40 on linknets you can have 2^24 of them. A /40 is nothing to an ISP. An enterprise would be a bit more cramped, but any enterprise needing more than say 1 linknets should probably get an AS-number and some provider-independent space -- and then there's plenty of space again.

/Benny
Re: [c-nsp] OT: Possible List Troll/Spammer..
Marko Milivojevic [EMAIL PROTECTED] writes:

> In our defense (yes, I'm one of those people), some of us may not have a choice. When we leave for vacation, we must configure auto responder, if we are using work e-mail for mailing list subscriptions...

If a mail program sends an autoresponse to a list mail, it's simply broken. I believe even Exchange/Outlook is smart enough to not do that.

/Benny
Re: [c-nsp] ASA or FRSW in transparent mode over qinq
Christian Koch [EMAIL PROTECTED] writes:

> I'm a bit confused by your use of terms in the question... are you asking about vrf-aware firewalls?

Probably. Most of them seem to only do 250 firewalls per box, or in the case of the FWSM, per module. What about the service providers with thousands of VRFs?

/Benny
Re: [c-nsp] ASA or FRSW in transparent mode over qinq
Pavel Skovajsa [EMAIL PROTECTED] writes:

> What if the service provider wants to provide centralized firewalled internet connection to those customers?

Exactly. There must be many ISPs which offer hosted firewalls and Internet access for their MPLS customers. But how? None of the solutions seem to scale.

/Benny
Re: [c-nsp] ASA or FRSW in transparent mode over qinq
Pavel Skovajsa [EMAIL PROTECTED] writes:

> does anybody know whether ASA or FWSW is able to firewall qinq packets in transparent mode? Does anybody have some configs of this? In short we are a service provider who wants to offer firewall protection to various customer qinq tunnels.

I don't know the answer to your question, but I do have another one... Which firewall do MPLS providers use to connect customer VRFs to the Internet? 6500s with FWSMs? What if they have thousands of VRFs? All of the usual enterprise firewalls like ASA, Netscreen, Checkpoint VSX top out at a few hundred virtual firewalls per box.

/Benny
Re: [c-nsp] trunks, vlans and a metroLAN
Eric Van Tol [EMAIL PROTECTED] writes:

> Are /31 subnets valid for an ethernet network nowadays?

See RFC 3021.

Speaking of which, I wish we could redefine the subnet address to be a usable host address in general. I know the history with zero-broadcast and all that, but this is 2008...

/Benny
Re: [c-nsp] 7201 rack mounting
[EMAIL PROTECTED] writes:

> racked a lot of 7200s. never had a problem with them drooping alarmingly. tighten your screws.

It IS a problem with 1U front mounted stuff. Even 3750s suffer from it. The solution is to turn the brackets around and move the rack posts back. This doesn't work very well if there are patch panels in the same rack though.

/Benny