Re: [c-nsp] many 2960-X rebooting today

2018-03-16 Thread Brandon Applegate

> On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
> 
> Thanks we have disabled this now - It is in our new build script, these were 
> rolled out a few months ago.
> 
> I guess there is no way of seeing if this exploit was executed, perhaps in 
> the crashdump somewhere?

I’m struggling to remember.  I want to say you will see a %SYS-5-CONFIG - 
Configured from XXX by YYY message.

The questions become:

- Are you syslogging out to a server that would have caught this ?
- Is there any IP in there of where it was originated from ?
- If so - other than an abuse report to the respective ISP and blocking 
the IP - what can be done ?

I guess the other thing I’d add - is if there’s any weak crypto (type 7, or 
even a weak type 5 etc.) passwords or keys in your config, you might want to 
change these.  In other words, assume they have a copy of your config and act 
accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
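Added example, not from the original thread: a small triage script for the "Configured from XXX by YYY" syslog messages mentioned above. It assumes the message shapes listed in the comments (exact wording varies between IOS releases); the log lines and the management allow-list are constructed.

```python
"""Triage of IOS %SYS-5-CONFIG_I syslog events.

Groups configuration-change events by where they came from, so a change made
from outside the expected management sources (or loaded from a file server
rather than typed at a session) stands out in a pile of syslog.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Message shapes assumed here (exact wording varies between IOS releases):
#   "%SYS-5-CONFIG_I: Configured from console by <user> on <line> (<ip>)"  CLI session
#   "%SYS-5-CONFIG_I: Configured from console by console"                   local console
#   "%SYS-5-CONFIG_I: Configured from <url> by <who>"                       file copied in
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+) \((?P<ip>[0-9A-Fa-f.:]+)\))?"
)


@dataclass
class ConfigEvent:
    raw: str
    source: str               # "console" or a URL such as tftp://host/file
    user: str
    line: Optional[str]       # vty0, con0, ... (None for file loads)
    origin_ip: Optional[str]  # remote address of the session, or the URL host
    interactive: bool         # True for a CLI session, False for a file load


def parse_config_events(lines: Iterable[str]) -> List[ConfigEvent]:
    """Extract CONFIG_I events; lines that are not CONFIG_I are skipped."""
    events: List[ConfigEvent] = []
    for raw in lines:
        m = CONFIG_I.search(raw)
        if not m:
            continue
        source, user = m.group("source"), m.group("user")
        if "://" in source:
            # Non-interactive: the running-config was replaced/merged from a
            # file server, so the only origin we get is the server address.
            events.append(ConfigEvent(raw, source, user, None,
                                      urlsplit(source).hostname, False))
        else:
            events.append(ConfigEvent(raw, source, user, m.group("line"),
                                      m.group("ip"), True))
    return events


def flag_unexpected(events: Iterable[ConfigEvent],
                    allowed_mgmt: Iterable[str]) -> List[Tuple[ConfigEvent, str]]:
    """Return (event, reason) pairs a responder should look at first.

    allowed_mgmt: CIDR strings for the sources management sessions should
    come from.  File loads are always returned: a legitimate one is a known
    change-window activity and is quick to rule out, an unexpected one is not.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_mgmt]
    flagged = []
    for ev in events:
        if not ev.interactive:
            flagged.append((ev, f"config loaded from file {ev.source}"))
        elif ev.origin_ip is not None:
            addr = ipaddress.ip_address(ev.origin_ip)
            if not any(addr in n for n in nets):
                flagged.append((ev, f"session from unexpected address {ev.origin_ip}"))
        # Local console changes carry no remote IP and are not flagged here;
        # physical access is a different question from this one.
    return flagged


# Constructed sample lines (not taken from any real device).
SAMPLE_LOG = [
    "Mar 16 13:52:01.123 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)",
    "Mar 16 13:58:40.002 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up",
    "Mar 16 14:01:44.551 UTC: %SYS-5-CONFIG_I: Configured from tftp://203.0.113.9/config.txt by console",
    "Mar 16 14:02:10.004 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "Mar 16 14:05:30.300 UTC: %SYS-5-CONFIG_I: Configured from console by ops on vty1 (192.0.2.77)",
]
# Made-up management prefix that SSH is supposedly locked down to.
ALLOWED_MGMT = ["198.51.100.0/24"]


def triage(lines: Iterable[str] = SAMPLE_LOG,
           allowed_mgmt: Iterable[str] = ALLOWED_MGMT) -> List[Tuple[ConfigEvent, str]]:
    return flag_unexpected(parse_config_events(lines), allowed_mgmt)


if __name__ == "__main__":
    for ev, why in triage():
        print(f"{why}\n    {ev.raw}")
```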

Re: [c-nsp] many 2960-X rebooting today

2018-03-16 Thread Brandon Applegate


> On Mar 16, 2018, at 12:49 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
> 
> Anyone seen a number of internet facing 2960-X switches restart today?
> 
> We have had 3 different clients, 6 different switches all reboot today.
> 
> No uptime in common, no code version in common.
> 
> One of them has WS-C2960X-24TS-L - Version 15.2(2)E6
> 
> The only thing they do have in common is that they have internet IP addresses 
> for MGT - with SSH allowed, locked down to certain public IP's.
> 
> Just wondering if this may be the execution of an exploit by a baddie.
> 
> Nick

I haven’t - but the first thing that popped into my head was:

https://github.com/Sab0tag3d/SIET

You might want to scan/nmap your switches.  I know some folks that got hit with 
this last year.


Re: [c-nsp] Cisco ONS TCC2P Question

2017-12-06 Thread Brandon Applegate
In a former life we had this happen all the time (initially).  We were polling 
the nodes via SNMP and this seemed to run them out of memory.  If I recall - we 
severely pruned back what SNMP we were hitting it with and it seemed to get 
better.

So having said all that - do you have anything poking at the nodes at any 
regular intervals ?


Re: [c-nsp] 4500X in VSS - Upgrading IOS XE

2016-04-06 Thread Brandon Applegate

> On Apr 5, 2016, at 7:20 PM, CiscoNSP List <cisconsp_l...@hotmail.com> wrote:
> 
> Disconnecting VSS/removing VSS/VSL conf was a recommendation from TAC (for a 
> non-ISSU upgrade), which sounded like a very unusual requirement, lol. Hence 
> my question here.
> 
> cheers

I think ‘unusual’ is an understatement.  Tearing down the VSL/VSS defeats the 
purpose of building it in the first place.

I have done the ISSU procedure on a 4500X VSS and it was successful.  The 
environment was all connected/static though - so it was very easy and 
essentially 0 ‘blip’.

If you have routing protocols running - it would be nice to see NSF work in 
this scenario.


[c-nsp] IOS VRF (lite) command - route-replicate recursion-policy

2015-01-29 Thread Brandon Applegate
I’m having no luck finding any info on this knob.  This is in a VRF definition 
and then down in the address family.  I have route-replicat(ion) working - but 
this knob is also there staring me in the face.  Smells like it might be useful 
(i.e. guessing its function).  Thanks in advance for any info.


[c-nsp] IOS - Proxy arp + DAD gratuitous arp

2014-12-02 Thread Brandon Applegate
Hello,

Was wondering if anyone has ever seen an issue like this.  Anecdotal is fine 
too.

Essentially, I have an environment that the server guys are seeing duplicate IP 
issues - specifically from Win2k8 servers.  They say that they can manually 
intervene (don't know the details) and get the NIC working - but the ‘manual’ is 
the part that's killing them (rightfully so).

This is one of the only environments where I don’t control layer3 (layer2 VM 
farm - upstream layer3 is $org) :(  So I’m really doing forensics as I can’t 
“touch” the routers :(  In all the other environments of the like (where I DO 
control layer3) - we don’t have this problem.  In those environments we run 
4900Ms - with relatively recent IOS.  In the questionable environment - I’m 
getting the feeling they may have some old gear doing layer3.

Here’s my theory - could the DAD GARP from Win2k on bootup be ‘answered’ by 
proxy arp on the Cisco side ?  In my environment where I control layer3 - this 
is what debug arp says when a box boots or changes its IP:

Dec  2 18:16:29.108: IP ARP: ignored gratuitous arp src 0.0.0.0 0011.2233.4455, 
dst 1.1.1.1 0066.7788.9900, interface Vlan110

I have no special config on this box arp-wise.  I am assuming that that is the 
(sane) default behavior of this version of IOS.

Could there be an older IOS (or bug) that would NOT ignore this and rather 
‘answer’ for it ?  What about local proxy-arp (have never touched local proxy 
arp, only read about it).  I’m thinking that a proxy arp answer could trigger 
the duplicate IP detection in Win2k8.  No strange spanning tree errors or logs 
that I can see.  It could also be a ‘3rd party’ on the vlan somewhere - i.e. 
not the Cisco router(s).

I am working with $org, but while I sit and wait on emails and pcaps - I 
thought I’d post this.  Thanks in advance for any brain cycles spent on it.

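Added example, not from the original post: a small model of the ARP decision the post is asking about. RFC 5227 defines the probe (sender IP 0.0.0.0) and announcement (sender IP equal to target IP) forms; the sample frame mirrors the debug line above, while the router address 1.1.1.254, the /24 and the `honour_dad=False` path (the hypothetical misbehaviour, not any documented IOS behaviour) are constructed here.

```python
"""ARP probe / gratuitous-ARP classification and a model proxy-ARP responder.

Shows why a router that proxy-answers an RFC 5227 ARP Probe would make the
probing host report a duplicate address, and what a sane responder does.
"""
import struct
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, ip_network
from typing import Callable, Iterable

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpKind(Enum):
    PROBE = "probe"                        # RFC 5227 probe: request, sender IP 0.0.0.0
    ANNOUNCEMENT = "announcement"          # RFC 5227 announcement: request, sender IP == target IP
    GRATUITOUS_REPLY = "gratuitous-reply"  # unsolicited reply, sender IP == target IP
    REQUEST = "request"                    # ordinary who-has
    REPLY = "reply"


@dataclass(frozen=True)
class Arp:
    op: int
    sha: bytes
    spa: IPv4Address
    tha: bytes
    tpa: IPv4Address


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Encode a 28-byte Ethernet/IPv4 ARP body (no Ethernet header)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


def parse_arp(body: bytes) -> Arp:
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return Arp(op, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def classify(a: Arp) -> ArpKind:
    if a.op == ARP_REQUEST:
        if int(a.spa) == 0:
            return ArpKind.PROBE
        return ArpKind.ANNOUNCEMENT if a.spa == a.tpa else ArpKind.REQUEST
    if a.op == ARP_REPLY:
        return ArpKind.GRATUITOUS_REPLY if a.spa == a.tpa else ArpKind.REPLY
    raise ValueError(f"unknown ARP opcode {a.op}")


def responder(a: Arp, local_ips: Iterable[str], proxy_arp: bool,
              has_route: Callable[[IPv4Address], bool],
              honour_dad: bool = True) -> str:
    """Model of a router's ARP input path: 'ignore', 'answer-own' or 'answer-proxy'.

    honour_dad=True is the sane behaviour the post's debug output shows.
    honour_dad=False is the hypothetical misbehaviour the post asks about:
    proxy ARP answering a probe for any address the router can reach.
    """
    kind = classify(a)
    if kind not in (ArpKind.REQUEST, ArpKind.PROBE):
        return "ignore"          # announcements and replies are never answered
    if any(a.tpa == IPv4Address(ip) for ip in local_ips):
        return "answer-own"      # a probe for *our* address is a genuine conflict
    if kind is ArpKind.PROBE and honour_dad:
        return "ignore"          # someone else's DAD probe: not ours to answer
    if proxy_arp and has_route(a.tpa):
        return "answer-proxy"
    return "ignore"


def host_declares_duplicate(sent: Arp, decision: str) -> bool:
    # RFC 5227: any reply to a probe means the address is already in use.
    return classify(sent) is ArpKind.PROBE and decision.startswith("answer")


# Constructed frame mirroring the debug line in the post:
#   src 0.0.0.0 0011.2233.4455, dst 1.1.1.1 0066.7788.9900
SAMPLE_PROBE = build_arp(ARP_REQUEST, bytes.fromhex("001122334455"), "0.0.0.0",
                         bytes.fromhex("006677889900"), "1.1.1.1")
ROUTER_IPS = ["1.1.1.254"]          # made-up router address on the VLAN


def in_connected_subnet(ip: IPv4Address) -> bool:
    return ip in ip_network("1.1.1.0/24")   # made-up connected subnet


def simulate(honour_dad: bool) -> tuple:
    """(classification, router decision, does the host see a duplicate?)"""
    a = parse_arp(SAMPLE_PROBE)
    decision = responder(a, ROUTER_IPS, True, in_connected_subnet, honour_dad)
    return classify(a).value, decision, host_declares_duplicate(a, decision)


if __name__ == "__main__":
    print("sane router:       ", simulate(honour_dad=True))
    print("hypothetical buggy:", simulate(honour_dad=False))
```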

[c-nsp] RFC3107 (Inter-AS MPLS LABEL dist via BGP) on Nexus (7k) ?

2014-08-14 Thread Brandon Applegate
Apologies if this has been covered before - if so I can’t find it.

Here is the IOS version of this (albeit based on older IOS):

http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsiasleb.html

Doing this currently with great success on a 6509 VSS pair.  In looking at 
Nexus 7k for example, having a hard time finding proof that this is in there.  
I see RFC 3107 called out in ‘supported standards’ on some NXOS sheets, but I 
can’t find any commands or examples of folks actually doing this.

Thanks in advance for any feedback.


[c-nsp] Cisco autonomous AP - 802.11n / ac ?

2014-02-12 Thread Brandon Applegate

Hello,

Sorry if the subject matter is a bit downrange for the list, but I figured 
folks here might have some info on this.


Currently I use rancid (clogin) to hit APs daily and change a PSK.  This 
is for guest access, and the script also writes the info to a simple HTML 
web page.  This works great.


However, it seems that there is essentially no such thing as a Cisco N or 
AC AP that runs IOS (autonomous) anymore...  If you have one AP - you are 
expected to have a controller (even if some kind of ISR baked in deal).


So my question is either/or - can anyone confirm that Cisco is essentially 
deprecating autonomous APs with newer radio tech ?  Or - can someone point 
me to something that could do what I'm doing now (linux+rancid+script+ap). 
I would assume this solution would be non-Cisco.


Off list replies are fine to minimize noise.

Sorry this isn't about NTP reflection... ;)



[c-nsp] NXOS - 'format' command missing ?

2013-05-10 Thread Brandon Applegate

Hello,

I did some searching on this, and couldn't find anyone else complaining of 
it - so I figured I'd ask here.


Got some 5548UP's, they were running 5.1.something out of the box, just 
put 5.2(1)N1(4) on them.  Same issue with original code as well as new.


Cisco docs state there is a 'format' command.  You should be able to use 
this on usb1: for example (the USB port near mgmt0/console).  Here is what 
I have:


  ...
  event    Event Manager commands
  find     Find a file below the current directory
  gunzip   Uncompresses LZ77 coded files
  gzip     Compresses file using LZ77 coding
  hardware Change hardware usage settings
  install  Upgrade software
  ...

It's not 'hidden' either.

n5kup-1# format
  ^
% Invalid command at '^' marker.
n5kup-1# format usb1:
  ^
% Invalid command at '^' marker.

Any info would be appreciated, even if 'yes it doesn't exist, you're not 
crazy'.  Thanks.




Re: [c-nsp] 6500/Sup720-3BXL FIB TCAM tuning

2013-01-20 Thread Brandon Applegate

On Sat, 19 Jan 2013, Pete Templin wrote:

Has anyone successfully tuned this, and if so could you share the software 
version and tunings used? We're running advipservicesk9_wan-mz.122-33.SXJ2 if 
that matters.


Just did this last week.  Doing the other half of them next week.

--
swr0-9#sh ver | inc ^Cisco IOS
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), 
Version 12.2(33)SXI6, RELEASE SOFTWARE (fc4)


swr0-9#sh mls cef maximum-routes
FIB TCAM maximum routes :
===
Current :-
---
 IPv4- 768k
 MPLS- 16k (default)
 IPv6 + IP Multicast - 120k (default)


swr0-9#sh run | inc maximum-routes
mls cef maximum-routes ip 768
--



Re: [c-nsp] Catalyst 3xxx IPv6 VRF Lite ?

2012-10-19 Thread Brandon Applegate

Small update: our Cisco SE says roadmap for this is August 2013.

That seems overly specific to me, but I'm just relaying what he told me.



[c-nsp] Catalyst 3xxx IPv6 VRF Lite ?

2012-10-13 Thread Brandon Applegate

So I found this:

http://www.gossamer-threads.com/lists/cisco/nsp/160249

Anyone have any exciting news on this front since April? :)  Any of the 
folks @cisco.com on this list that are able/willing to comment ?


I'm working on an order to upgrade all our desktop switches, and have 
been using this:


http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf

It certainly helps, but skips over something as specific as IPv6 VRF lite.

Not to 'cross the streams' WRT to the other list, but it looks like 
Juniper EX3200 supports this (and generally would match up to the 
3560X's I was looking at).


I'm thinking about backing my 3560Xes down to L2 license, and putting a 
router in at the sites to be the 'VRF concentrator'.  This adds a bit of 
complexity, cost, and less performance (sites are generally connected back 
via 1G fiber - so a 39xx router would be maxing out at 300-500 Mbps ?)


I've rambled long enough - if anyone has any info or advice I'd be 
grateful.  Thanks.




Re: [c-nsp] Catalyst 3xxx IPv6 VRF Lite ?

2012-10-13 Thread Brandon Applegate

On Sat, 13 Oct 2012, Gregoire Huet wrote:


Hello

I've been told by Cisco that the feature would be available by 1st half of 
2013.


Thanks for the info.  I could probably get by till then - I really need 
ipv6 initially in the global table anyway.  Just didn't want to choose a 
platform that would have this feature gap indefinitely.



[c-nsp] Cat 6500 - uRPF - FIB TCAM

2012-08-14 Thread Brandon Applegate

Hello,

I know this has been mentioned over the years here and there, but I don't 
know that I fully understand the exact behavior.  I've always read 'urpf 
halves your tcam...'.  So this only applies to the interface on which it's 
configured, correct ?  So for example, in a single switch with the full 
routing table (using ipv4 for examples, and using simple even numbers 
not counting any built-in entries):


uplink 1 - 400k routes
uplink 2 - 400k routes

customer interface 1 - 2 routes
customer interface 2 - 2 routes

So this is 400,004 entries.  Adding (strict) urpf to the customer 
interfaces (not the uplinks) would make this 400,008 ?


I guess I'm just unsure of if urpf is added to a single interface (even a 
customer interface with 1 or 2 prefixes) - does this have some 'global' 
effect ?


Thanks in advance.



Re: [c-nsp] Cat 6500 - uRPF - FIB TCAM

2012-08-14 Thread Brandon Applegate

Thanks to Tim - that was exactly the clarification I was looking for.



[c-nsp] CCO - Downloads area borked ?

2012-02-22 Thread Brandon Applegate
Getting various server side fails (file not available, JAMon 
PageRenderMonitor, etc).  Just wanted to see if other folks are having a 
similar issue.




Re: [c-nsp] Performace - IP DHCP Snooping

2011-08-14 Thread Brandon Applegate

On Sun, 14 Aug 2011, Alexander Clouter wrote:


* Andrew Miehs and...@2sheds.de [2011-08-14 17:20:35+0200]:


On 14/08/2011, at 12:56 PM, Alexander Clouter wrote:

Two gotchas:
* 'ip dhcp snooping database flash:dhcp-snoop.db', so that if the
switch reboots all the clients do not get locked out


I don't understand why you would require storing this data?

The dhcp servers are on the trusted ports - and clients are all on untrusted.
What more information needs to be stored?


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html#wp1090370

Switch reloads occur for many reasons (power failures, IOS updates, etc)
and you do not want all the workstations hanging off that switch being
dead in the water when/if they do not renew their lease...



My understanding is that by itself - DHCP snooping doesn't require this. 
Your workstations will not be 'dead in the water'.  The switch will simply 
have an empty table upon boot and rebuild as renewals etc flow.  User 
traffic itself will be unaffected.


But if you also run DAI - then this is required and the situation you 
present would manifest.  Personally I do the tracking anyway - even if not 
enabling DAI initially.  This way if DAI is added in the future it's one 
less thing to check off the list of prerequisites.




[c-nsp] Dot1q 'injection' on Nexus 7k access port

2011-07-15 Thread Brandon Applegate
I plan on digging around some on my own, but wanted to quickly see if 
anyone has any data, or lab experience etc on this.


My question is that if I am connected to an access port, and I send a 
tagged frame, will this frame make it to the VLAN in question ?


Thanks.



Re: [c-nsp] redundancy via VPN

2011-07-13 Thread Brandon Applegate

On Wed, 13 Jul 2011, Scott Voll wrote:


I would like to add some redundancy to our network.  we currently have a MAN
connection between two sites.  Each site also has internet connectivity with
other providers (not our MAN provider).

Which is the better way to add redundancy over those internet connections:
GetVPN, or DMVPN using GRE or is there a better option yet?

TIA

Scott


If your topology is simple enough, and the set of routes manageable / 
nicely aggregated - why not just a VPN that will get used by virtue of 
following the default route ?  In other words, assuming 
OSPF/BGP/BFD-static etc on the MAN connection - when that goes away, the 
more specific to the other site is gone.  Assuming default flows toward 
the internet devices, if they can do VPN, it will get used by virtue of 
not having the more specific MAN route.


For something more complex, I'd look at some kind of dynamic protocol, and 
using the same one if you can get away with it (i.e. no mutual 
distribution, filtering, etc).  BGP has good knobs to influence this, 
OSPF/EIGRP would take a tunnel bandwidth into account and should work as 
well.


I've historically also done this with GRE from devices riding an IPSEC 
tunnel that only encrypted the GRE endpoints.  I assume nowadays in IOS 
with VTI's you can do this more elegantly.  On ASA (at least code I've 
touched) there isn't much at your disposal WRT IPSEC stuff.  Not very 
flexible or dynamic.  Other vendors fare differently because you can run 
OSPF/BGP on their firewalls, and actually have the VPN manifest as an 
'interface'.  Kill multiple birds with one stone.




Re: [c-nsp] DWDM Optics use

2011-06-04 Thread Brandon Applegate

On Sat, 4 Jun 2011, Keegan Holley wrote:


I'm struggling with a use for DWDM optics.  I understand the concept of
DWDM/CWDM and phase shifting to create more links over a single fiber.  Once
that is done the ASIC/FPGA bandwidth allocated to the port remains the same,
correct?  So if I create multiple 1G connections on a single port with these
magic sfp's am I still limited by the 1g/2g chip in the device.  Are all the
logical connections forced to be sub-rate?  I know the larger equipment
handles this differently, so I'm only concerned with the 3750/3560 size
boxes.



Hmm, I may be misunderstanding - but I think you are misunderstanding how 
DWDM tuned optics work.  A 1g or 10g DWDM optic is still a single 1 or 10 
interface.  It's just that the transmit laser is tuned to a channel (i.e. 
1546.12).


Router#sh int tenGigabitEthernet 7/1 | inc media
  Full-duplex, 10Gb/s, media type is DWDM-46.12

The reason you may need this is to connect this port directly to a 
(R)OADM.  There are (at least) two ways on the DWDM transport side to 
handle this:


a) Use a *sponder (transponder = 1:1, muxponder = n:1, etc).  You can use 
'grey' optics now (i.e. good ole SX/LX etc).  These cards on the DWDM side 
are expensive though.


or

b) Buy DWDM optics, and go directly into the mux/demux on the DWDM.

We are doing option b) in parts of our network because the cost of a) was 
too much, and these links aren't going to do any moving around or going 
away any time soon.


Again, apologies if I've misunderstood you.



[c-nsp] tools.cisco.com - DNS issues ?

2011-05-25 Thread Brandon Applegate
Seeing this from multiple places.  I get SERVFAIL from my bind boxes, but 
I can poke at it manually with dig and I can get the A record for tools 
sometimes.  It seems like after the 20 second TTL expires it's busted 
again.


I will start looking into local issues, but as I see this from 2 separate 
unrelated networks I wanted to see if anyone else can confirm/deny/add 
input.  Thanks in advance.


PS: Before I hit send, I looked in my home resolver's log and see:

May 25 11:57:54 ice named[28394]: error (unexpected RCODE SERVFAIL) resolving 
'tools.cisco.com/A/IN': 72.163.4.28#53
May 25 11:57:55 ice named[28394]: error (unexpected RCODE SERVFAIL) resolving 
'tools.cisco.com/A/IN': 64.102.246.5#53
May 25 11:57:55 ice named[28394]: error (unexpected RCODE SERVFAIL) resolving 
'tools.cisco.com/A/IN': 128.107.227.197#53

Seems like tools.cisco.com is delegated out to 4 GSSes.  These guys 
burping today maybe ?  Seems like one of them is completely unreachable, 
the other 3 threw SERVFAIL as logged above.




Re: [c-nsp] Router Upgrade Path

2011-02-04 Thread Brandon Applegate
So far we are happy with our ASR1004s.  It's a bit misleading when you 
first look at the product - because whereas 7206 == 6 PA slots, 1004 
really has 8 (standard / half-height) SPA slots.  Sounds like it would fit 
what you are doing nicely.  I believe the ASR line is the official 
successor to the 7200 family.




[c-nsp] IOS - ipv6 uppercase in config - why ?

2011-01-05 Thread Brandon Applegate
Is there a reason that ipv6 addresses are stored with uppercase letters in 
config ?


We can type them in either case and it's understood.  Why convert to upper 
when writing config ?


At issue is when I do 'show run | inc 2607:ff70' and get nothing I scratch 
my head for a second.  Then I try 'show run | inc 2607:FF70' and get what 
I expected.  This seems inefficient, error-prone, and likely to drive Randy 
Bush crazy :) *ducks*


Not a huge deal I guess, but I just can't understand why I have to 
remember to explicitly capitalize all [a-f] when the default would have 
been lower-case (fewer fingers).




Re: [c-nsp] IOS - ipv6 uppercase in config - why ?

2011-01-05 Thread Brandon Applegate

On Wed, 5 Jan 2011, Aaron wrote:


So, how would you propose that the system know that you are looking for an IPV6 
config vs something else like a description or named acl/tunnel/etc?



Yeah I thought of that but failed to mention it.  In short, one wouldn't 
put the (impossible ?) burden on the parser to make that determination.


I think the 'right' thing to do is (for Cisco) follow the RFC(s) as the 
other posters helpfully pointed out (great info, exactly what I was 
looking for).


I think the short answer for now is 'deal with it'.  The longer answer is 
stay tuned to cisco-nsp/release notes/etc. to see if/when it is changed in 
the future.


This is the kind of 'minor detail' that I like to be sure I understand, 
and then put into training material I put together for our internal folks. 
Thanks to all who replied.



[c-nsp] Specification of RA that responds to RS (applied RA suppress I/F)

2010-07-02 Thread Brandon Applegate
This was a thread from last month.  I have just tonight decided to fire up 
ipv6 on an interface facing some linux machines in the data center.  I 
don't have transit yet but I at least wanted to trace/ping over my own 
backbone.


Before I go any further, much like the OP last month, I'm running SXI3 on 
6500 (sup720-3bxl).


Anyway, we are an HSRP shop.  All customer interfaces are delivered as 2 
routed ports, customer puts them in same vlan/switch on their side and we 
run HSRP.  In trying to keep this model for ipv6, I noticed some 
strangeness in how this behaves.  Or at least my expectations (good chance 
I'm wrong to begin with).


The message from last month said that:

 ipv6 nd ra suppress
 ipv6 nd prefix default no-advertise

Would stop machines from accidentally lighting up ipv6.  This makes sense 
to me, and I really like that solution for a pure static / 'server' 
segment.  However, it seems HSRP hooks into ND/RA so that it can advertise 
the HSRP address in the RA's.  These commands above seem to tangle this 
up, and unexpected results come from that.  I'll try to summarize:


hsrp itself:
============
ra is hsrp derived address
autoconfig / prefix announcement still in effect

hsrp + ipv6 nd prefix default no-advertise:
===========================================
ra is hsrp derived address
autoconfig / prefix announcement is OFF (Yay !)

hsrp + ipv6 nd prefix default no-advertise + ipv6 nd ra suppress:
=================================================================
ra from each 'real' router - link local (2 default gateways)
autoconfig / prefix announcement is OFF (Yay !)

So it looks like I can't have my cake (HSRP) and eat it too (no RA + no 
autoconfig).  I'm currently using the middle solution.  What got my 
attention to begin with, is after statically defining the default gateway 
on the linux machine, I had two default gateways, one obviously from an 
RA:


default via fe80::5:73ff:fea0:1 dev eth0  metric 1  mtu 1500 advmss 1440 
hoplimit 4294967295
default via fe80::5:73ff:fea0:1 dev eth0  proto kernel  metric 1024  expires 
0sec mtu 1500 advmss 1440 hoplimit 64

So that's 'fine' - but makes my OCD twitch.

PS: why is the lifetime of the HSRP birthed RA 0sec ?  Is this an HSRP 
thing ?


PPS:

sh ipv6 interface fastEthernet 2/43
snip
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 3 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
/snip

Hosts do NOT use stateless autoconfig for addresses, I'm guessing this is 
cosmetic - this command doesn't know about me disabling prefix 
announcements ?


PPPS: 12.4T says it supports a global address for the HSRP ip ?  I only 
have the option of autoconfig or link-local on my 6500.  Is this something 
coming for Catalyst ?




Re: [c-nsp] ipv6 static route with tracking

2010-06-28 Thread Brandon Applegate

On Tue, 15 Jun 2010, Brandon Applegate wrote:


:(

Running 12.2(33) SRE on a 7600 specifically.  I have some ipv4 routes nailed 
to Null with a track statement at the end.  I don't have the option on the 
ipv6 static routes.


Is this something that was overlooked in development, or is there some deep 
IOS code reason why this doesn't exist ?


Answering my own post.  Opened a TAC case on this and was told it's a 
roadmap item - but no ETA.  :(



[c-nsp] ipv6 static route with tracking

2010-06-15 Thread Brandon Applegate

:(

Running 12.2(33) SRE on a 7600 specifically.  I have some ipv4 routes 
nailed to Null with a track statement at the end.  I don't have the option 
on the ipv6 static routes.


Is this something that was overlooked in development, or is there some 
deep IOS code reason why this doesn't exist ?


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



[c-nsp] asr1k IOS-XE bgp route-map / crash

2010-05-23 Thread Brandon Applegate
We have some asr1k's running full ipv4 BGP (couple of carriers EBGP - IBGP 
to our core).  As soon as I added a seq to a route-map that is attached to 
an EBGP neighbor, about 10 seconds later the router crashed hard.  This 
neighbor was up at the time.


After the router came back, I shut the neighbor, edited route-maps and 
brought the neighbor back.  This worked as expected - and crash-free.


We are running asr1000rp1-advipservicesk9.02.04.01.122-33.XND1.bin. 
Before I run off to cisco.com to search bugs / open TAC case, I wanted to 
post this to see if anyone else has seen this happen in the real world.


Needless to say this sucks pretty bad, as it precludes me from making any 
kind of routing policy tweaks on the fly (i.e. business day) with any 
confidence.


Thanks in advance for any info.  If I find something out from Cisco I will 
self-reply for posterity.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



Re: [c-nsp] asr1k IOS-XE bgp route-map / crash

2010-05-23 Thread Brandon Applegate

On Sun, 23 May 2010, Brandon Applegate wrote:

We have some asr1k's running full ipv4 BGP (couple of carriers EBGP - IBGP to 
our core).  As soon as I added a seq to a route-map that is attached to an 
EBGP neighbor, about 10 seconds later the router crashed hard.  This neighbor 
was up at the time.


After the router came back, I shut the neighbor, edited route-maps and 
brought the neighbor back.  This worked as expected - and crash-free.


We are running asr1000rp1-advipservicesk9.02.04.01.122-33.XND1.bin. Before I 
run off to cisco.com to search bugs / open TAC case, I wanted to post this to 
see if anyone else has seen this happen in the real world.


Needless to say this sucks pretty bad, as it precludes me from making any 
kind of routing policy tweaks on the fly (i.e. business day) with any 
confidence.


Thanks in advance for any info.  If I find something out from Cisco I will 
self-reply for posterity.




This is a known bug:

---
CSCsz23108 Bug Details
Applying BGP soft-configuration router crashes after 300k prefixes

Symptom:

When applying soft-configuration inbound to the IPv4 family within BGP, the 
router can crash after receiving 300,000 prefixes. If the 
soft-configuration is not present, the router is stable.

---

The short answer is that we need to turn off soft-reconfig in our network.



[c-nsp] IPv6 static NAT (PAT)

2010-04-28 Thread Brandon Applegate

Hi,

I'm trying to figure out the (NAT/PAT) mechanics of assigning a customer 
ipv6 only.  I know I don't have to worry about this today, but I tend to 
jump to the worst case scenario first and work backwards.


(FYI - I am talking about datacenter / dedicated access only - i.e. no 
residential at all)


In the ipv4 world, if I have a single (static) IP assigned, I can do all 
kinds of PAT (send port 80 to 192.168.1.10, send port 25 to 192.168.1.11, 
etc).  Aside from 'nat is evil' issue, I personally view this as fairly 
efficient and a good conservation of resources (ipv4 addresses that is). 
Of course this has to fit your network needs, and for many folks I would 
say it does.


However, to provide reachability from an ipv4 only client to an ipv6 only 
'server', parts of this design break down.


Assume I have an ipv6 only customer, but they have a web server that they 
need to have reachable from the ipv4-only clients during the great 
transition.  I can take a single ipv4 address from what I have left, 
charge them some fee for using it, and static NATPT this to their 
webserver ipv6 address.  However, now if they also have a mail server that 
they need reachable in the same manner, I have to use another ipv4 address 
and NATPT that through likewise.  I had assumed that I could PAT the ipv4, 
thereby using only one ipv4 address but sending each port to a different 
ipv6 address.  Or even doing ipv6 PAT on an ASA for example.  From what I 
can find, there is no ipv6 'PAT' functionality in either ASA code or IOS.


From the customer's perspective, this is a waste of the $fee for the IP, 
since I only need a few ports to get me through during the transition.  I 
don't need N unique ipv4 addresses.  Not to mention that this is a waste of 
the provider's addresses, which are of course under duress.  It would be 
nice, and a very engineering centric view to say 'if you want reachability 
to my ipv6 server, you need to complain to YOUR ISP to get you ipv6 
access'.  This would also accelerate ipv6 growth.  However, I have a 
feeling that the PHBs wouldn't find this acceptable if a single business 
partner/customer stuck on ipv4 only couldn't reach one of their services.


I guess an ugly hack would be to have a middle layer, using rfc1918 ipv4. 
The outermost layer would do ipv4-ipv4 PAT, sending a single ipv4 address 
+ ports to unique rfc1918.  These rfc1918s would then NATPT to the real 
ipv6.


Is there any way to do this without an extra 'fixer' nat box ?

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



[c-nsp] 6500 line card mounted cable management bars (??)

2010-04-20 Thread Brandon Applegate
We have some of these in the data center.  They fit the screws on the Cat 
6500 line cards, and they slide on.  So they a) can be installed/removed 
without taking line card out and b) do NOT go in front of the dreaded fan 
card.  They are very simple, and flat, and have a row of slits for velcro 
/ tie downs.


The funny thing, and my question, is that we don't know where we got them 
from :)  Anyone know where these come from ?  I tried several google 
searches and looked around on cisco.com.  The bar does have a Foxconn 
stamp.


Thanks in advance for any info.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



[c-nsp] ASA ipv6 + icmp types

2010-01-11 Thread Brandon Applegate
So I'm playing around with ipv6 on the ASA.  I'm running the latest code 
(8.2(1)).  And in trying to get traceroutes and pings 'through' the ASA, 
I've found that icmp-types are translated to 'english' but using the ipv4 
codes.  I.e. code 3 for ipv6 is time-exceeded but shows up in config as 
unreachable (because unreachable == 3 in ipv4).


I'm guessing I should open a TAC case and complain ?  You could call it a 
cosmetic issue, but I see myself making mistakes because the burden is on 
me to translate the icmp types as I enter config :(


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



Re: [c-nsp] Strange SSH lag with ACL applied

2010-01-06 Thread Brandon Applegate
Sounds like your SSH server is trying to reverse resolve your IP (for 
logging).  You can either fix your ACL to allow this DNS traffic, or there 
is a global config (UseDNS no) you can put in sshd_config.  Worth a shot 
to test at least.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.


On Thu, 7 Jan 2010, Andy Saykao wrote:


Hi All,

I have what seems like a trivial problem but can't figure out what's
causing it.

I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IP's
from accessing it.

What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to
VLAN2, it takes a very long time for the SSH login prompt to appear. If
I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
on with my ACL??? Why the lag for the SSH prompt to appear?

interface Vlan2
ip address 203.12.53.aaa 255.255.255.224
ip access-group VLAN2-FILTER-OUT out
no ip redirects
no ip mroute-cache
ip ospf priority 15
load-interval 30
tag-switching ip
!
ip access-list extended VLAN1-FILTER-OUT
permit ip host 203.10.110.x host 203.12.53.x
permit ip host 203.10.110.y host 203.12.53.x
permit ip host 203.10.110.z host 203.12.53.x
permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
deny   ip any host 203.12.53.x
permit ip any any


Interestingly enough when I permit ip any to access Host B as the very
first line in the ACL, the SSH prompt is instantaneous.

permit ip any host 203.12.53.x log

I even tried permitting Host A as the very first line in the ACL like so,
but no joy.

permit ip host 210.15.210.x host 203.12.53.x log

Any ideas???

Thanks.

Andy


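Added example, not from either poster: a small evaluator for Cisco-style extended ACL lines that makes the reverse-DNS explanation above concrete. sshd's PTR query leaves Host B through Vlan2 *inbound* (unfiltered), but the resolver's reply travels *out* of Vlan2 toward Host B and is what `VLAN2-FILTER-OUT` judges; with the resolver absent from the permit list the reply hits `deny ip any host <B>`, sshd waits for the resolver timeout, and only then prints the prompt. The ACL, hosts and resolver address below are constructed (RFC 5737 documentation ranges) and mirror only the shape of the posted ACL; only the `eq` port qualifier is modelled.

```python
"""Evaluator for Cisco-style extended IP ACL lines (constructed example).
Shows why an outbound filter on the SSH server's VLAN delays the SSH
prompt: the DNS reply for sshd's reverse lookup is dropped."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[int, int, Optional[int]]   # (address, wildcard mask, port or None)


@dataclass
class Ace:
    action: str      # 'permit' or 'deny'
    proto: str       # 'ip', 'tcp', 'udp', ...
    src: Endpoint
    dst: Endpoint
    log: bool = False


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W', optionally followed by 'eq N'."""
    tok = tokens[i]
    if tok == "any":
        addr, wc, i = 0, 0xFFFFFFFF, i + 1
    elif tok == "host":
        addr, wc, i = int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    else:
        addr = int(ipaddress.IPv4Address(tok))
        wc, i = int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":     # only 'eq' is modelled (no gt/lt/range)
        port, i = int(tokens[i + 1]), i + 2
    return (addr, wc, port), i


def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny lines of a named extended ACL; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_endpoint(tokens, 2)
        dst, i = _parse_endpoint(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, dst, log="log" in tokens[i:]))
    return aces


def _matches(ep: Endpoint, ip: str, port: int) -> bool:
    addr, wc, ep_port = ep
    care = ~wc & 0xFFFFFFFF                    # wildcard bit 1 = don't care
    if (int(ipaddress.IPv4Address(ip)) & care) != (addr & care):
        return False
    return ep_port is None or ep_port == port


def evaluate(aces: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, Optional[Ace]]:
    """First matching ACE wins; every ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if _matches(ace.src, src_ip, src_port) and _matches(ace.dst, dst_ip, dst_port):
            return ace.action, ace
    return "deny", None


HOST_B = "192.0.2.10"          # constructed: the SSH server behind the filter
HOST_A = "203.0.113.7"         # constructed: the SSH client, inside a permitted /24
RESOLVER = "198.51.100.53"     # constructed: the resolver sshd asks, not in the permit list

# Constructed ACL with the same shape as the posted VLAN2-FILTER-OUT.
ACL_AS_POSTED = """
ip access-list extended VLAN2-FILTER-OUT
 permit ip host 198.51.100.5 host 192.0.2.10
 permit ip 203.0.113.0 0.0.0.255 host 192.0.2.10
 deny   ip any host 192.0.2.10
 permit ip any any
"""

# Same ACL with one extra line that lets the resolver's replies reach host B.
ACL_FIXED = """
ip access-list extended VLAN2-FILTER-OUT
 permit ip host 198.51.100.5 host 192.0.2.10
 permit ip 203.0.113.0 0.0.0.255 host 192.0.2.10
 permit udp host 198.51.100.53 eq 53 host 192.0.2.10
 deny   ip any host 192.0.2.10
 permit ip any any
"""


def ssh_session_allowed(acl_text: str) -> bool:
    """The SSH SYN from A toward B leaves the router out of Vlan2, so the ACL sees it."""
    return evaluate(parse_acl(acl_text), "tcp", HOST_A, 40000, HOST_B, 22)[0] == "permit"


def dns_reply_allowed(acl_text: str) -> bool:
    """The resolver's answer (UDP source port 53) also leaves out of Vlan2 toward B."""
    return evaluate(parse_acl(acl_text), "udp", RESOLVER, 53, HOST_B, 40001)[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(f"{name}: ssh {ssh_session_allowed(acl)}, dns reply {dns_reply_allowed(acl)}")
```

The "permit ip any host B as the first line" observation in the question fits the same model: that line lets the resolver's reply through, so the lookup completes at once. The other fix named in the reply, `UseDNS no` in sshd_config, removes the lookup altogether and needs no ACL change.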


Re: [c-nsp] Linux VPN client suggestion?

2009-11-03 Thread Brandon Applegate

On Tue, 3 Nov 2009, Brandon Ewing wrote:


I believe the Anyconnect client is supported on Linux installs.  Anyconnect
is supported on 8.x software versions, and Anyconnect Essentials
(Client-based tunnels only, no clientless SSL, supported in 8.2) licenses
are available for a low cost.

If your supported user count is low, and you do not currently utilize any
Anyconnect SSL slots, the base license allows a maximum of two active
Anyconnect clients without additional license purchase.

--
Brandon Ewing(nicot...@warningg.com)



I'm still on old PIXes here, but looking to the future (and I'm a linux 
guy) I found Openconnect.


http://www.infradead.org/openconnect.html

From what I've read the Cisco Anyconnect client for Linux suffers problems 
again, not kernel level but SSL / library / 32/64 bit issues.  Openconnect 
reads like it's a lot cleaner than all the workarounds to get Anyconnect 
working.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.





[c-nsp] CEF flags explanation ?

2009-10-08 Thread Brandon Applegate
So I've been fighting a strange issue all day.  I have a prefix that is 
having reachability issues, and after exhausting all the normal 'internet 
is broken' checks, traceroutes etc, I find that a traceroute inside my own 
AS doesn't even work (well).  The one thing I find different about this 
prefix are the 'flags' from show ip cef x.x.x.x detail.  Other 'healthy' 
prefixes don't have this.  Routing table looks fine BTW.


router#sh ip cef 192.168.0.0 detail | inc flags
192.168.0.0/24, epoch 11, flags need ps clean

'flags need ps clean' - that's the head scratcher.  I have a TAC case 
opened on it, but I thought I might get a quicker and better answer from 
the list.  Thanks in advance.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



[c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?

2009-09-16 Thread Brandon Applegate
I'm pretty sure either I'm not understanding something architecture-wise 
or we've enabled something globally that halves this.  The marketing sheet 
says this will do 1M ipv4 routes.  My show commands lead me to believe our 
systems will only do 512k.  Not a problem today (for full internet) but I 
would like to understand.  We are doing ipv4 only, some MPLS, nothing 
earth-shattering.  The command and output that leads me to post this is:


router# sh platform hardware capacity forwarding

snip

 Module  FIB TCAM usage:                     Total    Used   %Used
    1    72 bits (IPv4, MPLS, EoM)          524288  293721     56%
         144 bits (IP mcast, IPv6)          262144       8      1%

/snip

This is half of the rated max for the 3CXL and double that of the 3C.  We 
are running ES+ line cards but we have some CFC-based cards in it as well. 
So my operating mode is still:


router# sh platform hardware pfc mode
PFC operating mode : PFC3CXL

Thanks in advance for any info.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



Re: [c-nsp] RSP720-3CXL - 512k ipv4 route capacity ?

2009-09-16 Thread Brandon Applegate

On Wed, 16 Sep 2009, Sidney Boumendil wrote:



It supports 1M ipv4 routes *only*. Default setup is 512K ipv4 and mpls + 256
ipv6 and mcast.
Use mls cef max in conf mode to reconfigure this.

HTH

Sidney



This is exactly what I was looking for, thanks.


[c-nsp] Strange listening TCP ports on a 7600 ?

2009-09-10 Thread Brandon Applegate

PORT STATE SERVICE VERSION
/tcp open  unknown
4509/tcp open  unknown
4510/tcp open  unknown

Google/CCO etc fail me.  Various IOS show commands fail me.  Any idea what 
these are ?  Thanks.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



Re: [c-nsp] TCP throughput /WAN delay simulation with back to back routers

2009-08-19 Thread Brandon Applegate

On Wed, 19 Aug 2009, Thilak T wrote:


Hello Folks ,

I am trying to test TCP throughput with different variables. I want to
simulate a delay of approx 45msec between two test PCs connected to two
back to back routers. How do we introduce an artificial delay where the
actual delay is only 2-3 msec, using Cisco routers?


Google 'dummynet'.  FreeBSD with Dummynet does this nicely.  If you really 
want it transparent, you can build a dummynet machine with 2 NICs and do 
it in bridged mode.  You can play with bandwidth, delay, introduce packet 
drops etc.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.




Re: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server

2009-08-11 Thread Brandon Applegate

On Tue, 11 Aug 2009, Gregory Boehnlein wrote:


I use cu - looks to be a lot like tip

http://www.computerhope.com/unix/ucu.htm


Per the E-mail, the issue is that I need things like HylaFax and other
commercial software that relies on direct access to the /dev/tty device to
access a modem on a remote Cisco box..

Minicom, CU, all of that is great, but I can't have Hylafax use Minicom to
communicate w/ a remote modem.

I need a driver that appears to be a serial port on the Linux box, that is
connected to a remote modem on the Cisco so that proprietary software can
communicate w/ the modem as if it were locally attached.




What about socat ?

http://www.dest-unreach.org/socat/

Surely your distro has packages in $repo.  You could have this start from 
an rc script.


socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,waitslave EXEC:'ssh modemserver.us.org socat - /dev/ttyS0,nonblock,raw,echo=0'

Yours would be even simpler, as the right hand side would be (probably) 
just a tcp-connect:


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.





[c-nsp] MPLS MTU / Jumbo frames etc.

2009-07-22 Thread Brandon Applegate
I know this has been covered, at least in part on this list before, and I 
have read those posts.  However, I'm still trying to wrap my head around 
what is happening internally (or rather on the wire) in the various 
scenarios.


Scenario #1
===
10 gig interface (ES20 CXL based) - default mtu 1500
MPLS turned on, no 'mpls mtu' command

Default, packets have one label, I get icmp 3,4 frag needed back telling 
me to go to 1496 for 1500 byte (linux ping -M do -s 1472)


Scenario #2
===
10 gig interface (ES20 CXL based) - default mtu 1500
MPLS turned on - 'mpls mtu override 1508' added

Default, packets have one label, packet is '1504', no icmp frag
Interface can do up to 9216 mtu, so 1500+N labels == not a big deal (??)

Scenario #3
===
10 gig interface (ES20 CXL based) - mtu changed to 9216
MPLS turned on - mpls mtu == interface mtu by default (does not show up in 
config)


One label packet, with 9216 size (linux ping -M do -s 9188) goes through, 
with no icmp frag needed.


So I'm confused on what's happening in one scenario vs. another.  It seems 
that in scenario 1, the 'outer' MTU is 'signalling' down and kicking off a 
icmp frag needed.


Scenario 2 goes through because we are telling the router it's allowed to 
send a 'baby-giant' (I hate that term).


Scenario 3 really gets me though.  Why doesn't it complain and tell me icmp 
frag to 9212 or something ?  Isn't the frame 9220 when it's all said and 
done ?  Is the router fragmenting this in software at the 'mpls level' and 
just not telling me ?  Should I set mtu down to 9212 or something to make 
sure that the router NEVER frags frames ?


I guess a fireaxe solution would be for us to simply define 'jumbo frames' 
in our network as 9000 bytes, period.  But I'd like to actually understand 
why this behaviour seems to change as I slide the MTU around.  I want to 
make sure that our $$$ isn't being wasted by killing the CPU with 
fragmentation (if that's what's happening, again scenario 3 is really 
puzzling me).


Apologies ahead of time if all this info is out there somewhere, again 
I've read Ivan's page on this, CCO docs, archives etc.  Thanks in advance.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



Re: [c-nsp] MPLS MTU / Jumbo frames etc.

2009-07-22 Thread Brandon Applegate

On Wed, 22 Jul 2009, Gert Doering wrote:


Hi,

On Wed, Jul 22, 2009 at 02:16:29PM -0400, Brandon Applegate wrote:

Scenario 3 really gets me though.  Why doesn't it complain and tell me icmp
frag to 9212 or something ?  Isn't the frame 9220 when it's all said and
done ?  Is the router fragmenting this in software at the 'mpls level' and
just not telling me ?  Should I set mtu down to 9212 or something to make
sure that the router NEVER frags frames ?


I'd bet that the linux box is not sending full-sized 9220 packets, but
fragmenting inside.


I'm sending full 9216 packets.  Confirmed with tcpdump as I'm sending. 
The 9220 number is what the frame looks like after 1 MPLS label.  Hence my 
confusion as to how scenario 3 is working without icmp unreachables etc 
(ala scenario 1).




Unless the linux box has 10GE to the router, and is allowed to use full
9220 MTU (via ifconfig and/or ip route), it will send 1500 byte fragments.


Yes I have my MTU cranked up in linux and am doing all of this 
intentionally as a test.  Unless tcpdump is lying to me, these are 
unfragmented 9216-byte frames leaving and coming back with no 'complaints' 
in scenario 3.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.





Re: [c-nsp] MPLS MTU / Jumbo frames etc.

2009-07-22 Thread Brandon Applegate

On Wed, 22 Jul 2009, Brandon Applegate wrote:

I know this has been covered, at least in part on this list before, and I 
have read those posts.  However, I'm still trying to wrap my head around what 
is happening internally (or rather on the wire) in the various scenarios.


Scenario #3
===
10 gig interface (ES20 CXL based) - mtu changed to 9216
MPLS turned on - mpls mtu == interface mtu by default (does not show up in 
config)


One label packet, with 9216 size (linux ping -M do -s 9188) goes through, 
with no icmp frag needed.


So I'm confused on what's happening in one scenario vs. another.  It seems 
that in scenario 1, the 'outer' MTU is 'signalling' down and kicking off a 
icmp frag needed.


Scenario 2 goes through because we are telling the router it's allowed to 
send a 'baby-giant' (I hate that term).


Scenario 3 really gets me though.  Why doesn't it complain and tell me icmp 
frag to 9212 or something ?  Isn't the frame 9220 when it's all said and done 
?  Is the router fragmenting this in software at the 'mpls level' and just 
not telling me ?  Should I set mtu down to 9212 or something to make sure 
that the router NEVER frags frames ?


I guess a fireaxe solution would be for us to simply define 'jumbo frames' in 
our network as 9000 bytes, period.  But I'd like to actually understand why 
this behaviour seems to change as I slide the MTU around.  I want to make 
sure that our $$$ isn't being wasted by killing the CPU with fragmentation (if 
that's what's happening, again scenario 3 is really puzzling me).




I think I figured (part of) this out.  Packets to the router != packets 
through the router.  Trying to ping something on the far side with packet 
size of 9188/9216 gets me the expected icmp frag @ 9212.  I still think 
I'm going to proclaim that jumbo == 9000 to make it easier for server / 
storage guys to remember anyway :)


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.



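Added example, not from the thread: a small model that reproduces the three scenarios and the self-reply's conclusion with one rule. It is not Cisco's forwarding code; it only encodes the behaviour observed above: the IP packet plus its pushed label stack must fit the egress MPLS MTU (which defaults to the interface MTU unless `mpls mtu` overrides it), and when it does not and DF is set, the ICMP "fragmentation needed" (type 3, code 4) carries MPLS MTU minus the label stack as the next-hop MTU. That gives 1496 in scenario 1, a passing 1504-byte packet in scenario 2, and 9212 for traffic *through* the router in scenario 3, while a ping *to* the router (no label imposed) passes at 9216, which is the "packets to the router != packets through the router" point. The scenario names and the assumption that `ping -s` excludes the 28 bytes of IP and ICMP headers are the example's own.

```python
"""Model of the MPLS MTU behaviour described in the thread (constructed
example, not Cisco's implementation). One rule: the labeled packet must fit
the egress MPLS MTU; if it does not and DF is set, ICMP 'frag needed'
reports (MPLS MTU - label stack) as the next-hop MTU."""
from dataclasses import dataclass
from typing import Optional, Tuple

LABEL_BYTES = 4    # one MPLS shim header
ETH_HDR = 14       # untagged Ethernet header, for the on-wire frame size only
IP_ICMP_HDRS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header ('ping -s' excludes these)


@dataclass
class Egress:
    ip_mtu: int                     # interface 'mtu'
    mpls_mtu: Optional[int] = None  # 'mpls mtu [override] N'; None = same as ip_mtu (scenario 3)

    @property
    def effective_mpls_mtu(self) -> int:
        return self.ip_mtu if self.mpls_mtu is None else self.mpls_mtu


def ping_packet_len(payload: int) -> int:
    """IP packet length produced by 'ping -M do -s <payload>' (assumption: IPv4, no IP options)."""
    return payload + IP_ICMP_HDRS


def labeled_size(ip_len: int, labels: int) -> int:
    """Size after label imposition: the '9220' the thread computes for 9216 + 1 label."""
    return ip_len + labels * LABEL_BYTES


def frame_on_wire(ip_len: int, labels: int) -> int:
    """Ethernet frame size, excluding FCS, for the labeled packet."""
    return ETH_HDR + labeled_size(ip_len, labels)


def forward(egress: Egress, ip_len: int, labels: int) -> Tuple[str, int]:
    """Decide what happens to a DF-set IP packet of ip_len bytes leaving 'egress'
    with 'labels' labels pushed. labels=0 models traffic that terminates on the
    router itself, where no label is imposed.

    Returns ('forward', labeled size) or ('frag_needed', next-hop MTU reported).
    """
    size = labeled_size(ip_len, labels)
    limit = egress.effective_mpls_mtu
    if size <= limit:
        return ("forward", size)
    return ("frag_needed", limit - labels * LABEL_BYTES)


def scenarios() -> dict:
    """The thread's scenarios, reproduced with the model."""
    return {
        "1: mtu 1500, no mpls mtu, 1 label": forward(Egress(1500), ping_packet_len(1472), 1),
        "2: mtu 1500, mpls mtu 1508, 1 label": forward(Egress(1500, 1508), ping_packet_len(1472), 1),
        "3: mtu 9216, ping TO the router, no label": forward(Egress(9216), ping_packet_len(9188), 0),
        "3: mtu 9216, ping THROUGH the router, 1 label": forward(Egress(9216), ping_packet_len(9188), 1),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Running it prints `frag_needed 1496`, `forward 1504`, `forward 9216` and `frag_needed 9212`, which is exactly the sequence of observations in the thread; with `labels=2` the same rule reports 9208, which is why a fixed "jumbo == 9000" definition leaves comfortable headroom for any label stack on a 9216-byte interface.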


[c-nsp] L3 Etherchannel on ASR / IOS-XE

2009-07-17 Thread Brandon Applegate
Is anyone doing it ?  I don't have many options for config on the ASR 
side.  On the other side (7609-S) I'm using channel mode 'on'.  It's just 
not passing traffic.  Searched CCO, IOS-XE config guide etc.  If there is 
a magic formula to make it work, I'd love to know.  Thanks in advance.




Re: [c-nsp] L3 Etherchannel on ASR / IOS-XE

2009-07-17 Thread Brandon Applegate

On Fri, 17 Jul 2009, Elmar K. Bins wrote:


Re Brandon,

bran...@burn.net (Brandon Applegate) wrote:


Is anyone doing it ?  I don't have many options for config on the ASR
side.  On the other side (7609-S) I'm using channel mode 'on'.  It's just
not passing traffic.  Searched CCO, IOS-XE config guide etc.  If there is
a magic formula to make it work, I'd love to know.  Thanks in advance.


I'm using L2 etherchannel out of the box (if you can call
that L2...), and I discovered that you need the very very
latest IOS to get that going.

asr1000rp1-adventerprisek9.02.04.00.122-33.XND.bin is the image I'm
using in the test setup. Everything else did just not work.

HTH,
Elmar.



Thanks for the push.  Upgrading IOS to latest avail (exact same thing you 
are running) made a world of difference.  Looks like I have the option of 
doing LACP now (didn't before).  I've tried both LACP and plain 
Etherchannel (mode 'on', my personal preference) and both seem to work.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
SH1-0151.  This is the serial number, of our orbital gun.


