Re: [c-nsp] BGP Regex to allow ISP customers

2016-10-17 Thread Brandon Ewing
On Mon, Oct 17, 2016 at 08:14:07PM +, Nick Cutting wrote:
> If 55 and 56 are Customer AS's connected to AS 100 (our ISP)
> need to allow:
> 
> 100 55 i
> 100 56 i
> 
> Or 100 55 55 55 I (to allow for prepending)
> 
> But NOT
> 
> 100 55 something else
> 
> Is this possible?
> Any help greatly appreciated.
> 
> Nick

This should be accomplishable with the following quoted regexp:

"_100_((55|56)(_)?)+$"

It may catch an edge case where it would pass "100 55 56", but would allow
for prepending. I've never screwed with backreferencing on routers, but that
might work as well if you just try to match the backreferenced section zero
or more times instead of the grouping one or more times.

Please note that getting a literal "?" on the Cisco CLI can be accomplished
with the sequence ctrl+v ?

Also note that if you *ARE* ASN 100, you will not see _100_ in your BGP
RIB, as your ASN is only prepended when advertising the route to an external
ASN.  In that case, you can just match for client ASNs:

"_((55|56)(_)?)+$"

-- 
Brandon Ewing (nicot...@warningg.com)
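Checked offline, as an added example that is not part of the original thread: a small Python translator for the Cisco as-path regex anchor `_` (it matches the start or end of the path, a space, a comma, or a brace/parenthesis), run over constructed AS_PATH strings so the permit/deny verdicts of the quoted regexp can be seen, including the "100 55 56" edge case Brandon mentions. The stricter alternation pattern at the end is the editor's suggestion, not from the post.

```python
import re

# Cisco IOS as-path regex: "_" matches the start or end of the string, a
# space, a comma, or a brace/parenthesis (the separators used inside AS_SETs).
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern: str) -> str:
    """Translate a Cisco as-path regex into an equivalent Python regex."""
    return pattern.replace("_", _UNDERSCORE)


def as_path_matches(pattern: str, as_path: str) -> bool:
    """True if the Cisco-style pattern matches the AS_PATH string (as printed
    by 'show ip bgp', without the origin code)."""
    return re.search(cisco_to_python(pattern), as_path) is not None


# The filter from the post: upstream AS 100, then one or more of the customer
# ASNs 55/56, with optional separators so prepending is allowed.
ORIGINAL = "_100_((55|56)(_)?)+$"

# Editor's stricter alternative (not from the post): exactly one customer ASN
# per path, repeated only by prepending, so "100 55 56" no longer passes.
STRICT = "^100(_55)+$|^100(_56)+$"

# Constructed sample paths; the comment gives the verdict under ORIGINAL.
SAMPLE_PATHS = [
    "100 55",         # customer 55 directly behind AS 100: permit
    "100 56",         # customer 56: permit
    "100 55 55 55",   # customer 55 prepending: permit
    "100 55 200",     # customer 55 transiting another ASN: deny
    "100 55 56",      # edge case named in the post: permit
    "100 5556",       # the optional "_" lets 55 and 56 run together: permit
    "200 100 55",     # "_100_" is not anchored to the start: permit
]


def evaluate(pattern: str, paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to whether the pattern accepts it."""
    return {p: as_path_matches(pattern, p) for p in paths}


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("strict", STRICT)):
        print(f"{name}: {pat}")
        for path, ok in evaluate(pat).items():
            print(f"  {'permit' if ok else 'deny  '}  {path}")
```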


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR9001 Vs ASR1006

2016-05-14 Thread Brandon Ewing
On Sun, May 15, 2016 at 12:50:46AM +0300, Saku Ytti wrote:
> I would be hesitant investing on ASR9001 right now, it's 32b
> control-plane. I'd worry if this means it's not getting Linux based
> IOS-XR, and I wonder how focused Cisco will be in supporting 'legacy
> software'.

Wait, what?  Is XR 6.0.1 not supported on the ASR9001?  All the release
notes contradict that.

Or did you mean the non-X 1K routers?

-- 
Brandon Ewing (nicot...@warningg.com)



[c-nsp] ME3600X 15.2S memory leak

2016-02-04 Thread Brandon Ewing
Just had a couple of my ME3600X switches running 15.2(2)S reload over the
last few days due to malloc failure.  Review of the free memory graphs
definitely seems to point to a memory leak of some kind. 

Anyone else running 15.2S on this platform and know a release that DOESN'T
leak memory?  All we are doing is L3VPN.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] ibgp on 6509 with sup2?

2016-01-15 Thread Brandon Ewing
On Thu, Feb 12, 2015 at 11:32:34AM +0200, Mark Tinka wrote:
> Does anyone know whether the 6500/7600 supports BGP-SD? That is one way
> to have the full table in RAM but limit how much of that table is
> downloaded into FIB.
> 
> For any routes that are not in FIB, you can have 0/0 or ::/0 to handle
> that traffic.
> 
> This way, if you have any downstream customers that need a full table
> from your 6500, you can still send it to them even if your FIB is not
> holding the full table.
> 
> Mark.

Confirmed that table-map filter works on 15.1(2)SY6 with a Sup2T, if anyone
else ever stumbles across this thread. Expands the usefulness of the
6840-X-LE switches, or other Sup2T platforms without XL TCAM.

-- 
Brandon Ewing (nicot...@warningg.com)



[c-nsp] IOS-XR vimrc?

2014-12-17 Thread Brandon Ewing
Just started using IOS-XR.  My normal text editor is VIM, and I am using
that to edit existing route-policies on some ASRs we have deployed.

However, the default vimrc has tab settings that make it difficult to edit
RPs that default to 2-space indent on control structures, when VIM doesn't
auto-indent at all on following new-lines, and the default tab settings
insert a tab instead of spaces.

I did a little investigation of the underlying OS -- has anyone tried
editing/creating /pkg/etc/vim/vimrc to have some more sane settings?  Does
it persist with system upgrades/reboots?

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] IOS: catch 22 when enabling new bgp neighbors

2014-06-20 Thread Brandon Ewing
On Fri, Jun 20, 2014 at 08:11:10PM +0300, Dimitris Befas wrote:
> You can use peer-groups. Setup whatever setting you want for the peer-group
> (neighbor peer-group-name shutdown) and enable the neighbor when you want.
> But if you have multiple neighbors then you will affect all of them at once.
> 

You can override inbound policy on a per-neighbor basis, but outbound policy
will be in lockstep for multiple neighbors in the same peer-group.

The above is why we prefer templates instead of groups, but that does
nothing to solve the original problem.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] 6880-X XL vs. ASR

2014-05-05 Thread Brandon Ewing
On Fri, May 02, 2014 at 09:28:47AM +, Vitkovský Adam wrote:
> 
> Since these are going to perform L3 termination point for all the VLANs
> there's no need for VSS and I think the better option is to keep two separate
> brains.
> 
> adam

Given all the interesting failure modes I've personally observed in the
history of the VSS concept, I can also highly recommend keeping the brains
separate and running a NHRP to handle your redundancy.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

2014-04-15 Thread Brandon Ewing
On Wed, Apr 09, 2014 at 12:05:46PM -0400, Cisco Systems Product Security 
Incident Response Team wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Multiple Vulnerabilities in Cisco ASA Software
> 
> Advisory ID: cisco-sa-20140409-asa
> 
> Revision 1.0
> 
> For Public Release 2014 April 9 16:00  UTC (GMT)
> 

Has anyone had any luck finding the fixed 8.3(2.40) images?  The latest
interims I can find are 2.39.  Emailed TAC, but no response yet.

-- 
Brandon Ewing(nicot...@warningg.com)



[c-nsp] ME3600 - xconnect, vlan remap, and STP

2014-03-18 Thread Brandon Ewing
Greetings,

We are thinking about leveraging the ME3600 platform to provide MPLS
connectivity between two switch fabrics, connecting arbitrary VLANs on each
end to each other in a redundant fashion.  We have a 2 switch fabric at
location A, with each switch connected to a different ME3600 via trunk.
At location B, the same config is replicated.

We want to be able to connect arbitrary VLANs to each other on MPLS
xconnects -- IE, vlan 12 on side A is in the same broadcast domain as vlan
23 on side B.

My main concern is redundancy and loop prevention -- we want to build two
xconnects per pairing, one on each ME3600 per location, and are trying to
work out how STP protocols will work and interop in this situation.

If MSTP is used on both sides (different regions), should we just build an
xconnect for vlan 1 to vlan 1, and transport the BPDUs?

What if R-PVSTP is used on one side, and MSTP on the other?  How can we
ensure that the MST0 BPDU is replicated into each PVST instance when we are
doing the mapping?

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] ME-3600 Can't see ip pim vrf neighbor

2013-05-24 Thread Brandon Ewing
On Fri, May 24, 2013 at 05:26:21PM +0100, Nick Hilliard wrote:
> On 24/05/2013 00:21, Waris Sagheer (waris) wrote:
> > Is it not documented properly regarding SDM template?
> 
> Also, the sdm template page:
> 
> http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/release/15.3_1_S/configuration/guide/swsdm.html
> 
> doesn't mention anything about mdt resources.   In fact, the page doesn't
> even mention the sdm application template.
> 
> Some clarification would be really useful here.
> 

For the record, my ME3600X running 15.2(2)S doesn't even have that as an
option.  Not sure if it's version or licensing preventing it from showing.

me01#sdm prefer ?
  default  default template
  ip       ip template

-- 
Brandon Ewing(nicot...@warningg.com)



[c-nsp] Cisco and BGP MED

2013-03-29 Thread Brandon Ewing
Is there a knob in Cisco IOS to enable sending the MED learned from an iBGP
peer to an eBGP peer?  Currently, it appears that if an iBGP route is
learned from a local network/aggregate statement, the MED is sent to an eBGP
peer, but if the iBGP route is learned from an iBGP peer, no MED is set on
the update to the eBGP peer. 

Confirmed this in my 7206VXR lab, appears to be so in production on my
Sup720s, but my Foundry MLX series appear to send the learned MED
regardless.

Lab output (Route sourced by network statement on R21, advertised to R2 in
same AS, who advertises it to R1 in different AS):

R21#show ip bgp 192.168.40.0
BGP routing table entry for 192.168.40.0/24, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  Local
    0.0.0.0 from 0.0.0.0 (2.2.2.21)
      Origin IGP, metric 1, localpref 100, weight 32768, valid, sourced, local, best

R2#show ip bgp 192.168.40.0
BGP routing table entry for 192.168.40.0/24, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2
  Local
    2.2.2.21 (metric 65) from 2.2.2.21 (2.2.2.21)
      Origin IGP, metric 1, localpref 100, valid, internal, best


R1#show ip bgp 192.168.40.0
BGP routing table entry for 192.168.40.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  65002
    1.1.2.2 from 1.1.2.2 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best

-- 
Brandon Ewing(nicot...@warningg.com)



[c-nsp] Default routes, OSPF zones, and BGP

2013-03-13 Thread Brandon Ewing
Greetings,

I'm currently in the process of integrating 3 multi-area OSPF sites with
customer routes in OSPF, moving towards putting all customer routes in BGP
and merging the OSPF area 0s of the sites.  The multi-area setup is NSSA
no-summary for all non-0 areas at each site, as there are several devices
that would probably puke under the full weight of all customer routes
currently.  I'd like some advice from the community regarding default routes
in such an environment.

We're making good strides in getting customer routes into BGP, having
finished all our AS changes, and have all customer routes in BGP at the
first site, ready for the area 0 merge.

While looking at the first site, currently non-area 0 routers receive a
default from area 0 (default-information originate always from core
routers), and this OSPF default route is used by non-area 0 routers to reach
the loopbacks of the aggregation and core platforms.  We'd prefer not to
default-originate in OSPF (tends to install on our core routers with full
tables), but if we remove it, the access routers will lose their route to
the aggregation/core layer (as area 0 loopback interface LSAs aren't going
into non-0 areas).

What's the best approach here?  Should we just leave the OSPF default in
until we get our total OSPF route count low enough to eliminate separate
areas?  Should we redistribute lo0 /32s into OSPF to make them external
routes that will have LSAs in the non-0 areas?

Any feedback, suggestions, or other approaches would be appreciated.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-28 Thread Brandon Ewing
On Tue, Nov 27, 2012 at 03:22:27PM -0500, Chuck Church wrote:
> Just curious, is the VLAN mapping to instances the big issue you guys have
> with MST?  In our deployments we used pretty large ranges to cover growth,
> and mapped purposes such as L2-only VLANs (no SVI), servers, users, VoIP,
> etc into separate instances, worked pretty solidly.   Except when Nexus
> changes the mappings on you because some are reserved that is...
> 
> Chuck
> 

In our last test in the datacenter environment, we had deployed MSTP
according to Cisco recommended practices (pre-map all vLANs).  This wasn't a
large issue to us, as we really only have 2 paths through our datacenter
fabric.

However, on the Dell side, with the PowerConnect 5324s we tested, mapping a
vLAN to an MSTP instance attempted to create the vLAN on the Powerconnect.
This was a non-starter, and we stopped evaluating the platform.  The test we
did crashed the Powerconnect as it attempted to create 4000+ vLANs at once.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] VS-S720-10G (6509 VSS Engine) 10G Port Issue

2012-06-12 Thread Brandon Ewing
On Tue, Jun 12, 2012 at 10:28:27PM +0800, Xu Hu wrote:
> We bought VS-S720-10G engine for VSS in 6509, but now the customer don't
> want use the VSS mode, they just want to use that as normal engine.
> 
> So now we are wondering if we use the 10G port for normal Layer2 or Layer3
> traffic, will it impact our engine performance or CPU utilization? Is there
> any detail document talking about this?
> 
> If ok, then by default, each engine will have two X2 port, so totally we
> will have four 10G port to use as normal data transmission?
> 
> Will appreciate for any reply, please share with me with your experience
> about this case.

We successfully converted a pair of VSS switches into two standalone
switches without issue, but continuing to use the supervisor 10GE ports as a
20GE port channel between the two switches.  We have had no issues with
performance on the ports.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Rapid-PVST and RSTP compatibility

2012-05-23 Thread Brandon Ewing
On Wed, May 23, 2012 at 09:42:48AM -0600, Steven Raymond wrote:
> On May 23, 2012, at 9:15 AM, Covalciuc Piotr wrote:
> 
> > We have a network built on CISCO switches with Rapid-PVST.
> > Now, we want to integrate in the network the DELL PowerConnect
> > switches, which support RSTP only.
> > 
> > Is Rapid-PVST compatible with RSTP?
> 
> From what I understand, the Ciscos will still run Rapid-PVST, not fall back
> to RSTP.  Rapid-PVST will interwork with the Dells' RSTP, however.  On the
> cisco you can say spanning-tree mode [ pvst | rapid-pvst | mst ] without a
> plain RSTP option.
> 
> PVST & R-PVST has limitations in the total number of vlans you can run,
> however, I think it is 128.
> 
> You may want to look at running MSTP, which should be somewhat less Cisco
> proprietary, and the dells will do MSTP as well.  MSTP then overcomes the PVST
> vlan count limits.
> 

The last time I looked at this, mapping vLANS to an MST instance on a
Powerconnect created that vLAN on the switch.  Since we were pre-mapping the
entire 4K vlan range on our Cisco devices, this blew up the first
Powerconnect we tried it on.

Note:  This was 2+ years ago, on a 53xx-class device.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Cisco Crashinfo file

2012-05-03 Thread Brandon Ewing
On Thu, May 03, 2012 at 11:09:06AM -0700, le luu wrote:
> Bha,
> 
> The only way you can get info from the file is to forward it to Cisco tech
> support then they will tell you what was wrong.
> 
> thanks
> 
> Le Luu
> 

Customers with CCO can use the Output Interpreter to partially analyze a
crashinfo file.

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl?locale=en

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Cisco 6509 sup2 NVRAM corrupted..

2012-04-03 Thread Brandon Ewing
On Mon, Apr 02, 2012 at 01:37:38PM +0530, Ambedkar wrote:
> Hi,
> I am having a  Cisco 6509 sup-2 switch which is booting properly. When i
> diagnose it says NVRAM area is corrupted and initializing to default
> values. Every time i need to boot manually.
> 
> Any solution regarding the NVRAM.
> 
> Where can i find the NVRAM on the supervisor board, is there any chance to
> replace with new NVRAM memory.
> 
> Thanks
> Bye
> Ambi.

First thing I'd do is replace the watch battery that's on the board -- a
dead battery can cause this issue as well.

I don't know the type of battery on a Sup2 off the top of my head, but you
should be able to get one from your local electronics store.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?

2012-03-27 Thread Brandon Ewing
On Tue, Mar 27, 2012 at 02:00:17PM -0400, schilling wrote:
> I am trying to have catalyst 6500 w/ sup720 3BXL with 12.2(33)SXI5 to
> support ASBR exchanging VPN-IPv4, but 6500 is not allocating labels
> for prefixes learned from eBGP over address family vpnv4.
> 
> Does anybody ever have this working? Any catch?
> 
> Thanks,
> 
> Schilling

Have you disabled automatic route-target filtering on the 6500?  It will
drop routes learned via eBGP if the specific route-target doesn't exist in an
import filter in a configured VRF.

http://www.cisco.com/en/US/docs/ios/12_3t/mpls/command/reference/mp_a1gt.html#wp1015775

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] VPN L2L connecting to SSL VPN user?

2011-12-06 Thread Brandon Ewing


On Tue, Dec 06, 2011 at 09:24:11AM -0800, Scott Voll wrote:
> I think that was the one I was asking about unfortunately I already
> have it must be my config.  Thanks.
> 
> Scott

If you're running 8.1 or 8.0 code, you'll need a nat 0 statement for your
outside interface that the SSLVPN is terminating on, matching traffic from
SSLVPN net to L2L VPN nets.

8.2 or 8.3/4, identity NAT statements as mentioned, with (outside,outside)
as the interface pair. 

Also, make sure that if you're using split-tunnel specified, that the L2L
VPN routes are being sent to the SSLVPN user.

I'd suggest using packet-tracer to debug, but you can't really simulate
incoming encrypted traffic using it. :/

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] VSS - Horror stories, show-stoppers, other personal experience?

2011-06-20 Thread Brandon Ewing
On Fri, Jun 17, 2011 at 08:15:28AM -0500, Bradley Williamson wrote:
> I just spent the better part of my day splitting a vss.
> 
> I think it works well for the most part. Fail over works well. It Is easy to
> manage. MEC is nice too.
> 
> We tried it in an Multicast environment, and it was too resource limited for
> what we were doing. If you are not doing much multicast (300+ channels) then
> it should work well for you.
> 

Can you share your experience breaking the VSS into separate chassis?  I
have two pairs that we are looking to break due to high CPU usage for the
single running route processor supporting two chassis.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] VPN for Android

2011-06-07 Thread Brandon Ewing
On Tue, May 31, 2011 at 06:47:46AM -0400, Justin M. Streiner wrote:
> On Tue, 31 May 2011, Soon Lee wrote:
> 
> > Is anyone who success to connect vpn for Android on ASA or router?
> > 
> > I tried it with ASA L2TP but i couldn't.
> > Pls let me know. Thanks.
> 
> I've heard of people doing things to get a working IPSEC session, like
> rooting their phones and compiling vpnc themselves.
> 
> jms

There's an app in the market now, if you have a firmware/kernel with tun.ko
pre-installed.  I tested it last night, and was able to connect to ipsec on
3G.

http://code.google.com/p/get-a-robot-vpnc/

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] SXJ - The good, the bad, the ugly?

2011-05-03 Thread Brandon Ewing
On Tue, May 03, 2011 at 08:48:23AM -0400, Jared Mauch wrote:
> There is a memory leak that is not fixed if you run BGP.
> 
> Jared Mauch
> 

Is this the same one that was present earlier in the SXI releases, where a
neighbor in Idle or Active states leaks memory?  I thought they had that
fixed around SXI4 or SXI5.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] ASR 1002-F NetFlow

2011-04-28 Thread Brandon Ewing
On Wed, Apr 27, 2011 at 04:52:08PM +0200, Henry-Nicolas Tourneur wrote:
> Hello,
> 
> We are using NetFlow v9 on 2 edge BGP routers (ASR 1002-F) but that works
> only partially.
> Indeed, approximately 50% of destination and source AS are marked as AS0.
> 

On the 6500 platform, flows exported with a src AS or dst AS 0 represent
your own AS.  Not sure if this is true on the ASR platform.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Safer DDOS drops

2011-04-08 Thread Brandon Ewing
On Fri, Apr 08, 2011 at 01:18:40PM -0700, Peter Kranz wrote:
> 2011-04-08 12:31:49.504 8.832 UDP   58.64.147.47:0 ->   x:0
> 20483.0 M 1
> 2011-04-08 12:31:49.822 8.640 UDP   193.142.209.170:0 ->   :0
> 66560   98.2 M 1
> Attempted to alleviate the customer port congestion by adding the following
> to the port (an etherchannel made up of 2 1G ports on a WS-X6516-GBIC)
> 
> access-list 101 remark DOS Attack blocker
> access-list 101 deny   udp any host 208.71.159.144
> access-list 101 permit ip any any
> 

Those look like UDP fragments (src/dst port 0) -- did you try adding a 
deny ip any host 208.71.159.144 fragments
line?

It's possible the router is trying to reassemble the fragments to compare
them to the ACL -- someone with more experience on the 6500 platform's ACL
quirks could comment.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] 3560 vs 4948 shared buffer memory

2011-03-08 Thread Brandon Ewing
On Mon, Mar 07, 2011 at 11:15:01PM -0500, Chris Evans wrote:
> We don't use 3750 or smaller switches anymore due to this.  4948 is deemed
> data center class so we started using it for that.  Haven't had any issues
> so far.

Do note that 4948 doesn't support IPv6 in hardware, and 4948E does.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] BGP Black hole

2011-03-03 Thread Brandon Ewing
On Thu, Mar 03, 2011 at 10:11:43AM -0500, Jay Nakamura wrote:
> On Thu, Mar 3, 2011 at 2:22 AM, Oliver Boehmer (oboehmer)
> oboeh...@cisco.com wrote:
> > You can also disable the check using neighbor x.x.x.x
> > disable-connected-check..
> 
> Is it safer to do ebgp-multihop 2 since it will at least limit it to
> 2 hops instead of disabling it will not do any check at all?

I would imagine that the disable-connected-check is more useful, as
ebgp-multihop anything implies disabling the connected check completely.
The number just specifies what TTL will be used by the BGP packets.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] CoPP IS-IS traffic on N7k

2011-01-24 Thread Brandon Ewing
On Tue, Jan 25, 2011 at 05:44:30AM +0700, Roland Dobbins wrote:
> 
> On Jan 25, 2011, at 5:37 AM, Lincoln Dale wrote:
> 
> > key is probably to find out what traffic is hitting it.
> 
> NetFlow may be useful to help determine this, as well.
> 

Out of curiosity, what interface does the Sup720 list in Netflow when
control plane traffic is passed to the route processor?  I tried the ones
listed as Control Plane Interface, SPAN RP Interface, and SPAN SP
Interface, but none of my exported flows have any of their iface #s listed
as the outgoing interface.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] 3560E TCAM Question

2011-01-20 Thread Brandon Ewing
On Thu, Jan 20, 2011 at 01:07:41PM -0500, Jose Madrid wrote:
> I have a 3560 and when do I show platform tcam utilization it says that I
> have 1365 directly connected routes.  This is definitely not the case and
> when I do a show ip route connected there are various IP blocks shown, but
> none longer than a /26 and maybe a total of 30 routes.  Anyone know how
> these numbers are computed?
> 
> #sh platform tcam utilization
> 
> CAM Utilization for ASIC# 0                          Max            Used
>                                                  Masks/Values    Masks/values
>  IPv4 unicast directly-connected routes:           2048/2048       1365/1365
>  IPv4 unicast indirectly-connected routes:         1024/1024        190/190
> 

I believe direct-connected routes also includes IP-ARP entries in TCAM.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] 3560 SVI

2010-11-16 Thread Brandon Ewing
On Tue, Nov 16, 2010 at 01:06:43PM -0400, Sharlon R. Carty wrote:
> Hello,
> 
> I have a odd situation. I created a SVI on a 3560 switch, assigned an IP
> address(public) without enabling ip routing and I was able to remotely
> access the switch.
> No default route added or anything like that. So how is it that I am able to
> access the switch?
> The switch is connected to another switch which has a trunk connection to a
> cisco 7206.

If the source IP that you are connecting from is in the same subnet as the
SVI you created, a return route exists via connected interface, and no
default route is needed.

Another case would be an incorrect netmask, with proxy-arp enabled on
another ip-routing device in the broadcast network.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Uneven LACP load-balancing

2010-11-12 Thread Brandon Ewing
On Fri, Nov 12, 2010 at 11:54:03AM -0500, Benjamin Lovell wrote:
> Following up on this. Does the 3560 support etherchannel hash on
> src-dst-mac and src-dst-ip? This should change up the hash between CEF and
> etherchannel and prevent a polarization like effect.

No.  Either src-dst-ip or src-dst-mac.  There is no composite of the two.

The puzzling thing to me is, I have identified flows between two IPs, that
examined with ip cef exact-route and test etherchannel load-balance,
SHOULD use the unutilized link.  However, given that 0 traffic is flowing
over the unutilized link, clearly there is something else internally going
on that is not clear to me that is undocumented.

switch#show ip cef exact-route 172.16.79.186 192.168.42.183
172.16.79.186 -> 192.168.42.183 => IP adj out of Vlan100, addr 10.10.1.245

switch#show vlan id 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
100  uplink1                          active    Po4


switch#test etherchannel load-balance interface po4 ip 172.16.79.186 
192.168.42.183
Would select Gi0/51 of Po4

switch#show controller util | inc (^Port|Gi0/51)
Port   Receive Utilization  Transmit Utilization
Gi0/51 10

And I've confirmed via NetFlow that a non-trivial amount of data is exchanged 
between those two IPs.

-- 
Brandon Ewing(nicot...@warningg.com)



Re: [c-nsp] Uneven LACP load-balancing

2010-11-12 Thread Brandon Ewing
On Fri, Nov 12, 2010 at 11:40:37AM -0600, Brandon Ewing wrote:
> 
> Unfortunately, I don't know if the layer-2 hashing method on src-dst-ip is
> independent of whichever CEF algorithm I choose, or if both load balancing
> levels always use the same algorithm.
> 

As a follow-up, I tried switching between the various different CEF hashing
algorithms with ip cef load-balance algorithm, but none of the changes
altered the polarization I was seeing.  

Since I have no downstream etherchannels, only upstream, I finally resolved
the issue by changing the port-channel balance method to dst-ip only.  Once
I did that, traffic was evenly distributed.  Since I only have port-channels
going on one direction, I don't need to worry about polarization downstream
to the servers.

I would still classify this as a bug, or request additional features to
allow one to alter the layer 3 hash ID and layer 2 hash ID separately to
avoid issues such as this where src-dst-ip hashing is required at layer 2.
My testing appears to indicate that since both the layer 3 hash and layer 2
hash are the same, links that choose one L3 interface will always choose the
same L2 interface inside the individual bundle.  Being able to seed them
independently should resolve this issue.

-- 
Brandon Ewing (nicot...@warningg.com)


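A small model of the polarization this thread describes, added here as an example (it is not from the posts and not Cisco's code): when the CEF equal-cost next-hop choice and the EtherChannel member choice are made with the same src-dst-ip hash, every flow that CEF sends to Po4 also lands on the same member of Po4, and likewise for Po5. Only the topology and the "Source XOR Destination IP address" rule come from the thread; the mixing function, the seeds and the randomly generated sample flows are assumptions of this model.

```python
"""
Model of hash polarization between CEF equal-cost next-hop selection (L3)
and EtherChannel member selection (L2) for the topology in this thread.
Added example: the mixing function, seeds and sample flows are assumptions,
not Cisco's hash implementation.
"""
import random
from collections import Counter

# Topology from the thread: two L2 port-channels, two member links each.
UPLINKS = [("Po4", ("Gi0/49", "Gi0/51")),   # Vlan100 -> core A
           ("Po5", ("Gi0/50", "Gi0/52"))]   # Vlan200 -> core B


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mix(value, seed):
    """Assumed 32-bit mixing function; the top byte is the hash value.
    Different seeds give effectively unrelated bucket choices."""
    v = ((value ^ seed) * 0x9E3779B1) & 0xFFFFFFFF
    v ^= v >> 15
    v = (v * 0x85EBCA6B) & 0xFFFFFFFF
    return (v >> 24) & 0xFF


def flow_hash(src, dst, method, seed=0):
    """src-dst-ip: Source XOR Destination IP address, as the show output
    states; dst-ip: destination only, the method the thread switched to."""
    if method == "src-dst-ip":
        return mix(ip_to_int(src) ^ ip_to_int(dst), seed)
    if method == "dst-ip":
        return mix(ip_to_int(dst), seed)
    raise ValueError("unknown load-balance method: %s" % method)


def distribute(flows, l3_method="src-dst-ip", l2_method="src-dst-ip",
               l3_seed=0, l2_seed=0):
    """Hash each flow twice (CEF next-hop, then EtherChannel member) and
    return the number of flows per member link."""
    counts = Counter({m: 0 for _, members in UPLINKS for m in members})
    for src, dst in flows:
        po_index = flow_hash(src, dst, l3_method, l3_seed) % len(UPLINKS)
        _, members = UPLINKS[po_index]
        member_index = flow_hash(src, dst, l2_method, l2_seed) % len(members)
        counts[members[member_index]] += 1
    return counts


def idle_members(counts):
    """Member links that carry no flows at all."""
    return sorted(m for m, c in counts.items() if c == 0)


def random_flows(n, seed=1):
    """Constructed sample flows with a good mix of src/dst addresses."""
    rng = random.Random(seed)
    return [("172.16.%d.%d" % (rng.randrange(256), rng.randrange(256)),
             "192.168.%d.%d" % (rng.randrange(256), rng.randrange(256)))
            for _ in range(n)]


if __name__ == "__main__":
    flows = random_flows(4000)
    print("same hash at both levels :", dict(distribute(flows)))
    print("dst-ip at L2             :", dict(distribute(flows, l2_method="dst-ip")))
    print("independent seed at L2   :", dict(distribute(flows, l2_seed=0x5EED)))
```

With the same hash at both levels the model leaves Gi0/50 and Gi0/51 idle and puts all Po4 traffic on Gi0/49 and all Po5 traffic on Gi0/52, which is the pattern in the show controller util output of the original post. Switching the member hash to dst-ip (the fix the thread ended with) or seeding the two stages differently (the feature the follow-up asks for) spreads flows over all four links.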

[c-nsp] Uneven LACP load-balancing

2010-11-10 Thread Brandon Ewing
I've got a weird problem that I hope someone can shed some light on.  We
have multiple 3560G's deployed currently, each utilizing 4 SFP's for uplink.
The switches are configured with 2 L2 port-channels, with a different SVI in
each port-channel pointing to our upstream router.  IE:

g0/49 + g0/51 to core A, carries Vlan 100
g0/50 + g0/52 to core B, carries Vlan 200

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
4      Po4(SU)         LACP      Gi0/49(P)   Gi0/51(P)
5      Po5(SU)         LACP      Gi0/50(P)   Gi0/52(P)


We have two default routes, pointing out the above vlans:
switch#show ip cef 0.0.0.0 0.0.0.0
0.0.0.0/0
  nexthop 10.10.1.241 Vlan200
  nexthop 10.10.1.245 Vlan100

The etherchannel load-balancing method is set to src-dst-ip:
switch#show etherc load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address


However, we are not seeing an even distribution of traffic among the 4
ports -- each L2 etherchannel is transmitting on only one port:
switch#show control util
Port   Receive Utilization  Transmit Utilization
Gi0/49            1                    55
Gi0/50            6                     0
Gi0/51            1                     0
Gi0/52           12                    57

Examination of flowstats from the core on the uplink interfaces shows a good
mix of src/dst IPs -- so why am I getting the polarization?

Additionally, examining a test flow with the command line shows that it
SHOULD be working, but it's not:

switch#show ip cef exact-route 172.16.79.186 192.168.42.183
172.16.79.186 - 192.168.42.183 = IP adj out of Vlan100, addr 10.10.1.245

switch#test etherchannel load-balance interface po4 ip 172.16.79.186 192.168.42.183
Would select Gi0/51 of Po4

However, g0/51 has no traffic on it, and hasn't for some time.  Can anyone
provide some clue?  This is occurring on multiple switches, and all switches
are running 12.2(50)SE1 ip services.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] App to manage pushing out changes

2010-08-12 Thread Brandon Ewing
On Thu, Aug 12, 2010 at 01:24:24PM -0600, Saxon Jones wrote:
> CiscoWorks LMS or even RANCID will work for this. On a box with RANCID
> installed it's done like so:
>
> for host in router1 router2 router3; do clogin -c "config t;no ip
> access-list extended asdf;ip access-list extended asdf;permit ip any
> any;end;write mem" ${host}; done
>
> -saxon
>

RANCID packages a perl script called par to run commands in parallel, to
speed the actual process with a large number of routers.  Check the man
page.

Also, depending on the platform, and the number of changes to make, you
might want to write the config changes to a tftp server, and have the
devices copy the changes to running config.  On 3560s, 3750s, etc, every
time you enter/exit an interface, CPU spikes as the ASICs are
scanned/updated, which can slow the process down considerably.  Writing
the changes from net does all of your changes in one fell swoop.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] MST Reserved VLANs on Nexus 5010

2010-06-27 Thread Brandon Ewing
On Sun, Jun 27, 2010 at 12:55:19PM -0400, Ross Vandegrift wrote:
> The good news is that they should be convinced fairly easily - tell
> them to look at IOS, it correctly permits any dot1Q ID to be mapped.
> I had to argue with HP for three years before they removed the
> requirement that the VLAN exist.  They had lost our business by then.
>

Dell is the same way.  In lab tests on their Powerconnect switches, attempting
to map uncreated vLANs to an MST instance creates them.  This was bad when
attempting to map all vlans to MST01, switch went nuts and had to be
power-cycled.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Transfer speed issues on 3560G

2010-06-25 Thread Brandon Ewing
Thanks to all the replies, on and off list.  

There is no QoS configured on the switch currently.  mls qos isn't in the
config.  Adding srr-queue bandwidth commands to the ports did not improve
the situation.

The servers in question are not on the same vLAN, we're routing between
SVIs.  I also tested with UDP, and got the same results as before.  

If anyone has any additional ideas as to what to check, it would be
appreciated.

-- 
Brandon Ewing (nicot...@warningg.com)




[c-nsp] Transfer speed issues on 3560G

2010-06-24 Thread Brandon Ewing
This is a strange issue that I have noticed on a 3560G that we have
deployed.  We have two servers, on different ports, controlled by different
ASICs.  Each port negotiates a 1000mb/s link, but I cannot get more than
11MB/s (88mb/s) of traffic between the two ports.  I conducted the following
tests:

Transferring a 1GB file from one server to the other, written to /dev/null
Single transfer averaged 11.2MB/s

Performed two simultaneous transfers from one server to the other, written
to /dev/null.  One transfer completed at 2MB/s, the other at 9.3MB/s.  This
happens consistently, every test.

Performed two simultaneous transfers --  one between the two servers on the
switch, and one from another server off-switch to one of the servers.  Both
transfers maxed out at 11MB/s

This doesn't appear to be a TCP windowing issue, due to the fact that
doubling the number of TCP sessions did not result in a net increase of
overall speed.  It appears that any flow in between two ports can only reach
100mb/s.

Anyone have any idea where I can look to find the root cause? 

-- 
Brandon Ewing (nicot...@warningg.com)



[c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Brandon Ewing
Greetings,

Just spotted a feature called OSPF for Routed Access in the 6500 SXI4
release notes, which seems to indicate that single-area OSPF support is
coming to IP Base IOS images.  I wasn't able to find any information
regarding this feature in the 3750/3650 release notes for 12.2(53)SE --
does anyone know if the feature is coming in the next release?  It'd be very
desirable to be able to do simple OSPF without upgrading to the IP Services
license.


-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Tracking config changes

2010-05-24 Thread Brandon Ewing
On Mon, May 24, 2010 at 06:08:25PM +0100, David Freedman wrote:
>
> >
> > Give RANCID a look.  Some users have posted scripts to trigger config
> > downloads when a change is detected.
>
> Yes, IOS can be configured to send SNMP traps for example which can
> trigger your config management system (i.e. RANCID) to collect the new
> revision and mail out the diffs.
>
> (see snmp-server enable traps config)
>
> Dave.

This does not work correctly on all platforms.  See my previous post
http://markmail.org/message/4envqn5aepv6nbci and test prior to production.

-- 
Brandon Ewing (nicot...@warningg.com)



[c-nsp] 3550s, SDM, and Feature Manager

2010-04-20 Thread Brandon Ewing
 FF FF
454   94 00 00 00 00 E0 00 00 00 80 06 00 00 40 00 00 02 08 
00260086
6 msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FE 00 00
601   96 00 00 00 00 00 00 00 00 80 06 00 00 00 00 58 00 00 
00260086
9 msk FC FF FF 00 00 00 00 00 00 80 FF 00 01 00 00 00 00 00
69243 90 08 06 00 00 00 00 00 00 80 06 00 01 00 00 00 00 00 
00260086
8 msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FF 00 00
721   96 00 00 00 00 00 00 00 00 80 06 00 00 00 00 09 00 00 
00260086
8 msk F6 00 00 00 00 00 00 00 00 80 FF 00 00 C0 00 FF 00 00
7416  96 00 00 00 00 00 00 00 00 80 06 00 00 00 00 67 00 00 
00260086
10msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 FF FF 00 00
9260  96 00 00 00 00 00 00 00 00 80 06 00 00 80 00 B3 00 00 
00260086
13msk FE FF FF 00 00 00 00 00 00 80 FF 00 00 00 00 00 00 00
101   86  92 08 06 00 00 00 00 00 00 80 06 00 00 00 00 00 00 00 
00260086
12msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 00 00 FF FF
104   1   96 00 00 00 00 00 00 00 00 80 06 00 00 80 00 00 00 B3 
00260086
12msk F7 00 00 00 00 00 00 00 00 80 FF 80 00 C0 00 00 FF FF
106   43  96 00 00 00 00 00 00 00 00 80 06 00 00 40 00 00 02 08 
00260086
IP default entry
202   msk F 0 1 0 0 1 00 FF 0 00 0 0     
1620  146 9 0 1 0 0 1 00 06 0 00 0 0      2082
non-IP default entry
203   msk F 0 1 0 0 1 00 FF 0 00 0 0    
1621  156 9 0 0 0 0 1 00 06 0 00 0 0      0082

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] same mac for different ip addr

2010-04-20 Thread Brandon Ewing
On Tue, Apr 20, 2010 at 08:35:48AM +0200, Arne Larsen / Region Nordjylland wrote:
> Hi all.
>
> Can someone give me an answer on this.
> We have a platform that runs on Redhat EntR5.3 and uses subinterfaces.
> It seems that the platform sends the same MAC for all interfaces.
> What happens in the arp table on the default gateway. Does it keep track of
> all ip address or does it overwrite it.  /Arne

When you say subinterfaces -- do you mean vLAN/dot1q interfaces configured
with vconfig, or secondary addresses configured as aliases?

In either case, it isn't a major issue.  If it's vLANs, most switches
maintain a different layer 2 forwarding database for each vLAN, so the same
MAC in multiple vLANs is handled appropriately.  If it's aliases, it still
isn't an issue, as the layer 3 device will gladly store the same MAC address
in the ARP table for multiple IPs.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Port-channel weirdness VSS

2010-04-13 Thread Brandon Ewing
On Tue, Apr 13, 2010 at 12:09:36PM +0200, Koen wrote:
> I read somewhere on the cisco site that VSS doesn't want to send traffic
> over the VSL link between the physical switches...


This is correct - no matter what show etherc load-balance hash-result or 
show ip cef exact-route says, the VSS will always prefer to egress on a
locally connected link over traversing the VSL.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Question - VLAN tagging Catalyst 6500 to Linux Host

2010-04-05 Thread Brandon Ewing
On Mon, Apr 05, 2010 at 11:07:54AM -0700, Mack McBride wrote:
> Vlans between 1005 and 1024 are used for routed links and other things in the
> 6500 platform.
> Vlan 1005 to 1019 are used on SXH5.
>
> This range can be larger if you are using a large number of routed links as
> each routed port uses a vlan.  You can see this with:
>
> show vlan internal usage
>
> Mack
>

This is actually controlled by vlan internal allocation policy
(ascending|descending).  If set to ascending, it starts at 1005 and starts
counting up -- if descending, starts at 4094 and counts down.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Sup720 CoPP, limits on CPU performance

2010-03-25 Thread Brandon Ewing
On Wed, Mar 24, 2010 at 10:49:19PM -0400, Rodney Dunn wrote:
> Explain the glean to me again?
>
> Sorry..I'm overloaded but trying to catch up on the thread.
>
> We, I need to go back and check, implemented periodic punts at one point
> that would match the glean and all subsequent packets were dropped in
> hw/under interrupt..it wasn't a 1:1 punt.
>
> Rodney


Also, the documentation itself is confusing -- at some points, it states
that CoPP on 3B is able to match protocol ARP in hardware, but this doesn't
appear to actually occur, and ARP traffic falls down to class-default, which
can cause issues if you drop exceeded traffic.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Sup720 CoPP, limits on CPU performance

2010-03-23 Thread Brandon Ewing
On Tue, Mar 23, 2010 at 11:48:56AM -0700, Peter Kranz wrote:
> If somebody comes up with a 'best-practices' COP example for the 6500
> chassis, I'm sure it would be very useful for several people.
>
> -Peter

Can there really *BE* a best practices for the 6500 when you either can't
configure a drop action in your default, or you risk rate-limiting/dropping
ARP gleans?

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Current BGP BCP for anchoring and announcing local prefixes

2010-03-19 Thread Brandon Ewing
On Tue, Mar 16, 2010 at 09:19:03AM -0400, Drew Weaver wrote:
> Not to thread hijack, but how do you guys handle injecting /32s for
> null/blackhole into your upstream providers?
>
> Using a tag on the static route? with a route-map that matches the tag? which
> then adds a community?
>
> thanks,
> -Drew
>

Linux-based route server using iBGP.  Our IPs get our nullroute community
and our upstreams' nullroute communities, external IPs get our nullroute
community and no-export for source-based RTBH.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] what is it with 3550s?

2010-02-23 Thread Brandon Ewing
On Tue, Feb 23, 2010 at 06:35:11AM -0500, Devon True wrote:
>
> The 4948 does support input and output service policies.
>
> --
> Devon

But does not support IPv6 in hardware, IIRC.  Something to keep in mind.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Cisco 6500/Sup720 ARP CoPP

2010-02-09 Thread Brandon Ewing
On Tue, Feb 09, 2010 at 09:37:32PM +0200, Saku Ytti wrote:
> I think you've gathered relevant and correct data, I don't think PFC3
> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
> have to remember that AFAIK this is also for transit ARP which you might be
> bridging as a switch.
>
> --
>   ++ytti

Even so, my ARP traffic would STILL hit the class-default class for the CoPP
profile, and be rate-limited before reaching the Sup, no?

Also, to rebut, I found
http://aharp.ittns.northwestern.edu/papers/copp.html

In it, it says that Rodney Dunn contacted the author to state that
matching protocol ARP in a class map on the Sup720 SHOULD work.

I do see software matches for the ARP class in the policy-map:

  Software Counters:

Class-map: CoPP-CLASS-ARP (match-all)
  1492439 packets, 89546340 bytes
  5 minute offered rate  bps, drop rate  bps
  Match: protocol arp
  police:
  cir 8192000 bps, bc 256000 bytes
conformed 1492439 packets, 89546340 bytes; actions:
  transmit
exceeded 0 packets, 0 bytes; actions:
  transmit
conformed  bps, exceed  bps

However, the output from show mls qos protocol arp still seems to indicate
that ARP traffic is being dropped somewhere, even though software and
hardware counters for the ARP class show 0 drops.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] what is it with 3550s?

2010-02-03 Thread Brandon Ewing
On Wed, Feb 03, 2010 at 03:01:33PM -0500, Eric Van Tol wrote:
> Are you sure about this?  I thought that 12.2(44)SE2 has IPv6 support:
>
> Switch1(config)#ipv6 ?
>   access-list      Configure access lists
>   general-prefix   Configure a general IPv6 prefix
>   hop-limit        Configure hop count limit
>   host             Configure static hostnames
>   icmp             Configure ICMP parameters
>   local            Specify local options
>   neighbor         Neighbor
>   route            Configure static routes
>   router           Enable an IPV6 routing process
>   source-route     Process packets with source routing header options
>   unicast-routing  Enable unicast routing
>

IPv6 on 3550 is software-switched, as the ASICs on the platform aren't big
enough for v6 addressing.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] BGP - Announcing routes to Internet providers.

2010-01-05 Thread Brandon Ewing
On Tue, Jan 05, 2010 at 08:30:27AM +0100, Ivan Pepelnjak wrote:
>
> And, BTW, I wish those of you that propose redistributing connected and
> static routes into BGP a huge budget you'll need to upgrade RAM and TCAM of
> your routers/switches when everyone decides (after reading this mailing list
> :) that following your recommendations unconditionally is a good idea :D
>
> Ivan
>

I believe Scott was advocating using redistribution with route-maps to
community tag internal-only routes as no-export or similar to prevent
sending them to their upstreams.  This is a way to keep customer
prefixes in iBGP instead of your IGP.  Your actual global announcements can
be tagged with communities when generated (either by redistribution, or
network statements with route-maps) to be matched by per-eBGP peer
route-maps to influence (prepend, block, allow, change MED, tag with
provider community) their behavior.

This provides more control over your actual global announcements, and
provides much more information regarding your actual customer prefixes as
Scott stated when announcing to peers or other customers, especially if you
publish a BGP community document for them to reference. (See extremely long
NANOG thread from Oct/Nov regarding upstream community support)

Regarding Drew's initial question -- unless you are seeing significant
enough traffic to your unassigned address space to cause actual congestion
or network issues, there really isn't a performance problem.  If it is, the
suggestion of setting next-hop for your static hold-down routes to an IP
that is routed to Null0 on all your edge routers (192.0.2.1 is what I
commonly see listed in remote-blackholing documents) would cause the traffic
to be dropped at the ingress edge instead of crossing your network from
ingress to where the announcement is sourced.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Linux VPN client suggestion?

2009-11-03 Thread Brandon Ewing
On Tue, Nov 03, 2009 at 10:34:04AM -0800, Scott Granados wrote:
> Hi all,
> I'm running presently Cisco ASA 5520 hardware with the Cisco VPN client to
> provide remote users access to network resources.  I have one user who is
> interested in a client for Linux (specifically CentOS) and not sure what to
> suggest.  Does anyone have any good pointers for a good client that I can
> point him to?
>
> Any pointers would be appreciated.
>
> Thank you
> Scott


I believe the Anyconnect client is supported on Linux installs.  Anyconnect
is supported on 8.x software versions, and Anyconnect Essentials
(Client-based tunnels only, no clientless SSL, supported in 8.2) licenses 
are available for a low cost.

If your supported user count is low, and you do not currently utilize any
Anyconnect SSL slots, the base license allows a maximum of two active
Anyconnect clients without additional license purchase.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] So when is IPv6 failover coming to the ASA?

2009-09-28 Thread Brandon Ewing
On Mon, Sep 28, 2009 at 06:51:43PM +0100, Alan Buxey wrote:
> Hi,
>
> PS on another note, I've found with the ASA that if you specify
> a UDP_TCP rule - eg DNS/53 then it doesn't quite work right.
> separate 53 UDP and 53 TCP, things are fine - I've either misunderstood
> the UDP/TCP logic in the ASA or *its* logic is wrong. and only
> one of us can be right...  ;-)
>

TCP/UDP rules still require two rules to be listed in 7.x and 8.0, one with
protocol TCP, one with protocol UDP, or be utilized with a protocol-group of
tcp-udp.  

If you expand the access-list with show run access-list name, you can see
the individual rules applied.

8.2 introduces dual-service-object-group mode -- meaning you can define a
service group WITHOUT the protocol specification at the end, and define
protocols on a per-service basis:

object-group service TEST
 service-object tcp-udp eq domain
 service-object tcp eq www
 service-object icmp echo
!

Then utilize it in an ACL:
access-list TEST-ACL permit object-group TEST any host 1.2.3.4

-- 
Brandon Ewing (nicot...@warningg.com)


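An added example (not from the post and not Cisco's code) that expands the service object-group above into the per-protocol rules a single ACE referencing it stands for, which is what a reviewer of the expanded access-list sees. The object-group and the ACE are the ones from the post; the wording of the expanded lines is an approximation of ASA output, not a verbatim reproduction of it.

```python
"""
Expand an ASA 8.2-style service object-group (protocol given per entry)
into the per-protocol rules that one ACE referencing it stands for.
Added example; the line format is an approximation of what the expanded
access-list shows, not verbatim ASA output.
"""

# Object-group and ACE as given in the post.
OBJECT_GROUP_CONFIG = """\
object-group service TEST
 service-object tcp-udp eq domain
 service-object tcp eq www
 service-object icmp echo
"""
ACE = "access-list TEST-ACL permit object-group TEST any host 1.2.3.4"


def parse_service_groups(text):
    """Return {group_name: [(protocol, qualifier), ...]} from config text."""
    groups, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["object-group", "service"] and len(parts) == 3:
            current = parts[2]
            groups[current] = []
        elif parts[:1] == ["service-object"] and current is not None:
            protocol, qualifier = parts[1], " ".join(parts[2:])
            groups[current].append((protocol, qualifier))
    return groups


def expand_ace(ace, groups):
    """Expand an ACE of the form
       access-list NAME permit|deny object-group GROUP SRC DST
    into one rule per protocol.  A tcp-udp entry becomes a tcp rule and a
    udp rule, which is why the pre-8.2 form needed two ACEs per service."""
    parts = ace.split()
    if len(parts) < 5 or parts[3] != "object-group":
        return [ace]  # plain ACE, nothing to expand
    prefix, group, src_dst = parts[:3], parts[4], parts[5:]
    if group not in groups:
        raise KeyError("unknown service object-group %s" % group)
    expanded = []
    for protocol, qualifier in groups[group]:
        protocols = ["tcp", "udp"] if protocol == "tcp-udp" else [protocol]
        for p in protocols:
            rule = prefix + [p] + src_dst + qualifier.split()
            expanded.append(" ".join(rule))
    return expanded


def expand(config=OBJECT_GROUP_CONFIG, ace=ACE):
    """Expand the post's ACE against the post's object-group."""
    return expand_ace(ace, parse_service_groups(config))


if __name__ == "__main__":
    for rule in expand():
        print(rule)
```

For the object-group in the post this yields four rules: tcp and udp for domain, tcp for www, and icmp echo, so the one ACE that references the group is exactly what the two-rule TCP/UDP form in 7.x and 8.0 required written by hand.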

Re: [c-nsp] 6500 - stateful failover, reason?

2009-09-22 Thread Brandon Ewing
On Tue, Sep 22, 2009 at 02:37:41PM -0400, Drew Weaver wrote:
> Is there any way to get more information about what caused a fail-over
> between two supervisors in a 6500?
>
> All I can appear to get is Active crashed. from show redundancy switchover
> and my syslog doesn't have any information either.

If it actually crashed, you may want to investigate whether a crashinfo file
was left behind.

>
> Also, is it normal that during switchover you will lose protocols (OSPF) and
> that you will see messages like these in the log?
>

This is normal -- the new processor has to rebuild all routing protocols
when it comes online from RPR or RPR+ mode.  Even with SSO mode, if NSF is
not configured with all peers on all protocols, the sessions are broken down
and rebuilt.

> Sep 22 08:41:17.651 EDT: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
> Sep 22 08:41:17.699 EDT: %C6KPWR-SP-4-PSOK: power supply 2 turned on.
>

This is normal, as part of the standby supervisor finishing initialization

> The log messages sort of confuse me because show version indicates:
>
> uptime is 10 weeks, 4 days, 1 hour, 35 minutes
>
> So it's been up 10 weeks but the power supplies were just turned on  12
> hours ago? I assume that is just random log-spew from the hot-supervisor
> taking over, though?

For more information about uptime for given processors, try
show redundancy -- it should give total chassis uptime, last switchover
time, number of switchovers, and time on active processor.

>
> -Drew
>

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] 6500 - stateful failover, reason?

2009-09-22 Thread Brandon Ewing
On Tue, Sep 22, 2009 at 01:07:47PM -0700, Bill Blackford wrote:
> snip
> This is normal -- the new processor has to rebuild all routing protocols when
> it comes online from RPR or RPR+ mode.  Even with SSO mode, if NSF is not
> configured with all peers on all protocols, the sessions are broken down and
> rebuilt.
> /snip
>
> I recently had an event very much like this. In my case, even SSO/NSF dropped
> some adjacencies during this switchover.
>
> -b
>

Did you confirm that NSF (Graceful restart, etc) has been negotiated with
all adjacencies, and that all adjacent routers are NSF-aware?  

Also, there is an upper bound to the time allotted to
perform the switchover, and the new RP has to signal an NSF event prior to
current hold/dead/etc timers expiring -- if you have your OSPF timer set to
1/3, and it takes more than 3 seconds for the standby RP to see the failure,
take over, and send the NSF message, the adjacency will already have been
dropped.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] mapping CPU IDs to reality

2009-07-27 Thread Brandon Ewing
On Mon, Jul 27, 2009 at 01:14:39PM -0500, Jeff Bacon wrote:
>
> I am *guessing* that index x001 is the switch processor, and x017 is the
> route processor.
> Strangely, the first digit doesn't line up with the slot/module # - CPU
> 1001 is clearly the DFC (continuous 80% CPU, all in lcp scheduler -
> seems weird but that's life), CPU 2001's usage profile best matches the
> primary SP, and 3001 matches the secondary.
>
> My Google-fu is not up to snuff on this.
>
> Is there _any_ logic to CPU identification on this platform?
>

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a94.shtml

ENTITY-MIB::entPhysicalTable will map a processor to an entity ID
CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex maps the entity ID to a
processor index.
CISCO-PROCESS-MIB::cpmCPUTotalTable lists processor utilization by processor
index.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Cisco Catalyst 2960PD-8TT-L

2009-07-27 Thread Brandon Ewing
On Mon, Jul 27, 2009 at 01:57:29PM -0500, Justin Shore wrote:
> Nick Hilliard wrote:
> > On 27/07/2009 17:39, Justin Shore wrote:
> > > The only Cisco-branded switches in the product line that won't have
> > > a CLI are the Express switches.  This of course means that the
> > > LinkSys switches won't have a Cisco CLI (if they have one at all which
> > > I doubt).
> > http://lcli.wikidot.com/
>
> Interesting.  So they don't have a Cisco CLI but they have an otherwise
> limited CLI if you know the tricks to get into it.  I don't think that will
> be helpful in RANCID though.  I don't think I can make it jump through all
> the hoops necessary to get logged in or pass meta control characters.
> Interesting nonetheless though.
>
> Thanks
>  Justin

Given the partial commands they gave, it looks VERY similar to the CLI used
in Dell Powerconnect 5xxx line.  I believe there is a dlogin/drancid that
works to archive configurations of those devices.

If you can't find them, you can also just use clogin with a custom string to
set term length (terminal datadump\r), and match the default login banner
(User Name instead of Username).  Then you can copy the default rancid to
drancid, and change the @commandtable to only do show version, show vlan,
and show running-config.

-- 
Brandon Ewing (nicot...@warningg.com)



Re: [c-nsp] Monitoring BGP with NAGIOS

2009-07-23 Thread Brandon Ewing
On Thu, Jul 23, 2009 at 09:03:41AM -0500, Frank Bulk wrote:
>
> Currently the NAGIOS plugin I'm developing polls the bgpPeerState,
> bgpPeerIn/OutUpdates and bgpPeerIn/OutTotalMessages and alerts me if there's
> a change.  Since a BGP session could be re-established in a short amount of
> time, I would like to trigger an alert if the number of In/Out Updates or
> Messages exceeds the regular value (I'm presuming that when the BGP session
> re-establishes, these counters climb more quickly than during times of
> stability).  But I'm not sure if Updates/Messages are normally sent every 30
> or 60 seconds (I've seen 60 on a wiki page, but sh ip bgp neighbors says
> that the keepalive interval is 30 seconds and Default minimum time
> between advertisement runs is 30 seconds.  I'm guessing this knob can be
> adjusted in IOS, so ideally I would like the NAGIOS plugin to accommodate
> for that, such that if the counters move '5' in 5 minutes that's OK with a
> 60 second period, but if it's a 30 second period, then those counts should
> move 10 times.  But keep-alive/scan interval doesn't seem to be listed in
> the MIB.
>

BGP4-MIB::bgpPeerHoldTime ( .1.3.6.1.2.1.15.3.1.18 )
BGP4-MIB::bgpPeerKeepAlive ( .1.3.6.1.2.1.15.3.1.19 )

Hold time is 3x keepalive by default
Updates are sent as they are processed
There are also OIDs for the locally configured hold and keepalive timers, as
you will use your peer's configured timers if they are lower.


>
> Also, there's a lot more information available at the Cisco CLI when
> executing sh ip bgp summary, specifically:
>
> . Up/Down times

BGP4-MIB::bgpPeerInUpdateElapsedTime ( .1.3.6.1.2.1.15.3.1.24 )
BGP4-MIB::bgpPeerLastError ( .1.3.6.1.2.1.15.3.1.14 )

>
>
> If you think I'm going about this the wrong way, please feel free to tell
> me. =)
>

Have you looked at the following plugins in the Nagios Exchange?
http://exchange.nagios.org/directory/Plugins/Uncategorized/Software/SNMP/check_bgp_neighbors/details
http://exchange.nagios.org/directory/Plugins/Uncategorized/Software/SNMP/check_bgp/details

Cisco's MIB Browser also has a wealth of information regarding BGP SNMP
http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=BGP4-MIB

-- 
Brandon Ewing (nicot...@warningg.com)

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
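Added example (not code from the thread, and not one of the Nagios Exchange plugins linked above): a small Nagios-style check that turns the BGP4-MIB columns named in this reply into a verdict. It parses net-snmp style `snmpwalk` output rather than polling a router, so it runs offline; the walk text below is constructed, and the thresholds (minimum established time, keepalive slack) are this example's own assumptions. It alerts on the three things the original question was after: a peer that is not established (with bgpPeerLastError decoded), a session that was re-established since the last check (bgpPeerFsmEstablishedTime shorter than the check interval), and, when a previous bgpPeerInTotalMessages sample is supplied, a message count that exceeds what the negotiated bgpPeerKeepAlive interval predicts.

```python
"""Nagios-style BGP peer check built on BGP4-MIB bgpPeerTable columns.

Added example, not from the original thread.  It parses net-snmp style
snmpwalk output (SAMPLE_WALK below is constructed) instead of polling a
router; feed it the output of
    snmpwalk -v 2c -c <community> <router> BGP4-MIB::bgpPeerTable
"""
import re
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# bgpPeerState enumeration from BGP4-MIB.
PEER_STATE = {1: "idle", 2: "connect", 3: "active",
              4: "opensent", 5: "openconfirm", 6: "established"}

LINE_RE = re.compile(r"^BGP4-MIB::(\w+)\.(\d+\.\d+\.\d+\.\d+) = ([\w-]+): (.*)$")

# Constructed sample: one healthy peer and one peer stuck in Active after a
# NOTIFICATION with error code 6 (Cease), subcode 4 (administrative reset).
SAMPLE_WALK = """\
BGP4-MIB::bgpPeerState.192.0.2.1 = INTEGER: established(6)
BGP4-MIB::bgpPeerFsmEstablishedTime.192.0.2.1 = Gauge32: 864000 seconds
BGP4-MIB::bgpPeerInTotalMessages.192.0.2.1 = Counter32: 14400
BGP4-MIB::bgpPeerHoldTime.192.0.2.1 = INTEGER: 90 seconds
BGP4-MIB::bgpPeerKeepAlive.192.0.2.1 = INTEGER: 30 seconds
BGP4-MIB::bgpPeerLastError.192.0.2.1 = Hex-STRING: 00 00
BGP4-MIB::bgpPeerState.192.0.2.2 = INTEGER: active(3)
BGP4-MIB::bgpPeerFsmEstablishedTime.192.0.2.2 = Gauge32: 0 seconds
BGP4-MIB::bgpPeerInTotalMessages.192.0.2.2 = Counter32: 0
BGP4-MIB::bgpPeerHoldTime.192.0.2.2 = INTEGER: 0 seconds
BGP4-MIB::bgpPeerKeepAlive.192.0.2.2 = INTEGER: 0 seconds
BGP4-MIB::bgpPeerLastError.192.0.2.2 = Hex-STRING: 06 04
"""


def _value(vtype, raw):
    """Reduce a net-snmp rendered value to an int or bytes."""
    if vtype == "Hex-STRING":
        return bytes.fromhex(raw)
    if vtype == "STRING":
        return raw.strip('"').encode()
    m = re.search(r"-?\d+", raw)  # "established(6)", "90 seconds", "14400"
    if m is None:
        raise ValueError(f"cannot parse {vtype}: {raw!r}")
    return int(m.group())


def parse_walk(text):
    """Return {peer_ip: {column_name: value}} from snmpwalk output."""
    peers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            col, ip, vtype, raw = m.groups()
            peers.setdefault(ip, {})[col] = _value(vtype, raw)
    return peers


def evaluate_peer(ip, cols, min_uptime=300, prev_total=None, elapsed=None, slack=5):
    """Return (status, message) for one peer.

    Any state other than established(6) is CRITICAL.  An established time
    below min_uptime means the session flapped since the last run: WARNING.
    With a previous bgpPeerInTotalMessages sample and the seconds elapsed,
    the delta is compared with the keepalives expected at the negotiated
    bgpPeerKeepAlive interval (plus slack); a large excess is a burst of
    UPDATEs or repeated OPENs and is flagged WARNING.
    """
    state = cols.get("bgpPeerState")
    if state != 6:
        err = (cols.get("bgpPeerLastError") or b"") + b"\x00\x00"
        return CRITICAL, (f"{ip} is {PEER_STATE.get(state, state)}, "
                          f"last error code {err[0]} subcode {err[1]}")
    uptime = cols.get("bgpPeerFsmEstablishedTime", 0)
    if uptime < min_uptime:
        return WARNING, f"{ip} re-established {uptime}s ago"
    if prev_total is not None and elapsed:
        keepalive = cols.get("bgpPeerKeepAlive") or 60
        expected = elapsed // keepalive + slack
        delta = cols["bgpPeerInTotalMessages"] - prev_total
        if delta > expected:
            return WARNING, f"{ip} received {delta} messages, expected about {expected}"
    return OK, f"{ip} established for {uptime}s"


def check(text, previous=None, elapsed=None, min_uptime=300):
    """Aggregate per-peer results the Nagios way: the worst status wins."""
    previous = previous or {}
    worst, msgs = OK, []
    for ip, cols in sorted(parse_walk(text).items()):
        status, msg = evaluate_peer(ip, cols, min_uptime, previous.get(ip), elapsed)
        worst = max(worst, status)
        msgs.append(msg)
    return worst, "; ".join(msgs)


if __name__ == "__main__":
    status, message = check(SAMPLE_WALK)
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][status], "-", message)
    sys.exit(status)
```

The message-rate test needs the previous sample, which a Nagios plugin does not keep between runs on its own; store the last bgpPeerInTotalMessages per peer in a state file and pass it as `previous` with the real elapsed time, or lean on bgpPeerFsmEstablishedTime alone, which catches a re-established session without any stored state.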

Re: [c-nsp] PIX/ASA Change Control

2009-06-26 Thread Brandon Ewing
On Fri, Jun 26, 2009 at 09:01:11AM -0400, Ryan West wrote:
 
 I'm curious to see what others are using for a frontend to RANCID.  Besides 
 the emailing of the diff's that take place, what are others using to browse 
 the repository?
 
 -ryan
 

I set my latest RANCID installation up with SVN instead of a CVS backend.
I needed to apply a patch to correct an issue where RANCID doesn't
gracefully handle SVN telling it to do an update prior to a commit, but
other than that, it's a drop-in replacement.

Hooking WebSVN into the repository RANCID maintains places a nice web
interface on it, allowing one to see when/how/why changes were made to the
configurations.

Maintaining a working directory locally on the server where you can check
out revisions and perform svn diff on is also useful.

-- 
Brandon Ewing(nicot...@warningg.com)

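Added example (my own code, not part of RANCID or of this post): RANCID already mails a unified diff per changed device, and a web front end lets you browse it, but the review still has to find the lines that matter. This takes the "before" and "after" text of a PIX/ASA config (both constructed here, with secrets shown as `<removed>` the way RANCID's filtering renders them), builds the same kind of unified diff with `difflib`, and tags every changed line by category and severity so ACL, AAA and VPN changes surface first. The rule table and severities are this example's own choices.

```python
"""Classify the security-relevant lines of a RANCID-style config diff.

Added example, not code from RANCID or from the thread.  CONFIG_BEFORE and
CONFIG_AFTER are constructed; in practice they would be two revisions of
the same device file from the RANCID repository (svn cat -r N ...).
"""
import difflib
import re

# (pattern over the config line, category, severity 1-3).  Example's own table.
RULES = [
    (re.compile(r"^(access-list|access-group)\b"), "acl", 3),
    (re.compile(r"^(username|enable password|passwd|aaa )"), "aaa", 3),
    (re.compile(r"^(crypto|isakmp|tunnel-group)\b"), "vpn", 2),
    (re.compile(r"^(ssh|telnet|http)\b"), "mgmt-access", 2),
    (re.compile(r"^(logging|snmp-server)\b"), "monitoring", 1),
]

CONFIG_BEFORE = """\
hostname fw1
enable password <removed> encrypted
username admin password <removed> encrypted privilege 15
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
ssh 192.0.2.0 255.255.255.0 inside
logging host inside 192.0.2.50
"""

# Same device after a change: a new privileged user, SSH opened from
# anywhere to the web host, and the syslog collector moved.
CONFIG_AFTER = """\
hostname fw1
enable password <removed> encrypted
username admin password <removed> encrypted privilege 15
username tmp password <removed> encrypted privilege 15
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended permit tcp any host 192.0.2.10 eq 22
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
ssh 192.0.2.0 255.255.255.0 inside
logging host inside 192.0.2.51
"""


def classify(line):
    """Return (category, severity) for one config line; ('other', 0) if no rule matches."""
    for rx, cat, sev in RULES:
        if rx.match(line.strip()):
            return cat, sev
    return "other", 0


def review_diff(before, after, device="device"):
    """Diff two config texts and list each changed line with its category and severity."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                fromfile=f"{device}@prev", tofile=f"{device}@new",
                                lineterm="", n=0)
    findings = []
    for d in diff:
        if d.startswith(("---", "+++", "@@")) or not d or d[0] not in "+-":
            continue
        cat, sev = classify(d[1:])
        findings.append({"change": d[0], "line": d[1:].rstrip(),
                         "category": cat, "severity": sev})
    return findings


def summarize(findings):
    """Worst severity and per-category counts, e.g. for the notification subject."""
    worst = max((f["severity"] for f in findings), default=0)
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return worst, counts


if __name__ == "__main__":
    found = review_diff(CONFIG_BEFORE, CONFIG_AFTER, "fw1")
    for f in sorted(found, key=lambda f: -f["severity"]):
        print(f"[{f['severity']}] {f['category']:<12} {f['change']} {f['line']}")
    print(summarize(found))
```

Running it as a post-commit hook on the RANCID repository (or over the diff RANCID mails) gives the change-control ticket the "what changed and how risky" line for free; the "why" still has to come from whoever made the change.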

Re: [c-nsp] No GRP images for GSR's?

2009-03-24 Thread Brandon Ewing
On Tue, Mar 24, 2009 at 08:59:17AM -0700, Michael K. Smith - Adhost wrote:
 Hello All:
 
 I just want to make sure I haven't lost my mind.  I logged into CCO looking 
 for 12.0S images for the GRP and all I see is PRP images.  Has Cisco stopped 
 supplying images for the GRP-based GSR's?
 
 Regards,
 
 Mike
 
 --
 Michael K. Smith - CISSP, GISP
 Chief Technical Officer - Adhost Internet LLC
 mksm...@adhost.com
 w: +1 (206) 404-9500 f: +1 (206) 404-9050
 PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
 
 

GRP and GRP-B are EOL/EOS at this time.  Last release is 12.0(32)S

Looks like in the new browser, they're filed as 12000 Performance Route
Processor Engine images.  Filename is still gsr-p-mz, which runs on the
GRP.


Note that 12.0(32)S12 contains the 4-byte ASN problems discussed here and on
NANOG, so 12.0(32)S11 is your best bet.

-- 
Brandon Ewing(nicot...@warningg.com)


Re: [c-nsp] ME3400

2009-03-11 Thread Brandon Ewing
On Wed, Mar 11, 2009 at 01:44:21PM +0300, Dmitry Valdov wrote:
 Hi!

 The device says 9K total (5K directly connected and  4K indirect)..
 ===

 #sh sdm prefer
  The current template is default template.
  The selected template optimizes the resources in
  the switch to support this level of features for
  8 routed interfaces and 1024 VLANs.

   number of unicast mac addresses:                  5K
   number of IPv4 IGMP groups + multicast routes:    1K
   number of IPv4 unicast routes:                    9K
     number of directly-connected IPv4 hosts:        5K
     number of indirect IPv4 routes:                 4K
   number of IPv4 policy based routing aces:         0.5K
   number of IPv4/MAC qos aces:                      0.5K
   number of IPv4/MAC security aces:                 1K

If it's like a 3560's SDM, be careful:  A connected subnet is 4
indirect IPv4 routes -- it stores a CEF receive entry for the network
address, broadcast address, assigned IP, and then the CEF attach for the 
actual netblock.

And even though directly-connected IPv4 hosts is listed under the unicast
routes prefix, it isn't counting connected networks.  Each connected subnet is
a glean in the directly-attached section, and each IP -> ARP address is an
adjacency in the directly-attached section, so it's really more a
limitation on the amount of ARP entries the switch can store.

-- 
Brandon Ewing(nicot...@warningg.com)


Re: [c-nsp] vpn client issues with ASA

2009-02-05 Thread Brandon Ewing
On Thu, Feb 05, 2009 at 05:41:39AM -0500, John Aldrich wrote:
 We just upgraded our firewall from a Pix to an ASA, and now, for some 
 reason, even though we have it specified in the VPN Client software, we are 
 having to enter our password every time. Is this a feature of the ASA or is 
 it configurable? We never had to do this before, and it's rather annoying. I 
 don't think it's the client as I never had to do this before, and also, I 
 set up a new connection from scratch and it required the password as well 
 when connecting.
 Any suggestions?

You need to add isakmp ikev1-user-authentication none to the RA
tunnel-group to disable XAUTH.

-- 
Brandon Ewing(nicot...@warningg.com)


Re: [c-nsp] Active Supervisor on 6500 - SNMP?

2008-12-26 Thread Brandon Ewing
On Fri, Dec 26, 2008 at 11:08:20AM -0700, Matlock, Kenneth L wrote:
 
 Is there an SNMP MIB to tell me which supervisor in a cat6500-series
 chassis is currently the active, and what state (hot/cold/etc) the
 standby supervisor is in?
 
  

CISCO-RF-MIB
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/SSO_MIBS.html#wp1035478

snmpwalk -v 2c -c public 6500_vss_test  1.3.6.1.4.1.9.9.176
CISCO-RF-MIB::cRFStatusUnitId.0 = INTEGER: 21
CISCO-RF-MIB::cRFStatusUnitState.0 = INTEGER: active(14)
CISCO-RF-MIB::cRFStatusPeerUnitId.0 = INTEGER: 37
CISCO-RF-MIB::cRFStatusPeerUnitState.0 = INTEGER: standbyHot(9)
CISCO-RF-MIB::cRFStatusPrimaryMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusDuplexMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusManualSwactInhibit.0 = INTEGER: false(2)
CISCO-RF-MIB::cRFStatusLastSwactReasonCode.0 = INTEGER: userInitiated(4)

CISCO-RF-MIB::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8)
CISCO-RF-MIB::cRFCfgRedundancyModeDescr.0 = STRING: SSO (Stateful Switchover)

-- 
Brandon Ewing(nicot...@warningg.com)

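Added example (my own code, not from the post): the walk above answers the question by eye, but the same objects can drive an alert. This takes net-snmp style CISCO-RF-MIB output like the one in the reply (the three samples below are constructed; the first mirrors the healthy SSO pair shown above) and reports which unit is active, whether a hot standby is actually present, and whether the last switchover was planned or caused by an active supervisor failure. Enum names are CISCO-RF-MIB's; the severities are this example's own.

```python
"""Turn a CISCO-RF-MIB walk into a supervisor redundancy health verdict.

Added example, not from the thread.  Input is net-snmp style output of
    snmpwalk -v 2c -c <community> <switch> 1.3.6.1.4.1.9.9.176
The samples below are constructed; no device is polled.
"""
import re

OK, WARNING, CRITICAL = 0, 1, 2

# cRFStatusLastSwactReasonCode values that do not point at a failure.
PLANNED_SWACT = {"unsupported", "none", "notKnown", "userInitiated", "userForced"}

# Healthy SSO pair, as in the post: unit 21 active, unit 37 standbyHot.
HEALTHY = """\
CISCO-RF-MIB::cRFStatusUnitId.0 = INTEGER: 21
CISCO-RF-MIB::cRFStatusUnitState.0 = INTEGER: active(14)
CISCO-RF-MIB::cRFStatusPeerUnitId.0 = INTEGER: 37
CISCO-RF-MIB::cRFStatusPeerUnitState.0 = INTEGER: standbyHot(9)
CISCO-RF-MIB::cRFStatusPrimaryMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusDuplexMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusManualSwactInhibit.0 = INTEGER: false(2)
CISCO-RF-MIB::cRFStatusLastSwactReasonCode.0 = INTEGER: userInitiated(4)
CISCO-RF-MIB::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8)
CISCO-RF-MIB::cRFCfgRedundancyModeDescr.0 = STRING: SSO (Stateful Switchover)
"""

# After the old active failed: 37 took over, 21 is back but still bulk-syncing.
DEGRADED = """\
CISCO-RF-MIB::cRFStatusUnitId.0 = INTEGER: 37
CISCO-RF-MIB::cRFStatusUnitState.0 = INTEGER: active(14)
CISCO-RF-MIB::cRFStatusPeerUnitId.0 = INTEGER: 21
CISCO-RF-MIB::cRFStatusPeerUnitState.0 = INTEGER: standbyColdBulk(8)
CISCO-RF-MIB::cRFStatusDuplexMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusManualSwactInhibit.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusLastSwactReasonCode.0 = INTEGER: activeUnitFailed(6)
CISCO-RF-MIB::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8)
"""

# Standby supervisor removed: single unit, no peer.
LONE = """\
CISCO-RF-MIB::cRFStatusUnitId.0 = INTEGER: 21
CISCO-RF-MIB::cRFStatusUnitState.0 = INTEGER: active(14)
CISCO-RF-MIB::cRFStatusPeerUnitId.0 = INTEGER: 0
CISCO-RF-MIB::cRFStatusPeerUnitState.0 = INTEGER: disabled(2)
CISCO-RF-MIB::cRFStatusDuplexMode.0 = INTEGER: false(2)
CISCO-RF-MIB::cRFStatusLastSwactReasonCode.0 = INTEGER: none(2)
CISCO-RF-MIB::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8)
"""


def parse_rf_walk(text):
    """Map object name -> enum label (or raw value) from 'CISCO-RF-MIB::x.0 = TYPE: value' lines."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"CISCO-RF-MIB::(\w+)\.0 = [\w-]+: (.*)$", line.strip())
        if m:
            name, val = m.groups()
            enum = re.match(r"(\w+)\(\d+\)$", val)  # "active(14)" -> "active"
            out[name] = enum.group(1) if enum else val
    return out


def redundancy_health(text):
    """Return (status, summary, problems) for one chassis."""
    rf = parse_rf_walk(text)
    problems = []
    unit = rf.get("cRFStatusUnitState", "")
    peer = rf.get("cRFStatusPeerUnitState", "")
    # SNMP is answered by the active supervisor, so anything else is wrong.
    if not unit.startswith("active"):
        problems.append((CRITICAL, f"queried unit is {unit or 'unknown'}, not active"))
    if rf.get("cRFStatusDuplexMode") != "true":
        problems.append((CRITICAL, "no standby supervisor present (duplex mode false)"))
    elif peer != "standbyHot":
        # standbyCold* states mean the peer is still syncing: SSO is not ready yet.
        problems.append((WARNING, f"standby is {peer or 'unknown'}, not standbyHot"))
    if rf.get("cRFCfgRedundancyMode") != "hotStandbyRedundant":
        problems.append((WARNING, f"redundancy mode is {rf.get('cRFCfgRedundancyMode')}, not SSO"))
    if rf.get("cRFStatusLastSwactReasonCode") not in PLANNED_SWACT:
        problems.append((WARNING, f"last switchover reason: {rf.get('cRFStatusLastSwactReasonCode')}"))
    status = max((sev for sev, _ in problems), default=OK)
    summary = f"active unit {rf.get('cRFStatusUnitId')}, peer {rf.get('cRFStatusPeerUnitId')} {peer}"
    return status, summary, [msg for _, msg in problems]


if __name__ == "__main__":
    for name, walk in (("healthy", HEALTHY), ("degraded", DEGRADED), ("lone", LONE)):
        status, summary, problems = redundancy_health(walk)
        print(name, ["OK", "WARNING", "CRITICAL"][status], summary, problems)
```

The cRFStatusLastSwactReasonCode check is the one worth keeping even if nothing else is monitored: a switchover the operations team did not initiate is either a hardware fault or someone with enable access you did not expect, and neither shows up in a plain up/down poll.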

Re: [c-nsp] 32 bit ASN

2008-12-24 Thread Brandon Ewing
On Thu, Dec 18, 2008 at 11:55:01AM +0100, Marcus.Gerdon wrote:
 Hi @All,
 
 what information I got regarding AS32 is somewhat worrysome:
 
 12.0(32)S12   Q4/2008
   for 72  GSR
 

12.0(32)S12 is out as of yesterday with support for 4-byte AS on GRP and PRP
http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658

I loaded it on a test router yesterday -- I immediately ran into the 
issue discussed last week on NANOG:

http://markmail.org/message/3ofvjyggayfxezna

-- 
Brandon Ewing(nicot...@warningg.com)


[c-nsp] 3750 software stability

2008-02-04 Thread Brandon Ewing
Can anyone here provide thoughts / suggestions regarding the version of IOS
for the 3750 platform that has the least problems, and offers the most
stability?  Featureset is not an issue, as layer 3 functions are not 
required, just QoS/LACP.

-- 
Brandon Ewing([EMAIL PROTECTED])
