Re: [c-nsp] [External] Cisco 6509-E SSH and Telnet not allowing connections

2021-02-28 Thread Chuck Church
Is it out of memory?  That could keep it from being able to create vty
sessions.  You should see log entries.

Chuck

On Sat, Feb 27, 2021, 5:49 PM Lee Starnes  wrote:

> Hello Hunter,
>
> It does respond to ping and all other functions are working including
> responding to SNMP RO and RW.
>
> -Lee
>
> On Sat, Feb 27, 2021 at 12:31 PM Hunter Fuller  wrote:
>
> > I have no idea, but just curious, does the box respond to other
> > control plane traffic from outside, like pings?
> >
> > --
> > Hunter Fuller (they)
> > Router Jockey
> > VBH Annex B-5
> > +1 256 824 5331
> >
> > Office of Information Technology
> > The University of Alabama in Huntsville
> > Network Engineering
> >
> > On Sat, Feb 27, 2021 at 1:05 PM Lee Starnes 
> > wrote:
> > >
> > > Hello all,
> > >
> > > Ran into an issue that I can't seem to resolve and really don't want to
> > > reboot the chassis. Have 1 of our 6509-e units that has decided it is not
> > > going to allow connections to it via ssh or telnet. I can get access via
> > > console. When trying to connect, you do not get connection refused. You
> > > just hang for several seconds before getting a connection timed out
> > > message.
> > >
> > > On the switch, I show no connection attempts.
> > >
> > > A check to see if the ssh server is running and have any connections shows
> > > normal.
> > > #sh ip ssh
> > > SSH Enabled - version 1.99
> > > Authentication timeout: 120 secs; Authentication retries: 3
> > > #sh ssh
> > > %No SSHv1 server connections running.
> > > %No SSHv2 server connections running.
> > >
> > > Doing debugs, I see nothing show up for connection attempts. Also if I
> > > attempt to connect to itself from itself it also just hangs before getting
> > > a connection timed out message. I would expect the normal response of
> > > connection refused when trying to connect to itself.
> > >
> > > There is an ACL in place on the VTY lines and even removing that, still
> > > gets the same results. I have removed the input transport on the vty lines
> > > and then re-added them.
> > >
> > > Is there anything else I can try before having to reboot/switch to the
> > > standby SUP?
> > >
> > > This was all working normally until sometime around 4am, and nothing was
> > > logged before or after the issue started other than my login via console
> > > and various changes/commands issued in an attempt to debug/resolve this
> > > issue.
> > >
> > > Any help would be greatly appreciated.
> > >
> > > -Lee
> > > ___
> > > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Verizon LTE config in South East USA

2020-10-21 Thread Chuck Church
Hey all,

 

Does anyone have a good working config for a Cisco LTE EHWIC
in a 1900 to work with Verizon?  These LTE WICs are new to me.  Verizon gave
us an APN to use, but many of the other parameters seem to be a guess.
Things like SIM authentication, etc.  From what I can tell I might be
attached to the cell network, but I'm not sure.  We're doing a negotiated IP
address for the interface, but not getting an IP.  What I've found via
config guides and Google hasn't been totally helpful.  Any help appreciated!

 

Thanks,

 

Chuck Church



[c-nsp] Anyconnect VPN on IOS that supports TLS 1.2

2020-08-07 Thread Chuck Church
Hey all,

 

I've got a small company I support occasionally that deploys
Anyconnect VPN service on small ISR G2 models for customers.  It seems that
recently Chrome and it seems like Edge and IE are not allowing connections
to TLS 1.0 or anything SSL.  It appears that based on googling this is a
known issue, that was resolved on ASA with a recent 9.x release.  Anyone
know a work-around for IOS 15.x?  Once the users of the VPN login once to
the portal page then can install the anyconnect client and never use the
browser again.  But that first time is an issue.  The configs are good,
works fine on older Firefox versions.

 

Thanks,

 

Chuck



Re: [c-nsp] 6800 ISSU issue

2019-04-30 Thread Chuck Church
So, just to follow up, we had a TAC case open for this.  The ISSU method
(eFSU) we were using is only supported when staying within the train you're
on.   See
https://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/SX_SY_EFSU_Compatibility_Matrix.xlsx
.  You'd think IOS would warn you were trying to use a method that wasn't
compatible, but it seems to just result in what we saw.  It's still a
mystery on what method we've got to use to minimize downtime on our
upgrade.  I assume there is a good documented method for quad sups, and
changing major version numbers.

Chuck


On Mon, Apr 22, 2019 at 11:21 AM Garrett Skjelstad 
wrote:

> We had similar issues. The best way we found to correct it was to do
> individual module resets just prior to running ISSU.
>
> After "hw-module reset"-ing all the supers, one at a time, we were able to
> ISSU without issue.
>
> On Mon, Apr 22, 2019, 05:50 Chuck Church  wrote:
>
>> All,
>>
>>Ran into an issue with using FSU on a quad-sup 6800 VSS pair with
>> Sup6T.  We're going from 15.3(1)SY2 to 15.5(1)SY2.  It appears after the
>> standby sup upgrade starts (after the issu loadversion command is done), a
>> 3 minute timer is expiring and causing an automatic abort.  From the logs:
>>
>> Apr 21 2019 05:52:34.856: %ISSU_PROCESS-SW1-6-LOADVERSION_INFO:
>> Standby-ICS
>> has gone offline, wait for reboot
>>
>> Apr 21 2019 05:55:34.866: %ISSU_PROCESS-SW1-3-ABORT: Starting abort
>> sequence, reason: LOADVERSION: Standby-ICS has not come back online
>>
>> Now we could see via the console cable that the standby would eventually
>> boot up.  Due to the version changes there was an FPGA upgrade done and I
>> believe a second boot of it.  Thus more than the 3 minute timer I'm
>> hitting.  Anyone seen this before and/or know what to do?
>>
>> Thanks,
>>
>> Chuck


[c-nsp] 6800 ISSU issue

2019-04-22 Thread Chuck Church
All,

   Ran into an issue with using FSU on a quad-sup 6800 VSS pair with
Sup6T.  We're going from 15.3(1)SY2 to 15.5(1)SY2.  It appears after the
standby sup upgrade starts (after the issu loadversion command is done), a
3 minute timer is expiring and causing an automatic abort.  From the logs:

Apr 21 2019 05:52:34.856: %ISSU_PROCESS-SW1-6-LOADVERSION_INFO: Standby-ICS
has gone offline, wait for reboot

Apr 21 2019 05:55:34.866: %ISSU_PROCESS-SW1-3-ABORT: Starting abort
sequence, reason: LOADVERSION: Standby-ICS has not come back online

Now we could see via the console cable that the standby would eventually
boot up.  Due to the version changes there was an FPGA upgrade done and I
believe a second boot of it.  Thus more than the 3 minute timer I'm
hitting.  Anyone seen this before and/or know what to do?

Thanks,

Chuck


[c-nsp] Ipv4Martian in ASR output

2019-04-01 Thread Chuck Church
Hey all,

 I'm looking at the output of 'show platform hardware qfp active
statistics drop' and see a pretty large number of drops due to
'Ipv4Martian'.  Googling didn't tell me anything more than it's a counter
under that command.  Which I knew already.  I seem to remember Juniper
associating martians with bogon lists but didn't think Cisco did that.
Anyone know what this counter indicates?

Thanks,

Chuck


Re: [c-nsp] 3750G Switch

2018-12-08 Thread Chuck Church
Yes, the 3750e images are for 3750E and 3750X models only to my knowledge.

chuck

-Original Message-
From: cisco-nsp  On Behalf Of Simon
Lockhart
Sent: Saturday, December 08, 2018 11:25 AM
To: Harry Hambi - Atos 
Cc: 'cisco-nsp@puck.nether.net' 
Subject: Re: [c-nsp] 3750G Switch

On Fri Dec 07, 2018 at 03:40:45PM +, Harry Hambi - Atos wrote:
> Trying to upgrade a 3750G from IOS  
> c3750e-universalk9-mz.150-2.SE10.bin  to a latest version  
> c3750e-universalk9-mz.152-4.E7.bin, and I am getting the following error:
> Error loading "flash: c3750e-universalk9-mz.152-4.E7.bin

Is it definitely a 3750G? If so you're using the wrong image. 3750G images
start c3750-, and come in ipbase/ipservices variants.

Simon


Re: [c-nsp] 3750 and CVE-2018-0167

2018-06-04 Thread Chuck Church
Cisco might be willing to do that, but I think they'd much rather you buy a
new switch.  I have seen them offer updates beyond end of security patch
dates, but it's usually for larger chassis such as 6500s.  

Chuck

-Original Message-
From: Sebastian Beutel  
Sent: Monday, June 04, 2018 1:15 PM
To: Chuck Church 
Cc: Brian Turnbow ; NSP - Cisco

Subject: Re: [c-nsp] 3750 and CVE-2018-0167

Hi Chuck,

On Mon, Jun 04, 2018 at 11:41:52AM -0400, Chuck Church wrote:
>
> I thought with LLDP you can turn off receive and transmit of LLDP 
> messages separately.  If you disable the receipt of them and only 
> transmit, does that address the issue?
>
The security advisory mentioned no workaround. Maybe this could help and we
will definitively give it a try. Maybe we even find an exploit to test it.
Thanks for the suggestion.

>
> These switches are end of all support dates. They most surely won't 
> address this bug.
>
I know. End of shipping was 2013 and end of security was 2016. But as this
platform is still widely used, my naive hope was, that Cisco could utilise
this issue to demonstrate the world that they offer the benefits of a
premium class vendor that doesn't sell their customers down the river, even
if their product is long out of sale.

Best,
   Sebastian.
 
> 
> On Mon, Jun 4, 2018 at 5:54 AM, Sebastian Beutel < 
> sebastian.beu...@rus.uni-stuttgart.de> wrote:
> 
> > Hi Brian,
> >
> > On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
> > >
> > > We don't use lldp, but you can turn it off on an interface by
> > > interface basis.
> > >
> > We need lldp because our ip phones learn their voice vlan via lldp. 
> > We can't define dedicated phone ports because people are used to 
> > plug in their phone wherever they choose to.
> >
> > >
> > > Why run it on ports with devices outside of your control?
> > >
> > We didn't choose so. Universities had byod long before it had a name...
> >
> > Best,
> > Sebastian.
> >
> > >
> > > > -Original Message-
> > > > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> > > > Sebastian Beutel
> > > > Sent: mercoledì 30 maggio 2018 17:52
> > > > To: cisco-nsp@puck.nether.net
> > > > Subject: [c-nsp] 3750 and CVE-2018-0167
> > > >
> > > > Dear list,
> > > >
> > > > we're still having some Cat 3750 in operation and it will still take
> > > > some time till we can retire the last ones. We've asked Cisco whether they
> > > > are planning to publish a new software image for this platform that fixes
> > > > CVE-2018-0167 despite the fact that the product is way beyond end of
> > > > security and vulnerability support.
> > > > Our Cisco representative stated that they are not planning to do so
> > > > despite the severity of the bug. He also said we're the only customer
> > > > having this issue.
> > > > So my question is: If you're still running 3750s, how do you deal with
> > > > this?
> > > >
> > > > Best,
> > > >Sebastian.
> > > >
> > > > P.S.: Cisco's advisory:
> > > >
> > > > https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp


Re: [c-nsp] 3750 and CVE-2018-0167

2018-06-04 Thread Chuck Church
I thought with LLDP you can turn off receive and transmit of LLDP messages
separately.  If you disable the receipt of them and only transmit, does
that address the issue?  These switches are end of all support dates.  They
most surely won't address this bug.

Chuck

On Mon, Jun 4, 2018 at 5:54 AM, Sebastian Beutel <
sebastian.beu...@rus.uni-stuttgart.de> wrote:

> Hi Brian,
>
> On Thu, May 31, 2018 at 07:03:23PM +0200, Brian Turnbow wrote:
> >
> > We don't use lldp, but you can turn it off on an interface by interface
> > basis.
> >
> We need lldp because our ip phones learn their voice vlan via lldp. We
> can't define dedicated phone ports because people are used to plug in their
> phone wherever they choose to.
>
> >
> > Why run it on ports with devices outside of your control?
> >
> We didn't choose so. Universities had byod long before it had a name...
>
> Best,
> Sebastian.
>
> >
> > > -Original Message-
> > > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> > > Sebastian Beutel
> > > Sent: mercoledì 30 maggio 2018 17:52
> > > To: cisco-nsp@puck.nether.net
> > > Subject: [c-nsp] 3750 and CVE-2018-0167
> > >
> > > Dear list,
> > >
> > > we're still having some Cat 3750 in operation and it will still take
> > > some time till we can retire the last ones. We've asked Cisco whether they
> > > are planning to publish a new software image for this platform that fixes
> > > CVE-2018-0167 despite the fact that the product is way beyond end of
> > > security and vulnerability support.
> > > Our Cisco representative stated that they are not planning to do so
> > > despite the severity of the bug. He also said we're the only customer
> > > having this issue.
> > > So my question is: If you're still running 3750s, how do you deal with
> > > this?
> > >
> > > Best,
> > >Sebastian.
> > >
> > > P.S.: Cisco's advisory:
> > >
> > > https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

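An added example, not part of the thread: before trialling the transmit-only idea raised in the message above, a saved running-config can be audited for ports that still process received LLDP frames. It assumes the IOS commands `lldp run`, `no lldp receive` and `no lldp transmit`, and that both directions default to on once LLDP is enabled globally; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the thread).
SAMPLE_CONFIG = """\
hostname access-sw1
!
lldp run
!
interface GigabitEthernet1/0/1
 description user port, phone + PC
 switchport mode access
 switchport voice vlan 20
!
interface GigabitEthernet1/0/2
 description user port, LLDP transmit only
 switchport mode access
 switchport voice vlan 20
 no lldp receive
!
interface GigabitEthernet1/0/3
 description printer, LLDP fully off
 switchport mode access
 no lldp transmit
 no lldp receive
!
interface GigabitEthernet1/0/24
 description unused
 shutdown
!
"""


def parse_config(text):
    """Split a running-config into (global_lines, {interface: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            current = None  # '!' or a blank line closes the current block
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if current is not None:
                interfaces[current] = []
            else:
                global_lines.append(line.strip())
    return global_lines, interfaces


def lldp_audit(text):
    """Return one record per interface with its effective LLDP state.

    Assumption: with 'lldp run' set globally, an interface transmits and
    receives LLDP unless 'no lldp transmit' / 'no lldp receive' is present.
    """
    global_lines, interfaces = parse_config(text)
    enabled = "lldp run" in global_lines
    report = []
    for name, cmds in interfaces.items():
        report.append({
            "interface": name,
            "admin_up": "shutdown" not in cmds,
            "receive": enabled and "no lldp receive" not in cmds,
            "transmit": enabled and "no lldp transmit" not in cmds,
        })
    return report


def ports_accepting_lldp(text):
    """Interfaces that are up and still process LLDP frames from the attached device."""
    return [r["interface"] for r in lldp_audit(text)
            if r["admin_up"] and r["receive"]]


def transmit_only_ports(text):
    """Interfaces that are up, advertise via LLDP, but ignore received LLDP."""
    return [r["interface"] for r in lldp_audit(text)
            if r["admin_up"] and r["transmit"] and not r["receive"]]


if __name__ == "__main__":
    for record in lldp_audit(SAMPLE_CONFIG):
        print(record)
    print("still receiving LLDP:", ports_accepting_lldp(SAMPLE_CONFIG))
    print("transmit only:", transmit_only_ports(SAMPLE_CONFIG))
```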

Re: [c-nsp] NBAR2

2018-05-28 Thread Chuck Church
I guess it’s not a popular topic.  Google hasn’t found much on it either.  
Bummer.  I guess I’ll have to get my hands on an ISR4k.

 

Chuck

 

From: Garrett Skjelstad  
Sent: Friday, May 25, 2018 5:29 PM
To: Chuck Church 
Cc: cisco-nsp NSP 
Subject: Re: [c-nsp] NBAR2

 

Bumped for shared interest.

 

On Fri, May 25, 2018, 06:51 Chuck Church <chuckchu...@gmail.com> wrote:

All,

 I'm curious if anyone is using NBAR2 with a recent protocol pack to
identify Office 365 traffic, specifically the ability to differentiate
between Outlook, Skype, and OneDrive traffic when it's TCP/443.  The
release notes for the newest protocol packs show they only work on 16.x
releases on ISR4K/ASR1K, which I don't have easy access to.  We don't have
express route, and need a way to assign a DSCP value to each traffic type
based on what it is.  Obviously everything from O365 cloud via internet
will be DSCP 0 to us.  We use different DSCP values over our WAN for QOS
purposes.  Looking for some feedback.

Thanks,

Chuck


[c-nsp] NBAR2

2018-05-25 Thread Chuck Church
All,

 I'm curious if anyone is using NBAR2 with a recent protocol pack to
identify Office 365 traffic, specifically the ability to differentiate
between Outlook, Skype, and OneDrive traffic when it's TCP/443.  The
release notes for the newest protocol packs show they only work on 16.x
releases on ISR4K/ASR1K, which I don't have easy access to.  We don't have
express route, and need a way to assign a DSCP value to each traffic type
based on what it is.  Obviously everything from O365 cloud via internet
will be DSCP 0 to us.  We use different DSCP values over our WAN for QOS
purposes.  Looking for some feedback.

Thanks,

Chuck


Re: [c-nsp] Copying new IOS to 7600 resulting in IPC logs

2018-05-03 Thread Chuck Church
I tried to do SCP to a 3560 recently because it was on the 'outside' of a 
stateful FW and the switch acting as a server was the only way I could get an 
image to it.  Getting folks to change FW rules wasn't easy.   I think I got 
like 3 kbps throughput to it, at 99% CPU.  It was painful to watch.  

Chuck

-Original Message-
From: Frank Bulk <frnk...@iname.com> 
Sent: Wednesday, May 02, 2018 6:37 PM
To: 'Chuck Church' <chuckchu...@gmail.com>; 'James Bensley' 
<jwbens...@gmail.com>; 'Cisco-nsp List' <cisco-nsp@puck.nether.net>
Subject: RE: [c-nsp] Copying new IOS to 7600 resulting in IPC logs

Just because I like to choose secure TCP rather than insecure UDP.  I'm not 
dogmatic about it, and it looks like it has its impacts.

Thanks for all the feedback.

Frank

-Original Message-
From: Chuck Church <chuckchu...@gmail.com>
Sent: Wednesday, May 02, 2018 5:26 PM
To: 'James Bensley' <jwbens...@gmail.com>; 'Frank Bulk' <frnk...@iname.com>; 
'Cisco-nsp List' <cisco-nsp@puck.nether.net>
Subject: RE: [c-nsp] Copying new IOS to 7600 resulting in IPC logs

Is there a reason you need to use SCP?  The crypto overhead is pretty massive.  
Granted it's more secure, but the CPU hit is bad on many older devices.

Chuck

-Original Message-
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of James Bensley
Sent: Wednesday, May 02, 2018 10:41 AM
To: Frank Bulk <frnk...@iname.com>; Cisco-nsp List <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Copying new IOS to 7600 resulting in IPC logs

On 2 May 2018 at 14:00, Frank Bulk <frnk...@iname.com> wrote:
> No, I do not have anything set.  What do you recommend for a value?
>
> Frank

Hi Frank,

The default value is 200 (ms). You need to have a play to find out what's right 
for you. Some 7600s we have with many hundreds of BGP sessions that have 
developed a bit of a flop sweat, I think they are set to 100ms which seems to 
work OK.

Cheers,
James.


Re: [c-nsp] Copying new IOS to 7600 resulting in IPC logs

2018-05-02 Thread Chuck Church
Is there a reason you need to use SCP?  The crypto overhead is pretty
massive.  Granted it's more secure, but the CPU hit is bad on many older
devices.

Chuck

-Original Message-
From: cisco-nsp  On Behalf Of James
Bensley
Sent: Wednesday, May 02, 2018 10:41 AM
To: Frank Bulk ; Cisco-nsp List

Subject: Re: [c-nsp] Copying new IOS to 7600 resulting in IPC logs

On 2 May 2018 at 14:00, Frank Bulk  wrote:
> No, I do not have anything set.  What do you recommend for a value?
>
> Frank

Hi Frank,

The default value is 200 (ms). You need to have a play to find out what's
right for you. Some 7600s we have with many hundreds of BGP sessions that
have developed a bit of a flop sweat, I think they are set to 100ms which
seems to work OK.

Cheers,
James.


Re: [c-nsp] Etherchannel QOS support on ISR4K

2017-08-25 Thread Chuck Church
Thank you Antoine.  Did the config require 'port-channel load-balancing
vlan-manual' or 'load-balancing vlan' commands to make it work?  Or at
least be accepted by the CLI?   So at this point there still is no working
marking on a port channel. That is unfortunate.

Chuck

On Fri, Aug 25, 2017 at 9:00 AM, Antoine Monnier <mrantoinemonn...@gmail.com
> wrote:

> From memory we were running 3.16.x on ISR4K with a service-policy applied
> inbound on a port-channel to do marking. Config was "validated" by cisco
> themselves before it was put into prod.
> Was put into prod. Marking did not happen.
> We were then told it is not supported yet.
>
> Port-channel and QoS on ASR/ISR4K has always been an issue with lot of
> different limitations depending on the software you run.
>
> On Thu, Aug 24, 2017 at 2:55 PM, Chuck Church <chuckchu...@gmail.com>
> wrote:
>
>> All,
>>
>>I've been looking everywhere for a definitive doc on Ingress QOS
>> service-policy support.  All the docs I've found on Cisco's site seem to
>> mention IOS-XE 3, but seem to be ASR1K specific.  Can't seem to find any
>> etherchannel docs for ISR4K specifically.  Upon trying to apply an ingress
>> policy on a 4K port channel int (main int has IP address, no subints), the
>> error message "service-policy input COS-IN not supported on this target"
>> is displayed. It's a 4451-X running 3.13.3. Port channel config looks like
>> this:
>> interface Port-channel1
>>  description HJ102530 Customer LAN
>>  ip address 10.x.y.2 255.255.255.252
>>  no ip proxy-arp
>>  ip flow monitor netflow input
>>  ip flow monitor netflow output
>>  ip tcp adjust-mss 1432
>>  no negotiation auto
>>
>> Now I did find in this doc:
>> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-eth-int.html#GUID-AD7EB461-CAD5-463F-9F0D-4486D327D049
>>
>> reference to these commands: port-channel load-balancing vlan-manual
>> or load-balancing vlan (on interface)
>>
>> This router is ISP-owned so I'd like to find out the definitive answer
>> prior to having them try something.  Anyone know the real deal with QOS
>> and 4K?
>>
>> Thanks,
>>
>> Chuck


[c-nsp] Etherchannel QOS support on ISR4K

2017-08-24 Thread Chuck Church
All,

   I've been looking everywhere for a definitive doc on Ingress QOS
service-policy support.  All the docs I've found on Cisco's site seem to
mention IOS-XE 3, but seem to be ASR1K specific.  Can't seem to find any
etherchannel docs for ISR4K specifically.  Upon trying to apply an ingress
policy on a 4K port channel int (main int has IP address, no subints), the
error message "service-policy input COS-IN not supported on this target" is
displayed. It's a 4451-X running 3.13.3. Port channel config looks like
this:
interface Port-channel1
 description HJ102530 Customer LAN
 ip address 10.x.y.2 255.255.255.252
 no ip proxy-arp
 ip flow monitor netflow input
 ip flow monitor netflow output
 ip tcp adjust-mss 1432
 no negotiation auto

Now I did find in this doc:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_mqc/configuration/xe-3s/qos-mqc-xe-3s-book/qos-eth-int.html#GUID-AD7EB461-CAD5-463F-9F0D-4486D327D049

reference to these commands: port-channel load-balancing vlan-manual
or load-balancing vlan (on interface)

This router is ISP-owned so I'd like to find out the definitive answer
prior to having them try something.  Anyone know the real deal with QOS and
4K?

Thanks,

Chuck


Re: [c-nsp] ASR1006 ESP20 SIP10 LAG/LaCP Limitations

2017-06-09 Thread Chuck Church
That’s interesting.  We hit the limit in 3.13.  That was on 1002X, 1002, and 
1006 with RP1 and SIP10/ESP20.  I never really dug in enough to know if it was 
an RP, ESP, or SIP limitation.  Maybe the SIP is the culprit.

 

Chuck

 

From: David Deutsch [mailto:ddeut...@tsicorp.net] 
Sent: Friday, June 9, 2017 9:30 AM
To: Chuck Church <chuckchu...@gmail.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1006 ESP20 SIP10 LAG/LaCP Limitations

 

Looks like it's a limit of 3.7, however Denali 16.3.1 notes appear to increase 
this to 16.

 

However of course, it appears 16.3 doesn't support my SIP10 cards, does anyone 
know if this is the case in 16.5 everest?

 

--David

__

David Deutsch
Chief Technology Officer
Televergence Solutions, Inc.

(213) 943-2012 (Direct)
ddeut...@tsicorp.net

On Fri, Jun 9, 2017 at 8:44 AM, Chuck Church <chuckchu...@gmail.com> wrote:

It's my understanding that this is the platform limit, and can't be changed.
I don't recall the docs that verified it, but our Cisco SEs told us that.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
David Deutsch
Sent: Friday, June 9, 2017 8:12 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR1006 ESP20 SIP10 LAG/LaCP Limitations

Hello all,

I've got a new ASR1006(2xESP20, 2xSIP10) and am trying to establish a 8 port
LaCP LAG back to my main switch stack. However getting the following error
when trying to add the 5th interface to the port group:

Error: Cannot exceed 4 interfaces per channel

I'm surprised that this model has such a small limit, can anyone point me to
a model specific document that shows this as a hard limit? or should I look
for an IOS XE command to increase it.

Any advice appreciated.

--David
__


David Deutsch
Chief Technology Officer
Televergence Solutions, Inc.

(213) 943-2012 (Direct)
ddeut...@tsicorp.net

Re: [c-nsp] ASR1006 ESP20 SIP10 LAG/LaCP Limitations

2017-06-09 Thread Chuck Church
It's my understanding that this is the platform limit, and can't be changed.
I don't recall the docs that verified it, but our Cisco SEs told us that.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
David Deutsch
Sent: Friday, June 9, 2017 8:12 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR1006 ESP20 SIP10 LAG/LaCP Limitations

Hello all,

I've got a new ASR1006(2xESP20, 2xSIP10) and am trying to establish a 8 port
LaCP LAG back to my main switch stack. However getting the following error
when trying to add the 5th interface to the port group:

Error: Cannot exceed 4 interfaces per channel

I'm surprised that this model has such a small limit, can anyone point me to
a model specific document that shows this as a hard limit? or should I look
for an IOS XE command to increase it.

Any advice appreciated.

--David
__


David Deutsch
Chief Technology Officer
Televergence Solutions, Inc.

(213) 943-2012 (Direct)
ddeut...@tsicorp.net


Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)

2017-06-04 Thread Chuck Church
The fact that the 4500X is only doing L2 shouldn't have an effect on its 
ability to look at IP addresses and port numbers for load balancing.  It might 
help.  But tunneling things such as GRE and MPLS could certainly put all 
traffic on one link.  4500X is based on Sup7, depending on OS version you 
should have some options.  3.8 will do:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-8-0E/15-24E/configuration/guide/xe-380-configuration/channel.html#72570

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Sunday, June 4, 2017 4:07 AM
To: "Rolf Hanßen" 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)

Hi mate - 4500X(Primary) it is egress usage on both ports, 4500X(Secondary), it 
is the opposite) ingress... I only tried mac balancing for testing... lol, it 
seems to get the best balance... cant use ip/port... on src/dst ip, or src/dst 
port... 4500X only does layer 2 (Trunking vlans up to ASR1000, which does L3 
(dot1q subints on portchan)... an old legacy setup from many years ago, that 
is going to be retired asap 


Thanks



From: "Rolf Hanßen" 
Sent: Sunday, 4 June 2017 12:49 AM
To: CiscoNSP List
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)

Hello,

I read your mail twice and still don't know which direction is affected (4500X 
to ASR or ASR to 4500X or both).
Please be aware that the balancing hash method only affects outbound traffic, 
so changing the method on the 4500X only affects traffic towards the ASR.
Using mac addresses for balancing is a bad idea. Years ago we had the great idea 
to connect several servers with dual nic to a router with a 2 port channel 
switching between.
MAC on the router was always the same, MACs on the servers were all even 
because we used the same port on all servers.
Result: no balancing at all.

Is the switch able to use IP / Port for all frames or do you have packets it 
maybe does not understand (like MPLS Packets)?

kind regards
Rolf

> Hi Everyone - Have a 4 port etherchan between ASR1006/4500X(In VSS) - 
> Tried virtually all the load-balancing options on the 4500X, but port "1"
> in the portchan group always gets majority of traffic share.
>
>
> Links are:
>
>
> ASR1006    4500X (2)
>
> 0/0/3      1/1/4
>
> 1/0/0      1/1/16
>
> 1/0/3      2/1/4
>
> 2/0/0      2/1/16
>
>
> src/dst ip - I get both ports on "primary" 4500X being primarily used
> (1/1/4 getting the most)
>
> src/dst mac - I get a bit of a better load spread, but 2/1/4 gets very 
> little traffic, and again 1/1/4 gets the most
>
> src/dst port - 1/1/4 gets the most, 2/1/16 gets a lot more (ingress), 
> 2/1/4, very little
>
>
> The portchan peak usage is 2 to 2.5Gb/sec, but would do more, as it is 
> being limited by the load-balancing... i.e. 1/1/4 will max out at 
> 1G/sec (We have very bursty traffic... SP - So mix of 
> Inet/L3VPN/backup/replication etc)
>
>
> If anyone has some suggestions on how to achieve a better (more even) 
> traffic spread, it would be greatly appreciated... Migrating to 10Gb 
> is what we plan to do, but am interested in anyone's comments on why 
> 1/1/4 is used so heavily regardless of the load-balancing algorithm 
> used (Assuming it is because it is the "first" port... spanning tree 
> probably preferring this port?)... the ASR1006 only has 2 
> load-balancing options flow-based or vlan-manual... lol and I don't 
> have any interest in setting up manual vlan load-balancing 😉)
>
>
> Thanks
>
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
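
The effect Rolf describes in this thread (one router MAC, server MACs that are all even, no balancing at all) can be reproduced with a toy hash model. This is an added example, not code from the thread; the XOR-of-low-bits hash, the MAC and IP addresses and the flow mix are constructed assumptions, not the 4500X's actual algorithm.

```python
"""Toy model of port-channel member selection.

Added example: the XOR hash is an assumption for illustration, not the
real hardware algorithm. All addresses are constructed.
"""
from collections import Counter
from ipaddress import IPv4Address


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into an integer."""
    return int(mac.replace(":", ""), 16)


def pick_member(key_a: int, key_b: int, n_links: int) -> int:
    """XOR the two keys, keep the low 3 bits (8 buckets), map buckets to links."""
    bucket = (key_a ^ key_b) & 0x7
    return bucket % n_links


def build_flows(n_servers: int = 16, n_clients: int = 8):
    """Constructed traffic: servers sending to remote clients via one router.

    Every server MAC ends in an even byte (same NIC port used on every
    server) and every frame towards the router carries the same router MAC.
    """
    router_mac = "00:aa:bb:cc:dd:01"                       # constructed
    flows = []
    for s in range(n_servers):
        server_mac = f"00:11:22:33:44:{2 * s:02x}"          # constructed, always even
        server_ip = IPv4Address("10.0.0.10") + s            # constructed
        for c in range(1, n_clients + 1):
            client_ip = IPv4Address("198.51.100.0") + c     # documentation range
            flows.append({"src_mac": server_mac, "dst_mac": router_mac,
                          "src_ip": server_ip, "dst_ip": client_ip})
    return flows


# Which header fields feed the hash for each load-balancing method.
KEYS = {
    "src-mac": lambda f: (mac_to_int(f["src_mac"]), 0),
    "src-dst-mac": lambda f: (mac_to_int(f["src_mac"]), mac_to_int(f["dst_mac"])),
    "src-dst-ip": lambda f: (int(f["src_ip"]), int(f["dst_ip"])),
}


def distribute(flows, method: str, n_links: int):
    """Return the number of flows hashed onto each member link."""
    counts = Counter(pick_member(*KEYS[method](f), n_links) for f in flows)
    return [counts.get(i, 0) for i in range(n_links)]


if __name__ == "__main__":
    flows = build_flows()
    for n_links in (2, 4):
        for method in KEYS:
            print(f"{n_links} links, {method:12s}: {distribute(flows, method, n_links)}")
```

With MAC-based keys the low bits never vary enough to reach every member, so half (or all but one) of the links stay idle; the IP-based key spreads the same flows evenly because the low bits of the addresses differ per flow.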

Re: [c-nsp] Minimum hardware and version to run VSS

2017-05-30 Thread Chuck Church
I'm pretty sure you need a PFC 3C or higher.  The 3B on that Sup720 won't
work.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Youssef Bengelloun-Zahr
Sent: Tuesday, May 30, 2017 8:29 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Minimum hardware and version to run VSS

Dear C-NSP community,

I have a client that's running the following gear in their campus :

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP
  2    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  3   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  5    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B
  7   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  8   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  9   48  CEF720 48 port 10/100/100



with version : Version 12.2(18)SXF16 IP Services ! Yes, I know right !?!


He is thinking about adding some extra redundancy by adding a second chassis
and migration to a VSS stack.


I've tried to look for the minimum requirements to run a VSS stack through
the Cisco Feature Navigator. According to it, my client is not eligible but
I wanted to gather your opinions first.


What do you think are the minimum requirements to meet hardware / software
wise?

Thank you for your help.

Best regards.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] "snmpEngineTime" seems to wrap with "sysUpTime" in old IOS release

2017-04-06 Thread Chuck Church
I'm not sure if the snmpenginetime wrapping would increment the
snmpEngineBoots, but it would make sense that it would.  If that is the
case, there are definitely bugs from 8 or so years ago where devices
didn't update their snmpEngineBoots counter upon reload.  So you'd reboot
switch, snmpEngineBoots didn't increment on the device (I guess it's stored
in NVRAM), and the SNMP manager would stop talking to the device since
snmpenginetime was no longer what it was expecting, and the snmpengineboot
hadn't incremented.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Nathan Lannine
Sent: Thursday, April 6, 2017 12:23 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] "snmpEngineTime" seems to wrap with "sysUpTime" in old
IOS release

> How to explain this behavior? Is it likely some kind of SNMP agent

I may not have this totally right, but I believe sysUpTime is a 32-bit
value, which will only go out about 400 and some odd days before it wraps to
0.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
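
The lockout described in this thread follows from the SNMPv3 USM timeliness check in RFC 3414 (section 3.2, step 7b), which a manager applies to every response it receives. The sketch below is an added example, not code from the thread or from any SNMP product; the class and function names and all boots/time values are constructed.

```python
"""SNMPv3 USM timeliness check as applied by a manager (non-authoritative
engine), following RFC 3414 section 3.2 step 7b.

Added example; names and values are constructed for illustration.
"""
from dataclasses import dataclass

TIME_WINDOW = 150                       # seconds, fixed by RFC 3414
MAX_ENGINE_BOOTS = 2**31 - 1            # latched maximum of snmpEngineBoots
SYSUPTIME_WRAP_SECONDS = 2**32 // 100   # 32-bit TimeTicks count 1/100 s


@dataclass
class CachedEngine:
    """What the manager remembers about one agent's authoritative engine."""
    boots: int             # local notion of snmpEngineBoots
    time: int              # local notion of snmpEngineTime, in seconds
    latest_received: int   # latestReceivedEngineTime

    def advance(self, seconds: int) -> None:
        """The manager's own clock moves its time estimate between polls."""
        self.time += seconds


def in_time_window(cache: CachedEngine, msg_boots: int, msg_time: int) -> bool:
    """Return True if a response with (msg_boots, msg_time) is accepted."""
    # Step 1: resynchronise only when the agent's (boots, time) moved forward.
    if msg_boots > cache.boots or (
        msg_boots == cache.boots and msg_time > cache.latest_received
    ):
        cache.boots = msg_boots
        cache.time = msg_time
        cache.latest_received = msg_time
    # Step 2: anything that looks older than what was already seen is a
    # possible replay and is rejected (notInTimeWindow).
    if cache.boots == MAX_ENGINE_BOOTS:
        return False
    if msg_boots < cache.boots:
        return False
    if msg_boots == cache.boots and msg_time < cache.time - TIME_WINDOW:
        return False
    return True


def seconds_until_accepted(cache, boots, agent_time, interval=300,
                           max_polls=100_000):
    """Poll every `interval` seconds after a reload; return the elapsed
    seconds at the first accepted response, or None if none is accepted."""
    elapsed = 0
    for _ in range(max_polls):
        if in_time_window(cache, boots, agent_time + elapsed):
            return elapsed
        cache.advance(interval)
        elapsed += interval
    return None


if __name__ == "__main__":
    one_day = 86400
    # Healthy reload: boots went 5 -> 6, engine time restarted at 30 s.
    print("boots incremented :",
          seconds_until_accepted(CachedEngine(5, one_day, one_day), 6, 30))
    # Buggy reload: boots still 5, engine time restarted at 30 s.
    print("boots not stored  :",
          seconds_until_accepted(CachedEngine(5, one_day, one_day), 5, 30))
    # Engine time wrapping together with a 32-bit sysUpTime, boots unchanged.
    wrap = SYSUPTIME_WRAP_SECONDS
    print("wrap after days   :", wrap // one_day)
    print("accepted after wrap:", in_time_window(CachedEngine(7, wrap, wrap), 7, 10))
```

When the boots counter does not move, the manager keeps rejecting the agent until the agent's engine time climbs past the last value the manager saw, or until the manager's cached entry for that engine is cleared.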


Re: [c-nsp] Cat 6500: WS-X6748-SFP and VSS?

2017-01-16 Thread Chuck Church
I believe the minimum requirement to run VSS is PFC3C.  I would expect that to 
mean DFC3C or higher on the line cards.  Anything with 3A or 3B wouldn't work.  
If you upgraded the line card DFCs to 3C or 3CXL and they're not working, I'm 
guessing it would be time to call TAC, I think that should work.  I would think 
that a linecard/DFC mismatch issue would show up in the log.  Not just have 
ports down.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Patrick 
M. Hausen
Sent: Monday, January 16, 2017 10:03 AM
To: Cisco Network Service Providers 
Subject: Re: [c-nsp] Cat 6500: WS-X6748-SFP and VSS?

Hi all,


> On 16.01.2017 at 15:36, Patrick M. Hausen wrote:
> In the release notes for IOS 15.1SY I found this remark about 
> supported Gigabit Ethernet modules:
> 
> WS-X6748-SFP
> with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not 
> supported in virtual switch mode)

Sorry, I have to rephrase my question after a second look:


WS-X6748-SFP
(with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not supported in 
virtual switch mode) WS-F6700-DFC3B (not supported in virtual switch mode) or 
WS-F6700-CFC )


So I think this reads as:

WS-X6748-SFP with DFC-3CXL or DFC3C supported
with DFC3BXL or DFC3B   supported, but no VSS

Am I reading this correctly? If yes, I have a different problem altogether.

I upgraded two of our core switches from Sup720-3BXL to Sup720-10GE with 
PFC-3CXL, then upgraded all the DFCs on the line cards and installed IOS 
15.1(2)SY9.

None of the copper Gigabit interfaces work. All show "down, line protocol is 
down (notconnect)" regardless of the connection.

Any ideas on how to proceed from here?

BTW: this includes Gi1/1/3 and Gi2/1/3 - the copper interfaces in the 
supervisor engines. Not only on the 6748 linecards.

Thanks
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe Tel. 0721 9109 0 * Fax 0721 
9109 100
i...@punkt.de   http://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Upgrade IOS from 15.0(2).se7 to15.0(2) se10

2016-11-10 Thread Chuck Church
I'm not sure about the microcode.  We've deployed a lot of SE10 lately.  I
haven't heard of any long reboots from the SE6 we were on.  SE9 fixed the
TCP memory leak PSIRT from March or last fall, or maybe it was the NTP
vulnerability.  I don't remember which.  But SE9 introduced a bad SNMP
memory leak that wasn't in the SE6 we'd been using.  SE10 fixed the memory
leak, and has been pretty solid so far.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Harry Hambi - Atos
Sent: Thursday, November 10, 2016 3:57 AM
To: 'cisco-nsp@puck.nether.net' 
Subject: [c-nsp] Upgrade IOS from 15.0(2).se7 to15.0(2) se10

Hi all,
Does anyone know if there's a microcode in SE10 IOS?, I remember when
upgrading to SE7 it was taking 29min per switch due to the microcode .
Reading the release notes for SE10, can anyone tell me the main benefits if
any to upgrade to SE10?. Thanks in advance.


Rgds
Harry

Harry Hambi BEng(Hons)  MIET  Rsgb

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Router memory problem

2016-10-26 Thread Chuck Church
That’s pretty low.  Under a megabyte for largest block.  Is soft reconfig 
enabled?  Maybe turn that off, or like you said filter some routes. 

Chuck

From: Joseph Mays [mailto:m...@win.net] 
Sent: Wednesday, October 26, 2016 3:06 PM
To: Chuck Church <chuckchu...@gmail.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router memory problem

Perhaps. Looks like, but I don't know if it's TOO low.

core-gw1.noc#show mem
           Head        Total(b)     Used(b)    Free(b)  Lowest(b) Largest(b)
Processor  6381CC60       78368   438972176    5506192     945056     898812
      I/O  E00         33554432    10948872   22605560   22287760   22426364

Maybe if I reduce the size of the bgp tables.

-Original Message-
From: Chuck Church
Sent: Wednesday, October 26, 2016 2:51 PM
To: 'Joseph Mays' ; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Router memory problem

Is the router out of RAM?  A really low memory condition might cause this.  
'show mem' or 'show log' (if configured) might show some malloc errors if that 
is the issue.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph 
Mays
Sent: Wednesday, October 26, 2016 2:28 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Router memory problem

I’m dealing with a serious problem on a router I can only connect to remotely. 
Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. 
And interestingly the system that copies the router’s config every night seems 
to have no problem pulling it down via tftp. And I can add and remove config 
commands and have them become active, even though I can’t see the config when 
it’s running.

I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/

  488  -rw-   19717  startup-config
  489  1157  private-config
  490  -rw-   19717  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same 
result. I concluded that the nvram: must be corrupt. So I did an “erase” to 
reformat and clear it, and that went fine. So then I tried to write the 
startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has 
no startup config. I did try tftping the backup config to nvram:, and it worked 
fine as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config
Destination filename [noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]

34368 bytes copied in 0.756 secs (45460 bytes/sec)
core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts
4  -rw-   34368  noc-config

But when I tried to rename noc-config to startup-config, it gave the same space 
error. As does deleting startup-config, or any attempt to do anything to the 
startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cis

Re: [c-nsp] Router memory problem

2016-10-26 Thread Chuck Church
Is the router out of RAM?  A really low memory condition might cause this.  
'show mem' or 'show log' (if configured) might show some malloc errors if that 
is the issue.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joseph 
Mays
Sent: Wednesday, October 26, 2016 2:28 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Router memory problem

I’m dealing with a serious problem on a router I can only connect to remotely. 
Show run on the router returns nothing.

core-gw1.noc#show run
core-gw1.noc#

The running config is definitely there, though and the router is operational. 
And interestingly the system that copies the router’s config every night seems 
to have no problem pulling it down via tftp. And I can add and remove config 
commands and have them become active, even though I can’t see the config when 
it’s running.

I tried copying the running config to the startup config and got an error.

core-gw1.noc#dir nvram:
Directory of nvram:/

  488  -rw-   19717  startup-config
  489  1157  private-config
  490  -rw-   19717  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (498234 bytes free)
core-gw1.noc#write mem
startup-config file open failed (Not enough space)

I found that any command I try with regards to the startup config gets the same 
result. I concluded that the nvram: must be corrupt. So I did an “erase” to 
reformat and clear it, and that went fine. So then I tried to write the 
startup-config again and had the same problem.

core-gw1.noc#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts

522232 bytes total (519108 bytes free)
core-gw1.noc#copy run start
Destination filename [startup-config]?
startup-config file open failed (Not enough space)

So now I am in a position where I don’t dare reboot the router because it has 
no startup config. I did try tftping the backup config to nvram:, and it worked 
fine as long as I gave it another name.

core-gw1.noc#copy tftp nvram:
Address or name of remote host [admin2.win.net]?
Source filename [core-gw1.noc-confg.noALW]? noc-config
Destination filename [noc-config]?
Accessing tftp://admin2.win.net/noc-config...
Loading noc-config from 216.24.27.2 (via FastEthernet2/0): !!!
[OK - 34368 bytes]

34368 bytes copied in 0.756 secs (45460 bytes/sec)
core-gw1.noc#dir nvram:
Directory of nvram:/

  508  -rw-   0  startup-config
  509     0  private-config
  510  -rw-   0  underlying-config
1    46  persistent-data
2  -rw-   0  ifIndex-table
3  -rw-   4  rf_cold_starts
4  -rw-   34368  noc-config

But when I tried to rename noc-config to startup-config, it gave the same space 
error. As does deleting startup-config, or any attempt to do anything to the 
startup-config file.

Here is the show ver info on the router.

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IK9SU2-M), Version 12.3(23), RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 24-Jul-07 21:42 by stshen
Image text-base: 0x60008AF4, data-base: 0x61F53280

ROM: System Bootstrap, Version 12.2(20030826:190624) [BLD-npeg1_rommon_r11 102], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.2(15)B, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

core-gw1.noc uptime is 11 hours, 10 minutes
System returned to ROM by reload at 03:00:12 EDT Wed Oct 26 2016
System restarted at 03:02:54 EDT Wed Oct 26 2016
System image file is "disk2:c7200-ik9su2-mz.123-23.bin"
Last reload reason: Reload command



This product contains cryptographic features and is subject to United States 
and local country laws governing import, export, transfer and use. Delivery of 
Cisco cryptographic products does not imply third-party authority to import, 
export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance 
with U.S. and local country laws. By using this product you agree to comply 
with applicable laws and regulations. If you are unable to comply 

Re: [c-nsp] Nexus 5448 IOS from 5.0.3 to 7.0.1 upgrade

2016-08-03 Thread Chuck Church
Go to Cisco.com like you would for any other IOS/NX-OS image download.  If
you find the image you have (hopefully you've got both the system and the
kickstart files) is one you can download for your platform, you should be
good.  Or check the release notes.  Actually, check the release notes for
NX-OS regardless, it'll list caveats, HW support, upgrade procedures, etc.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Satish Patel
Sent: Wednesday, August 03, 2016 11:35 AM
To: Cisco Network Service Providers 
Subject: Re: [c-nsp] Nexus 5448 IOS from 5.0.3 to 7.0.1 upgrade

it was N5K-5548UP-FA model.

On Wed, Aug 3, 2016 at 11:16 AM, Satish Patel  wrote:
> We have Cisco Nexus 5448 old switch running 5.0.3 and we don't have 
> smartnet on them but I got 7.0.1 IOS from someone else so planning to 
> upgrade them but I didn't find any prerequisite documentation related 
> to that switch.
>
> Does Cisco Nexus 5448UP-FA support 7.0.1 software? Does anyone have any 
> past experience related to this device?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ISR4431-AX/K9

2016-07-13 Thread Chuck Church
Isn't WAAS their WAN acceleration product?  I don't think NBAR has any
reliance on that.  You just use NBAR to identify the traffic, then normal
QOS policy to do something with it.  I haven't done it on an ASR or ISR 4K,
but that's how it's worked on all previous devices.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam
Greene
Sent: Wednesday, July 13, 2016 1:04 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ISR4431-AX/K9

Kind of worried based on
http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/guide_c07-726864.html
that I'm also going to have to buy:

ISR4430U-MEM-SSD
DRAM upgrade to 16GB, Flash Memory upgrade to 16GB, NIM Carrier and 200GB
SSD Bundle

Not sure if WAAS is required for NBAR2, though, or even if not, if I should
use WAAS instead, or if they are synonymous.

And 1300 WAAS Optimized TCP Connections seems tiny, considering the ASA 5520
in line with it reports high water marks of up to 187,000 connections,
though averages about half that probably. Maybe WAAS connections are not the
same, though.

From: Adam Greene [mailto:maill...@webjogger.net]
Sent: Wednesday, July 13, 2016 12:50 AM
To: 'cisco-nsp@puck.nether.net' 
Subject: ISR4431-AX/K9

Hey guys,

If I need a router that can do application based bandwidth throttling
(NBAR2) at 500M-1G aggregate throughput, ISR4431-AX/K9 should do the trick,
right? It seems to provide the features and throughput. Please tell me if
I'm wrong (other services enabled on the router will be limited to BGP and
OSPF).

Thanks,

Adam

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Etherchannel load-balacing change on live network

2016-07-08 Thread Chuck Church
Well, yeah.  I realize that is the correct fix.  I thought I read at some
point he was concerned about downtime involved with it.  That's where I
would look to see about potential bugs.  In case there is one that tends to
blackhole all traffic on that port channel, or QOS breaks, or whatever.  I
personally have changed the hash algorithm on a 6500 during moderate traffic
flow, was just a blip.  Hopefully that is the OP's outcome too.

Chuck

From: Mark Tinka [mailto:mark.ti...@seacom.mu] 
Sent: Friday, July 08, 2016 11:37 AM
To: Chuck Church <chuckchu...@gmail.com>; 'Satish Patel'
<satish@gmail.com>
Cc: 'Cisco Network Service Providers' <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Etherchannel load-balacing change on live network

On 8/Jul/16 17:34, Chuck Church wrote:

If it's that much of a concern, I would look at the release notes for a
'current' IOS version for that platform, and check the caveats for bugs that
might have involved your version and etherchannel stuff.  Or a search on the
bug tool, though that involves a little luck on guessing the right keyword.


If the OP is getting biased hashing now, he really has no choice but to
enable IP entropy.

I'm sure taking a small hit is better than dropping packets due to poor
spraying of traffic.

Mark.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Etherchannel load-balacing change on live network

2016-07-08 Thread Chuck Church
If it's that much of a concern, I would look at the release notes for a
'current' IOS version for that platform, and check the caveats for bugs that
might have involved your version and etherchannel stuff.  Or a search on the
bug tool, though that involves a little luck on guessing the right keyword.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark
Tinka
Sent: Friday, July 08, 2016 3:41 AM
To: Satish Patel 
Cc: Cisco Network Service Providers 
Subject: Re: [c-nsp] Etherchannel load-balacing change on live network



On 7/Jul/16 22:35, Satish Patel wrote:

> I am seeing out of 4 etherchannel 1 of under heavy utilization. I 
> checked on switch and its saying "src-mac" load-balancing. I need to 
> change it to src-dst-ip so load sharing get more randomize.
>
> Just wanted to make sure it won't hurt current traffic.

From my experience, it shouldn't.

But like all things, plan it during a maintenance window if you are really
concerned.

Mark.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] WS-C4948-10GE Memory leak

2016-06-15 Thread Chuck Church
Definitely should be running something newer, given the number of
vulnerabilities that old IOS has in it.  We've had good luck with 15.0(2)SG
on these platforms.   SG10 looks to be the latest available.  That does have
an NTP vulnerability in it from earlier this year, but I'm told SG11 will
fix that, and be available sometime in July.  SG10 would be a good choice.
Google 'IOS memory usage' and you should find a bunch of articles to
troubleshoot.  But upgrading is probably the smartest thing to try.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Jason Berenson
Sent: Wednesday, June 15, 2016 2:45 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] WS-C4948-10GE Memory leak

Greetings,

I have a pair of WS-C4948-10GE both running
cat4500-entservicesk9-mz.122-52.SG.bin.  One has been up for almost 7 years
with no issues.  The other has to be rebooted every few months because of a
memory leak.

Both are customer facing routers running some basic BGP/OSPF and IPv6.

Is there a newer IOS I should be running?  Any commands that might shed some
more light on this?

Thanks in advance.

Jason.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] EzVPN config

2016-06-14 Thread Chuck Church
Anyone,

 

I've been scratching my head for an hour or so regarding
Cisco EzVPN and multiple spokes.  Googling sample configs seems to not turn
up any that cover multiple spokes.  My problem is I've got a hub (Cisco 871,
running 12.4T) with a static address, and a couple spokes, dynamic addresses
on the WAN interfaces.  Spoke to hub always works fine, but the ACL that
controls what to put in the IPSec tunnel is eluding me.   The clients seem
to support an ACL, but that didn't seem to work.  Our config requires NAT
overload for anything internet bound that we don't want to send to another
spoke or the hub.  What seems to work now is an ACL on the hub that permits
traffic from its internal interface to the spoke internal interfaces, and
then permits for spoke A internal subnet to spoke B.  

What is troubling is that 'show cry ips client ez' on the
spokes looks like this:

Save Password: Allowed
Split Tunnel List: 1
       Address    : 192.168.0.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 192.168.200.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 3
       Address    : 192.168.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: ((hub WAN IP ADDRESS))

This seems to indicate that the ACL only cares about the source, and the use
of an extended ACL isn't needed.  But standard ACL didn't seem to work.  The
config guides I found aren't clear on ACL format.  At this point I'd like to
see a good running config of what it is supposed to look like, or at least a
good doc that covers more than one spoke.  I'm not looking for direct spoke
to spoke traffic, just spoke to spoke via the hub is fine.  This is the URL
I've been trying to follow, but I'm only getting so far with it:

http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-easy-vpn/prod_white_paper0900aecd80313bd6.pdf

Thanks,

Chuck

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ISR4431 memory usage

2016-06-01 Thread Chuck Church
I don't see a problem with the amount of memory you've got free, and the
biggest block.  1.4 GB free, 1.0GB largest block are a ton of memory for a
full table.

Chuck

-Original Message-
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com] 
Sent: Wednesday, June 01, 2016 6:05 PM
To: Chuck Church <chuckchu...@gmail.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ISR4431 memory usage


Thanks Chuck - Yes, from my experience on the ASR1K's the iosd does consume
a lot of ram... don't have access to one atm, but I don't recall them using as
much as these ISR4431's (With pretty much base conf on them)

sh mem fyr on the 4431

sh mem
           Head              Total(b)      Used(b)      Free(b)    Lowest(b)   Largest(b)
Processor  7F350775C010    1727628752    295329344   1432299408    678975912   1048575908
 lsmpi_io  7F350705A1A8       6295128      6294304          824          824          412
Dynamic heap limit(MB) 1000  Use(MB) 0

I could probably try and squeeze in a full table on the 4431, but it's
looking like 8Gb might be needed to safely do so?

Cheers


From: Chuck Church <chuckchu...@gmail.com>
Sent: Wednesday, 1 June 2016 10:09 PM
To: 'CiscoNSP List'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ISR4431 memory usage

Isn't that normal, for the linux kernel to give most of the RAM to IOSD?
From inside IOSD is where you need to be concerned.  What does the
traditional 'show mem' tell you, the first few lines?  The 'free' and
'largest' columns are what you are looking for.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
CiscoNSP List
Sent: Tuesday, May 31, 2016 10:10 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ISR4431 memory usage

Hi Everyone,


Purchased a couple of ISR4431's for a small POP, that has a single
IPTransit service (Currently being handled by an old 2851, taking full table
and default)... obviously full table not necessary, but we had a customer at
this POP that wanted the full table advertised to them, so we needed to take
it from the upstream.


2851 handles the full table no problems - only has 1Gb dram, and is using
~57% ram


The 4431's we purchased to replace the 2851 have (default) 4Gb ram, and I
was a little shocked when I turned them on to see that with virtually no
config on them, they are already using ~83-84% of the ram:


#show platform software status control-processor brief
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   0.00   0.00   0.00

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  3972052  3317944 (84%)   654108 (16%)   1530296 (39%)


sh platform resources
**State Acronym: H - Healthy, W - Warning, C - Critical
Resource                 Usage                 Max             Warning         Critical        State
RP0 (ok, active)                                                                               H
 Control Processor       5.81%                 100%            90%             95%             H
  DRAM                   3240MB(83%)           3878MB          90%             95%             H
ESP0(ok, active)                                                                               H
 QFP                                                                                           H
  DRAM                   1609582KB(76%)        2097152KB       80%             90%             H
  IRAM                   0KB(0%)               0KB             80%             90%             H

..and iosd looks to be the main user:


#monitor platform software process rp active

top - 09:59:58 up 7 days, 23:38,  0 users,  load average: 0.00, 0.00, 0.00
Tasks: 380 total,   4 running, 376 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  1.7%sy,  0.0%ni, 97.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   3972052k total,  3324360k used,   647692k free,   211736k buffers
Swap:        0k total,        0k used,        0k free,  1705968k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
30505 root      20   0 9830m 161m 113m R   10  4.2   1226:27 fman_fp_image
23117 root      20   0 2205m 709m 341m S    3 18.3 258:15.06 linux_iosd-imag
20408 root      20   0  288m  73m  30m S    2  1.9 192:48.66 bsm
 2142 root      20   0 72468  24m  18m S    1  0.6  69:33.01 iomd



...Now, my question is, can we "safely" take the full table on the
4431's... I've had a read of the following:
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/troubleshooting/memorytroubleshooting/isr4000_mem.html


And it mentions that iosd/memory allocation is allocated as "needed"... but
I'm not clear on whether the way the platform allocates memory, will allow us
to take a full table with 4Gb ram... I'm really hoping it will, and we don't
have to upgrade the ram on them?


Cheers.



Re: [c-nsp] ISR4431 memory usage

2016-06-01 Thread Chuck Church
Isn't that normal, for the linux kernel to give most of the RAM to IOSD?
From inside IOSD is where you need to be concerned.  What does the
traditional 'show mem' tell you, the first few lines?  The 'free' and
'largest' columns are what you are looking for.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
CiscoNSP List
Sent: Tuesday, May 31, 2016 10:10 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ISR4431 memory usage

Hi Everyone,


Purchased a couple of ISR4431's for a small POP,  that has a single
IPTransit service (Currently being handled by an old 2851, taking full table
and default) obviously full table not necessary, but we had a customer at
this POP that wanted the full table advertised to them, so we needed to take
it from the upstream.


2851 handles the full table no problems - only has 1Gb dram, and is using
~57% ram


The 4431's we purchased to replace the 2851 have (default) 4Gb ram, and I
was a little shocked when I turned them on to see that with virtually no
config on them, they are already using ~83-84% of the ram:


#show platform software status control-processor brief
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   0.00   0.00   0.00

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  3972052  3317944 (84%)   654108 (16%)   1530296 (39%)


sh platform resources
**State Acronym: H - Healthy, W - Warning, C - Critical
Resource              Usage            Max         Warning   Critical   State
RP0 (ok, active)                                                        H
 Control Processor    5.81%            100%        90%       95%        H
  DRAM                3240MB(83%)      3878MB      90%       95%        H
ESP0(ok, active)                                                        H
 QFP                                                                    H
  DRAM                1609582KB(76%)   2097152KB   80%       90%        H
  IRAM                0KB(0%)          0KB         80%       90%        H


..and iosd looks to be the main user:


#monitor platform software process rp active

top - 09:59:58 up 7 days, 23:38,  0 users,  load average: 0.00, 0.00, 0.00
Tasks: 380 total,   4 running, 376 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.7%us,  1.7%sy,  0.0%ni, 97.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   3972052k total,  3324360k used,   647692k free,   211736k buffers
Swap:        0k total,        0k used,        0k free,  1705968k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
30505 root      20   0 9830m 161m 113m R   10  4.2   1226:27 fman_fp_image
23117 root      20   0 2205m 709m 341m S    3 18.3 258:15.06 linux_iosd-imag
20408 root      20   0  288m  73m  30m S    2  1.9 192:48.66 bsm
 2142 root      20   0 72468  24m  18m S    1  0.6  69:33.01 iomd



...Now, my question is, can we "safely" take the full table on the
4431's...I've had a read of the following:
http://www.cisco.com/c/en/us/td/docs/routers/access/4400/troubleshooting/memorytroubleshooting/isr4000_mem.html


And it mentions that iosd/memory allocation is allocated as "needed"...but
I'm not clear on whether the way the platform allocates memory will allow us
to take a full table with 4Gb ram. I'm really hoping it will, and we don't
have to upgrade the ram on them?


Cheers.






___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] necessity of nowadays

2016-03-23 Thread Chuck Church
UDLD works well when you've got a L2 switch with distributed processing,
such as a 6500.  We've had cases where a Sup was failing, perhaps due to
overheating in a failed air conditioned closet.  It failed to the point
BPDUs were no longer being sent, but forwarding was still working.  I guess
the SP wasn't happy, but PFC still forwarding.  Loop results.  UDLD fixed
that issue.  We did that prior to spanning tree loop guard existing.  I
think loop guard can replace UDLD in some cases.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Sebastian Beutel
Sent: Wednesday, March 23, 2016 7:21 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] necessity of nowadays

Hi List,

I've been pondering about the real need for udld nowadays, each time it
bites me in a case of false positive. At least since we have gigabit SFPs it
became almost impossible to willfully provoke a unidirectional link: The
physical port already detects missing light and goes down.
Moreover, the main use of udld (prevent unidirectional loops in an stp
topology) has also lost importance since link aggregation has replaced load
balancing via multiple or per vlan stp topologies.
That's why I am asking myself whether udld is a residue that nowadays
causes more harm than it prevents and should therefore not be used anymore.
At least on gigabit and faster links and if there are no really dumb media
converters involved.

What do you think?

Best,
   Sebastian.




Re: [c-nsp] C3560X Layer 3 throughput

2016-03-07 Thread Chuck Church
'no ip redirects' doesn't stop the processing of redirects that are
received, it stops the sending of them.  There must be another host that was
sending them that this 3560X was receiving.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
David Wilkinson
Sent: Monday, March 07, 2016 4:57 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] C3560X Layer 3 throughput

Hi All,

Quick update: it turns out that redirects were getting punted up to the CPU
even with "no ip redirects" in the config.
Split up the ranges onto 2 separate VLANs and the CPU dropped to 10% with
0% interrupts.

Thanks for your help.

Regards

David



On 17/02/2016 03:55, Adam Baxter wrote:
> Looks normal to me. your interrupt is only 6% ~ .
>
> they sit around 50%~ CPU. It will not cause any problems.
>
> This is of my 3750x Switches.
>
> CPU utilization for five seconds: 54%/4%; one minute: 48%; five
> minutes: 47%
>
> Take a look at the following.
>
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/cpu_util.html#wp999591
>
> "We consider anything below 50 percent CPU utilization to be 
> acceptable. A sustained level of approximately 50 percent, such as 
> this example, is also acceptable."
>
> Regards,
>
> Adam.
>
> On 17 February 2016 at 04:59, David Wilkinson 
> > wrote:
>
> CEF is enabled, it was the first thing I checked.
>
>
> On 16/02/2016 18:17, Hunter Fuller wrote:
>
> Don't worry about that kind of cpu on these boxes. We have
> dozens in
> production doing only layer 2 traffic and we see usage like this:
>
> CU234C3560XU01#show proc cpu | inc CPU
> CPU utilization for five seconds: 41%/6%; one minute: 40%;
> five minutes: 40%
>
> CCRH120C3560XU01#show proc cpu | incl CPU
> CPU utilization for five seconds: 43%/3%; one minute: 39%;
> five minutes: 36%
>
> CV108c3560Xu01#show proc cpu | incl CPU
> CPU utilization for five seconds: 48%/10%; one minute: 43%;
> five minutes: 41%
>
> Is that with high levels of throughput?
> This one is doing layer 3 routing.
>
>
> On 16/02/2016 18:35, Octavio Alvarez wrote:
>
> On 02/16/2016 03:53 AM, David Wilkinson wrote:
>
> Hi all,
>
> What is the real world expected throughput on the C3560X
> devices when
> doing basic Layer 3 routing?
> We have a customer who has a couple of these and are doing
> around
> 50-60Mbps, around 10Kpps and is hitting around 50% CPU and
> we are
> wondering if this is normal for these switches as it seems
> a little high
> to us.
>
> The configuration is very basic, couple of VLANs, HSRP and
> a static route
> providing a default route upstream.
>
> Is this normal for the WS-C3560X-24?
>
> What is the process at fault? (show proc cpu sort and check
> the first
> lines).
>
> It is mostly interrupt.
>
>
>
>
>



Re: [c-nsp] Cisco IOS-XE 3S platforms Series Root Shell License Bypass Vulnerability

2016-02-28 Thread Chuck Church
Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Robert Hass

>I'm looking for exploitation of issue 'Cisco IOS-XE 3S platforms Series
Root Shell License Bypass Vulnerability' (CSCuv93130). I would like to check
if it's really working on my Ciscos >running IOS XE. Anyone have recipe how
to do it ?

>Rob

I tried playing with this a month ago.  There doesn't appear to be a way to
do it without the shell access license that only TAC can get you.  It's not
one of those licenses that you can RTU to activate, at least I had no luck.

Chuck




Re: [c-nsp] Configure port to supply PoE only

2016-01-14 Thread Chuck Church
You could simply create a bogus VLAN for each AP, and put each port in a 
separate VLAN in access mode.  Pretty simple config.  Or a private isolated 
VLAN, but that is a little more config work.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ricardo 
Stella
Sent: Thursday, January 14, 2016 5:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Configure port to supply PoE only

Hi folks,

Sorry if this might be a 'stupid' question.  I need to test a wireless mesh 
configuration and the only thing I have available to supply power to the access 
points (PoE+) is a 2960S switch.

The switch is isolated to the network, but it seems that when I add more
than one access point to it, they are 'talking' to each other.  So is there a
way to configure the ports so that the ports only supply power?
The moment the second access point is connected and goes up, I start getting 
flapping errors.

Thanks in advance for your help and apologies if it is indeed a dumb question. 
All I ask is that you minimize your laughs.  :)

Ricardo.


Re: [c-nsp] C6509 Fabric Switch Capacity

2016-01-13 Thread Chuck Church
Like others said, the ports are mapped to ASICs and ASICs mapped to
channels.  Packets will drop.  A useful command is 'show platform hardware
capacity'.  That lists peak utilizations along with when they happened.  At
least it should, older SXF didn't seem to have it working right, but I think
SXH should be ok.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Alireza Soltanian
Sent: Wednesday, January 13, 2016 6:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] C6509 Fabric Switch Capacity

Hi everybody

We have C6509-E with SUP720-3BXL. Based on what I understood from Cisco
Website, in this setup we can have 40Gbps in Fabric Switch between slots.
This Fabric Switch is divided into two 20Gbps channels.

Now in one of our chassis we have this setup:

 

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      ---
  3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       ---
  4   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       ---
  5    2  Supervisor Engine 720 (Hot)            WS-SUP720-3BXL     ---
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     ---
  7   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       ---
  8    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      ---
  9    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      ---

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  0026.cbb2.3968 to 0026.cbb2.396f   2.1   12.2(18r)S1  12.2(33)SXH8 Ok
  3  0026.993a.a8bc to 0026.993a.a8eb   2.3   12.2(18r)S1  12.2(33)SXH8 Ok
  4  0015.c640.24f4 to 0015.c640.2523   1.5   12.2(14r)S5  12.2(33)SXH8 Ok
  5  000a.b818.94f8 to 000a.b818.94fb   5.2   8.4(2)       12.2(33)SXH8 Ok
  6  001b.d50d.9224 to 001b.d50d.9227   5.9   8.5(4)       12.2(33)SXH8 Ok
  7  001d.70dc.a8f0 to 001d.70dc.a91f   1.14  12.2(14r)S5  12.2(33)SXH8 Ok
  8  0023.0455.bd80 to 0023.0455.bd87   1.6   12.2(18r)S1  12.2(33)SXH8 Ok
  9  0018.b967.2338 to 0018.b967.233f   1.3   12.2(18r)S1  12.2(33)SXH8 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  2  Distributed Forwarding Card WS-F6700-DFC3CXL   ---          1.6    Ok
  3  Distributed Forwarding Card WS-F6700-DFC3BXL   ---          5.6    Ok
  4  Distributed Forwarding Card WS-F6700-DFC3BXL   ---          5.3    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     ---          1.8    Ok
  5  MSFC3 Daughterboard         WS-SUP720          ---          2.5    Ok
  6  Policy Feature Card 3       WS-F6K-PFC3BXL     ---          1.10   Ok
  6  MSFC3 Daughterboard         WS-SUP720          ---          3.5    Ok
  7  Distributed Forwarding Card WS-F6700-DFC3BXL   ---          5.3    Ok
  8  Distributed Forwarding Card WS-F6700-DFC3CXL   ---          1.0    Ok
  9  Distributed Forwarding Card WS-F6700-DFC3CXL   ---          1.0    Ok

 

This output shows the Fabric Switch Utilization on each Slot:

 

show fabric utilization
 slot    channel      speed    Ingress %     Egress %
    2          0        20G           11           55
    2          1        20G           16           13
    3          0        20G            3            7
    3          1        20G            1            2
    4          0        20G           15            2
    4          1        20G           17            3
    5          0        20G            0            0
    6          0        20G            0            0
    7          0        20G           17            2
    7          1        20G           15            2
    8          0        20G           13           53
    8          1        20G           35           59
    9          0        20G           32           19

 

My question is: what will happen if we exceed capacity (Egress or
Ingress) in Channel#0 of Slot#2? Will device use Capacity of Channel#1?

 

Thank you

Alireza



Re: [c-nsp] C6509 Fabric Switch Capacity

2016-01-13 Thread Chuck Church
Yes, it’s just that the 6704 has fairly small buffers.  The later 67xx 
10GE blades had much bigger buffers.  Check the data sheet, 
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a00801dce34.html

 

Table 1.  16 megs versus 200 for others.

 

Chuck

 

From: ckn...@savage.za.org [mailto:ckn...@savage.za.org] On Behalf Of Chris 
Knipe
Sent: Wednesday, January 13, 2016 9:26 AM
To: Chuck Church <chuckchu...@gmail.com>
Cc: Alireza Soltanian <soltan...@gmail.com>; cisco-nsp 
<cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] C6509 Fabric Switch Capacity

 

Hi,

 

Just wanted to chip in here...

 

Whilst I can understand over subscription (and subsequent drops) on the 
WS-X6708, would the same hold true for the WS-X7604?  

 

On Wed, Jan 13, 2016 at 3:35 PM, Chuck Church <chuckchu...@gmail.com> wrote:

Like others said, the ports are mapped to ASICs and ASICs mapped to
channels.  Packets will drop.  A useful command is 'show platform hardware
capacity'.  That lists peak utilizations along with when they happened.  At
least it should, older SXF didn't seem to have it working right, but I think
SXH should be ok.

Chuck


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Alireza Soltanian
Sent: Wednesday, January 13, 2016 6:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] C6509 Fabric Switch Capacity

Hi everybody

We have C6509-E with SUP720-3BXL. Based on what I understood from Cisco
Website, in this setup we can have 40Gbps in Fabric Switch between slots.
This Fabric Switch is divided into two 20Gbps channels.

Now in one of our chassis we have this setup:



Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      ---
  3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       ---
  4   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       ---
  5    2  Supervisor Engine 720 (Hot)            WS-SUP720-3BXL     ---
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     ---
  7   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       ---
  8    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      ---
  9    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      ---

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  2  0026.cbb2.3968 to 0026.cbb2.396f   2.1   12.2(18r)S1  12.2(33)SXH8 Ok
  3  0026.993a.a8bc to 0026.993a.a8eb   2.3   12.2(18r)S1  12.2(33)SXH8 Ok
  4  0015.c640.24f4 to 0015.c640.2523   1.5   12.2(14r)S5  12.2(33)SXH8 Ok
  5  000a.b818.94f8 to 000a.b818.94fb   5.2   8.4(2)       12.2(33)SXH8 Ok
  6  001b.d50d.9224 to 001b.d50d.9227   5.9   8.5(4)       12.2(33)SXH8 Ok
  7  001d.70dc.a8f0 to 001d.70dc.a91f   1.14  12.2(14r)S5  12.2(33)SXH8 Ok
  8  0023.0455.bd80 to 0023.0455.bd87   1.6   12.2(18r)S1  12.2(33)SXH8 Ok
  9  0018.b967.2338 to 0018.b967.233f   1.3   12.2(18r)S1  12.2(33)SXH8 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  2  Distributed Forwarding Card WS-F6700-DFC3CXL   ---          1.6    Ok
  3  Distributed Forwarding Card WS-F6700-DFC3BXL   ---          5.6    Ok
  4  Distributed Forwarding Card WS-F6700-DFC3BXL   ---          5.3    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     ---          1.8    Ok
  5  MSFC3 Daughterboard         WS-SUP720          ---          2.5    Ok
  6  Policy Feature Card 3       WS-F6K-PFC3BXL     ---          1.10   Ok
  6  MSFC3 Daughterboard         WS-SUP720          ---          3.5    Ok
  7  Distributed Forwarding Card WS-F6700-DFC3BXL   ---          5.3    Ok
  8  Distributed Forwarding Card WS-F6700-DFC3CXL   ---          1.0    Ok
  9  Distributed Forwarding Card WS-F6700-DFC3CXL   ---          1.0    Ok



This output shows the Fabric Switch Utilization on each Slot:



show fabric utilization
 slot    channel      speed    Ingress %     Egress %
    2          0        20G           11           55
    2          1        20G           16           13
    3          0        20G            3            7
    3          1        20G            1            2
    4          0        20G           15            2
    4          1        20G           17            3
    5          0        20G            0            0
    6          0        20G            0            0
    7          0        20G           17            2
    7          1        20G           15

Re: [c-nsp] switch for SAN

2016-01-08 Thread Chuck Church
What are your needs?  10GE?  Layer 3 capable?  There are a lot of small
Cisco switches.  The main difference between the 3650 and 3850 is the
wireless controller thing to my knowledge.  Not really beneficial to a SAN
switch.  Since Cisco tends to not publish buffer sizes for a lot of these
small switches, it's a bit of a guess.  The 2960X are decent for a lot of
purposes, maybe SAN.  That's just a guess though.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam
Greene
Sent: Friday, January 08, 2016 9:44 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] switch for SAN

Hi all,

 

I know running Catalyst switches for SAN backbone fabric is not the best
idea, due to limited buffers. 

 

However, we have been doing just that with a 3750X and Dell Equallogic
6100/4100s for quite some time, with no issues.

 

We are putting in a NetApp FAS3160 and need to add a switch. I see 3750X is
EOL and Cisco positions the 3850 as its replacement. 3850 is even slightly
less expensive than 3750X.

 

Questions:

-  Should we expect the 3850 to perform as well or better than the
3750X for this application?

-  Is there any other switch we should be looking at which is not
humongously more expensive? Maybe Nexus 3k could work, but it's a lot more
expensive. Maybe 4948E? Seems up there price-wise, too.

 

Thanks,

Adam

 



Re: [c-nsp] Equipment for a large-ish LAN event

2015-12-09 Thread Chuck Church
Isn't game traffic fairly small in bandwidth need, but very latency
dependent?  QOS seems like a good fit here.  Priority queue the game traffic
based on matched ACL, and best effort everything else, re-marking it as
necessary.  Based on previous years, what are the true bandwidth needs?  

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Laurent Dumont
Sent: Tuesday, December 08, 2015 4:23 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Equipment for a large-ish LAN event

Here is a rough draft of our usual topology. Imagine a few more "Players"
section scattered around the 2x10G rings.

We are already planning for IPV6 but that really depends on our upstream
ability to actually provide the feature. Very good point about BCP38, that
is not something we had considered. We usually segment the network for each
row of tables which usually ends up being 48 players in the same vlan.

Thanks!

        +---2x10G---+---CORE - Routing to external
        |           |
        |           |
        |           |
        |           |
  2x10G |           | 2x10G
        |           |
        |           |
        +-----+-----+ 3650 - Distribution switches for the 2x10G ring
        2x10G |
              |
              |       2960X as Access with 2x1G Uplinks
              |
              |
          +---+--+
          |      |
          |      | Players
          |      |
          +------+



On 12/8/2015 3:34 PM, Mikael Abrahamsson wrote:
> On Tue, 8 Dec 2015, Laurent Dumont wrote:
>
>> We were looking at either the Nexus 7004 chassis or the ASR 9004/9006 
>> chassis as the core "switch". We would then use 48xGigE and 1x24 SFP+ 
>> line cards. Our actual port requirements are somewhat flexible but we 
>> do need at least 4x10G Fiber ports. And at least 48 GigE ports for 
>> players or access switches.
>
> I don't really understand your topology. 2001-2004 I was involved in 
> providing network connectivity to around 2500-4500 users at Dreamhack, 
> back then the largest LAN in the world as far as we knew. Back then we 
> made do with 2x100FE for 20 computers and the core connectivity was 
> 2xGE. I'd say your design seems to be fairly similar, but with 2x10GE 
> instead, but I'm just guessing from what you wrote.
>
> ASR9k has been used before and will do just fine. Dreamhack has grown 
> a bit since I was involved:
>
>
> http://www.cisco.com/c/dam/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/dreamhack_v4acs_final.pdf
>
> http://www.extremetech.com/extreme/107245-inside-the-worlds-largest-lan-party
>
> http://www.pack4dreamhack.nl/interviews/dreamhack-behind-the-scenes-network/
>
>
>> I'm also open to any suggestion within Cisco portfolio. Our needs are 
>> pretty standard and nothing extraordinary but we would like to use 
>> this opportunity in order to try new equipment and technologies that 
>> are usually only seen within ISP and large networks.
>
> Don't forget to provide dual stack (IPv4 and IPv6) connectivity. Limit 
> your broadcast domains (I'd say 20-50 users per broadcast domain), and 
> make sure you do antispoofing (BCP38) for everybody.
>



Re: [c-nsp] Equipment for a large-ish LAN event

2015-12-09 Thread Chuck Church
-Original Message-
From: Jared Mauch [mailto:ja...@puck.nether.net] 
Sent: Wednesday, December 09, 2015 8:41 AM
To: Chuck Church <chuckchu...@gmail.com>
Cc: ldum...@coldnorthadmin.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Equipment for a large-ish LAN event

>If bandwidth isn’t an issue QoS adds no value and increases complexity 
>unnecessarily.  

I was thinking for worst case, perhaps a sore loser after getting killed in the 
game decides to generate traffic with the intention of creating issues, or 
maybe just fires up bit torrent or other bandwidth hog type things.  Granted I 
haven't played games in a good 8 years or more, but in my experience, the 
latency stats the game provides for you and others is something gamers watch.  
They'll bitch if someone next to them has a claimed 1 ms advantage.  By 
priority queuing game traffic, no matter what else is going on, the game should 
still fly.  Obviously you don't want to starve out your management protocols 
with the QOS, but that is trivial overhead.

Chuck


Re: [c-nsp] Pkt forwarding query

2015-11-02 Thread Chuck Church
I think you can policy route based on input interface.  At least I seem to
remember something along those lines that you could match input interface
on.  At least with IOS you could do that, not sure about IOS-XR.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hank
Nussbacher
Sent: Monday, November 02, 2015 2:19 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Pkt forwarding query

I am looking for a simple solution on IOS-XR where each and every pkt that
comes out of a specific interface (Gi0/1) would be auto-fwded into tunnel0
(uni-directional only).  No routing decisions, no BGP lookup, no static
routing, no FIB, no RIB, just some sort of auto-fwd rule which would bypass
the router entirely.  Possible?

Thanks,
Hank



Re: [c-nsp] ASR920 vs ISR4000

2015-09-22 Thread Chuck Church
Unless your QOS requires shaping, it seems like an L3 switch like a 3560
would work.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Michael Malitsky
Sent: Monday, September 21, 2015 8:53 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR920 vs ISR4000

I need to upgrade the edge router for one of my deployments.  Current 2811
is not expected to support the new WAN links.  I need 4-5 ports (copper is
fine), aggregate throughput up to 125Mb (not accounting for future growth),
BGP with 3-5 peers and <100 routes, and QoS.  I don't ever expect to support
telephony or MPLS.  Cisco's suggestion is to use an ISR4331.

The question is whether I should also consider an ASR920 for this role?
I've seen it mentioned on this list a few times.  It looks like both will
fill my basic requirements, price points are similar, and both run IOS-XE.
The ISR's performance is capped at 300Mb, and I can add a small number of
ports.  The ASR's performance is essentially unlimited, and I can add more
ports (by purchasing licenses).  The ISR will do encryption if I ever need
it, in software only, and the ASR will not.

Are there any major differences I am missing?  Any first-hand experiences
would be especially appreciated.

Sincerely,
Michael



Re: [c-nsp] ASR920

2015-07-31 Thread Chuck Church
I'm not sure about the ASR920, but the ASR100x can only use the SFP-GE-T
module.  GLC-T won't work.  

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Aaron
Sent: Friday, July 31, 2015 9:44 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR920

I just got an ASR920 and am having problems with getting basic Ethernet
connection from a laptop to a copper sfp port on it.

 

Config seems ok, but no connectivity, no ping, no arp entries in cache.  SFP
and utp cable test out fine on ME3600.

 

Is there something about the ASR920 that I need to know to enable ports or
something ?

 

Aaron

 



Re: [c-nsp] Random BGP Drops

2015-07-24 Thread Chuck Church
It looks like you're lumping all the traffic for routing, management,
monitoring, and undesirable into a single police statement.  There are
millions of drops as a result.  Dedicating a police statement to each class
would be far better.  Especially since undesirable is grouped in there.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Catalin Dominte
Sent: Friday, July 24, 2015 11:11 AM
To: Mark Tinka mark.ti...@seacom.mu
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Random BGP Drops

Just a few more details about this.

This did not happen on any IPv6 sessions. Only IPv4.  The v6 sessions
haven't flapped for months.

The specific thing we are looking at in the logs on the other side is this
line:
Jul 24 00:33:04  rt1 rpd[1396]: bgp_read_v4_message:10656: NOTIFICATION
received from A.B.C.D (External AS *): code 4 (Hold Timer Expired
Error), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 3040466763
snd_nxt: 3040466801 snd_wnd: 16194 rcv_nxt: 3738492361 rcv_adv: 3738508724,
hold timer out 90s, hold timer remain 1:07.779687s

More specifically: hold timer remain 1:07.779687s

Does this indicate one-way communication over the BGP session? We can't
think what would cause that apart from our CoPP policy, the relevant bit of
that is:

policy-map copp
  class routing
  class management
  class monitoring
  class undesirable
   police 600 conform-action transmit exceed-action drop
  class other
  class netbios
   police cir 32000 conform-action drop exceed-action drop violate-action drop

Hardware Counters:

class-map: undesirable (match-all)
  Match: access-group 125
  police :
600 bps 187500 limit 187500 extended limit
  Earl in slot 1 :
4182956794 bytes
5 minute offered rate 40 bps
aggregate-forwarded 4172677422 bytes action: transmit
exceeded 10279372 bytes action: drop
aggregate-forward 152 bps exceed 0 bps
  Earl in slot 4 :
54888502997 bytes
5 minute offered rate 9040 bps
aggregate-forwarded 34946501956 bytes action: transmit
exceeded 19942001041 bytes action: drop
aggregate-forward 7016 bps exceed 0 bps

  Software Counters:

Class-map: undesirable (match-all)
  276617525 packets, 36984017831 bytes
  5 minute offered rate 6000 bps, drop rate  bps
  Match: access-group 125
  police:
  cir 600 bps, bc 187500 bytes
conformed 276617377 packets, 36983876623 bytes; actions:
  transmit
exceeded 150 packets, 141208 bytes; actions:
  drop
conformed 6000 bps, exceed  bps

Class-map: other (match-all)
  109899621 packets, 10132415208 bytes
  5 minute offered rate 4000 bps
  Match: access-group 124

  Hardware Counters:

class-map: netbios (match-all)
  Match: access-group 126
  police :
32000 bps 1500 limit 1500 extended limit
  Earl in slot 1 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: drop
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
  Earl in slot 4 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: drop
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps

  Software Counters:

Class-map: netbios (match-all)
  0 packets, 0 bytes
  5 minute offered rate  bps, drop rate  bps
  Match: access-group 126
  police:
  cir 32000 bps, bc 1500 bytes, be 1500 bytes
conformed 0 packets, 0 bytes; actions:
  drop
exceeded 0 packets, 0 bytes; actions:
  drop
violated 0 packets, 0 bytes; actions:
  drop
conformed  bps, exceed  bps, violate  bps

Class-map: class-default (match-any)
  3182132665 packets, 248587325791 bytes
  5 minute offered rate 237000 bps, drop rate  bps
  Match: any
3182132679 packets, 248587324073 bytes
5 minute rate 237000 bps


Kind regards,

Catalin Dominte
Senior Network Consultant
+44(0)1628302007
Nocsult Ltd
www.nocsult.net


On Fri, Jul 24, 2015 at 2:33 PM, Catalin Dominte 
catalin.domi...@nocsult.net wrote:

 I checked this and the MSS matches on both sides:

 Juniper side:
sndsbcc:  0 sndsbmbcnt:  0  sndsbmbmax: 262144
 sndsblowat:   2048 sndsbhiwat:  32768
rcvsbcc:  0 rcvsbmbcnt:  0  rcvsbmbmax: 262144
 rcvsblowat:  1 rcvsbhiwat:  32768
proc id:   3283  proc name:rpd
iss: 1163062337  sndup: 1163062397
 snduna: 1163097242 sndnxt: 1163097242  sndwnd:  15130
 sndmax: 1163097242sndcwnd:  65535 sndssthresh: 1073725440
irs: 3033053077  rcvup: 3033087402
 rcvnxt: 3033087402 rcvadv: 3033069519  rcvwnd:  16384
rtt:  

Re: [c-nsp] Random BGP Drops

2015-07-24 Thread Chuck Church
You're right.  I meant to imply that the classes without any action could
still be hitting the undesirable one and being policed.  Had they been
explicitly transmitted via an action on the other classes they wouldn't be
evaluated against the undesirable one.  I'm thinking a BGP peer may be using
a high port on the local side, and matching against that ACL for
undesirable.

Chuck

-Original Message-
From: Daniel Dib [mailto:daniel@reaper.nu] 
Sent: Friday, July 24, 2015 12:44 PM
To: 'Chuck Church' chuckchu...@gmail.com; 'Catalin Dominte'
catalin.domi...@nocsult.net
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Random BGP Drops

As far as I can see he is just policing undesirable and netbios. The other
classes are just there without policing so it will not do something or he
didn't paste the entire config here. I don't think it looks related to CoPP
based on that output. 

I suppose a Telnet on TCP on port 179 to the other side works? Any other
indications that something isn't stable?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Chuck Church
Sent: den 24 juli 2015 17:55
To: 'Catalin Dominte'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Random BGP Drops

It looks like you're lumping all the traffic for routing, management,
monitoring, and undesirable into a single police statement.  There are
millions of drops as a result.  Dedicating a police statement to each class
would be far better.  Especially since undesirable is grouped in there.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Catalin Dominte
Sent: Friday, July 24, 2015 11:11 AM
To: Mark Tinka mark.ti...@seacom.mu
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Random BGP Drops

Just a few more details about this.

This did not happen on any IPv6 sessions. Only IPv4.  The v6 sessions
haven't flapped for months.

The specific thing we are looking at in the logs on the other side is this
line:
Jul 24 00:33:04  rt1 rpd[1396]: bgp_read_v4_message:10656: NOTIFICATION
received from A.B.C.D (External AS *): code 4 (Hold Timer Expired
Error), socket buffer sndcc: 57 rcvcc: 0 TCP state: 4, snd_una: 3040466763
snd_nxt: 3040466801 snd_wnd: 16194 rcv_nxt: 3738492361 rcv_adv: 3738508724,
hold timer out 90s, hold timer remain 1:07.779687s

More specifically: hold timer remain 1:07.779687s

Does this indicate one-way communication over the BGP session? We can't
think what would cause that apart from our CoPP policy, the relevant bit of
that is:

policy-map copp
  class routing
  class management
  class monitoring
  class undesirable
   police 600conform-action transmit exceed-action drop
  class other
  class netbios
   police cir 32000conform-action drop exceed-action drop
violate-action drop

Hardware Counters:

class-map: undesirable (match-all)
  Match: access-group 125
  police :
600 bps 187500 limit 187500 extended limit
  Earl in slot 1 :
4182956794 bytes
5 minute offered rate 40 bps
aggregate-forwarded 4172677422 bytes action: transmit
exceeded 10279372 bytes action: drop
aggregate-forward 152 bps exceed 0 bps
  Earl in slot 4 :
54888502997 bytes
5 minute offered rate 9040 bps
aggregate-forwarded 34946501956 bytes action: transmit
exceeded 19942001041 bytes action: drop
aggregate-forward 7016 bps exceed 0 bps

  Software Counters:

Class-map: undesirable (match-all)
  276617525 packets, 36984017831 bytes
  5 minute offered rate 6000 bps, drop rate  bps
  Match: access-group 125
  police:
  cir 600 bps, bc 187500 bytes
conformed 276617377 packets, 36983876623 bytes; actions:
  transmit
exceeded 150 packets, 141208 bytes; actions:
  drop
conformed 6000 bps, exceed  bps

Class-map: other (match-all)
  109899621 packets, 10132415208 bytes
  5 minute offered rate 4000 bps
  Match: access-group 124

  Hardware Counters:

class-map: netbios (match-all)
  Match: access-group 126
  police :
32000 bps 1500 limit 1500 extended limit
  Earl in slot 1 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: drop
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
  Earl in slot 4 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: drop
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps

  Software Counters:

Class-map: netbios (match-all)
  0 packets, 0 bytes
  5 minute offered rate  bps, drop rate  bps
  Match: access-group 126
  police:
  cir 32000 bps, bc 1500 bytes, be 1500 bytes
conformed 0 packets, 0 bytes; actions:
  drop
exceeded 0 packets, 0 bytes; actions
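
Added example, not part of the original thread: a Python sketch that parses the per-slot hardware counters quoted above and reports what share of each class's bytes the policer dropped, which is the number the CoPP discussion turns on. The sample text is copied from the counters as posted (police rate lines omitted); the function names and the 5% threshold are assumptions of this sketch.

```python
import re

# Hardware counters for the two policed classes, copied as posted in the
# thread (the "police :" rate lines are left out; they are not needed here).
SAMPLE = """\
class-map: undesirable (match-all)
  Match: access-group 125
  Earl in slot 1 :
4182956794 bytes
5 minute offered rate 40 bps
aggregate-forwarded 4172677422 bytes action: transmit
exceeded 10279372 bytes action: drop
aggregate-forward 152 bps exceed 0 bps
  Earl in slot 4 :
54888502997 bytes
5 minute offered rate 9040 bps
aggregate-forwarded 34946501956 bytes action: transmit
exceeded 19942001041 bytes action: drop
aggregate-forward 7016 bps exceed 0 bps
class-map: netbios (match-all)
  Match: access-group 126
  Earl in slot 1 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: drop
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
  Earl in slot 4 :
0 bytes
5 minute offered rate 0 bps
aggregate-forwarded 0 bytes action: drop
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
"""

CLASS_RE = re.compile(r"^class-map:\s+(\S+)", re.IGNORECASE)
SLOT_RE = re.compile(r"^Earl in slot (\d+)\s*:")
TOTAL_RE = re.compile(r"^(\d+) bytes$")
ACTION_RE = re.compile(r"^(aggregate-forwarded|exceeded) (\d+) bytes action: (\S+)$")


def parse_hw_counters(text):
    """Return one dict per (class, slot) with total and dropped byte counts."""
    rows = []
    current_class = None
    row = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            current_class, row = m.group(1), None
            continue
        m = SLOT_RE.match(line)
        if m:
            row = {"class": current_class, "slot": int(m.group(1)),
                   "total": 0, "dropped": 0}
            rows.append(row)
            continue
        if row is None:
            continue  # lines before the first "Earl in slot" of a class
        m = TOTAL_RE.match(line)
        if m:
            row["total"] = int(m.group(1))
            continue
        m = ACTION_RE.match(line)
        # Count bytes as dropped whenever the configured action is "drop",
        # whether they conformed to the rate or exceeded it.
        if m and m.group(3) == "drop":
            row["dropped"] += int(m.group(2))
    return rows


def drop_ratio(row):
    """Fraction of the bytes seen by this class on this slot that were dropped."""
    return row["dropped"] / row["total"] if row["total"] else 0.0


def heavy_droppers(rows, threshold=0.05):
    """List (class, slot, ratio) for entries dropping at least `threshold`."""
    return [(r["class"], r["slot"], round(drop_ratio(r), 3))
            for r in rows if drop_ratio(r) >= threshold]


if __name__ == "__main__":
    for r in parse_hw_counters(SAMPLE):
        print(f'{r["class"]:12} slot {r["slot"]}: {drop_ratio(r):.2%} dropped')
    print("over threshold:", heavy_droppers(parse_hw_counters(SAMPLE)))
```

On the posted counters, slot 1 has dropped well under 1% of the bytes in the undesirable class, while slot 4 has dropped roughly a third of them.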

Re: [c-nsp] Issues with 2921, NAT and Skype?

2015-06-11 Thread Chuck Church
Not really positive, but Skype does rely on SIP I believe.  If so, the IOS
NAT could be trying to modify the addresses in the payload, which the
NAT-awareness in Skype itself is probably trying to correct.  Leading to a
lot of confused packets.  Try adding this:

no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060

If not that, maybe it's a NAT timeout issue, maybe bump up the NAT timers.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Scott Granados
Sent: Thursday, June 11, 2015 12:53 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Issues with 2921, NAT and Skype?

Hi,

I have a strange problem and I'm not familiar with the inner workings of
Skype to know for sure but I believe I have a problem caused by my NAT
config.  In some instances, after 1 minute the video will freeze especially
when using a Skype gateway to another service.  Point to point Skype calls
for the most part work and audio is generally unimpacted.  I have a very
basic NAT setup which follows.

interface GigabitEthernet0/1
 bandwidth 5
 ip address 1.2.3.1 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 media-type sfp
!
interface GigabitEthernet4/0
 ip address 4.3.2.1 255.255.255.252
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 120 interface GigabitEthernet4/0 overload

Is there a modification to this that might better support the needs of
Skype callers originating requests from behind this router?  Any pointers
that might have some general best practices for this type of setup?  Any
ideas would be most appreciated.

Thank you
Scott

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] Logs are empty

2015-05-12 Thread Chuck Church
Plus there were thousands of syslogs that were dropped.  I'm assuming
because no hosts look to be configured?  Not sure why that's not getting to
the buffer though.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Michael Malitsky
Sent: Tuesday, May 12, 2015 2:27 PM
To: Lukas Tribus; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Logs are empty

True.  However, logging monitor plus terminal monitor change absolutely
nothing.

I do expect more messages in the buffer, especially after having debugs
turned on, for traffic that I know is transiting the router.  At least
acknowledgements of configuration changes.  Something, besides messages
incident to the router booting up.  BTW, these 13 did not show up until 3-4
hours after boot.
Thanks

Sincerely,
Michael 

-Original Message-
From: Lukas Tribus [mailto:luky...@hotmail.com]
Sent: Tuesday, May 12, 2015 12:39 PM
To: Michael Malitsky; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Logs are empty

 Working with a brand new 2911, 15.4(3)M2. I can't get anything to show 
 up in the logs.
 Neither monitor

Which is disabled via no logging monitor, so that should be expected?



 nor buffer

The show logg contains 13 messages from the buffer logging. Do you expect
something else?


Lukas

  


Re: [c-nsp] Storm-control Issue

2015-04-13 Thread Chuck Church
Doesn't the output of 'show int capab' tell you if it's got that ability?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: Monday, April 13, 2015 11:33 AM
To: M K; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Storm-control Issue

On 13/04/2015 16:47, M K wrote:
 The line card in use is 48 10/100 mb rj45

It would be helpful to provide a line card model number.

Nick



Re: [c-nsp] Whatsup Calls

2015-04-02 Thread Chuck Church
Well, it's possible he's working for a company where policy is in certain
locations, no phone devices are allowed.  Only the phones the company
provides are allowed in those areas.  Security concerns could be the reason.
Not all of us on this mailing list work for ISPs and provide general
Internet service.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Mihai Tanasescu
Sent: Thursday, April 02, 2015 6:49 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Whatsup Calls

On 4/2/15 12:24 PM, Roland Dobbins wrote:

 On 2 Apr 2015, at 17:06, M K wrote:

 Whatsup released voice recently , i wonder does Cisco SCE has the 
 ability to block it ?
 Why do you want to block a valuable service WhatsApp users have been 
 requesting for quite some time?

 ---
 Roland Dobbins rdobb...@arbor.net

Because he probably works for one of those monopoly behaving Telcos that
still think the big bucks are made with international calls over their GSM
network:)




Re: [c-nsp] OT: NTP windows servers

2015-03-26 Thread Chuck Church
I guess I assumed windows using DNS correctly was wrong.  There is a way to 
flush dns (I think it’s ipconfig /flushdns) but it really shouldn’t be 
necessary.

 

Chuck

 

From: Scott Voll [mailto:svoll.v...@gmail.com] 
Sent: Thursday, March 26, 2015 11:33 AM
To: Chuck Church
Cc: Eric Louie; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: NTP windows servers

 

TTL is 1 hour. this lasted over 2 weeks before we changed from FQDN to 
IP.  which corrected the problem.

 

On Thu, Mar 26, 2015 at 8:20 AM, Chuck Church chuckchu...@gmail.com wrote:

What was the TTL of the DNS entry?  I'm assuming windows DNS respects TTLs
and re-polls when it expires?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Scott Voll

Sent: Thursday, March 26, 2015 10:44 AM
To: Eric Louie
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: NTP windows servers

we ended up changing the NTP FQDN to the IP and restarted services and it
fixed it.  It's like the FQDN only gets resolved once and never again.  So
after changing it to the IP I'm guessing I could change back to the FQDN.
 we were just hoping that changing the DNS was going to fix it.

Scott

On Wed, Mar 25, 2015 at 4:50 PM, Eric Louie elo...@techintegrity.com
wrote:

 restarting the NTP service might fix the problem, although if I'm
 reading this right, you restarted the Windows Servers after changing the
NTP source.

 I'm assuming that you changed the C:\Program Files
 (x86)\NTP\etc\ntp.conf file to use the new address AND removed the old
 one.  Directions from there are to stop and start the NTP service.



 On Mon, Mar 16, 2015 at 12:54 PM, Scott Voll svoll.v...@gmail.com wrote:

 I am migrating NTP from one router to another (and changing IP
addresses).

 All our servers were pointing to the old router for NTP.

 I have changed the NTP source on those servers to the new one.
 restarted and if I log an ACL for NTP, I'm still seeing the servers
 connect to the old router.  Any ideas on how to fix that?  I'm not a
windows server guy.

 TIA

 Scott




Re: [c-nsp] OT: NTP windows servers

2015-03-26 Thread Chuck Church
What was the TTL of the DNS entry?  I'm assuming windows DNS respects TTLs
and re-polls when it expires?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Scott Voll
Sent: Thursday, March 26, 2015 10:44 AM
To: Eric Louie
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OT: NTP windows servers

we ended up changing the NTP FQDN to the IP and restarted services and it
fixed it.  It's like the FQDN only gets resolved once and never again.  So
after changing it to the IP I'm guessing I could change back to the FQDN.
 we were just hoping that changing the DNS was going to fix it.

Scott

On Wed, Mar 25, 2015 at 4:50 PM, Eric Louie elo...@techintegrity.com
wrote:

 restarting the NTP service might fix the problem, although if I'm 
 reading this right, you restarted the Windows Servers after changing the
NTP source.

 I'm assuming that you changed the C:\Program Files 
 (x86)\NTP\etc\ntp.conf file to use the new address AND removed the old 
 one.  Directions from there are to stop and start the NTP service.



 On Mon, Mar 16, 2015 at 12:54 PM, Scott Voll svoll.v...@gmail.com wrote:

 I am migrating NTP from one router to another (and changing IP
addresses).

 All our servers were pointing to the old router for NTP.

 I have changed the NTP source on those servers to the new one.  
 restarted and if I log an ACL for NTP, I'm still seeing the servers 
 connect to the old router.  Any ideas on how to fix that?  I'm not a
windows server guy.

 TIA

 Scott





Re: [c-nsp] BGP dram confusion

2015-03-12 Thread Chuck Church
This.

...isn't a sentence.  And since when isn't a 3BXL large enough for a full
table assuming you can live with the CPU issues.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark
Tinka
Sent: Wednesday, March 11, 2015 2:52 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP dram confusion



On 11/Mar/15 18:49, Nick Hilliard wrote:

 running full dfz on this platform has not been a good thing to do for 
 several years.

This.

Mark.


Re: [c-nsp] ospf (passive-interface default)

2015-03-03 Thread Chuck Church
Your network statements need to match the interfaces you want added into the
OSPF process.  Passive-interface doesn't play a part in what does/doesn't
get inserted into the OSPF process.  Passive-interface turns off the sending
of hello packets out that interface (and processing of any received).  So
you can have a network (interface) that is inserted into OSPF, yet can't
form any neighbors.  The configuration of OSPF directly on interfaces is a
part of OSPFv3 (for IPv6 only I believe).  

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
CiscoNSP List
Sent: Tuesday, March 03, 2015 3:41 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ospf (passive-interface default)

Hi Everyone,

Don't have a lab handy to test this, so hoping someone can answer:

If you configure:

router ospf 1
network 10.10.10.0 0.0.0.3 area 1

without passive-int default, will ospf be enabled on all Interfaces, or
just the Interface with 10.10.10.0/30 configured on it?

I was always under the impression that (best practice) is to do the
following, so that ospf is disabled on all ints, apart from the ones
configured with no passive int foo

router ospf 1
passive-int default
no passive int gi0/1
network 10.10.10.0 0.0.0.3 area 1

...and,  (As an alternative) is configuring ospf under each interface now a
method many use instead of the above example?

...I haven't tried the per int method (I will later today), but in theory,
I think having all the config under router ospf xx would be easier to
maintain...i.e. all the config is in the one section for ospf?

Cheers.
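
Added example, not part of the original thread: a Python model of the behaviour described in the reply above, where `network` statements decide which interfaces join the OSPF process and `passive-interface` only decides whether hellos are sent. The interface names and every address other than 10.10.10.0/30 are constructed, the full command forms are used instead of the abbreviations in the question, and matching statements in listed order is an assumption of this sketch.

```python
import ipaddress


def parse_router_ospf(config):
    """Pull network statements and passive-interface settings out of a
    'router ospf' block given as text."""
    parsed = {"networks": [], "passive_default": False,
              "passive": set(), "active": set()}
    for line in config.splitlines():
        words = line.split()
        if len(words) == 5 and words[0] == "network" and words[3] == "area":
            net = int(ipaddress.IPv4Address(words[1]))
            wildcard = int(ipaddress.IPv4Address(words[2]))
            parsed["networks"].append((net, wildcard, words[4]))
        elif words == ["passive-interface", "default"]:
            parsed["passive_default"] = True
        elif len(words) == 2 and words[0] == "passive-interface":
            parsed["passive"].add(words[1])
        elif len(words) == 3 and words[:2] == ["no", "passive-interface"]:
            parsed["active"].add(words[2])
    return parsed


def ospf_area_for(ip, networks):
    """Return the area of the first network statement whose address and
    wildcard mask cover this interface address, or None if none does."""
    addr = int(ipaddress.IPv4Address(ip))
    for net, wildcard, area in networks:
        care = ~wildcard & 0xFFFFFFFF  # bits the wildcard says must match
        if (addr & care) == (net & care):
            return area
    return None


def evaluate(config, interfaces):
    """Map interface name -> {'area': str or None, 'hellos': bool}."""
    parsed = parse_router_ospf(config)
    result = {}
    for name, ip in interfaces.items():
        area = ospf_area_for(ip, parsed["networks"])
        passive = name in parsed["passive"] or (
            parsed["passive_default"] and name not in parsed["active"])
        # An interface only sends hellos if it is in the process AND not passive.
        result[name] = {"area": area, "hellos": area is not None and not passive}
    return result


# Constructed interface addressing for the example.
INTERFACES = {
    "GigabitEthernet0/1": "10.10.10.1",
    "GigabitEthernet0/2": "192.168.1.1",
    "GigabitEthernet0/3": "10.20.0.1",
}

# First configuration from the question: no passive-interface default.
CONFIG_A = """\
router ospf 1
 network 10.10.10.0 0.0.0.3 area 1
"""

# Second configuration from the question, written with full command names.
CONFIG_B = """\
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.10.10.0 0.0.0.3 area 1
"""

# Constructed variant: a broad network statement, where passive-interface
# default is what keeps hellos off the interfaces not explicitly enabled.
CONFIG_C = """\
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 1
"""

if __name__ == "__main__":
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B), ("C", CONFIG_C)):
        print(label, evaluate(cfg, INTERFACES))
```

Configurations A and B give the same result for this addressing; the passive default only changes the outcome once a network statement covers more interfaces than intended, as in C.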

  


Re: [c-nsp] Block Ultra Surf v14 on ASA

2015-02-18 Thread Chuck Church
That will technically accomplish the requested goal.  There may be a bunch
of side effects though.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: Wednesday, February 18, 2015 10:48 AM
To: Mohamed Nagy; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA

On 18/02/2015 13:41, Mohamed Nagy wrote:
 I would like to block Ultra Surf v14 on ASA. How can I do it?

it runs on tcp port 443 so if you block that port, you should be good.

Nick



Re: [c-nsp] Block Ultra Surf v14 on ASA

2015-02-18 Thread Chuck Church
I’ve never dealt with Ultrasurf before (nor heard of it), but a quick google 
search lists a lot of methods to try to block it.  Everything from blocking 
google docs document that lists all proxies to blocking the proxies themselves. 
 Probably gonna be a lot of work blocking all those IPs, I’m guessing there are 
100s of them (maybe thousands).  If you control the client workstations, might 
be easier to run a workstation software inventory program to catch the 
software. 

 

Chuck

 

From: Mohamed Nagy [mailto:eng.mohamedn...@gmail.com] 
Sent: Wednesday, February 18, 2015 7:09 PM
To: Nick Hilliard
Cc: Chuck Church; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA

 

Yes, I cannot block all HTTPS ports; it will be catastrophic in my network. Is 
there another solution from the ASA?

 

On Wed, Feb 18, 2015 at 7:06 PM, Nick Hilliard n...@foobar.org wrote:

On 18/02/2015 16:53, Chuck Church wrote:
 That will technically accomplish the requested goal.  There may be a bunch
 of side effects though.

yes, it will block all https.  This is what happens when you try to block a
VPN system which was explicitly designed to be difficult to block.

The real answer to the question is that this application cannot be blocked
with an ASA.  The OP will need to buy very expensive DPI hardware to guess
what sort of port 443 traffic is https and what sort is VPN traffic.

Nick



 


Re: [c-nsp] SIP-400 error

2015-01-25 Thread Chuck Church
The SIP400 is one of the products covered by that memory issue.  Seems to be
what is going on.

http://www.cisco.com/web/about/doing_business/memory_pu.html

They should replace it with or without support on it.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Raheel Muhammad
Sent: Sunday, January 25, 2015 4:53 AM
To: jamie rishaw
Cc: Cisco NSP ((E-mail) )'
Subject: Re: [c-nsp] SIP-400 error

What if we don't have support for this device :-)

On Jan 25, 2015 12:51 PM, jamie rishaw j...@arpa.com wrote:

 Sounds like a TAC issue to me.

 On Sun, Jan 25, 2015 at 1:49 AM, Raheel Muhammad  
 raheel.muham...@gmail.com wrote:

 Dear All,

 We keep receiving this error due to which services on this slot are 
 flapping. Any idea what is it and resolution?

 SLOT 1: *Jan 24 23:37:44 KWT: %CARDMGR-4-ESF_DEV_INFO: ESF internal 
 inconsistency corrected on Egress ESF Engine: SRAM2 Parity Error
 (0x0004 0x002006A0 0x006B0008)
 SLOT 1: *Jan 24 23:37:44 KWT: %CARDMGR-4-ESF_DEV_RELOADED: The ESF 
 microcode has automatically recovered from an internal inconsistency.
 SLOT 1: *Jan 24 23:39:13 KWT: %CARDMGR-4-ESF_DEV_INFO: ESF internal 
 inconsistency corrected on Egress ESF Engine: SRAM2 Parity Error
 (0x0004 0x00200B20 0x01330008)
 SLOT 1: *Jan 24 23:39:13 KWT: %CARDMGR-4-ESF_DEV_RELOADED: The ESF 
 microcode has automatically recovered from an internal inconsistency.
 SLOT 1: *Jan 24 23:42:08 KWT: %CARDMGR-4-ESF_DEV_INFO: ESF internal 
 inconsistency corrected on Egress ESF Engine: SRAM2 Parity Error
 (0x0004 0x002006A0 0x006B0008)
 SLOT 1: *Jan 24 23:42:08 KWT: %CARDMGR-4-ESF_DEV_RELOADED: The ESF 
 microcode has automatically recovered from an internal inconsistency.
 SLOT 1: *Jan 24 23:46:30 KWT: %CARDMGR-4-ESF_DEV_INFO: ESF internal 
 inconsistency corrected on Egress ESF Engine: SRAM2 Parity Error
 (0x0004 0x002003E0 0x003F0008)
 SLOT 1: *Jan 24 23:46:30 KWT: %CARDMGR-4-ESF_DEV_RELOADED: The ESF 
 microcode has automatically recovered from an internal inconsistency.
 SLOT 1: *Jan 24 23:47:51 KWT: %CARDMGR-4-ESF_DEV_INFO: ESF internal 
 inconsistency corrected on Egress ESF Engine: SRAM2 Parity Error
 (0x0004 0x00200B80 0x01390008)
 SLOT 1: *Jan 24 23:47:51 KWT: %CARDMGR-4-ESF_DEV_RELOADED: The ESF 
 microcode has automatically recovered from an internal inconsistency.
 SLOT 1: *Jan 24 23:48:41 KWT: %CARDMGR-4-ESF_DEV_INFO: ESF internal 
 inconsistency corrected on Egress ESF Engine: SRAM2 Parity Error
 (0x0004 0x002006E0 0x006F0008)
 SLOT 1: *Jan 24 23:48:41 KWT: %CARDMGR-4-ESF_DEV_RELOADED: The ESF 
 microcode has automatically recovered from an internal inconsistency.
 *Jan 24 23:53:41 KWT: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk 
 header, chunk 0  data 24152858  chunkmagic D0D0D0D  chunk_freemagic 
 D0D0D0D -Process= BGP Scanner, ipl= 0, pid= 579 -Traceback= 
 883DF9Cz 9C341BCz 82D1F98z 82D29A0z B417004z B411278z *Jan 24 
 23:54:41 KWT: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, 
 chunk 0  data 24152858  chunkmagic D0D0D0D  chunk_freemagic D0D0D0D 
 -Process= BGP Scanner, ipl= 0, pid= 579 -Traceback= 883DF9Cz 
 9C341BCz 82D1F98z 82D29A0z B417004z B411278z *Jan 24 23:55:41 KWT: 
 %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0  data 
 24152858  chunkmagic D0D0D0D  chunk_freemagic D0D0D0D -Process= BGP 
 Scanner, ipl= 0, pid= 579 -Traceback= 883DF9Cz 9C341BCz 82D1F98z 
 82D29A0z B417004z B411278z


 Thanks
 Raheel




 --
 jamie rishaw // .com.arpa@j - reverse it. ish.

 I don't drink alcohol from that portion of the color spectrum.
   - Ron Swanson ( Nick Offerman ), Parks and Recreation



Re: [c-nsp] ASR1000 QFP/ESP utilization

2015-01-18 Thread Chuck Church
Thanks, it does seem like it's more of a CPU load than a % of the maximum 
bandwidth your ESP is capable of.  I guess I'll just watch the bps counters 
along with the TailDrops in the other command output.

Chuck

-Original Message-
From: Łukasz Bromirski [mailto:luk...@bromirski.net] 
Sent: Friday, January 16, 2015 2:10 PM
To: Chuck Church
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1000 QFP/ESP utilization

Chuck,

 On 15 Jan 2015, at 13:06, Chuck Church chuckchu...@gmail.com wrote:
 
 I took that as
 meaning the % of BW against your ESP limit such as 5 gigabit in this case.
 Our two I'm looking at (both running 3.7.4) look like this (bottom 3 lines):
 
 Total (pps)  344698  357155  334210  340850
 (bps)   2266105832  2329040800  2187654192  223908
 Processing: Load (pct)   4   5   4   4
 
 The % listed is 4 or 5, yet the bps total seems to be about 2.2 
 gigabit, or approaching half of what the ESP5 should be capable of 
 doing.  Should I just use the bps line and ignore the processing load 
 line?  I'm not sure what it's indicating a percentage of.  The total 
 bps line matches up pretty well with the 5 minute input count of all 
 interfaces.

The processing load (percentage) is quite low, as ESP CPU may not be tasked 
with lot of things to do on the traffic itself. Depending on the features 
configured you may be either higher or lower.

-- 
There's no sense in being precise when |   Łukasz Bromirski
 you don't know what you're talking |  jid:lbromir...@jabber.org
 about.   John von Neumann |http://lukasz.bromirski.net



[c-nsp] ASR1000 QFP/ESP utilization

2015-01-15 Thread Chuck Church
All,

We're deploying ASRs now, our first bunch were 1002 last year, and
many more 1002X this year.  I've been looking at ESP utilization, since our
first few were ordered incorrectly with ESP5.  The command show platform
hardware qfp active datapath utilization mentioned here:
http://www.gossamer-threads.com/lists/cisco/nsp/169123   seems to indicate
the last line will give you your utilization of the ESP.  I took that as
meaning the % of BW against your ESP limit such as 5 gigabit in this case.
Our two I'm looking at (both running 3.7.4) look like this (bottom 3 lines):

Total (pps)  344698  357155  334210  340850
(bps)   2266105832  2329040800  2187654192  223908
Processing: Load (pct)   4   5   4   4

The % listed is 4 or 5, yet the bps total seems to be about 2.2 gigabit, or
approaching half of what the ESP5 should be capable of doing.  Should I just
use the bps line and ignore the processing load line?  I'm not sure what
it's indicating a percentage of.  The total bps line matches up pretty well
with the 5 minute input count of all interfaces.

Thanks,

Chuck





Re: [c-nsp] ASR1006 Upgrade

2015-01-14 Thread Chuck Church
Well, yeah.  If you've got the budget to keep an $80,000+ router laying
around doing nothing most of the time, a lab is the best place to get
proficient at this.  Not all ISPs would have this luxury.  The small one I
support occasionally certainly doesn't.

Chuck

-Original Message-
From: Mark Tinka [mailto:mark.ti...@seacom.mu] 
Sent: Wednesday, January 14, 2015 7:32 AM
To: cisco-nsp@puck.nether.net
Cc: Chuck Church; 'Jordi Magrané Roig'
Subject: Re: [c-nsp] ASR1006 Upgrade

On Wednesday, January 14, 2015 02:06:28 PM Chuck Church
wrote:

 It depends on how long your maintenance window is. 
 Reloading the whole chassis is vastly easier, but you'll be down about 
 5 minutes I'm guessing. ISSU is much less.

It's not uncommon to inflate a maintenance window to account for some
unforeseen eventuality.

  Also, if you've never done ISSU, and you've got a maintenance window 
 with a lot of time, this might be the time to try the ISSU just to see 
 how it's done, and what to look out for.  There are lots of tricks and 
 gotchas.
 Easier to learn something when you're not under pressure to have 
 something fixed with minimal downtime.

Ummh - lab?

Mark.




Re: [c-nsp] ASR1006 Upgrade

2015-01-14 Thread Chuck Church
It depends on how long your maintenance window is.  Reloading the whole
chassis is vastly easier, but you'll be down about 5 minutes I'm guessing.
ISSU is much less.  Also, if you've never done ISSU, and you've got a
maintenance window with a lot of time, this might be the time to try the
ISSU just to see how it's done, and what to look out for.  There are lots of
tricks and gotchas.  Easier to learn something when you're not under
pressure to have something fixed with minimal downtime.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Jordi Magrané Roig
Sent: Wednesday, January 14, 2015 6:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1006 Upgrade

Dear all,

Thank you very much for your comments. 

One more question. Which procedure do you recommend to upgrade the device,
reload or issu? The upgrade will be made in a maintenance window.

Thanks!

Date: Tue, 13 Jan 2015 21:25:25 -0700
Subject: Re: [c-nsp] ASR1006 Upgrade
From: fordl...@gmail.com
To: jordimagr...@hotmail.com
CC: cisco-nsp@puck.nether.net

disregard - I thought I read IOS-XR - yours is IOS-XE - it can be done the
way you suggest.

On Tue, Jan 13, 2015 at 9:19 PM, Scott Miller fordl...@gmail.com wrote:
The proper steps for upgrading an IOS-XR are the following:
1.  install upgrade
2.  install add
3.  install activate
4.  install commit
5.  install deactivate
6.  install remove

You can not simply boot system flash bootflash:NAME-OF-NEW-RELEASE

http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/system_management/configuration/guide/b_sysman_cg42crs/b_sysman_cg42crs_chapter_010.html

Summary of Package Management

The general procedure for adding optional
packages, upgrading a package or package set, or downgrading packages on the
router is as follows: Copy the package file or files to a local storage
device or file server. Add the package or packages on the router using the
command install add. Activate the package or packages on the router using
the install activate command. Commit the current set of packages using the
install commit command.

Scott
On Tue, Jan 13, 2015 at 8:16 AM, Jordi Magrané Roig
jordimagr...@hotmail.com wrote:
Dear Colleagues,

I'm planning to upgrade my ASR1006. I have never upgraded this model of router
before and I have a doubt. I have found the ISSU procedure to upgrade the device
but my question is if I can simply put the following command in the
configuration:

boot system flash bootflash:NAME-OF-NEW-RELEASE

and reload the device.

The ASR1006 has two ESP-20 and two RP2. In the bootflash and stby-bootflash,
I have the old image of the IOS XE and the new image of the IOS XE.

Thanks for your support.

Best regards,

Jordi








___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Fractional DS3, dsu bandwidth statement and circuit interruption

2014-12-08 Thread Chuck Church
Keep in mind you can always copy a config script into running config, that
will allow you to remotely unconfigure an interface and configure it without
risk of your CLI session being broken and the re-config part not being
applied.  So schedule your reload, copy your (hopefully tested) script into
run.  If you can get into the device remotely still (and then verify your
config change worked), you can then cancel the reload.  Else wait 5 minutes
and try again.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Doug
McIntyre
Sent: Monday, December 08, 2014 8:59 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Fractional DS3, dsu bandwidth statement and circuit
interruption

On Mon, Dec 08, 2014 at 07:26:18AM -0600, papaia wrote:
> Need to change the bandwidth statement in the DSU line item config
> (up-ing the available bandwidth for a fractional DS3), for a router
> placed remotely from my office. Lacking an off-band access to this
> router, I am wondering if that change would trigger a circuit
> connectivity drop, and if so, if there would be a recovery of such, on
> its own, or if I would be better off with feet (and hands) on the ground,
> to reload or even fix.

It will probably be disruptive, but IIRC, the subrate DS3s just used the
'dsu bandwidth' command? That gives you a chance to just type the command on
the remote, and then on the local and wait for it to sync up again.

One trick you can do, is to schedule a reload up for say 5 minutes, do your
config, see if it works, and then cancel the reload and 'write mem'.
Not quite as neat as commit confirm on JunOS, but still gives you a safety
net.

Now, if you needed to mess around with subrate T1, you would definitely need
onsite hands on, to unconfigure the t1 groups, and then reconfigure the t1
groups. But the DS3 was just the single command from what I remember.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
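
The reload-as-safety-net sequence described in this thread, written out as an added example (not code from any poster). The interface name, the script file name on flash and the bandwidth value are placeholders; `dsu bandwidth` is the command named in the thread.

```cisco
! Added example; Serial1/0, flash:ds3-bw.cfg and the value 30000 are placeholders.
!
! Contents of flash:ds3-bw.cfg, copied to the router and reviewed beforehand:
!   interface Serial1/0
!    dsu bandwidth 30000
!   end
!
! 1. Save the known-good configuration so a reload really rolls back to it.
Router# write memory
!
! 2. Arm the safety net: unless cancelled, the router reloads in 5 minutes
!    and comes back up on the startup-config saved in step 1.
Router# reload in 5
Router# show reload
!
! 3. Apply the whole change in one operation. The script is merged into the
!    running config by the router itself, so it completes even if the
!    remote session drops when the circuit bounces.
Router# copy flash:ds3-bw.cfg running-config
!
! 4. If the session survives or can be re-established, check the result.
Router# show running-config interface Serial1/0
Router# show interfaces Serial1/0
!
! 5a. Change works: disarm the reload first, then make the change permanent.
Router# reload cancel
Router# write memory
!
! 5b. Router unreachable: do nothing. The scheduled reload discards the
!     unsaved change and restores the configuration from step 1.
```

Do not run `write memory` on an unverified change while the reload is still pending; a reboot would then come up on the change instead of rolling it back.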


Re: [c-nsp] EVCs/BDIs/SVIs

2014-09-16 Thread Chuck Church
Last I checked, the BDI will only support MST for a spanning tree protocol.
That was a show-stopper for us, weren't prepared for a migration everywhere
to that.  There are also more limitations for BDIs - 
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/configuration/guide/chassis/asrswcfg/bdi.html#pgfId-1054861

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
James Bensley
Sent: Tuesday, September 16, 2014 4:30 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EVCs/BDIs/SVIs

What is the different between a BDI on ASRs and an SVI?

Looking around the Internet they seem to be SVIs that you can bridge a
service instance to except they are called Bridge Domain Interface instead
of Switch Virtual Interface (I guess because these are routers not
switches?).

Any other difference apart from the name? Are they essentially SVIs?


Cheers,
James.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ASR1001 RAM

2014-08-12 Thread Chuck Church
I've been talking to our Cisco guys about SW redundancy, and the advantages of 
sub-package mode.  They're claiming the sub-package mode uses less memory than 
the consolidated mode.  We've never played with it, but maybe something to look 
at.  

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio 
Soares
Sent: Tuesday, August 12, 2014 11:00 AM
To: 'Gabriel'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1001 RAM

Can you share these outputs from both routers ?

show cef fib
show cef table


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gabriel
Sent: Tuesday, 12 August 2014 14:36
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1001 RAM

Hi,

we have 2 ASR1001 in one location. They each receive a full table from 
different providers and have an iBGP session between them. One of them 
generated this message today:

*Aug 11 23:11:16.983: %FIB-2-FIBDOWN: CEF has been disabled due to a low memory 
condition. It can be re-enabled by configuring ip cef [distributed]

For some reason, it only saw 500k prefixes today (I'm assuming the provider is 
doing some aggregation before sending the full table?).
I had to put some filtering in place and then re-enabled CEF. IOS-XE version is 
3.07.01.S.152-4.S1

We have the exact same setup in another location (with different ISPs). The 
only difference is the IOS-XE version: 3.06.00.S.152-2.S. I saw one of these 
exceed 500k and there were no error messages whatsoever.



On Mon, Aug 11, 2014 at 9:35 PM, Rich Lewis rle...@sis.tv wrote:
 Those memory figures below are from an ASR1001 running IOS-XE 03.09.00.S / 
 15.3(2)S.

 What was the image that you ran into memory issues with? Just so I 
 know to avoid it! :-)


 -Original Message-
 From: Gustav UHLANDER [mailto:gustav.ulan...@steria.se]
 Sent: 09 August 2014 23:33

 Yea that depends on sw version.
 We ran into the issue when upgrading to a newer image on routers that 
 receive full feeds from upstream.
 Sent it to tac and they said it was memory issue.

 Sent with OWA for iPad
 
 From: cisco-nsp cisco-nsp-boun...@puck.nether.net on behalf of Rich Lewis 
 rle...@sis.tv
 Sent: 6 August 2014 21:30:55


 FWIW, we have full tables on an ASR1001 with 4GB RAM, and with 
 add-path
 enabled:

 503890 network entries using 124964720 bytes of memory
 982424 path entries using 110031488 bytes of memory BGP using
 281251490 total bytes of memory

 I guess it depends what else you're doing, but 4GB would seem ample 
 on the face of it.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR1001 RAM

2014-08-06 Thread Chuck Church
That seems crazy that 4GB can't support a full table.  I know the ASR halves
its memory to support SW redundancy, but still.  You don't have SSO
configured on the ASR do you?  I saw that that split the memory in half once
again.  Not at all necessary on a 1001.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Richard Hicks
Sent: Wednesday, August 06, 2014 1:33 PM
To: CiscoNSP List
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1001 RAM

We just purchased these 16GB kits for our ASR1001's:

http://www.memoryx.com/masr1k100116gb.html

Haven't had any problems.

The 4GB that come default on the ASR1001's cannot hold a full BGP routing
table.

I tried to get our Cisco Rep and Reseller to recommend Cisco Approved RAM
but they would not bite.
Said they were concerned that any non-Cisco branded memory would not be up
to the task.  Hog wash.

$15k list price for 16GB of standard ECC RAM is criminal.


On Tue, Aug 5, 2014 at 7:36 PM, CiscoNSP List cisconsp_l...@hotmail.com
wrote:

 Hi Guys,

 Can anyone please recommend (Non Cisco) ram for the ASR1001's ?

 Cheers.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] IOS: catch 22 when enabling new bgp neighbors

2014-06-20 Thread Chuck Church
Any reason you can't null route that remote neighbor host, configure the
neighbor and shut it down, then remove that static route?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Lukas Tribus
Sent: Friday, June 20, 2014 10:40 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IOS: catch 22 when enabling new bgp neighbors

Hey guys,


I feel like this is a stupid question with a simple solution, but I just
don't see it:

When I configure a new BGP session, before I can shutdown the neighbor or
apply a specific peer-group/session-template/policy-template, I need to
configure the remote-as, so the first command in the address-family is:

 neighbor 2001::123 remote-as 65005


Now, if I don't specify the policies right away, or shutdown the session
right away (or the ssh terminal slows down for whatever reason), IOS will
establish the BGP session as-is (without any policies), until I manage to
configure the rest.

In that case, I'm leaking everything I have to the other side for a short
period of time, possibly triggering max-prefix limits or causing other
nastiness.

Especially when using SSH and configuring long IPv6 addresses on IOS-XE
here, this seems to be a problem, copy'n'pasting from notepad is not enough
in that situation (somehow, the terminal slows down when pasting the config
to some 2 - 3 chars per second).


Any way to make IOS(-XE) behave in a more sane way so I can configure
everything *before* the session brought up? Like defaulting to shutdown or
something like that?


Let me know how you guys avoid this problem.



Thanks!

Lukas

  


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
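
Chuck's suggestion above as a worked sequence, added here as an example and not taken from any poster's configuration. The neighbor address and remote AS are the ones in the question; the local AS 64512, the route-map names and the prefix limit are placeholders, and the route-maps are assumed to exist already.

```cisco
! Added example; AS 64512, PEER-IN, PEER-OUT and the limit 100 are placeholders.
configure terminal
 !
 ! 1. Black-hole the peer address. Replies to the peer are dropped, so no
 !    TCP session can complete while the neighbor is only half configured.
 ipv6 route 2001::123/128 Null0
 !
 router bgp 64512
  ! 2. remote-as has to be the first neighbor command; with the null route
  !    in place the session stays down however slowly the rest is pasted.
  neighbor 2001::123 remote-as 65005
  ! 3. Administratively shut the neighbor.
  neighbor 2001::123 shutdown
  !
  ! 4. Attach every policy before anything can be advertised or accepted.
  address-family ipv6
   neighbor 2001::123 activate
   neighbor 2001::123 route-map PEER-IN in
   neighbor 2001::123 route-map PEER-OUT out
   neighbor 2001::123 maximum-prefix 100
  exit-address-family
 !
 ! 5. Remove the black hole. The neighbor is still shut down.
 no ipv6 route 2001::123/128 Null0
end
!
! 6. Review before enabling: the neighbor should show Idle (Admin) and the
!    running config should carry both route-maps and the prefix limit.
show bgp ipv6 unicast summary
show running-config | section router bgp
!
! 7. Bring the session up only after the review.
configure terminal
 router bgp 64512
  no neighbor 2001::123 shutdown
end
```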


Re: [c-nsp] purpose of asr management port?

2014-05-30 Thread Chuck Church
From what I've read, the netflow export is the only thing you can't do on
the management port.  Everything else (ntp, tacacs, snmp, syslog, ssh, file
copy, whatever) should work.  Granted you need to put it in a VRF, but
that's trivial since it's local.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Andrew Miehs
Sent: Thursday, May 29, 2014 7:53 PM
To: Mike
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] purpose of asr management port?

Out of band management network instead of the console port.

Sent from a mobile device

 On 30 May 2014, at 5:04, Mike mike-cisconspl...@tiedyenetworks.com
wrote:
 
 Hi,
 
 The more I look at it, the value of the onboard management port seems to
be zero. While I love the idea of out of band and so forth, there are things
like aaa / netflow / snmp / ssh and so forth that I want to be able to do
but apparently can't be done with the build-in port, and so I'm going to
burn an official gig port to do those jobs instead.
 
 Can anyone give me a concrete use case for the built in management gig
port or should I just treat it like an unwanted appendage and move on?
 
 Mike-
 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Replace NVRAMBattery - decrease impact

2014-04-02 Thread Chuck Church
I suppose you could.  It'd be a lot like playing 'Operation'.  Don't touch
the sides.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Rolf Hanßen
Sent: Wednesday, April 02, 2014 5:38 AM
To: Andrew Clark
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Replace NVRAMBattery - decrease impact

Slot 2,3 and 4 are not in use, I could remove the cover-cards and access the
front part of slot 5 easily.

 The battery is right on the board behind the faceplate. I don't see 
 how you could replace it without removing the sup at least part way.
 I will say I've seen failures on this particular test that were 
 resolved by just reseating the battery.

 Andrew

 On Apr 1, 2014, at 11:00 AM, cisco-nsp-requ...@puck.nether.net wrote:

 Replace NVRAMBattery - decrease impact



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] 3750E to stack of 2960x.....

2014-03-04 Thread Chuck Church
Are the physical links up?  They see each other via CDP?   If so, are the
channels up (assuming LACP or PAgP)?  If those are up, check spanning tree
on both sides.  Could be a disagreement on channels or native VLAN, or
something err-disabled.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Scott Voll
Sent: Tuesday, March 04, 2014 10:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 3750E to stack of 2960x.

I have a building that has a 3750E at the core and access layer with some
new 2960X's

I have both a stack of two and a single.

Both have a port channel up to the 3750E.

Both have now lost their uplinks to the 3750E within two days of being
installed.

Anyone have any ideas as to what to look for?

I see nothing in the syslogs of either the 2960x or the 3750E.

I'm thinking Spanning tree?  or VTP?  or ??

Areas you would look at?

TIA

Scott

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] SPA Module compatibility

2014-02-20 Thread Chuck Church
This is what you need.  The SPA modules are for other platforms.

http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/2600-3600-3700-series-t3-e3-network-module/product_data_sheet09186a008010fba2.html

See the note at the bottom of table 1 regarding the SM-NM-ADPTR module
needed.


Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex
Nyagah
Sent: Thursday, February 20, 2014 3:19 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SPA Module compatibility

Hello Team,

I have Cisco 3900 series routers and I want to get E3 and DS3 lines from a
local provider. Which SPA cards are compatible with the 3900 routers. I have
ordered
SPA-XT3/E3 but from the various sources am not sure it is compatible with
the router.
I will appreciate team advice..

-- 

*Alex *
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ARP problems with UCS FI 6140XP

2014-01-17 Thread Chuck Church
Not really sure what an 'FI' is, but can you set the mac address aging time
on this FI to something longer than 5 minutes, and or have the netflow
collector do 'something' to send traffic, like configure NTP on it?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe
Loiacono
Sent: Friday, January 17, 2014 9:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ARP problems with UCS FI 6140XP

I have a host that is receiving netflow UDP exports. A couple times a day
the export flow stops. The MAC address is getting dropped from the FI MAC
address table. A simple HTTP access to the host restores the MAC address and
the flow.

It looks like CIMC logging is for system events only. Is there a way I can
debug or log *network* messages (e.g., ARP, etc.)

Thanks,

Joe Loiacono
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Memory testing

2014-01-16 Thread Chuck Church
Anyone,

 

Got a 3845 with a gig of RAM that has been crashing with a
memory parity error.  Got some replacement memory on the way.  The funny
part is the router was fine while we were burning it in for a few days.  I'm
not sure if the traffic passing through or the memory usage from the full
table is causing the crashing that didn't show up with the router 'just
sitting there turned on'.  I'd like to test this thoroughly with the
replacement memory in there to make sure it's not the chassis itself.
Thinking of giving it an iBGP session to another router to get a full table
and let it sit for a few days, and then swap the memory modules around (slot
0 move to slot 1, slot 1 move to slot 0) so in theory all memory cells get
'touched'.  Anyone see a hole in this theory, or have a better idea?  Router
is out of Smartnet by the way.

 

Thanks,

 

Chuck

 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] 2960S vlan ACL eating some L2 transit packets!?

2014-01-13 Thread Chuck Church
Is there a bug that is setting the Ethernet broadcast bit accidentally
internally?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Patrick M. Hausen
Sent: Monday, January 13, 2014 2:16 PM
To: Gert Doering
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 2960S vlan ACL eating some L2 transit packets!?

Hi, Gert,

On 13.01.2014 at 17:36, Gert Doering g...@greenie.muc.de wrote:
> Question 1: is that documented anywhere?  ACLs on interface vlan X on
> a layer2-only switch used to only apply to management traffic,
> never ever to transit traffic

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/2960scg.pdf

Looks to me like you are correct. pp. 31-18 ff.

Bug?

Best regards
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe Tel. 0721 9109 0 * Fax
0721 9109 100
i...@punkt.de   http://www.punkt.de
Managing Director: Jürgen Egeling  District Court Mannheim 108285





___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Static Default route missing

2013-11-15 Thread Chuck Church
Is it possible the static default was in the running config, but not the 
startup, and the router rebooted?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Methsri 
Wickramarathna
Sent: Thursday, November 14, 2013 11:54 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Static Default route missing

Hi all,
Yesterday we had a strange behavior on one of our Cisco 1841 routers. It was
suddenly unreachable, and when we troubleshot the issue we found out the
router was missing its default route. Initially we thought that someone may
have accidentally removed it. TAC logs are enabled on the router, so I have gone
through all the logs and found no record regarding the route being removed.

We are taking router backups daily so I have compared previous router backups
and found out the default route was there on 12th November and missing on 13th
November 2013.

Any idea about this issue?

Router IOS :- c1841-adventerprisek9-mz.150-1.M4.3.bin



~~( ŊëŌ )~~
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Chuck Church
Is there an IP address on the interface the default is using, or is it using 
DHCP?  DHCP can add a default route to the table, but wouldn't show up in 
either config.

Chuck


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Methsri 
Wickramarathna
Sent: Friday, November 15, 2013 9:50 AM
To: Harold 'Buz' Dale
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Static Default route missing

Nick  Router is enabled with tacacs+ AAA ... I can see all the commands 
entered with the usernames...

Chuck  Router isn't rebooted .. uptime was 30 weeks :(

Harold  Router statement missing from both running and startup configs ... 
When I enter *show ip route 0.0.0.0* it says network not available :(

Any ideas ???/


On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale buz.d...@usg.edu wrote:

 My first thought was that it rebooted and wasn't in the saved config. 
 IS the route statement missing or just the route from the table?
 Luck,
 Buz

 On 11/15/13, 6:42 AM, Nick Hilliard n...@foobar.org wrote:

 On 15/11/2013 10:44, Methsri Wickramarathna wrote:
  Any Ideas ???
 
 most likely to be someone's typo.  Best idea to enable logging and 
 tacacs+ AAA on the device so that you can see what's going on and who 
 did it.  AAA logging is an invaluable tool for follow-up problem diagnosis.
 
 Nick
 

~~( ŊëŌ )~~


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] policy routing by dest port?

2013-11-12 Thread Chuck Church
Wouldn't there be some NATing involved?  Else what is your DNS server going
to do with a destination address that it doesn't own?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Tuesday, November 12, 2013 11:26 AM
To: 'Cisco-nsp'
Subject: [c-nsp] policy routing by dest port?

Hi,

 I have a situation which may require me to reroute all dns traffic in
my network coming from subscribers destined to offsite resolvers, over to
one of my own resolvers instead. The subscribers are all terminated on 7201
and effectively I would like to have a rule I can drop in that says 'dns
traffic to anywhere but my official resolvers is forwarded here'. The
subscribers are mostly pppoe which means lots of virtual access interfaces
on the router, and no adjusting the supplied dns servers via ppp won't do (I
need to overcome corrupt / hijacked cpe which are ignoring these values).

Thanks for any pointers.

Mike-


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] TAC hits a new record level of aggravation...

2013-11-03 Thread Chuck Church
It's not just the TAC tool that has been suck-ified.  The replacement for
the dynamic configuration tool sucks.  Tried it a few days ago, first thing
it asks for is a whole bunch of customer info.  I just wanted to verify if
there is a non-EOS OC-3 POS that would work with a 6500.  Painful.  Today it
crashes when I find what I think is the right link.  Then the replacement
for Software Advisor is Software Research.  It takes looking around to find
that Research doesn't cover many devices, and you eventually find a link to
the old software advisor.  

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark
Tinka
Sent: Sunday, November 03, 2013 1:09 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TAC hits a new record level of aggravation...

On Sunday, November 03, 2013 07:52:33 AM Jeff Kell wrote:

 Maybe we should all go back to the phone call interface. 
 Will probably get Bangalore, but who knows.  Refuse the web garbage :)

Make every case a Priority 1 case (call if you the description command on
your CLI fails, as a P1 log) - maybe they'll get the point (probably not).

Mark.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] NSP remarking IP Prec/DSCP

2013-10-22 Thread Chuck Church
Anyone,

 

Working on an issue with DSCP being set on a VoIP provider 3
or 4 AS away and the packets showing up all default when they reach our
network.  Really only thing coming in that isn't marked is a tiny amount of
Prec 7, which I suspect to be BGP itself.  Before I spend a bunch of time
calling help desks, I'm wondering if this is a common practice?  I thought
the Net Neutrality rules prevented such practice.  ISPs involved appear to
be Time Warner, Windstream, Charter, and Level 3.

 

Thanks,

 

Chuck

 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] NSP remarking IP Prec/DSCP

2013-10-22 Thread Chuck Church
Thanks Phil.  (and others who replied).  I could swear when we first peered
with these ISPs, we were seeing EF and AF31 coming from the VoIP carrier
(SIP trunks and ATA/phones).  Guess one of the ISPs noticed that somewhere
along the way.

Chuck


-Original Message-
From: Phil Bedard [mailto:phil...@gmail.com] 
Sent: Tuesday, October 22, 2013 1:32 PM
To: Chuck Church; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NSP remarking IP Prec/DSCP

Net Neutrality means everyone gets marked as zero on ingress into the
network.  If you have a specific contract with the provider maybe things
operate differently, but then you start getting into preferential treatment
of traffic...

No providers preserve incoming markings for normal Internet traffic, unless
their routers are misconfigured.

Phil 

On 10/22/13 12:22 PM, Chuck Church chuckchu...@gmail.com wrote:

Anyone,

 

Working on an issue with DSCP being set on a VoIP 
provider 3 or 4 AS away and the packets showing up all default when 
they reach our network.  Really only thing coming in that isn't marked 
is a tiny amount of Prec 7, which I suspect to be BGP itself.  Before I 
spend a bunch of time calling help desks, I'm wondering if this is a 
common practice?  I thought the Net Neutrality rules prevented such 
practice.  ISPs involved appear to be Time Warner, Windstream, Charter, 
and Level 3.

 

Thanks,

 

Chuck

 



Re: [c-nsp] 6500 IOS recommendation?

2013-10-21 Thread Chuck Church
It depends.  Last I checked, 15.1 on 6500 didn't have any support for
FlexWAN, Enhanced FlexWAN, or SIPs.  Is that still the case?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jon
Lewis
Sent: Monday, October 21, 2013 2:25 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6500 IOS recommendation?

I noticed in email from cisco today:


END-OF-LIFE NOTIFICATIONS

Cisco IOS Software Release 12.2(33)SXJ - Cisco has announced the end-of-sale
and end-of-life dates for the Cisco IOS Software Release 12.2(33)SXJ.
Customers are encouraged to migrate to the Cisco IOS Software Release
15.1(2)SY.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/end-of-life-notice-c51-729742.html

SXI is similarly affected (earlier dates).

Are people actually upgrading to 15.1SSY, or just running late 12.2(33)SXI
or SXJ until these boxes run out of resources?

--
  Jon Lewis, MCP :)   |  I route
  |  therefore you are _
http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] OSPF Over FR

2013-10-07 Thread Chuck Church
Looks like a carriage return/linefeed issue.  Composing on Unix/Linux maybe?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of M K
Sent: Monday, October 07, 2013 3:45 AM
To: c...@marenda.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF Over FR

Thanks all for the kind repliesAnd sorry for the posts but am using chrome
and usual web Hotmail interface and don't know if there is extra thing i can
do to make my posts readable :)

 From: c...@marenda.net
 To: gunner_...@live.com; cisco-nsp@puck.nether.net
 Subject: AW: [c-nsp] OSPF Over FR
 Date: Sun, 6 Oct 2013 23:38:08 +0200
 
 - ensure your HUB will be DR by setting ospf priority on the interface level
   probably you wish to set this to zero on the spokes or a very low value.
 
 - correct the network statements,
   i think it should read  network 192.168.123.0 0.0.0.255 area 0 
   for the FR-interface , using the broadcast-emulation of frame-relay.
 
   Otherwise, one single network 0.0.0.0 0.0.0.0 area 0 
   should catch'em all...
 
 - is the ospf interface type correct thru automagic ?
 
 - and probably the frame-relay-switch is just broken.
 
   Test connectivity between each router-pair
   with loopback interfaces and static routes.
 
 
  -Original Message-
  From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
  Of M K
  Sent: Sunday, October 6, 2013 17:08
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] OSPF Over FR
  
  Hi , I have three routers R1 , R2 and R3R1 is the hub and is 
  configured as below R1#sh run int s0/0.123Building configuration...
  Current configuration : 201 bytes!interface Serial0/0.123 multipoint 
  ip address 192.168.123.1 255.255.255.0 snmp trap link-status 
  frame-relay map ip 192.168.123.3 103 broadcast frame-relay map ip 
  192.168.123.2 102 broadcast R1#sh run | sec router ospfrouter ospf 1 
  router-id 1.1.1.1 log-adjacency-changes network 1.1.1.1 0.0.0.0 area 
  0 network
  192.168.14.1 0.0.0.0 area 0 network 192.168.123.1 0.0.0.0 area 0 
  neighbor 192.168.123.2 neighbor 192.168.123.3 R2#sh run int s0/0 
  Building configuration...
  Current configuration : 190 bytes!interface Serial0/0 ip address
  192.168.123.2 255.255.255.0 encapsulation frame-relay clock rate
  200 frame-relay map ip 192.168.123.1 201 broadcast no 
  frame-relay inverse-arpend R2#R2#R2#sh run | sec router ospfrouter 
  ospf 1 router-id
  2.2.2.2 log-adjacency-changes network 2.2.2.2 0.0.0.0 area 0 network
  192.168.123.2 0.0.0.0 area 0 neighbor 192.168.123.1 R3#sh run int 
  s0/0Building configuration...
  Current configuration : 190 bytes!interface Serial0/0 ip address
  192.168.123.3 255.255.255.0 encapsulation frame-relay clock rate
  200 frame-relay map ip 192.168.123.1 301 broadcast no 
  frame-relay inverse-arpend R3#sh run | sec router ospfrouter ospf 1 
  router-id
  3.3.3.3 log-adjacency-changes network 3.3.3.3 0.0.0.0 area 0 network
  192.168.123.3 0.0.0.0 area 0 neighbor 192.168.123.1 Why on R1 i 
  cannot receive anything from R2 ?
  R1#sh ip route ospf  3.0.0.0/24 is subnetted, 1 subnetsO
  3.3.3.0 [110/65] via 192.168.123.3, 00:06:21, Serial0/0.123 Even 
  though the neighborship is up ?
  Thanks


Re: [c-nsp] Cisco IPSec VPN's (Tunnel Interfaces) migrating from 12.2.25 to 15.1.4

2013-09-13 Thread Chuck Church
I'd be surprised if something didn't migrate over automatically.  IOS will
accept older style commands, and upon parsing them, changes them to the new
format itself.  You sure you're not running 12.4(25)?  I don't think 2800s
were around for 12.2.   I've moved 2800s from 12.4 to 15.1 with no issues,
none were running IPSec though.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Blake Pfankuch - Mailing List
Sent: Thursday, September 12, 2013 5:49 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco IPSec VPN's (Tunnel Interfaces) migrating from
12.2.25 to 15.1.4

Working with a vendor who is saying that when we upgrade from 12.2.25 to
15.1.4 on a couple of 2800 series routers holding about 15 IPSec vpn's and
tunnel interfaces with EIGRP across them we are going to have to rewrite all
of the config due to completely new command syntax on 15.1.4 compared to
12.2.25.

Has anyone run into this before?  I am seeing little differences, but not
crazy amounts...

Thanks,
Blake


[c-nsp] CoPP - matching protocol ARP plus an input-interface

2013-09-12 Thread Chuck Church
All,

    Working on 871 router at a customer site.  Unknown ARP flood
coming from customer LAN was crushing router CPU, guessing about 2800
pkt/sec.  A service policy applied to control plane just matching ARP does
what expected, but when I tried to limit it to just customer-side ARP by
matching protocol ARP plus input-int VL1:

Service-policy input: CoPP

    Class-map: ARP (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: protocol arp
  Match: input-interface Vlan1
  police:
  cir 8000 bps, bc 1500 bytes
    conformed 0 packets, 0 bytes; actions:
  transmit
    exceeded 0 packets, 0 bytes; actions:
  drop
    conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
  863 packets, 132033 bytes
  5 minute offered rate 21000 bps, drop rate 0 bps
  Match: any

I don’t get any matches.  If I remove the match input-int, the counters
again start increasing for ARP.  Is it a known issue that CoPP can’t be
combined with an input-int, or maybe just ARP combined with that?  Reading
various URLS such as:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html

didn’t exactly say that, although it mentioned ARP being processed at
CEF-exception interface.   Does that explain it?


Thanks,

Chuck
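
A check for the symptom described in the post above, as an added example (not code from the thread or from Cisco): it parses counters in the format quoted there, flags a policed class that never matches while class-default carries traffic, and works out what the 8000 bps policer would admit against the estimated 2800 pkt/sec flood. The function names and the 60-byte ARP frame size are assumptions.

```python
import re

# Constructed sample: the "show policy-map control-plane" counters quoted in the post.
SAMPLE = """\
Service-policy input: CoPP

    Class-map: ARP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol arp
      Match: input-interface Vlan1
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      863 packets, 132033 bytes
      5 minute offered rate 21000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes\s*$")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
CIR_RE = re.compile(r"cir (\d+) bps, bc (\d+) bytes")


def parse_policy(text):
    """Return one dict per Class-map block, in the order they appear."""
    classes, cur = [], None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = {"name": m.group(1), "mode": m.group(2), "packets": 0,
                   "bytes": 0, "offered_bps": 0, "drop_bps": 0,
                   "matches": [], "cir_bps": None, "bc_bytes": None}
            classes.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first class
        if (m := COUNT_RE.match(line)):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := RATE_RE.search(line)):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif (m := MATCH_RE.match(line)):
            cur["matches"].append(m.group(1))
        elif (m := CIR_RE.search(line)):
            cur["cir_bps"], cur["bc_bytes"] = int(m.group(1)), int(m.group(2))
    return classes


def audit(classes):
    """Flag classes that protect nothing: (class name, finding code) pairs."""
    findings = []
    default = next((c for c in classes if c["name"] == "class-default"), None)
    default_busy = default is not None and default["packets"] > 0
    for c in classes:
        if c["name"] == "class-default":
            # Traffic landing here with no policer reaches the CPU unthrottled.
            if c["packets"] > 0 and c["cir_bps"] is None:
                findings.append((c["name"], "unpoliced"))
            continue
        if c["packets"] == 0 and default_busy:
            # With match-all, every criterion must hold for a packet to match,
            # so one criterion that never holds silences the whole class.
            combined = c["mode"] == "match-all" and len(c["matches"]) > 1
            findings.append((c["name"],
                             "never-matched-match-all" if combined else "never-matched"))
    return findings


def policer_pps(cir_bps, frame_bytes):
    """Sustained packets per second a policer admits at a given frame size."""
    return cir_bps / (8 * frame_bytes)


def admitted_fraction(cir_bps, frame_bytes, offered_pps):
    """Share of an offered packet rate that conforms to the policer."""
    return min(1.0, policer_pps(cir_bps, frame_bytes) / offered_pps)


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE)
    for name, code in audit(parsed):
        print(f"{name}: {code}")
    arp = parsed[0]
    # 60 bytes per ARP frame is an assumption; 2800 pkt/sec is the post's estimate.
    print(f"policer admits ~{policer_pps(arp['cir_bps'], 60):.1f} pkt/sec, "
          f"{admitted_fraction(arp['cir_bps'], 60, 2800):.2%} of the flood")
```

Run against periodic captures of the counters, the same audit shows whether a CoPP class added during an incident is actually catching the traffic it was written for.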





[c-nsp] CoPP - matching protocol ARP plus an input-interface

2013-09-11 Thread Chuck Church
All,

Working on 871 router at a customer site.  Unknown ARP flood
coming from customer LAN was crushing router CPU, guessing about 2800
pkt/sec.  A service policy applied to control plane just matching ARP does
what expected, but when I tried to limit it to just customer-side ARP by
matching protocol ARP plus input-int VL1:

Service-policy input: CoPP

    Class-map: ARP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol arp
      Match: input-interface Vlan1
      police:
          cir 8000 bps, bc 1500 bytes
        conformed 0 packets, 0 bytes; actions:
          transmit
        exceeded 0 packets, 0 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      863 packets, 132033 bytes
      5 minute offered rate 21000 bps, drop rate 0 bps
      Match: any

I don't get any matches.  If I remove the match input-int, the counters
again start increasing for ARP.  Is it a known issue that CoPP can't be
combined with an input-int, or maybe just ARP combined with that?  Reading
various URLS such as:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/htcpp.html

didn't exactly say that, although it mentioned ARP being processed at
CEF-exception interface.   Does that explain it?

Thanks,

Chuck

 



Re: [c-nsp] Nexu 5020 HSRP issues

2013-08-09 Thread Chuck Church
Any control plane policing in action?  If Nexus support it, I'm not sure...

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Christian Kildau
Sent: Friday, August 09, 2013 9:33 AM
To: Rati Berikaant Jokhadze
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexu 5020 HSRP issues

sw2# sh run int vlan200

!Command: show running-config interface Vlan200
!Time: Fri Aug  9 13:32:04 2013

version 5.2(1)N1(5)

interface Vlan200
  no shutdown
  description vlan fuer HNAS 10.8.200.0/24 - HSRP 10.8.200.1
  no ip redirects
  ip address 10.8.200.3/24
  hsrp version 2
  hsrp 1
    preempt
    ip 10.8.200.1

sw1# ping 10.8.200.3
PING 10.8.200.3 (10.8.200.3): 56 data bytes
64 bytes from 10.8.200.3: icmp_seq=0 ttl=254 time=2.524 ms
64 bytes from 10.8.200.3: icmp_seq=1 ttl=254 time=0.954 ms
64 bytes from 10.8.200.3: icmp_seq=2 ttl=254 time=0.854 ms
64 bytes from 10.8.200.3: icmp_seq=3 ttl=254 time=1.138 ms
64 bytes from 10.8.200.3: icmp_seq=4 ttl=254 time=0.875 ms

--- 10.8.200.3 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.854/1.268/2.524 ms




On 09.08.2013 at 14:30, Rati Berikaant Jokhadze wrote:

 Hi ,
 
 Please share us SW2 int vlan200 config.
 
 and ping result from sw1 to sw2
 
 On 08/09/2013 03:52 PM, Christian Kildau wrote:
 Hi Cisco-NSP,
 
 we're having some very strange issues while adding HSRP to our Nexus 5020
where both HSRP peers are up, but don't recognize each other, thus causing
some issues.
 
 Our config is pretty simple, running 4 VLANs and VPC. VPC is up and the
Trunks are running fine.
 
 We now added some SVIs for L3 routing which also seems to be working
fine.
 But as soon as we add HSRP config as follows:
 
 interface Vlan200
   no shutdown
   no ip redirects
   ip address 10.8.200.2/24
   hsrp version 2
   hsrp 1
     preempt
     priority 110
     ip 10.8.200.1
 
 we're facing some very strange issues.
 According to 'debug hsrp engine packet hello' both sides do send HSRP
Hello Packets, but the other end never receives them, so both peers are in
Active state:
 
 sw1# sh hsrp group 1 brief
 Interface   Grp Prio P State    Active addr      Standby addr     Group addr
 Vlan200     1   110  P Active   local            unknown          10.8.200.1      (conf)
 sw2# sh hsrp group 1 brief
 Interface   Grp Prio P State    Active addr      Standby addr     Group addr
 Vlan200     1   100  P Active   local            unknown          10.8.200.1      (conf)
 
 What could cause this?
 
 Thanks for any hint!
 
 Kind Regards
 Christian
 
 P.S.
 features are enabled of course ;-)


Re: [c-nsp] Router rebooting due to software crash.

2013-08-06 Thread Chuck Church
I think you can actually get recent 12.4 code for it.  Not the latest, but
close.  Could be a memory issue with it, a DOS against it, etc.  Reseating
the modules and memory and trying a more recent IOS might all help.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Justin M. Streiner
Sent: Tuesday, August 06, 2013 10:18 AM
To: Cisco-nsp
Subject: Re: [c-nsp] Router rebooting due to software crash.

On Mon, 5 Aug 2013, Joseph Mays wrote:

 We have a cisco 3600 that has rebooted twice in the last two hours, 
 both times due to a software crash that shows the same memory address. 
 I checked show mem and nothing is listed as operating that address, 
 at least not right now. This router has been in operation a long time 
 and has not had these problems previously. Nothing has changed in the 
 config on the router in the last several months, at least.

Another possibility is that the version of code you're running is vulnerable
to one (or more) of the many bugs that can cause a Cisco router to reload,
leak memory, etc.  12.3(6) is pretty ancient code, and the
3640 has been end-of-life since 2007, and no new code has been released for
it since probably late 2005.

I don't know what function this router serves in your network, but replacing
it with something newer that can run newer code is worth considering,
especially if it's something that can be reached from untrusted networks.

jms


Re: [c-nsp] pix 6.1(3)

2013-07-11 Thread Chuck Church
Just a guess, but maybe the Pix sequence number randomization is breaking
something.  I think you can turn it off, maybe a 'no sysopt something'
command?  There are later 6.3 images that might be usable as well, could be
a bug.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: Thursday, July 11, 2013 3:17 PM
To: Aaron
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] pix 6.1(3)

On 11/07/2013 19:20, Aaron wrote:
 that my acks from the inside computer ARE being sent at the pix.  Is 
 there something weird that you know about with this issue where only a 
 few websites are like this ?  all other web traffic flows nicely 
 through that pix.

I haven't used 6.x since 7.0 was released and that was a very long time ago,
maybe 10 years.  I can barely remember what I had for lunch today, never
mind off-beat bugs from 10 years ago.  Seriously, upgrade /  throw in trash
/ donate to your nearest museum. :-)

Nick



Re: [c-nsp] RESOLVED: Weird IPv6 problem passing Layer3 traffic

2013-07-05 Thread Chuck Church
Yeah, that actually seems worse than dropping all traffic.  I suppose your
CoPP rules could group 'unknown BGP' into its own class, rather than falling
into class default.  Seeing the drops in the unknown BGP section might be a
little more obvious than the class default drops.

Chuck


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: Friday, July 05, 2013 12:56 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RESOLVED: Weird IPv6 problem passing Layer3 traffic

On 05/07/2013 17:33, Mack McBride wrote:
 Most right thinking ISPs should have rules that rate limit rather than 
 drop the connection.

in many cases, the packet throughput from bgp session pinup to loading full
dfz will tickle CoPP limits, causing the session to be torn down.

Nick



Re: [c-nsp] Sup-720 fabric failures

2013-07-05 Thread Chuck Church
Anyone remember the term 'chip creep'?  Came across that back in a Novell
Service and Support exam a LONG time ago.  Still relevant!

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mack
McBride
Sent: Friday, July 05, 2013 12:22 PM
To: Phil Mayers; Robert Williams
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Sup-720 fabric failures

This is actually a common fault in electronics (not just routers).
As the device cools, improper solder connections separate causing issues
(ie. Something isn't making good contact).
As the device heats up the components expand and restore contact and
everything works fine.
This is in fact a fault.  Under normal conditions the device should be able
to function as long as you don't get condensation and you don't freeze the
capacitors (which freeze somewhere below 0C).
Obviously fluctuating the temperature will make the situation worse as the
poor connection eventually becomes no connect from shrinking and expanding.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Friday, July 05, 2013 5:25 AM
To: Robert Williams
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Sup-720 fabric failures

On 05/07/13 12:22, Robert Williams wrote:
 Slightly warmer than that, a cosy 15 degrees Celsius I'm afraid...

That's really weird. We have operated sup720 in places that cool.

 Any ideas?

None spring to mind, beyond a really odd hardware fault.


Re: [c-nsp] WS-C4506 dropped links which had LACP enabled under heavy load

2013-06-11 Thread Chuck Church
So are the port-channel ints dropping line protocol, or the gig-E ints
themselves?  If the gig-E ints, are you saying the non-channeled ints stay
up, but the channeled ones drop?  I would think Ethernet keepalives wouldn't
be a function of the CPU, but an ASIC thing.  Could be wrong though...

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Aaron
Sent: Tuesday, June 11, 2013 10:52 AM
To: Martin T
Cc: cisco-nsp
Subject: Re: [c-nsp] WS-C4506 dropped links which had LACP enabled under
heavy load

Keep alives need to be generated


On Tue, Jun 11, 2013 at 8:35 AM, Martin T m4rtn...@gmail.com wrote:

 Hi,

 has anyone seen a behavior where Cisco WS-C4506 drops line-protocol
 on GigE ports(WS-X4306-GB module) which have LACP enabled when SUP(Sup
 V-10GE) CPU load is ~100%? I guess that LACP frames are processed in 
 SUP CPU and it's normal to see LACPDUs time-out, but how can this 
 affect interface line-protocol?


 regards,
 Martin


Re: [c-nsp] WS-C4506 dropped links which had LACP enabled under heavy load

2013-06-11 Thread Chuck Church
Hmmm.  Perhaps Cisco's implementation of LACP and etherchannel intentionally
has the line-protocol drop when LACP neighbors time out, maybe that's how
they get un-bundled?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Martin T
Sent: Tuesday, June 11, 2013 12:14 PM
To: Aaron
Cc: cisco-nsp
Subject: Re: [c-nsp] WS-C4506 dropped links which had LACP enabled under
heavy load

Aaron,

as far as I know, keepalive frames(EtherType 0x9000) have nothing to do with
Ethernet interface line protocol. You can connect two ports with keepalive
frames disabled, but you'll still see the line protocol up. Cisco line
protocol should be link integrity check
signals sent by Ethernet transceiver circuits(PHY).


regards,
Martin


2013/6/11, Aaron dudep...@gmail.com:
 Keep alives need to be generated


 On Tue, Jun 11, 2013 at 8:35 AM, Martin T m4rtn...@gmail.com wrote:

 Hi,

 has anyone seen a behavior where Cisco WS-C4506 drops line-protocol
 on GigE ports(WS-X4306-GB module) which have LACP enabled when 
 SUP(Sup
 V-10GE) CPU load is ~100%? I guess that LACP frames are processed in 
 SUP CPU and it's normal to see LACPDUs time-out, but how can this 
 affect interface line-protocol?


 regards,
 Martin


[c-nsp] BGP timer selection with DISA

2013-06-06 Thread Chuck Church
Anyone,

Looking at adjusting our BGP neighbor keepalive/dead timers for
connection to DISA.  Our standard site config is 2 edge routers, each with a
DISA circuit/peer and iBGP between the two routers of ours.  What are
sensible timer settings for our environment?  Our router CPUs tend to run
pretty low (even though they are Sup720 and ISR or ISR G2 at small sites -
under 20%) and circuits tend to average fairly low utilization (under 50%)
over long periods.  Full DISA table is under 20,000 prefixes, so I don't
anticipate CPU issues during neighbor establishment.  Was thinking 5/20 for
DISA eBGP peers, and 3/12 for iBGP between our two.  Too aggressive?

Thanks,

Chuck Church





Re: [c-nsp] Auto Negotiate

2013-06-05 Thread Chuck Church
Since it sounds like DHCP is involved, is spanning tree portfast enabled on
the ports?  I agree with Nick, auto-neg probably isn't broken, unless some
config was put on the interface to intentionally break it.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Hilliard
Sent: Wednesday, June 05, 2013 10:20 AM
To: Harry Hambi
Cc: 'cisco-nsp@puck.nether.net'
Subject: Re: [c-nsp] Auto Negotiate

On 05/06/2013 15:07, Harry Hambi wrote:
 Been having some strange issues recently regarding auto negotiate. The 
 switches in questions are 6509 running IOS 12.217rSX3, and 3750 
 stack IOS 12.2.53rSE1. Some pc's connected to ports on these 
 switches will not get an IP address when configured to auto..

12.2(17r) is the boot-rom version.  You can get the operating software
revision using:

Router#show version | i s72033

 changed the Network Adapter Link Speed from Auto Neg to 100 meg Full 
 ...pc acquires IP, Changed to 100 meg Half, pc works.
 Port states show no errors, tried changing ports on switch no change.
 Any ideas appreciated.

I could check the cabling.  I.e. with a proper cable certification tester.
 If that's not the problem it could be crappy drivers or crappy ethernet
cards.  Cisco autoneg works pretty well on both c6500 and c3750 hardware
these days (although it is completely broken on several older units).

Nick



Re: [c-nsp] 6500 Supervisor redundancy

2013-05-29 Thread Chuck Church
If you've got a compact flash card (either a spare, or the one from the
running sup), you could put that in the new sup (if a spare, format it in
the existing sup, and copy that image file to it).  Get your console
cable/PC ready, and attach to the new sup.  In the existing sup, set the
redundancy mode to SSO.  Cross your fingers, and push the new sup in.  Break
into ROMMON, and manually boot it off the disk0: card.  'boot
disk0:s72033-' .  That should get the new sup up on the correct IOS, and
SSO should enable itself.  Set your boot statement on the existing sup, and
write it, and verify (show bootvar) that both sups agree on the boot image
and confreg.  Of course make sure boot images are in the right places now.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Edward Salonia
Sent: Wednesday, May 29, 2013 11:28 AM
To: Ben Hammadi, Kayssar (NSN - TN/Tunis)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6500 Supervisor redendancy

While your mileage may vary I have had great success in doing this exact
thing. RMA sups don't necessarily come with the same code as what you are
running. Put the new sup in (same hardware, right?) and it should boot up
into RPR standby cold due to the mismatched code. At this point copy the
code from the flash of one sup to the other 'wr mem', check 'show red' to
ensure config reg and boot var are correct and a 'redundancy reload peer'
should do the trick.

Out of curiosity, what code are you running on this?

Also is your box configured for SSO mode currently and is running in
simplex, or is it configured for RPR. If the latter, I think it may require
a reload to change modes, but I don't recall.

Good luck.

- Ed


On May 28, 2013, at 5:10 PM, Ben Hammadi, Kayssar (NSN - TN/Tunis)
kayssar.ben_hamm...@nsn.com wrote:

 Hi,
 
   My major concern is about the IOS difference, should I find a way to
check what is the IOS on the new Supervisor or this will not make difference,
I read the successful stories in Cisco websites but here I am asking
people who really did that on live Switches.
 
 Br.
 
 BEN HAMMADI Kayssar
  
 NOKIA SIEMENS NETWORKS
 Lead Engineer -BroadBand Connectivity
 JNCIE-M (#471), JNCIE-SP (#1147), CCIP
 
 
 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of ext Justin M. Streiner
 Sent: Tuesday, May 28, 2013 9:58 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] 6500 Supervisor redendancy
 
 On Tue, 28 May 2013, Ben Hammadi, Kayssar (NSN - TN/Tunis) wrote:
 
  I have a 6509 with a standalone Sup720 and I am preparing to add a 
 redundant one, I don't know the software on the new Supervisor and my 
 final goal is to make both work on SSO mode. Can someone propose a 
 procedure with happy end :) ?
 
 There are numerous resources online that talk about how to configure 
 dual supervisors in a Cat6500 switch.
 
 You might be better off asking specific questions, based on things 
 you've tried or read through, rather than asking other people to do 
 the majority of the work for you.
 
 jms


Re: [c-nsp] router selection......

2013-05-24 Thread Chuck Church
So the functions of the router aren't changing, but the bandwidth is going to
go up?  What is the current BW going through it now?  From what I've heard
about the ISR G2, the CPU doesn't go up linearly with the BW being pushed
through it.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Scott Voll
Sent: Friday, May 24, 2013 10:53 AM
To: cisco-v...@puck.nether.net; cisco-nsp@puck.nether.net
Subject: [c-nsp] router selection..

Sorry for the cross post.  But I wasn't sure which was the better forum to
post in.

I currently have a 2951 running voice, Security, VPN, and Data.  it works
really great for our current needs.  BUT we are going to start pushing more
than 300mbps and this router is only rated for 296mbps per the spec sheet.

What is the next move up to support up to gig throughput and still support
ZBFW, GRE, IPSEC, PRI's for Voice, and QoS at Gig speeds?

Do I have to separate out my WAN (use an ASR) and then continue with the
2951 for my security / voice?

What are my options?

Thanks

Scott

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Time warp?

2013-05-02 Thread Chuck Church
I've been seeing HTML and some blank emails too since yesterday.

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth
Mattinen
Sent: Wednesday, May 01, 2013 1:24 PM
To: cisco-nsp
Subject: [c-nsp] Time warp?

Am I on crack or are messages being sent from 2010 to the list?

~Seth

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Compatibility Issue

2013-05-02 Thread Chuck Church


This should cover it:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf

I don’t believe the E versus non-E chassis drop line card support, it’s the
IOS version that does.  In this case, SXH dropped support for some line
cards that SXF and earlier ones did.

Chuck

From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Murphy, Jay, DOH
Sent: Wednesday, June 30, 2010 3:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Compatibility Issue

 

All,

Anyone familiar with this module, WS-X6324-100FX-MM? Currently, it resides
in an older 6509 Catalyst with an older COS platform. The old 6509 is using
a SUP1 engine. Is this blade compatible with the newer model 6509E? I am
using a 720 sup engine, and an IOS platform. I initiated a query on
Cisco.com, to no avail. Any input?

~Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB – IP Network Management Center
Santa Fé, New México 87505

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ipsla - latency - related to cellular backhaul

2013-04-26 Thread Chuck Church
We use a decent software based router dedicated to IP SLA to source all
probes from (3845 in our case).  If you have a device at the destination
that has consistently low CPU (like an L2 switch that doesn't get clobbered
with SNMP constantly), that works good for ICMP probing.  For UDP jitter
type testing, you need an IP SLA responder.  If it's that important, you can
put a dedicated router out there (871 are dirt cheap on EBay).  

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pete
Lumbis
Sent: Friday, April 26, 2013 9:56 AM
To: Tony
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ipsla - latency - related to cellular backhaul

Some hardware platforms can offload ping, mainly Echo Reply. I know that
ASR1k and the GSR can do this off the top of my head (that is, I'm not
saying this is an exhaustive list). Echo Requests will always be generated
by the Supervisor/RP/Central CPU.

If Echo Replies are not offloaded then the possibility of jitter/higher
latency always exists and will not be a valid test compared to data plane.
If a data plane will be handled through hardware, while we have to punt a
ping to the CPU then schedule the IP Input and ICMP processes (in IOS) to
handle these. The time it takes to schedule this will vary if there are
higher priority processes running. If you sit at your desk and ping your
local gateway router you will probably see a fair amount of jitter. If you
ping something else that isn't a router, or that can offload ICMP, you'll
see both better response times and less jitter.

-Pete


On Thu, Apr 25, 2013 at 7:35 PM, Tony td_mi...@yahoo.com wrote:

 Hi,

  From: Aaron aar...@gvtc.com

  Tac says that this drop and the latency seen using various ipsla
  pings is expected since all pings are treated less than everything
  else and could be getting policed by LPTS (I don't know what LPTS is)

 Google tells me that LPTS = Local Packet Transport Services. TAC are
 meaning packets that are destined for the router control plane, not
 the forwarding plane (ie. packets TO the router, not THROUGH the router).
 Response to these packets can depend on how busy the router is and
 also any CoPP that might be implemented. Has potentially to be true.
 If you have no CoPP on the devices and they are under minimal load
 (CPU wise) then this probably shouldn't be a factor.

 Are you losing any traffic that is going through the device (ie. from
 ping tests) ?

 regards,
 Tony.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
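
The probe layout discussed in this thread (ICMP echo toward a low-CPU target, UDP jitter toward a dedicated responder, both sourced from one dedicated router) as IOS configuration. This is an added example, not configuration posted by anyone in the thread; the probe numbers, addresses and UDP port are placeholders.

```cisco
! Constructed example: addresses, probe numbers and the UDP port are placeholders.
!
! ---- Dedicated probe source (the thread uses a 3845 for this) ----
!
! Probe 10: ICMP echo toward a far-end device with consistently low CPU,
! such as an L2 switch, so that reply scheduling on the target adds little jitter.
ip sla 10
 icmp-echo 198.51.100.10 source-ip 192.0.2.10
 frequency 60
ip sla schedule 10 life forever start-time now
!
! Probe 20: UDP jitter toward a dedicated responder router at the far end.
! 100 packets, 20 ms apart, once a minute.
ip sla 20
 udp-jitter 198.51.100.20 16384 source-ip 192.0.2.10 num-packets 100 interval 20
 frequency 60
ip sla schedule 20 life forever start-time now
!
! ---- Far-end responder (a small dedicated router) ----
ip sla responder
!
! ---- Reading results on the probe source ----
! show ip sla statistics 10
! show ip sla statistics 20
```

Comparing probe 10 against an ICMP probe aimed at a busy router's own address shows how much of the measured jitter comes from the target's CPU scheduling rather than from the path.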


Re: [c-nsp] automating router failover in eBGP environment

2013-03-14 Thread Chuck Church
Since the customer is homed to two different providers they most likely have
their own AS number.  So the right way would be to have each router do eBGP to
one of the providers, and iBGP between the two routers.  Each router should
announce the customer's IP space to the provider.  BGP timers can be
adjusted down to a reasonable amount, maybe 20 seconds.  There are other
options like BFD to help as well.  HSRP will work on the inside, but not on
the outside, since it's doubtful the two WAN providers are sharing the same
subnet.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam Greene
Sent: Wednesday, March 13, 2013 5:55 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] automating router failover in eBGP environment

Hi guys,

Customer has a 7204VXR (15.1(4)M5, Advanced Enterprise K9) running eBGP to
two upstream providers on the WAN side, and to about 10 customers on the LAN
side. The (2) WAN ports and the (1) LAN port are all GigE. They have a
redundant 7204VXR they can manually fail over to when the primary router
fails.

They want to automate the failover.

My first thought is to put a switch in front of and behind the two 7204VXR's
and run HSRP, on both the LAN and WAN interfaces of the routers.

Questions:

-  Will I run into any gotchas with this approach; and
-  Is there a better way?

Convergence is a big issue. It needs to be as fast as possible. I assume BGP
peering will pass to the backup router as fast as HSRP does, since all the
BGP peers care about is the IP address they are peering with, and the
virtual IP will not change during failover.

But maybe there is a better / faster way.

Thanks for any input / advice.

Thanks,

Adam

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
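
The design from the reply at the top of this thread (one eBGP session per router, iBGP between the two routers, shortened timers, BFD, HSRP on the inside only) as IOS configuration. This is an added example, not configuration posted by anyone in the thread; the AS numbers, addresses and interface names are documentation placeholders, and reading "maybe 20 seconds" as the BGP hold time is an assumption.

```cisco
! Constructed example: AS numbers, addresses and interface names are placeholders.
! Customer AS 64500 announces 203.0.113.0/24; provider A is AS 64496.
!
! ---- R1 (primary 7204VXR, homed to provider A) ----
interface GigabitEthernet0/1
 description WAN to provider A
 ip address 192.0.2.2 255.255.255.252
 bfd interval 300 min_rx 300 multiplier 3
!
interface GigabitEthernet0/3
 description Inside LAN, HSRP active
 ip address 198.51.100.2 255.255.255.248
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
!
! Anchor route so the network statement can originate the customer prefix.
ip route 203.0.113.0 255.255.255.0 Null0
!
! eBGP to provider A with keepalive 5 s / hold 20 s and BFD-triggered teardown;
! iBGP to R2 across the inside LAN so either router can reach both providers.
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 timers 5 20
 neighbor 192.0.2.1 fall-over bfd
 neighbor 198.51.100.3 remote-as 64500
 neighbor 198.51.100.3 next-hop-self
!
! ---- R2 (second 7204VXR, homed to provider B) ----
! Same layout with its own WAN addressing toward provider B (AS 64497 here),
! inside address 198.51.100.3, the same "standby 1 ip 198.51.100.1" at the
! default priority, and an iBGP neighbor statement pointing at 198.51.100.2.
```

The hold time in use is the lower of the two sides' configured values, and `fall-over bfd` has an effect only if the provider runs BFD on its end of the link, so both settings need to be agreed with each provider.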

