Re: [c-nsp] 6500 VSS question
Anyone? Otherwise gonna ask TAC, just want to verify my thoughts.

Thanks,
Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Church, Charles
Sent: Monday, May 16, 2011 6:07 PM
To: nsp-cisco
Subject: [c-nsp] 6500 VSS question

All,

Noticed an unexpected result today when testing VSS failover. Our setup has dual sups in each chassis, with a supervisor port of each chassis connecting to the matching supervisor port on the other chassis, i.e. 1/5/4 connects to 2/5/4, and 1/6/4 connects to 2/6/4. Today when pulling out the active sup, the hot-standby took over immediately as it should, but we noticed all the linecards in the chassis with the pulled sup resetting. I was under the assumption that a sup transitioning from RPR-warm to standby hot would remain forwarding at L2, thus keeping the VSL up. Now I'm questioning that. It would explain the result, as the linecards couldn't get to an active supervisor. I'm thinking I should have a third VSL link (of that port channel) on a non-sup linecard. When we did the eFSU, we noticed real long outages of the linecards of the chassis getting the final reload as well. Possibly the same issue, no connectivity to the active sup?

Thanks,
Chuck

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 6500 VSS question
Phil,

The VSS is the 'bonding' of 2 6500 chassis into one, with one CLI controlling both chassis. Kind of like a 3750 stack. Up until I think SXI3, you were limited to one sup in each chassis. One sup would be elected the active, and the other would be the hot standby, like normal SSO, but split between chassis. With SXI3 or 4, you can add a second sup into each chassis. These sups back up the other sup in that chassis. The additional sups take the role of RPR warm. Each chassis can have at most 1 sup as either active or hot-standby, and the other sup, if up, will be RPR warm. If your active sup is lost, the hot-standby (in the other chassis) transitions to active, and the backup sup in the chassis which just lost the active sup will transition from RPR-warm to hot-standby. The VSS link exists between the two chassis to act almost like a backplane, carrying some traffic, but also state info, and other things you might find on the backplane.

Chuck Church

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, May 17, 2011 12:39 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6500 VSS question

On 17/05/11 16:31, Church, Charles wrote:
> Anyone? Otherwise gonna ask TAC, just want to verify my thoughts.

I know nothing much about VSS, but I see a couple of confusing aspects in your email; you refer to instant failover (which is SSO), RPR+ and eFSU. Can you elaborate on the exact sequence of events, and what the standby state of the other nodes and SUPs was at each point?
Re: [c-nsp] 6500 VSS question
First one up is active, the first one up in the opposite chassis becomes the standby. The other sups fall into RPR mode. Unfortunately the docs for eFSU and ISSU don't cover the 4 sup method well; the placement of the VSLs seems to be a bit of a mystery. Doesn't sound like you can have too many. Will know soon, tried to bring up another one today, but an odd bug involving an etherchannel looping frames after change to 'performance mode' killed us. Will try again soon.

Chuck

-----Original Message-----
From: Matlock, Kenneth L [mailto:matlo...@exempla.org]
Sent: Tuesday, May 17, 2011 4:44 PM
To: Murphy, William; Church, Charles; nsp-cisco
Subject: RE: [c-nsp] 6500 VSS question

I haven't looked TOO in-depth on this yet, but with VSS and 4 supervisors, do all 4 come up in SSO mode, or do the first 2 come up in SSO, and the other two come up in RPR+ mode? 4 Supervisor VSS is still VERY new, and I wouldn't be surprised if it's a hybrid of the 2 modes at this point still.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Murphy, William
Sent: Tuesday, May 17, 2011 1:09 PM
To: Church, Charles; nsp-cisco
Subject: Re: [c-nsp] 6500 VSS question

Is your redundancy mode set to RPR? I think what you are doing only works if the mode is set to SSO...

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Church, Charles
Sent: Tuesday, May 17, 2011 10:31 AM
To: nsp-cisco
Subject: Re: [c-nsp] 6500 VSS question

Anyone? Otherwise gonna ask TAC, just want to verify my thoughts.

Thanks,
Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Church, Charles
Sent: Monday, May 16, 2011 6:07 PM
To: nsp-cisco
Subject: [c-nsp] 6500 VSS question

All,

Noticed an unexpected result today when testing VSS failover. Our setup has dual sups in each chassis, with a supervisor port of each chassis connecting to the matching supervisor port on the other chassis, i.e. 1/5/4 connects to 2/5/4, and 1/6/4 connects to 2/6/4. Today when pulling out the active sup, the hot-standby took over immediately as it should, but we noticed all the linecards in the chassis with the pulled sup resetting. I was under the assumption that a sup transitioning from RPR-warm to standby hot would remain forwarding at L2, thus keeping the VSL up. Now I'm questioning that. It would explain the result, as the linecards couldn't get to an active supervisor. I'm thinking I should have a third VSL link (of that port channel) on a non-sup linecard. When we did the eFSU, we noticed real long outages of the linecards of the chassis getting the final reload as well. Possibly the same issue, no connectivity to the active sup?

Thanks,
Chuck
[c-nsp] 6500 VSS question
All,

Noticed an unexpected result today when testing VSS failover. Our setup has dual sups in each chassis, with a supervisor port of each chassis connecting to the matching supervisor port on the other chassis, i.e. 1/5/4 connects to 2/5/4, and 1/6/4 connects to 2/6/4. Today when pulling out the active sup, the hot-standby took over immediately as it should, but we noticed all the linecards in the chassis with the pulled sup resetting. I was under the assumption that a sup transitioning from RPR-warm to standby hot would remain forwarding at L2, thus keeping the VSL up. Now I'm questioning that. It would explain the result, as the linecards couldn't get to an active supervisor. I'm thinking I should have a third VSL link (of that port channel) on a non-sup linecard. When we did the eFSU, we noticed real long outages of the linecards of the chassis getting the final reload as well. Possibly the same issue, no connectivity to the active sup?

Thanks,
Chuck
[c-nsp] VRF aware tacacs
Hey all,

Simple question (hopefully). Is there any way to get the info you'd see using 'show tacacs', where you see the tacacs server statistics, while using VRF-aware TACACS with a private group? Been looking for a while, haven't found anything yet.

Thanks,
Chuck
Re: [c-nsp] Non-disruptive ISSU for Nexus 5000
Brad,

What is the consequence of doing a disruptive upgrade on one of the 5010s or 5020s? I've had a 5010 reboot due to a fan issue, with no server connectivity lost due to the redundancy. Will the one not being upgraded keep its VPCs up, or will they go down for a bit while the other is reloading? I'm not too worried about any downstream FEX modules, but keeping the VPCs up on 10 gig ports is what's important.

Thanks,
Chuck

-----Original Message-----
From: Brad Hedlund (brhedlun) [mailto:brhed...@cisco.com]
Sent: Sunday, March 13, 2011 10:53 PM
To: Church, Charles
Cc: nsp-cisco
Subject: Re: [c-nsp] Non-disruptive ISSU for Nexus 5000

Hi Chuck,

ISSU for Nexus 5000 is only supported when the switch is a Leaf on the Spanning Tree, not a Root. That might be the case with your 5010s, but not your 5020s. Reason for that is because there is a ~90 sec budget to restart the lone control plane, and that is too long for a STP root not to be sending BPDUs ;(

BTW, you can make a trunk port an Edge with the interface command:

spanning-tree port type edge trunk

Cheers,
Brad

Brad Hedlund
http://bradhedlund.com

--

On Mar 13, 2011, at 8:13 PM, Church, Charles charles.chu...@harris.com wrote:

> All,
>
> I'm having a hard time getting a non-disruptive upgrade to happen on my Nexus 5010s and 5020s. I'd really like to have non-disruptive, as we've got SAN attached Windows servers which tend to blue screen if they're unable to reach their iSCSI disks across the Nexus devices for more than a couple seconds. The topology has a pair of 5020s peered together, with a downstream 5010 pair peered together. The NetApp SAN is a VPC off the 5020s, and the servers are multiple VPCs (one for each enclosure) off the 5010s. There are no redundant links, all VPCs. All ports on the 5010s and 5020s are designated forwarding. The connections into the SAN and servers are trunks, thus not really able to fall into the 'edge' category needed for a non-disruptive ISSU. It seems a trunk can't be an edge port, even if it should be. Since I've got no redundant links, should I consider disabling spanning tree altogether until the upgrade is complete? I've got redundancy into all chassis, so the loss of one switch doing a 'disruptive' upgrade is ok, but my concern is the peer switch will drop the VPCs as well (like when you've got temporarily-mismatching things like QoS, etc). Any other way to consider?
>
> Thanks,
>
> Chuck Church
> Network Planning Engineer, CCIE #8776
> Southcom
> Harris IT Services
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Office: 864-335-9473
> Cell: 864-266-3978
> E-mail: charles.chu...@harris.com
> Southcom E-mail: charles.church@hq.southcom.mil
[c-nsp] Non-disruptive ISSU for Nexus 5000
All,

I'm having a hard time getting a non-disruptive upgrade to happen on my Nexus 5010s and 5020s. I'd really like to have non-disruptive, as we've got SAN attached Windows servers which tend to blue screen if they're unable to reach their iSCSI disks across the Nexus devices for more than a couple seconds. The topology has a pair of 5020s peered together, with a downstream 5010 pair peered together. The NetApp SAN is a VPC off the 5020s, and the servers are multiple VPCs (one for each enclosure) off the 5010s. There are no redundant links, all VPCs. All ports on the 5010s and 5020s are designated forwarding. The connections into the SAN and servers are trunks, thus not really able to fall into the 'edge' category needed for a non-disruptive ISSU. It seems a trunk can't be an edge port, even if it should be. Since I've got no redundant links, should I consider disabling spanning tree altogether until the upgrade is complete? I've got redundancy into all chassis, so the loss of one switch doing a 'disruptive' upgrade is ok, but my concern is the peer switch will drop the VPCs as well (like when you've got temporarily-mismatching things like QoS, etc). Any other way to consider?

Thanks,

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil
Re: [c-nsp] Move from SXI4 to SXI5
Just as a follow-up, the high CPU was caused by the policy routing. We needed to phase our traffic from one firewall set to another, but not all at once. So 0/0 went out the old FW, and subnet by subnet (vlan by vlan) was shifted via policy routing. Nothing complicated, deny IP going to internal destinations, permit all else. Applied gradually to ~50 VLAN interfaces. No logging on ACL of course. Anyway, we're done and policy routing is off. CPU back down to 20% now. WCCP is now on twice as many VLANs as before, no CPU difference from that.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Wednesday, January 26, 2011 6:53 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Move from SXI4 to SXI5

On 01/26/2011 11:41 PM, Church, Charles wrote:
> All,
>
> I've been contemplating moving from SXI4 to SXI5 lately for our VSS core router pair. They're currently doing 4 lite VRFs (no MPLS), all LAN modules, all 6700 series blades (10/100/1000), gig SFP, and 16 port 10 gig. Some OSPF, no other protocols. VTPv3 server, using SNMPv3 actively. Using a redundant sup in each chassis (they're in RPR mode). Acting as NTP servers, doing lots of policy routing and WCCP. Over the last few days of adding more and more policy routing and WCCP, the CPU (of active sup) has been moving up to 50% and beyond, mostly interrupt based. However in the past, I've seen really high CPU due to that NTP bug. I've heard rumors of lower CPU with SXI5 in general. Any reason not to move to this?

We've got a couple of boxes on SXI5 (very different config; no VSS, MPLS v4/v6 VPNs; sso/nsf failover) and are moving the rest over the next few weeks. No problems so far[1] and lots of nasty CEF corruption bugs fixed.

Whether it'll help you specifically I don't know; I'm surprised that WCCP and policy routing are consuming noticeable CPU. Certainly the latter should be hardware only (not sure about WCCP though). Have you examined CPU-punt traffic with a SPAN session?

[1] Minor point: no problems except the active/open bugs, which are present in all releases of SXI and not fixed yet ;o)
[c-nsp] VLAN int down on 3925, but spanning tree shows forwarding on that VLAN
Anyone seen this before? 3925 running 15.0(1)M4, with a 4 port ESW card. VLAN int is down/down, while 'show vlan-switch' shows the vlan active. Show spanning tree for this VLAN shows a switchport on the 4 port card forwarding on this VLAN. It's happened a couple times to us on this device. Shutting and un-shutting the VLAN interface brings it up, it'll be fine for days then. Any ideas?

Thanks,
Chuck
[c-nsp] Move from SXI4 to SXI5
All,

I've been contemplating moving from SXI4 to SXI5 lately for our VSS core router pair. They're currently doing 4 lite VRFs (no MPLS), all LAN modules, all 6700 series blades (10/100/1000), gig SFP, and 16 port 10 gig. Some OSPF, no other protocols. VTPv3 server, using SNMPv3 actively. Using a redundant sup in each chassis (they're in RPR mode). Acting as NTP servers, doing lots of policy routing and WCCP. Over the last few days of adding more and more policy routing and WCCP, the CPU (of active sup) has been moving up to 50% and beyond, mostly interrupt based. However in the past, I've seen really high CPU due to that NTP bug. I've heard rumors of lower CPU with SXI5 in general. Any reason not to move to this?

Thanks,
Chuck
[c-nsp] SPAN on 6500
All,

I'm running into some issues with SPAN session limitations on 6500 (SXI on a VSS pair). After reading this doc:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html

I'm led to believe that if I make the destination interface a trunk, a span source of say VLANs 10 and 20 will leave the destination port with those VLAN tags intact. This appears to match the 'encapsulation replicate' that is present on the 3560s. My end goal is to use 2 3560 switches off of the 6500s to distribute SPAN sessions to 4 separate entities. Switch A will get a SPAN session off of the 6500 consisting of VLAN groups X and Y. Switch B will get a SPAN session off of the 6500 consisting of VLAN groups X and Z. Switch A will span VLAN group X to a certain destination port, and group Y to another. Switch B will do a similar thing with VLAN groups X and Z. I'm assuming normal local SPAN. I think this relies on the SPAN off of the 6500 to keep the VLAN tags intact. Can anyone confirm if my assumption is correct?

Thanks,
Chuck
[c-nsp] Enhanced PAgP for VSS
Anyone,

I've got a 6500 VSS pair running 12.2(33)SXI4, with an attached 4500 running 12.2(54)SG. From what I can tell, they should both support enhanced PAgP. However, they don't seem to realize it, this is what they both tell me:

SCUCER02-05CRT01#sh pag 114 du      (this is the 6500 VSS pair)
PAgP dual-active detection enabled: Yes
PAgP dual-active version: 1.1

Channel group 114 dual-active detect capability w/nbrs
Dual-Active trusted group: No
          Dual-Active     Partner               Partner   Partner
Port      Detect Capable  Name                  Port      Version
Te1/3/5   No              SCUHQB02308UAS01.hq.  Te5/1     N/A
Te2/3/5   No              SCUHQB02308UAS01.hq.  Te6/1     N/A
SCUCER02-05CRT01#

SCUHQB02308UAS01#sh pag 10 du      (this is the 4510)
PAgP dual-active detection enabled: Yes
PAgP dual-active version: 1.1

Channel group 10
          Dual-Active     Partner            Partner   Partner
Port      Detect Capable  Name               Port      Version
Te5/1     No              SCUCER02-05CRT01   Te1/3/5   N/A
Te6/1     No              SCUCER02-05CRT01   Te2/3/5   N/A
SCUHQB02308UAS01#

It would appear that they both support it, there is a PAgP channel up (all 4 links are desirable). From what I've read, there isn't any configuration needed to enable this. Any idea what might be wrong?

Thanks,
Chuck
Re: [c-nsp] %ERROR: Standby doesn't support this command
Arie,

Thanks, I did confirm that we were seeing the tracebacks. Since 12.2(54) adds VRF-aware TACACS, I think we need to go to that anyway. Will give it a shot.

Chuck

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
Sent: Sunday, August 01, 2010 10:57 AM
To: Lee; Church, Charles
Cc: nsp-cisco
Subject: RE: [c-nsp] %ERROR: Standby doesn't support this command

This seems to be CSCsx87562.

Can you please see if you got some tracebacks in the log before this happened? Something like:

%SYS-3-TIMERNEG: Cannot start timer (0x) with negative offset (- YY).

See release notes for more info...

Fix should be in 12.2(54)SG

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee
Sent: Friday, July 30, 2010 21:30
To: Church, Charles
Cc: nsp-cisco
Subject: Re: [c-nsp] %ERROR: Standby doesn't support this command

On 7/30/10, Church, Charles charles.chu...@harris.com wrote:
> Anyone,
>
> I'm having issues with some 4510s with dual Sup6-E running 12.2(53)SG2 doing this on interface range command. Making our deployment kind of tough:
>
> SCUAS01(config-if)#interface range GigabitEthernet1/1 - 48
> SCUAS01(config-if-range)# switchport mode access
> %ERROR: Standby doesn't support this command
> % Command failed on interface. Aborting
> SCUAS01(config)#

I don't remember the error message, but I've had that same type of problem where a 'switchport mode access' fails when applied to a range. A

default int range g1/1 - 48
int range g1/1 - 48
switchport mode access

gets around the problem. But we have very few switches with dual supervisors, so it might be a work-around for a different problem...

Regards,
Lee

> In the release notes it claims a similar issue was fixed:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_5184.html (CSCsa67042)
>
> But that's from a while ago. I'm told by our installer guy that occasionally it is accepted, seems to depend on if the switch was recently rebooted, he claims. The interface type is correct. I tried using bug navigator, but it's not giving me any results, not sure if it's working right today, or if I've got a browser issue. Any help appreciated.
>
> Thanks,
> Chuck
[c-nsp] %ERROR: Standby doesn't support this command
Anyone,

I'm having issues with some 4510s with dual Sup6-E running 12.2(53)SG2 doing this on interface range command. Making our deployment kind of tough:

SCUAS01(config-if)#interface range GigabitEthernet1/1 - 48
SCUAS01(config-if-range)# switchport mode access
%ERROR: Standby doesn't support this command
% Command failed on interface. Aborting
SCUAS01(config)#

In the release notes it claims a similar issue was fixed:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_5184.html (CSCsa67042)

But that's from a while ago. I'm told by our installer guy that occasionally it is accepted, seems to depend on if the switch was recently rebooted, he claims. The interface type is correct. I tried using bug navigator, but it's not giving me any results, not sure if it's working right today, or if I've got a browser issue. Any help appreciated.

Thanks,
Chuck
Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself
I got bit by this just a couple weeks ago. Building a new core router for a location, couldn't ping up through the Sidewinder gateways I'm only a little familiar with. Blaming it on my lack of Sidewinder experience, turns out my default had changed to strict mode after changing the inward facing ints to strict. Doh! Seems like a warning message would be nice, like they do with portfast.

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
Sent: Thursday, July 29, 2010 3:32 PM
To: bas
Cc: Cisco
Subject: Re: [c-nsp] SXI3 strange issue, Loose mode uRPF jumps to strict by itself

On the SUP720/EARL7 unicast-rpf is a global setting on the device. If someone changes *any* interface to strict, all interfaces with u-rpf enabled will change to strict.

- jared

On Jul 29, 2010, at 3:21 PM, bas wrote:

> Hi All,
>
> Yesterday we had a strange issue. Our monitoring tool alerted that one of our boxes (SUP720-3BXL - 6506 running SXI3) became unreachable. When we logged in everything looked ok. BGP was up, OSPF was up and nothing special in logging. Still traffic had dropped to near zero. With debug ip cef drop we immediately saw that traffic was dropped due to the uRPF feature. All upstream interfaces had strict mode uRPF configured; before the problems started it was loose mode uRPF. After manually changing them back to loose mode traffic was restored.
>
> A couple of minutes before the problems started an engineer had configured a customer facing interface with strict mode uRPF. Apparently this configuration change triggered a bug that caused upstream interface loose mode to be automagically turned to strict mode.
>
> So, hereby a heads up. If your SXI3 boxes show strange behavior, quickly check uRPF.
>
> Cya,
>
> Bas
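One way to catch the condition described in this thread before it bites: audit a saved running-config for strict and loose uRPF coexisting, since on a platform where the mode is global (as Jared describes for SUP720/EARL7) one strict-mode interface silently makes every uRPF-enabled interface strict. This is an added example, not from the thread; it assumes the IOS syntax 'ip verify unicast source reachable-via rx|any' (rx = strict, any = loose), and the config it parses is constructed.

```python
"""Audit an IOS running-config for mixed uRPF modes (strict + loose).

Added example, not from the mailing list thread. Assumes the IOS
interface syntax 'ip verify unicast source reachable-via rx|any';
SAMPLE_CONFIG below is constructed for the demonstration.
"""
import re
from typing import Dict, List

# Constructed sample: two loose-mode upstreams, plus one customer-facing
# interface that an engineer has just switched to strict mode.
SAMPLE_CONFIG = """\
!
interface TenGigabitEthernet1/1
 description upstream-A
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via any
!
interface TenGigabitEthernet1/2
 description upstream-B
 ip address 192.0.2.5 255.255.255.252
 ip verify unicast source reachable-via any
!
interface GigabitEthernet2/1
 description customer-X
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
interface GigabitEthernet2/2
 description customer-Y (no uRPF)
 ip address 198.51.100.129 255.255.255.128
!
"""

URPF_RE = re.compile(r"^\s*ip verify unicast source reachable-via (rx|any)\b")


def urpf_modes(config: str) -> Dict[str, str]:
    """Map interface name -> 'strict' or 'loose' for each interface with uRPF."""
    modes: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            # 'interface <name>' opens a new stanza; indented lines belong to it
            current = line.split(None, 1)[1].strip()
            continue
        if current is None:
            continue
        m = URPF_RE.match(line)
        if m:
            modes[current] = "strict" if m.group(1) == "rx" else "loose"
    return modes


def urpf_findings(config: str) -> List[str]:
    """Return warnings when strict and loose uRPF coexist in one config.

    On a global-mode platform the loose interfaces will in fact be checked
    strictly, which is exactly what dropped the upstream traffic in the thread.
    """
    modes = urpf_modes(config)
    strict = sorted(i for i, m in modes.items() if m == "strict")
    loose = sorted(i for i, m in modes.items() if m == "loose")
    findings: List[str] = []
    if strict and loose:
        findings.append(
            "mixed uRPF modes: strict on %s; loose interfaces %s will effectively "
            "run strict on a platform where the mode is global"
            % (", ".join(strict), ", ".join(loose))
        )
    return findings


if __name__ == "__main__":
    for finding in urpf_findings(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run it against 'show running-config' output captured from a device before and after each uRPF change; an empty result means all uRPF interfaces share one mode.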
Re: [c-nsp] NX-OS - Fabric Path
Hmmm. When I looked at the 'show accounting log' on one of mine, I did see a couple other 10.1.1.x addresses other than the .50 when mine arrived. I didn't capture it, but they did have early dates which I believe were before we received them. Does seem like some test addresses. I have the same 10.1.1.1 VRF 0/0 route as well.

Chuck

-----Original Message-----
From: Charles Spurgeon [mailto:c.spurg...@mail.utexas.edu]
Sent: Saturday, July 24, 2010 6:57 PM
To: Church, Charles
Cc: Manu Chao; Peter Rathlev; Lincoln Dale; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NX-OS - Fabric Path

Thanks for posting this. I am seeing the same thing and since I know that I am the only person with access to the switches I was wondering where those addrs had come from. I am building the lab config and no one else knows which console TS lines I was using or which ints.

I have two new 5020s running 4.2(1)N1(1) that were unboxed a week and a half ago and set up in the lab area. I got a chance to work on them today and when looking at the config one of them had mgmt0 configured with 10.1.1.61 and the other had mgmt0 configured with 10.1.1.63. Both of them had the management vrf default route pointed to 10.1.1.1.

I am the only person working on these switches and I bypassed the setup config when they were powered up. I did NOT configure them with these addrs. Nor were they connected to any live network that had access to any DHCP server. I have no idea where they got this config. Probably a leftover from mfg testing?

Their mgmt0 ints were not connected to the same VLAN and I didn't see an ARP storm.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurg...@its.utexas.edu / 512.475.9265

On Mon, Jul 19, 2010 at 10:35:56PM -0400, Church, Charles wrote:
> Just be careful about connecting the mgmt0 interfaces to anything prior to configuring them. The default IP address of 10.1.1.50 on them (at least on the 4.2 5000s) will cause a spectacular ARP storm when they conflict with each other, like when you attach several unconfigured ones to the same network. Several thousand PPS, eventual reloads, etc. Our installation guys got ahead of the config guys in our new DC, nice little mess it made. Not sure why they put a default address on them, hope it's something they correct in the future.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao
> Sent: Monday, July 19, 2010 7:17 PM
> To: Peter Rathlev
> Cc: Lincoln Dale; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] NX-OS - Fabric Path
>
> Yes, but Nexus hardware is the right platform if you don't want to lose any packet in your DC ;)
>
> On Tue, Jul 20, 2010 at 12:56 AM, Peter Rathlev pe...@rathlev.dk wrote:
> > On Tue, 2010-07-20 at 08:29 +1000, Lincoln Dale wrote:
> > > right now the hardware is using a frame format that is not that of what TRILL uses (and as such we're using a Cisco-defined ethertype), however the hardware is capable of supporting standards-based TRILL as and when the standard is finalised/ratified.
> >
> > Would that hardware happen to be the EARL8? And would there be any chance that us old skool Cat6500 guys get to share the thrill of TRILL (or similar)? :-)
> >
> > --
> > Peter
Re: [c-nsp] NX-OS - Fabric Path
Just be careful about connecting the mgmt0 interfaces to anything prior to configuring them. The default IP address of 10.1.1.50 on them (at least on the 4.2 5000s) will cause a spectacular ARP storm when they conflict with each other, like when you attach several unconfigured ones to the same network. Several thousand PPS, eventual reloads, etc. Our installation guys got ahead of the config guys in our new DC, nice little mess it made. Not sure why they put a default address on them, hope it's something they correct in the future.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao
Sent: Monday, July 19, 2010 7:17 PM
To: Peter Rathlev
Cc: Lincoln Dale; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NX-OS - Fabric Path

Yes, but Nexus hardware is the right platform if you don't want to lose any packet in your DC ;)

On Tue, Jul 20, 2010 at 12:56 AM, Peter Rathlev pe...@rathlev.dk wrote:
> On Tue, 2010-07-20 at 08:29 +1000, Lincoln Dale wrote:
> > right now the hardware is using a frame format that is not that of what TRILL uses (and as such we're using a Cisco-defined ethertype), however the hardware is capable of supporting standards-based TRILL as and when the standard is finalised/ratified.
>
> Would that hardware happen to be the EARL8? And would there be any chance that us old skool Cat6500 guys get to share the thrill of TRILL (or similar)? :-)
>
> --
> Peter
Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection
-----Original Message-----
From: Reinhold Fischer [mailto:reinhold.fisc...@gmx.net]
Sent: Sunday, July 11, 2010 11:12 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection

Are you negotiating the channel (PAGP/LACP) or is it configured to channel mode ON? IIRC Cisco recommends ON for the VSL. The behaviour that you describe looks like one interface is configured to mode ON and the other end tries to negotiate the portchannel.

hth,
Reinhold

Yep, I'm using 'on'. Here's the config for the Po and physical ints. Same on the other one too:

interface Port-channel10
 description Switch 1 link to Switch 2
 no switchport
 no ip address
 switch virtual link 1
 mls qos trust cos
 no mls qos channel-consistency
end

Router#sh run int t1/5/4
Building configuration...

Current configuration : 116 bytes
!
interface TenGigabitEthernet1/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 10 mode on
end

Thanks,
Chuck
Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection
Thanks Brad. I did that step on both, both of them rebooted, but both come up as the active sup, since the VSL link won't come up. The config on switch 2 is correct Reinhold, using port channel 20 and link 2 on that one. I'll be back with the devices tomorrow morning, I'll dig through the logs and some other int troubleshooting tomorrow.

Chuck

-----Original Message-----
From: Brad Hedlund (brhedlun) [mailto:brhed...@cisco.com]
Sent: Sunday, July 11, 2010 12:19 PM
To: Church, Charles
Cc: Reinhold Fischer; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection

Charles,

FWIW, this happened to me once and it turned out I forgot the last step in the VSS conversion process: 'switch mode accept virtual'.

Cheers,
Brad

Sent from my iPhone

Brad Hedlund, CCIE 5530
Cisco Systems, Inc.
Technical Solutions Architect Data Center
http://bradhedlund.com

On Jul 11, 2010, at 11:09 AM, Church, Charles <charles.chu...@harris.com> wrote:

-----Original Message-----
From: Reinhold Fischer [mailto:reinhold.fisc...@gmx.net]
Sent: Sunday, July 11, 2010 11:12 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection

Are you negotiating the channel (PAGP/LACP) or is it configured to channel mode ON? IIRC Cisco recommends ON for the VSL. The behaviour that you describe looks like one interface is configured to mode ON and the other end tries to negotiate the portchannel.

hth,
Reinhold

Yep, I'm using 'on'. Here's the config for the Po and physical ints. Same on the other one too:

interface Port-channel10
 description Switch 1 link to Switch 2
 no switchport
 no ip address
 switch virtual link 1
 mls qos trust cos
 no mls qos channel-consistency
end

Router#sh run int t1/5/4
Building configuration...

Current configuration : 116 bytes
!
interface TenGigabitEthernet1/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 10 mode on
end

Thanks,
Chuck
Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection
Brad,

Sorry, I misread this initially as the 'switch convert mode virtual' command. That was the one I did on both. It's my understanding that with SXI, you no longer need the 'accept' command. I seem to remember SXI rejecting that a few months ago. I didn't try that again since. I'm running SXI4.

Thanks,
Chuck

-----Original Message-----
From: Brad Hedlund (brhedlun) [mailto:brhed...@cisco.com]
Sent: Sunday, July 11, 2010 1:48 PM
To: Church, Charles
Cc: Reinhold Fischer; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection

Charles,

You should only need to type 'switch mode accept virtual' just once, on the primary switch. If you typed it on each switch it tells me the VSL link never formed properly in the initial conversion process.

Cheers,
Brad

Sent from my iPhone

Brad Hedlund, CCIE 5530
Cisco Systems, Inc.
Technical Solutions Architect Data Center
http://bradhedlund.com

On Jul 11, 2010, at 11:33 AM, Church, Charles <charles.chu...@harris.com> wrote:

Thanks Brad. I did that step on both, both of them rebooted, but both come up as the active sup, since the VSL link won't come up. The config on switch 2 is correct Reinhold, using port channel 20 and link 2 on that one. I'll be back with the devices tomorrow morning, I'll dig through the logs and some other int troubleshooting tomorrow.

Chuck

-----Original Message-----
From: Brad Hedlund (brhedlun) [mailto:brhed...@cisco.com]
Sent: Sunday, July 11, 2010 12:19 PM
To: Church, Charles
Cc: Reinhold Fischer; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection

Charles,

FWIW, this happened to me once and it turned out I forgot the last step in the VSS conversion process: 'switch mode accept virtual'.

Cheers,
Brad

Sent from my iPhone

Brad Hedlund, CCIE 5530
Cisco Systems, Inc.
Technical Solutions Architect Data Center
http://bradhedlund.com

On Jul 11, 2010, at 11:09 AM, Church, Charles <charles.chu...@harris.com> wrote:

-----Original Message-----
From: Reinhold Fischer [mailto:reinhold.fisc...@gmx.net]
Sent: Sunday, July 11, 2010 11:12 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection

Are you negotiating the channel (PAGP/LACP) or is it configured to channel mode ON? IIRC Cisco recommends ON for the VSL. The behaviour that you describe looks like one interface is configured to mode ON and the other end tries to negotiate the portchannel.

hth,
Reinhold

Yep, I'm using 'on'. Here's the config for the Po and physical ints. Same on the other one too:

interface Port-channel10
 description Switch 1 link to Switch 2
 no switchport
 no ip address
 switch virtual link 1
 mls qos trust cos
 no mls qos channel-consistency
end

Router#sh run int t1/5/4
Building configuration...

Current configuration : 116 bytes
!
interface TenGigabitEthernet1/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 10 mode on
end

Thanks,
Chuck
[c-nsp] 10 gig ethernet interface up, line protocol down on VSL connection
Anyone,

Ran into a weird issue today with a re-build of a VSS pair. A botched IOS upgrade forced me to rebuild the pair. Was going ok, but I'm having trouble getting the VSL link up between the two. Switch 2 had the port channel for the VSL link up/up, but on switch 1, it stays up/down. Adding a second 10 gig link to the port channel on each side resulted in both up/up on switch 2, and both up/down on switch 1. It was working a month ago in a lab, the lab guys upgrading to SXI4 killed the config. I'm starting from scratch. I ran out of time today, didn't get a chance to see if the ints would come up if the 'switch virtual link 1' command wasn't on there, or check the logs. Using 2 ints should have ruled out bad X2 modules. Just wondering if anyone has seen something similar with VSS.

Thanks,
Chuck
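Most of the VSL-won't-form failures discussed in this thread (a member negotiating while the far side is `mode on`, a missing `switch virtual link`, both chassis claiming the same link id) are visible in the two running-configs before anyone reloads a supervisor. The script below is an added example, not from the thread, that checks those conditions. Switch 1's config is modelled on the snippet Chuck posted (Po10, link 1); the switch 2 side (Po20, link 2, interface names Te2/5/x) is assumed, and it carries one deliberate defect, a member left in `mode desirable`, so the check has something to catch.

```python
"""Sanity-check the VSL port-channel configuration of a 6500 VSS pair.

Added example, not part of the original thread. Both configs are
constructed: switch 1 mirrors the posted snippet, switch 2 is assumed
and contains one deliberate defect (a member in `mode desirable`).
"""
import re

SWITCH1 = """\
interface Port-channel10
 no switchport
 switch virtual link 1
!
interface TenGigabitEthernet1/5/4
 no switchport
 channel-group 10 mode on
!
interface TenGigabitEthernet1/5/5
 no switchport
 channel-group 10 mode on
!
"""

SWITCH2 = """\
interface Port-channel20
 no switchport
 switch virtual link 2
!
interface TenGigabitEthernet2/5/4
 no switchport
 channel-group 20 mode on
!
interface TenGigabitEthernet2/5/5
 no switchport
 channel-group 20 mode desirable
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or 'end' closes the block
    return blocks


def vsl_port_channels(blocks):
    """Map VSL link id -> port-channel number from `switch virtual link N`."""
    result = {}
    for name, lines in blocks.items():
        m = re.fullmatch(r"Port-channel(\d+)", name)
        if not m:
            continue
        for l in lines:
            v = re.fullmatch(r"switch virtual link (\d+)", l)
            if v:
                result[int(v.group(1))] = int(m.group(1))
    return result


def check_vsl(config, expected_link):
    """Return a list of problems found in one chassis' VSL configuration."""
    blocks = parse_interfaces(config)
    links = vsl_port_channels(blocks)
    if expected_link not in links:
        return [f"no port-channel carries 'switch virtual link {expected_link}'"]
    po, problems, members = links[expected_link], [], 0
    for name, lines in blocks.items():
        for l in lines:
            m = re.fullmatch(r"channel-group (\d+) mode (\S+)", l)
            if m and int(m.group(1)) == po:
                members += 1
                if m.group(2) != "on":  # VSL members must not negotiate
                    problems.append(f"{name}: channel-group {po} mode {m.group(2)} (VSL must be mode on)")
                if "no switchport" not in lines:
                    problems.append(f"{name}: VSL member must be a routed port (no switchport)")
    if members == 0:
        problems.append(f"Port-channel{po} has no member interfaces")
    return problems


def check_pair(config1, config2):
    """Check both chassis; the two sides must use different VSL link ids."""
    p1, p2 = check_vsl(config1, 1), check_vsl(config2, 2)
    shared = vsl_port_channels(parse_interfaces(config1)).keys() & \
        vsl_port_channels(parse_interfaces(config2)).keys()
    if shared:
        p1.append("both switches claim the same 'switch virtual link' id")
    return {"switch1": p1, "switch2": p2}


if __name__ == "__main__":
    for side, problems in check_pair(SWITCH1, SWITCH2).items():
        print(side, "OK" if not problems else "; ".join(problems))
```

Feed it `show running-config` from each chassis taken over the console while the pair is split; if it comes back clean and the VSL still stays up/down, the problem is below the config (optics, the conversion step, or the code), which is where the rest of the thread went.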
Re: [c-nsp] Cisco 6509 reboots on its own... again...
I remember 'chip creep' being a question on my Novell service and support exam way back when. I laughed, but a few years later, had a video card that was acting erratic with an odd pattern. Thought it was a long shot, but all the video RAM chips had crept out halfway. Pushed them back in, problem solved. Just heating and cooling can do it.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Li
Sent: Monday, July 05, 2010 8:05 PM
To: Alan Buxey
Cc: Gert Doering; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 6509 reboots on its own... again...

On Jul 5, 2010, at 4:50 AM, Alan Buxey wrote:

== Blades didn't move for months if not years for some ! Plus, diags passed fully without any kind of problem !

we had an issue earlier this year when the temperature of a data centre went up by 3 degrees and cooled rapidly. yep. reseating the blade fixed it. hmmm. :-)

Thermal cycling is a fact of life, as is vibration and connector corrosion. Yes, 3 degrees doesn't seem like much, but at the microscopic scale, it's more than enough to cause boards (and parts!) to expand and contract. When you combine that with the continual vibration of fans, and corrosion from general atmospheric contact, Bad Things can and do happen.

Tony
Re: [c-nsp] sh module csm 2 probe real
Looks like maybe it's computing time wrong. That date is surprisingly close to the start of UNIX time, which was Jan 1, 1970.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sony Scaria
Sent: Thursday, May 27, 2010 3:30 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] sh module csm 2 probe real

hello group,

Can someone please explain to me why it is showing 13:36:47 gmt 06/14/70. I've searched a lot, but I couldn't find any explanation. btw, my switch is in sync with present time.

Switch#sh module csm 2 probe real
 real = 10.106.110.17:53, probe = PROBE-DNS, type = dns, vserver = W-DNSTCP-O, sfarm = W-DNSTCP-O
  status = OPERABLE, current = 13:36:47 gmt 06/14/70, successes = 236591, last success = 13:36:48 gmt 06/14/70, failures = 144, last failure = 09:58:50 gmt 06/11/70, state = Server is healthy.
 real = 10.106.110.17:53, probe = PROBE-DNS, type = dns, vserver = W-DNS-O, sfarm = W-DNS-O
  status = OPERABLE, current = 13:36:47 gmt 06/14/70, successes = 236591, last success = 13:36:48 gmt 06/14/70, failures = 144, last failure = 09:58:50 gmt 06/11/70, state = Server is healthy.

Switch#sh clock
07:26:16.712 gmt Thu May 27 2010
Re: [c-nsp] Obtaining MD signature
If you download this file, you should find the md5 hash for all images in there. Not sure how up to date the file is, it was produced when the rootkit exploit came out:

http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

File link is near the bottom:

http://www.cisco.com/web/tsweb/psirt/cisco-sr-20080516-rootkits-r2.4.zip

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alan Buxey
Sent: Friday, May 07, 2010 2:42 PM
To: Rick Kunkel
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Obtaining MD signature

Hi,

The SOLE copy I've got of s72033-adventerprisek9_wan-mz.122-18.SXF4.bin resides on a TFTP server used for backup purposes. This TFTP server

can't you just copy it onto a sup720 flash drive - eg disk0: and run

verify s72033-adventerprisek9_wan-mz.122-18.SXF4.bin

?

alan
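The reason the rootkit advisory shipped a hash list at all is that the image's own `verify` output only tells you the file is internally consistent; what you want is the digest of the copy you actually hold compared against a digest you obtained out of band. The script below is an added example, not from the thread or from Cisco, of that comparison. The image bytes and the hash-list entry are constructed for the demonstration (a real run reads the `.bin` from disk and types the vendor's published digests into the table); the filename is the one from the thread, used only as a key.

```python
"""Verify an IOS image against an out-of-band hash list.

Added example, not from the original thread or from Cisco. IMAGE_BYTES
stands in for the .bin file and KNOWN_GOOD for the vendor's published
digests; both are constructed here so the script runs offline. In real
use the KNOWN_GOOD digests are copied from the published list, never
derived from the file being checked.
"""
import hashlib
import hmac

# Constructed stand-in for an image file's contents.
IMAGE_BYTES = b"not a real IOS image, just bytes for the demonstration\n"

# Constructed hash list, keyed by filename; hex digests, any case.
KNOWN_GOOD = {
    "s72033-adventerprisek9_wan-mz.122-18.SXF4.bin": {
        "md5": hashlib.md5(IMAGE_BYTES).hexdigest(),
        "sha512": hashlib.sha512(IMAGE_BYTES).hexdigest(),
    }
}

CHUNK = 1 << 20  # 1 MiB; the same loop works for a multi-hundred-MB image


def digest(data, algorithm):
    """Hex digest of `data` under `algorithm`, computed in chunks."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()


def verify_image(filename, data, known_good=KNOWN_GOOD,
                 algorithms=("sha512", "md5")):
    """Return (ok, detail).

    Tries the listed algorithms strongest first and uses the first one the
    hash list carries; MD5 alone is a weak check, so it is the fallback,
    not the default. The comparison is constant-time out of habit.
    """
    entry = known_good.get(filename)
    if entry is None:
        return False, "no published digest for this filename"
    for alg in algorithms:
        if alg in entry:
            actual = digest(data, alg)
            if hmac.compare_digest(actual, entry[alg].lower()):
                return True, f"{alg} matches"
            return False, f"{alg} mismatch: expected {entry[alg]} got {actual}"
    return False, "no usable algorithm in hash list"


if __name__ == "__main__":
    name = "s72033-adventerprisek9_wan-mz.122-18.SXF4.bin"
    print(verify_image(name, IMAGE_BYTES))
    print(verify_image(name, IMAGE_BYTES + b"\x90"))  # one appended byte
```

A tampered image differs in every algorithm, so the test below appends a single byte and checks that the strongest available digest catches it; an image whose filename is not in the list is reported as unverifiable rather than silently passed.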
[c-nsp] Old PSIRT still around
Anyone,

Our IA scanning people (using eEye's Retina) are telling me some recent IOSs we're running (12.2(33)SXI3 and 15.0(1)M2) are vulnerable to the BGP regular expression issue from almost 3 years ago. This one:

http://www.cisco.com/en/US/products/products_security_response09186a00808bb91c.html

Looking at the bug ID CSCsk33054, it's a bit confusing what has fixes for it. 12.4(15)T2 is listed in the '1st found in' section, and also in the 'Fixed in' section. But under 'known affected versions' link, 15.0(1)M1 is listed, which came out well after 12.4(15)T2. For the 6500s, it does appear to be fixed in SXF13 and more recent SXH versions. SXI appears to never have had it. But the 12.4T and 15.0 thing has me a bit confused. Can anyone shed some light on that for me?

Thanks,
Chuck
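The confusion in the post is the usual one with IOS release numbering: a fixed-in list names releases in several trains, and a running version can only be compared with the entries from its own train. Saying "15.0(1)M1 came out after 12.4(15)T2" is a calendar statement, not a version comparison, and a scanner that treats it as one will produce exactly the false positives Chuck is seeing. The script below is an added example, not from the thread, that parses the `major.minor(maintenance)TRAIN rebuild` form and only draws a conclusion within a train. The fixed-in list in it is hypothetical, chosen to exercise the logic; it is not the fix list for CSCsk33054 or for any real bug.

```python
"""Compare IOS release strings train by train.

Added example, not from the original thread. Parses the common IOS
naming form (12.2(33)SXI3, 12.4(15)T2, 15.0(1)M1) and answers "is the
running release at or past a fixed release in its own train?", refusing
to compare across trains. HYPOTHETICAL_FIXED_IN is made up for the
demonstration and says nothing about any real advisory.
"""
import re
from functools import total_ordering

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?([a-z])?$")


@total_ordering
class IosVersion:
    """12.2(33)SXI3 -> major 12, minor 2, maint 33, train SXI, rebuild 3."""

    def __init__(self, text):
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unparseable IOS version: {text!r}")
        self.major, self.minor, self.maint = (int(x) for x in m.group(1, 2, 3))
        self.train = m.group(4) or ""      # mainline releases have no letters
        self.rebuild = int(m.group(5) or 0)
        self.suffix = m.group(6) or ""     # the 'a' in 12.4(15)T2a
        self.text = text.strip()

    @property
    def train_key(self):
        """Releases are only comparable when this matches."""
        return (self.major, self.minor, self.train)

    def _key(self):
        return (self.major, self.minor, self.maint, self.rebuild, self.suffix)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __repr__(self):
        return f"IosVersion({self.text})"


# Constructed list; NOT the fixed-in list of any real bug.
HYPOTHETICAL_FIXED_IN = ["12.4(15)T2", "12.2(18)SXF13", "15.0(1)M2"]


def fix_status(running, fixed_in):
    """True  : running is at/after a fixed release of its own train.
    False : a fixed release exists for that train and running is older.
    None  : the list names no release in running's train; no conclusion
            can be drawn, which is the case a scanner must not flag."""
    run = IosVersion(running)
    same_train = [f for f in map(IosVersion, fixed_in) if f.train_key == run.train_key]
    if not same_train:
        return None
    return any(run >= f for f in same_train)


if __name__ == "__main__":
    for v in ("12.4(15)T1", "12.4(24)T", "12.2(18)SXF13", "12.2(33)SXI3", "15.0(1)M1"):
        print(f"{v:16} -> {fix_status(v, HYPOTHETICAL_FIXED_IN)}")
```

The `None` result is the useful one: a scanner that has a fixed-in entry for 12.4T and none for 12.2SXI has no basis for a verdict on an SXI box, and should say so rather than report it vulnerable.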
[c-nsp] Notice to lurking vendors...
For the 3rd time in the last 5 days I've had some reseller of hardware call me directly, can't see any way they got my number other than finding my signature on this list. This is the last time. I don't handle purchasing for my company, nor am I going to have you bother the people in my company who do. In the future I will start naming your company on this list if it keeps happening. It's your company's reputation on the line, proceed with extreme caution.

Chuck
[c-nsp] Nexus 5xxx VPC peer keepalives
Anyone,

Coming up on a design issue with our upcoming first deployment of Nexus 5010s and 5020s in a new datacenter. It's recommended in the following doc to use the mgmt0 interface for peer keepalive messages:

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/Cisco_Nexus_5000_Series_NX-OS__chapter8.html#concept_47F7274E5FDA489884D0488BC491B066

We're doing a true out of band management approach on this new network, so the mgmt0 interfaces all home back to an OOB switch/router (4507) which houses the NMS gear, etc. My concern is that a reload (or failure of some type) on this OOB switch could cause a 'dual active' situation on all the Nexus pairs of devices (6 pairs of 5010s, and the pair of 5020s that aggregate the 5010 pairs). I don't think I want that to happen. So the alternative seems to be a back to back non-VPC-peer link between the two devices using a VLAN interface, but I hate the idea of using a 10 gig port just for keepalives. There are what appear to be additional copper mgmt ports on the boxes, but they're covered up, and not in the CLI. Any way to utilize those? Any other possibilities I'm overlooking? Or am I stuck getting 1 gig copper SFPs and crossover cables for keepalives?

Thanks,
Chuck
Re: [c-nsp] SNMPv3 bug on 3550
I can't find my notes on it, but I seem to remember it being a bug. I believe a later code fixed our issue.

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil

From: Ibrahim Abo Zaid [mailto:ibrahim.aboz...@gmail.com]
Sent: Tuesday, April 27, 2010 7:15 AM
To: Peter Rathlev
Cc: Church, Charles; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SNMPv3 bug on 3550

Hi All

I am facing the same below issue on 7200 with 12.2(25)S image. Does anyone face the same problem? Is it a bug?

thanks
--Ibrahim

On Thu, Feb 7, 2008 at 1:33 AM, Peter Rathlev <pe...@rathlev.dk> wrote:

Sorry about the empty mail before, was busy wiping up coffee from my keyboard. :-)

I've tested the same on our 3550/SEE2's and with the same results. Trial and error shows that if I exclude the "auth md5 blah" part of the user definition, everything works as expected. It doesn't help using SHA.

When creating the user I get this log message by the way:

Feb 7 00:16:56.657 met: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...

It never gets further. It also seems to be the "snmp-server host ..." command that creates the "snmp-server group testuser" command. I'm no expert in SNMPv3, but that may or may not be an error.

So I'd say it's a bug. (Just use v2c, hacky sacks never really died so why should v2c? :-)

Regards,
Peter

On Wed, 2008-02-06 at 15:03 -0600, Church, Charles wrote:

Thanks. I did try it that way too. Long log shows it doing this:

PSRB-U00-OS-03(config)#do sh run | i test
PSRB-U00-OS-03(config)#do sh snmp user
PSRB-U00-OS-03(config)#do sh snmp group
PSRB-U00-OS-03(config)#snmp-server group testgroup v3 auth access 98
PSRB-U00-OS-03(config)#do sh run | i test
snmp-server group testgroup v3 auth access 98
PSRB-U00-OS-03(config)#snmp-server user testuser testgroup v3 auth md5 blah access 98
PSRB-U00-OS-03(config)#do sh run | i test
snmp-server group testgroup v3 auth access 98
PSRB-U00-OS-03(config)#snmp-server host 172.24.4.5 version 3 auth testuser
PSRB-U00-OS-03(config)#snmp-server host 172.24.5.6 version 3 auth testuser
PSRB-U00-OS-03(config)#snmp-server host 172.26.4.7 version 3 auth testuser
PSRB-U00-OS-03(config)#do sh run | i test
snmp-server group testuser v3 auth notify *tv....0F
snmp-server group testgroup v3 auth access 98
snmp-server host 172.24.4.5 version 3 auth testuser
snmp-server host 172.24.5.6 version 3 auth testuser
snmp-server host 172.26.4.7 version 3 auth testuser
PSRB-U00-OS-03(config)#do sh snmp group
groupname: testuser                       security model:v3 auth
readview : no readview specified          writeview: no writeview specified
notifyview: *tv....F
row status: active

groupname: testgroup                      security model:v3 auth
readview : v1default                      writeview: no writeview specified
notifyview: no notifyview specified
row status: active      access-list: 98

PSRB-U00-OS-03(config)#do sh snmp user
User name: testuser
Engine ID: 8009030D65D8D281
storage-type: nonvolatile        active  access-list: 98
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: testgroup

PSRB-U00-OS-03(config)#

So it would appear that the configuration of the trap destinations is what's causing the group with the user name to be created. Same result if you do the user first, and then the group. Any ideas?

Thanks,
Chuck

-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:ach...@forthnet.gr]
Sent: Wednesday, February 06, 2008 3:42 PM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SNMPv3 bug on 3550

I think you have to create group first, then user.

--
Tassos

Church, Charles wrote on 6/2/2008 9:27 μμ:

Hey all,

I'm seeing the following behavior on 3550s running c3550-ipbasek9-mz.122-25.SEE2.bin:

Commands entered:

snmp-server user testuser testgroup v3 auth md5 (password) access 98
snmp-server group testgroup v3 auth not *tv....FF access 98
snmp-server host 172.24.4.5 version 3 auth testuser

Results of commands:

snmp-server group testuser v3 auth notify *tv....0F
snmp-server group testgroup v3 auth notify *tv....FF
snmp-server host 172.24.4.5 version 3 auth testuser

So the configuration of a user called 'testuser' is creating a group called 'testuser'. We should only be seeing 'testgroup' exist as a group, right? I did a search through bug navigator, didn't see anything involving snmp and user or group listed. Is this a known issue? We use the same
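Whatever the cause, the implicit `testuser` group in the log above is worth noticing for a second reason: it was created without the `access 98` list that the explicit group carries, and it is authNoPriv like everything else in the config. The script below is an added example, not from the thread, that audits a running-config plus `show snmp user` output for exactly those three things: a group sharing a name with a v3 user, a v3 group with no access-list, and groups or trap hosts below authPriv. The two input samples are built from the output Chuck posted.

```python
"""Audit IOS SNMPv3 groups and trap hosts.

Added example, not from the original thread. RUNNING_CONFIG and
SHOW_SNMP_USER are built from the output posted in the thread. Findings
are (category, message) tuples so they can be counted or filtered.
"""
import re

RUNNING_CONFIG = """\
snmp-server group testuser v3 auth notify *tv....0F
snmp-server group testgroup v3 auth access 98
snmp-server host 172.24.4.5 version 3 auth testuser
snmp-server host 172.24.5.6 version 3 auth testuser
snmp-server host 172.26.4.7 version 3 auth testuser
"""

# IOS does not show snmp-server user lines in the running-config, so the
# user inventory has to come from `show snmp user`.
SHOW_SNMP_USER = """\
User name: testuser
Engine ID: 8009030D65D8D281
storage-type: nonvolatile        active  access-list: 98
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: testgroup
"""

USER_RE = re.compile(r"^User name: (\S+)", re.M)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$")
HOST_RE = re.compile(r"^snmp-server host (\S+) version 3 (noauth|auth|priv) (\S+)")


def audit_snmpv3(running_config, show_snmp_user):
    """Return a list of (category, message) findings."""
    users = set(USER_RE.findall(show_snmp_user))
    findings = []
    for line in running_config.splitlines():
        g = GROUP_RE.match(line)
        if g:
            name, level, rest = g.groups()
            if name in users:
                findings.append(("implicit-group",
                                 f"group '{name}' has the same name as a v3 user; "
                                 f"check whether it was created implicitly"))
            if not re.search(r"\baccess \S+", rest):
                findings.append(("no-acl", f"group '{name}' has no access-list"))
            if level != "priv":
                findings.append(("weak-level", f"group '{name}' is {level}; authPriv expected"))
            continue
        h = HOST_RE.match(line)
        if h:
            host, level, user = h.groups()
            if level != "priv":
                findings.append(("weak-level",
                                 f"trap host {host} (user {user}) is {level}; authPriv expected"))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, message in audit_snmpv3(RUNNING_CONFIG, SHOW_SNMP_USER):
        print(f"[{category}] {message}")
```

Against the posted output it reports the name collision once, the missing access-list once (only on the implicit group) and authNoPriv on both groups and all three trap hosts.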
Re: [c-nsp] Device management in VRFs
Just as a follow-up, the ssh source interface doesn't put the scp outbound traffic into the VRF. I haven't tried the SCP server on the switch, that might be a work-around. Since I can SSH to the box via the VRF, I'd hope the SCP would work that way too.

Chuck

From: Andriy Bilous [mailto:andriy.bil...@gmail.com]
Sent: Monday, April 12, 2010 3:42 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Device management in VRFs

cisco seems to know about -vrf option in outgoing ssh connections on 4500.

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst4500/12.2/53SG/configuration/vrf.html#wp1082522

As for copy you have to specify ip tftp/ftp source-interface to choose proper vrf (dunno if ip ssh source-interface will work for scp)

On Mon, Apr 12, 2010 at 5:06 AM, Church, Charles <charles.chu...@harris.com> wrote:

Anyone,

I'm wondering if there are any open feature requests or bugs for cleaning up the remaining things that don't seem to work in VRFs. I've resorted to the idea of using the global table for management on 6500s and other devices for various things that don't like VRFs. But now I run into the newer 4500 sups that have the dedicated 10/100 management port. These ports are locked into a VRF called mgmtVrf. Can't change it. Find out there are some important things that aren't possible using a VRF, such as SSH client (can't connect to a host in a VRF) or pretty much any file copy operation initiated from the switch. It'd be nice to use those ports since they're usable from ROMMON for remote recovery (we've got term servers attached), but this file copy feature is pretty important. Any idea?

Thanks,
Chuck
Re: [c-nsp] Device management in VRFs
Thanks Andriy, I'll take a look at 12.2.53. In my experience with the 6500s, the 'source-interface' commands didn't seem to help with reaching VRF-connected hosts, but I'll re-try it. The 4500s were my big hurdle, so maybe it'll work ok. SCP is the only protocol we can really use, for security reasons.

Chuck

From: Andriy Bilous [mailto:andriy.bil...@gmail.com]
Sent: Monday, April 12, 2010 3:42 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Device management in VRFs

cisco seems to know about -vrf option in outgoing ssh connections on 4500.

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst4500/12.2/53SG/configuration/vrf.html#wp1082522

As for copy you have to specify ip tftp/ftp source-interface to choose proper vrf (dunno if ip ssh source-interface will work for scp)

On Mon, Apr 12, 2010 at 5:06 AM, Church, Charles <charles.chu...@harris.com> wrote:

Anyone,

I'm wondering if there are any open feature requests or bugs for cleaning up the remaining things that don't seem to work in VRFs. I've resorted to the idea of using the global table for management on 6500s and other devices for various things that don't like VRFs. But now I run into the newer 4500 sups that have the dedicated 10/100 management port. These ports are locked into a VRF called mgmtVrf. Can't change it. Find out there are some important things that aren't possible using a VRF, such as SSH client (can't connect to a host in a VRF) or pretty much any file copy operation initiated from the switch. It'd be nice to use those ports since they're usable from ROMMON for remote recovery (we've got term servers attached), but this file copy feature is pretty important. Any idea?

Thanks,
Chuck
[c-nsp] Device management in VRFs
Anyone,

I'm wondering if there are any open feature requests or bugs for cleaning up the remaining things that don't seem to work in VRFs. I've resorted to the idea of using the global table for management on 6500s and other devices for various things that don't like VRFs. But now I run into the newer 4500 sups that have the dedicated 10/100 management port. These ports are locked into a VRF called mgmtVrf. Can't change it. Find out there are some important things that aren't possible using a VRF, such as SSH client (can't connect to a host in a VRF) or pretty much any file copy operation initiated from the switch. It'd be nice to use those ports since they're usable from ROMMON for remote recovery (we've got term servers attached), but this file copy feature is pretty important. Any idea?

Thanks,
Chuck
[c-nsp] dual sups/chassis with 6500 VSS
Anyone,

According to several docs I've read, such as this one:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/product_solution_overview0900aecd806fa5d0.html

It appears that dual sups/chassis is planned for a future release. Can anyone give me an approximate date or train that it might show up?

Thanks,
Chuck
[c-nsp] PBR support on 6500 w/ VSS and on 4500 Sup6L-E
Anyone,

Been looking around on Cisco's web site, trying to find out if PBR (policy based routing) is supported on a VSS pair of 6500s and also on the new 4500 Sup6L-E. What I'm trying to accomplish is based on source address, send traffic either via a normal path or use an alternate next hop (I need to force certain traffic types through a FW, security mandate). The 4500 is on the other side, and needs to PBR the return traffic, using opposite source/dest pairs. I didn't find anything that definitively said yes or no. Software advisor leads me to believe it exists in Enterprise Services for the 4500, but that image is for the Sup6-E as well, not sure if the feature is really there for the 'L' version. Just want to make sure.

Thanks,
Chuck
Re: [c-nsp] ASA output of show dhcpd binding - odd hardware address?
There isn't a .12 appended to the end. It's actually the '01' at the front that was prepended. I think it has something to do with bootp clients vs. DHCP clients that causes the '01' to show up. I believe '01' indicates ethernet, if memory serves me correctly.

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Tuesday, March 09, 2010 10:05 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA output of show dhcpd binding - odd hardware address?

Greetings all:

Running 8.2(1) on an ASA 5505 and am curious if anyone can tell me what the .12 is after the MAC address bound to 172.20.48.37?

Diane-VPN# show dhcpd binding
IP address       Hardware address       Lease expiration   Type
172.20.48.36     0019.6983.7339         536677 seconds     Automatic
172.20.48.37     0100.0874.255f.12      537139 seconds     Automatic

The Cisco 8.2 command reference sample command sample output shows a similar example but with a .43 at the end of the MAC address with no explanation of the suffix. Last I checked MAC addresses were 12 characters not 14?

Many thanks again,

Jeff Wojciechowski
LAN, WAN and Telephony Administrator
Midland Paper Company
101 E Palatine Rd
Wheeling, IL 60090
tel: 847.777.2829
fax: 847.403.6829
e-mail: jeff.wojciechow...@midlandpaper.com
http://www.midlandpaper.com
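Chuck's reading is the RFC 2132 one: when a client sends option 61 (client identifier), the server records that instead of the bare chaddr, and a client identifier is a one-byte hardware type followed by the address. Type 1 is Ethernet, so a 7-byte `0100.0874.255f.12` is `01` plus the MAC `00:08:74:25:5f:12`, and a 6-byte `0019.6983.7339` is a plain MAC from a client that sent no option 61. The decoder below is an added example, not from the thread or from Cisco. The first two table rows are the ones Jeff posted; the third is constructed to show a type-0 (non-hardware, here an ASCII name) identifier, which is the other form a practitioner will meet.

```python
"""Decode the 'Hardware address' column of an ASA `show dhcpd binding`.

Added example, not from the original thread or from Cisco. Dotted-hex
values of 6 bytes are plain MACs; anything else is treated as an RFC 2132
option 61 client identifier: one byte of hardware type, then the address.
The first two sample rows are from the thread, the third is constructed.
"""
import re

SAMPLE_OUTPUT = """\
IP address       Hardware address       Lease expiration   Type
172.20.48.36     0019.6983.7339         536677 seconds     Automatic
172.20.48.37     0100.0874.255f.12      537139 seconds     Automatic
172.20.48.38     0068.6f73.7430.31      540000 seconds     Automatic
"""

ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]+)\s+(\d+) seconds\s+(\S+)")


def fmt_mac(raw):
    """Render 6 bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in raw)


def decode_hardware_field(field):
    """Return a dict describing a dotted-hex hardware/client-id field."""
    raw = bytes.fromhex(field.replace(".", ""))
    if len(raw) == 6:
        # Plain chaddr: the client sent no option 61.
        return {"kind": "chaddr", "mac": fmt_mac(raw)}
    htype, ident = raw[0], raw[1:]
    if htype == 1 and len(ident) == 6:
        # Type 1 = Ethernet; the "extra" byte is the leading 01, not a suffix.
        return {"kind": "client-id", "htype": 1, "mac": fmt_mac(ident)}
    if htype == 0:
        # Type 0 = not a hardware address; commonly an ASCII host name.
        return {"kind": "client-id", "htype": 0,
                "identifier": ident.decode("ascii", "replace")}
    return {"kind": "client-id", "htype": htype, "identifier": ident.hex()}


def parse_bindings(text):
    """Parse `show dhcpd binding` rows into dicts with the hardware field decoded."""
    bindings = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ip, hw, lease, btype = m.groups()
            bindings.append({"ip": ip, "lease_seconds": int(lease), "type": btype,
                             **decode_hardware_field(hw)})
    return bindings


if __name__ == "__main__":
    for row in parse_bindings(SAMPLE_OUTPUT):
        print(row)
```

The practical consequence is for anyone correlating bindings with switch MAC tables or 802.1X logs: strip the type byte before matching, and expect a type-0 identifier to carry no MAC at all.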
[c-nsp] Policy-routing for a protocol
Hey all,

Got kind of a design problem I'm working on, trying to see what my options are. Gonna have a site with dual 7206, both with full tables, doing iBGP between. Each 7206 will have (2) links going to upstream, all (4) links in same remote AS. Both routers have a 50 meg circuit for general use, and a 10 meg circuit we'd like to dedicate to VTC type traffic. To handle the inbound traffic, I was going to announce the smaller local address block dedicated to VTC gear only out the VTC-dedicated circuits. Upstream provider should be able to deal with that easily. Outbound seems a bit trickier. Seems like I need to policy route the traffic, matching on the source address of the VTC gear. The next hop is what I'm getting stuck on, since I could be black-holing VTC traffic if that BGP peer was down, but the interface was up (it's metro ethernet, local link doesn't guarantee BGP is up). There is a 'verify-availability' option, but seems to be tied to CDP, and upstream uses Juniper. Any new IOS feature out there that might help? Most likely gonna run 12.4 mainline on them. I toyed with the idea of a separate VRF for VTC, but the downstream firewall stuff is gonna rule that out. I don't think I can leverage static object tracking in a route map, but maybe I overlooked something. Any help would be appreciated.

Thanks,
Chuck Church
Re: [c-nsp] Best practice - Core vs Access Router
The weird part is the NDE process is still using CPU. Which netflow setting are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are getting crushed at times, seems like more than just a punted packet issue, since that would be primarily RP, wouldn't it?

Chuck

-----Original Message-----
From: Andy B. [mailto:globic...@gmail.com]
Sent: Tuesday, February 09, 2010 8:50 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

I can almost certainly rule that out. Last time this happened I turned off NDE, but it did not change much. Here's the result anyway:
Re: [c-nsp] Best practice - Core vs Access Router
I haven't used the 'flow-aggregation ...' in the past, but it has a destination on it still. Not sure if that's still causing exporting to happen or not. Can you reduce the flow mask from 'interface-full' to something like 'source' so that it will use less TCAM space?

Chuck

-----Original Message-----
From: Andy B. [mailto:globic...@gmail.com]
Sent: Tuesday, February 09, 2010 10:15 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On Tue, Feb 9, 2010 at 4:03 PM, Church, Charles <charles.chu...@harris.com> wrote:

The weird part is the NDE process is still using CPU. Which netflow setting are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are getting crushed at times, seems like more than just a punted packet issue, since that would be primarily RP, wouldn't it?

Netflow is basically configured like this:

ip flow-cache entries 524288
ip flow-cache timeout active 1
mls ip slb purge global
mls ip multicast flow-stat-timer 9
mls aging fast time 4 threshold 2
mls aging long 128
mls aging normal 64
mls netflow usage notify 80 300
mls flow ip interface-full
mls flow ipv6 interface-full
mls rate-limit unicast cef glean 200 50
mls rate-limit all ttl-failure 100 10
no mls acl tcam share-global
mls cef error action freeze
ip flow-export source Loopback0
ip flow-export version 5 origin-as
ip flow-aggregation cache as
 cache timeout active 1
 export destination ip 9000
 enabled
Re: [c-nsp] Best practice - Core vs Access Router
I was going by the 'show proc cpu hist' he gave for both the SP and RP. Both looked pretty bad across the board.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, February 09, 2010 10:56 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Best practice - Core vs Access Router

On 09/02/10 15:03, Church, Charles wrote:
> The weird part is the NDE process is still using CPU. Which netflow setting are you using for 'mls flow ip xxx'? Since both the RP and SP CPU are

What evidence do we have for the RP and SP both being hit?

> getting crushed at times, seems like more than just a punted packet issue, since that would be primarily RP, wouldn't it?

Not if it were a loop
Re: [c-nsp] find window's machine from Cisco Router
Sorry, meant to send this yesterday, had some email issues.

Why not enable netflow on the router, and see who's using what ports? If you can capture enough source and destination port info, you can compare that to the 'fingerprint' type stuff that NMAP does and make some educated guesses. But NMAP from a remote machine will be far easier. Just make sure you own all the gear between the NMAP machine and the end hosts, since any ISP filtering might throw off the results.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Smales, Robert
Sent: Friday, February 05, 2010 12:39 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

You can't identify the OS from a MAC address. MAC addresses are assigned by whoever made the Ethernet chip; the Linux boxes could have cards from the same manufacturer as the Windows boxes - I've got two home-built PCs, identical hardware, one runs Windows 7, the other Debian Etch, you couldn't tell them apart by their MAC addresses.

If there are only 7 devices on the OP's network, wouldn't it be simpler to walk round the room to see what was what?

Robert

Robert Smales
Technical Engineer
Cable&Wireless Worldwide
www.cw.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John P. Schneider
Sent: 05 February 2010 14:36
To: 'vijay gore'; Brian Turnbow
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Maybe I'm over simplifying this but can't you just compare the MAC addresses? If you only have 7 machines it would not take very long.

Thank You,
John Schneider

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of vijay gore
Sent: Friday, February 05, 2010 4:39 AM
To: Brian Turnbow
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

No sir. It's not working. Actually sir, in this router there are 7 PCs connected, some PCs have Linux OS and some PCs have Windows OS. Now I want to know which machine has Linux OS and which machine has Windows OS. Please help me out with this sir.

On Fri, Feb 5, 2010 at 3:57 PM, Brian Turnbow <b.turn...@twt.it> wrote:

It looks like you have logging enabled for warnings only. Try

logging buffered debugging

Another alternative, if the first does not log, is to do a debug ip packet using an access list that matches only netbios. This could be more processor intensive. First create

access-list 102 permit udp any any range 137 138

then

debug ip packet 102

When done don't forget

undebug all

Brian

--
From: vijay gore [mailto:vijaygor...@gmail.com]
Sent: Friday 5 February 2010 10.57
To: Brian Turnbow
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir, it's giving me the output below, it's not showing netbios packet users,

Router#sho log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 40 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level warnings, 10 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped
    Trap logging: level informational, 43 message lines logged

Log Buffer (51200 bytes):

*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface
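The two approaches in this thread (Chuck's "export NetFlow and look at who uses which ports" and Brian's access list that matches only NetBIOS on UDP 137-138) can be tried offline against a set of flow records. The script below is an added example and is not code from anyone in the thread; the flow records, addresses and the port-to-OS hint table are constructed for illustration, and the hints are inventory heuristics, not proof of what a host runs.

```python
"""Passive OS hinting from flow records (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


# Constructed sample flows for a small LAN; not a real NetFlow export.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.0.2.11", "192.0.2.255", "udp", 137, 137),    # NetBIOS name broadcast
    Flow("192.0.2.11", "192.0.2.255", "udp", 138, 138),    # NetBIOS datagram
    Flow("192.0.2.12", "192.0.2.11", "tcp", 49152, 445),   # SMB client -> server
    Flow("192.0.2.13", "192.0.2.11", "tcp", 50000, 3389),  # RDP client -> server
    Flow("192.0.2.21", "192.0.2.22", "tcp", 40000, 22),    # SSH client -> server
    Flow("192.0.2.22", "192.0.2.21", "udp", 34000, 111),   # portmapper lookup
    Flow("192.0.2.23", "203.0.113.5", "tcp", 41000, 443),  # HTTPS, says nothing
]

# (proto, destination port) -> hint about the host *listening* on that port
SERVER_PORT_HINTS = {
    ("tcp", 445): "windows", ("tcp", 139): "windows", ("tcp", 3389): "windows",
    ("udp", 137): "windows", ("udp", 138): "windows",
    ("tcp", 22): "unix", ("tcp", 111): "unix", ("udp", 111): "unix",
}
# NetBIOS uses fixed source ports too, so the *sender* is also a hint
CLIENT_PORT_HINTS = {("udp", 137): "windows", ("udp", 138): "windows"}


def is_broadcast(addr: str) -> bool:
    """Crude: treat x.x.x.255 as a broadcast address, not a host."""
    return addr.endswith(".255")


def netbios_acl_match(flow: Flow) -> bool:
    """Same test as Brian's 'access-list 102 permit udp any any range 137 138'."""
    return flow.proto == "udp" and 137 <= flow.dport <= 138


def os_hints(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Count per-host hints from the ports each host serves or sends from."""
    hints: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        server_hint = SERVER_PORT_HINTS.get((f.proto, f.dport))
        if server_hint and not is_broadcast(f.dst):
            hints[f.dst][server_hint] += 1
        client_hint = CLIENT_PORT_HINTS.get((f.proto, f.sport))
        if client_hint:
            hints[f.src][client_hint] += 1
    return {host: dict(counts) for host, counts in hints.items()}


def classify(flows: List[Flow]) -> Dict[str, str]:
    """Majority hint per host; hosts that never touched a telling port are 'unknown'."""
    scores = os_hints(flows)
    hosts = {f.src for f in flows} | {f.dst for f in flows if not is_broadcast(f.dst)}
    return {
        host: (max(scores[host], key=scores[host].get) if host in scores else "unknown")
        for host in sorted(hosts)
    }


if __name__ == "__main__":
    for host, guess in classify(SAMPLE_FLOWS).items():
        print(f"{host:<16} {guess}")
    print("flows the NetBIOS ACL would log:",
          sum(netbios_acl_match(f) for f in SAMPLE_FLOWS))
```

Only the host that actually serves or sends on a telling port gets a hint, so the SMB and RDP clients stay "unknown" here; in practice you would feed the same functions the real export and widen the hint tables to the services your network runs.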
[c-nsp] 802.1X on WS-X4448-GB-SFP
Anyone know if 802.1x is supported on this line card? Not finding the answer on Cisco's web site or anywhere else. My Sup's gig port looks like this:

PSRB-U01-AS-01#sh int g1/1 cap
GigabitEthernet1/1
  Model:                 WS-X4515-Gbic
  Type:                  1000BaseSX
  Dot1x:                 yes   <---*
  Maximum MTU:           9198 bytes (Jumbo Frames)
  Multiple Media Types:  no
  Diagnostic Monitoring: N/A
  Queuing:               rx-(N/A), tx-(1p3q1t, Sharing/Shaping)

But I can't find definitively if that SFP module supports it.

Thanks in advance,

Chuck Church
Network Planning Engineer, CCIE #8776
Southcom
Harris IT Services
1210 N. Parker Rd.
Greenville, SC 29609
Office: 864-335-9473
Cell: 864-266-3978
E-mail: charles.chu...@harris.com
Southcom E-mail: charles.church@hq.southcom.mil
Re: [c-nsp] Wr mem causes massive delay...
This is a software based router, and 'wri mem' is very CPU intensive. What does the CPU look like before the wri mem is done? I don't think this is abnormal.

Chuck

----- Original Message -----
From: Jonathan Charles <jonv...@gmail.com>
To: cisco-v...@puck.nether.net; cisco-nsp@puck.nether.net
Sent: Monday, January 25, 2010 7:27 AM
Subject: [c-nsp] Wr mem causes massive delay...

So, noticed something weird... Got a 2851 with 512MB of RAM... if I have a constant ping going thru the router and I write mem, the ping goes up by a factor of 5

Cisco 2851 (revision 53.50) with 507904K/16384K bytes of memory.
Processor board ID FTX1345A0EY
2 Gigabit Ethernet interfaces
51 Serial interfaces
6 Channelized/Clear T1/PRI ports
1 Virtual Private Network (VPN) Module
4 Voice FXS interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
126000K bytes of ATA CompactFlash (Read/Write)

Reply from 172.16.2.11: bytes=32 time=32ms TTL=60
Reply from 172.16.2.11: bytes=32 time=34ms TTL=60
Reply from 172.16.2.11: bytes=32 time=133ms TTL=60
Reply from 172.16.2.11: bytes=32 time=30ms TTL=60
Reply from 172.16.2.11: bytes=32 time=25ms TTL=60

So, is this normal?

Jonathan
Re: [c-nsp] OT - Infoblox vs. Bluecat
Thank you all for your responses. Doesn't seem like a real consensus, but at least I've got a few issues to bounce off the two vendors.

Chuck

-----Original Message-----
From: Frank Bulk [mailto:frnk...@iname.com]
Sent: Saturday, January 16, 2010 12:52 AM
To: Church, Charles; nsp-cisco
Subject: RE: OT - Infoblox vs. Bluecat

We've been using Bluecat for several years in a SP environment primarily for DHCP and we've had a tough go of it, with the product, people, and support (contact me off-list for more detail). Based on our experience, I think it's a better fit in an enterprise environment with a single DHCP/DNS administrator.

A few months ago I had a web-based presentation and demo of the Infoblox product and would probably buy their product the next time.

In regards to IPv6 support, this is from the BlueCat's Adonis v6.0.1 release notes:
- DNS Service is not supported on XHA in IPv6 networks.
- Cannot configure an IPv6 address on an NIC.

When I asked about DHCPv6, this was the tech support person's response: "What do you mean by DHCPv6?" And this coming from a DHCP/DNS appliance vendor. When I pointed them to the Wikipedia article, they came back and said they don't support it. When I asked for an ETA, they wrote back "I am sorry, but I don't have any ETA." I then asked if they support DNS over IPv6, and they wrote back "I am sorry but, we don't support DNS over IPv6."

So unless things have changed drastically from late October, it would appear that BlueCat's claims for IPv6 support are false.

Frank

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Church, Charles
Sent: Friday, January 15, 2010 9:10 AM
To: nsp-cisco
Subject: [c-nsp] OT - Infoblox vs. Bluecat

I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,

Chuck
[c-nsp] OT - Infoblox vs. Bluecat
I apologize for this being fairly OT for a Cisco list, but I figured someone on here has touched some DNS gear before. Anyone work with Infoblox and Bluecat, and run across a significant reason to choose one over another? I've googled, but most articles are 5 years or more old. Off-line responses encouraged. The planned use is for govt, so full access to the kernel is nice for hardening/verification. Also need TSIG, DNSSEC, and IPv6 support, which they both claim to have, as they're both based on recent bind. Secure mgmt such as SNMPv3, SSHv2, and SSL would be nice.

Thanks in advance,

Chuck
Re: [c-nsp] Cisco 2801 full bgp multihome
No. My 2821 running 12.4 mainline has 2 peers, has about 350 MB in use for everything. 512 really should be the minimum.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Benjamín Gálvez
Sent: Wednesday, January 06, 2010 11:03 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 2801 full bgp multihome

Hi,

Can Cisco 2801 with 256MB RAM can handle full BGP table (1-2 peers, multihome)?

Best regards
Benjamín
Re: [c-nsp] [Suspected Spam] Rmon checksum failed on WS-C4006
I seem to remember CatOS 7.x and above needing a ROMMON version of 6.x or above. I don't think your 5.4(1) will do it. It's a downloadable upgrade.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sony Scaria
Sent: Saturday, December 05, 2009 7:37 AM
To: cisco-nsp@puck.nether.net
Subject: [Suspected Spam][c-nsp] Rmon checksum failed on WS-C4006

Hi All,

I've observed "Rmon checksum failed" when I run sh ver on one of my CatOS switches. The system is stable for a long time and I did not observe any related logs. I had done some research, but couldn't gather any info on Rmon checksum.

cat4013 (enable) sh ver
WS-C4006 Software, Version NmpSW: 8.4(5)GLX
Copyright (c) 1995-2005 by Cisco Systems, Inc.
NMP S/W compiled on Jan 12 2005, 12:30:16
GSP S/W compiled on Jan 12 2005, 11:47:47

System Bootstrap Version: 5.4(1)

Hardware Version: 3.2  Model: WS-C4006  Serial #: FOXXX

Mod Port Model          Serial #    Versions
--- ---- -------------- ----------- ------------------
1   2    WS-X4013       JAB         Hw : 3.2
                                    Gsp: 8.4(5.0)
                                    Nmp: 8.4(5)GLX
2   48   WS-X4148-RJ    JABXXX      Hw : 3.0
3   48   WS-X4148-RJ    JABXXX      Hw : 3.0
4   48   WS-X4148-RJ    JABXXX      Hw : 3.0
5   48   WS-X4148-RJ    JABXXX      Hw : 3.0
6   48   WS-X4148-RJ    JAEXXX      Hw : 2.3

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      65536K  40542K  24994K  16384K  5760K   10624K  480K  402K  78K

Rmon checksum failed.

Uptime is 323 days, 10 hours, 34 minutes
---

cat4013 (enable) sh test
Diagnostic mode (mode at next reset:) complete

Environmental Status (. = Pass, F = Fail, U = Unknown, N = Not Present)
  PS1: .        PS2: .        PS3: .
  PS1 Fan: .    PS2 Fan: .    PS3 Fan: .
  PEM: N
  Fan Tray: .
  Temperature: .
  Chassis Temperature: 43 degC (110 degF)
  Over Temperature Threshold: 75 degC (167 degF)
  Critical Temperature Threshold: 95 degC (203 degF)

Module 1 : 2-port 1000BaseX Supervisor
  POST Results
  Network Management Processor (NMP) Status: (. = Pass, F = Fail, U = Unknown)
    Galaxy Supervisor Status : .
    CPU Components Status
      Processor : .
      DRAM : .
      RTC: .
      EEPROM : .
      FLASH : .
      NVRAM : .
      Temperature Sensor : .
    Uplink Port 1: .
    Uplink Port 2: .
    Me1 Status : .
    EOBC Status : .
    SCX1000 - 0 Register : .  Switch Sram: .
      Switch Gigaports 0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .
    SCX1000 - 1 Register : .  Switch Sram: .
      Switch Gigaports 0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .
    SCX1000 - 2 Register : .  Switch Sram: .
      Switch Gigaports 0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .

  GBIC Status: (. = Pass, F = Fail, N = No Gbic, X = Non-Gbic Port)
    Ports 1 2
          - -
          . .

cat4013 (enable)

Sony.
[c-nsp] New feature, can't find it documented - NTP using DNS
Hey all,

Ran across this by accident on a 871 running 12.4(24)T2:

DE-Atlanta(config)#ntp server ?
  A.B.C.D     IP address of peer
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information

DE-Atlanta(config)#ntp server ip ?
  WORD  Hostname of peer

DE-Atlanta(config)#ntp server ip pool.ntp.org ?
  burst    Send a burst when peer is reachable
  iburst   Send a burst when peer is unreachable
  key      Configure peer authentication key
  maxpoll  Maximum poll interval
  minpoll  Minimum poll interval
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
  <cr>

DE-Atlanta(config)#ntp server ip pool.ntp.org
Translating "pool.ntp.org"...domain server (12.127.16.67) [OK]

DE-Atlanta#sh run | i ntp
ntp server ip pool.ntp.org
ntp server 64.73.32.134
ntp server 207.46.197.32

DE-Atlanta#sh ntp ass
      address         ref clock       st   when   poll reach  delay  offset    disp
~38.229.71.1      192.168.0.16       2      3     64     7  0.000  658.174  1938.4
~64.73.32.134     4.213.182.128      2     40     64     3  0.000  665.796  3937.7
~207.46.197.32    169.229.70.64      3     44     64     3  0.000  655.923  3949.7
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
DE-Atlanta#

-

Been wanting this for years. Any idea what this feature is called? Didn't see anything in the release notes or feature navigator about it. Curious if it honors DNS TTLs, etc. I do see that it's negotiated V4 on these peers, but I don't think it's a function of NTP V4.

Thanks,

Chuck
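The 'show ntp associations' table Chuck pasted is the kind of output worth parsing when you monitor time sources: 'reach' is an octal shift register of the last eight polls (377 means all eight were answered), and the flag in column one says whether the peer was actually selected. The parser below is an added example, not from the original post or from IOS; it uses the pasted table as its sample input, and the health labels are my own.

```python
"""Parse IOS 'show ntp associations' and label peer health (added example)."""
from collections import Counter
from typing import Dict, List, NamedTuple

# Sample input: the table from the message above, copied as pasted.
SAMPLE = """\
      address         ref clock       st   when   poll reach  delay  offset    disp
~38.229.71.1      192.168.0.16       2      3     64     7  0.000  658.174  1938.4
~64.73.32.134     4.213.182.128      2     40     64     3  0.000  665.796  3937.7
~207.46.197.32    169.229.70.64      3     44     64     3  0.000  655.923  3949.7
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Column-one flag characters, as listed in the legend line of the output.
FLAGS = {"*": "sys.peer", "#": "selected", "+": "candidate",
         "-": "outlyer", "x": "falseticker", "~": "configured"}


class Peer(NamedTuple):
    flags: str       # one or more flag characters, e.g. "*~"
    address: str
    refclock: str
    stratum: int
    when: int        # seconds since last packet; -1 if IOS prints "-"
    poll: int
    reach: int       # decoded from the octal column
    delay: float
    offset: float
    dispersion: float


def parse_associations(text: str) -> List[Peer]:
    peers: List[Peer] = []
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, the header row, and the legend (the only row with commas)
        if not line or line.startswith("address") or "," in line:
            continue
        i = 0
        while i < len(line) and line[i] in FLAGS:
            i += 1
        flags, rest = line[:i], line[i:].split()
        if not flags or len(rest) != 9:
            continue
        address, refclock, st, when, poll, reach, delay, offset, disp = rest
        peers.append(Peer(flags, address, refclock, int(st),
                          int(when) if when.isdigit() else -1, int(poll),
                          int(reach, 8), float(delay), float(offset), float(disp)))
    return peers


def reach_history(reach: int) -> str:
    """Eight poll results, oldest first, '1' = answered (377 -> '11111111')."""
    return format(reach & 0xFF, "08b")


def peer_health(p: Peer) -> str:
    if p.reach == 0:
        return "unreachable"
    if "*" in p.flags:
        return "sys.peer"
    if p.reach != 0o377:
        return "warming-up"   # fewer than eight consecutive good polls so far
    return "reachable"


def summarize(text: str) -> Dict[str, int]:
    return dict(Counter(peer_health(p) for p in parse_associations(text)))


if __name__ == "__main__":
    for p in parse_associations(SAMPLE):
        print(f"{p.address:<16} st {p.stratum} reach {reach_history(p.reach)} "
              f"disp {p.dispersion:>7.1f}  {peer_health(p)}")
    print(summarize(SAMPLE))
```

In the pasted output all three peers have reach 7 or 3 (only the last two or three polls answered), zero measured delay and four-digit dispersion, which is what a freshly configured association looks like before the first eight polls complete; the parser labels them "warming-up" rather than broken.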
Re: [c-nsp] One-way traffic using L2TPv3
Hey all,

Just for the record, it seems my issue was tied into using an xconnect statement on a port on a 16 port ESW module, even though there was a 'no switchport' on there. Upgrading to 12.4(25b) didn't fix it, in fact, it made it worse, no traffic in either direction. But when I moved the xconnect to the built-in ethernet port, and used subints for VLANs, no issue, worked like it should.

P.S. Throughput seems pretty good. Random frame sizes (even dist) from 600 bytes to 1400 bytes (avoiding any fragmentation) had 95 mbit bi-directionally at 90% CPU on the 3660. All interrupt traffic.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Church, Charles
Sent: Wednesday, November 18, 2009 5:05 PM
To: nsp-cisco
Subject: [c-nsp] One-way traffic using L2TPv3

Anyone,

Labbing up L2TPv3 on a couple routers back to back, having some issues with just one way traffic. Topology looks like this:

Ixia(port3) --- Fa1/8(3660)Fa0/0 --- Fa0/0(3660)Fa1/8 --- (port4)Ixia

Both Ixia ports are sending traffic, but only port4 is receiving any traffic. Port Fa1/8 on the right 3660 shows packets coming in, but 'sh l2tun sess pack' on the right 3660 doesn't show any packets in, which the fa0/0 interface counters confirm. Any idea what would cause this one-way behavior? When I put the 4 ports in a bridge groups (Ieee), traffic flowed as expected, so I know the Ixia isn't to blame. Relevant config:

R3 (left)

l2tp-class testclass
 authentication
 password 7 05080F1C2243
!
pseudowire-class test-pclass
 encapsulation l2tpv3
 protocol l2tpv3 testclass
 ip local interface FastEthernet0/0
 ip pmtu
!
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
!
!
interface FastEthernet1/8
 no switchport
 no ip address
 no cdp enable
 xconnect 10.0.0.2 400 encapsulation l2tpv3 pw-class test-pclass
!

R4 (right)

l2tp-class testclass
 authentication
 password 7 05080F1C2243
!
pseudowire-class test-pclass
 encapsulation l2tpv3
 protocol l2tpv3 testclass
 ip local interface FastEthernet0/0
 ip pmtu
!
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.252
 ip flow ingress
 duplex auto
 speed auto
 hold-queue 150 out
!
!
interface FastEthernet1/8
 no switchport
 no ip address
 no cdp enable
 xconnect 10.0.0.1 400 encapsulation l2tpv3 pw-class test-pclass
!

Any ideas? IOS is 12.4(10) IK9S, platform is 3660.

Thanks,

Chuck
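Chuck's 'sh l2tun sess pack' counters are the receiver's view of the data plane that the xconnect above builds. In L2TPv3 over IP (RFC 3931, IP protocol 115) every data packet starts with a 32-bit Session ID, then an optional 0-, 4- or 8-byte cookie, then the Layer-2 payload (here, the Ethernet frame taken off Fa1/8); Session ID 0 is reserved for control messages. The receiver knows the expected cookie for each local session, so a packet whose cookie does not match is dropped before anything is forwarded onto the attachment circuit, which is what keeps a spoofed IP packet from being injected into the pseudowire. The decoder below is an added example, not IOS code and not from the original post; session IDs, cookies and payloads are constructed, and the optional L2-specific sublayer (used only when sequencing is on) is assumed absent.

```python
"""L2TPv3-over-IP data header decode with cookie enforcement (added example)."""
import hmac
import struct
from typing import Dict, Iterable, NamedTuple, Optional


class Session(NamedTuple):
    cookie: bytes   # b"" when the session was negotiated without a cookie


class DecodedFrame(NamedTuple):
    session_id: int
    cookie: bytes
    payload: bytes  # the encapsulated Layer-2 frame


# Constructed receiver-side table: local Session ID -> expected cookie.
# Real values are negotiated over the control channel; these are made up.
SESSIONS: Dict[int, Session] = {
    0x0000AA01: Session(cookie=bytes.fromhex("1122334455667788")),  # 8-byte cookie
    0x0000AA02: Session(cookie=b""),                                # no cookie
}


def build_data_packet(session_id: int, cookie: bytes, payload: bytes) -> bytes:
    """Sender side: Session ID, cookie, then the L2 frame (no L2-specific sublayer)."""
    if session_id == 0:
        raise ValueError("Session ID 0 is reserved for control messages")
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + payload


def decode_data_packet(pkt: bytes, sessions: Dict[int, Session]) -> Optional[DecodedFrame]:
    """Receiver side: return the frame to forward, or None when the packet must be dropped."""
    if len(pkt) < 4:
        return None                                # truncated header
    (sid,) = struct.unpack("!I", pkt[:4])
    if sid == 0:
        return None                                # control message, not data
    sess = sessions.get(sid)
    if sess is None:
        return None                                # no such local session
    clen = len(sess.cookie)
    cookie = pkt[4:4 + clen]
    # constant-time compare so a cookie guess cannot be timed byte by byte
    if len(cookie) != clen or not hmac.compare_digest(cookie, sess.cookie):
        return None
    return DecodedFrame(sid, cookie, pkt[4 + clen:])


def tally(pkts: Iterable[bytes], sessions: Dict[int, Session]) -> Dict[str, int]:
    """Counters in the spirit of 'show l2tun session packets': accepted vs dropped."""
    counts = {"accepted": 0, "dropped": 0}
    for p in pkts:
        counts["accepted" if decode_data_packet(p, sessions) else "dropped"] += 1
    return counts


if __name__ == "__main__":
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28
    good = build_data_packet(0x0000AA01, bytes.fromhex("1122334455667788"), frame)
    forged = build_data_packet(0x0000AA01, bytes.fromhex("1122334455660000"), frame)
    print(tally([good, forged], SESSIONS))   # forged cookie is dropped
```

A receiver that counts zero packets in while the underlying interface counts them arriving, as in Chuck's lab, is exactly the gap between "IP packet received" and "accepted into the session"; the tally above separates those two views.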
Re: [c-nsp] SUP2 boot problem
I think you'll get that kind of behavior if the flash card was formatted under CatOS. Get it booted into native IOS 12.2, then format the card under IOS, and re-copy the image to it. If it's formatted correctly, you should see some monlib info listed mentioning the version it was formatted under, etc.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jonas
Sent: Monday, November 16, 2009 1:20 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SUP2 boot problem

Hello,

I'm trying to upgrade an old SUP2. I can boot 12.1.27 from bootflash: without problem. When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.

System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory

Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Command error
complete on disk0:
open: read error...requested 0x4 bytes, got 0x
trouble reading device magic number
loadprog: error - on file open
boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"

Exit at the end of BOOT string
rommon 1 >

When I do reset from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again.

Any idea what can cause this?

/Jonas
Re: [c-nsp] SUP2 boot problem
Forgot to mention, 'sh flash all' will show you the monlib stuff.

Chuck

-----Original Message-----
From: Church, Charles
Sent: Monday, November 16, 2009 1:44 PM
To: 'Jonas'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] SUP2 boot problem

I think you'll get that kind of behavior if the flash card was formatted under CatOS. Get it booted into native IOS 12.2, then format the card under IOS, and re-copy the image to it. If it's formatted correctly, you should see some monlib info listed mentioning the version it was formatted under, etc.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jonas
Sent: Monday, November 16, 2009 1:20 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SUP2 boot problem

Hello,

I'm trying to upgrade an old SUP2. I can boot 12.1.27 from bootflash: without problem. When I do reload from IOS with 12.2.18 and boot from disk0: it will give the error below and stay in rommon. disk0: is a 64MB flash disk.

System Bootstrap, Version 7.1(1)
Copyright (c) 1994-2001 by cisco Systems, Inc.
c6k_sup2 processor with 262144 Kbytes of main memory

Autoboot executing command: "boot disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"
Command error
complete on disk0:
open: read error...requested 0x4 bytes, got 0x
trouble reading device magic number
loadprog: error - on file open
boot: cannot load "disk0:s222-adventerprisek9_wan-mz.122-18.SXF6.bin"

Exit at the end of BOOT string
rommon 1 >

When I do reset from rommon the SUP2 boots OK from the flash disk with 12.2.18. But not with reload inside IOS again.

Any idea what can cause this?

/Jonas
Re: [c-nsp] Different CPU load on two 7206VXR-NPEG2
The T2 router has vastly different queue sizes. It would appear that it has some type of QOS applied to it, where the other one doesn't. That would explain the additional CPU usage.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ruzhanskaya Olga
Sent: Tuesday, November 10, 2009 11:08 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Different CPU load on two 7206VXR-NPEG2

Hello List!

We have 2 7206VXR-NPEG2 routers in different towns (T1 and T2), with the same configuration template, same IOS - 12.2(31)SB11. Each of them has one interface for client's services termination; one for transport connection to core routers (P router). The challenge is: traffic load on T1 is twice as much as on T2, but the CPU load is almost the same.

Details:
1) There are the same number/load of Internet services with uRPF enabled on both routers
2) The same number of acls
3) In sh proc cpu sorted the main cycles are used for packet forwarding

--
Here are some outputs from T2 (less traffic, same CPU load), uplink, 5 minutes after cleared counters:

T2#sh int gi0/2 | i 30
  30 second input rate 459618000 bits/sec, 74812 packets/sec
  30 second output rate 276334000 bits/sec, 59440 packets/sec
T2#sh int gi0/2 | i queue
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/1000/0 (size/max total/drops)
T2#sh int gi0/2 | i queue
  Input queue: 0/1000/0/0 (size/max/drops/flushes); Total output drops: 0

Here are some outputs from T1 (more traffic, same CPU load), uplink, 5 minutes after cleared counters:

T1# sh int gi0/2 | i 30
  30 second input rate 780209000 bits/sec, 111772 packets/sec
  30 second output rate 356832000 bits/sec, 105820 packets/sec
T1# sh int gi0/2 | i queue
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
T1# sh int gi0/2 | i error
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 0 interface resets
--

Any suggestions are appreciated.

Best regards,
Olga
Re: [c-nsp] ISR G2 multicore?
Cool. Seems like the data and control planes would be a logical split. Can't imagine that IP input cares what BGP scanner is doing, or vice versa. Hope it works out.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Weathersby (jweather)
Sent: Tuesday, October 27, 2009 10:16 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ISR G2 multicore?

We're looking at several options for the multi-core CPU. Offloading specific features, management, apps, HA options. We've looked very closely at some of the other attempts to use multi-core processors across Cisco and are trying to learn from their experiences.

james
Re: [c-nsp] DWDM optics on 6500s
Thanks. I assume that even though the 6509-V-E is available, until the 80gig line cards and Sup are available, you'd be stuck at 40gig/slot?

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Monday, October 19, 2009 5:07 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DWDM optics on 6500s

It will shortly but it won't do you any good with the existing family of sups. The 2T will be the first (and last?) sup that can push the bandwidth to all those slots.

You can also reference the 6509-V-E...it's ready for 80gbps/slot. You can order that today. Note that it's a NEBS chassis.

tv

----- Original Message -----
From: Church, Charles <cchur...@harris.com>
To: Kevin Graham <kgra...@industrial-marshmallow.com>
Cc: cisco-nsp@puck.nether.net
Sent: Monday, October 19, 2009 1:12 PM
Subject: Re: [c-nsp] DWDM optics on 6500s

> Are you saying a 6513-E chassis exists? I can't find any reference to it. That would solve a few of the problems we currently have (density issue)
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Kevin Graham
> Sent: Monday, October 19, 2009 11:45 AM
> To: Nick Hilliard; mti...@globaltransit.net
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] DWDM optics on 6500s
>
>> As a side issue, there are electrical limitations imposed by the physical cross-bar unit inside the actual chassis, but I don't know how much of a problem these limitations are in practice.
>
> 6500E was the key for this. Besides nutty amounts of POE capacity, it also picked up improved backplane for 20g+ fabric and extending to all 11 LC slots in the 6513. (Still need to dig up details, as faster SSO time is also tied to chassis, though I can't recall why).
Re: [c-nsp] DWDM optics on 6500s
Are you saying a 6513-E chassis exists? I can't find any reference to it. That would solve a few of the problems we currently have (density issue)

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Kevin Graham
Sent: Monday, October 19, 2009 11:45 AM
To: Nick Hilliard; mti...@globaltransit.net
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DWDM optics on 6500s

> As a side issue, there are electrical limitations imposed by the physical cross-bar unit inside the actual chassis, but I don't know how much of a problem these limitations are in practice.

6500E was the key for this. Besides nutty amounts of POE capacity, it also picked up improved backplane for 20g+ fabric and extending to all 11 LC slots in the 6513. (Still need to dig up details, as faster SSO time is also tied to chassis, though I can't recall why).
Re: [c-nsp] Will UDLD work with converters ?
Definitely avoid aggressive mode with converters, unless you've got errdisable recovery timers enabled. Otherwise if you reload one side, the other side will stop receiving UDLD but its link is still up (from the converter), so it'll errdisable the port.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Friday, October 02, 2009 11:42 AM
To: Jeff Fitzwater
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Will UDLD work with converters ?

According to the doc if I am using a TX port the DEFAULT is UDLD DISABLED, so I have to enable it and also it states that I need to run in AGGRESSIVE MODE when using TX.

I think I read that correct!

Jeff

On Oct 2, 2009, at 11:30 AM, Jeff Fitzwater wrote:

> Why do you say TX does not support UDLD? The doc and port configs support it. Am I missing something?
>
> Jeff
>
> On Oct 2, 2009, at 11:14 AM, Nick Hilliard wrote:
>
>> [100% agreed on rant. ghods, it is so depressing to fork out for cisco optics and find that they don't work on other cisco gear].
>>
>> On 02/10/2009 15:27, Justin Shore wrote:
>>> Back to your question though, yes UDLD should work fine over MCs.
>>
>> as someone else noted, only for optical transceivers. TX does not support UDLD (which was what the original poster was wondering about).
>>
>> Nick
Re: [c-nsp] ospf hellos
So as long as your router is correctly mapping the IP PREC to the COS (802.1P field), it sounds like it might help. These are 802.1Q tagged packets on the wireless, right?

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jon Simola
Sent: Wednesday, September 23, 2009 1:13 PM
To: Rens
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ospf hellos

On Wed, Sep 23, 2009 at 7:35 AM, Rens r...@autempspourmoi.be wrote:

Is there a way to prioritize ospf hello packets with 802.1p?

They are by default. See http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094612.shtml

Cisco IOS assigns an IP precedence of 6 to routing protocol packets on the control plane. As noted by RFC 791, "The Internetwork Control designation is intended for use by gateway control originators only." Specifically, Cisco IOS marks these IP-based control packets: Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP) hellos, and keepalives. Telnet packets to and from the router also receive an IP precedence value of 6. The assigned value remains with the packets when the output interface transmits them into the network.

-- Jon

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
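Added example, not from the thread: the mapping Chuck is asking about. IOS already marks its own OSPF/EIGRP/RIP hellos with IP precedence 6, but on a router that marking does not reach the 802.1p bits unless something copies it into the dot1Q header on the way out. This is a class-based marking policy on an ISR-style router doing that; interface, VLAN and address are assumptions.

```ios
! Added example, not from the thread. Interface, VLAN and address are assumptions.
!
! Locally generated routing protocol packets (and Telnet to/from the router)
! already carry IP precedence 6. Match on that and copy it to the 802.1p
! CoS field of the dot1Q tag so the wireless bridge can queue on it.
class-map match-all CONTROL-PREC6
 match ip precedence 6
!
policy-map MARK-COS-TOWARD-WIRELESS
 class CONTROL-PREC6
  set cos 6
 class class-default
  set cos 0
!
interface GigabitEthernet0/1.10
 description dot1Q trunk toward wireless bridge
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ip ospf hello-interval 10
 service-policy output MARK-COS-TOWARD-WIRELESS
!
! Verification
! show policy-map interface GigabitEthernet0/1.10 output
!   (CONTROL-PREC6 packet counters should tick roughly once per hello)
! A capture on the bridge side should show PCP 6 in the 802.1Q tag of the
! OSPF hellos (224.0.0.5) and PCP 0 on everything else.
```

The marking only helps if the wireless bridge actually schedules on 802.1p; on a link that ignores the tag the hellos still queue behind bulk data, and the fix is a shaper on this router so the radio is never the congestion point.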
Re: [c-nsp] Enhanced download procedure
It looks like it needs unrestricted access so that it can access your file system, since it presents its own file-manager-looking thing so you can pick where to save the files. No way to know for sure though.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Hennigan
Sent: Tuesday, September 15, 2009 2:09 PM
To: Cisco Mailing list
Subject: Re: [c-nsp] Enhanced download procedure

Tassos Chatzithomaoglou wrote:

It should work after you allow it.

Why should I need to allow "Unrestricted access" to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASDM not working after upgrades
Can you HTTPS to the device using a normal browser and get the initial screen?

Chuck

----- Original Message -----
From: Leslie Meade lme...@signal.ca
To: cisco-nsp@puck.nether.net
Sent: Tuesday, August 11, 2009 2:30 PM
Subject: [c-nsp] ASDM not working after upgrades

I am getting the error of "Unable to launch device manager from 10.1.254.254". I have uploaded the correct files and changed the config to match:

ASA5540-01# sh run asdm
asdm image disk0:/asdm-621.bin
asdm location 10.1.6.25 255.255.255.255 inside
asdm history enable

ASA5540-01# sh run http
http server enable
http 10.1.6.0 255.255.255.0 inside

ASA5540-01# sh flash
--#-- --length-- -----date/time------ path
  131   11348300 Aug 11 2009 10:09:00 asdm-621.bin
  132   16275456 Aug 11 2009 10:10:10 asa821-k8.bin

If I roll back to the older code and ASDM it works fine. Any ideas?

Leslie

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] High Memory Usage due to NAT
Those are still pretty long timeouts. Can you reduce those? A minute for ICMP should be plenty. 2 minutes should be good for the other two. Machines infected with stuff could certainly be opening sessions that could be killed off quickly.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Thursday, July 23, 2009 12:12 PM
To: Cisco Mailing list
Subject: [c-nsp] High Memory Usage due to NAT

I'm facing a strange issue regarding the NAT. The problem statement is as below.

NAT configured on 3845 with 12.4.24 T ADV ENT SERVICES.

- Have got 64 /25 inside subnets to do the NAT with 64 live IPs, one each for each /25 inside subnet.
- I checked the processes and memory on a freshly loaded router, which comes out to be 49 MB of free memory.
- Started the NAT on the router with 8 of the /25 inside IP pools with policy NAT to 8 live IPs. The router within 3 hours hung due to no availability of free memory. Rebooted it and removed the NAT.
- Checked the Cisco website for NAT; it says 312 bytes per translation, that gives us around 3 MB for 1 translations. Checked the logs and found peak translations only to be 15000.
- Found that the problem was the NAT ACL with an "any" statement in the destination portion (extended one). Changed it to a standard ACL with no "any" statement.
- Reviewed and resumed the NAT on the router. It works now but it uses around 20 MB of memory for just 1 translation entries.
- Checked the UDP, TCP and ICMP timeouts. Limited UDP to 4 mins, TCP to 25 mins and ICMP to 5 mins. Was able to free only 2 MB or so from 20 MB.
- Changed the IOS from ADV ENT SERVICES to IP Base to get rid of unwanted processes and services, as the main aim of this router is to run NAT.
- Freshly loaded router gave me 120 MB of free space and I was happy now to test out the things.
- Again started the NAT for 8 pools of /25 inside subnets with 8 live IPs (policy NAT).
- At 25000 translations it eats up memory of around 24 MB.
- Turned off Virtual Reassembly as it was reaching the threshold very often.
- Migrated another 8 pools of /25, which comes to a total of 16 /25 inside subnets, and free memory left is 64 MB, with the peak translations up to 42000 and active translations 15000 on average.
- It often gives the I/O memory errors too (with only 16 /25 pools configured on it).
- All this stuff works fine with a Netscreen firewall overloaded with only 4 IPs for all 64 /25 pools. (Does Netscreen have an edge over Cisco when it comes to NAT??) I wonder..!

If Cisco says that only 312 bytes are required for storing a single translation, why am I not able to free my DRAM memory? Tried my luck with everything. Need some expert advice on this to figure out the high memory usage of NAT.

NOTE: Only default routing and no other services are used on the router apart from Netflow.

Thanks in Advance
Regards
Ronnie

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
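Added example, not from the thread: the timeouts Chuck suggests (60 s ICMP, 120 s UDP and TCP) written out as IOS NAT configuration, plus the per-host translation cap that addresses his "machines infected with stuff" point directly, so one scanning host cannot fill the table for everyone. The numeric caps and the verification commands are my assumptions, not values from Ronnie's router.

```ios
! Added example, not from the thread. The 60/120 s values are Chuck's suggestion;
! the caps and the other timers are assumed starting points.
!
! Idle timeouts. Abandoned flows age out instead of sitting in DRAM for hours.
ip nat translation icmp-timeout 60
ip nat translation udp-timeout 120
ip nat translation tcp-timeout 120
ip nat translation dns-timeout 30
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
!
! Hard caps. A worm-infected or port-scanning inside host opens thousands of
! half-open translations per minute; without a per-host limit it exhausts the
! table (and the pool) for every other host behind the same global address.
ip nat translation max-entries 30000
ip nat translation max-entries all-host 300
!
! Verification
! show ip nat statistics
!   (Total active translations, and hits/misses to see churn)
! show ip nat translations verbose
!   (per-entry "left" time; long-idle TCP entries mean the timeout is too generous)
! show ip nat translations | include 172.16.1.23
!   (count one suspect inside host's entries; hundreds of distinct outside
!    addresses on one port range is a scanner, not a browser)
```

The caveat on the 120 s TCP timeout: it also expires legitimately idle TCP sessions that send no keepalives, so an SSH or RDP session through this NAT that sits quiet for two minutes will break. Keep that value if the box is a pure customer-Internet NAT, raise it for anything carrying long-lived management sessions, and rely on the per-host cap rather than the timeout to contain infected machines.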
Re: [c-nsp] Strange NAT and DHCP Problem
Did you try "ip dhcp bootp ignore"?

Chuck

-----Original Message-----
From: Andy Saykao [mailto:andy.say...@staff.netspace.net.au]
Sent: Tuesday, July 21, 2009 12:45 AM
To: Church, Charles; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Strange NAT and DHCP Problem

Hi Charles,

Tried what you suggested but no go.

no ip bootp server
clear ip dhcp binding IP

Client has obtained an infinite lease again.

172.16.75.119    0021.e9a0.777c    Infinite    Automatic

Cheers.
Andy

-----Original Message-----
From: Church, Charles [mailto:cchur...@harris.com]
Sent: Monday, 20 July 2009 10:12 PM
To: Andy Saykao; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Strange NAT and DHCP Problem

The infinite DHCP entry is probably a BOOTP client, which doesn't have the concept of a lease. There are knobs (ip dhcp bootp ignore) that can turn off bootp, and only allow DHCP. I think by default, it'll service both.

Chuck

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Strange NAT and DHCP Problem
Sorry, replied too quickly. Can't think of any other workaround then.

Chuck

-----Original Message-----
From: Andy Saykao [mailto:andy.say...@staff.netspace.net.au]
Sent: Tuesday, July 21, 2009 1:47 AM
To: Church, Charles; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Strange NAT and DHCP Problem

Found a similar post on NSP in Feb 2009.
http://www.gossamer-threads.com/lists/cisco/nsp/103408

Need the command "ip dhcp bootp ignore" but this isn't supported on the 7600.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftdbootp.html#wp1026678

Cheers.
Andy

-----Original Message-----
From: Andy Saykao
Sent: Tuesday, 21 July 2009 2:45 PM
To: 'Church, Charles'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Strange NAT and DHCP Problem

Hi Charles,

Tried what you suggested but no go.

no ip bootp server
clear ip dhcp binding IP

Client has obtained an infinite lease again.

172.16.75.119    0021.e9a0.777c    Infinite    Automatic

Cheers.
Andy

-----Original Message-----
From: Church, Charles [mailto:cchur...@harris.com]
Sent: Monday, 20 July 2009 10:12 PM
To: Andy Saykao; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Strange NAT and DHCP Problem

The infinite DHCP entry is probably a BOOTP client, which doesn't have the concept of a lease. There are knobs (ip dhcp bootp ignore) that can turn off bootp, and only allow DHCP. I think by default, it'll service both.

Chuck
___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Strange NAT and DHCP Problem
The infinite DHCP entry is probably a BOOTP client, which doesn't have the concept of a lease. There are knobs (ip dhcp bootp ignore) that can turn off bootp, and only allow DHCP. I think by default, it'll service both.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andy Saykao
Sent: Monday, July 20, 2009 3:49 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Strange NAT and DHCP Problem

Hi All,

Just a few questions about DHCP and some strange NAT entries.

1/ What can cause this strange NAT entry where there's no protocol, outside local/global defined??? I'm always seeing it in the NAT table.

core2#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 210.15.240.8       172.16.75.111      ---                ---

Seems to be giving me a warning message whenever it can't use the inside global IP when there are active translations in place:

%IPNAT-4-ADDR_ALLOC_FAILURE: Address allocation failed for 172.16.75.111, pool NAT-POOL might be exhausted

2/ How is it possible that a DHCP client (172.16.75.113) has been able to have their lease expiration time set to infinite when I haven't set any lease time within the DHCP config, so it should default to 1 day (see below)?

3/ Any reasons why a DHCP client might prefer to send their own Client-ID (0065) instead of their MAC address, as shown for 172.16.75.111? (see below)

core2#sh ip dhcp binding
IP address       Client-ID/         Lease expiration        Type
                 Hardware address
172.16.75.111    0065               Jul 21 2009 05:34 PM    Automatic
172.16.75.113    0021.e9a0.777c     Infinite                Automatic

The DHCP config is pretty straightforward:

ip dhcp pool Wireless-512b
 network 172.16.75.0 255.255.255.0
 domain-name netspace.net.au
 default-router 172.16.75.1
 dns-server 210.15.254.240 210.15.254.241

Running on Cisco 7606 with IOS 12.2(18)SXF11.

Thanks.
--
Regards,
Andy Saykao
Systems Administrator
Netspace Online Systems Pty Ltd
Phone : 03 9811 0049
Mobile : 0401 422 406
Fax : 03 9811 0044
E-Mail : andy.say...@staff.netspace.net.au

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Shaping and dialer ints 12.4(24)T vs. 15T8
Can anyone confirm for me if some shaping and/or NBAR bugs were fixed between 24T and older 15T7 or T8? Platform is 870, interface is Ethernet doing PPPoE to upstream DSL modem. Under 15T, a policy applied to the physical Ethernet int that looked like this:

class-map match-any Hi-Priority
 match protocol rtp
 match protocol sip
 match protocol ssh
!
policy-map Shape-Out
 class Hi-Priority
  priority 200
 class class-default
  shape average 2048000

didn't seem to have any effect on locally-originated traffic (no matches on SSH), nor did the shaping on class-default seem to work. End result was traffic was sent without shaping, SSH wasn't prioritized, and remote access to the router sucked! I figured it was just the way it worked, figured you had to apply something to the dialer int. But can't do GTS on that int. Figured I'd try a later IOS, tried 24T, and it seems to work fine. Matching SSH, and the class-default counters seem fine now. Nothing appears to be needed on the dialer int after all. Just wondering if that's indeed the cause.

Thanks,
Chuck

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] WS-X6148-RJ21 Ethernet Modules
My biggest comments surround insuring that they're supported in recent software. Cisco pulled some hardware support in the SXI - SXI1 rebuild.

Didn't know about that. Thought SXH and SXI had the same HW support. Are there release notes for SXI1 up yet?

Chuck

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] basic nat question
What's the purpose of having those additional addresses bound as secondaries? It's not needed for NAT.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ryan Goldberg
Sent: Thursday, June 04, 2009 8:17 AM
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] basic nat question

I really did *not* want my first post to cisco-nsp to be this lame, but... if you have second-

got an 1841 out there, with x.x.x.161/29 bound on the internet facing port, and .163, .164, .165 also bound as secondaries. need to do some static nat, but only the entries for the primary IP work, eg

ip nat inside source static tcp 192.168.1.103 110 x.x.x.161 110 vrf ISP2 extendable

works just fine

ip nat inside source static tcp 192.168.1.156 443 x.x.x.163 110 vrf ISP2 extendable

does not work

a clue that I'm unable to make use of is the traffic that I send to the secondary comes back from the primary according to the nat trans table, and as verified by packet capture

any help you could provide would be hugely appreciated

running 12.4.24T..

Thanks-
Ryan

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] QoS and VLAN
Steve,

You have an example of this? I've found on the platforms I work on most that you can't use any LLQ (priority keyword) on a subint. So I've put a policy handling the priority stuff on the main int, and then the other shaping/policing stuff on the subint, but have always questioned its effectiveness, or the order of operation for traffic, whether it hits the subint policy first, or the main int one.

Thanks,
Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steve McCrory
Sent: Wednesday, April 29, 2009 12:40 PM
To: Jay Nakamura; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] QoS and VLAN

Have you tried implementing Modular QoS CLI (MQC) using service policies? I haven't worked on the 7500 platform but we have successfully applied QoS for VoIP on subinterfaces on the 7200 series routers. It should be noted that on sub-interfaces, you need a parent service policy to shape traffic to a particular level and then a child service policy which will carry out the actual QoS markings/prioritizations within the shaped allowance.

Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Nakamura
Sent: 29 April 2009 16:36
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QoS and VLAN

We have several customers coming in on Ethernet. They are connected to an L2 switch and trunked into a 7500 router via VLAN. This has worked fine so far with the use of rate-limit on the sub-interface. Most customers have 5~10mbps. However, we are increasingly needing QoS so VoIP traffic does not drop when data traffic bursts. The only workaround I know how to do is to give a separate rate-limit based on IP address, since most of the time VoIP has a separate gateway on the customer side than the data firewall.

Classification of the traffic is not a problem. The issue is, how do you give VoIP traffic priority over data traffic on an Ethernet sub-interface? Is there a good way to implement this on a 7500? If not, what Cisco hardware will work? We are on a tight budget and the number of clients is small (a dozen or so). Would going with an L3 switch be better? If so, what model?

Thanks!

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

NetServices plc, Company No. 4178393, Registered Office: NetServices House, 31 Modwen Road, Waters Edge Business Park, SALFORD, M5 3EZ
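Added example, not from the thread: the parent-shaper / child-LLQ structure Steve describes, written out as IOS MQC for one customer sub-interface. It is also the answer to Chuck's question: the priority queue lives in the child policy and is scheduled inside the parent shaper on the sub-interface, so nothing has to go on the main interface. Interface, VLAN, address, rate and marking values are assumptions.

```ios
! Added example, not from the thread. Interface, VLAN, address, rate and
! DSCP values are assumptions.
!
! Classification: Jay says this part is not the problem; EF/precedence 5 is
! what most VoIP gateways mark.
class-map match-any VOICE
 match ip dscp ef
 match ip precedence 5
!
! Child: the priority queue (kbps, policed to this rate under congestion)
! and fair queuing for everything else.
policy-map CUSTOMER-CHILD
 class VOICE
  priority 1000
 class class-default
  fair-queue
!
! Parent: shape to the customer's purchased rate (bps). Without this shaper
! the sub-interface owns no queue of its own and "priority" is rejected;
! the shaper creates the queue that the child policy then schedules.
policy-map CUSTOMER-10M
 class class-default
  shape average 10000000
  service-policy CUSTOMER-CHILD
!
interface FastEthernet1/0/0.201
 description Customer A, 10 Mbps with voice LLQ
 encapsulation dot1Q 201
 ip address 203.0.113.1 255.255.255.252
 service-policy output CUSTOMER-10M
!
! Verification
! show policy-map interface FastEthernet1/0/0.201 output
!   (VOICE counters under the child confirm voice is landing in the LLQ;
!    the parent's shaper counters show data being delayed, not dropped)
```

Replace the existing rate-limit on the sub-interface with the shaper rather than stacking the two; CAR drops before the shaper ever queues anything, so with both in place the priority queue never gets a chance to do its job.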
Re: [c-nsp] question about SSO
Unless there are DFCs involved, I would expect a tiny delay when the linecards switch over to the other PFC. I thought Cisco promised failover times of a second or two with SSO on a 6500. I think you're seeing what you should.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Neil d
Sent: Tuesday, April 28, 2009 2:51 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] question about SSO

Hi everyone,

I have a 7609s with 2 sup720, working in SSO mode. Now when the sup switches over, according to Cisco documentation, layer 2 traffic shouldn't be interrupted, but I noticed there's a roughly 0.6s gap in packet loss (traffic is in/out the same router, no other router involved). Is this normal? I was thinking the forwarding plane is not affected by the redundancy switchover command. Maybe I'm wrong?

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3750 High Cpu IP Input
Just curious. What kind of PPS was this multicast traffic? Was the fact that it was multicast the big issue, or just the TTL itself?

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane
Sent: Friday, April 24, 2009 10:07 AM
To: Lee
Cc: Richard Gallagher; cisco-nsp
Subject: Re: [c-nsp] 3750 High Cpu IP Input

interface Vlan217
 description CUSTOMER A
 ip address x.x.x.x.x
 ip access-group 178 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip multicast ttl-threshold 3

sh proc cpu
CPU utilization for five seconds: 92%/51%; one minute: 92%; five minutes: 92%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
   9 14412 39169367 0.95% 0.19% 0.08% 0 ARP Input
  51 155152901076172 2.55% 0.92% 0.93% 0 Fifo Error Detec
  67 12541522329 24 0.15% 0.07% 0.05% 0 HLFM address ret
 115 622003413812 1503 7.34% 7.52% 7.49% 0 Hulc LED Process
 136 166229 17815 9330 0.63% 0.60% 0.60% 0 PI MATM Aging Pr
 168 5892258 12519191470 25.23% 23.54% 24.45% 0 IP Input
 171 32572 45322718 0.15% 0.13% 0.12% 0 Spanning Tree

thanks for input

2009/4/24 Lee ler...@gmail.com

These TTL=1 are causing the high CPU.

Just out of curiosity, would adding "ip multicast ttl-threshold 3" and/or "no ip unreachable" on the interface reduce CPU usage?

Lee

On 4/24/09, Richard Gallagher rgall...@cisco.com wrote:

Input queue was full of packets like this:

Buffer information for RxQ3 buffer at 0x2E792F0
 data_area 0x7BB2AB0, refcount 1, next 0x2E7E210, flags 0x200
 linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
 if_input 0x3ABBAE0 (Vlan217), if_output 0x0 (None)
 inputtime 00:00:00.000 (elapsed never)
 outputtime 00:00:00.000 (elapsed never), oqnumber 65535
 datagramstart 0x7BB2AF6, datagramsize 82, maximum size 2196
 mac_start 0x7BB2AF6, addr_start 0x7BB2AF6, info_start 0x0
 network_start 0x7BB2B04, transport_start 0x7BB2B18, caller_pc 0x6D1024
 source: 74.212.165.187, destination: 224.0.0.252, id: 0x3CDA, ttl: 1, TOS: 0 prot: 17, source port 58064, destination port 5355

Buffer information for RxQFB buffer at 0x2672BB0
 data_area 0x758C35C, refcount 1, next 0x263960C, flags 0x200
 linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
 if_input 0x3ABBAE0 (Vlan217), if_output 0x0 (None)
 inputtime 00:00:00.000 (elapsed never)
 outputtime 00:00:00.000 (elapsed never), oqnumber 65535
 datagramstart 0x758C3A2, datagramsize 64, maximum size 2196
 mac_start 0x758C3A2, addr_start 0x758C3A2, info_start 0x0
 network_start 0x758C3B0, transport_start 0x0, caller_pc 0x6D1024
 source: 74.212.165.187, destination: 224.0.0.252, id: 0x3CDA, ttl: 1, TOS: 0 prot: 17, source port 58064, destination port 5355

These TTL=1 are causing the high CPU.

On 24 Apr 2009, at 14:26, Chris Lane wrote:

Richard Gallagher found that it was one of my customers sending mcast packets with a TTL 1. Tried adding ACLs to lower CPU but this didn't fix it. We shut down the Vlan to verify and CPU came down 40% to adequate levels. I have a call in to our customer notifying them to fix. Thanks to all for your input.

Regards
Chris

2009/4/24 Chris Lane clane1...@gmail.com

Yes with a high preference.

2009/4/24 junior drr...@ya.ru

Hello. Does this switch have a default route?

Chris Lane wrote:

sh ip traffic
IP statistics:
  Rcvd:  37788273 total, 24253 local destination
         0 format errors, 0 checksum errors, 9771492 bad hop count
         0 unknown protocol, 27979860 not a gateway
         0 security failures, 0 bad options, 7762670 with options
  Opts:  0 end, 0 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 0 record route
         0 stream ID, 0 strict source route, 7762670 alert, 0 cipso, 0 ump
         0 other
  Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
         0 fragmented, 0 couldn't fragment
  Bcast: 2884 received, 87 sent
  Mcast: 2334 received, 2209 sent
  Sent:  24621 generated, 8328118 forwarded
  Drop:  4258 encapsulation failed, 0 unresolved, 83 no adjacency
         69 no route, 0 unicast RPF, 0 forced drop
         0 options denied, 0 source IP address zero

ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
        9560 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp, 0 info request, 0 other
        0 irdp solicitations, 0 irdp advertisements
  Sent: 0 redirects, 3129 unreachable, 0 echo, 9560 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp
        0 info reply, 47 time exceeded, 0 parameter problem
        0 irdp solicitations, 0 irdp advertisements

TCP statistics:
  Rcvd: 7710
Re: [c-nsp] T3 or Ethernet delivery?
-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
Sent: Wednesday, April 08, 2009 3:15 AM
To: cisco-nsp
Subject: [c-nsp] T3 or Ethernet delivery?

How do you detect a down condition on Ethernet? My experience is that the interface could be up/up because Ethernet doesn't know about anything further down the line and ends up throwing packets into a magical black hole. Or worse, secret packet loss.

Object tracking can take care of this. Or a dynamic routing protocol (no connectivity, no neighbor). You just need to be more careful in your QoS. A routed Ethernet port has far more flexibility than a simple switch port on most platforms. You'll probably want to shape/police your traffic outbound if your provided BW is exactly 10, 100, or gig.

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
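Added example, not from the thread: the object tracking the reply mentions, plus the outbound shaper, as IOS configuration on an ISR-class router. The default route via the Ethernet handoff stays installed only while the provider's next hop answers probes, so an up/up port that black-holes traffic is withdrawn and a floating static takes over. Addresses are RFC 5737 documentation ranges; interface names, the 20 Mbps rate and the timers are assumptions, and the `ip sla` / `track ... ip sla` keywords assume 12.4(20)T or later (older images spell them `ip sla monitor` and `track ... rtr`).

```ios
! Added example, not from the thread. Addresses, interfaces, rates and timers
! are assumptions.
!
! 1. Probe the provider's side of the Ethernet handoff every 5 seconds.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
 threshold 800
ip sla schedule 10 life forever start-time now
!
! 2. Track reachability, damped so one lost echo does not flap the route.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! 3. Primary default via the Ethernet circuit, conditional on the track.
!    Floating static via the T3 (or whatever the backup is) takes over
!    when the track goes down; its AD of 250 keeps it out of the table
!    while the Ethernet path is healthy.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 Serial1/0 250
!
! 4. Shape to the purchased rate. The port will otherwise burst at line
!    rate and let the provider's policer discard the excess, which shows up
!    as the "secret packet loss" Seth describes.
policy-map SHAPE-TO-CIR
 class class-default
  shape average 20000000
!
interface GigabitEthernet0/0
 description Ethernet handoff, 20 Mbps CIR
 ip address 203.0.113.2 255.255.255.252
 service-policy output SHAPE-TO-CIR
!
! Verification
! show track 10                 (Reachability is Up/Down, and the last change time)
! show ip sla statistics 10     (successes, failures, RTT)
! show ip route 0.0.0.0         (which default is in the table right now)
```

Probing the first hop only proves the first hop; a failure further into the provider's network leaves the route up. Probing something deeper (a provider DNS server, for instance) catches that, but then an unrelated outage of that target fails over a perfectly good circuit, so pick the target to match the failure you actually want to react to.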
Re: [c-nsp] C2800 IP Base and IP SLA / RTR
Definitely need to check Feature Navigator. We found this same thing out. IP Base on 2600-2800 does not equal IP Base on small switches or 7200s. 'IP SLA...' is the feature to look for.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Tuesday, March 31, 2009 9:04 AM
To: cisco-nsp
Subject: Re: [c-nsp] C2800 IP Base and IP SLA / RTR

We have 7200VXR with c7200-is-mz.124-13b.bin which does support IP SLA, but I don't know if the same IOS version on a different platform may not have it. I think also IP Advanced Services supports IP SLA; if it's cheaper than Enterprise then you could go for it.

Hope this helps
Ziv

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Tuesday, March 31, 2009 3:51 PM
To: cisco-nsp
Subject: [c-nsp] C2800 IP Base and IP SLA / RTR

Hello,

We're about to buy and set up a new batch of IP SLA/RTR units and are looking at the C2800 for the purpose. I can see from FN that IP Base apparently doesn't do IP SLA/RTR, and that we have to get Enterprise Base for that. Can this be true? I only have C2800 Enterprise Base in production right now, but we have a lot of C2600 IP Feature Set (12.3(26)) routers doing RTR now. Do we have to shell out the extra ££ for the Enterprise Base or does anyone have any other ideas for rack mountable RTR units?

Thank you.

Regards,
Peter

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OSPF and iBGP session drops between 3640s
That 12.4(3) IOS is pretty old. Trying a newer one might help, as you're vulnerable to many things. It's possible there are bugs you're hitting that are affecting performance. If you could consolidate some things, that may help. You're matching RTP, but also matching packet length, that might be overkill. The fast hellos for OSPF probably aren't helping either. Another thought might be to score a 2950 or 3550 L2 switch, and put that in place of the 2924. Then move all the ACls to that, as it can do them in hardware. You could probably do a little buffer tuning, middle ones look pretty ugly. Probably not long term solution. I think MCQ is more efficient than CAR, might want to move to that completely. Chuck -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Robert Johnson Sent: Tuesday, March 24, 2009 10:55 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] OSPF and iBGP session drops between 3640s Hello list, I have a small network with four 3640s. Each router has 128/32MB ram, and a single FE interface connected to a catalyst 2924. Two of the routers are running BGP, each with a session to a (single) other provider, and a session between themselves. These are not carrying full tables. All four routers are running OSPF between each other. The problem is that occasionally (from once a week to 3x/day) OSPF neighbor relationships will bounce due to hello timers expiring. Just recently the iBGP session between two of the routers also bounced. There do not appear to be any layer 1 or 2 connectivity problems that would cause this behavior. However, CPU usage on the 3640s seems high- 30% sustained and up to 90% peak, with only 1-2k max PPS. Also, I'm seeing buffer misses and failures. CEF is enabled. There are several relatively long access lists that are being processed, and the routers are doing QoS classifying and tagging at layers 2 and 3 for VoIP performance. 
Without any major hardware changes, where do I begin here? Thanks in advance.

The fun stuff (sho buffers, sho proc cpu hist, sho proc cpu, sho run):

router1#sho buffers
Buffer elements:
     1118 in free list (500 max allowed)
     707983613 hits, 0 misses, 1119 created

Public buffer pools:
Small buffers, 104 bytes (total 78, permanent 50, peak 104 @ 4w0d):
     42 in free list (20 min, 150 max allowed)
     18990955 hits, 3598 misses, 4408 trims, 4436 created
     312 failures (0 no memory)
Middle buffers, 600 bytes (total 25, permanent 25, peak 176 @ 7w0d):
     22 in free list (10 min, 150 max allowed)
     651012877 hits, 12602 misses, 30744 trims, 30744 created
     2744 failures (0 no memory)
Big buffers, 1536 bytes (total 50, permanent 50, peak 63 @ 2d19h):
     50 in free list (5 min, 150 max allowed)
     4658228 hits, 1005 misses, 102 trims, 102 created
     936 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 10, permanent 10, peak 12 @ 7w0d):
     10 in free list (0 min, 100 max allowed)
     129 hits, 807 misses, 13 trims, 13 created
     807 failures (0 no memory)
Large buffers, 5024 bytes (total 1, permanent 0, peak 3 @ 7w0d):
     1 in free list (0 min, 10 max allowed)
     14 hits, 793 misses, 2764 trims, 2765 created
     793 failures (0 no memory)
Huge buffers, 18024 bytes (total 1, permanent 0, peak 3 @ 7w0d):
     1 in free list (0 min, 4 max allowed)
     16 hits, 779 misses, 3858 trims, 3859 created
     778 failures (0 no memory)

Interface buffer pools:
CD2430 I/O buffers, 1536 bytes (total 0, permanent 0):
     0 in free list (0 min, 0 max allowed)
     0 hits, 0 fallbacks

Header pools:
Header buffers, 0 bytes (total 265, permanent 256, peak 265 @ 7w0d):
     9 in free list (10 min, 512 max allowed)
     253 hits, 3 misses, 0 trims, 9 created
     0 failures (0 no memory)
     256 max cache size, 256 in cache
     7674266 hits in cache, 0 misses in cache

Particle Clones:
     1024 clones, 0 hits, 0 misses

Public particle pools:
F/S buffers, 256 bytes (total 384, permanent 384):
     128 in free list (128 min, 1024 max allowed)
     256 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
     256 max cache size, 256 in cache
     0 hits in cache, 0 misses in cache
Normal buffers, 1548 bytes (total 512, permanent 512):
     384 in free list (128 min, 1024 max allowed)
     21114 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
     128 max cache size, 128 in cache
     0 hits in cache, 0 misses in cache

Private particle pools:
IDS SM buffers, 240 bytes (total 128, permanent 128):
     0 in free list (0 min, 128 max allowed)
     128 hits, 0 fallbacks
     128 max cache size, 128 in cache
     0 hits in cache, 0 misses in cache
FastEthernet0/0 buffers, 1548 bytes (total 192, permanent 192):
     0 in free list (0 min, 192 max allowed)
     192 hits, 0 fallbacks
     192 max cache size, 128 in cache
     694772430 hits in cache, 20986 misses in cache

router1#sho proc cpu hist
router1 02:40:53
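Chuck's "middle ones look pretty ugly" is a judgement read straight off the counters above. The following is an added example, not something posted in the thread: a small parser for the public-pool section of IOS 'show buffers' that pulls out each pool's counters and ranks the pools that are refusing requests. The SAMPLE text is the Small/Middle/Big block from Robert's router1 output on this page, re-split one counter group per line; nothing else is assumed.

```python
"""Parse Cisco IOS 'show buffers' public-pool output and rank the pools
that are failing requests.  Added example, not part of the list thread.
SAMPLE is the Small/Middle/Big pool block from the router1 output posted
in this thread, re-split so each counter group sits on its own line."""
import re
from dataclasses import dataclass
from typing import List, Optional

POOL_RE = re.compile(
    r"^(?P<name>\w+) buffers, (?P<size>\d+) bytes "
    r"\(total (?P<total>\d+), permanent (?P<permanent>\d+)"
    r"(?:, peak (?P<peak>\d+) @ \S+)?\):$"
)
FREE_RE = re.compile(
    r"^(?P<free>\d+) in free list \((?P<min>\d+) min, (?P<max>\d+) max allowed\)$"
)
HITS_RE = re.compile(
    r"^(?P<hits>\d+) hits, (?P<misses>\d+) misses"
    r"(?:, (?P<trims>\d+) trims, (?P<created>\d+) created)?$"
)
FAIL_RE = re.compile(r"^(?P<failures>\d+) failures \((?P<nomem>\d+) no memory\)$")


@dataclass
class Pool:
    name: str
    size: int
    total: int
    permanent: int
    peak: Optional[int]
    free: int = 0
    min_free: int = 0
    max_allowed: int = 0
    hits: int = 0
    misses: int = 0
    trims: int = 0
    created: int = 0
    failures: int = 0
    no_memory: int = 0

    @property
    def churn(self) -> int:
        # Buffers grown on demand and trimmed again later.  A churn figure
        # far above 'permanent' means the pool keeps resizing under load.
        return self.trims + self.created

    @property
    def miss_rate(self) -> float:
        requests = self.hits + self.misses
        return self.misses / requests if requests else 0.0


def parse_show_buffers(text: str) -> List[Pool]:
    """Return one Pool per '<Name> buffers' block, in order of appearance."""
    pools: List[Pool] = []
    cur: Optional[Pool] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            cur = Pool(name=m["name"], size=int(m["size"]), total=int(m["total"]),
                       permanent=int(m["permanent"]),
                       peak=int(m["peak"]) if m["peak"] else None)
            pools.append(cur)
            continue
        if cur is None:
            continue  # 'Buffer elements' and section headers precede any pool
        if m := FREE_RE.match(line):
            cur.free, cur.min_free, cur.max_allowed = (int(m[k]) for k in ("free", "min", "max"))
        elif m := HITS_RE.match(line):
            cur.hits, cur.misses = int(m["hits"]), int(m["misses"])
            if m["trims"]:
                cur.trims, cur.created = int(m["trims"]), int(m["created"])
        elif m := FAIL_RE.match(line):
            cur.failures, cur.no_memory = int(m["failures"]), int(m["nomem"])
    return pools


def flag_pools(pools: List[Pool]) -> List[str]:
    """Names of pools that refused requests, worst first.  A 'failure' is a
    request the router could not satisfy even after trying to grow the
    pool, so these are the pools to look at first when tuning."""
    bad = [p for p in pools if p.failures > 0]
    return [p.name for p in sorted(bad, key=lambda p: p.failures, reverse=True)]


# Taken from the router1 'sho buffers' output in this thread.
SAMPLE = """\
router1#sho buffers
Buffer elements:
     1118 in free list (500 max allowed)
     707983613 hits, 0 misses, 1119 created
Public buffer pools:
Small buffers, 104 bytes (total 78, permanent 50, peak 104 @ 4w0d):
     42 in free list (20 min, 150 max allowed)
     18990955 hits, 3598 misses, 4408 trims, 4436 created
     312 failures (0 no memory)
Middle buffers, 600 bytes (total 25, permanent 25, peak 176 @ 7w0d):
     22 in free list (10 min, 150 max allowed)
     651012877 hits, 12602 misses, 30744 trims, 30744 created
     2744 failures (0 no memory)
Big buffers, 1536 bytes (total 50, permanent 50, peak 63 @ 2d19h):
     50 in free list (5 min, 150 max allowed)
     4658228 hits, 1005 misses, 102 trims, 102 created
     936 failures (0 no memory)
"""

if __name__ == "__main__":
    for p in parse_show_buffers(SAMPLE):
        print(f"{p.name:<7} permanent={p.permanent:<4} peak={p.peak:<4} "
              f"failures={p.failures:<5} churn={p.churn:<6} miss_rate={p.miss_rate:.2%}")
    print("tune first:", flag_pools(parse_show_buffers(SAMPLE)))
```

The Middle pool stands out on every counter: 25 permanent buffers against a peak of 176, over 60,000 grow/trim operations and 2,744 refused requests, which is the pattern that a higher permanent count is meant to remove.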
Re: [c-nsp] Changing SSH Port on IOS
I use it on some managed routers sitting on other ISP networks. We allow access via the access class from the ISPs that us admins have home accounts on, in addition to the block dedicated to the company that manages them. If we get more than 3 failed attempts in a 1 minute period, it'll lock down to an ACL that allows only the corporate network block, then unlock after 5 minutes (and the BOT has moved on). Of course you'll need to fine tune it for the amount of BOT traffic you've got, etc.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Monday, March 23, 2009 3:53 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS

Nice feature, the login enhancement, but could you please share with me what would be a good recommended setting for all the values? On the web page they talk about using the auto secure command; I don't seem to have such an option on my IOS, but I have all the others, so I guess I'll have to set it up manually. So what do you recommend?

Ziv

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Church, Charles
Sent: Monday, March 23, 2009 5:41 AM
To: Justin Shore; Charles Wyble
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS

Another useful feature in newer IOSs is 'Cisco IOS login enhancements'. We find it pretty useful. Upon so many failed logins in a certain timeframe, it can fall back to a more restrictive ACL, then go back to the original after so many minutes.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_login_enhance.html

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Sunday, March 22, 2009 11:26 PM
To: Charles Wyble
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS

Agreed.
Never ever put an IOS box up on the Internet with a public IP without at least restricting VTY access. We were directly targeted about 3 years ago, right after I came back to the SP. My predecessor hadn't implemented any VTY ACLs. One day, while going through my rediscovery of the network, I started noticing that I couldn't get into several devices. The list of devices I couldn't access grew rapidly, and within an hour I couldn't log into anything. The attacker pounded every piece of network gear we had from hundreds of remote IPs trying to guess a working userid/password combo. They consumed all VTYs on every device at once. The gear was in 2 states and spread out over many hours of driving, so I couldn't visit much of it in person. I spent well over a day getting everything tied down. Fortunately syslog confirmed that we hadn't been compromised.

Forgetting the VTY ACL is like forgetting to check your fly before picking up your hot date for the big night, or forgetting to turn off your cell phone ringer before showing up at the interview for the perfect job.

#sh ip ssh
SSH Enabled - version 1.99

Also, disable SSH version 1 support. Only use SSHv2.

ip ssh version 2

Justin

Charles Wyble wrote:

Um. Why don't you set up some ACL to limit access? It's generally ill advised to run daemons with shell access directly connected to the internet. :) I use OpenVPN for all my access, and only run SSH on the private interface. I realize this isn't always possible, but it is a good solution.

Andy BIERLAIR wrote:

I'm running s72033-ipservicesk9-mz.122-18.SXF15a with SSH on Port 22. Due to too many bots hammering that well-known port, I wanted to change it to something else, but somehow I can't:

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Changing SSH Port on IOS
Another useful feature in newer IOSs is 'Cisco IOS login enhancements'. We find it pretty useful. Upon so many failed logins in a certain timeframe, it can fall back to a more restrictive ACL, then go back to the original after so many minutes.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_login_enhance.html

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Sunday, March 22, 2009 11:26 PM
To: Charles Wyble
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS

Agreed. Never ever put an IOS box up on the Internet with a public IP without at least restricting VTY access. We were directly targeted about 3 years ago, right after I came back to the SP. My predecessor hadn't implemented any VTY ACLs. One day, while going through my rediscovery of the network, I started noticing that I couldn't get into several devices. The list of devices I couldn't access grew rapidly, and within an hour I couldn't log into anything. The attacker pounded every piece of network gear we had from hundreds of remote IPs trying to guess a working userid/password combo. They consumed all VTYs on every device at once. The gear was in 2 states and spread out over many hours of driving, so I couldn't visit much of it in person. I spent well over a day getting everything tied down. Fortunately syslog confirmed that we hadn't been compromised.

Forgetting the VTY ACL is like forgetting to check your fly before picking up your hot date for the big night, or forgetting to turn off your cell phone ringer before showing up at the interview for the perfect job.

#sh ip ssh
SSH Enabled - version 1.99

Also, disable SSH version 1 support. Only use SSHv2.

ip ssh version 2

Justin

Charles Wyble wrote:

Um. Why don't you set up some ACL to limit access? It's generally ill advised to run daemons with shell access directly connected to the internet. :) I use OpenVPN for all my access, and only run SSH on the private interface. I realize this isn't always possible, but it is a good solution.

Andy BIERLAIR wrote:

I'm running s72033-ipservicesk9-mz.122-18.SXF15a with SSH on Port 22. Due to too many bots hammering that well-known port, I wanted to change it to something else, but somehow I can't:
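Ziv asked for recommended values and Chuck answered in prose: 3 failures in a minute, lock down to the corporate block, reopen after 5 minutes. The following is an added example, not something posted in the thread: it replays IOS LOGIN_FAILED syslog lines through that same policy so the effect can be checked against a log before it is configured. The log lines are constructed in the %SEC_LOGIN-4-LOGIN_FAILED layout, the network 192.0.2.0/24 stands in for the corporate block, and the sliding window is a close but not bit-exact model of the router's own watch period.

```python
"""Replay Cisco IOS login-failure syslog lines through the policy that
'login block-for' applies: N failures within W seconds put the box into
quiet mode for B seconds, during which only sources matched by the
quiet-mode ACL may log in.  Added example, not from the list thread.
The log lines are constructed in the %SEC_LOGIN-4-LOGIN_FAILED layout,
192.0.2.0/24 stands in for the corporate block, and the policy numbers
are Chuck's: 3 failures in 60 s, lock for 300 s.  Only the leading
'Mon DD HH:MM:SS' stamp is parsed, so all lines are assumed to fall
within one calendar year."""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FAIL_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\]"
)


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, source address, user name) for a LOGIN_FAILED line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["user"]


class LoginGuard:
    """Sliding-window model of 'login block-for B attempts N within W'
    combined with 'login quiet-mode access-class'.  IOS opens a watch
    period on the first failure rather than sliding it, so this is a
    close but not bit-exact model of the router's own counter."""

    def __init__(self, attempts: int = 3, within: int = 60, block_for: int = 300,
                 quiet_acl: Tuple[str, ...] = ()):
        self.attempts, self.within, self.block_for = attempts, within, block_for
        self.quiet_acl = [ipaddress.ip_network(n) for n in quiet_acl]
        self.window: List[datetime] = []          # recent failure times
        self.quiet_until: Optional[datetime] = None

    def permitted_in_quiet(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.quiet_acl)

    def feed(self, ts: datetime, src: str) -> str:
        """Apply one failed login and return what the router would do."""
        if self.quiet_until is not None and ts < self.quiet_until:
            if self.permitted_in_quiet(src):
                return "permitted by quiet-mode ACL"
            return "refused (quiet mode)"
        self.quiet_until = None
        # Drop failures that fell out of the watch window, then add this one.
        self.window = [t for t in self.window if (ts - t).total_seconds() <= self.within]
        self.window.append(ts)
        if len(self.window) >= self.attempts:
            self.quiet_until = ts + timedelta(seconds=self.block_for)
            self.window.clear()
            return f"quiet mode on until {self.quiet_until:%H:%M:%S}"
        return f"counted ({len(self.window)}/{self.attempts})"


def run(log: str, **policy) -> List[Tuple[str, str, str]]:
    """Feed every LOGIN_FAILED line to a LoginGuard; returns (time, source, verdict)."""
    guard = LoginGuard(**policy)
    events = []
    for line in log.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue                 # other syslog traffic is ignored
        ts, src, _user = parsed
        events.append((f"{ts:%b %d %H:%M:%S}", src, guard.feed(ts, src)))
    return events


# Constructed sample: a scanner at 198.51.100.7 guessing accounts, one
# mistyped password from an admin inside the corporate block while the
# box is locked down, and the scanner returning after quiet mode lapsed.
SAMPLE_LOG = """\
Mar 23 03:52:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 03:52:01 UTC Mon Mar 23 2009
Mar 23 03:52:14.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 03:52:14 UTC Mon Mar 23 2009
Mar 23 03:52:20.912: %SYS-5-CONFIG_I: Configured from console by chuck on vty0 (192.0.2.10)
Mar 23 03:52:31.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 03:52:31 UTC Mon Mar 23 2009
Mar 23 03:53:02.557: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 03:53:02 UTC Mon Mar 23 2009
Mar 23 03:54:10.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: chuck] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 03:54:10 UTC Mon Mar 23 2009
Mar 23 03:58:45.600: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 03:58:45 UTC Mon Mar 23 2009
"""

if __name__ == "__main__":
    for when, src, verdict in run(SAMPLE_LOG, quiet_acl=("192.0.2.0/24",)):
        print(f"{when}  {src:<15} {verdict}")
```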
[c-nsp] 100FX duplex
Hey all,

Sorry about the really basic question. Can't find a definitive answer anywhere else. Does 100FX do auto-negotiation of duplex? If not, do they default to half or full? We're seeing odd things on our stuff; some are Cisco to Cisco links, some are Cisco to various brands of media converters on into a 10/100 port. Odd things such as collisions on ports set to full, huge amounts of FCS errors at places, etc. The semi-dumb media converters have dip switches that mention duplex, but the directions seem to indicate that it affects the copper side of it only. Any good advice?

Thanks,

Chuck
Re: [c-nsp] flash disk problem
Does the Sup have Rommon 7.1(1) on it? Otherwise, it won't understand the 64MB ATA card. I believe that's the only one that shows up as disk0:. The smaller ones aren't ATA, so they're linear and show up as slot0:. Did you try verify slavedisk0:filename?

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex Wa
Sent: Wednesday, February 25, 2009 11:46 AM
To: lista de correo de cisco
Subject: [c-nsp] flash disk problem

Hi guys,

I copied a file to slavedisk0: on a 6513-sup II board. When I try to use verify slaveslot0:filename I get this error output:

%Error verifying slaveslot0:c6sup22-jk2sv-mz.121-22.E2.bin (Bad file number)

The disk was formatted in this switch and the file copied without problems. The issue is that I'm trying to upgrade the IOS to the new one in flash and it can't load. I also would like to know the difference between disk0: and slot0:; I don't fully understand it, if any.

Thanks in advance,

Alejandro
Re: [c-nsp] flash disk problem
Maybe the trick is the software supports it, but you can't actually boot off it until it's 7.1(1). Is this really a 64MB ATA card? The Cisco P/N is MEM-C6K-ATA-1-64M=. That IOS you're running (or trying to run) is pretty old (assuming it's that c6sup22-jk2sv-mz.121-22.E2.bin shown below). That might not support the card either. Either way, I'd definitely get the ROMMON 7.1(1) on there if it's a 64MB ATA, and see if the issue goes away.

Chuck

From: Alex Wa [mailto:awain...@yahoo.com]
Sent: Wednesday, February 25, 2009 2:31 PM
To: lista de correo de cisco; Church, Charles
Subject: RE: [c-nsp] flash disk problem

Thanks, Charles.

Firmware version is 6.1(3), see below output, but I don't understand why the Sw column is not showing the correct bootstrap image that the switch is loading. Now, if it has firmware below 7.1, how can I format and even copy files to and from the flash? Besides, when I type verify ? it doesn't show me the disk0: option, but I can copy to disk0:. The same happens with slavedisk0:

Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Standby)   WS-X6K-SUP2-2GE    SAL06230SDB
  2     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-S2U-MSFC2   SAD061503XZ
  3    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAD04310F81
  4    48 48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0715BQZU
  5    48 48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL0715BQZG
  6    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL062102WS
  7    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL04430GXS
  8    48 48-port 10/100 mb RJ45                 WS-X6148-RJ-45     SAL06447YF0
  9    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAL0807UBZ5

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  1 0005.7485.ff70 to 0005.7485.ff71   3.7   6.1(3)       7.5(0.6)HUB1 Ok
  2 0001.6415.e122 to 0001.6415.e123   3.5   6.1(3)       7.5(0.6)HUB1 Ok
  3 0001.9753.22b0 to 0001.9753.22df   1.1   5.4(2)       7.5(0.6)HUB1 Ok
  4 000c.85cf.e2b0 to 000c.85cf.e2df   1.2   5.4(2)       7.5(0.6)HUB1 Ok
  5 000c.85cf.e3d0 to 000c.85cf.e3ff   1.2   5.4(2)       7.5(0.6)HUB1 Ok
  6 0009.1267.5d38 to 0009.1267.5d67   6.1   5.4(2)       7.5(0.6)HUB1 Ok
  7 0003.6c2c.3d40 to 0003.6c2c.3d6f   2.2   5.4(2)       7.5(0.6)HUB1 Ok
  8 000b.465d.5380 to 000b.465d.53af   1.1   5.4(2)       7.5(0.6)HUB1 Ok
  9 000e.8481.33c0 to 000e.8481.33ef   7.5   5.4(2)       7.5(0.6)HUB1 Ok

switch#verify ?
  /md5                 Compute an md5 signature for a file
  bootflash:           File to be verified
  flash:               File to be verified
  slavebootflash:      File to be verified
  slaveslot0:          File to be verified
  slavesup-bootflash:  File to be verified
  slot0:               File to be verified
  sup-bootflash:       File to be verified
  sup-slot0:           File to be verified

--- On Wed, 2/25/09, Church, Charles cchur...@harris.com wrote:

From: Church, Charles cchur...@harris.com
Subject: RE: [c-nsp] flash disk problem
To: awain...@yahoo.com, lista de correo de cisco cisco-nsp@puck.nether.net
Date: Wednesday, February 25, 2009, 9:55 AM

Does the Sup have Rommon 7.1(1) on it? Otherwise, it won't understand the 64MB ATA card. I believe that's the only one that shows up as disk0:. The smaller ones aren't ATA, so they're linear and show up as slot0:. Did you try verify slavedisk0:filename?

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex Wa
Sent: Wednesday, February 25, 2009 11:46 AM
To: lista de correo de cisco
Subject: [c-nsp] flash disk problem

Hi guys,

I copied a file to slavedisk0: on a 6513-sup II board. When I try to use verify slaveslot0:filename I get this error output:

%Error verifying slaveslot0:c6sup22-jk2sv-mz.121-22.E2.bin (Bad file number)

The disk was formatted in this switch and the file copied without problems. The issue is that I'm trying to upgrade the IOS to the new one in flash and it can't load. I also would like to know the difference between disk0: and slot0:; I don't fully understand it, if any.

Thanks in advance,

Alejandro
Re: [c-nsp] BGP MSS=576 bytes
Is ip tcp path-mtu-discovery in the global config?

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio M. Soares
Sent: Wednesday, February 11, 2009 10:36 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP MSS=576 bytes

Hello group,

I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:

++
6500#sh ip bgp neighbors x.x.x.x
...
Datagrams (max data segment is 536 bytes):
Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
6500#
++

The documentation says that PMTUD is enabled by default so this should not be happening:

++
BGP Neighbor Session TCP PMTUD

TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery. In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
++

I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:

++
6500#sh int tenGigabitEthernet x/x | inc MTU
MTU 1500 bytes, BW 1000 Kbit, DLY 10 usec,
6500#
6500#
6500#sh ip int tenGigabitEthernet x/x | inc MTU
MTU is 1500 bytes
6500#
++

Any explanation for this strange behavior? Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] DHCP Binding Expiration
Aren't those BOOTP clients that don't understand the concept of an expiration?

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, February 09, 2009 12:51 PM
To: Manaf Al Oqlah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

Manaf Al Oqlah wrote:

Hi all, I am configuring a Cisco 7600 router as DHCP server for my broadband clients. I am using DHCP snooping and ARP inspection for security reasons, and the lease time expiration is set for 30 minutes and no excluded-address is configured. The problem is that I still can see some clients' IP address lease expirations are Infinite in the DHCP binding! What could be the reason for this behavior, and could this be some sort of attack!!

I get them too. I never have figured out what causes them. So far it hasn't been a big deal for me.

BTW, I'd recommend not using the IOS DHCP server for anything that is more than a convenience at a very small site. I would highly recommend deploying a server-based DHCP server like ISC DHCPd. Lots more bells and whistles to work with. Plus you can have redundancy with the server-based solution. The IOS DHCP server is a fairly stripped down implementation. I don't think it was intended to be used in large environments like a SP's broadband network.

Justin
Re: [c-nsp] DHCP Binding Expiration
Interesting. Might be fun (in a dorky networking kind of way) to look at a packet capture of it. Maybe the client doesn't like the lease time, or it's tied into DDNS somehow. I looked a bit, and found in the RFC (http://www.faqs.org/rfcs/rfc2131.html) a blurb about lease times:

The client may ask for a permanent assignment by asking for an infinite lease. Even when assigning permanent addresses, a server may choose to give out lengthy but non-infinite leases to allow detection of the fact that the client has been retired.

I've seen those infinite leases before, never cared enough to look into it. Might be interesting to find out why though...

Chuck

-Original Message-
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Monday, February 09, 2009 2:11 PM
To: Church, Charles
Cc: Manaf Al Oqlah; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] DHCP Binding Expiration

Church, Charles wrote:

Aren't those BOOTP clients that don't understand the concept of an expiration?

Once when I was curious (and very bored) I tracked a couple of them down. One was a Windows XP machine and the other was a fairly new D-Link router/firewall CPE (which we have hundreds of on our network). I don't know if either of them support Bootp, but I would expect this problem to come up more often if that was the case. I'm trying to think of what our customers would have on our edges that would support Bootp. Nothing comes to mind. I'm sure you can configure some older clients to do Bootp of course (Macs still support it if you intentionally configure it that way) but no major demographic comes to mind. I can certainly be missing something though.

Justin
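Chuck's suggestion is to look at a capture and see whether the client itself asks for an infinite lease, which RFC 2132 encodes as option 51 (IP Address Lease Time) set to 0xFFFFFFFF. The following is an added example, not something posted in the thread: a minimal DHCP message builder and option decoder that reports what lease a client requested and what the server granted. Both packets are constructed here (there is no capture on the page); the MAC address, transaction ID and 192.0.2.0/24 addresses are placeholders, and the 1800 s server lease mirrors Manaf's 30-minute pool setting.

```python
"""Decode the DHCP options a client sends and a server returns, to see
whether a binding shown as 'Infinite' was asked for by the client.
Added example, not part of the list thread.  Both packets are constructed
(no capture exists on the page).  RFC 2132 defines option 51 as the lease
time in seconds, with 0xFFFFFFFF meaning infinity."""
import struct
from typing import Dict, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the BOOTP header
INFINITE = 0xFFFFFFFF
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
OPT_HOSTNAME, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_ID = 12, 51, 53, 54, 61
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP part of the message


def build_dhcp(op: int, xid: int, mac: bytes, yiaddr: bytes, options: Dict[int, bytes]) -> bytes:
    """Assemble a DHCP message: fixed header, magic cookie, TLV options, end marker."""
    zero4 = b"\0" * 4
    fixed = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0, zero4, yiaddr, zero4, zero4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in options.items())
    return fixed + MAGIC + body + b"\xff"


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs; tag 0 is a pad byte, tag 255 ends the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        tag = blob[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        val = blob[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError(f"truncated option {tag}")
        opts[tag] = opts.get(tag, b"") + val    # RFC 3396: repeated tags concatenate
        i += 2 + length
    return opts


def parse_dhcp(pkt: bytes) -> dict:
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yi, _si, _gi,
     chaddr, _sname, _file) = struct.unpack(HEADER, pkt[:236])
    opts = parse_options(pkt[240:])
    mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen].hex(":"),
            "yiaddr": ".".join(str(b) for b in yi),
            "type": MSG_TYPES.get(mtype, f"type {mtype}"), "options": opts}


def lease_request(pkt: bytes) -> Tuple[str, Optional[int], bool]:
    """(message type, lease seconds or None, was an infinite lease asked for/granted?)"""
    msg = parse_dhcp(pkt)
    raw = msg["options"].get(OPT_LEASE)
    if raw is None or len(raw) != 4:
        return msg["type"], None, False
    secs = struct.unpack("!I", raw)[0]
    return msg["type"], secs, secs == INFINITE


# Constructed exchange: the CPE asks for a permanent lease, the server
# answers with its own 30-minute pool lease instead.
CLIENT_MAC = bytes.fromhex("001122334455")            # placeholder MAC
XID = 0x3903F326                                        # placeholder transaction id
REQUEST = build_dhcp(1, XID, CLIENT_MAC, b"\0" * 4, {
    OPT_MSG_TYPE: b"\x03",
    OPT_CLIENT_ID: b"\x01" + CLIENT_MAC,
    OPT_HOSTNAME: b"cpe-router",
    OPT_LEASE: struct.pack("!I", INFINITE),             # client asks for infinity
})
ACK = build_dhcp(2, XID, CLIENT_MAC, bytes([192, 0, 2, 55]), {
    OPT_MSG_TYPE: b"\x05",
    OPT_SERVER_ID: bytes([192, 0, 2, 1]),
    OPT_LEASE: struct.pack("!I", 1800),                 # server grants 30 minutes
})

if __name__ == "__main__":
    for pkt in (REQUEST, ACK):
        mtype, secs, infinite = lease_request(pkt)
        print(f"{mtype:<12} lease={'infinite' if infinite else secs} from {parse_dhcp(pkt)['chaddr']}")
```

Run over a real capture, a DHCPACK carrying 0xFFFFFFFF in option 51 means the server honoured the request, while an ACK with the pool lease (as here) shifts suspicion to the client or to how the binding table was populated.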
Re: [c-nsp] Cannot connect to ASA using ASDM software
I'm guessing you've upgraded to the latest Java version. Seems like the last one broke the ASDM partially. You can https to the ASA, and then pick the 'run applet' option. On mine, that'll spawn the ASDM executable and it works. But running the executable directly ends up doing what you're seeing. It's annoying.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Aldrich
Sent: Monday, February 09, 2009 4:37 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cannot connect to ASA using ASDM software

For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is unable to read the configuration from the ASA. However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config? Do I need to be connected via serial cable to the ASA or something?

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233
Re: [c-nsp] Cannot connect to ASA using ASDM software
I'm still using 5.2.x ASDM, as the ASA is running 7.2.x still (both late interim releases). Hoping for a newer ASDM soon. 5.2(4)50 still is broken.

Chuck

-Original Message-
From: Brian [mailto:bms...@gmail.com]
Sent: Monday, February 09, 2009 5:23 PM
To: Church, Charles; John Aldrich; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cannot connect to ASA using ASDM software

You need to upgrade to the latest interim release of ASDM 6.1.5(57) to fix the Java issue with JRE6update11.

Brian

On 2/9/09, Church, Charles cchur...@harris.com wrote:

I'm guessing you've upgraded to the latest Java version. Seems like the last one broke the ASDM partially. You can https to the ASA, and then pick the 'run applet' option. On mine, that'll spawn the ASDM executable and it works. But running the executable directly ends up doing what you're seeing. It's annoying.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Aldrich
Sent: Monday, February 09, 2009 4:37 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cannot connect to ASA using ASDM software

For some reason, our new ASA 5510 series will ONLY let me connect via the web interface. Every time I try it says it is unable to read the configuration from the ASA. However, running the Java version works just fine. I'd really like to know what the problem is and why it can't load the config? Do I need to be connected via serial cable to the ASA or something?

Thanks,
John Aldrich
IT Manager, Blueridge Carpet
706-276-2001, Ext. 2233
Re: [c-nsp] 3560, 3560E, 3750E and Adv IP code EoLed?
Actually, that was where I read it:

The functionality currently available in the Cisco Catalyst 3560 IOS Advanced IP Services feature set switch is now available in Cisco IOS IP Base and IP Services feature sets. This reduces complexity by not requiring customers to upgrade software to utilize advanced IPv6 features.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5528/eol_c51_519208.html

Chuck

-Original Message-
From: Justin Shore [mailto:jus...@justinshore.com]
Sent: Saturday, January 31, 2009 11:08 AM
To: Church, Charles
Cc: Cisco-nsp
Subject: Re: [c-nsp] 3560, 3560E, 3750E and Adv IP code EoLed?

Ah... I had not heard that. Info like that would be useful in something like, oh I don't know, that announcement of the termination of Adv IP perhaps! Jeff's question about potential price changes would be my next concern.

Church, Charles wrote:

The way I read it was that they were rolling the Adv IP features (mainly IPv6, I think) into IP Services, making Adv IP Services unnecessary.

Chuck
Re: [c-nsp] 3560, 3560E, 3750E and Adv IP code EoLed?
The way I read it was that they were rolling the Adv IP features (mainly IPv6, I think) into IP Services, making Adv IP Services unnecessary.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, January 30, 2009 2:27 PM
To: 'Cisco-nsp'
Subject: [c-nsp] 3560, 3560E, 3750E and Adv IP code EoLed?

Does anyone know the story on the end-of-life announcement I just got for the 3560, 3560E and 3750E switches for their Adv IP code? EoL was 5 days ago, last date for selling is 4/29 and that's also the last day for support. The announcement says that there aren't any replacement options for the code either. WTF? Did I miss something? Is Cisco taking away the L3 features from these switches?

Justin
Re: [c-nsp] 2900 verify flash
Did you actually type out '/md5' in the command, rather than just trying '/'? I've seen some abbreviated commands not work, even if they are unique. On the other hand, I've seen some work that aren't unique.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: Friday, January 16, 2009 9:14 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 2900 verify flash

Hi

1/ How can I verify in 2900, and is it different from others? In a router, I can use verify:

router#verify ?
  /md5    Compute an md5 signature for a file
  slot0:  File to be verified

2900#verify / ?
% Unrecognized command

It is only showing:

2900#verify flash:c2900XL-c3h2s-mz.120-5.WC3b.bin
Verified flash:c2900XL-c3h2s-mz.120-5.WC3b.bin

but I can not check that this file, after backup to the tftp server, is in good condition by md5sum.

2/ How can I check the IOS difference? It makes many things difficult to handle.

Thank you
Re: [c-nsp] 2900 verify flash
Yeah, I've seen some switch IOS do that too, even recent ones. It claims it supports MD5, but then gives an error. If you allow the switch to serve the file via TFTP, you may be able to verify it via TFTP, something like 'verify /md5 tftp://2.2.2.2/c2900XL-bin', from a router or switch that supports verify with MD5 correctly. It's a pain, but can't think of any better way.

Chuck

From: chloe K [mailto:chloekcy2...@yahoo.ca]
Sent: Friday, January 16, 2009 11:44 AM
To: Church, Charles; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 2900 verify flash

no luck!

2900#verify /md5 flash:c2900XL-c3h2s-mz.120-5.WC3b.bin
             ^
% Invalid input detected at '^' marker.

2900#

Church, Charles cchur...@harris.com wrote:

Did you actually type out '/md5' in the command, rather than just trying '/'? I've seen some abbreviated commands not work, even if they are unique. On the other hand, I've seen some work that aren't unique.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chloe K
Sent: Friday, January 16, 2009 9:14 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 2900 verify flash

Hi

1/ How can I verify in 2900, and is it different from others? In a router, I can use verify:

router#verify ?
  /md5    Compute an md5 signature for a file
  slot0:  File to be verified

2900#verify / ?
% Unrecognized command

It is only showing:

2900#verify flash:c2900XL-c3h2s-mz.120-5.WC3b.bin
Verified flash:c2900XL-c3h2s-mz.120-5.WC3b.bin

but I can not check that this file, after backup to the tftp server, is in good condition by md5sum.

2/ How can I check the IOS difference? It makes many things difficult to handle.

Thank you
Re: [c-nsp] temporary static routes
Policy route with a time-based ACL maybe? Just a thought...

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ramcharan, Vijay A
Sent: Tuesday, January 06, 2009 12:46 PM
To: Cord MacLeod
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] temporary static routes

I would second EEM for this, but your IOS version probably doesn't support it according to Feature Navigator.

Vijay Ramcharan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Geoffrey Pendery
Sent: January 06, 2009 12:33
To: Cord MacLeod
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] temporary static routes

Embedded Event Manager will let you trigger commands based on lots of events, with timer being one of them. You could have it fire off a no ip route command after a certain number of hours. Check it out: http://cisco.com/go/eem

-Geoff

On Tue, Jan 6, 2009 at 11:24 AM, Cord MacLeod cordmacl...@gmail.com wrote:

I'm looking to inject static routes for a particular period of time into a router, then have them expire after a given amount of time. For instance ip route xxx.xxx.xxx.xxx 255.255.255.255 Null0, and have this line removed after 24 hours. Would IOS have a way to do this, or am I looking at having to script this? I'm running 12.2(25)SEB4, RELEASE SOFTWARE (fc1).
Re: [c-nsp] Policing Confusion
Agree. We've used this inbound as well on our links to our peers for P2P traffic. Works pretty well, as long as it's TCP and you're shaping it.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brett Looney
Sent: Monday, January 05, 2009 7:05 PM
To: 'cisco_nsp'
Subject: Re: [c-nsp] Policing Confusion

It is a bit disappointing to know that you can't really manipulate the types of traffic inbound, only outbound. I understand why though.

I've used inbound policing and shaping on heavily congested links with some success. It has the effect of applying back-pressure to the incoming streams, delaying ACKs and dropping packets, therefore slowing down subsequent traffic. It isn't perfect but it does work to a degree; it just isn't as good as outbound.

B.
Re: [c-nsp] 32 bit ASN
Isn't it about time for a 13.0? Or is Cisco superstitious? :)

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Wednesday, December 17, 2008 10:57 AM
To: 'Luan Nguyen'; 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Any dates announced for 12.5T?

...Skeeve

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, 18 December 2008 2:34 AM
To: 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Here's an old post on this topic: http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html
Also, I heard it's going to be implemented beginning 12.5T.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available. RIPE will start assigning 32-bit ASNs on 1/1/2009.

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
Re: [c-nsp] Cat6500 sup2 boot from PCMCIA
I think you can format the card (if it's the 64MB ATA card) in a PC running Windows; use the FAT16 filesystem. Copy the image to the card, and try to boot it from ROMMON. Once running, you'll need to format the card in IOS (so the MONLIB (kind of like a boot sector) is put on there). Then you can use Windows to copy the file again to the card (but don't format it again, obviously). Then I think it should auto-boot. If it's less than 64MB, I don't think Windows can recognize it as a disk drive without special drivers, which may or may not exist. Make sure your ROMMON version is 7.1(1) if it is a 64MB card; it can't recognize it without.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Lima
Sent: Friday, December 12, 2008 1:08 PM
To: Scott McGrath; Teller, Robert
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi again, just one question. Is there a way to format the PCMCIA card from another device (a router or a PC)? It's because I don't have any other Supervisor2 to do this. Would it be compatible? Thanks for any suggestion.

David

-----Original Message-----
From: Scott McGrath [mailto:mcgr...@fas.harvard.edu]
Sent: Friday, 12 December 2008 11:16 a.m.
To: Teller, Robert
CC: David Lima; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

You can boot a sup2 from TFTP in ROMMON

Teller, Robert wrote:

I ran into a similar problem and had to RMA a new sup/cf card from cisco.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Lima
Sent: Friday, December 12, 2008 7:41 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi all,

I have a Cat6500 x6k-sup2-2ge running IOS software. My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I have a PCMCIA card and I want to boot the new IOS from the PCMCIA. I cannot format the PCMCIA from rommon mode. How can I format the PCMCIA? Is the only way to format it from the target Catalyst switch? All this because I get an error about an invalid magic number when I insert the PCMCIA card into the Supervisor2 slot in rommon mode.

Please, I need your help. Thanks in advance.

David
Re: [c-nsp] Cat6500 sup2 boot from PCMCIA
Is it a 64MB card? If so, use 'disk0' in place of 'slot0'.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978

-----Original Message-----
From: David Lima [mailto:david.l...@alphasys.com.bo]
Sent: Friday, December 12, 2008 1:47 PM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Thanks a lot Charles for your response. I tried your suggestion but when I boot from my slot0:IOS_IMAGE I get a bad file magic number error. Am I missing anything in the Rommon configuration?

  Rommon> boot slot0:IOS_IMAGE

Thanks again Charles.

David.

-----Original Message-----
From: Church, Charles [mailto:cchur...@harris.com]
Sent: Friday, 12 December 2008 01:40 p.m.
To: David Lima
CC: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

I think you can format the card (if it's the 64MB ATA card) in a PC running Windows; use the FAT16 filesystem. Copy the image to the card, and try to boot it from ROMMON. Once running, you'll need to format the card in IOS (so the MONLIB (kind of like a boot sector) is put on there). Then you can use Windows to copy the file again to the card (but don't format it again, obviously). Then I think it should auto-boot. If it's less than 64MB, I don't think Windows can recognize it as a disk drive without special drivers, which may or may not exist. Make sure your ROMMON version is 7.1(1) if it is a 64MB card; it can't recognize it without.

Chuck
Re: [c-nsp] SXH4 Applying VLAN changes may take few minutes
Which VTP version? V3 has more 'checks' in it, which might explain it. I've never seen that with V1/V2.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Granzer
Sent: Wednesday, December 10, 2008 4:37 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes

Hello,

did anybody see the output below with SXH4? Why can applying a vlan take a few minutes?

  6503-lab-1#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  6503-lab-1(config)#vlan 123
  6503-lab-1(config-vlan)#end
  % Applying VLAN changes may take few minutes.  Please wait..

In a lab environment with a few vlans configured, applying a vlan takes less than one second (like before with SXH and SXF).

Thanks,
David
Re: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
When did a gig of RAM become the new requirement for a full table, with a couple of views only? It seems 512 on an ISR will still have 150MB free with a full table. Our 2821 with 12.4(21) with 768MB has 400MB free almost all the time.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hank Nussbacher
Sent: Thursday, November 13, 2008 9:57 PM
To: Mark Tinka
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Recommended Cisco boxes for a small multihoming solution?

And to repeat - to the best of my knowledge the 3825 can't take 1GB of RAM and therefore is not an optimal solution for small multihoming.

-Hank

On Fri, 14 Nov 2008, Mark Tinka wrote:

On Friday 14 November 2008 13:09:58 Eric Cables wrote:

If you look at the interactive model (http://www.cisco.com/en/US/prod/collateral/routers/ps5855/ps5857/prod_presentation0900aecd80543db9.html) you can see GE0/0 and GE0/1 interfaces. In addition, the data sheet for both the 3825 and 3845 indicates 2 10/100/1000 interfaces: http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html

I think just to avoid any confusion; 1GB as in RAM/flash, and 1Gbps as in bandwidth/interface :-). Oooh, this B and b thing...

Mark.
Re: [c-nsp] Client DHCP Server
As you probably know, a DHCP server, without getting some help from the routers, is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off the DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Dado
Sent: Sunday, November 02, 2008 6:52 AM
To: Simon Lockhart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Client DHCP Server

Access NW is WiMAX.
Cisco hardware at the ISP end is Cisco 7500 Series.

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: Simon Lockhart [mailto:[EMAIL PROTECTED]
Sent: 02 November 2008 13:34
To: Mohammed Dado
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Client DHCP Server

On Sun Nov 02, 2008 at 11:26:10AM +, Mohammed Dado wrote:

I have a customer facing a problem that his end-user WiFi routers are issuing IP addresses! I'm under the impression that this could be stopped by the DHCP snooping binding configurations at the ISP end. Any ideas?

Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, and what Cisco hardware you have at the ISP end.

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: [EMAIL PROTECTED] *
Re: [c-nsp] Client DHCP Server
I'm assuming your network is a LAN at the customer site, with a WiMAX bridged connection back to the 7500, so the 7500 interface is the default gateway for the LAN. If so, I don't believe there is anything you can configure on the 7500 to stop DHCP clients on the LAN from obtaining addresses from a DHCP server (wifi router) also located on the LAN. Or is your 7500 acting as a bridge, and a customer DHCP server is affecting multiple customers? That can be fixed by some changes on the 7500.

Chuck

-----Original Message-----
From: Mohammed Dado [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2008 8:11 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Client DHCP Server

I've tried turning off the DHCP server on the wifi routers, but there's a problem in some of them: the option of turning this service off is missing. What about using some features supported by the ISP router to stop these DHCP requests from happening?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: Church, Charles [mailto:[EMAIL PROTECTED]
Sent: 02 November 2008 14:58
To: Mohammed Dado
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Client DHCP Server

As you probably know, a DHCP server, without getting some help from the routers, is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off the DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that.

Chuck
Re: [c-nsp] Whats up with this?
Looks like they've built a transporter. Most likely using the IETF protocol MoIP. Matter over IP.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis
Sent: Friday, October 31, 2008 6:04 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Whats up with this?

http://www.cisco.com/cdc_content_elements/flash/netsol/sp/getready/index.html?POSITION=bannerCOUNTRY_SITE=usCAMPAIGN=GetReadyCREATIVE=Corner+Banner+Ad+go/getreadyREFERRING_SITE=CISCO%2ECOM+INDEX
[c-nsp] Typical BGP operational policies
Hey all,

I support a small network, with its own ASN. They use address space given by provider A, and are dual homed to providers A and B. We take full routes from each, and announce that address space (a /23) to both. In looking at a variety of looking glass sites out there, I see most only see that network via provider A's AS. One I found did see it via provider B only. Is filtering being done by provider B outbound to its peers the only explanation for this (or the most likely one)? One particular looking glass didn't have a path to us via provider B, yet does see our serial interface address (last hop that's still part of provider B's AS) as reachable via provider B. For what it's worth, address space is 75.77.38.0/23, ASN is 26296. Provider A is 11456, B is 6389. Just wondering if there is a real issue here, or if this partial reachability depending on where you are is normal...

Thanks in advance,
Chuck
Re: [c-nsp] 7206VXR and CBWFQ
I believe the priority queuing can only be applied to a main interface, not a subint. Create a second policy, do the priority queuing on that one, and apply that to the main int. The VOIP class/policy can remain on the subint. I'm not totally sure about ATM, but that's how I've seen it work on Ethernet.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Networkers
Sent: Friday, October 17, 2008 11:10 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7206VXR and CBWFQ

Whenever I try to apply the following I get an error message about how CBWFQ can't be applied to subinterfaces. What is the correct way to do this?

Thanks,
Chris

  class-map match-any VOIP
   match ip dscp ef
   match precedence 5
  class-map match-all CRITICAL
   match access-group 100
  policy-map MyCBWFQ
   class CRITICAL
    priority 48
   class VOIP
    bandwidth 320
    set precedence 6
  vc-class atm MyClass
   ubr 1536
   encapsulation aal5mux ppp Virtual-Template5
  interface Virtual-Template5
   ip unnumbered Loopback0
   service-policy output MyCBWFQ
   peer default ip address pool default
   ppp authentication pap callin
  interface ATM2/0.1921 point-to-point
   pvc 1/1921
    class-vc MyClass
Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
Sounds like an attempt at a man-in-the-middle attack, where an infected host attempts to act as the gateway to see all the network traffic, analyze it, then forward it to the real gateway. Definitely not a good thing.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt Mattias Gyllenvarg
Sent: Thursday, October 16, 2008 6:27 AM
To: Ozgur Guler; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF

Hi all

We have seen 3 instances of this in the last days where a host (probably infected with a virus) has been broadcasting the MAC of the local GW, effectively switching all outbound traffic to his port. The fix has been to shut down the offending port. So far this has only affected older setups.

//Mattias Gyllenvarg

2008/10/16 Ozgur Guler [EMAIL PROTECTED]:

"no mac address-table notification mac-move" might help.

--- On Thu, 16/10/08, Jimmy Halim [EMAIL PROTECTED] wrote:

From: Jimmy Halim [EMAIL PROTECTED]
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
To: cisco-nsp@puck.nether.net
Date: Thursday, 16 October, 2008, 7:51 AM

Hi guys,

Recently I am getting the following log messages every 2 mins on the 3750 switch.

  Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
  Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
  Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1

This is non service impacting so far. However, I would like to know whether we can disable this logging or not. Anyone has any suggestions?

Many Thanks,
Jimmy
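Chuck's reading of the log (a host on an access port claiming the gateway's MAC, so the switch keeps relearning it between the uplink and that port) can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread: it parses %SW_MATM-4-MACFLAP_NOTIF lines (Jimmy's three lines plus one constructed line), and it assumes the operator knows the real gateway MAC and the uplink port, so treating 0017.cbb3.08fc as the gateway and Gi1/0/1 as the uplink is an assumption for the demo.

```python
import re
from collections import defaultdict

# Sample syslog: the first three lines are the ones quoted in the thread,
# the fourth is constructed to show a flap that is NOT a gateway impersonation.
SAMPLE_LOG = """\
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:47:01 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Fa1/0/7 and port Fa1/0/8
"""

# Cisco dotted-hex MAC (xxxx.xxxx.xxxx), VLAN id, and the two ports named in the message.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host "
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flap(line):
    """Return {'mac', 'vlan', 'ports'} for a MACFLAP_NOTIF line, or None for anything else."""
    m = FLAP_RE.search(line)
    if m is None:
        return None
    return {"mac": m["mac"].lower(), "vlan": m["vlan"], "ports": {m["p1"], m["p2"]}}


def analyze(log_text, gateway_macs, uplink_ports):
    """Aggregate flaps per (mac, vlan) and classify each one.

    gateway_macs: MACs of the real default gateways (assumed known to the operator).
    uplink_ports: ports on which those MACs are legitimately learned.
    Returns {(mac, vlan): {count, ports, suspect_ports, verdict}}.
    """
    gateway_macs = {g.lower() for g in gateway_macs}
    seen = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_flap(line)
        if rec is None:
            continue
        entry = seen[(rec["mac"], rec["vlan"])]
        entry["count"] += 1
        entry["ports"] |= rec["ports"]

    findings = {}
    for (mac, vlan), entry in seen.items():
        # Ports that are not the uplink are where the impostor (or loop) would sit.
        suspects = sorted(p for p in entry["ports"] if p not in uplink_ports)
        on_uplink = any(p in uplink_ports for p in entry["ports"])
        if mac in gateway_macs and on_uplink and suspects:
            # The gateway MAC is being learned on an access port: the symptom Chuck
            # describes. The suspect port is the one Mattias would shut down.
            verdict = "GATEWAY_IMPERSONATION"
        else:
            # Same MAC on two edge ports: a loop, dual-homed host or hub, not spoofing.
            verdict = "LOOP_OR_MULTIHOMED"
        findings[(mac, vlan)] = {
            "count": entry["count"],
            "ports": sorted(entry["ports"]),
            "suspect_ports": suspects,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    # Assumed for the demo: 0017.cbb3.08fc is the gateway, Gi1/0/1 is the uplink.
    for (mac, vlan), f in analyze(SAMPLE_LOG, {"0017.cbb3.08fc"}, {"Gi1/0/1"}).items():
        print(f"vlan {vlan} mac {mac}: {f['verdict']} x{f['count']} "
              f"suspect ports {', '.join(f['suspect_ports'])}")
```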
Re: [c-nsp] c2960g: flash gone mad ?
I believe the IOS is to blame. I saw a similar thing with 12.2(44)SE2 on a 3550, I believe. The verify never worked, but MD5 verify did. I don't remember the reload and signature issue though. I'm willing to bet it'll work ok from here on out.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexandre Snarskii
Sent: Thursday, October 16, 2008 9:21 AM
To: Cisco-NSP Mailing List
Subject: [c-nsp] c2960g: flash gone mad ?

Hi!

While trying to upgrade IOS on one of our c2960g, I got a strange message:

  SW088-022#verify flash:c2960-lanbase-mz.122-46.SE.bin
  File system hash verification failed for file flash:c2960-lanbase-mz.122-46.SE.bin(No such file or directory).

however, MD5 verification of the same file succeeded:

  SW088-022#verify /md5 flash:c2960-lanbase-mz.122-46.SE.bin
  [] ...Done!
  verify /md5 (flash:c2960-lanbase-mz.122-46.SE.bin) = 27ad87f2c90595f3e682633c7985099a

Well, I tried to format flash: and re-upload the IOS image - the results were the same. And then the switch refused to reload 'by command':

  SW088-022#reload
  %ERROR: Not able to process Signature in flash:.
  %ERROR: Aborting reload.

so I had to visit the equipment room and reboot it by power cycle (it booted normally; looks like there is no signature check on boot).

What is it? Faulty flash? Doesn't look like it - the md5 check is just fine... And what to do with that switch? Is it safe to leave it in the network (the office one; without remote reboot ability it is not qualified for remote installations) or better to RMA it?
Re: [c-nsp] NAT - SIP Problem
Paul,

Do you have "no ip nat service sip udp port 5060" in the config? We had all sorts of registration issues involving NAT until we were told to try that. The documentation for it isn't that good, but what it does is turn off the NAT translation of addresses in the SIP payload. That interferes with an ATA already doing things to get around NAT (as most ATAs do these days). Although that old an IOS may not even be doing the payload translation, or support the command. It's worth a try though.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Thursday, October 16, 2008 11:15 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] NAT - SIP Problem

Hi folks...

Have a customer who has two ATA devices behind a Cisco Soho91 and having a problem - trying to figure out if this is an IOS issue, a platform issue or a Session Border Controller issue.

With the original ATA in place, things worked fine. With a second ATA hooked up, the first one still works - the second one doesn't. With only the second ATA in place it doesn't work. When I say it doesn't work, the SIP registration will not occur.

  XYZ#sh ip nat translations
  Pro Inside global      Inside local       Outside local      Outside global
  udp xx.xx.111.3:5060   192.168.0.3:5060   xx.xx.98.6:5060    xx.xx.98.6:5060
  udp xx.xx.111.3:1029   192.168.0.6:5060   xx.xx.98.6:5060    xx.xx.98.6:5060

I'm working on the hunch that the SBC is getting confused with this newer ATA on the return traffic as the session stays in the NAT translations table forever. The old ATA is 192.168.0.3 and the new is 192.168.0.6 - notice the .6 ATA can't use 5060 on the outside interface as it's already in use.

A similar problem came up at another site a while ago (against the same SBCs) and we converted it over to firewalled public IP space and it worked fine - kind of points me back to the way NAT is behaving on these routers, but could be an issue between the NAT and the way the SBC sees the traffic.

  Cisco Internetwork Operating System Software
  IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Any input appreciated...

Paul
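The port collision Paul points at in his NAT table (the second ATA sends from 5060 but gets inside-global port 1029 because the first ATA already owns 5060 on the outside address) is easy to miss in a long table. As an added example, not code from the thread, the Python below parses "show ip nat translations" output and reports every SIP registration whose source port was rewritten by PAT; the sample table is constructed to mirror the quoted one, with RFC 5737 documentation addresses standing in for the redacted xx.xx values.

```python
from collections import defaultdict

SIP_PORT = 5060

# Constructed sample modelled on the table in the thread. 203.0.113.3 stands in for the
# router's outside address (xx.xx.111.3) and 198.51.100.6 for the SBC (xx.xx.98.6).
# A third, unrelated TCP entry is included to show it is ignored.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 203.0.113.3:5060   192.168.0.3:5060   198.51.100.6:5060  198.51.100.6:5060
udp 203.0.113.3:1029   192.168.0.6:5060   198.51.100.6:5060  198.51.100.6:5060
tcp 203.0.113.3:40001  192.168.0.9:40001  198.51.100.20:443  198.51.100.20:443
"""


def _endpoint(token):
    """Split 'host:port' into (host, port as int); a bare '---' or host keeps port None."""
    host, sep, port = token.rpartition(":")
    if not sep:
        return token, None
    return host, int(port)


def parse_nat_table(text):
    """Parse the five-column 'show ip nat translations' layout into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":   # skip header, blank and odd lines
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": proto,
            "inside_global": _endpoint(ig),
            "inside_local": _endpoint(il),
            "outside_local": _endpoint(ol),
            "outside_global": _endpoint(og),
        })
    return rows


def find_sip_port_collisions(rows, sip_port=SIP_PORT):
    """Report inside hosts whose SIP source port was rewritten by PAT.

    Entries are grouped per (inside global address, outside global endpoint).
    The host that kept sip_port as its inside-global port is the owner; every
    other host in the group sending from sip_port was given a different port,
    which is exactly what the SBC sees for the second ATA in the thread.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["proto"] != "udp" or r["inside_local"][1] != sip_port:
            continue
        groups[(r["inside_global"][0], r["outside_global"])].append(r)

    collisions = []
    for entries in groups.values():
        owners = [e for e in entries if e["inside_global"][1] == sip_port]
        owner_host = owners[0]["inside_local"][0] if owners else None
        for e in entries:
            if e["inside_global"][1] != sip_port:
                collisions.append({
                    "inside_local": e["inside_local"][0],
                    "inside_global_port": e["inside_global"][1],
                    "outside_global": e["outside_global"][0],
                    "owner_of_sip_port": owner_host,
                })
    return collisions


if __name__ == "__main__":
    for c in find_sip_port_collisions(parse_nat_table(SAMPLE_NAT_TABLE)):
        print(f"{c['inside_local']} registers to {c['outside_global']} from port "
              f"{c['inside_global_port']} (5060 is held by {c['owner_of_sip_port']})")
```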
[c-nsp] Output drops on PPP multilink int
Anyone,

Seeing lots of output drops on PPP multilink interfaces across our network, all multiple T1s, on 2600s through 3800 routers. The underlying T1 serial ints don't have many drops (maybe 0.1% of those found on the multilink int, worst case). Any idea what would cause drops on the interface? There is no QOS or anything like that on the mu2 int, just an inbound ACL. Google search didn't really turn up anything too useful. CPU and memory on the routers look pretty good. T1s seem pretty clean; the couple of routers I watched closely didn't have any T1 errors during the time frames when drops were occurring. All are running recent 12.3 or 12.4 mainline releases. Utilization on the multilink interface was low (under 25%), at least according to the 30 second load interval.

Thanks,
Chuck