Re: [c-nsp] A9K Netflow export drops
Thus spake Robert Williams (rob...@custodiandc.com) on Sat, May 21, 2016 at 10:59:50AM +:
>
> I've got an issue on one of our smaller 9001 boxes which is puzzling me.
> It suffers from a high rate of netflow export drops (not cache drops) shown
> here:
>
> So from what I understand, it is capturing the flows OK but is unable to get
> the flow data out, for some reason.

I can confirm that our 9k's suffer from this also. The last I checked
you can export at the rate of 2000 flows/sec. I have not looked in
2 years or so to see if this limit was configurable yet.

> So - what am I missing here? Surely with a cache capability of 1M it should
> be ok to export flows when were are only around 30,000 of them nicely ticking
> over?

join the club. :-(

Dale
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CSCuv70838 on asr9k
Thus spake James Bensley (jwbens...@gmail.com) on Wed, Sep 30, 2015 at 09:31:08AM +0100:
> On 30 September 2015 at 00:24, Dale W. Carder <dwcar...@wisc.edu> wrote:
> >
> > Anyone else hitting CSCuv70838 on ASR 9k? We've had a card lock up
> > and stop forwarding ipv6 several times now when doing near 100G line
> > rate, and once at lower speeds.
>
> Hi Dale,
>
> Are you running "5.1.3.BASE or 5.2.4.BASE or 5.3.1.BASE" as per the
> bug description?
>
> We are running 5.1.3 SP4 and in the process of upgrading to SP5.

Yes, we've been on 5.1.3.BASE for a while.

Dale
[c-nsp] CSCuv70838 on asr9k
Anyone else hitting CSCuv70838 on ASR 9k? We've had a card lock up
and stop forwarding ipv6 several times now when doing near 100G line
rate, and once at lower speeds.

Dale
Re: [c-nsp] Netflow
Thus spake Peter Rathlev (pe...@rathlev.dk) on Fri, Jul 18, 2014 at 01:54:26PM +0200:
> (Readded cisco-nsp since I'm not familiar with ASR9k)
>
> On Fri, 2014-07-18 at 16:09 +0530, thiyagarajan b wrote:
> > Hello Peter, I need to export IPv6 flows in ASR9001 v4.3.4, Already
> > IPv4 flows are being exported. Is it possible to configure record IPv6
> > in the same monitor map along with IPv4.

Here's a working example from an ASR9k:

Dale

flow exporter-map FEM-Border-1
 version v9
  options interface-table timeout 150
  options sampler-table timeout 150
  template timeout 150
  template data timeout 150
  template options timeout 150
 !
 transport udp
 source Loopback0
 destination 257.257.257.257
!
flow monitor-map FMM-v4-Border-1
 record ipv4 peer-as
 exporter FEM-Border-1
 cache entries 100
 cache timeout active 60
!
flow monitor-map FMM-v6-Border-1
 record ipv6 peer-as
 exporter FEM-Border-1
 cache entries 100
 cache timeout active 60
!
sampler-map SM-1k
 random 1 out-of 1000
!
interface HundredGigE0/0/0/1
 flow ipv4 monitor FMM-v4-Border-1 sampler SM-1k ingress
 flow ipv4 monitor FMM-v4-Border-1 sampler SM-1k egress
 flow ipv6 monitor FMM-v6-Border-1 sampler SM-1k ingress
 flow ipv6 monitor FMM-v6-Border-1 sampler SM-1k egress
Re: [c-nsp] Divide large PVST domain?
You could deploy rapid spanning tree. It does not care about diameter,
instead the max-age effectively defines your upper bound.

Dale

Thus spake Victor Sudakov (v...@mpeks.tomsk.su) on Tue, Jul 08, 2014 at 04:09:06PM +0700:
> Colleagues,
>
> I have a train of about 20 C3560X switches connected successively. I
> know such a diameter is not good for STP, however, when I place the
> root bridge in the middle of the train, PVST still works more or less
> reliably.
>
> However, if I wanted to divide this single STP domain into several
> smaller ones, which way is best? I can define three geographical areas
> between which no loop is physically possible and which cannot have any
> redundant links between one another.
>
> Should I just configure a bpdufilter on the border switches to
> separate the areas, or is there a smarter way, maybe going for MST
> instead of PVST?
>
> Thanks in advance for any input.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
Re: [c-nsp] Is the Nexus 3064PQ usable ?
Thus spake Antoine Monnier (mrantoinemonn...@gmail.com) on Thu, Jun 12, 2014 at 01:59:01PM +0200:
> Thanks Michele for sharing the feedback you received on this.
>
> Our cisco sales rep is telling us that he has never heard of Nexus used as
> a campus distribution-layer and is trying to convince us that Catalyst
> 6807 is the right choice (instead of Nexus 56128P), even though we would
> get less 10Gig port-density, 1:2 oversubscription, 5x more RU used, at
> least twice the power consumption, etc... and all of this for twice the
> price!

We have nexus 5k's and 7k's at the distribution layer for exactly these
reasons (well, and cat6.8k wasn't available at the time). Only downside
may be anemic buffering, but we keep a keen eye on packet loss.

Dale
Re: [c-nsp] Multicast Reporting......
Thus spake Phil Mayers (p.may...@imperial.ac.uk) on Fri, May 09, 2014 at 06:20:39PM +0100:
> On 09/05/2014 16:26, Scott Voll wrote:
> > OK so we are moving from a Unicast to Multicast video stream and we have
> > been reporting on how many people are watching the stream. as we move this
> > to a multicast stream how do I report on how many people are watching?
> >
> > Are there package apps that will do this? the only thing I can think to do
> > is run through every switch and see if it's receiving the stream and try to
> > sparse out the numbers. There has to be a better way
>
> Depends on the network topology and devices.
>
> e.g. In our network, multicast receivers have cat6k as the last-hop
> egress router, and routed interfaces are SVIs. In this config, you can run:
>
> sh ip igmp snooping statistics [int VlanX]
>
> ...which shows something like what you want:
>
> Source/Group       Interface  Reporter    Uptime  Last-Join  Last-Leave
> 0.0.0.0/239.a.b.c  VlX:GiX/Y  192.0.2.28  4w0d    4w0d       -
>
> The absolute furthest up (towards the source) you might gather this info
> is the last-hop router(s) for all the receiver(s) as hops further
> upstream just don't see receiver activity, only aggregated joins.
>
> Obviously layer2 devices downstream of the last-hop router will see it
> and may or may not give you this info.
>
> A totally different approach is to have the receiver report back via
> RTCP or similar, but obviously that requires client-side software support.

Multicast quicktime clients can report back to a quicktime server,
though I've not looked at how they do this.

Dale
Re: [c-nsp] 6509 switchport block unicast wrongly filtering ARP broadcasts
It's the multicast block that's causing your problems. On cat6k/720
the multicast block impacts ARP and ipv6 ND, thus rendering that command
absolutely maleficent in any typical production environment.

Dale

Thus spake Justin Krejci (jkre...@usinternet.com) on Thu, Nov 07, 2013 at 02:01:18PM +:
> To be clear this is just a simplified version of a live network that has
> many more vlans and networks with routing beyond the 6509. I reduced the
> topology to just the area where I've identified the problem and can still
> reproduce the problem.
>
> Am I missing something? I thought switchport block unicast should only
> filter out unicast packets that it wants to flood, not broadcast packets
> that it wants to flood.
>
> -----Original Message-----
> From: Justin Krejci [jkre...@usinternet.com]
> Received: Wednesday, 06 Nov 2013, 4:01pm
> To: cisco-nsp@puck.nether.net [cisco-nsp@puck.nether.net]
> Subject: [c-nsp] 6509 switchport block unicast wrongly filtering ARP broadcasts
>
> I have a relatively simple hardware configuration and topology
>
> 6509-E (tried on 2 different units)
> Sup720 (also tried Sup720-3B)
> WS-6548-GE-TX
> WS-6748-GE-TX
> IOS Version 12.2(33)SXI6
>
> int g1/1
>  switchport
>  switchport access vlan 900
>  switchport mode access
>  switchport block multicast
>  switchport block unicast
>  no cdp enable
>  spanning-tree portfast edge
>  spanning-tree guard root
>
> int vlan 900
>  ip address 10.21.3.2 255.255.255.0
>  standby 1 ip 10.21.3.1
>
> monitor session 1 source interface g1/1 both
> monitor session 1 destin interface g1/25
>
> No other non-default vlans or IP addresses are defined anywhere on the 6509.
>
> laptop 1 plugged into port g1/1 with 10.21.3.129/24 assigned and is
> running tcpdump
> laptop 2 plugged into port g1/25 running tcpdump
>
> To start out
> 6509 has no ARP entries for 10.21.3.129
> 6509 has no MAC entries for laptop 1
>
> Initiate a ping from the 6509 and the laptop 2 tcpdump shows the arp
> request from the 6509 source MAC address with destination MAC address
> FF:FF:FF:FF:FF:FF. The laptop 1 never sees the ARP packet at all.
> The 6509 then inserts an Incomplete ARP entry for 10.21.3.129 for a short
> while. No MAC table entries for laptop 1 show up on the 6509 of course.
>
> Then initiate a ping from laptop 1 to 10.21.3.2 and everything works as
> expected, laptop 1 sends ARP request and the ICMP echo and reply packets
> work correctly.
>
> If I now clear the 6509 MAC entry for laptop 1 and the ARP entry for
> 10.21.3.129 I am back to the 6509 sending broadcast ARP packets as seen in
> the port mirror on laptop 2 but they never arrive to laptop 1
>
> I stop my ping from laptop 1 to the 6509.
>
> If I then remove switchport block unicast from g1/1 this does not
> immediately resolve the problem, the ARP broadcast still does not get sent
> out port g1/1 toward laptop 1 but do still see it on laptop 2 via the port
> mirror. If I then re-initiate a ping from laptop 1 to 10.21.3.2 again
> everything works as expected as before. If I stop the ping from laptop 1
> then I clear the 6509 MAC table entry and ARP entry the 6509 then sends
> another ARP broadcast for 10.21.3.129 and its sent out port g1/1 toward
> laptop 1 and normal communication works as expected from that point on.
>
> A similar configuration on a routing Catalyst 3560 with switchport block
> unicast on does not suffer from a similar ARP filtering problem, though I
> have not specifically captured the packets and done a close inspection,
> primarily because it appears to be working as designed.
>
> So it appears to me there are two problems in this hardware/platform or IOS
> 1 - switchport block unicast is incorrectly filtering ARP broadcast packets
> 2 - removing switchport block unicast does not immediately stop filtering
>     ARP broadcast packets
>
> It sounds like IOS bug to me. Has anyone run into this behaviour before?
> Any thoughts?
>
> TIA
[c-nsp] IOS-XR perl toolkit
Does anyone have experience with the perl toolkit for IOS-XR? I am
trying a simple example, and it does not seem to work.

It writes the XML as a file to disk so I know that much is working,
but then it fails with "The table could not be found in the response XML"
which I found in DataResponse.pm lines 128-129

    # Error - this should never happen
    die "The table could not be found in the response XML\n";

Am I doing something wrong, or does this library not actually work as
expected? I have toolkit version 1.4.1 and the router is on 4.3.1.

Dale

-----

#!/usr/bin/perl -w
use strict;
use Cisco::IOS_XR qw(:root_objects);

my $session = new Cisco::IOS_XR(
    transport => 'ssh',
    host => '1.2.3.4',
    port => 22,
    username => 'foo',
    password => 'bar',
    connection_timeout => 3);

my $node = '0/RP0/CPU0';
my $arp_table = Operational->ARP->NodeTable->Node($node)->EntryTable;

my $response = $arp_table->get_entries;
if (defined($response->get_error)) {
    die $response->get_error;
}

# this works
$response->write_file('foo.xml');

# this fails
foreach my $entry ($response->get_entries) {
    print "Entry: $entry \n";
}
Re: [c-nsp] Sup2T - poor netflow performance
Thus spake Nick Hilliard (n...@foobar.org) on Mon, Jul 22, 2013 at 04:51:59PM +0100:

I would appreciate if you could register a single opinion: Licenses
suck. Please stop forcing them on us or we will buy even more kit from
other vendors.

I doubt that the reply will be read, tbh. Cisco's corporate position is
that they want the go down the road of licensing and regardless of the
extent to which this blows goats and causes customer frustration and pain,
they will carry on regardless. This sucks.

Realizing this, the approach I am advocating for is site licensing.
This is the method we use for pretty much every other enterprise
thingy like Autocad or Office, or whatever. What nobody wants is
to manage keys for thousands of devices especially when things go
bump in the night.

I look at licensing as lowering downtime. Sure maybe if the kit
has NSF, ISSU, magicfoobar redundant RP's then great. But licensing
will end up eating into your '9's of uptime.

Dale
Re: [c-nsp] New Catalyst 6k chassis
Thus spake Jeff Kell (jeff-k...@utc.edu) on Wed, Jun 26, 2013 at 11:19:31PM -0400:
> On 6/26/2013 11:10 PM, Justin M. Streiner wrote:
> > It just seems like the new 6k is positioned to poach prospective
> > customers from the (arguably) higher-margin Nexus 7k product line.
>
> Now that you mention the N-word I have to ask (as we're looking into a
> deployment)... how much of it is ready for prime time, and feature
> compatible with the Catalysts?

This clearly depends on the features you use today on the c6k. We did
a cpoc and found that the n7k w/ m2's did everything we do today with
c6k and then some. YMMV, but test, test, test.

Dale
Re: [c-nsp] 6704-10GE huge input drops (flushes)
Thus spake Saku Ytti (s...@ytti.fi) on Tue, May 07, 2013 at 02:23:27PM +0300:
> On (2013-05-07 12:11 +0100), Antonio Soares wrote:
> > Yes, back-to-back L3 interface to a GSR. No MPLS, no sub-interfaces. Only
> > IPv4/IPv6 addressing and ISIS there. When the last occurrence happened, we
> > saw an increase of 5 million drops. It's a sporadic thing, it lasts a
> > couple of minutes then everything returns to normal.
>
> I would probably setup ERSPAN of SP/RP traffic and wait for drop counter to
> increase and see if I have something dodgy on capture.
> But I'm bit worried if they're seen by that capture, as drop equals flush
> precisely.

You could also run show buffers input-interface blah dump to see
what is getting punted.

Dale
Re: [c-nsp] Spanning Tree Instances
Thus spake Leigh Harrison (lharri...@convergencegroup.co.uk) on Fri, Mar 23, 2012 at 12:48:06PM +:
> Hello all,
>
> We have run into an issue on a 3750 switch where it has run out of
> spanning tree instances. Is this a limitation of PVST or is it a
> limitation of the switch? I can't seem to find good clarity anywhere.
>
> I have some 6509's and nexus 7k's and I'm wondering if they're going to
> suffer from the same fate...

It's a limitation of the switch. I think in the data sheets for each
product you will find the number of supported instances. The number
of instances is significantly higher for cat6k and n7k.

Also just take a look to see if you can get away with MST depending
on your topology and expectations.

Dale
Re: [c-nsp] forced up/up on a fiber link
On Oct 23, 2012, at 5:59 AM, Phil Mayers wrote:
> On 23/10/12 10:20, Damian Holdcroft wrote:
> > I remember reading something, somewhere, about the lasers sending
> > pulses for link detection. I don't seem to be able to find anything
> > on fibre link detection at the moment though. Does anybody know
> > anything about it?
>
> I don't think this happens on normal links. As has been said, SX and LX
> optics do indeed fire into the air. Link up is a different matter; this
> usually is based on light detection and autoneg.
>
> Some high-power equipment has eye protection. I've never entirely
> figured out how this works, but it cuts off the laser when the fibre
> goes down.

See ITU G.664.

Dale
Re: [c-nsp] Fabric buffer-reserve high: what does it actually do?
Hi Andras,

Do you have a link to documentation/ddts that describes this change?

Dale

Thus spake John Neiberger (jneiber...@gmail.com) on Mon, Aug 27, 2012 at 12:00:02PM -0600:
> An app owner (Oracle database) has recommended that we enable fabric
> buffer-reserve high to solve some Oracle problem they seem to be running
> into. We haven't had a chance to investigate their problem yet, so we're
> not going to change that just because they asked us to. However, I'm
> curious about what it actually does and how it interacts with the
> hardware buffers on the 67xx line cards. I did a quick Google search, but
> didn't find a lot of detail.
>
> Thanks,
> John
Re: [c-nsp] Rancid use without level 15 access?
Thus spake Steven Raymond (sraym...@acedatacenter.com) on Fri, Jul 06, 2012 at 08:50:15AM -0600:
> Is it possible to make use RANCID for Cisco config archiving without
> having to grant it full level 15 access? So far we've found no, but
> wondered if anyone has a trick or two?

We had to do something similar for a secure-ish network. We're not
using Rancid per-se, but a homegrown tool that is conceptually similar
enough that also uses clogin and RCS.

In IOS, you can create users that can only run 1 command automatically.
So for example we have:

 username ios-copyrun privilege 15 password 7
 username ios-copyrun autocommand copy running-config running-config.save

Now, when you ssh ios-copyrun@device (say, via clogin) you get the
config saved to a file. Now, come back with a priv 5 user to scp
the file off the device.

With building blocks like this you can hack up something that is
slightly better than throwing priv 15 all over creation. I don't
know what Rancid does, but maybe you could script something up.

Perhaps someday when IOS incorporates security technologies from
the 1990's like 'sudo', life would be easier.

Dale
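An added example, not part of the original post and not code from RANCID or the poster's tool: a short Python audit that reads IOS `username` lines and reports which privilege-15 accounts are pinned to an autocommand, following the pattern described in the message above. The sample config is constructed; every account name except `ios-copyrun` and the credential placeholders are assumptions.

```python
import re

# Constructed sample config: only `ios-copyrun` and its autocommand come from
# the post above; the other accounts and the credential placeholders are made up.
SAMPLE_CONFIG = """\
username ios-copyrun privilege 15 password 7 HASH-PLACEHOLDER
username ios-copyrun autocommand copy running-config running-config.save
username cfg-fetch privilege 5 password 7 HASH-PLACEHOLDER
username netadmin privilege 15 secret 5 HASH-PLACEHOLDER
username helpdesk password 7 HASH-PLACEHOLDER
"""

USERNAME_RE = re.compile(r"^\s*username\s+(\S+)\s+(.+?)\s*$")


def parse_users(config):
    """Merge every `username NAME ...` line into one record per account."""
    users = {}
    for line in config.splitlines():
        match = USERNAME_RE.match(line)
        if not match:
            continue
        name, rest = match.groups()
        # IOS local accounts default to privilege level 1 when none is given.
        user = users.setdefault(name, {"privilege": 1, "autocommand": None})
        tokens = rest.split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "privilege" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                user["privilege"] = int(tokens[i + 1])
                i += 2
            elif tok == "autocommand":
                # autocommand consumes the remainder of the line
                user["autocommand"] = " ".join(tokens[i + 1:])
                break
            elif tok in ("password", "secret"):
                break  # the remainder is credential material, never options
            else:
                i += 1
    return users


def audit(config):
    """Return (name, privilege, autocommand, verdict) tuples sorted by name.

    verdict is one of:
      limited      - privilege below 15
      pinned       - privilege 15 but tied to a single autocommand
      unrestricted - privilege 15 with an interactive shell
    """
    findings = []
    for name, user in sorted(parse_users(config).items()):
        if user["privilege"] < 15:
            verdict = "limited"
        elif user["autocommand"]:
            verdict = "pinned"
        else:
            verdict = "unrestricted"
        findings.append((name, user["privilege"], user["autocommand"], verdict))
    return findings


if __name__ == "__main__":
    for name, priv, cmd, verdict in audit(SAMPLE_CONFIG):
        print(f"{name:12} priv={priv:<2} {verdict:12} {cmd or ''}")
```
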
Re: [c-nsp] 6500 router hangs (IPV4 routing slows to a crawl) when IPV6 routing is enabled with VRFs.
On Jun 13, 2012, at 8:03 AM, Jim Trotz wrote:
> if you notice in the above CLI output "The slot 5 is busy, try later.
> Status = 8" this is because the SP goes to 99% cpu utilization on the
> CFIB LC QUEUE BO process for about 5 minutes.
>
> I am going to try (in our lab) to reconfigure the box to put the Internet
> routes in the global table and the inside routes in a VRF (swap the tables).

I'd be curious to the results. Deep down inside, I'm thinking that this
cpu busyness as the tcam gets reprogrammed with 500k entries all at once
might just be expected behavior on the sup720.

Dale
Re: [c-nsp] 6500 router hangs (IPV4 routing slows to a crawl) when IPV6 routing is enabled with VRFs.
Hey Jim,

Some things / guesses off the top of my head:

BFD on the cat6k/720 is implemented centrally. In practice on this
platform I think it causes more outages than it is supposed to fix.

Are you really, really sure you are not out of fib space with your
v4 full table plus mpls labels? (Check sh plat hard cap). Putting the
dfz in a vrf may not be a good idea anyway.

You don't have something configured like ipv6-urpf configured, do you?

When you are actually hitting enter after ipv6 unicast-routing you
probably are asking the box to recompute a pile of data structures,
assign labels, pointers, etc. Some of that is on the RP, and then the
SP gets to do some as well. The SP then has to commit this (nearly full
for v4) rib to the tcam. You are seeing the SP cpu hit 100% while this
happens. If you are monitoring your dfc's you would probably see
activity there, too.

During that time everything (well, nearly everything that is still a
fib miss before the hardware shortcut is installed) is getting punted
to the RP. SPD is helping to bail you out from some of this flooding
to keep priority traffic like hello's up.

Keep in mind that these cpu's are slower than the ones in your previous
cell phone.

I think you have some options like you said:
- wait it out
- reboot w/ v6 enabled.
- if you use hsrp, use preempt delay of 5 min or so.

Even without v6, I bet your topology converges from a cold start
similarly.

Dale

Thus spake Jim Trotz (jtr...@gmail.com) on Tue, Jun 12, 2012 at 10:21:26AM -0400:
> I originally posted this on the IPV6-Ops mailing list, but it now seems to
> be more of a switching issue than IPV6 protocol related.
>
> Background:
>
> Our enterprise backbone network has 2ea 6500s with Sup720XLs which connect
> to our 3 major ISPs at 10Gbs. We call these the Internet Hubs. They are
> running SXI5 IOS and are configured for BGP (full table), Internet IPV4
> Multicast routing and EIGRP for IGP. They are running both IPV4 & IPV6 in
> a dual stack mode with no problems for over a year.
>
> These two routers connect to our Enterprise Edge routers (also 6500s with
> Sup720XL-10G). They are running SXJ1 IOS code and house several VRFs,
> mostly for guest networks. One of the VRFs is used for "outside" traffic.
> A pair of Cisco ASAs connect the "outside VRF" and the "inside" global
> routing tables. The ASAs neighbor EIGRP with the router to learn about
> IPV4 "inside" networks. These routers also do MPLS VPNs to connect to
> various guest networks on different campuses as well as some other DMZ
> stuff. We also have several outside partners connecting to these routers.
>
> The "edge" routers connect to the Enterprise Core routers which route to
> various campuses over a large DWDM Ethernet MAN/WAN.
>
> The Problem:
>
> Occurred when we tried to enable IPV6 routing on the edge routers. We have
> narrowed the scenario down to these conditions:
>
> 1) "mls ipv6 vrf", "ipv6 address-family" added to one or more VRF
>    definitions.
> 2) The "outside" VRF table holds the full Internet table + EIGRP routes to
>    local "outside" devices/subnets.
> 3) IPV4 BGP session to a neighbor is open and operational and sharing the
>    "outside" VRF.
> 4) No other IPV6 configuration has been entered yet.
>
> When "ipv6 unicast-routing" is entered the following happens:
>
> 1) EIGRP & BGP neighbors drop on interfaces with BFD enabled. (we took it
>    out)
> 2) Traffic through the router drops to a crawl (0-2000 bps) ICMP doesn't
>    seem affected, but I'm not pushing that much ICMP.
> 3) The SP cpu goes to nearly 100%
> 4) Most of the interface traffic is routed to the RP (confirmed by ERSPAN)
> 5) Telnet connections to the router don't drop and EIGRP neighbors stay
>    connected.
>
> This slowness isn't the same as when BGP is 1st enabled and is loading
> routes - its much worse, traffic throughput almost stops ...!!
>
> When we twice tried enabling IPV6 during a change window it brought all
> Internet connectivity to a halt. I think this is due to the neighbor
> relationships staying up and the router acting as a "black hole".
>
> We have been able to duplicate the issue in a lab. At first we just
> duplicated the hardware and configuration and it seemed all was OK,
> that's why we made the 2nd attempt with Cisco TAC and our senior
> engineers on hand. Turns out you need to be pushing data through the
> router to see the problem.
>
> In the lab I have 3 sessions pushing from the "outside" and 3 from the
> "inside". One session is doing ICMP pings to a host beyond the router.
> The 2nd session is doing TFTP GETs (UDP port 69) and the 3rd going HTTP
> GETs (TCP port 80) using "curl" scripts.
>
> In the lab, the "slowness" lasts almost 2 minutes. During which there is
> no unusual traffic (i.e. BGP scanning or reloads) and no CPU processes
> rise to any noticeable level. Nothing gets logged. The only thing I
> noticed is the SP CPU goes to 100% and the
Re: [c-nsp] sup720 RP CPU utilisation with 20k adjacencies / IPv6 ND load?
Hey Phil,

Thus spake Phil Mayers (p.may...@imperial.ac.uk) on Thu, May 31, 2012 at 03:01:52PM +0100:
> All,
>
> We route our edge networks on 6500s with a pretty high density of 1G
> ports to edge switches.
>
> In the last week or so, we've seen a spike in RP CPU utilisation. This
> has coincided with records being installed on Facebook and some of our
> internal services, in preparation for world IPv6 rollout on Jun 6.
>
> Effectively, although all our edge networks were IPv6-enabled, few
> clients lived in the neighbour table because there was little IPv6
> traffic; this has now changed, and from what I can see, most of the CPU
> is going on neighbour table IPv4/ARP table maintenance. On a typical
> router:
>
> CPU utilization for five seconds: 71%/15%; one minute: 71%; five minutes: 70%
>
> ...and:
>
>   5Sec   1Min   5Min TTY Process
> 12.15% 12.51% 12.37%   0 IPv6 ND
> 10.71% 11.07% 10.99%   0 ARP Input
>  5.51%  6.57%  6.51%   0 IPv6 Input
>  3.51%  3.29%  3.33%   0 CEF: IPv4 proces
>  3.03%  2.93%  2.92%   0 IP Input
>  2.95%  2.89%  2.84%   0 Earl NDE Task
>
> A typical SVI config looks like this:
>
> interface Vlan202
>  vrf forwarding PROD
>  ip address 192.168.202.254 255.255.255.0
>  ip verify unicast source reachable-via rx
>  no ip proxy-arp
>  ip flow ingress
>  standby version 2
>  standby 0 ip 192.168.202.1
>  standby 1 ipv6 autoconfig
>  ipv6 nd prefix 2001:db8:1:100::/64 900 600
>  ipv6 nd router-preference High
>  ipv6 traffic-filter IPV6_EDGE_NET_IN in
>  arp timeout 1200
>
> Note that we are *not* using ipv6 address, but rather specifying the
> nd prefix only; since we would want to set the timers in any event, we
> figured why bother with the address (we don't care about it for
> debugging or static hosts - these are edge networks, with everything
> using SLAAC).
>
> The box has a fair number of adjacencies:
>
> #sh mls cef adjacency usage
>   Adjacency Table Size: 1048576
>   ACL region usage: 3
>   Non-stats region usage: 132
>   Stats region usage: 26881
>   Total adjacency usage:27016
>
> ...and we see the CPU utilisation roughly track the number of adjacencies.
>
> My question is: is there anything we can tweak to reduce the amount of
> CPU time spend in IPv6 ND (and maybe IPv4 ARP) maintenance? Obviously we
> can increase the arp timeout on IPv4 - is there an equivalent for IPv6?
> How does IOS behave w.r.t. ND table maintenance - when does it send NS
> messages to refresh the cache?

Our network and some of our peers have run into the same issues as
we did our v6 rollouts. Try this out:

 ipv6 nd reachable-time 90
 ipv6 nd ns-interval 5000

As for ipv6 addressing for routers, TIMTOWTDI, just like programming in
PERL :-). We are on the other end of the spectrum, with every router
SVI assigned to be fe80::1.

interface Vlan42
 description The Vlan that is the Answer
 ip address 10.92.67.3 255.255.255.0
 ip verify unicast source reachable-via rx allow-self-ping
 ip helper-address 10.92.254.252
 no ip proxy-arp
 ip flow ingress
 ip pim dr-priority 4294967294
 ip pim sparse-mode
 ip multicast boundary G-T-LanMulticastBlock
 ip igmp access-group G-T-LanMulticastBlock
 ipv6 address FE80::3 link-local
 ipv6 address 2607:F388:E:100::3/64
 ipv6 nd reachable-time 90
 ipv6 nd ns-interval 5000
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 pim dr-priority 4294967295
 ipv6 dhcp relay destination 2607:F388::68:1
 ipv6 ospf 1 area 0
 standby version 2
 standby 0 ip 10.92.67.1
 standby 0 preempt
 standby 0 authentication vlan42
 standby 1 ipv6 FE80::1
 standby 1 preempt
 standby 1 authentication vlan42

Cheers,
Dale
Re: [c-nsp] Juniper equivalent for Cisco Cat 6500
How many CE devices are you talking about? Easiest way to save cash
is to avoid licensing costs, so move all routing to the core.

Dale

Thus spake Andrew Miehs (and...@2sheds.de) on Wed, May 23, 2012 at 10:49:19PM +1000:
> Thanks to all so far who have responded.
>
> ASR9000 would be great, but it doesn't compete on price with a 6504 - and
> we currently don't need to extra performance. It is an Ethernet campus
> installation. Sorry I wasn't clearer about that.
>
> The issue I have is that I need to bring the price down on the edge. The
> current design has a pair of 4500s acting as CEs connected to 6500s in the
> core. Additional L2 access switches hang off the two CEs.
>
> The problem is that once you start trying to peer 20 vrfs (802.1q) across
> these links you end up with a lot of sub interfaces, and an extremely
> complicated CE configuration. This is of course not to mention the HSRP
> and STP mess that results on top of this...
>
> Ideally I would move to a pair of 6504s (VSS) as PE/CEs, bring MPLS right
> to the edge and terminate the SVIs directly on these boxes. The L2 access
> switches - 4510s would then hang per port channel off the 6504s...
>
> I am also considering suggesting using a single 6500, but the customer was
> extremely keen on redundant boxes.
>
> Thanks for any suggestions...
>
> Andrew
Re: [c-nsp] Juniper equivalent for Cisco Cat 6500
Thus spake Andrew Miehs (and...@2sheds.de) on Thu, May 24, 2012 at 01:00:15AM +1000:
> On Thu, May 24, 2012 at 12:40 AM, Dale W. Carder dwcar...@wisc.edu wrote:
> > How many CE devices are you talking about? Easiest way to save cash
> > is to avoid licensing costs, so move all routing to the core.
>
> About 150 pairs of CEs

Should work fine on sup-2t. We average about 100 CE (layer 2 only,
typically 3750-12S stacks) per pair of cat6k-sup720. Then there is
only ipbase/SMI featureset downstream. For us in aggregate that
amounted to .6M (list) savings.

I'm not saying this is ideal, but cheap and it works.

Dale
Re: [c-nsp] Stacking 3750X vs diverse 4948E
Thus spake Gert Doering (g...@greenie.muc.de) on Tue, May 22, 2012 at 10:51:15PM +0200:
> Hi,
>
> On Tue, May 22, 2012 at 10:42:20PM +0200, Mark Tinka wrote:
> > For the price (or for what the price will be), the 4500-X
> > fits our bill quite nicely in both segments we're looking
> > at.
>
> What sort of hardware is inside the 4500-X?

More or less it's a Sup-7e.

We have roughly 1,200 cat3750 stacks. In general they work great and
we've been happy with them. All of them are using cross-stack lacp which
for us is the killer L2 feature. We hope to deploy a few hundred 4500-X,
but still waiting on VSS.

Dale
Re: [c-nsp] IPv6 basic configuration problem
Thus spake Xu Hu (jstuxuhu0...@gmail.com) on Tue, Apr 24, 2012 at 03:56:47PM +0800:
> In your network, I have another question, when you use the SLAAC + Stateless DHCPv6 for clients PCs, you will choose the EUI-64 type, actually it also can choose the static addressed? Am I right?
> I check the website below:
> http://cciethebeginning.wordpress.com/2012/01/18/stateless-dhcpv6-slaac-24/

When most devices do SLAAC now, they will not be doing EUI-64 any more. Instead most clients will be using privacy extensions (rfc 4941) by default.

Dale
Re: [c-nsp] Cisco's new 4500-X 10G Aggregation Switches
Thus spake Skeeve Stevens (skeeve+cisco...@eintellego.net) on Thu, Feb 16, 2012 at 09:13:38PM +1100:
> So who is at fault here? Cisco for not using bigger chips?
>
> It sucks that we're being forced forward to IPv6, which is often requiring large spend in new kit, but now that kit is going to perform at half the throughput? Seems crap to me.

Until you see what it would cost for parallel tcam lookups or whatever it would take to do it. There are linecards on other platforms that do this, iirc.

100Mpps of v6 would be a great problem to have.

Dale
Re: [c-nsp] Weird Multicast microburst amplification issue
Do you have any span sessions enabled?

Dale

Thus spake Matthew Huff (mh...@ox.com) on Fri, Dec 09, 2011 at 01:48:35PM -0500:
> We have a multicast data stream (real-time ticker data) that by its nature is very bursty. When we connect a source server via gigabit Ethernet to our 6500/sup720 switch via a 6748 module and a destination server via gigabit to the same or different module in the same switch, everything works fine. If the destination server is on a different switch connected by a layer3 10GB connection then we have significant output drops on the Ethernet connected to the destination server.
>
> All switches are 6509/sup720 with 6748 line cards. QoS is disabled globally. The servers are identical. The output drops only occur on the Ethernet drop connected to the server.
>
> The only thing I can think is happening is that by routing the traffic via the 10gb L3 interface, something is causing the traffic burst to amplify, overrunning the output port.
>
> Has anyone seen this, and does anyone know how to mitigate this?
>
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations | Purchase, NY 10577
> OTA Management LLC | Phone: 914-460-4039
> aim: matthewbhuff | Fax: 914-460-4139
Re: [c-nsp] non-existing input errors on 6500/SXI...?
Hi Gert,

My understanding (and it may be outdated) is that on the cat6k and cat5k, Rcv-err is a receive buffer failure caused by excessive traffic. What kind of linecard is it?

Dale

Thus spake Gert Doering (g...@greenie.muc.de) on Fri, Oct 21, 2011 at 06:01:02PM +0200:
> Hi,
>
> I have one port on a 7603/sup32/SXI that is showing me input errors but refuses to tell what *sort* of errors...
>
> GigabitEthernet1/9 is up, line protocol is up (connected)
> ...
>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   5 minute input rate 8818000 bits/sec, 2562 packets/sec
>   5 minute output rate 24086000 bits/sec, 3252 packets/sec
>      49922820560 packets input, 18467489252395 bytes, 0 no buffer
>      Received 189510308 broadcasts (86256414 multicasts)
>      0 runts, 0 giants, 0 throttles
>      1815587 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      65761578040 packets output, 73084507578266 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
>
> Cisco-Msh int g1/9 count err
>
> Port   Align-Err   FCS-Err   Xmit-Err   Rcv-Err   UnderSize   OutDiscards
> Gi1/9          0         0          0   1815644           0             0
>
> Port   Single-Col   Multi-Col   Late-Col   Excess-Col   Carri-Sen   Runts   Giants
> Gi1/9           0           0          0            0           0       0        0
>
> Port   SQETest-Err   Deferred-Tx   IntMacTx-Err   IntMacRx-Err   Symbol-Err
> Gi1/9            0             0              0              0            0
>
> so, right, it's Rcv-Err, but what sort of errors? Nothing in any of the other columns, and operationally, the link is behaving perfectly normal, so I'm not overly worried - just annoyed by our NMS flagging the link as hey, errors, check! all the time...
>
> This is a Sup32, onboard GE, SXI3. The interface goes to a 2960G, about 2m of cat6 cable, nothing particularly exciting.
>
> interface GigabitEthernet1/9
>  description SW: sp1/xxx:g0/14 (sp1)
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 2-999
>  switchport mode trunk
>  storm-control broadcast level 1.00
>
> and the other end is symmetric:
>
> interface GigabitEthernet0/14
>  description SW: sp1/xxx:gi1/9 (sp1)
>  switchport trunk allowed vlan 2-21,23-999
>  switchport mode trunk
>  storm-control broadcast level pps 1k 100
>  storm-control multicast level pps 1k 100
>  storm-control action trap
> end
>
> ... so how to figure out where these errors are coming from?
>
> (No smartnet on this particular box, so I can't go ask TAC)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] 3750X stacking with 3750 ??
Thus spake Pete Templin (peteli...@templin.org) on Wed, Oct 12, 2011 at 04:30:05PM -0500:
> On 10/12/11 9:06 AM, Jeff Kell wrote:
> > A 3750X IP Base or IP Services will stack with 3750/3750E, with the usual caveat that the ring will default to the least common denominator (32G for 3750, 64G for 3750E).
>
> And that a mixed-platform stack will operate in legacy mode, i.e. no local switching, every packet will go all the way around the ring, bidirectional rings won't see optimal directionalization.

Can you point me to documentation on this? I thought the E/X series would still do local switching before frames hit the ring asic.

Dale
Re: [c-nsp] Cisco and third party transceivers
Thus spake Jason Lixfeld (ja...@lixfeld.ca) on Tue, Sep 27, 2011 at 04:45:39PM -0400:
> Use whatever optic you want, but if you're going to open a TAC case, they'll ask you to put a Cisco optic in before they do something like RMA a line card.

I think the warning message from my nexus 5548up sums it up nicely:

Warning: When Cisco determines that a fault or defect can be traced to the use of third-party transceivers installed by a customer or reseller, then, at Cisco's discretion, Cisco may withhold support under warranty or a Cisco support program. In the course of providing support for a Cisco networking product Cisco may require that the end user install Cisco transceivers if Cisco determines that removing third-party parts will assist Cisco in diagnosing the cause of a support issue.

Cheers,
Dale
Re: [c-nsp] WARNING: Netflow Data Export Hardware assisted NAT not supported on 76xx/65xx on the same interface
On Aug 26, 2011, at 11:25 AM, Matthew Huff wrote:
> Last winter we purchased a pair of 7606 routers to use out at the NYSE colo facility. We connect via a 1gb fiber to the SFTI LCN for market data and FIX traffic. We fully expected to be able to use hardware assisted NAT and NDE to monitor the traffic. The netflow output we get is random, sporadic and very incomplete. After dealing with our Sales team and TAC, we have finally got them to admit that it doesn't work when NAT and NDE are configured on the same interface.

I seem to remember that being made apparent when the sup720 was first announced, and I also think it was presented in the cat6k architecture session at networkers when I went in 2005.

Sounds to me that you really need a better sales team that can engage the right TME.

Dale
Re: [c-nsp] Burned up 2790
You can mix and match 3750 boxes and stack up to 9 of them together into a virtual chassis. The newer 3750X platform even has field replaceable parts.

For your 2970, take a hard look at the capacitors. They are of a vintage when there was considerable problems across the industry:
http://en.wikipedia.org/wiki/Capacitor_plague

Dale

On Jul 15, 2011, at 9:55 AM, Mike wrote:
> Hi,
>
> For the second time in 7 months, I had a 2970 go south on me. I get a power light, and that's about it and no console no nothing. The thing appeared to have some sort of trouble earlier in the day with it interrupting routing briefly between some routers but then it settled down, dying later all of a sudden. No smoke, opening the box shows nothing scorched, and I'm just beside myself trying to figure out what can be done.
>
> I would love to be able to justify a 6500 for the redundancy features and plug in card architecture, but I'm comfortably working within the 24 gige ports and 4 sfp's of the 2970. Is there anything between the 6500 and 2970 that gives me the redundancy of the 6500 with the smaller form factor of the 2970? I can justify spending more since I can't deal with the downtime of a critically important switch going down, I just need some pointers on what to look for.
>
> Thanks.
Re: [c-nsp] Placing an Interface into a VRF Causes it to Become no passive Underneath v6 OSPF
Thus spake Devon True (de...@noved.org) on Wed, Jun 08, 2011 at 11:49:39AM -0400:
> On our 6500s running SXI5, I have noticed that whenever a vlan interface is assigned to a vrf, the interface is inserted as no passive-interface underneath our ipv6 ospf process. Does anyone know of a knob to turn this feature off?

Is OSPFv3 supported under vrf's now? I didn't think it was. If it is now, that is great. In either case this sounds buggy.

Dale
Re: [c-nsp] ASA failover - possible with a /30 ?
Hi Jeff,

On Jun 6, 2011, at 8:39 PM, Jeff Kell wrote:
> We are trying to move a customer behind our firewall (an active/active pair of ASAs). They are currently terminated on our edge via a /30 point-to-point link, and they would prefer to keep their addressing the same.
>
> The other inbound links to these ASAs are setup for failover, with the failover and standby addresses in the failover configuration.
>
> Is it possible to have this link failover without a configured standby address? or will this interface remain down if the primary goes down? Is the standby address only used for monitoring?

The simplest solution I can think of is to run the ASA in transparent mode. Then those IP's are only used for management purposes and only need to be reachable to network management infrastructure.

Dale
Re: [c-nsp] 6500 SUP720 datacenter setup
Thus spake Greg Whynott (greg.whyn...@oicr.on.ca) on Mon, Jan 24, 2011 at 10:32:19AM -0500:
> FWSM is getting long in the tooth and I can't see it being around much longer

It doesn't do IPv6. You need to look at something else like an ASA which can do routed or transparent mode, and has v6 support.

Dale
Re: [c-nsp] Preventing host with lower ip to become IGMP querier
Hi Pavel,

I know that you can force which router will become the DR for the network with the ip pim dr-priority command, otherwise the highest ip address wins the election. Does that change which router becomes the querier?

Dale

Thus spake Pavel Dimow (paveldi...@gmail.com) on Mon, Oct 25, 2010 at 03:17:35PM +0200:
> Hello,
>
> I have some strange situation (not that I really understand how it works), but I want to prevent device connected to a port to become IGMP querier because it has a lower ip address. I have also made sure to configure profile in order to prevent it for receiving (joining) any multicast groups but all mcast traffic goes to this port also. I don't have management on that device.
>
> Thanks in advance for any help/tips
Re: [c-nsp] Cisco 3750s - Stackwise Plus
On Oct 17, 2010, at 3:00 PM, Jeff Kell wrote:
> The old 3550G-12 still has no (affordable) alternative.

ex4200-24F

We now have a few of them in production with plans for more. They have XFP ports, so you have a variety of options for the uplinks as well.

Dale
Re: [c-nsp] IPv6 ND cache via SNMP
On Oct 19, 2010, at 1:52 AM, Phil Mayers wrote:
> On 10/19/2010 01:03 AM, Michael Sinatra wrote:
> > Is anyone out there polling the IPv6 neighbor discovery cache via SNMP?
>
> Previously, yes. I get them via expect/cli now, because the OID sorting required for snmpwalk of that table on 6500s is prohibitively expensive when it gets very large (well - it is for IPv4 ipNetToMedia; I am assuming the same for ipv6, and since the expect script already runs for v4...)

We landed in the same boat. Asking the 6500, which has less general-purpose processing power than my cell phone, to sort and export ten thousand or so entries every 'n' minutes was fruitless.

So, now I scrape it with clogin for both v4 and v6 and shovel this into sql.

Dale
Re: [c-nsp] IPv6 and Cat 6500
Hi CJ,

On Sep 29, 2010, at 9:23 PM, CJ wrote:
> I am looking at a new setup and wondering what is the minimum setup that a Cat6500 can do IOS/BGP things on IPv6 and IPv4? As long as I am setting up a new setup I may as well learn how to handle the IPv4 and IPv6 dual battle of the bits. Can a Sup2 handle that or??

Sup2 would implement IPv6 routing (if it does at all) in software. That might be ok for test purposes, but not appreciable workloads. Otherwise, you would want a sup720. Then you will need to know how many routes you will have to decide whether you need an XL size PFC or not.

Read this thread too:
http://puck.nether.net/pipermail/cisco-nsp/2009-May/060466.html

Dale
Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs
Thus spake Frank Bulk (frnk...@iname.com) on Wed, Jul 07, 2010 at 11:37:22PM -0500:
> I was working on a Foundry/Brocade this week trying to some Q-in-Q - do you mean 0x8100 versus 0x9100?

Yes.

Dale
Re: [c-nsp] Cheapest Cisco desktop switch that supports Q-in-Q/802.1Q VLAN encapsulation/double-tagged VLANs/Stacked VLANs
On Jul 7, 2010, at 10:54 PM, Frank Bulk wrote:
> And why does one page on Cisco's site say:
>
> Q. What is 802.1Q Tunneling? Is it an IEEE standard?
> A. With 802.1Q Tunneling, a service provider's switch can tag on a second 802.1Q tag on top of the customer's 802.1Q tag. This feature is sometimes referred to as Q-in-Q. The Cisco implementation is proprietary and does not interoperate with other implementations.

false

> There is currently no effort to make this into a standard.

false, see 802.1ad-2005

What this text really means is that they use a different ethertype. So, if you connect a cat switch to other vendor kit, you need to make sure you have things match. Usually this is not really an issue as long as you are aware of it (and test for it) well in advance.

Dale
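The ethertype mismatch described in this thread, as an added example that is not part of the original messages: a parser that walks the VLAN tag stack of an Ethernet frame, plus a simplified model of a port that only accepts one outer TPID, showing why a 0x9100 outer tag is not seen as a service tag by a peer expecting the 802.1ad value 0x88a8. The frames, MAC addresses and VLAN IDs are constructed sample values, and `port_view` is a hypothetical helper, not any vendor's behaviour in detail.

```python
import struct

# Tag protocol identifiers seen on Q-in-Q links.
TPIDS = {
    0x8100: "802.1Q C-tag",
    0x88A8: "802.1ad S-tag",
    0x9100: "pre-standard Q-in-Q",
}


def build_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: broadcast dst, locally administered src, tag stack."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of tags outermost first, payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the tag stack")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TPIDS:
            return tags, etype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": etype,
            "pcp": tci >> 13,          # priority code point
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # VLAN ID
        })
        offset += 4


def port_view(frame, outer_tpid):
    """Simplified model of a tunnel port that recognises only `outer_tpid`
    as a service tag. Any other first ethertype is opaque payload to it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (first,) = struct.unpack_from("!H", frame, 12)
    if first != outer_tpid:
        return {"service_tagged": False, "ethertype": first}
    tags, etype = parse_tags(frame)
    c_vid = tags[1]["vid"] if len(tags) > 1 else None
    return {"service_tagged": True, "s_vid": tags[0]["vid"],
            "c_vid": c_vid, "ethertype": etype}


if __name__ == "__main__":
    # Sender uses 0x9100 for the outer tag, S-VLAN 100 around C-VLAN 10.
    frame = build_frame([(0x9100, 100), (0x8100, 10)])
    for tag in parse_tags(frame)[0]:
        print(f"0x{tag['tpid']:04x} ({TPIDS[tag['tpid']]}) vid={tag['vid']}")
    print("peer expecting 0x88a8:", port_view(frame, 0x88A8))
    print("peer expecting 0x9100:", port_view(frame, 0x9100))
```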
Re: [c-nsp] Specification of RA that responds to RS (applied RA suppress I/F)
Thus spake daigo nakayama (nky...@gmail.com) on Thu, Jun 17, 2010 at 07:57:51AM +0900:
> Hi,
>
> Cat65 interface(GigabitEthernet) sent out RA, when RS was received in the interface that applied ipv6 nd ra suppress.
>
> Is this behavior within specification ?

If you're looking to stop the responses to solicitation as well, put in both of these:

 ipv6 nd ra suppress
 ipv6 nd prefix default no-advertise

This has turned out to be a great way to introduce to server hosting subnets, as you can then go machines/applications one by one to statically configure v6 without worrying about unintended machines lighting up their v6 stacks.

Dale
Re: [c-nsp] Sup720 CoPP, limits on CPU performance
Thus spake Dobbins, Roland (rdobb...@arbor.net) on Wed, Mar 24, 2010 at 02:37:28PM +:
> > It seems like it may make more sense to see if there could be a command added to IOS that denotes these VLANs or Physical interfaces as customer interfaces that tells it to protect the switch from traffic hitting these ports, but then again nothing is ever that easy.
>
> And that's precisely what Gert is talking about when he says he wants an automagic CoPP.

Or is it just wanting the semantic ease of applying a filter to lo0 on vendor J kit?

Dale
Re: [c-nsp] Older gear and IPv6
Thus spake Charles Mills (w3y...@gmail.com) on Wed, Mar 24, 2010 at 10:36:54AM -0400:
> Doing some research for an IPv6 migration plan. It is almost inevitable that it will run on older switch gear at some point for the sites I'm being tasked with evaluating.
>
> Older Layer 3 gear being what it is I'm already aware does everything in software if it supports it at all.
>
> What about older layer 2 gear?

You should be fine unless you want your switches to do higher level things like MLD snooping or edge port ACL's.

Dale
Re: [c-nsp] Best practice - Core vs Access Router
On Feb 9, 2010, at 9:26 AM, Saku Ytti wrote:
> My guess is that you are sporadically getting flood of glean punts which are blocking your input buffers causing OSPF/BGP keepalives to be dropped.

Maybe, but does SPD prioritize glean traffic vs IGP?

Dale
Re: [c-nsp] ASA ipv6 + icmp types
On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:
> So I'm playing around with ipv6 on the ASA. I'm running the latest code (8.2(1)). And in trying to get traceroutes and pings 'through' the ASA, I've found that icmp-types are translated to 'english' but using the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config as unreachable (because unreachable == 3 in ipv4).
>
> I'm guessing I should open a TAC case and complain ? You could call it a cosmetic issue, but I see myself making mistakes because the burden is on me to translate the icmp types as I enter config :(

I would certainly open a tac case and insist on getting a bug id. C's v6 support across product lines is pretty craptastic.

I recently got CSCtb29296 filed. This is very, very, basic broken functionality that shows their v6 feature support and testing is negligible.

Dale
Re: [c-nsp] bpduguard and trunks?
Hi Howie,

Check out the command

 errdisable detect cause bpduguard shutdown vlan

Dale

On Dec 3, 2009, at 8:29 AM, Howard Jones wrote:
> I've just run into an odd problem, and was wondering if anyone else could clarify this for me.
>
> [c1]---[Sw1]--[Sw2]---[c2]
>
> c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk between them. c1 has a trunk to Sw1. One of the vlans in that trunk as passed along the sw1-sw2 trunk to c2. The port facing c1 has bpduguard enabled.
>
> Halfway through adding vlans, Sw2 complains about inconsistent BPDUs, and the root bridge mac address is that of c1. It shuts down the trunk port, which is kind of annoying.
>
> Does bpduguard only affect access ports and not trunks? That's the only explanation I can see for what is going on. The manual doesn't exactly say either way: At the interface level, you enable BPDU guard on any interface by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature..
>
> Sw1 also has '|no spanning-tree vlan 1-4090|' - will that help or hinder, here?
>
> I think the real answer is to stop using switches to ship stuff between sites like this, but that is a battle for another day.
>
> Thanks in advance for any illumination...
>
> Howie
Re: [c-nsp] Cisco vs. Juniper
On Nov 2, 2009, at 1:18 PM, Paolo Lucente wrote:
> Capacity apart, another good subject for the thread is that without a services DPC, you are realistically trapped to NetFlow v5, which these days might or might not be a problem. IPv6, 32-bit ASNs, L2 information come to the mind ...

AFAIK, junos does not have a netflow v9 template that can export both v4 and v6 simultaneously. However, I thought I saw somewhere that 9.6 has a hack to get 32-bit ASN's in netflow v5.

Dale
Re: [c-nsp] monitoring switch stacks
On Oct 14, 2009, at 1:19 PM, Alan Buxey wrote:
> just wondered what folk did out there to monitor switch stacks (eg stackwise+ switch stacks like 3750e, 2975gs etc (not the older gigastack ones) ) - using the basic methods such as ICMP will only show the presence of connectivity to the stack but not the actual health of the stack - eg one member is missing. I'm looking at maybe SNMP but support for MIBS in stacks seems somewhat poor

They show up fine, at least on recent code. On earlier versions of code (2 years ago or so), it was very buggy and was not reliable.

We monitor the following. There have been occasions when the switch stack ports fail and this caught it.

Cheers,
Dale

IF-MIB::ifDescr.5365 = STRING: StackPort1
IF-MIB::ifDescr.5366 = STRING: StackSub-St1-1
IF-MIB::ifDescr.5367 = STRING: StackSub-St1-2
IF-MIB::ifDescr.5368 = STRING: StackPort2
IF-MIB::ifDescr.5369 = STRING: StackSub-St2-1
IF-MIB::ifDescr.5370 = STRING: StackSub-St2-2
IF-MIB::ifDescr.5371 = STRING: StackPort3
IF-MIB::ifDescr.5372 = STRING: StackSub-St3-1
IF-MIB::ifDescr.5373 = STRING: StackSub-St3-2

IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
IF-MIB::ifOperStatus.5366 = INTEGER: up(1)
IF-MIB::ifOperStatus.5367 = INTEGER: up(1)
IF-MIB::ifOperStatus.5368 = INTEGER: up(1)
IF-MIB::ifOperStatus.5369 = INTEGER: up(1)
IF-MIB::ifOperStatus.5370 = INTEGER: up(1)
IF-MIB::ifOperStatus.5371 = INTEGER: up(1)
IF-MIB::ifOperStatus.5372 = INTEGER: up(1)
IF-MIB::ifOperStatus.5373 = INTEGER: up(1)

CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.3001 = INTEGER: ready(4)
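One way to turn the objects listed in the message above into an alert, as an added example that is not code from the thread: it parses snmpwalk text output in the format shown, then reports stack ports that are not up and expected stack members that are absent or not ready. The degraded sample is constructed, and the expected member indexes are an assumption taken from the indexes in the post.

```python
import re

# Matches net-snmp text output such as:
#   IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
WALK_LINE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>\d+) = (?P<type>[\w-]+): (?P<val>.*)$"
)


def parse_walk(text):
    """Return {object name: {index: value}} from snmpwalk text output."""
    table = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            table.setdefault(m["obj"], {})[int(m["idx"])] = m["val"].strip()
    return table


def stack_findings(text, expected_members):
    """List human-readable problems; an empty list means the stack looks healthy."""
    table = parse_walk(text)
    findings = []

    descr = table.get("ifDescr", {})
    oper = table.get("ifOperStatus", {})
    for idx, name in sorted(descr.items()):
        if not name.startswith("Stack"):
            continue  # only the stack ring interfaces are of interest here
        status = oper.get(idx)
        if status is None:
            findings.append(f"{name}: no ifOperStatus returned")
        elif not status.startswith("up("):
            findings.append(f"{name}: {status}")

    states = table.get("cswSwitchState", {})
    for member in sorted(expected_members):
        state = states.get(member)
        if state is None:
            # ICMP to the stack would still succeed in this case.
            findings.append(f"member {member}: missing from cswSwitchState")
        elif not state.startswith("ready("):
            findings.append(f"member {member}: {state}")
    return findings


# Healthy subset, modelled on the output in the message above.
HEALTHY = """\
IF-MIB::ifDescr.5365 = STRING: StackPort1
IF-MIB::ifDescr.5368 = STRING: StackPort2
IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
IF-MIB::ifOperStatus.5368 = INTEGER: up(1)
CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.3001 = INTEGER: ready(4)
"""

# Constructed degraded sample: one stack port down, third member gone.
DEGRADED = """\
IF-MIB::ifDescr.5365 = STRING: StackPort1
IF-MIB::ifDescr.5368 = STRING: StackPort2
IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
IF-MIB::ifOperStatus.5368 = INTEGER: down(2)
CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
"""

EXPECTED_MEMBERS = {1001, 2001, 3001}  # assumption: indexes as in the post

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        problems = stack_findings(sample, EXPECTED_MEMBERS)
        print(label, "->", problems or "ok")
```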
Re: [c-nsp] monitoring switch stacks
Hey Ge!

We monitor for input queue drops on 6500's with this oid:
.1.3.6.1.4.1.9.9.276.1.1.1.1.10

Our alert for the NOC is drops 100/sec results in a major alarm. Usually it's something stupid happening on a given vlan that needs to be beat down. For SVI's, this goes hand in hand with punts causing cpu exhaustion on these wimpy RP's.

I've thought about watching output queue drops, but am not sure how to differentiate normal from abnormal.

Dale

On Oct 14, 2009, at 1:59 PM, Ge Moua wrote:
> Dale Carder-
> Are you guys also monitoring queue drops on the interfaces too; if so can you forward me the OID?
>
> Regards,
> Ge Moua | Email: moua0...@umn.edu
> Network Design Engineer
> University of Minnesota | Networking Telecommunications Services
>
> Dale W. Carder wrote:
> > On Oct 14, 2009, at 1:19 PM, Alan Buxey wrote:
> > > just wondered what folk did out there to monitor switch stacks (eg stackwise+ switch stacks like 3750e, 2975gs etc (not the older gigastack ones) ) - using the basic methods such as ICMP will only show the presence of connectivity to the stack but not the actual health of the stack - eg one member is missing. I'm looking at maybe SNMP but support for MIBS in stacks seems somewhat poor
> >
> > They show up fine, at least on recent code. On earlier versions of code (2 years ago or so), it was very buggy and was not reliable.
> >
> > We monitor the following. There have been occasions when the switch stack ports fail and this caught it.
> >
> > Cheers,
> > Dale
> >
> > IF-MIB::ifDescr.5365 = STRING: StackPort1
> > IF-MIB::ifDescr.5366 = STRING: StackSub-St1-1
> > IF-MIB::ifDescr.5367 = STRING: StackSub-St1-2
> > IF-MIB::ifDescr.5368 = STRING: StackPort2
> > IF-MIB::ifDescr.5369 = STRING: StackSub-St2-1
> > IF-MIB::ifDescr.5370 = STRING: StackSub-St2-2
> > IF-MIB::ifDescr.5371 = STRING: StackPort3
> > IF-MIB::ifDescr.5372 = STRING: StackSub-St3-1
> > IF-MIB::ifDescr.5373 = STRING: StackSub-St3-2
> >
> > IF-MIB::ifOperStatus.5365 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5366 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5367 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5368 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5369 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5370 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5371 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5372 = INTEGER: up(1)
> > IF-MIB::ifOperStatus.5373 = INTEGER: up(1)
> >
> > CISCO-STACKWISE-MIB::cswSwitchState.1001 = INTEGER: ready(4)
> > CISCO-STACKWISE-MIB::cswSwitchState.2001 = INTEGER: ready(4)
> > CISCO-STACKWISE-MIB::cswSwitchState.3001 = INTEGER: ready(4)
Re: [c-nsp] IPv6 on ME3400
On Oct 14, 2009, at 10:03 PM, ML wrote:
> I've got a customer that *needs* a 1-2 RU router that handles IPv6 in hardware. I know the 3650/3750 can handle but I only need at most 4 SFP ports. The ME-3400G-2CS-A is perfect. However I know IPv6 was just added to this platform.
>
> Can anyone confirm the quality of IPv6 functionality on this platform?

Make sure what you want to do fits in the sdm profile. Carving up tcam for ipv6 steals from other areas like mac addrs, vlans, v4 routes and such.

Also, no uRPF is a big step backwards in functionality.

Dale
Re: [c-nsp] modular code for the 6500
My theory has been that we'll run modular only when we will have to, i.e. when monolithic is no longer a reasonable option. I figure that day will be when one of two forces collide:

a) the last important big customer holding out finally gives modular their blessing and no longer demands monolithic builds.

b) new hardware with only modular code. probably will require step 'a' above.

Having gotten to play with the modularity features on a demo CRS-1 in 2005, modular IOS is, well, yawn.

Dale

On Sep 24, 2009, at 10:05 PM, Tony Varriale wrote:
> I've attempted it with a couple of customers and it always ended up being a train wreck.
>
> I'm not even recommending it until it gets much further along and gets some serious field experience.
>
> tv
>
> - Original Message -
> From: harbor235 harbor...@gmail.com
> To: cisco-nsp@puck.nether.net
> Sent: Thursday, September 24, 2009 11:15 AM
> Subject: [c-nsp] modular code for the 6500
>
> Is anyone out there using 6500 modular code? Is it stable? I have a 6509 with 720-3B, I would like to use the modular code but also do not want instability, any thoughts/experiences would be appreciated.
>
> mike
Re: [c-nsp] HSRP/multicast help
On Sep 18, 2009, at 3:04 AM, Alexander Clouter wrote:
> I personally remove the standby priorities from the VLAN configs as the 'active' router will be the one with the higher IP address...which is *also* the rule for PIM. What is probably happening is the PIM router for the subnet is your standby router and you are being hit with a lot of reverse path filtering issues[1].

Also, in addition to the higher ip address tiebreaker, you can set the DR priority:

primary:
 ip pim dr-priority 4294967294

standby:
 ip pim dr-priority 2147483647 (or whatever)

This is very helpful if someone attaches a pim speaking device and your ip addresses are at the bottom of the range rather than the top.

Dale
Re: [c-nsp] Enhanced download procedure
On Sep 15, 2009, at 12:39 PM, Jay Hennigan wrote:
> What the #$^$...@# is going on with Cisco's download site? It completely hangs Firefox with some shopping cart java thing.
>
> Is there a workaround?

I found a workaround. I couldn't download a file due to some stupid java error, so I opened a tac case for them to give me the file. Maybe after this happens enough times and costs them real money it will get fixed.

Dale
Re: [c-nsp] Optical module transmit power
On Apr 30, 2009, at 9:37 AM, Michael Robson wrote:
> We have a selection of ZR modules (XENPAK-10GB-ZR) For these modules, none of them are transmitting at anything like their maximum of +4.0dBm (Cisco's figures for the maximum transmit power), they are in fact transmitting between +1.9dBm and +2.3dBm.

This is to be expected. Vendors just publish a tolerable range somewhere in which the optics will operate.

> What determines what they will transmit at i.e. is it simply that better manufactured ones achieve a transmit value closer to the +4.0dBm power level

Maybe it's luck. Anyway, how long are your fiber spans? If they are really long, and you're living on the edge now, you may end up in a sticky situation as these optics degrade over time. If they are not extremely long, you may have some horrible jumpers or splices that are eating some dB. Do you have an OTDR?

Dale

p.s. My fiance did her postgraduate work at Manchester. Quite a nice place!
Re: [c-nsp] 6509 Multilayer switch temperature monitor via SNMP
On Feb 18, 2009, at 8:34 PM, Chris wrote:
> I also tried snmpwalk -o enterprises.9.9.13.1.3.1.6.1 and 1.3.6.1.4.1.9.9.13.1.3.1 and enterprises.9.9.13.1.3.1.6.1 and I get no information.

What version are you running? There's tons of stuff in the ENVMON mib.

snmpwalk -v2c -c foo router.example.com envmon
snip
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.1 = Gauge32: 33 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.2 = Gauge32: 29 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.3 = Gauge32: 29 degrees Celsius
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureStatusValue.4 = Gauge32: 32 degrees Celsius
snip
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureState.1 = INTEGER: normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureState.2 = INTEGER: normal(1)
CISCO-ENVMON-MIB::ciscoEnvMonTemperatureState.3 = INTEGER: normal(1)

and so on...

Dale
Re: [c-nsp] high CPU with snmp IS THERE A REAL FIX
To answer your subject: no.

On Feb 10, 2009, at 1:22 PM, Jeff Fitzwater wrote:
> We use snmp getnext and getbulk to get the ARP table from a router that has ~16K entries and it takes about 10min to complete, with ROUTER CPU at 100%. Our other routers have the same hardware and IOS but have 10K entries and work fine.

Same here. It's been that way for what seems like a long time though.

> In the attached PDF from CISCO they explain the problem and also state the if you turn on CEF (has always been on for long time) that it is much faster since the FIB is already in a lexical order that snmp likes. Since CEF is always on, why does it still take so long.
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

That document seems pretty dated and/or doesn't fit tcam based architectures. The solution could come in a couple of different forms:

- a processor faster than what shipped in my cell phone (perhaps you would have had an rsp720 by now on 6500 had the 6500/7600 customer alienation not occurred, yada yada, Gert takes a deep breath)
- maintaining a new datastructure in memory just to speed up these sorts of things.
- finding a better sorting algorithm.
- create a new mib that returns the values in hardware order.

> At this point we basically cannot do any retrieval of the ARP tables. Currently we use an expect script to get the table via CLI which is much faster

That's what we do too, and we also scrape the ipv6 neighbor cache. This all gets stuffed into sql.

> but it doesn't help tools that must use snmp.

I'm guessing you're referring to something that wants to use the arp table to help with topology discovery? I'll admit we gave up on that long ago, too.

Dale
Re: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
Hi Jeff,

On Dec 12, 2008, at 9:55 AM, Jeff Fitzwater wrote:
> We are running 12.2SXH2a on sup720-CXL and have been having consistently high (80-100%) CPU on route processor when retrieving either the ARP table or the Bridge-mac table. No matter what program we use HP NNM or an snmp script, the CPU route process goes from 20% to 90+% with the SNMP process being the top dog when you do a sho proc cpu sort.

We see this too. I'm guessing you also have a non-trivial amount of directly connected hosts?

> It appears that internally the route processor is doing a lot of crunching to get this table data, specifically the ARP and Bridge Mac table. I remember something about the format it's in and it had to be converted when retrieved with SNMP.

See RFC 1905 4.2.2(1) which requires lexicographical ordering of retrieved values. So, if IOS stores the arp/cef/whatever datastructure in memory in any other format, which seems likely, it would have to sort the table every time to spit it out via snmp. Now, this is of course compounded by the sup720 RP having a processor that lags behind current commodity chips by at least 6 years.

> Q. Does anybody know if there is any change with SXI and SNMP queries?

I wouldn't expect anything to change unless the sorting algorithm were dramatically improved or unless IOS specifically maintained this table in a better fashion. Maybe if Cisco hadn't alienated their customers with the 6500/7600 split, you would have an RSP720 today.

> I also remember reading something about a different way to retrieve this data locally on the router and push it to a host, but cannot find any reference to it now. Any ideas on this?

I haven't looked into it, but perhaps you can find a cisco specific mib, maybe cef or mls specific that doesn't have this performance penalty? Otherwise, I bet a query via clogin outperforms the snmp table.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin / WiscNet
http://net.doit.wisc.edu/~dwcarder
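The RFC 1905 ordering requirement raised in the two SNMP threads above, as an added Python sketch that is not from the thread and is not Cisco's implementation: it walks the same constructed ARP table through an agent with no ordered index and through one that keeps a sorted OID index (the "new datastructure in memory" idea), and counts the work each does. The class names, the sample IP/MAC values and the assumption that the table is held in arbitrary order are illustrative; the page does not say how IOS stores it.

```python
import bisect
import random

# ipNetToMediaPhysAddress column: 1.3.6.1.2.1.4.22.1.2.<ifIndex>.<a>.<b>.<c>.<d>
ARP_COLUMN = (1, 3, 6, 1, 2, 1, 4, 22, 1, 2)


def make_arp_table(n, seed=1):
    """Constructed sample data: n ARP entries held in arbitrary (hash-like) order."""
    rng = random.Random(seed)
    table = {}
    while len(table) < n:
        ifindex = rng.choice((9, 10, 404))
        ip = (10, rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        mac = "00:00:5e:00:53:%02x" % rng.randrange(256)
        # OIDs are tuples of integers, so Python's tuple comparison is exactly
        # the per-sub-identifier lexicographic order SNMP requires (9 < 10 < 404).
        table[ARP_COLUMN + (ifindex,) + ip] = mac
    return table


class ScanAgent:
    """No ordered index: every GetNext has to look at the whole table."""

    def __init__(self, table):
        self.table = table
        self.compares = 0

    def getnext(self, oid):
        best = None
        for candidate in self.table:
            self.compares += 1
            if candidate > oid and (best is None or candidate < best):
                best = candidate
        return (best, self.table[best]) if best is not None else None


class IndexedAgent:
    """Keeps a sorted OID index beside the table: GetNext is a binary search."""

    def __init__(self, table):
        self.table = table
        # Built once here; a real agent would update it on every ARP add/delete.
        self.index = sorted(table)
        self.lookups = 0

    def getnext(self, oid):
        self.lookups += 1
        pos = bisect.bisect_right(self.index, oid)
        if pos == len(self.index):
            return None
        nxt = self.index[pos]
        return nxt, self.table[nxt]


def walk(agent, root):
    """snmpwalk-style loop: repeat GetNext until the reply leaves the subtree."""
    rows, oid = [], root
    while True:
        hit = agent.getnext(oid)
        if hit is None or hit[0][:len(root)] != root:
            return rows
        rows.append(hit)
        oid = hit[0]


if __name__ == "__main__":
    table = make_arp_table(2000)
    scan, indexed = ScanAgent(table), IndexedAgent(table)
    assert walk(scan, ARP_COLUMN) == walk(indexed, ARP_COLUMN)
    print("entries:", len(table))
    print("OID comparisons without an index:", scan.compares)
    print("binary searches with an index:  ", indexed.lookups)
```

Without the index the work grows with the square of the table size, which is one way a table of ~16K entries can behave far worse than one of 10K.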
Re: [c-nsp] SXI testing
On Nov 20, 2008, at 10:53 AM, Phil Mayers wrote:
> In case people are interested, I have tested a load of stuff as working on 12.2(33)SXI.
> http://cisco.cluepon.net/index.php/Ios_sxi

Does anyone use mac-address-table notification threshold? It exists but is hidden in SXF. It is not in SXI. Can anyone with SXH let me know if it is in there?

http://www.cisco.com/en/US/customer/docs/ios/lanswitch/command/reference/lsw_m1.html#wp1012786

Thanks,
Dale
Re: [c-nsp] SXI out
On Nov 13, 2008, at 9:44 AM, Rubens Kuhl Jr. wrote:
> About SXI, does it look deployable or SXI3 or SXI4 is the version to look for ?

I encourage my competitors to deploy SXI. Now. ;-)

Really though, I couldn't imagine touching this stuff before safe-harbor does or at least waiting for SXI attempt 2 or SXI attempt 3.

The ipv6 feature set could be compelling for those of us still parked on SXF. DHCPv6 relay should be in there, maybe v6 for HSRP, too. There could be some better v6 mib support (comparable to J?), but I haven't looked yet.

Dale
Re: [c-nsp] FWSM going away rumor
On May 7, 2008, at 10:37 AM, Jeff Fitzwater wrote:
> We currently have two FWSM running 3.2 and are awaiting new code to fix some transparent mode issues.

I would like to know what you're seeing.

> The rumor I heard is that CISCO will only have one more release of FWSM code and that's it; No more FWSM, the future will only be the ASA.

Your account team would likely know more, but in my opinion, 5 years without a hardware refresh sure seems awful damning about the platform's future. Sure there might be another software release to attempt to breathe life-support into those network processors, but there is going to be a finite limit as to what they can and can not do (example: ginormous ACL's, IPv6, handling huge flows without significant hackery). I would expect there will be a strong motivation to develop software for and sell you shiny new ASA 5580-40's instead of fwsm.

> The FWSM isn't that old, maybe 2-3 years.

We got our 1st one in early 2003.

> I thought the FWSM was the latest and greatest and came from the ASA.

The FWSM is sort of its own beast, with hardware assist from network processors. The ASA is truly a next-gen PIX.

Dale
Re: [c-nsp] snmp access list
.. Original Message ...
On Fri, 02 May 2008 17:05:50 -0400 Jeff Fitzwater [EMAIL PROTECTED] wrote:
> Does anybody know how a numbered standard ACL that is applied to snmp traffic via commands shown below, actually works? Does the SNMP process still get touched when a DENY is hit?

Yes. You probably want to use CoPP to have the effect I think you want.

We had a host mistakenly pounding the snmp process on one of our 6500's. While the ACL stopped the traffic, the cpu was pegged. SNMP is a lower priority process and this didn't have much or any impact on production traffic, but impeded our ability to manage the box. We turned on CoPP to block snmp from all but our NMS systems and to also police it to a low rate.

Dale
Re: [c-nsp] SNMP and Free/Total memory
Hi Ken,

On Apr 20, 2008, at 7:46 PM, Matlock, Kenneth L wrote:
> I'm trying to get via snmp the free and used processor memory values of a 6506 via SNMP (same sort of things are happening on other chassis). When getting the ciscoMemoryPoolUsed and ciscoMemoryPoolFree values, with the .1 index (to get the processor values), it's not reporting the correct information.
> snip
> The version of code on the chassis is 12.2(18)SXF6 (Modular). Is there something fundamental I'm missing

Yes. I think that you are only getting memory readings for the main IOS process on your SXF modular box. Same thing goes for monitoring cpu load on this code too, I believe.

This should be resolved somewhere in SXH, AFAIK. We're currently parked on SXF/monolithic for a while here, so I haven't bothered to look at those release notes.

Dale
Re: [c-nsp] OT : IPv6 - Will it hit like an avalanch?
On Apr 2, 2008, at 3:40 AM, Ted Mittelstaedt wrote:
> If every end user on the Internet could get a /48 directly from an RIR the global BGP table would melt any router designed into slag.

It is well understood now that IPv6 really has nothing to do with solving DFZ table bloat.

> And with IPv6, because the globally-significant part of the number is only on the router, if the organization is properly setup, renumbering is a snap, so the poor excuse that renumbering labor would be so high as to justify not renumbering isn't available.

That renumbering would be a snap is only true if you ignore real-world issues like DNS, firewalls, ACL's, etc. You can only push ULA addressing so far and we'll be back to NATing IPv6.

> But if you don't qualify to get a portable IPv4 now, there is nothing magical about IPv6

I've best heard IPv6 described as 96 more bits, no magic.

> Perhaps you have some new radical way of routing IP numbers on the Internet that you're planning on introducing. But until you introduce it, or someone else does, the need will still exist to organize numbering on the Internet in a hierarchical fashion,

The IRTF RRG has been exploring this problem space.

Dale
Re: [c-nsp] Catalyst 3750 failure - marsupial interference
On Apr 2, 2008, at 8:12 AM, Winders, Timothy A wrote:
> Probably should've been running service anti-possum enable
>
> read the changelog - Cisco revised this command in 12.2(30)SB1 no service possum
>
> You mean the possum service is enabled by default? I thought we had to enable it with service no possum
>
> While there is a global service no possum now, by default it also used to be interface fa0/1 no possum enable, so it's there too and can override the global command. If you do it wrong, then it's process switched.

Yes, which is why it's so important to get the 3750-P model which always does possum inspection in hardware.

But then you don't get any snmp stats ;-(

Dale
Re: [c-nsp] CVR-X2-SFP
On Mar 13, 2008, at 11:55 AM, Michail Litvak wrote:
> Does anyone try to use CVR-X2-SFP (Cisco TwinGig Converter Module) with cat6500 WS-X6708-10GE module. I try to insert it but have bad EEPROM.

I would not expect them to work anywhere but on the 3750E, at least for now.

Dale
Re: [c-nsp] Large File Transfers
On Mar 5, 2008, at 5:36 PM, Ben Steele wrote:
> I'm going to recommend rsync mainly for its resume of transfer ability over scp (given your files sound large), you can tunnel it via ssh using a flag like --rsh=ssh or similar for security

I would second the use of rsync for its ability to bail you out of an incomplete transfer among other things.

If you use either scp or rsync over ssh and you need it to actually perform like ftp, you probably want to install the patches available here: http://www.psc.edu/networking/projects/hpn-ssh/

These patches fix some buffer sizing issues and include a multi-threaded encryption algorithm.

Cheers,
Dale
Re: [c-nsp] Etherchannel bundles on CAT6509 switches spanning multiple linecards
On Feb 27, 2008, at 10:46 AM, Munroe, James (DSS/MAS) wrote:
> Anyone have any experience configuring etherchannel bundles across multiple, different linecards on a Cisco 6509 IOS based switch?

Hi James,

In general it works great. However, please take note of this Field Notice so you avoid these issues in the future:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_field_notice09186a00804093ee.shtml

Cheers,
Dale
Re: [c-nsp] Cisco 3750 - Losing Input Service-Policy on Reload + SNMP Timeouts
Hey Craig,

On Jan 25, 2008, at 6:16 AM, Craig Allen wrote:
> I have numerous Cisco 3750-48-PS-S in stacks consisting of either 2 members or 8 members; current IOS is C3750-IPSERVICESK9-M, Version 12.2(40)SE. A simple input service-policy has been created to mark traffic entering the port - classification is matched using extended access-lists. Applying the 'service-policy mark-dscp input' works with no issues and all works as expected. The problem is when the switch stack is rebooted the service-policy is no longer applied to some of the Ethernet ports (seems to be stack member specific);

When you ever see an issue that 1 switch is doing the correct thing and the others are not, compare the running configs of all the switches in the stack via remote command switch sh run or similar. Then open a tac case.

Dale
Re: [c-nsp] ASA 5505 or Netscreen 5GT - maturity?
On Nov 29, 2007, at 5:40 PM, jacob c wrote:
> Does anyone have any input/recommendations with using the ASA 5505

We're doing a lot of hub/spoke with 5505's on the edge. It took a while to get it going, but it's fine enough. However, I have found the mib support for monitoring tunnels and such to be *extremely* buggy.

Dale
Re: [c-nsp] netflow
On Nov 20, 2007, at 8:54 AM, Jeff Fitzwater wrote:
> We are running it on a 720-3B with aprox 30 SVIs and aprox 150 L2 ports that are associated with the SVI vlans. As soon as I enable the MLS (hardware switched flows) portion of the netflow, the switch CPU jumps up to around 50-80.

I've seen 60% on the SP with a consistently full netflow table on a 3BXL. Since it is on the SP cpu, we haven't been particularly concerned.

> Since we want to collect all flows, we do not want to do sampled flows.

Good thing you don't want it, because the 6500 can't do hardware sampling.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder
Re: [c-nsp] OID for # of routes in TCAM
On Oct 29, 2007, at 5:51 PM, Dale W. Carder wrote:
> These are handy:
>
> cseTcamResourceDescr  .1.3.6.1.4.1.9.9.97.1.9.1.1.2
> cseTcamResourceUsed   .1.3.6.1.4.1.9.9.97.1.9.1.1.3
> cseTcamResourceTotal  .1.3.6.1.4.1.9.9.97.1.9.1.1.4

but are not what you were looking for in the case of # of routes

Take a look at cseCefAdjacencyTable, 1.3.6.1.4.1.9.9.97.1.8.3

In any case, there's lots of good stuff in cisco-switch-engine mib.

Dale

On Oct 29, 2007, at 4:37 PM, Jeremy Stinson wrote:
> Hello,
>
> Before I go diving into a MIB browser, I'm wondering if anyone has the OID for % used or total # of TCAM entries?
Re: [c-nsp] OID for # of routes in TCAM
These are handy:

cseTcamResourceDescr  .1.3.6.1.4.1.9.9.97.1.9.1.1.2
cseTcamResourceUsed   .1.3.6.1.4.1.9.9.97.1.9.1.1.3
cseTcamResourceTotal  .1.3.6.1.4.1.9.9.97.1.9.1.1.4

Dale

On Oct 29, 2007, at 4:37 PM, Jeremy Stinson wrote:
> Hello,
>
> Before I go diving into a MIB browser, I'm wondering if anyone has the OID for % used or total # of TCAM entries?
>
> Thanks,
> Jeremy
Re: [c-nsp] 65xx or 76xx for 'Distribution Layer'?
On Oct 18, 2007, at 12:05 PM, Justin Shore wrote:
> On our 7600s one is consumed automatically with a type of Service Module Session. I haven't been able to figure out what's chewing up this one yet.

Getting multicast, BPDU's, or some such packets replicated and shoved through a service module. If you don't need it, you can turn it off. Or you could run the module in bus-mode.

Dale
[c-nsp] GOLD results via SNMP?
I think this was asked about a month ago, but I couldn't find an answer. Are GOLD results available via SNMP?

The closest thing I could find was CISCO-ENTITY-DIAG-MIB, 1.3.6.1.4.1.9.9.350, but "There is no supporting images available for CISCO-ENTITY-DIAG-MIB" according to CCO.

Thanks,
Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin - Madison / WiscNet
http://net.doit.wisc.edu/~dwcarder
Re: [c-nsp] SNMP OID for reading Sup32 SP CPU in native IOS
How to Collect CPU Utilization on Cisco IOS Devices Using SNMP
Procedure for Devices with Multiple CPUs
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a94.shtml#multiple

Dale

On Sep 28, 2007, at 1:41 PM, Everton da Silva Marques wrote:
> Hi,
>
> May anyone please point me the SNMP OID for reading the load at the Sup32 Switch Processor CPU? IOS is native IPSERVICES 12.2(18)SXF10.
>
> I'm searching the OID with the same values as the following command:
>
> 7604#remote command switch show proc cpu
> CPU utilization for five seconds: 14%/6%; one minute: 21%; five minutes: 21%
>
> The following OID is not producing result:
>
> 1.3.6.1.4.1.9.12.3.1.9.5.111
> CISCO-ENTITY-VENDORTYPE-OID-MIB::cevCpuCat6kWsSup32ge
>
> Since snmpwalk replied with: No Such Object available on this agent at this OID.
>
> Please advise. Many thanks,
> Everton
Re: [c-nsp] 12.2(18)SXF11
On Sep 25, 2007, at 3:55 PM, Euan Galloway wrote:
> On Tue, Sep 25, 2007 at 11:19:30AM -0700, virendra rode // wrote:
>> http://www.cisco.com/en/US/customer/netsol/ns504/networking_solutions_products_generic_content0900aecd80694a2a.html#sxf_ios_software_mod
>
> I like that all modular software versions have failed the safe harbor testing due to SNMP shortcomings. Reading that has given me a giggle.

We saw issues along these lines, too. For example (I don't know if this has been fixed yet) querying the cpu load via snmp would only give you the cpu time spent in the main IOS thread. Sorry, we're not going to run crap like that.

It's pathetic that Safe Harbor has to find this. This is basic QA, folks.

Dale
Re: [c-nsp] WS-C3750-48PS-E stackwise flap
On Sep 19, 2007, at 9:45 AM, William wrote:
> We have a pair of WS-C3750-48PS-E's in a standard stackwise configuration. Every so often on a daily basis we get the following msg in syslog:
>
> %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN
> %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state UP
>
> Has anyone spotted this before? This is a remote site so I would like to leave the visual check/reseat of the cables last. More importantly no users are reporting an issue when these flaps happen.

We have a lot of (few thousand) 3750s. I think we reseat the stack cables on at least one stack a month, but in most cases we have found the stack ports just flaked out.

I would call the TAC after you confirm the cabling is fine.

Dale
Re: [c-nsp] DWDM for X2 optics
On Sep 18, 2007, at 5:21 PM, Richard A Steenbergen wrote:
> On Tue, Sep 18, 2007 at 04:28:59PM -0500, mack wrote:
>> Does anyone know if or when Cisco will offer X2 optics with DWDM? The 3560-E and 3750-E as well as 6708-10GE have X2 optics but Cisco is only saying they are not currently available in DWDM. If this is to be the new form factor for Cisco I can't see them not offering DWDM. Does anyone have the scoop?
>
> X2 is not a popular format
> snip
> Investing in X2 technology at this point in the game is a pretty terrible idea anyways.

I agree 100%. Don't waste your time with X2's. XFP is where it's at.

XENPAK and X2 both use a 4-lane XAUI interface at the board interconnect. This probably made it easy for the catalyst people to reuse existing asic designs for the 6708 card and the 3750-E.

XFP uses a serial interface (XFI) which requires the PHY to be moved back into the asic. So, it probably is taking them longer to bring a catalyst product to market w/ XFP's.

I wouldn't bother with the 8-port 10G card. I would wait for a 16 port card w/ XFP's. I would also doubt that there will be many new products with XENPAK's or X2's, and you probably don't want to be stuck with them.

Dale
Re: [c-nsp] spanning-tree optimize bpdu transmission
Looking through my notes, in 2004 I saw this show up in a config somewhere (can't recall if it was a 6500 or a dsbu switch), and it was ack'd as CSCeb13403, a cosmetic bug.

Cheers,
Dale

On Sep 10, 2007, at 12:38 PM, Richard Stern wrote:
> The command spanning-tree optimize bpdu transmission is not documented at all, yet it is referenced in numerous examples in the Cisco config guides. From a posting several years ago, it was mentioned that it sends out BPDUs at the interrupt level vs. the CPU. Default is enabled, yet in the examples (typically w/ Cat 29xx, 37xx) it is disabled. Should we infer from this that smaller switches can't deal w/this? Since this is a global command, does this infer that if I have a 6500 connected to other 6500s as well as smaller switches I need to disable it?
>
> Any insights are appreciated. Can somebody at Cisco arrange to get this included in the docs?
>
> Thanks,
> Richard
Re: [c-nsp] vty access-list
Yes. This is what we do for SNMP.

Dale

On Sep 13, 2007, at 10:12 AM, Fred Reimer wrote:
> If the device supports CPP can't you put an ACL on the control-plane to handle all interfaces at once?
Re: [c-nsp] FWSM and problems with disk:/
On Jun 27, 2007, at 4:36 AM, Mark Tohill wrote:
> We have a 6509 running 12.2(18)SXF4. In this chassis we have a FWSM running 3.1(5) software. After a week or so of logging, I can no longer 'dir' on the disk:/ device: Has anyone had this problem before?

We've seen disk corruption on 1/4th of our fwsm's. The symptom we saw was that 'write mem' didn't actually write to disk. We found it via script that happened to compare timestamps on the filesystems between active/standby modules. This was on 2.3(something).

We got a bug filed. Last I heard the plan was to fix 'write mem' so you would get an error message rather than addressing the filesystem problems.

Dale
Re: [c-nsp] Giants on TenGig Interface
Any Ethernet packet that is greater than 1518 bytes is considered a giant. Really old 6500 code was affected by CSCeb14127.

Dale

On Jun 27, 2007, at 9:49 AM, christian wrote:
> anyone know what could be causing giants on a tengig interface? I couldnt find any bugs, etc maybe a cosmetic issue..
>
> aggr1#sh int tengig8/1 | in gian
> 0 runts, 672768789 giants, 0 throttles
> aggr1#
Re: [c-nsp] Looking for a 2000 port GigE (rj45) solution?
On Jun 25, 2007, at 9:07 AM, Gabriel Graven wrote:
> I'm looking for suggestions for the best value to accomplish a 2000+ port of GigE RJ-45 in one central location. I am open to looking at stacking solutions, or chassis based.

Force10 E1200's w/ 90 port gig-e cards. Then use structured cabling w/MRJ21's to bust out the ports where you actually need them.

Dale
Re: [c-nsp] Multicast source question
On May 18, 2007, at 4:39 AM, Michael Robson wrote:
> We have a core of 6500s running sup720s with native IOS version 12.2(18)SXD4.

I would get that to the latest SXF if you can, or the latest SXE if 'F' blows up in your face.

> all ports that are a member of the same VLAN as the server receive the traffic, almost as if IGMP snooping is turned off or broken. I have shown that IGMP snooping is enabled using the slightly convoluted command (as per Cisco docs) sh ip igmp int vlan 404 | inc global.

It seems like there is not an igmp querying router on that vlan? You may want to verify that PIM is enabled on the router, or otherwise turn on the igmp querying feature on the switch.

Furthermore, I believe the igmp snooping/flooding behavior (without a querying router) changed somewhere between SXD and SXF, as I seem to recall we got burned by that on the last upgrade.

Dale
Re: [c-nsp] multicast source problem
On May 18, 2007, at 6:10 AM, Michael Robson wrote:
> Thanks for your help, but I've just found the problem (I missed this one earlier then I was looking around).
>
> IGMP snooping does not constrain multicast traffic for multicast group addresses in the range x.128-255.x.x until a receiver joins the multicast group. This problem is resolved in Release 12.2(18)SXD5. (CSCeh62522)
>
> A software upgrade it is!

I think that was the bug we found too, that I mentioned:

Dale

On May 18, 2007, at 12:58 PM, Dale W. Carder wrote:
> Furthermore, I believe the igmp snooping/flooding behavior (without a querying router) changed somewhere between SXD and SXF, as I seem to recall we got burned by that on the last upgrade.
Re: [c-nsp] troubleshooting SVI input drops on MSFC3
Here's some commands to get you started:

sh buffers input-interface
sh int vlan1234 switching
sh ip interface
sh ip traffic
sh cef drop
sh ip cache flow
sh cef not-cef-switched

Some more help can be found here: http://www.cisco.com/warp/public/63/queue_drops.html

You also might want to verify that you didn't configure a feature that causes punts.

If you really want to get dirty, you can create a span session to monitor traffic destined to the RP. This has been discussed on this list once or twice, but it is a bit messy.

Dale

On May 9, 2007, at 9:43 AM, barney gumbo wrote:
> I am seeing high input interface drops on an SVI interface on an MSFC3. The MSFC3 is installed in a 6503 chassis with Sup720. The switch is running hybrid mode. The traffic load has increased, and CPU is running high when the traffic load increases. I don't know why the SVI is showing increased traffic load because normally I don't see traffic through the SVI, it all gets MLS switched. Something in the last week has caused traffic to be switched through the SVI showing the high input drops. The overall load of traffic which should be routed (MLS switched) via the interface has not increased or decreased; all of a sudden in the last week traffic is being (seemingly) process switched through this SVI.
>
> Where do I begin troubleshooting high interface drops on an SVI?
Re: [c-nsp] Catalyst 6500 switchport input drops
What's the spanning-tree state of that port (for all vlans on that port), DTP, CDP, etc?

input queue drops on L2 ports is poorly documented (if at all). I have guessed that they indicate bpdu's being thrown away or other such stuff.

Dale

--
Dale W. Carder - Network Engineer
University of Wisconsin at Madison
http://net.doit.wisc.edu/~dwcarder

On Apr 23, 2007, at 12:21 PM, Matt Ryan wrote:
> Seeing a large number of drops on a switchport interface without any obvious reason (no errors, buffer misses, CPU load etc):
>
> Router#sh int fa2/2
> FastEthernet2/2 is up, line protocol is up (connected)
>   Hardware is C6k 100Mb 802.3, address is 0004.de84.1431 (bia 0004.de84.1431)
>   MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 100Mb/s
>   input flow-control is off, output flow-control is unsupported
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input never, output 18w2d, output hang never
>   Last clearing of show interface counters never
>   Input queue: 0/2000/1158238/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   5 minute input rate 128000 bits/sec, 113 packets/sec
>   5 minute output rate 2000 bits/sec, 2 packets/sec
>      943186717 packets input, 180091004357 bytes, 0 no buffer
>      Received 126945712 broadcasts (22133563 multicasts)
>      0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      47163411 packets output, 7169043006 bytes, 0 underruns
>      0 output errors, 0 collisions, 4 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
>
> Router#sh int fa2/2 counters errors
>
> Port    Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
> Fa2/2           0        0         0        0          0            0
>
> Port    Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
> Fa2/2            0          0         0           0          0      0       0
>
> Port    SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
> Fa2/2             0            0             0             0           0
>
> Any ideas what else to look for?
>
> Matt.