Re: [c-nsp] (BGP) BFD on XR in vrf on sub-interface of bundle-ether interface

2019-06-28 Thread David Hubbard
What platform are you on?  I ran into numerous issues with XR + BFD on 
NCS5501-SE hardware; worked with TAC and confirmed.  It's broken for bundle 
interfaces (gives an error, won't take the config), broken for BGP (takes the 
config without error but doesn't work), and broken if VRRP is in use.  It will 
only work on a single physical link on that platform.  We swapped out for 
Arista 7280's ultimately.



On 6/28/19, 1:19 PM, "cisco-nsp on behalf of christof...@netravnen.de" wrote:

c-nsp,

Has anyone tried running (BGP) BFD on XR in a vrf on a sub-interface of a
bundle-ether interface with success? I have tried looking through the
documentation at Cisco.com with no luck so far.

Currently trying to get a session up with a non-Cisco device on the
other end. No avail. Luck is close to up.
Have tried reading the Cisco documentation from the 4.2 release concerning
the restrictions to BFD mentioned. But I cannot get around to being wiser
on whether the restrictions apply to the below mentioned situation or not. :???:



[Cisco XR <=> Cisco SW (L2) <=> Juniper SW (L2) <=> Arista SW (L3)]
[       \     /           \     /             \     /             ]
[     trunk trunk       trunk trunk        access access          ]
[         \ /               \ /                 \ /               ]
[    #Vlan tagged#     #Vlan tagged#        #untagged#            ]

BFD is being configured between XR and Arista SW.

  * Cisco XR <=> Cisco SW (L2) : trunk interface (LAG group)
  * Cisco SW (L2) <=> Juniper SW (L2) : trunk interface
  * Juniper SW (L2) <=> Arista SW (L3) : access interface

  § same Vlan tag is carried on traffic between Cisco XR <=> Juniper SW.
Juniper SW pops vlan tag before forwarding traffic to Arista SW.

Using "monitor traffic interface(...)matching "udp && (port 49152 ||
port 3784)" looking for traversing BFD packets on Juniper SW (L2)...
Returns an empty output. No packet(s) matched.



Configuration Example Snippet from XR:

bfd
 interface Bundle-Ether500.600
  no echo
 !
!
interface Bundle-Ether500.600
 vrf RED
 ipv4 mtu 1500
 ipv4 address 10.10.10.9 255.255.255.252
 encapsulation dot1q 600
!
router bgp 65000
 vrf RED
  neighbor 10.10.10.10
   remote-as 65001
   bfd fast-detect
   bfd multiplier 3
   bfd minimum-interval 3000
  !
 !
!
interface Bundle-Ether500
 mtu 9000
 bundle minimum-active links 1
!
interface Te0/0/0/0
 bundle id 500 mode active
!
interface Te0/0/1/3
 bundle id 500 mode active
!


RP/0/RSP1/CPU0:XR#sh conf run int Bundle-Ether500.600
I/f: Bundle-Ether500.600, Location: 0/RSP1/CPU0
Dest: 10.10.10.10
Src: 10.10.10.9
 State: DOWN for 0d:1h:0m:0s, number of times UP: 0
 Session type: SW/V4/SH/BL
Received parameters:
 Version: 0, desired tx interval: 0 ms, required rx interval: 0 ms
 Required echo rx interval: 0 ms, multiplier: 0, diag: None
 My discr: 0, your discr: 0, H/D/F/P/C/A: 0/0/0/0/0/0
Transmitted parameters:
 Version: 0, desired tx interval: 0 ms, required rx interval: 0 ms
 Required echo rx interval: 0 ms, multiplier: 0, diag: None
 My discr: 0, your discr: 0, H/D/F/P/C/A: 0/0/0/0/0/0
Timer Values:
 Local negotiated async tx interval: 0 ms
 Remote negotiated async tx interval: 0 s
 Desired echo tx interval: 0 s, local negotiated echo tx interval: 0 ms
 Echo detection time: 0 ms, async detection time: 0 ms
Label:
 Internal label: 289033/0x46909
Local Stats:
 Intervals between async packets:
   Tx: Number of intervals=0, min=0 s, max=0 s, avg=0 s
   Last packet transmitted 0 s ago
   Rx: Number of intervals=0, min=0 s, max=0 s, avg=0 s
   Last packet received 0 s ago
 Intervals between echo packets:
   Tx: Number of intervals=0, min=0 s, max=0 s, avg=0 s
   Last packet transmitted 0 s ago
   Rx: Number of intervals=0, min=0 s, max=0 s, avg=0 s
   Last packet received 0 s ago
 Latency of echo packets (time between tx and rx):
   Number of packets: 0, min=0 ms, max=0 ms, avg=0 ms
MP download state: BFD_MP_DOWNLOAD_NO_LC
State change time: Jun 28 14:14:14.147
Session owner information:
                            Desired               Adjusted
  Client               Interval   Multiplier Interval   Multiplier
  -------------------- --------------------- ---------------------
  bgp-default          3 s        3          3 s        3


RP/0/RSP1/CPU0:XR#sh ver | i Cisco IOS XR Software
Cisco IOS XR Software, Version 5.3.4[Default]


RP/0/RSP1/CPU0:XR#show bfd counters packet
---empty_output---
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
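As an added illustration of the fields the XR output above lists (this is not code from the thread or from Cisco): a parser for the 24-byte RFC 5880 BFD control packet that applies the reception checks a receiver must pass before a session can leave Down, plus the asynchronous detection-time rule, fed with a constructed peer packet using the 3000 ms / multiplier 3 values from the config. The port check covers the whole RFC 5881 source-port range (49152-65535), not only 49152 as in the capture filter; packet bytes and discriminators are constructed.

```python
import struct
from dataclasses import dataclass

# RFC 5881: single-hop control packets go to UDP 3784 from a source port in 49152-65535.
BFD_CONTROL_PORT = 3784
BFD_SRC_PORTS = range(49152, 65536)

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
STATE_CODES = {name: code for code, name in STATE_NAMES.items()}


@dataclass
class BfdControl:
    version: int
    diag: int
    state: str
    poll: bool
    final: bool
    cpi: bool            # Control Plane Independent
    auth: bool           # Authentication Present
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_discr: int
    your_discr: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int


def build_bfd_control(state, my_discr, your_discr, detect_mult, desired_min_tx_us,
                      required_min_rx_us, required_min_echo_rx_us=0, diag=0,
                      poll=False, final=False) -> bytes:
    """Encode the 24-byte mandatory section of an RFC 5880 control packet."""
    vers_diag = (1 << 5) | (diag & 0x1F)
    sta_flags = (STATE_CODES[state] << 6) | (int(poll) << 5) | (int(final) << 4)
    return struct.pack("!BBBBIIIII", vers_diag, sta_flags, detect_mult, 24,
                       my_discr, your_discr, desired_min_tx_us,
                       required_min_rx_us, required_min_echo_rx_us)


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Decode a control packet, applying the reception checks of RFC 5880 6.8.6;
    a packet failing any of them is discarded and never moves the session."""
    if len(payload) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    (vers_diag, sta_flags, detect_mult, length, my_d, your_d,
     tx, rx, echo_rx) = struct.unpack("!BBBBIIIII", payload[:24])
    version = vers_diag >> 5
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    auth = bool(sta_flags & 0x04)
    if length < (26 if auth else 24) or length > len(payload):
        raise ValueError(f"bad Length field {length}")
    if detect_mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if sta_flags & 0x01:
        raise ValueError("Multipoint bit must be zero")
    if my_d == 0:
        raise ValueError("My Discriminator must be non-zero")
    state = STATE_NAMES[sta_flags >> 6]
    if your_d == 0 and state not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator may be zero only in Down/AdminDown")
    return BfdControl(version, vers_diag & 0x1F, state,
                      bool(sta_flags & 0x20), bool(sta_flags & 0x10),
                      bool(sta_flags & 0x08), auth, bool(sta_flags & 0x02),
                      bool(sta_flags & 0x01), detect_mult, length, my_d, your_d,
                      tx, rx, echo_rx)


def is_valid_bfd_control(payload: bytes) -> bool:
    """True when the packet would be accepted by the reception checks above."""
    try:
        parse_bfd_control(payload)
        return True
    except ValueError:
        return False


def async_detection_time_us(local_required_min_rx_us: int, remote: BfdControl) -> int:
    """RFC 5880 6.8.4: remote Detect Mult times the greater of our Required Min RX
    and the remote's Desired Min TX (the intervals the XR output calls 'negotiated')."""
    return remote.detect_mult * max(local_required_min_rx_us, remote.desired_min_tx_us)


def is_single_hop_bfd(src_port: int, dst_port: int) -> bool:
    """Port test for a capture filter; unlike 'port 49152 || port 3784' it accepts
    the whole RFC 5881 source-port range."""
    return dst_port == BFD_CONTROL_PORT and src_port in BFD_SRC_PORTS


# Constructed sample: a Down packet from the far end using the XR side's
# configured intervals (minimum-interval 3000 ms, multiplier 3).
SAMPLE_FROM_PEER = build_bfd_control(state="Down", my_discr=0x1A2B3C4D, your_discr=0,
                                     detect_mult=3, desired_min_tx_us=3_000_000,
                                     required_min_rx_us=3_000_000)

if __name__ == "__main__":
    pkt = parse_bfd_control(SAMPLE_FROM_PEER)
    print(pkt)
    print("async detection time:", async_detection_time_us(3_000_000, pkt) / 1e6, "s")
```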

[c-nsp] cbgpPeer2AdvertisedPrefixes different than 'show bgp nei X advertised-routes'

2018-04-19 Thread David Hubbard
I’m curious if anyone has noticed issues with CISCO-BGP4-MIB values related to 
prefix counts on IOS XR?  I’m querying a 6.2.3 device and seeing weird results.

I’d like to monitor the number of prefixes advertised and received from eBGP 
peers.  The mib defines cbgpPeerAcceptedPrefixes as a Counter32, and 
cbgpPeerAdvertisedPrefixes as a Gauge32.  That’s the first thing that doesn’t 
make sense.  Both values should be Gauge32 since counting ongoing changes to 
the prefix counts is a useless metric for the device to be tracking.

So, first is accepted prefixes; cbgpPeerAcceptedPrefixes.  Even though it’s 
defined in the MIB as a Counter32, the data being returned appears to be a 
current reading, i.e. a Gauge32.  I can make do with the wrong data 
classification since the values seem to be what I want regardless.

Then I’ve got cbgpPeerAdvertisedPrefixes, which is defined as a Gauge32, but 
appears to be behaving like a counter, making the data completely useless.  One 
peer is showing double the advertisements of another, even though the actual 
advertisements are the same.  That particular peer has flapped once since the 
monitoring began, hence my suspicion that it’s behaving like a counter.  The 
value returned for iBGP peers, on my edge routers, is incrementing constantly, 
currently at 37 million+, adding to the evidence it’s a counter, and useless.  
I have not yet found an OID I can query that gives me a current advertised 
count.

Do other platforms behave like this or would this be a bug in the 
implementation on my particular device?

Thanks
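Added example, not from the thread: a small check that classifies a polled CISCO-BGP4-MIB object by how its values behave over time rather than by its declared type, handles Counter32 wrap when the object does turn out to be a counter, and cross-checks a gauge-behaving value against the CLI prefix count. The poll series, the rising-fraction heuristic and the 5-prefix tolerance are constructed assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

COUNTER32_MODULUS = 2 ** 32
Sample = Tuple[float, int]          # (poll time in seconds, polled value)


def counter32_delta(previous: int, current: int) -> int:
    """Increase between two Counter32 polls, correcting for one 32-bit wrap.
    Never feed a gauge through this: a real decrease would be read as a wrap."""
    return (current - previous) % COUNTER32_MODULUS


def counter_rates(samples: Sequence[Sample]) -> List[float]:
    """Per-second rate between consecutive polls of a counter-type object."""
    rates = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be in increasing time order")
        rates.append(counter32_delta(v0, v1) / (t1 - t0))
    return rates


def classify_series(samples: Sequence[Sample], min_rising_fraction: float = 0.8) -> str:
    """Heuristic of this example (nothing the MIB defines): decide whether a polled
    object behaves like a counter or a gauge, whatever its declared type.  A counter
    never decreases except by wrapping and, while updates flow, rises on nearly every
    poll; a gauge sits at a level and may go down.  An object that only moves on
    events (a re-advertisement after a flap) needs a longer window than this."""
    values = [v for _, v in samples]
    if len(values) < 3:
        return "undetermined"
    rising = 0
    for v0, v1 in zip(values, values[1:]):
        drop = v0 - v1
        if 0 < drop < 2 ** 31:          # modest decrease: impossible for a counter
            return "gauge"
        if v1 != v0:
            rising += 1
    return "counter" if rising >= min_rising_fraction * (len(values) - 1) else "gauge"


@dataclass
class PrefixObjectReport:
    oid_name: str
    declared_type: str      # what CISCO-BGP4-MIB says
    observed: str           # what the polled values actually do
    latest_value: int

    @property
    def type_mismatch(self) -> bool:
        declared = "counter" if self.declared_type.lower().startswith("counter") else "gauge"
        return self.observed != "undetermined" and self.observed != declared


def assess(oid_name: str, declared_type: str, samples: Sequence[Sample]) -> PrefixObjectReport:
    return PrefixObjectReport(oid_name, declared_type, classify_series(samples), samples[-1][1])


def matches_cli_count(report: PrefixObjectReport, cli_count: int, tolerance: int = 5) -> bool:
    """Cross-check against the count from 'show bgp neighbor X advertised-routes'
    (or the accepted-prefix count); only a gauge-behaving object can be expected to match."""
    return report.observed == "gauge" and abs(report.latest_value - cli_count) <= tolerance


# Constructed 5-minute poll series; the values are illustrative, not from the thread.
IBGP_ADVERTISED = [(0, 37_000_000), (300, 37_004_900), (600, 37_010_050),
                   (900, 37_015_200), (1200, 37_020_100)]
EBGP_ACCEPTED = [(0, 712_000), (300, 712_000), (600, 712_003),
                 (900, 711_998), (1200, 711_999)]

if __name__ == "__main__":
    for name, declared, series in (("cbgpPeerAdvertisedPrefixes", "Gauge32", IBGP_ADVERTISED),
                                   ("cbgpPeerAcceptedPrefixes", "Counter32", EBGP_ACCEPTED)):
        r = assess(name, declared, series)
        print(f"{r.oid_name}: declared {r.declared_type}, behaves like a {r.observed}"
              f"{' (MISMATCH)' if r.type_mismatch else ''}")
```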


[c-nsp] IPv6 uRPF broken on NCS5500 XR 6.2.3?

2018-02-23 Thread David Hubbard
Hi all, curious if anyone has run into issues with IPv6 uRPF on NCS5500 and/or 
XR 6.2.3?  I have an interface where I added:

Ipv4 verify unicast source reachable-via any
ipv6 verify unicast source reachable-via any

and immediately lost my ability to talk to a BGP peer connected to it using a 
local /126 range; no ping, tcp, etc.  There’s obviously a route in FIB given 
it’s connected and up, but I did check.  The same issue does not occur with the 
remote IPv4 peering address on a /30 net, suggesting uRPF for ipv4 doesn’t have 
the same bug.

Thanks



Re: [c-nsp] XR on NCS5500 6.2.25 vs 6.2.3

2018-02-02 Thread David Hubbard
Ah that makes more sense; thanks!

On 2/2/18, 10:31 AM, "James Jun" <ja...@towardex.com> wrote:

Hey,

On Fri, Feb 02, 2018 at 01:46:26PM +0000, David Hubbard wrote:
> However, in the release notes, both bootloader and MB-IOFPGA have bumped 
> up revisions in 6.2.3, so it's making me think it actually is the latest of 
> the 6.2.x train?


XR 6.2.3 is newer than 6.2.25 (what they meant by 25 was probably 
'6.2.2.5').  6.2.3 is currently the suggested EMR that is until 6.3.3 rolls 
later.  See 
https://supportforums.cisco.com/t5/service-providers-documents/ios-xr-release-strategy-and-deployment-recommendation/ta-p/3165422

For ASR9K, we started rolling 6.2.3 for cXR (upgrading from 6.2.25 on 
shipped boxes), as that's the minimum version required for the new 4x100GE cost 
optimized line card (Skyhammer-mini).


James




[c-nsp] XR on NCS5500 6.2.25 vs 6.2.3

2018-02-02 Thread David Hubbard
I’m curious if anyone knows, specific to NCS5500 series, if there are actually 
two software trains in the 6.2.x series, where 6.2.3 and 6.2.25 are somehow 
treated differently, or, illogically, 3 is somehow higher than 25?  I noticed 
that 6.2.3 was released after 6.2.25, which seems odd given 6.2.3 seems like 
something that would have been 22 releases prior to 6.2.25.  However, in the 
release notes, both bootloader and MB-IOFPGA have bumped up revisions in 6.2.3, 
so it’s making me think it actually is the latest of the 6.2.x train?

Thanks


Re: [c-nsp] Does NCS behave like Nexus w/regard to vPC+VRRP active/active?

2017-12-15 Thread David Hubbard
Thanks all, yep, discovered no vpc commands lol.  I’ve gone ahead with mc-lag, 
relevant BD’s and added BVI’s for the router interfaces.  Now I need to deploy 
a first hop redundancy option.

In an mc-lag solution, do you know if these devices will work similar to 
HSRP/VRRP in a Nexus+vPC setup where, regardless of a device being the 
‘standby’ first hop from a control plane perspective, they’ll still forward on 
the data plane rather than having to send them across the inter-device link to 
the active first hop for forwarding?

Thanks!

On 12/15/17, 3:37 AM, "adamv0...@netconsultings.com" 
<adamv0...@netconsultings.com> wrote:

Yup, using proprietary common brain was deemed as not an optimal solution to
the problem, hence why routers are rather using MC-LAG (multichassis LACP)
instead.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::

> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Brian Turnbow
> Sent: Thursday, December 14, 2017 5:33 PM
> To: 'David Hubbard'; 'cisco-nsp'
> Subject: Re: [c-nsp] Does NCS behave like Nexus w/regard to vPC+VRRP
> active/active?
> 
> Hi Dave,
> 
> The ncs5501 does not support vpc nor any vss clustering like configuration
> afaik.
> 
> 
> Brian
> 
> > -Original Message-
> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> > Of David Hubbard
> > Sent: giovedì 14 dicembre 2017 18:07
> > To: cisco-nsp
> > Subject: [c-nsp] Does NCS behave like Nexus w/regard to vPC+VRRP
> > active/active?
> >
> > Hey all, before I go too far down the configuration path, was curious
> > if anyone knows off hand if the NCS5500 line (5501SE with IOS XR
> > 6.2.25) behave like Nexus when you set up vPC + VRRP where data plane
> > is active/active for forwarding?
> >
> > Thanks,
> >
> > David
> >
> >




[c-nsp] Does NCS behave like Nexus w/regard to vPC+VRRP active/active?

2017-12-14 Thread David Hubbard
Hey all, before I go too far down the configuration path, was curious if anyone 
knows off hand if the NCS5500 line (5501SE with IOS XR 6.2.25) behave like 
Nexus when you set up vPC + VRRP where data plane is active/active for 
forwarding?

Thanks,

David




Re: [c-nsp] NCS-5501/NCS-5502 as border/core routers

2017-08-23 Thread David Hubbard
Hey Simon, I’m going to be deploying the 5501se in the edge role to replace 
some Brocade MLXe’s that can no longer fit a full v4+v6 route table in CAM 
while also supporting VRF’s.  I weighed several options but ultimately felt 
like the 2M FIB gave me a comfort level slightly higher than competing products 
that were in the “1M+” or 1.3M range.

The pricing & licensing almost killed the deal before I executed it.  I didn’t 
look at the 5502se since I won’t need more than (4) 100gig, but on the 5501se, 
the base price only includes eight of the forty 10gig ports active, and none 
(!) of the 100gig.  You have to buy license enable kits for each block of 
additional eight 10gig ports (part NC5501-80G-SE-LIC=, $14k list), and a 
license enabler for each single 100gig port (not sure of part, same list price 
as the 8x10gig, but on a single port, yikes).  A fully activated 5501se I think 
lists in the $300k range, and I know no one pays list, but it’s still just a 
stupid number for a 40/10+4/100 switch.  The lead time is inexplicably long 
currently too, which makes me think they’re either flying off the shelves, or 
no one’s buying them lol; I’m still expecting 4+ more weeks before my order 
from a few weeks ago shows up.

If it were not for the difference between 1.3M and 2M FIB, I’d have gone Arista 
7280R2A series (part 7280SR2A-48YC6) which is their Jericho+ platform and will 
do 1.3M routes, (48) 1/10/25gig ports, (6) 100gig that can also do breakout, 
all ports active, much lower cost.  I had an order for a bunch of other Cisco 
stuff going out and was able to get the overall numbers where I wanted them to 
be to execute the 5501’s, but had that not been the case, I’d likely have been 
buying more Arista (already use the 7280SE for non-edge roles) and seeing how 
long the 1.3M routes would last.

If you’re considering the 5502se, which is significantly more expensive than 
5501se of course, you may want to look at Arista’s 7280CR2K (the K is 
important).  I believe that 30 or 60-port 100gig device can do 2M and I’d be 
shocked if it were not much more cost effective than the 5502se.  Supposedly 
this fall they’re going to be pushing table size further on the lower series 
devices, so if I had the time to spare, may not be a bad idea to wait and see 
what they come out with.  I’ve got some further out projects I’m waiting on 
that for versus buying more 5501se’s now.



On 8/23/17, 2:40 AM, "cisco-nsp on behalf of Simon Lockhart" wrote:

All,

I'm currently trying to plan some upgrades for one of my networks where we 
currently use Cat6500/Sup2T as both 'core' and 'border' routers, but are very
rapidly outgrowing them. I've recently split off the L2 transport aspects from
the 6500's onto 100G capable switches (I ended up using Extreme X690/X870 here)
which has freed up some capacity, but now looking at what to do about the L3
routing aspects, working with full Internet routing tables.

I'd always planned to move up to the ASR9k for this, but the price of 100G
ports for them is eyewateringly expensive when compared to switching boxes. I
then stumbled across the NCS-5501-SE and NCS-5502-SE boxes. These, on paper,
look ideal - the 5501's as border routers with 100G uplinks to the core, and
the 5502's as core routers in our main datacentres. In particular, the 5502
appears to give me 48 x 100G ports for way less than the cost of ASR9k with 
just 4 x 100G ports.

I fully recognise the difference between L3 switches (which I see the NCS
boxes as) and true routers - I've been using the Cat6500 in this role for
7+ years!

Are there people on this list who are actively using these boxes like this?
Any gotchas, recommendations, scare stories? Does anyone understand the
licensing on them? I've struggled to find any Cisco published information
about what is/isn't included in each of the license options...

Many thanks,

Simon



Re: [c-nsp] OT Solarwinds Alternatives

2017-07-27 Thread David Hubbard
Been dramatically happier with Zabbix + ntop after moving off Solarwinds for 
both NMS and flow data analysis (NTA).  Zabbix picked up all the monitoring 
pieces and felt way more polished than Nagios.  We’re not only using zabbix for 
typical things like snmp and agent-based data collection / alerting from 
servers and devices, but have it hooked into vmware clusters via VMBIX, hooked 
into DNS servers monitoring qps, and a multitude of other things where scripts 
running on various servers trigger Zabbix alerts when conditions are met, 
whether that be helpdesk tickets aging out, all the way to developers missing 
milestones in Jira.  You can even push the alerts into different things; we 
populate channels of a corporate group chat app with alerts relevant to the 
various channel members to get them in front of the right faces instantly.

Ntop has proven to be much more useful to me than Solarwinds’ NTA (netflow) 
product because of their lack of interest in furthering the development of 
sflow analysis.  Specifically, sflow data containing remote BGP ASN’s was, as 
of early 2016, still being ignored by NTA, making it useless in watching your 
top BGP sources and destinations in case you want to make peering decisions 
based on that.  This was what used to be on their site but now seems to be 
removed:

"Explanation:  SFlow packet format is completely different from NetFlow (both 
v5 and v9). In SFlow, BGP/AS information is provided in a special/extended 
header that NTA does not parse (since there has been no previous need to do so).

Resolution:  If possible, use NetFlow v5 or v9 (with appropriate v5 compliance) 
if you need to collect and process BGP/AS traffic information. If neither 
NetFlow v5 or v9 is supported by your devices, file an enhancement request with 
SolarWinds Support."

I filed enhancement requests annually from 2008 to 2015, all were ignored.  
They will spam the hell out of you endlessly if you drop them though, so I even 
kept telling the sales folks what it was missing and it still hadn’t been 
added.  Maybe their deletion of that article means it’s in there now; not sure. 
 And when I mean endlessly, I mean endlessly; it takes a great deal of work to 
get them to stop emailing you, and it’s always some new name / new title / 
whatever and you have to get fairly nasty to make them stop.

It running on Windows was of course a huge negative too; it would go into 
typical for Windows unexplained non-functioning from time to time if left up 
too long, so reboots every few months were the norm.



On 7/27/17, 3:09 PM, "cisco-nsp on behalf of Scott Granados" wrote:

Hi Nick,

In my opinion anything is better than Solar Winds but that’s me.  I don’t 
understand how any serious network monitoring company only offers their 
products for the windows environment and has no Unix variants.  That’s just 
goofy to me but that aside here are some alternatives I have had good success 
with.

OpenNMS http://www.opennms.org is a comprehensive open source network 
management toolkit.
Open groundwork http://www.opengroundwork.com Can be pricing depending on 
licensing but easy to set up and pretty feature packed, based on NAGIOS if 
memory serves.
Nagios, the gold standard, Nagios is a good framework with lots of plug in 
functionality and ability to customize / expand.  It's a very complex but 
powerful tool.  In many environments it requires a full-time admin but it 
doesn't have to.
If you’re looking for netflow capture and analysis I’m a pretty big fan of 
nfdump and nfcapd.  Easy to get up and running and can generate powerful 
reports, also includes plugin add ons like mapping functions and anomaly 
detection.
Cacti, good prober for port stats and has the ability to take rapid probes 
in for looking at bursty traffic.
RANCID, great network archiving tool for version control and archival of 
network device configs.  Written in expect / TCL so can be modified to suit 
your needs.

There's a few for starters.

Thanks


On Jul 27, 2017, at 2:56 PM, Nick Griffin wrote:

Sorry for the off-topic post. I'm looking for input on network management
solutions other than solarwinds, unbiased opinions. We will need all things
network related, monitoring, alerts, reporting, configuration management,
and other tools that might be handy for a NOC. If this takes multiple tools
then that is fine. Just looking for some ideas from the guys in the
trenches. Thanks!

Re: [c-nsp] BGP route influence question related to multi-path iBGP

2017-01-20 Thread David Hubbard
Ah, perfect, and so obvious now that I think about it.  Easy to fix too as they 
already have an IGP on those links.

Thanks!

On 1/20/17, 12:38 PM, "Gert Doering" <g...@greenie.muc.de> wrote:

Hi,

On Fri, Jan 20, 2017 at 05:10:56PM +0000, David Hubbard wrote:
> Hello all, I have a setup where one BGP AS exists at two physical 
locations, with an edge router at each location peered to different upstreams.  
The two edge routers are interconnected with a 40gig and 10gig link, each with 
its own interface/address, so there are two iBGP sessions between the same two 
routers.  The intent of the 10gig is only to be used as backup, and when I 
first brought it up, the routers of course began treating them as equal cost 
paths (from BGP perspective) and used both.  The way I initially worked around 
that was via a route map on both sides that assigns a higher non-default weight 
to advertisements coming in via the iBGP session on the 40gig link.

"The normal way" to do iBGP is "between loopbacks" and have an IGP 
distribute loopback reachability across available links.

Which will automatically achieve what you're asking for :-) 

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany 
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de




[c-nsp] BGP route influence question related to multi-path iBGP

2017-01-20 Thread David Hubbard
Hello all, I have a setup where one BGP AS exists at two physical locations, 
with an edge router at each location peered to different upstreams.  The two 
edge routers are interconnected with a 40gig and 10gig link, each with its own 
interface/address, so there are two iBGP sessions between the same two routers. 
 The intent of the 10gig is only to be used as backup, and when I first brought 
it up, the routers of course began treating them as equal cost paths (from BGP 
perspective) and used both.  The way I initially worked around that was via a 
route map on both sides that assigns a higher non-default weight to 
advertisements coming in via the iBGP session on the 40gig link.

The issue with this is weight of course comes before other factors in best path 
selection, including AS path length, so I’m seeing less desirable routes end up 
in my route tables, likely just based on which edge router gets an update first 
and sends it to the other.

Is there a better way for these two to be set up so they can have a backup path 
that is only used if the primary is down, without negatively influencing normal 
best path selection?

Thanks,

David


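Added example, not from either message in this exchange: a simplified best-path selector that shows why the per-session weight workaround picks a longer AS path over the router's own eBGP route, and how the loopback-peering setup Gert describes leaves AS path length in charge while the IGP moves the session between the 40gig and 10gig links. ASNs, addresses and link costs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    learned_from: str              # "ebgp" or "ibgp"
    weight: int = 0                # received paths carry weight 0 unless a route-map sets it
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    igp_metric: int = 0            # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"


def _decision_key(p: Path):
    """Abridged Cisco-style order: highest weight, highest local pref, shortest AS
    path, lowest origin, lowest MED, eBGP over iBGP, lowest IGP metric to the next
    hop, lowest router ID.  Weight is checked first, so a route-map weight
    overrides AS path length, which is exactly the complaint in the thread."""
    return (-p.weight, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin], p.med,
            0 if p.learned_from == "ebgp" else 1, p.igp_metric,
            tuple(int(o) for o in p.router_id.split(".")))


def best_path(paths: List[Path]) -> Path:
    return min(paths, key=_decision_key)


# Constructed inter-site links: IGP costs make the 40G preferred and the 10G a backup.
LINK_COSTS = {"40G": 10, "10G": 100}


def igp_best_link(links_up: Dict[str, bool]) -> Tuple[str, int]:
    """Cheapest link that is up toward the remote loopback."""
    candidates = [(cost, name) for name, cost in LINK_COSTS.items() if links_up.get(name)]
    if not candidates:
        raise RuntimeError("remote loopback unreachable")
    cost, name = min(candidates)
    return name, cost


def weight_workaround() -> Path:
    """Two parallel iBGP sessions (one per link) with a route-map that sets
    weight 200 on everything learned over the 40G session."""
    own_ebgp = Path("198.51.100.1", [64500, 64510], "ebgp")                 # 2 AS hops, weight 0
    via_40g = Path("10.0.0.2", [64520, 64530, 64510], "ibgp", weight=200)   # 3 AS hops
    via_10g = Path("10.0.1.2", [64520, 64530, 64510], "ibgp")
    return best_path([own_ebgp, via_40g, via_10g])


def loopback_peering(links_up: Dict[str, bool]) -> Tuple[Path, str]:
    """One iBGP session between loopbacks, no weight; the IGP chooses the physical
    link for the session and fails over by itself when the 40G goes away."""
    link, cost = igp_best_link(links_up)
    own_ebgp = Path("198.51.100.1", [64500, 64510], "ebgp")
    via_loopback = Path("192.0.2.2", [64520, 64530, 64510], "ibgp", igp_metric=cost)
    return best_path([own_ebgp, via_loopback]), link


if __name__ == "__main__":
    p = weight_workaround()
    print("weight workaround picks", p.learned_from, "path with", len(p.as_path), "AS hops")
    for state in ({"40G": True, "10G": True}, {"40G": False, "10G": True}):
        p, link = loopback_peering(state)
        print("loopback peering picks", p.learned_from, "path; iBGP session rides the", link)
```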

Re: [c-nsp] Rec for full-table multi-peer bgp router?

2016-11-30 Thread David Hubbard
Thanks Gert & Peter.  I’m going to look into the 9001.  We have a bunch of 
Arista in the core doing ospf/ospfv3, the rep there suggested their 7280SR, 
which is 48 SFP+, 6 QSFP, and they claim it’s stable as a BGP router with 
limitations of 1.2M ipv4 / 768k ipv6 routes, simultaneously, no picking and 
choosing like Brocade.  Obviously, it’s good price point, but I’m not sure I’m 
ready to trust them in an edge router role as I don’t know anyone using them 
for BGP.  I’m also not sure how long 1.2M ipv4 routes will be good for given 
we’re already over the half way point to that and the table has been growing 
regularly after run out.   List is $66k for reference.  

David

On 11/30/16, 2:42 PM, "cisco-nsp on behalf of Gert Doering" wrote:

Hi,

On Wed, Nov 30, 2016 at 08:32:02PM +0100, Peter Rathlev wrote:
> Four SFP+ interfaces, as ASR9001 has built-in, would be just what we
> need. It seems to cost around $80k list price. Is that what we should
> expect to pay for a 10G capable edge router? I'd love to know if there
> are cheaper alternatives, though I'm perfectly willing to accept if
> there are not.

This isn't exactly Cisco's sweet spot - "a few 10GE interfaces and
full BGP" - you need "real router brains" but also "fast-ish and
large-table forwarding engine".  So, Cisco-wise, this is the thing,
and the price hurts indeed if compared to something with "the fast"
but "without the brains" (like a QFX5100 with 48x 10GE for much less
moneyz).


But the moment you see it flap a few full BGP sessions in 30 seconds
without breaking a sweat, you see that the money was well-spent :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany 
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de



[c-nsp] Rec for full-table multi-peer bgp router?

2016-11-30 Thread David Hubbard
Hi all, I’m looking for a recommendation of the most cost effective Cisco 
option for replacing some Brocade MLXe’s in dual stack border router roles.  
The MLXe’s have been great, but we’ve reached the point where the software is 
causing problems; specifically, you’re forced to choose a CAM profile that 
slices up the max quantity of ipv4, ipv6 and VRF’s.  The IPv6 routing table has 
grown to the point where Brocade no longer has a CAM profile that is compatible 
with full IPv4 routes, full IPv6 routes and still allowing VRF’s, so the only 
way for me to continue using Brocade would be to either do away with VRF’s, or 
double my hardware to eliminate IPv4 or IPv6 from each router and keep VRFs.  
I’d rather not complicate things like that.

I don’t need too much in the way of port density per device; eight or ten SFP+ 
ports would be fine, and if QSFP is available that would be a bonus, but not 
one I’d be willing to pay more for at this point.  Each router typically talks 
to one other ibgp, three others ospf/ospfv3, two or three ebgp peers sending 
full tables.  Nothing too exciting.

Thanks,

David

Re: [c-nsp] A switch with huge number of Mac address

2016-01-08 Thread David Hubbard
Perhaps check out Arista.  If you’re willing to run two switches as a stack, 
the 7280 would work great for this.  256k MAC/ARP and 128k IPv6 neighbor cache 
with 48 SFP+, but depending on model, you have QSFP+/QSFP100/MXP ports that you 
can use to gain more 10gig ports, so potentially up to 72 10gig per switch.  Or 
just use the 48 built in and use the 40/100 ports to link two chassis.  They do 
multi-chassis trunk and vARP.  We’re close to deploying these to replace a 
Brocade setup for a Cisco UCS/vmware cluster because we needed a huge 
MAC/ARP/v6 ND table due to all the VM’s and would have had to spend 3x/4x to 
get into Nexus 7k to get the same table sizes.

Arista 7300 chassis would work too if you didn’t want to deal with the whole 
stacking issue.  With the right profile selected, it can do 288k MAC/ARP and 
104k v6 ND.

David




On 1/8/16, 11:05 AM, "cisco-nsp on behalf of Alireza Soltanian" wrote:

>Hi everybody
>We want to purchase a switch with 1G/10G ports (at least 96 ports) which
>can support up to 192k of Mac addresses.
>Is there any product in market which can provide this flexibility? Rack unit
>is also a factor
>
>Thank you for your help and support.

Re: [c-nsp] Remote management console servers?

2015-07-14 Thread David Hubbard
We use and really like the Opengear's as well.  Just keep in
mind that you're still running a linux box so it should be
treated as one.  We had to quickly lock all of ours down 
back when that bash exploit happened as we had the web 
interface of the units exposed to the cell modem side.

David

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On 
 Behalf Of CiscoNSP List
 Sent: Tuesday, July 14, 2015 7:41 PM
 To: Scott Granados; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Remote management console servers?
 
 
 We've just started using Opengear (7216's) - 16 serial 
 ports (Can use standard straight through eth, or rollover), 
 has 3G/4G, modem and 2 x Eth connections, all can be setup as 
 failover for each other as OOB...plus supports dydns (We have 
 to use this for our 4G, as we can only get dynamic IP)...so 
 far, very happy with them (Our old OOB boxes were/are 
 2511's with old external modems hanging off them)...Can't get 
 those modems anymore, so alternate box was needed.
 
 
 Plenty of models to choose from, if you don't need 16 serial 
 ports...but the 7216 has the 4 WAN connection 
 options...very handy when you can't get a pstn line installed 
 into a Data Centre...just use Eth and 4G...works well for us
 
 
 
 
 From: cisco-nsp cisco-nsp-boun...@puck.nether.net on behalf 
 of Scott Granados sc...@granados-llc.net
 Sent: Wednesday, 15 July 2015 3:03 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Remote management console servers?
 
 Hi,
 
 Wondering what people are doing / best practices for remote 
 management generally in datacenter environments.  We have 
 several datacenter with a mix of Cisco, F5, Juniper and Palo 
 Alto equipment in each.  All have a similar RJ45 type console 
 port and all are pretty much your garden variety devices.  
 Looking for a good solution to gain access when primary 
 connectivity is disrupted.  I know back in the day we used 
 2610XM routers with the octopus cables but I'm wondering if 
 there is better available now or is this still a good 
 solution?  Do you all use out of band loops for remote 
 management like DS1 / DS3 circuits from diverse providers, 
 dial in, what's the standard for remote management?  Do you 
 also have your management networks isolated on their own 
 (could be the same) management network or do you do some sort 
 of VPN / VRF deal for normal non emergency management 
 connectivity?  Any thoughts on the subject would be most 
 appreciated.  The last time I built one of these was with 
 2610XM routers in the pops and 7206 routers as aggregation 
 points in each geographic region linked together with 
 different T1s and multiplexed to the 7206 regional routers 
 with backhaul loops to the NOC.  Seems like a bit of overkill 
 for my application now but if this is still the best practice 
 then it might be worth while.  Any pointers or other 
 suggestions would be most appreciated.
 
 Thank you
 Scott
 
 
 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] IPv6 ND cache size on NX9k?

2015-02-04 Thread David Hubbard
Hi all, does anyone know the IPv6 ND capacity on the Nexus 9k line?  Or
9300 and 9500 specifically?  I found ARP at 90k but can't find anything
for IPv6.

Thanks,

David



[c-nsp] Cisco.com randomly broken over ipv6?

2014-10-28 Thread David Hubbard
I'm curious if anyone else finds Cisco's website to randomly malfunction
when using IPv6?  Especially in regards to support.

Sometimes I can log in, sometimes I get navigation error
(https://sso.cisco.com/autho/login/loginaction.html)

Or, IPv6 http://www.cisco.com/cgi-bin/login gives me "The Page You Have
Requested Is Not Available" but IPv4 gives me the actual login page with
user/pass boxes.

If I can log in, I'll get random xml output instead of pages at times.

David



Re: [c-nsp] OOB Device for remote DC's

2014-09-02 Thread David Hubbard
I've been using OpenGear devices with great results.  Their ACM5500 is
far better than the older 5000 series units because it now does LTE
instead of only 3G.  It has eight serial ports and they are wired so you
can run ethernet directly into Cisco console ports.  It comes with, and
they sell, connectors so you can do the same to standard 9-pin ports; so
much easier than finding a serial cable during a crisis.

That being said, I have not had good results with the included rubber
antenna when used inside a rack in a data center.  The performance was
very slow because the received signal strength was too low; same issue I
had with the 3G units.  I now purchase the WMM-7-27-5SP antenna from
wpsantennas.com with my ACM5500's; it's a single mount but dual antenna
uni-directional unit that I can mount up above the equipment racks and I
get awesome signal strength.

On the Verizon side, you just have to get your sales rep to assign a
static IP and you're good to go with ssh and vpn to your equipment.

David


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
CiscoNSP List
Sent: Monday, September 01, 2014 9:53 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OOB Device for remote DC's

Hi Everyone,

We historically have just used Cisco 2511's with standard modem
attached, but are finding it increasingly difficult to source modems -
Can anyone recommend an alternative(reliable) OOB device? (Built in
modem + 4G as backup?)

Cheers.

  


Re: [c-nsp] Netflow analysis tools?

2014-05-19 Thread David Hubbard
The SolarWinds product's sflow stinks (I realize this is a Cisco list), and 
feature requests seem to go right in the trash can.  Their marketing team will 
keep calling you for years after you abandon their products though so at least 
you get the opportunity to tell them what their product is missing over and 
over and over.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Frank 
Bulk (iname.com)
Sent: Monday, May 19, 2014 9:46 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow analysis tools?

Scott,

It looks like the Netflow monitoring of PRTG is only for 30 days -- if you want 
to try something that doesn't expire, but only has the last hour of 
information, look at SolarWinds' product: 
http://www.solarwinds.com/products/freetools/appflow-jflow-sflow-analyzer.aspx

Frank

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David 
beckett
Sent: Monday, May 19, 2014 12:45 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow analysis tools?

Hello Scott,

PRTG Network Monitor can present Netflow monitoring in pretty graphs, including 
usage over time, and top talkers. 

It is commercial / paid for, but I think you can test up to 10 sensors 
(monitored objects) without a license.  That means 10 Netflow instances if you 
pause or stop monitoring everything else.

HTH

Yours sincerely, Sincères salutations, Mit freundlichen Grüssen, Distinti 
saluti,

David BECKETT

Network Service Delivery
Switzerland DACH IMT

IBM Suisse
IBM Banking Solutions Center
Avenue de la Vallombreuse 100
CH - 1008 PRILLY Switzerland

Hotline / Piquet Téléphone : +41 (0) 58 333 68 23 Téléphone Direct : +41 (0) 58 
333 24 07 Téléphone Mobile : +41 (0) 765 54 07 23
Fax: +41 (0) 21 683 0094
mailto: david.beck...@ch.ibm.com
http://www.ibm.ch




From:   Scott Granados sc...@granados-llc.net
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Date:   16.05.2014 16:17
Subject:[c-nsp] Netflow analysis tools?
Sent by:cisco-nsp cisco-nsp-boun...@puck.nether.net



Good morning,
 I'm starting to work with Net Flow data and am looking for 
both good background documentation to get more familiar and suggestions for an 
analyzer.  I already have data collection working so I'm looking for 
suggestions for something to turn that data in to something meaningful, 
preferably open source or paid with a trial period to evaluate.  Are there any 
tools that run on the Mac that anyone would suggest for processing the nfcapd 
files or something with a web front end I can install in a *nix environment.  
Any general documentation or specific tool recommendations would be most 
welcome.

Thank you

Scott
 




[c-nsp] Market for used ASR1k's?

2014-03-19 Thread David Hubbard
Hi all, just wondering if anyone has thoughts on whether there's a good
market for used ASR1k's?  I have a pair of ASR1004's, redundant power,
ESP10, RP2, SIP10, (2) SPA-8X1GE-V2 per chassis, bunch of copper SFP's,
firewall RTU, advanced ip services RTU.  Wasn't sure if they'd be worth
more selling outright or if I'd get something useful using them as a
trade-in later on.

Thanks,

David



Re: [c-nsp] SC to LC converter

2013-10-14 Thread David Hubbard
I've had the (mis)fortune to be stuck with needing to do the same thing
in a pinch and have actually used all three of the following SC-LC
converters from Amazon:

SC-LC single mode but big ugly adapter that blocks the adjacent slots:
http://www.amazon.com/Diablo-Cable-Singlemode-Adapter-Converter/dp/B0069VWOX0

OM4 SC-LC dongle:
http://www.amazon.com/Diablo-Cable-Multimode-Adapter-Converter/dp/B00FQDMMLQ

OM1 SC-LC dongle:
http://www.amazon.com/Diablo-Cable-Multimode-Adapter-Converter/dp/B00B1OK51S

None of my runs were anywhere near the length limit and were point to
point so I did not run into loss issues.

David

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Jeff Kell
Sent: Monday, October 14, 2013 6:12 PM
To: Kenny Kant; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SC to LC converter

Cheapest alternative is get an SC-to-SC coupler and an SC-to-LC jumper
and cross your fingers on the added loss.

Otherwise you're looking at re-termination and tolerating a Unicam quick
fix or a pigtail requiring a splice.

Jeff

On 10/14/2013 3:37 PM, Kenny Kant wrote:
 I have an older multi-mode fiber connection coming into our 7206VXR /
 NPE-G1 with a SC end.  We are moving this fiber to a new router which
 requires a LC/SFP.  Due to some other challenges I cannot have this cable
 re-run. Can I get some recommendations for SC to LC conversion? Any web
 links to what you have used in the past would be greatly appreciated.

 Thanks,

 Kenny


Re: [c-nsp] Best Support of Tier 1 ISP

2013-07-09 Thread David Hubbard
We've been extremely happy with Internap's support.  It is not
uncommon to call them and have the person who answers the phone
be able to give you fairly complex answers to routing and bgp
questions.  Every other provider we've used, and currently use,
the most you get out of the initial phone call is here's your
ticket number and someone will call you back soon if you're lucky.

David 

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On 
 Behalf Of Ahmed Hilmy
 Sent: Tuesday, July 09, 2013 7:10 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Best Support of Tier 1 ISP
 
 Hello Friends,
 We are going to establish a new 10GE circuit as a UP Link.
 So what you suggest a best Tier 1 ISP that provide high level 
 of support ?
 Right now we have TATA,Cogent,Interout, Turktelecom and Level3.
 
 Thanks,


[c-nsp] ipv6 on dot11radio interface of 1811?

2013-06-25 Thread David Hubbard
Hi all, I was wondering if there is an ios version that definitely lets
you add ipv6 to the actual dot11radio interfaces of an 1811w?  I've got
12.4(24)T8 on now and it doesn't let you but ipv6 works fine on the
wired interfaces.  I've found conflicting information online about
whether it's a hardware issue and not going to be possible, use a BVI
(not possible in my case due to how it's being used), or it's simply an
ios issue and that 15.1T possibly adds this feature.

If it's not possible, does the 1941W let you do it?  

Thanks,

David



[c-nsp] 1811 questions (bridging, nat, etc)

2013-06-11 Thread David Hubbard
Hi all, trying to figure out how best to implement an 1811 at a remote
office that ideally could use all three of the following:

1) Internal user NAT for ipv4 users on wired and wireless interfaces
2) site to site vpn
3) A few servers that need to be exposed/public but ideally have some
ACL's in front.

My original plan was to make Fast0 WAN, apply NAT for inside VLAN's,
ACL's for all incoming.  Make Fast1 a trunk with tagged subinterfaces
for the internal user vlan, a dmz vlan and wireless vlan; connect it
back to internal switch.  Make Fast2-9 DMZ interfaces for the couple
servers and put them in the DMZ vlan.

Interfaces Fast0 and Fast1 appear to be routed only, and the device does
not appear to forward packets between a vlan subinterface defined on
either of them and Fast2 through Fast9 if they're switchport mode access
on the same vlan, so the DMZ servers could not get out or receive
traffic in, before even getting the ACL stuff.

Can I do the following, and is it the best solution?

Don't use Fast0 and Fast1.  Instead make Fast2 a switchport mode access
for the public internet using a 'public' vlan.  Make Fast3 a switchport
mode trunk.  Define vlan's for internal users, wireless interfaces and
DMZ.  Put ports Fast4-Fast9 in the DMZ vlan mode access; connect
external-facing servers there.  Define vlan interfaces for routing from
internal to the 1811.

Can I do NAT on a vlan interface in an 1811?  I've read some things that
made me think no.  If not, any other options?

Thanks,

David



[c-nsp] Route map matching, tags and community question

2013-04-22 Thread David Hubbard
Hi all, we've recently set up real time blackholing via a
trigger router and a route map that applies to our
'redistribute static' clause in the BGP config.  That route
map just looks for a specific tag, changes local pref, sets
the discard route and sets some communities that correspond
to the required communities that our upstreams provide for
this.  Our neighbors are set to send-community of course.

The problem I'm running into is on some of our neighbors,
I send specific communities just for them, such as path
prepending, via an outbound route map.  I've noticed that
on the neighbors where I do that, the communities set via
the outbound route map are not added to the blackhole
community (if present) coming from the redistribution,
they replace it.

So I need a way to send certain communities to only certain
neighbors, but also send the blackhole community if needed.

Trying to accomplish this, would the following be a valid
solution?

1) Remove the upstream communities from my redistribute
route map and just keep it doing the other necessary
things like discard route, etc.

2) Create or modify the outbound route maps specific to
each neighbor so that they set any required communities
(if any) for that neighbor, followed by a sequence that
tests for my blackhole tag, and if present, sets the
relevant upstream provider community; i.e.:

route-map upstream-one permit 10
 set community 1:123
route-map upstream-one permit 11
 set community 1:234
route-map upstream-one permit 12
 match tag 67
 set community 1:67

Will that successfully announce my routes to that neighbor
with 1:123 and 1:234 for all routes, and only
1:67 on the ones that are tagged 67? 

Thanks!

David


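The behaviour the question turns on can be checked with a small model of how IOS evaluates a route-map. The following is an added example, not code from the original post or from Cisco; it encodes two IOS rules I am relying on: sequences are tried in order and the first sequence whose match clauses all succeed is the only one applied (a sequence with no match clause matches every route), and `set community` replaces the existing community list unless the `additive` keyword is given. The prefixes are constructed sample data; the community values 1:123, 1:234 and 1:67 and tag 67 are taken from the post.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    tag: int = 0                                # tag carried from the static route
    communities: FrozenSet[str] = frozenset()   # communities already attached


@dataclass
class Seq:
    """One 'route-map NAME permit N' stanza (permit-only model)."""
    match_tag: Optional[int] = None                 # 'match tag N'; None = no match clause
    set_community: FrozenSet[str] = frozenset()     # 'set community ...'
    additive: bool = False                          # '... additive' keyword present


def apply_route_map(seqs: List[Seq], route: Route) -> Tuple[bool, Set[str]]:
    """Return (permitted, resulting communities) for one route.

    Model of IOS evaluation: sequences are tried in order; the first one whose
    match clauses all succeed is applied and evaluation stops; a sequence with
    no match clause matches everything; falling off the end is an implicit deny.
    """
    for seq in seqs:
        if seq.match_tag is not None and route.tag != seq.match_tag:
            continue                                # no match, try the next sequence
        if not seq.set_community:
            return True, set(route.communities)
        if seq.additive:                            # 'set community ... additive' merges
            return True, set(route.communities) | set(seq.set_community)
        return True, set(seq.set_community)         # plain 'set community' replaces
    return False, set()


# The map exactly as proposed in the post.
AS_POSTED = [
    Seq(set_community=frozenset({"1:123"})),                 # permit 10
    Seq(set_community=frozenset({"1:234"})),                 # permit 11
    Seq(match_tag=67, set_community=frozenset({"1:67"})),    # permit 12
]

# Alternative split: the 'redistribute static' map attaches 1:67 to tag-67
# routes; the per-neighbor outbound map only adds its own communities.
ADDITIVE = [
    Seq(set_community=frozenset({"1:123", "1:234"}), additive=True),   # permit 10
]


def demo() -> dict:
    # Constructed sample routes (documentation prefix 192.0.2.0/24).
    ordinary = Route("192.0.2.0/24")
    blackhole = Route("192.0.2.1/32", tag=67, communities=frozenset({"1:67"}))
    return {
        "as_posted/ordinary": apply_route_map(AS_POSTED, ordinary)[1],
        "as_posted/blackhole": apply_route_map(AS_POSTED, blackhole)[1],
        "additive/ordinary": apply_route_map(ADDITIVE, ordinary)[1],
        "additive/blackhole": apply_route_map(ADDITIVE, blackhole)[1],
    }


if __name__ == "__main__":
    for name, comms in demo().items():
        print(f"{name:20s} -> {sorted(comms)}")
```

Under this model the map as posted hands every route, tagged or not, only 1:123, because sequence 10 has no match clause and ends evaluation before 11 and 12 are ever consulted. The `additive` variant shows the merge the question is after: the blackhole community attached at redistribution time survives, and the neighbor-specific communities are added on top of it.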

[c-nsp] Possible to talk ospfv3 with auth or encryption to Brocade?

2013-04-18 Thread David Hubbard
I'm wondering if anyone has a working ospfv3 setup
between a Cisco and Brocade device?  As best I can
tell, Brocade's only possible setup is either no
auth and no encryption, or, sha1 auth, sha1 encryption,
esp packets.

On the Cisco side, the only option that gives you
esp packets is ipv6 ospf encrypt but then
unfortunately while it does support sha1 for the
authentication, the only encryption algorithms offered
are 3des, aes-cbc, des and null, so there's not a
compatible combination.

Thanks,

David



Re: [c-nsp] Possible to talk ospfv3 with auth or encryption to Brocade?

2013-04-18 Thread David Hubbard
Thanks Nathanael, I've kind of worked myself towards the same
conclusion over the past few hours.  I've found a working config
as follows:

Brocade side:

ipv6 ospf authentication ipsec spi  esp sha1 KEY

Cisco side:

 ipv6 ospf authentication null
 ipv6 ospf encryption ipsec spi  esp null sha1 KEY

This is kind of weird since I would think the two statements
on the Cisco side would conflict, but I have ospfv3 area
authentication enabled so perhaps the 'auth null' command
disables the area auth from being applied to the interface
while the encryption command does indeed set the interface
to do esp with sha1 auth and null encryption.

If I do a show ipv6 ospf int on each side, the Brocade side
thinks it's doing authentication (real numbers replaced):

  Authentication Use: Enabled
   KeyRolloverTime(sec): Configured: 300 Current: 0
   KeyRolloverState: NotActive
   Outbound: SPI:500, ESP, SHA1
  Key:1234567890123456789012345678901234567890
   Inbound: SPI:500, ESP, SHA1
  Key:1234567890123456789012345678901234567890

But the Cisco side is confusing:

  NULL encryption SHA-1 auth SPI 500, secure socket UP (errors: 0)
  authentication NULL

Am I doing sha1 auth and the output is misleading, or am I
just doing ESP with no auth and the Brocade is incorrectly
accepting that even though its config should make it drop
a no-auth packet?

Thanks,

David

 -Original Message-
 From: Nathanael Law [mailto:nathanael@aimco.alberta.ca] 
 Sent: Thursday, April 18, 2013 12:06 PM
 To: David Hubbard
 Cc: cisco-nsp@puck.nether.net
 Subject: RE: Possible to talk ospfv3 with auth or encryption 
 to Brocade?
 
 Hi David,
 
 Brocade's documentation is somewhat lacking in this area, and 
 in some places very poorly worded.
 
 E.g., in table 214 of 
 http://www.brocade.com/downloads/documents/html_product_manuals/NI_05400a_CFG/wwhelp/wwhimpl/common/html/wwhelp.htm#context=NI_ConfigGuide_Netfiles&file=OSPF_Version_3.60.5.html, 
 Brocade states, "authentication algorithm (currently ESP 
 only), encryption algorithm (currently SHA1 only)".  However, 
 SHA1 is not an encryption algorithm; it's a hash algorithm 
 used for authentication.
 
 It would be nice if Brocade actually stated this properly, at 
 least somewhere in the document:
  - IPsec protocols:   ESP   (i.e., no AH support)
  - ESP encryption algorithms: null  (i.e., no AES, 
 3DES, DES support)
  - ESP authentication algorithms: SHA1  (i.e., no MD5 support)
 
 Cisco (at least in IOS 15.0(2)SE1) supports the following:
  - IPsec protocols:   AH, ESP
  - AH authentication algorithms:  MD5, SHA1
  - ESP encryption algorithms: null, DES, 3DES, AES (128, 
 192, 256-bit)
  - ESP authentication algorithms: MD5, SHA1
 
 Thus, the only overlap is: ESP-null-SHA1.  It's been a while 
 since I've had my hands on a Brocade device, but the 
 following should work, or at least point you toward a working 
 solution.
 
 On the Brocade:
 interface ethernet1/1/1
   ipv6 ospf authentication ipsec spi  esp sha1 
 0123456789abcdef0123456789abcdef01234567
 
 On the Cisco:
 interface gi1/0/1
   ipv6 ospf encryption ipsec spi  esp null sha1 
 0123456789abcdef0123456789abcdef01234567
 
 In IOS, ipv6 ospf authentication uses AH and ipv6 ospf 
 encryption uses ESP.
 
 Best regards,
 
 Nathanael Law
 
  -Original Message-
  From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] 
 On Behalf Of
  David Hubbard
  Sent: Thursday, April 18, 2013 00:42
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] Possible to talk ospfv3 with auth or encryption to
  Brocade?
  
  I'm wondering if anyone has a working ospfv3 setup
  between a Cisco and Brocade device?  As best I can
  tell, Brocade's only possible setup is either no
  auth and no encryption, or, sha1 auth, sha1 encryption,
  esp packets.
  
  On the Cisco side, the only option that gives you
  esp packets is ipv6 ospf encrypt but then
  unfortunately while it does support sha1 for the
  authentication, the only encryption algorithms offered
  are 3des, aes-cbc, des and null, so there's not a
  compatible combination.
  
  Thanks,
  
  David
  

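Nathanael's point that the only common suite is ESP with NULL encryption and SHA1 authentication, and David's question whether the Cisco output means the packets are actually authenticated, both come down to what ESP-null-SHA1 protects. The following is an added example, not code from either poster or from Cisco or Brocade: it builds and verifies an ESP packet in that mode using the RFC 4303 layout and HMAC-SHA1-96 (RFC 2404), with a constructed OSPFv3 Hello as payload, the SPI 500 shown in the thread, and the 40-hex-digit key from Nathanael's configuration. The OSPFv3 header bytes are constructed sample data.

```python
import hashlib
import hmac
import struct

OSPF_NEXT_HEADER = 89   # protocol number ESP's Next Header field carries for OSPF
ICV_LEN = 12            # HMAC-SHA1-96 keeps the first 96 bits of the HMAC (RFC 2404)
ESP_HEADER_LEN = 8      # SPI (4 bytes) + Sequence Number (4 bytes)

# Key from Nathanael's example configuration: 40 hex digits = 160-bit SHA1 key.
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
SPI = 500               # the SPI shown in David's 'show ipv6 ospf int' output

# Constructed OSPFv3 Hello: version 3, type 1, length 36, router-id 192.0.2.1,
# area 0, checksum 0, instance 0, reserved, then 20 bytes of hello fields.
HELLO = bytes.fromhex("03010024c00002010000000000000000") + bytes(20)


def esp_null_sha1_encapsulate(spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """ESP with NULL encryption and HMAC-SHA1-96 integrity, RFC 4303 layout.

    Wire format: SPI | Seq | payload | padding | Pad Length | Next Header | ICV.
    With NULL encryption the payload goes on the wire unchanged; the ICV is
    computed over everything before it, so header and payload are authenticated.
    """
    pad_len = (-(len(payload) + 2)) % 4                   # 4-byte alignment of the trailer
    padding = bytes(range(1, pad_len + 1))                # RFC 4303 default padding 1,2,3...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, OSPF_NEXT_HEADER))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_sha1_verify(packet: bytes, key: bytes, expected_spi: int):
    """Return the authenticated payload, or None if anything fails to check out."""
    if len(packet) < ESP_HEADER_LEN + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):           # constant-time ICV comparison
        return None
    spi, _seq = struct.unpack("!II", body[:ESP_HEADER_LEN])
    pad_len, next_header = body[-2], body[-1]
    if spi != expected_spi or next_header != OSPF_NEXT_HEADER:
        return None
    if pad_len > len(body) - ESP_HEADER_LEN - 2:
        return None
    return body[ESP_HEADER_LEN:len(body) - 2 - pad_len]


def demo() -> dict:
    packet = esp_null_sha1_encapsulate(SPI, 1, HELLO, KEY)
    tampered = bytearray(packet)
    tampered[ESP_HEADER_LEN + 4] ^= 0x01                  # flip one bit inside the payload
    return {
        "payload_visible_in_clear": HELLO in packet,      # NULL encryption hides nothing
        "genuine_verifies": esp_null_sha1_verify(packet, KEY, SPI) == HELLO,
        "tampered_rejected": esp_null_sha1_verify(bytes(tampered), KEY, SPI) is None,
        "wrong_key_rejected": esp_null_sha1_verify(packet, bytes(20), SPI) is None,
        "wrong_spi_rejected": esp_null_sha1_verify(packet, KEY, SPI + 1) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:26s} {result}")
```

Two things the checks show: the OSPFv3 payload sits in the packet in the clear, so "NULL encryption" is exactly that, and any change to header or payload, a different key, or a different SPI fails the ICV comparison. That integrity check is the authentication SHA1 provides in this suite, which is why Brocade listing SHA1 as an "encryption algorithm" is a misnomer.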

Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-12 Thread David Hubbard
Ah, that got me close but unfortunately the command
isn't there:

fab1-A(nxos)# service unsupported-transceiver
   ^
% Invalid command at '^' marker.

Maybe it would show up if I upgrade?  It's been
about a year; currently running 2.02q:

5.0(3)N2(2.02q) 

David

 -Original Message-
 From: Ryan West [mailto:rw...@zyedge.com] 
 Sent: Friday, April 12, 2013 8:02 AM
 To: Joachim Tingvold
 Cc: David Hubbard; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
 
 Not entirely sure it will work, but you can enter those commands on either
 FI by opening ssh to the shared address of UCSM and typing "connect nx a" or
 "connect nx b" to get to the CLI of either FI. 
 
 Sent from handheld. 
 
 On Apr 12, 2013, at 1:59 AM, Joachim Tingvold 
 joac...@tingvold.com wrote:
 
  On 12. apr. 2013, at 07:53, Joachim Tingvold 
 joac...@tingvold.com wrote:
  Any undocumented command to get them to work?
  service unsupported-transceiver?
  
  Maybe throw in this one as well;
  
  no errdisable detect cause gbic-invalid
  
  -- 
  Joachim


Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-12 Thread David Hubbard
Unfortunately NXOS on the UCS fabric interconnects is
apparently limited to read only mode (according to 
TAC); any changes have to go through the web interface
and they've intentionally disabled any option of
using unsupported transceivers.

Back to the drawing board,

David


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Maarten Carels
 Sent: Friday, April 12, 2013 10:21 AM
 To: Cisco Network Service Providers
 Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
 
 On 12 Apr 2013, at 16:09 , David Hubbard wrote:
 
  Ah, that got me close but unfortunately the command
  isn't there:
  
  fab1-A(nxos)# service unsupported-transceiver
^
  % Invalid command at '^' marker.
  
  Maybe it would show up if I upgrade?  It's been
  about a year; currently running 2.02q:
 
 
 In configuration mode?
 
 --maarten


Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-12 Thread David Hubbard
Sounds like in a traditional Nexus device the unsupported
transceiver command still works, just not in the bastardized
read-only interface the UCS fabric interconnects give you.

David

 -Original Message-
 From: Aaron [mailto:aar...@gvtc.com] 
 Sent: Friday, April 12, 2013 12:05 PM
 To: David Hubbard; 'Cisco Network Service Providers'
 Subject: RE: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
 
 Are you talking about sfp/xfp 3rd party support in NXOS?  If so, would this
 limitation apply to Cisco 5548UP as well?  Asking since I'm considering
 buying some of those and want to know what I'm getting myself into.
 
 Aaron
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Hubbard
 Sent: Friday, April 12, 2013 10:28 AM
 To: Cisco Network Service Providers
 Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
 
 Unfortunately NXOS on the UCS fabric interconnects is apparently limited to
 read only mode (according to TAC); any changes have to go through the web
 interface and they've intentionally disabled any option of using unsupported
 transceivers.
 
 Back to the drawing board,
 
 David
 
 
  -Original Message-
  From: cisco-nsp-boun...@puck.nether.net 
  [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
 Maarten Carels
  Sent: Friday, April 12, 2013 10:21 AM
  To: Cisco Network Service Providers
  Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
  
  On 12 Apr 2013, at 16:09 , David Hubbard wrote:
  
   Ah, that got me close but unfortunately the command isn't there:
   
   fab1-A(nxos)# service unsupported-transceiver
 ^
   % Invalid command at '^' marker.
   
   Maybe it would show up if I upgrade?  It's been about a year; 
   currently running 2.02q:
  
  
  In configuration mode?
  
  --maarten


[c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-11 Thread David Hubbard
I've got two 6120XP's and lots of left over Avago 10gig SFP's
from an EMC deployment where too many were purchased.  I
tried to install a couple in our 6120's and it of course
reports "SFP validation failed" and admin state "Disabled"
as a result.

Any undocumented command to get them to work?  They of course
work just fine in our Brocade switches, and the EMC equipment.

Thanks,

David



Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?

2013-04-11 Thread David Hubbard
We're not using a Nexus.  The error is occurring within the UCS
Management interface for the fabric interconnects if I look at
the ports where the new SFP's have been installed.  Pretty dumb
that Avago makes Cisco's SFP's but since it says Avago for
manufacturer instead of Cisco-Avago they're 'not validated'.   



 -Original Message-
 From: Gordon Smith [mailto:gor...@gswsystems.com] 
 Sent: Thursday, April 11, 2013 9:37 PM
 To: cisco-nsp@puck.nether.net
 Cc: David Hubbard
 Subject: Re: [c-nsp] Way to get 3rd party optics to work in UCS/FEX?
 
 
  Have you tried this?
 
  int x.x
   switchport mode fex-fabric
 
 
  Cheers,
  Gordon
 
 
  On Thu, 11 Apr 2013 20:46:00 -0400, David Hubbard wrote:
  I've got two 6120XP's and lots of left over Avago 10gig SFP's
  from an EMC deployment where too many were purchased.  I
  tried to install a couple in our 6120's and it of course
  reports SFP validation failed and admin state Disabled
  as a result.
 
  Any undocumented command to get them to work?  They of course
  work just fine in our Brocade switches, and the EMC equipment.
 
  Thanks,
 
  David
 


[c-nsp] Third party 10gig SFP+ in UCS fabric?

2013-04-04 Thread David Hubbard
Hi all, just curious if third party SFP+'s will work
in the UCS 6120xp fabric interconnect?  We have a
bunch of Avago optics from a different project and
I'd like to use them in the UCS.

Thanks,

David



[c-nsp] Swap hsrp with vrrp in mixed physical/vmware environment?

2013-03-21 Thread David Hubbard
So this should be fun; I need to switch from HSRP to
VRRP to facilitate bringing in a second vendor's
hardware to interoperate.  We run ipv4 and
ipv6 (static assignments) and the VLANs are a mix
of physical servers along with vmware guests on
Cisco UCS with the fabric interconnects in end-host
mode.  Physical and vmware guest OS's are mostly
linux with a very small number of Windows.

I've read that at least on the ipv4 side, many
Windows servers will not accept the gratuitous arp
when vrrp is brought up so they'll just sit there
happily talking to the dead hsrp MAC.  I can't find
much of any info on how they'd deal with the change on
the ipv6 side.  Not a huge deal either way since
the Windows stuff is minimal but would like to go
in knowing what to expect and what needs to be done.

On the linux side, I'm pretty sure it will accept the
arp and update the ipv4 default gateway mac; at least
it does when testing MITM attacks.  Would love to
hear real world experience with this though.  For
ipv6, I can't find much on what it does if its
previously learned router's link local address goes
unreachable, if it will replace the neighbor table
entry with the new vrrp advertised entry, do a
solicitation on its own, etc.  

I'd greatly appreciate any input, thanks,

David


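Whether hosts move to the new gateway MAC depends on how they treat the gratuitous ARP the VRRP master sends when it takes over, and, as the post notes, that same host behaviour is what ARP-based man-in-the-middle relies on. The following is an added example, not code from the original post: a small monitor that parses Ethernet/ARP frames, recognises the HSRPv1 (00:00:0c:07:ac:xx) and VRRP (00:00:5e:00:01:xx) virtual MAC ranges, and reports when the MAC answering for a watched gateway address changes, distinguishing a change that was registered as planned from one that was not. All frames, IP addresses and MACs are constructed sample data; `GatewayMacMonitor` and its `planned` mapping are my own names.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, opcode) -> bytes:
    """Constructed Ethernet + ARP frame used as sample input (RFC 826 layout)."""
    smac, tmac = _mac_bytes(sender_mac), _mac_bytes(target_mac)
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else tmac
    eth = dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + smac + socket.inet_aton(sender_ip) + tmac + socket.inet_aton(target_ip))
    return eth + arp


@dataclass
class ArpEvent:
    sender_mac: str
    sender_ip: str
    target_ip: str
    opcode: int
    gratuitous: bool   # sender IP == target IP: the announcement form hosts act on


def parse_arp_frame(frame: bytes) -> Optional[ArpEvent]:
    """Decode an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = _mac_str(frame[22:28])
    sip = socket.inet_ntoa(frame[28:32])
    tip = socket.inet_ntoa(frame[38:42])
    return ArpEvent(smac, sip, tip, opcode, sip == tip)


def classify_mac(mac: str) -> str:
    """Recognise the well-known first-hop redundancy virtual MAC ranges."""
    if mac.startswith("00:00:0c:07:ac:"):
        return f"HSRPv1 group {int(mac[-2:], 16)}"
    if mac.startswith("00:00:5e:00:01:"):
        return f"VRRP VRID {int(mac[-2:], 16)}"
    return "non-FHRP MAC"


class GatewayMacMonitor:
    """Tracks the MAC answering for each watched gateway IP and reports changes."""

    def __init__(self, gateways, planned=None):
        self.gateways = set(gateways)
        self.planned = dict(planned or {})   # ip -> MAC expected after a scheduled cutover
        self.current = {}                    # ip -> MAC most recently seen claiming it

    def observe(self, frame: bytes) -> Optional[str]:
        ev = parse_arp_frame(frame)
        if ev is None or ev.sender_ip not in self.gateways:
            return None
        old = self.current.get(ev.sender_ip)
        self.current[ev.sender_ip] = ev.sender_mac
        if old is None or old == ev.sender_mac:
            return None                      # first sighting or unchanged: nothing to report
        kind = "PLANNED" if self.planned.get(ev.sender_ip) == ev.sender_mac else "UNEXPECTED"
        how = " via gratuitous ARP" if ev.gratuitous else ""
        return (f"{kind} gateway MAC change for {ev.sender_ip}: {old} ({classify_mac(old)})"
                f" -> {ev.sender_mac} ({classify_mac(ev.sender_mac)}){how}")


def demo() -> list:
    gw = "192.0.2.1"
    hsrp, vrrp, rogue = "00:00:0c:07:ac:01", "00:00:5e:00:01:01", "02:00:de:ad:be:ef"
    frames = [   # constructed sequence: HSRP answers, VRRP announces, then a third party claims the address
        build_arp_frame(hsrp, gw, "02:00:00:00:00:10", "192.0.2.10", ARP_REPLY),
        build_arp_frame(vrrp, gw, "00:00:00:00:00:00", gw, ARP_REQUEST),
        build_arp_frame(rogue, gw, "00:00:00:00:00:00", gw, ARP_REQUEST),
    ]
    mon = GatewayMacMonitor([gw], planned={gw: vrrp})
    return [alert for alert in (mon.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Against live traffic the frames would come from a capture rather than the constructed list. The design point is that a scheduled HSRP-to-VRRP cutover and a spoofed gateway produce the same on-wire event, a gratuitous ARP re-binding the gateway IP to a new MAC, so a monitor can only separate the two if the expected new MAC is registered ahead of the change window.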

Re: [c-nsp] low cost reliable optics

2013-02-23 Thread David Hubbard
+1 on that Axiom's.  Been using their equivalent for Cisco SFP's
and Brocade 10gig XFP's with no issues so far over the better
part of a year.

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason Baugher
 Sent: Saturday, February 23, 2013 10:57 PM
 To: harbor235
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] low cost reliable optics
 
 I've been buying Axiom Cisco-compatible optics. So far they have been
 great, recognized by my equipment. The part number you're looking for is
 right around $50 from one of our distributors.
 http://www.axiommemory.com/config/products/branded/WS-G5483-AX+.aspx
 
 
 
 On Sat, Feb 23, 2013 at 8:48 PM, harbor235 
 harbor...@gmail.com wrote:
 
  Anyone know of any low cost reliable alternatives to the
  Cisco-WS-G5483-GBIC?
 
 
  thanks,
 
  Mike


[c-nsp] 4500-x neighbor table size?

2013-02-01 Thread David Hubbard
Hi all, does anyone have a link to specs for the 4500-x that includes
the ND table size?  I can only find ARP.

Thanks,

David



[c-nsp] 4900M arp cache size?

2012-11-09 Thread David Hubbard
Does anyone have handy a reference for the 4900M's arp
cache table size?  I can only find max routes and
max MAC's on the Cisco site.  As a bonus, ipv6 neighbor
cache would be useful to know too.

Thanks!

David



Re: [c-nsp] Small, Low Power Cisco Router Recommendation

2012-07-20 Thread David Hubbard
I'd go with a DD-WRT image http://www.dd-wrt.com/ on
a good (meaning fast cpu and 64+ MB of flash mem)
home router.  It will do far more than a typical
expensive small office router for a lot less, even
things you may not think you'll need now but might
later.  I know you said no Linksys but the Cisco
E3000, aka linksys E3000, is a pretty decent box for
running dd-wrt.  I use one at home, gig ports, I
run an ipv6 tunnel to HE out of it since Verizon 
Fios doesn't seem to understand what ipv6 is, remote
management, SSH access, etc. without expensive 
software licenses.  Here's a page with some other
soho router options that are equally good for ddwrt:

https://www.flashrouters.com/blog/2011/06/13/recommendations-of-best-routers-for-using-and-installing-ddwrt-open-source-firmware/

David

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rusty Dekema
 Sent: Thursday, July 19, 2012 9:22 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Small, Low Power Cisco Router Recommendation
 
 Hmm. Of the options presented so far, this Mikrotik RB750 sounds the most
 promising.
 
 I've found that Linksys products have a tendency to partially or completely
 fail on a regular basis for no apparent reason. The Cisco 819, however, is
 far too expensive for this penny-ante project.
 
 The Cisco 806, on the other hand, looks great, especially for the 1mbit
 application. Is there another Cisco router like that but with 10/100
 Ethernet ports? If so, that would probably be the ideal. [I'll be buying
 these on eBay anyway, so it doesn't matter if it's EOL. And at prices like
 this, one can afford a spare or two...]
 
 Thanks again,
 Rusty D
 
 
 
 
 On Thu, Jul 19, 2012 at 8:37 PM, Roy r.engehau...@gmail.com wrote:
 
 
 
  Mikrotik :-)  The RB750 will do it
 
 
  On 7/19/2012 5:19 PM, Rusty Dekema wrote:
 
  Good evening,
 
   This question is a bit far afield for this list, but I need a reliable,
   quiet-or-silent, low-power-consumption Cisco router with two 10 or 10/100
   Ethernet ports. All they need to do is do a default route with NAT between
   the Ethernet interfaces. One of them will only have to handle 1 mbit (max)
   of traffic; the other could receive traffic bursts up to 30 mbit, although
   it would still be acceptable if it can only push 10-15mbit.
  
   Low cost, quiet/silent operation, and low power consumption are the primary
   requirements here. Any suggestions?
 
  Thanks,
  Rusty D

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Command to show communities being advertised to remote peer?

2012-06-05 Thread David Hubbard
Is there something I can run that is similar to show ip bgp nei IP
advertised-routes that will include BGP communities that are being sent
with the advertisements?  Platform is ASR running 15.2.  I'm trying to
debug a remote blackhole setup that one of our upstreams is not seeing
but the others are and we're tagging them all at the same time in the
same route map.

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Possible to implement DHCP snooping and DAI in UCS environment?

2011-12-09 Thread David Hubbard
I was curious if anyone knows if it's possible to
implement DAI (and its prerequisite DHCP snooping)
in a UCS/vmware environment?  The guests are on the
same vlans as physical servers outside UCS, and that
won't change since we're doing p2v migrations, so I
think they would still be vulnerable to man-in-the-
middle arp poisoning attacks coming from physical
servers.  Not sure whether such an attack could
be launched from a vmware guest since vmware knows
what mac address each virtual nic has; it may
prevent that.

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
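What DAI actually checks, as an added example that is not part of the thread and not Cisco's implementation: ARP packets arriving on untrusted ports are looked up in a binding table that DHCP snooping fills from DHCPACKs, and a sender IP/MAC/port that does not match the binding is dropped. The point a practitioner wants here is the trust boundary: anything arriving on a port marked trusted (the UCS fabric uplink in the constructed scenario below) is passed without inspection, so poisoning sourced from behind that uplink is only caught if the port is left untrusted and the guests' leases show up in the binding table. All port names, MACs, addresses and bindings below are constructed.

```python
"""A Dynamic ARP Inspection check in miniature: ARP packets from untrusted
ports are validated against a DHCP-snooping-style binding table and dropped
when the sender IP/MAC/port do not match. Example code added to this archive
page; it is not Cisco's DAI implementation and not the poster's environment.
The bindings, port names, MACs and addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress port the switch received it on
    vlan: int
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    opcode: int      # 1 = request, 2 = reply


@dataclass
class ArpInspector:
    trusted_ports: Set[str]
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    dropped: List[Tuple[ArpPacket, str]] = field(default_factory=list)

    def learn_dhcp_ack(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """What DHCP snooping does on a DHCPACK: record the lease as a binding."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def inspect(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (permit, reason). Trusted ports bypass the check entirely."""
        if pkt.port in self.trusted_ports:
            return True, "trusted port, not inspected"
        binding = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if binding is None:
            verdict = (False, "no binding for sender IP on this VLAN")
        elif binding.mac.lower() != pkt.sender_mac.lower():
            verdict = (False, "sender MAC does not match binding")
        elif binding.port != pkt.port:
            verdict = (False, "binding belongs to a different port")
        else:
            verdict = (True, "matches binding")
        if not verdict[0]:
            self.dropped.append((pkt, verdict[1]))   # keep an audit trail of drops
        return verdict


def run(inspector: ArpInspector, traffic: Iterable[ArpPacket]) -> List[Tuple[bool, str]]:
    """Inspect each packet in order and return the verdicts."""
    return [inspector.inspect(p) for p in traffic]


# Constructed scenario: VLAN 20 carries physical hosts on access ports and the
# UCS fabric uplink on Te1/1, which is assumed to be marked trusted.
INSPECTOR = ArpInspector(trusted_ports={"Te1/1"})
INSPECTOR.learn_dhcp_ack("00:50:56:aa:bb:01", "10.10.20.11", 20, "Gi1/0/1")
INSPECTOR.learn_dhcp_ack("00:50:56:aa:bb:02", "10.10.20.12", 20, "Gi1/0/2")

TRAFFIC = [
    ArpPacket("Gi1/0/1", 20, "00:50:56:aa:bb:01", "10.10.20.11", 2),  # legitimate reply
    ArpPacket("Gi1/0/2", 20, "00:50:56:aa:bb:02", "10.10.20.1", 2),   # host 2 claims the gateway IP
    ArpPacket("Gi1/0/2", 20, "de:ad:be:ef:00:01", "10.10.20.11", 2),  # impersonates host 1 from port 2
    ArpPacket("Te1/1", 20, "de:ad:be:ef:00:02", "10.10.20.1", 2),      # via trusted uplink: not checked
]

if __name__ == "__main__":
    for pkt, (ok, why) in zip(TRAFFIC, run(INSPECTOR, TRAFFIC)):
        print("PERMIT" if ok else "DROP  ", pkt.port, pkt.sender_ip, pkt.sender_mac, "-", why)
```

The last packet is the one that matters for the question in the thread: a gateway impersonation arriving over a trusted port is permitted by design, so the decision of whether the uplink toward the blades is trusted or untrusted is what determines whether guest-sourced poisoning is ever inspected.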


[c-nsp] C4K_HWPORTMAN-4-BLOCKEDTXQUEUE on Cat 4900M

2011-02-21 Thread David Hubbard
We have a server connected to a 4900M at 10gig and it's generating the
following alerts:

Feb 21 10:19:31.992: %C4K_HWPORTMAN-4-BLOCKEDTXQUEUE: Blocked transmit
queue HwTxQId7 on Switch Phyport Te1/1, count=102512

I found https://supportforums.cisco.com/docs/DOC-4766 after some
searching:


Resolution: Perform these procedures as a workaround for this issue:
1. Issue the shut / no shut commands to recover the port and configure
both ends to operate at the same speed and duplex, as per Cisco bug ID
CSCsb62330.
2. If the problem persists, move the connected device to another port
and see if the problem also happens there.
3. Issue the hw-module reset command to reboot the switch or reset the
line card, as a final attempt to unblock the Transmit (Tx) queue.

Alternatively, upgrade the Cisco IOS(r) version to the 12.2(25)EWA2
and 12.2(25)SG releases, which have the fix for this problem, as per
Cisco bug ID CSCsb01311.


I'm running 12.2(44r)SG5 and do not have any qos features in the config,
so I'm running whatever is default.  The server is a centos 5 system
running an off the shelf Intel X520-SR1 nic.  It's gone unreachable so I
need to go to the data center to see what's on the server's screen but
figured I'd see if I need to make some changes to it before heading
over.

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Adjusting MTU on 802.1q links

2010-12-03 Thread David Hubbard
From: Phil Mayers
 
 On 03/12/10 13:49, Matthew Huff wrote:
  I don't know why it never occurred to me, but on 802.1q trunk links,
  non-native vlans are encapsulated within 802.1q headers, therefore
  max packets would have to be fragmented. On trunks that support it,
  should standard practice to bump up the mtu on both sides to account
  for the 802.1q header.
 
  No. 802.1q trunks do this automatically i.e. bump MTU from 1518 to 1522
  to account for the extra space. I've never seen a switch platform that
  needed any special config for this to work.

Would that include a jumbo frame environment?  I'm currently
trying to troubleshoot a performance issue of a Cisco UCS
vmware cluster to EMC CX4 storage array using iscsi and 9000
byte MTU.  I've got MTU set to 9000 on the EMC, UCS and the
vmware side, and both sides are also tagging into a 4900M
they both connect to for the storage vlan; all vlan's and
interfaces on the 4900M are set to 9000 as well.  I figure
since it's all tagged end to end and all 9000 that I'm good
either way but just thought I'd check when I saw this thread.

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] UCS to 4900M to EMC iscsi performance

2010-12-03 Thread David Hubbard
Wondering if anyone has researched the same issue I'm
having or has a best practices list.  I have a Cisco UCS
platform which is not production yet, so just me doing
testing.  It has multiple ten gig links to redundant
fabrics in end host mode.  Those each have ten gig links
to a pair of 4900M's.  An EMC CX4-480 also has multiple
10 gig links to the same pair of 4900M's.  The UCS blades
are running vmware esxi 4.1 enterprise plus and EMC
powerpath multipath I/O software.  The storage is on
a dedicated vlan and each end is tagging to it, no
routing involved.

From a guest running redhat 5 with vmware tools and a
paravirtualized scsi adaptor, I can't seem to do better
than about 250 MB/sec reading or writing over iscsi.  I
have tried all MTUs the EMC supports between standard
and 9000 but I get nearly the same results except at 9000
byte where it actually gets a bit slower.  Not that
250 MB/sec is bad, but I was expecting to hit 400 MB/sec
running benchmarks since the EMC drive enclosures are
4gig FC attached and it has 8 GB of cache memory with
no other activity on the system other than my testing.
I should add that I have no issues having two virtual
machines on different IP ranges, different UCS chassis
and different blades talk to each other using network
benchmarks at nearly 10 gig wire speed, and that's
traffic that has to leave the cluster, go to the 4900's
and come back down since we're running end host mode.
So it's not a connectivity/4900 issue as far as I can
tell.

I notice a regular increase in pause frame count on the
EMC interface of the 4900's which made me think maybe
the EMC is lacking in buffers on the ten gig card?  
Would enabling/disabling a non-default flow control
help?  I've tried both on and off for tcp delayed ack
on the vmware side.

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] No DOM support for X2 optics on Cat 4900M?

2010-11-25 Thread David Hubbard
I get this on my 4900M's with SR optics 12.2(54)SG:

If device is externally calibrated, only calibrated values are printed.
++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                   Optical   Optical
           Temperature  Voltage    Tx Power  Rx Power
Port       (Celsius)    (Volts)    (dBm)     (dBm)
---------  -----------  ---------  --------  --------
Te1/1      31.0         0.00       -2.0      -2.7
Te1/2      30.0         0.00       N/A       -40.0
Te1/3      31.7         0.00       N/A       -26.5
Te1/4      32.5         0.00       -2.7      -2.8
Te1/5      35.0         0.00       -2.8      -2.7
Te1/6      34.0         0.00       -2.2      -2.0
Te1/7      32.0         0.00       -2.3      -2.5

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
 Gregor Friedrich
 Sent: Thursday, November 25, 2010 3:24 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] No DOM support for X2 optics on Cat 4900M?
 
 Hi List
 
 is there really no DOM support for X2 optics on the 4900M? I have
 X2-10GB-SR and LX4 optics and the output of sh int transceiver is empty,
 IOS is 12.2(53)SG3.
 
 The Cisco Digital Optical Monitoring Compatibility Matrix says
 X2-10GB-SR supports DOM, LX4 not??
 
 
 But on the 3650E  (12.2(50)SE3) I got this lines:
 
 
  Te0/1  connected    trunk  full  10G  10GBase-LX4
  Te0/2  notconnect   trunk  full  10G  10GBase-LX4
 
                                     Optical   Optical
             Temperature  Voltage    Tx Power  Rx Power
  Port       (Celsius)    (Volts)    (dBm)     (dBm)
  ---------  -----------  ---------  --------  --------
  Te0/1      49.8         0.00       -5.1      0.1
  Te0/2      50.1         0.00       -5.2      -40.0
 
 
 Thanks for any hint
 
 Gregor
 
 -- 
 Gregor Friedrich
 System Administration  Webmaster BIOTEC TU-Dresden
 Tatzberg 47/49
 01307 Dresden Germany
 phone: +49-351-463-40069
 email: gregor.friedr...@biotec.tu-dresden.de

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
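A small parser for the show interfaces transceiver table posted above, as an added example that is not part of the thread and not a Cisco tool. It turns each row into a record (N/A becomes None, the ++/+/-/-- alarm markers IOS can print after a value are collected separately) and flags ports with no laser or no usable receive light, the two conditions visible in the 4900M output (Te1/2 and Te1/3). The sample text is the table from the reply, re-spaced; the receive floor of -15 dBm is an assumption for SR optics and not a figure from the page.

```python
"""Parse `show interfaces transceiver` DOM output and flag ports with no
light or no laser. Example code added to this page, not Cisco's tooling;
the sample text below is the 4900M table from the reply above, re-spaced,
and the receive floor is an assumption for SR optics, not from the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_RE = re.compile(r"^(?:Te|Gi|Fa|Tw|Fo|Hu)\d+(?:/\d+)*$")
FLAGS = {"++", "+", "-", "--"}   # alarm/warning markers IOS prints after a value

SAMPLE = """\
                                   Optical   Optical
           Temperature  Voltage    Tx Power  Rx Power
Port       (Celsius)    (Volts)    (dBm)     (dBm)
---------  -----------  ---------  --------  --------
Te1/1      31.0         0.00       -2.0      -2.7
Te1/2      30.0         0.00       N/A       -40.0
Te1/3      31.7         0.00       N/A       -26.5
Te1/4      32.5         0.00       -2.7      -2.8
Te1/5      35.0         0.00       -2.8      -2.7
Te1/6      34.0         0.00       -2.2      -2.0
Te1/7      32.0         0.00       -2.3      -2.5
"""


@dataclass
class Dom:
    port: str
    temp_c: Optional[float]
    volts: Optional[float]
    tx_dbm: Optional[float]
    rx_dbm: Optional[float]
    flags: List[str]


def _values(tokens: List[str]):
    """Turn the tokens after the port name into floats/None, collecting flags."""
    vals, flags = [], []
    for t in tokens:
        if t in FLAGS:
            flags.append(t)
        elif t in ("N/A", "NA"):
            vals.append(None)
        else:
            vals.append(float(t))
    return vals, flags


def parse_transceiver(text: str) -> List[Dom]:
    """Keep only rows whose first token looks like an interface name."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not PORT_RE.match(tokens[0]):
            continue
        vals, flags = _values(tokens[1:])
        vals += [None] * (4 - len(vals))      # tolerate short rows
        rows.append(Dom(tokens[0], vals[0], vals[1], vals[2], vals[3], flags))
    return rows


def dark_ports(rows: List[Dom], rx_floor: float = -15.0) -> List[str]:
    """Ports receiving no usable light: Rx missing or below the floor."""
    return [r.port for r in rows if r.rx_dbm is None or r.rx_dbm < rx_floor]


def no_laser_ports(rows: List[Dom]) -> List[str]:
    """Ports whose optic reports no transmit power at all."""
    return [r.port for r in rows if r.tx_dbm is None]


if __name__ == "__main__":
    rows = parse_transceiver(SAMPLE)
    print("dark:", dark_ports(rows), "no laser:", no_laser_ports(rows))
```

Run it against the output of the same command on other IOS platforms the same way; only the interface-name regex and the floor need adjusting for different optics.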


[c-nsp] Jumbo frames on certain VLANs with UCS fabric?

2010-11-16 Thread David Hubbard
Hi all, I'm working on deploying a UCS system using
iscsi to an EMC with only a pair of 4900M's in
between.  I'm having a bit of trouble wrapping my
head around what I need to do to enable jumbo frames
to make it from end to end on the storage vlan.

What I've got so far:

1) Two redundant UCS fabric interconnects are each
in end host mode and each dual-home to the two 4900M's
at ten gig.

2) Within the UCS configuration, there is a virtual
nic defined as mtu 9000, the rest of the virtual nics
are defined as mtu 1500.

3) The 4900M's have a storage vlan configured with an
mtu of 9000.  All other vlan's are default 1500.

4) The ten gig interfaces to the UCS are set as mode
trunk but not mtu 9000 (I think this is an issue?).

5) The ten gig interfaces to the EMC's two service
processors on each 4900M are configured as
'switchport access vlan...' and 'mtu 9000'.

6) The two 4900M's have a trunk between them carrying
all vlan's.  (This may be an issue too?)


show int on the interfaces to the UCS fabrics and the
switch to switch trunk are both showing mtu 1500.  Do 
I need to set all of those interfaces to 9000?  I tried 
that, but did not test the EMC connectivity in between
because I noticed as soon as I set that I got a bunch
of MTU_Mismatch showing in show vlan mtu and I was
worried I was about to create a big problem.  Or, is 
it ok to have the mismatch there because any device 
talking on the 1500 byte vlans would not generate a
larger packet anyway but devices on the 9000 byte vlan
are free to talk jumbo and the interfaces will transport
it because it's mtu 9000 all the way through, including
the switch to switch trunk?

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Jumbo frames on certain VLANs with UCS fabric?

2010-11-16 Thread David Hubbard
Perfect, thanks Manu.  I switched them all to 9000 but
I would have never found the CoS setting.  I don't
have CoS defined so I read that in that case it defaults
to best effort in the UCS manager so I hand typed 9000
into the drop down and it took it and now I've got
jumbo frame storage traffic to the EMC from vmware at
ten gig.

David 

 -Original Message-
 From: Manu Chao [mailto:linux.ya...@gmail.com] 
 Sent: Tuesday, November 16, 2010 12:53 PM
 To: David Hubbard
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Jumbo frames on certain VLANs with UCS fabric?
 
 Hi David,
 
 (L2) MTU is not per VLAN but per physical interface.
 
 Make sure all interfaces in a VLAN are configured for jumbo frames before
 configuring jumbo frame support on an SVI.
 
 You have to enable jumbo on ALL your 4900 switches' interfaces.
 
 You have to enable jumbo on your UCS (the MTU is set on a per-CoS basis in
 UCS).
 
 R/
 Manu
 
 
 On Tue, Nov 16, 2010 at 5:19 PM, David Hubbard 
 dhubb...@dino.hostasaurus.com wrote:
 
 
   Hi all, I'm working on deploying a UCS system using
   iscsi to an EMC with only a pair of 4900M's in
   between.  I'm having a bit of trouble wrapping my
   head around what I need to do to enable jumbo frames
   to make it from end to end on the storage vlan.
   
   What I've got so far:
   
   1) Two redundant UCS fabric interconnects are each
   in end host mode and each dual-home to the two 4900M's
   at ten gig.
   
   2) Within the UCS configuration, there is a virtual
   nic defined as mtu 9000, the rest of the virtual nics
   are defined as mtu 1500.
   
   3) The 4900M's have a storage vlan configured with an
   mtu of 9000.  All other vlan's are default 1500.
   
   4) The ten gig interfaces to the UCS are set as mode
   trunk but not mtu 9000 (I think this is an issue?).
   
   5) The ten gig interfaces to the EMC's two service
   processors on each 4900M are configured as
   'switchport access vlan...' and 'mtu 9000'.
   
   6) The two 4900M's have a trunk between them carrying
   all vlan's.  (This may be an issue too?)
   
   
   show int on the interfaces to the UCS fabrics and the
   switch to switch trunk are both showing mtu 1500.  Do
   I need to set all of those interfaces to 9000?  I tried
   that, but did not test the EMC connectivity in between
   because I noticed as soon as I set that I got a bunch
   of MTU_Mismatch showing in show vlan mtu and I was
   worried I was about to create a big problem.  Or, is
   it ok to have the mismatch there because any device
   talking on the 1500 byte vlans would not generate a
   larger packet anyway but devices on the 9000 byte vlan
   are free to talk jumbo and the interfaces will transport
   it because it's mtu 9000 all the way through, including
   the switch to switch trunk?
   
   Thanks,
   
   David
   

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
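The two MTU points made in this thread and in the 802.1q thread above (the tag rides on top of the port MTU rather than being taken out of it, and L2 MTU is per physical port, so every port in the storage VLAN has to be raised) can be checked with a path walk. This is an added example, not the poster's configuration or any vendor tool: the hop names, MTU values and the UCS to 4900M to EMC layout are constructed from the thread's description and are assumptions. It reports where a 9000-byte datagram dies when one trunk port is left at the default, and that the same path carries 1500-byte traffic fine, which is what makes such a gap hard to notice.

```python
"""Walk a constructed L2/L3 path and check whether a given IP datagram size
survives end to end, accounting for the 802.1Q tag the way the thread
describes: the 4-byte tag rides on top of the port MTU and is not taken out
of it, so a 1500-byte port carries a 1500-byte payload tagged or not.

Example code added to this archive page; it is not from the poster's
switches. Hop names, MTU values and the UCS -> 4900M -> EMC layout below are
constructed from the thread's description and are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

ETH_HEADER = 14   # destination MAC, source MAC, EtherType
DOT1Q_TAG = 4     # 802.1Q tag on trunk links
ETH_FCS = 4       # frame check sequence


@dataclass
class Hop:
    name: str
    port_mtu: int          # L2 payload MTU configured on the physical port
    tagged: bool = False   # frames on this link carry an 802.1Q tag
    routes: bool = False   # L3 hop: may fragment when DF is clear


def wire_frame_size(payload: int, tagged: bool) -> int:
    """Bytes on the wire for one frame; the tag adds 4 bytes (1518 -> 1522)."""
    return ETH_HEADER + (DOT1Q_TAG if tagged else 0) + payload + ETH_FCS


def walk(path: List[Hop], payload: int, df: bool = True) -> Dict[str, object]:
    """Push one datagram of `payload` bytes through every hop in order.

    A hop whose port MTU is below the size it receives either fragments it
    (L3 hop, DF clear) or drops it silently. A silent drop at an L2 hop is
    the MTU black hole: small packets pass, full-size ones vanish.
    """
    size = payload
    fragmented_at = None
    for hop in path:
        if size <= hop.port_mtu:
            continue
        if hop.routes and not df:
            size = hop.port_mtu           # first fragment is as big as the hop allows
            fragmented_at = hop.name
        else:
            return {"delivered": None, "dropped_at": hop.name,
                    "fragmented_at": fragmented_at}
    return {"delivered": size, "dropped_at": None, "fragmented_at": fragmented_at}


def vlan_mtu_mismatch(ports: List[Hop]) -> bool:
    """The condition behind the MTU_Mismatch warning: ports in one VLAN disagree."""
    return len({p.port_mtu for p in ports}) > 1


# Constructed: the layout from the thread before the trunk ports were raised.
BEFORE = [
    Hop("ucs-vnic-storage", 9000, tagged=True),
    Hop("fi-uplink", 9000, tagged=True),
    Hop("4900m-te-to-ucs", 1500, tagged=True),     # trunk left at default MTU
    Hop("4900m-trunk-to-peer", 1500, tagged=True),
    Hop("4900m-te-to-emc", 9000),                  # access port, mtu 9000
    Hop("emc-sp", 9000),
]
# Constructed: every port in the storage VLAN raised to 9000.
AFTER = [Hop(h.name, 9000, h.tagged, h.routes) for h in BEFORE]

if __name__ == "__main__":
    for label, path in (("before", BEFORE), ("after", AFTER)):
        print(label, walk(path, 9000), "mismatch:", vlan_mtu_mismatch(path))
```

Setting df=True and walking the real path with a full-size payload is the same test as a don't-fragment ping at the jumbo size from the initiator to the storage target; if that ping fails where a default-size ping succeeds, the port that drops it is the one still at 1500.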


[c-nsp] Source for 10gb SR OM3 cable in orange?

2010-10-21 Thread David Hubbard
Any chance anyone on the list knows of a source for
10 gig multimode OM3 cable in orange instead of the
standardized aqua color?  Ideally in SC to LC and
30m lengths.  Need to connect some 4900M X2
10gb SR modules to UCS fabric extenders with
SFP-10G-SR modules, and it needs to be orange cable
for stupid reasons.  :-)

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Can UCS 6120XP be used for normal host connectivity?

2010-07-08 Thread David Hubbard
Thanks Jeremy, we're going to end up going the same route
after I looked into it more with the information Brad
posted.  We don't have a ten gig core yet so looks like
I'm buying some new core switches too just to get backup
traffic in and out since I don't want to do link
aggregation (assuming the 6120's supported it).

Thanks Brad too,

David 

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net 
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeremy Bresley
 Sent: Wednesday, July 07, 2010 11:29 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Can UCS 6120XP be used for normal host 
 connectivity?
 
 If you have the 6120s deployed in End Host Mode, then this is not
 currently possible.  If you are running them in switch mode then they
 behave like a normal switch and you can do this setup.
 
 http://www.cisco.com/en/US/products/ps10278/products_configuration_example09186a0080af3171.shtml
 
 To change the mode, issue the command: set mode {end-host|switch}
 
 We tried to do almost this exact setup, with 2 primary upstream N5Ks,
 and a separate connection using pin groups to send backup traffic out a
 separate interface.  We were unable to get this to work with the M81KR
 cards in the B250 blades, and ended up just making the backup network a
 separate VLAN on the same 10G uplinks instead of an isolated physical
 segment.
 
 Hope this helps, let me know if you have questions and I'll try to 
 answer them from what issues we've run into with the UCS.
 
 Jeremy
 
 On 7/7/2010 5:24 PM, David Hubbard wrote:
  We're deploying a UCS setup that involves
  some of the 20 port fabric interconnect
  switches which basically connect our UCS
  blade chassis to our EMC storage.  I asked
  the sales rep today if we could plug a backup
  server at 10gig into one of the unused ports
  on one of the 6120's and she initially said
  no, but then when I questioned what the difference
  was between a backup server and our core L3
  switch or the EMC storage since all are just
  remote nodes talking IP on ethernet, she said
  well maybe I can connect a host to it.
 
  Trying to get some planning out of the way
  and haven't gotten an answer yet so I was
  wondering if anyone knows the answer to this?
  Assuming the 6120XP receives a tagged
  uplink from the core for normal network
  traffic coming and going from the UCS
  servers, can a port on a 6100 be configured
  for untagged 10gig in a specific vlan so I
  can hook a server into it?
 
  Thanks,
 
  David
 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Can UCS 6120XP be used for normal host connectivity?

2010-07-07 Thread David Hubbard
We're deploying a UCS setup that involves
some of the 20 port fabric interconnect
switches which basically connect our UCS
blade chassis to our EMC storage.  I asked
the sales rep today if we could plug a backup
server at 10gig into one of the unused ports
on one of the 6120's and she initially said
no, but then when I questioned what the difference
was between a backup server and our core L3
switch or the EMC storage since all are just
remote nodes talking IP on ethernet, she said
well maybe I can connect a host to it.

Trying to get some planning out of the way
and haven't gotten an answer yet so I was
wondering if anyone knows the answer to this?
Assuming the 6120XP receives a tagged 
uplink from the core for normal network
traffic coming and going from the UCS
servers, can a port on a 6100 be configured
for untagged 10gig in a specific vlan so I
can hook a server into it?

Thanks,

David

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/