from:"Emille Blanc"

Re: [c-nsp] ASR9K to ASR920 MPLS issue

2021-01-05 Thread Emille Blanc

We have had problems with MPLS VC's on ASR's in the past, if the MTU on both 
sides don't match.
Though the behavior is erratic - sometimes the VC comes up and won't pass 
traffic, sometimes it doesn't come up at all.

We've also never tried an xconnect on an ASR physical interface. Though I don't 
have any reason to suspect it wouldn't work, try an untagged service instance?

Do all three VC segments show up/up on the 920?
(sh xconnect int Ten0/0/25)

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jerry 
Bacon
Sent: Tuesday, January 05, 2021 10:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR9K to ASR920 MPLS issue

I have added an ASR920 to my network and cannot get an MPLS VC to work 
between it and my ASR9K. The VC comes up on both sides, but no traffic 
passes through the circuit. Both the ASR9K and the ASR920 have MPLS VCs 
working with other devices.

ASR9K:

Cisco IOS XR Software, Version 6.6.2[Default]

interface TenGigE0/0/1/0.95 l2transport
  encapsulation dot1q 95
  mtu 9114

l2vpn
  xconnect group mpls1
   p2p test1
    interface TenGigE0/0/1/0.95
    neighbor ipv4 10.100.66.1 pw-id 95

ASR920:

Cisco IOS XE Software, Version 03.18.05.SP.156-2.SP5-ext

interface TenGigabitEthernet0/0/25
  mtu 9100
  no ip address
  cdp enable
  service instance 95 ethernet
   encapsulation dot1q 95

l2vpn xconnect context test1
  member TenGigabitEthernet0/0/25 service-instance 95
  member 10.100.25.11 95 encapsulation mpls

Local interface: Te0/0/25 up, line protocol up, Eth VLAN 95 up
   Interworking type is Ethernet
   Destination address: 10.100.25.11, VC ID: 95, VC status: up

   VC statistics:
     transit packet totals: receive 43471, send 0

I have tried both with and without a rewrite on each side, with no 
difference.

Ideas, thoughts, suggestions are welcome.

Thanks.

-- 

Jerry Bacon
Senior Network Engineer
StarTouch, Inc.
http://www.startouch.com
360-543-5679 ext. 111
Microwave - Fiber Optics - Internet Services

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] logging suppress duplicates

2020-09-28 Thread Emille Blanc

Logging discriminators have been hit or miss for us for as long as I can 
remember (and flat-out doesn't work in some versions of IOS).
We have had more success with TCL filters which you might want to try.
Eg;

file flash:YOURFILTER.tcl

if [string match "by\ snmp$" $::orig_msg] {
  return ""
} else {
  return $::orig_msg
}

Then apply;

logging filter flash:YOURFILTER.tcl

Might be overkill, but has given us a 100% hit rate in our environment.
Also gives you the option of replacing the string with "Log suppressed by 
filter.tcl", and then setup your discriminator on that so other maintainers can 
see what's happening, but not sure about the order-of-operation for log 
filtering stuff.

Good luck!

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Eugene 
Grosbein
Sent: Monday, September 28, 2020 8:56 AM
To: Ian Henderson
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] logging suppress duplicates

28.09.2020 16:14, Ian Henderson wrote:

> On 28 Sep 2020, at 1:38 pm, Eugene Grosbein  wrote:
>>
>> Is it possible to enable suppression of duplicate lines in the logging 
>> buffer?
>> Less preferably, disable this kind of messages altogether if it ends with 
>> "by snmp" or even "from X.X.X.X by snmp”.
> 
> The term you’re looking for to filter logs in the buffer is ‘logging 
> discriminator’.

Thanks!

It works for me, hmm, partially.

Tried several ways to discriminate the line "%SYS-5-CONFIG_I: Configured from 
X.X.X.X by snmp"
but could not make it work:

logging discriminator BYSNMP severity drops 5 mnemonics drops SYS-5-CONFIG_I 
msg-body drops by\ snmp$

It works if I omit "msg-body" part, though. How do I specify lines ending with 
"by snmp" ?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] cisco ACL filter outbound only

2020-09-15 Thread Emille Blanc

> Again, the cli seems to indicate support for all the things
> necessary, which includes the idea of 'established', which is why I ask
> if THIS platform does in fact do what the cli suggests:

No, the ASR920 (Unless it's hiding in a recent IOS release), does not do any 
kind of state tracking.  You'll be better served looking at the ISR or Firewall 
families for that.

What you're seeing in the CLI is pretty commonplace these days - to be fair, 
not just with Cisco - where an un-supported feature is 'left in' the command 
line.

If in doubt, try it. Worst case it won't work, and then you can bounce the 
config off TAC to get one of their "unsupported configuration" canned 
responses. :]

From: cisco-nsp  on behalf of Mike 

Sent: Tuesday, September 15, 2020 8:52 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco ACL filter outbound only

On 9/15/20 8:08 AM, Brian Turnbow wrote:
>> It just seems to me that it is indeed possible using the above to put it
>> together. Is this all just non-working on this platform?
>>
> The difference is in connection state.
> An ACL does not track it so you can do
> Permit tcp any any established
> Inbound or outbound on a port , but that will only check that the ip packet 
> has  ack or rst set for the tcp session  .
> I can still send you an inbound tcp packet with ack or rst  set even if it 
> did not originate from "inside" and pass your filter.
> It will also not help in any way for udp etc
> The ACL does not know that a first packet was sent out so it should await a 
> response
> This is why you need a firewall be it on the router or external.
>
Hi,

Again, the cli seems to indicate support for all the things
necessary, which includes the idea of 'established', which is why I ask
if THIS platform does in fact do what the cli suggests:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack  Match on the ACK bit
  dscp Match packets with given dscp value
  eq   Match only packets on a given port number
  established  Match established connections
  fin  Match on the FIN bit
  fragmentsCheck non-initial fragments
  gt   Match only packets with a greater port number
  log  Log matches against this entry
  log-inputLog matches against this entry, including input interface
  lt   Match only packets with a lower port number
  match-allMatch if all specified flags are present
  match-anyMatch if any specified flag is present
  neq  Match only packets not on a given port number
  option   Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh  Match on the PSH bit
  rangeMatch only packets in the range of port numbers
  rst  Match on the RST bit
  syn  Match on the SYN bit
  time-range   Specify a time-range
  tos  Match packets with given TOS value
  ttl  Match packets with given TTL value
  urg  Match on the URG bit

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 is a ticking timebomb (CSCvk35460)

2019-01-27 Thread Emille Blanc

We've happily displaced the ASR901, and ASR920 with Juniper's ACX1100 in most 
parts of our network.
It has a few interesting limitations (IPSEC, NAT), but nothing that has caused 
us any problems doing P, PE and Aggregation work.

From: cisco-nsp [cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka 
[mark.ti...@seacom.mu]
Sent: Saturday, January 26, 2019 9:58 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 is a ticking timebomb (CSCvk35460)

On 26/Jan/19 17:15, James Jun wrote:

> One of the other reasons we're looking to phase out ASR920s over time is the 
> small
> buffers.
>
> We also had an issue when oversubsribing shared on-chip buffers on the box 
> (by using child
> policy-map to assign 100% queue on all ports), where sometimes, probably when 
> buffers
> are exhausted, it freezes packet transmission on ports after a while, thus 
> causing an
> outage.  We ended up removing that policy-map and are now only allocating 
> 512KiB queue-limit
> per 1G port to prevent exhaustion.

But what would you replace it with? What else is out there?

> I suppose MX104 with decent discount may be an option, but control-plane is 
> an issue.

Juniper have binned that box.

Mark.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Emille Blanc

Forgive the obvious question;
Are your 3800's licensed for IPSEC, and or the grace period hasn't been 
exhausted if not?
They require the SECK9 license.

I'd maybe specify the local source-address in your crypto maps. Otherwise, 
nothing stands out as erroneous to me.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Tuesday, May 01, 2018 10:28 AM
To: Alex K.
Cc: cisco-nsp
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Both sides show the same.
cpe-rpa-kal-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id status

IPv6 Crypto ISAKMP SA

cpe-rpa-kal-gw-01#


wtc-mar-gw-01#   show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id status

IPv6 Crypto ISAKMP SA

wtc-mar-gw-01#



Debug of RPA side shows this when crypto map VPNMAP removed and added back
to gi0/0:

*May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
routes from static map
*May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1
GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1
GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
GigabitEthernet0/0
*May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
GigabitEthernet0/0
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
GigabitEthernet0/0
*May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON




On Tue, May 1, 2018 at 10:45 AM, Alex K.  wrote:

> Hi Scott,
>
> What state "show cry isa sa" the VPN ends on? Anyhow, your configuration
> seems to be correct (I didn't went over the ACLs though, I hope they're
> exact mirror of each other), Anything suspicious shows up with "debug cry
> isakmp"?
>
> Not passing traffic might be related to your no-nat configuration, but in
> my humble opinion, you can safely put it aside, till VPN reached so-called
> QM_IDLE state.
>
> Alex.
>
>
> בתאריך יום ג׳, 1 במאי 2018, 19:02, מאת Scott Miller ‏ >:
>
>> I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order
>> to
>> have access to eachother's network.
>>
>> On each side, I have them built as follows:
>>
>> Site WTC Inside network
>> 192.168.1.0/24
>> 192.168.2.0/24
>>
>> Site RPA Inside network
>> 192.168.3.0/24
>> 192.168.4.0/24
>>
>> WTC:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key  address 208.123.206.17
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 208.123.206.17
>>  set transform-set MYSET
>>  match address 110
>>  reverse-route static
>>
>> interface GigabitEthernet0/0
>>  crypto map VPNMAP
>>
>> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>>
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip

Re: [c-nsp] ASR-920 - Remote UPGRADE

2017-01-13 Thread Emille Blanc

We've not run into any post-upgrade operational problems so far.  The only 
'excitement' we've encountered is some automatic FPGA upgrades between some 
images.
No problems with that process to date, but it does cause some nail biting as 
the router takes 10-15 minutes to complete this process and a couple of extra 
reboots. Fans tend to spin up 100% while this happens, something to be mindful 
of if you have a power budget.

"Cisco IOS XE on Cisco ASR 920 Series Router (ASR-920-24SZ-IM) supports 
upgradeable firmware for field programmable hardware devices such as interface 
modules (IMs) and upgrades IM FPGA when ever there is an upgrade."
http://www.cisco.com/c/en/us/td/docs/routers/asr920/hardware/chassis/guide/ASR920-Chassis-SW/SW_Install_Upgrade.html

ASR920 FPGA version support is explained a little more here;
http://www.cisco.com/c/en/us/td/docs/routers/asr920/release/notes/ASR920_rel_notes/intro.html

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick 
Cutting
Sent: January-13-17 10:27 AM
To: cisco-nsp (cisco-nsp@puck.nether.net)
Subject: [c-nsp] ASR-920 - Remote UPGRADE

If I am upgrading from 3.16s to 3.18SP - is this safe to do remotely?

I have MGT patched in, but not console cable.

Any war stories would be greatly appreciated.

Nick


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Help needed regarding the Eompls tunnel in Juniper & Cisco

2016-12-01 Thread Emille Blanc

You are describing something I ran into last week when I did some testing with 
Juniper ACX1100 and SRX300's, and a Cisco 7301 in our lab. I realize that the 
7301 is a far cry from a 6500, but perhaps the anecdote will help.

A Cisco 7301 was our P router in the lab, and had LDP propagation problems when 
the Cisco was using dot1q interfaces to talk to the Junipers. Ie; 
EX2200 <-> Juniper SRX300 <-dot1q-> Cisco 7301 <-dot1q-> Juniper ACX1100 <-> 
EX2200

The only measurable symptom - other than the l2circuit didn't function - was 
that the LDP tables on the Junipers were not showing -any- labels from the 
Cisco.
Moving the Cisco config to the parent interface, or the native/untagged 
interface solved that issue, but was not acceptable for our production 
environment.
However - the exact same config using dot1q interfaces worked fine when I 
replaced the Cisco 7301 with a Cisco ASR920.  I never got to the bottom of 
"why", nor did I investigate further as the 7301's are long EOS/EOL.

Your l2circuit appears to be up however, whereas ours would not owing to the 
missing labels.
The config snippets you provided look sane - to my tired eyes at least.

Our ACX1100 was tested fine with both 16.1R3.10, and 12.3X54-D27.1, and were 
using OSPF martini - no BGP/Kompella.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ahsan 
Rasheed
Sent: December-01-16 4:13 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Help needed regarding the Eompls tunnel in Juniper & Cisco

Hi All,

We are having some serious issue with one customer circuit.We are using
eompls vlan based & we are unable to pass traffic over eompls (l2)tunnel
between Cisco 3550 switches if we use specifically Cisco 6503 ,Cisco 6504 &
6506 etc. If we use Cisco switch 6524 instead of Cisco 6503 it is working.

{(Cisco 3550 switch)--->(Cisco 6524)>(Juniper ACX 4000)>(Cisco
3550) }-->This setup is working.I am able to pass traffic end to end
between Cisco 3550's.

{(Cisco 3550 switch1)--->(Cisco 6503 or Cisco 6506))>(Juniper ACX
4000)>(Cisco 3550 switch2) }-->This setup is not working.

Cisco 3550 switch1 vlan 1089(1.1.1.1/30)---trunk->sub interface eompls
vlan 1089(Cisco 6503)->(ACX 4000)terminating tunnel on sub interface
vlan 1089->Cisco 3550 switch2-trunk-vlan 1089(1.1.1.2/30)

We are using bgp & ospf between Cisco 6503 & Juniper ACX 4000. Vlan 1089
as svi we are using on Cisco 3550 switch1 and allowing vlan 1089 as trunk
connecting back to Cisco 6503,eompls vlan 1089 tunnel is configured on sub
int on 6503 facing Cisco 3550 switch 1.Cisco 6503 is connected with juniper
ACX 4000 & running bgp & ospf between each other.On ACX 4000 juniper eompls
vlan based tunnel is terminating on sub interface facing Cisco 3550 switch
2. With Sup720 I was unable to pass traffic over tunnels although l2 eompls
tunnel 1089 is up on both (Cisco 6503 & Juniper). See below.


Below are the outputs & commands which i was running.


ACX 4000 Juniper:

chi> show l2circuit connections
Layer-2 Circuit Connections:
Neighbor: 63.250.238.225
Interface Type  St Time last up  # Up trans
ge-1/1/0.1089(vc 1089)rmt   Up Jan  2 12:45:23 2010   1
  Remote PE: 63.250.238.225, Negotiated control-word: No
  Incoming label: 299776, Outgoing label: 19
  Negotiated PW status TLV: No
  Local interface: ge-1/1/0.1089, Status: Up, Encapsulation: VLAN
chi> show ospf neighbor
Address  Interface  State ID   Pri  Dead
10.252.0.85  xe-0/2/0.0 Full  63.250.238.225 139

chi> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table  Tot Paths  Act Paths SuppressedHistory Damp State
Pending
inet.0
  15 13  0  0
0  0
Peer AS  InPkt OutPktOutQ   Flaps Last
Up/Dwn State|#Active/Received/Accepted/Damped...
63.250.238.22530373179200   0   0
1:21:40 13/15/15/0   0/0/0/0

show ldp neighbor
AddressInterface  Label space ID Hold time
63.250.238.225 lo0.0  63.250.238.225:0 40
63.250.250.219 lo0.0  0.0.0.0:00
10.252.0.85xe-0/2/0.0 63.250.238.225:0 11

set interfaces xe-0/2/0 mtu 9192
set interfaces xe-0/2/0 unit 0 bandwidth 10g
set interfaces xe-0/2/0 unit 0 family inet mtu 1546
set interfaces xe-0/2/0 unit 0 family inet address 10.252.0.86/30
set interfaces xe-0/2/0 unit 0 family mpls

set interfaces ge-1/1/0 vlan-tagging
set interfaces ge-1/1/0 mtu 1564
set interfaces ge-1/1/0 media-type copper
set interfaces ge-1/1/0 encapsulation flexible-ethernet-services
set interfaces ge-1/1/0 unit 0 vlan-id 2062
set interfaces ge-1/1/0 unit 0 family inet address 10.254.62.9/29 primary
set interfaces ge-1/1/0 unit 0 family inet address 63.250.226.153/30
set interfaces ge-1/1/0 unit

Re: [c-nsp] ISR4431-AX/K9

2016-07-13 Thread Emille Blanc

I happen to be staring at an ISR4431/K9 with the APPX license (purchased for 
the L2 features), and it allows nbar configuration for ipv4 and ipv6.  I have 
none without said license pre-loaded, so cannot confirm if it's required or not.
It doesn't seem to complain or spam the license EULA if I enable any NBAR2 
pieces.

Hope this helps shed some light;

Running 15.4(3)S5
router#sh ip nbar version

NBAR software version:  20
NBAR minimum backward compatible version:  20

Loaded Protocol Pack(s):

Name:Advanced Protocol Pack
Version: 12.0
Publisher:   Cisco Systems Inc.
NBAR Engine Version: 20
State:   Active

ABCPGRGBC-57-DAO-R01# sh license | inc ^Index|Permanent|Activated
Index 1 Feature: appxk9
License Type: Permanent
Index 2 Feature: uck9
Period left: Not Activated
Index 3 Feature: securityk9
Period left: Not Activated
Index 4 Feature: ipbasek9
License Type: Permanent
Index 5 Feature: cme-srst
Period left: Not Activated
Index 6 Feature: hseck9
Index 7 Feature: throughput
License Type: Permanent
Index 8 Feature: internal_service


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steve 
Mikulasik
Sent: July-13-16 12:00 PM
To: Adam Greene; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ISR4431-AX/K9

I believe NBAR 2 is in the AVX bundle, but there is normal NBAR support in the 
other bundles.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam 
Greene
Sent: Tuesday, July 12, 2016 10:50 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ISR4431-AX/K9

Hey guys,

 

If I need a router that can do application based bandwidth throttling
(NBAR2) at 500M-1G aggregate throughput, ISR4431-AX/K9 should do the trick, 
right? It seems to provide the features and throughput. Please tell me if I'm 
wrong (other services enabled on the router will be limited to BGP and OSPF).

 

Thanks,

Adam

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR 901 and net-flow

2015-11-16 Thread Emille Blanc

As of 15.5(2r)S with the AdvancedMetroIPAccess license, ip flow 
ingres/egress can be enabled on SVI's, but nothing to configure anything 
useful like top talkers, or export flow data to a collector.


There's no mention of it in any of the technical deep dive powerpoints 
or software configuration guides I've seen either (I've read most of 
them start to finish over the past few months).

I've never bothered to ask TAC.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
Scott Miller

Sent: November-16-15 4:14 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR 901 and net-flow

Does anyone know if the ASR 901 supports net-flow?  I can't find any
documentation on it as of yet (only been searching about 30 min or so).  
I

did read a couple posts in odd-ball places stating it's not supported on
the 901.  Can anyone confirm this?

Thanks,
Scott
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] BVI Configuration on 1600 Access Points

2015-08-26 Thread Emille Blanc

In my experience, 'bridge foo route ip' on BVI's other than bridge '1', 
is broken on all Aironet products that have come across my desk, since 
the 1200 series.
Moving bridge-group 1 to the VLAN you wish to use for management - 
though goofy to look at - works.
This comes with the caveat of your management VLAN having to be dot1q 
native on your subinterfaces.


Eg;
interface GigabitEthernet0.232
 encapsulation dot1Q 232 native
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning

interface BVI1
 ip address 172.30.99.207 255.255.255.0
 no ip proxy-arp
 no ip route-cache
 no keepalive

bridge 1 route ip

In attempts to work this out, I always run into issues with CEF dropping 
traffic citing wrong cable, interface BVIfoo
Removing the old BVI once configured, still leaves some stale oddness in 
CEF which has required a reboot to clean up.


If you find another way around this, I'd be interested to hear it!


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
Christopher Werny

Sent: August-26-15 9:39 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BVI Configuration on 1600 Access Points

Good Evening,

I am currently in the process of setting up three new (autonomous) 
access
points for our office and running into an issue with the configuration 
of

the BVI interface.

What I want to achieve is creating a BVI Interface in separate VLAN (our
Management VLAN 232 in this specific case) so that the AP is tagging all
packets with the respective VLAN 232. However, after doing the 
configuration
the AP is not reachable on the configured IP address. The AP is 
connected to
a 2960 switch and the port configured as trunk. As soon as I configure 
the

native vlan to 232 on the trunk port the management IP of the AP becomes
reachable. This indicates that the AP is not tagging the packets at all.

The access points are running:

Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2,
RELEASE SOFTWARE (fc1)

Relevant config snippets below:

interface GigabitEthernet0.232
 encapsulation dot1Q 232
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 232
 bridge-group 232 spanning-disabled
 no bridge-group 232 source-learning

interface BVI232
 ip address 172.30.99.207 255.255.255.0
 no ip proxy-arp
 no ip route-cache
 no keepalive

bridge 232 route ip


So, what am I missing?  It might be something completely trivial, and 
feel

free to slap me if this is the case ;)

Thanks for your time!

Best,
Christopher



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Rancid permissions

2015-01-20 Thread Emille Blanc


In our experience, RANCID requires privilege level 15.
The following from our tacacs conf works on IOS v15 devices.  I'm sure 
you could do it just as easily with a parser view or some such.



user = rancid {
# default service = permit
 name = RANCID daemon
 login = (some password)

# RANCID requires priv 15 to do it's thing
 service = exec {
   priv-lvl = 15
 }

# RANCID only uses these commands
 cmd = admin { permit .* }
 cmd = dir { permit .* }
 cmd = more { permit .* }
 cmd = show { permit .* }
 # This is redundant on all (our) devices
 #cmd = write { permit term }
}



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
Gavin Henry

Sent: January-20-15 2:55 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Rancid permissions

Hi all,

Does anyone have a link to the permissions needs to get the full
config for IOS 15?

Thanks.

--
Kind Regards,
Gavin Henry.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR9K to ASR920 MPLS issue

Re: [c-nsp] logging suppress duplicates

Re: [c-nsp] cisco ACL filter outbound only

Re: [c-nsp] ASR920 is a ticking timebomb (CSCvk35460)

Re: [c-nsp] VPN tunnel between two Cisco 3825's

Re: [c-nsp] ASR-920 - Remote UPGRADE

Re: [c-nsp] Help needed regarding the Eompls tunnel in Juniper & Cisco

Re: [c-nsp] ISR4431-AX/K9

Re: [c-nsp] ASR 901 and net-flow

Re: [c-nsp] BVI Configuration on 1600 Access Points

Re: [c-nsp] Rancid permissions

11 matches

Site Navigation

Mail list logo

Footer information