Re: [c-nsp] ASR9K to ASR920 MPLS issue
We have had problems with MPLS VC's on ASR's in the past, if the MTU on both sides don't match. Though the behavior is erratic - sometimes the VC comes up and won't pass traffic, sometimes it doesn't come up at all. We've also never tried an xconnect on an ASR physical interface. Though I don't have any reason to suspect it wouldn't work, try an untagged service instance? Do all three VC segments show up/up on the 920? (sh xconnect int Ten0/0/25) -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jerry Bacon Sent: Tuesday, January 05, 2021 10:45 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ASR9K to ASR920 MPLS issue I have added an ASR920 to my network and cannot get an MPLS VC to work between it and my ASR9K. The VC comes up on both sides, but no traffic passes through the circuit. Both the ASR9K and the ASR920 have MPLS VCs working with other devices. ASR9K: Cisco IOS XR Software, Version 6.6.2[Default] interface TenGigE0/0/1/0.95 l2transport encapsulation dot1q 95 mtu 9114 l2vpn xconnect group mpls1 p2p test1 interface TenGigE0/0/1/0.95 neighbor ipv4 10.100.66.1 pw-id 95 ASR920: Cisco IOS XE Software, Version 03.18.05.SP.156-2.SP5-ext interface TenGigabitEthernet0/0/25 mtu 9100 no ip address cdp enable service instance 95 ethernet encapsulation dot1q 95 l2vpn xconnect context test1 member TenGigabitEthernet0/0/25 service-instance 95 member 10.100.25.11 95 encapsulation mpls Local interface: Te0/0/25 up, line protocol up, Eth VLAN 95 up Interworking type is Ethernet Destination address: 10.100.25.11, VC ID: 95, VC status: up VC statistics: transit packet totals: receive 43471, send 0 I have tried both with and without a rewrite on each side, with no difference. Ideas, thoughts, suggestions are welcome. Thanks. -- Jerry Bacon Senior Network Engineer StarTouch, Inc. http://www.startouch.com 360-543-5679 ext. 111 Microwave - Fiber Optics - Internet Services ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] logging suppress duplicates
Logging discriminators have been hit or miss for us for as long as I can remember (and flat-out doesn't work in some versions of IOS). We have had more success with TCL filters which you might want to try. Eg; file flash:YOURFILTER.tcl if [string match "by\ snmp$" $::orig_msg] { return "" } else { return $::orig_msg } Then apply; logging filter flash:YOURFILTER.tcl Might be overkill, but has given us a 100% hit rate in our environment. Also gives you the option of replacing the string with "Log suppressed by filter.tcl", and then setup your discriminator on that so other maintainers can see what's happening, but not sure about the order-of-operation for log filtering stuff. Good luck! -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Eugene Grosbein Sent: Monday, September 28, 2020 8:56 AM To: Ian Henderson Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] logging suppress duplicates 28.09.2020 16:14, Ian Henderson wrote: > On 28 Sep 2020, at 1:38 pm, Eugene Grosbein wrote: >> >> Is it possible to enable suppression of duplicate lines in the logging >> buffer? >> Less preferably, disable this kind of messages altogether if it ends with >> "by snmp" or even "from X.X.X.X by snmp”. > > The term you’re looking for to filter logs in the buffer is ‘logging > discriminator’. Thanks! It works for me, hmm, partially. Tried several ways to discriminate the line "%SYS-5-CONFIG_I: Configured from X.X.X.X by snmp" but could not make it work: logging discriminator BYSNMP severity drops 5 mnemonics drops SYS-5-CONFIG_I msg-body drops by\ snmp$ It works if I omit "msg-body" part, though. How do I specify lines ending with "by snmp" ? ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] cisco ACL filter outbound only
> Again, the cli seems to indicate support for all the things > necessary, which includes the idea of 'established', which is why I ask > if THIS platform does in fact do what the cli suggests: No, the ASR920 (Unless it's hiding in a recent IOS release), does not do any kind of state tracking. You'll be better served looking at the ISR or Firewall families for that. What you're seeing in the CLI is pretty commonplace these days - to be fair, not just with Cisco - where an un-supported feature is 'left in' the command line. If in doubt, try it. Worst case it won't work, and then you can bounce the config off TAC to get one of their "unsupported configuration" canned responses. :] From: cisco-nsp on behalf of Mike Sent: Tuesday, September 15, 2020 8:52 AM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] cisco ACL filter outbound only On 9/15/20 8:08 AM, Brian Turnbow wrote: >> It just seems to me that it is indeed possible using the above to put it >> together. Is this all just non-working on this platform? >> > The difference is in connection state. > An ACL does not track it so you can do > Permit tcp any any established > Inbound or outbound on a port , but that will only check that the ip packet > has ack or rst set for the tcp session . > I can still send you an inbound tcp packet with ack or rst set even if it > did not originate from "inside" and pass your filter. > It will also not help in any way for udp etc > The ACL does not know that a first packet was sent out so it should await a > response > This is why you need a firewall be it on the router or external. > Hi, Again, the cli seems to indicate support for all the things necessary, which includes the idea of 'established', which is why I ask if THIS platform does in fact do what the cli suggests: rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ? ack Match on the ACK bit dscp Match packets with given dscp value eq Match only packets on a given port number established Match established connections fin Match on the FIN bit fragmentsCheck non-initial fragments gt Match only packets with a greater port number log Log matches against this entry log-inputLog matches against this entry, including input interface lt Match only packets with a lower port number match-allMatch if all specified flags are present match-anyMatch if any specified flag is present neq Match only packets not on a given port number option Match packets with given IP Options value precedence Match packets with given precedence value psh Match on the PSH bit rangeMatch only packets in the range of port numbers rst Match on the RST bit syn Match on the SYN bit time-range Specify a time-range tos Match packets with given TOS value ttl Match packets with given TTL value urg Match on the URG bit ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASR920 is a ticking timebomb (CSCvk35460)
We've happily displaced the ASR901, and ASR920 with Juniper's ACX1100 in most parts of our network. It has a few interesting limitations (IPSEC, NAT), but nothing that has caused us any problems doing P, PE and Aggregation work. From: cisco-nsp [cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka [mark.ti...@seacom.mu] Sent: Saturday, January 26, 2019 9:58 PM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] ASR920 is a ticking timebomb (CSCvk35460) On 26/Jan/19 17:15, James Jun wrote: > One of the other reasons we're looking to phase out ASR920s over time is the > small > buffers. > > We also had an issue when oversubsribing shared on-chip buffers on the box > (by using child > policy-map to assign 100% queue on all ports), where sometimes, probably when > buffers > are exhausted, it freezes packet transmission on ports after a while, thus > causing an > outage. We ended up removing that policy-map and are now only allocating > 512KiB queue-limit > per 1G port to prevent exhaustion. But what would you replace it with? What else is out there? > I suppose MX104 with decent discount may be an option, but control-plane is > an issue. Juniper have binned that box. Mark. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VPN tunnel between two Cisco 3825's
Forgive the obvious question; Are your 3800's licensed for IPSEC, and or the grace period hasn't been exhausted if not? They require the SECK9 license. I'd maybe specify the local source-address in your crypto maps. Otherwise, nothing stands out as erroneous to me. -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Miller Sent: Tuesday, May 01, 2018 10:28 AM To: Alex K. Cc: cisco-nsp Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's Both sides show the same. cpe-rpa-kal-gw-01#show cry isa sa IPv4 Crypto ISAKMP SA dst src state conn-id status IPv6 Crypto ISAKMP SA cpe-rpa-kal-gw-01# wtc-mar-gw-01# show cry isa sa IPv4 Crypto ISAKMP SA dst src state conn-id status IPv6 Crypto ISAKMP SA wtc-mar-gw-01# Debug of RPA side shows this when crypto map VPNMAP removed and added back to gi0/0: *May 1 17:05:57.559: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map *May 1 17:05:57.559: IPSEC(rte_mgr): Delete Route found ID 3 *May 1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0 *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 3 *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0 *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4 *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0 *May 1 17:05:57.563: IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map *May 1 17:05:57.563: IPSEC(rte_mgr): Delete Route found ID 4 *May 1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0 *May 1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98 *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98 *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98 *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98 *May 1 17:06:02.131: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1 *May 1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0 *May 1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON On Tue, May 1, 2018 at 10:45 AM, Alex K.wrote: > Hi Scott, > > What state "show cry isa sa" the VPN ends on? Anyhow, your configuration > seems to be correct (I didn't went over the ACLs though, I hope they're > exact mirror of each other), Anything suspicious shows up with "debug cry > isakmp"? > > Not passing traffic might be related to your no-nat configuration, but in > my humble opinion, you can safely put it aside, till VPN reached so-called > QM_IDLE state. > > Alex. > > > בתאריך יום ג׳, 1 במאי 2018, 19:02, מאת Scott Miller >: > >> I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order >> to >> have access to eachother's network. >> >> On each side, I have them built as follows: >> >> Site WTC Inside network >> 192.168.1.0/24 >> 192.168.2.0/24 >> >> Site RPA Inside network >> 192.168.3.0/24 >> 192.168.4.0/24 >> >> WTC: >> crypto isakmp policy 11 >> encr 3des >> hash md5 >> authentication pre-share >> group 2 >> lifetime 28800 >> crypto isakmp key address 208.123.206.17 >> crypto isakmp nat keepalive 30 >> ! >> ! >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac >> ! >> crypto map VPNMAP 10 ipsec-isakmp >> description Connection to WTC >> set peer 208.123.206.17 >> set transform-set MYSET >> match address 110 >> reverse-route static >> >> interface GigabitEthernet0/0 >> crypto map VPNMAP >> >> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0 >> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255 >> access-list 110 permit ip
Re: [c-nsp] ASR-920 - Remote UPGRADE
We've not run into any post-upgrade operational problems so far. The only 'excitement' we've encountered is some automatic FPGA upgrades between some images. No problems with that process to date, but it does cause some nail biting as the router takes 10-15 minutes to complete this process and a couple of extra reboots. Fans tend to spin up 100% while this happens, something to be mindful of if you have a power budget. "Cisco IOS XE on Cisco ASR 920 Series Router (ASR-920-24SZ-IM) supports upgradeable firmware for field programmable hardware devices such as interface modules (IMs) and upgrades IM FPGA when ever there is an upgrade." http://www.cisco.com/c/en/us/td/docs/routers/asr920/hardware/chassis/guide/ASR920-Chassis-SW/SW_Install_Upgrade.html ASR920 FPGA version support is explained a little more here; http://www.cisco.com/c/en/us/td/docs/routers/asr920/release/notes/ASR920_rel_notes/intro.html -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Cutting Sent: January-13-17 10:27 AM To: cisco-nsp (cisco-nsp@puck.nether.net) Subject: [c-nsp] ASR-920 - Remote UPGRADE If I am upgrading from 3.16s to 3.18SP - is this safe to do remotely? I have MGT patched in, but not console cable. Any war stories would be greatly appreciated. Nick ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Help needed regarding the Eompls tunnel in Juniper & Cisco
You are describing something I ran into last week when I did some testing with Juniper ACX1100 and SRX300's, and a Cisco 7301 in our lab. I realize that the 7301 is a far cry from a 6500, but perhaps the anecdote will help. A Cisco 7301 was our P router in the lab, and had LDP propagation problems when the Cisco was using dot1q interfaces to talk to the Junipers. Ie; EX2200 <-> Juniper SRX300 <-dot1q-> Cisco 7301 <-dot1q-> Juniper ACX1100 <-> EX2200 The only measurable symptom - other than the l2circuit didn't function - was that the LDP tables on the Junipers were not showing -any- labels from the Cisco. Moving the Cisco config to the parent interface, or the native/untagged interface solved that issue, but was not acceptable for our production environment. However - the exact same config using dot1q interfaces worked fine when I replaced the Cisco 7301 with a Cisco ASR920. I never got to the bottom of "why", nor did I investigate further as the 7301's are long EOS/EOL. Your l2circuit appears to be up however, whereas ours would not owing to the missing labels. The config snippets you provided look sane - to my tired eyes at least. Our ACX1100 was tested fine with both 16.1R3.10, and 12.3X54-D27.1, and were using OSPF martini - no BGP/Kompella. -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ahsan Rasheed Sent: December-01-16 4:13 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Help needed regarding the Eompls tunnel in Juniper & Cisco Hi All, We are having some serious issue with one customer circuit.We are using eompls vlan based & we are unable to pass traffic over eompls (l2)tunnel between Cisco 3550 switches if we use specifically Cisco 6503 ,Cisco 6504 & 6506 etc. If we use Cisco switch 6524 instead of Cisco 6503 it is working. {(Cisco 3550 switch)--->(Cisco 6524)>(Juniper ACX 4000)>(Cisco 3550) }-->This setup is working.I am able to pass traffic end to end between Cisco 3550's. {(Cisco 3550 switch1)--->(Cisco 6503 or Cisco 6506))>(Juniper ACX 4000)>(Cisco 3550 switch2) }-->This setup is not working. Cisco 3550 switch1 vlan 1089(1.1.1.1/30)---trunk->sub interface eompls vlan 1089(Cisco 6503)->(ACX 4000)terminating tunnel on sub interface vlan 1089->Cisco 3550 switch2-trunk-vlan 1089(1.1.1.2/30) We are using bgp & ospf between Cisco 6503 & Juniper ACX 4000. Vlan 1089 as svi we are using on Cisco 3550 switch1 and allowing vlan 1089 as trunk connecting back to Cisco 6503,eompls vlan 1089 tunnel is configured on sub int on 6503 facing Cisco 3550 switch 1.Cisco 6503 is connected with juniper ACX 4000 & running bgp & ospf between each other.On ACX 4000 juniper eompls vlan based tunnel is terminating on sub interface facing Cisco 3550 switch 2. With Sup720 I was unable to pass traffic over tunnels although l2 eompls tunnel 1089 is up on both (Cisco 6503 & Juniper). See below. Below are the outputs & commands which i was running. ACX 4000 Juniper: chi> show l2circuit connections Layer-2 Circuit Connections: Neighbor: 63.250.238.225 Interface Type St Time last up # Up trans ge-1/1/0.1089(vc 1089)rmt Up Jan 2 12:45:23 2010 1 Remote PE: 63.250.238.225, Negotiated control-word: No Incoming label: 299776, Outgoing label: 19 Negotiated PW status TLV: No Local interface: ge-1/1/0.1089, Status: Up, Encapsulation: VLAN chi> show ospf neighbor Address Interface State ID Pri Dead 10.252.0.85 xe-0/2/0.0 Full 63.250.238.225 139 chi> show bgp summary Groups: 1 Peers: 1 Down peers: 0 Table Tot Paths Act Paths SuppressedHistory Damp State Pending inet.0 15 13 0 0 0 0 Peer AS InPkt OutPktOutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped... 63.250.238.22530373179200 0 0 1:21:40 13/15/15/0 0/0/0/0 show ldp neighbor AddressInterface Label space ID Hold time 63.250.238.225 lo0.0 63.250.238.225:0 40 63.250.250.219 lo0.0 0.0.0.0:00 10.252.0.85xe-0/2/0.0 63.250.238.225:0 11 set interfaces xe-0/2/0 mtu 9192 set interfaces xe-0/2/0 unit 0 bandwidth 10g set interfaces xe-0/2/0 unit 0 family inet mtu 1546 set interfaces xe-0/2/0 unit 0 family inet address 10.252.0.86/30 set interfaces xe-0/2/0 unit 0 family mpls set interfaces ge-1/1/0 vlan-tagging set interfaces ge-1/1/0 mtu 1564 set interfaces ge-1/1/0 media-type copper set interfaces ge-1/1/0 encapsulation flexible-ethernet-services set interfaces ge-1/1/0 unit 0 vlan-id 2062 set interfaces ge-1/1/0 unit 0 family inet address 10.254.62.9/29 primary set interfaces ge-1/1/0 unit 0 family inet address 63.250.226.153/30 set interfaces ge-1/1/0 unit
Re: [c-nsp] ISR4431-AX/K9
I happen to be staring at an ISR4431/K9 with the APPX license (purchased for the L2 features), and it allows nbar configuration for ipv4 and ipv6. I have none without said license pre-loaded, so cannot confirm if it's required or not. It doesn't seem to complain or spam the license EULA if I enable any NBAR2 pieces. Hope this helps shed some light; Running 15.4(3)S5 router#sh ip nbar version NBAR software version: 20 NBAR minimum backward compatible version: 20 Loaded Protocol Pack(s): Name:Advanced Protocol Pack Version: 12.0 Publisher: Cisco Systems Inc. NBAR Engine Version: 20 State: Active ABCPGRGBC-57-DAO-R01# sh license | inc ^Index|Permanent|Activated Index 1 Feature: appxk9 License Type: Permanent Index 2 Feature: uck9 Period left: Not Activated Index 3 Feature: securityk9 Period left: Not Activated Index 4 Feature: ipbasek9 License Type: Permanent Index 5 Feature: cme-srst Period left: Not Activated Index 6 Feature: hseck9 Index 7 Feature: throughput License Type: Permanent Index 8 Feature: internal_service -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steve Mikulasik Sent: July-13-16 12:00 PM To: Adam Greene; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] ISR4431-AX/K9 I believe NBAR 2 is in the AVX bundle, but there is normal NBAR support in the other bundles. -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam Greene Sent: Tuesday, July 12, 2016 10:50 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ISR4431-AX/K9 Hey guys, If I need a router that can do application based bandwidth throttling (NBAR2) at 500M-1G aggregate throughput, ISR4431-AX/K9 should do the trick, right? It seems to provide the features and throughput. Please tell me if I'm wrong (other services enabled on the router will be limited to BGP and OSPF). Thanks, Adam ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASR 901 and net-flow
As of 15.5(2r)S with the AdvancedMetroIPAccess license, ip flow ingres/egress can be enabled on SVI's, but nothing to configure anything useful like top talkers, or export flow data to a collector. There's no mention of it in any of the technical deep dive powerpoints or software configuration guides I've seen either (I've read most of them start to finish over the past few months). I've never bothered to ask TAC. -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Miller Sent: November-16-15 4:14 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] ASR 901 and net-flow Does anyone know if the ASR 901 supports net-flow? I can't find any documentation on it as of yet (only been searching about 30 min or so). I did read a couple posts in odd-ball places stating it's not supported on the 901. Can anyone confirm this? Thanks, Scott ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] BVI Configuration on 1600 Access Points
In my experience, 'bridge foo route ip' on BVI's other than bridge '1', is broken on all Aironet products that have come across my desk, since the 1200 series. Moving bridge-group 1 to the VLAN you wish to use for management - though goofy to look at - works. This comes with the caveat of your management VLAN having to be dot1q native on your subinterfaces. Eg; interface GigabitEthernet0.232 encapsulation dot1Q 232 native no ip proxy-arp no ip route-cache no cdp enable bridge-group 1 bridge-group 1 spanning-disabled no bridge-group 1 source-learning interface BVI1 ip address 172.30.99.207 255.255.255.0 no ip proxy-arp no ip route-cache no keepalive bridge 1 route ip In attempts to work this out, I always run into issues with CEF dropping traffic citing wrong cable, interface BVIfoo Removing the old BVI once configured, still leaves some stale oddness in CEF which has required a reboot to clean up. If you find another way around this, I'd be interested to hear it! -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Christopher Werny Sent: August-26-15 9:39 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] BVI Configuration on 1600 Access Points Good Evening, I am currently in the process of setting up three new (autonomous) access points for our office and running into an issue with the configuration of the BVI interface. What I want to achieve is creating a BVI Interface in separate VLAN (our Management VLAN 232 in this specific case) so that the AP is tagging all packets with the respective VLAN 232. However, after doing the configuration the AP is not reachable on the configured IP address. The AP is connected to a 2960 switch and the port configured as trunk. As soon as I configure the native vlan to 232 on the trunk port the management IP of the AP becomes reachable. This indicates that the AP is not tagging the packets at all. The access points are running: Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1) Relevant config snippets below: interface GigabitEthernet0.232 encapsulation dot1Q 232 no ip proxy-arp no ip route-cache no cdp enable bridge-group 232 bridge-group 232 spanning-disabled no bridge-group 232 source-learning interface BVI232 ip address 172.30.99.207 255.255.255.0 no ip proxy-arp no ip route-cache no keepalive bridge 232 route ip So, what am I missing? It might be something completely trivial, and feel free to slap me if this is the case ;) Thanks for your time! Best, Christopher ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Rancid permissions
In our experience, RANCID requires privilege level 15. The following from our tacacs conf works on IOS v15 devices. I'm sure you could do it just as easily with a parser view or some such. user = rancid { # default service = permit name = RANCID daemon login = (some password) # RANCID requires priv 15 to do it's thing service = exec { priv-lvl = 15 } # RANCID only uses these commands cmd = admin { permit .* } cmd = dir { permit .* } cmd = more { permit .* } cmd = show { permit .* } # This is redundant on all (our) devices #cmd = write { permit term } } -Original Message- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gavin Henry Sent: January-20-15 2:55 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Rancid permissions Hi all, Does anyone have a link to the permissions needs to get the full config for IOS 15? Thanks. -- Kind Regards, Gavin Henry. ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/