Re: [c-nsp] SD-WAN design for large scale
Look at Aryaka SDWAN which solves all these problems.

Cheers
Hitesh

On Tue, Mar 24, 2020 at 12:38 AM omar parihuana wrote:
> Guys I've just read the following document:
>
> https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/sd-wan/white-paper-c11-743108.html
>
> So I am asking about the IPsec tunnel scalability in SD-WAN large
> deployments. One benefit of L3VPN in MPLS is the full mesh connectivity.
> From the point of view of the CE one default route could be enough. Now in the SD-WAN
> data plane, if I want a full mesh topology a lot of IPsec tunnels are
> established... maybe I am wrong but I would expect n(n-1)/2 IPsec tunnels
> (without considering the second path); then for example if I have 300 branches I
> could expect 37350 tunnels... really? So hub-and-spoke will be the
> solution... comments please... maybe it is time to say goodbye to full mesh
> in SD-WAN deployments?
>
> --
> Omar E.P.T
> -
> Certified Networking Professionals make better Connections!

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
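Omar's tunnel-count question, worked through as an added example (not code from the thread or from the linked Cisco paper): it extends the n(n-1)/2 full-mesh figure to the second transport path he sets aside and puts hub-and-spoke and regional-mesh designs beside it; the hub and region counts are illustrative assumptions.

```python
"""Size the IPsec overlay for the SD-WAN topologies discussed in the thread.

Added example; not code from the thread or the Cisco paper it links. Counts are
tunnels (each tunnel carries at least a pair of IPsec SAs), every site is assumed
to have the same number of transports, and a site pair builds one tunnel per
transport pair, so two transports on each side means four tunnels between them.
"""
from dataclasses import dataclass
from math import ceil, comb


@dataclass(frozen=True)
class TunnelBudget:
    total: int       # tunnels in the whole overlay
    spoke_peak: int  # tunnels terminated on the busiest non-hub site
    hub_peak: int    # tunnels terminated on the busiest hub (0 if there is no hub)


def full_mesh(sites: int, transports: int = 1) -> TunnelBudget:
    """Every site pair peers over every transport pair: C(n,2) * t^2 tunnels."""
    per_link = transports ** 2
    return TunnelBudget(total=comb(sites, 2) * per_link,
                        spoke_peak=(sites - 1) * per_link,
                        hub_peak=0)


def hub_and_spoke(sites: int, hubs: int = 1, transports: int = 1) -> TunnelBudget:
    """Spokes peer only with the hubs; the hubs full-mesh among themselves (assumption)."""
    per_link = transports ** 2
    spokes = sites - hubs
    return TunnelBudget(total=(spokes * hubs + comb(hubs, 2)) * per_link,
                        spoke_peak=hubs * per_link,
                        hub_peak=(sites - 1) * per_link)


def regional_mesh(sites: int, regions: int, transports: int = 1) -> TunnelBudget:
    """Full mesh inside each region; one hub per region full-meshes with the other hubs.

    Regions are taken as equal-sized (rounded up), so the total is an upper bound
    when the site count does not divide evenly.
    """
    per_link = transports ** 2
    per_region = ceil(sites / regions)
    return TunnelBudget(total=(regions * comb(per_region, 2) + comb(regions, 2)) * per_link,
                        spoke_peak=(per_region - 1) * per_link,
                        hub_peak=(per_region - 1 + regions - 1) * per_link)


def compare(sites: int, transports: int) -> dict:
    """The designs the thread weighs against each other, side by side."""
    return {
        "full mesh": full_mesh(sites, transports),
        "hub-and-spoke, 2 hubs": hub_and_spoke(sites, 2, transports),
        "regional mesh, 10 regions": regional_mesh(sites, 10, transports),
    }


if __name__ == "__main__":
    # 300 branches, each with two transports (MPLS + Internet), as in the question.
    for name, b in compare(300, 2).items():
        print(f"{name:26} total={b.total:7d}  spoke_peak={b.spoke_peak:5d}  hub_peak={b.hub_peak:5d}")
```

The per-device peaks are the numbers to check against a branch router's tunnel limit; the total is what the controllers and key management have to carry.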
[c-nsp] DSL-Qos
Hi,

I am trying to mark packets at VAI interfaces and then use these markings to classify traffic into different classes when they exit the router downstream to the carrier. I don't see packets being classified at the physical interface, yet the IP precedence accounting shows correct marking. This is on a 7200 running 12.2(33)SRE6 SP services.

Scenario:

  Traffic IN -> LNS VAI (policy outbound, mark traffic) -> Physical interface (shaping + queueing)

Configuration VAI: class-maps and policy-map

  class-map match-all GOLD
   match access-group 101
  class-map match-all SILVER
   match access-group 102

  access-list 101 permit icmp host 111.111.111.111 any
  access-list 102 permit icmp host 222.222.222.222 any

  policy-map STD_POLICY1
   class GOLD
    set dscp af21
   class SILVER
    set dscp af22
   class class-default

Show commands for VAI:

  LNS#show policy-map session
  SSS session identifier 7 -

   Service-policy output: STD_POLICY1

    Class-map: GOLD (match-all)
     4135 packets, 4522926 bytes
     30 second offered rate 9000 bps, drop rate 0000 bps
     Match: access-group 101
     QoS Set
      dscp af21
       Packets marked 4138

    Class-map: SILVER (match-all)
     3649 packets, 3831450 bytes
     30 second offered rate 9000 bps, drop rate 0000 bps
     Match: access-group 102
     QoS Set
      dscp af22
       Packets marked 3653

    Class-map: class-default (match-any)
     418 packets, 37270 bytes
     30 second offered rate 0000 bps, drop rate 0000 bps
     Match: any

  LNS# show access-lists
  Extended IP access list 101
   10 permit icmp host 111.111.111.111 any (4171 matches)
  Extended IP access list 102
   10 permit icmp host 222.222.222.222 any (3685 matches)

Physical interface class-maps and policy-map configuration:

  class-map match-all EF
   match dscp ef
  class-map match-any CS1
   match dscp af11
   match dscp af12
   match dscp af13
  class-map match-any CS2
   match dscp af21
   match dscp af22
   match dscp af23
   match dscp cs2
  class-map match-any CS3
   match dscp af31
   match dscp af32
   match dscp af33
  class-map match-any CS4
   match dscp af41
   match dscp af42
   match dscp af43

  policy-map CHILD_POLICY
   class EF
    priority percent 10
   class CS4
    bandwidth percent 30
    random-detect dscp-based
    fair-queue
   class CS3
    bandwidth percent 20
    random-detect dscp-based
    fair-queue
   class CS2
    bandwidth percent 10
    fair-queue
    random-detect dscp-based
   class CS1
    bandwidth percent 5
    fair-queue
    random-detect dscp-based
   class class-default

Shaping policy:

  policy-map PARENT_1M_POLICY
   class class-default
    shape average 1000000
    service-policy CHILD_POLICY

Show commands for the physical interface:

  LNS# show policy-map interface FastEthernet0/0

   Service-policy output: PARENT_1M_POLICY

    Class-map: class-default (match-any)
     1148 packets, 90689 bytes
     5 minute offered rate 0000 bps, drop rate 0000 bps
     Match: any
     Queueing
     queue limit 64 packets
     (queue depth/total drops/no-buffer drops) 0/0/0
     (pkts output/bytes output) 8439/7685662
     shape (average) cir 1000000, bc 4000, be 4000
     target shape rate 1000000

     Service-policy : CHILD_POLICY

      queue stats for all priority classes:
       Queueing
       queue limit 64 packets
       (queue depth/total drops/no-buffer drops) 0/0/0
       (pkts output/bytes output) 0/0

      Class-map: EF (match-all)
       0 packets, 0 bytes
       5 minute offered rate 0000 bps, drop rate 0000 bps
       Match: dscp ef (46)
       Priority: 10% (100 kbps), burst bytes 2500, b/w exceed drops: 0

      Class-map: CS4 (match-any)
       0 packets, 0 bytes
       5 minute offered rate 0000 bps, drop rate 0000 bps
       Match: dscp af41 (34)
        0 packets, 0 bytes
        5 minute rate 0 bps
       Match: dscp af42 (36)
        0 packets, 0 bytes
        5 minute rate 0 bps
       Match: dscp af43 (38)
        0 packets, 0 bytes
        5 minute rate 0 bps
       Queueing
       queue limit 64 packets
       (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
       (pkts output/bytes output) 0/0
       bandwidth 30% (300 kbps)
        Exp-weight-constant: 9 (1/512)
        Mean queue depth: 0 packets
        dscp   Transmitted   Random drop   Tail/Flow drop  Minimum  Maximum  Mark
               pkts/bytes    pkts/bytes    pkts/bytes      thresh   thresh   prob
       Fair-queue: per-flow queue limit 16

      Class-map: CS3 (match-any)
       0 packets, 0 bytes
       5 minute offered rate 0000 bps, drop rate 0000 bps
       Match: dscp af31 (26)
        0 packets, 0 bytes
        5 minute rate 0 bps
       Match: dscp af32 (28)
        0 packets, 0 bytes
        5 minute rate 0 bps
       Match: dscp af33 (30)
        0 packets, 0 bytes
        5 minute rate 0 bps
[c-nsp] asr1001 4 full bgp feed
hi all,

could anyone confirm if an asr1001 can take 4 full BGP feeds of 450k routes each? I know that it has a limitation of 512k for the FIB but I'm not sure if that's only for the forwarding table, which I reckon would be all best routes, around 450k, assuming that we can hold 1.4 million routes (that is 450k from each peer) in the RIB using more RAM.

please comment

thanks
Hitesh
Re: [c-nsp] asr1001 4 full bgp feed
Thanks guys,

What license do we need for BGP, MPLS? Would Advanced IP Services suffice? The software advisor tool on Cisco is not much of a help.

Thanks
Hitesh

On Thu, Aug 1, 2013 at 12:45 PM, Łukasz Bromirski luk...@bromirski.net wrote:
> Yes, FIB only stores best paths (400k+), so you need to make sure you have at least 8GB of RAM and should be good to go.
>
> On the other hand, having a better ESP would make sense in terms of future growth, so take a look at the ASR 1002X.
>
> --
> ./
>
> On 1 Aug 2013 at 08:09, Hitesh Vinzoda vinzoda.hit...@gmail.com wrote:
>> hi all,
>>
>> could anyone confirm if an asr1001 can take 4 full BGP feeds of 450k routes each? I know that it has a limitation of 512k for the FIB but I'm not sure if that's only for the forwarding table, which I reckon would be all best routes, around 450k, assuming that we can hold 1.4 million routes (that is 450k from each peer) in the RIB using more RAM.
>>
>> please comment
>>
>> thanks
>> Hitesh
Re: [c-nsp] asr1001 4 full bgp feed
I think it's better to go for the 1002-X instead of the 1001 as we have to take IPv6 route table growth into the calculation as well.

Any comments on licensing?

Thanks
Hitesh

On Thu, Aug 1, 2013 at 1:44 PM, Adam Vitkovsky adam.vitkov...@swan.sk wrote:
>> Given the relentless growth of the global v4 table, I wouldn't feel comfortable with a FIB capability of 512K. How long do you think that'll suffice?
>
> Well looking at the weekly GRT report for the past few weeks it's roughly 41 weeks.
> 456943, 457245, 458665, 459588, 460435,
>
> adam
Re: [c-nsp] asr1001 4 full bgp feed
Thanks all,

Looks like we are sorted at the moment.

Cheers
Hitesh

On Thu, Aug 1, 2013 at 2:17 PM, Chris Balmain ch...@team.dcsi.net.au wrote:
> You will need advipservices for MPLS
>
> On 01/08/2013, at 6:18 PM, Hitesh Vinzoda vinzoda.hit...@gmail.com wrote:
>> I think it's better to go for the 1002-X instead of the 1001 as we have to take IPv6 route table growth into the calculation as well.
>>
>> Any comments on licensing?
>>
>> Thanks
>> Hitesh
>>
>> On Thu, Aug 1, 2013 at 1:44 PM, Adam Vitkovsky adam.vitkov...@swan.sk wrote:
>>>> Given the relentless growth of the global v4 table, I wouldn't feel comfortable with a FIB capability of 512K. How long do you think that'll suffice?
>>>
>>> Well looking at the weekly GRT report for the past few weeks it's roughly 41 weeks.
>>> 456943, 457245, 458665, 459588, 460435,
>>>
>>> adam
Re: [c-nsp] VTP and shared medium
hi there,

Can you please share the output of "show interface xxx trunk"?

Thanks

On Mon, Dec 24, 2012 at 10:34 AM, Victor Sudakov v...@mpeks.tomsk.su wrote:
> And a second question. If one port is in trunk mode and the other in access mode, shouldn't the untagged native Vlan1 traffic still flow as normal?
Re: [c-nsp] VTP and shared medium
Hi Victor,

Can you post the configuration on the other end? Seems like it hasn't negotiated the trunk. Further, you can also disable DTP using the command below:

  switchport nonegotiate

Thanks
Hitesh Vinzoda

On Fri, Dec 21, 2012 at 9:50 AM, Victor Sudakov v...@mpeks.tomsk.su wrote:
> I have configured a VTP domain and a VTP password on all the switches, however changes to the vlan database and other VTP information are not propagated to all the switches, or sometimes to some of the switches.
>
> The possible reason is that some ports are in access mode though configured for trunk mode? Why could that be?
>
> !
> interface GigabitEthernet0/1
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>
> #sh int GigabitEthernet0/1 switchport
> Switchport: Enabled
> Administrative Mode: trunk
> Operational Mode: static access
> Administrative Trunking Encapsulation: dot1q
> Operational Trunking Encapsulation: native
> Negotiation of Trunking: On
> Access Mode VLAN: 1 (default)
>
> Why is the port in static access mode while it is configured as "switchport mode trunk" and has the administrative mode trunk?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
Re: [c-nsp] me3600x - g0/25 ?!
Looks like a cosmetic bug..

Thanks
Hitesh Vinzoda

On Thu, Dec 20, 2012 at 8:01 PM, Aaron aar...@gvtc.com wrote:
> Doesn't seem to get rid of it. Here's what I just now did...
>
> - Rebooted... still there.
> - Tried "conf t", "no int g0/25"... got a message that I can't remove a hardware int.
> - Downloaded nvram:startup-config... removed g0/25 from the ascii file... uploaded startup-config to nvram... verified g0/25 wasn't in there... reloaded... guess what, g0/25 is not in the startup config even after reload, but g0/25 is in the running config.
>
> Also... conf t, int g0/? shows options 1-25
>
> Funny and weird
>
> Aaron
>
> -----Original Message-----
> From: Christian Meutes [mailto:christ...@errxtx.net]
> Sent: Wednesday, December 19, 2012 7:39 PM
> To: Aaron
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] me3600x - g0/25 ?!
>
> Happens when you insert SFPs in the SFP+ interfaces. The only way to get rid of them is a reboot.
>
> --
> Christian
>
> On 20.12.2012, at 03:29, Aaron aar...@gvtc.com wrote:
>> Any idea why I see an interface g0/25 on my me3600x? This may be following the IOS upgrade to 15.3(1)S. There are only 24 physical SFP interfaces on this box.
>>
>> Aaron
Re: [c-nsp] client VPN
What is the purpose of the Cisco router here? Just set the internet modem in bridged mode and let the Cisco ASA have the public IP address (the ASA can do PPPoE if required).

HTH
Hitesh Vinzoda

On Wed, Dec 19, 2012 at 12:25 AM, osama hammoudeh osama.hammou...@ad-tech.com.jo wrote:
> Dears
>
> I have a Cisco router connected to an internet modem which holds the public IP, and the Cisco router is connected to a Cisco ASA as follows:
>
> Modem:
>   Public IP on WAN interface 2.2.2.2
>   Private IP 192.168.200.1 (this interface is connected to the Cisco router)
>
> Cisco router:
>   External interface IP 192.168.200.2 (this interface is connected to the modem)
>   Internal interface IP 192.168.201.1 (this interface is connected to the ASA)
>
> Cisco ASA:
>   External interface IP 192.168.201.2 (this interface is connected to the Cisco router)
>   Internal interface IP 192.168.1.1 (this interface is used as the LAN gateway)
>
> We need to configure client VPN on the ASA; how can we do this setup on the ASA with the public IP on the modem?
>
> Best Regards,
Re: [c-nsp] private vlan ports
This could be helpful. It's an excerpt from Cisco's website..

Follow these guidelines when configuring PVLANs:

•To configure a PVLAN correctly, enable VTP in transparent mode.
•Do not include VLAN 1 or VLANs 1002 through 1005 in PVLANs.
•Use only PVLAN commands to assign ports to primary, isolated, or community VLANs. Layer 2 interfaces on primary, isolated, or community VLANs are inactive in PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.
•You cannot configure Layer 3 VLAN interfaces for secondary VLANs. Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the VLAN is configured as an isolated or community VLAN.
•Do not configure PVLAN ports as EtherChannel. EtherChannel ports in PVLANs are inactive.
•Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, its associated EtherChannel configuration is inactive.
•Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the PVLAN configuration.
•To prevent spanning tree loops due to misconfigurations, enable PortFast on the PVLAN trunk ports with the "spanning-tree portfast trunk" command.
•Any VLAN ACL configured on a secondary VLAN is effective in the input direction, and any VLAN ACL configured on the primary VLAN associated with the secondary VLAN is effective in the output direction.
•You can stop Layer 3 switching on an isolated or community VLAN by deleting the mapping of that VLAN with its primary VLAN.
•PVLAN ports can be on different network devices as long as the devices are trunk-connected and the primary and secondary VLANs remain associated with the trunk.
•Isolated ports on two different devices cannot communicate with each other, but community VLAN ports can.
•Private VLANs support the following SPAN features:
 –You can configure a private VLAN port as a SPAN source port.
 –You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to monitor egress or ingress traffic separately. For more information about SPAN, see Chapter 37, Configuring SPAN and RSPAN: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/span.html#wpxref25516
•A primary VLAN can be associated with multiple community VLANs, but only one isolated VLAN.
•An isolated or community VLAN can be associated with only one primary VLAN.
•If you delete a VLAN used in a private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
•VTP does not support private VLANs. You must configure private VLANs on each device in which you plan to use private VLAN ports.
•To maintain the security of your PVLAN configuration and avoid other use of VLANs configured as PVLANs, configure PVLANs on all intermediate devices, even if the devices have no PVLAN ports.
•Prune the PVLANs from trunks on devices that carry no traffic in the PVLANs.
•With port ACL functionality available, you can apply Cisco IOS ACLs to secondary VLAN ports and Cisco IOS ACLs to PVLANs (VACLs). For more information on VACLs, see Chapter 32, Configuring Network Security with ACLs: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/secure.html#wpxref26976
•You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs. (See Chapter 26, Configuring QoS: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/qos.html#wpxref73710) Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.
•On a PVLAN trunk port a secondary VLAN ACL is applied on ingress traffic and a primary VLAN ACL is applied on egress traffic.
•On a promiscuous port the primary VLAN ACL is applied on ingress traffic.
•PVLAN trunk ports support only IEEE 802.1q encapsulation.
•You cannot change the VTP mode to client or server for PVLANs.
•An isolated or community VLAN can have only one primary VLAN associated with it.
•VTP does not support PVLANs. You must configure PVLANs on each device where you want PVLAN ports.
•Community VLANs cannot be propagated or carried over private VLAN trunks.

Thanks
Hitesh

On Thu, Dec 13, 2012 at 7:29 PM, Christian Bösch boe...@fhv.at wrote:
> Hi,
>
> Two questions regarding Cisco private vlan ports:
>
> _ I have a switch with a couple of vlans which are carried over 2 trunk ports bundled into an etherchannel to the upper router, where they are routed with L3 vlan interfaces. On the switch I want some isolated private vlan ports, but I cannot set a promiscuous port because it is an etherchannel. Is there a workaround to solve this or is this setup impossible?
>
> _ I think private ports are working with an ingress ACL in the background? So what about IPv6 if the switch does not
Re: [c-nsp] pptp connection to 2600 with Windows VPN failing.
Just remove the MPPE configuration under the virtual-template and try...!

Thanks
Hitesh Vinzoda

On Fri, Dec 14, 2012 at 1:23 AM, Gert Doering g...@greenie.muc.de wrote:
> Hi,
>
> On Thu, Dec 13, 2012 at 04:59:10PM +0100, Christophe Lucas wrote:
>> interface Virtual-Template1
>>  ip unnumbered FastEthernet0/0
>>  autodetect encapsulation ppp
>>  peer default ip address pool vpn
>>  ppp encrypt mppe auto
>>  ppp authentication ms-chap-v2
>
> JFTR, I hope everybody on this list is aware that PPTP with MPPE/MS-CHAP-v2 is about as secure as using PAP and no encryption.
>
> If someone is able to sniff your PPTP/MPPE session, all they need is to insert $200 into cloudcracker.com, and next morning they will have the NTLM hash needed to authenticate against the server, impersonating the VPN client.
>
> See here for a detailed description:
> http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html
>
> Use IPSEC, SSL-VPN or OpenVPN.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            // www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
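Gert's point above can be turned into a configuration check. The following is an added example, not code from the thread: it scans an IOS-style running-config (constructed here, with Virtual-Template1 mirroring the block Christophe posted) for virtual-templates that PPTP dial-in hands sessions to and reports the MPPE and MS-CHAP-v2 lines on them.

```python
"""Find PPTP/MPPE/MS-CHAP-v2 remote-access templates in an IOS-style configuration.

Added example for Gert's warning, not code from the thread. It inventories the
weak combination he describes (PPTP sessions whose MPPE keys derive from an
MS-CHAP-v2 exchange) so the service can be migrated rather than left in place.
Only 'protocol pptp' under vpdn-group and the 'ppp ...' lines under
interface Virtual-Template are interpreted.
"""
import re
from dataclasses import dataclass

# Constructed sample, not from a real device. Virtual-Template1 mirrors the block
# quoted in the thread; Virtual-Template2 is reached via L2TP with EAP, not flagged.
SAMPLE_CONFIG = """\
vpdn-group PPTP-CLIENTS
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group L2TP-CLIENTS
 accept-dialin
  protocol l2tp
  virtual-template 2
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 autodetect encapsulation ppp
 peer default ip address pool vpn
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 peer default ip address pool vpn
 ppp authentication eap
!
"""

# PPP methods whose handshake is crackable offline once captured; the MS-CHAP-v2
# NT hash also keys MPPE, which is the point Gert makes.
WEAK_METHODS = {"pap", "chap", "ms-chap", "ms-chap-v2"}


@dataclass(frozen=True)
class Finding:
    interface: str
    line: str
    reason: str


def parse_stanzas(config: str) -> dict:
    """Top-level IOS stanza header -> stripped child lines ('!' or a blank line ends one)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
        elif not raw[0].isspace():
            current = raw.strip()
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(raw.strip())  # nested children are flattened
    return stanzas


def pptp_template_numbers(stanzas: dict) -> set:
    """Virtual-template numbers that a PPTP-accepting vpdn-group hands sessions to."""
    numbers = set()
    for header, lines in stanzas.items():
        if header.startswith("vpdn-group ") and "protocol pptp" in lines:
            for line in lines:
                m = re.fullmatch(r"virtual-template (\d+)", line)
                if m:
                    numbers.add(m.group(1))
    return numbers


def weak_auth_methods(line: str) -> list:
    """Weak methods on a 'ppp authentication ...' line; options such as 'callin' are skipped."""
    parts = line.split()
    if parts[:2] != ["ppp", "authentication"]:
        return []
    return [p for p in parts[2:] if p in WEAK_METHODS]


def audit(config: str) -> list:
    """Findings for PPTP-bound virtual-templates that use MPPE or a weak PPP auth method."""
    stanzas = parse_stanzas(config)
    pptp_templates = pptp_template_numbers(stanzas)
    findings = []
    for header, lines in stanzas.items():
        m = re.fullmatch(r"interface Virtual-Template(\d+)", header)
        if not m or m.group(1) not in pptp_templates:
            continue
        for line in lines:
            if line.startswith("ppp encrypt mppe"):
                findings.append(Finding(header, line, "MPPE keys derive from the MS-CHAP exchange; "
                                "recovering the NT hash from a captured session also recovers the traffic"))
            for method in weak_auth_methods(line):
                findings.append(Finding(header, line, f"{method} over PPTP is crackable offline from a "
                                "captured handshake; move the service to IPsec, SSL-VPN or OpenVPN"))
    return findings
```

Run it over collected running-configs to get a list of templates to retire; a template that is only reached via L2TP is deliberately left out because its protection depends on the IPsec underneath, not on MPPE.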
[c-nsp] Multicast through Cisco ME-3600
Hi,

I have recently noticed that routers running OSPF connected to two different ports and communicating via EFPs configured on a Cisco ME3600 cannot form an OSPF neighborship. I can't see hellos sent from the other end, while unicast and broadcast do work as I can see the ARP on both ends and we have end-to-end pings. Has anyone faced the same issue? I don't think it's a limitation.

My configuration for the setup is as below:

  TEST-RTR01 --- PORT21 --- ME3600 --- PORT22 --- TEST-RTR2

Relevant configuration and code:

  interface GigabitEthernet0/21
   description TEST-JUNIPER-2200
   port-type nni
   switchport trunk allowed vlan none
   switchport mode trunk
   service instance 1 ethernet
    description OSPF-TEST
    encapsulation dot1q 80
    bridge-domain 5050
   !
  end

  thn-me09#show run int gi0/22
  Building configuration...

  Current configuration : 255 bytes
  !
  interface GigabitEthernet0/22
   description TEST-4200-1-0-22
   port-type nni
   switchport trunk allowed vlan none
   switchport mode trunk
   service instance 1 ethernet
    description OSPF-TEST
    encapsulation dot1q 80
    bridge-domain 5050
   !

  Cisco IOS Software, ME360x Software (ME360x-UNIVERSAL-M), Version 12.2(52)EY3, RELEASE SOFTWARE (fc1)

Thanks in advance
Hitesh
Re: [c-nsp] Multicast through Cisco ME-3600
Hi Reuben,

This is what I thought, that we are on a very early release of IOS. The OSPF show commands don't reveal much, while the OSPF debugs reveal that they are sending hellos but the neighbors' hellos are not seen on either device. This pretty much suggests that the ME3600 is unable to handle multicast through EFP.

MTU is fine, and I also think that it would only come into the picture during DBD exchange, where they would get stuck in exstart state, which is not the case here.

Further, I don't see any special configuration under EFP where we have to define supporting config for multicast.

Thanks for the inputs though.

Best regards,
Hitesh

On Sat, Nov 24, 2012 at 4:12 PM, Reuben Farrelly reuben-cisco-...@reub.net wrote:
Re: [c-nsp] Half duplex VRF
Hi Gerald,

I have tested this and it worked like a charm.. thanks for sharing the working configuration.

Best Regards
Hitesh

On Fri, Oct 12, 2012 at 9:02 AM, Hitesh Vinzoda vinzoda.hit...@gmail.com wrote:
> Hi Gerald,
>
> Thanks for your inputs. Will try this configuration and let you know how it goes..!
>
> Cheers
> Hitesh
>
> On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause g...@ax.tc wrote:
>> Hi Hitesh,
>>
>> just to let you know how our working config looks. We had some problems in the beginning with half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected.
>>
>> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permits the traffic.
>>
>> LNS CONFIG
>> ==========
>>
>> LNS1#sh run vrf CUSTVRF-DOWN
>> Building configuration...
>>
>> Current configuration : 603 bytes
>> ip vrf CUSTVRF-DOWN
>>  rd 100:2
>>  route-target export 100:2
>>  route-target import 100:2
>> !
>> !
>> interface GigabitEthernet0/3.149
>>  encapsulation dot1Q 149
>>  ip vrf forwarding CUSTVRF-DOWN
>>  ip address 10.99.16.227 255.255.255.240
>> !
>> router bgp 1
>>  !
>>  address-family ipv4 vrf CUSTVRF-DOWN
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>  exit-address-family
>> !
>> end
>>
>> LNS1#sh run vrf CUSTVRF-UP
>> Building configuration...
>>
>> Current configuration : 816 bytes
>> ip vrf CUSTVRF-UP
>>  rd 100:3
>>  route-target export 100:3
>>  route-target import 100:1
>> !
>> !
>> interface GigabitEthernet0/3.148
>>  encapsulation dot1Q 148
>>  ip vrf forwarding CUSTVRF-UP
>>  ip address 10.99.16.243 255.255.255.240
>> !
>> interface Loopback102
>>  description CUSTVRF
>>  ip vrf forwarding CUSTVRF-UP
>>  ip address 10.99.17.254 255.255.255.255
>> !
>> router bgp 1
>>  !
>>  address-family ipv4 vrf CUSTVRF-UP
>>   no synchronization
>>   redistribute connected
>>   redistribute static
>>   default-information originate
>>  exit-address-family
>> !
>> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
>> end
>>
>> RADIUS ACCOUNTS (freeRadius)
>> ============================
>>
>> cust-vrfsite1 Password ==
>>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>>   Cisco-AVPair += ip:addr=10.99.17.68
>>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
>>
>> cust-vrfsite2 Password ==
>>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>>   Cisco-AVPair += ip:addr=10.99.17.69
>>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
>>
>> Gerald
>>
>> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
>>> Hi Arie,
>>>
>>> This is already in place and the virtual-access interfaces belong to this vrf and so do their PPP host routes. These routes are not visible in upstream vrf U, which is great, but these routes do appear in downstream vrf D, so that is the reason they route locally and don't go towards the hub CE.
>>>
>>> The illustrations that I have seen before have CE sites connected on different PE routers, whereas in my case the CE routers are connected to the same PE and hence we want to avoid local routing on the LNS.
>>>
>>> Please let me know your thoughts on this.
>>>
>>> Thanks
>>> Hitesh
>>>
>>> On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.com wrote:
>>>> So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them?
>>>>
>>>> You most likely should be downloading the "ip vrf forwarding U downstream D" command using the RADIUS attribute "lcp:interface-config=ip vrf forwarding U downstream D"…
>>>> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
>>>>
>>>> Arie
>>>>
>>>> From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
>>>> Sent: Wednesday, October 10, 2012 00:44
>>>> To: Arie Vayner (avayner)
>>>> Cc: Cisco Mailing list
>>>> Subject: Re: [c-nsp] Half duplex VRF
>>>>
>>>> Hi Arie,
>>>>
>>>> Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but it's visible in "show ip int virtual-access".
>>>> I have tried two different ways in RADIUS attributes but the results are the same.
>>>>
>>>> LNS#show ppp all
>>>> Interface/ID OPEN+ Nego* Fail-    Stage    Peer Address     Peer Name
>>>> ------------ --------------------- -------- ---------------- --------------------
>>>> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200  sp...@cerberusnetworks.co.uk
>>>> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100  m...@cerberusnetworks.co.uk
>>>>
>>>> LNS#show run int vir
>>>> LNS#show run int virtual-acc
>>>> LNS#show run int virtual-access 3
>>>> Building configuration...
>>>>
>>>> Current configuration : 78 bytes
>>>> !
>>>> interface Virtual-Access3
>>>>  ip mtu 1492
>>>>  ip verify unicast reverse-path
>>>> end
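Gerald's configuration above relies on a handful of properties that can be checked mechanically before a session is ever brought up. The following is an added example, not code from the thread: it parses a constructed LNS config excerpt and freeRADIUS users file modelled on his post (the quoted Cisco-AVPair syntax and the deliberately broken third user are assumptions) and reports each violated property.

```python
"""Lint a half-duplex VRF (HDVRF) setup: LNS VRF config plus freeRADIUS user entries.

Added example for the working configuration Gerald posted, not code from the thread.
For every RADIUS user it checks the properties the design relies on: both VRFs named
in ip:vrf-id exist on the LNS, they differ, the unnumbered loopback sits in the
upstream VRF, and the upstream VRF does not import the downstream VRF's export
route-target (if it did, spoke routes would be reachable upstream and spoke-to-spoke
traffic would be switched locally on the LNS instead of going via the hub).
"""
import re

# Constructed to mirror the posted 'sh run vrf' output; not a live config.
LNS_CONFIG = """\
ip vrf CUSTVRF-DOWN
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
ip vrf CUSTVRF-UP
 rd 100:3
 route-target export 100:3
 route-target import 100:1
!
interface Loopback102
 description CUSTVRF
 ip vrf forwarding CUSTVRF-UP
 ip address 10.99.17.254 255.255.255.255
!
"""

# Constructed freeRADIUS 'users' entries (quoted-value syntax assumed). cust-vrfsite3
# is deliberately broken: it names the downstream VRF on both sides of 'downstream'.
RADIUS_USERS = """\
cust-vrfsite1 Cleartext-Password := "placeholder"
    Cisco-AVPair += "ip:ip-unnumbered=Loopback102",
    Cisco-AVPair += "ip:addr=10.99.17.68",
    Cisco-AVPair += "ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN",
    Cisco-AVPair += "ip:route=10.98.8.0 255.255.255.0"

cust-vrfsite3 Cleartext-Password := "placeholder"
    Cisco-AVPair += "ip:ip-unnumbered=Loopback102",
    Cisco-AVPair += "ip:vrf-id=CUSTVRF-DOWN downstream CUSTVRF-DOWN",
    Cisco-AVPair += "ip:route=10.98.10.0 255.255.255.0"
"""

STANZA = r"^{head}\n((?:[ \t].*\n)*)"  # one header line plus its indented children


def vrf_route_targets(config: str) -> dict:
    """{vrf name: {'export': set, 'import': set}} taken from the 'ip vrf' stanzas."""
    rts = {}
    for m in re.finditer(STANZA.format(head=r"ip vrf (\S+)"), config, re.M):
        body = m.group(2)
        rts[m.group(1)] = {
            "export": set(re.findall(r"route-target export (\S+)", body)),
            "import": set(re.findall(r"route-target import (\S+)", body)),
        }
    return rts


def loopback_vrfs(config: str) -> dict:
    """{Loopback name: VRF it forwards in, or None when it is in the global table}."""
    out = {}
    for m in re.finditer(STANZA.format(head=r"interface (Loopback\d+)"), config, re.M):
        v = re.search(r"ip vrf forwarding (\S+)", m.group(2))
        out[m.group(1)] = v.group(1) if v else None
    return out


def radius_users(users: str) -> dict:
    """{username: {avpair key: value}} for the 'ip:' Cisco-AVPairs of each users entry."""
    result, current = {}, None
    for line in users.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new user
            current = line.split()[0]
            result[current] = {}
        elif current is not None:
            m = re.search(r'Cisco-AVPair \+= "ip:([^=]+)=([^"]*)"', line)
            if m:
                result[current][m.group(1)] = m.group(2)
    return result


def lint(config: str, users: str) -> list:
    """One human-readable problem per violated HDVRF property; empty when clean."""
    rts, loops, problems = vrf_route_targets(config), loopback_vrfs(config), []
    for user, av in radius_users(users).items():
        m = re.fullmatch(r"(\S+) downstream (\S+)", av.get("vrf-id", ""))
        if not m:
            problems.append(f"{user}: missing 'ip:vrf-id=<upstream> downstream <downstream>'")
            continue
        up, down = m.groups()
        if up not in rts or down not in rts:
            problems.append(f"{user}: VRF {up} or {down} is not defined on the LNS")
            continue
        if up == down:
            problems.append(f"{user}: upstream and downstream VRF are both {up}; no half-duplex split")
        elif rts[up]["import"] & rts[down]["export"]:
            problems.append(f"{user}: {up} imports {down}'s route-target; spoke routes leak upstream")
        lb = av.get("ip-unnumbered")
        if lb and loops.get(lb) != up:
            problems.append(f"{user}: {lb} is in VRF {loops.get(lb)}, expected upstream VRF {up}")
    return problems
```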
Re: [c-nsp] Half duplex VRF
Hi Gerald,

Thanks for your inputs. Will try this configuration and let you know how it goes..!

Cheers
Hitesh

On Thu, Oct 11, 2012 at 9:50 PM, Gerald Krause g...@ax.tc wrote:
> Hi Hitesh,
>
> just to let you know how our working config looks. We had some problems in the beginning with half duplex VRF on earlier IOS versions. Now we're running 122-33.SRE on a NPE-G2 and it works as expected.
>
> Traffic from site1 to site2 (both terminated via L2TP/PPP on the same LNS) will be directed (egress) to port GE0/3.148 towards the firewall 10.99.16.254 and then back (ingress) on port GE0/3.149 if the firewall permits the traffic.
>
> LNS CONFIG
> ==========
>
> LNS1#sh run vrf CUSTVRF-DOWN
> Building configuration...
>
> Current configuration : 603 bytes
> ip vrf CUSTVRF-DOWN
>  rd 100:2
>  route-target export 100:2
>  route-target import 100:2
> !
> !
> interface GigabitEthernet0/3.149
>  encapsulation dot1Q 149
>  ip vrf forwarding CUSTVRF-DOWN
>  ip address 10.99.16.227 255.255.255.240
> !
> router bgp 1
>  !
>  address-family ipv4 vrf CUSTVRF-DOWN
>   no synchronization
>   redistribute connected
>   redistribute static
>  exit-address-family
> !
> end
>
> LNS1#sh run vrf CUSTVRF-UP
> Building configuration...
>
> Current configuration : 816 bytes
> ip vrf CUSTVRF-UP
>  rd 100:3
>  route-target export 100:3
>  route-target import 100:1
> !
> !
> interface GigabitEthernet0/3.148
>  encapsulation dot1Q 148
>  ip vrf forwarding CUSTVRF-UP
>  ip address 10.99.16.243 255.255.255.240
> !
> interface Loopback102
>  description CUSTVRF
>  ip vrf forwarding CUSTVRF-UP
>  ip address 10.99.17.254 255.255.255.255
> !
> router bgp 1
>  !
>  address-family ipv4 vrf CUSTVRF-UP
>   no synchronization
>   redistribute connected
>   redistribute static
>   default-information originate
>  exit-address-family
> !
> ip route vrf CUSTVRF-UP 0.0.0.0 0.0.0.0 10.99.16.254
> end
>
> RADIUS ACCOUNTS (freeRadius)
> ============================
>
> cust-vrfsite1 Password ==
>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>   Cisco-AVPair += ip:addr=10.99.17.68
>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>   Cisco-AVPair += ip:route=10.98.8.0 255.255.255.0
>
> cust-vrfsite2 Password ==
>   Cisco-AVPair += ip:ip-unnumbered=Loopback102
>   Cisco-AVPair += ip:addr=10.99.17.69
>   Cisco-AVPair += ip:vrf-id=CUSTVRF-UP downstream CUSTVRF-DOWN
>   Cisco-AVPair += ip:route=10.98.9.0 255.255.255.0
>
> Gerald
>
> On 11.10.2012 07:45, Hitesh Vinzoda wrote:
>> Hi Arie,
>>
>> This is already in place and the virtual-access interfaces belong to this vrf and so do their PPP host routes. These routes are not visible in upstream vrf U, which is great, but these routes do appear in downstream vrf D, so that is the reason they route locally and don't go towards the hub CE.
>>
>> The illustrations that I have seen before have CE sites connected on different PE routers, whereas in my case the CE routers are connected to the same PE and hence we want to avoid local routing on the LNS.
>>
>> Please let me know your thoughts on this.
>>
>> Thanks
>> Hitesh
>>
>> On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.com wrote:
>>> So basically your PPP connections are in the global routing table… What is the profile you are downloading from RADIUS (debug radius) for them?
>>>
>>> You most likely should be downloading the "ip vrf forwarding U downstream D" command using the RADIUS attribute "lcp:interface-config=ip vrf forwarding U downstream D"…
>>> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907
>>>
>>> Arie
>>>
>>> From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
>>> Sent: Wednesday, October 10, 2012 00:44
>>> To: Arie Vayner (avayner)
>>> Cc: Cisco Mailing list
>>> Subject: Re: [c-nsp] Half duplex VRF
>>>
>>> Hi Arie,
>>>
>>> Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but it's visible in "show ip int virtual-access".
>>> I have tried two different ways in RADIUS attributes but the results are the same.
>>>
>>> LNS#show ppp all
>>> Interface/ID OPEN+ Nego* Fail-    Stage    Peer Address     Peer Name
>>> ------------ --------------------- -------- ---------------- --------------------
>>> Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200  sp...@cerberusnetworks.co.uk
>>> Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100  m...@cerberusnetworks.co.uk
>>>
>>> LNS#show run int vir
>>> LNS#show run int virtual-acc
>>> LNS#show run int virtual-access 3
>>> Building configuration...
>>>
>>> Current configuration : 78 bytes
>>> !
>>> interface Virtual-Access3
>>>  ip mtu 1492
>>>  ip verify unicast reverse-path
>>> end
>>>
>>> LNS#show run int virtual-access 4
>>> Building configuration...
>>>
>>> Current configuration : 78 bytes
>>> !
>>> interface Virtual-Access4
>>>  ip mtu 1492
Re: [c-nsp] Half duplex VRF
Hi Arie,

Below is the desired excerpt. We can't see the VRF config being applied to the interfaces but it's visible in "show ip int virtual-access".
I have tried two different ways in RADIUS attributes but the results are the same.

  LNS#show ppp all
  Interface/ID OPEN+ Nego* Fail-    Stage    Peer Address     Peer Name
  ------------ --------------------- -------- ---------------- --------------------
  Vi4          LCP+ CHAP+ IPCP+      LocalT   192.168.254.200  sp...@cerberusnetworks.co.uk
  Vi3          LCP+ CHAP+ IPCP+      LocalT   192.168.254.100  m...@cerberusnetworks.co.uk

  LNS#show run int vir
  LNS#show run int virtual-acc
  LNS#show run int virtual-access 3
  Building configuration...

  Current configuration : 78 bytes
  !
  interface Virtual-Access3
   ip mtu 1492
   ip verify unicast reverse-path
  end

  LNS#show run int virtual-access 4
  Building configuration...

  Current configuration : 78 bytes
  !
  interface Virtual-Access4
   ip mtu 1492
   ip verify unicast reverse-path
  end

  =
  LNS#show ip int virtual-access 3
  Virtual-Access3 is up, line protocol is up
    Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
    Broadcast address is 255.255.255.255
    Peer address is 192.168.254.100
    MTU is 1492 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is not set
    Proxy ARP is enabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP Flow switching is disabled
    IP CEF switching is enabled
    IP CEF switching turbo vector
    IP CEF turbo switching turbo vector
    VPN Routing/Forwarding U
    Downstream VPN Routing/Forwarding D
    Associated unicast routing topologies:
      ipv4 topologies in downstream VRF D :
        Topology base, operation state is UP
      ipv4 topologies in upstream(forwarding) VRF U:
        Topology base, operation state is UP
  ===

Thanks
Hitesh

On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) avay...@cisco.com wrote:
> Hitesh, how does your virtual-access look for the spokes?
> Can you please share the "show run interface virtual-access xx" for the spokes?
>
> Tnx
> Arie
>
> From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
> Sent: Tuesday, October 09, 2012 09:05
> To: Arie Vayner (avayner)
> Cc: Cisco Mailing list
> Subject: Re: [c-nsp] Half duplex VRF
>
> Hi Arie,
>
> I have attached the topology, .Net file and configs of the related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating the Hub.
>
> Cheers
> Hitesh
>
> On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.com wrote:
>> Hitesh, can you maybe share some of your configs?
>>
>> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
>> Sent: Tuesday, October 09, 2012 07:04
>> To: Cisco Mailing list
>> Subject: [c-nsp] Half duplex VRF
>>
>> I am trying to set up half duplex VRF to save VRFs on the LNS. Does anyone have a working configuration for spokes and Hub connected on the same PE router, i.e. the LNS? So far I am able to export-import the routes, but the traces from one spoke to the other go directly via the LNS instead of via the Hub.
>>
>> Please advise.
>>
>> TIA
>> Hitesh
Re: [c-nsp] Half duplex VRF
Hi Arie,

This is already in place: the virtual-access interfaces belong to this VRF, and so do their PPP host routes. These routes are not visible in the upstream VRF U, which is great, but they do appear in the downstream VRF D, so that is the reason they route locally and don't go towards the hub CE. The illustrations that I have seen before have CE sites connected on different PE routers, whereas in my case the CE routers are connected to the same PE and hence we want to avoid local routing on the LNS.

Please let me know your thoughts on this.

Thanks
Hitesh

On Wed, Oct 10, 2012 at 11:27 PM, Arie Vayner (avayner) avay...@cisco.com wrote:

So basically your PPP connections are in the global routing table... What is the profile you are downloading from RADIUS (debug radius) for them?

You most likely should be downloading the "ip vrf forwarding U downstream D" command using the RADIUS attribute "lcp:interface-config=ip vrf forwarding U downstream D"...
http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html#wp1099907

Arie

From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
Sent: Wednesday, October 10, 2012 00:44
To: Arie Vayner (avayner)
Cc: Cisco Mailing list
Subject: Re: [c-nsp] Half duplex VRF

Hi Arie,

Below is the desired excerpt. We can't see the VRF config being applied to the interfaces, but it is visible in show ip int virtual-access. I have tried two different ways in RADIUS attributes but the results are the same.

LNS#show ppp all
Interface/ID  OPEN+ Nego* Fail-  Stage   Peer Address     Peer Name
Vi4           LCP+ CHAP+ IPCP+   LocalT  192.168.254.200  sp...@cerberusnetworks.co.uk
Vi3           LCP+ CHAP+ IPCP+   LocalT  192.168.254.100  m...@cerberusnetworks.co.uk

LNS#show run int vir
LNS#show run int virtual-acc
LNS#show run int virtual-access 3
Building configuration...

Current configuration : 78 bytes
!
interface Virtual-Access3
 ip mtu 1492
 ip verify unicast reverse-path
end

LNS#show run int virtual-access 4
Building configuration...

Current configuration : 78 bytes
!
interface Virtual-Access4
 ip mtu 1492
 ip verify unicast reverse-path
end

LNS#show ip int virtual-access 3
Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.2.2.1)
  Broadcast address is 255.255.255.255
  Peer address is 192.168.254.100
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  VPN Routing/Forwarding U
  Downstream VPN Routing/Forwarding D
  Associated unicast routing topologies:
    ipv4 topologies in downstream VRF D :
      Topology base, operation state is UP
    ipv4 topologies in upstream(forwarding) VRF U:
      Topology base, operation state is UP

Thanks
Hitesh

On Tue, Oct 9, 2012 at 9:52 PM, Arie Vayner (avayner) avay...@cisco.com wrote:

Hitesh, how does your virtual-access look for the spokes? Can you please share the "show run interface virtual-access xx" for the spokes?

Tnx
Arie

From: Hitesh Vinzoda [mailto:vinzoda.hit...@gmail.com]
Sent: Tuesday, October 09, 2012 09:05
To: Arie Vayner (avayner)
Cc: Cisco Mailing list
Subject: Re: [c-nsp] Half duplex VRF

Hi Arie,

I have attached the topology, .Net file and configs of the related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating the Hub.

Cheers
Hitesh

On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.com wrote:

Hitesh, can you maybe share some of your configs?

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Tuesday, October 09, 2012 07:04
To: Cisco Mailing list
Subject: [c-nsp] Half duplex VRF

I am trying to set up half duplex VRF to save VRFs on the LNS. Does anyone have a working
[c-nsp] Half duplex VRF
I am trying to set up half duplex VRF to save VRFs on the LNS. Does anyone have a working configuration for spokes and Hub connected on the same PE router, i.e. the LNS? So far I am able to export-import the routes, but the traces from one spoke to the other go directly via the LNS instead of via the Hub. Please advise.

TIA
Hitesh
Re: [c-nsp] Half duplex VRF
Hi Arie,

I have attached the topology, .Net file and configs of the related devices. R8 and R9 are simulating spokes whereas Internet-RTR is simulating the Hub.

Cheers
Hitesh

On Tue, Oct 9, 2012 at 8:37 PM, Arie Vayner (avayner) avay...@cisco.com wrote:

Hitesh, can you maybe share some of your configs?

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Tuesday, October 09, 2012 07:04
To: Cisco Mailing list
Subject: [c-nsp] Half duplex VRF

I am trying to set up half duplex VRF to save VRFs on the LNS. Does anyone have a working configuration for spokes and Hub connected on the same PE router, i.e. the LNS? So far I am able to export-import the routes, but the traces from one spoke to the other go directly via the LNS instead of via the Hub. Please advise.

TIA
Hitesh
Re: [c-nsp] Cisco 7200 LNS Multilink per-user RADIUS attributes
Hi,

Try using Radreply as

Cisco-Avpair += multilink:max-links=2

instead of =

HTH

Thanks
Hitesh Vinzoda

On Tue, Aug 7, 2012 at 8:27 PM, Steve Glendinning st...@netthatworks.com wrote:

Hi all,

I'm trying to configure multilink PPP on a Cisco 7200 (NPE-G2) LNS (12.4(4)XD11), but the LNS is refusing to create the bundle:

Aug 7 15:44:19 BST: Vi714 MLP: Request add link to bundle
Aug 7 15:44:19 BST: Vi714 MLP: Adding link to bundle
Aug 7 15:44:19 BST: Vi714 MLP: Missing AAA per-user attributes
Aug 7 15:44:19 BST: Vi714 MLP: Bundle failed in creation/cloning
Aug 7 15:44:19 BST: Vi714 MLP: Link not added to bundle
Aug 7 15:44:19 BST: Vi714 IPCP: LCP not open, discarding packet
Aug 7 15:44:21 BST: Vi714 IPCP: LCP not open, discarding packet
Aug 7 15:44:23 BST: Vi714 IPCP: LCP not open, discarding packet
Aug 7 15:44:25 BST: Vi714 IPCP: LCP not open, discarding packet

Any idea how I can find out which AAA per-user attribute(s) it's missing and complaining about?

The RADIUS server is returning these attributes for the account:

Aug 7 15:16:58 BST: RADIUS: Service-Type [6] 6 Framed [2]
Aug 7 15:16:58 BST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Aug 7 15:16:58 BST: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255
Aug 7 15:16:58 BST: RADIUS: Framed-IP-Address [8] 6 xx.xx.xx.xx
Aug 7 15:16:58 BST: RADIUS: Vendor, Cisco [26] 46
Aug 7 15:16:58 BST: RADIUS: Cisco AVpair [1] 40 ip:dns-servers=xx.xx.xx.xx yy.yy.yy.yy
Aug 7 15:16:58 BST: RADIUS: Vendor, Cisco [26] 45
Aug 7 15:16:58 BST: RADIUS: Cisco AVpair [1] 39 ipv6:prefix#1=:::::/64
Aug 7 15:16:58 BST: RADIUS: Vendor, Cisco [26] 39
Aug 7 15:16:58 BST: RADIUS: Cisco AVpair [1] 33 ipv6:route#1=::::/48
Aug 7 15:16:58 BST: RADIUS: Acct-Interim-Interva[85] 6 3600

And I've also tried adding these, with no joy:

Cisco-Avpair = multilink:max-links=2
Cisco-Avpair = multilink:min-links=1
Cisco-Avpair = multilink:load-threshold=10
Cisco-Avpair = preauth:ppp-multilink=1

Thanks,
--
Steve Glendinning
[c-nsp] Cisco 7600 with MWAM as a LNS
Hi,

I am researching Cisco MWAM with Cisco 7600 for LNS deployment and have a few questions in mind. I hope someone has already worked on it, or maybe someone from Cisco can tell me about it, as there are fewer resources available for MWAM on the Cisco website as well as on the Internet.

What we are trying to achieve here is traditional wholesale DSL, where L2TP tunnels are handed over to us and we provide them the PPP connections over VPDN, as well as some MLPPP stuff whenever required. I know that MWAMs are end of sale and are replaced by SAMI, but still I believe they may fit our requirement till Dec 2014 when the support for MWAM ends, and later we can move to some other Cisco kit.

Here is the list of the features or services that we currently use on a Cisco 7206 VXR acting as an LNS.

1. PPPoVPDN
2. OSPF
3. VRF over DSL using Cisco Vendor Specific Attribute
4. VPDN Multi-hop
5. Multilink PPP
6. AAA accounting periodic update
7. PE-CE dynamic routing over PPPoVPDN or just per-VRF OSPF/RIP/EIGRP
8. Some basic subinterfaces for dot1q VLAN tagging to transit VRFs through the core.
9. DHCP Proxy client

Can the above requirements be accommodated with a 7600 with MWAM? I would appreciate it if someone could shed some light on this and share their experience as well as thoughts on this.

Thanks in advance
Hitesh
[c-nsp] Cisco SAMI modules
Hi,

Could anyone confirm whether the Cisco SAMI module on the 7600 supports traditional PPP over VPDN wholesale broadband?

Thanks
Hitesh
Re: [c-nsp] router does not see IGMP joins
Hi,

Is PIM enabled on that interface?

Thanks
Hitesh

On Thu, Apr 19, 2012 at 8:06 AM, Victor Sudakov v...@mpeks.tomsk.su wrote:

Victor Sudakov wrote:

What could be the reason that a Cisco 1841 router (IOS 12.4(13r)T) does not see IGMP joins to a particular group? tcpdump shows that the joins are being sent to the network, however debug ip igmp 224.0.1.3 does not show them.

It seems that the problem disappeared after the host sending IGMP joins was moved from a hub (10BASE-T HD) to a switch (100BASE-T FD). I am still confused about the possible cause of the problem.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: [c-nsp] IP address assignment to pppoe clients - Radius or DHCP
Thanks for all your support. Now the scenario is how to achieve redundancy in an LNS environment; I have heard that HSRP doesn't work in this case.

TIA
Hitesh

On Wed, Mar 9, 2011 at 12:28 AM, Bjørn Mork bj...@mork.no wrote:

Hitesh Vinzoda vinzoda.hit...@gmail.com writes:

But the problem is how to assign the DNS IP addresses and default gateway or default route (Framed-route) using Radius, though I'm carrying a wrong perception, as there is as such no attribute in Radius which assigns DNS IP addresses from Radius. This makes me think that it is the job of DHCP servers.

There are no standard RADIUS attributes for DNS server assignment, but many vendors have vendor specific solutions. Cisco's would be

Cisco-AVPair := ip:dns-servers=10.0.0.1 10.0.0.2

Most ppp clients will point their default route to the other end of the ppp link, i.e. whatever unnumbered interface you are referring to in your Virtual-Template. I don't understand why you would want to set this via RADIUS. AFAIK, IPCP doesn't include any routing information, so you would have to run some other protocol over the PPP link to communicate the route to the client. DHCP would fit.

Bjørn
[c-nsp] IP address assignment to pppoe clients - Radius or DHCP
Hi all,

I am trying to assign the IP address to PPPoE clients using Radius. The scenario is basically that we will have PPPoE clients (not Cisco, AFAIK) and they will be authenticated against FreeRadius from the LNS. I tried to find some documentation about it but found none. Especially, I have seen scenarios where ADSL clients retrieve an IP address automatically, with DNS server and default gateway to reach the internet, as soon as PPPoE is up. I tried it using Radius with the Framed-IPaddress attribute and it works like a charm. But the problem is how to assign the DNS IP addresses and default gateway or default route (Framed-route) using Radius, though I'm carrying a wrong perception, as there is as such no attribute in Radius which assigns DNS IP addresses from Radius. This makes me think that it is the job of DHCP servers.

Anyone out there who is running an ADSL ISP setup is requested to share how they basically assign the IP addresses to ADSL PPPoE clients: using Radius or DHCP? And how?

Thanks in Advance
Hitesh Vinzoda
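The Cisco-AVPair entries that come up in this thread (Bjørn's ip:dns-servers=...), in the 7200 multilink thread (the Radreply advice to use += for multilink:max-links=2) and in the Half duplex VRF thread (lcp:interface-config=ip vrf forwarding U downstream D) all travel in the same RADIUS container: a Vendor-Specific attribute (type 26) with Cisco's vendor-id 9 wrapping a vendor sub-attribute of type 1 (cisco-avpair). The following is an added example, not code from any of the posts, from Cisco or from FreeRADIUS. It builds that attribute for each of the three avpairs, reproduces the [26]/[1] lengths that IOS debug radius prints for them, and parses an Access-Accept attribute list back with the length checks a RADIUS receiver needs so a truncated or malformed attribute is rejected rather than misread. All addresses and attribute values in it are constructed sample data.

```python
"""RADIUS Cisco-AVPair vendor-specific attribute: build and parse.

Added example, not code from the list posts, Cisco or FreeRADIUS.
Wire format follows RFC 2865 section 5.26: attribute type 26, one-byte
length, four-byte vendor-id (9 = Cisco), then vendor sub-attributes
(type 1 = cisco-avpair, one-byte length, ASCII string).
All values below are constructed sample data.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for VSAs
ATTR_FRAMED_IP_ADDRESS = 8  # only used to show a non-VSA attribute being skipped
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of cisco-avpair
MAX_ATTR_LEN = 255          # the attribute length field is a single byte


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value framing of one RADIUS attribute; length counts itself."""
    length = 2 + len(value)
    if length > MAX_ATTR_LEN:
        raise ValueError("attribute value too long: %d bytes" % len(value))
    return struct.pack("!BB", attr_type, length) + value


def encode_cisco_avpair(avpair: str) -> bytes:
    """One complete VSA carrying a single cisco-avpair string.

    A FreeRADIUS reply line "Cisco-AVPair += ..." produces one of these per
    line; ":=" or "=" keep only a single instance, which is why several
    avpairs for one user need "+=" (the advice given on the 7200 thread)."""
    sub = encode_attr(CISCO_AVPAIR, avpair.encode("ascii"))
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def vsa_lengths(avpair: str) -> tuple:
    """(outer VSA length, inner sub-attribute length), the two numbers IOS
    prints as 'Vendor, Cisco [26] 46' and 'Cisco AVpair [1] 40' in debug radius."""
    vsa = encode_cisco_avpair(avpair)
    return vsa[1], vsa[7]   # byte 1: VSA length; byte 7: sub-attribute length


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every cisco-avpair string.

    Every length byte is checked against the remaining buffer before it is
    used, so a truncated or malformed attribute raises ValueError instead of
    being silently misread; non-VSA attributes and other vendors are skipped."""
    found = []
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub, spos = value[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            stype, slen = sub[spos], sub[spos + 1]
            if slen < 2 or spos + slen > len(sub):
                raise ValueError("bad vendor sub-attribute length %d" % slen)
            if stype == CISCO_AVPAIR:
                found.append(sub[spos + 2:spos + slen].decode("ascii"))
            spos += slen
    return found


# Constructed Access-Accept attribute list: the three avpairs the threads talk
# about, preceded by a Framed-IP-Address (10.0.0.5, constructed) to show that a
# non-VSA attribute is passed over.
SAMPLE_AVPAIRS = [
    "lcp:interface-config=ip vrf forwarding U downstream D",
    "multilink:max-links=2",
    "ip:dns-servers=192.168.1.1 192.168.1.2",
]
SAMPLE_ACCEPT = encode_attr(ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])) + b"".join(
    encode_cisco_avpair(a) for a in SAMPLE_AVPAIRS
)

if __name__ == "__main__":
    for a in SAMPLE_AVPAIRS:
        print("[26] %d / [1] %d  %s" % (vsa_lengths(a) + (a,)))
    print(decode_cisco_avpairs(SAMPLE_ACCEPT))
```

The lengths come out exactly as the 7200 thread's debug shows them: the outer VSA length is always 6 more than the string length (type, length and four vendor-id bytes) and the sub-attribute length 2 more, so the "[26] 46 / [1] 40" pair in that debug output corresponds to a 38-character string, i.e. ip:dns-servers= followed by two addresses totalling 23 characters. The decoder deliberately refuses to trust a length byte that runs past the buffer; a parser that does trust it is the classic way a malformed Access-Accept turns into an out-of-bounds read.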
[c-nsp] High Memory Usage due to NAT
I'm facing a strange issue regarding NAT. The problem statement is as below.

NAT configured on a 3845 with 12.4.24 T ADV ENT SERVICES.

- Have got 64 /25 inside subnets to do the NAT with 64 live IPs, one for each /25 inside subnet.
- I checked the processes and memory on the freshly loaded router, which comes out to be 49 MB of free memory.
- Started the NAT on the router with 8 of the /25 inside IP pools with policy NAT to 8 live IPs. The router hung within 3 hours due to no availability of free memory. Rebooted it and removed the NAT.
- Checked the Cisco website for NAT; it says 312 bytes per translation, which gives us around 3 MB for 1 translations. Checked the logs and found peak translations only to be 15000.
- Found that the problem was the NAT ACL with an "any" statement in the destination portion (extended one). Changed it to a standard ACL with no "any" statement.
- Reviewed and resumed the NAT on the router. It works now, but it uses around 20 MB of memory for just 1 translation entries.
- Checked the UDP, TCP and ICMP timeouts. Limited UDP to 4 mins, TCP to 25 mins and ICMP to 5 mins. Was able to free only 2 MB or so from 20 MB.
- Changed the IOS from ADV ENT SERVICES to IP Base to get rid of unwanted processes and services, as the main aim of this router is to run NAT.
- The freshly loaded router gave me 120 MB of free space and I was happy now to test out the things.
- Again started the NAT for 8 pools of /25 inside subnets with 8 live IPs (policy NAT).
- At 25000 translations it eats up memory of around 24 MB.
- Turned off virtual reassembly as it was reaching the threshold very often.
- Migrated another 8 pools of /25, which comes to a total of 16 /25 inside subnets, and free memory left is 64 MB, with peak translations up to 42000 and active translations 15000 on average.
- It often gives I/O memory errors too (with only 16 /25 pools configured on it).
- All this stuff works fine with a Netscreen firewall overloaded with only 4 IPs for all 64 /25 pools.

(Does Netscreen have an edge over Cisco when it comes to NAT??) I wonder..!

If Cisco says that only 312 bytes are required for storing a single translation, why am I not able to free my DRAM memory? Tried my luck with everything. Need some expert advice on this to figure out the high memory usage of NAT.

NOTE: Only a default route and no other services are used on the router apart from Netflow.

Thanks in Advance

Regards
Ronnie
[c-nsp] Not Allowing Vlan 1 on trunk ports
Dear All,

Is there a way to suppress VLAN 1 from passing over a trunk link, because I'm not able to shut down the L2 VLAN 1?

Regards
Ronnie
[c-nsp] VLAN 1 through routed ports
Can VLAN 1 pass through routed ports between layer 3 switches?
Re: [c-nsp] VLAN 1 through routed ports
I'm having an old setup of two 6509s connected together by means of routed ports. On one of the 6509s I have VLAN 1 with a user subnet configured on it along with DHCP. Now when I connect anything on VLAN 1 on the 2nd 6509, the desktop is leased with the IP of VLAN 1 configured on 6509-1. Any idea why I'm getting an IP leased through DHCP?

Note: no helper commands are used on VLAN 1 of 6509-2 and no IP address exists on SVI VLAN 1.

Regards

On Thu, Jan 8, 2009 at 5:07 PM, Gert Doering g...@greenie.muc.de wrote:

Hi,

On Thu, Jan 08, 2009 at 04:48:37PM +0530, Hitesh Vinzoda wrote:

Can VLAN 1 pass through routed ports between layer 3 switches?

By definition a VLAN (which is a L2 thing) can't pass through routed ports. If you need that, you need to set up some sort of bridging-over-L3, either with EoMPLS or L2TPv3.

gert

--
USENET is *not* the non-clickable part of WWW! // www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] ASA AIP-SSM-10
I'm through. Thanks
Ronnie

On Thu, Nov 27, 2008 at 5:58 AM, Joerg Mayer [EMAIL PROTECTED] wrote:

On Thu, Nov 27, 2008 at 03:28:38AM -0800, Hitesh Vinzoda wrote:

Does that tftp server need to be on the same subnet as the one I had for the IPS, or is nothing to be done?

That tftp-server can be any box reachable by IP (you can set a default-gw as well). The commands are:

hw module 1 recover configure
(then answer the questions about tftp-server, default-gw etc)

debug module
(just to have something to watch when running the next command :-)

hw module 1 recover boot
(this will actually *do* the recovery).

Ciao
Joerg

--
Joerg Mayer [EMAIL PROTECTED]
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
Re: [c-nsp] ASA AIP-SSM-10
Does that tftp server need to be on the same subnet as the one I had for the IPS, or is nothing to be done?

Regards

On 11/26/08, Joerg Mayer [EMAIL PROTECTED] wrote:

On Wed, Nov 26, 2008 at 01:30:32AM -0800, Hitesh Vinzoda wrote:

We were upgrading the patches on the AIP-SSM-10 and the IPS seems not to be coming up after reload. The module status is UNRESPONSIVE. Moreover, we haven't configured recovery on it. Please suggest how to bring up the IDS from scratch.

You configure the recovery on the ASA (hw module configure recover or something to that end). Make sure you have a tftp-server connected to the external ge-port of the AIP. Start recovery (hw module recover or whatever). The commands all need to be typed from the ASA command line; the ASA acts as the rommon replacement for the SSMs. There's also a debug (on the ASA) that lets you watch the recovery process, but I currently don't remember the exact debug command.

ciao
Joerg

--
Joerg Mayer [EMAIL PROTECTED]
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
[c-nsp] ASA AIP-SSM-10
Dear all,

We were upgrading the patches on the AIP-SSM-10 and the IPS seems not to be coming up after reload. The module status is UNRESPONSIVE. Moreover, we haven't configured recovery on it. Please suggest how to bring up the IDS from scratch.

Thanks
Ronnie
[c-nsp] Multicast issue
Hi all,

I had configured multicast in my LAN using sparse-dense mode. The RP and group are defined statically on each L3 switch. I'm receiving the multicast beyond all L3s except the ones running HSRP. Any ideas, guys?

Regards
Hitesh Vinzoda
[c-nsp] Fwd: Delivery Status Notification (Failure)
-- Forwarded message --
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Date: Nov 10, 2008 2:01 AM
Subject: Delivery Status Notification (Failure)
To: [EMAIL PROTECTED]

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

[EMAIL PROTECTED]

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 [EMAIL PROTECTED]... User unknown (state 14).

----- Original message -----

Received: by 10.141.115.6 with SMTP id s6mr3480514rvm.58.1226311300539; Mon, 10 Nov 2008 02:01:40 -0800 (PST)
Received: by 10.141.198.17 with HTTP; Mon, 10 Nov 2008 02:01:40 -0800 (PST)
Message-ID: [EMAIL PROTECTED]
Date: Mon, 10 Nov 2008 02:01:40 -0800
From: Hitesh Vinzoda [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Cisco ASA 5510 VPN problem
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_Part_47910_25183294.1226311300543

--=_Part_47910_25183294.1226311300543
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

I have a Cisco ASA 5510 and I had configured remote access VPN on it, but for some reason I'm not able to ping the inside interface from the VPN, although I get connected every time I try. Please advise. Also,

- Message truncated -
[c-nsp] FWSM Access-control lists
Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24) and all of them are sitting behind an FWSM. The current ACL applied is permit ip any any. Now we have got the details of one server communicating on some ports, for which we are going to apply the ACL. I came to know about the line numbers in ACEs, but for me it's not working.

Say e.g. my LAN is untrusted (192.168.0.0/16):

access-list test line 1 extended permit ip 192.168.2.0 host 172.16.2.20 eq www
access-list test line 2 extended permit ip 192.168.2.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit ip 192.168.2.0 host 172.16.2.20 eq 445

Now any other traffic for that particular server will be denied:

access-list test line 500 extended permit ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the sh access-list command, it shows the line numbers for 500 and 501 as 4 and 5 respectively, i.e. anything added later is appended. I want to have ip any any at line 15000, which will be removed once all the ACEs for each server are in place.

The FWSM is running 3.2. Any ideas about getting lines 500 and 501 fixed at their respective places?

Thanks in advance
Hitesh Vinzoda
Re: [c-nsp] L2VPN Interworking
Check the MTU size on the interfaces.

Regards
Hitesh Vinzoda

On 11/10/08, Mohammad Khalil [EMAIL PROTECTED] wrote:

Dears,

I have the following setup:

CE1 -- PE1 -- MPLS Cloud -- PE2 -- CE2

PE1 is a 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-33.SRD.bin
PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-33.SRC1.bin

CE1 -- PE1 is an ATM connection
CE2 -- PE2 is a VLAN connection (sub-interface)

I have established an xconnect between the 2 sides. The xconnect is up and there is a ping between the 2 sides, but the problem is in the size: when I issue the command ping x.x.x.x repeat 1000 size 1500 I face remarkable packet drop!! Any ideas?? Knowing that there is no congestion at all in my links nor through the MPLS cloud.
[c-nsp] HSRP With Multicast
Hi,

I'm having HSRP running between two 4507s and PIM sparse on the SVIs of both of them. I had configured a static RP for multicast for a specific group. Now the problem is that when PIM sparse is enabled on the HSRP interfaces (SVIs on both 4507s), multicast doesn't work. When I remove it from any one of them, it works!!! Can anyone tell me whether it is a problem with the DR (Designated Router) or what... I want to have PIM sparse enabled on both the SVIs.

Thanks in advance
Ronnie
[c-nsp] Cisco 2811
Can anyone please tell me the switching fabric capabilities of the Cisco 2811? Due to a high IP input rate my CPU utilization is getting high.

Thanks in advance

Regards
Ronnie
[c-nsp] High CPU Utilization
Dear All,

I have got a Cisco 2800 router. Its CPU is continuously monitored to be at 99%. It has got only two Fast Ethernet ports and the traffic on these ports reaches the maximum. When you analyze the traffic going through these ports, most is IP traffic (98%). I tried fast switching on these ports using ip route-cache on the interfaces, but it didn't help in lowering the CPU utilization. Advice to lower the CPU utilization?

Thanks in advance
Ronnie
[c-nsp] Routed Vlans
Dear All,

I have got a Layer 3 switch attached to another Layer 3 switch with OSPF running between them. The link between them is a Layer 2 trunk, just because I have to extend a VLAN which is behind the trunk. When I perform TRACERT I can see the IPs of the interfaces of both switches. Does this mean the traffic is routed even if it is going over the L2 trunk? I want to route the VLAN over a routed link and have it function as a Layer 2 VLAN. Is it possible...? Meaning:

PC (VLAN 25) -- L3 Switch -- Trunk + OSPF -- L3 Switch -- PC (VLAN 25)

I want the VLANs to travel over a routed link instead of, as right now, going through a configured trunk. Please advise.

Thanks

Regards
Ronnie
[c-nsp] Fwd: %SCHED-3-STUCKMTMR: Sleep with expired managed timer
-- Forwarded message --
From: Hitesh Vinzoda [EMAIL PROTECTED]
Date: Aug 2, 2007 8:16 AM
Subject: %SCHED-3-STUCKMTMR: Sleep with expired managed timer
To: Cisco Mailing list cisco-nsp@puck.nether.net

Hi guys,

I'm getting the error

Aug 2 07:56:04.321: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 528346D0, time 0x32D50DB30 (16:02:04 ago).
-Process= SNMP Timers, ipl= 5, pid= 158
-Traceback= 41052F18 410534B0 40E95EB0

I think it's an SNMP error. It is also not allowing my NMS to poll the interfaces of the device. Any idea how to get rid of it?

Thanks
Ronnie
[c-nsp] %SCHED-3-STUCKMTMR: Sleep with expired managed timer
Hi guys,

I'm getting the error

Aug 2 07:56:04.321: %SCHED-3-STUCKMTMR: Sleep with expired managed timer 528346D0, time 0x32D50DB30 (16:02:04 ago).
-Process= SNMP Timers, ipl= 5, pid= 158
-Traceback= 41052F18 410534B0 40E95EB0

I think it's an SNMP error. It is also not allowing my NMS to poll the interfaces of the device. Any idea how to get rid of it?

Thanks
Ronnie
Re: [c-nsp] NTP Config
Hey guys,

Thanks for your suggestions... but we are going pretty deep inside. I don't want to sync my 6509s with any public time sources. I want 1 out of the 4 6509s to act as NTP master, I want redundancy in the core for NTP, and I want my 350 LAN devices to be able to update the time from the NTP server (6509). Please advise.

Thanks in advance
Ronnie

On 7/12/07, Tony Li [EMAIL PROTECTED] wrote:

I tend to use tick and tock (.usno.navy.mil) for my stratum-2 servers. There are others which allow public access, but why not just go to the horse's mouth?

The horse can be pretty far away. If you're topologically distant, then access to tick and tock might have substantial amounts of jitter that might affect the quality of time that you're able to maintain. Other nearby servers may provide you better chime.

Tony
[c-nsp] NTP Config
I have got 4 Cisco 6509s in a mesh for the core and I want to enable NTP on those to act as a master. I went through the config; the only option there is to configure ntp master stratum 8 (8 is the default value). Does only this command enable the device to act as an NTP server? Suggestions are invited for the config of NTP in a mesh of 6509s with etherchannels for redundancy of NTP.

Thanks in advance
Ronnie