Re: [c-nsp] Weird Frame-relay / L3 connectivity problem
Hello Kenny,

What was Cisco's reply for this problem?

Thanks
Ibrahim Abo Zaid, CCIE#27702

On Tue, Apr 13, 2010 at 1:00 AM, Kenny Sallee kenny.sal...@gmail.com wrote:

What's the provider's take on this? The problem initially appears to be in their end according to what you write.
-- Peter

I've worked with the provider and Cisco today. Looks like perhaps a new(?) bug that has to do with the way the provider applied QoS and our request to use frame relay encapsulation (over P2P links). Cisco removed the service-policy from the PE router sub-interface and voila! L3 connectivity was restored. Cisco and the provider are still investigating. I have requested a change to HDLC for the affected customers.

Thanks for the reply,
Kenny

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Backup edge port
Hi All,

I have a server connected to 2 switches and need to implement a primary/backup scenario on the ports connected to the server from both switches, so the edge port in switch 1 is primary and the edge port in switch 2 is backup and doesn't forward traffic unless the port of switch 1 fails. How can this be achieved? I think of using STP but I'm not sure if edge ports can help if the edge port of switch 2 is in blocking state. Any suggestion?

Thanks
Ibrahim Abo Zaid
CCIE#27702 (Service Provider)
[c-nsp] Question about LLQ
Hello,

I'm a bit confused about the bandwidth assigned for the priority queue when using LLQ. If the assigned amount of BW for the PQ is a high percentage of the interface bandwidth, say 50%, and the offered priority traffic rate doesn't consume that much, my question is whether the unused amount of BW can be assigned to other non-priority classes. I read a couple of papers in Cisco; some said YES, the total amount of unused BW is proportionally shared between classes according to the configured bandwidth, and some consider the concept of total available bandwidth, which is the maximum amount of interface bandwidth that can be used by non-priority classes, and this amount = total interface bw - [ Reserved BW (Def is 25% of interface bw) + priority classes BW ].

I need to know if both are correct? Does it depend on interface types?

Thanks
Ibrahim Abo Zaid, CCIE#27707
[c-nsp] RSVP and TE bandwidth management
Hi all,

I need to know if RSVP supports over-provisioning of TE tunnels on links or whether there is a CAC mechanism? Can the current reservation on a single link exceed maximum-bandwidth? Also, if auto-bw adjustment isn't enabled, is the signaled BW reserved for good even if no traffic load uses the tunnel? And if RSVP isn't used as QoS to guarantee BW in TE-links, how can BW be reserved for different LSPs on a TE-link? I can think only about assigning each tunnel an EXP value and applying a policy-map that matches the different EXP values and assigns BW. Any other thoughts?

Thanks
--Ibrahim Abo Zaid
[c-nsp] neighbor remove-private-as don't work on PE-CE
Hi all,

I was labbing some BGP features and I have PE-CE with eBGP peering between them, using a private ASN on the CE. I tried to remove private AS numbers from updates advertised to the PE with no chance. Any ideas why that doesn't work? I think this feature doesn't work with PE-CE but works normally between global eBGP neighbors.

thanks
ibrahim
Re: [c-nsp] neighbor remove-private-as don't work on PE-CE
Hi Heath,

Sorry I didn't make it clear, but I was using local-as between them and I want the PE router to appear to the CE as if it belongs to a different AS (with a private ASN), but the updates from PE to CE contain the real ASN only, not the private one. Plz ignore the previous description.

thanks

On Wed, Oct 6, 2010 at 4:41 PM, Heath Jones hj1...@gmail.com wrote:

Ibrahim, a link for you: http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080093f29.shtml
Re: [c-nsp] neighbor remove-private-as don't work on PE-CE
Yes, you got me now, but as you know, in route-map configuration I can only prepend to the as-path, not delete. I mean that the prepend action adds a given number of occurrences of a specific ASN to the current AS-Path but it doesn't modify it; it can't be used to remove/delete some AS strings from it. So how can I edit the AS-path for received updates?

On Wed, Oct 6, 2010 at 5:16 PM, Heath Jones hj1...@gmail.com wrote:

sorry i didn't make it clear but i was using local-as between them and i want PE router to appear to CE as it belongs to different AS (with private ASN) but the updates from PE to CE contains real ASN number only not the private one plz ignore the previous description

There are 2 places where you see a neighboring eBGP router's AS number.
- neighbor configuration on the local router
- nlri's sent from the neighbor

It sounds from this new description that you want the CE 65510 to neighbor with PE 65530, but updates from PE 65530 will show its public AS number? According to BGP specification, the CE should receive nlri's containing 65530 in the path. You could configure filtering on the CE router to remove 65530 and prepend the real AS number. Does that help?
Re: [c-nsp] neighbor remove-private-as don't work on PE-CE
Sorry guys, but I already tried as-override and remove private before posting :) Here is the topology to give you a wider image about the topology. Cory, plz check the topology. As I said before, I need CE1 to see the routes of CE2 without 64550 in the as-path. I hope you got me now.

On Wed, Oct 6, 2010 at 6:05 PM, Heath Jones hj1...@gmail.com wrote:

If the customer is provisioned inside a VRF you could use the AS-override feature to rewrite each AS Hop in the path to the configured BGP neighbor ASN. http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_n1.html#wp1034057

Yep, looks like you should use either of these, depending on scenario:
as-override = Override matching AS-number while sending update
remove-private-as = Remove private AS number from outbound updates

I think Cory is probably correct as this does sound like a VRF scenario...

Why do you need to manipulate the path attribute? What are you trying to accomplish? Perhaps there is another approach. Otherwise
Re: [c-nsp] neighbor remove-private-as don't work on PE-CE
Yes, and it is still here, and that is normal because it is an eBGP session in the end, so PE1 will attach its ASN in outbound updates. But as you know, with the local-as feature we can manipulate the real ASN and make it replaced with the local ASN, but I can't do the reverse and that is what I want. Any ideas?

On Wed, Oct 6, 2010 at 7:08 PM, Roger Wiklund co...@xy.org wrote:

Have you tried local-as no-prepend replace-as. That should only show the local-as in the path, and thus you can manipulate it that way.

Regards
Roger

On Wed, Oct 6, 2010 at 6:23 PM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

sorry guys , but i already tried as-override and remove private before posting :) here is the topology to give you a wider image about the topology Cory plz check the topology as i said before , i need CE1 to see the routes of CE2 without 64550 in as-path i hope you got me now

On Wed, Oct 6, 2010 at 6:05 PM, Heath Jones hj1...@gmail.com wrote:

If the customer is provisioned inside a VRF you could use the AS-override feature to rewrite each AS Hop in the path to the configured BGP neighbor ASN. http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_n1.html#wp1034057

Yep, looks like you should use either of these, depending on scenario:
as-override = Override matching AS-number while sending update
remove-private-as = Remove private AS number from outbound updates

I think Cory is probably correct as this does sound like a VRF scenario...

Why do you need to manipulate the path attribute? What are you trying to accomplish? Perhaps there is another approach. Otherwise
[c-nsp] CCIE lab in Hong Kong
Hi all,

I'm planning to schedule my CCIE SP lab in Hong Kong but I need some information about the lab location there. Can those who attended there tell me more about their impression of the lab location? Best hotels with affordable rates and near the Cisco office? Is it better or Sydney or US locations?

Thanks for your help
[c-nsp] SP seat in Brussels
Hello Gents,

I'm looking for an SP seat in Brussels in Dec but the earliest available seats are in April 2010. Does anyone have a seat at the end of Dec and will drop it? I need it urgently and am ready to take it over.

thanks
[c-nsp] Multiple virtual-templates under one bba-group
Hi group,

I have a problem and need to know: is it possible to define multiple virtual-templates under a single bba-group, and if yes, how does the BRAS select between them? Based on what conditions?

thanks for your help
--Ibrahim
[c-nsp] nccm tools
Hi,

I'm looking for a light and free nccm tool. Can you advise if anyone has a suggestion?

thanks
[c-nsp] open-source nccm tool
Hi,

I'm looking for an open-source nccm tool. Can you advise if anyone has a suggestion?

thanks
[c-nsp] dynamic global-vrf leaking
Hi group,

I am looking for a feature that can be used to route VPN internet traffic from a global interface into a VRF interface (or global and add a VPN label). Normally that is done using a static route to perform global-vrf leaking, but I'm looking for a more scalable and dynamic solution. Any ideas?

thanks
--ibrahim
Re: [c-nsp] dynamic global-vrf leaking
Also, is there any feature that supports dynamic export of VPN routes to global? I knew the reverse exists (importing IPv4 routes into a VRF) but I'm looking for the reverse.

On Tue, May 25, 2010 at 10:03 AM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi group Iam looking for a feature can be used to route VPN internet traffic from global interface into VRF interface (or global and add VPN label) normaly , that is done using static route to perform global-vrf leaking but i'm looking for a more scalable and dynamic solution any ideas ?

thanks
--ibrahim
[c-nsp] combining 7600 power supplies
Hi group,

I have a problem and will need to combine the power supplies of a 7609 router (changing the mode from redundant to combine). Based on your experience, can this step take the router down if one power supply is enough now but I need to insert new modules, so I need to combine the other one?

thanks
--ibrahim
Re: [c-nsp] SNMPv3 bug on 3550
Hi All,

I am facing the same issue below on a 7200 with a 12.2(25)S image. Does anyone face the same problem? Is it a bug?

thanks
--Ibrahim

On Thu, Feb 7, 2008 at 1:33 AM, Peter Rathlev pe...@rathlev.dk wrote:

Sorry about the empty mail before, was busy wiping up coffee from my keyboard. :-)

I've tested the same on our 3550/SEE2's and with the same results. Trial and error shows that if I exclude the auth md5 blah part of the user definition, everything works as expected. It doesn't help using SHA. When creating the user I get this log message by the way:

Feb 7 00:16:56.657 met: Configuring snmpv3 USM user, persisting snmpEngineBoots. Please Wait...

It never gets further. It also seems to be the snmp-server host ... command that creates the snmp-server group testuser command. I'm no expert in SNMPv3, but that may or may not be an error. So I'd say it's a bug. (Just use v2c, hacky sacks never really died so why should v2c? :-)

Regards,
Peter

On Wed, 2008-02-06 at 15:03 -0600, Church, Charles wrote:

Thanks. I did try it that way too. Long log shows it doing this:

PSRB-U00-OS-03(config)#do sh run | i test
PSRB-U00-OS-03(config)#do sh snmp user
PSRB-U00-OS-03(config)#do sh snmp group
PSRB-U00-OS-03(config)#snmp-server group testgroup v3 auth access 98
PSRB-U00-OS-03(config)#do sh run | i test
snmp-server group testgroup v3 auth access 98
PSRB-U00-OS-03(config)#snmp-server user testuser testgroup v3 auth md5 blah access 98
PSRB-U00-OS-03(config)#do sh run | i test
snmp-server group testgroup v3 auth access 98
PSRB-U00-OS-03(config)#snmp-server host 172.24.4.5 version 3 auth testuser
PSRB-U00-OS-03(config)#snmp-server host 172.24.5.6 version 3 auth testuser
PSRB-U00-OS-03(config)#snmp-server host 172.26.4.7 version 3 auth testuser
PSRB-U00-OS-03(config)#do sh run | i test
snmp-server group testuser v3 auth notify *tv....0F
snmp-server group testgroup v3 auth access 98
snmp-server host 172.24.4.5 version 3 auth testuser
snmp-server host 172.24.5.6 version 3 auth testuser
snmp-server host 172.26.4.7 version 3 auth testuser
PSRB-U00-OS-03(config)#do sh snmp group
groupname: testuser    security model:v3 auth
readview : no readview specified    writeview: no writeview specified
notifyview: *tv....F
row status: active

groupname: testgroup    security model:v3 auth
readview : v1default    writeview: no writeview specified
notifyview: no notifyview specified
row status: active    access-list: 98
PSRB-U00-OS-03(config)#do sh snmp user
User name: testuser
Engine ID: 8009030D65D8D281
storage-type: nonvolatile    active access-list: 98
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: testgroup
PSRB-U00-OS-03(config)#

So it would appear that the configuration of the trap destinations is what's causing the group with the user name to be created. Same result if you do the user first, and then the group. Any ideas?

Thanks,
Chuck

-Original Message-
From: Tassos Chatzithomaoglou [mailto:ach...@forthnet.gr]
Sent: Wednesday, February 06, 2008 3:42 PM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SNMPv3 bug on 3550

I think you have to create group first, then user.
-- Tassos

Church, Charles wrote on 6/2/2008 9:27 μμ:

Hey all,

I'm seeing the following behavior on 3550s running c3550-ipbasek9-mz.122-25.SEE2.bin:

Commands entered:
snmp-server user testuser testgroup v3 auth md5 (password) access 98
snmp-server group testgroup v3 auth not *tv....FF access 98
snmp-server host 172.24.4.5 version 3 auth testuser

Results of commands:
snmp-server group testuser v3 auth notify *tv....0F
snmp-server group testgroup v3 auth notify *tv....FF
snmp-server host 172.24.4.5 version 3 auth testuser

So the configuration of a user called 'testuser' is creating a group called 'testuser'. We should only be seeing 'testgroup' exist as a group, right? I did a search through bug navigator, didn't see anything involving snmp and user or group listed. Is this a known issue? We use the same command set on 6500s running 12.2(18)SXF9, don't see that happen.

Thanks,
Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
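A configuration audit for the symptom reported in this thread, as an added example that is not from any of the posters: it parses `show snmp group` and `show snmp user` output and flags any SNMPv3 group that carries a user's name without being that user's Group-name, and notes when such a group lacks the access-list the intended group has. The sample output is constructed (modelled on the thread; `EXAMPLE_NOTIFY_VIEW` and the engine ID are placeholders), and the parser assumes the field labels seen in the thread.

```python
import re

# Constructed sample output, modelled on the thread (column spacing restored;
# EXAMPLE_NOTIFY_VIEW and the engine ID are placeholders, not values from the page).
SHOW_SNMP_GROUP = """\
groupname: testuser        security model:v3 auth
readview : no readview specified    writeview: no writeview specified
notifyview: EXAMPLE_NOTIFY_VIEW
row status: active

groupname: testgroup       security model:v3 auth
readview : v1default       writeview: no writeview specified
notifyview: no notifyview specified
row status: active    access-list: 98
"""

SHOW_SNMP_USER = """\
User name: testuser
Engine ID: 800000090300AABBCCDDEEFF
storage-type: nonvolatile    active access-list: 98
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: testgroup
"""

GROUP_RE = re.compile(r"^\s*groupname:\s*(\S+)\s+security model:\s*(.+?)\s*$")
VIEW_RES = {
    # readview and writeview share one line, so readview stops at "writeview:".
    "readview": re.compile(r"readview\s*:\s*(.*?)\s*(?=writeview\s*:|$)"),
    "writeview": re.compile(r"writeview\s*:\s*(.*?)\s*$"),
    "notifyview": re.compile(r"notifyview\s*:\s*(.*?)\s*$"),
}
ACL_RE = re.compile(r"access-list:\s*(\S+)")


def _view(value):
    """Map the 'no <x>view specified' filler to None."""
    return None if re.fullmatch(r"<?no \w+ specified>?", value) else value


def parse_groups(text):
    """Return one dict per group block of 'show snmp group' output."""
    groups, cur = [], None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            cur = {"name": m.group(1), "model": m.group(2), "acl": None,
                   "readview": None, "writeview": None, "notifyview": None}
            groups.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in VIEW_RES.items():
            m = rx.search(line)
            if m:
                cur[key] = _view(m.group(1))
        m = ACL_RE.search(line)
        if m:
            cur["acl"] = m.group(1)
    return groups


def parse_users(text):
    """Return one dict per user block of 'show snmp user' output."""
    users, cur = [], None
    fields = {"group-name": "group", "authentication protocol": "auth",
              "privacy protocol": "priv"}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if not sep:
            continue
        if key == "user name":
            cur = {"name": val, "group": None, "auth": None, "priv": None}
            users.append(cur)
        elif cur is not None and key in fields:
            cur[fields[key]] = val
    return users


def audit(groups, users):
    """Flag groups named after a user, and users whose group is absent."""
    by_name = {g["name"]: g for g in groups}
    by_user = {u["name"]: u for u in users}
    findings = []
    for g in groups:
        u = by_user.get(g["name"])
        if u and u["group"] != g["name"]:
            intended = by_name.get(u["group"])
            findings.append({
                "kind": "group-named-after-user", "group": g["name"],
                "intended_group": u["group"], "notifyview": g["notifyview"],
                # True when the intended group is ACL-restricted but this one is not.
                "acl_missing": g["acl"] is None and bool(intended and intended["acl"]),
            })
    for u in users:
        if u["group"] not in by_name:
            findings.append({"kind": "user-group-missing", "user": u["name"],
                             "intended_group": u["group"]})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_groups(SHOW_SNMP_GROUP), parse_users(SHOW_SNMP_USER)):
        print(finding)
```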
[c-nsp] IP route analysis solution
Hi all,

I'm looking for an IP route analysis solution that can discover and draw a topology for the network and helps in the planning process by simulating any modifications. I did some googling and found 2 solutions in this area, Packet Design Route Explorer and HP RAMS. Do you have other ideas? What are your impressions about these tools if you tried any?

thanks
--Ibrahim
Re: [c-nsp] OSPF LSA Type 11
Hi Hash,

I already knew that Cisco supports Inter-AS TE, but without IGP running between ASBRs, and it still depends on LSA 10 to flood TE attributes internally. Check this link: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/gsintast.html

So I want to know if Cisco supports Inter-AS TE with OSPF running between ASBRs? And if yes, that means LSA 11 is used to flood attributes. If not, I think there is no need for any router to generate such an LSA if it isn't needed for any application.

thnx
--Ibrahim

On Mon, Apr 19, 2010 at 11:49 PM, Hash Aminu has...@gmail.com wrote:

You will see type 11 if you have inter-AS TE, which I believe is not widely deployed. Your question should be: Does Cisco support Inter-AS TE?

Regards
Hash
Re: [c-nsp] OSPF LSA Type 11
Thanks all for all your replies. Now I think we all agree on Opaque LSA types and purpose, but does Cisco IOS support all types or Type 10 only?

thnx

On Sat, Apr 17, 2010 at 10:45 PM, Hash Aminu has...@gmail.com wrote:

To answer your question: Opaque LSA type 9 has a flooding scope limited to *local-link*. Opaque LSA type 10 has a flooding scope limited to the area *(intra-area)* and Opaque LSA type 11 has a flooding scope that is autonomous system wide (inter-area like LSA type 5).

HTH
Hash

On Sat, Apr 17, 2010 at 11:40 PM, Hash Aminu has...@gmail.com wrote:

RFC 3630 is silent about type 11 LSA as an extension to MPLS TE, you can read RFC 2370 to know more on Opaque LSAs.

Good luck
Hash

On Tue, Apr 13, 2010 at 9:15 PM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi i want to know the role of OSPF Opaque LSA Type 11 in MPLS TE ?

thanks
[c-nsp] OSPF LSA Type 11
Hi,

I want to know the role of OSPF Opaque LSA Type 11 in MPLS TE?

thanks
Re: [c-nsp] MPLS TE and PIM
Sorry if my question wasn't clear enough. I tried it with 2 tunnels between two PEs and enabled sparse-mode under the tunnels, so in this case, should traffic flow over the tunnel?

thanks Swap

On Wed, Jan 13, 2010 at 7:21 PM, swap m ccie19...@gmail.com wrote:

Ask yourself this way -
1. Are TE tunnels bi-directional? Answer is no.
2. Can a TE tunnel receive traffic? Again the answer is no. A TE tunnel is for sending traffic, not for receiving.

PIM neighborship hence is established on the physical interface, not on the TE interface, coz you need bidirectional flow between the neighbors. RPF failures may happen when you receive multicast traffic via the physical interface while the routing table has a route via the TE interface. Either mpls traffic-eng multicast-intact or static mroutes can be used to solve these RPF issues. Forwarding adj doesn't work with the multicast-intact feature.

HTH
Swap #19804

On Tue, Jan 12, 2010 at 11:38 PM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi I have a question about PIM , is PIM messages can flow across MPLS TE Tunnel ? why PIM neighborship can't be established over the tunnel ?

thanks
--Ibrahim
[c-nsp] MPLS TE and PIM
Hi,

I have a question about PIM: can PIM messages flow across an MPLS TE tunnel? Why can't PIM neighborship be established over the tunnel?

thanks
--Ibrahim
[c-nsp] SP seat in brussels in May
Hi All,

Is there anyone who booked a seat for SP in Brussels at the end of Feb or start of March and will drop it?

thanks
--ibrahim
Re: [c-nsp] ISIS Adj-filter problem
Thanks Victor,

but why does applying the filter on all routers except the DIS solve the problem? Is there any explanation?

best regards
--Ibrahim

On Tue, Sep 8, 2009 at 3:56 PM, Victor Cappuccio vcapp...@cisco.com wrote:

Hi,

Did you try the same command but not on the DIS?

On a LAN, one of the routers elects itself the DIS, based on interface priority (the default is 64). If all interface priorities are the same, the router with the highest subnetwork point of attachment (SNPA) is selected.

I did your same configuration, but now I applied the filter to all the routers but the DIS. R2 in this case is the DIS!

R2#show run int f0/0
Building configuration...
Current configuration : 132 bytes
!
interface FastEthernet0/0
 ip address 10.10.123.2 255.255.255.0
 ip router isis
 duplex auto
 speed auto
 isis priority 127
end

R2#show clns neigh
System Id  Interface  SNPA        State  Holdtime  Type  Protocol
R3         Fa0/0      c003.163c.  Up     25        L1    IS-IS
R1         Fa0/0      c001.163c.  Up     29        L1    IS-IS

R2#show clns is-
System Id  Interface  State  Type  Priority  Circuit Id  Format
R3         Fa0/0      Up     L1    64        R2.01       Phase V
R1         Fa0/0      Up     L1    64        R2.01       Phase V
R2#
R2#show ip route isis
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
i L1 10.10.3.3/32 [115/10] via 10.10.123.3, FastEthernet0/0
i L1 10.10.1.1/32 [115/10] via 10.10.123.1, FastEthernet0/0

---

R1#show run int f0/0
Building configuration...
Current configuration : 140 bytes
!
interface FastEthernet0/0
 ip address 10.10.123.1 255.255.255.0
 ip router isis
 duplex auto
 speed auto
 isis adjacency-filter R2
end

R1#show run | in clns filter
clns filter-set R2 permit 49.0001...0002.00

R1#show isis neigh
System Id  Type  Interface  IP Address   State  Holdtime  Circuit Id
R2         L1    Fa0/0      10.10.123.2  UP     9         R2.01

R1#show ip route isis
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L1 10.10.2.2/32 [115/10] via 10.10.123.2, FastEthernet0/0
R1#

R3#show run int f0/0
Building configuration...
Current configuration : 140 bytes
!
interface FastEthernet0/0
 ip address 10.10.123.3 255.255.255.0
 ip router isis
 duplex auto
 speed auto
 isis adjacency-filter R2
end

R3#show run | in clns filter
clns filter-set R2 permit 49.0001...0002.00

R3#show clns neigh
System Id  Interface  SNPA        State  Holdtime  Type  Protocol
R2         Fa0/0      c002.163c.  Up     7         L1    IS-IS
R3#
R3#show clns is-neighbors
System Id  Interface  State  Type  Priority  Circuit Id  Format
R2         Fa0/0      Up     L1    127       R2.01       Phase V

R3#show ip route isis
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L1 10.10.2.2/32 [115/10] via 10.10.123.2, FastEthernet0/0
R3#

Thanks,
Victor Cappuccio.-
vcapp...@cisco.com
CCIE(R/S) #20657
STAC Support Engineer
Cisco Small Business Support.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dave Kruger
Sent: martes, 08 de septiembre de 2009 15:04
To: Ibrahim Abo Zaid
Cc: cisco_nsp
Subject: Re: [c-nsp] ISIS Adj-filter problem

Hi there,

Have you managed to figure out what was causing that? Did you see that your clns filter references 49.0001...0100.00 whereas your R1 router's Sys ID is 49.0001...0001.00

Regards,
Dave

Ibrahim Abo Zaid wrote:

Hi All I was testing ISIS Adj-filter option , R1,R2 and R3 are connected over ethernet switch (using dynamips) with the below configuration the configuration works for adj point and both R2 and R3 have ADJ with R1 only , the problem is R2 is droping R1 and R3 LSPs and debug shows it is dropped due to invalid adj . can you help to resolve that ?

Configuration

R1
interface Loopback0
 ip address 10.10.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.1 255.255.255.0
 ip router isis
router isis
 net
 is-type level-1
 passive-interface Loopback0

R2
interface Loopback0
 ip address 10.10.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.2 255.255.255.0
 ip router isis
 isis adjacency-filter A1
!
router isis
 net 49.0001...0002.00
 is-type level-1
 passive-interface Loopback0
clns filter-set A1 permit 49.0001...0100.00

R3
interface Loopback0
 ip address 10.10.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.3 255.255.255.0
 ip router isis
 isis adjacency-filter A1
router isis
 net 49.0001...0003.00
 is-type level-1
 passive-interface Loopback0
clns filter-set A1 permit 49.0001...0100.00
[c-nsp] ISIS Adj-filter problem
Hi All,

I was testing the ISIS Adj-filter option. R1, R2 and R3 are connected over an ethernet switch (using dynamips) with the below configuration. The configuration works for the adj point and both R2 and R3 have ADJ with R1 only. The problem is R2 is dropping R1 and R3 LSPs, and debug shows it is dropped due to invalid adj. Can you help to resolve that?

Configuration

R1
interface Loopback0
 ip address 10.10.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.1 255.255.255.0
 ip router isis
router isis
 net 49.0001...0001.00
 is-type level-1
 passive-interface Loopback0

R2
interface Loopback0
 ip address 10.10.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.2 255.255.255.0
 ip router isis
 isis adjacency-filter A1
!
router isis
 net 49.0001...0002.00
 is-type level-1
 passive-interface Loopback0
clns filter-set A1 permit 49.0001...0100.00

R3
interface Loopback0
 ip address 10.10.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.3 255.255.255.0
 ip router isis
 isis adjacency-filter A1
router isis
 net 49.0001...0003.00
 is-type level-1
 passive-interface Loopback0
clns filter-set A1 permit 49.0001...0100.00

Verification

R1#sh clns neighbors
System Id  Interface  SNPA        State  Holdtime  Type  Protocol
R2         Fa0/0      c201.0544.  Up     8         L1    IS-IS
R3         Fa0/0      c202.0544.  Up     7         L1    IS-IS

R1 has R2 and R3 LSPs

R1#sh isis database
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*  0x0010       0x2D88        849           0/0/0
R2.00-00   0x0009       0x8037        1036          0/0/0
R2.01-00   0x0003       0x78D8        1036          0/0/0
R3.00-00   0x0005       0x4470        552           0/0/0
R3.01-00   0x0006       0x78D3        1091          0/0/0

but has R3-Lo0 route ONLY !!

R1#sh ip route isis
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L1 10.10.3.3/32 [115/10] via 10.10.123.3, FastEthernet0/0

R2#sh clns neighbors
System Id  Interface  SNPA        State  Holdtime  Type  Protocol
R1         Fa0/0      c200.0544.  Up     21        L1    IS-IS

R2 doesn't have R1 and R3 LSPs !!!

R2#sh isis database
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R2.00-00*  0x0009       0x8037        985           0/0/0
R2.01-00*  0x0003       0x78D8        986           0/0/0

NO ISIS Route , it normal no LSP :)

R2#sh ip route isis
R2#

R3

R3#sh clns neighbors
System Id  Interface  SNPA        State  Holdtime  Type  Protocol
R1         Fa0/0      c200.0544.  Up     26        L1    IS-IS

R3#sh isis database
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00   0x0013       0x278B        1181          0/0/0
R2.00-00   0x0009       0x8037        845           0/0/0
R2.01-00   0x0003       0x78D8        846           0/0/0
R3.00-00*  0x0006       0x4271        1186          0/0/0
R3.01-00*  0x0007       0x76D4        1185          0/0/0

route to R1-Lo0 only !!

R3#sh ip route isis
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L1 10.10.1.1/32 [115/10] via 10.10.123.1, FastEthernet0/0

debug isis update-packets shows update is dropped due to invalid ADJ

*Mar 1 00:30:16.751: ISIS-Upd: Invalid adjacency
*Mar 1 00:30:26.619: ISIS-Upd: Invalid adjacency
*Mar 1 00:30:34.151: ISIS-Upd: Invalid adjacency

Any ideas?

best regards
--Ibrahim
[c-nsp] ISIS partition avoidance
Hi All,

Does anyone know why ISIS partition avoidance is needed? According to DocCD:

To cause an Intermediate System-to-Intermediate System (IS-IS) Level 1-2 border router to stop advertising the Level 1 area prefix into the Level 2 backbone when full connectivity is lost between the border router, all adjacent Level 1 routers, and end hosts

But that occurs automatically without enabling the feature, so what extra benefit does it provide?

best regards
--Ibrahim
Re: [c-nsp] ISIS Problem
Hi All,

R1 isn't setting the ATT bit in its LSP. It is like that R1 forwards L1 default route to all its L1 neighbors in DEF the origination area (but it is not shown in R1-LSP). I connected R4 to R1 with L2 ADJ between them and there is no DEF route !! Any explanation?

R1#sh isis database
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*  0x0003       0xD80B        1161          0/0/0
R2.00-00   0x0003       0xDE59        1165          1/0/0
R3.00-00   0x0003       0xDF77        1165          1/0/0

R1#sh isis database R1.00-00 detail
IS-IS Level-1 LSP R1.00-00
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*  0x0007       0x2B0C        629           0/0/0
  Area Address: 49.0001
  NLPID:0xCC
  Hostname: R1
  IP Address: 10.10.13.1
  Metric: 10 IP 10.10.12.0/24
  Metric: 10 IP 10.10.13.0/24
  Metric: 10 IS-Extended R3.00
  Metric: 10 IS-Extended R2.00
IS-IS Level-2 LSP R1.00-00
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*  0x0005       0x6E68        1199          0/0/0
  Area Address: 49.0001
  NLPID:0xCC
  Hostname: R1
  IP Address: 10.10.13.1
  Metric: 10 IP 10.14.1.0/24
  Metric: 10 IS-Extended R4.01
  Metric: 10 IP 10.10.12.2/32
  Metric: 10 IP 10.10.12.0/24
  Metric: 10 IP 10.10.13.3/32
  Metric: 10 IP 10.10.13.0/24

R2#sh isis database
Area 2:
IS-IS Level-2 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R2.00-00*  0x0004       0x6D77        1156          0/0/0
R3.00-00   0x0004       0x934E        1154          0/0/0
Area null:
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00   0x0003       0xD80B        1143          0/0/0
R2.00-00*  0x0003       0xDE59        1150          1/0/0
R3.00-00   0x0003       0xDF77        1147          1/0/0

R3#sh isis database
Area 3:
IS-IS Level-2 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R2.00-00   0x0004       0x6D77        1137          0/0/0
R3.00-00*  0x0004       0x934E        1138          0/0/0
Area null:
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00   0x0003       0xD80B        1125          0/0/0
R2.00-00   0x0003       0xDE59        1129          1/0/0
R3.00-00*  0x0003       0xDF77        1132          1/0/0

On Tue, Aug 18, 2009 at 1:51 AM, BRYAN BARTIK bbar...@uen.org wrote:

Hello,

Do a show isis database and you will see who is setting the ATT bit. R2 and R3 are setting the ATT bits and these get flooded to R1 and then across to each other in L1. Probably looks like this:

R1#sho isis database
IS-IS Level-1 Link State Database:
LSPID      LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*  0x0003       0x5524        1173          0/0/0
R2.00-00   0x0003       0x7E42        1161          1/0/0
R3.00-00   0x0003       0xC8F2        1179          1/0/0

-Bryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Ibrahim Abo Zaid
Sent: Monday, August 17, 2009 2:47 PM
To: cisco_nsp; ci...@groupstudy.com
Subject: [c-nsp] ISIS Problem

Hi All,

I have a problem with the below ISIS topology. All ADJ of R1 are L1, and the interface between R2 is in A2 from R2 side and in A3 side from R3 side, so R2 and R3 have L2-ADJ between them. As expected, both R2 and R3 send LSP with ATT bit set, so R1 has 2 L1 default routes pointing to both R2 and R3. The wired result: there is L1 on both R2 and R3 points to R1 !! But R1 doesn't set the ATT bit in its LSP. Do you have an explanation why R1 sends this default route? And how can we stop it?

Topology R2L-1 | | | | L2 A-1 R1 | | | | R3-L-1---

Configuration

R1
!
interface Serial1/0
 description to R2
 ip address 10.10.12.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.13.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
router isis
 net 49.0001...0001.00
 is-type level-1

R2
interface Serial1/0
 description to R1
 ip address 10.10.12.2 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.23.2 255.255.255.0
 ip router isis 2
Re: [c-nsp] ISIS Problem
Hi all

To make it clearer, i don't have a problem with default route on R1, i have a problem with the default route on R2 and R3

best regards
--Ibrahim

On Tue, Aug 18, 2009 at 10:24 AM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi All

R1 isn't setting ATT bit in its LSP, it is like that R1 forwards L1 default route to all its L1 neighbors in DEF the origination area (but it is not shown in R1-LSP). I connected R4 to R1 with L2 ADJ between them and there is no DEF route !! Any explanation ?

R1#sh isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*             0x0003       0xD80B        1161          0/0/0
R2.00-00              0x0003       0xDE59        1165          1/0/0
R3.00-00              0x0003       0xDF77        1165          1/0/0

R1#sh isis database R1.00-00 detail
IS-IS Level-1 LSP R1.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*             0x0007       0x2B0C        629           0/0/0
  Area Address: 49.0001
  NLPID:0xCC
  Hostname: R1
  IP Address: 10.10.13.1
  Metric: 10 IP 10.10.12.0/24
  Metric: 10 IP 10.10.13.0/24
  Metric: 10 IS-Extended R3.00
  Metric: 10 IS-Extended R2.00
IS-IS Level-2 LSP R1.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*             0x0005       0x6E68        1199          0/0/0
  Area Address: 49.0001
  NLPID:0xCC
  Hostname: R1
  IP Address: 10.10.13.1
  Metric: 10 IP 10.14.1.0/24
  Metric: 10 IS-Extended R4.01
  Metric: 10 IP 10.10.12.2/32
  Metric: 10 IP 10.10.12.0/24
  Metric: 10 IP 10.10.13.3/32
  Metric: 10 IP 10.10.13.0/24

R2#sh isis database
Area 2:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R2.00-00*             0x0004       0x6D77        1156          0/0/0
R3.00-00              0x0004       0x934E        1154          0/0/0
Area null:
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00              0x0003       0xD80B        1143          0/0/0
R2.00-00*             0x0003       0xDE59        1150          1/0/0
R3.00-00              0x0003       0xDF77        1147          1/0/0

R3#sh isis database
Area 3:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R2.00-00              0x0004       0x6D77        1137          0/0/0
R3.00-00*             0x0004       0x934E        1138          0/0/0
Area null:
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00              0x0003       0xD80B        1125          0/0/0
R2.00-00              0x0003       0xDE59        1129          1/0/0
R3.00-00*             0x0003       0xDF77        1132          1/0/0

On Tue, Aug 18, 2009 at 1:51 AM, BRYAN BARTIK bbar...@uen.org wrote:

Hello,

Do a show isis database and you will see who is setting the ATT bit. R2 and R3 are setting the ATT bits and these get flooded to R1 and then across to each other in L1. Probably looks like this:

R1#sho isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
R1.00-00*             0x0003       0x5524        1173          0/0/0
R2.00-00              0x0003       0x7E42        1161          1/0/0
R3.00-00              0x0003       0xC8F2        1179          1/0/0

-Bryan

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Ibrahim Abo Zaid
Sent: Monday, August 17, 2009 2:47 PM
To: cisco_nsp; ci...@groupstudy.com
Subject: [c-nsp] ISIS Problem

Hi All

I have a problem with the below ISIS topology. All ADJ of R1 are L1 and interface between R2 is in A2 from R2 side and in A3 side from R3 side so R2 and R3 have L2-ADJ between them. As expected both R2 and R3 send LSP with ATT bit set so R1 has 2 L1 default routes point to both R2 and R3. The weird result: there is L1 on both R2 and R3 points to R1 !! but R1 doesn't set ATT bit in its LSP. Do you have an explanation why R1 sends this default route ? and how we can stop it

Topology
R2L-1 | | | | L2 A-1 R1 | | | | R3-L-1---

Configuration

R1
!
interface Serial1/0
 description to R2
 ip address 10.10.12.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.13.1 255.255.255.0
 ip router isis
 encapsulation ppp
[c-nsp] ISIS Problem
Hi All

I have a problem with the below ISIS topology. All ADJ of R1 are L1 and interface between R2 is in A2 from R2 side and in A3 side from R3 side so R2 and R3 have L2-ADJ between them. As expected both R2 and R3 send LSP with ATT bit set so R1 has 2 L1 default routes point to both R2 and R3. The weird result: there is L1 on both R2 and R3 points to R1 !! but R1 doesn't set ATT bit in its LSP. Do you have an explanation why R1 sends this default route ? and how we can stop it

Topology
R2L-1 | | | | L2 A-1 R1 | | | | R3-L-1---

Configuration

R1
!
interface Serial1/0
 description to R2
 ip address 10.10.12.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.13.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
router isis
 net 49.0001...0001.00
 is-type level-1

R2
interface Serial1/0
 description to R1
 ip address 10.10.12.2 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.23.2 255.255.255.0
 ip router isis 2
 encapsulation ppp
!
router isis 2
 net 49.0002...0002.00
 is-type level-2-only
!
router isis
 net 49.0001...0002.00
 is-type level-1

R3
interface Serial 1/0
 description to R1
 ip address 10.10.13.3 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial 1/1
 description to R2
 ip address 10.10.23.3 255.255.255.0
 ip router isis 3
 encapsulation ppp
!
router isis 3
 net 49.0003...0003.00
 is-type level-2-only
!
router isis
 net 49.0001...0003.00
 is-type level-1

Logs
---

R1#sh clns neighbors
System Id      Interface   SNPA     State  Holdtime  Type Protocol
R2             Se1/0       *PPP*    Up     22        L1   IS-IS
R3             Se1/1       *PPP*    Up     23        L1   IS-IS

R2#sh clns neighbors
Area 2:
System Id      Interface   SNPA     State  Holdtime  Type Protocol
R3             Se1/1       *PPP*    Up     28        L2   IS-IS
Area null:
System Id      Interface   SNPA     State  Holdtime  Type Protocol
R1             Se1/0       *PPP*    Up     26        L1   IS-IS

R3#sh clns neighbors
Area 3:
System Id      Interface   SNPA     State  Holdtime  Type Protocol
R2             Se1/1       *PPP*    Up     22        L2   IS-IS
Area null:
System Id      Interface   SNPA     State  Holdtime  Type Protocol
R1             Se1/0       *PPP*    Up     28        L1   IS-IS

routing tables
-

R1#sh ip route isis
i*L1 0.0.0.0/0 [115/10] via 10.10.13.3, Serial1/1
               [115/10] via 10.10.12.2, Serial1/0

R2#sh ip route isis
i L2 10.10.13.1/32 [115/20] via 10.10.23.3, Serial1/0
i L1 10.10.13.0/24 [115/20] via 10.10.12.1, Serial1/0
i*L1 0.0.0.0/0 [115/20] via 10.10.12.1, Serial1/0

R3#sh ip route isis
i L1 10.10.12.0/24 [115/20] via 10.10.13.1, Serial1/0
i L2 10.10.12.1/32 [115/20] via 10.10.23.2, Serial1/1
i*L1 0.0.0.0/0 [115/20] via 10.10.13.1, Serial1/0
[c-nsp] ISIS Mesh group question
Hi All

I have a question about ISIS mesh groups which is used to reduce LSP flooding in full-mesh p2p environments. That means we lose redundancy for sake of LSP flooding reduction, hence it affects forwarding and traffic is forced to inactive or interfaces in different groups only. Is that right ?

best regards
--Ibrahim
[c-nsp] HSRP and Standby router
Hi All

I was studying some HSRP scenario which is little bit different than what used to work on. We have 2 routers connected with access ports to internal box which has 2 direct physical layer-2 links to both routers, and HSRP is running between VLAN SVIs on both routers across L2 ether-channel between them.

If physical link to active router fail, the client will ARP standby router for MAC of HSRP group IP. My question here is: standby router will answer ARP requests while it still detect that active router is still alive from HSRP over etherchannel between them ? And if yes, what MAC address it will answer with ? The active router owns group vmac address so if standby reply it will reply with bia address and L2-switch the traffic to active router ?

waiting for opinions and your experience share

best regards
--Ibrahim
[c-nsp] 7600 router and Etherchannel across multiple line card
Hi All

I am trying to establish L2 Etherchannel between 2 7609 routers, SUP720-MSFC3, PFC is 3BXL and Line cards WS-X6148-GE and IOS is 12.2(33)SRD

are there any concerns to establish this etherchannel between ports in different line cards ?

best regards
--Ibrahim
[c-nsp] Dynamic NAT on router and ASA
Hi All

i have NAT and PAT configured on ASA 5520 and it works as expected from ASA, NAT all incoming connection 1:1 until NAT pool is depleted then PAT all next connections. But actually, NAT pool never get depleted and ASA started to use PAT pool although there are free IPs in NAT pool and that is strange

so i think to transfer NAT to the edge router and use dynamic NAT instead of dynamic NAT on ASA, but i need to know is dynamic NAT on router will do that

1- configure NAT pool with N global address
2- NAT first N connection to NAT pool 1:1
3- for next connections, begin from start again so N+1 connection will get the same translation as first connection

that seems like Rotary NAT but it works for outside connection not inside. Does anyone has practical experience it will work as described above ?

best regards
--Ibrahim
Re: [c-nsp] ebgp load balancing using maxiumu-paths TCAM impact on Sup720-3BXL?
Hi Peter

If 2 upstream provider provides exactly same routes with same attributes so BGP will select 2 routes to each destination then TCAM will reach its maximum as installed BGP routes will be doubled, but if some destination are preferably reachable from one of them and 2nd route will be backup route, so BGP routes won't be doubled but that depends on percentage

but if you have exactly the same routes from both of them, why u don't use default ? otherwise u will have to upgrade Sup.

best regards
--Ibrahim

On Thu, May 21, 2009 at 5:40 AM, Peter Kranz pkr...@unwiredltd.com wrote:

Setup is as follows; 2 edge routers, each with a BGP session receiving full routes to the same provider router. The provider is load balancing inbound traffic to our AS nicely, 50/50 between the edge routers.. I would also like to load balance the outbound traffic.. I've considered adding 'maximum-paths 2' to install the two equal paths, but am concerned about FIB TCAM impacts.

Will adding this command cause each equal cost route to take one additional TCAM entry, i.e. full routing table x 2 524k TCAM limit = EPIC meltdown?

Current FIB TCAM:

L3 Forwarding Resources
  FIB TCAM usage:              Total    Used    %Used
  72 bits (IPv4, MPLS, EoM)    524288   285506  54%
  144 bits (IP mcast, IPv6)    262144   5       1%

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-
pkr...@unwiredltd.com
Re: [c-nsp] C4K_PKTPROCESSING-5-NOTAPPLYINGACL
Hi David

from Cisco

Error Message C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying [input/output] Acl for packet [packet-info]

Explanation The software has not taken the ACL actions because it could not determine the correct ACL entry indicated by the hardware. The hardware-provided index of the ACL content addressable memory (CAM) indicates that the software needs to take the actions for the entry at that index. If the packet was queued in the hardware before being processed by the software, the index is out-of-date.

Recommended Action This message is informational only. No action is required.

the only thing i am wondering about is ACL HW-Index is temp and has expiration timer ? so do have any QoS policy applied at the same interface ? do u have any CPU problem on this gear ?

best regards
--Ibrahim

On Wed, May 20, 2009 at 4:03 PM, David Freedman david.freed...@uk.clara.net wrote:

No ACL changes being made at the time, a block of these occur randomly at once, could there be a CAM problem?

Dave.

Richard Gallagher wrote:

David,

How often did the message occur? Were any ACL changes being made at the time?

Rich

On 20 May 2009, at 01:35, David Freedman wrote:

Anybody seen these messages occur frequently?

May 18 09:19:31 box 575: May 18 08:20:37 UTC: %C4K_PKTPROCESSING-5-NOTAPPLYINGACL: Not applying Output Acl for packet udp srcHost 1.1.1.1 dstHost 2.2.2.2 tos 0 srcPort 934 dstPort 2049

According the error decoder, they are CAM programming issue but that is about the level of detail it goes into, I would infer from this that they should only be seen rarely but I'm starting to see them frequently, box is 4948 running 12.2(25)EWA10, bugtool as usual has nothing.

Any pointers appreciated.

Regards,

David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
Re: [c-nsp] SVI always up !
Hi Peter

I tested it and it works -:) thanks for your advice

best regards
--Ibrahim

On Mon, May 18, 2009 at 11:20 PM, Peter Rathlev pe...@rathlev.dk wrote:

On Sun, 2009-05-17 at 14:53 +0300, Ibrahim Abo Zaid wrote:

That seems it will work but it is applied globally for all VLAN , is there any way to apply it per-VLAN ?

Not that I know of no. It can only be per port.

Regards,
Peter
Re: [c-nsp] SVI always up !
Thanks Peter

That seems it will work but it is applied globally for all VLAN , is there any way to apply it per-VLAN ?

best regards
--Ibrahim

On Sat, May 16, 2009 at 2:24 PM, Peter Rathlev pe...@rathlev.dk wrote:

On Sat, 2009-05-16 at 13:12 +0300, Ibrahim Abo Zaid wrote:

I have a strange situation and i think it is normal but i need a solution for it

I have 2 MLS and VLAN x is created on both and there is L2 etherchannel between both and it allows all VLANs , when all access ports in VLAN x in any MLS got down SVI is always up although all access ports are down and that is normal due to trunk ports always all VLANs .

so is there any command to bind SVI status to access ports status only so when access port got down , SVI got down also ?

You can use "switchport autostate exclude" on the trunk port.

http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_s7.html#wp1012922

Regards,
Peter
[c-nsp] SVI always up !
Hi All

I have a strange situation and i think it is normal but i need a solution for it

I have 2 MLS and VLAN x is created on both and there is L2 etherchannel between both and it allows all VLANs , when all access ports in VLAN x in any MLS got down SVI is always up although all access ports are down and that is normal due to trunk ports always all VLANs .

so is there any command to bind SVI status to access ports status only so when access port got down , SVI got down also ?

best regards
--Ibrahim
Re: [c-nsp] Sup720 Errors - Revisited
Hi Paul

I think it is a physical problem with this chassis, may be due to the position or electrical conditions causes some sort of biasing for memory ASIC and leads to this reload loop

you can start check chassis position, electrical isolation, grounding and supply and temperature, and if it didn't work, might be persistent problem with backplane

best regards
--Ibrahim

On Sat, May 9, 2009 at 9:51 PM, Paul Stewart p...@paulstewart.org wrote:

Hi folks.

I posted about this before and was told it was either bad memory or bad sup cards.. Have a pair of 7606's with sup720-3bxl . these errors occur on one system and not the other. To top it off, we got these same errors showing up a couple of times now on 6509 with sup2/msfc2 recently..

May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-ERROR: Error condition detected: TM_DATA_PARITY_ERROR
May 9 07:16:21: %SYSTEM_CONTROLLER-SP-STDBY-3-EXCESSIVE_RESET: System Controller is getting reset so frequently

Both 7606 chassis are running 12.2(33)SRA7 and this also occurred when they were running SXF train. We have many 6500's and only one of them so far has exhibited the same errors and it is running 12.2(18)SXF16

Just looking for thoughts. we swapped spare supervisors between the 7600 showing issues and the one that doesn't log any errors, kicked it over and still see these issues.. Bad chassis?? Are these errors critical in nature or more just informative?

Thanks for your time,

Paul
Re: [c-nsp] The mechanics of SSO
Hi Ross

actually i can't get, if SUP running SSO, why you think configuration will be loaded from active to standby during switchover ? ! SSO maintains control plane and data plane resiliency and both SUP have active IOS image and synchronized configuration

best regards
--Ibrahim

On Wed, May 6, 2009 at 11:50 PM, Ross Vandegrift r...@kallisti.us wrote:

On Wed, May 06, 2009 at 04:39:40PM -0400, Jared Mauch wrote:

I would recommend trying to get the devices on SXF16 or SXI1 if possible. You may need to send a break and interrupt the boot process on one (hope you have good OOB and know how to do this).

What do you mean you may need to send a break and interrupt the boot process on one? I mean, I know how to do that, and know why I might under a variety of conditions, but what circumstances are you referring to?

We've been stuck on SXF because of the CSM, but after hitting this bug, we'll be spinning up our CSMs in a spare chassis just so we can avoid the bug that started the whole damn thing.

This also reinforces the reason some people do not run dual processor systems. They sometimes fail in really bad ways.

Indeed, though honestly, it was no worse than the reboot time we'd see from a single SUP. And it has saved me before. I can imagine that others may have seen much worse from dual SUPs :)

--
Ross Vandegrift r...@kallisti.us
If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher. --Woody Guthrie
Re: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
Dear Jason

I think ATM cell tax will be about 13% on average based on the following

ATM cell tax is composed of 2 parts

1- ATM over-header (5 bytes for each 53 byte cell and that is a fixed percent)
2- cell padding which depends packet distribution

so ATM overhead will be 5/53 = ~ 4% and cell padding can be calculated as: IP Packet size is 690 bytes, will be padded with 30 bytes and transported as 720 bytes (15 cell x 48 payload size), so padding percentage will be ~ 9% (30 / 720)

so overall ATM cell tax will be 13% based on the given packet size and for sure it will vary for other packet size values

best regards
--Ibrahim

On Thu, Apr 16, 2009 at 12:35 AM, Jason Lixfeld ja...@lixfeld.ca wrote:

On 15-Apr-09, at 2:58 PM, Lamar Owen wrote:

Incidentally, the 'show fabric' undocumented command shows internal latencies across the fabric.

Highest latency on the fabric is 84ms, over two months ago.

The ATM SAR tax may be hitting you, too.

Not being an ATM guru, I hope someone will clue-bat me if I get too far gone with my calculations below...

An ATM cell payload is 48 bytes long. On top of each cell, there's a 5 byte ATM header. If my average packet size is 690 bytes, one packet would be stuffed into 15 cells. Each of those 15 cells would have an additional 5 bytes of overhead for the header. So, 5 bytes header for 15 cells = 75 bytes per 1 690 byte packet = 765 bytes/6120 bits.

At the time the sample was taken, I was pulling in 27131pps over my two GSR ATM interfaces and pushing 32478pps over the same two interfaces. If my cell tax calculations are right, that would equal 166041720bps in and 198765360bps out across the GSR, but equally importantly, that would equal the same amount being put over the OC12 to Toronto.

Correct me if I'm wrong, but based on this estimation, ATM cell tax wouldn't be an issue, would it?
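The cell-tax arithmetic discussed in this thread, generalized to any packet size, as an added example that is not part of the original messages. It assumes AAL5 framing (8-byte trailer) and, optionally, the 8-byte RFC 2684 LLC/SNAP header, neither of which the thread mentions; the function and field names are hypothetical.

```python
"""ATM cell tax for IP packets carried over AAL5 (added example)."""

CELL_BYTES = 53                               # one ATM cell on the wire
HEADER_BYTES = 5                              # ATM cell header
PAYLOAD_BYTES = CELL_BYTES - HEADER_BYTES     # 48 payload bytes per cell
AAL5_TRAILER = 8    # assumption: AAL5 CPCS trailer, not mentioned in the thread
LLC_SNAP = 8        # assumption: RFC 2684 LLC/SNAP header for routed IP


def cell_tax(packet_bytes, llc_snap=False, aal5_trailer=True):
    """Return how one IP packet maps onto ATM cells.

    'fill_bytes' is everything in the cell payloads that is not the IP
    packet itself: encapsulation header, AAL5 trailer and padding.
    """
    if packet_bytes <= 0:
        raise ValueError("packet_bytes must be positive")
    pdu = packet_bytes
    if llc_snap:
        pdu += LLC_SNAP
    if aal5_trailer:
        pdu += AAL5_TRAILER
    cells = -(-pdu // PAYLOAD_BYTES)          # ceiling division
    wire = cells * CELL_BYTES
    headers = cells * HEADER_BYTES
    fill = cells * PAYLOAD_BYTES - packet_bytes
    return {
        "cells": cells,
        "wire_bytes": wire,
        "header_bytes": headers,
        "fill_bytes": fill,
        "header_share": headers / wire,       # fixed at 5/53
        "fill_share": fill / wire,            # varies with packet size
        "tax": (wire - packet_bytes) / wire,  # total overhead on the wire
    }


def wire_bps(pps, packet_bytes, **opts):
    """Bits per second on the ATM link for a given packet rate and size."""
    return pps * cell_tax(packet_bytes, **opts)["wire_bytes"] * 8


def tax_table(sizes, **opts):
    """One (size, cells, wire_bytes, tax) row per packet size."""
    rows = []
    for size in sizes:
        r = cell_tax(size, **opts)
        rows.append((size, r["cells"], r["wire_bytes"], round(r["tax"], 3)))
    return rows


if __name__ == "__main__":
    # Packet size and packet rates quoted in the thread.
    r = cell_tax(690)
    print("690-byte packet: %d cells, %d bytes on the wire, tax %.1f%%"
          % (r["cells"], r["wire_bytes"], 100 * r["tax"]))
    print("  header share %.1f%%, fill share %.1f%%"
          % (100 * r["header_share"], 100 * r["fill_share"]))
    for pps in (27131, 32478):
        print("  %d pps -> %d bps" % (pps, wire_bps(pps, 690)))

    # Small packets are where the tax bites: one extra byte of
    # encapsulation can cost a whole additional 53-byte cell.
    for label, opts in (("AAL5 only", {}), ("AAL5 + LLC/SNAP", {"llc_snap": True})):
        print(label)
        for row in tax_table([40, 64, 576, 690, 1500], **opts):
            print("  size %4d  cells %2d  wire %4d  tax %.3f" % row)
```

Run against a measured packet-size distribution rather than a single average, the same function gives the weighted tax for a real traffic mix.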
[c-nsp] stateful dynamic traffic forwarding solution
Hi All

I am looking for IOS feature or solution can do the following: there are 2 hosts A and B from the same subnet, when host A connects to host B, router should forward traffic to next-hop X, while when host B connects to A, router should forward traffic to next-hop Y

both A and B are random IPs from the same subnet and X and Y are fixed next-hop

is there any kind of dynamic access-list can be used in PBR so ACL-AB forward traffic to X and a reverse version created automatically ACL-BA forwards the traffic to Y ? can that be done with FW or ASA instead of router ? or can that be done using content switch or content networking feature ?

your suggestions are highly appreciated.

best regards
--Ibrahim
[c-nsp] default route and PBR set ip next-hop
Hi All

I was checking when routers PBR traffic to certain NH, it checks if NH route exists in routing table or not; if exist, traffic is PBR and if not traffic is normally routed

so my question is, if there is a default route, will it considered a valid route to reach the specified NH or this check depends on specific routes ?

best regards
--Ibrahim
[c-nsp] Multicast RPF check and unicast default route
Hi All

i have a question about multicast RPF check that checks routing table for source address and ensure traffic incoming interface is the same as route next hop

does this check supports default routes ? is there a feature like allow-default used in uRPF ?

best regards
--Ibrahim
Re: [c-nsp] Multicast RPF check and unicast default route [7:134602]
yes Rohyans that what i mean but my question is that work with multicast RPF check or works for unicast only ?

best regards
--Ibrahim

On Sat, Mar 7, 2009 at 6:30 PM, Rohyans, Aaron arohy...@dpsciences.com wrote:

I believe you're referring to:

interface fastEthernet 0/0
 ip verify unicast source reachable-via any

...this allows the router to use the default route for Reverse Path check.

Hope this helps,

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IDS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 348-0099
Fax: (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

-Original Message-
From: nob...@groupstudy.com [mailto:nob...@groupstudy.com] On Behalf Of Ibrahim Abo Zaid
Sent: Saturday, March 07, 2009 10:11 AM
To: ci...@groupstudy.com
Subject: Multicast RPF check and unicast default route [7:134602]

Hi All

i have a question about multicast RPF check that checks routing table for source address and ensure traffic incoming interface is the same as route next hop

does this check supports default routes ? is there a feature like allow-default used in uRPF ?

best regards
--Ibrahim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=134602t=134602
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
[c-nsp] rotary-like dynamic NAT pool
Dear All

i was searching for dynamic NAT technology that utilize the NAT pool in rotary fashion for inside source addresses like rotary NAT technology does for destination addresses

best regards
--Ibrahim
[c-nsp] CCIE Lab tools
Hi All

I have a question about CCIE Lab exam. We heard many stories about some exam trick and IOS bugs which causes technologies to fail and losing point, so is there any tool available in the exam to identify if there is IOS bug cause this problem ?

i know there is documentation tool but that states technologies configuration task list not technologies interworking problems ?

best regards
--Ibrahim
Re: [c-nsp] Mpls Troubleshooting Question
sorry as both sites have different networks so you can't use this technology

On Tue, Feb 24, 2009 at 9:54 AM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi Rocker

that doesn't seem to me as MPLS VPN topology as both PE1 interfaces to CE1 and CEZ are non-MPLS interfaces, it is much like local-switching scenario

try using CONNECT command

best regards
--Ibrahim

On Tue, Feb 24, 2009 at 2:11 AM, Rocker Feller rocker.rockerfel...@gmail.com wrote:

Hi,

My full scenario

CE1 --- PE1 --- PE2 - CEZ

On the PE1 interface I have a tunnel to CEZ . nb: PE2 is not mpls enabled.

CEZ has a ptp link to PE2 LSP - tunnel is up from PE1--- CEZ and I can reach the CEZ router via the tunnel ptp.
- from the CEZ lan CE1 lan is reachable.

It is only from the CE1 router and from the PE1 that I cannot reach CEZ lan.

Please note this customer has 6 other branches which are working well.

Thanks

On Tue, Feb 24, 2009 at 1:11 AM, schilling schilling2...@gmail.com wrote:

check no ip unreachable on the PE interface? I got bite once.

verify the LSP? Ivan's blog for rescue :-)
http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks

Schilling

On Mon, Feb 23, 2009 at 4:51 PM, Rocker Feller rocker.rockerfel...@gmail.com wrote:

Hi,

I work in an ISP environment and in it I found developed MPLS delivering ip vpns. There is one client with 5 branches. All work fine except for 1.

This is the scenario. The default route is derived from the corporate office (HQ). Its network range is 172.16.0.0/16

Say branch with problem is branch Z, ip range is 172.16.7.0/24

From Z Lan I can ping HQ Lan ok

ping 172.16.1.1 source 172.16.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.7.1
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms

From HQ I cannot ping Z apart from reaching the Z router.the lan

ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms

Any other connections are dropped from branch Z router

A trace reveals packets are dropped from the main MPLS PE router. The PE router can reach the CE router but not any pc behind it.

Your input appreciated

Regards
Rocker
Re: [c-nsp] Mpls Troubleshooting Question
Hi Rocker

That doesn't seem to me to be an MPLS VPN topology, as both PE1 interfaces to CE1 and CEZ are non-MPLS interfaces. It is much like a local-switching scenario; try using the CONNECT command.

best regards
--Ibrahim

On Tue, Feb 24, 2009 at 2:11 AM, Rocker Feller rocker.rockerfel...@gmail.com wrote:

Hi,

My full scenario

CE1 --- PE1 --- PE2 - CEZ

On the PE1 interface I have a tunnel to CEZ. nb: PE2 is not mpls enabled. CEZ has a ptp link to PE2

LSP - tunnel is up from PE1--- CEZ and I can reach the CEZ router via the tunnel ptp.
- from the CEZ lan CE1 lan is reachable.

It is only from the CE1 router and from the PE1 that I cannot reach CEZ lan. Please note this customer has 6 other branches which are working well.

Thanks

On Tue, Feb 24, 2009 at 1:11 AM, schilling schilling2...@gmail.com wrote:

check no ip unreachable on the PE interface? I got bitten once.
verify the LSP?
Ivan's blog for rescue :-) http://wiki.nil.com/PE-to-PE_troubleshooting_in_MPLS_VPN_networks

Schilling

On Mon, Feb 23, 2009 at 4:51 PM, Rocker Feller rocker.rockerfel...@gmail.com wrote:

Hi,

I work in an ISP environment and in it I found developed MPLS delivering ip vpns. There is one client with 5 branches. All work fine except for 1.

This is the scenario. The default route is derived from the corporate office (HQ). Its network range is 172.16.0.0/16. Say branch with problem is branch Z, ip range is 172.16.7.0/24.

From Z Lan I can ping HQ Lan ok

ping 172.16.1.1 source 172.16.7.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.7.1
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/29/36 ms

From HQ I cannot ping Z apart from reaching the Z router. the lan

ping 172.16.7.1
PING 172.16.7.1 (172.16.7.1) 56(84) bytes of data.
64 bytes from 172.16.7.1: icmp_seq=0 ttl=253 time=19.8 ms

Any other connections are dropped from branch Z router. A trace reveals packets are dropped from the main MPLS PE router. The PE router can reach the CE router but not any pc behind it.

Your input appreciated

Regards
Rocker
[c-nsp] IOS Trains differences
Hi All

I'd like to know the differences between IOS trains according to your experiences with them: SXI, SXH, SXF and SXD

best regards
--Ibrahim
Re: [c-nsp] IOS Trains differences
Thanks all for your replies, but my question was about the major differences, like: does each train run over specific platforms? standard supported feature sets? recommended deployment scenarios, SP, Data center, etc.

On Thu, Feb 19, 2009 at 2:58 PM, Mark Mckillop (mmckillo) mmcki...@cisco.com wrote:

Hi Ibrahim,

I suggest you check out Feature Navigator: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp (CCO Login Needed)

You can do a comparison of different trains of code to see which features are overlapping and which are unique to each image. One very useful thing is the ability to compare the feature sets, Base / Services / Advanced Enterprise etc.

Mark.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: 19 February 2009 10:43
To: Ibrahim Abo Zaid
Cc: ci...@groupstudy.com; cisco_nsp
Subject: Re: [c-nsp] IOS Trains differences

On Thu, Feb 19, 2009 at 10:34:06AM +, Ibrahim Abo Zaid wrote:

Hi All I'd like to know the differences between IOS trains according to your experiences with them: SXI, SXH, SXF and SXD

Age.

Seriously though, that's a big question. Can you narrow it down a bit?

If you really do want to know all the differences I suggest you google:

site:cisco.com 12.2sx release notes

...and spend an hour poring over the SX release notes, which document in great detail the new software and hardware features of each release.

But ignore SXD - there's no reason to be running it, it's years and filled with bugs.
[c-nsp] VRF-Lite and VRF Source-select
Hi All

I was reading about the VRF Source-select feature and want to know: is this supported with VRF-Lite or does it need an MPLS-VPN backbone?

best regards
--Ibrahim
Re: [c-nsp] AToM Lab Problem
Dear All

Many thanks for your replies -:) I think now I have to rent a rack to finish that -:)

best regards
--Ibrahim

On Thu, Feb 5, 2009 at 2:47 AM, Antonio Soares amsoa...@netcabo.pt wrote:

There's another problem: ATM AAL5 over MPLS and ATM Cell Relay over MPLS are not supported with the PA-A1, the only ATM interface supported by Dynamips.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/atom25s.html#wp1068980

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Wayne Lee
Sent: Wednesday, 4 February 2009 21:11
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] AToM Lab Problem

On Wed, Feb 4, 2009 at 8:51 PM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi All

I was labbing an AToM scenario and use IOS 12.2(33)SRC for the ATM AAL5 and ATM Cell-relay features, but I can't get dynamips to run this image; it always results in

*** Error: 209-unable to start VM instance

error messages. Has anybody labbed this feature using a different image, or does anybody know how to fix this error message?

complete image name c7200p-spservicesk9-mz.122-33.SRC3_3.bin

best regards
--Ibrahim

I used the following in my .net file to get a p image to work

[localhost:7201]
workingdir = /tmp
udp = 10100
    [[7200]]
    image = /home/dynamips/c7200-spserv.image
    ghostios = True
    # sparsemem = True
    npe = npe-g2

Wayne
[c-nsp] AToM Lab Problem
Hi All

I was labbing an AToM scenario and use IOS 12.2(33)SRC for the ATM AAL5 and ATM Cell-relay features, but I can't get dynamips to run this image; it always results in

*** Error: 209-unable to start VM instance

error messages. Has anybody labbed this feature using a different image, or does anybody know how to fix this error message?

complete image name c7200p-spservicesk9-mz.122-33.SRC3_3.bin

best regards
--Ibrahim
Re: [c-nsp] network connection tool
Hi All

Thanks all for your kind replies. I checked these tools and I think hping can do it, but is there any front-end interface tool for this great tool hping?

best regards
--Ibrahim

On Thu, Jan 22, 2009 at 4:49 PM, Jorge Evangelista netsecured...@gmail.com wrote:

Hi,

Not sure what you are looking for, but you could use ossec, it is a hids. http://www.ossec.net/

On Thu, Jan 22, 2009 at 3:51 AM, Dave Kruger dave.kru...@za.verizonbusiness.com wrote:

also see hping: http://www.hping.org/

hth
Dave

Andrew Gristina wrote:

netcat
http://siliconrust.blogspot.com/2006/04/what-do-you-do-to-emulate-server.html
Quick tutorial on how to emulate a server. I guess that is what you are asking.

On Wed, Jan 21, 2009 at 12:46 PM, Ibrahim Abo Zaid ibrahim.aboz...@gmail.com wrote:

Hi All

I want to know if there is any network connectivity tool that can be configured to respond on a specific TCP/UDP port number? Sometimes we modify our security policy in FWs but the application level still has a problem, so we need to use this tool, configure it to respond on the application port (that will be different for each application) and try some sort of ping or connect-attempt across the FW to isolate whether it is a FW problem or an application problem.

Is there any tool out there that can help with that?

best regards
--Ibrahim Abo Zaid

--
The network is the computer
[c-nsp] network connection tool
Hi All

I want to know if there is any network connectivity tool that can be configured to respond on a specific TCP/UDP port number? Sometimes we modify our security policy in FWs but the application level still has a problem, so we need to use this tool, configure it to respond on the application port (that will be different for each application) and try some sort of ping or connect-attempt across the FW to isolate whether it is a FW problem or an application problem.

Is there any tool out there that can help with that?

best regards
--Ibrahim Abo Zaid
[c-nsp] MPLS Label question
Hi All

MPLS Label Untag removes all labels from MPLS packets and sends them as native IP packets. My question is: will packets with the untag label be sent over an IP interface, not an MPLS interface, and does a FIB lookup occur for prefixes with this tag?

best regards
--Ibrahim
[c-nsp] MPLS VPN Problem - EoS conflict
Hi All

I was implementing an MPLS VPN topology and by mistake I configured the PE-LP used for MP-BGP peering with a wrong mask, /24 instead of /32 (remote PE-LP mask is /32). By T.S, I discovered that the P router upstream of this PE was dropping incoming MPLS packets with the below error message

tagsw_replace_header: Pkt drop -- EoS conflict, incg label 18 hwinput Fa0/0

discovering FIB

3#sh mpls forwarding-table | in 18
18 Untagged 150.1.3.3/32 1230 Se0/1 point2point

So when the mask was /24, the PE advertised the label as an untag label, so incoming traffic over the MPLS interface will be converted to IP traffic and, looking up in the LFIB, it will forward it down the MPLS interface to the PE as a native IP packet while it should be an MPLS packet with label-3.

I need to know why that happens. Does LDP-Adv tell the S-bit setting in incoming packets according to label type?

BTW, the problem was solved after changing the LO mask to /32 and it has been advertised as Imp-Null

18 Pop tag 150.1.3.3/32 0 Se0/1 point2point

Your responses are highly appreciated

best regards
--Ibrahim
[c-nsp] VPLS Question
Dear All

I have a small question about VPLS: are MAC addresses of remote CE hosts learned from the remote PE assigned the same VC label at the local PE, or does each MAC address have a VC label assigned, or does each CE VLAN have the same VC label?

best regards
--ibrahim
[c-nsp] IOS
Dear All

I have a question about an IOS command and I can't find a lot of documentation about it. The command is *service internal* from global configuration mode. I can see it provides extra show and debug commands, but like what? When should it be used?

thanks for help
--Ibrahim Abo Zaid
[c-nsp] Strange behavior of Catalyst 6509
Hi All

We had a Cat 6509 running the 12.0(7)XE1 image on the MSFC. We faced a strange behavior: all servers and clients connected to a VLAN can't exchange any packet size exceeding a certain limit, although no configuration is used to limit that and no IP reachability problem exists. The problem was solved after deleting the VLAN SVI and creating it again.

Does anyone have any idea what the problem can be? I searched IOS bugs and can't find any bug with these symptoms.

thanks
--Ibrahim
[c-nsp] hierarchical MPLS VPN
Hi All

I have a small question about the setup of hierarchical MPLS VPN (carrier-of-carriers VPN). The customer carrier will establish MP-iBGP sessions between its PEs directly to exchange VPNv4 routes, and all LDP or BGP between the customer carrier CE and the backbone provider PE to exchange IPv4 routes and labels.

My question is: I believe there will be some command needed at the backbone provider PE to enable carrier-of-carriers support and allow the PE to tag incoming labeled packets with a double label based on 2 lookups, a lookup for the incoming label and a lookup for the NH network. In Juniper, this feature is supported by the *mpls topology-driven-lsp* command; what about Cisco IOS?

best regards
--Ibrahim Abo Zaid
Re: [c-nsp] Interface Queues
Hi Rodney

Thanks for your reply. I think this isn't specific to a given platform but it is common on low-end CE routers, especially with serial interfaces.

best regards
--Ibrahim

On Sun, Jul 27, 2008 at 9:49 PM, Rodney Dunn [EMAIL PROTECTED] wrote:

On what platform?

On Sat, Jul 26, 2008 at 06:05:49PM +0300, Ibrahim Abo Zaid wrote:

Hi All

I am a bit confused between the interface queues that can be configured using tx-queue-limit and hold-queue. What is the difference between these queues?

Appreciate your replies.

best regards
--Ibrahim
[c-nsp] Interface Queues
Hi All

I am a bit confused between the interface queues that can be configured using tx-queue-limit and hold-queue. What is the difference between these queues?

Appreciate your replies.

best regards
--Ibrahim
Re: [c-nsp] giant packets troubleshooting
Dear Palis

Check the interface MTU configuration and its default state on both sides.

best regards
--Ibrahim

On Tue, Jul 15, 2008 at 9:22 AM, Michalis Palis [EMAIL PROTECTED] wrote:

On one link for example where we have an etherchannel between a GSR and a 4510 switch, we see a lot of giant packets on the router side and no giant packets on the switch side

- Original Message -
From: Pavel Skovajsa [EMAIL PROTECTED]
To: Michalis Palis [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Tuesday, July 15, 2008 9:09 AM
Subject: Re: [c-nsp] giant packets troubleshooting

Just to be aware, there has been a cosmetic bug on many cisco platforms two years ago that classified all dot1q trunked frames as giants. The way to verify this is by looking whether you don't see giants on all trunk ports.

Pavel

On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis [EMAIL PROTECTED] wrote:

Hello all

I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?

All responses will be appreciated.
Re: [c-nsp] BGP auto-summary [7:131926]
Hi Ajay

If auto-summary is enabled with a classful network command, all specific routes will be summarized to the class boundary, so for the below example only 10.0.0.0/8 will be advertised.

best regards
--Ibrahim

On Mon, Jul 14, 2008 at 8:39 PM, Ajay Chenampara [EMAIL PROTECTED] wrote:

Hi,

I was reading the wendell-odom exam guide and have the following doubt: When auto-summary is enabled in bgp and the network command has only a classful network, what happens if the router has more specific routes?

eg: ip routing table has routes to 10.10.10.0/24, 10.20.0.0/16

router bgp 1
 network 10.0.0.0
 auto-summary

what will the bgp table contain? will it just be the summary route?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=131926t=131926
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
[c-nsp] BGP route-orgination
Dear All

I just want to share a point with you: if we use the network command to originate a BGP route, the route NH will be automatically set to the local BGP router-id, while if we use redistribution the route preserves its NH independent of the local router-id, so next-hop-self should be used.

Is that completely right or does it depend on the IOS version?

best regards
--Ibrahim
[c-nsp] Frame-relay broadcast queue
Dear All

I was reading about the Frame-relay broadcast queue, which reserves by default 25% of PVC CIR and takes precedence over normal traffic as it queues routing updates. By default, 25% of interface bandwidth is reserved for control traffic; is this reserved bandwidth the broadcast queue?

Your comments are highly appreciated.

best regards
--Ibrahim
[c-nsp] RIP Sanity check
Hi All

I have a question about the RIP sanity check and FR hub and spoke topology. When exchanging routing updates between spokes through the hub, the hub relays the updates, it does not re-generate them, so these updates are discarded at the spokes due to the sanity check, and so it needs to be disabled on the spoke interfaces. Is that right?

Your answers are highly appreciated.

best regards
--Ibrahim
Re: [c-nsp] ICMP PAT
Oliver

Many thanks for this info. I really appreciate that :)

best regards
--Ibrahim

On Mon, Jun 16, 2008 at 10:33 AM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ibrahim,

sorry for the delay. I checked with NAT folks, and the ICMP ALG behaviour is not as described in this link, it says sequence number while it should say identifier. So IOS only creates a single flow for continuous pings (ping -s foo), but creates multiple flows if you execute ping multiple times (as the identifier changes)..

oli

Ibrahim Abo Zaid mailto:[EMAIL PROTECTED] wrote on Tuesday, June 03, 2008 11:24 PM:

Hi Oli

I read that @ http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html

best regards
--Abo Zaid

On Tue, Jun 3, 2008 at 7:03 PM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ibrahim Abo Zaid wrote on Tuesday, June 03, 2008 10:46 AM:

Hi All

According to Cisco docs, if ICMP PAT is configured, ICMP packet sequence numbers are associated to ports in the NAT table, which means continuous traffic between a source and a destination can create up to 65535 entries in the NAT table !!! Is that right, 65K entries for a single flow?

no, a continuous ping creates a single entry in the NAT table (just checked).. where did you read the above?

oli
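A simplified model of the behaviour Oliver describes, as an added example that is not part of the thread and is not IOS code: a PAT table keyed on the ICMP echo identifier holds one entry for a continuous ping, where keying on the sequence number would create one entry per packet. The class name, table layout, starting outside identifier and sample addresses are assumptions, and the packets are constructed.

```python
import struct

ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident, seq, payload=b"constructed-sample"):
    """Build an ICMP echo request: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_request(packet):
    """Return (identifier, sequence) after validating type, code and checksum."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ != ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request")
    if icmp_checksum(packet) != 0:   # a valid message sums to zero
        raise ValueError("bad checksum")
    return ident, seq


class IcmpPatTable:
    """Toy PAT table for ICMP echo (an assumption, not the IOS data structure).

    key_field selects which header field plays the role of the port:
    'identifier' (what the thread says IOS uses) or 'sequence' (what the
    white paper's wording implied).
    """

    def __init__(self, key_field="identifier", first_outside_id=1024):
        if key_field not in ("identifier", "sequence"):
            raise ValueError("key_field must be 'identifier' or 'sequence'")
        self.key_field = key_field
        self.entries = {}            # (inside, dest, field value) -> outside id
        self._next_id = first_outside_id

    def translate(self, inside_ip, dest_ip, packet):
        """Create or reuse an entry; return the packet with the outside id."""
        ident, seq = parse_echo_request(packet)
        field = ident if self.key_field == "identifier" else seq
        key = (inside_ip, dest_ip, field)
        if key not in self.entries:
            self.entries[key] = self._next_id
            self._next_id += 1
        return build_echo_request(self.entries[key], seq, packet[8:])


def run_ping(table, ident, count, inside="10.0.0.5", dest="198.51.100.9"):
    """One ping run: fixed identifier, sequence number rising per packet."""
    return [table.translate(inside, dest, build_echo_request(ident, seq))
            for seq in range(count)]


if __name__ == "__main__":
    by_id, by_seq = IcmpPatTable("identifier"), IcmpPatTable("sequence")
    run_ping(by_id, 0x1234, 5)
    run_ping(by_seq, 0x1234, 5)
    print("one run, keyed on identifier:", len(by_id.entries))
    print("one run, keyed on sequence:  ", len(by_seq.entries))
    run_ping(by_id, 0x1235, 5)       # ping started a second time
    print("two runs, keyed on identifier:", len(by_id.entries))
```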
Re: [c-nsp] IGP iBGP Configuration Problem in Transit AS
Hi Vira

The simplest solution for both problems I can think of is GRE tunnels between A, G, H headed at A, which will act as RR as well.

best regards
--Ibrahim

On Mon, Jun 16, 2008 at 12:20 PM, Vira W [EMAIL PROTECTED] wrote:

Hi Cisco gurus,

I have a network topology in this URL: http://www.4freeimagehost.com/show.php?i=3f0ac19164c9.png

My first problem is in IGP configuration inside AS 100. I'm using OSPF. I'm still confused how to make the non-BGP routers (C,E,B,D) understand how to route the packets transiting this AS. I have tried default route advertisement via OSPF, but since AS 100 is multihomed, there is still a chance looping happens there. How to configure it properly, without redistributing BGP routes into OSPF?

Second, I understand that iBGP inside AS 100 needs to be configured in mesh topology. Otherwise, use route reflector or confederation. But, if I use route reflectors, I'm confused because the route reflectors themselves must be meshed; on the other side, from the physical topology (as in the picture), there is no router that is connected in mesh. So, which router should I choose as RR? Then, if I choose BGP confederation, still inside the sub-AS the routers must be connected in mesh topology, which is impossible from the topology.

So guys, what is your suggestion for my problem in IGP and iBGP configuration inside AS 100? I've read many books about BGP, particularly about transit AS, but their examples are always simple networks. I have found no complex case study network similar to my topology.

Thanks a lot. Every your comment, suggestion, criticism, will be very much appreciated.
[c-nsp] Split Horizon defaults
Hi All

I was reading about RIP route summarization, which requires split horizon to be disabled in order to advertise summaries (auto or interface summaries), but as I know split horizon is enabled or disabled by default based on interface type, so I want to know the default settings of split horizon under different interface types.

thanks for help
--Ibrahim
Re: [c-nsp] eBGP via loopback
Also I want to draw attention that when establishing eBGP over loopback it will need ebgp multihop to be configured as well, because the default TTL over directly connected interfaces is 1 and in the case of loopback it is reachable over just a single hop.

Some IOS versions default multihop to 255, so the neighbor loopback can be reachable by any route, not just the directly connected link, which causes sub-optimal routing or routing loops, so you need to configure ebgp multihop x where x is the actual IP hops to the neighbor.

best regards
--Ibrahim

On Fri, Jun 13, 2008 at 6:07 PM, Steve Bertrand [EMAIL PROTECTED] wrote:

Aaron wrote:

Did you setup ebgp multihop since you are doing peering to the loopbacks?

Yes.

Curious on why you would want to use the loopback instead of the interface for ebgp. Definitely not the recommended way unless you are trying to load balance on multiple links.

Here is my (slightly edited) response to someone else who emailed me off-list:

To be honest, the loopback over eBGP was not an intended design goal. It just so happened that I had this particular router in an iBGP mesh (lab environment), and realized I wanted to push the router to a remote location and gain practical experience on how to conceptually implement a no-export community for a private ASN.

I overlooked the loopback addresses when I put the router in its own AS, due to the fact the PtP addresses did not need to change. I just threw in the ebgp-multihop blindingly instead of renumbering the neighbors and the update-source.

Most likely, I would not have even paid any attention to the configuration until later review if I hadn't have had the packet loss problem.

---

For the sake of completeness, the router that was swallowing the packets is running Quagga on FreeBSD. I had forgotten to set the ip.forwarding sysctl variable to true.

Steve
Re: [c-nsp] ICMP PAT
Hi Oli

I read that @ http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html

best regards
--Abo Zaid

On Tue, Jun 3, 2008 at 7:03 PM, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ibrahim Abo Zaid wrote on Tuesday, June 03, 2008 10:46 AM:

Hi All

According to Cisco docs, if ICMP PAT is configured, ICMP packet sequence numbers are associated to ports in the NAT table, which means continuous traffic between a source and a destination can create up to 65535 entries in the NAT table !!! Is that right, 65K entries for a single flow?

no, a continuous ping creates a single entry in the NAT table (just checked).. where did you read the above?

oli
Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.
Hi Drew

When you shut the peering with a neighbor, the routes received from this neighbor are withdrawn from both the BGP and IP routing tables, so traffic will take other available routes, so it is normal that the traffic over the trunks will drop and hence ICMP traffic will find room.

But the question here: are these links congested or not? Is there any QoS policy prioritizing IP traffic over ICMP traffic? Is locally originated ICMP traffic process switched or CEF? Does IOS have a default policy lessening ICMP priority for the sake of IP/TCP/UDP traffic, especially in such high-end gear?

So you need to see the traffic level before and after peering shutdown and discuss IOS and QoS issue possibilities.

best regards
--Abo Zaid

On 4/29/08, Drew Weaver [EMAIL PROTECTED] wrote:

Hi there,

I've seen this a few times in the past and it's always been chalked up to a line or upstream issue, but a couple of times I've noticed that if I do a ping ip with say 1000 repeats of size 100 I'll hit maybe 60% loss on circuits which have BGP neighbors, but if I shutdown the BGP neighbor and repeat the test the circuit is clean.

I am trying to find a 'definitive' way to determine whether or not the issue is that:

A) When I shutdown BGP the traffic on the line dropped to a level in which the circuit or the device on the other end could actually handle it.

B) My Router/Line card could handle sending the ICMP because I shut down the BGP session on the circuit.

The circuit sizes have ranged from a POS (622Mbps) and a Gig-E. So two different types of line cards (this is a GSR), so I did a 'show ip cef resources' and it's all 'G' so I assume that means I am not pushing the line cards too hard.

I'm assuming the issue is A but I'd like a way to really know for certain, any thoughts?

-Drew
Re: [c-nsp] MPLS MTU and Jumbo frames
Hi Alaerte

The answer depends on your hardware platform and the IOS used, so send us your cisco gear show version.

best regards
--Abo Zaid

On 4/26/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

Any restriction regarding enabling MPLS MTU when using ethernet frames of up to 1548 bytes (data, without considering MPLS tag and Ethernet headers)? (besides using MPLS MTU less than or equal interface MTU)

Tks,
Alaerte
Re: [c-nsp] MPLS MTU and Jumbo frames
Hi Alaerte

Yes, for 2950 the maximum transported frame size can't exceed 1530 (baby-giant frame), and that applies to some 2950 running EI images and the LRE and 2955 series, not to the standard image.

For 3350, both Fastethernet and Giga cover your maximum of 1548.

And for PE/P routers, I believe both series cover that size for Giga interfaces and most IOS 12.4 trains, and you can test it with the interface command mpls mtu, which overrides the interface physical MTU.

best regards
--Abo Zaid

On 4/27/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi Zaid,

There are a mix - 7609/12410 on the P/PE, and on access (before MPLS), 3550 and 2950. I saw that 2950 has limitation on the maximum frame size:

2950G(config)#*system mtu ?*
  1500-1530  MTU size in bytes

tks,
Alaerte

--
*From:* ext Ibrahim Abo Zaid [mailto:[EMAIL PROTECTED]
*Sent:* Sunday, April 27, 2008 3:51 AM
*To:* Vidali Alaerte (NSN - BR/Rio de Janeiro)
*Cc:* cisco-nsp@puck.nether.net
*Subject:* Re: [c-nsp] MPLS MTU and Jumbo frames

Hi Alaerte

The answer depends on your hardware platform and the IOS used, so send us your cisco gear show version.

best regards
--Abo Zaid

On 4/26/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi,

Any restriction regarding enabling MPLS MTU when using ethernet frames of up to 1548 bytes (data, without considering MPLS tag and Ethernet headers)? (besides using MPLS MTU less than or equal interface MTU)

Tks,
Alaerte
Re: [c-nsp] 2801 bandwidth limiting
Hi Dan

add bandwidth 100 command under the ethernet interface terminates this connection and shaping should work , we'll need shaping instead of policing

best regards
--Abo Zaid

On 4/25/08, Dan Letkeman [EMAIL PROTECTED] wrote:

Luan, I have tried this, but it doesn't seem to take effect. My connection is on an HWIC-4ESW. Could that be a problem? If I use police cir 1000 it works and seems to take effect.

Thanks, Dan.

On Thu, Apr 24, 2008 at 7:27 PM, Luan Nguyen [EMAIL PROTECTED] wrote:

I would say you need to use CBWFQ for this. Create an ACL match everything or whatever interested you out of your network and assigned to a class-map, then create a policy map

policy-map out
 class out
  bandwidth 10M
  shape peak 13M
interface WAN
 service out out

-lmn

On Thu, Apr 24, 2008 at 6:48 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

Bizarre response. It just so happens that it's a shared connection and there is more than 10 available now, and will be getting 20+ in the future. :)

On Thu, Apr 24, 2008 at 5:23 PM, Adam Armstrong [EMAIL PROTECTED] wrote:

Dan Letkeman wrote:

Hello, We have changed our internet connection over from 4 dsl lines to one connection. We have a 25mbit connection provided by a neighboring company and we have an agreement with them that we will only use 10mbit bursting to 12 or 13mbit. What would I need to do on our 2801 to limit our bandwidth to 10 bursting to 13?

What a bizarre arrangement! If you had just taken 10mbit you could have just done speed 10 :)

adam.
Re: [c-nsp] GbE over SDH
Hi MKS

does your EOS ESP support Link capacity adjustment Scheme (LCAS) ? if yes , so its SNMP MIB should contain some objects about links failures and restoration so you can monitor these condition via SNMP Traps .

best regards
--Abo Zaid

On 4/23/08, MKS [EMAIL PROTECTED] wrote:

Hi list

We are getting N times STM-1 connections delivered over GbE (SDH network). Currently we are running MPLS-TE over these GbE for loadbalancing. The problem is that we have seen failures where we lose part of the capacity, e.g. lose 2 STM out of 4, and we are unable to detect this failure, just a flatline when looking at mrtg graphs.

The obvious flaw in this scheme is that QoS basically stops working, since my equipment sends more high priority traffic than is available. One way of solving that is to have QoS also on the SDH GbE.

This kind of failure is something that I would like to detect but don't see how it can be done. I don't know the capabilities of the SDH GbE equipment. Is there a creative network engineer out there that has a solution for this problem?

Regards
MKS
Re: [c-nsp] Redistributing static routes in BGP
Yes Gary

this is a default behavior performed by BGP Scanner process which validates NH reachability and manages BGP advertisements and BGP doesn't advertise routes not exist in RIB

but if u configure a static route with NH as IP instead of interface , even if the interface went down and its connected route removed from RIB , IOS assumes NH IP will still reachable over supernet or default route and so the route still in RIB although it is stale and still advertised in BGP .

but if you need to make BGP process reacts faster to NH reachability , you can deploy NH address tracking feature (which is enabled by default in newer IOS but its timers are tunable)

best regards
--Abo Zaid

On 4/23/08, Tassos Chatzithomaoglou [EMAIL PROTECTED] wrote:

Peter Rathlev wrote on 23/4/2008 8:48 μμ:

(Or convince Cisco to implement BFD for static routes in regular IOS...)

Regards, Peter

Isn't that supported in SRC? Or maybe i misunderstood the regular keyword...

--
Tassos
Re: [c-nsp] Core to access links. Use single etherchannel?
Hi Grant

i think there is no way to do that in software unless u can get Giga Ethernet bundling modules but the other way is to rely on routing protocols instead of L2 features

best regards
--Abo Zaid

On 4/23/08, Grant Moerschel [EMAIL PROTECTED] wrote:

Greetings all.

We have a 6509 core with dual trunked layer 2 access switches connected on gig ports. So we use spanning tree in case one of the core to access connections fails therefore one link is always blocking. I'd like to get some opinions about improving this.

Is it a viable and recommended option to instead portchannel those two gig ports on both sides to both double the bandwidth and eliminate spanning tree issues? If so, on the core switch side should one gig link be on, for example, 4/1 and the other on 5/1 in case a 6509 module fails?

Thanks
Grant P. Moerschel
gm -at- wavegard -dot- com
Re: [c-nsp] EIGRP - modify distribute-list and EIGRP neighbor drops
Dear Rodney

yes that is EIGRP graceful restart feature which is supported since IOS 12.2(15)T . and i believe it is supported in all platforms

Jeff , can u provide us with show ip protocols and show version from your router .

best regards
--Abo Zaid

On 4/22/08, Rodney Dunn [EMAIL PROTECTED] wrote:

resync is one thing, drop is another. In newer code we don't drop but we do resync. ;)

R1_#sh run | section router eigrp
router eigrp 1
 network 0.0.0.0
 auto-summary
R1_#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1_(config)#router ei 1
R1_(config-router)#distribute-list 1 out
R1_(config-router)#exit
R1_(config)#access-list 1 deny 4.0.0.0
R1_(config)#access-list 1 permit 2.2.2.0
R1_(config)#end
R1_#
*Apr 22 13:24:16.184: %SYS-5-CONFIG_I: Configured from console by console
R1_#
*Apr 22 13:24:20.972: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 2.2.2.2(Ethernet1/0) is resync: route configuration changed
R1_#

and on the peer:

*Apr 22 13:24:20.544: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 2.2.2.1(Ethernet1/0) is resync: peer graceful-restart

Rodney

On Tue, Apr 22, 2008 at 07:08:46AM +0200, Ibrahim Abo Zaid wrote:

Hi All

Yes , this is a normal behaviour to EIGRP to resync topology table between neighbors after modifying the redistribute-list

best regards
--Abo Zaid

On 4/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Sadly, it is.

--
Regards, Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]

-- Original message --
From: Jeff Cartier [EMAIL PROTECTED]

Ah nevermind. Looks like its normal behaviour... *sigh*

-Original Message-
From: [EMAIL PROTECTED] on behalf of Jeff Cartier
Sent: Mon 4/21/2008 3:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EIGRP - modify distribute-list and EIGRP neighbor drops

Greetings!

I'm coming into an unfamiliar issue where I'm modifying the distribution list on a Cisco router running EIGRP...I'm creating a vlan management subnet using loopbacks and vlan SVIs; the thing I'm having trouble explaining is when I modify the ACL, which is a standard ACL, to permit the subnets that I want to redistribute, the EIGRP neighbors drop and then re-connect. Why is this?
Re: [c-nsp] Cisco 3550-12G VSI stops routing traffic
Hi Randal

it is really a weird problem but i can suggest 2 causes

1- it might due to VSI interfaces or ARP table limitation problem
2- if you are running PVST , it might be due to PVST instances limitation at this IOS release

but to make it clear lets gather some logs and statistics

1- u mentioned u transferred the affected VLANs to another distribution switch , what is the active number of VLANs on this switch ?
2- as i got from ur description , the switch always drops the traffic of only 2 VLANs randomly . get the output of show vlan and show spanning tree during the problem time
3- u mentioned that the problem solved when u cleared ARP table , can u get show arp | in incomplete to see which entries are incomplete before and after the clearing and which VLAN it belongs to .

i hope to hear from u soon .

best regards
--Abo Zaid

On 4/22/08, randal k [EMAIL PROTECTED] wrote:

Hey guys,

I've run into a ridiculous problem that has me completely stumped.

Network is a standard edge/core/access/distribution network comprised of 7206,6509-sup7203bxls, 3550s3750s, and 3550s/2950s, respectively. Distribution is pure OSPF, with 226 routes currently in area 0, while the cores edges run full mesh bgp. The cores originate defaults for the distribution layer, distribution layer carries all of the customer gateways and communicates those networks to OSPF.

The distribution 3550-12G in question is running c3550-ipservices-mz.122-25.SEB4.bin. It's configured with 22 VSIs, carries all of Area 0 (226 routes), and has 354 mac addresses listed and just shy of 300 arp entries. Average traffic through the switch is approximately 120mbps. Not very loaded.

This switch decided to randomly stop routing traffic to two completely separate VSIs (vlan 602, vlan 149). These two VLANs are attached to the same port downstream access switch, G0/4 and a 2960. The Internet can see the VSI IP addresses without issue, OSPF still advertises the routes without issue, everything is great up to the switch.

Hosts attached to the 3550-12G are able to see their appropriate VSI gateway IP, but cannot see anything past it. Attached hosts are, however, able to see all of the other 21 VSI IP addresses on the switch -- just nothing off of the switch. No traffic is able to pass from off-switch/Internet to affected attached hosts, period.

Resolution was to move the VSI/customer gateway to a different distribution switch. Although the affected/broken 3550-12G is still in the switching path, it does Layer 2 forwarding without issue -- just that those 2 VSIs just stopped forwarding traffic.

So this morning, we lost two more networks, the primary and secondary IP address on a VSI for a completely different customer (vlan 609). On a lark, I clear arp'd and the two networks came back, but two other different VSIs went down (vlan 122, 167)!

The only thing that all of the VSIs have in common is that they are all servicing customers attached to the 3550-12G's port G0/4. As mentioned earlier, there was a 2960 switch attached to G0/4, which has been replaced to no avail. Host configuration on affected VSI makes no difference - swapping in different servers, my laptop, etc, all yield the same problem. However, as of right now, if I plug my laptop into an access switch on g0/7 configured for the same now-broken vlan 167, it works just fine. It's almost as if the VSI's dealing specifically with g0/4 were having problems.

Fearing a broken g0/4 - 2960 trunk, my config has been reduced to 4 lines, no change in service:

!
interface GigabitEthernet0/4
 description down_acc12.fac01.cos
 switchport trunk encapsulation dot1q
 switchport mode trunk
 load-interval 30
!

If I move the VSI Gateway to different distribution switch, it works fine. If I move the access to a different port, it works fine. I have not reloaded the switch yet, as there is some other stuff on there that I don't want to incur 3-4 minutes of downtime on -- but I am fearing that the problem may jump and cause more harm.

Am I dealing with a randomly screwed up g0/4 that's smoking VSIs (how?), a buggy IOS that does this or ???. I've been searching the Internet the world over and would love to hear some ideas and anecdotes.

Thanks for reading my wall of text,
Randal
Re: [c-nsp] Managed internet VPN solution
Thanks Oliver for your interest , you'll find the topology attached

both HQ and Site A connect to the internet through managed internet CE and the customer needs Site B to connect through Site A then managed internet CE , about the PBR point , i plan to configure it under Site B PE interface

i hope that will clarify my whole solution and thanks for your help :)

best regards
--Abo Zaid

On 4/21/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ibrahim Abo Zaid wrote on Sunday, April 20, 2008 10:30 PM:

Hi All

one of my clients has a managed Internet solution with his simple MPLS VPN and Internet access is granted to a selected group of sites including HQ through managed internet router hosted at his ISP but he has a bit weird request as he needs a site to connect to the Internet using Internet connection of other site not directly to provider Internet gateway

I'm not entirely sure I understand the topology. Can you put a diagram somewhere?

i thought about two solution how this solution can be implemented

1-use PBR under this site PE interface and direct the Internet traffic to the other site network using set key *set next-hop recursive* and point to one of the remote site IPs so MPLS labels will do the work and route the traffic to the remote CE and then to the Internet and of course reverse reachability will be maintained .

Where exactly are you planning to apply the PBR route-map? Not sure if this will work on the PE.

2- isolate these two site into a different VRF and set up overlapping VPN between the overall simple VPN and the special managed Internet VPN composed of those 2 sites

sounds like a feasible approach (need to understand the topology better).

any suggestion how this solution can be met will be welcomed :)

If the hub site has the Internet connection, you could also have this site inject a default-route into the VPN so all sites can follow it (and use ACLs or route filters if you want to restrict this access to only certain sites).

oli
Re: [c-nsp] Managed internet VPN solution
Hi Oliver

Site A connects to the Internet through managed Internet CE which acts as Internet GW for all VPN sites but the customer don't want Site B to connect in that way , he need Site B Internet traffic to pass through Site A first then back to Site B , so Site A will be Internet GW for Site A instead of managed CE .

and regarding PBR point , for sure i agree with you that PE has other many routing tasks to take care about so its resources should be directed to major core routing tasks aside of any customers solutions and that will drive us to the 2nd solution of overlapping VPN but is there any IOS feature can be used in this setup ?

Thanks
--Abo Zaid

On 4/21/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Thanks for the addtl. info. How does Site A connect to the Internet? Can't you just replicate whatever you did there and apply it to Site B? I don't know of PBR is a solution, it really depends on the routing setup. Please bear in mind that the PE performs another routing lookup, so PBR on the CE site B alone will likely not help.

oli

Ibrahim Abo Zaid mailto:[EMAIL PROTECTED] wrote on Monday, April 21, 2008 10:09 AM:

Thanks Oliver for your interest , you'll find the topology attached

both HQ and Site A connect to the internet through managed internet CE and the customer needs Site B to connect through Site A then managed internet CE , about the PBR point , i plan to configure it under Site B PE interface

i hope that will clarify my whole solution and thanks for your help :)

best regards
--Abo Zaid

On 4/21/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ibrahim Abo Zaid wrote on Sunday, April 20, 2008 10:30 PM:

Hi All

one of my clients has a managed Internet solution with his simple MPLS VPN and Internet access is granted to a selected group of sites including HQ through managed internet router hosted at his ISP but he has a bit weird request as he needs a site to connect to the Internet using Internet connection of other site not directly to provider Internet gateway

I'm not entirely sure I understand the topology. Can you put a diagram somewhere?

i thought about two solution how this solution can be implemented

1-use PBR under this site PE interface and direct the Internet traffic to the other site network using set key *set next-hop recursive* and point to one of the remote site IPs so MPLS labels will do the work and route the traffic to the remote CE and then to the Internet and of course reverse reachability will be maintained .

Where exactly are you planning to apply the PBR route-map? Not sure if this will work on the PE.

2- isolate these two site into a different VRF and set up overlapping VPN between the overall simple VPN and the special managed Internet VPN composed of those 2 sites

sounds like a feasible approach (need to understand the topology better).

any suggestion how this solution can be met will be welcomed :)

If the hub site has the Internet connection, you could also have this site inject a default-route into the VPN so all sites can follow it (and use ACLs or route filters if you want to restrict this access to only certain sites).

oli
Re: [c-nsp] Private VLAN
Hi Manaf

what do u mean reach global vlan at L3 ? private VLAN provides L2 isolation and L3 should be transparent i mean you can keep hosts ip planning and routing policy should match with the L2 topology after configuring private VLANs .

if you added more info about your problem or solution , it'd be better

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

I want to segregate traffic between some VLANs at layer 2 using private but still can reach the global vlan at layer 3.
Re: [c-nsp] Private VLAN
Dear Manaf

i assume all VLANs on the same switch , i will prepare a configuration template and send it shortly

best luck :)
Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

thank u Abo Zaid for the reply.

what i want to do is to isolate vlans on L2 which they are sharing the same primary VLAN, and at the same time, the hosts on these isolated vlans can reach L3 ip address of the primary VLAN. it is like this

        interface VLAN100
               |
        -VLAN100 (Primary)
               |
        ---------------
        |             |
VLAN200 (isolated)  VLAN300 (isolated)

On Mon, Apr 21, 2008 at 2:58 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Hi Manaf

what do u mean reach global vlan at L3 ? private VLAN provides L2 isolation and L3 should be transparent i mean you can keep hosts ip planning and routing policy should match with the L2 topology after configuring private VLANs .

if you added more info about your problem or solution , it'd be better

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

I want to segregate traffic between some VLANs at layer 2 using private but still can reach the global vlan at layer 3.
Re: [c-nsp] Managed internet VPN solution
Thanks Oliver for your help and detailed reply :)

best luck to you
--Abo Zaid

On 4/21/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Hi Ibrahim,

I would use VPN topology options to address this, not sure if you can use regular hub spoke route-target import/export to address this, but it's worth looking at. An alternative would be a GRE tunnel between Site B and A, but watch for MTU issues (http://www.cisco.com/en/US/ts/fn/610/fn61935.html). I don't know if PBR on the PE would help, I doubt next-hop recursive can be used on the PE (haven't looked at the vrf-aware PBR feature which is relatively new).

oli

Ibrahim Abo Zaid mailto:[EMAIL PROTECTED] wrote on Monday, April 21, 2008 10:46 AM:

Hi Oliver

Site A connects to the Internet through managed Internet CE which acts as Internet GW for all VPN sites but the customer don't want Site B to connect in that way , he need Site B Internet traffic to pass through Site A first then back to Site B , so Site A will be Internet GW for Site A instead of managed CE .

and regarding PBR point , for sure i agree with you that PE has other many routing tasks to take care about so its resources should be directed to major core routing tasks aside of any customers solutions and that will drive us to the 2nd solution of overlapping VPN but is there any IOS feature can be used in this setup ?

Thanks
--Abo Zaid

On 4/21/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Thanks for the addtl. info. How does Site A connect to the Internet? Can't you just replicate whatever you did there and apply it to Site B? I don't know of PBR is a solution, it really depends on the routing setup. Please bear in mind that the PE performs another routing lookup, so PBR on the CE site B alone will likely not help.

oli

Ibrahim Abo Zaid mailto:[EMAIL PROTECTED] wrote on Monday, April 21, 2008 10:09 AM:

Thanks Oliver for your interest , you'll find the topology attached

both HQ and Site A connect to the internet through managed internet CE and the customer needs Site B to connect through Site A then managed internet CE , about the PBR point , i plan to configure it under Site B PE interface

i hope that will clarify my whole solution and thanks for your help :)

best regards
--Abo Zaid

On 4/21/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ibrahim Abo Zaid wrote on Sunday, April 20, 2008 10:30 PM:

Hi All

one of my clients has a managed Internet solution with his simple MPLS VPN and Internet access is granted to a selected group of sites including HQ through managed internet router hosted at his ISP but he has a bit weird request as he needs a site to connect to the Internet using Internet connection of other site not directly to provider Internet gateway

I'm not entirely sure I understand the topology. Can you put a diagram somewhere?

i thought about two solution how this solution can be implemented

1-use PBR under this site PE interface and direct the Internet traffic to the other site network using set key *set next-hop recursive* and point to one of the remote site IPs so MPLS labels will do the work and route the traffic to the remote CE and then to the Internet and of course reverse reachability will be maintained .

Where exactly are you planning to apply the PBR route-map? Not sure if this will work on the PE.

2- isolate these two site into a different VRF and set up overlapping VPN between the overall simple VPN and the special managed Internet VPN composed of those 2 sites

sounds like a feasible approach (need to understand the topology better).

any suggestion how this solution can be met will be welcomed :)

If the hub site has the Internet connection, you could also have this site inject a default-route into the VPN so all sites can follow it (and use ACLs or route filters if you want to restrict this access to only certain sites).

oli
Re: [c-nsp] Private VLAN
Hi Manaf

as you know primary VLAN can have one isolated VLAN only but have multiple community VLANs , so we have 2 options here

1- make VLANs 200 and 300 isolated VLANs and create other primary VLAN say 110 so VLAN 200 has VLAN 100 as primary VLAN and VLAN 300 has VLAN 110 as primary
2- make either VLAN 200 or 300 isolated and the other community and both have the VLAN 100 as primary VLAN

which one you will choose

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

yes they are on the same switch thanks a lot

On Mon, Apr 21, 2008 at 3:54 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Dear Manaf

i assume all VLANs on the same switch , i will prepare a configuration template and send it shortly

best luck :)
Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

thank u Abo Zaid for the reply.

what i want to do is to isolate vlans on L2 which they are sharing the same primary VLAN, and at the same time, the hosts on these isolated vlans can reach L3 ip address of the primary VLAN. it is like this

        interface VLAN100
               |
        -VLAN100 (Primary)
               |
        ---------------
        |             |
VLAN200 (isolated)  VLAN300 (isolated)

On Mon, Apr 21, 2008 at 2:58 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Hi Manaf

what do u mean reach global vlan at L3 ? private VLAN provides L2 isolation and L3 should be transparent i mean you can keep hosts ip planning and routing policy should match with the L2 topology after configuring private VLANs .

if you added more info about your problem or solution , it'd be better

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

I want to segregate traffic between some VLANs at layer 2 using private but still can reach the global vlan at layer 3.
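The Layer 2 rules behind the options in the message above (promiscuous, isolated and community ports, and the single isolated VLAN allowed per primary), modelled as an added example that is not from the thread. VLANs 100, 200 and 300 are the posters' values; the host and gateway port names are hypothetical.

```python
"""Layer-2 reachability inside one private-VLAN domain (added illustration)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int] = None  # secondary VLAN id, None for promiscuous


class PvlanDomain:
    """One primary VLAN with its associated secondary VLANs and ports."""

    def __init__(self, primary: int):
        self.primary = primary
        self.secondaries = {}  # secondary VLAN id -> ISOLATED | COMMUNITY
        self.ports = {}        # port name -> Port

    def add_secondary(self, vlan: int, kind: str) -> None:
        if kind not in (ISOLATED, COMMUNITY):
            raise ValueError(f"unknown secondary VLAN type: {kind}")
        if vlan == self.primary or vlan in self.secondaries:
            raise ValueError(f"VLAN {vlan} is already used in this domain")
        # Constraint quoted in the thread: one isolated VLAN per primary VLAN.
        if kind == ISOLATED and ISOLATED in self.secondaries.values():
            raise ValueError(
                f"primary VLAN {self.primary} already has an isolated VLAN")
        self.secondaries[vlan] = kind

    def add_promiscuous(self, name: str) -> None:
        self.ports[name] = Port(name, PROMISCUOUS)

    def add_host(self, name: str, vlan: int) -> None:
        if vlan not in self.secondaries:
            raise ValueError(
                f"VLAN {vlan} is not associated with primary {self.primary}")
        self.ports[name] = Port(name, self.secondaries[vlan], vlan)

    def can_talk(self, a: str, b: str) -> bool:
        """True if frames may pass directly between the two ports at Layer 2."""
        pa, pb = self.ports[a], self.ports[b]
        if PROMISCUOUS in (pa.role, pb.role):
            return True                       # promiscuous reaches every port
        if pa.role == COMMUNITY and pb.role == COMMUNITY:
            return pa.secondary == pb.secondary  # same community only
        return False                          # isolated to any host port

    def blocked_pairs(self):
        """Sorted list of port pairs that cannot exchange frames directly."""
        return sorted(tuple(sorted(pair))
                      for pair in combinations(self.ports, 2)
                      if not self.can_talk(*pair))


def build_option2() -> PvlanDomain:
    """Option 2 from the thread: VLAN 200 isolated, VLAN 300 community."""
    domain = PvlanDomain(primary=100)
    domain.add_secondary(200, ISOLATED)
    domain.add_secondary(300, COMMUNITY)
    domain.add_promiscuous("gw-vlan100")  # hypothetical: stands in for the VLAN 100 gateway
    for name, vlan in [("h200a", 200), ("h200b", 200),
                       ("h300a", 300), ("h300b", 300)]:  # hypothetical hosts
        domain.add_host(name, vlan)
    return domain


def second_isolated_rejected() -> bool:
    """Making a second VLAN isolated under the same primary must fail."""
    domain = build_option2()
    try:
        domain.add_secondary(210, ISOLATED)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d = build_option2()
    for a, b in d.blocked_pairs():
        print(f"blocked at L2: {a} <-> {b}")
    print("second isolated VLAN rejected:", second_isolated_rejected())
```

The model covers direct Layer 2 forwarding only; traffic that is routed back through the gateway is outside it.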
Re: [c-nsp] Private VLAN
if the number of hosts is great , assigning a pair of private primary and isolated vlan to each host will be unscalable at all so it would be better to configure single primary VLAN serves a group of community VLANs (each for each host) and not more than 1 host is placed in each community VLAN .

otherwise if you can group some hosts with matched communications requirements into a single community VLAN , it would be better

i think this is the most feasible solution from my opinion , do you need the configuration of this setup?

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

Hi Abo Zaid,

I will choose option 2 because i want to separate hosts on layer 2 for multiple VLANs but at the same time they should have the same network and same gateway if it is possible. it would be great if you can advice me with another scenario.

Regards, Manaf

On Mon, Apr 21, 2008 at 4:37 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Hi Manaf

as you know primary VLAN can have one isolated VLAN only but have multiple community VLANs , so we have 2 options here

1- make VLANs 200 and 300 isolated VLANs and create other primary VLAN say 110 so VLAN 200 has VLAN 100 as primary VLAN and VLAN 300 has VLAN 110 as primary
2- make either VLAN 200 or 300 isolated and the other community and both have the VLAN 100 as primary VLAN

which one you will choose

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

yes they are on the same switch thanks a lot

On Mon, Apr 21, 2008 at 3:54 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Dear Manaf

i assume all VLANs on the same switch , i will prepare a configuration template and send it shortly

best luck :)
Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

thank u Abo Zaid for the reply.

what i want to do is to isolate vlans on L2 which they are sharing the same primary VLAN, and at the same time, the hosts on these isolated vlans can reach L3 ip address of the primary VLAN. it is like this

        interface VLAN100
               |
        -VLAN100 (Primary)
               |
        ---------------
        |             |
VLAN200 (isolated)  VLAN300 (isolated)

On Mon, Apr 21, 2008 at 2:58 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Hi Manaf

what do u mean reach global vlan at L3 ? private VLAN provides L2 isolation and L3 should be transparent i mean you can keep hosts ip planning and routing policy should match with the L2 topology after configuring private VLANs .

if you added more info about your problem or solution , it'd be better

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

I want to segregate traffic between some VLANs at layer 2 using private but still can reach the global vlan at layer 3.
Re: [c-nsp] Private VLAN
Hi Manaf and Pedro currenly i am preparing the configuration and will feed you shortly best regards --Abo Zaid On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote: would you please send me the configuration in brief thank you On Mon, Apr 21, 2008 at 5:03 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote: if the number of hosts is great , assigning a pair of private primary and isolated vlan to each host will be unscalable at all so it would be better to configure single primary VLAN serves a group of community VLANs (each for each host) and not more than 1 host is placed in each community VLAN . otherwise if you can group some hosts with matched communications requirements into a single community VLAN , it would be better i think this is the most feasible solution from my opinion , do you need the configuration of this setup? best regards --Abo Zaid On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote: Hi Abo Zaid, I will choose option 2 because i want to separate hosts on layer 2 for multiple VLANs but at the same time they should have the same network and same gateway if it is possible. it would be great if you can advice me with another scenario. 
Regards, Manaf On Mon, Apr 21, 2008 at 4:37 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote: Hi Manaf as you know primary VLAN can have one isolated VLAN only but have multiple community VLANs , so we have 2 options here 1- make VLANs 200 and 300 isolated VLANs and create other primary VLAN say 110 so VLAN 200 has VLAN 100 as primary VLAN and VLAN 300 has VLAN 110 as primary 2- make either VLAN 200 or 300 isolated and the other community and both have the VLAN 100 as primary VLAN which one you will choose best regards --Abo Zaid On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote: yes they are on the same switch thanks a lot On Mon, Apr 21, 2008 at 3:54 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote: Dear Manaf i assume all VLANs on the same switch , i will prepare a configuration template and send it shortly best luck :) Abo Zaid On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote: thank u Abo Zaid for the reply. what i want to do is to isolate vlans on L2 which they are sharing the same primary VLAN, and at the same time, the hosts on these isolated vlans can reach L3 ip address of the primary VLAN. it is like this interface VLAN100 | -VLAN100 (Primary) | - | | VLAN200 (isolated) VLAN300 (isolated) On Mon, Apr 21, 2008 at 2:58 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote: Hi Manaf what do u mean reach global vlan at L3 ? private VLAN provides L2 isolation and L3 should be transparent i mean you can keep hosts ip planning and routing policy should match with the L2 topolgy after configuring private VLANs . if you added more info about your problem or solution , it'd be better best regards --Abo Zaid On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote: I want to segregate traffic between some VLANs at layer 2 using private but still can reach the global vlan at layer 3. 
Re: [c-nsp] Private VLAN
Hi All,

Below is a template of the configuration that can be used in this solution.

Configuration guidance:
vlan 100 - primary VLAN
secondary VLAN range, say from 200 - 210 - 220 and so on

1- Set VTP mode to transparent mode
    vtp mode transparent
2- Create primary VLAN
    vlan 100
     private-vlan primary
3- Configure as many community VLANs as the hosts number
    vlan 200
     private-vlan community
    vlan 210
     private-vlan community
4- Secondary VLAN association with primary VLAN
    vlan 100
     private-vlan association 200 (start community vlan) - xxx (end community vlan)
5- Mapping community VLANs to the primary VLAN SVI so all hosts can use the same gateway
    interface vlan 100
     private-vlan mapping add 200-xxx (end community vlan)
6- Interfaces configuration
 a- primary vlan configuration
    int fa or giga x/x
     switchport mode private-vlan promiscuous
     switchport private-vlan mapping 100 add 200-xxx
 b- associating host ports to community vlans (for community vlan 200) -- no more than a single interface should be placed in each community VLAN
    int fa x/x or giga x/x
     switchport mode private-vlan host
     switchport private-vlan host-association 100 200

For any more details about this template, kindly feed me back.

best regards
--Abo Zaid

On 4/21/08, Pedro Matusse [EMAIL PROTECTED] wrote:

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ibrahim Abo Zaid
Sent: Monday, April 21, 2008 4:13 PM
To: Manaf Oqlah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Private VLAN

Hi Manaf and Pedro,

Currently I am preparing the configuration and will feed you shortly.

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

Would you please send me the configuration in brief? Thank you.

On Mon, Apr 21, 2008 at 5:03 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

If the number of hosts is great, assigning a pair of private primary and isolated VLANs to each host will be unscalable at all, so it would be better to configure a single primary VLAN that serves a group of community VLANs (each for
each host), with not more than 1 host placed in each community VLAN. Otherwise, if you can group some hosts with matched communication requirements into a single community VLAN, it would be better. I think this is the most feasible solution in my opinion. Do you need the configuration of this setup?

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

Hi Abo Zaid,

I will choose option 2 because I want to separate hosts on layer 2 for multiple VLANs, but at the same time they should have the same network and same gateway if it is possible. It would be great if you can advise me with another scenario.

Regards,
Manaf

On Mon, Apr 21, 2008 at 4:37 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Hi Manaf,

As you know, a primary VLAN can have one isolated VLAN only but can have multiple community VLANs, so we have 2 options here:

1- Make VLANs 200 and 300 isolated VLANs and create another primary VLAN, say 110, so VLAN 200 has VLAN 100 as primary VLAN and VLAN 300 has VLAN 110 as primary.
2- Make either VLAN 200 or 300 isolated and the other community, and both have VLAN 100 as primary VLAN.

Which one will you choose?

best regards
--Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

Yes, they are on the same switch. Thanks a lot.

On Mon, Apr 21, 2008 at 3:54 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Dear Manaf,

I assume all VLANs are on the same switch. I will prepare a configuration template and send it shortly.

best luck :)
Abo Zaid

On 4/21/08, Manaf Oqlah [EMAIL PROTECTED] wrote:

Thank you Abo Zaid for the reply. What I want to do is to isolate VLANs on L2 which are sharing the same primary VLAN, and at the same time, the hosts on these isolated VLANs can reach the L3 IP address of the primary VLAN. It is like this:

            interface VLAN100
                    |
            VLAN100 (Primary)
                    |
          ---------------------
          |                   |
  VLAN200 (isolated)   VLAN300 (isolated)

On Mon, Apr 21, 2008 at 2:58 PM, Ibrahim Abo Zaid [EMAIL PROTECTED] wrote:

Hi Manaf,

What do you mean by reach global VLAN at L3?
Private VLAN provides L2 isolation and L3 should be transparent. I mean you can keep the hosts' IP planning, and routing policy should match with the L2 topology after configuring private
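The layer-2 behaviour the Private VLAN thread above relies on, as an added example that is not part of any post: a small Python model of private-VLAN forwarding rules (promiscuous, isolated and community ports) that checks a design for host-to-host leaks and for the one-isolated-VLAN-per-primary constraint mentioned in the thread. All port names and the helper functions are constructed for illustration; the VLAN numbers are the ones used in the thread.

```python
"""Added example: model of private-VLAN layer-2 forwarding rules (constructed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    primary: int          # primary VLAN the port belongs to
    kind: str             # "promiscuous", "isolated" or "community"
    secondary: int = 0    # secondary VLAN id (0 for promiscuous ports)

def l2_allowed(a: Port, b: Port) -> bool:
    """True if frames may pass between a and b inside one private VLAN domain."""
    if a.primary != b.primary:
        return False                       # different primary VLANs never bridge
    if "promiscuous" in (a.kind, b.kind):
        return True                        # gateway side reaches every secondary
    if a.kind == b.kind == "community":
        return a.secondary == b.secondary  # only within the same community VLAN
    return False                           # isolated ports reach promiscuous only

def validate(ports):
    """Flag primaries that were given more than one isolated VLAN."""
    isolated = {}
    for p in ports:
        if p.kind == "isolated":
            isolated.setdefault(p.primary, set()).add(p.secondary)
    return [f"primary {pri}: more than one isolated VLAN {sorted(v)}"
            for pri, v in sorted(isolated.items()) if len(v) > 1]

def isolation_report(hosts, gateway):
    """Host pairs that can still talk at L2, and hosts cut off from the gateway."""
    leaks = [(a.name, b.name) for i, a in enumerate(hosts)
             for b in hosts[i + 1:] if l2_allowed(a, b)]
    unreachable = [h.name for h in hosts if not l2_allowed(h, gateway)]
    return leaks, unreachable

# Constructed ports: VLAN 100 primary, one host per community VLAN (200, 210),
# a second host wrongly placed in community VLAN 200, two hosts in isolated 300.
GW = Port("gateway", 100, "promiscuous")
H200 = Port("host-200", 100, "community", 200)
H200B = Port("host-200b", 100, "community", 200)
H210 = Port("host-210", 100, "community", 210)
ISO_A = Port("iso-a", 100, "isolated", 300)
ISO_B = Port("iso-b", 100, "isolated", 300)

if __name__ == "__main__":
    print(isolation_report([H200, H210, ISO_A, ISO_B], GW))  # no leaks expected
    print(isolation_report([H200, H200B, H210], GW))         # one leak expected
```

Placing a second host in a community VLAN shows up as a leak pair, which is why the template keeps one interface per community VLAN.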
Re: [c-nsp] Route reflectors, BGP router redundancy et. Al.
Hi Chris,

To complete this general discussion, I believe the other thing you need to do is to determine and configure your BGP peering policy: main/backup ISP, routes advertised to each peer, received routes. I believe the link below can be useful:

http://www.cisco.com/warp/public/459/hsrp_bgp.html

But as Jay said, a network topology will be better.

best regards
--Abo Zaid

On 4/22/08, Jay Hennigan [EMAIL PROTECTED] wrote:

Dracul wrote:

Hi All, I'm building a design that involves having a 2nd BGP router to act as a backup if something goes wrong with the main router (heaven forbid). I have two peers to different ISP's. There are some questions I have in mind:

a. Should my configuration involve route reflectors?

No, not with just two routers.

b. Do I need interconnectivity between the 2 routers? ethernet or serial?

Yes. If in the same building, ethernet makes more sense.

c. Where would the two ISP links attach? Router A or B?

For best redundancy, one to each. IBGP between them, HSRP/VRRP towards the LAN.

Note that the above is very generic, much more information is needed to come up with a sensible design.

--
Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED]
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] EIGRP - modify distribute-list and EIGRP neighbor drops
Hi All,

Yes, this is normal behaviour for EIGRP, to resync the topology table between neighbors after modifying the redistribute-list.

best regards
--Abo Zaid

On 4/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Sadly, it is.

--
Regards,
Jason Plank
CCIE #16560
e: [EMAIL PROTECTED]

-- Original message --
From: Jeff Cartier [EMAIL PROTECTED]

Ah nevermind. Looks like it's normal behaviour... *sigh*

-Original Message-
From: [EMAIL PROTECTED] on behalf of Jeff Cartier
Sent: Mon 4/21/2008 3:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] EIGRP - modify distribute-list and EIGRP neighbor drops

Greetings!

I've come into an unfamiliar issue where I'm modifying the distribution list on a Cisco router running EIGRP... I'm creating a vlan management subnet using loopbacks and vlan SVIs; the thing I'm having trouble explaining is when I modify the ACL, which is a standard ACL, to permit the subnets that I want to redistribute, the EIGRP neighbors drop and then re-connect. Why is this?
[c-nsp] Managed internet VPN solution
Hi All,

One of my clients has a managed Internet solution with his simple MPLS VPN, and Internet access is granted to a selected group of sites including HQ through a managed Internet router hosted at his ISP. But he has a bit of a weird request, as he needs a site to connect to the Internet using the Internet connection of another site, not directly to the provider Internet gateway.

I thought about two solutions for how this can be implemented:

1- Use PBR under this site's PE interface and direct the Internet traffic to the other site's network using set key *set next-hop recursive*, pointing to one of the remote site IPs, so MPLS labels will do the work and route the traffic to the remote CE and then to the Internet, and of course reverse reachability will be maintained.

2- Isolate these two sites into a different VRF and set up an overlapping VPN between the overall simple VPN and the special managed Internet VPN composed of those 2 sites.

Any suggestion how this solution can be met will be welcomed :)

best regards
--Abo Zaid
Re: [c-nsp] 7200vxr-npe400/512mb - how much BGP?
I agree with Justin. Currently it seems you don't have any memory problem, but you need to worry about the box CPU, especially as BGP isn't the only active process here. You need to monitor processor utilization closely, and if you face sporadic peaks you can use the show process cpu sorted command to catch the process eating the resource and isolate the peak trigger: is it the BGP Scanner or the IP Input process, etc. Finally, in such cases there are some processes that appear as the *reason* behind high CPU but actually those are *results* of other causes, so these problems need accurate investigation. Always check IOS caveats, as sometimes processing problems result from coding caveats.

On 4/13/08, Justin M. Streiner [EMAIL PROTECTED] wrote:

On Mon, 14 Apr 2008, Skeeve Stevens wrote:

Just how much BGP should a 7200vxr-NPE400 with 512MB of RAM be able to handle. The router currently says Total: 466497056, Used: 200153224, Free: 266343832. When should I start worrying about how big the tables are growing and so on?

512 MB is the minimum I'd consider using for a router that will be carrying full BGP feeds, but in this case, the limiting factor might not be memory availability, but rather the CPU, since everything in the 7200 series is done in software. Do you notice your CPU usage spiking periodically (around once a minute), and is a large chunk of the CPU tied up in the BGP Scanner process?

If you have a tool for graphing and trending stuff like that over time (MRTG, Cricket, many others), you may want to set up something to monitor that CPU utilization, paying attention to both the 5 second and 5 minute CPU utilization values in the MIBs. The 5 second value will help you catch transient spikes that get washed out of the 5-minute average values. The output ends up more closely resembling the output of show proc cpu hist. When the utilization starts regularly getting close to 100%, it's time to think about an upgrade.
I wouldn't worry so much about one or two errant spikes, but when things regularly get that high, it could manifest itself in the form of increased latency in getting traffic through the box, or if things get bad enough, the router starts missing BGP update messages or similar messages for your IGP, and sessions/adjacencies can start dropping, which only makes the CPU thrashing problem worse.

jms