Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll never use it?
I mean a lot of it is discovery based on what you may know, people leak, etc.

https://www.ebay.com/itm/334605205968?hash=item4de80641d0:g:2mcAAOSwgSFihATj=enc%3AAQAHoFS6a5FMPKMFewpCgtU23dVU0SQFQ%2BDr46sAaS19QJn2vSCgqcG%2BN6yyHrRh0IDsAGIeG7Dz2twn%2FdTtCy7a%2BKayr837Q5G6DtQ5wSecZpCxQE45s8vx7CBvrackFH%2FNJqIMimw%2Bci2v57%2BNMEjpVOJMRs4Ne5BPUtExJ416nVmYslj8lFgmXbkQ9S9vCmfU0wOapWkgN5BzWJx4FXnOw5k%3D%7Ctkp%3ABk9SR8LdvomxYQ

Is an item that (for example) I can tell you I’ve seen vendors license their software to run on. There’s software that you can run on top of SONIC etc as well to get features you might want/need as well.

Keep in mind the sw + hw devs for new products do need to be fed and the vendors often have hybrid ways to collect the monies, free hardware but pay in opex (support, RMA etc) or buy for higher price but get support free.

That discovery process takes awhile, but if you have volume and options to go elsewhere it may be possible to determine it.

- Jared

> On Jan 6, 2023, at 9:15 AM, Drew Weaver via cisco-nsp wrote:
>
> Also is there any way to figure out what this stuff should cost?
>
> The resellers could just be trying to take way too much out of us. I'm not sure and I have no idea how to find out.
>
> Thanks,
> -Drew
>
>
> -Original Message-
> From: cisco-nsp On Behalf Of Drew Weaver via cisco-nsp
> Sent: Friday, January 6, 2023 9:02 AM
> To: 'Paul' ; 'Gert Doering'
> Cc: 'cisco-nsp@puck.nether.net'
> Subject: Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll never use it?
>
> If the price of the hardware wasn't already juiced beyond belief then maybe it would make sense but ... yeah I am just going to have to find another vendor.
>
> Thanks,
> -Drew
>
>
> -Original Message-
> From: Paul
> Sent: Thursday, January 5, 2023 3:58 PM
> To: Gert Doering ; Drew Weaver
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll never use it?
>
> I'm with you on that one, licensing kills any interest in it for us too.
> Goes for a large number of cisco products now, where before was only limited to a few.
>
> It's sad because I love cisco switches and routers, but it's a huge deterrent now with the forced licensing and support
>
> On 1/4/2023 10:50 AM, Gert Doering via cisco-nsp wrote:
>> Hi,
>>
>> On Wed, Jan 04, 2023 at 03:45:51PM +, Drew Weaver via cisco-nsp wrote:
>>> I'm trying to put together an order for some Cisco switches.
>> Cisco licensing shit has made us decide that we're just not going to buy any new Cisco products. Period.
>>
>> Yes, these really look nice, and the base price is quite attractive (guess why)...
>>
>> gert
>
> --
> GloboTech Communications
> Phone: 1-514-907-0050 x 215
> Toll Free: 1-(888)-GTCOMM1
> Fax: 1-(514)-907-0750
> p...@gtcomm.net
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.gtcomm.net=DwICaQ=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw=PRv3_-qOOhUOMZsFnCFG4uVQnPsgYPCtQl0BB_XxHpg=bzG0UW9Xxt9sq-f4YcJ6dZGUuBUNSpiDYCfDTxTZeAY=

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
I’ll say this in public (now) - Changing the security posture on the VTYs is a great reason to not use this product at the moment.

I’ve seen many people not monitor their devices for these types of changes, and this is a great case to study. Time for some retraining of people.

- Jared

> On Aug 26, 2019, at 9:07 AM, Aaron wrote:
>
> Any unexpected config change should be an automatic tac case.
> Totally unexpected. Reminds me of the days when swapping a flash card on a gsr could crash it.
> This is a new one.
>
> On Monday, August 26, 2019, Gert Doering wrote:
>
>> Hi,
>>
>> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
>>
>> We have an ASR920 that grew an unexpected config change upon insertion of a DAC cable into port ten0/0/12, and "unexpected config change" always triggers an investigation here (who, why, what). One part of it was somewhat related
>>
>>   interface TenGigabitEthernet0/0/12
>>   description ...
>>   no ip address
>> + negotiation auto
>>   service instance 200 ethernet
>>
>> ... but the other part was more interesting
>>
>>   line vty 0 4
>>   access-class 9 in
>> - exec-timeout 240 0
>>   ipv6 access-class VTY-v6 in
>> - transport input telnet ssh
>> + transport preferred none
>> + transport input none
>> + transport output none
>>   escape-character 3
>>
>> "uh, what?". So we investigated and found a few log messages about that script...
>>
>> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED: F0: iomd: transceiver module inserted in TenGigabitEthernet0/0/12
>>
>> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE: TenGigabitEthernet0/0/12: MODE_1G
>> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED: F0: iomd: Transceiver module removed from TenGigabitEthernet0/0/12
>> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
>> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted to user ; Trace file: , /harddisk/tracelogs/system_shell_R0-0.2264_0.20190820134619.bin
>> Aug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl: DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to start re-configuring
>> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
>>
>>
>> ... and 441 (!!) lines in the tacacs command accounting log, which mostly looked like "it replayed the whole config, line by line"... until it hit the vty section, which then got messed up...
>>
>> Aug 20 13:47:08 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2166 timezone=CEST service=shell start_time=1566301628 priv-lvl=15 cmd=configure terminal
>> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2167 timezone=CEST service=shell start_time=1566301629 priv-lvl=15 cmd=line vty 0 4
>> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2168 timezone=CEST service=shell start_time=1566301629 priv-lvl=15 cmd=no login authentication
>> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2169 timezone=CEST service=shell start_time=1566301629 priv-lvl=15 cmd=no authorization exec
>> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2170 timezone=CEST service=shell start_time=1566301629 priv-lvl=15 cmd=no authorization commands 15
>>
>> Aug 20 13:47:10 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2171 timezone=CEST service=shell start_time=1566301630 priv-lvl=15 cmd=no transport preferred
>> ...
>> Aug 20 13:47:10 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2174 timezone=CEST service=shell start_time=1566301630 priv-lvl=15 cmd=no exec-timeout
>> Aug 20 13:47:11 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl stop task_id=2175 timezone=CEST service=shell start_time=1566301631 priv-lvl=1 cmd=no length
>> Aug 20 13:47:11 router unknown tty2 EEM:Mandatory.dualrate_eem.tcl stop task_id=2177 timezone=CEST service=shell start_time=1566301631 priv-lvl=15 cmd=write memory
>>
>>
>> shall I state that I find this a somewhat surprising behaviour?
>>
>> Haven't opened a TAC case yet (no time) but hopefully someone
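The monitoring gap raised in this thread can be closed with a check over the TACACS+ command accounting that Gert quotes. The following is an added example, not part of the original messages or of any Cisco tooling: it assumes whitespace-separated accounting fields in the order seen in the quoted records, and the `alice` session, the `SENSITIVE` list and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Field order assumed from the accounting records quoted in the thread:
# timestamp, NAS, user, port, origin, record type, attribute=value pairs.
RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<nas>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<origin>\S+)\s+(?:start|stop)\s+.*?\bcmd=(?P<cmd>.*)$"
)
# "no" forms of these line-mode commands strip an access control from the VTYs.
SENSITIVE = ("login authentication", "authorization", "accounting",
             "exec-timeout", "access-class", "ipv6 access-class",
             "transport input")
SAVE_CMDS = ("write memory", "copy running-config startup-config")


@dataclass(frozen=True)
class Finding:
    ts: str
    nas: str
    origin: str
    cmd: str
    automated: bool  # True when the change was made by an EEM policy


def parse(line):
    """Return the fields of one accounting record, or None if it does not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Some TACACS+ daemons log a trailing " <cr>" after the command.
    rec["cmd"] = re.sub(r"\s*<cr>$", "", rec["cmd"]).strip()
    return rec


def audit(lines):
    """Track config mode per (NAS, tty) and flag controls removed under 'line vty'."""
    mode = {}          # (nas, port) -> "config" or "vty"; approximate mode tracking
    findings = []
    persisted = set()  # NAS names where a flagged change was later saved
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key, cmd = (rec["nas"], rec["port"]), rec["cmd"]
        if cmd == "configure terminal":
            mode[key] = "config"
        elif cmd == "end" or (cmd == "exit" and mode.get(key) != "vty"):
            mode.pop(key, None)
        elif cmd == "exit":
            mode[key] = "config"
        elif key in mode and cmd.startswith("line vty"):
            mode[key] = "vty"
        elif key in mode and cmd.startswith(("interface ", "router ", "line ")):
            mode[key] = "config"
        elif mode.get(key) == "vty" and cmd.startswith("no "):
            if cmd[3:].startswith(SENSITIVE):
                findings.append(Finding(rec["ts"], rec["nas"], rec["origin"], cmd,
                                        rec["origin"].startswith("EEM:")))
        elif cmd in SAVE_CMDS and any(f.nas == rec["nas"] for f in findings):
            persisted.add(rec["nas"])
    return findings, persisted


_EEM = "EEM:Mandatory.dualrate_eem.tcl stop"
_TAIL = "timezone=CEST service=shell"
# Constructed sample: the EEM commands are the ones quoted in the thread,
# the "alice" session is invented to show a change that is not flagged.
SAMPLE = [
    f"Aug 20 13:47:08 router unknown tty3 {_EEM} task_id=2166 {_TAIL} start_time=1566301628 priv-lvl=15 cmd=configure terminal",
    f"Aug 20 13:47:09 router unknown tty3 {_EEM} task_id=2167 {_TAIL} start_time=1566301629 priv-lvl=15 cmd=line vty 0 4",
    f"Aug 20 13:47:09 router unknown tty3 {_EEM} task_id=2168 {_TAIL} start_time=1566301629 priv-lvl=15 cmd=no login authentication",
    f"Aug 20 13:47:09 router unknown tty3 {_EEM} task_id=2169 {_TAIL} start_time=1566301629 priv-lvl=15 cmd=no authorization exec",
    f"Aug 20 13:47:09 router unknown tty3 {_EEM} task_id=2170 {_TAIL} start_time=1566301629 priv-lvl=15 cmd=no authorization commands 15",
    f"Aug 20 13:47:10 router unknown tty3 {_EEM} task_id=2171 {_TAIL} start_time=1566301630 priv-lvl=15 cmd=no transport preferred",
    f"Aug 20 13:47:10 router unknown tty3 {_EEM} task_id=2174 {_TAIL} start_time=1566301630 priv-lvl=15 cmd=no exec-timeout",
    f"Aug 20 13:47:11 router unknown tty3 {_EEM} task_id=2175 {_TAIL} start_time=1566301631 priv-lvl=1 cmd=no length",
    f"Aug 20 13:47:11 router unknown tty2 {_EEM} task_id=2177 {_TAIL} start_time=1566301631 priv-lvl=15 cmd=write memory",
    f"Aug 20 14:02:11 router alice tty4 192.0.2.10 stop task_id=2201 {_TAIL} start_time=1566302531 priv-lvl=15 cmd=configure terminal <cr>",
    f"Aug 20 14:02:15 router alice tty4 192.0.2.10 stop task_id=2202 {_TAIL} start_time=1566302535 priv-lvl=15 cmd=line vty 0 4 <cr>",
    f"Aug 20 14:02:20 router alice tty4 192.0.2.10 stop task_id=2203 {_TAIL} start_time=1566302540 priv-lvl=15 cmd=exec-timeout 10 0 <cr>",
    f"Aug 20 14:02:22 router alice tty4 192.0.2.10 stop task_id=2204 {_TAIL} start_time=1566302542 priv-lvl=15 cmd=end <cr>",
]

if __name__ == "__main__":
    found, saved = audit(SAMPLE)
    for f in found:
        who = "EEM policy" if f.automated else "interactive user"
        print(f"{f.ts} {f.nas}: VTY control removed by {who} {f.origin}: {f.cmd}")
    print("saved to startup-config on:", sorted(saved))
```

The mode tracking is deliberately approximate; a record that removes AAA, an ACL or the idle timeout under `line vty` and is then followed by a save is the pattern worth alerting on.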
Re: [c-nsp] ASR9900 - Copy files from USB key
> On Jun 2, 2019, at 3:50 AM, James Bensley wrote:
>
>
> I recently upgraded from eXR 6.5.2 to 6.5.3 and pushed the files using SCP to the router from a jump box, which was on the same LAN as the management interface on the RSP. It was copying at 100Mbps (the speed of the OOB switch) so I think in eXR these issues are more or less fixed.

I don’t believe you have enough data to conclude that. When copying data from longer distances away (eg: global network with centralized file server/images) I previously saw bad behavior, but when the latency was low it worked well. This is what led me down the path to determine what was going on with the XR TCP stack.

I suggest capturing a PCAP and figuring out if it’s doing SACK or window scaling with appropriate sized buffers. Even from bash/run on eXR you may also want to check this out.

This led to an effort to internally anycast resources as it was a problem that was easier solved that way as Cisco was afraid to fix the TCP stack, and got even more worried when we saw issues with their SACK implementation and reported the details. (It was doing an ACK of the wrong number of bytes, which caused drama with super strict stateful firewalls that tried to be too smart for their own good).

Also beware TCP disconnects as they don’t do TCP keepalives by default so any session that drops in the middle of a transfer would cause it to act like a file transfer is ongoing even though TCP was dead.

- Jared
Re: [c-nsp] ASR9900 - Copy files from USB key
> On May 20, 2019, at 11:03 PM, Erik Sundberg wrote:
>
> Little follow up.
>
> On a ASR9906 6.3.3 (32bit) the usb key comes up as usb: but on 6.3.3 (64-bit) it's disk2:
>
>
> Copying the 6.3.3 migration files from a USB Key was 182 seconds, with HTTP it was around 1 hour. (1.3 G File)
> Doing a install add source 6.5.3 64-bit from a USB Key was 15 minutes and using http was an 1 1/2 hours. (1.5 G File)
>
> So sourcing files from a USB key are 4x times... Which is to be expected.
>
> The bandwidth to the HTTP server is 100M and <30msec latency, but the circuit was never maxed. For some reason copying from a HTTP server is just super slow…
>

Do you have selective-ack enabled? Try these and see if your TCP is better:

tcp selective-ack
tcp window-size 65535

We had issues with this in the past at my prior employer and these options solved much of it. I’m trying to recall if we ever got the window scaling stuff fixed but I forget. I think their TCP stack didn’t do window scaling if you tcpdump it. It might be different in eXR.

- Jared
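Both ASR9900 messages above suggest checking a capture for SACK and window scaling. The following is an added example, not code from the thread or from Cisco: it parses the options of the two handshake headers and derives the throughput ceiling the negotiated window allows at a given round-trip time. The header bytes are constructed for illustration rather than captured from any router, the 30 ms RTT is the latency figure from Erik's message, and all function names are hypothetical.

```python
import struct


def parse_syn_options(tcp_header: bytes) -> dict:
    """Extract MSS, window-scale shift and SACK-permitted from a SYN or SYN-ACK."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags, window = struct.unpack("!HH", tcp_header[12:16])
    header_len = (offset_flags >> 12) * 4
    if not offset_flags & 0x0002:
        raise ValueError("not a SYN: these options are only negotiated in the handshake")
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    result = {"window": window, "mss": None, "wscale": None, "sack_permitted": False}
    opts = tcp_header[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            result["wscale"] = min(body[0], 14)   # RFC 7323 limits the shift to 14
        elif kind == 4 and length == 2:
            result["sack_permitted"] = True
        i += length
    return result


def download_ceiling(syn: bytes, synack: bytes, rtt_seconds: float) -> dict:
    """Ceiling on the rate at which the SYN sender can receive data.

    Window scaling and SACK are only in effect when both sides offered them.
    """
    client, server = parse_syn_options(syn), parse_syn_options(synack)
    scaling = client["wscale"] is not None and server["wscale"] is not None
    shift = client["wscale"] if scaling else 0
    max_window = 65535 << shift       # largest window the receiver can advertise
    return {
        "sack": client["sack_permitted"] and server["sack_permitted"],
        "window_scaling": scaling,
        "max_window_bytes": max_window,
        "ceiling_bps": round(max_window * 8 / rtt_seconds),
    }


# Constructed headers (not captures). Ports 50000 -> 80.
# SYN offering only MSS 1460: no window scaling, no SACK.
SYN_MSS_ONLY = bytes.fromhex("c3500050" "00000001" "00000000" "6002ffff"
                             "00000000" "020405b4")
# SYN offering MSS 1460, window scale 7 and SACK-permitted.
SYN_FULL = bytes.fromhex("c3500050" "00000001" "00000000" "8002ffff"
                         "00000000" "020405b4" "01030307" "01010402")
# SYN-ACK from the server offering MSS 1460, window scale 7 and SACK-permitted.
SYNACK_FULL = bytes.fromhex("0050c350" "0000000a" "00000002" "8012ffff"
                            "00000000" "020405b4" "01030307" "01010402")

if __name__ == "__main__":
    for name, syn in (("MSS only", SYN_MSS_ONLY), ("scaling + SACK", SYN_FULL)):
        r = download_ceiling(syn, SYNACK_FULL, 0.030)
        print(f"{name}: sack={r['sack']} scaling={r['window_scaling']} "
              f"ceiling={r['ceiling_bps'] / 1e6:.1f} Mbit/s at 30 ms")
```

Without window scaling a 65535-byte window caps a 30 ms path at roughly 17.5 Mbit/s regardless of link speed, which is why the check matters for transfers from distant servers and much less on a local LAN.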
Re: [c-nsp] Internet speed
Host your own. Here’s a good one:

https://github.com/adolfintel/speedtest

Jared Mauch

> On Aug 12, 2018, at 7:00 AM, ring...@mail.com wrote:
>
> Hi everyone,
>
> I wanted to ask how do you guys handle the customer complains about slow Internet speed? Today almost everyone takes the measurement from speedtest.net and reports that as the speed they're getting.
>
> As far as how speedtest works is that is uses multiple TCP connections which is not real measurement as opposed to Iperf for example.
>
> It also selects a public server which is outside of your AS thus taking into consideration the busy international links which are outside of your administration and as a result for a 30Mbps package the measure shows 15 for example.
>
> Do you ask customers to select the local server when doing speedtests? Would like to know how do you treat those cases, any special tool or measurement?
>
> Thanks,
> Ton
Re: [c-nsp] Outdoor switch
> On Oct 19, 2017, at 1:54 PM, Charles Sprickman <sp...@bway.net> wrote:
>
>>
>> On Oct 19, 2017, at 1:49 PM, Jared Mauch <ja...@puck.nether.net> wrote:
>>
>> Take a look at the UBNT Edgepoint gear as well. Fairly cool, comes in 10G/1G speed varieties with both routed and switched options.
>
> Just be very careful with fencing UBNT gear off from anything malicious, it’s swiss cheese.

UBNT you save on capital costs and sometimes trade in operational costs. This can cut in a few different ways if you’re not monitoring or automating tasks.

- jared
Re: [c-nsp] Outdoor switch
Take a look at the UBNT Edgepoint gear as well. Fairly cool, comes in 10G/1G speed varieties with both routed and switched options.

I have one lying around that I need to poke at sooner rather than later..

- Jared

> On Oct 19, 2017, at 1:26 PM, Christina Klam <ck...@ias.edu> wrote:
>
> Buz and Jared,
>
> I will take a look.
>
> I realized in my initial list of requirements, I missed a key one, POE. Do you have any experience with https://www.microsemi.com/products/poe-systems/pds-104go-4-1-outdoor-switch ? My google-foo found them.
>
> Thanks,
> Christina
>
> - Original Message -
> From: "Harold 'Buz' Dale" <buz.d...@usg.edu>
> To: "Jared Mauch" <ja...@puck.nether.net>, "C. Klam" <ck...@ias.edu>
> Cc: cisco-nsp@puck.nether.net
> Sent: Thursday, October 19, 2017 12:11:00 PM
> Subject: Re: [c-nsp] Outdoor switch
>
> Might also look at https://www.balticnetworks.com/mikrotik-routerboard-rb-260gs-complete-with-enclosure-and-power-supply-fiber-enabled.html
>
> I’ve had good luck with Mikrotik in the past but they are very different from IOS devices.
>
> Buz
>
> On 10/19/17, 12:03 PM, "cisco-nsp on behalf of Jared Mauch" <cisco-nsp-boun...@puck.nether.net on behalf of ja...@puck.nether.net> wrote:
>
> If you just need one port, there is this box that works quite well:
>
> https://www.balticnetworks.com/mikrotik-fiber-to-copper-converter.html
>
> It does not have an integrated splice tray though.
>
> - Jared
>
>> On Oct 19, 2017, at 12:00 PM, Christina Klam <ck...@ias.edu> wrote:
>>
>> All,
>>
>> I am hoping for some ideas. We are running fiber to an outdoor pole (for cameras and wireless access-points) and need a switch that can be configured remotely, does 802.1q, Qos, and has 3 - 5 ports. We are in the MidAtlantic so the temperatures range from well below freezing to 100 deg F.
>>
>> What do people use in these situations?
>>
>> Thank you,
>> Christina
Re: [c-nsp] Outdoor switch
If you just need one port, there is this box that works quite well:

https://www.balticnetworks.com/mikrotik-fiber-to-copper-converter.html

It does not have an integrated splice tray though.

- Jared

> On Oct 19, 2017, at 12:00 PM, Christina Klam wrote:
>
> All,
>
> I am hoping for some ideas. We are running fiber to an outdoor pole (for cameras and wireless access-points) and need a switch that can be configured remotely, does 802.1q, Qos, and has 3 - 5 ports. We are in the MidAtlantic so the temperatures range from well below freezing to 100 deg F.
>
> What do people use in these situations?
>
> Thank you,
> Christina
Re: [c-nsp] WS-X6716-10GE in a 7600
I’ve found if you go a few rounds with Cisco they will blame 3rd party, then realize their driver is buggy and fix.

Or you have a bad card :-)

I’d opt for the latter, but the former does occur at times.

- Jared

> On Sep 6, 2017, at 7:57 PM, Bryan Holloway wrote:
>
> I should add that these are genuine Cisco optics, and they work in other modules within the same chassis.
>
>
> On 9/6/17 6:07 PM, Bryan Holloway wrote:
>> Anyone have any experience using a WS-X6716-10GE-3C in a 7600 chassis?
>> The docs indicate that support was added in IOS 15.2(2)S ... we're running 15.5(3)S1.
>> Card boots fine, diagnostics pass, and interfaces appear in the config.
>> However, known working X2 GBICs we install show up as "Unknown", and the "sh int transceiver" output shows very odd values (e.g., -18.1 Celsius temperature (!) and 2231.8 mA (!) of current.)
>> Curious if anyone has used this module in that chassis successfully.
>> Should we just assume we have a bum card?
>> Thank you,
>> - bryan
Re: [c-nsp] Broadband Aggregation/Termination
What’s helpful is rolling v6 while doing nat on V4. Reduces your state on v4 and avoids issues like the google captcha problem that heavy NAT environments encounter.

- Jared

> On Apr 19, 2017, at 5:47 PM, CBL wrote:
>
> Any problems with Google saying there are too many requests from your IP?
>
> Do you log all your NAT translations for future subpoena requests?
>
> On Wed, Apr 19, 2017 at 1:15 PM, Aaron Gould wrote:
>
>> Juniper MX104 with MS-MIC-16G
>>
>> I lab tested Cisco ASR9000 with VSM-500 service module also
>>
>> In the end, we liked what we saw with the Juniper solution more
>>
>> It’s sweet, ~7,000 dsl customers behind a /24 ! I rarely/never touch those nat nodes… they purr along. Per node, they run low cpuload and carry over 100,000 translations at peak time and about ~2 gbps of traffic
>>
>> -Aaron
Re: [c-nsp] ASR9000 SFP/XFP Input Error troubleshooting
On Tue, Apr 04, 2017 at 10:44:52AM -0400, Curtis Piehler wrote:
> Thank you Jean but I am looking for more stats on Input Errors which is different than Total Drops. None of these Input Errors seems to be service affecting so I'm wondering where they are from.

I second the NP direction of research.

Also, what type of optics, etc are involved? There may be additional diagnostic data you can extract from the XFPs to determine what is going on based on the INF-8077 type data in the EEPROM.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
[c-nsp] administrative inquiry
Greetings,

Do people still want to receive PSIRT notices here? This has long been Cisco's policy to send to the list, but they are changing that.

I can subscribe the list to their list, I'm not a big fan of doing that type of meta-list activity as that may break some spam filtering technologies.

I see this as an inelegant change on the part of Cisco, but ultimately we have little control of this.

Thoughts? Please honor reply-to and send your requests to me directly.

Thanks,

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Which one is the stable version of Cisco IOS XR?
Nothing inherently wrong with 6.x aside from it's still Cisco. You likely want 5.3.4 if you have any trident based linecards.

Jared Mauch

> On Mar 9, 2017, at 5:23 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>
>
>> On 9/Mar/17 00:54, Ted Johansson wrote:
>>
>> 5.3.4 is the Extended Maintenance Release (EMR) and there is also a Service Pack SP1 available, so that would be my recommendation.
>
> I'd stay very far away from 6, unless you're my competitor, of course :-)...
>
> Mark.
Re: [c-nsp] BGP Route Reflector Case
> On Feb 23, 2017, at 4:37 AM, Pierre Emeriaud wrote:
>
> 2017-02-23 5:49 GMT+01:00 Curtis Piehler :
>> Local market route reflectors do solve the issue of sub-optimal routing from a local market perspective.
>
>
> There is another solution to that. Use Add-path (https://tools.ietf.org/html/rfc7911) and Optimal route reflexion (https://tools.ietf.org/html/draft-ietf-idr-bgp-optimal-route-reflection-13) on the central RR.
>
> Each peer group with an IGP reference (to compute a "local spf") can replace a local RR. We're using it with IS-IS, not sure about ospf support.

I would urge some caution here depending on what number of routes you are doing this with, keep a close eye on the 32-bit boundaries of BGP on XR. While your RP may have >4G of memory, the level where BGP will choke upon itself is much lower.

Additionally you need to know to restart the BPM process vs the BGP process when this happens as it will not automatically recover. Few people know about the BPM process and the role it plays.

- jared
Re: [c-nsp] Tabo Topic? Third party Maintenance
On Mon, Jan 23, 2017 at 02:28:37PM -0500, Shawn L wrote:
> I guess it all depends on what you utilize support for. We tend to have in-house spares, etc. that we can swap in in the event of a failure. But, there are times when you need to talk to someone at TAC to get the bottom of an issue.

These types of issues if not solved by the obligatory upgrade to the latest software are the big value of direct vendor support. If you're doing vanilla IP routing features (and I do mean that, anything that says MPLS/VPN/VRF, etc.. are not vanilla) you should be fine.

If you have anything more complex, don't expect it to be easy. They presume you're doing it wrong, and you must be open to that as a concept. Remember the KISS principle.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Tabo Topic? Third party Maintenance
On Mon, Jan 23, 2017 at 05:16:01PM +, Rick Martin wrote:
>
> I am under pressure to consider third party maintenance providers for our significant Cisco inventory, and I am quite leery of such an arrangement. I suppose third party maintenance may be OK for products that we have plenty of spare inventory for such as customer edge routers or switches but the bigger core, aggregation or data center devices that provide critical services I have great concern. Our normal policy is to keep OEM maintenance in the following order;
>
> 1. Critical Devices which includes core routing, aggregation devices, data center hardware and larger building routers - 24X7X4 hour RMA (Smartnet Premium)
> 2. Customer edge devices - 8X5XNBD (Smartnet)
>
> That methodology applies to Cisco and Juniper hardware.
>
> So my question is - do any of you that have larger enterprise or service provider networks currently utilize third party (Non OEM) maintenance contracts? If so what has been your experience with them? Or do you stick strictly to OEM maintenance?

If you purchase your own spares, you can often make do with a return to factory model of parts replacement. They will return you a new/refurbished part about 10 days after receipt of the failed one.

Much of this depends on the commonality of the parts, any logistics you or a partner may have in providing that yourself.

Of course this depends on the ability to triage yourself. I've generally not had any issues with a vendor when we say it failed, we swapped with spare, here's the serial.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] 2 port 100 gig module - ASR9000
I would slide it in. If it doesn't work load 5.3.4. It will perform the best it can under those circumstances.

Jared Mauch

> On Jan 5, 2017, at 6:08 PM, Aaron <aar...@gvtc.com> wrote:
>
> What I'm trying to figure out is how to put this (2) port 100 gig module into my existing asr9k chassis *with as little changes as possible*
>
> Thanks for all the recommendations, but I really just want to know the bare minimum I *must* do to slide the module into the chassis and have it function.
>
> I have ASR9006 with A9K-RSP-4G
>
> -Aaron
Re: [c-nsp] 2 port 100 gig module - ASR9000
What RSP do you have? If it’s the older one, you will want to upgrade to use the card at full rate. If you are only expecting under 50% utilization you will likely be fine, but upgrading to RSP880 is recommended. Otherwise you may want to talk about a trade-in for the 55xx devices.

If you’re buying it refurb/used and don’t expect to do run both ports > 40-50% you’ll be fine. There are a number of other minor technical limits, eg: small numbers of 10G flows may congest the fabric based on hashing.

This means you may want to look at some chassis, fan, power or other upgrades.

- Jared

> On Jan 5, 2017, at 5:38 PM, Aaron <aar...@gvtc.com> wrote:
>
> Thanks Adam, you lost me with that. Please elaborate.
>
> -Aaron
>
> -Original Message-
> From: adamv0...@netconsultings.com [mailto:adamv0...@netconsultings.com]
> Sent: Thursday, January 5, 2017 4:18 PM
> To: 'Aaron' <aar...@gvtc.com>; 'Tom Hill' <t...@ninjabadger.net>; cisco-nsp@puck.nether.net; 'Jared Mauch' <ja...@puck.nether.net>
> Subject: RE: [c-nsp] 2 port 100 gig module - ASR9000
>
> I think cisco does these backwards compatible but it has only 80Gbps worth of fabric connections per slot so you'll may be able to get max ~160 if you disable the redundancy mode.
>
>
> netconsultings.com
> ::carrier-class solutions for the telecommunications industry::
>
>> -Original Message-
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron
>> Sent: Thursday, January 05, 2017 9:55 PM
>> To: 'Tom Hill'; cisco-nsp@puck.nether.net; 'Jared Mauch'
>> Subject: Re: [c-nsp] 2 port 100 gig module - ASR9000
>>
>> Thanks Tom and Jared,
>>
>> Copied from the cisco website.
>>
>> "The Cisco ASR 9000 Series 2-Port 100 Gigabit Ethernet Line Cards are fully compatible with all Cisco ASR 9000 Series chassis, route switch processors (RSPs), and line cards. No hardware upgrade to the chassis or cooling system is required."
>>
>> ..fully compatible with all rsp's.. that would seem like all rsp's meaning all. from 4g up to 880 or whatever the newest is. Just want to make sure this is true that this (2) port 100 gig module will work with A9K-RSP-4G
>>
>> -Aaron
Re: [c-nsp] 2 port 100 gig module - ASR9000
I would not run anything earlier than 5.3.4 these days personally.

These are fine cards and work well.

- jared

> On Jan 5, 2017, at 3:54 PM, Aaron wrote:
>
> Is anyone using this or familiar with it ?
>
> If so, please let me know what the minimum RSP and IOS XR versions required for both of these cards. I read below that they are fully compatible with all Cisco ASR9000 chassis, rsp's and linecards, and no upgrades required to chassis or cooling system.
>
> Cisco ASR 9000 2-Port 100GE Service Edge Optimized Line Card, Requires CFP optics
>
> A9K-2X100GE-SE
>
> Cisco ASR 9000 2-Port 100GE Packet Transport Optimized Line Card, Requires CFP optics
>
> A9K-2X100GE-TR
>
> http://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/datasheet_C78-662709.html
>
> - Aaron
Re: [c-nsp] Rec for full-table multi-peer bgp router?
> On Dec 5, 2016, at 2:46 PM, Raphael Mazelier wrote:
>
> Very interesting.
>
> 7280SR look perfect for us. (if the price is OK; I will call my local Arista representative).
>
> We are another content AS and we push 150gps approx in peak.
> We plan to upgrade from our current routers to something with a lower TCO by port (which is our currently limiting factor).
>
> We do need full view in RIB as we target only 5/6 ASes for 99% of our traffic, so we are not concerned by the RIB size.
>
> So do you recommended them ? or another model from Arista ?
> What kind of bug did you encounter or discover ? are the platform enough stable for using them in production without any action ? (we are a really small team, and we have no to time to spend in the network side, unfortunately).

Be mindful of how you do your control plane filtering and testing on such a device. Many people forget about this until you are on the wrong-side of a three digit (in gigabits) attack pointed at a link-ip address. Some devices handle it well, others poorly.

- Jared
Re: [c-nsp] SFP DOM SNMP Polling?
> On Nov 22, 2016, at 9:32 AM, Tim Durack wrote:
>
> I have a vendor that does not support SFP DOM SNMP polling. They state this is due to EEPROM read life cycle. Constant reads will damage the SFP.
>
> We SNMP poll SFP DOM from Cisco equipment without issue.
>
> Not heard this one before. Trying to see if there is some validity to the statement. Thoughts?

It’s entirely possible some people implement it poorly and the read cycles count. With 100k cycles somewhat typical for those bytes, it’s certainly something that could be seen if polling every 5 minutes in 347 days, but I think that’s a datapoint that most SFPs are warranted for much longer than 347 days.

As the DDM data is stored not at 0x50 but at 0x51/0x52 in optics this is more likely done with a micro controller presenting the ram backed data via reads to/from those specific bytes.

- Jared
Re: [c-nsp] Router memory problem
On Thu, Oct 27, 2016 at 05:37:35PM +, Justin Krejci wrote:
> What is wrong with distribute-lists?

You should be using a prefix-list, as it was designed for this type of function. distribute-lists (and a bunch of other IOS crutches) should go away as part of the legacy.

If you see examples on the internet using them or access-lists to do route filtering, please don't copy those examples.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] 3rd party dwdm 80km optics in asr 9001
On Wed, Sep 28, 2016 at 11:38:55AM +, Adam Vitkovsky wrote:
> > Gustav Ulander
> > Sent: Wednesday, September 28, 2016 12:09 PM
> >
> > Yepp
> > We actually got an error that says unsupported transceiver so that's why we are going to try a different supplier.
> >
> Can you ask your supplier to code the transceiver to be supported by your box, then you shouldn't even need the below?
>
> I presume you have tried these commands already:
> Interface:
> "transceiver permit pid all"
> Or
> global (hidden):
> "service unsupported-transceiver"

BTW, Cisco has indicated to me you may need both as the global command doesn't unlock certain code paths because bad developers. The 9K team thinks they're a unique snowflake so deserve to set 2 bars vs the single global bar.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] ASR 9000 Upgrade Expectations
We see around 1 hour of traffic loss due to upgrade times before adding in FPD and others, which can extend to more like 3 hours.

There were improvements that went in 533+ which should improve your experience. I haven't checked if 602 hit CCO but you may want to look at that, or wait for 534.

Jared Mauch

> On Jul 13, 2016, at 6:31 AM, Nick Griffin <nick.jon.grif...@gmail.com> wrote:
>
> Hello, looking for some details in regards to an ASR9000 code upgrade. Currently running software version 5.1.1 with the following packages:
>
> Committed Packages:
>
> disk0:asr9k-mini-px-5.1.1
> disk0:asr9k-k9sec-px-5.1.1
> disk0:asr9k-mpls-px-5.1.1
> disk0:asr9k-mgbl-px-5.1.1
> disk0:asr9k-optic-px-5.1.1
> disk0:asr9k-fpd-px-5.1.1
> disk0:asr9k-li-px-5.1.1
>
> Installed are RSP-440TR's. We are currently looking to upgrade to version 5.3.3, or perhaps another version if one is recommended, looking for input here as well, in addition to an estimate as to how long this process is expected to take, along with perceived customer impact. If further details are necessary please let me know. I've referenced the following documentation for installation instructions. If there is something better or any best practices not covered, please feel free to advise!
>
> http://www.cisco.com/web/Cisco_IOS_XR_Software/pdf/ASR9K_Upgrade_Downgrade_Procedure_IOSXR_Rel_533.pdf
>
> Thanks in advance!
Re: [c-nsp] BGP blackhole community config
> On Jun 20, 2016, at 1:38 PM, Satish Patel wrote:
>
> I have tried that too and got this error.
>
> R1(config-router)#neighbor xx.xx.xx.xx route-map RTBH out
> % "RTBH" used as BGP outbound route-map, tag match not supported
> % not supported match will behave as route-map with no match
> R1(config-router)#

Tags are specific to Cisco, you should be using a community instead.

You can use something like redistribute static against a route-map that matches the tag and marks your (local) discard community. This is what I recommend you do.

- Jared
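The approach recommended in the reply above, written out as an IOS configuration. This is an added example, not configuration from the thread: the AS numbers, addresses, every name other than RTBH, and both community values are constructed placeholders.

```cisco
! Added example. AS numbers, addresses, names and community values are
! constructed placeholders (documentation ranges), not from the thread.
ip bgp-community new-format
!
! Own aggregate, normally announced to the upstream.
ip prefix-list OUR-AGGREGATES seq 5 permit 203.0.113.0/24
ip route 203.0.113.0 255.255.255.0 Null0
!
! Trigger: a tagged static route to Null0 for the address under attack.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! The tag is matched at redistribution, where tag matching is supported,
! and the route is marked with a local discard community.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 64500:666
!
ip community-list standard LOCAL-DISCARD permit 64500:666
!
! The outbound policy matches the community instead of the tag.
! 64511:666 stands for whatever blackhole community the upstream documents.
route-map RTBH permit 10
 match community LOCAL-DISCARD
 set community 64511:666
route-map RTBH permit 20
 match ip address prefix-list OUR-AGGREGATES
!
router bgp 64500
 network 203.0.113.0 mask 255.255.255.0
 redistribute static route-map STATIC-TO-BGP
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map RTBH out
```

Removing the tagged static route withdraws the /32 and ends the blackhole; untagged statics are not redistributed because STATIC-TO-BGP has no other permit clause.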
Re: [c-nsp] BGP blackhole community config
> On Jun 19, 2016, at 10:07 PM, Satish Patel wrote:
>
> I have added "ip bgp-community new-format" in global config, but i don't have following command in my ASR1006 router
>
> neighbor xx.xx.xx.xx remote-as 200 send-community
>
> so i have added
>
> neighbor xx.xx.xx.xx send-community
>

Did you clear the BGP session after adding that? It negotiates at the initial OPEN.

- Jared
Re: [c-nsp] netflow real AS instead of uplink provider?
I would consider upgrading to at least 5.3.1 + SMUs or 6.0.1. I seem to recall a number of issues back in the 4.3.x images. 4.3.1 is quite crusty. If you need to stay in 4.3.x perhaps 4.3.4. I would avoid 5.3.3. - Jared > On Jun 15, 2016, at 9:09 AM, Nemeth Laszlowrote: > > Hello > > Yes, it is in my BGP session. > > Laszlo > > 2016-06-15 15:04 időpontban Christian Kildau ezt írta: > >> Do you have "bgp attribute-download" under router bgp ? >> >> Best regards, >> Chris >> >> On Wed, Jun 15, 2016 at 2:57 PM, Nemeth Laszlo wrote: >> >>> Hello >>> >>> I tried to get the source or destianton AS of a flow from our ASR9001 >>> (iosxr 4.3.1) router. >>> >>> But i got this: >>> >>> RP/0/RSP0/CPU0:asr0#sh flow monitor netflow-monitor cache location 0/0/CPU >>> >>> IPV4SrcAddr IPV4DstAddr L4SrcPort L4DestPort BGPDstPeerAS >>> BGPSrcPeerAS BGPNextHopV4 IPV4DstPrfxLen IPV4SrcPrfxLen IPV4Prot >>> IPV4TOS InputInterface OutputInterface L4TCPFlags ForwardStatus >>> FirstSwitched LastSwitchedByteCountPacketCount Dir SamplerID >>> >>> 12.76.231.21 15.24.11.13 25 43473 01234 >>> 0.0.0.0 32 18 tcp 0x40 >>> Te0/0/2/1 BE100.79A|R| Fwd 43 >>> 07:23:34:199 43 07:23:34:199 40 1Ing 1 >>> >>> So in every flow DstPeerAs or SrcPeerAS is 1234 (my uplink provider) or 0 >>> not the real source AS where the package coming from. Because of it the >>> nfdump (flow collector) doesn't get any info about the real AS of the >>> destination or source. I would like to receive it because i have to >>> generate OurAS<->OtherAS traffic graphs. >>> >>> Of course i use the "bgp attribute-download" in the BGP section but it >>> doesn't help. >>> >>> Any ideas? 
>>> >>> Thanks >>> Laszlo >>> ___ >>> cisco-nsp mailing list cisco-nsp@puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] A9K Netflow export drops
We have had no more severe issues than prior releases. Make sure you load the IPv6 PSIRT SMU of course.

Jared Mauch

> On Jun 14, 2016, at 7:44 AM, Robert Williams <rob...@custodiandc.com> wrote:
>
> have you had any significant issues on 6.0.1?
Re: [c-nsp] A9K Netflow export drops
> On Jun 14, 2016, at 8:32 AM, Robert Williams wrote:
>
> Hi Chris,
>
> Thanks for this, we’ve not considered 6.0.1 yet, mainly due to it being relatively new and I’m not aware currently of anyone running it in production on a 90xx, so slightly apprehensive :)

We are running 6.0.1 in production.

> I wonder if there will be a patch for 5.3.3 to stop the drops?...

There is a 5.3.4 release that is forthcoming, but unless you have some of the older hardware that is not supported in 6.x, you should be looking at 6.0.1 instead.

- Jared
Re: [c-nsp] ASR9010 end of life?
If you are buying new look at the 9910.

Jared Mauch

> On May 17, 2016, at 4:16 PM, Satish Patel <satish@gmail.com> wrote:
>
> So we are good with those parts or i need to worry?
>
>> On Tue, May 17, 2016 at 3:27 PM, Jeremy Bresley <b...@brezworks.com> wrote:
>> Current ASR9K EOL notices are listed at:
>> http://www.cisco.com/c/en/us/products/routers/asr-9000-series-aggregation-services-routers/eos-eol-notice-listing.html
>>
>> The chassis/power/fans you have listed are fine, the RSP440 is a current generation RSP, the first generation RSPs were announced for EOL early last year, and will be LDoS in 2020. The Mod80 and MPAs have not been announced for EOL.
>>
>> Jeremy
>>
>>> On 5/17/16 15:00, Satish Patel wrote:
>>>
>>> I was looking some specs and found ASR9010 is end of life? Should it be good to buy it?
>>>
>>> I planning buying following pre-owned hardware. Should i be worry?
>>>
>>> Cisco ASR-9010-AC Cisco ASR 9010 Chassis -
>>> Cisco A9K-3KW-AC Cisco 3KW AC Power Module 3
>>> Cisco ASR-9010-FAN CISCO ASR-9010-FAN Fan 2
>>> Cisco A9k-RSP440-TR Cisco ASR 9000 Seriese
>>> Cisco A9K-MOD80-TR Cisco Mod80 Modular Line 1 Optimized
>>> Cisco A9K-MPA-4X10GE
[c-nsp] testing
please ignore.

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] ASR9k Bundle QoS in 6.0.1
> On May 12, 2016, at 1:58 PM, Saku Ytti wrote:
>
> On 12 May 2016 at 17:42, Mark Tinka wrote:
>
> Hey,
>
>> Has not worked out for us.
>>
>> Elephant flows (particularly of a non-IP nature) cannot be solved with Juniper's adaptive load balancing. I spent a year working on this...
>
> I've not used it, curious to hear why it does not work? Of course if you don't have any entropy, then there is nothing you can do, if there is just single fat flow which needs more than single member has capacity, no flows, no flow balancing. What should work, is if in addition to fat flows you have others.

My understanding is this is common in mobile backhaul where the traffic is all encapsulated, or in site-to-site VPN configs where there is no port data to balance traffic with.

- Jared
Re: [c-nsp] IOS-XR 5.3.3 add Yang Models
> On May 11, 2016, at 12:06 PM, quinn snyder <snyd...@gmail.com> wrote:
>
>> On May 11, 2016, at 08:43, Jared Mauch <ja...@puck.nether.net> wrote:
>>
>> FYI: you may want to look at 6.0.1 which was just (re)-posted to CCO as well. For us it fixes a number of critical issues which are not in the 5.3.3 EMR.
>
> +1 for 6.0.1. working with it in the lab now using both nso as well as some home grown apps.
> the support is much larger and the github posted earlier has a lot of solid models to build from.

make sure you got the “May 10th” version vs the one last week that was deferred and won’t be supported.

- Jared
Re: [c-nsp] IOS-XR 5.3.3 add Yang Models
FYI: you may want to look at 6.0.1 which was just (re)-posted to CCO as well. For us it fixes a number of critical issues which are not in the 5.3.3 EMR.

- Jared

> On May 11, 2016, at 6:24 AM, Christian Kildau wrote:
>
> Hi cisco-nsp,
>
> we're currently experimenting with netconf/yang on IOS-XR 5.3.3 (asr9k). The out of the box supported yang models are somewhat limited. E.g. there is no model that supports editing ACLs.
>
> I have found https://github.com/YangModels/yang which lists lots of yang models, but have not yet found a way to upload these models via $searchengine.
>
> Anyone experienced with netconf/yang that can shed some light on this?
>
> Best regards,
> Chris
Re: [c-nsp] ASR1004 Used
When you say fiber, do you mean ethernet or any STM-4/STM-1 type interfaces?

I would seriously look at something like the Arista 7150 or similar. I’m not sure what other features you need, but a 24 port 10GE router/switch combo can be had for cheap on eBay:

http://www.ebay.com/itm/Arista-DCS-7124S-24-Port-10-Gigabit-Ethernet-Managed-Switch-/141984188598?hash=item210eeac8b6:g:wHwAAOSw3mpXH528

- Jared

> On May 8, 2016, at 2:02 PM, Satish Patel <satish@gmail.com> wrote:
>
> I need all fiber interface with 20G ingress and 20G egress.
>
> On Sun, May 8, 2016 at 1:36 PM, Jared Mauch <ja...@puck.nether.net> wrote:
>> If you purchase via enterprise channel you will get those prices. Are you doing only Ethernet?
>>
>> If so check someone like Arista or Brocade.
>>
>> Jared Mauch
>>
>>> On May 8, 2016, at 1:20 PM, Satish Patel <satish@gmail.com> wrote:
>>>
>>> Seriously?
>>>
>>> I check with CDW and price was around double with 40G throughput. Are you guys sure new ASR 1004 cost same?
>>>
>>> --
>>> Sent from my iPhone
>>>
>>>> On May 8, 2016, at 6:58 AM, Jared Mauch <ja...@puck.nether.net> wrote:
>>>>
>>>> You can buy nice new routers for less than that. Hopefully you don't need TDM interfaces.
>>>>
>>>> Jared Mauch
>>>>
>>>>> On May 5, 2016, at 2:41 PM, Satish Patel <satish@gmail.com> wrote:
>>>>>
>>>>> Need your input or suggestion, I have check with one of company and they sales *used Cisco equipments so i have asked for ASR1004 and its around $30k so question is what would be the disadvantage or buying used equipments?
Re: [c-nsp] ASR1004 Used
If you purchase via enterprise channel you will get those prices. Are you doing only Ethernet?

If so check someone like Arista or Brocade.

Jared Mauch

> On May 8, 2016, at 1:20 PM, Satish Patel <satish@gmail.com> wrote:
>
> Seriously?
>
> I check with CDW and price was around double with 40G throughput. Are you guys sure new ASR 1004 cost same?
>
> --
> Sent from my iPhone
>
>> On May 8, 2016, at 6:58 AM, Jared Mauch <ja...@puck.nether.net> wrote:
>>
>> You can buy nice new routers for less than that. Hopefully you don't need TDM interfaces.
>>
>> Jared Mauch
>>
>>> On May 5, 2016, at 2:41 PM, Satish Patel <satish@gmail.com> wrote:
>>>
>>> Need your input or suggestion, I have check with one of company and they sales *used Cisco equipments so i have asked for ASR1004 and its around $30k so question is what would be the disadvantage or buying used equipments?
Re: [c-nsp] ASR1004 Used
You can buy nice new routers for less than that. Hopefully you don't need TDM interfaces.

Jared Mauch

> On May 5, 2016, at 2:41 PM, Satish Patel <satish@gmail.com> wrote:
>
> Need your input or suggestion, I have check with one of company and they sales *used Cisco equipments so i have asked for ASR1004 and its around $30k so question is what would be the disadvantage or buying used equipments?
Re: [c-nsp] ASR9K Upgrade
On Sun, Mar 13, 2016 at 02:10:58PM +, Nick Hilliard wrote:
> Mohammad Khalil wrote:
> > admin install add tftp://x.x.x.x/asr9k-mini-px.pie-5.3.2 synchronous
>
> if you can, you should use ftp instead of tftp for XR upgrades. It's much faster.

I asked Cisco to remove TFTP support for this reason. You should make sure you do all the right things to make TCP faster, including selective-ack amongst other options.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Tail-f / NCS
You need the culture of automation before an automation tool makes sense.

Cut and paste only takes you so far, notepad, vim, pico and others as well.

Parameterized templates are the better path to be on. XR and JunOS support commit replace type operations, as do others like Arista.

Building your culture must come first, so it outlives the one or two people who make it, as many a provider have failed to remember how to do things, or use the tools of their predecessors.

Here's a link to emphasize my point :-)

http://www.dreamstime.com/stock-photo-wrong-tool-diy-using-project-can-do-more-damages-here-someone-using-wrench-to-drive-nail-image58686199

Jared Mauch

> On Mar 12, 2016, at 3:03 PM, CiscoNSP List <cisconsp_l...@hotmail.com> wrote:
>
> Hi Guys - Have some of our "sales" team at Cisco Live atm, and they are raving about Tail-f / NCS and how we need to purchase it, and it will improve our provisioning efficiency by a whopping 90% (lol)...anyway, just after some "real world" feedback on this product...anyone tried it/using it...or is it way too early to be even considering these types of automation/orchestration products...Im very sceptical about handing provisioning control over to "another" software platform...
>
> notepad might be slow, but at least I know what commands are being issued on our switches and routers :)
>
> Cheers
Re: [c-nsp] DWDM Passive or Active Multiplexing
https://ripe67.ripe.net/presentations/131-ripe2-2.pdf

Jared Mauch

On Mar 11, 2016, at 5:32 AM, Lukas Tribus <luky...@hotmail.com> wrote:

>> We are running dwdm with just splitters and amplifiers at 100 GE with no issues.
>
> You run multiple 100GE circuits over (semi) passive DWDM, how does that work?
>
> Do you have 100GE DWDM transceivers on different DWDM wavelengths?
>
> Thanks,
>
> Lukas
Re: [c-nsp] DWDM Passive or Active Multiplexing
If you are only doing 10g there are a lot of inexpensive solutions in this space for the distances you mentioned.

Jared Mauch

On Mar 9, 2016, at 4:55 PM, Lukas Tribus <luky...@hotmail.com> wrote:

>> Hi Tim, thanks for your great info! Appreciate it.
>>
>> Hey Bill, thanks for your offline email and confirming that the passive DWDM should work in our environment. All great info!!
>>
>> Our ring is east and westbound within 30km and in between, we currently have like 6 drops active and looking to add another 4 drops on it. Yeah, I know when we add site, it will loses some dB, but I guess we should be fine.
>> I am going back to Cisco SE and his technical team and have a debate about Passive vs Active again. Since they are forcing me to go with Active solution only.
>
> I would suggest you talk to some other vendor as well, specifically a vendor who cares about passive solutions.
>
> I may be wrong, but my impression is that Cisco is EOL'ing the entire *passive* CWDM and DWDM gear. When's the last time Cisco shipped a new *passive* CWDM or DWDM product?
>
> It is probably in their commercial interest to promote their active gear.
>
> Careful with vendors advice.
>
> Lukas
Re: [c-nsp] NCS-5001 - MPLS L3VPN Issue
> On Mar 9, 2016, at 3:27 PM, Tom Hill wrote:
>
> On 08/03/16 09:27, James Bensley wrote:
>> This issue didn't show up in lab testing and we haven't been able to replicate it (nor have TAC). It seems to be something about the ordering of patching and that was the point I wanted to highlight but poorly eluded to.
>>
>> A fresh 4.3.4 install then add SP10 and it "just works". This box was 4.3.4 default, then some SMUs, then SP6 and then SP10 (each upgrade was suggested by TAC because of a different issue occurring over the lifecycle of the box).
>
> Presumably to "prove" this (or rather, to add any evidence at all) it's wipe & reinstall time for the affected 9001?
>
> I'm not trying to get your back up here - I'm more concerned about FUD vs. actual, operational experience. XR is not perfect, but this doesn't appear to be a problem affecting anyone other than yourself?

We’ve seen odd issues which we have not yet root caused around the software installation and troubles. Cisco has not been able to reproduce, but we have seen it numerous times. It’s still possible there is some PBCAK but given the nature of other issues we’ve seen, it’s unlikely.

- Jared
Re: [c-nsp] NCS-5001 - MPLS L3VPN Issue
On Fri, Mar 04, 2016 at 08:58:23AM -0800, Yury Shefer wrote:
> But who is really using Compass products?
>
> The last press release has been published back in August 2015. Blog/in news section has been untouched since 2014. Are they still alive?

We have customers connected to these devices.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] NCS-5001 - MPLS L3VPN Issue
> On Feb 26, 2016, at 5:54 PM, James Bensley wrote:
>
> On 26 February 2016 at 22:43, Phil Bedard wrote:
>> How you upgrade the whole OS is still a bit hazy though. They have said it involves using a self-extracting ISO distribution similar to other Linux distros. They are supporting PXE so theoretically you could automate the upgrades.
>
> We are not upgrading between versions only applying SMUs and service packs to the current version. In the case of moving from 4.3.4 to 5.1.3 and now moving to 5.3.3 (since that is the new extended maintenance release); the process is erase the box, and install from fresh, then upload the full config.

I would not load 5.3.3 until at least SP1 hits the street, there are a lot of defects Cisco is working through. Just because something says EMR doesn’t mean it’s good, there were some very catastrophic issues in the 5.1.3 EMR, most notably that if you logged into the router twice at the same time over SSH you would no longer be able to login any more.

If you haven’t seen the TCP crash in 5.1.3 where that runs out of memory, CSCup67367 take a look at your memory usage.

- Jared
Re: [c-nsp] Sup720: dumb question
The key question is what software are you attempting to boot and what images are in the bootflash/sup-bootflash/disk0: etc

Having console output here is key to understanding what’s going on.

- Jared

> On Feb 17, 2016, at 1:52 PM, Dave McGuire wrote:
>
> Hey folks. This is sure to be a dumb question, but I'm stumped. I am new to the 6500/7600 platform, but not new to Cisco in general.
>
> I've received a 7603 chassis with a Sup720 and I'm trying to get it running. I get nothing at all on the console port when I power it up. Known-good cabling, etc. All the LEDs eventually turn green and things look good otherwise. No amount of poking/prodding/power-cycling will produce any output on the console port.
>
> At first I thought maybe I just got a fried Sup720 board, but I have a second one from another source, also represented as being functional, and it exhibits identical behavior.
>
> There's no CF card installed in either Sup720 board. (haven't gotten that far..)
>
> Am I missing something?
>
> Also...I have an existing 6503; the 7603 chassis looks identical to the 6503. Are they in fact interchangeable?
>
> Thanks,
> -Dave
>
> --
> Dave McGuire, AK4HZ
> New Kensington, PA
Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
We’ve been having some interesting issues with the ASA that have kept us pegged at a specific release. Upgrading even a minor release causes all traffic to be dropped without any clear explanation and TAC was not much help.

I’m thinking of just replacing the ASA with something that is easier to troubleshoot.

- Jared

> On Feb 16, 2016, at 10:35 AM, David White, Jr. (dwhitejr) wrote:
>
> Sounds like CSCux15273 - inaccurate reporting of memory usage in 9.5(2)+
>
> Sincerely,
>
> David.
>
> On 2/16/16 10:28 AM, Don Nightingale wrote:
>> I'm seeing this as well on our pair we upgraded 2/11 to 9.5(2)2.
>> Memory usage is slowly reported as increasing. It's currently
>> breaking the asdm memory graph, displaying 450% memory utilization to
>> syslog and showing ridiculous numbers from the cli:
>>
>> ciscoasa# sho mem
>> Free memory: 18446744044457691540 bytes (248730157%)
>> Used memory: 37261147072 bytes (-248730057%)
>> - --
>> Total memory: 7416356372 bytes (100%)
>>
>> It's still operating so it may be either a cosmetic bug or a canary
>> that will keep me busy sometime in the near future.
>>
>> We have an open tac case as well.
>>
>> --
>> Don
>>
>>> On Feb 16, 2016, at 3:08 AM, Andrew (Andy) Ashley
>>> wrote:
>>>
>>> Hi,
>>>
>>> We upgraded a pair of 5515-X’s from 9.2(1) to 9.5(2)2, the interim release,
>>> on Saturday.
>>> Since then the free memory on the primary unit has been steadily decreasing
>>> (30% -> 95% in 3 days).
>>> These small increases appear to be happening around every 30 minutes or so.
>>> We failed over to the standby, which had much lower memory usage but that
>>> too is now creeping up.
>>> The previous primary unit did not reclaim any memory and did not stop
>>> climbing either after fail over.
>>>
>>> Have opened a TAC case but Wondering if it’s just us, or if this is
>>> affecting others..
>>>
>>> Regards,
>>> Andrew Ashley
>>>
>>> -Original Message-
>>> From: cisco-nsp on behalf of Garry
>>>
>>> Date: Tuesday, 16 February 2016 at 14:49
>>> To: "cisco-nsp@puck.nether.net"
>>> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and
>>> IKEv2 Buffer Overflow Vulnerability
>>> Hi,
>> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
> Poor bastards stuck at 8.2 (like us) might be relieved to know that
> there actually is a 8.2(5)59 version with the fix. Reading the SA page
> I got the impression that there was no fixed software for 8.2(5).

Thanks for the find, same situation we were in (well, several of our customers rather) - reading the advisory, it clearly states anything 8.x except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at least one system that only has 256M of RAM (and therefore can't go to anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30) caused some problems due to incorrectly (or incomplete) config migration for several systems ... of course it could be fixed, but still ...

And yes, the systems should be kept more current, but seeing what happens when you do update more or less confirms the old saying "never change a running system" ... sadly ...

Still, if Cisco publishes an interim that fixes this disastrous flaw and is not at least following up on their announcement (8.2.5(59) was released 3 days after the initial notification was published), it's sort of a pain for users ... even the advisory on the web page hasn't been updated to at least list the option of using the interim ... :(

-garry
Re: [c-nsp] SFP compatibility
> On Feb 3, 2016, at 9:06 PM, Wilmer wrote:
>
> Hey Guys,
>
> Probably a stupid question, but I can't find an obvious answer on Cisco.
>
> Are the following SFP's able to be used to together:
>
> One device is using at GLC-FE-100EX & the other end is using
> a 1000BASE-LX/LH (Single Mode fibre).
>
> I "think" these SFP's are compatible with each other.. But if someone can
> confirm this it would be great.

I would say no.

You can get 1000Base-LX/LH optics for around $7 + shipping these days, so I would just swap both sides to be 1G.

There’s even cool devices like this to do the 1G <-> RJ45 if you need it:

http://www.balticnetworks.com/mikrotik-fiber-to-copper-converter.html

- Jared
Re: [c-nsp] Most cost effective 100G router?
> On Jan 20, 2016, at 5:34 PM, James Bensley wrote:
>
> Sorry I missed the full table requirement.

I’ve used 9904 for this before.

- Jared
[c-nsp] Junk Message Apology
Apologies for the spam overnight. Rules are now in place to block these messages.

- Jared
Re: [c-nsp] Equipment for a large-ish LAN event
> On Dec 9, 2015, at 8:13 AM, Chuck Church wrote: > > Isn't game traffic fairly small in bandwidth need, but very latency > dependent? QOS seems like a good fit here. Priority queue the game traffic > based on matched ACL, and best effort everything else, re-marking it as > necessary. Based on previous years, what are the true bandwidth needs? If bandwidth isn’t an issue QoS adds no value and increases complexity unnecessarily.

I recall when our IT department first tried to talk to us about QoS with one of their vendors. Once the vendor realized we had 10G links everywhere they stopped worrying about it. (This was 10+ years ago when most people were doing OC48 backbones).

The biggest thing I’ve always seen is the need for accurate and realtime traffic stats, as well as ability to do port testing.

You may want to also get some of the armored fiber cables as they are tolerant to being stepped on and a cart running over them. I’ve seen them at ecablemart.com as well as other places like fiberstore. A word of caution on fiberstore, they may use your name without your permission in marketing, and steal your title off LinkedIn as well even if you didn’t purchase for $dayjob.

There’s a lot of smaller tips for configuring things I’ll leave for another thread called “fixing broken cisco defaults” (eg: mismatch in layer-2 timers vs layer-3, disabling nd and proxy-arp, etc).

- Jared
Re: [c-nsp] Cache DNS servers
You may also find useful help at the dns-operations list.

- Jared

> On Dec 1, 2015, at 1:05 PM, Murat Kaipov wrote:
>
> Hello folks!
>
> I have little question about DNS servers that you use in your environment?
> We use bind on freebsd servers now. I did some benchmarks and found that
> google public DNS is 8 - 10 time faster than my own. So I decide change BIND
> for something more faster. I'm in MNO market. Any suggestions?
Re: [c-nsp] TFTP/SCP
> On Nov 23, 2015, at 9:42 AM, Aaron wrote:
>
> and scp/sftp
>

The issue I’ve seen here is a directional one, there is no SCP/SFTP support to copy data out:

RP/0/RSP0/CPU0:Router#copy ?
  /recurse        Recursively list subdirectories encountered
  WORD            Copy from file
  access-list     Access lists
  bootflash:      Copy from bootflash: file system
  disk0:          Copy from disk0: file system
  disk0a:         Copy from disk0a: file system
  disk1:          Copy from disk1: file system
  disk1a:         Copy from disk1a: file system
  disk2:          Copy from disk2: file system
  ftp:            Copy from ftp: file system
  harddisk:       Copy from harddisk: file system
  harddiska:      Copy from harddiska: file system
  harddiskb:      Copy from harddiskb: file system
  lcdisk0:        Copy from lcdisk0: file system
  lcdisk0a:       Copy from lcdisk0a: file system
  nvram:          Copy from nvram: file system
  prefix-list     Prefix lists
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  tftp:           Copy from tftp: file system
  xml-schema      Copy XML schema files as a tar ball file (.tar.gz)
Re: [c-nsp] TFTP/SCP
Sure, please describe how to automate that :)

It’s a bit more complex than you think. The way the system constructs the URLs underneath for the KSH to transfer data is quite problematic when you add in more slashes. It’s also very user-unfriendly to interact with the filesystem. I’m sure many of you have experienced the difference between

  copy harddisk:filename

vs

  copy harddisk:/filename

The lack of a model to directly interact with SFTP/SCP from the CLI is a problem, the run stuff is really meant for troubleshooting not for daily use.

- Jared

> On Nov 23, 2015, at 9:49 AM, Darin Herteen <syn...@live.com> wrote:
>
> This might work...
>
> RP/0/RSP0/CPU0:LAB_9904#run
> Mon Nov 23 14:48:05.274 UTC
> # sftp
> usage: sftp [[user@]{host1[:]}][filename1]...
> [[user@]{host2[:]}][filename2]#
>
>
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> on behalf of Jared Mauch
> <ja...@puck.nether.net>
> Sent: Monday, November 23, 2015 8:46 AM
> To: Aaron
> Cc: John Heasley; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
>
>> On Nov 23, 2015, at 9:42 AM, Aaron <dudep...@gmail.com> wrote:
>>
>> and scp/sftp
>>
>
> The issue I’ve seen here is a directional one, there is no SCP/SFTP support
> to copy data out:
>
> RP/0/RSP0/CPU0:Router#copy ?
>   /recurse        Recursively list subdirectories encountered
>   WORD            Copy from file
>   access-list     Access lists
>   bootflash:      Copy from bootflash: file system
>   disk0:          Copy from disk0: file system
>   disk0a:         Copy from disk0a: file system
>   disk1:          Copy from disk1: file system
>   disk1a:         Copy from disk1a: file system
>   disk2:          Copy from disk2: file system
>   ftp:            Copy from ftp: file system
>   harddisk:       Copy from harddisk: file system
>   harddiska:      Copy from harddiska: file system
>   harddiskb:      Copy from harddiskb: file system
>   lcdisk0:        Copy from lcdisk0: file system
>   lcdisk0a:       Copy from lcdisk0a: file system
>   nvram:          Copy from nvram: file system
>   prefix-list     Prefix lists
>   rcp:            Copy from rcp: file system
>   running-config  Copy from current system configuration
>   tftp:           Copy from tftp: file system
>   xml-schema      Copy XML schema files as a tar ball file (.tar.gz)
Re: [c-nsp] TFTP/SCP
> On Nov 23, 2015, at 9:52 AM, Aaron wrote:
>
> sftp isn't under copy. Not sure why it isn't.
>
> RP/0/RSP0/CPU0:2051a-lab#sftp ?
> WORD [[user@][host[:]]][source-filename]
>

It’s not made accessible to any other parts of the system either, so isn’t properly supported. I’m not saying this is right, but considering the number of times I’ve encountered ssh breakage with XR, I wouldn’t use it for something meant to be reliable.

RP/0/RSP0/CPU0:Router(config)#load ?
  WORD           Load from file
  bootflash:     Load from bootflash: file system
  commit         Load commit changes
  configuration  Contents of configuration
  diff           Load from diff file
  disk0:         Load from disk0: file system
  disk0a:        Load from disk0a: file system
  disk1:         Load from disk1: file system
  disk1a:        Load from disk1a: file system
  ftp:           Load from ftp: file system
  harddisk:      Load from harddisk: file system
  harddiska:     Load from harddiska: file system
  harddiskb:     Load from harddiskb: file system
  lcdisk0:       Load from lcdisk0: file system
  lcdisk0a:      Load from lcdisk0a: file system
  nvram:         Load from nvram: file system
  rcp:           Load from rcp: file system
  rollback       Load rollback changes
  tftp:          Load from tftp: file system
Re: [c-nsp] TFTP/SCP
I've suggested removing TFTP as it's a crutch and has many shortcomings, more so when any latency is involved.

People used a custom RCPD in the past to solve this as well.

Beware as the Cisco FTP clients behave strangely across all versions and may request the file multiple times. They don't seem to test it often so if you report a bug, it takes quite some time to find the code caretaker.

Jared Mauch

> On Nov 19, 2015, at 8:14 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>> On 19/Nov/15 15:54, Jared Mauch wrote:
>>
>> We use FTP as the image isn't something that needs to be protected from
>> eavesdroppers.
>
> We use FTP also, as SCP support was non-uniform across various versions
> of IOS for a while.
>
> Mark.
Re: [c-nsp] TFTP/SCP
Yup. You can filter by IP address and check image checksum after if it's something without a crypto signature.

Jared Mauch

> On Nov 19, 2015, at 8:54 AM, Daniel Brisson <dbris...@uvm.edu> wrote:
>
> What about protecting credentials? Do you use a service account that has 0
> access other than FTP'ing images?
>
> -dan
>
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared
> Mauch
> Sent: Thursday, November 19, 2015 8:54 AM
> To: Mark Tinka <mark.ti...@seacom.mu>
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
>
> We use FTP as the image isn't something that needs to be protected from
> eavesdroppers.
>
> Jared Mauch
>
>> On Nov 19, 2015, at 6:46 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>>
>>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>>
>>> Hi All,
>>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
>>> very slow, so I decided to use SCP which was a lot quicker. However, SCP
>>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
>>> experience this?, the switch was passing data traffic normally.
>>
>> Might make sense.
>>
>> SCP is exception traffic, as is SNMP traffic to the switch.
>>
>> Mark.
Re: [c-nsp] TFTP/SCP
We use FTP as the image isn't something that needs to be protected from eavesdroppers.

Jared Mauch

> On Nov 19, 2015, at 6:46 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>
>> Hi All,
>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved
>> very slow, so I decided to use SCP which was a lot quicker. However, SCP
>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever
>> experience this?, the switch was passing data traffic normally.
>
> Might make sense.
>
> SCP is exception traffic, as is SNMP traffic to the switch.
>
> Mark.
Re: [c-nsp] default maximum-prefix limits on XR!
Some of these limits are per-platform, so remember there is no “generic ios-xr”.

On the 9K you may need to set your profile to match your use case. It’s less obvious compared to a generic central CPU platform like most XE devices are.

- Jared

> On Sep 17, 2015, at 9:24 AM, Adam Vitkovsky wrote:
>
> Hi folks,
>
> Today I learned that XR has default maximum-prefix limits -on a contrary to
> regular IOS/XE where there are no default limits.
> For most of the folks it's really just an early heads up, maybe relevant for
> lab tests, but the VPNv4 number is pretty low for big folks or those who are
> doing Internet in a VRF.
>
> IPv4 Unicast: 1048576
> IPv4 Labeled-unicast: 131072
> IPv6 Unicast: 524288
> IPv6 Labeled-unicast: 131072
> IPv4 Tunnel: 1048576
> IPv4 Multicast: 131072
> IPv6 Multicast: 131072
> VPNv4 Unicast: 2097152
> IPv4 MDT: 131072
> VPNv6 Unicast: 1048576
> L2VPN EVPN: 2097152
>
> Found a old thread from Will Hargrave | 26 Apr 03:17 2012 An observation:
> 512k default max-prefix in IOS-XR
>
> adam
>
>
> Adam Vitkovsky
> IP Engineer
>
> T: 0333 006 5936
> E: adam.vitkov...@gamma.co.uk
> W: www.gamma.co.uk
Re: [c-nsp] Weird config changes on C2621XM with AIM-VPN/BPII
On Thu, Sep 17, 2015 at 01:47:46PM +, Nick Nauwelaerts wrote:
> i would guess to join our nexus fex's in the pub, they also like to go missing
> in between rancid checkups.
>
> in our case it seems to be a wonky nx-os revision in combination with
> datacenter manager which seems to cause quite some load with its checkups.
>
> anything in the router's logs during the disappearances?

I've seen similar issues before with various hardware. Usually it's a software bug where two people are talking to the microcontroller at the same time and there's no concurrency checking.

We've exposed a lot of bugs by having two scripts do the same thing at the same time. Often a cisco device doesn't expect concurrent memory/device access.

Recommendation:

Figure out how to make it happen, either in a tight loop, or having 3 windows open doing

  while true; do
      clogin -x /tmp/rancid-commands hostname
  done

it might be as simple as finding the show controller or show inventory commands and running those in a loop.

make sure cisco knows how you login and they reproduce it the same way themselves with these critical variables in mind:

1) via SSH
2) via IPv6
3) where SSH uses specific terminal types
4) where the SSH client offers keys

We had issues where optics would report odd things for a year or so and filled a lot of rancid logs. This was because Cisco wasn't expecting a certain older flavor of their own optic and their EEPROM validation code wasn't perfect.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] %NTP: Multicast peer 224.0.1.1 does not exist
Is pim enabled on the interface?

On Aug 21, 2015, at 3:39 AM, Victor Sudakov v...@mpeks.tomsk.su wrote:

Colleagues,

A 7206VXR (NPE-G2) is not sending ntp broadcasts nor multicasts, and I even cannot reconfigure ntp settings on an interface (see below). Any idea what the problem could be?

debug ntp packet|events does not show anything of interest. tcpdump shows that the router is simply not sending any NTP packets out GigabitEthernet0/2.

Google does not even know the phrase Cannot reconfigure the multicast peer, nor does cisco.com/search

gw2(config-if)#do sh run int GigabitEthernet0/2
Building configuration...

Current configuration : 428 bytes
!
interface GigabitEthernet0/2
[dd]
 ntp broadcast key 2 destination 10.14.141.255
 ntp broadcast key 2
 ntp multicast key 2 ttl 1
end

gw2(config-if)#no ntp multicast key 2 ttl 1
%NTP: Multicast peer 224.0.1.1 does not exist
gw2(config-if)#no ntp multicast
%NTP: Multicast peer 224.0.1.1 does not exist
gw2(config-if)#ntp multicast key 2 ttl 6
%NTP: Cannot reconfigure the multicast peer.
gw2(config-if)#ntp multicast ?
  A.B.C.D     Multicast group IP address
  X:X:X:X::X  Multicast group IPv6 address
  client      Listen to NTP multicasts
  key         Configure multicast authentication key
  ttl         TTL of the multicast packet
  version     Configure NTP version
  <cr>

gw2(config-if)#ntp multicast 224.0.1.1 ?
  key      Configure multicast authentication key
  ttl      TTL of the multicast packet
  version  Configure NTP version
  <cr>

gw2(config-if)#ntp multicast 224.0.1.1 ttl 6
%NTP: Cannot reconfigure the multicast peer.
gw2(config-if)#

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: [c-nsp] Peering + Transit Circuits
On Aug 18, 2015, at 8:47 AM, Gert Doering g...@greenie.muc.de wrote:

XR doesn't do it at all, hrmph)

We have been asking about this as well, it might be worth revisiting.

- Jared
Re: [c-nsp] Utility to identify orphaned ACLs and such?
Cisco really needs to implement a 'show config dead' or similar type command that displays all these orphaned policies.

I have a hard enough time with cisco parsing their own configs though I can't push on this now, perhaps someone else can?

- Jared

On Thu, Aug 06, 2015 at 07:47:01AM +0300, Hank Nussbacher wrote:

Does anyone know of a Cisco IOS utility that can identify orphaned objects like ACLs, route policies, prefix-lists, etc?

Thanks,
Hank

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] putty SSH errors on IOS-XR 5.1.1
On Thu, Aug 06, 2015 at 11:12:20AM +0200, Lukas Tribus wrote:

Hi,

Hello, I've got a pair of new ASR-9904 routers running IOS-XR 5.1.1 [...] When a lot of data is being sent at once from the router to my client, putty will disconnect and give me the error: Disconnected: Server protocol violation: unexpected SSH2_MSG_CHANNEL_FAILURE packet.

Hi Vinny,

On PuTTY go to: Configuration - Connection - SSH - Bugs

And set “Chokes on PuTTY’s SSH-2 ‘windadj’ requests” to On (the default is Auto).

Full disclosure: this is CSCup31447, IOS XR's ssh server erroneously disconnects the TCP session after sending SSH_MSG_CHANNEL_FAILURE. Its pretty obvious that the SSH server is not supposed to do that, but because its not explicitly prohibited in the RFC, the developers seem unwilling to fix this (quote It could be a simple fix from our side [...] but bringing this change will impact the behavior which we exhibited for long years).

You really need to look at 5.3.1 as that fixes a lot of the SSH defects that were in 5.1.x.

We identified quite a number of defects such as if two people were logged in at the same time (eg: rancid, someone else) you would not be able to login anymore.

Took Cisco quite some time to address this issue and properly fix it as they were unable to duplicate it without someone thinking hey lets log in multiple times. Cisco seems to think of a device as a single monolithic login session without the need for concurrency protection or other protections or auto-restoration.

I'm thinking we need a good community test-suite that simulates actual activities in a device. After over a decade of asking cisco has not tried to use any industry standard tools in its testing such as RANCID for fetching the configurations. SSH for login as another example.

Paranoia about breaking things when you're not standards compliant is pure lazy gamesmanship.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Utility to identify orphaned ACLs and such?
On Thu, Aug 13, 2015 at 09:37:34AM -0400, Jared Mauch wrote:

Cisco really needs to implement a 'show config dead' or similar type command that displays all these orphaned policies.

I have a hard enough time with cisco parsing their own configs though I can't push on this now, perhaps someone else can?

Apparently RPL in IOS-XR can do this:

RP/0/RP0/CPU0:Router#show rpl unused ?
  as-path-set       Display as-path-set objects
  community-set     Display community-set objects
  extcommunity-set  Display extended community objects
  ospf-area-set     Display ospf-area-set objects
  prefix-set        Display prefix-set objects
  rd-set            Display rd-set objects
  route-policy      Display route-policy objects
  tag-set           Display tag-set objects

This doesn't solve the problem of the OP, but may help others identify dead policy.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
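
The two messages above ask for a way to list orphaned ACLs, prefix-lists and route policies on IOS. As an added example (not code from the list or from Cisco), this script audits a saved configuration offline: it reports objects that are defined but never applied, counts a reference made only from inside an unused route-map as dead, and lists references to names that are not defined. The configuration text is constructed, and the reference patterns are an assumed subset of the places IOS can apply these objects, so the output is a list of candidates to review.

```python
import re
from collections import defaultdict

# Lines that define an object: (kind, regex capturing the name).
DEFINITIONS = [
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("acl", re.compile(r"^access-list (\d+) ")),
    ("prefix-list", re.compile(r"^ip prefix-list (\S+) ")),
    ("route-map", re.compile(r"^route-map (\S+) (?:permit|deny)")),
]
# Lines that apply an object. Assumed subset of IOS reference sites.
REFERENCES = [
    ("acl", re.compile(r"^ip access-group (\S+) (?:in|out)")),
    ("acl", re.compile(r"^access-class (\S+) (?:in|out)")),
    ("acl", re.compile(r"^match ip address (?!prefix-list)(.+)")),
    ("acl", re.compile(r"^snmp-server community \S+ (?:RO|RW) (\S+)")),
    ("acl", re.compile(r"distribute-list (?!prefix)(\S+) (?:in|out)")),
    ("prefix-list", re.compile(r"^match ip address prefix-list (.+)")),
    ("prefix-list", re.compile(r"^neighbor \S+ prefix-list (\S+) (?:in|out)")),
    ("prefix-list", re.compile(r"distribute-list prefix (\S+)")),
    ("route-map", re.compile(r"\broute-map (\S+)")),
]

def audit(config):
    """Return {kind: {"unused": [...], "undefined": [...]}} for a config text."""
    defined = defaultdict(set)
    refs = []      # (owner, kind, name); owner = enclosing route-map or None
    owner = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            owner = None            # a top-level line closes a route-map block
        for kind, rx in DEFINITIONS:
            m = rx.search(line)
            if m:
                defined[kind].add(m.group(1))
                if kind == "route-map":
                    owner = (kind, m.group(1))
                break
        else:
            for kind, rx in REFERENCES:
                m = rx.search(line)
                if m:
                    refs.extend((owner, kind, n) for n in m.group(1).split())

    # A reference counts only if it is made at top level or from a live
    # route-map; iterate until no further object becomes live.
    live, changed = set(), True
    while changed:
        changed = False
        for ref_owner, kind, name in refs:
            if (ref_owner is None or ref_owner in live) and (kind, name) not in live:
                live.add((kind, name))
                changed = True

    report = {}
    for kind in ("acl", "prefix-list", "route-map"):
        used = {n for k, n in live if k == kind}
        mentioned = {n for _, k, n in refs if k == kind}
        report[kind] = {
            "unused": sorted(defined[kind] - used),
            "undefined": sorted(mentioned - defined[kind]),
        }
    return report

# Constructed sample configuration (documentation addresses, made-up names).
SAMPLE_CONFIG = """
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
ip access-list extended OLD-CUSTOMER
 permit ip any any
access-list 10 permit 192.0.2.10
access-list 99 permit 198.51.100.0 0.0.0.255
ip prefix-list PL-CUST seq 5 permit 203.0.113.0/24
ip prefix-list PL-STALE seq 5 permit 198.51.100.0/24
route-map RM-CUST-IN permit 10
 match ip address prefix-list PL-CUST
route-map RM-LEGACY permit 10
 match ip address 99
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
router bgp 64500
 neighbor 192.0.2.1 route-map RM-CUST-IN in
 neighbor 192.0.2.1 prefix-list PL-MISSING out
snmp-server community example RO 10
line vty 0 4
 access-class MGMT-IN in
"""

if __name__ == "__main__":
    for kind, result in audit(SAMPLE_CONFIG).items():
        print(kind, result)
```

ACL 99 is reported as unused even though `RM-LEGACY` matches on it, because that route-map is itself never applied.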
[c-nsp] OT: Honest Networker
While off-topic, I thought this would be of interest for people who see issues with their routers as this captures many of the situations we operators see on a regular basis.

http://honestnetworker.wordpress.com

- Jared
Re: [c-nsp] Remote management console servers?
On Tue, Jul 14, 2015 at 05:03:33PM +, Scott Granados wrote:

Hi, Wondering what people are doing / best practices for remote management generally in datacenter environments. We have several datacenter with a mix of Cisco, F5, Juniper and Palo Alto equipment in each. All have a similar RJ45 type console port and all are pretty much your garden variety devices. Looking for a good solution to gain access when primary connectivity is disrupted. I know back in the day we used 2610XM routers with the octopus cables but I’m wondering if there is better available now or is this still a good solution? Do you all use out of band loops for remote management like DS1 / DS3 circuits from diverse providers, dial in, what’s the standard for remote management?

Many people have their own solutions. What I've generally seen is that you can connect to routers inband over IP to a console server. If the network is down, there is some other backup method to get into the console server, be it a modem or similar. Some people have taken to doing this over cellular data but often this is not reliable within datacenters with a lot of RF or similar issues.

Some people use DSL in the datacenter, but some buildings are outside the DSL footprint of telcos, so you are left with something else.

Do you also have your management networks isolated on their own (could be the same) management network or do you do some sort of VPN / VRF deal for normal non emergency management connectivity?

I've started to think that this is a solution where LISP would actually add value/come into play. LISP allows prefix mobility across multiple providers, so could have cellular + inband-ethernet + dsl + datacenter wifi, and make that work. You can run LISP on your router or on a raspberry PI as well. Check out lispers.net

Any thoughts on the subject would be most appreciated. The last time I built one of these was with 2610XM routers in the pops and 7206 routers as aggregation points in each geographic region linked together with different T1s and multiplexed to the 7206 regional routers with backhaul loops to the NOC. Seems like a bit of overkill for my application now but if this is still the best practice then it might be worth while. Any pointers or other suggestions would be most appreciated.

The cases where I have used console are generally to recover a device that has gone south in a really-bad way. Trying to use a console port for anything more than that will result in frustration.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] SFPs (Third party) - ordered standard LH, but got ZX
Cisco does a poor job of reading the SFF MSA fields from their own optics let alone what they describe as “3rd party”.

You may find it easier to use something to read/validate the optics yourself if that works for your logistics. (shameless plug: I have something that might be interesting showing you within this space, contact me off-list).

There’s plenty of people who read and implement the SFF specification properly so reporting the bug against the platform and asking why there isn’t just a common library is where I would drive your discussion. This is very generic code that is 75% cut+paste from the SFF-8472, SFF-8024, SFF-8636 tables. 8431, 8690, 8079 also cover some other details that may be useful.

- Jared

On Jul 6, 2015, at 7:32 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:

Thanks Nic - I've already contacted them earlier awaiting their response.

Cheers.

From: cisco-nsp cisco-nsp-boun...@puck.nether.net on behalf of Nick Hilliard n...@foobar.org
Sent: Monday, 6 July 2015 9:26 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SFPs (Third party) - ordered standard LH, but got ZX

On 06/07/2015 12:22, CiscoNSP List wrote:

So, it would appear that they are all LH hopefully someone can confirm based of the TX/RX readings I provided?

you need a multi-frequency light meter to confirm this. I would contact the transceiver supplier and ask them to confirm the situation.

Nick
Re: [c-nsp] SFPs (Third party) - ordered standard LH, but got ZX
On Jul 6, 2015, at 4:50 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:

Hi Everyone,

As per title ordered a bunch of our usual single mode SFP's. and they are badged as LH, but when inserted into router/switch, they report as ZX. can I connect our LH to the new ZX ones (I don't have a router/switch handy to test), and have to ship them interstate. but obviously don't want to if they are not compatible with our existing LH SFP's

Oh one more thing: I’ve noticed that some 10KM SFPs come as 20km capable:

  Date Code: 150213
  1000Base-LX
  extended compliance_code 0
  Distances:
    SMF - 20 km
    SMF - 2 meters
    OM4 - 320 meters
  Wavelength: 1310.00nm

It’s possible that the router interprets 10km as ZX.

- Jared
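
Reading the SFF-8472 serial-ID fields directly, as the two messages above suggest, takes little code. This added example (not the tool mentioned in the thread, and not vendor code) decodes the A0h base ID fields, validates both check codes and compares the advertised compliance code with what was ordered; the EEPROM image is constructed, and the vendor, part and serial strings in it are placeholders.

```python
import struct

# SFF-8472 byte 6: Ethernet compliance codes, bit number -> name.
ETH_COMPLIANCE = {
    7: "BASE-PX", 6: "BASE-BX10", 5: "100BASE-FX", 4: "100BASE-LX/LX10",
    3: "1000BASE-T", 2: "1000BASE-CX", 1: "1000BASE-LX", 0: "1000BASE-SX",
}
IDENTIFIER = {0x03: "SFP/SFP+/SFP28"}      # SFF-8024 identifier (subset)
CONNECTOR = {0x01: "SC", 0x07: "LC"}       # SFF-8024 connector (subset)

def _check(page, first, last, cc_index):
    """Check code = low 8 bits of the sum of bytes first..last inclusive."""
    return (sum(page[first:last + 1]) & 0xFF) == page[cc_index]

def parse_sfp_a0(page):
    """Decode the base ID fields from the first 96 bytes of page A0h."""
    if len(page) < 96:
        raise ValueError("need at least the first 96 bytes of page A0h")

    def text(lo, hi):
        return page[lo:hi + 1].decode("ascii", "replace").strip()

    return {
        "identifier": IDENTIFIER.get(page[0], "unknown (0x%02x)" % page[0]),
        "connector": CONNECTOR.get(page[2], "unknown (0x%02x)" % page[2]),
        "ethernet": [n for bit, n in ETH_COMPLIANCE.items() if page[6] >> bit & 1],
        "smf_km": page[14],                 # byte 14: SMF reach in km
        "smf_m": page[15] * 100,            # byte 15: SMF reach in 100 m units
        "om4_m": page[18] * 10,             # byte 18: OM4 reach in 10 m units
        "wavelength_nm": struct.unpack(">H", page[60:62])[0],
        "vendor": text(20, 35),
        "part_number": text(40, 55),
        "serial": text(68, 83),
        "date_code": text(84, 89),          # YYMMDD; bytes 90-91 are lot code
        "cc_base_ok": _check(page, 0, 62, 63),
        "cc_ext_ok": _check(page, 64, 94, 95),
    }

def findings(info, ordered_code):
    """List discrepancies between the EEPROM contents and what was ordered."""
    out = []
    if not info["cc_base_ok"]:
        out.append("CC_BASE check code mismatch (bytes 0-62)")
    if not info["cc_ext_ok"]:
        out.append("CC_EXT check code mismatch (bytes 64-94)")
    if ordered_code not in info["ethernet"]:
        out.append("ordered %s, EEPROM advertises %s"
                   % (ordered_code, ", ".join(info["ethernet"]) or "no Ethernet code"))
    return out

def build_sample():
    """Constructed EEPROM image: an LC 1310 nm 1000BASE-LX module, 20 km reach."""
    p = bytearray(96)
    p[0], p[2], p[6] = 0x03, 0x07, 0x02
    p[12] = 13                              # nominal rate, units of 100 MBd
    p[14], p[15] = 20, 200                  # 20 km, stated both ways
    p[20:36] = b"EXAMPLE-OPTICS".ljust(16)  # placeholder vendor name
    p[40:56] = b"SFP-LX-20-EX".ljust(16)    # placeholder part number
    p[60:62] = struct.pack(">H", 1310)
    p[63] = sum(p[0:63]) & 0xFF             # CC_BASE
    p[68:84] = b"CONSTRUCTED0001".ljust(16) # placeholder serial number
    p[84:92] = b"150213  "
    p[95] = sum(p[64:95]) & 0xFF            # CC_EXT
    return bytes(p)

if __name__ == "__main__":
    info = parse_sfp_a0(build_sample())
    for key, value in info.items():
        print("%-14s %s" % (key, value))
    print("findings:", findings(info, "1000BASE-LX") or "none")
```

Byte 6 carries the standards compliance and bytes 14 and 15 carry the reach, so a module can advertise 1000BASE-LX and a 20 km reach at the same time; the two fields are independent.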
Re: [c-nsp] Fibre Channel over SDH STM64
I would have to imagine something like this would be up your alley:

http://www.mrv.com/sites/default/files/datasheets/us_pdfs/mrv-fd-dmr10g.pdf

This should take an 8G fiber channel SFP+ and allow it to come out in a 10G SDH framing. Reverse on the other side and it should just work.

- Jared

> On Tue, Jul 07, 2015 at 08:46:52AM +1000, Feedly Reader wrote:
>
> Hi all,
>
> I was looking for some insight around carrying 8G Fibre Channel data over third party P2P links. We would like to connect Fibre Channel switching to each other between two locations and the only available options are 10G Ethernet or an SDH link provided by local carrier. They will not provide dark fibre or wavelength for us to use.
>
> I have looked into using Nexus 5600 and carrying 8G FC as FCOE traffic over 10G Ethernet. However, this requires another switching device (Nexus 5600) between the two Fibre Channel Switches (MDS 9200). I have also looked into using FCIP, which is currently the only option we can do without having another set of devices.
>
> So, is it possible to carry 8G FC traffic over STM64 transparently, possibly using a transponder card or have I lost the plot?
>
> Thanks!

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] test...list lag, or down?
mailman was not running and I since restarted it.

- Jared

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] New IOS release time frame, when bug is identified
> On May 15, 2015, at 1:28 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
>
> Bug is still private (i.e. details not publicly viewable) - but located here:
>
> https://tools.cisco.com/bugsearch/bug/CSCuu32800
>
> Can provide SR if needed.

It’s cisco policy that any defect hit by customer in production result in that bug getting a proper release note (RNE) and be flagged so it can be seen on CCO. This should happen within 24 hours. You should tell the TAC engineer their policy. It’s quite common that they don’t know this as they spend most of their time working on configuration related issues vs actual software defects.

It’s not uncommon for Cisco to take a long time to fix a defect. I recommend calling your account team and having them contact release operations and PM for the platform and set up a call for you to discuss the business impact. If this halts your ability to purchase/deploy equipment or even operate it, you should make sure to classify it as very dire.

You should ask about if this will be added to the TCATS or an analysis of the Test Escape. Testing software is very hard and some options make it a complete n*2 testing problem or worse as they are mutually exclusive.

Right now we have at least 3 p1 cases open with Cisco that are unresolved and fairly catastrophic in nature. Sometimes the developers can only code so fast, and quite often we find it necessary to teach cisco what SCALE truly means. Multiple people logged in at once is not something they think of (as an example).

2-4 weeks is about as fast as they can reasonably move, so keep that in mind.

- Jared
Re: [c-nsp] Preventive Maintenance Template
We collect things along the following lines:

a) interface status
b) BGP status (for all address families)
c) interface descriptions
d) interface IPs
e) ISIS/OSPF neighbor(s)

This is fairly easy to script and automate if you have an existing RANCID installation. You can then snapshot pre+post states and just diff the outputs.

- Jared

> On May 5, 2015, at 6:09 AM, M K gunner_...@live.com wrote:
>
> Hi all, I was searching for the most important commands to use for devices health check. I found a lot of lists but I just want to use your experience to get the most precise and valuable check in order to build my template.
>
> Thanks in advance
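Added example, not part of the original post: a pre/post maintenance comparison along the lines described above, assuming the command output has already been collected into one text blob per command. The command names, addresses and outputs below are constructed, and collapsing BGP summary rows to neighbor, AS and session state is a choice made here so that message counters and timers do not drown the diff.

```python
"""Compare pre- and post-maintenance command output, ignoring volatile counters."""
import difflib


def normalize(line):
    """Collapse whitespace; reduce BGP summary rows to neighbor, AS and state."""
    parts = line.split()
    # Row layout: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    if len(parts) == 10 and parts[1] == "4":
        # A number in the last column is a prefix count, i.e. the session is up.
        state = "Established" if parts[9].isdigit() else parts[9]
        return f"{parts[0]} AS{parts[2]} {state}"
    return " ".join(parts)


def compare(pre, post):
    """Return {command: ['-old line', '+new line', ...]} for commands that changed."""
    changes = {}
    for command in sorted(set(pre) | set(post)):
        a = [normalize(l) for l in pre.get(command, "").splitlines() if l.strip()]
        b = [normalize(l) for l in post.get(command, "").splitlines() if l.strip()]
        delta = []
        matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
        for tag, i1, i2, j1, j2 in matcher.get_opcodes():
            if tag != "equal":
                delta += ["-" + l for l in a[i1:i2]]
                delta += ["+" + l for l in b[j1:j2]]
        if delta:
            changes[command] = delta
    return changes


# Constructed snapshots (documentation addresses and AS numbers).
PRE = {
    "show ip interface brief": """
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.0.2.1       YES NVRAM  up                    up
GigabitEthernet0/1     198.51.100.1    YES NVRAM  up                    up
""",
    "show ip bgp summary": """
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.2       4 64500   12345   12001      900    0    0 3w2d         512000
198.51.100.2    4 64501     800     790      900    0    0 1d04h            12
""",
}
POST = {
    "show ip interface brief": """
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.0.2.1       YES NVRAM  up                    up
GigabitEthernet0/1     198.51.100.1    YES NVRAM  down                  down
""",
    "show ip bgp summary": """
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.2       4 64500   12399   12050      950    0    0 3w2d         512010
198.51.100.2    4 64501     801     790        0    0    0 00:01:10 Active
""",
}

if __name__ == "__main__":
    for command, delta in compare(PRE, POST).items():
        print(command)
        for line in delta:
            print("  " + line)
```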
Re: [c-nsp] Question for TAC
The solution is simple. Call the engineer. When they say they are going to research, say "I'll hold".

Works wonders to motivate them. Don't be afraid to ask for their manager or the duty manager.

Jared Mauch

> On Apr 30, 2015, at 5:20 AM, Adam Vitkovsky adam.vitkov...@gamma.co.uk wrote:
>
>> Does anyone else have this problem? It's frustrating because I either have to wait until the engineer comes back from vacation for my problem to get worked on more, or I have to reassign it to someone else and explain the problem all over again, only to be told that they, too, will be going on vacation for two weeks.
>
> Wow that's interesting, same was happening to me on many IOS related TAC cases. That's why every time I have a chance (IOS box talking to XR box) I open up a case with XR team as those guys are the best.
>
> adam
Re: [c-nsp] TCP MSS on IOS XR
What version of IOS-XR? What are the interface MTUs?

There were a number of TCP enhancements that went in around the 5.1 timeframe which impact the way window scaling works as well.

Also, do you have path-mtu enabled on all the devices?

on XR you want something like this:

    tcp selective-ack
    tcp window-size 65535
    tcp path-mtu-discovery

IOS:

    ip tcp path-mtu-discovery
    ip tcp window-size 65535

- Jared

> On Apr 28, 2015, at 12:46 PM, Jordi Magrané Roig jordimagr...@hotmail.com wrote:
>
> Dear colleagues,
>
> I have an ASR9000 and I have a BGP session with an IOS device. The output of the command show tcp detail pcb shows the following information:
>
>     output omitted
>     Datagrams (in bytes): MSS 1460, peer MSS 1460, min MSS 1946, max MSS 1946
>     output omitted
>
> The IOS device is using MSS 1460 bytes but I don't know exactly the MSS that the IOS XR device is using, 1460 or 1946. Do you know how the command must be interpreted?
>
> Thanks,
> Jordi.
Re: [c-nsp] sip trunk to asterisk
> On Sun, Mar 29, 2015 at 09:05:50AM +0430, s m wrote:
>
> hello everybody,
>
> i want to configure a sip trunk between a cisco router and my system which has asterisk. this is my scenario:
>
>     Freepbx - my system - cisco-router - Freepbx
>
> my system acts like a router. in cisco, if i set just one codec in dial-peers, everything is ok and i can make a call. but if i set different codecs in a voice class codec and assign it to dial-peers, i can make call but call is terminated. i think there is some difference in sip options (maybe sip headers) between cisco and asterisk which causes codec negotiation to fail. as a result of it, call terminates.
>
> anybody try it before? any comments or hints are really appreciated.

What codec are you trying to use? I've had good success with using g711ulaw on both sides.

We've had issues with some providers and DTMF working as well, and it seems that with Cisco you need to configure the dtmf relay in about 25 different places to make it all work right, eg:

    voice service voip
     dtmf-interworking rtp-nte
     signaling forward unconditional
     h323
      call service stop
     sip
    !

and

    !
    dial-peer voice 1 voip
     preference 1
     destination-pattern my_regex
     session protocol sipv2
     session target ipv4:1.2.3.4
     session transport udp
     dtmf-relay rtp-nte
     codec g711ulaw
     fax-relay ecm disable
     fax rate disable
     fax protocol pass-through g711ulaw
     no vad
    !

- Jared

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] Asset Management Software
Rancid seems to work well for our network. We can get the location of any serial number from the history in CVS as an example.

> On Mar 26, 2015, at 2:25 AM, M K gunner_...@live.com wrote:
>
> Hi all, What is the best Asset Management (free) software to use?
Re: [c-nsp] IP SLA?
> On Mar 24, 2015, at 8:27 AM, Dan Brisson dbris...@gmail.com wrote:
>
> I'm curious what folks do in the situation where you have redundant links to your customers. I'm speaking primarily in co-lo environments where you offer redundant Internet connectivity to co-lo customers.
>
> So for example, you give a customer 2 ethernet handoffs from two separate Layer 2 switches. Now what do you do if the customer wants to go to a routed model using both links. I could allocate /30s for both links, but then I have the issue of how to reliably route their block to them w/out running a routing protocol that will detect if one of the links goes down. That's where I came to static routes with IP SLA but I wanted to make sure I wasn't missing something easier.

Do they have two routers as well, or a simpler subnet config? Perhaps something like VRRP and using a protocol to inject these ‘connected’ routes to the rest of your network?

- jared
Re: [c-nsp] Restrictions NetFlow v9 for IPv6
> On Wed, Mar 18, 2015 at 09:47:22AM +0100, Erik Klaassen wrote:
>
> From the cisco netflow v9 guide:
>
> NDE v9 records for IPv6 do not contain Autonomous System (AS) numbers and prefix length information.
>
> Is this still the case? my src and dst AS ipv6 flow fields from my c7600 are 0. Is there some solution?

This will depend on the platform. you may need to enable bgp attribute-download depending on what you are using.

- Jared

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] cisco regex puzzle of the day
We've long had some feature requests open against JunOS for as-path matching. The challenges faced are they don't treat these AS numbers as strings, and certainly not in the case of some elements like a paren (confed) or { for AS_SET.

In IOS-XR you can much more easily match against the origin-asn in a policy as well which isn't quite as easy in other routing operating systems.

- Jared

> On Wed, Mar 11, 2015 at 05:28:06PM +, Mack McBride wrote:
>
> There is no back tracking in the junos regex nor would backtracking really help. Doing this is complicated on cisco due to the lack of negating a full as. However loop avoidance should prevent 64500 from occurring twice with an intervening AS. If you have turned off loop avoidance with allowas-in then you have a lot more complexity to worry about.
>
> I haven't tested this but it should work:
>
> (65400_)+([1-57-9][0-9]*_|6[01-35-9][0-9]*_|64[01-46-9][0-9]*_|645[1-9][0-9]*_|6450[1-9][0-9]*_|64500[0-9]+_)+
>
> Mack McBride | Network Architect | ViaWest, Inc.
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Saku Ytti
> Sent: Wednesday, March 11, 2015 10:38 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] cisco regex puzzle of the day
>
> On (2015-03-10 20:29 +0100), Job Snijders wrote:
>
>> ^64500+ [^64500]
>>
>> This junos beauty will match for example: 64500 64500 123 123 444, but not 64500 64500 or 64500.
>>
>> Can any of you come up with a single line regex that works on IOS or XR (ios-regex) to mimic the above described behaviour?
>
> Follow-up question. Is there use-case for regular expression backtracking in AS_PATH? It would be simpler to implement without backtracking and it would fix this specific use-case, as simple '(64500_)+.+' would work.
>
> But perhaps it's still stupid idea, perhaps it'll break lot of really common use-cases.
>
> --
> ++ytti

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] Packet Fragmentation
This all varies depending on the platform, perhaps more details about the platforms involved?

Ideally you should not be fragmenting at all, or doing mss adjust to avoid it.

- Jared

> On Thu, Feb 12, 2015 at 11:59:50AM -0500, Brian Christopher Raaen wrote:
>
> Are there any specs from Cisco about the impact of Packet Fragmentation. I have a pair of routers where I believe fragmentation may be causing issues. I am trying to understand the impact of the fragments, and what router upgrade options we may have of the impact of an upgrade.
>
> --
> Brian Christopher Raaen
> Network Architect
> Zcorum

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] Non Cisco SFP
And why is that? We have many non-cisco optics deployed without trouble.

I would avoid the cheapest-of-the-cheap optics, as those have been rumored to have trouble, slow i2c responses, or other issues that the software is poorly coded to handle.

We’ve done this with SFP, XFP, SFP+ and CFP without issues. Do you have details of what your issues were, Warren?

I’ve had more issues with Cisco optics in Cisco than non-Cisco optics in Cisco.

- jared

> On Feb 2, 2015, at 7:02 AM, Warren Jackson wrjack1...@gmail.com wrote:
>
> Highly recommend you do not use this in production.
>
> On Mon, Feb 2, 2015 at 6:50 AM Mark Tinka mark.ti...@seacom.mu wrote:
>
>> On 2/Feb/15 13:23, Harry Hambi - Atos wrote:
>>> Hi all,
>>> I have a non-cisco SFP, can someone remind me of the command to run in order to use the SFP in a cisco chassis. Is the command a hidden command? Do you need to run in interface config mode? Will the switch require a reboot?
>>> Thanks in advance
>>
>> service unsupported-transceiver
>>
>> Mark.
Re: [c-nsp] Non Cisco SFP
> On Feb 2, 2015, at 11:16 AM, Gert Doering g...@greenie.muc.de wrote:
>
> Hi,
>
> On Mon, Feb 02, 2015 at 03:29:41PM +, Rick Martin wrote:
>> I am glad to see this thread, we are on the cusp of making the plunge into aftermarket optics
>
> Whatever aftermarket optics are - I would not go and buy *used* optics, because that's about the only thing in modern hardware that truly ages, aka optics burn out over time.

Agreed, general use optics shouldn’t cost you more than $300, and that is being quite generous.

If you wanted to program your own optics, apparently you can get one of these new raspberry pis:

http://eoinpk.blogspot.com/2014/05/raspberry-pi-and-programming-eeproms-on.html

It includes a link at the bottom for how to program the optics to be ‘cisco compatible’.

- Jared
Re: [c-nsp] Non Cisco SFP
I was offering something for the super-geeks :)

at $dayjob we purchase from champion one, but have also tested other optics from OSI hardware and others. I’ve even heard of good luck from fiberstore.com as well, which is super-cheap.

- Jared

> On Feb 2, 2015, at 11:46 AM, Matthew Crocker matt...@corp.crocker.com wrote:
>
> You could buy http://www.flexoptix.net/en/flexbox-v3-transceiver-programmer.html and save the rPi headaches. I haven’t used this but it does look interesting.
>
> Or, you could just go here: http://approvedoptics.com/ Cisco, Juniper, every SFP, XFP, SFP+ I’ve ordered has worked 100% and they are priced right.
>
> --
> Matthew S. Crocker
> President
> Crocker Communications, Inc.
Re: [c-nsp] Non Cisco SFP
> On Feb 2, 2015, at 11:46 AM, Warren Jackson wrjack1...@gmail.com wrote:
>
> Sure, no problem!
>
> 1) Lack of Cisco support. You will find yourself behind the eight-ball dealing with the TAC if you have these in your chassis. Sounds like a small deal, but I for one don't have the time to deal with it.

Sounds like you work for Cisco or were properly ingrained in their marketing thinking.

> 2) Cost. If you buy through a Cisco gold provider then you are going to get a good price on the optics, enough to where the difference pays off in support, as these can be wrapped in through your smartnet coverage. If you have optics from another vendor you are dealing with their support and Cisco support, keeps things simple. Makes it worth paying the bit extra you would pay. We aren't talking about thousands of dollars difference in price here.

Not really.

> 3) Who? Which SFP manufacturer(s) would you recommend besides Cisco?

Finisar (for example).

> 4) Several of the Cisco SFP's provide the show transceiver telemetry that aid in troubleshooting the physical layer, which you won't get with the off-market brand transceivers.

Actually, not true, this is the problem I have with their first party optics. We’ve met with their TMG group several times and have outstanding software defects that are unresolved.

> Just my 2 cents based on my experience. How about the rest of you guys?

We’ve had great luck with 3rd party and better support for DOM than their first party optics.

- Jared

> -Warjack
Re: [c-nsp] SNMP and interface description - IOS-XR
> On Jan 20, 2015, at 4:27 PM, Peter Rathlev pe...@rathlev.dk wrote:
>
> On Tue, 2015-01-20 at 19:13 +0200, Hank Nussbacher wrote:
>> In IOS 12.2(33)SRE7a in order to read an interface description we did:
>>
>> snmpwalk -v 2c -c snmp read community rtr1 .1.3.6.1.4.1.9.2.2.1.1.28
>> [This is the Cisco specific locIfDescr]
>> SNMPv2-SMI::enterprises.9.2.2.1.1.28.3 = STRING: vidcast via vidcast-pix (Rack #6)
>>
>> but we can't find the proper MIB in Cisco IOS XR Software, Version 5.1.3.
>
> This might be a stupid question but is there any specific reason not to just use IF-MIB::ifAlias? The locIfDescr is from OLD-CISCO-INTERFACES-MIB and has probably been deprecated for some time now.

This is what we use, we collect some information from interfaces MIB and the balance from the ifMIB.

- Jared
Re: [c-nsp] ios-xr asr9k ipv6IfAdminStatus does return next instance if it does not exist
> On Tue, Dec 16, 2014 at 10:28:26AM +0100, Florian Lohoff wrote:
>
> After digging into this a bit more
>
> On Tue, Dec 16, 2014 at 05:40:43AM +0100, Florian Lohoff wrote:
>> Hi,
>> did anyone see something like this?
>>
>> $ snmpget -c public -v 2c asr9k-corerouter ipv6IfAdminStatus.77
>> IPV6-MIB::ipv6IfAdminStatus.79 = INTEGER: up(1)
>>
>> Asking for instance .77 and get .79.
>
> It seems this is a clear violation of the SNMPv2 RFC 1905
>
> RFC1905 4.2.1. The GetRequest-PDU
>
> [ ... ]
>
> (1) If the variable binding's name exactly matches the name of a variable accessible by this request, then the variable binding's value field is set to the value of the named variable.
>
> (2) Otherwise, if the variable binding's name does not have an OBJECT IDENTIFIER prefix which exactly matches the OBJECT IDENTIFIER prefix of any (potential) variable accessible by this request, then its value field is set to `noSuchObject'.
>
> (3) Otherwise, the variable binding's value field is set to `noSuchInstance'.
>
> So it should return with `noSuchInstance' not some other random interfaces IPv6 status.

Did you report the issue to Cisco so they can fix this?

We've ended up building a regression suite to test the SNMP stack of any new release that checks for these types of defects.

- Jared

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
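Added example, not part of the original posts and not the regression suite mentioned in them: a check for the GetRequest behaviour quoted from RFC 1905 above, run over saved `snmpget` output. It assumes net-snmp's text output with the request and the response printed in the same naming style (both symbolic, or both numeric with `-On`); the function names and every response line except the one quoted in the thread are constructed.

```python
"""Check snmpget responses against the RFC 1905 GetRequest rules."""
import re

LINE = re.compile(r"^(?P<name>\S+)\s+=\s+(?P<rest>.*)$")

# Leading text net-snmp prints for the two exception values.
EXCEPTIONS = {
    "No Such Instance": "noSuchInstance",
    "No Such Object": "noSuchObject",
}


def bare(name):
    """Drop a leading 'MODULE::' and a leading dot so names compare equal."""
    return name.split("::", 1)[-1].lstrip(".")


def check_get(requested, response_line):
    """Classify one GetRequest varbind as ok, an exception, or a violation.

    A GetRequest response must carry the name that was asked for. The value is
    either the variable's value or one of the two exceptions; a different
    instance coming back is never valid for a Get.
    """
    match = LINE.match(response_line.strip())
    if not match:
        return "unparsed"
    if bare(match.group("name")) != bare(requested):
        return "violation"
    for prefix, verdict in EXCEPTIONS.items():
        if match.group("rest").startswith(prefix):
            return verdict
    return "ok"


def run_suite(cases):
    """Return the (requested, response, verdict) tuples that are not acceptable."""
    failures = []
    for requested, response in cases:
        verdict = check_get(requested, response)
        if verdict in ("violation", "unparsed"):
            failures.append((requested, response, verdict))
    return failures


CASES = [
    # The exchange quoted in the thread: asked for .77, got .79 back.
    ("ipv6IfAdminStatus.77", "IPV6-MIB::ipv6IfAdminStatus.79 = INTEGER: up(1)"),
    # Constructed: the same instance requested directly.
    ("ipv6IfAdminStatus.79", "IPV6-MIB::ipv6IfAdminStatus.79 = INTEGER: up(1)"),
    # Constructed: what a conforming agent returns for a missing instance.
    ("ipv6IfAdminStatus.77",
     "IPV6-MIB::ipv6IfAdminStatus.77 = No Such Instance currently exists at this OID"),
]

if __name__ == "__main__":
    for requested, response, verdict in run_suite(CASES):
        print(f"{verdict}: asked for {requested}, got: {response}")
```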
Re: [c-nsp] Capturing remote trafic / RSPAN through non-Cisco
> On Dec 12, 2014, at 12:38 PM, David Deutsch david.deut...@telna.com wrote:
>
> Hello all,
>
> I have a 7201 router running an ITP image that is used as an SS7 STP, it in turn is connected to a Cisco 4948E which is trunked into a series of Dell M8024K blade switches (I know, I know). I've been tasked with capturing all of the IP traffic from the 7201 to a Wireshark machine, running on a blade server.
>
> Naturally I first looked to use RSPAN on the 4948 to capture the physical port connecting the 7201 and capture it via RSPAN on the blade.

Does the 4948E support ERSPAN? If so, you can make the span destination go to a remote IP address and decapsulate the traffic there.

- Jared
Re: [c-nsp] Cisco transceiver's maintenance service
Save money and use 3rd party transceivers, talk to folks like Champion One, Finisar or OSI Hardware for example. For the cost, you can even purchase them from Fiberstore as well.

For what cisco charges, you can purchase a ton of spares.

- Jared

> On Mon, Dec 01, 2014 at 10:29:48AM +0800, Xuhu NSP wrote:
>
> But the thing is I bought maintenance already, few months later, I want to purchase these transceivers, apparently I cannot add these new items inside right? So any solutions?
>
> Br,
> Xuhu
>
> On 1 Dec 2014, at 02:15, Octavio Alvarez alvar...@alvarezp.ods.org wrote:
>
>> On 11/29/2014 10:40 PM, Xuhu NSP wrote:
>>> Hi folks, just want to check that if we just purchase few new transceivers from Cisco, how are you going to purchase the maintenance service, because I didn't see the list price only for transceivers, normally purchase with line cards or chassis.
>>
>> It's covered by the service contract for the device to which the transceiver is attached [1].
>>
>> [1] Cisco SFP Modules for Gigabit Ethernet Applications http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/gigabit-ethernet-gbic-sfp-modules/product_data_sheet0900aecd8033f885.pdf
>>
>> Best regards.

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
Re: [c-nsp] Single core fibre question
Do you mean single strand of fiber?

If so many people make and sell these bx/bi-di optics for both 1 and 10G.

Keep in mind there are two types, up vs down, and note the frequencies and transmit power for these as there are 10/20/40 and 80km varieties out there.

Of course make sure you have spares etc.

- jared

> On Nov 29, 2014, at 3:44 PM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
>
> Hi Everyone,
>
> A customer has ordered a single core fibre x-connect to our rack in a remote DC... we only have 4948's in our rack... will a single core fibre work to a Single mode SFP? (i.e. all other fibre x-connects in the DC are dual core, and work fine)
>
> Cheers
Re: [c-nsp] ASR9K XR 5.1.3 Experience
There are a number of SMUs you should load if using 5.1.3, I don't think they all have been posted publicly. Happy to provide you a list in private.

Jared Mauch

> On Nov 24, 2014, at 3:30 AM, Alfred Wandati wandati.li...@gmail.com wrote:
>
> Hello list,
>
> We are looking at upgrading a number of boxes to 5.1.3 as it's the recommended release in the 5.1.x train and would like to hear any thoughts from those running it on its stability. We're running dual stack ISIS, MP-BGP, LDP, MPLS-TE, vpls.
>
> Regards,
> Alfred Wandati
Re: [c-nsp] Cisco recommendation for distribution layer campus network
I would say avoid Cisco.

The IOS-XE based switches take *forever* to boot and can easily last 5-10 minutes during the entire process.

We have tried for nearly a decade now to educate Cisco on why this is important and they have often missed the boat in what is feasible or otherwise. (boot time should be under 120 seconds as most people are just doing OEM of a Broadcom box anyways).

If it takes too long for them to program the BCM sub-system, they are doing something majorly wrong and there’s unlikely any hope of them understanding what.

- Jared

> On Sep 28, 2014, at 3:11 PM, Pete Templin peteli...@templin.org wrote:
>
> On 9/28/14 11:53 AM, Randy Manning wrote:
>> Chassis vs 1u layer 3 switches for distribution layer on campus network
>>
>> This is my first post. I have used stack switches for access layer and nexus vpc in data center. Why is cisco proposing nexus for distribution layer? To eliminate spanning tree
>>
>> Vpc still needs hsrp, why not a stack solution? I am used to chassis and was wanting pro cons
>
> Stack switches leaves you vulnerable to a single-typo outage, or even a single software crash outage. VPC has its risks, but at least leaves one device up while the other recovers.
>
> Software upgrades can be real tricky on the stack devices too. Doing it by the book on a 3750X often means 35+ minutes of no-packet-forwarding. The missed heartbeats while you hope the stack returns are potentially reason enough to go with VPC. ;)
>
> pt
Re: [c-nsp] Connecting PoP's with long distance
You should be able to do 120km with a ZR XFP @ 10G without anything.

If you later want to add equipment to the sites, you can look at doubling your optics and something like this:

http://www.perle.com/products/10-Gigabit-Standalone-Media-Converters.shtml

- Jared

> On Sep 4, 2014, at 5:36 AM, Murat Kaipov mkkai...@gmail.com wrote:
>
> Hello Guys.
>
> I need connect two PoP's with 10G links. Distance between PoP's nearly 120km. We have fiber optic between PoP's with two regeneration points located nearly in 40 km between each other. We have not DWDM. Can you advise some equipment (May be like EDFA) for fiber optic regeneration points
>
> Scheme like this
>
>     PoP-1 ---40km---[Regeneration point1]---40km[Regeneration point2]-40km--PoP2
>
> Thank you.
Re: [c-nsp] Experience on ASR9k XR 5.1.2
On Sun, Aug 24, 2014 at 07:13:05PM +0200, Mark Tinka wrote:

> On Thursday, August 21, 2014 02:17:43 PM Jared Mauch wrote:
> > Wait for 5.1.3 it will be out soon. We have had a number of minor issues in 5.1.2 including the vtys not working.
>
> Now that I recall - I did have the console manager sporadically crash and restart on the ASR9001. So I lost the SSH connection and had to reconnect.

https://tools.cisco.com/bugsearch/bug/CSCuo70584 is their fake ddts on the issue where they only call it sev2, then there is another ddts I don't have handy where they properly categorize it as sev1 and fix it.

> The box was still running fine, but that happened twice a couple of weeks ago.

5.1.3 should be out this week, so I would wait and load that.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Experience on ASR9k XR 5.1.2
Wait for 5.1.3 it will be out soon. We have had a number of minor issues in 5.1.2 including the vtys not working.

Jared Mauch

On Aug 21, 2014, at 5:43 AM, Mattias Gyllenvarg matt...@gyllenvarg.se wrote:

> Dear List
>
> I would love to hear some feed back on the 5.1.2 Train of IOS XR. This was preloaded in a few boxes (9010) and I am looking for the most stable train without downgrading (fingers crossed).
>
> Will be running: MP-BGP VRF OSPF
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*
Re: [c-nsp] Experience on ASR9k XR 5.1.2
There are many reasons to wait until 5.1.3 if you are on 4.3.4.

5.1.3 has numerous fixes we have been working with cisco to fix, including some really basic ones like:

CSCuo25887
CSCuo93835
CSCuo70584 (vty crashes)
CSCum12533

Either way, 5.1.3 is coming out very soon, you should wait for it and it may be the best release for 9000V as well if you use those.

- Jared

On Thu, Aug 21, 2014 at 07:56:42AM -0500, Bill Foster wrote:

> We are currently running 4.3.4 and are looking at upgrading to the 5.x.x train. FWIW, our local SE recommended against 5.1.2 and waiting for 5.1.3 mainly because of the bug fixes and how they relate to what we do here. Supposedly 5.1.3 is due out in the next couple of weeks if you're not in a rush to deploy into production.
>
> --
> Message: 4
> Date: Thu, 21 Aug 2014 11:43:49 +0200
> From: Mattias Gyllenvarg matt...@gyllenvarg.se
> To: cisco-nsp cisco-nsp@puck.nether.net
> Subject: [c-nsp] Experience on ASR9k XR 5.1.2
> Message-ID: CAEYLRFqVA=r_BgiVxoHi+6rucMfyyPgW-n3HU0D8j=pwryr...@mail.gmail.com
> Content-Type: text/plain; charset=UTF-8
>
> Dear List
>
> I would love to hear some feed back on the 5.1.2 Train of IOS XR. This was preloaded in a few boxes (9010) and I am looking for the most stable train without downgrading (fingers crossed).
>
> Will be running: MP-BGP VRF OSPF

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Experience on ASR9k XR 5.1.2
Wait a week or two and load 5.1.3 when it comes out.

- Jared

On Thu, Aug 21, 2014 at 04:24:19PM +0200, Mattias Gyllenvarg wrote:

> Thanks for all your input!
>
> Machines came with 5.1.2. As I am not in production with these machines I can, if it is better, turbo boot to 4.3.4. Is this the wisest path?
>
> //Mattias
>
> On Thu, Aug 21, 2014 at 4:15 PM, Aleksandr Gurbo gu...@golas.ru wrote:
>
> > Hello list,
> >
> > I had negative experience with 5.1.2 especially in cluster configuration. Release 5.1.1 is awful. I had so many bugs on it. Nick, do you have problems on 5.1.1 with telnet access to ip address which is on Loopback interface in vpnv4 table? Also I had problems with MPLS, where remote PE routers have two links to P routers. All of this should be fixed in 5.1.3. They promised :) I wait 5.1.3 release.
> >
> > On Thu, 21 Aug 2014 11:24:19 +0100 Nick Hilliard n...@foobar.org wrote:
> >
> > > On 21/08/2014 10:43, Mattias Gyllenvarg wrote:
> > > > I would love to hear some feed back on the 5.1.2 Train of IOS XR. This was preloaded in a few boxes (9010) and I am looking for the most stable train without downgrading (fingers crossed).
> > >
> > > Hi Mattias,
> > >
> > > I've had no problems so far on a relatively small deployment of 5.1.1 with mp-bgp / isis / mpls-pw / l3vpn / v4/v6. Has worked without incident.
> > >
> > > Nick
> >
> > --
> > Aleksandr Gurbo
>
> --
> *Med Vänliga Hälsningar / Best Regards*
> *Mattias Gyllenvarg*

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] ASR9k 4.3.4 vs 5.1.3
On Thu, Aug 21, 2014 at 03:48:06PM +, Vitkovský Adam wrote:

> Hi folks, Jared, Nick,
>
> I'm wondering what influenced your decision to go/risk it with 5.1.x rather than 4.3.4 ? Was it any must have feature, hardware support requirement or bug fixes or a bit of all please?
>
> I'm asking as personally I'm really afraid of the 5.x.x train and thus decided to go with 4.3.4 which is being evaluated currently.

What is your rational fear about 5.x?

We have 5.1.2 operational and hit some defects, they are all fixed in 5.1.3 through very close work with Cisco.

We never ran 4.3 but I have heard that 4.3.4 is fairly stable as well.

I would hold off on 5.1 until 5.1.3 is released, which should be soon.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: [c-nsp] Strange corrupt DNS Cache in IOS
On Aug 15, 2014, at 10:34 AM, Frank Bulk frnk...@iname.com wrote:

> Don't use a router as a DNS resolver for customers. Just don't.

Or if you are, use something that is properly designed for that function.

Check out the UBNT EdgeRouter stuff, cheap, vyatta (JunOS-like), and gives you shell access to do other more advanced stuff.

Basically, you can't lose at the unit cost, etc.

- Jared
Re: [c-nsp] Strange corrupt DNS Cache in IOS
Can get more luck with voodoo dolls some days.

Jared Mauch

On Aug 15, 2014, at 4:12 PM, Łukasz Bromirski luk...@bromirski.net wrote:

> Open a case with TAC. That's what they are for, right?
>
> --
> ./
>
> On 15 Aug 2014, at 18:05, Sascha E. Pollok s...@iphh.net wrote:
>
> > Frank, Jared,
> >
> > I understand your point and I even share it. Sometimes there are setups that do not make much sense any other way (this box with DNS server mainly serves one single device and no other DNS server around that is suitable for the job). And before I go ahead and try to deploy some other device for that purpose I simply wanted to see if I can make it work with what there is.
> >
> > Thanks
> > Sascha
> >
> > On 15.08.2014 16:46, Frank Bulk wrote:
> >
> > > Right, but that's all non-Cisco. My comments were intended to be constrained to Cisco.
> > >
> > > Frank
> > >
> > > -----Original Message-----
> > > From: Jared Mauch [mailto:ja...@puck.nether.net]
> > > Sent: Friday, August 15, 2014 9:42 AM
> > > To: Frank Bulk
> > > Cc: Sascha E. Pollok; cisco-nsp@puck.nether.net
> > > Subject: Re: [c-nsp] Strange corrupt DNS Cache in IOS
> > >
> > > On Aug 15, 2014, at 10:34 AM, Frank Bulk frnk...@iname.com wrote:
> > >
> > > > Don't use a router as a DNS resolver for customers. Just don't.
> > >
> > > Or if you are, use something that is properly designed for that function.
> > >
> > > Check out the UBNT EdgeRouter stuff, cheap, vyatta (JunOS-like), and gives you shell access to do other more advanced stuff.
> > >
> > > Basically, you can't lose at the unit cost, etc.
> > >
> > > - Jared