Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll never use it?

2023-01-06 Thread Jared Mauch via cisco-nsp
I mean a lot of it is discovery based on what you may know, people leak, etc.. 

https://www.ebay.com/itm/334605205968?hash=item4de80641d0:g:2mcAAOSwgSFihATj=enc%3AAQAHoFS6a5FMPKMFewpCgtU23dVU0SQFQ%2BDr46sAaS19QJn2vSCgqcG%2BN6yyHrRh0IDsAGIeG7Dz2twn%2FdTtCy7a%2BKayr837Q5G6DtQ5wSecZpCxQE45s8vx7CBvrackFH%2FNJqIMimw%2Bci2v57%2BNMEjpVOJMRs4Ne5BPUtExJ416nVmYslj8lFgmXbkQ9S9vCmfU0wOapWkgN5BzWJx4FXnOw5k%3D%7Ctkp%3ABk9SR8LdvomxYQ

Is an item that (for example) I can tell you I’ve seen vendors license their 
software to run on.

There’s software that you can run on top of SONIC etc as well to get features 
you might want/need as well.

Keep in mind the sw + hw devs for new products do need to be fed and the 
vendors often have hybrid ways to collect the monies, free hardware but pay in 
opex (support, RMA etc) or buy for higher price but get support free.

That discovery process takes a while, but if you have volume and options to go 
elsewhere it may be possible to determine it.

- Jared

> On Jan 6, 2023, at 9:15 AM, Drew Weaver via cisco-nsp 
>  wrote:
> 
> Also is there any way to figure out what this stuff should cost?
> 
> The resellers could just be trying to take way too much out of us. I'm not 
> sure and I have no idea how to find out.
> 
> Thanks,
> -Drew
> 
> 
> -Original Message-
> From: cisco-nsp  On Behalf Of Drew Weaver 
> via cisco-nsp
> Sent: Friday, January 6, 2023 9:02 AM
> To: 'Paul' ; 'Gert Doering' 
> Cc: 'cisco-nsp@puck.nether.net' 
> Subject: Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll 
> never use it?
> 
> If the price of the hardware wasn't already juiced beyond belief then maybe 
> it would make sense but ... yeah I am just going to have to find another 
> vendor.
> 
> Thanks,
> -Drew
> 
> 
> -Original Message-
> From: Paul 
> Sent: Thursday, January 5, 2023 3:58 PM
> To: Gert Doering ; Drew Weaver 
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] DNA -- How do I justify the expense to mgmt when we'll 
> never use it?
> 
> I'm with you on that one, licensing kills any interest in it for us too. 
> Goes for a large number of cisco products now, where before was only limited 
> to a few.
> 
> It's sad because I love cisco switches and routers, but it's a huge deterrent 
> now with the forced licensing and support
> 
> On 1/4/2023 10:50 AM, Gert Doering via cisco-nsp wrote:
>> Hi,
>> 
>> On Wed, Jan 04, 2023 at 03:45:51PM +, Drew Weaver via cisco-nsp wrote:
>>> I'm trying to put together an order for some Cisco switches.
>> Cisco licensing shit has made us decide that we're just not going to 
>> buy any new Cisco products.  Period.
>> 
>> Yes, these really look nice, and the base price is quite attractive 
>> (guess why)...
>> 
>> gert
>> 
> 
> --
> GloboTech Communications
> Phone: 1-514-907-0050 x 215
> Toll Free: 1-(888)-GTCOMM1
> Fax: 1-(514)-907-0750
> p...@gtcomm.net
> http://www.gtcomm.net
> 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl

2019-08-26 Thread Jared Mauch
I’ll say this in public (now) - Changing the security posture on the VTYs is a 
great reason to not use this product at the moment.  I’ve seen many people not 
monitor their devices for these types of changes, and this is a great case to 
study.

Time for some retraining of people.

- Jared

> On Aug 26, 2019, at 9:07 AM, Aaron  wrote:
> 
> Any unexpected config change should be an automatic tac case.
> Totally unexpected. Reminds me of the days when swapping a flash card on a
> gsr could crash it.
> This is a new one.
> 
> On Monday, August 26, 2019, Gert Doering  wrote:
> 
>> Hi,
>> 
>> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
>> 
>> We have an ASR920 that grew an unexpected config change upon insertion
>> of a DAC cable into port ten0/0/12, and "unexpected config change" always
>> triggers an investigation here (who, why, what).  One part of it was
>> somewhat related
>> 
>> interface TenGigabitEthernet0/0/12
>>  description ...
>>  no ip address
>> + negotiation auto
>>  service instance 200 ethernet
>> 
>> ... but the other part was more interesting
>> 
>> line vty 0 4
>>  access-class 9 in
>> - exec-timeout 240 0
>>  ipv6 access-class VTY-v6 in
>> - transport input telnet ssh
>> + transport preferred none
>> + transport input none
>> + transport output none
>>  escape-character 3
>> 
>> "uh, what?".  So we investigated and found a few log messages about that
>> script...
>> 
>> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED:  F0: iomd:  transceiver
>> module inserted in TenGigabitEthernet0/0/12
>> 
>> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE:
>> TenGigabitEthernet0/0/12: MODE_1G
>> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty0
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED:  F0: iomd:  Transceiver
>> module removed from TenGigabitEthernet0/0/12
>> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
>> %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
>> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
>> %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted
>> to user ; Trace file: , /harddisk/tracelogs/system_
>> shell_R0-0.2264_0.20190820134619.bin
>> ug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl:
>> DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to
>> start re-configuring
>> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
>> (EEM:Mandatory.dualrate_eem.tcl)
>> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
>> 
>> 
>> ... and 441 (!!) lines in the tacacs command accounting log, which
>> mostly looked like "it replayed the whole config, line by line"...
>> until it hit the vty section, which then got messed up...
>> 
>> Aug 20 13:47:08 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2166timezone=CEST   service=shell
>> start_time=1566301628priv-lvl=15 cmd=configure terminal 
>> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2167timezone=CEST   service=shell
>> start_time=1566301629priv-lvl=15 cmd=line vty 0 4 
>> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2168timezone=CEST   service=shell
>> start_time=1566301629priv-lvl=15 cmd=no login authentication 
>> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2169timezone=CEST   service=shell
>> start_time=1566301629priv-lvl=15 cmd=no authorization exec 
>> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2170timezone=CEST   service=shell
>> start_time=1566301629priv-lvl=15 cmd=no authorization commands 15
>> 
>> Aug 20 13:47:10 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2171timezone=CEST   service=shell
>> start_time=1566301630priv-lvl=15 cmd=no transport preferred 
>> ...
>> Aug 20 13:47:10 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2174timezone=CEST   service=shell
>> start_time=1566301630priv-lvl=15 cmd=no exec-timeout 
>> Aug 20 13:47:11 router unknown tty3EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2175timezone=CEST   service=shell
>> start_time=1566301631priv-lvl=1  cmd=no length 
>> Aug 20 13:47:11 router unknown tty2EEM:Mandatory.dualrate_eem.tcl
>> stoptask_id=2177timezone=CEST   service=shell
>> start_time=1566301631priv-lvl=15 cmd=write memory 
>> 
>> 
>> shall I state that I find this a somewhat surprising behaviour?
>> 
>> Haven't opened a TAC case yet (no time) but hopefully someone 

Re: [c-nsp] ASR9900 - Copy files from USB key

2019-06-02 Thread Jared Mauch


> On Jun 2, 2019, at 3:50 AM, James Bensley  
> wrote:
> 
> 
> I recently upgraded from eXR 6.5.2 to 6.5.3 and pushed the files using
> SCP to the router from a jump box, which was on the same LAN as the
> management interface on the RSP. It was copying at 100Mbps (the speed
> of the OOB switch) so I think in eXR these issues are more or less
> fixed.

I don’t believe you have enough data to conclude that.  When copying data from 
longer distances away (eg: global network with centralized file server/images) 
I previously saw bad behavior, but when the latency was low it worked well.

This is what led me down the path to determine what was going on with the XR 
TCP stack.  I suggest capturing a PCAP and figuring out if it’s doing SACK or 
window scaling with appropriate sized buffers.

Even from bash/run on eXR you may also want to check this out.  This led to an 
effort to internally anycast resources as it was a problem that was easier 
solved that way as Cisco was afraid to fix the TCP stack, and got even more 
worried when we saw issues with their SACK implementation and reported the 
details.  (It was doing an ACK of the wrong number of bytes, which caused drama 
with super strict stateful firewalls that tried to be too smart for their own 
good).

Also beware TCP disconnects as they don’t do TCP keepalives by default so any 
session that drops in the middle of a transfer would cause it to act like a 
file transfer is ongoing even though TCP was dead.

- Jared


Re: [c-nsp] ASR9900 - Copy files from USB key

2019-05-21 Thread Jared Mauch


> On May 20, 2019, at 11:03 PM, Erik Sundberg  wrote:
> 
> Little follow up.
> 
> On an ASR9906 6.3.3 (32bit) the usb key comes up as usb: but on 6.3.3 (64-bit) 
> it's disk2:
> 
> 
> Copying the 6.3.3 migration files from a USB Key was 182 seconds, with HTTP 
> it was around 1 hour. (1.3 G File)
> Doing a install add source 6.5.3 64-bit from a USB Key was 15 minutes and 
> using http was 1 1/2 hours.  (1.5 G File)
> 
> So sourcing files from a USB key are 4x times... Which is to be expected.
> 
> The bandwidth to the HTTP server is 100M and <30msec latency, but the circuit 
> was never maxed. For some reason copying from an HTTP server is just super slow…
> 

Do you have selective-ack enabled?

Try these and see if your TCP is better:

tcp selective-ack
tcp window-size 65535

We had issues with this in the past at my prior employer and these options 
solved much of it.  I’m trying to recall if we ever got the window scaling 
stuff fixed but I forget.  I think their TCP stack didn’t do window scaling if 
you tcpdump it.  It might be different in eXR.

- Jared



Re: [c-nsp] Internet speed

2018-08-12 Thread Jared Mauch
Host your own. Here’s a good one:

https://github.com/adolfintel/speedtest

Jared Mauch

> On Aug 12, 2018, at 7:00 AM, ring...@mail.com wrote:
> 
> Hi everyone,
> 
> I wanted to ask how do you guys handle the customer complaints about slow 
> Internet speed? Today almost everyone takes the measurement from 
> speedtest.net and reports that as the speed they're getting. 
> 
> As far as how speedtest works is that it uses multiple TCP connections which 
> is not real measurement as opposed to Iperf for example.
> 
> It also selects a public server which is outside of your AS thus taking into 
> consideration the busy international links which are outside of your 
> administration and as a result for a 30Mbps package the measure shows 15 for 
> example.
> 
> Do you ask customers to select the local server when doing speedtests? Would 
> like to know how do you treat those cases, any special tool or measurement? 
> 
> Thanks,
> Ton


Re: [c-nsp] Outdoor switch

2017-10-19 Thread Jared Mauch


> On Oct 19, 2017, at 1:54 PM, Charles Sprickman <sp...@bway.net> wrote:
> 
>> 
>> On Oct 19, 2017, at 1:49 PM, Jared Mauch <ja...@puck.nether.net> wrote:
>> 
>> Take a look at the UBNT Edgepoint gear as well.  Fairly cool, comes in 
>> 10G/1G speed varieties with both routed and switched options.
> 
> Just be very careful with fencing UBNT gear off from anything malicious, it’s 
> swiss cheese.

UBNT you save on capital costs and sometimes trade in operational costs.  This 
can cut in a few different ways if you’re not monitoring or automating tasks.

- jared

Re: [c-nsp] Outdoor switch

2017-10-19 Thread Jared Mauch
Take a look at the UBNT Edgepoint gear as well.  Fairly cool, comes in 10G/1G 
speed varieties with both routed and switched options.

I have one lying around that I need to poke at sooner rather than later..

- Jared

> On Oct 19, 2017, at 1:26 PM, Christina Klam <ck...@ias.edu> wrote:
> 
> Buz and Jared,
> 
> I will take a look.  
> 
> I realized in my initial list of requirements, I missed a key one, POE.  Do 
> you have any experience with 
> https://www.microsemi.com/products/poe-systems/pds-104go-4-1-outdoor-switch ? 
>  My google-foo found them.
> 
> Thanks,
> Christina
> 
> - Original Message -
> From: "Harold 'Buz' Dale" <buz.d...@usg.edu>
> To: "Jared Mauch" <ja...@puck.nether.net>, "C. Klam" <ck...@ias.edu>
> Cc: cisco-nsp@puck.nether.net
> Sent: Thursday, October 19, 2017 12:11:00 PM
> Subject: Re: [c-nsp] Outdoor switch
> 
> Might also look at 
> https://www.balticnetworks.com/mikrotik-routerboard-rb-260gs-complete-with-enclosure-and-power-supply-fiber-enabled.html
> 
> I’ve had good luck with Mikrotik in the past but they are very different from 
> IOS devices.
> 
> Buz
> 
> On 10/19/17, 12:03 PM, "cisco-nsp on behalf of Jared Mauch" 
> <cisco-nsp-boun...@puck.nether.net on behalf of ja...@puck.nether.net> wrote:
> 
>If you just need one port, there is this box that works quite well:
> 
>https://www.balticnetworks.com/mikrotik-fiber-to-copper-converter.html
> 
>It does not have an integrated splice tray though.
> 
>- Jared
> 
>> On Oct 19, 2017, at 12:00 PM, Christina Klam <ck...@ias.edu> wrote:
>> 
>> All,
>> 
>> I am hoping for some ideas.   We are running fiber to an outdoor pole (for 
>> cameras and wireless access-points) and need a switch that can be configured 
>> remotely, does 802.1q, QoS, and has 3 - 5 ports.  We are in the MidAtlantic 
>> so the temperatures range from well below freezing to 100 deg F.  
>> 
>> What do people use in these situations?
>> 
>> Thank you,
>> Christina

Re: [c-nsp] Outdoor switch

2017-10-19 Thread Jared Mauch
If you just need one port, there is this box that works quite well:

https://www.balticnetworks.com/mikrotik-fiber-to-copper-converter.html

It does not have an integrated splice tray though.

- Jared

> On Oct 19, 2017, at 12:00 PM, Christina Klam  wrote:
> 
> All,
> 
> I am hoping for some ideas.   We are running fiber to an outdoor pole (for 
> cameras and wireless access-points) and need a switch that can be configured 
> remotely, does 802.1q, QoS, and has 3 - 5 ports.  We are in the MidAtlantic 
> so the temperatures range from well below freezing to 100 deg F.  
> 
> What do people use in these situations?
> 
> Thank you,
> Christina


Re: [c-nsp] WS-X6716-10GE in a 7600

2017-09-06 Thread Jared Mauch
I’ve found if you go a few rounds with Cisco they will blame 3rd party, then 
realize their driver is buggy and fix.

Or you have a bad card :-)

I’d opt for the latter, but the former does occur at times.

- Jared

> On Sep 6, 2017, at 7:57 PM, Bryan Holloway  wrote:
> 
> I should add that these are genuine Cisco optics, and they work in other 
> modules within the same chassis.
> 
> 
> On 9/6/17 6:07 PM, Bryan Holloway wrote:
>> Anyone have any experience using a WS-X6716-10GE-3C in a 7600 chassis?
>> The docs indicate that support was added in IOS 15.2(2)S ... we're running 
>> 15.5(3)S1.
>> Card boots fine, diagnostics pass, and interfaces appear in the config.
>> However, known working X2 GBICs we install show up as "Unknown", and the "sh 
>> int transceiver" output shows very odd values (e.g., -18.1 Celsius 
>> temperature (!) and 2231.8 mA (!) of current.)
>> Curious if anyone has used this module in that chassis successfully.
>> Should we just assume we have a bum card?
>> Thank you,
>> - bryan

Re: [c-nsp] Broadband Aggregation/Termination

2017-04-19 Thread Jared Mauch
What’s helpful is rolling v6 while doing nat on V4.  Reduces your state on v4 
and avoids issues like the google captcha problem that heavy NAT environments 
encounter.

- Jared

> On Apr 19, 2017, at 5:47 PM, CBL  wrote:
> 
> Any problems with Google saying there are too many requests from your IP?
> 
> Do you log all your NAT translations for future subpoena requests?
> 
> On Wed, Apr 19, 2017 at 1:15 PM, Aaron Gould  wrote:
> 
>> Juniper MX104 with MS-MIC-16G
>> 
>> I lab tested Cisco ASR9000 with VSM-500 service module also
>> 
>> In the end, we liked what we saw with the Juniper solution more
>> 
>> It’s sweet, ~7,000 dsl customers behind a /24 !  I rarely/never touch
>> those nat nodes… they purr along.  Per node, they run low cpuload and
>> carry over 100,000 translations at peak time and about ~2 gbps of traffic
>> 
>> -Aaron
>> 

Re: [c-nsp] ASR9000 SFP/XFP Input Error troubleshooting

2017-04-04 Thread Jared Mauch
On Tue, Apr 04, 2017 at 10:44:52AM -0400, Curtis Piehler wrote:
> Thank you Jean but I am looking for more stats on Input Errors which is
> different than Total Drops.  None of these Input Errors seems to be service
> affecting so I'm wondering where they are from.

I second the NP direction of research.

Also, what type of optics, etc are involved?  There may be
additional diagnostic data you can extract from the XFPs to determine
what is going on based on the INF-8077 type data in the EEPROM.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


[c-nsp] administrative inquiry

2017-03-30 Thread Jared Mauch
Greetings,

Do people still want to receive PSIRT notices here?  This has long been
Cisco's policy to send to the list, but they are changing that.  I can subscribe
the list to their list, I'm not a big fan of doing that type of meta-list
activity as that may break some spam filtering technologies.

I see this as an inelegant change on the part of Cisco, but ultimately
we have little control of this.

Thoughts?  Please honor reply-to and send your requests to me directly.

Thanks,

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Which one is the stable version of Cisco IOS XR?

2017-03-09 Thread Jared Mauch
Nothing inherently wrong with 6.x aside from it's still Cisco. You likely want 
5.3.4 if you have any trident based linecards. 

Jared Mauch

> On Mar 9, 2017, at 5:23 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
> 
> 
> 
>> On 9/Mar/17 00:54, Ted Johansson wrote:
>> 
>> 5.3.4 is the Extended Maintenance Release (EMR) and there is also a Service 
>> Pack SP1 available, so that would be my recommendation.
> 
> I'd stay very far away from 6, unless you're my competitor, of course :-)...
> 
> Mark.


Re: [c-nsp] BGP Route Reflector Case

2017-02-23 Thread Jared Mauch

> On Feb 23, 2017, at 4:37 AM, Pierre Emeriaud  wrote:
> 
> 2017-02-23 5:49 GMT+01:00 Curtis Piehler :
>> Local market route
>> reflectors do solve the issue of sub-optimal routing from a local market
>> perspective.
> 
> 
> There is another solution to that. Use Add-path
> (https://tools.ietf.org/html/rfc7911) and Optimal route reflexion
> (https://tools.ietf.org/html/draft-ietf-idr-bgp-optimal-route-reflection-13)
> on the central RR.
> 
> Each peer group with an IGP reference (to compute a "local spf") can
> replace a local RR. We're using it with IS-IS, not sure about ospf
> support.

I would urge some caution here depending on what number of routes you are doing 
this with, keep a close eye on the 32-bit boundaries of BGP on XR.  While your 
RP may have >4G of memory, the level where BGP will choke upon itself is much 
lower.  Additionally you need to know to restart the BPM process vs the BGP 
process when this happens as it will not automatically recover.  Few people 
know about the BPM process and the role it plays.

- jared



Re: [c-nsp] Tabo Topic? Third party Maintenance

2017-01-23 Thread Jared Mauch
On Mon, Jan 23, 2017 at 02:28:37PM -0500, Shawn L wrote:
> I guess it all depends on what you utilize support for.  We tend to have
> in-house spares, etc. that we can swap in in the event of a failure.  But,
> there are times when you need to talk to someone at TAC to get the bottom
> of an issue.

These types of issues if not solved by the obligatory
upgrade to the latest software are the big value of direct vendor support.

If you're doing vanilla IP routing features (and I do mean that,
anything that says MPLS/VPN/VRF, etc.. are not vanilla) you should be fine.

If you have anything more complex, don't expect it to be easy.
They presume you're doing it wrong, and you must be open to that as a
concept.  Remember the KISS principle.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Tabo Topic? Third party Maintenance

2017-01-23 Thread Jared Mauch
On Mon, Jan 23, 2017 at 05:16:01PM +, Rick Martin wrote:
> 
> I am under pressure to consider third party maintenance providers for our 
> significant Cisco inventory, and I am quite leery of such an arrangement.  I 
> suppose third party maintenance may be OK for products that we have plenty of 
> spare inventory for such as customer edge routers or switches but the bigger 
> core, aggregation or data center devices that provide critical services I 
> have great concern. Our normal policy is to keep OEM maintenance in the 
> following order;
> 
> 1. Critical Devices which includes core routing, aggregation devices, data 
> center hardware and larger building routers - 24X7X4 hour RMA (Smartnet 
> Premium)
> 2. Customer edge devices - 8X5XNBD (Smartnet)
> 
> That methodology applies to Cisco and Juniper hardware. 
> 
> So my question is - do any of you that have larger enterprise or service 
> provider networks currently utilize third party (Non OEM) maintenance 
> contracts? If so what has been your experience with them? Or do you stick 
> strictly to OEM maintenance?

If you purchase your own spares, you can often make do with a return to factory
model of parts replacement.  They will return you a new/refurbished part about
10 days after receipt of the failed one.

Much of this depends on the commonality of the parts, any logistics 
you or a partner may have in providing that yourself.  Of course this depends
on the ability to triage yourself.  I've generally not had any issues with a
vendor when we say it failed, we swapped with spare, here's the serial.

- Jared


-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] 2 port 100 gig module - ASR9000

2017-01-05 Thread Jared Mauch
I would slide it in. If it doesn't work load 5.3.4. It will perform the best it 
can under those circumstances. 

Jared Mauch

> On Jan 5, 2017, at 6:08 PM, Aaron <aar...@gvtc.com> wrote:
> 
> What I'm trying to figure out is how to put this (2) port 100 gig module into 
> my existing asr9k chassis *with as little changes as possible*
> 
> Thanks for all the recommendations, but I really just want to know the bare 
> minimum I *must* do to slide the module into the chassis and have it function.
> 
> I have ASR9006 with A9K-RSP-4G
> 
> -Aaron
> 



Re: [c-nsp] 2 port 100 gig module - ASR9000

2017-01-05 Thread Jared Mauch
What RSP do you have?  If it’s the older one, you will want to upgrade to use 
the card at full rate.

If you are only expecting under 50% utilization you will likely be fine, but 
upgrading to RSP880 is recommended.  Otherwise you may want to talk about a 
trade-in for the 55xx devices.

If you’re buying it refurb/used and don’t expect to run both ports > 40-50% 
you’ll be fine.  

There are a number of other minor technical limits, eg: small numbers of 10G 
flows may congest the fabric based on hashing.  This means you may want to look 
at some chassis, fan, power or other upgrades.

- Jared

> On Jan 5, 2017, at 5:38 PM, Aaron <aar...@gvtc.com> wrote:
> 
> Thanks Adam, you lost me with that.  Please elaborate.
> 
> -Aaron
> 
> -Original Message-
> From: adamv0...@netconsultings.com [mailto:adamv0...@netconsultings.com] 
> Sent: Thursday, January 5, 2017 4:18 PM
> To: 'Aaron' <aar...@gvtc.com>; 'Tom Hill' <t...@ninjabadger.net>;
> cisco-nsp@puck.nether.net; 'Jared Mauch' <ja...@puck.nether.net>
> Subject: RE: [c-nsp] 2 port 100 gig module - ASR9000
> 
> I think cisco does these backwards compatible but it has only 80Gbps worth
> of fabric connections per slot so you may be able to get max ~160 if you
> disable the redundancy mode.
> 
> 
> netconsultings.com
> ::carrier-class solutions for the telecommunications industry::
> 
>> -Original Message-
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
>> Of Aaron
>> Sent: Thursday, January 05, 2017 9:55 PM
>> To: 'Tom Hill'; cisco-nsp@puck.nether.net; 'Jared Mauch'
>> Subject: Re: [c-nsp] 2 port 100 gig module - ASR9000
>> 
>> Thanks Tom and Jared,
>> 
>> Copied from the cisco website.
>> 
>> "The Cisco ASR 9000 Series 2-Port 100 Gigabit Ethernet Line Cards are fully
>> compatible with all Cisco ASR 9000 Series chassis, route switch
>> processors (RSPs), and line cards. No hardware upgrade to the chassis
>> or cooling system is required."
>> 
>> ..fully compatible with all rsp's..   that would seem like all rsp's meaning
>> all. from 4g up to 880 or whatever the newest is.  Just want to make
>> sure this is true that this (2) port 100 gig module will work with A9K-RSP-4G
>> 
>> -Aaron
>> 

Re: [c-nsp] 2 port 100 gig module - ASR9000

2017-01-05 Thread Jared Mauch
I would not run anything earlier than 5.3.4 these days personally.

These are fine cards and work well.

- jared


> On Jan 5, 2017, at 3:54 PM, Aaron  wrote:
> 
> Is anyone using this or familiar with it ?
> 
> 
> 
> If so, please let me know what the minimum RSP and IOS XR versions required
> for both of these cards.  I read below that they are fully compatible with
> all Cisco ASR9000 chassis, rsp's and linecards, and no upgrades required to
> chassis or cooling system.
> 
> 
> 
> Cisco ASR 9000 2-Port 100GE Service Edge Optimized Line Card, Requires CFP
> optics
> 
> A9K-2X100GE-SE
> 
> 
> 
> Cisco ASR 9000 2-Port 100GE Packet Transport Optimized Line Card, Requires
> CFP optics
> 
> A9K-2X100GE-TR
> 
> 
> 
> http://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-agg
> regation-services-routers/datasheet_C78-662709.html
> 
> 
> 
> - Aaron
> 


Re: [c-nsp] Rec for full-table multi-peer bgp router?

2016-12-05 Thread Jared Mauch

> On Dec 5, 2016, at 2:46 PM, Raphael Mazelier  wrote:
> 
> 
> Very interesting.
> 
> 7280SR look perfect for us. (if the price is OK; I will call my local Arista 
> representative).
> 
> We are another content AS and we push 150gps approx in peak.
> We plan to upgrade from our current routers to something with a lower TCO by 
> port (which is our currently limiting factor).
> 
> We do need full view in RIB as we target only 5/6 ASes for 99% of our 
> traffic, so we are not concerned by the RIB size.
> 
> So do you recommend them? Or another model from Arista?
> What kind of bug did you encounter or discover? Is the platform stable enough 
> to use in production without any action? (We are a really 
> small team, and we have no time to spend on the network side, 
> unfortunately.)

Be mindful of how you do your control plane filtering and testing on such a 
device.  Many people forget about this until you are on the wrong-side of a 
three digit (in gigabits) attack pointed at a link-ip address.  Some devices 
handle it well, others poorly.

- Jared


Re: [c-nsp] SFP DOM SNMP Polling?

2016-11-22 Thread Jared Mauch

> On Nov 22, 2016, at 9:32 AM, Tim Durack  wrote:
> 
> I have a vendor that does not support SFP DOM SNMP polling. They state this
> is due to EEPROM read life cycle. Constant reads will damage the SFP.
> 
> We SNMP poll SFP DOM from Cisco equipment without issue.
> 
> Not heard this one before. Trying to see if there is some validity to the
> statement. Thoughts?

It’s entirely possible some people implement it poorly and the read cycles 
count.  With 100k cycles somewhat typical for those bytes, it’s certainly 
something that could be seen if polling every 5 minutes in 347 days, but I 
think that’s a datapoint that most SFPs are warranted for much longer than 347 
days.

As the DDM data is stored not at 0x50 but at 0x51/0x52 in optics this is more 
likely done with a micro controller presenting the ram backed data via reads 
to/from those specific bytes.

- Jared

Re: [c-nsp] Router memory problem

2016-10-27 Thread Jared Mauch
On Thu, Oct 27, 2016 at 05:37:35PM +, Justin Krejci wrote:
> What is wrong with distribute-lists?

You should be using a prefix-list,
as it was designed for this type of function.

distribute-lists (and a bunch of other IOS
crutches) should go away as part of the legacy.

If you see examples on the internet using them
or access-lists to do route filtering, please don't copy
those examples.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] 3rd party dwdm 80km optics in asr 9001

2016-09-28 Thread Jared Mauch
On Wed, Sep 28, 2016 at 11:38:55AM +, Adam Vitkovsky wrote:
> > Gustav Ulander
> > Sent: Wednesday, September 28, 2016 12:09 PM
> >
> > Yepp
> > We actually got an error that says unsupported transceiver so that's why we
> > are going to try a different supplier.
> >
> Can you ask your supplier to code the transceiver to be supported by your 
> box, then you shouldn't even need the below?
> 
> I presume you have tried these commands already:
> Interface:
> "transceiver permit pid all"
> Or
> global (hidden):
> "service unsupported-transceiver"

BTW, Cisco has indicated to me you may need both as
the global command doesn't unlock certain code paths because bad
developers.  The 9K team thinks they're a unique snowflake so
deserve to set 2 bars vs the single global bar.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] 3rd party dwdm 80km optics in asr 9001

2016-09-28 Thread Jared Mauch

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] ASR 9000 Upgrade Expectations

2016-07-13 Thread Jared Mauch
We see around 1 hour of traffic loss due to upgrade times before adding in FPD 
and others, which can extend to more like 3 hours. 

There were improvements that went in 533+ which should improve your experience. 
I haven't checked if 602 hit CCO but you may want to look at that, or wait for 
534. 

Jared Mauch

> On Jul 13, 2016, at 6:31 AM, Nick Griffin <nick.jon.grif...@gmail.com> wrote:
> 
> Hello, looking for some details in regards to an ASR9000 code upgrade.
> Currently running software version 5.1.1 with the following packages:
> 
> Committed Packages:
> 
> disk0:asr9k-mini-px-5.1.1
> 
> disk0:asr9k-k9sec-px-5.1.1
> 
> disk0:asr9k-mpls-px-5.1.1
> 
> disk0:asr9k-mgbl-px-5.1.1
> 
> disk0:asr9k-optic-px-5.1.1
> 
> disk0:asr9k-fpd-px-5.1.1
> 
> disk0:asr9k-li-px-5.1.1
> 
> 
> Installed are RSP-440TR's. We are currently looking to upgrade to version
> 5.3.3, or perhaps another version if one is recommended, looking for input
> here as well, in addition to an estimate as to how long this process is
> expected to take, along with perceived customer impact. If further details
> are necessary please let me know. I've referenced the following
> documentation for installation instructions. If there is something better
> or any best practices not covered, please feel free to advise!
> 
> 
> http://www.cisco.com/web/Cisco_IOS_XR_Software/pdf/ASR9K_Upgrade_Downgrade_Procedure_IOSXR_Rel_533.pdf
> 
> 
> Thanks in advance!


Re: [c-nsp] BGP blackhole community config

2016-06-20 Thread Jared Mauch

> On Jun 20, 2016, at 1:38 PM, Satish Patel  wrote:
> 
> I have tried that too and got this error.
> 
> R1(config-router)#neighbor xx.xx.xx.xx route-map RTBH out
> % "RTBH" used as BGP outbound route-map, tag match not supported
> % not supported match will behave as route-map with no match
> R1(config-router)#

Tags are specific to Cisco, you should be using a community instead.

You can use something like redistribute static against a route-map that matches 
the tag and marks your (local) discard community.

This is what I recommend you do.

- Jared
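
The approach recommended in the reply above, sketched as an added IOS configuration that is not part of the original post: the tag is matched only where the static route is redistributed into BGP, and the outbound route-map matches the resulting community instead. AS 64496, community 64496:666, tag 666, the names STATIC-TO-BGP and DISCARD and the documentation addresses are assumptions; RTBH and remote-as 200 come from the thread.

```cisco
! Constructed values: AS 64496, community 64496:666, tag 666,
! documentation prefixes 192.0.2.0/24 and 203.0.113.0/24.
ip bgp-community new-format
!
! 1. Trigger: a tagged static route to Null0 for the address under attack.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! 2. The tag is matched at redistribution time, where "match tag" is
!    supported, and translated into the local discard community.
!    Untagged statics are not redistributed.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 64496:666 additive
 set origin igp
route-map STATIC-TO-BGP deny 20
!
! 3. The outbound policy matches the community, not the tag, which avoids
!    the "tag match not supported" warning on an outbound route-map.
ip community-list standard DISCARD permit 64496:666
!
route-map RTBH permit 10
 match community DISCARD
! Add further sequences here for the normal outbound policy; without them
! only routes carrying the discard community are advertised to this neighbor.
!
router bgp 64496
 redistribute static route-map STATIC-TO-BGP
 neighbor 192.0.2.1 remote-as 200
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map RTBH out
```

Removing the tagged static route withdraws the /32 and ends the blackhole.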


Re: [c-nsp] BGP blackhole community config

2016-06-20 Thread Jared Mauch

> On Jun 19, 2016, at 10:07 PM, Satish Patel  wrote:
> 
> I have added "ip bgp-community new-format" in global config, but i
> don't have following command in my ASR1006 router
> 
> neighbor xx.xx.xx.xx remote-as 200 send-community
> 
> so i have added
> 
> neighbor xx.xx.xx.xx send-community
> 

Did you clear the BGP session after adding that?  It negotiates at the initial 
OPEN.

- Jared


Re: [c-nsp] netflow real AS instead of uplink provider?

2016-06-15 Thread Jared Mauch
I would consider upgrading to at least 5.3.1 + SMUs or 6.0.1.  I seem to recall 
a number of issues back in the 4.3.x images.

4.3.1 is quite crusty.  If you need to stay in 4.3.x perhaps 4.3.4.  I would 
avoid 5.3.3.

- Jared

> On Jun 15, 2016, at 9:09 AM, Nemeth Laszlo  wrote:
> 
> Hello 
> 
> Yes, it is in my BGP session.  
> 
> Laszlo 
> 
> On 2016-06-15 15:04, Christian Kildau wrote:
> 
>> Do you have "bgp attribute-download" under router bgp ? 
>> 
>> Best regards, 
>> Chris 
>> 
>> On Wed, Jun 15, 2016 at 2:57 PM, Nemeth Laszlo  wrote:
>> 
>>> Hello
>>> 
>>> I tried to get the source or destination AS of a flow from our ASR9001 
>>> (iosxr 4.3.1) router.
>>> 
>>> But i got this:
>>> 
>>> RP/0/RSP0/CPU0:asr0#sh flow monitor netflow-monitor cache location 0/0/CPU
>>> 
>>> IPV4SrcAddr  IPV4DstAddr  L4SrcPort  L4DestPort BGPDstPeerAS 
>>> BGPSrcPeerAS BGPNextHopV4 IPV4DstPrfxLen  IPV4SrcPrfxLen  IPV4Prot 
>>> IPV4TOS  InputInterface  OutputInterface L4TCPFlags   ForwardStatus
>>> FirstSwitched   LastSwitchedByteCountPacketCount  Dir SamplerID
>>> 
>>> 12.76.231.21 15.24.11.13  25 43473  01234   
>>>   0.0.0.0  32  18  tcp  0x40 
>>> Te0/0/2/1   BE100.79A|R| Fwd  43 
>>> 07:23:34:199 43 07:23:34:199 40   1Ing 1
>>> 
>>> So in every flow DstPeerAs or SrcPeerAS is 1234 (my uplink provider) or 0 
>>> not the real source AS where the package coming from. Because of it the 
>>> nfdump (flow collector) doesn't get any info about the real AS of the 
>>> destination or source. I would like to receive it because i have to 
>>> generate OurAS<->OtherAS traffic graphs.
>>> 
>>> Of course i use the "bgp attribute-download" in the BGP section but it 
>>> doesn't help.
>>> 
>>> Any ideas?
>>> 
>>> Thanks
>>> Laszlo

Re: [c-nsp] A9K Netflow export drops

2016-06-14 Thread Jared Mauch
We have had no more severe issues than prior releases. Make sure you load the 
IPv6 PSIRT SMU of course. 

Jared Mauch

> On Jun 14, 2016, at 7:44 AM, Robert Williams <rob...@custodiandc.com> wrote:
> 
> have you had any significant issues on 6.0.1?



Re: [c-nsp] A9K Netflow export drops

2016-06-14 Thread Jared Mauch

> On Jun 14, 2016, at 8:32 AM, Robert Williams  wrote:
> 
> Hi Chris,
> 
> Thanks for this, we’ve not considered 6.0.1 yet, mainly due to it being 
> relatively new and I’m not aware currently of anyone running it in production 
> on a 90xx, so slightly apprehensive :)

We are running 6.0.1 in production.

> I wonder if there will be a patch for 5.3.3 to stop the drops?...

There is a 5.3.4 release that is forthcoming, but unless you have some of the 
older hardware that is not supported in 6.x, you should be looking at 6.0.1 
instead.

- Jared

Re: [c-nsp] ASR9010 end of life?

2016-05-17 Thread Jared Mauch
If you are buying new look at the 9910. 

Jared Mauch

> On May 17, 2016, at 4:16 PM, Satish Patel <satish@gmail.com> wrote:
> 
> So we are good with those parts or i need to worry?
> 
>> On Tue, May 17, 2016 at 3:27 PM, Jeremy Bresley <b...@brezworks.com> wrote:
>> Current ASR9K EOL notices are listed at:
>> http://www.cisco.com/c/en/us/products/routers/asr-9000-series-aggregation-services-routers/eos-eol-notice-listing.html
>> 
>> The chassis/power/fans you have listed are fine, the RSP440 is a current
>> generation RSP, the first generation RSPs were announced for EOL early last
>> year, and will be LDoS in 2020.  The Mod80 and MPAs have not been announced
>> for EOL.
>> 
>> Jeremy
>> 
>> 
>>> On 5/17/16 15:00, Satish Patel wrote:
>>> 
>>> I was looking some specs and found ASR9010 is end of life? Should it
>>> be good to buy it?
>>> 
>>> I planning buying following pre-owned hardware. Should i be worry?
>>> 
>>> Cisco ASR-9010-AC Cisco ASR 9010 Chassis -
>>> Cisco A9K-3KW-AC Cisco 3KW AC Power Module 3
>>> Cisco ASR-9010-FAN CISCO ASR-9010-FAN Fan 2
>>> Cisco A9k-RSP440-TR Cisco ASR 9000 Series
>>> Cisco A9K-MOD80-TR Cisco Mod80 Modular Line 1 Optimized
>>> Cisco A9K-MPA-4X10GE


[c-nsp] testing

2016-05-13 Thread Jared Mauch

please ignore.

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] ASR9k Bundle QoS in 6.0.1

2016-05-12 Thread Jared Mauch

> On May 12, 2016, at 1:58 PM, Saku Ytti  wrote:
> 
> On 12 May 2016 at 17:42, Mark Tinka  wrote:
> 
> Hey,
> 
>> Has not worked out for us.
>> 
>> Elephant flows (particularly of a non-IP nature) cannot be solved with
>> Juniper's adaptive load balancing. I spent a year working on this...
> 
> I've not used it, curious to hear why it does not work? Of course if
> you don't have any entropy, then there is nothing you can do, if there
> is just single fat flow which needs more than single member has
> capacity, no flows, no flow balancing. What should work, is if in
> addition to fat flows you have others.

My understanding is this is common in mobile backhaul where the traffic
is all encapsulated, or in site-to-site VPN configs where there is no
port data to balance traffic with.

- Jared


Re: [c-nsp] IOS-XR 5.3.3 add Yang Models

2016-05-11 Thread Jared Mauch

> On May 11, 2016, at 12:06 PM, quinn snyder <snyd...@gmail.com> wrote:
> 
> 
>> On May 11, 2016, at 08:43, Jared Mauch <ja...@puck.nether.net> wrote:
>> 
>> FYI: you may want to look at 6.0.1 which was just (re)-posted to CCO as 
>> well.  For us it fixes a number of critical issues which are not in the 
>> 5.3.3 EMR.
> 
> +1 for 6.0.1. working with it in the lab now using both nso as well as some 
> home grown apps. 
> the support is much larger and the github posted earlier has a lot of solid 
> models to build from. 

make sure you got the “May 10th” version vs the one last week that was deferred 
and won’t be supported.

- Jared

Re: [c-nsp] IOS-XR 5.3.3 add Yang Models

2016-05-11 Thread Jared Mauch
FYI: you may want to look at 6.0.1 which was just (re)-posted to CCO as well.  
For us it fixes a number of critical issues which are not in the 5.3.3 EMR.

- Jared

> On May 11, 2016, at 6:24 AM, Christian Kildau  wrote:
> 
> Hi cisco-nsp,
> 
> we're currently experimenting with netconf/yang on IOS-XR 5.3.3 (asr9k).
> The out of the box supported yang models are somewhat limited. E.g. there
> is no model that supports editing ACLs.
> 
> I have found https://github.com/YangModels/yang which lists lots of yang
> models, but have not yet found a way to upload these models via
> $searchengine.
> 
> Anyone experienced with netconf/yang that can shed some light on this?
> 
> Best regards,
> Chris


Re: [c-nsp] ASR1004 Used

2016-05-08 Thread Jared Mauch
When you say fiber, do you mean ethernet or any STM-4/STM-1 type interfaces?

I would seriously look at something like the Arista 7150 or similar.

I’m not sure what other features you need, but a 24 port 10GE router/switch 
combo can be had for cheap on eBay:

http://www.ebay.com/itm/Arista-DCS-7124S-24-Port-10-Gigabit-Ethernet-Managed-Switch-/141984188598?hash=item210eeac8b6:g:wHwAAOSw3mpXH528

- Jared

> On May 8, 2016, at 2:02 PM, Satish Patel <satish@gmail.com> wrote:
> 
> I need all fiber interface with 20G ingress and 20G egress.
> 
> On Sun, May 8, 2016 at 1:36 PM, Jared Mauch <ja...@puck.nether.net> wrote:
>> If you purchase via enterprise channel you will get those prices. Are you 
>> doing only Ethernet?
>> 
>> If so check someone like Arista or Brocade.
>> 
>> Jared Mauch
>> 
>>> On May 8, 2016, at 1:20 PM, Satish Patel <satish@gmail.com> wrote:
>>> 
>>> Seriously?
>>> 
>>> I checked with CDW and price was around double with 40G throughput. Are you 
>>> guys sure a new ASR 1004 costs the same?
>>> 
>>> --
>>> Sent from my iPhone
>>> 
>>>> On May 8, 2016, at 6:58 AM, Jared Mauch <ja...@puck.nether.net> wrote:
>>>> 
>>>> You can buy nice new routers for less than that. Hopefully you don't need 
>>>> TDM interfaces.
>>>> 
>>>> Jared Mauch
>>>> 
>>>>> On May 5, 2016, at 2:41 PM, Satish Patel <satish@gmail.com> wrote:
>>>>> 
>>>>> Need your input or suggestion, I have checked with a company and
>>>>> they sell used Cisco equipment, so I asked for an ASR1004 and it's
>>>>> around $30k, so the question is what would be the disadvantage of buying
>>>>> used equipment?

Re: [c-nsp] ASR1004 Used

2016-05-08 Thread Jared Mauch
If you purchase via enterprise channel you will get those prices. Are you doing 
only Ethernet?

If so check someone like Arista or Brocade. 

Jared Mauch

> On May 8, 2016, at 1:20 PM, Satish Patel <satish@gmail.com> wrote:
> 
> Seriously? 
> 
> I checked with CDW and price was around double with 40G throughput. Are you 
> guys sure a new ASR 1004 costs the same? 
> 
> --
> Sent from my iPhone
> 
>> On May 8, 2016, at 6:58 AM, Jared Mauch <ja...@puck.nether.net> wrote:
>> 
>> You can buy nice new routers for less than that. Hopefully you don't need 
>> TDM interfaces. 
>> 
>> Jared Mauch
>> 
>>> On May 5, 2016, at 2:41 PM, Satish Patel <satish@gmail.com> wrote:
>>> 
>>> Need your input or suggestion, I have checked with a company and
>>> they sell used Cisco equipment, so I asked for an ASR1004 and it's
>>> around $30k, so the question is what would be the disadvantage of buying
>>> used equipment?


Re: [c-nsp] ASR1004 Used

2016-05-08 Thread Jared Mauch
You can buy nice new routers for less than that. Hopefully you don't need TDM 
interfaces. 

Jared Mauch

> On May 5, 2016, at 2:41 PM, Satish Patel <satish@gmail.com> wrote:
> 
> Need your input or suggestion, I have checked with a company and
> they sell used Cisco equipment, so I asked for an ASR1004 and it's
> around $30k, so the question is what would be the disadvantage of buying
> used equipment?


Re: [c-nsp] ASR9K Upgrade

2016-03-14 Thread Jared Mauch
On Sun, Mar 13, 2016 at 02:10:58PM +, Nick Hilliard wrote:
> Mohammad Khalil wrote:
> > admin install add tftp://x.x.x.x/asr9k-mini-px.pie-5.3.2 synchronous
> 
> if you can, you should use ftp instead of tftp for XR upgrades.  It's
> much faster.

I asked Cisco to remove TFTP support for this reason.  You should
make sure you do all the right things to make TCP faster, including 
selective-ack
amongst other options.

    - Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Tail-f / NCS

2016-03-12 Thread Jared Mauch
You need the culture of automation before an automation tool makes sense. Cut 
and paste only takes you so far, notepad, vim, pico and others as well. 

Parameterized templates are the better path to be on. XR and JunOS support 
commit replace type operations, as do others like Arista.

Building your culture must come first, so it outlives the one or two people who 
make it, as many a provider have failed to remember how to do things, or use 
the tools of their predecessors. 

Here's a link to emphasize my point :-) 
http://www.dreamstime.com/stock-photo-wrong-tool-diy-using-project-can-do-more-damages-here-someone-using-wrench-to-drive-nail-image58686199

Jared Mauch

> On Mar 12, 2016, at 3:03 PM, CiscoNSP List <cisconsp_l...@hotmail.com> wrote:
> 
> 
> Hi Guys - Have some of our "sales" team at Cisco Live atm, and they are 
> raving about Tail-f / NCS and how we need to purchase it, and it will improve 
> our provisioning efficiency by a whopping 90% (lol)... anyway, just after 
> some "real world" feedback on this product... anyone tried it/using it... or 
> is it way too early to be even considering these types of 
> automation/orchestration products... I'm very sceptical about handing 
> provisioning control over to "another" software platform...
> 
> notepad might be slow, but at least I know what commands are being issued on 
> our switches and routers :)
> 
> Cheers
> 


Re: [c-nsp] DWDM Passive or Active Multiplexing

2016-03-11 Thread Jared Mauch
https://ripe67.ripe.net/presentations/131-ripe2-2.pdf

Jared Mauch

On Mar 11, 2016, at 5:32 AM, Lukas Tribus <luky...@hotmail.com> wrote:

>> We are running dwdm with just splitters and amplifiers at 100 GE with no
>> issues.
> 
> You run multiple 100GE circuits over (semi) passive DWDM, how does that
> work?
> 
> Do you have 100GE DWDM transceivers on different DWDM wavelengths?
> 
> 
> Thanks,
> 
> Lukas
> 
> 


Re: [c-nsp] DWDM Passive or Active Multiplexing

2016-03-09 Thread Jared Mauch
If you are only doing 10g there are a lot of inexpensive solutions in this 
space for the distances you mentioned. 

Jared Mauch

On Mar 9, 2016, at 4:55 PM, Lukas Tribus <luky...@hotmail.com> wrote:

>> Hi Tim, thanks for your great info! Appreciate it.
>> 
>> Hey Bill, thanks for your offline email and confirming that the passive
>> DWDM should work in our environment. All great info!!
>> 
>> Our ring is east and westbound within 30km and in between, we currently
>> have like 6 drops active and looking to add another 4 drops on it. Yeah, I
>> know when we add site, it will loses some dB, but I guess we should be
>> fine.
>> I am going back to Cisco SE and his technical team and have a debate about
>> Passive vs Active again. Since they are forcing me to go with Active
>> solution only.
> 
> I would suggest you talk to some other vendor as well, specifically a vendor
> who cares about passive solutions.
> 
> I may be wrong, but my impression is that Cisco is EOL'ing the entire
> *passive* CWDM and DWDM gear. When's the last time Cisco shipped
> a new *passive* CWDM or DWDM product?
> 
> It is probably in their commercial interest to promote their active gear.
> 
> 
> Careful with vendors advice.
> 
> 
> Lukas
> 


Re: [c-nsp] NCS-5001 - MPLS L3VPN Issue

2016-03-09 Thread Jared Mauch

> On Mar 9, 2016, at 3:27 PM, Tom Hill  wrote:
> 
> On 08/03/16 09:27, James Bensley wrote:
>> This issue didn't show up in lab testing and we haven't been able to
>> replicate it (nor have TAC). It seems to be something about the
>> ordering of patching and that was the point I wanted to highlight but
>> poorly alluded to.
>> 
>> A fresh 4.3.4 install then add SP10 and it "just works". This box was
>> 4.3.4 default, then some SMUs, then SP6 and then SP10 (each upgrade
>> was suggested by TAC because of a different issue occurring over the
>> lifecycle of the box).
> 
> Presumably to "prove" this (or rather, to add any evidence at all) it's
> wipe & reinstall time for the affected 9001?
> 
> I'm not trying to get your back up here - I'm more concerned about FUD
> vs. actual, operational experience. XR is not perfect, but this doesn't
> appear to be a problem affecting anyone other than yourself?

We’ve seen odd issues which we have not yet root caused around the software
installation and troubles.  Cisco has not been able to reproduce, but we have
seen it numerous times.  It’s still possible there is some PBCAK but given
the nature of other issues we’ve seen, it’s unlikely.

- Jared

Re: [c-nsp] NCS-5001 - MPLS L3VPN Issue

2016-03-04 Thread Jared Mauch
On Fri, Mar 04, 2016 at 08:58:23AM -0800, Yury Shefer wrote:
> But who is really using Compass products?
> 
> The last press release has been published back in August 2015. Blog/in news
> section has been untouched since 2014. Are they still alive?

We have customers connected to these devices.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] NCS-5001 - MPLS L3VPN Issue

2016-02-27 Thread Jared Mauch

> On Feb 26, 2016, at 5:54 PM, James Bensley  wrote:
> 
> On 26 February 2016 at 22:43, Phil Bedard  wrote:
>> How you upgrade the whole OS is still a bit hazy though.  They have said it 
>> involves using a self-extracting ISO distribution similar to other Linux 
>> distros.  They are supporting PXE so theoretically you could automate the 
>> upgrades.
> 
> We are not upgrading between versions only appying SMUs and service
> packs to the current version. In the case of moving from 4.3.4 to
> 5.1.3 and now moving to 5.3.3 (since that is the new extended
> maintenance release); the process is erase the box, and install from
> fresh, then upload the full config.

I would not load 5.3.3 until at least SP1 hits the street, there are a lot of 
defects Cisco is working through.  

Just because something says EMR doesn’t mean it’s good, there were some very 
catastrophic issues in the 5.1.3 EMR, most notably that if you logged into the 
router twice at the same time over SSH you would no longer be able to login any 
more.

If you haven’t seen the TCP crash in 5.1.3 where that runs out of memory, 
CSCup67367 take a look at your memory usage.

- Jared



Re: [c-nsp] Sup720: dumb question

2016-02-17 Thread Jared Mauch
The key question is what software are you attempting to boot and what images 
are in the bootflash/sup-bootflash/disk0: etc

Having console output here is key to understanding what’s going on.

- Jared

> On Feb 17, 2016, at 1:52 PM, Dave McGuire  wrote:
> 
> 
>  Hey folks.  This is sure to be a dumb question, but I'm stumped.  I am
> new to the 6500/7600 platform, but not new to Cisco in general.
> 
>  I've received a 7603 chassis with a Sup720 and I'm trying to get it
> running.  I get nothing at all on the console port when I power it up.
> Known-good cabling, etc.  All the LEDs eventually turn green and things
> look good otherwise.  No amount of poking/prodding/power-cycling will
> produce any output on the console port.
> 
>  At first I thought maybe I just got a fried Sup720 board, but I have a
> second one from another source, also represented as being functional,
> and it exhibits identical behavior.
> 
>  There's no CF card installed in either Sup720 board. (haven't gotten
> that far..)
> 
>  Am I missing something?
> 
>  Also...I have an existing 6503; the 7603 chassis looks identical to
> the 6503.  Are they in fact interchangeable?
> 
>   Thanks,
>   -Dave
> 
> -- 
> Dave McGuire, AK4HZ
> New Kensington, PA

Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

2016-02-16 Thread Jared Mauch
We’ve been having some interesting issues with the ASA that have kept us pegged 
at a specific release.  Upgrading even a minor release causes all traffic to be 
dropped without any clear explanation and TAC was not much help.  I’m thinking 
of just replacing the ASA with something that is easier to troubleshoot.

- Jared

> On Feb 16, 2016, at 10:35 AM, David White, Jr. (dwhitejr) 
>  wrote:
> 
> Sounds like CSCux15273 - inaccurate reporting of memory usage in 9.5(2)+
> 
> Sincerely,
> 
> David.
> 
> On 2/16/16 10:28 AM, Don Nightingale wrote:
>> I'm seeing this as well on our  pair we upgraded 2/11 to 9.5(2)2.
>> Memory usage is slowly reported as increasing.  It's currently
>> breaking the asdm memory graph, displaying 450% memory utilization to
>> syslog and showing ridiculous numbers from the cli:
>> 
>> ciscoasa# sho mem
>> Free memory:  18446744044457691540 bytes (248730157%)
>> Used memory:   37261147072 bytes (-248730057%)
>> - --
>> Total memory:   7416356372 bytes (100%)
>> 
>> 
>> 
>> It's still operating so it may be either a cosmetic bug or a canary
>> that will keep me busy sometime in the near future.
>> 
>> We have an open tac case as well.
>> 
>> --
>> Don
>> 
>>> On Feb 16, 2016, at 3:08 AM, Andrew (Andy) Ashley  
>>> wrote:
>>> 
>>> Hi,
>>> 
>>> We upgraded a pair of 5515-X’s from 9.2(1) to 9.5(2)2, the interim release, 
>>> on Saturday.
>>> Since then the free memory on the primary unit has been steadily decreasing 
>>> (30% -> 95% in 3 days).
>>> These small increases appear to be happening around every 30 minutes or so.
>>> We failed over to the standby, which had much lower memory usage but that 
>>> too is now creeping up.
>>> The previous primary unit did not reclaim any memory and did not stop 
>>> climbing either after fail over.
>>> 
>>> Have opened a TAC case but wondering if it’s just us, or if this is 
>>> affecting others..
>>> 
>>> Regards,
>>> Andrew Ashley
>>> 
>>> 
>>> 
>>> 
>>> -Original Message-
>>> From: cisco-nsp  on behalf of Garry 
>>> 
>>> Date: Tuesday, 16 February 2016 at 14:49
>>> To: "cisco-nsp@puck.nether.net" 
>>> Subject: Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and 
>>> IKEv2 Buffer Overflow Vulnerability
>>> 
>>>> Hi,
>>>>>> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
>>>>>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>>>>>> Overflow Vulnerability
>>>>>> 
>>>>>> Advisory ID: cisco-sa-20160210-asa-ike
>>>>> Poor bastards stuck at 8.2 (like us) might be relieved to know that
>>>>> there actually is a 8.2(5)59 version with the fix. Reading the SA page
>>>>> I got the impression that there was no fixed software for 8.2(5).
>>>> Thanks for the find, same situation we were in (well, several of our
>>>> customers rather) - reading the advisory, it clearly states anything 8.x
>>>> except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that
>>>> can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at
>>>> least one system that only has 256M of RAM (and therefore can't go to
>>>> anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30)
>>>> caused some problems due to incorrectly (or incomplete) config migration
>>>> for several systems ... of course it could be fixed, but still ...
>>>> And yes, the systems should be kept more current, but seeing what
>>>> happens when you do update more or less confirms the old saying "never
>>>> change a running system" ... sadly ...
>>>>
>>>> Still, if Cisco publishes an interim that fixes this disastrous flaw and
>>>> is not at least following up on their announcement (8.2.5(59) was
>>>> released 3 days after the initial notification was published), it's sort
>>>> of a pain for users ... even the advisory on the web page hasn't been
>>>> updated to at least list the option of using the interim ... :(
>>>>
>>>> -garry
>>>>

Re: [c-nsp] SFP compatibility

2016-02-03 Thread Jared Mauch

> On Feb 3, 2016, at 9:06 PM, Wilmer  wrote:
> 
> Hey Guys,
> 
> Probably a stupid question, but I can't find an obvious answer on Cisco.
> 
> Are the following SFP's able to be used together:
> 
> One device is using at GLC-FE-100EX & the other end is using
> a 1000BASE-LX/LH (Single Mode fibre).
> 
> I "think" these SFP's are compatible with each other.. But if someone can
> confirm this it would be great.

I would say no.

You can get 1000Base-LX/LH optics for around $7 + shipping these days, so I 
would just swap both sides to be 1G.

There’s even cool devices like this to do the 1G <-> RJ45 if you need it:

http://www.balticnetworks.com/mikrotik-fiber-to-copper-converter.html

- Jared


Re: [c-nsp] Most cost effective 100G router?

2016-01-20 Thread Jared Mauch

> On Jan 20, 2016, at 5:34 PM, James Bensley  wrote:
> 
> Sorry I missed the full table requirement.

I’ve used 9904 for this before.

- Jared

[c-nsp] Junk Message Apology

2015-12-09 Thread Jared Mauch

Apologies for the spam overnight.  Rules are now in place to block these 
messages.

- Jared


Re: [c-nsp] Equipment for a large-ish LAN event

2015-12-09 Thread Jared Mauch

> On Dec 9, 2015, at 8:13 AM, Chuck Church  wrote:
> 
> Isn't game traffic fairly small in bandwidth need, but very latency
> dependent?  QOS seems like a good fit here.  Priority queue the game traffic
> based on matched ACL, and best effort everything else, re-marking it as
> necessary.  Based on previous years, what are the true bandwidth needs?  

If bandwidth isn’t an issue QoS adds no value and increases complexity
unnecessarily.  I recall when our IT department first tried to talk to us about
QoS with one of their vendors.  Once the vendor realized we had 10G links
everywhere they stopped worrying about it.  (This was 10+ years ago when most
people were doing OC48 backbones).

The biggest thing I’ve always seen is the need for accurate and realtime traffic
stats, as well as ability to do port testing.

You may want to also get some of the armored fiber cables as they are tolerant
to being stepped on and a cart running over them.  I’ve seen them at
ecablemart.com as well as other places like fiberstore.  A word of caution on
fiberstore, they may use your name without your permission in marketing, and
steal your title off LinkedIn as well even if you didn’t purchase for $dayjob.

There’s a lot of smaller tips for configuring things I’ll leave for another
thread called “fixing broken cisco defaults” (eg: mismatch in layer-2 timers
vs layer-3, disabling nd and proxy-arp, etc).

- Jared

Re: [c-nsp] Cache DNS servers

2015-12-01 Thread Jared Mauch
You may also find useful help at the dns-operations list.

- Jared

> On Dec 1, 2015, at 1:05 PM, Murat Kaipov  wrote:
> 
> Hello folks!
> 
> I have little question about DNS servers that you use in your environment?
> We use bind on freebsd servers now. I did some benchmarks and found that
> google public DNS is 8 - 10 time faster than my own. So I decide change BIND
> for something more faster. I'm in MNO market.  Any suggestions?


Re: [c-nsp] TFTP/SCP

2015-11-23 Thread Jared Mauch

> On Nov 23, 2015, at 9:42 AM, Aaron  wrote:
> 
> and scp/sftp
> 

The issue I’ve seen here is a directional one, there is no SCP/SFTP support to 
copy data out:

RP/0/RSP0/CPU0:Router#copy ?
  /recurse        Recursively list subdirectories encountered
  WORD            Copy from file
  access-list     Access lists
  bootflash:      Copy from bootflash: file system
  disk0:          Copy from disk0: file system
  disk0a:         Copy from disk0a: file system
  disk1:          Copy from disk1: file system
  disk1a:         Copy from disk1a: file system
  disk2:          Copy from disk2: file system
  ftp:            Copy from ftp: file system
  harddisk:       Copy from harddisk: file system
  harddiska:      Copy from harddiska: file system
  harddiskb:      Copy from harddiskb: file system
  lcdisk0:        Copy from lcdisk0: file system
  lcdisk0a:       Copy from lcdisk0a: file system
  nvram:          Copy from nvram: file system
  prefix-list     Prefix lists
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  tftp:           Copy from tftp: file system
  xml-schema      Copy XML schema files as a tar ball file (.tar.gz)




Re: [c-nsp] TFTP/SCP

2015-11-23 Thread Jared Mauch
Sure, please describe how to automate that :)

It’s a bit more complex than you think.  The way the system constructs the URLs 
underneath for the KSH to transfer data is quite problematic when you add in 
more slashes.  It’s also very user-unfriendly to interact with the filesystem.  
I’m sure many of you have experienced the difference between copy 
harddisk:filename vs copy harddisk:/filename 

The lack of a model to directly interact with SFTP/SCP from the CLI is a 
problem, the run stuff is really meant for troubleshooting not for daily use.

- Jared


> On Nov 23, 2015, at 9:49 AM, Darin Herteen <syn...@live.com> wrote:
> 
> This might work...
> 
> RP/0/RSP0/CPU0:LAB_9904#run  
> Mon Nov 23 14:48:05.274 UTC
> # sftp  
> usage: sftp [[user@]{host1[:]}][filename1]...  
> [[user@]{host2[:]}][filename2]# 
> 
> 
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> on behalf of Jared Mauch 
> <ja...@puck.nether.net>
> Sent: Monday, November 23, 2015 8:46 AM
> To: Aaron
> Cc: John Heasley; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
> 
>> On Nov 23, 2015, at 9:42 AM, Aaron <dudep...@gmail.com> wrote:
>> 
>> and scp/sftp
>> 
> 
> The issue I’ve seen here is a directional one, there is no SCP/SFTP support 
> to copy data out:
> 
> RP/0/RSP0/CPU0:Router#copy ?
>   /recurse        Recursively list subdirectories encountered
>   WORD            Copy from file
>   access-list     Access lists
>   bootflash:      Copy from bootflash: file system
>   disk0:          Copy from disk0: file system
>   disk0a:         Copy from disk0a: file system
>   disk1:          Copy from disk1: file system
>   disk1a:         Copy from disk1a: file system
>   disk2:          Copy from disk2: file system
>   ftp:            Copy from ftp: file system
>   harddisk:       Copy from harddisk: file system
>   harddiska:      Copy from harddiska: file system
>   harddiskb:      Copy from harddiskb: file system
>   lcdisk0:        Copy from lcdisk0: file system
>   lcdisk0a:       Copy from lcdisk0a: file system
>   nvram:          Copy from nvram: file system
>   prefix-list     Prefix lists
>   rcp:            Copy from rcp: file system
>   running-config  Copy from current system configuration
>   tftp:           Copy from tftp: file system
>   xml-schema      Copy XML schema files as a tar ball file (.tar.gz)


Re: [c-nsp] TFTP/SCP

2015-11-23 Thread Jared Mauch

> On Nov 23, 2015, at 9:52 AM, Aaron  wrote:
> 
> sftp isn't under copy. Not sure why it isn't.
> 
> RP/0/RSP0/CPU0:2051a-lab#sftp ?
>   WORD  [[user@][host[:]]][source-filename]
> 


It’s not made accessible to any other parts of the system either, so isn’t 
properly supported.  I’m not saying this is right, but considering the number 
of times I’ve encountered ssh breakage with XR, I wouldn’t use it for something 
meant to be reliable.

RP/0/RSP0/CPU0:Router(config)#load ?
  WORD   Load from file
  bootflash: Load from bootflash: file system
  commit Load commit changes
  configuration  Contents of configuration
  diff   Load from diff file
  disk0: Load from disk0: file system
  disk0a:Load from disk0a: file system
  disk1: Load from disk1: file system
  disk1a:Load from disk1a: file system
  ftp:   Load from ftp: file system
  harddisk:  Load from harddisk: file system
  harddiska: Load from harddiska: file system
  harddiskb: Load from harddiskb: file system
  lcdisk0:   Load from lcdisk0: file system
  lcdisk0a:  Load from lcdisk0a: file system
  nvram: Load from nvram: file system
  rcp:   Load from rcp: file system
  rollback   Load rollback changes
  tftp:  Load from tftp: file system



Re: [c-nsp] TFTP/SCP

2015-11-19 Thread Jared Mauch
I've suggested removing TFTP as it's a crutch and has many shortcomings, more so 
when any latency is involved. 

People used a custom RCPD in the past to solve this as well. 

Beware as the Cisco FTP clients behave strangely across all versions and may 
request the file multiple times. They don't seem to test it often so if you 
report a bug, it takes quite some time to find the code caretaker. 

Jared Mauch

> On Nov 19, 2015, at 8:14 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
> 
> 
> 
>> On 19/Nov/15 15:54, Jared Mauch wrote:
>> 
>> We use FTP as the image isn't something that needs to be protected from 
>> eavesdroppers.
> 
> We use FTP also, as SCP support was non-uniform across various versions
> of IOS for a while.
> 
> Mark.


Re: [c-nsp] TFTP/SCP

2015-11-19 Thread Jared Mauch
Yup. You can filter by IP address and check image checksum after if it's 
something without a crypto signature. 

Jared Mauch

> On Nov 19, 2015, at 8:54 AM, Daniel Brisson <dbris...@uvm.edu> wrote:
> 
> What about protecting credentials?  Do you use a service account that has 0 
> access other than FTP'ing images?
> 
> -dan
> 
> 
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared 
> Mauch
> Sent: Thursday, November 19, 2015 8:54 AM
> To: Mark Tinka <mark.ti...@seacom.mu>
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] TFTP/SCP
> 
> We use FTP as the image isn't something that needs to be protected from 
> eavesdroppers. 
> 
> Jared Mauch
> 
>> On Nov 19, 2015, at 6:46 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>> 
>> 
>> 
>>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>>> 
>>> Hi All,
>>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved 
>>> very slow, so I decided to use SCP which was a lot quicker. However, SCP 
>>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever 
>>> experienced this? The switch was passing data traffic normally.
>> 
>> Might make sense.
>> 
>> SCP is exception traffic, as is SNMP traffic to the switch.
>> 
>> Mark.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
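
Added example, not part of the original thread: one way to do the post-transfer checksum comparison mentioned in the reply above across several switches after an FTP push. It assumes the output of IOS `verify /md5` has been captured per host; the hostnames, file name, image bytes and captured text are all constructed.

```python
import hashlib
import hmac
import re

# Result line assumed to be what IOS prints for `verify /md5 <path>`:
#   verify /md5 (flash:example-image.bin) = <32 hex digits>
VERIFY_RX = re.compile(
    r"^verify /md5 \((?P<path>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})\s*$",
    re.MULTILINE,
)


def reference_digest(image_bytes):
    """MD5 of the image as held on the staging server (the trusted copy)."""
    return hashlib.md5(image_bytes).hexdigest()


def check_host(output, path, expected):
    """Classify one host's captured CLI text as ok / mismatch / no-result."""
    for m in VERIFY_RX.finditer(output):
        if m.group("path") != path:
            continue  # a digest for some other file proves nothing
        reported = m.group("digest").lower()
        ok = hmac.compare_digest(reported, expected.lower())
        return "ok" if ok else "mismatch"
    # No result line for this path: file missing, command failed, or the
    # capture was cut off. Treat it as unverified, never as a pass.
    return "no-result"


def check_fleet(outputs, path, expected):
    """Map {hostname: captured text} to {hostname: verdict}."""
    return {host: check_host(text, path, expected)
            for host, text in outputs.items()}


# --- constructed sample data ------------------------------------------------
IMAGE = b"constructed stand-in for an IOS image\n" * 64
PATH = "flash:example-image.bin"
EXPECTED = reference_digest(IMAGE)
TRUNCATED = reference_digest(IMAGE[:-100])  # a transfer that was cut short

OUTPUTS = {
    # Clean transfer.
    "sw1": f"sw1#verify /md5 {PATH}\n.....Done!\n"
           f"verify /md5 ({PATH}) = {EXPECTED}\n",
    # Digest differs (reported in upper case to exercise normalisation).
    "sw2": f"sw2#verify /md5 {PATH}\n.....Done!\n"
           f"verify /md5 ({PATH}) = {TRUNCATED.upper()}\n",
    # Image never arrived.
    "sw3": f"sw3#verify /md5 {PATH}\n"
           f"%Error opening {PATH} (No such file or directory)\n",
    # Right digest, wrong file: must not count as verified.
    "sw4": "sw4#verify /md5 flash:other.bin\n.Done!\n"
           f"verify /md5 (flash:other.bin) = {EXPECTED}\n",
}

if __name__ == "__main__":
    for host, verdict in sorted(check_fleet(OUTPUTS, PATH, EXPECTED).items()):
        print(host, verdict)
```

The expected digest is only as trustworthy as the channel it came from, so take it from the vendor's download page or the staging server rather than from the same FTP session.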


Re: [c-nsp] TFTP/SCP

2015-11-19 Thread Jared Mauch
We use FTP as the image isn't something that needs to be protected from 
eavesdroppers. 

Jared Mauch

> On Nov 19, 2015, at 6:46 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
> 
> 
> 
>> On 19/Nov/15 12:25, Harry Hambi - Atos wrote:
>> 
>> Hi All,
>> Uploading IOS 15.2.SE7 to a number of 3750 switches using tftp. This proved 
>> very slow, so I decided to use SCP which was a lot quicker. However, SCP 
>> caused a cpu spike on the switch which caused snmp drops. Has anyone ever 
>> experienced this? The switch was passing data traffic normally.
> 
> Might make sense.
> 
> SCP is exception traffic, as is SNMP traffic to the switch.
> 
> Mark.


Re: [c-nsp] default maximum-prefix limits on XR!

2015-09-17 Thread Jared Mauch
Some of these limits are per-platform, so remember there is no “generic ios-xr”.

On the 9K you may need to set your profile to match your use case.  It’s less 
obvious compared to a generic central CPU platform like most XE devices are.

- Jared

> On Sep 17, 2015, at 9:24 AM, Adam Vitkovsky  
> wrote:
> 
> Hi folks,
> 
> Today I learned that XR has default maximum-prefix limits, contrary to 
> regular IOS/XE where there are no default limits.
> For most of the folks it's really just an early heads up, maybe relevant for 
> lab tests, but the VPNv4 number is pretty low for big folks or those who are 
> doing Internet in a VRF.
> 
> IPv4 Unicast: 1048576
> IPv4 Labeled-unicast: 131072
> IPv6 Unicast: 524288
> IPv6 Labeled-unicast: 131072
> IPv4 Tunnel: 1048576
> IPv4 Multicast: 131072
> IPv6 Multicast: 131072
> VPNv4 Unicast: 2097152
> IPv4 MDT: 131072
> VPNv6 Unicast: 1048576
> L2VPN EVPN: 2097152
> 
> Found an old thread from Will Hargrave | 26 Apr 03:17 2012 An observation: 
> 512k default max-prefix in IOS-XR
> 
> adam
> 
> 
>Adam Vitkovsky
>IP Engineer
> 
> T:  0333 006 5936
> E:  adam.vitkov...@gamma.co.uk
> W:  www.gamma.co.uk

Re: [c-nsp] Weird config changes on C2621XM with AIM-VPN/BPII

2015-09-17 Thread Jared Mauch

On Thu, Sep 17, 2015 at 01:47:46PM +, Nick Nauwelaerts wrote:
> i would guess to join our nexus fex's in the pub, they also like to go missing 
> in between rancid checkups.
> 
> in our case it seems to be a wonky nx-os revision in combination with 
> datacenter manager which seems to cause quite some load with its checkups.
> 
> anything in the router's logs during the disappearances?

I've seen similar issues before with various hardware.  Usually it's a
software bug where two people are talking to the microcontroller at the same
time and there's no concurrency checking.  We've exposed a lot of bugs by
having two scripts do the same thing at the same time.  Often a cisco device
doesn't expect concurrent memory/device access.

Recommendation:

Figure out how to make it happen, either in a tight loop, or having 3 windows
open doing

while true; do clogin -x /tmp/rancid-commands hostname; done

it might be as simple as finding the show controller or show inventory
commands and running those in a loop.  make sure cisco knows how you login and
they reproduce it the same way themselves with these critical variables in
mind:

1) via SSH
2) via IPv6
3) where SSH uses specific terminal types
4) where the SSH client offers keys

We had issues where optics would report odd things for a year or so and filled
a lot of rancid logs.  This was because Cisco wasn't expecting a certain older
flavor of their own optic and their EEPROM validation code wasn't perfect.

    - Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] %NTP: Multicast peer 224.0.1.1 does not exist

2015-08-21 Thread Jared Mauch
Is pim enabled on the interface?

> On Aug 21, 2015, at 3:39 AM, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
> 
> Colleagues,
> 
> A 7206VXR (NPE-G2) is not sending ntp broadcasts nor multicasts, and I
> even cannot reconfigure ntp settings on an interface (see below). 
> 
> Any idea what the problem could be? 
> 
> debug ntp packet|events does not show anything of interest. tcpdump
> shows that the router is simply not sending any NTP packets out
> GigabitEthernet0/2. Google does not even know the phrase "Cannot
> reconfigure the multicast peer", nor does cisco.com/search
> 
> 
> gw2(config-if)#do sh run int GigabitEthernet0/2
> Building configuration...
> 
> Current configuration : 428 bytes
> !
> interface GigabitEthernet0/2
> [dd]
> ntp broadcast key 2 destination 10.14.141.255
> ntp broadcast key 2
> ntp multicast key 2 ttl 1
> end
> 
> gw2(config-if)#no  ntp multicast key 2 ttl 1
> %NTP: Multicast peer 224.0.1.1 does not exist
> gw2(config-if)#no ntp multicast
> %NTP: Multicast peer 224.0.1.1 does not exist
> gw2(config-if)#ntp multicast key 2 ttl 6
> %NTP: Cannot reconfigure the multicast peer.
> gw2(config-if)#ntp multicast ?
>   A.B.C.D     Multicast group IP address
>   X:X:X:X::X  Multicast group IPv6 address
>   client      Listen to NTP multicasts
>   key         Configure multicast authentication key
>   ttl         TTL of the multicast packet
>   version     Configure NTP version
>   <cr>
> 
> gw2(config-if)#ntp multicast 224.0.1.1 ?
>   key      Configure multicast authentication key
>   ttl      TTL of the multicast packet
>   version  Configure NTP version
>   <cr>
> 
> gw2(config-if)#ntp multicast 224.0.1.1 ttl 6
> %NTP: Cannot reconfigure the multicast peer.
> gw2(config-if)#
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru


Re: [c-nsp] Peering + Transit Circuits

2015-08-18 Thread Jared Mauch

> On Aug 18, 2015, at 8:47 AM, Gert Doering <g...@greenie.muc.de> wrote:
> 
> XR doesn't do it at all,
> hrmph)
> 

We have been asking about this as well, it might be worth revisiting.

- Jared


Re: [c-nsp] Utility to identify orphaned ACLs and such?

2015-08-13 Thread Jared Mauch
Cisco really needs to implement a 'show config dead' or similar type
command that displays all these orphaned policies.

I have a hard enough time with cisco parsing their own
configs though I can't push on this now, perhaps someone else can?

- Jared

On Thu, Aug 06, 2015 at 07:47:01AM +0300, Hank Nussbacher wrote:
> Does anyone know of a Cisco IOS utility that can identify orphaned objects
> like ACLs, route policies, prefix-lists, etc?
> 
> Thanks,
> Hank

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] putty SSH errors on IOS-XR 5.1.1

2015-08-13 Thread Jared Mauch
On Thu, Aug 06, 2015 at 11:12:20AM +0200, Lukas Tribus wrote:
> Hi,
> 
> 
>> Hello,
>> 
>> I've got a pair of new ASR-9904 routers running IOS-XR 5.1.1
> [...]
>> When a lot of data is being sent at once from the router to my client,
>> putty will disconnect and give me the error: Disconnected: Server
>> protocol violation: unexpected SSH2_MSG_CHANNEL_FAILURE packet.
>> Hi Vinny,
>> 
>> On PuTTY go to:
>> 
>> Configuration -> Connection -> SSH -> Bugs
>> 
>> And set “Chokes on PuTTY’s SSH-2 ‘windadj’ requests” to On (the default
>> is Auto).
> 
> Full disclosure: this is CSCup31447, IOS XR's ssh server erroneously
> disconnects the TCP session after sending SSH_MSG_CHANNEL_FAILURE.
> 
> It's pretty obvious that the SSH server is not supposed to do that, but
> because it's not explicitly prohibited in the RFC, the developers seem
> unwilling to fix this (quote It could be a simple fix from our side [...]
> but bringing this change will impact the behavior which we exhibited for
> long years).

You really need to look at 5.3.1 as that fixes a lot of the SSH defects
that were in 5.1.x.  We identified quite a number of defects such as if two
people were logged in at the same time (eg: rancid, someone else) you would
not be able to login anymore.

Took Cisco quite some time to address this issue and properly fix it
as they were unable to duplicate it without someone thinking hey lets log in
multiple times.  Cisco seems to think of a device as a single monolithic
login session without the need for concurrency protection or other
protections or auto-restoration.

I'm thinking we need a good community test-suite that simulates actual
activities in a device.  After over a decade of asking cisco has not tried to
use any industry standard tools in its testing such as RANCID for fetching the
configurations.  SSH for login as another example.

Paranoia about breaking things when you're not standards compliant is
pure lazy gamesmanship.

- Jared


-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Utility to identify orphaned ACLs and such?

2015-08-13 Thread Jared Mauch
On Thu, Aug 13, 2015 at 09:37:34AM -0400, Jared Mauch wrote:
> Cisco really needs to implement a 'show config dead' or similar type
> command that displays all these orphaned policies.
> 
> I have a hard enough time with cisco parsing their own
> configs though I can't push on this now, perhaps someone else can?

Apparently RPL in IOS-XR can do this:

RP/0/RP0/CPU0:Router#show rpl unused ?
  as-path-set       Display as-path-set objects
  community-set     Display community-set objects
  extcommunity-set  Display extended community objects
  ospf-area-set     Display ospf-area-set objects
  prefix-set        Display prefix-set objects
  rd-set            Display rd-set objects
  route-policy      Display route-policy objects
  tag-set           Display tag-set objects

This doesn't solve the problem of the OP, but may help others identify dead
policy.

- Jared
-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
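
Added example, not part of the thread and not Cisco tooling: an offline pass over a saved IOS-style running-config that lists ACLs, prefix-lists and route-maps that are defined but unreferenced (the orphaned objects asked about in the original question), plus names that are referenced but never defined. The reference patterns cover only a handful of common commands and are an assumption to extend per platform; the sample config is constructed.

```python
import re

DEFINITIONS = [
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("acl", re.compile(r"^access-list (\d+) ")),
    ("prefix-list", re.compile(r"^ip prefix-list (\S+) ")),
    ("route-map", re.compile(r"^route-map (\S+) (?:permit|deny)\b")),
]
# Single-name references. Deliberately not exhaustive.
REFERENCES = [
    ("acl", re.compile(r"^ip access-group (\S+) (?:in|out)\b")),
    ("acl", re.compile(r"^access-class (\S+) (?:in|out)\b")),
    ("acl", re.compile(r"^snmp-server community \S+ (?:RO|RW) (\S+)", re.I)),
    ("acl", re.compile(r"^neighbor \S+ distribute-list (\S+) (?:in|out)\b")),
    ("prefix-list", re.compile(r"^neighbor \S+ prefix-list (\S+) (?:in|out)\b")),
    ("route-map", re.compile(r"^neighbor \S+ route-map (\S+) (?:in|out)\b")),
    ("route-map", re.compile(r"^redistribute .*\broute-map (\S+)")),
]
# match statements may list several names on one line.
MATCH_PFX = re.compile(r"^match ip address prefix-list (.+)$")
MATCH_ACL = re.compile(r"^match ip address (?!prefix-list\b)(.+)$")


def first_match(table, line):
    for kind, rx in table:
        m = rx.match(line)
        if m:
            return kind, m.group(1)
    return None


def parse(config_text):
    """Return (defined objects, [(owning route-map or None, referenced object)])."""
    defined, refs, owner = set(), [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            owner = None                      # a new top-level stanza begins
        definition = first_match(DEFINITIONS, line)
        if definition:
            defined.add(definition)
            if definition[0] == "route-map":
                owner = definition            # following match lines belong to it
            continue
        m = MATCH_PFX.match(line)
        if m:
            refs += [(owner, ("prefix-list", n)) for n in m.group(1).split()]
            continue
        m = MATCH_ACL.match(line)
        if m:
            refs += [(owner, ("acl", n)) for n in m.group(1).split()]
            continue
        ref = first_match(REFERENCES, line)
        if ref:
            refs.append((owner, ref))
    return defined, refs


def audit(config_text):
    """Return (orphaned, dangling) as sorted lists of (kind, name)."""
    defined, refs = parse(config_text)
    live, changed = set(), True
    while changed:                            # a reference made from inside an
        changed = False                       # orphaned route-map keeps nothing alive
        for ref_owner, target in refs:
            if (ref_owner is None or ref_owner in live) and target not in live:
                live.add(target)
                changed = True
    orphaned = sorted(defined - live)
    # Referenced but undefined: on IOS an access-group that points at an
    # undefined ACL filters nothing, so these matter more than the orphans.
    dangling = sorted({target for _, target in refs} - defined)
    return orphaned, dangling


# Constructed sample configuration (documentation addresses and AS number).
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
ip access-list extended OLD-CUSTOMER
 permit ip any any
access-list 10 permit 192.0.2.10
access-list 99 permit 198.51.100.0 0.0.0.255
ip prefix-list PL-CUST seq 5 permit 203.0.113.0/24
ip prefix-list PL-STALE seq 5 permit 198.51.100.0/24
route-map RM-CUST-IN permit 10
 match ip address prefix-list PL-CUST
route-map RM-UNUSED permit 10
 match ip address 99
interface GigabitEthernet0/1
 ip access-group MGMT-IN in
interface GigabitEthernet0/2
 ip access-group EDGE-IN in
router bgp 64500
 neighbor 192.0.2.1 route-map RM-CUST-IN in
snmp-server community EXAMPLE RO 10
line vty 0 4
 access-class MGMT-IN in
"""

if __name__ == "__main__":
    orphaned, dangling = audit(SAMPLE_CONFIG)
    print("orphaned:", orphaned)
    print("dangling:", dangling)
```

Treat the orphan list as candidates for review rather than a delete list, since any command the pattern table does not know about will make a live object look unused.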


[c-nsp] OT: Honest Networker

2015-07-20 Thread Jared Mauch
While off-topic, I thought this would be of interest for people who see issues 
with their routers as this captures many of the situations we operators see on 
a regular basis.

http://honestnetworker.wordpress.com

- Jared


Re: [c-nsp] Remote management console servers?

2015-07-14 Thread Jared Mauch
On Tue, Jul 14, 2015 at 05:03:33PM +, Scott Granados wrote:
> Hi,
> 
> Wondering what people are doing / best practices for remote management 
> generally in datacenter environments.  We have several datacenter with a 
> mix of Cisco, F5, Juniper and Palo Alto equipment in each.  All have a 
> similar RJ45 type console port and all are pretty much your garden 
> variety devices.  Looking for a good solution to gain access when 
> primary connectivity is disrupted.  I know back in the day we used 
> 2610XM routers with the octopus cables but I’m wondering if there is 
> better available now or is this still a good solution?  Do you all use 
> out of band loops for remote management like DS1 / DS3 circuits from 
> diverse providers, dial in, what’s the standard for remote management?  

Many people have their own solutions.  What I've generally seen
is that you can connect to routers inband over IP to a console server.
If the network is down, there is some other backup method to get into
the console server, be it a modem or similar.

Some people have taken to doing this over cellular data but
often this is not reliable within datacenters with a lot of RF or
similar issues.

Some people use DSL in the datacenter, but some buildings are
outside the DSL footprint of telcos, so you are left with something else.

 Do you also have your management networks isolated on their own 
 (could be the same) management network or do you do some sort of 
 VPN / VRF deal for normal non emergency management connectivity?  

I've started to think that this is a solution where LISP
would actually add value/come into play.  LISP allows prefix mobility
across multiple providers, so could have cellular + inband-ethernet + dsl + 
datacenter wifi, and make that work.  You can run LISP on your router or
on a raspberry PI as well.  Check out lispers.net

 Any thoughts on the subject would be most appreciated.  The last 
 time I built one of these was with 2610XM routers in the pops and 
 7206 routers as aggregation points in each geographic region linked 
 together with different T1s and multiplexed to the 7206 regional 
 routers with backhaul loops to the NOC.  Seems like a bit of overkill 
 for my application now but if this is still the best practice then it 
 might be worth while.  Any pointers or other suggestions would be most 
 appreciated.

The cases where I have used console are generally to
recover a device that has gone south in a really-bad way.

Trying to use a console port for anything more than that
will result in frustration.

- Jared


-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.

Re: [c-nsp] SFPs (Third party) - ordered standard LH, but got ZX

2015-07-06 Thread Jared Mauch
Cisco does a poor job of reading the SFF MSA fields from their own optics, let
alone what they describe as “3rd party”.

You may find it easier to use something to read/validate the optics yourself
if that works for your logistics.  (shameless plug: i have something that might
be interesting showing you within this space, contact me off-list).

There’s plenty of people who read and implement the SFF specification properly
so reporting the bug against the platform and asking why there isn’t just
a common library is where I would drive your discussion.

This is very generic code that is 75% cut+paste from the SFF-8472, SFF-8024,
SFF-8636 tables.  8431, 8690, 8079 also cover some other details that may be
useful.

- Jared

 On Jul 6, 2015, at 7:32 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
 
 
 Thanks Nick - I've already contacted them earlier... awaiting their response.
 
 
 Cheers.
 
 
 
 
 From: cisco-nsp cisco-nsp-boun...@puck.nether.net on behalf of Nick 
 Hilliard n...@foobar.org
 Sent: Monday, 6 July 2015 9:26 PM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] SFPs (Third party) - ordered standard LH, but got ZX
 
 On 06/07/2015 12:22, CiscoNSP List wrote:
 So, it would appear that they are all LH... hopefully someone can
 confirm based off the TX/RX readings I provided?
 
 you need a multi-frequency light meter to confirm this.
 
 I would contact the transceiver supplier and ask them to confirm the 
 situation.
 
 Nick

Re: [c-nsp] SFPs (Third party) - ordered standard LH, but got ZX

2015-07-06 Thread Jared Mauch

 On Jul 6, 2015, at 4:50 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
 
 
 Hi Everyone,
 
 
 
 As per title... ordered a bunch of our usual single mode SFP's... and they are 
 badged as LH, but when inserted into router/switch, they report as ZX... can 
 I connect our LH to the new ZX ones (I don't have a router/switch handy to 
 test), and have to ship them interstate... but obviously don't want to if 
 they are not compatible with our existing LH SFP's

Oh one more thing:  I’ve noticed that some 10KM SFPs come as 20km capable:

Date Code: 150213 
1000Base-LX
extended compliance_code 0
Distances:
SMF - 20 km
SMF - 2 meters
OM4 - 320 meters
Wavelength: 1310.00nm

It’s possible that the router interprets 10km as ZX.

- Jared
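
The ID fields discussed in the two messages above (compliance code, SMF reach, wavelength, date code) can be read and checked against the order before an optic goes into a router. This is an added example, not the code Jared mentions and not part of either post; it assumes the SFF-8472 A0h layout for an SFP, and the sample EEPROM image, vendor strings and the `audit` helper are constructed for illustration.

```python
import struct

# A0h byte 6: Ethernet compliance bits (SFF-8472).
ETH_COMPLIANCE = {
    0x01: "1000BASE-SX", 0x02: "1000BASE-LX", 0x04: "1000BASE-CX",
    0x08: "1000BASE-T", 0x10: "100BASE-LX/LX10", 0x20: "100BASE-FX",
    0x40: "BASE-BX10", 0x80: "BASE-PX",
}
IDENTIFIERS = {0x03: "SFP/SFP+/SFP28"}  # SFF-8024 subset, enough for this example


def checksum_ok(page, first, last, cc_index):
    """CC_BASE / CC_EXT: low 8 bits of the byte sum over first..last inclusive."""
    return (sum(page[first:last + 1]) & 0xFF) == page[cc_index]


def parse_a0(page):
    """Decode the serial-ID fields from the first 96 bytes of the A0h page."""
    if len(page) < 96:
        raise ValueError("need at least the first 96 bytes of the A0h page")

    def text(first, last):
        return page[first:last + 1].decode("ascii", "replace").strip()

    return {
        "identifier": IDENTIFIERS.get(page[0], "unknown (0x%02x)" % page[0]),
        "ethernet": [n for bit, n in ETH_COMPLIANCE.items() if page[6] & bit],
        "smf_km": page[14],                # byte 14: SMF reach in km
        "smf_m": page[15] * 100,           # byte 15: SMF reach in 100 m units
        "vendor": text(20, 35),
        "part_number": text(40, 55),
        "wavelength_nm": struct.unpack(">H", page[60:62])[0],
        "serial": text(68, 83),
        "date_code": text(84, 91),         # YYMMDD plus optional lot code
        "cc_base_ok": checksum_ok(page, 0, 62, 63),
        "cc_ext_ok": checksum_ok(page, 64, 94, 95),
    }


def audit(info, want_nm, want_km):
    """Compare what the EEPROM claims with what was ordered (hypothetical helper)."""
    findings = []
    if not info["cc_base_ok"]:
        findings.append("CC_BASE checksum mismatch")
    if not info["cc_ext_ok"]:
        findings.append("CC_EXT checksum mismatch")
    if info["wavelength_nm"] != want_nm:
        findings.append("wavelength %d nm, ordered %d nm" % (info["wavelength_nm"], want_nm))
    if info["smf_km"] != want_km:
        findings.append("SMF reach %d km, ordered %d km" % (info["smf_km"], want_km))
    return findings


def build_sample(wavelength_nm=1310, smf_km=10):
    """Constructed A0h image for a 1000BASE-LX SFP; not read from a real module."""
    page = bytearray(96)
    page[0], page[1], page[2] = 0x03, 0x04, 0x07      # SFP, 2-wire ID, LC connector
    page[6] = 0x02                                    # 1000BASE-LX
    page[11], page[12] = 0x01, 13                     # 8B/10B, about 1.3 GBd
    page[14] = smf_km
    page[15] = min(smf_km * 10, 255)                  # field saturates at 255
    page[20:36] = b"EXAMPLE OPTICS".ljust(16)
    page[40:56] = b"EX-SFP-LX".ljust(16)
    page[60:62] = struct.pack(">H", wavelength_nm)
    page[68:84] = b"CONSTRUCTED0001".ljust(16)
    page[84:92] = b"150213".ljust(8)
    page[63] = sum(page[0:63]) & 0xFF                 # CC_BASE over bytes 0..62
    page[95] = sum(page[64:95]) & 0xFF                # CC_EXT over bytes 64..94
    return bytes(page)


if __name__ == "__main__":
    info = parse_a0(build_sample(wavelength_nm=1550, smf_km=80))
    for key, value in info.items():
        print("%-14s %s" % (key, value))
    print("findings:", audit(info, want_nm=1310, want_km=10))
```

On Linux, `ethtool -m <ifname> raw on` dumps the same bytes from a live module, so the parser can run on a bench host before optics are shipped.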

Re: [c-nsp] Fibre Channel over SDH STM64

2015-07-06 Thread Jared Mauch
I would have to imagine something like this would be up your alley:

http://www.mrv.com/sites/default/files/datasheets/us_pdfs/mrv-fd-dmr10g.pdf

This should take an 8G fiber channel SFP+ and allow it to come out
in a 10G SDH framing.  Reverse on the other side and it should just work.

- Jared

On Tue, Jul 07, 2015 at 08:46:52AM +1000, Feedly Reader wrote:
 Hi all,
 
  
 
 I was looking for some insight around carrying 8G Fibre Channel data over
 third party P2P links. We would like to connect Fibre Channel switching to
 each other between two locations and the only available options are 10G
 Ethernet or an SDH link provided by local carrier. They will not provide
 dark fibre or wavelength for us to use.
 
  
 
 I have looked in to using Nexus 5600 and carrying 8G FC as FCOE traffic over
 10G Ethernet. However, this requires another switching device (Nexus 5600)
 between the two Fibre Channel Switches (MDS 9200). 
 
  
 
 I have also looked in to using FCIP, which is the currently the only option
 we can do without having another set of devices.
 
  
 
 So, it is possible to carry 8G FC traffic over STM64 transparently, possibly
 using a transponder card or have I lost the plot?
 
  
 
 Thanks!
 

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] test...list lag, or down?

2015-05-21 Thread Jared Mauch
mailman was not running and I since restarted it.

- Jared


-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] New IOS release time frame, when bug is identified

2015-05-18 Thread Jared Mauch

 On May 15, 2015, at 1:28 AM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
 
 Bug is still private(i.e. Details not publicly viewable) - but located 
 here:  https://tools.cisco.com/bugsearch/bug/CSCuu32800
 
 Can provide SR if needed.


It’s cisco policy that any defect hit by customer in production result in that 
bug getting a proper release note (RNE) and be flagged so it can be seen on 
CCO.  This should happen within 24 hours.  You should tell the TAC engineer 
their policy.

It’s quite common that they don’t know this as they spend most of their time 
working on configuration related issues vs actual software defects.

It’s not uncommon for Cisco to take a long time to fix a defect.  I recommend 
calling your account team and having them contact release operations and PM for 
the platform and set up a call for you to discuss the business impact.

If this halts your ability to purchase/deploy equipment or even operate it, you 
should make sure to classify it as very dire.  You should ask whether this 
will be added to the TCATS or an analysis of the Test Escape.

Testing software is very hard and some options make it a complete n*2 testing 
problem or worse as they are mutually exclusive.

Right now we have at least 3 p1 cases open with Cisco that are unresolved and 
fairly catastrophic in nature.  Sometimes the developers can only code so fast, 
and quite often we find it necessary to teach cisco what SCALE truly means.  
Multiple people logged in at once is not something they think of (as an 
example).

2-4 weeks is about as fast as they can reasonably move, so keep that in mind.

- Jared

Re: [c-nsp] Preventive Maintenance Template

2015-05-05 Thread Jared Mauch
We collect things along the following lines:

a) interface status
b) BGP status (for all address families)
c) interface descriptions
d) interface IPs
e) ISIS/OSPF neighbor(s)

This is fairly easy to script and automate if you have an existing RANCID 
installation.  You can then snapshot pre+post states and just diff the outputs.

- Jared

 On May 5, 2015, at 6:09 AM, M K gunner_...@live.com wrote:
 
 Hi all, I was searching for the most important commands to use for devices 
 health check, I found a lot of lists but I just want to use your experience 
 to get the most precise and valuable check in order to build my template
 Thanks in advance   
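
A pre/post comparison along the lines described above only stays readable if the columns that change on their own (BGP message counters, table version, Up/Down timer, prefix count) are reduced to a stable form before diffing. This is an added example, not RANCID code and not part of the post; the two snapshots are constructed and the function names are hypothetical.

```python
import difflib

# Constructed snapshots: interface status and BGP summary before and after a change.
PRE = """\
== show ip interface brief
GigabitEthernet0/0   192.0.2.1     YES NVRAM up up
GigabitEthernet0/1   198.51.100.1  YES NVRAM up up
== show ip bgp summary
192.0.2.2     4 64496 120034 119876 5521 0 0 3w4d     412000
198.51.100.2  4 64497  88012  87990 5521 0 0 1w0d     15
"""

POST = """\
== show ip interface brief
GigabitEthernet0/0   192.0.2.1     YES NVRAM up up
GigabitEthernet0/1   198.51.100.1  YES NVRAM up down
== show ip bgp summary
192.0.2.2     4 64496 120101 119940 5530 0 0 3w4d     412007
198.51.100.2  4 64497  88012  87990 0    0 0 00:02:13 Active
"""


def stable_lines(snapshot):
    """Collapse whitespace and reduce BGP summary rows to neighbor, AS and state."""
    out = []
    for raw in snapshot.splitlines():
        fields = raw.split()
        if not fields:
            continue
        # Row layout: neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        if len(fields) >= 10 and fields[1] == "4" and fields[2].isdigit():
            state = " ".join(fields[9:])
            if state.isdigit():            # a prefix count means the session is up
                state = "Established"
            out.append("bgp %s AS%s %s" % (fields[0], fields[2], state))
        else:
            out.append(" ".join(fields))
    return out


def changes(pre, post):
    """Return only the added/removed lines between two normalized snapshots."""
    diff = difflib.unified_diff(stable_lines(pre), stable_lines(post),
                                lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    for line in changes(PRE, POST):
        print(line)
```

The first BGP neighbor's counters differ between the snapshots but produce no output; only the interface that lost line protocol and the session that dropped to Active are reported.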


Re: [c-nsp] Question for TAC

2015-04-30 Thread Jared Mauch
The solution is simple. Call the engineer. When they say they are going to 
research say I'll hold. 

Works wonders to motivate them. 

Don't be afraid to ask for their manager or the duty manager. 

Jared Mauch

On Apr 30, 2015, at 5:20 AM, Adam Vitkovsky adam.vitkov...@gamma.co.uk wrote:

 Does anyone else have this problem?  It's frustrating because I either have 
 to
 wait until the engineer comes back from vacation for my problem to get
 worked on more, or I have to reassign it to someone else and explain the
 problem all over again, only to be told that they, too, will be going on
 vacation for two weeks.
 Wow that's interesting same was happening to me on many IOS related TAC 
 cases. 
 That's why every time I have a chance (IOS box talking to XR box) I open up a 
 case with XR team as those guys are the best.
 
 
 adam 


Re: [c-nsp] TCP MSS on IOS XR

2015-04-28 Thread Jared Mauch
What version of IOS-XR?  What are the interface MTUs?

There were a number of TCP enhancements that went in around the 5.1 timeframe 
which impact the way window scaling works as well.

Also, do you have path-mtu enabled on all the devices?

on XR you want something like this:

tcp selective-ack
tcp window-size 65535
tcp path-mtu-discovery

IOS:

ip tcp path-mtu-discovery
ip tcp window-size 65535

- Jared

 On Apr 28, 2015, at 12:46 PM, Jordi Magrané Roig jordimagr...@hotmail.com 
 wrote:
 
 Dear colleagues,
 
 I have an ASR9000 and I have a BGP session with an IOS device. The output of 
 the command show tcp detail pcb shows the following information:
 
 output omitted
 
 
 Datagrams (in bytes): MSS 1460, peer MSS 1460, min MSS 1946, max MSS
 1946
 
 output omitted
 
 The IOS device is using MSS 1460 bytes but I don't know exactly the MSS that 
 the IOS XR device is using, 1460 or 1946.
 
 Do you know how the command must be interpreted?
 
 Thanks,
 Jordi.
 
 
 

Re: [c-nsp] sip trunk to asterisk

2015-03-30 Thread Jared Mauch
On Sun, Mar 29, 2015 at 09:05:50AM +0430, s m wrote:
 hello everybody,
 
 i want to configure a sip trunk between a cisco router and my system which
 has asterisk. this is my scenario:
 
 Freepbx-my system-cisco-routerFreepbx
 
 my system acts like a router. in cisco, if i set just one codec in
 dial-peers, every thing is ok and i can make a call. but if i set different
 codecs in a voice class codec and assign it to dial-peers, i can make call
 but call is terminated.
 i think there is some difference in sip options (maybe sip headers) between
 cisco and asterisk which causes to codec negotiation fail. as a result of
 it, call terminate.
 
 any body try it before? any comments or hints are really appreciated.

What codec are you trying to use?  I've had good success
with using g711ulaw on both sides.

We've had issues with some providers and DTMF working as well
and it seems that Cisco you need to configure the dtmf relay
in about 25 different places to make it all work right, eg:

voice service voip
 dtmf-interworking rtp-nte
 signaling forward unconditional
 h323
  call service stop
 sip
!

and

!
dial-peer voice 1  voip
 preference 1
 destination-pattern my_regex
 session protocol sipv2
 session target ipv4:1.2.3.4
 session transport udp
 dtmf-relay rtp-nte
 codec g711ulaw
 fax-relay ecm disable
 fax rate disable
 fax protocol pass-through g711ulaw
 no vad
!



- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Asset Management Software

2015-03-26 Thread Jared Mauch
Rancid seems to work well for our network. We can get the location of any 
serial number from the history in CVS as an example. 


 On Mar 26, 2015, at 2:25 AM, M K gunner_...@live.com wrote:
 
 Hi all, What is the best Asset Management (free) software to use ?  



Re: [c-nsp] IP SLA?

2015-03-24 Thread Jared Mauch

 On Mar 24, 2015, at 8:27 AM, Dan Brisson dbris...@gmail.com wrote:
 
 I'm curious what folks do in the situation where you have redundant links to 
 your customers.  I'm speaking primarily in co-lo environments where you offer 
 redundant Internet connectivity to co-lo customers.  So for example, you give 
 a customer 2 ethernet handoffs from two separate Layer 2 switches.   Now what 
 do you do if the customer wants to go to a routed model using both links.  I 
 could allocate /30s for both links, but then I have the issue of how to 
 reliably route their block to them w/out running a routing protocol that will 
 detect if one of the links goes down.  That's where I came to static routes 
 with IP SLA but I wanted to make sure I wasn't missing something easier.

Do they have two routers as well, or a simpler subnet config?  Perhaps 
something like VRRP and using a protocol to inject these ‘connected’ routes to 
the rest of your network?

- jared

Re: [c-nsp] Restrictions NetFlow v9 for IPv6

2015-03-18 Thread Jared Mauch
On Wed, Mar 18, 2015 at 09:47:22AM +0100, Erik Klaassen wrote:
 From the cisco netflow v9 guide:
 
 NDE v9 records for IPv6 do not contain Autonomous System (AS) numbers and 
 prefix length
 information.
 
 Is this still the case? my src and dst AS ipv6 flow fields from my c7600 are 
 0.
 Is there some solution? 

This will depend on the platform.  you may need to enable
bgp attribute-download depending on what you are using.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] cisco regex puzzle of the day

2015-03-11 Thread Jared Mauch
We've long had some feature requests open against JunOS for
as-path matching.  The challenges faced are they don't treat these
AS numbers as strings, and certainly not in the case of some elements
like a paren (confed) or { for AS_SET.

In IOS-XR you can much more easily match against the origin-asn
in a policy as well which isn't quite as easy in other routing operating
systems.

- Jared

On Wed, Mar 11, 2015 at 05:28:06PM +, Mack McBride wrote:
 There is no back tracking in the junos regex nor would backtracking really 
 help.
 Doing this is complicated on cisco due to the lack of negating a full as.
 
 However loop avoidance should prevent 64500 from occurring twice with an 
 intervening AS.
 If you have turned off loop avoidance with allowas-in then you have a lot
 More complexity to worry about.
 
 I haven't tested this but it should work:
 
 (65400_)+([1-57-9][0-9]*_|6[01-35-9][0-9]*_|64[01-46-9][0-9]*_|645[1-9][0-9]*_|6450[1-9][0-9]*_|64500[0-9]+_)+
 
 Mack McBride | Network Architect | ViaWest, Inc.
 O: 720.891.2502 | mack.mcbr...@viawest.com | www.viawest.com | LinkedIn | 
 Twitter | YouTube
 
 
 
 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Saku 
 Ytti
 Sent: Wednesday, March 11, 2015 10:38 AM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] cisco regex puzzle of the day
 
 On (2015-03-10 20:29 +0100), Job Snijders wrote:
 
  ^64500+ [^64500]
 
  This junos beauty will match for example: 64500 64500 123 123 444,
  but not 64500 64500 or 64500.
 
  Can any of you come up with a single line regex that works on IOS or
  XR
  (ios-regex) to mimick the above described behaviour?
 
 Follow-up question. Is there use-case for regular expression backtracking in 
 AS_PATH?
 It would be simpler to implement without backtracking and it would fix this 
 specific use-case, as simple '(64500_)+.+' would work. But perhaps it's still 
 stupid idea, perhaps it'll break lot of really common use-cases.
 
 --
   ++ytti

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Packet Fragmentation

2015-02-12 Thread Jared Mauch
This all varies depending on the platform, perhaps more details
about the platforms involved?

Ideally you should not be fragmenting at all, or doing mss
adjust to avoid it.

- Jared

On Thu, Feb 12, 2015 at 11:59:50AM -0500, Brian Christopher Raaen wrote:
 Are there any specs from Cisco about the impact of Packet Fragmentation.  I
 have a pair of routers where I believe fragmentation may be causing
 issues.  I am trying to understand the impact of the fragments, and what
 router upgrade options we may have of the impact of an upgrade.
 
 -- 
 Brian Christopher Raaen
 Network Architect
 Zcorum

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Non Cisco SFP

2015-02-02 Thread Jared Mauch

And why is that?

We have many non-cisco optics deployed without trouble. 

I would avoid the cheapest-of-the-cheap optics, as those have been rumored to 
have trouble, slow i2c responses, or other issues that the software is poorly 
coded to handle.

We’ve done this with SFP, XFP, SFP+ and CFP without issues.

Do you have details of what your issues were Warren?  I’ve had more issues with 
Cisco optics in Cisco than non-Cisco optics in Cisco.

- jared

 On Feb 2, 2015, at 7:02 AM, Warren Jackson wrjack1...@gmail.com wrote:
 
 Highly recommend you do not use this in production.
 On Mon, Feb 2, 2015 at 6:50 AM Mark Tinka mark.ti...@seacom.mu wrote:
 
 
 On 2/Feb/15 13:23, Harry Hambi - Atos wrote:
 Hi all ,
 I have a non-cisco SFP can someone remind me of the command to run in
 order to use the SFP in a cisco chassis. Is the command a hidden command?,
 do you need to run in interface config mode?, will the switch require a
 reboot?. Thanks in advance
 
 service unsupported-transceiver
 
 Mark.

Re: [c-nsp] Non Cisco SFP

2015-02-02 Thread Jared Mauch

 On Feb 2, 2015, at 11:16 AM, Gert Doering g...@greenie.muc.de wrote:
 
 Hi,
 
 On Mon, Feb 02, 2015 at 03:29:41PM +, Rick Martin wrote:
 I am glad to see this thread, we are on the cusp of making the plunge into 
 aftermarket optics 
 
 Whatever aftermarket optics are - I would not go and buy *used* optics,
 because that's about the only thing in modern hardware that truly ages,
 aka optics burn out over time.

Agreed, general use optics shouldn’t cost you more than $300, and that is being 
quite generous.

If you wanted to program your own optics, apparently you can get one of these 
new raspberry pis:

http://eoinpk.blogspot.com/2014/05/raspberry-pi-and-programming-eeproms-on.html

It includes a link at the bottom for how to program the optics to be ‘cisco 
compatible’.

- Jared

Re: [c-nsp] Non Cisco SFP

2015-02-02 Thread Jared Mauch
I was offering something for the super-geeks :)

at $dayjob we purchase from champion one, but have also tested other optics 
from OSI hardware and others.

I’ve even heard of good luck from fiberstore.com as well, which is super-cheap.

- Jared

 On Feb 2, 2015, at 11:46 AM, Matthew Crocker matt...@corp.crocker.com wrote:
 
 
 
 You could buy 
 http://www.flexoptix.net/en/flexbox-v3-transceiver-programmer.html and save 
 the rPi headaches.   I haven’t used this but it does look interesting.
 
 Or,  you could just go here: http://approvedoptics.com/   Cisco, Juniper 
 every SFP, XFP, SFP+ i’ve ordered has worked 100% and they are priced right.
 
 
 --
 Matthew S. Crocker
 President
 Crocker Communications, Inc.
 PO BOX 710
 Greenfield, MA 01302-0710
 
 E: matt...@crocker.com
 P: (413) 746-2760
 F: (413) 746-3704
 W: http://www.crocker.com
 
 
 
 On Feb 2, 2015, at 11:31 AM, Jared Mauch ja...@puck.nether.net wrote:
 
 
 On Feb 2, 2015, at 11:16 AM, Gert Doering g...@greenie.muc.de wrote:
 
 Hi,
 
 On Mon, Feb 02, 2015 at 03:29:41PM +, Rick Martin wrote:
 I am glad to see this thread, we are on the cusp of making the plunge into 
 aftermarket optics 
 
 Whatever aftermarket optics are - I would not go and buy *used* optics,
 because that's about the only thing in modern hardware that truly ages,
 aka optics burn out over time.
 
 Agreed, general use optics shouldn’t cost you more than $300, and that is 
 being quite generous.
 
 If you wanted to program your own optics, apparently you can get one of 
 these new raspberry pis:
 
 http://eoinpk.blogspot.com/2014/05/raspberry-pi-and-programming-eeproms-on.html
 
 It includes a link at the bottom for how to program the optics to be ‘cisco 
 compatible’.
 
 - Jared

Re: [c-nsp] Non Cisco SFP

2015-02-02 Thread Jared Mauch

 On Feb 2, 2015, at 11:46 AM, Warren Jackson wrjack1...@gmail.com wrote:
 
 Sure, no problem!
 
 1)  Lack of Cisco support.  You will find yourself behind the eight-ball 
 dealing with the TAC if you have these in your chassis.  Sounds like a small 
 deal, but I for one don't have the time to deal with it.

Sounds like you work for Cisco or were properly ingrained in their marketing 
thinking.

 2)  Cost.  If you buy through a Cisco gold provider then you are going to get 
 a good price on the optics, enough to where the difference pays off in 
 support, as these can be wrapped in through your smartnet coverage.  If 
 you have optics from another vendor you are dealing with their support and 
 Cisco support, keeps things simple. Makes it worth paying the bit extra you 
 would pay.  We aren't talking about thousands of dollars difference in price 
 here.

Not really.

 3)  Who?  Which SFP manufacturer(s) would you recommend besides Cisco?

Finisar (for examples).

 4)  Several of the Cisco SFP's provide the show transceiver telemetry that aid 
 in troubleshooting the physical layer, which you won't get with the off-market 
 brand transceivers.

Actually, not true, this is the problem I have with their first party optics.  
We’ve met with their TMG group several times and have outstanding software 
defects that are unresolved.


 Just my 2 cents based on my experience.  How about the rest of you guys?

We’ve had great luck with 3rd party and better support for DOM than their first 
party optics.

- Jared

 
 -Warjack
 
 On Mon Feb 02 2015 at 11:37:59 AM Jared Mauch ja...@puck.nether.net wrote:
 
  On Feb 2, 2015, at 11:16 AM, Gert Doering g...@greenie.muc.de wrote:
 
  Hi,
 
  On Mon, Feb 02, 2015 at 03:29:41PM +, Rick Martin wrote:
  I am glad to see this thread, we are on the cusp of making the plunge into 
  aftermarket optics
 
  Whatever aftermarket optics are - I would not go and buy *used* optics,
  because that's about the only thing in modern hardware that truly ages,
  aka optics burn out over time.
 
 Agreed, general use optics shouldn’t cost you more than $300, and that is 
 being quite generous.
 
 If you wanted to program your own optics, apparently you can get one of these 
 new raspberry pis:
 
 http://eoinpk.blogspot.com/2014/05/raspberry-pi-and-programming-eeproms-on.html
 
 It includes a link at the bottom for how to program the optics to be ‘cisco 
 compatible’.
 
 - Jared

Re: [c-nsp] SNMP and interface description - IOS-XR

2015-01-20 Thread Jared Mauch

 On Jan 20, 2015, at 4:27 PM, Peter Rathlev pe...@rathlev.dk wrote:
 
 On Tue, 2015-01-20 at 19:13 +0200, Hank Nussbacher wrote:
 In IOS 12.2(33)SRE7a in order to read an interface description we did:
  snmpwalk -v 2c -c <snmp read community> rtr1 .1.3.6.1.4.1.9.2.2.1.1.28
 
 [This is the Cisco specific  locIfDescr]
 
 SNMPv2-SMI::enterprises.9.2.2.1.1.28.3 = STRING: vidcast via 
 vidcast-pix  (Rack #6)
 
 but we can't find the proper MIB in Cisco IOS XR Software, Version 5.1.3.
 
 This might be a stupid question but is there any specific reason not to
 just use IF-MIB::ifAlias?
 
 The locIfDescr is from OLD-CISCO-INTERFACES-MIB and has probably been
 deprecated for some time now.

This is what we use, we collect some information from interfaces MIB
and the balance from the ifMIB.

- Jared


Re: [c-nsp] ios-xr asr9k ipv6IfAdminStatus does return next instance if it does not exist

2014-12-16 Thread Jared Mauch
On Tue, Dec 16, 2014 at 10:28:26AM +0100, Florian Lohoff wrote:
 
 After digging into this a bit more
 
 On Tue, Dec 16, 2014 at 05:40:43AM +0100, Florian Lohoff wrote:
  
  Hi,
  did anyone see something like this?
  
  $ snmpget -c public -v 2c asr9k-corerouter ipv6IfAdminStatus.77
  IPV6-MIB::ipv6IfAdminStatus.79 = INTEGER: up(1)
  
  Asking for instance .77 and get .79.
 
 It seems this is a clear violation of the SNMPv2 RFC 1905
 
 RFC1905 4.2.1. The GetRequest-PDU
 [ ... ]
 (1)  If the variable binding's name exactly matches the name of a
  variable accessible by this request, then the variable binding's
  value field is set to the value of the named variable.
 
 (2)  Otherwise, if the variable binding's name does not have an OBJECT
  IDENTIFIER prefix which exactly matches the OBJECT IDENTIFIER
  prefix of any (potential) variable accessible by this request, then
  its value field is set to `noSuchObject'.
 
 (3)  Otherwise, the variable binding's value field is set to
  `noSuchInstance'.
 
 So it should return with `noSuchInstance' not some other random interfaces
 IPv6 status.

Did you report the issue to Cisco so they can fix this?

We've ended up building a regression suite to test the SNMP stack of any
new release that checks for these types of defects.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.
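
A regression check for the behaviour quoted from RFC 1905 section 4.2.1 can be expressed as a sweep: GET every index in a range and require that existing instances answer under the requested name and missing ones answer `noSuchInstance`, never under a different OID. This is an added example, not the suite Jared refers to and not part of the thread; the two agents are simulated in code, the table contents are constructed, and the lines follow net-snmp `snmpget` output as shown in the post.

```python
import re

VARBIND = re.compile(r"^(?P<oid>\S+) = (?P<value>.*)$")

# Text net-snmp prints for the two SNMPv2 exception values.
EXCEPTIONS = {
    "No Such Instance currently exists at this OID": "noSuchInstance",
    "No Such Object available on this agent at this OID": "noSuchObject",
}


def check_get(requested, output_line):
    """Classify one snmpget result line against the name that was requested."""
    m = VARBIND.match(output_line.strip())
    if not m:
        return "unparseable"
    if m.group("oid") != requested:
        # A GET must answer for the exact name or return an exception value.
        return "violation: answered for " + m.group("oid")
    return EXCEPTIONS.get(m.group("value"), "ok")


def sweep(get, column, existing, indexes):
    """Probe each index and return (requested, verdict) for unexpected results."""
    failures = []
    for idx in indexes:
        requested = "%s.%d" % (column, idx)
        verdict = check_get(requested, get(idx))
        expected = "ok" if idx in existing else "noSuchInstance"
        if verdict != expected:
            failures.append((requested, verdict))
    return failures


def compliant_agent(table, column):
    """Simulated agent that follows RFC 1905 4.2.1 for GET."""
    def get(idx):
        name = "%s.%d" % (column, idx)
        if idx in table:
            return "%s = INTEGER: %s" % (name, table[idx])
        return name + " = No Such Instance currently exists at this OID"
    return get


def getnext_like_agent(table, column):
    """Simulated agent with the reported defect: a missing index yields the next one."""
    def get(idx):
        later = sorted(i for i in table if i >= idx)
        if later:
            return "%s.%d = INTEGER: %s" % (column, later[0], table[later[0]])
        return "%s.%d = No Such Instance currently exists at this OID" % (column, idx)
    return get


COLUMN = "IPV6-MIB::ipv6IfAdminStatus"
TABLE = {79: "up(1)", 81: "down(2)"}      # constructed interface table

if __name__ == "__main__":
    for agent in (compliant_agent, getnext_like_agent):
        result = sweep(agent(TABLE, COLUMN), COLUMN, TABLE, range(76, 83))
        print(agent.__name__, result)
```

In a real suite the `get` callable would wrap the SNMP client and `existing` would come from a prior walk of the same column.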


Re: [c-nsp] Capturing remote trafic / RSPAN through non-Cisco

2014-12-12 Thread Jared Mauch

 On Dec 12, 2014, at 12:38 PM, David Deutsch david.deut...@telna.com wrote:
 
 Hello all,
 
 I have a 7201 router running an ITP image that is used as an SS7 STP, it in
 turn is connected to a Cisco 4948E which is trunked into a series of Dell
 M8024K blade switches (I know, I know). I've been tasked with capturing all
 of the IP traffic from the 7201 to a Wireshark machine, running on a blade
 server. Naturally I first looked to use RSPAN on the 4948 to capture the
 physical port connecting the 7201 and capture it via RSPAN on the blade.

Does the 4948E support ERSPAN?  If so, you can make the span destination
go to a remote IP address and decapsulate the traffic there.

- Jared




Re: [c-nsp] Cisco transceiver's maintenance service

2014-12-05 Thread Jared Mauch
Save money and use 3rd party transceivers, talk to folks like
Champion One, Finisar or OSI Hardware for example.  For the cost, you can
even purchase them from Fiberstore as well.  For what cisco charges, you
can purchase a ton of spares.

- Jared

On Mon, Dec 01, 2014 at 10:29:48AM +0800, Xuhu NSP wrote:
 But the thing is I bought maintenance already, few months later, I want to 
 purchase these transceivers, apparently I cannot add these new items inside 
 right? So any solutions?
 
 Br,
 Xuhu
 
  On 1 Dec 2014, at 02:15, Octavio Alvarez alvar...@alvarezp.ods.org wrote:
  
  On 11/29/2014 10:40 PM, Xuhu NSP wrote:
  Hi folks, just want to check that if we just purchase few new
  transceivers from Cisco, how are you going to purchase the
  maintenance service, because I didn't see the list price only for
  transceivers, normally purchase with line cards or chassis.
  
  It's covered by the service contract for the device to which the 
  transceiver is attached [1].
  
  [1] Cisco SFP Modules for Gigabit Ethernet Applications
  http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/gigabit-ethernet-gbic-sfp-modules/product_data_sheet0900aecd8033f885.pdf
  
  Best regards.

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Single core fibre question

2014-11-29 Thread Jared Mauch
Do you mean single strand of fiber? If so, many people make and sell these
bx/bi-di optics for both 1 and 10G. Keep in mind there are two types, up vs down,
and note the frequencies and transmit power for these as there are 10/20/40 and
80km varieties out there.

Of course make sure you have spares etc. 

- jared


 On Nov 29, 2014, at 3:44 PM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
 
 Hi Everyone,
 
 A customer has ordered a single core fibre x-connect to our rack in a remote 
 DC...we only have 4948's in our rack...will a single core fibre work to a
 Single mode SFP? (i.e. all other fibre x-connects in the DC are dual core, 
 and work fine)
 
 Cheers 


Re: [c-nsp] ASR9K XR 5.1.3 Experience

2014-11-24 Thread Jared Mauch
There are a number of SMUs you should load if using 5.1.3, I don't think they 
all have been posted publicly. 

Happy to provide you a list in private. 

Jared Mauch

 On Nov 24, 2014, at 3:30 AM, Alfred Wandati wandati.li...@gmail.com wrote:
 
 Hello list,
 
 We are looking at upgrading a number of boxes to 5.1.3 as it's the
 recommended release in the 5.1.x train and would like to hear any
 thoughts from those running it on its stability.
 
 We're running dual stack ISIS,MP-BGP,LDP,MPLS-TE, vpls.
 
 Regards,
 Alfred Wandati


Re: [c-nsp] Cisco recommendation for distribution layer campus network

2014-09-28 Thread Jared Mauch
I would say avoid Cisco.

The IOS-XE based switches take *forever* to boot and can easily last 5-10 
minutes during the entire process.

We have tried for nearly a decade now to educate Cisco on why this is important 
and they have often missed the boat in what is feasible or otherwise.

(boot time should be under 120 seconds as most people are just doing OEM of a 
Broadcom box anyways).  If it takes too long for them to program the BCM 
sub-system, they are doing something majorly wrong and there’s unlikely any 
hope of them understanding what.

- Jared

 On Sep 28, 2014, at 3:11 PM, Pete Templin peteli...@templin.org wrote:
 
 
 On 9/28/14 11:53 AM, Randy Manning wrote:
 Chassis vs 1u layer 3 switches for distribution layer on campus network
 
 This is my first post. I have used stack switches for access layer and nexus 
 vpc in data center. Why is cisco proposing nexus for distribution layer?
 To eliminate spanning tree
 Vpc still needs hsrp, why not a stack solution?
 
 I am used to chassis and was wanting pro cons
 
 Stack switches leaves you vulnerable to a single-typo outage, or even a 
 single software crash outage.  VPC has its risks, but at least leaves one 
 device up while the other recovers.
 
 Software upgrades can be real tricky on the stack devices too. Doing it by 
 the book on a 3750X often means 35+ minutes of no-packet-forwarding. The 
 missed heartbeats while you hope the stack returns are potentially reason 
 enough to go with VPC. ;)
 
 pt
 

Re: [c-nsp] Connecting PoP's with long distance

2014-09-04 Thread Jared Mauch
You should be able to do 120km with a ZR XFP @ 10G without anything.

If you later want to add equipment to the sites, you can look at doubling your 
optics and something like this:

http://www.perle.com/products/10-Gigabit-Standalone-Media-Converters.shtml

- Jared


 On Sep 4, 2014, at 5:36 AM, Murat Kaipov mkkai...@gmail.com wrote:
 
 Hello Guys.
 
 I need connect two PoP's with 10G links. Distance between PoP's nearly
 120km.  We have fiber optic  between PoP's with two regeneration points
 located nearly in 40 km between each other. We have not DWDM. Can you advise
 some equipment (May be like EDFA) for fiber optic regeneration points
 
 Scheme like this
 
 PoP-1 ---40km---[Regeneration point1]---40km[Regeneration
 point2]-40km--PoP2
 
 Thank you.
 


Re: [c-nsp] Experience on ASR9k XR 5.1.2

2014-08-25 Thread Jared Mauch
On Sun, Aug 24, 2014 at 07:13:05PM +0200, Mark Tinka wrote:
 On Thursday, August 21, 2014 02:17:43 PM Jared Mauch wrote:
 
  Wait for 5.1.3 it will be out soon. We have had a number
  of minor issues in 5.1.2 including the vtys not working.
 
 Now that I recall - I did have the console manager 
 sporadically crash and restart on the ASR9001. So I lost the 
 SSH connection and had to reconnect.

https://tools.cisco.com/bugsearch/bug/CSCuo70584

is their fake ddts on the issue where they only call it
sev2, then there is another ddts I don't have handy where
they properly categorize it as sev1 and fix it.

 The box was still running fine, but that happened twice a 
 couple of weeks ago.

5.1.3 should be out this week, so I would wait and load that.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Experience on ASR9k XR 5.1.2

2014-08-21 Thread Jared Mauch
Wait for 5.1.3 it will be out soon. We have had a number of minor issues in 
5.1.2 including the vtys not working. 

Jared Mauch

 On Aug 21, 2014, at 5:43 AM, Mattias Gyllenvarg matt...@gyllenvarg.se wrote:
 
 Dear List
 
 I would love to hear some feed back on the 5.1.2 Train of IOS XR.
 
 This was preloaded in a few boxes (9010) and I am looking for the most
 stable train without downgrading (fingers crossed).
 
 Will be running:
 MP-BGP
 VRF
 OSPF
 
 -- 
 *Med Vänliga Hälsningar / Best Regards*
 *Mattias Gyllenvarg*

Re: [c-nsp] Experience on ASR9k XR 5.1.2

2014-08-21 Thread Jared Mauch
There are many reasons to wait until 5.1.3 if you are on 4.3.4.

5.1.3 has numerous fixes we have been working with cisco to fix, including
some really basic ones like:

CSCuo25887
CSCuo93835
CSCuo70584 (vty crashes)
CSCum12533 

Either way, 5.1.3 is coming out very soon, you should wait for it and
it may be the best release for 9000V as well if you use those.

- Jared

On Thu, Aug 21, 2014 at 07:56:42AM -0500, Bill Foster wrote:
 We are currently running 4.3.4 and are looking at upgrading to the 5.x.x 
 train.  FWIW, our local SE recommended against 5.1.2 and waiting for 5.1.3
 mainly because of the bug fixes and how they relate to what we do here.  
 Supposedly 5.1.3 is due out in the next couple of weeks if you're not in a
 rush to deploy into production.
 
 
  --
 
 Message: 4
 Date: Thu, 21 Aug 2014 11:43:49 +0200
 From: Mattias Gyllenvarg matt...@gyllenvarg.se
 To: cisco-nsp cisco-nsp@puck.nether.net
 Subject: [c-nsp] Experience on ASR9k XR 5.1.2
 Message-ID:
   CAEYLRFqVA=r_BgiVxoHi+6rucMfyyPgW-n3HU0D8j=pwryr...@mail.gmail.com
 Content-Type: text/plain; charset=UTF-8
 
 Dear List
 
 I would love to hear some feed back on the 5.1.2 Train of IOS XR.
 
 This was preloaded in a few boxes (9010) and I am looking for the most
 stable train without downgrading (fingers crossed).
 
 Will be running:
 MP-BGP
 VRF
 OSPF
 
 

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Experience on ASR9k XR 5.1.2

2014-08-21 Thread Jared Mauch
Wait a week or two and load 5.1.3 when it comes out.

- Jared

On Thu, Aug 21, 2014 at 04:24:19PM +0200, Mattias Gyllenvarg wrote:
 Thanks for all your input!
 
 Machines came with 5.1.2.
 As I am not in production with these machines I can, if it is better,
 turbo boot to 4.3.4.
 
 Is this the wisest path?
 
 //Mattias
 
 
 On Thu, Aug 21, 2014 at 4:15 PM, Aleksandr Gurbo gu...@golas.ru wrote:
 
  Hello list,
 
  I had negative experience with 5.1.2 especially in cluster configuration.
  Release 5.1.1 is awful. I had so many bugs on it. Nick, do you have
  problems on 5.1.1 with telnet access to ip address which is on Loopback
  interface in vpnv4 table?
  Also I had problems with MPLS, where remote PE routers have two links to P
  routers.
  All of this should be fixed in 5.1.3. They promised :) I wait 5.1.3
  release.
 
 
  On Thu, 21 Aug 2014 11:24:19 +0100
  Nick Hilliard n...@foobar.org wrote:
 
   On 21/08/2014 10:43, Mattias Gyllenvarg wrote:
    I would love to hear some feed back on the 5.1.2 Train of IOS XR.
    
    This was preloaded in a few boxes (9010) and I am looking for the most
    stable train without downgrading (fingers crossed).
  
   Hi Mattias,
  
   I've had no problems so far on a relatively small deployment of 5.1.1 with
   mp-bgp / isis / mpls-pw / l3vpn / v4/v6.  Has worked without incident.
  
   Nick
  
  
 
 
  --
  Aleksandr Gurbo
 
 
 
 
 -- 
 *Med Vänliga Hälsningar / Best Regards*
 *Mattias Gyllenvarg*

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] ASR9k 4.3.4 vs 5.1.3

2014-08-21 Thread Jared Mauch
On Thu, Aug 21, 2014 at 03:48:06PM +, Vitkovský Adam wrote:
 Hi folks, Jared, Nick,
 
 I'm wondering what influenced your decision to go/risk it with 5.1.x rather 
 than 4.3.4 ? 
 Was it any must have feature, hardware support requirement or bug fixes or a 
 bit of all please? 
 I'm asking as personally I'm really afraid of the 5.x.x train and thus 
 decided to go with 4.3.4 which is being evaluated currently. 


What is your rational fear about 5.x?

We have 5.1.2 operational and hit some defects, they are all fixed in 5.1.3
through very close work with Cisco.

We never ran 4.3 but I have heard that 4.3.4 is fairly stable as well.

I would hold off on 5.1 until 5.1.3 is released, which should be soon.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Strange corrupt DNS Cache in IOS

2014-08-15 Thread Jared Mauch

 On Aug 15, 2014, at 10:34 AM, Frank Bulk frnk...@iname.com wrote:
 
 Don't use a router as a DNS resolver for customers.  Just don't.
 

Or if you are, use something that is properly designed for that function.  
Check out the UBNT EdgeRouter stuff, cheap, vyatta (JunOS-like), and gives you 
shell access to do other more advanced stuff.  Basically, you can't lose at the 
unit cost, etc.

- Jared


Re: [c-nsp] Strange corrupt DNS Cache in IOS

2014-08-15 Thread Jared Mauch
Can get more luck with voodoo dolls some days. 

Jared Mauch

 On Aug 15, 2014, at 4:12 PM, Łukasz Bromirski luk...@bromirski.net wrote:
 
 Open a case with TAC. That's what they are for, right?
 
 -- 
 ./
 
 On 15 Aug 2014, at 18:05, Sascha E. Pollok s...@iphh.net wrote:
 
 Frank, Jared,
 
 I understand your point and I even share it. Sometimes there are setups
 that do not make much sense any other way (this box with DNS server
 mainly serves one single device and no other DNS server around that is
 suitable for the job).
 
 And before I go ahead and try to deploy some other device for that
 purpose I simply wanted to see if I can make it work with what there is.
 
 Thanks
 Sascha
 
 On 15.08.2014 16:46, Frank Bulk wrote:
 Right, but that's all non-Cisco.  My comments were intended to be
 constrained to Cisco.  
 
 Frank
 
 -Original Message-
 From: Jared Mauch [mailto:ja...@puck.nether.net] 
 Sent: Friday, August 15, 2014 9:42 AM
 To: Frank Bulk
 Cc: Sascha E. Pollok; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Strange corrupt DNS Cache in IOS
 
 
 On Aug 15, 2014, at 10:34 AM, Frank Bulk frnk...@iname.com wrote:
 
 Don't use a router as a DNS resolver for customers.  Just don't.
 
 Or if you are, use something that is properly designed for that function.
 Check out the UBNT EdgeRouter stuff, cheap, vyatta (JunOS-like), and gives
 you shell access to do other more advanced stuff.  Basically, you can't lose
 at the unit cost, etc.
 
 - Jared
