Re: [c-nsp] Cisco ASA5516-x DATAPATH-0-1648 and DATAPATH-0-1648 CPU hog
So, this was tracked down to be an issue with the ASA doing debug logging. As soon as we changed the logging back down to alert-level logging, the issue resolved. Only caught the issue when watching the process CPU usage and saw the logger process pop up at 52%, then 64% and then 84% CPU usage before falling off, all within a 10-second period.

vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285

PC             Thread         5Sec   1Min   5Min   Process
0x564743c1c050 0x7f2cef4bbe80 1.0%   1.5%   1.0%   Unicorn Proxy Thread
0x564743a1b57b 0x7f2cef4bb000 0.0%   0.2%   0.3%
0x5647439821d6 0x7f2cef4bbae0 0.0%   0.2%   0.1%   snmp_master_callback_thread
0x564743982226 0x7f2cef4bb740 0.0%   0.4%   0.4%   snmp_client_callback_thread
0x5647437cf58c 0x7f2cef4be2c0 0.0%   0.1%   0.1%   radius_snd
0x5647421c5dd4 0x7f2cef4dc4e0 52.1%  11.5%  11.1%  Logger
0x5647427c3cb6 0x7f2cef4c5e00 0.0%   0.1%   0.1%   ARP Thread
0x564743c1c050 0x7f2cef4ebf00 0.0%   0.1%   0.1%   aaa_shim_thread
0x564741cdf31c 0x7f2cef4ec640 0.0%   0.1%   0.1%   aaa
-              -              0.8%   2.1%   2.2%   DATAPATH-0-1665
-              -              2.6%   2.3%   2.4%   DATAPATH-1-1666

vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285

PC             Thread         5Sec   1Min   5Min   Process
0x564743bf433f 0x7f2cef4bbe80 0.0%   1.2%   1.0%   Unicorn Proxy Thread
0x564743a1b57b 0x7f2cef4bb000 0.0%   0.1%   0.2%
0x5647439821d6 0x7f2cef4bbae0 0.0%   0.1%   0.1%   snmp_master_callback_thread
0x564743982226 0x7f2cef4bb740 0.0%   0.2%   0.4%   snmp_client_callback_thread
0x5647421c5dd4 0x7f2cef4dc4e0 64.1%  12.7%  11.3%  Logger
0x5647427c3cb6 0x7f2cef4c5e00 0.0%   0.1%   0.1%   ARP Thread
-              -              1.3%   2.1%   2.2%   DATAPATH-0-1665
-              -              4.7%   2.5%   2.4%   DATAPATH-1-1666

vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285

PC             Thread         5Sec   1Min   5Min   Process
0x564743c1c050 0x7f2cef4bbe80 0.0%   0.9%   0.9%   Unicorn Proxy Thread
0x564743a1b57b 0x7f2cef4bb000 0.0%   0.1%   0.2%
0x5647439821d6 0x7f2cef4bbae0 0.0%   0.1%   0.0%   snmp_master_callback_thread
0x564743982226 0x7f2cef4bb740 0.0%   0.1%   0.3%   snmp_client_callback_thread
0x5647421c5dd4 0x7f2cef4dc4e0 84.0%  15.1%  11.8%  Logger
-              -              3.0%   2.3%   2.3%   DATAPATH-0-1665
-              -              0.4%   2.3%   2.4%   DATAPATH-1-1666

vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285

PC             Thread         5Sec   1Min   5Min   Process
0x564743c1c050 0x7f2cef4bbe80 1.3%   1.0%   0.9%   Unicorn Proxy Thread
0x564743a1b57b 0x7f2cef4bb000 0.0%   0.1%   0.2%
0x564743982226 0x7f2cef4bb740 0.0%   0.1%   0.3%   snmp_client_callback_thread
0x5647421c5dd4 0x7f2cef4dc4e0 0.0%   12.8%  11.4%  Logger
0x56474221df82 0x7f2cef4bc5c0 0.1%   0.1%   0.1%   emweb/https
0x5647427c3cb6 0x7f2cef4c5e00 0.1%   0.0%   0.0%   ARP Thread
-              -              2.2%   2.3%   2.3%   DATAPATH-0-1665
-              -              2.4%   2.3%   2.4%   DATAPATH-1-1666

vpn-gw# sh proc cpu-usage non-zero

Best,
-Lee

On Wed, Jun 5, 2024 at 2:22 PM Lee Starnes wrote:
> Thank you for the link and info. Unfortunately can't open a TAC case as
> this model (5516-X) is not under support. We have a 5508-X under contract
> which is how we are able to get the firmware.
>
> I will check out the links. Thank you for your help.
>
> Best,
>
> -Lee
>
> On Wed, Jun 5, 2024 at 6:15 AM harbor235 wrote:
>
>> Here is an overall performance troubleshooting doc:
>>
>> https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html
>>
>> Mike
>>
>> On Wed, Jun 5, 2024 at 9:12 AM harbor235 wrote:
>>
>>> If you cannot open a TAC case I would look through your syslog messages
>>> looking for errors/criticals/warnings. Also look at all interfaces to ensure
>>> there are no input or output errors as well. After that I would verify
>>> traffic is hitting your box and is not an
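The method that found this (re-running "show process cpu-usage non-zero" and watching the 5Sec column rather than the averaged ones) can be automated. The following is an added example, not code from Lee's post or from Cisco. It parses a terminal capture in the format shown above, reports any process whose 5-second CPU exceeded a threshold in any sample together with that process's trajectory across all samples, and greps an ASA running-config for "logging <destination> debugging" lines, which is the setting that turned out to be the cause here. The sample capture and config are constructed from the readings in this thread. The 25% threshold, the list of logging destinations checked, and the assumption that PC/Thread values are "-" or 0x plus 12 hex digits are my assumptions; fixing that width is what lets the parser cope with the ASA running columns together when a value overflows its field (the raw "0x7f2cef4dc4e052.1%11.5%11.1%" Logger row).

```python
"""Find the CPU hog in repeated ASA 'show process cpu-usage non-zero' output and
flag debug-level logging destinations in an ASA config.
Added example; SAMPLE_OUTPUT and SAMPLE_CONFIG are constructed from the thread."""
import re
from typing import Dict, List, Tuple

Reading = Tuple[float, float, float]          # (5Sec, 1Min, 5Min) in percent

# One data row: PC, Thread, 5Sec%, 1Min%, 5Min%, Process name (may be blank).
# Assumption: PC/Thread are "-" or 0x + 12 hex digits. The fixed width matters
# because the ASA drops the separating spaces when a value overflows its
# column ("0x7f2cef4dc4e052.1%11.5%11.1%"), so whitespace between fields is \s*.
ROW_RE = re.compile(
    r"^(?P<pc>0x[0-9a-f]{12}|-)\s+(?P<thread>0x[0-9a-f]{12}|-)\s*"
    r"(?P<s5>\d{1,3}\.\d)%\s*(?P<m1>\d{1,3}\.\d)%\s*(?P<m5>\d{1,3}\.\d)%\s*"
    r"(?P<name>.*?)\s*$"
)
PROMPT_RE = re.compile(r"#\s*sh\w*\s+proc\w*\s+cpu-usage")   # start of one invocation


def parse_samples(capture: str) -> List[Dict[str, Reading]]:
    """One dict per command invocation: process name -> (5Sec, 1Min, 5Min).
    Invocations that printed no rows are dropped."""
    samples: List[Dict[str, Reading]] = []
    current: Dict[str, Reading] = {}
    for line in capture.splitlines():
        if PROMPT_RE.search(line):
            current = {}
            samples.append(current)
            continue
        m = ROW_RE.match(line.strip())
        if m and samples:
            name = m.group("name") or "<unnamed>"      # the ASA prints one blank-named thread
            current[name] = (float(m.group("s5")), float(m.group("m1")), float(m.group("m5")))
    return [s for s in samples if s]


def find_hogs(samples: List[Dict[str, Reading]], threshold: float = 25.0) -> Dict[str, List[float]]:
    """Processes whose 5Sec value exceeded `threshold` in any sample, mapped to
    their 5Sec trajectory over all samples (0.0 where absent: 'non-zero' output
    omits idle processes). The 5Sec column is the one to watch; a burst like the
    Logger's is averaged away in the 1Min/5Min columns."""
    flagged = {name for s in samples for name, (s5, _, _) in s.items() if s5 > threshold}
    return {name: [s.get(name, (0.0, 0.0, 0.0))[0] for s in samples] for name in sorted(flagged)}


# ASA 'logging <destination> <level>' lines; the level is a name or 0-7.
LOGGING_RE = re.compile(r"^logging (buffered|trap|console|monitor|asdm|mail|history)\s+(\S+)$")
DEBUG_LEVELS = {"debugging", "7"}


def debug_logging_destinations(config: str) -> List[str]:
    """Config lines that send level-7 (debugging) syslog anywhere."""
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        m = LOGGING_RE.match(line)
        if m and m.group(2).lower() in DEBUG_LEVELS:
            hits.append(line)
    return hits


SAMPLE_OUTPUT = """\
vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
PC             Thread         5Sec   1Min   5Min   Process
0x564743c1c050 0x7f2cef4bbe80 1.0%   1.5%   1.0%   Unicorn Proxy Thread
0x564743a1b57b 0x7f2cef4bb000 0.0%   0.2%   0.3%
0x5647421c5dd4 0x7f2cef4dc4e052.1%11.5%11.1% Logger
-              -              0.8%   2.1%   2.2%   DATAPATH-0-1665
-              -              2.6%   2.3%   2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
PC             Thread         5Sec   1Min   5Min   Process
0x5647421c5dd4 0x7f2cef4dc4e064.1%12.7%11.3% Logger
-              -              4.7%   2.5%   2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
PC             Thread         5Sec   1Min   5Min   Process
0x5647421c5dd4 0x7f2cef4dc4e084.0%15.1%11.8% Logger
-              -              3.0%   2.3%   2.3%   DATAPATH-0-1665
vpn-gw# sh proc cpu-usage non-zero
PC             Thread         5Sec   1Min   5Min   Process
0x5647421c5dd4 0x7f2cef4dc4e0 0.0%   12.8%  11.4%  Logger
0x56474221df82 0x7f2cef4bc5c0 0.1%   0.1%   0.1%   emweb/https
-              -              2.2%   2.3%   2.3%   DATAPATH-0-1665
vpn-gw# sh proc cpu-usage non-zero
"""

SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging buffered debugging
logging trap 7
logging console alerts
logging host inside 192.0.2.10
"""

if __name__ == "__main__":
    for name, trajectory in find_hogs(parse_samples(SAMPLE_OUTPUT)).items():
        print(f"{name}: 5Sec readings {trajectory}")
    for line in debug_logging_destinations(SAMPLE_CONFIG):
        print("debug-level logging:", line)
```

On the constructed sample this reports the Logger at 52.1, 64.1, 84.0 and 0.0 percent across the four invocations, and flags "logging buffered debugging" and "logging trap 7". To use it on a real box, paste the captures from a terminal log into parse_samples and the output of "show running-config logging" into debug_logging_destinations.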
[c-nsp] Cisco ASA5516-x DATAPATH-0-1648 and DATAPATH-0-1648 CPU hog
Hello Everyone,

I have an odd issue I am trying to track down. We are seeing an issue whereby traffic just "pauses" through the ASA for about 2-4 seconds before resuming. We started seeing this when the device was low on memory (about 600M available). We rebooted it and did a firmware update to the current version. Still seeing this behavior. After another reboot, still seeing this.

Process: DATAPATH-0-1665, PROC_PC_TOTAL: 407, MAXHOG: 10, LASTHOG: 5
MAXHOG At:  15:31:54 PDT Jun 4 2024
LASTHOG At: 15:37:48 PDT Jun 4 2024
PC:         0x (suspend)

Process: DATAPATH-0-1665, NUMHOG: 385, MAXHOG: 10, LASTHOG: 5
MAXHOG At:  15:31:54 PDT Jun 4 2024
LASTHOG At: 15:37:48 PDT Jun 4 2024
PC:         0x (suspend)
Call stack: 0x564741c98c49 0x564742188996 0x5647436c2d28 0x5647436d2abc
            0x5647436e2ae0 0x7f2d2067bff5 0x7f2d1f88416f

Process: DATAPATH-1-1666, PROC_PC_TOTAL: 402, MAXHOG: 12, LASTHOG: 5
MAXHOG At:  15:31:48 PDT Jun 4 2024
LASTHOG At: 15:37:41 PDT Jun 4 2024
PC:         0x (suspend)

Process: DATAPATH-1-1666, NUMHOG: 376, MAXHOG: 12, LASTHOG: 5
MAXHOG At:  15:31:48 PDT Jun 4 2024
LASTHOG At: 15:37:41 PDT Jun 4 2024
PC:         0x (suspend)
Call stack: 0x564741c98c49 0x564742188996 0x5647436c2d28 0x5647436d2abc
            0x5647436e2ae0 0x7f2d2067bff5 0x7f2d1f88416f

I did disable logging flash-bufferwrap to stop it from writing to flash. The logging process stopped using 29% CPU, but still the issue persists. Anyone got any ideas on what the cause is and how to resolve it?

Best,
-Lee
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] vPC members use identical virtual addresses without HSRP
Cisco supports VRRP as well.

Sent from my iPhone

> On Apr 18, 2024, at 10:08 PM, Chen Jiang via cisco-nsp wrote:
>
> Hi! Experts
>
> I wonder if Cisco supports vPC members using identical virtual addresses as
> the host's layer 3 gateway?
>
> Just like Arista or Juniper.
>
> Arista for example:
> ...
> interface Vlan100
>    vrf v101
>    ip address virtual 192.168.100.254/24
> interface Vlan101
>    vrf v101
>    ip address virtual 192.168.101.254/24
> ...
>
> From the Cisco document it seems all examples use HSRP and it needs to
> occupy 3 IP addresses.
>
> Thanks for your help.
>
> --
> BR!
>
> James Chen
[c-nsp] Cisco IOS switch SSH connections not working
Hello everyone,

We started seeing an issue starting at 1:45am Sunday whereby we can no longer connect to one of our switches via SSH. All the normal functions seem fine, we just can't get onto the switch. When trying to connect to it, the session just hangs for about 30 seconds and then says connection timed out. No login prompt.

So I did a little troubleshooting and I am not seeing the attempts even make it to the ACL. No logs of failed or attempted connections. Additionally, there are no active SSH or any VTY sessions. So then, just to get the switch to restart SSH, I generated a new RSA key. It stopped and restarted SSH, but nothing. So I attempted to just remove the ACL and try. Still nothing. Lastly, I enabled telnet and tried to connect via telnet. Still nothing.

I really don't want to restart the switch if there is any other way to resolve this. Anyone have any suggestions? This is a 6509-E with dual SUPs, so it is possible to fail over to the other SUP, but that also carries downtime with it as it causes the OSPF and BGP sessions to reset. Nothing in the logs either, other than the last successful SSH alive check from Nagios.

Best,
-Lee
[c-nsp] Nexus 9k reserved vlans and MST
Hello

We have several Nexus 9Ks on which we have changed the system reserved VLANs from the default to 3600-3727. We now have a requirement to migrate to MST. The Cisco docs state "You cannot map VLANs 3968 to 4095 to an MST instance. These VLANs are reserved for internal use by the device." The doc does not mention whether those VLANs can be used for MST if they are no longer reserved.

As a test I created the below MST config but have not enabled MST yet:

spanning-tree mst configuration
  name TEST-MST
  revision 1
  instance 1 vlan 2-3599
  instance 2 vlan 3729-4092
exit
end

I didn't see any errors, but as MST is not actually enabled yet I'm not convinced, so I tried the below by adding in VLAN 3601, which is part of the currently reserved VLANs:

spanning-tree mst configuration
  name TEST-MST
  revision 1
  instance 1 vlan 2-3599
  instance 2 vlan 3729-4092
  instance 3 vlan 3601
exit
end

Again I don't see any errors when I expected to by using a known reserved VLAN. Has anybody changed the system reserved VLANs and enabled VLANs 3968 and above in MST? The current RSTP setup is working well with the reserved VLANs, but the rack switches are reaching the RSTP limit (128).

Thanks
[c-nsp] ASR9010 fan tray upgrade
Hello everyone,

I have some ASR9010 chassis that are getting upgraded fan trays from v1 to v2. My question is, to upgrade these, is it possible to pull one and replace it and then pull the other and replace it, or will the system have issues with mixed fan trays during that short period? If they can't be swapped one at a time, will the chassis need to shut down to swap both, or will the chassis continue to run for the 30-60 seconds it takes to swap the new ones in?

Best,
-Lee
Re: [c-nsp] [External] Cisco 6509-E SSH and Telnet not allowing connections
Hello Hunter,

It does respond to ping and all other functions are working, including responding to SNMP RO and RW.

-Lee

On Sat, Feb 27, 2021 at 12:31 PM Hunter Fuller wrote:
> I have no idea, but just curious, does the box respond to other
> control plane traffic from outside, like pings?
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
> On Sat, Feb 27, 2021 at 1:05 PM Lee Starnes wrote:
> >
> > Hello all,
> >
> > Ran into an issue that I can't seem to resolve and really don't want to
> > reboot the chassis. Have 1 of our 6509-E units that has decided it is not
> > going to allow connections to it via SSH or telnet. I can get access via
> > console. When trying to connect, you do not get connection refused. You
> > just hang for several seconds before getting a connection timed out
> > message.
> >
> > On the switch, I show no connection attempts.
> >
> > A check to see if the SSH server is running and has any connections shows
> > normal.
> >
> > #sh ip ssh
> > SSH Enabled - version 1.99
> > Authentication timeout: 120 secs; Authentication retries: 3
> > #sh ssh
> > %No SSHv1 server connections running.
> > %No SSHv2 server connections running.
> >
> > Doing debugs, I see nothing show up for connection attempts. Also if I
> > attempt to connect to itself from itself, it also just hangs before getting
> > a connection timed out message. I would expect the normal response of
> > connection refused when trying to connect to itself.
> >
> > There is an ACL in place on the VTY lines and even removing that still
> > gets the same results. I have removed the input transport on the VTY lines
> > and then re-added them.
> >
> > Is there anything else I can try before having to reboot/switch to the
> > standby SUP?
> >
> > This was all working normally until sometime around 4am, and nothing was
> > logged before or after the issue started other than my login via console
> > and various changes/commands issued in an attempt to debug/resolve this
> > issue.
> >
> > Any help would be greatly appreciated.
> >
> > -Lee
Re: [c-nsp] Cisco 6509-E SSH and Telnet not allowing connections
Hi Lukas,

Thanks for the reply. So sh users lists none. sh line lists all 16.

#sh line sum
  0: U---  ?
  1 character mode users. (U)
  13 lines never used (?)
  1 total lines in use, 0 not authenticated (lowercase)

Tried to remove the vty config and add them back. No joy.

Best,
-Lee

On Sat, Feb 27, 2021 at 12:58 PM Lukas Tribus wrote:
> Hello,
>
> On Sat, 27 Feb 2021 at 20:03, Lee Starnes wrote:
> >
> > Hello all,
> >
> > Ran into an issue that I can't seem to resolve and really don't want to
> > reboot the chassis. Have 1 of our 6509-E units that has decided it is not
> > going to allow connections to it via SSH or telnet. I can get access via
> > console. When trying to connect, you do not get connection refused. You
> > just hang for several seconds before getting a connection timed out
> > message.
> >
> > On the switch, I show no connection attempts.
> >
> > A check to see if the SSH server is running and has any connections shows
> > normal.
> >
> > #sh ip ssh
> > SSH Enabled - version 1.99
> > Authentication timeout: 120 secs; Authentication retries: 3
> > #sh ssh
> > %No SSHv1 server connections running.
> > %No SSHv2 server connections running.
> >
> > Doing debugs, I see nothing show up for connection attempts. Also if I
> > attempt to connect to itself from itself, it also just hangs before getting
> > a connection timed out message. I would expect the normal response of
> > connection refused when trying to connect to itself.
> >
> > There is an ACL in place on the VTY lines and even removing that still
> > gets the same results. I have removed the input transport on the VTY lines
> > and then re-added them.
> >
> > Is there anything else I can try before having to reboot/switch to the
> > standby SUP?
> >
> > This was all working normally until sometime around 4am, and nothing was
> > logged before or after the issue started other than my login via console
> > and various changes/commands issued in an attempt to debug/resolve this
> > issue.
>
> show users
> show line
> show line summary
> show tcp brief | inc \.23 |\.22 ||Foreign
>
> How many VTY lines are actually configured?
>
> I'm thinking about hung VTY sessions. Use "clear line ..." and "clear
> tcp tcb ..." to kill orphan sessions and TCP connections. You can also
> try raising the number of VTY lines.
>
> > There is an ACL in place on the VTY lines and even removing that still
> > gets the same results. I have removed the input transport on the VTY lines
> > and then re-added them.
>
> Instead of removing and adding "input transport" again, try removing
> the line vty section (in its entirety), and reconfigure it from
> scratch.
>
> Lukas
[c-nsp] Cisco 6509-E SSH and Telnet not allowing connections
Hello all,

Ran into an issue that I can't seem to resolve and really don't want to reboot the chassis. Have 1 of our 6509-E units that has decided it is not going to allow connections to it via SSH or telnet. I can get access via console. When trying to connect, you do not get connection refused. You just hang for several seconds before getting a connection timed out message.

On the switch, I show no connection attempts.

A check to see if the SSH server is running and has any connections shows normal.

#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
#sh ssh
%No SSHv1 server connections running.
%No SSHv2 server connections running.

Doing debugs, I see nothing show up for connection attempts. Also if I attempt to connect to itself from itself, it also just hangs before getting a connection timed out message. I would expect the normal response of connection refused when trying to connect to itself.

There is an ACL in place on the VTY lines and even removing that still gets the same results. I have removed the input transport on the VTY lines and then re-added them.

Is there anything else I can try before having to reboot/switch to the standby SUP?

This was all working normally until sometime around 4am, and nothing was logged before or after the issue started other than my login via console and various changes/commands issued in an attempt to debug/resolve this issue.

Any help would be greatly appreciated.

-Lee
[c-nsp] ASR9010 and monitor port
Hello Everyone,

We have an issue we are trying to track down with an IPv6 BGP peer. The session resets randomly, sometimes 4-5 times a day, and sometimes it doesn't reset for several days. We are trying to run a monitor session to mirror the traffic of the port to another port for the purposes of capturing it with tcpdump. The problem we are running into is that it seems it is not mirroring the egress BGP traffic on the port. Additionally, it would seem that we are not able to see two-way traffic. If we specify an ingress ACL, we see the BGP traffic. If we specify ingress and egress ACLs, we get no traffic. If we specify egress, we see no BGP traffic.

Below is what we are using to mirror this traffic. Is there something that is being done wrong, or is this something that does not mirror both directions at the same time? Not sure why, if we set it to only do egress, it does not see BGP traffic. We tested this by setting the ACL to capture all IPv6 traffic and there was no BGP traffic.

Best regards,
Lee

monitor-session TEST ethernet
 destination interface TenGigE0/0/1/1
!
ipv6 access-list span
 10 permit ipv6 host 2001:xxx:::212 host 2001:xxx:::213 capture
 15 permit ipv6 host 2001:xxx:::213 host 2001:xxx:::212 capture
 20 permit ipv6 any any
!
interface TenGigE0/0/1/0
 description COX 10G Circuit ID:
 ipv4 address X.X.X.X
 ipv6 address 2001:xxx:::213/127
 monitor-session TEST ethernet
  acl
 !
 load-interval 30
 flow ipv4 monitor NFAmonitor sampler NFAsampler ingress
 flow ipv4 monitor NFAmonitor sampler NFAsampler egress
 flow ipv6 monitor NFAmonitorIPv6 sampler NFAsampler ingress
 flow ipv6 monitor NFAmonitorIPv6 sampler NFAsampler egress
 ipv6 access-group span ingress
 ipv6 access-group span egress
!
Re: [c-nsp] 6509 w/SUP720-3BXL and high CPU load
Hello Nathan,

So what I find interesting is that a process that shows 13% CPU is actually using 60% CPU. Using a "show proc cpu sorted 5sec" I was able to see that SNMP was coming up with 13 and 15% CPU on the process when this is going on (all the time), but on the other switches that would only appear once for about 5 seconds and then go away, leaving a brief spike and then a drop to normal on the CPU load.

So I started to investigate, and the machine that was hitting it with 25K packets each time was our machine that runs MRTG. A little research into that found that the config for this switch was old: it had some interfaces that were not in the chassis anymore and was missing some that were new in the chassis. Rebuilt that and the issue resolved. Packets went from 25K to 746 and it completed its poll of the interfaces within 5-7 seconds.

Thanks for the response.

-Lee

On Thu, Mar 19, 2020 at 11:39 AM Nathan Lannine wrote:
> > First thing I'd try is to capture punted packets.
>
> Per the document that you linked, I've found netdr or cpu span to be
> helpful in this regard. That community post pretty much mirrors an
> official doc on the same topic. I think the last time I saw something like
> this it was some kind of link local IPv6 stuff. Either way, it would be
> nice to know what you find the problem to be.
>
> Thank you,
> Nathan
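Lee's fix was to rebuild the MRTG config from the chassis's current interface list. The following is an added example, not code from the thread or from MRTG, that does that comparison offline: it reads the Target[] lines of an MRTG config, reads an ifDescr walk of the device, and reports targets that point at interfaces the device no longer has plus live interfaces that nothing polls. Assumptions: targets use MRTG's numeric-ifIndex form ("3:community@host") or its "#ifDescr" form, and other MRTG selectors ("\ifName", "/ip", "~ifType") are passed through unchecked; the walk is in net-snmp's "IF-MIB::ifDescr.N = STRING: ..." text format; the config and walk below are constructed samples.

```python
"""Cross-check MRTG Target[] interface selectors against a live ifDescr walk.
Added example; SAMPLE_CFG and SAMPLE_WALK are constructed."""
import re
from typing import Dict, List

# Target[label]: <selector>:<community>@<host>...   (MRTG cfg syntax)
TARGET_RE = re.compile(r"^Target\[(?P<label>[^\]]+)\]:\s*(?P<spec>\S+)")
# net-snmp text output: IF-MIB::ifDescr.3 = STRING: GigabitEthernet1/1
IFDESCR_RE = re.compile(r"^IF-MIB::ifDescr\.(?P<idx>\d+)\s*=\s*STRING:\s*(?P<descr>.+?)\s*$")


def parse_ifdescr_walk(walk: str) -> Dict[int, str]:
    """ifIndex -> ifDescr from an 'snmpwalk ... IF-MIB::ifDescr' capture."""
    live: Dict[int, str] = {}
    for line in walk.splitlines():
        m = IFDESCR_RE.match(line.strip())
        if m:
            live[int(m.group("idx"))] = m.group("descr")
    return live


def parse_mrtg_targets(cfg: str) -> Dict[str, str]:
    """label -> interface selector (the text before ':community@host').
    Assumption: a bare ifIndex ("3") or "#<ifDescr>"; anything else is kept
    verbatim so the caller can decide what to do with it."""
    targets: Dict[str, str] = {}
    for line in cfg.splitlines():
        m = TARGET_RE.match(line.strip())
        if m:
            targets[m.group("label")] = m.group("spec").split(":", 1)[0]
    return targets


def _selects_live(spec: str, live: Dict[int, str]) -> bool:
    """Does this selector still resolve to an interface the device reports?"""
    if spec.isdigit():
        return int(spec) in live
    if spec.startswith("#"):
        return spec[1:] in live.values()
    return True          # \ifName, /ip, ~ifType selectors are not checked here


def stale_targets(cfg: str, walk: str) -> List[str]:
    """Labels whose interface is gone from the device, in config order."""
    live = parse_ifdescr_walk(walk)
    return [label for label, spec in parse_mrtg_targets(cfg).items()
            if not _selects_live(spec, live)]


def unpolled_interfaces(cfg: str, walk: str) -> List[str]:
    """ifDescr of every live interface no Target selects, in ifIndex order."""
    live = parse_ifdescr_walk(walk)
    specs = set(parse_mrtg_targets(cfg).values())
    return [descr for idx, descr in sorted(live.items())
            if str(idx) not in specs and "#" + descr not in specs]


SAMPLE_CFG = """\
# constructed: ifIndex 9 and the TenGig card in slot 2 were pulled from the chassis
WorkDir: /var/www/mrtg
Target[sw1.3]: 3:public@sw1.example.net:
MaxBytes[sw1.3]: 1250000000
Target[sw1.9]: 9:public@sw1.example.net:
MaxBytes[sw1.9]: 1250000000
Target[sw1.te2-1]: #TenGigabitEthernet2/1:public@sw1.example.net:
MaxBytes[sw1.te2-1]: 1250000000
"""

SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: Vlan1
IF-MIB::ifDescr.3 = STRING: GigabitEthernet1/1
IF-MIB::ifDescr.4 = STRING: GigabitEthernet1/2
IF-MIB::ifDescr.12 = STRING: TenGigabitEthernet5/1
"""

if __name__ == "__main__":
    for label in stale_targets(SAMPLE_CFG, SAMPLE_WALK):
        print("stale target:", label)
    for descr in unpolled_interfaces(SAMPLE_CFG, SAMPLE_WALK):
        print("not polled:", descr)
```

On the constructed sample, sw1.9 and sw1.te2-1 are reported stale and Vlan1, GigabitEthernet1/2 and TenGigabitEthernet5/1 as unpolled (filter out SVIs and the like as suits your site). The walk comes from "snmpwalk -v2c -c <ro-community> <switch> IF-MIB::ifDescr" (net-snmp option names); where the device supports it, use SNMPv3 with authentication and privacy instead of a community string, and restrict the poller's source address with an SNMP ACL as the thread's other replies assume.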
Re: [c-nsp] 6509 w/SUP720-3BXL and high CPU load
Hello Gert,

Thanks for the reply. All come up false. I did finally track it down to MRTG hitting it with 25K packet requests, with some old interfaces in its config that are not in the chassis anymore. Once I re-created this, the issue resolved.

-Lee

On Thu, Mar 19, 2020 at 12:00 PM Gert Doering wrote:
> Hi,
>
> On Thu, Mar 19, 2020 at 10:28:58AM -0700, Lee Starnes wrote:
> > We are seeing on one of our 6509 chassis high CPU load (50-90%). We are not
>
> As ytti said, you're software switching.
>
> Are you carrying full tables, and have hit MLS CEF limits?
>
> ("show mls cef exception status")
>
> If this is showing "TRUE", you've hit "too many prefixes" and need to
> reduce the number of routes this box sees, and then reload (no way to
> normalize without reboot).
>
> If this is showing all FALSE, something else is causing software
> switching.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [c-nsp] 6509 w/SUP720-3BXL and high CPU load
Hello Ytti,

Looks like the 6509 does not have the show platform cap. It only has show platform buffers. But I did find that this was an issue with SNMP.

Thanks for the pointers.

-Lee

On Thu, Mar 19, 2020 at 11:22 AM Saku Ytti wrote:
> On Thu, 19 Mar 2020 at 19:33, Lee Starnes wrote:
> >
> > CPU on 6509b: CPU utilization for five seconds: 62%/22%; one minute: 42%;
> > five minutes: 42%
>
> The 2nd number is I/O, so you're software switching something. What
> and why may be complex to answer and my 7600 memories seem to be
> ethanol soluble.
>
> First thing I'd try is to capture punted packets.
>
> show plat cap buffer asic pinnacle slot N port 4 direction out priority lo
> show plat cap buffer collect for 5
> show plat cap buffer data filt
> show plat cap buffer data sample X
>
> N == your SUP slot
> 4 is direction out (out from fabric to rp).
>
> Then look for something which shouldn't have been punted, and look at
> that prefix in mls cef.
>
> --
> ++ytti
[c-nsp] 6509 w/SUP720-3BXL and high CPU load
Hello,

We are seeing on one of our 6509 chassis high CPU load (50-90%). We are not seeing this on our other chassis and they are all optioned the same. The one difference is that this chassis is sending traffic on one incoming 10gig interface out to another 6509, where that traffic is destined to hit its gateway and then go out to the internet. A simple diagram is below.

10G serverB - 6509b - 6509a - asr9000 - internet
10G serverA - 6509a - asr9000 - internet

While I know this is not ideal, it is what it is until server B can get moved to a different VLAN. The issue is that 6509b has a high CPU load of 50-90% while 6509a has a CPU load of 4%. Traffic from server B is about 4.8G and traffic from server B is about 5G.

I have gone through the troubleshooting high CPU load on sup720 document here:
https://community.cisco.com/t5/networking-documents/troubleshooting-high-cpu-on-a-6500-with-sup720/ta-p/3126932
and every time I find something that gives me that ah-ha moment, I check it on the other switch and see that it is the same or higher as to ACL usage or other items.

So my question is, what is the best way to track down what this high CPU load is?

CPU on 6509b: CPU utilization for five seconds: 62%/22%; one minute: 42%; five minutes: 42%
CPU on 6509a: CPU utilization for five seconds: 3%/1%; one minute: 14%; five minutes: 14%

Any help would be greatly appreciated. Pulling my hair out trying to figure out why.

Thanks,
-Lee
Re: [c-nsp] ASR9K XR 6.4.2 and SNMP monitoring
Hello Bruce,

I did check out both the alarm and environment MIBs and none of the OIDs in them come back as valid. In fact, a walk of those enterprise OIDs results in "no such object on this agent".

Best,
-Lee

On Tue, Dec 17, 2019 at 2:44 PM Bruce Pinsky wrote:
> On 12/17/2019 2:30 PM, Lee Starnes wrote:
> > Hello everyone,
> >
> > I am trying to find out if there is a way to monitor the CRIT, MAJ, MIN and
> > Fail alarms via SNMP. I read through a boatload of documentation on SNMP
> > monitoring for the ASR but was not able to find anything on these alarms. I
> > want to poll the system for status, bit trap send them.
> >
> > Does anyone know if this is possible?
> > These are the alarms we are looking for,
> >
> > #sh environment leds
> > Tue Dec 17 14:25:26.016 PST
> > R/S/I    Modules    LED              Status
> > 0/RSP0/*
> >          host       Critical-Alarm   Off
> >          host       Major-Alarm      Off
> >          host       Minor-Alarm      Off
> >          host       ACO              Off
> >          host       Fail             Off
> > 0/RSP1/*
> >          host       Critical-Alarm   Off
> >          host       Major-Alarm      Off
> >          host       Minor-Alarm      Off
> >          host       ACO              Off
> >          host       Fail             Off
> >
>
> Have you looked at the Entity Alarm MIB?
>
> ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENTITY-ALARM-MIB.my
>
> Full list of ASR1K MIBs here
> ftp://ftp.cisco.com/pub/mibs/supportlists/asr1000/asr1000-supportlist.html
>
> --
> =
> bep
[c-nsp] ASR9K XR 6.4.2 and SNMP monitoring
Hello everyone,

I am trying to find out if there is a way to monitor the CRIT, MAJ, MIN and Fail alarms via SNMP. I read through a boatload of documentation on SNMP monitoring for the ASR but was not able to find anything on these alarms. I want to poll the system for status, bit trap send them.

Does anyone know if this is possible? These are the alarms we are looking for,

#sh environment leds
Tue Dec 17 14:25:26.016 PST
R/S/I    Modules    LED              Status
0/RSP0/*
         host       Critical-Alarm   Off
         host       Major-Alarm      Off
         host       Minor-Alarm      Off
         host       ACO              Off
         host       Fail             Off
0/RSP1/*
         host       Critical-Alarm   Off
         host       Major-Alarm      Off
         host       Minor-Alarm      Off
         host       ACO              Off
         host       Fail             Off

Best,
-Lee
Re: [c-nsp] 6509 SUP720 ROMMON upgrade troubles
Thank you Ron. That was exactly what it was. First time I have run into needing to replace a battery on any Cisco blades. Makes me wonder if I have failed batteries in chassis that have been in service for 4+ years.

Thanks again for your help.

-Lee

On Sat, Feb 23, 2019 at 5:36 PM Ron M. wrote:
> You might check the little CMOS battery on the left side of the MSFC3.
> I've run into NVRAM corruption issues that generally revolve around that
> battery being low/dead. It's definitely replaceable, I've done that a
> couple times already.
>
> On Fri, Feb 22, 2019 at 5:50 PM Lee Starnes wrote:
>
>> Hello,
>>
>> I have a SUP720-3BXL that is running ROMMON 8.1 and am trying to upgrade to
>> 8.5(3). I have gone through the upgrade steps, and upon reload it retains
>> the correct version. However, if I power cycle the chassis, it reverts back
>> to 8.1 and lands in ROMMON.
>>
>> If I boot the OS and do an "upgrade rom slot 6 pref region1" and
>> then reload, version 8.5(3) ROMMON is now active again. But again if I
>> power cycle, it goes away. Is there something that I am doing wrong?
>>
>> In all cases, it always drops into ROMMON on boot and I have to issue
>> boot to get it to boot. However if I insert a different SUP of the
>> same model with the upgraded ROMMON, the chassis boots fine.
[c-nsp] 6509 SUP720 ROMMON upgrade troubles
Hello,

I have a SUP720-3BXL that is running ROMMON 8.1 and am trying to upgrade to 8.5(3). I have gone through the upgrade steps, and upon reload it retains the correct version. However, if I power cycle the chassis, it reverts back to 8.1 and lands in ROMMON.

If I boot the OS and do an "upgrade rom slot 6 pref region1" and then reload, version 8.5(3) ROMMON is now active again. But again if I power cycle, it goes away. Is there something that I am doing wrong?

In all cases, it always drops into ROMMON on boot and I have to issue boot to get it to boot. However if I insert a different SUP of the same model with the upgraded ROMMON, the chassis boots fine.
[c-nsp] PBR or ABF on XR for 12000 series
Hello all,

I have a need to be able to do policy based routing for next-hop set, but can't find anything that works in XR. We presently are doing this with VRFs but need to move away from the VRFs because this causes the ipv6_io to crash over and over when doing this for IPv6 traffic. Are there any options on the 12000 besides the VRFs? This is on a 12410 chassis.

LC/0/2/CPU0:Feb 15 13:23:18.287 : dumper[52]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:23:18.300 : dumper[52]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-SIGSEGV : Thread 4 received SIGSEGV - Segmentation Fault
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-SIGSEGV_INFO : Accessed BadAddr 0x7c479003 at PC 0x7831e254. Signal code 1 - SEGV_MAPPER. Address not mapped.
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 6045792 (pkg/bin/ipv6_io)

Thanks in advance,
-Lee
[c-nsp] Cisco ASA 5512x VPN to Cradlepoint
Hello All,

Does anyone have any good links on how to best set up an IPSec VPN tunnel from an ASA to a Cradlepoint that is on an LTE connection with a dynamic IP? I have all the configuration for the Cradlepoint side done, but am having difficulty with the ASA side since the Cradlepoint is on a dynamic IP.

Best Regards,
Lee
[c-nsp] A9K-SIP-700 and SPA compatibility
Hello everyone.

I am having difficulty finding any documentation on Cisco's site that would provide a compatibility matrix of which Cisco SPAs are supported on the A9K-SIP-700. Trying to find out if we can use some existing SPA-1x10GE-WL-V2 and SPA-1x10GE-L-V2 adapters in the SIP-700 in the 9010 chassis with an RSP-440. Does anyone have a link to a Cisco document that lists the SPAs supported, or know if these are supported?

Best regards,
-Lee
Re: [c-nsp] OSPF routing question
Thank you all for the distance change to 254. That resolved the issue.

On Tue, Jul 17, 2018 at 7:57 PM, Erik Sundberg wrote:
> Lee,
>
> Change the Floating static route to an administrative distance of 254, so it is higher than OSPF.
>
> router static
>  address-family ipv4 unicast
>   45.x.x.0/22 Null0 254
>
> When the route is learned via OSPF it will have a metric of 110 and the ospf route will be installed into the routing table.
>
> When the route is not learned via OSPF the floating static route on your Edge router will be active. This will still allow BGP to advertise the route.
>
> Also, if you don't want to advertise the floating static route to other devices in your network you can do the following.
>
> Adding the tag 1 on the static route will stop it from being redistributed in your network.
>
> router static
>  address-family ipv4 unicast
>   45.x.x.0/22 Null0 254 tag 1
>
> router ospf 1
>  log adjacency changes
>  redistribute static route-policy IPV4-OSPF-REDIST-STATIC
>
> route-policy IPV4-OSPF-REDIST-STATIC
>   if tag eq 1 then
>     drop
>   endif
>   done
>
> If a static route has the tag of 1 it will not be redistributed into OSPF, so the rest of the network will not learn about the route.
>
> Side note, most ISPs will only advertise their Loopback and Core "Circuits" IPs in their IGP. They will run iBGP between all of their devices and allow BGP to redistribute the static and connected interfaces. BGP is also easier to manipulate routes on your network. Send me an email if you would like to know more.
>
> Here is an old but still very relevant power point on this.
>
> https://www.pacnog.org/pacnog2/track2/routing/a3-1up.pdf
> 3 - OSPF for ISPs - PacNOG: Deploying OSPF for ISPs, ISP/IXP Workshops (Cisco Systems, 2005)
>
> From: cisco-nsp on behalf of Lee Starnes
> Sent: Tuesday, July 17, 2018 4:17:25 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] OSPF routing question
>
> Hello everyone,
>
> I have a question about OSPF route redistribution. We have no issues redistributing subnets in the network out of our /19 blocks. But we have a /22 block where the entire /22 is allocated to a single client. The routes redistribute across all the switches except back to the edge routers that announce them via BGP to our upstream carriers. This is because there are hold-down routes for BGP on them for the same size IP block. Is there a way to allow the /22 block to propagate to the edge routers and still maintain the hold-down routes we need to announce that /22 via BGP to our various upstream carriers?
>
> Edge routers are configured as such:
>
> router static
>  address-family ipv4 unicast
>   45.x.x.0/22 Null0 19
>
> router bgp ASNUMBER
>  address-family ipv4 unicast
>   network 45.x.x.0/22
>
> router ospf NUMBER
>  log adjacency changes
>  redistribute connected
>  redistribute static
>  area W.X.Y.Z
>   !
>   interface TenGigE0/3/0/0
>    passive disable
>   !
>   interface TenGigE0/3/3/0
>    passive disable
>   !
>
> Any ideas are greatly appreciated.
>
> -Lee
[c-nsp] OSPF routing question
Hello everyone,

I have a question about OSPF route redistribution. We have no issues redistributing subnets in the network out of our /19 blocks. But we have a /22 block where the entire /22 is allocated to a single client. The routes redistribute across all the switches except back to the edge routers that announce them via BGP to our upstream carriers. This is because there are hold-down routes for BGP on them for the same size IP block. Is there a way to allow the /22 block to propagate to the edge routers and still maintain the hold-down routes we need to announce that /22 via BGP to our various upstream carriers?

Edge routers are configured as such:

router static
 address-family ipv4 unicast
  45.x.x.0/22 Null0 19

router bgp ASNUMBER
 address-family ipv4 unicast
  network 45.x.x.0/22

router ospf NUMBER
 log adjacency changes
 redistribute connected
 redistribute static
 area W.X.Y.Z
  !
  interface TenGigE0/3/0/0
   passive disable
  !
  interface TenGigE0/3/3/0
   passive disable
  !

Any ideas are greatly appreciated.

-Lee
Re: [c-nsp] Nexus 7k Upgrade Path
Sorry, memory served me wrong, should use long timeout, not short.

Sent from my iPhone

> On Feb 23, 2018, at 7:49 PM, Hunter Fuller <hf0...@uah.edu> wrote:
>
> We were required to use long LACP timers for one upgrade. The show impact command will tell all, in this regard.
>
> As Mike mentioned, if an stp change occurs it will rollback the ISSU.
>
>> On Fri, Feb 23, 2018 at 21:39 Michael Lee <fwis...@gmail.com> wrote:
>> Make sure to use short lacp timeout, no spanning-tree change during the upgrade
>>
>> Also boot disk array status
>>
>> Mike
>>
>> Sent from my iPhone
>>
>>> On Feb 23, 2018, at 4:16 PM, Hunter Fuller <hf0...@uah.edu> wrote:
>>>
>>> On Fri, Feb 23, 2018 at 8:06 AM Justin M. Streiner <strei...@cluebyfour.org> wrote:
>>>
>>>> Vendors also sometimes conflate "ISSU" and "hitless", or their documentation doesn't always make it clear that an ISSU carries the potential of outages.
>>>
>>> For what it is worth - there is a NX-OS command for checking whether an ISSU will be hitless: "show install all impact ?" will show you what you need to know.
>>>
>>> We don't run much Nexus stuff, but we did upgrade our Nexus 7010 from version 4.something all the way to 7.2 with only ISSU. We had to do some careful planning, and some ISSU did fail, but the failure and rollback was just as hitless as the successes, and it told us what needed to be corrected for the future.
>>>
>>> So far so good, with this strategy. I am very surprised to hear people talking about their problems with the ISSU process. I could not be happier with it.
>>>
>>> # show system uptime
>>> System start time: Sat Dec 20 17:54:34 2014
>>> System uptime: 1161 days, 4 hours, 36 minutes, 22 seconds
>>>
>>> --
>>> Hunter Fuller
>>> Network Engineer
>>> VBH Annex B-5
>>> +1 256 824 5331
>>>
>>> Office of Information Technology
>>> The University of Alabama in Huntsville
>>> Systems and Infrastructure
Re: [c-nsp] Nexus 7k Upgrade Path
Make sure to use short lacp timeout, no spanning-tree change during the upgrade

Also boot disk array status

Mike

Sent from my iPhone

> On Feb 23, 2018, at 4:16 PM, Hunter Fuller wrote:
>
> On Fri, Feb 23, 2018 at 8:06 AM Justin M. Streiner wrote:
>
>> Vendors also sometimes conflate "ISSU" and "hitless", or their documentation doesn't always make it clear that an ISSU carries the potential of outages.
>
> For what it is worth - there is a NX-OS command for checking whether an ISSU will be hitless: "show install all impact ?" will show you what you need to know.
>
> We don't run much Nexus stuff, but we did upgrade our Nexus 7010 from version 4.something all the way to 7.2 with only ISSU. We had to do some careful planning, and some ISSU did fail, but the failure and rollback was just as hitless as the successes, and it told us what needed to be corrected for the future.
>
> So far so good, with this strategy. I am very surprised to hear people talking about their problems with the ISSU process. I could not be happier with it.
>
> # show system uptime
> System start time: Sat Dec 20 17:54:34 2014
> System uptime: 1161 days, 4 hours, 36 minutes, 22 seconds
>
> --
> Hunter Fuller
Re: [c-nsp] Basic IP to Port finding question on Cisco 3850
On 7/26/17, Aaron Gould <aar...@gvtc.com> wrote:
> Are you talking about like this ?

does "show ip arp 10.101.15.21" work?

Lee

> 3750#sh ip arp vlan 4000
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.101.15.1           171   4055.3970.f265  ARPA   Vlan4000
> Internet  10.101.15.7           171   0cd5.02c0.cd4c  ARPA   Vlan4000
> Internet  10.101.15.16            -   0013.8039.eac1  ARPA   Vlan4000
> Internet  10.101.15.21          185   001c.5779.d841  ARPA   Vlan4000
>
> 3750#sh mac address-table dynamic | in 4055.3970.f265
> 4000    4055.3970.f265    DYNAMIC     Gi1/0/26
>
> -Aaron
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
> Sent: Wednesday, July 26, 2017 11:16 AM
> To: cisco-nsp <cisco-nsp@puck.nether.net>
> Subject: [c-nsp] Basic IP to Port finding question on Cisco 3850
>
> I think this is a basic question but Googling has not helped me much so I’m hopeful someone can shed the clue light on me a bit.
>
> I’m trying to find the specific port an IP address is attached to on a 3850 in L3 mode with SVI interfaces. So for example if I do a show arp a.b.c.d I’ll get the MAC and the SVI attached. If I do a show VLAN ID X I see the port members but there are many, let’s say 10 or more per VLAN. Is there an easy way to detect which port either the IP is received on or the MAC address that is displayed in the show arp? Everything I’m doing seems to show the SVI that’s in play but not the specific gig port that the device is attached to and mapped to the VLAN as a member. This seems like the sort of thing that would be easy to figure out but I’m stumped. Any pointers would be most appreciated.
>
> Thanks and sorry for such a rudimentary question.
>
> Scott
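The arp-to-mac-address-table chase Aaron shows above, written up as a small parser so the two outputs can be joined automatically when tracking a host down to a switch port. This is an added example, not code from the thread; the sample output is constructed in the layout of the 3750 snippets (the first four ARP rows and the Gi1/0/26 entry are the thread's values, the Gi1/0/3, Po1 and Incomplete rows are made up):

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample output in the layout of the "sh ip arp" and
# "sh mac address-table" snippets from the thread. Rows beyond the ones
# quoted there (Gi1/0/3, Po1, the Incomplete entry) are made up.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.101.15.1           171   4055.3970.f265  ARPA   Vlan4000
Internet  10.101.15.7           171   0cd5.02c0.cd4c  ARPA   Vlan4000
Internet  10.101.15.16            -   0013.8039.eac1  ARPA   Vlan4000
Internet  10.101.15.21          185   001c.5779.d841  ARPA   Vlan4000
Internet  10.101.15.99            0   Incomplete      ARPA
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
4000    4055.3970.f265    DYNAMIC     Gi1/0/26
4000    0cd5.02c0.cd4c    DYNAMIC     Gi1/0/3
4000    001c.5779.d841    DYNAMIC     Po1
Total Mac Addresses for this criterion: 3
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# Internet <ip> <age|-> <mac> ARPA <interface>; rows without a MAC don't match
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(" + MAC + r")\s+ARPA\s+(\S+)", re.I)
# <vlan> <mac> <type> <port>; header and "Total ..." lines don't match
MAC_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+(\S+)\s+(\S+)", re.I)


def parse_arp(text: str) -> Dict[str, Tuple[str, str, bool]]:
    """ip -> (mac, svi, is_local). Incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, svi = m.groups()
            # Age "-" marks the switch's own SVI address, not a host
            table[ip] = (mac.lower(), svi, age == "-")
    return table


def parse_mac_table(text: str) -> Dict[Tuple[str, str], str]:
    """(vlan, mac) -> port."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, _mtype, port = m.groups()
            table[(vlan, mac.lower())] = port
    return table


def locate_ip(ip: str, arp_text: str, mac_text: str) -> Optional[dict]:
    """Join the ARP entry for ip with the MAC table of its VLAN.

    Returns None when the IP has no resolved ARP entry; port is None when
    the MAC is not in the dynamic table (e.g. the switch's own address).
    """
    entry = parse_arp(arp_text).get(ip)
    if entry is None:
        return None
    mac, svi, is_local = entry
    vlan = svi[len("vlan"):] if svi.lower().startswith("vlan") else None
    port = parse_mac_table(mac_text).get((vlan, mac)) if vlan else None
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "local": is_local}


if __name__ == "__main__":
    for ip in ("10.101.15.1", "10.101.15.21", "10.101.15.16", "10.101.15.99"):
        print(ip, locate_ip(ip, SHOW_IP_ARP, SHOW_MAC_TABLE))
```

A port-channel or trunk uplink such as Po1 means the host sits behind another switch, so the mac address-table lookup is repeated there.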
Re: [c-nsp] Nexus OIDs
On 3/13/17, Paul Koch <paul.koch...@gmail.com> wrote:
> On Mon, 27 Feb 2017 14:05:24 -0500
> Lee <ler...@gmail.com> wrote:
>
>> ...
>> I can almost understand the people that insist on using OIDs instead of names for polling, but not using names makes it somewhere between difficult & impossible to figure out from an snmpwalk which mib variables one wants to look at. The MIB files are here
>> ftp://ftp.cisco.com/pub/mibs/v1/v1.tar.gz
>> ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz
>
> Yer, OID numbers are "only" meant to be used under the hood. People should really be using MIB module/object names. Here's a useful list of oid numbers/module/object names from our MIB parser/compiler. It contains 3838 MIBs and 465009 objects.
>
> https://www.akips.com/downloads/akips_mibs.txt.gz

Sweet! I'd get the Cisco OID files
ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz
along with the v[12].tar.gz files and then create a master list:

$ cat create-oids-all.txt
delete everything in directory OIDs
unzip oid.tar.gz to OIDs
from a cygwin command prompt
cd /cygdrive/c/ ..whatever.. /OIDs
cat * | sort -k 2,2 -k 1 | uniq | awk '{printf("%-50s %s\n", $1, $2) }' >| ../oids_all.txt
unix2dos ../oids_all.txt

Not as extensive as your list, but an exact match for the mibs I just downloaded.

Regards,
Lee
Re: [c-nsp] Nexus OIDs
On 2/27/17, Mike Hammett <cisco-...@ics-il.net> wrote:
> I apparently don't have oid2name on my system, nor can I figure out how to get it into Ubuntu 16.04.

Sorry - I forgot it's one of my aliases:
alias oid2name='snmptranslate $@'

> However...
>
> I got iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.12.3.1.3.1508

$ snmptranslate iso.3.6.1.4.1.9.12.3.1.3.1508
CISCO-ENTITY-VENDORTYPE-OID-MIB::cevChassisN9KC9396PX

$ grep 1508 CISCO-ENTITY-VENDORTYPE-OID-MIB.my
cevChassisN9KC9396PX    OBJECT IDENTIFIER ::= { cevChassis 1508 }    -- Cisco chassis for 2RU TOR, 48x10GF+12x40G QSFP

> iso.3.6.1.4.1.9.12.3.1.3.1508 = No Such Object available on this agent at this OID
>
> I poked around in some MIBs, but yeah, all I could find was the basic reference to each of what I posted, but up one level. I mean I know what it is by looking at the data, but I'm trying to do the legwork for the OSS_SNMP guys to be able to follow a sort of chain of command to get to those results.

I can almost understand the people that insist on using OIDs instead of names for polling, but not using names makes it somewhere between difficult & impossible to figure out from an snmpwalk which mib variables one wants to look at. The MIB files are here
ftp://ftp.cisco.com/pub/mibs/v1/v1.tar.gz
ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz

Regards,
Lee

> Then again, maybe Cisco doesn't support that.
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> - Original Message -
>
> From: "Lee" <ler...@gmail.com>
> To: "Mike Hammett" <cisco-...@ics-il.net>
> Cc: cisco-nsp@puck.nether.net
> Sent: Monday, February 27, 2017 11:35:59 AM
> Subject: Re: [c-nsp] Nexus OIDs
>
> what does this get you
> snmpget .1.3.6.1.2.1.1.2.0
>
> $ oid2name .1.3.6.1.2.1.1.2.0
> RFC1213-MIB::sysObjectID.0
>
> from the mib:
> sysObjectID OBJECT-TYPE
>     SYNTAX  OBJECT IDENTIFIER
>     ACCESS  read-only
>     STATUS  mandatory
>     DESCRIPTION
>             "The vendor's authoritative identification of the
>             network management subsystem contained in the
>             entity.  This value is allocated within the SMI
>             enterprises subtree (1.3.6.1.4.1) and provides an
>             easy and unambiguous means for determining `what
>             kind of box' is being managed.  For example, if
>             vendor `Flintstones, Inc.' was assigned the
>             subtree 1.3.6.1.4.1.4242, it could assign the
>             identifier 1.3.6.1.4.1.4242.1.1 to its `Fred
>             Router'."
>     ::= { system 2 }
>
> everything you listed is in the entity mib, which is a bit of a pain to figure out
>
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.2.149
> ENTITY-MIB::entPhysicalDescr.149
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.7.149
> ENTITY-MIB::entPhysicalName.149
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.10
> ENTITY-MIB::entPhysicalModelName.10
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.22
> ENTITY-MIB::entPhysicalModelName.22
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.149
> ENTITY-MIB::entPhysicalModelName.149
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.10
> ENTITY-MIB::entPhysicalSerialNum.10
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.22
> ENTITY-MIB::entPhysicalSerialNum.22
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.149
> ENTITY-MIB::entPhysicalSerialNum.149
>
> Regards,
> Lee
>
> On 2/27/17, Mike Hammett <cisco-...@ics-il.net> wrote:
>> I did an SNMPWalk of two of my Nexus switches looking for what has the model and serial numbers. I found several, sometimes with slightly different information. The MIBs on Cisco's site don't go down this far either. I was wondering if someone could point me as to the differences among them and\or which one would be "more standard" across product lines.
>>
>> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "Nexus 3548 Chassis"
>> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "Nexus 3548 Chassis"
>> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N3K-C3548P-10GX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N3K-C3548P-10GX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N3K-C3548P-10GX"
>> iso.3.6.1.2.1.47.1.1.1.1.11.10 = STRING: "[redacted]"
>> iso.3.6.1.2.1.47.1.1.1.1.11.149 = STRING: "[redacted]"
>>
>> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "N9K-C9396PX"
>> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "N9K-C9396PX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N9K-C9396PX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N9K-C9396PX"
>> iso.
Re: [c-nsp] Nexus OIDs
what does this get you
snmpget .1.3.6.1.2.1.1.2.0

$ oid2name .1.3.6.1.2.1.1.2.0
RFC1213-MIB::sysObjectID.0

from the mib:
sysObjectID OBJECT-TYPE
    SYNTAX  OBJECT IDENTIFIER
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
            "The vendor's authoritative identification of the
            network management subsystem contained in the
            entity.  This value is allocated within the SMI
            enterprises subtree (1.3.6.1.4.1) and provides an
            easy and unambiguous means for determining `what
            kind of box' is being managed.  For example, if
            vendor `Flintstones, Inc.' was assigned the
            subtree 1.3.6.1.4.1.4242, it could assign the
            identifier 1.3.6.1.4.1.4242.1.1 to its `Fred
            Router'."
    ::= { system 2 }

everything you listed is in the entity mib, which is a bit of a pain to figure out

+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.2.149
ENTITY-MIB::entPhysicalDescr.149
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.7.149
ENTITY-MIB::entPhysicalName.149
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.10
ENTITY-MIB::entPhysicalModelName.10
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.22
ENTITY-MIB::entPhysicalModelName.22
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.149
ENTITY-MIB::entPhysicalModelName.149
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.10
ENTITY-MIB::entPhysicalSerialNum.10
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.22
ENTITY-MIB::entPhysicalSerialNum.22
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.149
ENTITY-MIB::entPhysicalSerialNum.149

Regards,
Lee

On 2/27/17, Mike Hammett <cisco-...@ics-il.net> wrote:
> I did an SNMPWalk of two of my Nexus switches looking for what has the model and serial numbers. I found several, sometimes with slightly different information. The MIBs on Cisco's site don't go down this far either. I was wondering if someone could point me as to the differences among them and\or which one would be "more standard" across product lines.
>
> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "Nexus 3548 Chassis"
> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "Nexus 3548 Chassis"
> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N3K-C3548P-10GX"
> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N3K-C3548P-10GX"
> iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N3K-C3548P-10GX"
> iso.3.6.1.2.1.47.1.1.1.1.11.10 = STRING: "[redacted]"
> iso.3.6.1.2.1.47.1.1.1.1.11.149 = STRING: "[redacted]"
>
> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.11.10 = STRING: "[redacted]"
> iso.3.6.1.2.1.47.1.1.1.1.11.22 = STRING: "[redacted]"
> iso.3.6.1.2.1.47.1.1.1.1.11.149 = STRING: "[redacted]"
>
> -
> Mike Hammett
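The snmptranslate lookups in Lee's reply above, and the two-column oids_all.txt master list from the 3/13/17 reply earlier in this archive, reproduced as one added example that is not part of the thread: a longest-prefix OID-to-name resolver that rewrites raw snmpwalk lines, including OID-valued objects such as sysObjectID. The numeric OIDs in the table are the ones quoted in the thread; prefixing each name with its MIB module is an assumption made here for readability (the raw Cisco oid files carry bare object names):

```python
import re
from typing import Dict, List, Tuple

Arcs = Tuple[int, ...]

# Constructed "name  oid" table in the layout of Lee's oids_all.txt.
# OIDs are those quoted in the thread; the MODULE:: prefixes are an assumption.
OID_TABLE = """\
RFC1213-MIB::sysObjectID                                 1.3.6.1.2.1.1.2
ENTITY-MIB::entPhysicalDescr                             1.3.6.1.2.1.47.1.1.1.1.2
ENTITY-MIB::entPhysicalName                              1.3.6.1.2.1.47.1.1.1.1.7
ENTITY-MIB::entPhysicalSerialNum                         1.3.6.1.2.1.47.1.1.1.1.11
ENTITY-MIB::entPhysicalModelName                         1.3.6.1.2.1.47.1.1.1.1.13
CISCO-ENTITY-VENDORTYPE-OID-MIB::cevChassisN9KC9396PX    1.3.6.1.4.1.9.12.3.1.3.1508
"""


def to_arcs(oid: str) -> Arcs:
    """Turn '.1.3.6...' or net-snmp's 'iso.3.6...' spelling into a tuple of ints."""
    oid = oid.strip().lstrip(".")
    if oid == "iso" or oid.startswith("iso."):
        oid = "1" + oid[3:]          # the root arc 'iso' is 1
    return tuple(int(a) for a in oid.split("."))


def load_table(text: str) -> Dict[Arcs, str]:
    """Parse the two-column master list into arcs -> name."""
    table: Dict[Arcs, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[to_arcs(parts[1])] = parts[0]
    return table


def translate(oid: str, table: Dict[Arcs, str]) -> str:
    """Longest-prefix match, as snmptranslate does: known prefix + instance arcs."""
    arcs = to_arcs(oid)
    for n in range(len(arcs), 0, -1):
        name = table.get(arcs[:n])
        if name is not None:
            rest = ".".join(str(a) for a in arcs[n:])
            return f"{name}.{rest}" if rest else name
    return "." + ".".join(str(a) for a in arcs)   # unknown: keep numeric form


def translate_walk_line(line: str, table: Dict[Arcs, str]) -> str:
    """Rewrite one 'oid = TYPE: value' line of snmpwalk output."""
    oid, sep, rest = line.strip().partition(" = ")
    if not sep:
        return line
    vtype, colon, value = rest.partition(": ")
    if vtype == "OID" and colon:      # OID-valued objects such as sysObjectID
        rest = f"OID: {translate(value, table)}"
    return f"{translate(oid, table)} = {rest}"


TABLE = load_table(OID_TABLE)

# Constructed walk lines built from the values quoted in the thread.
SAMPLE_WALK: List[str] = [
    'iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.12.3.1.3.1508',
    'iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N9K-C9396PX"',
    'iso.3.6.1.2.1.47.1.1.1.1.11.22 = STRING: "[redacted]"',
    'iso.3.6.1.4.1.9.12.3.1.3.1508 = No Such Object available on this agent at this OID',
]

if __name__ == "__main__":
    for line in SAMPLE_WALK:
        print(translate_walk_line(line, TABLE))
```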
Re: [c-nsp] Taboo Topic? Third party Maintenance
On 1/24/17, James Bensley <jwbens...@gmail.com> wrote:
> On 24 January 2017 at 10:04, <adamv0...@netconsultings.com> wrote:
>>> Simon Lockhart
>>> Sent: Tuesday, January 24, 2017 8:09 AM
>>>
>>> On Tue Jan 24, 2017 at 09:02:18AM +0100, Gert Doering wrote:
>>>> On Mon, Jan 23, 2017 at 07:33:08PM -0500, Charles Sprickman via cisco-nsp wrote:
>>>>> I have to say, I haven't been impressed with their support in a long time. We have smartnet really just for hardware, and recently I figured that since we have support, I'd actually try and offload a task that I hate - picking a stable version of IOS that has all the security issues resolved.
>>>>
>>>> Bwahahaha. Sorry.
>>>
>>> We were also told that if we wanted Cisco to do a 'bug scrub', to see if we would be affected by any known bugs, then they offer this as a separately chargeable service. Yes, really, they want us to pay them more money to find out how buggy their code releases are...
>>>
>> How it works is
> ...
>> It's a long and tedious process and it costs a small fortune, but I think it's worth it.
>> At least you get a more detailed map of the minefield.
>
> In the case of Cisco a bug scrub comes from Cisco AS. I could have bought a house for the amount we spent with AS and not only that, we could have just rented all the kit we need, done this ourselves in the lab and probably had change for beer at the end.
>
> Also a month or two after our bug scrub was completed the new major milestone/stable versions of code for the devices we had tested was released (our scrub was finished when "X" was the stable recommended version) so we said to our AS engineer "now that X+1 is out, and you recommended X, do you think we should go for X" and they obviously said "yes".

Interesting.. I'd get an offer for a bug scrub on the new version.

> If you have the resources then I'm not such a fan of this service.

On the other hand, when Cisco does a bug scrub they see _all_ the bugs, not just the publicly visible ones. There's been a couple of times I've gone back & forth with our AS engineer about the details of some bug that had no public description & a time or two when he suggested we hold off on an upgrade until after the psirt announcement.

Regards,
Lee
Re: [c-nsp] Cisco WAAS on DICOM image transfer - Clarifications and recommendations
> a. With compression enabled, this would also improve the transfer time of images.

Only if the images aren't already compressed & it seems like they might be:
https://en.wikipedia.org/wiki/DICOM
  Pixel data can be compressed using a variety of standards, including JPEG, Lossless JPEG, JPEG 2000, and Run-length encoding (RLE).

Regards,
Lee

On 12/27/16, Arun Kumar <narain.a...@gmail.com> wrote:
> Hi Netpros,
>
> We have been doing a POC with one of our healthcare customers who are using radiation imaging using DICOM/PACS standards. We are evaluating benefits of WAAS with respect to this specific application. Expectations from the customer are two-fold:
>
> a. Reduce the transfer time of images between application and endhost (radiation device)
>
> b. Optimize WAN bandwidth and perform consistently with varying network performance (latency and packet loss)
>
> Referring to this Cisco whitepaper on this topic:
> http://www-v6.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/waasapno...
> <http://www-v6.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/waasapnotes.pdf>
>
> POC is conducted with various features turned on in WAAS - 1. TFO only 2. TFO with LZ and LZ 3. TFO with DRE-adaptive
>
> Observations are below:
>
> 1. TFO only - Could not see any benefit compared to without WAAS turned on
>
> 2. TFO and LZ - Could see benefits shown in WAAS CM (18% between original and optimized traffic). But there is no improvement on the transfer time. Also the peak bandwidth remains the same on the WAN
>
> 3. TFO, DRE adaptive and LZ - See huge benefits due to caching - both on bandwidth savings and transfer time
>
> Since the customer would not typically re-transmit the same images multiple times in a day, caching is not applicable to the customer network.
>
> Below are the clarifications and recommendations that we seek after the POC:
>
> a. With compression enabled, this would also improve the transfer time of images. We are not seeing it though. Can this be related to compression and decompression time taken by vWAAS which is off-setting the end to end WAN latency (50ms). Or any settings to be enabled to see transfer time improvements?
>
> b. For TFO to be effective, do we have to increase the buffer size and window size?
>
> c. Any recommendations on the WAAS settings specific to DICOM image transfer?
>
> Thanks in advance,
>
> Arun
Re: [c-nsp] leap sec adjust. may crash linux based platforms
On 12/22/16, Roland Dobbins <rdobb...@arbor.net> wrote:
>
> On 21 Dec 2016, at 23:45, Lukas Tribus wrote:
>
>> Some Linux based platforms (IOS-XE, NX-OS) may crash on December 31st 23:59:59 due to the upcoming leap second adjustment.
>
> 'Following a comprehensive review by the Cisco leap second team, we are pleased to offer the following information. Our experience of the 2008, 2012 and 2015 leap second introductions, combined with our recent assessment of potential impacts for our current solutions, suggest that the leap second introduction is unlikely to represent a material event for Cisco products in our customers’ networks.'
>
> Doesn't quite add up . . . ?

... assessment of potential impacts for our >>current<< solutions

None of the versions listed at
http://www.nts.eu/en/networksecurity-en/linux-kernel-crashes-due-leap-second-injection/
are current solutions - correct?

Lee
Re: [c-nsp] IPv6 routing vs IPv4 Nating
On 8/22/16, Scott Voll <svoll.v...@gmail.com> wrote:
> I'm not really able to wrap my mind around what best practice would be.
>
> Currently I have two exit points in my network. BGP / iBGP. Two Firewalls behind those. Each Firewall has an IPv4 Class C to NAT to.
>
> With publicly Routed IPv6 not nat'ing how do I set up the firewalls / bgp to route correctly? Do I have to leak all IPv6 routes to the internal network to make sure the IPv6 address comes back to the correct Firewall? Also thinking about redundancy if one ISP / BGP router / Firewall goes down, I need it to dynamically reroute to the other side. See attached.
>
> Thanks for your input. maybe I'm just missing something easy.

Nope - you're not missing anything. I had the same question:
https://mailman.nanog.org/pipermail/nanog/2012-July/050324.html
I never did get a good answer for how to deal with multiple exits, stateful firewalls, automatic failover & asymmetric routing on the list. What we ended up with was http proxies at each exit doing DLP, a/v, web reputation filtering, etc. The Internet traffic came back to the proxies so everything Just Worked.

Regards,
Lee
[c-nsp] ASA for IPv6
Hi,

Currently I have an ASA 5580 with IPv4 NAT set up (public IP outside and RFC 1918 inside). I am considering running IPv6 with Public IPv6 outside and Public IPv6 inside (routing mode). Just wondering if there is anything I would need to consider (except CPU, memory and sessions).

Thanks,
~mike
Re: [c-nsp] 6500/7600 TCAM Usage
> In my 5 year old experience, the badness would continue even if you removed some routes and TCAM usage dropped to (let's say) 95% again. The problem would only be solved by reboot. Is this still the case?

Yup, a reboot is still required to recover.
Re: [c-nsp] ios tcp defaults
On 4/22/16, Sebastian Beutel wrote:
> Hi List,
>
> in some kind of spring-cleaning of our configuration collection, I encountered some lines that differ from Cisco's defaults in many of our switches. The Cisco default for the lines in question is like this:
>
> no ip tcp selective-ack
> no ip tcp path-mtu-discovery
>
> This makes me wonder because I believe that pmtu discovery and selective ack are good things. Furthermore, in our heritage config defaults selective-ack and path-mtu-discovery are explicitly enabled.
>
> The question I like to ask is therefore: Does anyone know why Cisco chose to disable this by default and am I right that it's safe these days to enable it?

My attitude is that every feature enabled = another attack surface enabled. So the question is how likely is the attack vs. how much benefit is the feature.

I don't know what attack[s] enabling selective-ack opens up, but there's probably something. Enabling path MTU discovery [used to? still does??] open up the possibility of an attacker dropping the MTU down to 68 bytes. On the other hand, if the do not fragment bit is clear (ie. path mtu discovery off) you're supposed to assume an MTU of 576 bytes for off-subnet traffic, so maybe something bad will happen vs. guaranteed performance hit with pmtud disabled. have a look at
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20050412-icmp.html

All that said, I like having pmtud & selective ack enabled. Your security office might have a different opinion.

Regards,
Lee
Re: [c-nsp] necessity of nowadays
On 3/23/16, Sebastian Beutel <sebastian.beu...@rus.uni-stuttgart.de> wrote:
> Hi List,
>
> I've been pondering about the real need for udld nowadays, each time it bites me in a case of false positive. At least since we have gigabit SFPs it became almost impossible to willfully provoke a unidirectional link: The physical port already detects missing light and goes down.
> Moreover, the main use of udld (prevent unidirectional loops in an stp topology) has also lost importance since link aggregation has replaced load balancing via multiple or per vlan stp topologies.
> That's why I am asking myself whether udld is a residue that nowadays causes more harm than it prevents and should therefore not be used anymore. At least on gigabit and faster links and if there are no really dumb media converters involved.
>
> What do you think?

I had almost the same question
http://puck.nether.net/pipermail/cisco-nsp/2016-January/101487.html
and the same experience of udld shutdowns always being a false positive on Gb links.

& it is worth your time to take a look at BRKDCT-2333

Regards,
lee
Re: [c-nsp] CVE-2016-1287 and old pix units
On 2/19/16, Joe Pruett wrote:
> i can't find any mention of older pix systems (515 and friends). are they
> too old for cisco to care about? or are they actually not affected? even
> if cisco won't provide a fix, at least knowing if they are vulnerable
> would be nice.
>
> anyone on the list have any knowledge one way or the other?

Too old:
http://www.cisco.com/c/en/us/products/collateral/security/pix-500-series-security-appliances/pix_eos.html

  As of July 28, 2008, Cisco PIX Security Appliance platforms/bundles are no longer being sold. Customers can still purchase accessories and licenses until January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013.
Re: [c-nsp] loop guard still useful?
Thanks for the response.

On 1/18/16, Michele Bergonzoni <berg...@labs.it> wrote:
>> Using the dispute mechanism included in the IEEE 802.1D-2004 RSTP
>> standard... I'm wondering if there's any reason to keep loop guard
>> configured
>
> I think the dispute mechanism can detect unidirectionality where data out of
> the designated bridge is lost (which is enough to prevent loops), not the
> unidirectionality in the other direction.

Which is my point .. or question - enable RSTP on all the switches in the network and you don't need loop guard. Correct?

> So the dispute does half of what UDLD does, if I got it right.
>
> Loop guard is different, it protects only from self-looped ports.

My understanding is that it keeps stp blocked ports blocking if the other side stops sending BPDUs:
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10596-84.html

  The loop guard feature makes additional checks. If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role. The port moves to the STP forwarding state and creates a loop.

and a lot further down

  loop guard does not work on shared links or in situations where the link has been unidirectional since the link-up.

So it seems like loop guard isn't needed if rstp is enabled.

> I don't
> know if the wording of RSTP are written in a way to protect you from that,
> but I'm sure that the original STP standard was written in such a way that
> any compliant implementation was unable to block the loop caused by a
> self-looped port.

If self-looped means the port sends a frame and then receives the same frame, you're right, stp doesn't protect you from that.

> Most vendors quietly worked around this, and I don't know if 802.1d
> corrected this error in the previous standard. I know that it is very
> unlikely to find a switch whose STP can't protect you from such a
> situation.
>
> So I bet that if you use RSTP you can disable loopguard, and if you like
> UDLD there is still a reason to use it.

No, I don't like UDLD at all - too many bad experiences with it. It was a necessary evil with cat5500s and 100Mb fiber connections, but you don't need UDLD on 1Gb fiber links.

Thanks,
Lee
Re: [c-nsp] loop guard still useful?
On 1/18/16, Saku Ytti <s...@ytti.fi> wrote:
> On 18 January 2016 at 10:57, Michele Bergonzoni <berg...@labs.it> wrote:
>
> Hey,
>
>> So the dispute does half of what UDLD does, if I got it right.
>
> Ethernet with autonegotiation on should detect unidirectional links
> automatically and go down on both ends at RTT/2 delay.

I remember 100Mb fiber connections on cat5500s could have unidirectional links, but a quick search gives me this
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10591-77.html

  Most recently, fiber FastEthernet hardware implementations have Far End Fault Indication (FEFI) functions in order to bring the link down on both sides in these situations.

so apparently 100Mb fiber doesn't have that problem any more. I don't think 1 or 10Gb fiber ever did..

Lee
Re: [c-nsp] loop guard still useful?
On 1/18/16, Saku Ytti <s...@ytti.fi> wrote:
> On 18 January 2016 at 21:22, Lee <ler...@gmail.com> wrote:
>> so apparently 100Mb fiber doesn't have that problem any more. I don't
>> think 1 or 10Gb fiber ever did..
>
> I believe if you implement autonego, you have to implement RFI. But
> I'm not 100% sure about that.
>
> IEEE 802.3 standard isn't exactly easiest standard to read. But there
> are quite many surprising goodies in autonego which are usually not
> known, not just RFI. Autonego can assert when link is configured
> operationally down, meaning far-end could produce syslog information
> about link going down, because far end was configured down, which
> would help lot with troubleshooting, when you can know if far-side is
> intentionally down or not.
> My understanding of reading hardware specs is that this feature is
> even supported in typical PHY, however I've NEVER seen software using
> this feature.
>
> I'd love recommendation on good, modern book about 802.3, with
> irrelevant bits not addressed, relevant bit discussed and practical
> view offered on how things are actually implemented in modern, common
> hardware. So far any book I've read, does not even discuss autonego in
> satisfactory detail, and I fear what else am I missing due to my
> unwillingness to weed through 802.3.

If you get any off-list replies please post a summary. I haven't seen any good books about ethernet in ages, but I haven't really been looking either.

Lee
Re: [c-nsp] loop guard still useful?
On 1/18/16, Michele Bergonzoni <berg...@labs.it> wrote:
>> So it seems like loop guard isn't needed if rstp is enabled.
>
> I have no operational experience with loop guard, but from the description
> it seems to me that in order to trigger it the interface must become
> unidirectional *after* link up.

Right

> Thus, if your Joe Average while
> troubleshooting does a shut/no shut, he actually gets the loop.

I'm not sure about shut/no shut but a reboot after the link goes unidirectional -- yes, you get a loop.

> So it will protect you on the other unidirectionality side, but not in all
> possible sequences of events.
>
> If you are operating an all-cisco net you might take a look at bridge
> assurance. I have no operational experience with it as well (apart from
> disabling it in the nexus), but looks much more like a bidirectional
> keepalive at the STP layer. It is proprietary and violates the standard as I
> understand it.

Sounds like loop guard except there's now edge, normal and network port types with network ports going into blocking/inconsistent state if they don't see BPDUs. Loop guard puts a port into blocking/inconsistent state if it _stops_ seeing BPDUs on a port.

>> No, I don't like UDLD at all - too many bad experiences with it
>
> In fact after what Saku said I would consider trusting the layer 1, but I
> usually work in a multivendor environment, YMMV.

Right - it does sound like rstp might be good enuf.

Regards,
Lee
[c-nsp] loop guard still useful?
I just saw this bit about RSTP detecting unidirectional links:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/spantree.html#wp1098785

  Detecting Unidirectional Link Failure

  Using the dispute mechanism included in the IEEE 802.1D-2004 RSTP standard, the switch checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops. When a designated port detects a conflict, it keeps its role, but reverts to a discarding (blocking) state because disrupting connectivity in case of inconsistency is preferable to opening a bridging loop.

So I'm wondering if there's any reason to keep loop guard configured on a switch? Any current hardware that doesn't support rapidSTP? Some other reason??

Thanks,
Lee
Re: [c-nsp] OSPF flapping ME3400
Thanks Lukas. We are running SDM default. The attacks are to IPs that are routed by the switch but are on the other end of the ethernet link to the client. No attack on the switch itself.

As to TCAM warnings, would not have any in the logs at this time. This took place last a couple weeks ago and was more interested in blocking the traffic that was causing the problem at the time. Since the traffic was 800Kpps I suspect it was just too much for the switch to deal with. I will have to see what shows up in the logs for TCAM issues and processes next time. While we have since put rate limits in at all our core routers, I suspect this will help prevent this from happening as often. Just wondered if there was a best practice on dampening the flaps should that happen.

show sdm prefer
The current template is "default" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

Best regards,
-Lee

On Tue, Dec 8, 2015 at 1:56 AM, Lukas Tribus <luky...@hotmail.com> wrote:
> Hi!
>
>> Hello everyone,
>>
>> We have some ME3400 switches that are doing OSPF. These work fine and have
>> for a couple years now. However, if a link on them (100M) gets hit with a
>> ddos attack, the switch will start OSPF flapping. This in turn causes all
>> the others to do the same. Is there a way to dampen the flapping affect so
>> that it does not cause a massive network outage?
>
> Does the DDoS target a customer routed by this ME3400 or does the DDoS
> target the ME3400 itself?
>
> Do you have "show proc cpuc sort" from the DoS and in normal production?
>
> Honestly, this sounds like the ME3400 would route in software. Any TCAM
> warnings in the log? Do you use the correct sdm template?
>
> Provide outputs:
> show proc cpuc sort
> show ip route summary
> show log | inc TCAM
> show sdm prefer
>
> In case the SDM template is layer 2, switch to "default":
> http://www.cisco.com/c/en/us/td/docs/switches/metro/me3400/software/release/12-2_55_se/configuration/guide/ME3400_scg/swsdm.html
>
> Regards,
> Lukas
[c-nsp] OSPF flapping ME3400
Hello everyone,

We have some ME3400 switches that are doing OSPF. These work fine and have for a couple years now. However, if a link on them (100M) gets hit with a ddos attack, the switch will start OSPF flapping. This in turn causes all the others to do the same. Is there a way to dampen the flapping effect so that it does not cause a massive network outage? Are there best practices for this? Any pointers or config best practices would be greatly appreciated.

Thank you.

-Lee
Re: [c-nsp] N5K Auto Qos
On 10/25/15, Mohammad Khalil <eng_m...@hotmail.com> wrote:
> Hi all
> I am looking for configuring auto qos voip trust on my switched network
> My issue is that I have several uplinks (trunks) connected to my N5K box
> According to what I know the command does not exist on the NX-OS , and by
> default Nexus will trust Cos and DSCP values
> So , if I have configured auto qos voip trust from my IOS switch and left
> the Nexus uplink as it is , the QoS will work ?

For various definitions of "work"

Traffic will be treated differently on the IOS boxes with QOS enabled, there will be no change on the NX-OS boxes but at least the cos/dscp markings won't be changed so that if/when the traffic gets to another IOS box your QOS settings will also work there.

Regards,
Lee
Re: [c-nsp] Spanning Tree works great - except when it doesn't
On 10/16/15, Jason Lixfeld <ja...@lixfeld.ca> wrote:
> You could use RANCID, or you could use something like Ansible.

Right - I can probably do it with RANCID.

On every switch, collect the output from
  sh int trunk
  sh cdp nei
and then
  save list of vlans defined (ie. "vlan xxx" or "xxx-yyy" lines) by switch
  for every trunk port
    flag ports where 'vlans allowed' does not match 'vlans allowed & active'
    save device name, port, vlans allowed, cdp neighbor, cdp neighbor port
  run thru the list of vlans allowed & check every one is defined
  run thru the list of cdp neighbors & flag ports where 'vlans allowed' != neighbor port 'vlans allowed'

But I was hoping that someone had already written that script :)

> Bronwyn and
> Matt did a great NetDevOps presentation that described how you could use
> Ansible for things like that in Montreal a couple weeks back.
>
> https://www.youtube.com/watch?v=ArqvSGRzUBw

I managed to watch almost 30 minutes & bailed; for mass updates I tend to use rancid:

$ cat doit
#!/bin/sh
# apply the same command to a set of devices
cat > ~/cmdList <

>> On Oct 15, 2015, at 8:23 PM, Lee <ler...@gmail.com> wrote:
>>
>>>> The downstream switchport was also configured for native vlan of 999 - BUT
>>>> vlan999 was not created in the vlan database so defaulted to ...
>>
>> Does anyone know of a program that will check all of the trunk ports
>> on switches for vlans allowed + vlans allowed and active on both sides
>> of a trunk port?
>>
>> Seems like it shouldn't be all _that_ hard to write, but downloading
>> an already written program is easier still :)
>>
>> Thanks,
>> Lee
>>
>> On 10/15/15, Patrick M. Hausen <hau...@punkt.de> wrote:
>>> Hi, Nick,
>>>
>>>> On 15.10.2015 at 13:43, Nick Cutting <ncutt...@edgetg.co.uk> wrote:
>>>> I came across a curly one like this a few months back - turned out the STP
>>>> handling of native VLan frames VS a non-created but configured native vlan
>>>> on the downstream switch port.
>>>> The downstream switchport was also configured for native vlan of 999 - BUT
>>>> vlan999 was not created in the vlan database so defaulted to expecting STP
>>>> frames untagged I think - it was something like that.
>>>
>>> You nailed it! for some reason that I now need to investigate
>>> I do not have VLAN 999 in my VLAN database.
>>>
>>> *argh*
>>>
>>> Thanks, everyone.
>>> Patrick
>>> --
>>> punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
>>> Tel. 0721 9109 0 * Fax 0721 9109 100
>>> i...@punkt.de http://www.punkt.de
>>> Gf: Jürgen Egeling AG Mannheim 108285
Re: [c-nsp] Spanning Tree works great - except when it doesn't
On 10/16/15, Ian Henderson <i...@ianh.net.au> wrote:
> On 16 Oct 2015, at 11:23 AM, Lee <ler...@gmail.com> wrote:
>> Does anyone know of a program that will check all of the trunk ports
>> on switches for vlans allowed + vlans allowed and active on both sides
>> of a trunk port?
>
> Netdisco.

I can't tell from the docs if netdisco will catch the situation where switch1 is connected to switch2 & they have a mismatched vlans allowed list. In other words, can netdisco flag this misconfiguration:

-- switch1
int g0/0
 desc link_to_switch2.g0/0
 switchport trunk allowed vlans 1-9

-- switch2
int g0/0
 desc link_to_switch1.g0/0
 switchport trunk allowed vlans 1

And can Netdisco flag the situation where
>>> I do not have VLAN 999 in my VLAN database.
(earlier context stripped; basically the problem was something like both switch ports had "switchport trunk allowed vlans 1-9" but one switch didn't have vlan 9 defined)

Thanks,
Lee
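The check Lee sketches in his reply to Jason (compare "vlans allowed" with "vlans allowed and active", make sure every allowed VLAN is defined, then compare both ends of each CDP-discovered trunk) and the two-switch mismatch he shows Ian above, written out as an added Python example. This is not a script from the thread or from RANCID/Netdisco; it assumes the show-command output has already been collected per device, and the sample output it runs on is constructed, not a real capture.

```python
"""Trunk-consistency audit over collected show-command output (added example).

Not a script from the thread: it implements the steps Lee sketched (allowed
vs allowed-and-active, every allowed VLAN defined, both ends of a
CDP-discovered trunk agreeing) over constructed IOS-style output; collecting
that output with RANCID or Ansible is assumed to have happened already.
"""
import re

SECTION_HEADERS = {"Vlans allowed on trunk": "allowed",
                   "Vlans allowed and active in management domain": "active"}
CDP_LINE = re.compile(r"^(?P<dev>\S+)\s+(?P<local>[A-Za-z]+ ?[\d/]+)\s+\d+\s+"
                      r"[A-Z ]+?\s+\S+\s+(?P<remote>[A-Za-z]+ ?[\d/]+)\s*$")

def parse_vlan_list(spec):
    """Expand '1-5,7,9-10' into a set of VLAN ids; '' or 'none' is the empty set."""
    vlans, spec = set(), spec.strip()
    if spec.lower() in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def normalize_ifname(name):
    """'GigabitEthernet0/0', 'Gig 0/0' and 'Gi0/0' all become 'Gi0/0'."""
    m = re.match(r"\s*([A-Za-z]{2})[A-Za-z-]*\s*(\S+)", name)
    return m.group(1) + m.group(2) if m else name.strip()

def parse_show_trunk(text):
    """{port: {'allowed': set, 'active': set}} from 'show interfaces trunk'."""
    ports, section = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("Port"):  # every 'Port ...' column header opens a section
            section = SECTION_HEADERS.get(line[4:].strip())
        elif section is not None:  # Mode/Status and STP-forwarding sections skipped
            name, _, spec = line.partition(" ")
            ports.setdefault(normalize_ifname(name), {})[section] = parse_vlan_list(spec)
    return ports

def parse_defined_vlans(config):
    """VLAN ids from 'vlan N' / 'vlan N-M' lines of the running config."""
    defined = set()
    for m in re.finditer(r"^vlan ([\d,-]+)$", config, re.MULTILINE):
        defined |= parse_vlan_list(m.group(1))
    return defined

def parse_cdp_neighbors(text):
    """{local port: (neighbour hostname, neighbour port)} from 'show cdp neighbors'."""
    neighbors = {}
    for line in text.splitlines():
        m = CDP_LINE.match(line.strip())
        if m:  # Device ID may carry a domain suffix; keep the hostname only
            peer = (m.group("dev").split(".")[0], normalize_ifname(m.group("remote")))
            neighbors[normalize_ifname(m.group("local"))] = peer
    return neighbors

def audit(inventory):
    """Return (device, port, problem, detail) tuples; an empty list is a clean pass."""
    parsed = {dev: {"ports": parse_show_trunk(o["trunk"]),
                    "defined": parse_defined_vlans(o["config"]),
                    "cdp": parse_cdp_neighbors(o["cdp"])} for dev, o in inventory.items()}
    findings = []
    for dev, info in parsed.items():
        for port, vl in info["ports"].items():
            allowed, active = vl.get("allowed", set()), vl.get("active", set())
            if allowed != active:
                findings.append((dev, port, "allowed != allowed-and-active", sorted(allowed - active)))
            if allowed - info["defined"]:
                findings.append((dev, port, "allowed VLAN not defined", sorted(allowed - info["defined"])))
            if port not in info["cdp"]:
                continue  # no CDP neighbour, so no far end to compare against
            peer_dev, peer_port = info["cdp"][port]
            peer = parsed.get(peer_dev, {}).get("ports", {}).get(peer_port)
            if peer is None:
                findings.append((dev, port, "neighbour port not trunking or not collected", [peer_dev, peer_port]))
            elif allowed != peer.get("allowed", set()):
                findings.append((dev, port, "allowed list differs from neighbour",
                                 sorted(allowed ^ peer.get("allowed", set()))))
    return findings

# Constructed sample output, not a real capture: switch1 allows 1-9 on the trunk
# but has no VLAN 6 defined, while switch2 allows only VLAN 1 on its end.
SAMPLE_INVENTORY = {
    "switch1": {
        "trunk": "Port   Mode   Encapsulation  Status    Native vlan\n"
                 "Gi0/0  on     802.1q         trunking  1\n\n"
                 "Port   Vlans allowed on trunk\nGi0/0  1-9\n\n"
                 "Port   Vlans allowed and active in management domain\nGi0/0  1-5,7-9\n",
        "config": "hostname switch1\nvlan 1\nvlan 2-5\nvlan 7-9\n",
        "cdp": "Device ID    Local Intrfce  Holdtme  Capability  Platform  Port ID\n"
               "switch2.lab  Gig 0/0        160        S I       WS-C3750  Gig 0/0\n",
    },
    "switch2": {
        "trunk": "Port   Vlans allowed on trunk\nGi0/0  1\n\n"
                 "Port   Vlans allowed and active in management domain\nGi0/0  1\n",
        "config": "hostname switch2\nvlan 1\nvlan 2-9\n",
        "cdp": "Device ID    Local Intrfce  Holdtme  Capability  Platform  Port ID\n"
               "switch1.lab  Gig 0/0        145        S I       WS-C3750  Gig 0/0\n",
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

Run as-is, `audit(SAMPLE_INVENTORY)` reports four findings: switch1 Gi0/0 allows VLAN 6 that is neither active nor defined, and both ends of the trunk disagree on the allowed list (2-9 on one side only). Feeding it real output only requires filling the inventory with the three collected files per device; the neighbour lookup by CDP hostname is why the Device ID is reduced to its hostname.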
Re: [c-nsp] Spanning Tree works great - except when it doesn't
>> The downstream switchport was also configured for native vlan of 999 - BUT
>> vlan999 was not created in the vlan database so defaulted to ...

Does anyone know of a program that will check all of the trunk ports on switches for vlans allowed + vlans allowed and active on both sides of a trunk port?

Seems like it shouldn't be all _that_ hard to write, but downloading an already written program is easier still :)

Thanks,
Lee

On 10/15/15, Patrick M. Hausen <hau...@punkt.de> wrote:
> Hi, Nick,
>
>> On 15.10.2015 at 13:43, Nick Cutting <ncutt...@edgetg.co.uk> wrote:
>> I came across a curly one like this a few months back - turned out the STP
>> handling of native VLan frames VS a non-created but configured native vlan
>> on the downstream switch port.
>> The downstream switchport was also configured for native vlan of 999 - BUT
>> vlan999 was not created in the vlan database so defaulted to expecting STP
>> frames untagged I think - it was something like that.
>
> You nailed it! for some reason that I now need to investigate
> I do not have VLAN 999 in my VLAN database.
>
> *argh*
>
> Thanks, everyone.
> Patrick
> --
> punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
> Tel. 0721 9109 0 * Fax 0721 9109 100
> i...@punkt.de http://www.punkt.de
> Gf: Jürgen Egeling AG Mannheim 108285
Re: [c-nsp] NTP Setup
On 3/8/15, M K gunner_...@live.com wrote:
> Hi
> What is the best setup for NTP to be implemented in a network? Linux server
> with ntpd package installed and all devices pointing to it? or a core router
> with public access synchronized with public clock and all devices pointing to it?

You should have at least three NTP servers.

Not sure what core router with public access means, but I wouldn't want anything outside my network being able to access a service on a core router. If you really want to go that way, I'd suggest using a couple of 7200s that aren't doing anything else.

I'd say the better setup* would be 3 or 5 servers running ntpd getting their clock from GPS or wireless cell phone towers using Internet time servers as a backup

Regards,
Lee

* wrt price/performance. even better would be each ntp server having its own high quality clock
Re: [c-nsp] SNMP for ip virtual-reassembly
On 2/6/15, Brian Christopher Raaen mailing-li...@brianraaen.com wrote:
> Does anyone know an OID I can poll to track the ip virtual-reassembly counters.

If you mean ip packet reassembly, there's the rfc-1213 mib

  ipReasmReqds OBJECT-TYPE
      SYNTAX  Counter
      ACCESS  read-only
      STATUS  mandatory
      DESCRIPTION
              "The number of IP fragments received which needed to
              be reassembled at this entity."
      ::= { ip 14 }

  ipReasmOKs OBJECT-TYPE
      SYNTAX  Counter
      ACCESS  read-only
      STATUS  mandatory
      DESCRIPTION
              "The number of IP datagrams successfully re-
              assembled."
      ::= { ip 15 }

  ipReasmFails OBJECT-TYPE
      SYNTAX  Counter
      ACCESS  read-only
      STATUS  mandatory
      DESCRIPTION
              "The number of failures detected by the IP re-
              assembly algorithm (for whatever reason: timed
              out, errors, etc). Note that this is not
              necessarily a count of discarded IP fragments
              since some algorithms (notably the algorithm in
              RFC 815) can lose track of the number of fragments
              by combining them as they are received."
      ::= { ip 16 }

> Also is there a reliable method to determine how much CPU is being consumed
> by this process?

dunno, but since you asked the question on a cisco specific mailing list, try looking at CISCO-PROCESS-MIB.my

Regards,
Lee
Re: [c-nsp] IOS-XR and PBR
Hi Oliver,

Since we have no default routes and all backbone links are full BGP minus default route, I am going to assume that the second permit statement won't work here. Would this just get specified as any since the first entry would be matched for local netblocks and it would not go further in the ACL?

These special case customers all are fed from a single 6509 to the border router that contains their one carrier of choice, but that border router contains several backbone links and each border router also having links to each other. I suspect that for simplifying this, we can match against traffic on the link coming from that 6509 to the border router.

Thanks for the pointers.

-Lee

On Wed, Sep 10, 2014 at 11:09 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>> I am looking to setup some policy based routing on an IOS-XR router. From
>> what I understand, XR does not have PBR, but ABF. When looking at how ABF
>> works, I don't see how to set a next hop route (only next hop per TCP port).
>
> well, you can direct any traffic matching an ACE (be it layer 3 or 4) to a
> chosen next-hop.
>
>> My question then would be, how does one accomplish this on XR? What I need
>> to do is allow a particular IP block to only have access to one of our
>> backbone carriers and not the others. We have their /24 only announced out
>> the one carrier, but for outbound traffic, I want to make sure their
>> traffic remains on that carrier but also have access to our local routes
>> (all our local customers and local networks). Is this something that can
>> be done with ABF
>
> Yes, it can be done, but possibly a bit more difficult:
>
> ipv4 access-list ABF
>  permit CUST/24 your-own-netblocks
>  permit CUST/24 0.0.0.0/0 next-hop your-upstream-provider
>
> not sure how your topology looks and where you would need to apply this
> forwarding rule, but the next-hop can be directly connected or resolve via
> some form of tunnel (including LDP/LSP).
>
> oli
Re: [c-nsp] IOS-XR and PBR
Looks like I may not have this feature as these are 12410XR chassis. Here is what I have in our lab environment.

RP/0/9/CPU0:lab-router(config)#ipv4 access-list ABF
RP/0/9/CPU0:lab-router(config-ipv4-acl)#permit ipv4 10.10.10.0/24 172.16.0.0/19
RP/0/9/CPU0:lab-router(config-ipv4-acl)#permit ipv4 10.10.10.0/24 any ?
  dscp           Match packets with given DSCP value
  fragments      Check non-initial fragments
  log            Log matches against this entry
  log-input      Log matches against this entry, including input interface
  packet-length  Check packet length
  precedence     Match packets with given precedence
  <cr>
RP/0/9/CPU0:lab-router(config-ipv4-acl)#permit ipv4 10.10.10.0/24 any

-Lee

On Thu, Sep 11, 2014 at 12:37 AM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>> Since we have no default routes and all backbone links are full BGP minus
>> default route, I am going to assume that the second permit statement won't
>> work here. Would this just get specified as any since the first entry would
>> be matched for local netblocks and
>
> sorry, 0.0.0.0/0 should be any.. so the first line matches traffic to your
> networks (and it just passes through normally and will be forwarded
> according to your RIB/FIB), and the 2nd matches traffic from this customer
> block to anything else, which then will be ABF'ed to your upstream.
>
>> it would not go further in the ACL?
>
> it actually would, so I missed a permit ipv4 any any catch-all at the end of
> the ACL to ensure traffic from other sources is forwarded normally.. it is a
> regular ACL, the ABF directives are just inserted into it. Need more coffee..
>
>> These special case customers all are fed from a single 6509 to the border
>> router that contains their one carrier of choice, but that border router
>> contains several backbone links and each border router also having links to
>> each other. I suspect that for simplifying this, we can match against
>> traffic on the link coming from that 6509 to the border router.
>
> exactly, that sounds straight-forward, just apply this inbound and you're set..
>
> oli
>
>> Thanks for the pointers.
>>
>> -Lee
>>
>> On Wed, Sep 10, 2014 at 11:09 PM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
>>>> I am looking to setup some policy based routing on an IOS-XR router. From
>>>> what I understand, XR does not have PBR, but ABF. When looking at how ABF
>>>> works, I don't see how to set a next hop route (only next hop per TCP port).
>>>
>>> well, you can direct any traffic matching an ACE (be it layer 3 or 4) to a
>>> chosen next-hop.
>>>
>>>> My question then would be, how does one accomplish this on XR? What I need
>>>> to do is allow a particular IP block to only have access to one of our
>>>> backbone carriers and not the others. We have their /24 only announced out
>>>> the one carrier, but for outbound traffic, I want to make sure their
>>>> traffic remains on that carrier but also have access to our local routes
>>>> (all our local customers and local networks). Is this something that can
>>>> be done with ABF
>>>
>>> Yes, it can be done, but possibly a bit more difficult:
>>>
>>> ipv4 access-list ABF
>>>  permit CUST/24 your-own-netblocks
>>>  permit CUST/24 0.0.0.0/0 next-hop your-upstream-provider
>>>
>>> not sure how your topology looks and where you would need to apply this
>>> forwarding rule, but the next-hop can be directly connected or resolve via
>>> some form of tunnel (including LDP/LSP).
>>>
>>> oli
[c-nsp] IOS-XR and PBR
Hello,

I am looking to setup some policy based routing on an IOS-XR router. From what I understand, XR does not have PBR, but ABF. When looking at how ABF works, I don't see how to set a next hop route (only next hop per TCP port).

My question then would be, how does one accomplish this on XR? What I need to do is allow a particular IP block to only have access to one of our backbone carriers and not the others. We have their /24 only announced out the one carrier, but for outbound traffic, I want to make sure their traffic remains on that carrier but also have access to our local routes (all our local customers and local networks). Is this something that can be done with ABF or is this something that has to be done with VRF or VRF lite? If VRF/lite, does anyone have an example config that might be able to be shared as a starting point? We are running XR 4.3.0.

Thank you for your time.

-Lee
Re: [c-nsp] 7301 - copper vs fibre port throughput
On 9/1/14, Tom Storey t...@snnap.net wrote:
> The other end was a Cisco 3750 switch. Originally just a straight copper
> patch, but with only 10/100 ports on the 3750 it autoneg'd at 100/full on
> both ends just fine

>>> After moving the ISP link over to fibre, the throughput shot up to
>>> 500-600mbit (NATed.)

fibre port is 1Gb, right?

Lee

> They are happy with the fibre uplink and will leave it that way. I was
> hoping someone might have been aware of some kind of obvious limitation of
> the copper ports or something.
>
> On 31 August 2014 22:39, Łukasz Bromirski luk...@bromirski.net wrote:
>> On 31 Aug 2014, at 23:00, Tom Storey t...@snnap.net wrote:
>>> Hi all.
>>>
>>> Been watching a thread on a forum where someone using a 7301 was
>>> suffering rather lousy speeds through a 7301 when using an onboard copper
>>> port between him and his ISP - only able to obtain about 25mbit or so of
>>> throughput (all traffic NATed.)
>>>
>>> After moving the ISP link over to fibre, the throughput shot up to
>>> 500-600mbit (NATed.)
>>>
>>> There's not much room for playing around with the setup at this stage, but
>>> does anyone have any ideas why this might be so? The onboard ports are all
>>> gigabit as far as I know, whether or not you use copper or fibre, and the
>>> copper port auto negotiated at 100/full with the remote device so I can't
>>> think of a reason for the disparity.
>>
>> And how was the fiber connected on the other end? It looks like problem
>> with the autonegotiation. Or maybe flow control - is the remote device
>> using fiber natively and going to copper through some intermediate
>> converter? Those can cause such problems also.
>>
>> We need way more info to get this through troubleshooting. Or maybe they
>> should involve TAC?
>>
>> --
>> "There's no sense in being precise when | Łukasz Bromirski
>>  you don't know what you're talking     | jid:lbromir...@jabber.org
>>  about."               John von Neumann | http://lukasz.bromirski.net
Re: [c-nsp] Spantree .1Q packets received on non-trunk port.
Thanks Chris for breaking it down. Makes sense.

On Wed, Aug 27, 2014 at 6:14 AM, Chris Marget ch...@marget.com wrote:
> On Tue, Aug 26, 2014 at 7:32 PM, Lee Starnes lee.t.star...@gmail.com wrote:
>> they are providing an access port for us. This is un-tagged traffic at the
>> remote site
>
>> if I connect a cisco switch to it with the port on the cisco configured as
>> an access port, I get the error below.
>>
>> 00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk
>> FastEthernet0/3 VLAN638.
>> 00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on VLAN0638.
>> Inconsistent port type.
>
> untagged != access in Cisco land.
>
> Cisco switches (at least those running rapid-pvst+) send an extra TLV in
> their spanning tree BPDUs. The TLV indicates the VLAN associated with the
> STP instance.
>
> The switch configuration probably looks something like:
>
>  interface x/y
>   switchport mode trunk
>   switchport trunk native vlan 638
>   switchport trunk allowed vlan 638
>
> The configuration you're expecting is:
>
>  interface x/y
>   switchport mode access
>   switchport access vlan 638
>
> Transit traffic in vlan 638 is handled identically by both configurations.
> The spanning tree BPDUs are not the same.
>
> The first case (untagged traffic via native VLAN on a trunk) marks the VLAN
> number in the extra TLV in the BPDU, which will upset Cisco STP speakers
> which know to interpret it. I think the error which results is the one
> you're seeing.
>
> /chris
Re: [c-nsp] Spantree .1Q packets received on non-trunk port.
Thanks Mike. Lot of great information. Thanks for taking the time to post this. Very helpful. -Lee On Tue, Aug 26, 2014 at 10:56 PM, Mike Hale eyeronic.des...@gmail.com wrote: when the handoff is an access port Because I don't think it's actually configured as an access port. The behavior of the interface mimics exactly what you had to configure on yours...that is, a trunk port with a native VLAN defined. If the configuration is what I think it is, the reason the tech's equipment functioned the way it did was two fold. First, the gear didn't care about STP packets. So when configured as an access port, the test gear sent untagged packets onto the interface which the upstream provider's switch put into VLAN 638 (because their interface had 638 configured as a native vlan). The reason it didn't work when configured as a trunk is because the device didn't have the native vlan configured. So it tried to send packets, tagged with VLAN 638; this failed because the default behavior on the Cisco gear I've worked with is to drop packets that are tagged with the native VLAN. Aren't BPDU's normally part of STP's chatter? Yes, but in my experience BPDUs are only sent on 'infrastructure' ports. That is, ports that are trunked or have special STP settings applied for uplinks. Access ports die (as the OP experienced) when they notice STP packets in order to prevent a loop. On Tue, Aug 26, 2014 at 7:55 PM, Brielle Bruns br...@2mbit.com wrote: On 8/26/14 7:34 PM, Lee Starnes wrote: Thanks Mike. That took care of the problem, but still not sure why I would have to set the port up as a trunk port when the handoff is an access port. When the carrier tested the port, they tested it as an access port and then tried to test it as a trunk port and their test set failed when in trunk mode. Very odd. Anyway, thanks again. Aren't BPDU's normally part of STP's chatter? I get errors like that when my MSTP instance settings are mismatched between switches. Perhaps its a mix of issues. 
> >
> > --
> > Brielle Bruns
> > The Summit Open Source Development Group
> > http://www.sosdg.org/ http://www.ahbl.org
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Spantree .1Q packets received on non-trunk port.
Hello,

Been fighting with a carrier about a problem that we are seeing that I have not been able to get resolved. They are handing off a Metro-E circuit at one of our remote sites and they are providing an access port for us. This is un-tagged traffic at the remote site and tagged at our NNI. I can plug in a laptop to this port at the remote site and pass traffic all the way through our NNI. However, if I connect a cisco switch to it with the port on the cisco configured as an access port, I get the error below.

  00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/3 VLAN638.
  00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on VLAN0638. Inconsistent port type.

Now this happens on a cisco ME3400, a 2950, and 3750g. Is there something that I am doing wrong? The config is as follows on the ME and 2950. Swap out the fastethernet for gigabit.

  !
  interface fastethernet0/3
   switchport mode access
   switchport access vlan 638
  !
  interface vlan 638
   ip address 10.20.30.40 255.255.255.0
  !
  ip default-gateway 10.20.30.1
  !

-Lee
Re: [c-nsp] Spantree .1Q packets received on non-trunk port.
Thanks Mike. That took care of the problem, but still not sure why I would have to set the port up as a trunk port when the handoff is an access port. When the carrier tested the port, they tested it as an access port and then tried to test it as a trunk port and their test set failed when in trunk mode. Very odd. Anyway, thanks again.

On Tue, Aug 26, 2014 at 4:59 PM, Mike Hale <eyeronic.des...@gmail.com> wrote:
> Have you tried turning it into a trunk port and defining 638 as the native vlan? I know it doesn't solve the underlying problem of them not giving you an access port, but it should bring up the interface and let traffic flow (unless their interface is truly trunked without the native vlan config).
>
> On Tue, Aug 26, 2014 at 4:32 PM, Lee Starnes <lee.t.star...@gmail.com> wrote:
> > Hello,
> >
> > Been fighting with a carrier about a problem that we are seeing that I have not been able to get resolved. They are handing off a Metro-E circuit at one of our remote sites and they are providing an access port for us. This is un-tagged traffic at the remote site and tagged at our NNI. I can plug in a laptop to this port at the remote site and pass traffic all the way through our NNI. However, if I connect a cisco switch to it with the port on the cisco configured as an access port, I get the error below.
> >
> >   00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/3 VLAN638.
> >   00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on VLAN0638. Inconsistent port type.
> >
> > Now this happens on a cisco ME3400, a 2950, and 3750g. Is there something that I am doing wrong? The config is as follows on the ME and 2950. Swap out the fastethernet for gigabit.
> >
> >   !
> >   interface fastethernet0/3
> >    switchport mode access
> >    switchport access vlan 638
> >   !
> >   interface vlan 638
> >    ip address 10.20.30.40 255.255.255.0
> >   !
> >   ip default-gateway 10.20.30.1
> >   !
> >
> > -Lee
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
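Editor's added example, not code from any post in this thread: a small Python checker that scans switch syslog for the two messages Lee posted (%SPANTREE-7-RECV_1Q_NON_TRUNK and %SPANTREE-7-BLOCK_PORT_TYPE), counts them per interface and VLAN, and flags any port receiving tagged BPDUs that is not on an allowlist of known provider handoffs. A tagged BPDU arriving on a port you configured as access means the far end is behaving as a trunk; on a carrier handoff that is what Mike described, but on an office-floor port it can just as well be an unauthorized switch. The sample log is constructed: the first two lines copy the format from Lee's post, FastEthernet0/7, VLAN 10 and the LINK-3-UPDOWN line are invented for the example. These are severity 7 messages, so they only reach a collector where logging is set to debugging level.

```python
import re
from collections import defaultdict

# Constructed sample syslog: the first two lines copy the format from the post,
# FastEthernet0/7 and VLAN 10 are invented for this example.
SAMPLE_LOG = """\
00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/3 VLAN638.
00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on VLAN0638. Inconsistent port type.
00:07:22: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/3 VLAN638.
00:09:10: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
00:09:12: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/7 VLAN10.
00:09:12: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/7 on VLAN0010. Inconsistent port type.
"""

RECV_RE = re.compile(
    r"%SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802\.1Q BPDU on non trunk (\S+) VLAN(\d+)\.")
# BLOCK_PORT_TYPE zero-pads the VLAN (VLAN0638), so strip leading zeros before converting.
BLOCK_RE = re.compile(
    r"%SPANTREE-7-BLOCK_PORT_TYPE: Blocking (\S+) on VLAN0*(\d+)\.")


def parse_spantree_events(log_text):
    """Count tagged-BPDU receptions and resulting blocks per (interface, vlan)."""
    events = defaultdict(lambda: {"received": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            events[(m.group(1), int(m.group(2)))]["received"] += 1
            continue
        m = BLOCK_RE.search(line)
        if m:
            events[(m.group(1), int(m.group(2)))]["blocked"] += 1
    return dict(events)


def unexpected_tagged_bpdus(log_text, expected_handoffs):
    """Return (interface, vlan) pairs that saw tagged BPDUs but are not known provider
    handoffs. expected_handoffs is a set of (interface, vlan) pairs, for example
    {("FastEthernet0/3", 638)} for the Metro-E port discussed in the thread."""
    return sorted(key for key in parse_spantree_events(log_text)
                  if key not in expected_handoffs)


if __name__ == "__main__":
    for key, counts in sorted(parse_spantree_events(SAMPLE_LOG).items()):
        print(key, counts)
    print("unexpected:", unexpected_tagged_bpdus(SAMPLE_LOG, {("FastEthernet0/3", 638)}))
```

Feed it the syslog export from your collector; anything it lists as unexpected deserves a look at what is actually plugged into that port before anyone "fixes" it by turning the port into a trunk.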
Re: [c-nsp] pppoe user tool contribution
On 7/4/14, Mike <mike-cisconspl...@tiedyenetworks.com> wrote:
> Hi,
>
> I have a helpful script designed for a service provider environment which queries a 7200/asr1000 and displays information per session for pppoe subscribers including their mac address, and pppoe intermediate agent 'circuit-id' and 'remote-id' strings. I am wondering if there is a repository somewhere where this kind of stuff would find a welcome home?

do you know about http://sourceforge.net/projects/cosi-nms/?source=directory
Re: [c-nsp] ASA5512x VPN route issue
One final reply on this. All works if you set up everything as described in the link you provided, Ulrik. The issue we had was caused by the remote side of the IPsec tunnel ACL not allowing access for the VPN clients' IP block.

Thanks again.

-Lee

On Tue, Jul 1, 2014 at 4:43 PM, Lee Starnes <lee.t.star...@gmail.com> wrote:
> Thanks Ulrik. Confirmed that how that shows to set up is how I have it but still can't pass traffic. I suspect the remote office might be filtering it. This was a cutover from a Fortinet to an ASA but the other side is still a Fortinet when they created the new tunnel. Great link. Thanks for the help.
>
> -Lee
>
> On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers <ulrik.iv...@excanto.se> wrote:
> > Hi,
> >
> > Two things to check:
> >
> > 1. Make sure you have the following in the config:
> >    same-security-traffic permit intra-interface
> >
> > 2. Make sure you have the NAT rules configured correctly so that the traffic between the VPN clients and the remote LAN is NOT translated (or in fact are NAT:ed to themselves). Also, the order of the NAT rules is important.
> >
> > Here's a pretty good writeup:
> > http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
> >
> > /Ulrik
> >
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Starnes
> > Sent: 30 June 2014 23:23
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] ASA5512x VPN route issue
> >
> > Hello,
> >
> > We just set up a new ASA 5512x running v9.1(2). We have about 30 remote Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able to get all the VPN connections up and passing traffic such that remote VPNs can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs can get Internet access via NAT. The one thing we can't seem to get working is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these IP blocks. Doing a packet-tracer, it hangs on the following.
> >
> > Phase: 7
> > Type: WEBVPN-SVC
> > Subtype: in
> > Result: DROP
> > Config:
> > Additional Information:
> >  Forward Flow based lookup yields rule:
> >  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
> >         hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0, protocol=0
> >         src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
> >         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
> >         input_ifc=outside, output_ifc=any
> >
> > Result:
> > input-interface: outside
> > input-status: up
> > input-line-status: up
> > output-interface: inside
> > output-status: up
> > output-line-status: up
> > Action: drop
> > Drop-reason: (acl-drop) Flow is denied by configured rule
> >
> > VPN clients are in 192.168.95.0/24
> > LAN is on 10.158.95.0/24
> > REMOTE LAN is on 10.158.58.0/24
> >
> > VPN clients are set up to tunnel all traffic.
> >
> > Any idea where to look to resolve this one issue?
> >
> > -Lee
Re: [c-nsp] ASA5512x VPN route issue
Thanks Ulrik. Confirmed that how that shows to set up is how I have it but still can't pass traffic. I suspect the remote office might be filtering it. This was a cutover from a Fortinet to an ASA but the other side is still a Fortinet when they created the new tunnel. Great link. Thanks for the help.

-Lee

On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers <ulrik.iv...@excanto.se> wrote:
> Hi,
>
> Two things to check:
>
> 1. Make sure you have the following in the config:
>    same-security-traffic permit intra-interface
>
> 2. Make sure you have the NAT rules configured correctly so that the traffic between the VPN clients and the remote LAN is NOT translated (or in fact are NAT:ed to themselves). Also, the order of the NAT rules is important.
>
> Here's a pretty good writeup:
> http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/
>
> /Ulrik
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lee Starnes
> Sent: 30 June 2014 23:23
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] ASA5512x VPN route issue
>
> Hello,
>
> We just set up a new ASA 5512x running v9.1(2). We have about 30 remote Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able to get all the VPN connections up and passing traffic such that remote VPNs can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs can get Internet access via NAT. The one thing we can't seem to get working is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these IP blocks. Doing a packet-tracer, it hangs on the following.
>
> Phase: 7
> Type: WEBVPN-SVC
> Subtype: in
> Result: DROP
> Config:
> Additional Information:
>  Forward Flow based lookup yields rule:
>  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
>         hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0, protocol=0
>         src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
>         dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
>         input_ifc=outside, output_ifc=any
>
> Result:
> input-interface: outside
> input-status: up
> input-line-status: up
> output-interface: inside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
> VPN clients are in 192.168.95.0/24
> LAN is on 10.158.95.0/24
> REMOTE LAN is on 10.158.58.0/24
>
> VPN clients are set up to tunnel all traffic.
>
> Any idea where to look to resolve this one issue?
>
> -Lee
[c-nsp] ASA5512x VPN route issue
Hello,

We just set up a new ASA 5512x running v9.1(2). We have about 30 remote Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able to get all the VPN connections up and passing traffic such that remote VPNs can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, and the VPNs can get Internet access via NAT. The one thing we can't seem to get working is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these IP blocks. Doing a packet-tracer, it hangs on the following.

  Phase: 7
  Type: WEBVPN-SVC
  Subtype: in
  Result: DROP
  Config:
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
          hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
          input_ifc=outside, output_ifc=any

  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

VPN clients are in 192.168.95.0/24
LAN is on 10.158.95.0/24
REMOTE LAN is on 10.158.58.0/24

VPN clients are set up to tunnel all traffic.

Any idea where to look to resolve this one issue?

-Lee
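Editor's added example, not from any post in this thread: a Python parser for ASA packet-tracer output that walks the numbered phases and reports the first one whose Result is DROP, together with the drop code and Drop-reason from the closing summary block. The sample trace is constructed: phase 3 reproduces the WEBVPN-SVC block and summary from Lee's post, while phases 1 and 2 (ROUTE-LOOKUP and ACCESS-LIST) and the next-hop address are invented so the parser has earlier phases to walk past. In Lee's case the flow turned out to be denied at the remote end, but reading the phase and drop code off the trace is the first step before checking the NAT ordering and same-security-traffic settings Ulrik mentioned.

```python
import re

# Constructed ASA packet-tracer output. Phase 3 and the summary copy the post;
# phases 1 and 2 and the next-hop address are invented filler for the example.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.158.95.1 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

DROP_CODE_RE = re.compile(r"\((\S+)\)")   # the "(acl-drop)" token at the start of Drop-reason


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final summary dict.
    A phase starts at "Phase: N"; the bare "Result:" line opens the closing summary."""
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]),
                       "type": "", "subtype": "", "result": ""}
            phases.append(current)
        elif line == "Result:":
            current = None                       # summary block from here on
        elif current is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    current[key.lower()] = line.split(":", 1)[1].strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip().lower()] = value.strip()
    return phases, summary


def first_drop(text):
    """Return the first DROP phase plus drop code and reason, or None when nothing dropped."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p["result"] == "DROP":
            reason = summary.get("drop-reason", "")
            m = DROP_CODE_RE.match(reason)
            return {"phase": p["phase"], "type": p["type"], "subtype": p["subtype"],
                    "drop_code": m.group(1) if m else "", "drop_reason": reason}
    return None


if __name__ == "__main__":
    print(first_drop(SAMPLE_TRACE))
```

Paste the output of "packet-tracer input outside tcp 192.168.95.7 1025 10.158.58.10 445" (or whatever flow you are chasing) into the function; the drop code tells you which subsystem refused the packet, and the phase type tells you where in the pipeline to look.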
[c-nsp] Cisco model recommendation
Hello everyone,

I am in the need of a recommendation for a Cisco switch that is Layer 2/3, 1U, AC powered and has the same rate limit capability as the ME3400 series has and has 48 ports of 10/100/1000. Does anyone have any experience with a model that would best fit this need? These would not be deployed in remote sites as CPE devices like the ME switches. I just need the ability to do rate limiting and policing of traffic in several office departments. I was looking at the 3650 series, but not sure if this has the same ability to rate limit as the ME switches have.

Any advice or input would be greatly appreciated.

Best.

-Lee
[c-nsp] MTU packet loss problem 12410 XR and 6509
Hello everyone,

A strange MTU issue has popped up and for the life of me I am unable to figure out why. This seems to only affect one Metro-E carrier and only when the traffic passes between the 6500 and the 12410.

  ME Carrier A --- 10G 6509 bundle-ether1(4G)---12410A
  ME Carrier B ---/          \-bundle-ether2(4G)---12410B
  ME Carrier C --/

Traffic that passes from either 12410 to customer links on ME carrier A are seeing MTU issues and packet loss. Traffic across those same links for carriers B and C have no issue. To test this, we can ping from the 12410 to a site on ME carrier A with 1500-byte packet size and get packet loss. The same test to clients on ME carrier B and C have no issues.

Now, since no changes were made on our end and the carrier states no changes were made on their end, we are at a standstill. However, I did see that the MTU size on the 12410's is by default 1514 and the MTU on the 6500 is 1500. Changing this to match 1500 on both sides causes no traffic to pass. I'm not sure why both sides of the bundle-ether interfaces matching MTU causes 100% packet loss.

Anybody have any ideas on why matching MTU size would cause no traffic to pass? Ultimately the carrier will need to fix their issue, but I would like to understand why this problem of matched MTU sizes causes no traffic.

Thanks.

-Lee
Re: [c-nsp] Peering between route reflectors
Cydon,

Your RRs should (must?) be fully meshed to meet IBGP requirements. The full mesh requirement is relaxed toward clients. I believe the current best practice is assigning each RR its own cluster ID and having each client router peered with at least two RRs for redundancy. This setup results in the clients receiving two (or more) copies of the same route, something to keep in mind if your clients are carrying full Internet routes.

Depending on the size and configuration of your network a scenario like this might apply: RR1/RR2 are assigned unique cluster IDs and are fully meshed. Client A is peered with RR1 and client B is peered with RR2. RR1 and RR2 must be peered with one another (as non-clients) to exchange routes learned from clients A and B. RR1 will reflect the routes from client B to client A. RR2 will reflect the routes from client A to client B. Without the RR/RR peering there is no way to propagate routes between clients A and B. Peering both clients to both RRs would solve the problem but is not scalable in a large network where there are many RRs and a significant # of clients.

As always, ymmv.

Lee

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Cydon Satyr
Sent: Monday, April 07, 2014 1:02 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Peering between route reflectors

Guys,

Could you help me clear this out. Basically, if there are multiple route reflectors NOT in the forwarding path of the traffic, is there ANY reason to peer between them? I don't see a reason why they should peer, but I'd like to get this confirmed.

Also, if they are NOT in the forwarding path, regardless of whether they are peering between themselves or not, it shouldn't matter if they are all in the same CLUSTER, correct?

I know the questions might look simple to you but I've seen designs where the questions pop out, and I'd like to be sure about this.
regards
Re: [c-nsp] Peering between route reflectors
For sure, minimum 2 sessions to 2 different RRs per client. I may have over-simplified the example to show why the IBGP session between RRs is needed. A more realistic example would have been 10 RRs, 100s of clients. In that case peering each client with all 10 RRs in the absence of an RR full mesh wouldn't be scalable.

Lee

-----Original Message-----
From: Mark Tinka [mailto:mark.ti...@seacom.mu]
Sent: Monday, April 07, 2014 1:54 PM
To: cisco-nsp@puck.nether.net
Cc: Lee Clark; Cydon Satyr
Subject: Re: [c-nsp] Peering between route reflectors

On Monday, April 07, 2014 09:43:05 PM Lee Clark wrote:

> Without the RR/RR peering there is no way to propagate routes between clients A and B. Peering both clients to both RRs that would solve the problem but is not scalable in a large network where there are many RRs and significant # of clients.

Agree that having 2x iBGP sessions per client scales poorer than one, but it scales better than a full mesh between routers, which is the problem route reflectors solve.

As you rightly point out, YMMV, but from where I'm standing, 2x iBGP sessions per client to 2x different route reflectors is fine for us. It's a reasonable compromise between redundancy and administration.

Mark.
Re: [c-nsp] Peering between route reflectors
> > What about building RR trees... Parent RRs serving some child RRs? I think I heard something like this sometime...
>
> Hierarchical route reflection may be what you're thinking of. A top level of fully meshed RRs with a second tier of RR clients which act as RRs to another subset of clients.

Gert's got it, a network with a massive # of clients may justify hierarchical RRs although the design might be a throwback to the days of small boxes with minimal memory. Today's control plane only systems can scale to hundreds if not thousands of clients. Hierarchy might be useful if the second tier RRs are in the forwarding path and need to conserve resources for something other than BGP.

Just curious, anyone out there using hierarchical RRs?

Lee
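Editor's added example, not posted by anyone in this thread: a small Python model of iBGP route reflection following the RFC 4456 rules the discussion relies on. A route learned from a client is reflected to all other clients and to non-client peers, a route learned from a non-client goes to clients only, the reflecting RR prepends its cluster id to CLUSTER_LIST, and a receiver discards a route that carries its own router-id as ORIGINATOR_ID or its own cluster id in the CLUSTER_LIST. Router names, cluster ids and the prefix are invented. Running the scenarios reproduces Lee's points: with client A on RR1 only and client B on RR2 only, B learns A's route only if RR1 and RR2 peer; with unique cluster ids and both clients on both RRs, B holds two copies with different CLUSTER_LISTs; and if both RRs share one cluster id, RR2 discards RR1's reflected copy, so a single-homed client goes dark, which is the answer to Cydon's "same CLUSTER" question. The model re-advertises only when a router's best path changes and does not model withdrawals, which is enough for these steady-state topologies.

```python
from collections import deque


class Router:
    """iBGP speaker; a cluster_id makes it a route reflector. Names and ids are invented."""

    def __init__(self, name, cluster_id=None):
        self.name = name
        self.cluster_id = cluster_id
        self.clients = set()   # RR clients (only used when this router is an RR)
        self.peers = set()     # non-client iBGP peers (for a client: the RRs it talks to)
        self.rib = {}          # prefix -> [(originator_id, cluster_list, learned_from_router)]

    @property
    def is_rr(self):
        return self.cluster_id is not None

    def best(self, prefix):
        # Only the tie-breakers that matter here: shorter CLUSTER_LIST wins, then lowest peer name.
        paths = self.rib.get(prefix, [])
        if not paths:
            return None
        return min(paths, key=lambda p: (len(p[1]), p[2].name if p[2] else ""))


def peer(a, b):
    a.peers.add(b)
    b.peers.add(a)


def client(rr, c):
    rr.clients.add(c)
    c.peers.add(rr)


def propagate(originator, prefix):
    """Advertise prefix from originator and flood it under RFC 4456 reflection rules."""
    originator.rib[prefix] = [(originator.name, (), None)]
    queue = deque([originator])
    while queue:
        router = queue.popleft()
        orig_id, cluster_list, learned_from = router.best(prefix)
        if not router.is_rr:
            # Plain iBGP speaker: advertises what it originated, never iBGP-learned routes.
            targets = router.peers if learned_from is None else set()
        elif learned_from is None or learned_from in router.clients:
            # Route from a client: reflect to all other clients and to all non-client peers.
            targets = (router.clients | router.peers) - {learned_from}
        else:
            # Route from a non-client: reflect to clients only.
            targets = router.clients
        reflected = router.is_rr and learned_from is not None
        sent_list = ((router.cluster_id,) + cluster_list) if reflected else cluster_list
        for nbr in targets:
            if nbr.name == orig_id:
                continue        # ORIGINATOR_ID check: the originator ignores its own route
            if nbr.is_rr and nbr.cluster_id in sent_list:
                continue        # CLUSTER_LIST check: reflection loop, ignore
            path = (orig_id, sent_list, router)
            rib = nbr.rib.setdefault(prefix, [])
            if path in rib:
                continue
            before = nbr.best(prefix)
            rib.append(path)
            if nbr.best(prefix) != before:
                queue.append(nbr)   # best path changed: nbr re-advertises (no withdrawals modelled)


def scenario(rr_peering, dual_homed, same_cluster=False, prefix="10.0.0.0/24"):
    """Client A on RR1 and client B on RR2, optionally an RR1-RR2 session and dual-homing of
    both clients. Returns, per router, the sorted CLUSTER_LISTs of the copies of A's prefix."""
    rr1 = Router("RR1", cluster_id="1.1.1.1")
    rr2 = Router("RR2", cluster_id="1.1.1.1" if same_cluster else "2.2.2.2")
    a, b = Router("A"), Router("B")
    client(rr1, a)
    client(rr2, b)
    if dual_homed:
        client(rr2, a)
        client(rr1, b)
    if rr_peering:
        peer(rr1, rr2)
    propagate(a, prefix)
    return {r.name: sorted(p[1] for p in r.rib.get(prefix, [])) for r in (rr1, rr2, a, b)}


if __name__ == "__main__":
    print("no RR peering, single-homed  :", scenario(False, False)["B"])
    print("RR peering, single-homed     :", scenario(True, False)["B"])
    print("RR peering, dual-homed       :", scenario(True, True)["B"])
    print("same cluster id, single-homed:", scenario(True, False, same_cluster=True)["B"])
```

The two-copies case is the one Lee flags for full-table clients: each extra RR a client peers with is another full copy of the table in that client's Adj-RIB-In.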
Re: [c-nsp] RAM thing
On 2/17/14, Saku Ytti <s...@ytti.fi> wrote:
> On (2014-02-17 12:24 +), Phil Mayers wrote:
> > So nothing has changed except we know about it. For anyone who assumed devices could fail at any time, this isn't *that* worrying. For anyone who assumed devices would run forever, this should be a wake-up call - it was never true, and will likely never be so ;o)
>
> Should we expect devices to be built so that broken memory is detected and reported to operator? Or is it OK that broken memory is undetected and mangles packets without us being aware?

The impression I got was that the memory doesn't die until the device is power cycled. Is that incorrect?

Lee
Re: [c-nsp] GSR 12410XR SmartNet contracts
Thanks Everyone. Now the real challenge. Cards SPA-1X10GE-WL-V2 are listed as supported on the 12000 XR series chassis but require version 4.3.0 or later. I can find no such version on CCO. Did Cisco release a card with no OS to support it or am I just looking in the wrong place? The last version I see that is a full version is 4.2.3. The SMUs seem to be WAY too small for an upgrade as they are 0.17M in size. Anyone got an idea where to look?

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/XR12000/12ovspa.html shows in table 2-1 that this card is supported on this chassis under minimum IOS XR release of 4.3.0.

Best.

Lee

On Thu, Dec 19, 2013 at 5:56 PM, Xuhu <jstuxuhu0...@gmail.com> wrote:
> Since u had spare hardware already, just get the new OS and upgrade it yourself, done.
>
> Br,
>
> On 20 Dec, 2013, at 3:38 am, Lee Starnes <lee.t.star...@gmail.com> wrote:
> > Hello everyone,
> >
> > I am looking to get a SmartNet contract on our GSR 12410XR routers and am having a VERY hard time finding anyone that can come up with the SKU for it. I need to be able to upgrade our IOS-XR software but can't until I have the contract. Does anyone have the SKU for it or know where I can get this from a known good Cisco vendor?
> >
> > Thanks,
> >
> > Lee
[c-nsp] GSR 12410XR SmartNet contracts
Hello everyone,

I am looking to get a SmartNet contract on our GSR 12410XR routers and am having a VERY hard time finding anyone that can come up with the SKU for it. I need to be able to upgrade our IOS-XR software but can't until I have the contract. Does anyone have the SKU for it or know where I can get this from a known good Cisco vendor?

Thanks,

Lee
Re: [c-nsp] GSR 12410XR SmartNet contracts
Hi Nathaniel,

Basic 8x5NBD is fine. One year. The only thing we need it for is software updates. We keep spares on hand so slow replacement of hardware is not critical for us.

Thanks,

Lee

On Thu, Dec 19, 2013 at 12:11 PM, Nathaniel Bernadeau <nbernad...@gallantsys.com> wrote:
> Which kind? 8X5NBD, 24X7. 1yr 3yr? We are Cisco authorized resellers. I can check for you.
>
> regards,
>
> Nathaniel Bernadeau
> Gallant Systems, LLC
> 11064 Livingston RD Suite 106-C
> Fort Washington, MD 20744
> Ph: 301-627-6358
> Fax: 240-823-6897
> Cell: 202-246-2229
> nbernad...@gallantsys.com
> www.gallantsys.com
>
> On 12/19/2013 2:38 PM, Lee Starnes wrote:
> > Hello everyone,
> >
> > I am looking to get a SmartNet contract on our GSR 12410XR routers and am having a VERY hard time finding anyone that can come up with the SKU for it. I need to be able to upgrade our IOS-XR software but can't until I have the contract. Does anyone have the SKU for it or know where I can get this from a known good Cisco vendor?
> >
> > Thanks,
> >
> > Lee
[c-nsp] N5500 v6.x orphan ports one-arm traffic
Somewhere I heard that version 6.x NX-OS improved handling of orphan ports in the N5500 series. But the peer link still drops non-IGMP transit traffic. Any improvements in v6.x with respect to supporting one-armed devices upstream or downstream?

Also are there any caveats for creating a dedicated non-vpc trunk (with STP of course) between two Nexus 5500 to pass one-armed traffic?

Lee
Re: [c-nsp] reload command doesn't check command line parameters
On 10/7/13, Pete Lumbis <alum...@gmail.com> wrote:
> The other options besides "in" include LINE or "what should we put in the syslog as to why the reload is occurring". This means it will pick up anything that isn't already a keyword (for example "in" provides an option, "int" is a reason).

If we fix the behavior what does the fix look like?

  reload now [LINE]

Regards,
Lee

> Do we not allow any reason that starts with i (in), c (cancel) or a (at)? But then what if you want a reload reason of "reload installing new software"? Should this be blocked?
>
> On Mon, Oct 7, 2013 at 6:56 AM, Luis Miguel Cruz Miranda <luis...@imasd.net> wrote:
> > Hi all,
> >
> > I am not sure if this is an IOS version related issue. The issue is...
> >
> > - "reload in X" schedules a reload in X minutes (that is the correct behaviour)
> > - "reload intasdajxjxhaajsa X" just goes ahead with an immediate reload, it is the same as the reload command.
> >
> > It shouldn't be a problem since there are some confirmations but... I just did "reload int 10" and pushed enter few times thinking the command was right... :-( imagine...
> >
> > Saw in...
> >   c3825-spservicesk9-mz.124-24.T5.bin
> >   c2600-advsecurityk9-mz.124-15.T13.bin
> >
> > Does anyone know if this was fixed or the expected behaviour? I think IOS CLI should complain about it as it does with other commands.
> >
> > Luis
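Editor's added example, not code from the thread and not IOS's parser: a Python sketch of the two parsing policies being argued over. parse_reload_lenient models the behaviour Luis hit, where a token that is not a unique prefix of a keyword falls through to the free-text reason and the reload is immediate. parse_reload_strict implements Lee's suggestion that free text must follow an explicit "now", and additionally rejects a token that merely starts with a keyword ("int", "ate") instead of silently turning it into a reason. That also answers Pete's question: "reload installing new software" is refused, "reload now installing new software" is accepted, so reasons beginning with i, c or a do not need to be banned. The keyword set, the argument formats and the error strings are assumptions made for the example.

```python
import re
from dataclasses import dataclass

LENIENT_KEYWORDS = ("in", "at", "cancel")          # keywords the lenient model knows
STRICT_KEYWORDS = ("in", "at", "cancel", "now")    # "now" added: a reason needs an explicit keyword
ARG_RE = {"in": re.compile(r"\d{1,3}(:\d{2})?"),   # mm or hhh:mm (assumed formats)
          "at": re.compile(r"\d{1,2}:\d{2}")}       # hh:mm


class ParseError(ValueError):
    pass


@dataclass
class ReloadCommand:
    action: str          # "now", "in", "at" or "cancel"
    argument: str = ""   # delay or clock time for in/at
    reason: str = ""     # free text logged with the reload


def expand(token, keywords):
    """IOS-style completion: a token selects a keyword when it is a unique prefix of it."""
    matches = [k for k in keywords if k.startswith(token)]
    return matches[0] if len(matches) == 1 else None


def parse_reload_lenient(line):
    """Models the reported behaviour: anything that is not a keyword prefix becomes free text,
    and free text means 'reload right now with this reason'."""
    tokens = line.split()
    kw = expand(tokens[0], LENIENT_KEYWORDS) if tokens else None
    if kw in ("in", "at"):
        if len(tokens) < 2:
            raise ParseError("% Incomplete command.")
        return ReloadCommand(kw, argument=tokens[1], reason=" ".join(tokens[2:]))
    if kw == "cancel":
        return ReloadCommand("cancel")
    return ReloadCommand("now", reason=" ".join(tokens))      # "int 10" lands here


def parse_reload_strict(line):
    """Fail-closed variant: free text only after an explicit 'now'; a token that merely starts
    with a keyword is an error rather than a reason; in/at arguments must parse."""
    tokens = line.split()
    if not tokens:
        raise ParseError("% Incomplete command: reload {in DELAY | at TIME | cancel | now [LINE]}")
    kw = expand(tokens[0], STRICT_KEYWORDS)
    if kw is None:
        hint = next((k for k in STRICT_KEYWORDS if tokens[0].startswith(k)), None)
        if hint:
            raise ParseError(f"% Invalid input: '{tokens[0]}' is not a keyword (did you mean '{hint}'?)")
        raise ParseError(f"% Invalid input: '{tokens[0]}'. Use 'reload now {line}' to reload immediately.")
    if kw == "now":
        return ReloadCommand("now", reason=" ".join(tokens[1:]))
    if kw == "cancel":
        if len(tokens) > 1:
            raise ParseError("% Invalid input: 'cancel' takes no arguments.")
        return ReloadCommand("cancel")
    if len(tokens) < 2 or not ARG_RE[kw].fullmatch(tokens[1]):
        raise ParseError(f"% Invalid input: 'reload {kw}' needs a valid "
                         f"{'delay' if kw == 'in' else 'time'} argument.")
    return ReloadCommand(kw, argument=tokens[1], reason=" ".join(tokens[2:]))


def strict_rejects(line):
    """True when the strict parser refuses the line (convenience for checks and tests)."""
    try:
        parse_reload_strict(line)
    except ParseError:
        return True
    return False


if __name__ == "__main__":
    for cmd in ("in 10", "int 10", "now installing new software", "installing new software"):
        print(f"{cmd!r:32} lenient -> {parse_reload_lenient(cmd)}")
        print(f"{'':32} strict  -> {'REJECTED' if strict_rejects(cmd) else parse_reload_strict(cmd)}")
```

The design point is that the dangerous outcome (an immediate reload) is the one the lenient grammar reaches by default on a typo; the strict grammar makes the dangerous outcome require a deliberate keyword and makes a typo cost nothing more than an error line.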
Re: [c-nsp] switching of monitored traffic
On 9/29/13, Ben Hammadi, Kayssar (NSN - TN/Tunis) <kayssar.ben_hamm...@nsn.com> wrote:
> Hi lee,
>
> Even for egress-only SPAN, 6509 accept only two session not 14:
>
> TSA3-PACOSWB9002(config)#monitor session 1 source vlan 1346 tx
> TSA3-PACOSWB9002(config)#monitor session 2 source vlan 1347 tx
> TSA3-PACOSWB9002(config)#monitor session 3 source vlan 3836 tx
> % Local Egress Session limit has been exceeded

Like I said, I've never tried it, but it looks like you missed a step.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1089465

  Router(config)# monitor session local_SPAN_session_number type [local | local-tx]
  • Enter the local-tx keyword to configure egress-only SPAN sessions.

> My version is 12.2 SXI8 !

I'm guessing it's 12.2(33)SXI8. The output from "show version" would say for sure.

And unrelated to span -
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXI_rebuilds.html
shows there's a 12.2(33)SXI8 and 12.2(33)SXI8a. Usually a rebuild fixes a serious problem. I'd suggest at least checking out the release notes for 12.2(33)SXI8a.

Regards,
Lee
Re: [c-nsp] switching of monitored traffic
On 9/28/13, Ben Hammadi, Kayssar (NSN - TN/Tunis) <kayssar.ben_hamm...@nsn.com> wrote:
> Thanks Pavel,
>
> We are thinking about this solution to be able to monitor the traffic again with more granularity on Switch B since Switch A is 6509 and have a max of 2 monitor session.
>
> Are you aware about any Cisco platform that don't have the limitation of two SPAN session?

6500s allow up to 14 egress-only span sessions:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1110714

I've never tried it and there look to be lots 'o caveats, so dunno if it will meet your needs or no. And I haven't looked at the documentation in ages -- I don't remember this caveat:

  Use SPAN for troubleshooting. Except in carefully planned topologies, SPAN consumes too many switch and network resources to enable permanently.

wrt "Does Switch B treat this traffic as normal traffic", pay attention to the note about replicated traffic:

  SPAN copies Layer 2 Ethernet frames, but SPAN does not copy source trunk port ISL or 802.1Q tags. You can configure destinations as trunks to send locally tagged traffic to the traffic analyzer.

SPAN has the charming property of being free, but it comes with caveats. There are situations where it's worth paying for a tap and seeing exactly what's on the wire (fiber :)

Regards,
Lee

> Br.
>
> BEN HAMMADI Kayssar
> NOKIA SIEMENS NETWORKS
> Lead Engineer - BroadBand Connectivity
> JNCIE-M (#471), JNCIE-SP (#1147), CCIP
> Mobile : +216 29 349 952 / +216 98 349 952
> FIX : +216 71 108 173
> Skype : kayssar ben hammadi
> kayssar.ben_hamm...@nsn.com
>
> From: ext Pavel Skovajsa [mailto:pavel.skova...@gmail.com]
> Sent: Saturday, September 28, 2013 10:39 AM
> To: Ben Hammadi, Kayssar (NSN - TN/Tunis)
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] switching of monitored traffic
>
> It will switch it as any other incoming traffic.
>
> -pavel
>
> On Saturday, September 28, 2013, Ben Hammadi, Kayssar (NSN - TN/Tunis) wrote:
> > Dears,
> >
> > We are monitoring traffic from Switch A to Switch B with monitor session, Switch B receive now all traffic handled by Switch A. Does Switch B treat this traffic as normal traffic and continue to switch it according to configured Vlans or it has a way to know that it come from a monitor session not from a regular switching?
> >
> > Br.
> >
> > BEN HAMMADI Kayssar
Re: [c-nsp] T-1 errors, unable to pinpoint if CSU or circuit issue
Hello,

From looking at your output, and based on you having replaced your cables, I suspect you are seeing issues that the carrier is not seeing from their basic remote tests or circuit monitoring. We have seen this many times. Ask them to pull PMs on the circuit. If this is a CLEC circuit, have them pull the ILEC PMs. Depending on the circuit and how far from the CO you are, you may be seeing issues with the repeater (if in use), and their normal tests typically will not show any issues. In some cases, the LEC will need to dispatch out to the site to pull PMs, which may take them a day to get out to you.

Let us know what they come back with.

-Lee

On Tue, May 7, 2013 at 8:53 AM, false jct...@yahoo.com wrote:
> Hello,
>
> Let me just first say thank you to everybody that has helped in my previous post. This list is awesome.
>
> As for the current problem, I keep getting VoIP issues, including the occasional phone call drop. I have a dedicated T-1 for VoIP traffic and minor site-to-site VPN traffic with a QoS policy applied to handle voice traffic. These problems have occurred even when I took the VPN offline. The telco provider always states the line is clean. I replaced the cable from the smartjack to the CSU in the router as well. I have only gotten a few errors over the past week, so the issue looks to be brief and intermittent. The logs in the router never show any issues with the CSU.
>
> 1) Any idea on how to verify the CSU is causing the Line Errors below?
> 2) Any ideas on the cause or how to isolate the issue?
>
> I will probably turn on debug for the interface in hopes of getting time stamps for the interface resets so I can tie them to any VoIP issues.
>
> #sho service-module serial 0/1/0
> Interface Serial0/1/0
> Module type is T1/fractional
> Hardware revision is 1.0, Software revision is 001,
> Image checksum is 0x0, Protocol revision is 0.1
> Receiver has no alarms.
> Framing is ESF, Line Code is B8ZS, Current clock source is line,
> Fraction has 24 timeslots (64 Kbits/sec each), Net bandwidth is 1536 Kbits/sec.
> Last module self-test (done at startup): Passed
> Last clearing of alarm counters 3d01h
>  loss of signal:0, loss of frame :0, AIS alarm :0, Remote alarm :0, Module access errors :0,
> Total Data (last 0 15 minute intervals):
>  0 Line Code Violations, 0 Path Code Violations
>  0 Slip Secs, 0 Fr Loss Secs, 37 Line Err Secs, 0 Degraded Mins
>  4 Errored Secs, 0 Bursty Err Secs, 14 Severely Err Secs, 20 Unavail Secs
> Data in current interval (0 seconds elapsed):
>  0 Line Code Violations, 0 Path Code Violations
>  0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
>  0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
>
> sh int s0/1/0
> Serial0/1/0 is up, line protocol is up
>  Hardware is GT96K with integrated T1 CSU/DSU
>  Internet address is x.x.x./30
>  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 2 usec,
>  reliability 255/255, txload 4/255, rxload 5/255
>  Encapsulation PPP, LCP Open
>  Listen: CDPCP
>  Open: IPCP, loopback not set
>  Keepalive set (10 sec)
>  Last input 00:00:01, output 00:00:00, output hang never
>  Last clearing of show interface counters 3d01h
>  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 557
>  Queueing strategy: Class-based queueing
>  Output queue: 0/1000/0 (size/max total/drops)
>  5 minute input rate 35000 bits/sec, 10 packets/sec
>  5 minute output rate 28000 bits/sec, 7 packets/sec
>  3132198 packets input, 1283936661 bytes, 0 no buffer
>  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
>  289 input errors, 289 CRC, 39 frame, 3 overrun, 0 ignored, 67 abort
>  2561565 packets output, 793225489 bytes, 0 underruns
>  0 output errors, 0 collisions, 2 interface resets
>  0 unknown protocol drops
>  6 unknown protocol drops
>  0 output buffer failures, 0 output buffers swapped out
>  0 carrier transitions
>  DCD=up DSR=up DTR=up RTS=up CTS=up
>
> show controllers s0/1/0
>  67 input aborts on receiving flag sequence
>  0 throttles, 0 enables
>  3 overruns
>  0 transmitter underruns
>  0 transmitter CTS losts
>  3122313 rxintr, 2544022 txintr, 0 rxerr, 0 txerr
>  5517559 mpsc_rx, 0 mpsc_rxerr, 66 mpsc_rlsc, 524 mpsc_rhnt, 5517442 mpsc_rfsc
>  5 mpsc_rcsc, 0 mpsc_rovr, 0 mpsc_rcdl, 0 mpsc_rckg, 0 mpsc_bper
>  0 mpsc_txerr, 1882006 mpsc_teidl, 0 mpsc_tudr, 0 mpsc_tctsl, 0 mpsc_tckg
>  0 sdma_rx_sf, 0 sdma_rx_mfl, 3 sdma_rx_or, 67 sdma_rx_abr, 39 sdma_rx_no
>  0 sdma_rx_de, 0 sdma_rx_cdl, 289 sdma_rx_ce, 0 sdma_tx_rl, 0 sdma_tx_ur, 0 sdma_tx_ctsl
>  0 sdma_rx_reserr, 0 sdma_tx_reserr
>  0 rx_bogus_pkts, rx_bogus_flag FALSE
>  0 sdma_tx_ur_processed
>  tx_limited = 1(2), errata19 count1 - 0, count2 - 0
>  Receive Ring
>  rxr head (21)(0x0F06E930), rxr tail (0)(0x0F06E7E0)
>  rmd(F06E7E0): nbd F06E7F0 cmd_sts 8080 buf_sz 0600 buf_ptr F07D1E0
>  rmd(F06E7F0): nbd F06E800 cmd_sts 8080 buf_sz 0600 buf_ptr F073F40
Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
Hi Andrew,

We have not tried any multimode XFPs. While the documentation shows a table with only single mode optics, at the end of the document it lists an XFP-10G-MM-SR in the ordering info table.

On Thu, Apr 25, 2013 at 4:09 PM, Andrew Jones andrew.jo...@alphawest.com.au wrote:
> Whilst we are talking about SPA-110GE cards, has anyone got these to work with a multimode SR XFP?
>
> Andrew Jones
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Edward Salonia
> Sent: Friday, 26 April 2013 1:25 AM
> To: Lee Starnes
> Cc: cisco-nsp@puck.nether.net; cisco-nsp
> Subject: Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
>
> Sure. Future-proofing, when capable, is a good idea.
>
> -Original Message-
> From: Lee Starnes lee.t.star...@gmail.com
> Date: Wed, 24 Apr 2013 22:53:03
> To: e...@edgeoc.net
> Cc: cisco-nsp cisco-nsp-boun...@puck.nether.net; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
>
> Hi Ed,
>
> So there should be no issue if they are used for what we do, other than they cost more? We may have some SONET applications in the near future, so if I wanted to standardize on one card, this should work both ways? This was my understanding based on what I read, but I don't want to assume that things not clearly stated were there. Our main use being etherchannel stuff.
>
> -Lee
>
> On Wed, Apr 24, 2013 at 10:21 PM, Edward Salonia e...@edgeoc.net wrote:
>> WL does LANPHY, WANPHY, and SONET/SDH. L does only LANPHY.
>>
>> If you are just using this for 10gige LAN interconnect, use the L. If you need WAN/SONET support, get the WL.
>>
>> - Ed
>>
>> -Original Message-
>> From: Lee Starnes lee.t.star...@gmail.com
>> Sender: cisco-nsp cisco-nsp-boun...@puck.nether.net
>> Date: Wed, 24 Apr 2013 16:12:26
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
>>
>> Hello,
>>
>> I was wondering if anyone here has used the SPA-1X10GE-WL-V2 and, if so, how it differs from the non-W version with relation to Ethernet and EtherBundles. We currently use the non-W versions for our ethernet uplinks to backbone connections as well as between our switches and routers. In some cases, we do EtherBundles for 20 or 30G links. I was wondering if the W version would have any issues with this or if its only difference is the ability to do POS.
>>
>> -Lee
Re: [c-nsp] OSPF admin distance not working on IOS-XR.
Thanks everyone who responded. Very helpful. Sorry for the delay in responding back.

On Thu, Apr 4, 2013 at 6:24 AM, Adrian Turcu adri...@domeit.net wrote:
> Are you sure it's not just your filtering at the show route ospf command that leads you to believe you only send over the 2nd bundle? From the show ip route command it looks like both paths are installed and you are sending traffic over both paths equally.
>
> Did you try the following config:
>
> router ospf 12345
>  area ! --- your area number where the Bundle-Ether interfaces are
>   interface Bundle-Ether1
>    cost 10
>   interface Bundle-Ether2
>    cost 20
>
> The above will affect all prefixes learned from these paths, i.e. routes will be preferred via Bundle-Ether1, while Bundle-Ether2 will be just a backup path.
>
> On 4 Apr 2013, at 11:42, Lee Starnes wrote:
>> Hello,
>>
>> We are trying to change the administrative distance on one of the OSPF neighbors of our router and, no matter what it is set to, the value does not seem to change.
>>
>> #sh ip route x.x.0.102
>> Thu Apr 4 02:36:05.122
>> Routing entry for x.x.0.102/32
>>  Known via ospf 12345, distance 110, metric 2, type intra area
>>  Installed Apr 4 02:14:55.059 for 00:21:10
>>  Routing Descriptor Blocks
>>   x.x.25.19, from x.x.0.102, via Bundle-Ether1
>>    Route metric is 2
>>   x.x.25.34, from x.x.0.102, via Bundle-Ether2
>>    Route metric is 2
>>  No advertising protos.
>>
>> #sh route ospf | incl x.x.0.102
>> Thu Apr 4 03:31:36.554
>> O    x.x.0.102/32 [110/2] via x.x.25.34, 01:16:40, Bundle-Ether2
>>
>> The issue here is that we are trying to avoid sending a majority of our traffic through Bundle-Ether2, which it seems OSPF has decided is the best path. The 0.102 address is a loopback interface of a neighbor (6500b) directly connected to Bundle-Ether1, whereas Bundle-Ether2 is connected to 6500a with less capacity on its links. This is causing the links on bundle2 to get saturated at peak times.
>>
>> XR-bundle2---6500a---6500b
>> XR-bundle1---6500b---6500a
>>
>> Configured XR router:
>>
>> router ospf 12345
>>  log adjacency changes
>>  distance 120 x.x.25.34 0.0.0.0
>>
>> Is this a bug or am I going about this all wrong?
[c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
Hello,

I was wondering if anyone here has used the SPA-1X10GE-WL-V2 and, if so, how it differs from the non-W version with relation to Ethernet and EtherBundles. We currently use the non-W versions for our ethernet uplinks to backbone connections as well as between our switches and routers. In some cases, we do EtherBundles for 20 or 30G links. I was wondering if the W version would have any issues with this or if its only difference is the ability to do POS.

-Lee
Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
Hi Ed,

So there should be no issue if they are used for what we do, other than they cost more? We may have some SONET applications in the near future, so if I wanted to standardize on one card, this should work both ways? This was my understanding based on what I read, but I don't want to assume that things not clearly stated were there. Our main use being etherchannel stuff.

-Lee

On Wed, Apr 24, 2013 at 10:21 PM, Edward Salonia e...@edgeoc.net wrote:
> WL does LANPHY, WANPHY, and SONET/SDH. L does only LANPHY.
>
> If you are just using this for 10gige LAN interconnect, use the L. If you need WAN/SONET support, get the WL.
>
> - Ed
>
> -Original Message-
> From: Lee Starnes lee.t.star...@gmail.com
> Sender: cisco-nsp cisco-nsp-boun...@puck.nether.net
> Date: Wed, 24 Apr 2013 16:12:26
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
>
> Hello,
>
> I was wondering if anyone here has used the SPA-1X10GE-WL-V2 and, if so, how it differs from the non-W version with relation to Ethernet and EtherBundles. We currently use the non-W versions for our ethernet uplinks to backbone connections as well as between our switches and routers. In some cases, we do EtherBundles for 20 or 30G links. I was wondering if the W version would have any issues with this or if its only difference is the ability to do POS.
>
> -Lee
Re: [c-nsp] uRPF Core Internet Routers
On 4/16/13, Antonio Soares amsoa...@netcabo.pt wrote:
> Hello group,
>
> I am looking for information about anti-spoofing measures, namely uRPF.

[.. snip old references ..]

> Now my question: is it appropriate to use uRPF loose mode on Core Routers (Full Routing Tables)?

It's an easy way to drop traffic with RFC-1918 addresses, so it is nice that way. But the IPv4 address space is close to all allocated, so enabling it for IPv4 doesn't seem like a huge win. IPv6 may be a different story tho..

> How about the impact/restrictions?

No idea. I use an input access list or strict uRPF on the edge and haven't paid much attention to loose uRPF.

http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html says "Reference the Implementing Cisco Express Forwarding on Cisco IOS XR Software section of the Cisco IOS XR IP Addresses and Services Configuration Guide for more information." so that sounds like a good place to look.

Regards,
Lee

> I was able to find a few restrictions when comparing the SUP720 with the SUP-2T, but I'm more interested in IOS-XR platforms.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
Re: [c-nsp] uRPF Core Internet Routers
On 4/16/13, Dobbins, Roland rdobb...@arbor.net wrote:
> On Apr 17, 2013, at 8:42 AM, Lee wrote:
>> But the IPv4 address space is close to all allocated, so enabling it for IPv4 doesn't seem like a huge win.
>
> This is incorrect, and is actually harmful misinformation. The value of antispoofing has nothing to do with allocated address space percentages. It has everything to do with removing the ability to launch high-volume reflection/amplification DDoS attacks, spoofed SYN-floods, et. al.

The topic was about enabling loose uRPF. Quoting from http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html again:

  Loose mode Unicast RPF: Loose mode searches for the source address of a packet in the FIB table. If the address exists and matches a real and valid forwarding entry (not necessarily pointing to the ingress interface on which the packet was received), then the packet is further processed, otherwise it is dropped.

Seems to me that the utility of filtering just packets supposedly coming from unannounced IPv4 address space is not all that useful in "... removing the ability to launch high-volume reflection/amplification DDoS attacks, spoofed SYN-floods, et. al." If someone is going to spoof traffic, it's no harder for them to spoof traffic from advertised than non-advertised space.

Lee
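The distinction the two replies above turn on (loose mode only asks whether the source is routable at all; strict mode also asks whether the route back to the source points at the ingress interface) is easy to see in a small model. The Python below is an added example, not code from the thread or from any Cisco implementation: the FIB entries, interface names and sample packets are constructed for the illustration, and `FibEntry`, `urpf_loose` and `urpf_strict` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    """One forwarding entry: where the router would send traffic *to* this prefix."""
    prefix: ipaddress.IPv4Network
    out_iface: str
    valid: bool = True  # False models a discard/null route, which uRPF does not treat as a valid path


# Constructed FIB for the example (not a real router's table).
FIB: List[FibEntry] = [
    FibEntry(ipaddress.ip_network("198.51.100.0/24"), "Gi0/1"),          # customer A
    FibEntry(ipaddress.ip_network("203.0.113.0/24"), "Gi0/2"),           # customer B
    FibEntry(ipaddress.ip_network("192.0.2.0/24"), "Gi0/3"),             # peer
    FibEntry(ipaddress.ip_network("10.0.0.0/8"), "Null0", valid=False),  # RFC 1918, discard route
]


def lookup(src: str) -> Optional[FibEntry]:
    """Longest-prefix match of a source address against the FIB, or None."""
    addr = ipaddress.ip_address(src)
    matches = [e for e in FIB if addr in e.prefix]
    return max(matches, key=lambda e: e.prefix.prefixlen) if matches else None


def urpf_loose(src: str, in_iface: str) -> bool:
    """Loose mode: pass if *any* valid forwarding entry covers the source.

    The ingress interface is deliberately ignored, which is the point Lee makes.
    """
    e = lookup(src)
    return e is not None and e.valid


def urpf_strict(src: str, in_iface: str) -> bool:
    """Strict mode: the best path back to the source must leave via the ingress interface."""
    e = lookup(src)
    return e is not None and e.valid and e.out_iface == in_iface


# Constructed sample packets: (source address, interface it arrived on).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("198.51.100.7", "Gi0/1"),  # customer A source arriving from customer A's port
    ("198.51.100.7", "Gi0/3"),  # customer A source arriving from the peer: routable, wrong side
    ("10.1.2.3", "Gi0/3"),      # RFC 1918 source: only a discard route exists
    ("100.64.0.1", "Gi0/3"),    # no FIB entry at all
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return (src, iface, loose_pass, strict_pass) for each packet."""
    return [(src, iface, urpf_loose(src, iface), urpf_strict(src, iface))
            for src, iface in packets]


if __name__ == "__main__":
    for src, iface, loose, strict in evaluate():
        print(f"{src:>14} on {iface}: loose={'pass' if loose else 'drop'} "
              f"strict={'pass' if strict else 'drop'}")
```

The second sample packet is the case the thread argues about: a source that is in the routing table but arrives from the wrong direction passes loose mode and is caught only by strict mode. Real implementations add knobs this model leaves out (treatment of a default route, ACL exemptions, ECMP where more than one interface is a valid return path), so it should be read as the decision rule, not as any platform's exact behaviour.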
Re: [c-nsp] 3560g switch - tagged vlans and untagged frames
On 4/9/13, Damian Higgins linnew...@gmail.com wrote:
> Hi Mike,
>
> How about this scenario. Let's say you want a VLAN tagged on all the ports, but also want different untagged VLANs on those ports (e.g. port 10 tagged vlan 306 and untagged vlan 6, port 11 tagged vlan 306 and untagged vlan 7).

int g0/10
 switchport trunk allowed vlan 6,306
 switchport trunk native vlan 6
int g0/11
 switchport trunk allowed vlan 7,306
 switchport trunk native vlan 7

> So native VLAN is out of question here since all ports would be untagged in the same VLAN ID.

native vlan is per port

> Can you please test the following setup and tell me if it works? :

shouldn't work - 'switchport access vlan nnn' is for non-trunking ports.

Regards,
Lee

> interface GigabitEthernet0/10
>  description testing cisco vlans
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 306
>  switchport mode trunk
>  switchport access vlan 6
>
> interface GigabitEthernet0/11
>  description testing cisco vlans
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 306
>  switchport mode trunk
>  switchport access vlan 7
>
> I don't have any cisco switches at the moment that I could do this test on, but I can tell you for sure that this setup is possible on other switches (HP procurve for example, and they're way cheaper :)
>
> Regards,
>
> On Tue, Apr 9, 2013 at 8:21 PM, Mike mike-cisconspl...@tiedyenetworks.com wrote:
>> On 04/08/2013 09:48 PM, sth...@nethelp.no wrote:
>>>> I would like to be able to accept both tagged and untagged frames on my 3560g. For the untagged frames, I'd like to be able to say these are a member of some vlan - say 100 - otherwise I want to be able to allow tagged frames from some list. In testing, it doesn't appear that switchport trunk native vlan is doing the job; anything I send untagged is dropped and doesn't show up in the switch mac address tables. Here is my config:
>>>
>>> Similar configs work for us.
>>>
>>>> interface GigabitEthernet0/45
>>>>  description testing cisco vlans
>>>>  switchport trunk encapsulation dot1q
>>>>  switchport trunk native vlan 6
>>>>  switchport trunk allowed vlan 306
>>>>  switchport mode trunk
>>>>
>>>> If it helps, I do also have dot1q native vlan tagging enabled.
>>>
>>> I believe you need to drop that - it tells the switch that the native VLAN should be tagged. Also, add the native VLAN to the list of allowed VLANs (so you'd get switchport trunk allowed vlan 6,306 here).
>>
>> I removed dot1q tag native and that seems to have worked. Unfortunately, it caused other problems requiring me to set the native vlans on some ports to something other than default. In the end it's working but I just don't see why I can't say 'hey, got an untagged frame? throw it into this vlan for me...'. Maybe I need more expensive switches.
>>
>> Thanks all.
>>
>> Mike-
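The two changes sthaug recommends (drop `vlan dot1q tag native`, and add the native VLAN to the trunk's allowed list) each remove a separate reason an untagged frame is dropped, which is easy to lose in the thread. The Python below is an added example, not code from the thread or from Cisco: `TrunkPort` and `classify_ingress` are hypothetical names, and the model covers only the three settings the thread discusses (allowed list, native VLAN, native tagging), not any platform's handling of tagged frames that carry the native VID.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TrunkPort:
    """Simplified model of an 802.1Q trunk port's ingress settings (constructed for the example)."""
    allowed: Set[int]          # switchport trunk allowed vlan ...
    native: int = 1            # switchport trunk native vlan ...
    tag_native: bool = False   # global 'vlan dot1q tag native' in effect


def classify_ingress(port: TrunkPort, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN an ingress frame is assigned to, or None if it is dropped.

    tag is the 802.1Q VID carried by the frame, or None for an untagged frame.
    """
    if tag is None:
        # Untagged frames are classified into the native VLAN, but only if the
        # switch expects the native VLAN untagged and the native VLAN is on the trunk.
        if port.tag_native:
            return None        # native VLAN is expected to arrive tagged
        if port.native not in port.allowed:
            return None        # native VLAN pruned from the trunk
        return port.native
    if tag not in port.allowed:
        return None            # VID not in the allowed list
    return tag


def scenarios() -> Dict[str, Optional[int]]:
    """Mike's Gi0/45 as posted, after the first fix, and after both fixes."""
    original = TrunkPort(allowed={306}, native=6, tag_native=True)
    no_tag_native = TrunkPort(allowed={306}, native=6)          # tag native removed only
    fixed = TrunkPort(allowed={6, 306}, native=6)               # plus native VLAN allowed
    return {
        "original_untagged": classify_ingress(original, None),
        "original_tagged_306": classify_ingress(original, 306),
        "no_tag_native_untagged": classify_ingress(no_tag_native, None),
        "fixed_untagged": classify_ingress(fixed, None),
        "fixed_tagged_306": classify_ingress(fixed, 306),
        "fixed_tagged_7": classify_ingress(fixed, 7),
    }


if __name__ == "__main__":
    for name, vlan in scenarios().items():
        print(f"{name:24s} -> {'dropped' if vlan is None else f'vlan {vlan}'}")
```

Untagged traffic only reaches VLAN 6 in the third configuration; removing native tagging alone still leaves the native VLAN off the allowed list, which is why sthaug's advice has two parts. Damian's `switchport access vlan` lines are not modelled because, as Lee notes, they apply to non-trunking ports.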
[c-nsp] OSPF admin distance not working on IOS-XR.
Hello,

We are trying to change the administrative distance on one of the OSPF neighbors of our router and, no matter what it is set to, the value does not seem to change.

#sh ip route x.x.0.102
Thu Apr 4 02:36:05.122
Routing entry for x.x.0.102/32
 Known via ospf 12345, distance 110, metric 2, type intra area
 Installed Apr 4 02:14:55.059 for 00:21:10
 Routing Descriptor Blocks
  x.x.25.19, from x.x.0.102, via Bundle-Ether1
   Route metric is 2
  x.x.25.34, from x.x.0.102, via Bundle-Ether2
   Route metric is 2
 No advertising protos.

#sh route ospf | incl x.x.0.102
Thu Apr 4 03:31:36.554
O    x.x.0.102/32 [110/2] via x.x.25.34, 01:16:40, Bundle-Ether2

The issue here is that we are trying to avoid sending a majority of our traffic through Bundle-Ether2, which it seems OSPF has decided is the best path. The 0.102 address is a loopback interface of a neighbor (6500b) directly connected to Bundle-Ether1, whereas Bundle-Ether2 is connected to 6500a with less capacity on its links. This is causing the links on bundle2 to get saturated at peak times.

XR-bundle2---6500a---6500b
XR-bundle1---6500b---6500a

Configured XR router:

router ospf 12345
 log adjacency changes
 distance 120 x.x.25.34 0.0.0.0

Is this a bug or am I going about this all wrong?
[c-nsp] VPN firewall
Hello,

Does anyone have any recommendation for 5-10G performance 3DES VPN firewalls? Not UDP throughput..

Thanks,

Regards
-mike
Re: [c-nsp] Cisco 6509 LACP
On 2/9/13, Mack McBride mack.mcbr...@viawest.com wrote:
> Portfast doesn't err disable,

unless you have
  spanning-tree portfast bpduguard default

Regards,
Lee

> it simply converts to a non-portfast port when it detects a PDU (which is sent first on the link before data).
>
> Mack
>
> From: Rogelio Gamino [mailto:rgam...@gmail.com]
> Sent: Friday, February 08, 2013 5:46 PM
> To: Mack McBride
> Cc: Andrew Miehs; Mario Ruiz; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco 6509 LACP
>
> I'm surprised portfast is not causing the interfaces to errdisable. Do you see MAC addresses for the source/destination devices on both switches?
>
> Rogelio Gamino
>
> On Feb 8, 2013 6:11 PM, Mack McBride mack.mcbr...@viawest.com wrote:
>> Not on a trunk. That is for an access port.
>>
>> LR Mack McBride
>> Network Architect
>>
>> -Original Message-
>> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mario Ruiz
>> Sent: Friday, February 08, 2013 3:05 PM
>> To: Andrew Miehs
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] Cisco 6509 LACP
>>
>> Don't you need the vlan statement too?
>>
>> switchport access vlan 2
>>
>> On Fri, Feb 8, 2013 at 4:41 PM, Andrew Miehs and...@2sheds.de wrote:
>>> Which VLANs do you want to trunk? Have you created the vlan Number name VlanName entries on the Cisco side yet? show interface trunk would also be interesting.
>>>
>>> On Sat, Feb 9, 2013 at 7:25 AM, Mike Glass mgl...@lccountymt.gov wrote:
>>>> I hope somebody can help me. I am trying to configure a 6509 as the passive receiver from a Dell Force10 10Ge switch with 2 SFPs to 2 gig ports on our 6509 switch. I see LACP is up on both sides but cannot pass traffic. I have only 2 vlans that will carry across the aggregate link from our vmware boxes; this is just a temp until I get a 10ge in our 6509 chassis. Attached is the config on both sides.
>>>>
>>>> Make sense?
>>>>
>>>> --- Cisco 6509 Config ---
>>>>
>>>> interface GigabitEthernet6/7
>>>>  switchport
>>>>  no ip address
>>>>  spanning-tree portfast
>>>>  switchport mode trunk
>>>>  channel-protocol lacp
>>>>  channel-group 1 mode passive
>>>> !
>>>> interface GigabitEthernet6/8
>>>>  switchport
>>>>  no ip address
>>>>  spanning-tree portfast
>>>>  switchport mode trunk
>>>>  channel-protocol lacp
>>>>  channel-group 1 mode passive
>>>>
>>>> interface Port-channel1
>>>>  description lacp Force10
>>>>  switchport
>>>>  switchport trunk encapsulation dot1q
>>>>  Switchport mode trunk
>>>>  no ip address
>>>>  logging event link-status
>>>>
>>>> --- show etherchannel detail ---
>>>>
>>>> Channel-group listing:
>>>> ---
>>>> Group: 1
>>>> --
>>>> Group state = L2
>>>> Ports: 2 Maxports = 16
>>>> Port-channels: 1 Max Port-channels = 16
>>>> Protocol: LACP
>>>> Minimum Links: 0
>>>>
>>>> Ports in the group:
>>>> ---
>>>> Port: Gi6/7
>>>> Port state = Up Mstr In-Bndl
>>>> Channel group = 1 Mode = Active Gcchange = -
>>>> Port-channel = Po1 GC = - Pseudo port-channel = Po1
>>>> Port index = 0 Load = 0x55 Protocol = LACP
>>>>
>>>> Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
>>>>        A - Device is in active mode. P - Device is in passive mode.
>>>>
>>>> Local information:
>>>>                      LACP port  Admin  Oper  Port    Port
>>>> Port   Flags  State  Priority   Key    Key   Number  State
>>>> Gi6/7  SA     bndl   32768      0x1    0x1   0x607   0x3D
>>>>
>>>> Partner's information:
>>>>        Partner  Partner  LACP Partner   Partner    Partner   Partner      Partner
>>>> Port   Flags    State    Port Priority  Admin Key  Oper Key  Port Number  Port State
>>>> Gi6/7  FA       bndl     32768          0x0        0x1       0xA5         0x3F
>>>>
>>>> Age of the port in the current state: 0d:00h:08m:06s
>>>>
>>>> Port: Gi6/8
>>>> Port state = Up Mstr In-Bndl
>>>> Channel group = 1 Mode = Active Gcchange = -
>>>> Port-channel = Po1 GC = - Pseudo port-channel = Po1
>>>> Port index = 1 Load = 0xAA Protocol = LACP
>>>>
>>>> Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
>>>>        A - Device is in active mode. P - Device is in passive mode.
>>>>
>>>> Local information:
>>>>                      LACP port  Admin  Oper  Port    Port
>>>> Port   Flags  State  Priority   Key    Key   Number  State
>>>> Gi6/8  SA     bndl   32768      0x1    0x1   0x608   0x3D
>>>>
>>>> Partner's information:
>>>>        Partner  Partner
[c-nsp] IOS-XR and SIP600/601 with etherbundles
Hello,

I was wondering if there are any known issues with XR 4.0.1 running a SIP600 or SIP601 with ether bundles. We have a couple of chassis that still need to upgrade to newer versions of the OS, but I can't do that right away and need to expand link capacity before I will be able to deploy the newer OS. I understand that IPv6 does not work for bundles until version 4.1.0. Does anyone have experience with these blades and the version of XR we are running? These would be either SIP-600 or SIP-601 blades with SPA-8X1GE-V2 or SPA-10X1GE-V2 port adapters. I'd prefer the SIP-600 for this site as I have more on hand than the 601's in case of failure.

Thanks,

-Lee
Re: [c-nsp] IOS-XR OSPF rapid repeating error.
Thanks Oliver. I will login and download it.

-Lee

On Sat, Jan 26, 2013 at 12:20 AM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
> Lee,
>
>> I was wondering if anyone has seen this and if it is caused by a bug or a security hole. The OSPF process is in an endless loop of errors that I was only able to fix with a reboot. I could not restart the OSPF process as it would just hang for 60 seconds and then give up. This problem takes the CPU to 100% when this OSPF problem happens and, for whatever reason, happened on two routers at the same time. I did some searching but was never able to find an actual answer as to the cause. What I find odd is that two routers would end up with the same problem at the exact same time if it is a bug, and if it is a security hole, that I was not able to find the details on it.
>>
>> RP/0/9/CPU0:Jan 15 19:27:40.781 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>
> you're hitting a known issue CSCtn00523 (details on CCO), there is an OSPF Umbrella SMU available for download on CCO, which fixes this and other OSPF issues in 4.0.1 (CSCts31308).
>
> oli
Re: [c-nsp] Confirmation of Gigabit Ethernet autonegotiation behavior
I don't think it's technical TBH. I suspect it's just telco mindset - force all the params to on/fast/full and it's better, right?

Virgin do the same thing.
[c-nsp] IOS-XR OSPF rapid repeating error.
Hello everyone.

I was wondering if anyone has seen this and if it is caused by a bug or a security hole. The OSPF process is in an endless loop of errors that I was only able to fix with a reboot. I could not restart the OSPF process as it would just hang for 60 seconds and then give up. This problem takes the CPU to 100% when this OSPF problem happens and, for whatever reason, happened on two routers at the same time. I did some searching but was never able to find an actual answer as to the cause. What I find odd is that two routers would end up with the same problem at the exact same time if it is a bug, and if it is a security hole, that I was not able to find the details on it.

RP/0/9/CPU0:Jan 15 19:27:40.781 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.783 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.825 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.828 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.890 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.891 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range

Thanks for your time.

-Lee
Re: [c-nsp] IOS-XR OSPF rapid repeating error.
We are running 4.0.1 currently.

-Lee

On Fri, Jan 25, 2013 at 9:12 PM, Xu Hu jstuxuhu0...@gmail.com wrote:
> It seems to be a bug; which version are you using?
>
> http://status.ovh.es/?do=detailsid=1152PHPSESSID=63f1ab780c97e64284a260a17828a53c
>
> 2013/1/26 Lee Starnes lee.t.star...@gmail.com
>> Hello everyone.
>>
>> I was wondering if anyone has seen this and if it is caused by a bug or a security hole. The OSPF process is in an endless loop of errors that I was only able to fix with a reboot. I could not restart the OSPF process as it would just hang for 60 seconds and then give up. This problem takes the CPU to 100% when this OSPF problem happens and, for whatever reason, happened on two routers at the same time. I did some searching but was never able to find an actual answer as to the cause. What I find odd is that two routers would end up with the same problem at the exact same time if it is a bug, and if it is a security hole, that I was not able to find the details on it.
>>
>> RP/0/9/CPU0:Jan 15 19:27:40.781 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.783 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.825 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.828 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.890 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>> RP/0/9/CPU0:Jan 15 19:27:40.891 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : Internal error, path id out of range
>>
>> Thanks for your time.
>>
>> -Lee
Re: [c-nsp] unknown unicast flooding - particularly regarding fhrp's
On 1/21/13, Aaron aar...@gvtc.com wrote:

> What do y'all know about the effects of implementing fhrp's (glbp, hsrp, vrrp) WITH route diversity from the distribution (fhrp router) to the internet? (which I'd imagine is a pretty typical scenario in HA nets)

Do you have enough bandwidth to the Internet that it might be a problem? Is the topology such that you could have unicast flooding? If you don't allow the same vlan on multiple access layer switches that eliminates most unicast flooding.

In any case, I like increasing the mac address table timeout; others like decreasing the ARP table timeout. I remember one recommendation to configure the hosts to send broadcasts every few minutes (I think it was ntp to the subnet broadcast address??). And be sure to enable portfast on all the host ports - otherwise when a user reboots their machine you get a topology change notification, all the switches set the fast aging timer for that vlan and you're back to unicast flooding.

Have you seen http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml

Regards,
Lee

> I mean as packets arrive from the internet to the non-active fhrp router, then this router probably won't have arp entries (perhaps at 4 hour timeouts it will) but it more than likely won't have bridge table entries, nor will the L2 distribution / access devices have bridge table entries (at 300 secs aging probably not).
>
> How does constant unknown unicast flooding affect networks? Better yet, how to design in mitigation? Is it all about lower arp timeouts below 300 secs so to artificially prop-up bridge tables and keep them fresh? My goodness that's making arp very busy.
>
> This is also being asked since I'm suspecting this behavior on my asr9k's via their bvi's (hsrp'd) since they have separate internet uplinks and I'm suspecting unknown unicast flooding from the non-active hsrp asr9k over the vpls domain towards customers. (but ugh, my dual 7609's over my legacy net have been running like this forever!)
>
> Aaron
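To make the timer interaction in this exchange concrete, here is an added simulation (not code from the list, from Lee or Aaron, or from Cisco) of the asymmetric path Aaron describes: the host's outbound traffic reaches the active FHRP router through switch A, while return traffic from the Internet enters through the standby router on switch B, so switch B's bridge table is refreshed only when the host answers an ARP request. It assumes 300 s CAM aging as in the thread, models ARP as a broadcast request whose unicast reply is learned by both switches, and uses constructed traffic intervals and a constructed host MAC.

```python
from dataclasses import dataclass, field

HOST_MAC = "aa:aa:aa:aa:aa:01"   # constructed sample address

@dataclass
class CamTable:
    """One switch's bridge (MAC) table with a simple aging timer."""
    aging: int                                  # seconds without refresh before an entry ages out
    seen: dict = field(default_factory=dict)    # mac -> time the last frame from it was seen

    def learn(self, mac: str, now: int) -> None:
        self.seen[mac] = now

    def knows(self, mac: str, now: int) -> bool:
        t = self.seen.get(mac)
        return t is not None and now - t < self.aging

def simulate(arp_timeout, duration=3600, mac_aging=300,
             host_tx_interval=60, return_interval=10):
    """Return (flooded_frames, arp_requests) on the standby router's return path."""
    switch_a = CamTable(mac_aging)   # host and active router attach here
    switch_b = CamTable(mac_aging)   # standby router attaches here
    arp_learned_at = None            # when the standby router last resolved the host
    flooded = arp_requests = 0
    for now in range(duration):
        # Host egress to the active router is seen only by switch A, so it
        # never refreshes switch B's entry for the host.
        if now % host_tx_interval == 0:
            switch_a.learn(HOST_MAC, now)
        if now % return_interval == 0:
            if arp_learned_at is None or now - arp_learned_at >= arp_timeout:
                # Standby router broadcasts an ARP request; the host's unicast
                # reply to the router's MAC crosses both switches and is learned.
                arp_requests += 1
                arp_learned_at = now
                switch_a.learn(HOST_MAC, now)
                switch_b.learn(HOST_MAC, now)
            if not switch_b.knows(HOST_MAC, now):
                flooded += 1     # unknown unicast: frame goes out every port in the vlan
    return flooded, arp_requests

if __name__ == "__main__":
    # IOS default ARP timeout is 14400 s; 240 s sits below the 300 s CAM aging
    for timeout in (14400, 240):
        print(timeout, simulate(timeout))
```

With the 4 hour ARP timeout every return frame after the first 300 s is flooded for the rest of the hour, while an ARP timeout below the CAM aging keeps switch B's entry fresh at the cost of one ARP exchange per timeout period.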
Re: [c-nsp] unknown unicast flooding - particularly regarding fhrp's
On 1/21/13, Aaron aar...@gvtc.com wrote:

> Arp timers are central, bridge timers are more distributed.
>
> Arp timers I believe are specific to svi/bvi/routed interfaces; bridge timers I believe are more global and may not be vlan specific.
>
> Those 2 items would lead me to think arp timers would be the best place to adjust.

What happens when the router doesn't have an arp entry? When I ping an idle host I don't get an answer to the first ping. So if you set the arp timeout to 5 minutes does that mean the 1st packet to a host that's been idle >= 5 minutes is dropped?

Thanks,
Lee
Re: [c-nsp] Advice for automating changes to asr 1001
On 1/15/13, Bryan Tabb bryan.t...@nztechnologygroup.com wrote:

> Hi all
>
> I was looking for some advice on what technology to use to automate small config changes to an asr1001. Changes will be small, such as adding / removing subinterfaces \ IPs and adding \ removing the odd static route for customers.
>
> Through googling so far what i've found:
>
> 1. SSH based connection - e.g. clogin \ expect type process

clogin is really nice but you have to escape TCL special characters, so tasks like setting the snmp community string can be a real pain.

> 2. Dropping the config onto a tftp server then using snmp to trigger config download and wr mem

easier than clogin since you don't have to worry about special characters, but our security office sees 'clear text protocol' (ie. tftp) and has a fit.

> 3. I've seen IOS XR XML for the asr 9000 but since asr used ios xe this may not be an option

never tried it.

supposedly another option is to scp a config snippet to the running-config. haven't gotten around to trying that yet either.

regards,
lee
[c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL
Hello,

After wading through hours of pages on Cisco's site I was not able to determine if the following configuration will work without having to upgrade either the DFC or the IOS.

We have some switches that I need to install some 10G ports in. I have some WS-X6704-10GE blades with 3BXL DFC boards on them. I don't have a chassis to test with, and don't want to ship these out to have them installed if they are not going to work.

The chassis have SUP720-3BXL's in them and are running s72033-advipservicesk9_wan-mz.122-33.SXH. Aside from the fact that the IOS is older, does anyone see any issues with this IOS and SUP working with the WS-X6704-10GE?

Thanks,
Lee
Re: [c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL
Thanks Robert for the quick reply.

On Fri, Jan 4, 2013 at 3:48 PM, Robert Hass robh...@gmail.com wrote:

> On Sat, Jan 5, 2013 at 12:39 AM, Lee Starnes lee.t.star...@gmail.com wrote:
>
> > s72033-advipservicesk9_wan-mz.122-33.SXH. Aside from the fact that the IOS is older, does anyone see any issues with this IOS and SUP working with the WS-X6704-10GE?
>
> It will work without problems. I used the same configuration some time ago (Now I'm using SXI release).
>
> Rob
Re: [c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL
Thank you Nick.

-Lee

On Fri, Jan 4, 2013 at 3:48 PM, Nick Hilliard n...@foobar.org wrote:

> On 04/01/2013 23:39, Lee Starnes wrote:
>
> > is older, does anyone see any issues with this IOS and SUP working with the WS-X6704-10GE?
>
> should work fine. the X6704 cards have been supported since the sup720 came out. The 3bxl DFC will work fine with the 3bxl sup.
>
> Nick
Re: [c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL
Thanks Jeff.

-Lee

On Fri, Jan 4, 2013 at 3:49 PM, Jeff Kell jeff-k...@utc.edu wrote:

> If all the cards in the chassis are DFC3BXL compatible, it should. I just added a 6716-10GE with DFC3C to a chassis that had some CFC-only SFP gig blades in it (6724/6748 I think). It works, but not in DFC3C mode, and leaves a slurry of warnings at startup.
>
> Jeff
>
> On 1/4/2013 6:39 PM, Lee Starnes wrote:
>
> > Hello,
> >
> > After wading through hours of pages on Cisco's site I was not able to determine if the following configuration will work without having to upgrade either the DFC or the IOS.
> >
> > We have some switches that I need to install some 10G ports in. I have some WS-X6704-10GE blades with 3BXL DFC boards on them. I don't have a chassis to test with, and don't want to ship these out to have them installed if they are not going to work.
> >
> > The chassis have SUP720-3BXL's in them and are running s72033-advipservicesk9_wan-mz.122-33.SXH. Aside from the fact that the IOS is older, does anyone see any issues with this IOS and SUP working with the WS-X6704-10GE?
> >
> > Thanks,
> > Lee
[c-nsp] IOS-XR SNMP interface packets per second OID.
Hello everyone,

Does anyone know if there is an IOS equivalent to the locIfInpktsSec and locIfoutPktsSec for IOS-XR? Doing an SNMP walk of the XR system and MIB browser, I was not able to find the Packets Per Second OID for any interfaces. Am I just missing something?

Thank you for your time.

-Lee.