Re: [c-nsp] Cisco ASA5516-x DATAPATH-0-1648 and DATAPATH-0-1648 CPU hog

2024-06-07 Thread Lee Starnes via cisco-nsp
So, this was tracked down to be an issue with the ASA doing debug logging.
As soon as we changed the logging back down to alert level logging, the
issue resolved.

Only caught the issue when watching the Process CPU-Usage and saw the
logger process pop up at 52%, then 64% and then 84% CPU usage before
falling off, all within a 10 second period.

vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285
PC Thread   5Sec 1Min 5Min   Process
0x564743c1c050   0x7f2cef4bbe80 1.0% 1.5% 1.0%   Unicorn Proxy Thread
0x564743a1b57b   0x7f2cef4bb000 0.0% 0.2% 0.3%
0x5647439821d6   0x7f2cef4bbae0 0.0% 0.2% 0.1%   snmp_master_callback_thread
0x564743982226   0x7f2cef4bb740 0.0% 0.4% 0.4%   snmp_client_callback_thread
0x5647437cf58c   0x7f2cef4be2c0 0.0% 0.1% 0.1%   radius_snd
0x5647421c5dd4   0x7f2cef4dc4e052.1%11.5%11.1%   Logger
0x5647427c3cb6   0x7f2cef4c5e00 0.0% 0.1% 0.1%   ARP Thread
0x564743c1c050   0x7f2cef4ebf00 0.0% 0.1% 0.1%   aaa_shim_thread
0x564741cdf31c   0x7f2cef4ec640 0.0% 0.1% 0.1%   aaa
   -  - 0.8% 2.1% 2.2%   DATAPATH-0-1665
   -  - 2.6% 2.3% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285
PC Thread   5Sec 1Min 5Min   Process
0x564743bf433f   0x7f2cef4bbe80 0.0% 1.2% 1.0%   Unicorn Proxy Thread
0x564743a1b57b   0x7f2cef4bb000 0.0% 0.1% 0.2%
0x5647439821d6   0x7f2cef4bbae0 0.0% 0.1% 0.1%   snmp_master_callback_thread
0x564743982226   0x7f2cef4bb740 0.0% 0.2% 0.4%   snmp_client_callback_thread
0x5647421c5dd4   0x7f2cef4dc4e064.1%12.7%11.3%   Logger
0x5647427c3cb6   0x7f2cef4c5e00 0.0% 0.1% 0.1%   ARP Thread
   -  - 1.3% 2.1% 2.2%   DATAPATH-0-1665
   -  - 4.7% 2.5% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285
PC Thread   5Sec 1Min 5Min   Process
0x564743c1c050   0x7f2cef4bbe80 0.0% 0.9% 0.9%   Unicorn Proxy Thread
0x564743a1b57b   0x7f2cef4bb000 0.0% 0.1% 0.2%
0x5647439821d6   0x7f2cef4bbae0 0.0% 0.1% 0.0%   snmp_master_callback_thread
0x564743982226   0x7f2cef4bb740 0.0% 0.1% 0.3%   snmp_client_callback_thread
0x5647421c5dd4   0x7f2cef4dc4e084.0%15.1%11.8%   Logger
   -  - 3.0% 2.3% 2.3%   DATAPATH-0-1665
   -  - 0.4% 2.3% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285
PC Thread   5Sec 1Min 5Min   Process
0x564743c1c050   0x7f2cef4bbe80 1.3% 1.0% 0.9%   Unicorn Proxy Thread
0x564743a1b57b   0x7f2cef4bb000 0.0% 0.1% 0.2%
0x564743982226   0x7f2cef4bb740 0.0% 0.1% 0.3%   snmp_client_callback_thread
0x5647421c5dd4   0x7f2cef4dc4e0 0.0%12.8%11.4%   Logger
0x56474221df82   0x7f2cef4bc5c0 0.1% 0.1% 0.1%   emweb/https
0x5647427c3cb6   0x7f2cef4c5e00 0.1% 0.0% 0.0%   ARP Thread
   -  - 2.2% 2.3% 2.3%   DATAPATH-0-1665
   -  - 2.4% 2.3% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero

Best,

-Lee


On Wed, Jun 5, 2024 at 2:22 PM Lee Starnes  wrote:

> Thank you for the link and info. Unfortunately I can't open a TAC case as
> this model (5516-X) is not under support. We have a 5508-X under contract,
> which is how we are able to get the firmware.
>
> I will check out the links. Thank you for your help.
>
> Best,
>
> -Lee
>
> On Wed, Jun 5, 2024 at 6:15 AM harbor235  wrote:
>
>> Here is an overall performance troubleshooting doc:
>>
>>
>> https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113185-asaperformance.html
>>
>> Mike
>>
>> On Wed, Jun 5, 2024 at 9:12 AM harbor235  wrote:
>>
>>> If you cannot open a TAC case I would look through your syslog messages
>>> looking for errors/criticals/warnings. Also look at all interfaces to ensure
>>> there are no input or output errors as well. After that I would verify
>>> traffic is hitting your box and is not an 
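
The Logger burst in this thread only shows in repeated 5-second samples; the 1-minute and 5-minute columns stay near 11%. As an added example that is not part of the thread, the Python below parses a series of pasted `show process cpu-usage non-zero` captures (the embedded sample is constructed from the four captures in this post, e-mail line wrapping included), tracks each process across captures and flags a short-lived hog whose 5-second usage dwarfs its 5-minute average; the spike and ratio thresholds are assumptions.

```python
"""Track per-process CPU across repeated ASA 'show process cpu-usage non-zero'
captures and flag short-lived hogs that the 1-minute/5-minute averages hide."""
import re
from collections import defaultdict

# One row is: PC, thread, three percentage fields, process name.  The ASA prints
# each percentage in a 5-character field, so a value of 10.0% or more runs
# straight into the thread address ("0x7f2cef4dc4e052.1%11.5%11.1%   Logger").
# Matching the three percentages as one group sidesteps that quirk.
ROW_RE = re.compile(
    r"(\d{1,3}\.\d)%\s*(\d{1,3}\.\d)%\s*(\d{1,3}\.\d)%(?:\s+(.*?))?\s*$")
SKIP_PREFIXES = ("Hardware:", "Cisco Adaptive", "ASLR", "PC ")

# Constructed from the four captures in the post above, trimmed to a few
# processes and keeping the e-mail line wrapping of two process names.
SAMPLE = """\
vpn-gw# sh proc cpu-usage non-zero
Hardware:   ASA5516
Cisco Adaptive Security Appliance Software Version 9.16(4)57
ASLR enabled, text region 56474105f000-564744cef285
PC Thread   5Sec 1Min 5Min   Process
0x564743c1c050   0x7f2cef4bbe80 1.0% 1.5% 1.0%
Unicorn Proxy Thread
0x5647421c5dd4   0x7f2cef4dc4e052.1%11.5%11.1%   Logger
0x5647427c3cb6   0x7f2cef4c5e00 0.0% 0.1% 0.1%   ARP
Thread
   -  - 0.8% 2.1% 2.2%   DATAPATH-0-1665
   -  - 2.6% 2.3% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
PC Thread   5Sec 1Min 5Min   Process
0x564743bf433f   0x7f2cef4bbe80 0.0% 1.2% 1.0%   Unicorn Proxy Thread
0x5647421c5dd4   0x7f2cef4dc4e064.1%12.7%11.3%   Logger
   -  - 1.3% 2.1% 2.2%   DATAPATH-0-1665
   -  - 4.7% 2.5% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
PC Thread   5Sec 1Min 5Min   Process
0x564743c1c050   0x7f2cef4bbe80 0.0% 0.9% 0.9%   Unicorn Proxy Thread
0x5647421c5dd4   0x7f2cef4dc4e084.0%15.1%11.8%   Logger
   -  - 3.0% 2.3% 2.3%   DATAPATH-0-1665
   -  - 0.4% 2.3% 2.4%   DATAPATH-1-1666
vpn-gw# sh proc cpu-usage non-zero
PC Thread   5Sec 1Min 5Min   Process
0x564743c1c050   0x7f2cef4bbe80 1.3% 1.0% 0.9%   Unicorn Proxy Thread
0x5647421c5dd4   0x7f2cef4dc4e0 0.0%12.8%11.4%   Logger
   -  - 2.2% 2.3% 2.3%   DATAPATH-0-1665
   -  - 2.4% 2.3% 2.4%   DATAPATH-1-1666
"""


def parse_samples(text):
    """Return one dict per capture: process name -> (5sec, 1min, 5min).
    A CLI prompt starts a new capture.  A line that is neither a row nor a
    header is a process name wrapped onto the next line by the mail client
    and is appended to the previous row's name."""
    captures, rows, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        if "# sh" in line:              # prompt: a new capture begins
            rows = []
            captures.append(rows)
            last = None
            continue
        if rows is None:                # text before the first prompt
            continue
        m = ROW_RE.search(line)
        if m is None:
            if last is not None:        # continuation of a wrapped name
                last[0] = (last[0] + " " + line).strip()
            continue
        s5, m1, m5 = (float(m.group(i)) for i in (1, 2, 3))
        last = [m.group(4) or "", (s5, m1, m5)]
        rows.append(last)
    return [{name or "(unnamed)": vals for name, vals in rs} for rs in captures]


def find_bursty(samples, spike=25.0, ratio=3.0):
    """Processes whose 5-second usage reached `spike` percent in a capture while
    being at least `ratio` times their 5-minute average there: the Logger
    signature in the thread (52%, 64%, 84% for seconds, ~11% over five minutes).
    Thresholds are assumptions, not ASA defaults."""
    hits = defaultdict(list)
    for i, sample in enumerate(samples):
        for name, (s5, _m1, m5) in sample.items():
            if s5 >= spike and s5 >= ratio * max(m5, 0.1):
                hits[name].append((i, s5, m5))
    return dict(hits)


def trajectory(samples, name):
    """5-second CPU of `name` in each capture, None where it was absent."""
    return [s.get(name, (None,))[0] for s in samples]


if __name__ == "__main__":
    parsed = parse_samples(SAMPLE)
    for proc, hits in find_bursty(parsed).items():
        print(proc, trajectory(parsed, proc), hits)
```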

[c-nsp] Cisco ASA5516-x DATAPATH-0-1648 and DATAPATH-0-1648 CPU hog

2024-06-04 Thread Lee Starnes via cisco-nsp
Hello Everyone,

I have an odd issue I am trying to track down. We are seeing an issue whereby
traffic just "pauses" through the ASA for about 2-4 seconds before resuming.

We started seeing this when the device was low on memory (about 600M
available). We rebooted it and did a firmware update to the current version.

Still seeing this behavior.

After another reboot, still seeing this.

Process:  DATAPATH-0-1665, PROC_PC_TOTAL: 407, MAXHOG: 10, LASTHOG: 5
MAXHOG At:15:31:54 PDT Jun 4 2024
LASTHOG At:   15:37:48 PDT Jun 4 2024
PC:   0x (suspend)

Process:  DATAPATH-0-1665, NUMHOG: 385, MAXHOG: 10, LASTHOG: 5
MAXHOG At:15:31:54 PDT Jun 4 2024
LASTHOG At:   15:37:48 PDT Jun 4 2024
PC:   0x (suspend)
Call stack:   0x564741c98c49  0x564742188996  0x5647436c2d28
  0x5647436d2abc  0x5647436e2ae0  0x7f2d2067bff5
  0x7f2d1f88416f


Process:  DATAPATH-1-1666, PROC_PC_TOTAL: 402, MAXHOG: 12, LASTHOG: 5
MAXHOG At:15:31:48 PDT Jun 4 2024
LASTHOG At:   15:37:41 PDT Jun 4 2024
PC:   0x (suspend)

Process:  DATAPATH-1-1666, NUMHOG: 376, MAXHOG: 12, LASTHOG: 5
MAXHOG At:15:31:48 PDT Jun 4 2024
LASTHOG At:   15:37:41 PDT Jun 4 2024
PC:   0x (suspend)
Call stack:   0x564741c98c49  0x564742188996  0x5647436c2d28
  0x5647436d2abc  0x5647436e2ae0  0x7f2d2067bff5
  0x7f2d1f88416f



I did disable logging flash-bufferwrap to stop it from writing to flash.
The logging process stopped using 29% CPU, but still the issue persists.

Anyone got any ideas on what the cause is and how to resolve it?

Best,

-Lee
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] vPC members use identical virtual addresses without HSRP

2024-04-21 Thread Michael Lee via cisco-nsp
Cisco supports VRRP as well.

Sent from my iPhone

> On Apr 18, 2024, at 10:08 PM, Chen Jiang via cisco-nsp 
>  wrote:
> 
> Hi! Experts
> 
> I wonder if Cisco supports vPC members using identical virtual addresses as
> the host's layer 3 gateway?
> 
> Just like Arista or Juniper,
> 
> Arista for example:
> ...
> interface Vlan100
>   vrf v101
>   ip address virtual 192.168.100.254/24
> interface Vlan101
>   vrf v101
>   ip address virtual 192.168.101.254/24
> ...
> 
> From the Cisco document it seems all examples use HSRP and it needs to
> occupy 3 IP addresses.
> 
> Thanks for your help.
> 
> --
> BR!
> 
> 
> 
>   James Chen


[c-nsp] Cisco IOS switch SSH connections not working

2023-02-13 Thread Lee Starnes via cisco-nsp
Hello everyone,

We started seeing an issue starting at 1:45am Sunday whereby we can no
longer connect to one of our switches via SSH. All the normal functions
seem fine, just can't get onto the switch.

When trying to connect to it, the session just hangs for about 30 seconds
and then says connection timed out. No login prompt.

So I did a little troubleshooting and I am not seeing the attempts even
make it to the ACL. No logs of failed or attempted connections.
Additionally, there are no active ssh or any vty sessions.

So then just to get the switch to restart ssh, I generated a new rsa key.
It stopped and restarted ssh, but nothing.

So I attempted to just remove the ACL and try. Still nothing. Lastly, I
enabled telnet and tried to connect via telnet. Still nothing. I really
don't want to restart the switch if there is any other way to resolve this.

Anyone have any suggestions?

This is a 6509-e with dual SUPs, so possible to fail over to the other SUP,
but that also carries downtime with it as it causes the OSPF and BGP
sessions to reset.

Nothing in the logs either other than the last successful SSH alive check
from nagios.

Best,

-Lee


[c-nsp] Nexus 9k reserved vlans and MST

2022-11-09 Thread Wayne Lee via cisco-nsp
Hello

We have several Nexus 9K's which we have changed the system reserved
vlans from the default to 3600-3727. We now have a requirement to
migrate to MST.

The Cisco docs state “You cannot map VLANs 3968 to 4095 to an MST
instance. These VLANs are reserved for internal use by the device.”

The doc does not mention if those vlans can be used for MST if they
are no longer reserved. As a test I created the below MST config
but have not enabled MST yet.


spanning-tree mst configuration
name TEST-MST
revision 1
instance 1 vlan 2-3599
instance 2 vlan 3729-4092
exit
end

I didn't see any errors but as MST is not actually enabled yet I'm not
convinced so I tried the below by adding in vlan 3601 which is part of
the currently reserved vlans.

spanning-tree mst configuration
name TEST-MST
revision 1
instance 1 vlan 2-3599
instance 2 vlan 3729-4092
instance 3 vlan 3601
exit
end

Again I don't see any errors when I expected to by using a known reserved vlan.

Has anybody changed the system reserved vlans and enabled vlans 3968
and above in MST?

The current RSTP setup is working well with the reserved vlans but the
rack switches are reaching the RSTP limit (128).

Thanks


[c-nsp] ASR9010 fan tray upgrade

2021-06-28 Thread Lee Starnes
Hello everyone,

I have some ASR9010 chassis that are getting upgraded fan trays from v1 to
v2. My question is to upgrade these, is it possible to pull one and replace
it and then pull the other and replace or will the system have issues with
mixed fan trays during that short period?

If it can't be swapped 1 at a time, will the chassis need to shut down to
swap both or will the chassis continue to run for the 30 - 60 seconds it
takes to swap the new ones in?

Best,

-Lee


Re: [c-nsp] [External] Cisco 6509-E SSH and Telnet not allowing connections

2021-02-27 Thread Lee Starnes
Hello Hunter,

It does respond to ping and all other functions are working including
responding to SNMP RO and RW.

-Lee

On Sat, Feb 27, 2021 at 12:31 PM Hunter Fuller  wrote:

> I have no idea, but just curious, does the box respond to other
> control plane traffic from outside, like pings?
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering
>
> On Sat, Feb 27, 2021 at 1:05 PM Lee Starnes 
> wrote:
> >
> > Hello all,
> >
> > Ran into an issue that I can't seem to resolve and really don't want to
> > reboot the chassis. Have 1 of our 6509-e units that has decided it is not
> > going to allow connections to it via ssh or telnet. I can get access via
> > console. When trying to connect, you do not get connection refused. You
> > just hang for several seconds before getting a connection timed out
> > message.
> >
> > On the switch, I show no connection attempts.
> >
> > A check to see if the ssh server is running and have any connections
> shows
> > normal.
> > #sh ip ssh
> > SSH Enabled - version 1.99
> > Authentication timeout: 120 secs; Authentication retries: 3
> > #sh ssh
> > %No SSHv1 server connections running.
> > %No SSHv2 server connections running.
> >
> > Doing debugs, I see nothing show up for connection attempts. Also if I
> > attempt to connect to itself from itself it also just hangs before
> getting
> > a connection timed out message. I would expect the normal response of
> > connection refused when trying to connect to itself.
> >
> > There is an ACL in place on the VTY lines and even removing that, still
> > gets the same results. I have removed the input transport on the vty
> lines
> > and then re-added them.
> >
> > Is there anything else I can try before having to reboot/switch to the
> > standby SUP?
> >
> > This was all working normally until sometime around 4am. and nothing was
> > logged before or after the issue started other than my login via console
> > and various changes/commands issued in an attempt to debug/resolve this
> > issue.
> >
> > Any help would be greatly appreciated.
> >
> > -Lee


Re: [c-nsp] Cisco 6509-E SSH and Telnet not allowing connections

2021-02-27 Thread Lee Starnes
Hi Lukas,

Thanks for the reply. So sh users lists none. sh line lists all 16.

#sh line sum
0: U---    ?


   1 character mode users.   (U)
  13 lines never used(?)
   1 total lines in use,0 not authenticated (lowercase)

Tried to remove the vty config and add them back. No joy.

Best,

-Lee

On Sat, Feb 27, 2021 at 12:58 PM Lukas Tribus  wrote:

> Hello,
>
>
> On Sat, 27 Feb 2021 at 20:03, Lee Starnes  wrote:
> >
> > Hello all,
> >
> > Ran into an issue that I can't seem to resolve and really don't want to
> > reboot the chassis. Have 1 of our 6509-e units that has decided it is not
> > going to allow connections to it via ssh or telnet. I can get access via
> > console. When trying to connect, you do not get connection refused. You
> > just hang for several seconds before getting a connection timed out
> > message.
> >
> > On the switch, I show no connection attempts.
> >
> > A check to see if the ssh server is running and have any connections
> shows
> > normal.
> > #sh ip ssh
> > SSH Enabled - version 1.99
> > Authentication timeout: 120 secs; Authentication retries: 3
> > #sh ssh
> > %No SSHv1 server connections running.
> > %No SSHv2 server connections running.
> >
> > Doing debugs, I see nothing show up for connection attempts. Also if I
> > attempt to connect to itself from itself it also just hangs before
> getting
> > a connection timed out message. I would expect the normal response of
> > connection refused when trying to connect to itself.
> >
> > There is an ACL in place on the VTY lines and even removing that, still
> > gets the same results. I have removed the input transport on the vty
> lines
> > and then re-added them.
> >
> > Is there anything else I can try before having to reboot/switch to the
> > standby SUP?
> >
> > This was all working normally until sometime around 4am. and nothing was
> > logged before or after the issue started other than my login via console
> > and various changes/commands issued in an attempt to debug/resolve this
> > issue.
>
> show users
> show line
> show line summary
> show tcp brief | inc \.23 |\.22 ||Foreign
>
> How many VTY lines are actually configured?
>
> I'm thinking about hung VTY sessions. Use "clear line ..." and "clear
> tcp tcb ..." to kill orphan sessions and TCP connections. You can also
> try raising the number of VTY lines.
>
>
>
> > There is an ACL in place on the VTY lines and even removing that, still
> > gets the same results. I have removed the input transport on the vty
> lines
> > and then re-added them.
>
> Instead of removing and adding "input transport" again, try removing
> the line vty section (in its entirety), and reconfigure it from
> scratch.
>
>
>
> Lukas
>


[c-nsp] Cisco 6509-E SSH and Telnet not allowing connections

2021-02-27 Thread Lee Starnes
Hello all,

Ran into an issue that I can't seem to resolve and really don't want to
reboot the chassis. Have 1 of our 6509-e units that has decided it is not
going to allow connections to it via ssh or telnet. I can get access via
console. When trying to connect, you do not get connection refused. You
just hang for several seconds before getting a connection timed out
message.

On the switch, I show no connection attempts.

A check to see if the ssh server is running and have any connections shows
normal.
#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
#sh ssh
%No SSHv1 server connections running.
%No SSHv2 server connections running.

Doing debugs, I see nothing show up for connection attempts. Also if I
attempt to connect to itself from itself it also just hangs before getting
a connection timed out message. I would expect the normal response of
connection refused when trying to connect to itself.

There is an ACL in place on the VTY lines and even removing that, still
gets the same results. I have removed the input transport on the vty lines
and then re-added them.

Is there anything else I can try before having to reboot/switch to the
standby SUP?

This was all working normally until sometime around 4am. and nothing was
logged before or after the issue started other than my login via console
and various changes/commands issued in an attempt to debug/resolve this
issue.

Any help would be greatly appreciated.

-Lee


[c-nsp] ASR9010 and monitor port

2020-12-04 Thread Lee Starnes
Hello Everyone,

We have an issue we are trying to track down with an IPv6 BGP peer. The
session resets randomly sometimes 4-5 times a day and sometimes doesn't
reset for several days. We are trying to run a monitor session to mirror
the traffic of the port to another port for the purposes of capturing it
with TCPDUMP.

The problem we are running into is that it seems that it is not mirroring
the egress BGP traffic on the port. Additionally, it would seem that we are
not able to see two way traffic. If we specify ingress ACL, we see the BGP
traffic. If we specify ingress and egress ACLs, we get no traffic. If we
specify egress we see no BGP traffic. Below is what we are using to mirror
this traffic. Is there something that is being done wrong or is this
something that does not mirror both directions at the same time? Not sure
why if we set to only do egress, it does not see BGP traffic. We tested
this by setting the ACL to capture all IPv6 traffic and there was no BGP
traffic.

Best regards,

Lee

monitor-session TEST ethernet
 destination interface TenGigE0/0/1/1

ipv6 access-list span
 10 permit ipv6 host 2001:xxx:::212 host 2001:xxx:::213 capture
 15 permit ipv6 host 2001:xxx:::213 host 2001:xxx:::212 capture
 20 permit ipv6 any any

interface TenGigE0/0/1/0
 description COX 10G Circuit ID:
 ipv4 address X.X.X.X
 ipv6 address 2001:xxx:::213/127
 monitor-session TEST ethernet
  acl
 !
 load-interval 30
 flow ipv4 monitor NFAmonitor sampler NFAsampler ingress
 flow ipv4 monitor NFAmonitor sampler NFAsampler egress
 flow ipv6 monitor NFAmonitorIPv6 sampler NFAsampler ingress
 flow ipv6 monitor NFAmonitorIPv6 sampler NFAsampler egress
 ipv6 access-group span ingress
 ipv6 access-group span egress
!


Re: [c-nsp] 6509 w/SUP720-3BXL and high CPU load

2020-03-20 Thread Lee Starnes
Hello Nathan,

So what I find interesting is that a process that shows 13% CPU is actually
using 60% CPU. Using a "show proc cpu sorted 5sec" I was able to see that
SNMP was coming up with 13 and 15% CPU on the process when this is going on
(all the time), but on the other switches, that would only appear once for
about 5 seconds and then go away, leaving a brief spike and then a drop back to
normal CPU load. So I started to investigate, and the machine that was
hitting it with 25K packets each time was our machine that runs MRTG. A
little research into that and found that the config for this switch was old
and had some interfaces that were not in the chassis anymore and missing
some that were new in the chassis. Rebuilt that and the issue resolved.
Packets went from 25K to 746 and completed its poll of the interfaces
within 5-7 seconds.

Thanks for the response.

-Lee


On Thu, Mar 19, 2020 at 11:39 AM Nathan Lannine 
wrote:

>
>> First thing I'd try is to capture punted packets.
>>
>> Per the document the you linked, I've found netdr or cpu span to be
> helpful in this regard.  That community post pretty much mirrors an
> official doc on the same topic.  I think the last time I saw something like
> this it was some kind of link local IPv6 stuff.  Either way, it would be
> nice to know what you find the problem to be.
>
> Thank you,
> Nathan
>


Re: [c-nsp] 6509 w/SUP720-3BXL and high CPU load

2020-03-20 Thread Lee Starnes
Hello Gert,

Thanks for the reply. All come up false. I did finally track it down to
mrtg hitting it with 25K packet requests with some old interfaces that were
in its config that are not in the chassis anymore. Once re-created this,
the issue resolved.

-Lee


On Thu, Mar 19, 2020 at 12:00 PM Gert Doering  wrote:

> Hi,
>
> On Thu, Mar 19, 2020 at 10:28:58AM -0700, Lee Starnes wrote:
> > We are seeing on one of our 6509 chassis high CPU load (50-90%). We are
> not
>
> As ytti said, you're software switching.
>
> Are you carrying full tables, and have hit MLS CEF limits?
>
> ("show mls cef exception status")
>
> If this is showing "TRUE", you've hit "too many prefixes" and need to
> reduce the number of routes this box sees, and then reload (no way to
> normalize without reboot).
>
> If this is showing all FALSE, something else is causing software
> switching.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>


Re: [c-nsp] 6509 w/SUP720-3BXL and high CPU load

2020-03-20 Thread Lee Starnes
Hello Ytti,

Looks like the 6509 does not have the show platform cap. It only has show
platform buffers. But I did find that this was an issue with SNMP. Thanks
for the pointers.

-Lee

On Thu, Mar 19, 2020 at 11:22 AM Saku Ytti  wrote:

> On Thu, 19 Mar 2020 at 19:33, Lee Starnes  wrote:
>
>
> > CPU on 6509b: CPU utilization for five seconds: 62%/22%; one minute: 42%;
> > five minutes: 42%
>
> The 2nd number is I/O, so you're software switching something. What
> and why may be complex to answer and my 7600 memories seem to be
> ethanol soluble.
>
> First thing I'd try is to capture punted packets.
>
> show plat cap buffer asic pinnacle slot N port 4 direction out priority lo
> show plat cap buffer collect for 5
> show plat cap buffer data filt
> show plat cap buffer data sample X
>
> N == your SUP slot
> 4 is direction out (out from fabric to rp).
>
>  Then look something which shouldn't have been punted, and look at
> that prefix in mls cef.
>
> --
>   ++ytti
>


[c-nsp] 6509 w/SUP720-3BXL and high CPU load

2020-03-19 Thread Lee Starnes
Hello,

We are seeing on one of our 6509 chassis high CPU load (50-90%). We are not
seeing this on our other chassis and they are all optioned the same. The
one difference is that this chassis is sending traffic on one incoming
10gig interface out to another 6509 where that traffic is destined to hit
its gateway and then out to the internet.

Simple diagram is below.

10G serverB - 6509b - 6509a - asr9000 - internet
10G serverA - 6509a - asr9000 - internet

While I know this is not ideal, it is what it is until B server can get
moved to a different vlan. The issue is that 6509b has got high CPU load of
50-90% while 6509a has CPU load of 4%.

Traffic from server B is about 4.8G and traffic from server B is about 5G.

I have gone through the troubleshooting high CPU load on sup720 document
here:
https://community.cisco.com/t5/networking-documents/troubleshooting-high-cpu-on-a-6500-with-sup720/ta-p/3126932

and every time I find something that gives me that Ah-ha moment, I check it
on the other switch and see that it is the same or higher as to ACL usage
or other items.

So my question is, what is the best way to track down what this high CPU
load is?

CPU on 6509b: CPU utilization for five seconds: 62%/22%; one minute: 42%;
five minutes: 42%
CPU on 6509a: CPU utilization for five seconds: 3%/1%; one minute: 14%;
five minutes: 14%

Any help would be greatly appreciated. Pulling my hair out trying to figure
out why.

Thanks,

-Lee


Re: [c-nsp] ASR9K XR 6.4.2 and SNMP monitoring

2019-12-18 Thread Lee Starnes
Hello Bruce,

I did check out both the alarm and environment MIBs and none of the OIDs in
them come back as valid. In fact, a walk of those enterprise OIDs results
in no such object on this agent.

Best,

-Lee

On Tue, Dec 17, 2019 at 2:44 PM Bruce Pinsky  wrote:

> On 12/17/2019 2:30 PM, Lee Starnes wrote:
> > Hello everyone,
> >
> > I am trying to find out if there is a way to monitor the CRIT, MAJ, MIN
> and
> > Fail alarms via SNMP. I read through a boatload of documentation on SNMP
> > monitoring for the ASR but was not able to find anything on these
> alarms. I
> > want to poll the system for status, bit trap send them.
> >
> > Does anyone know if this is possible?
> > These are the alarms we are looking for,
> > #sh environment leds
> > Tue Dec 17 14:25:26.016 PST
> > R/S/I           Modules         LED             Status
> > 0/RSP0/*
> >                 host            Critical-Alarm  Off
> >                 host            Major-Alarm     Off
> >                 host            Minor-Alarm     Off
> >                 host            ACO             Off
> >                 host            Fail            Off
> > 0/RSP1/*
> >                 host            Critical-Alarm  Off
> >                 host            Major-Alarm     Off
> >                 host            Minor-Alarm     Off
> >                 host            ACO             Off
> >                 host            Fail            Off
> >
>
> Have you looked at the Entity Alarm MIB?
>
> ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENTITY-ALARM-MIB.my
>
> Full list of ASR1K MIBs here
> ftp://ftp.cisco.com/pub/mibs/supportlists/asr1000/asr1000-supportlist.html
>
> --
> =
> bep
>
>
>


[c-nsp] ASR9K XR 6.4.2 and SNMP monitoring

2019-12-17 Thread Lee Starnes
Hello everyone,

I am trying to find out if there is a way to monitor the CRIT, MAJ, MIN and
Fail alarms via SNMP. I read through a boatload of documentation on SNMP
monitoring for the ASR but was not able to find anything on these alarms. I
want to poll the system for status, bit trap send them.

Does anyone know if this is possible?
These are the alarms we are looking for,
#sh environment leds
Tue Dec 17 14:25:26.016 PST
R/S/I           Modules         LED             Status
0/RSP0/*
                host            Critical-Alarm  Off
                host            Major-Alarm     Off
                host            Minor-Alarm     Off
                host            ACO             Off
                host            Fail            Off
0/RSP1/*
                host            Critical-Alarm  Off
                host            Major-Alarm     Off
                host            Minor-Alarm     Off
                host            ACO             Off
                host            Fail            Off

Best,

-Lee


Re: [c-nsp] 6509 SUP720 ROMMON upgrade troubles

2019-02-26 Thread Lee Starnes
Thank you Ron. That was exactly what it was. First time I have run into
needing to replace a battery on any Cisco blades. Makes me wonder if I have
failed batteries in chassis that have been in service for 4+ years.

Thanks again for your help.

-Lee

On Sat, Feb 23, 2019 at 5:36 PM Ron M.  wrote:

> You might check the little CMOS battery on the left side of the MSFC3.
> I've run into NVRAM corruption issues that generally revolve around that
> battery being low/dead. It's definitely replaceable, I've done that a
> couple times already.
>
> On Fri, Feb 22, 2019 at 5:50 PM Lee Starnes 
> wrote:
>
>> Hello,
>>
>> I have a SUP720-3BXL that is running ROMMON 8.1 and am trying to upgrade
>> to
>> 8.5(3). I have gone through the upgrade steps, and upon reload it retains
>> the correct version. However, if I power cycle the chassis, it reverts
>> back
>> to 8.1 and lands in ROMMON.
>>
>> If I boot the OS and do an *upgrade rom slot 6 pref region1* and
>> then reload, version 8.5(3) ROMMON is now active again. But again if I
>> power cycle, it goes away. Is there something that I am doing wrong?
>>
>> In all cases, it always drops into ROMMON on boot and I have to issue
>> boot to get it to boot. However if I insert a different SUP of the
>> same model with the upgraded ROMMON, the chassis boots fine.


[c-nsp] 6509 SUP720 ROMMON upgrade troubles

2019-02-22 Thread Lee Starnes
Hello,

I have a SUP720-3BXL that is running ROMMON 8.1 and am trying to upgrade to
8.5(3). I have gone through the upgrade steps, and upon reload it retains
the correct version. However, if I power cycle the chassis, it reverts back
to 8.1 and lands in ROMMON.

If I boot the OS and do an *upgrade rom slot 6 pref region1* and
then reload, version 8.5(3) ROMMON is now active again. But again if I
power cycle, it goes away. Is there something that I am doing wrong?

In all cases, it always drops into ROMMON on boot and I have to issue
boot to get it to boot. However if I insert a different SUP of the
same model with the upgraded ROMMON, the chassis boots fine.


[c-nsp] PBR or ABF on XR for 12000 series

2019-02-15 Thread Lee Starnes
Hello all,

I have a need to be able to do policy based routing for next hop set, but
can't find anything that works in XR. We presently are doing this with VRFs
but need to move away from the VRFs because this causes the ipv6_io to
crash over and over when doing this for IPv6 traffic. Are there any options
on the 12000 besides the VRFs?

This is on a 12410 chassis.


LC/0/2/CPU0:Feb 15 13:23:18.287 : dumper[52]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:23:18.300 : dumper[52]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-SIGSEGV : Thread 4 received SIGSEGV - Segmentation Fault
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-SIGSEGV_INFO : Accessed BadAddr 0x7c479003 at PC 0x7831e254. Signal code 1 - SEGV_MAPPER. Address not mapped.
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 6045792 (pkg/bin/ipv6_io)


Thanks in advance,

-Lee
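The dumper lines above are the kind of event an operations team wants an alert on rather than a log-grep after the fact. The following is an added example, not Cisco code: it reassembles the DUMP_REQUEST / SIGSEGV / SIGSEGV_INFO / CRASH_INFO sequence emitted by the IOS XR `dumper` process into one crash event per process, and flags a process that crashes repeatedly on the same node, which is what the post describes for ipv6_io. The first five sample lines are the ones posted (rejoined where the mail client wrapped them); the second crash, its timestamp and its pid are constructed to exercise the repeat detection. Timestamps carry no year, so 1900 is assumed for ordering only.

```python
"""Reassemble IOS XR dumper syslog lines into crash events and flag repeat offenders.

Added example, not Cisco code.  Sample lines 1-5 are from the thread (wrapped
lines rejoined); the second crash (13:29:02, pid 6049999) is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
LC/0/2/CPU0:Feb 15 13:23:18.287 : dumper[52]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:23:18.300 : dumper[52]: %OS-DUMPER-7-DUMP_ATTRIBUTE : Dump request with attribute 7 for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-SIGSEGV : Thread 4 received SIGSEGV - Segmentation Fault
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-SIGSEGV_INFO : Accessed BadAddr 0x7c479003 at PC 0x7831e254. Signal code 1 - SEGV_MAPPER. Address not mapped.
LC/0/2/CPU0:Feb 15 13:23:18.306 : dumper[52]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 6045792 (pkg/bin/ipv6_io)
LC/0/2/CPU0:Feb 15 13:29:02.110 : dumper[52]: %OS-DUMPER-7-DUMP_REQUEST : Dump request for process pkg/bin/ipv6_io
LC/0/2/CPU0:Feb 15 13:29:02.131 : dumper[52]: %OS-DUMPER-4-SIGSEGV : Thread 4 received SIGSEGV - Segmentation Fault
LC/0/2/CPU0:Feb 15 13:29:02.131 : dumper[52]: %OS-DUMPER-4-CRASH_INFO : Crashed pid = 6049999 (pkg/bin/ipv6_io)
"""

# node:timestamp : daemon[pid]: %FACILITY-SEVERITY-MNEMONIC : message
SYSLOG_RE = re.compile(
    r"^(?P<node>\S+?):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) : "
    r"(?P<daemon>\w+)\[\d+\]: %(?P<facility>[A-Z0-9]+-[A-Z0-9]+)-(?P<sev>\d)-"
    r"(?P<mnemonic>[A-Z0-9_]+) : (?P<msg>.*)$"
)
SIG_RE = re.compile(r"Thread (?P<thread>\d+) received (?P<signal>SIG[A-Z]+)")
ADDR_RE = re.compile(r"Accessed BadAddr (?P<bad>0x[0-9a-fA-F]+) at PC (?P<pc>0x[0-9a-fA-F]+)")
CRASH_RE = re.compile(r"Crashed pid = (?P<pid>\d+) \((?P<proc>\S+)\)")


@dataclass
class CrashEvent:
    node: str
    process: str
    pid: int
    when: datetime
    signal: Optional[str] = None
    thread: Optional[int] = None
    bad_addr: Optional[int] = None
    pc: Optional[int] = None


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None for lines in another format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    # no year in the timestamp: strptime defaults to 1900, good enough for ordering
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    return rec


def extract_crashes(lines: List[str]) -> List[CrashEvent]:
    """Fold the per-node dumper message sequence into one event per CRASH_INFO."""
    pending: Dict[str, dict] = {}      # node -> details gathered since DUMP_REQUEST
    events: List[CrashEvent] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["facility"] != "OS-DUMPER":
            continue
        state = pending.setdefault(rec["node"], {})
        msg, mnemonic = rec["msg"], rec["mnemonic"]
        if mnemonic == "DUMP_REQUEST":
            state.clear()                        # a new dump sequence starts
        elif mnemonic == "SIGSEGV":
            m = SIG_RE.search(msg)
            if m:
                state["signal"], state["thread"] = m["signal"], int(m["thread"])
        elif mnemonic == "SIGSEGV_INFO":
            m = ADDR_RE.search(msg)
            if m:
                state["bad_addr"], state["pc"] = int(m["bad"], 16), int(m["pc"], 16)
        elif mnemonic == "CRASH_INFO":
            m = CRASH_RE.search(msg)
            if m:
                events.append(CrashEvent(rec["node"], m["proc"], int(m["pid"]), rec["when"],
                                         state.get("signal"), state.get("thread"),
                                         state.get("bad_addr"), state.get("pc")))
            pending.pop(rec["node"], None)
    return events


def repeated_crashes(events: List[CrashEvent], min_count: int = 2,
                     window: timedelta = timedelta(minutes=15)) -> Dict[Tuple[str, str], int]:
    """(node, process) pairs that crashed at least min_count times inside one window."""
    by_key: Dict[Tuple[str, str], List[datetime]] = {}
    for e in events:
        by_key.setdefault((e.node, e.process), []).append(e.when)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):         # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    found = extract_crashes(SAMPLE_LOG.splitlines())
    for ev in found:
        print(f"{ev.node} {ev.process} pid={ev.pid} {ev.signal} badaddr={ev.bad_addr:#x}"
              if ev.bad_addr is not None else f"{ev.node} {ev.process} pid={ev.pid} {ev.signal}")
    print("repeat offenders:", repeated_crashes(found))
```

`repeated_crashes` is deliberately keyed on node and process rather than pid: each restart gets a new pid, and a crash loop is exactly the case where the same process name keeps coming back on the same line card.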


[c-nsp] Cisco ASA 5512x VPN to Cradlepoint

2018-12-18 Thread Lee Starnes
Hello All,

Does anyone have any good links on how to best setup an IPSec VPN tunnel
from an ASA to a Cradlepoint that is on an LTE connection with a Dynamic
IP? I have all the configuration for the Cradlepoint side done, but having
difficulty with the ASA side since the Cradlepoint is on a dynamic IP.

Best Regards,

Lee


[c-nsp] A9K-SIP-700 and SPA compatibility

2018-11-06 Thread Lee Starnes
Hello everyone. I am having difficulty in finding any documentation on
Cisco's site that would provide a compatibility matrix on what Cisco SPAs
are supported on the A9k-SIP-700. Trying to find out if we can use some
existing SPA-1x10GE-WL-V2 and SPA-1x10GE-L-V2 adapters in the SIP-700 in
the 9010 chassis with an RSP-440.

Does anyone have a link to a Cisco document that lists the SPAs supported
or know if these are supported?

Best regards,

-Lee


Re: [c-nsp] OSPF routing question

2018-07-18 Thread Lee Starnes
Thank you all for the distance change to 254. That resolved the issue.

On Tue, Jul 17, 2018 at 7:57 PM, Erik Sundberg wrote:

> Lee,
>
>
> Change the Floating static route to an administrative distance of 254, so
> it is higher than OSPF.
>
>
> router static
>  address-family ipv4 unicast
>  45.x.x.0/22 Null0 *254*
>
>
> When the route is learned via OSPF it will have a metric of 110 and the
> ospf route will be installed into the routing table.
>
> When the route is not learned via OSPF the floating static router on your
> Edge router will be active. This will still allow BGP to advertise the
> route.
>
>
>
> Also, if you don't want to advertise the floating static route to other
> devices in your network you can do the following.
>
> Add the tag 1 on the static route will stop it from being redistributed in
> your network.
>
>
> router static
>  address-family ipv4 unicast
>  45.x.x.0/22 Null0 254 *tag 1*
>
>
> router ospf 1
>  log adjacency changes
>  redistribute static* route-policy **IPV4-OSPF-REDIST-STATIC*
>
> *route-policy IPV4-OSPF-REDIST-STATIC*
>
> *  if tag eq 1 then *
> *drop*
> *  endif*
> *  done*
>
> If a static route has the tag of 1 it will not be redistributed into OSPF,
> so the rest of the network will not learn about the route.
>
>
> -
>
> Side note, most ISPs will only advertise their Loopback and Core
> "Circuits" IPs in their IGP.  They will run iBGP between all of their
> devices and allow BGP to redistribute the static and connected interfaces.
> BGP is also easier to manipulate routes on your network. Send me an email
> if you would like to know more.
>
> Here is an old but still very relevant power point on this.
>
> https://www.pacnog.org/pacnog2/track2/routing/a3-1up.pdf
>
> --
> *From:* cisco-nsp  on behalf of Lee
> Starnes 
> *Sent:* Tuesday, July 17, 2018 4:17:25 PM
> *To:* cisco-nsp@puck.nether.net
> *Subject:* [c-nsp] OSPF routing question
>
> Hello everyone,
>
> I have a question about OSPF route redistribution. We have no issues
> redistributing subnets in the network out of our /19 blocks. But we have a
> /22 block that the entire /22 is allocated to a single client. The routes
> redistribute across all the switches except back to the edge routers
> that announce them via BGP to our upstream carriers. This being because
> there are hold-down routes for the BGP on this of the same size IP block. Is
> there a way to allow the /22 block to propagate to the edge routers and
> still maintain the hold down routes we need to announce that /22 via BGP to
> our various upstream carriers?
>
> Edge routers are configured as such:
>
> router static
>  address-family ipv4 unicast
>  45.x.x.0/22 Null0 19
>
> router bgp ASNUMBER
> address-family ipv4 unicast
> network 45.x.x.0/22
>
>
> router ospf NUMBER
>  log adjacency changes
>  redistribute connected
>  redistribute static
>  area W.X.Y.Z
>   !
>   interface TenGigE0/3/0/0
>passive disable
>   !
>   interface TenGigE0/3/3/0
>passive disable
>   !
>
>
> Any ideas are greatly appreciated.
>
> -Lee
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
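The two mechanics in Erik's reply, distance and tag, are easy to check in a small model. What follows is an added example and not IOS XR code: it models RIB selection for the client /22 on an edge router (lowest administrative distance wins, OSPF at Cisco's default of 110) and the `if tag eq 1 then drop` route-policy that keeps the Null0 static out of OSPF. The prefix is written `45.x.x.0/22` exactly as in the thread; the OSPF next hop 192.0.2.1 is a constructed value. The original configuration (static at distance 19) and the corrected one (distance 254, tag 1) are both run through it.

```python
"""Model of floating-static vs. OSPF selection and tag-based redistribution
filtering from the thread.  Added example, not IOS XR code.
OSPF next hop 192.0.2.1 is constructed; the /22 is written as in the thread."""
from dataclasses import dataclass
from typing import List, Optional

OSPF_AD = 110                      # Cisco default administrative distance for OSPF
CLIENT_PREFIX = "45.x.x.0/22"


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str                  # "static" or "ospf"
    next_hop: str                  # "Null0" or a neighbour address
    distance: int                  # administrative distance
    tag: Optional[int] = None


def select_best(candidates: List[Route]) -> Optional[Route]:
    """RIB selection for one prefix: the lowest administrative distance is installed."""
    return min(candidates, key=lambda r: r.distance, default=None)


def redist_static_policy(statics: List[Route], drop_tag: int = 1) -> List[Route]:
    """route-policy IPV4-OSPF-REDIST-STATIC from the thread: tag 1 routes are dropped,
    everything else passes to OSPF."""
    return [r for r in statics if r.tag != drop_tag]


def edge_router_rib(static_distance: int, static_tag: Optional[int],
                    ospf_learned: bool) -> Optional[Route]:
    """Installed route for the client /22 on an edge router.

    The Null0 static is always configured so that `network 45.x.x.0/22` under
    BGP has something to originate; whether the OSPF copy beats it is decided
    purely by the two distances."""
    candidates = [Route(CLIENT_PREFIX, "static", "Null0", static_distance, static_tag)]
    if ospf_learned:
        candidates.append(Route(CLIENT_PREFIX, "ospf", "192.0.2.1", OSPF_AD))
    return select_best(candidates)


def bgp_can_originate(rib_route: Optional[Route], prefix: str = CLIENT_PREFIX) -> bool:
    """A BGP `network` statement only advertises a prefix that is present in the RIB."""
    return rib_route is not None and rib_route.prefix == prefix


if __name__ == "__main__":
    # Original config: static at 19 beats OSPF at 110 -> traffic for the /22 hits Null0.
    print("distance 19, OSPF present :", edge_router_rib(19, None, True))
    # Corrected config: OSPF wins when the route is learned, the static steps in when not.
    print("distance 254, OSPF present:", edge_router_rib(254, 1, True))
    print("distance 254, OSPF absent :", edge_router_rib(254, 1, False))
    # Tag 1 keeps the static itself out of OSPF on the edge router.
    print("redistributed statics     :",
          redist_static_policy([Route(CLIENT_PREFIX, "static", "Null0", 254, 1)]))
```

The model makes the failure mode in the original post explicit: with the static at distance 19, the RIB prefers it over the OSPF-learned copy, so the edge router never installs the real path even though every other switch does. Raising the static to 254 inverts that preference while still leaving a RIB entry for BGP to originate when OSPF has nothing.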


[c-nsp] OSPF routing question

2018-07-17 Thread Lee Starnes
Hello everyone,

I have a question about OSPF route redistribution. We have no issues
redistributing subnets in the network out of our /19 blocks. But we have a
/22 block that the entire /22 is allocated to a single client. The routes
redistribute across all the switches except back to the edge routers
that announce them via BGP to our upstream carriers. This being because
there are hold-down routes for the BGP on this of the same size IP block. Is
there a way to allow the /22 block to propagate to the edge routers and
still maintain the hold down routes we need to announce that /22 via BGP to
our various upstream carriers?

Edge routers are configured as such:

router static
 address-family ipv4 unicast
 45.x.x.0/22 Null0 19

router bgp ASNUMBER
address-family ipv4 unicast
network 45.x.x.0/22


router ospf NUMBER
 log adjacency changes
 redistribute connected
 redistribute static
 area W.X.Y.Z
  !
  interface TenGigE0/3/0/0
   passive disable
  !
  interface TenGigE0/3/3/0
   passive disable
  !


Any ideas are greatly appreciated.

-Lee


Re: [c-nsp] Nexus 7k Upgrade Path

2018-02-23 Thread Michael Lee
Sorry, memory served me wrong, should use long timeout, not short.

Sent from my iPhone

> On Feb 23, 2018, at 7:49 PM, Hunter Fuller <hf0...@uah.edu> wrote:
> 
> We were required to use long LACP timers for one upgrade. The show impact 
> command will tell all, in this regard. 
> 
> As Mike mentioned, if an stp change occurs it will rollback the ISSU. 
> 
>> On Fri, Feb 23, 2018 at 21:39 Michael Lee <fwis...@gmail.com> wrote:
>> Make sure to use short LACP timeout, no spanning-tree change during the upgrade
>> 
>> Also boot disk array status
>> 
>> Mike
>> 
>> Sent from my iPhone
>> 
>> > On Feb 23, 2018, at 4:16 PM, Hunter Fuller <hf0...@uah.edu> wrote:
>> >
>> > On Fri, Feb 23, 2018 at 8:06 AM Justin M. Streiner 
>> > <strei...@cluebyfour.org>
>> > wrote:
>> >
>> >> Vendors also sometimes conflate "ISSU" and "hitless", or their
>> >> documentation doesn't always make it clear that an ISSU carries the
>> >> potential of outages.
>> >
>> >
>> > For what it is worth - there is a NX-OS command for checking whether an
>> > ISSU will be hitless: "show install all impact ?" will show you what you
>> > need to know.
>> >
>> > We don't run much Nexus stuff, but we did upgrade our Nexus 7010 from
>> > version 4.something all the way to 7.2 with only ISSU. We had to do some
>> > careful planning, and some ISSU did fail, but the failure and rollback was
>> > just as hitless as the successes, and it told us what needed to be
>> > corrected for the future.
>> >
>> > So far so good, with this strategy. I am very surprised to hear people
>> > talking about their problems with the ISSU process. I could not be happier
>> > with it.
>> >
>> > # show system uptime
>> > System start time:  Sat Dec 20 17:54:34 2014
>> > System uptime:  1161 days, 4 hours, 36 minutes, 22 seconds
>> >
>> > --
>> >
>> > --
>> > Hunter Fuller
>> > Network Engineer
>> > VBH Annex B-5
>> > +1 256 824 5331
>> >
>> > Office of Information Technology
>> > The University of Alabama in Huntsville
>> > Systems and Infrastructure
>> > ___
>> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> -- 
> 
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure


Re: [c-nsp] Nexus 7k Upgrade Path

2018-02-23 Thread Michael Lee
Make sure to use short LACP timeout, no spanning-tree change during the upgrade

Also boot disk array status

Mike

Sent from my iPhone

> On Feb 23, 2018, at 4:16 PM, Hunter Fuller  wrote:
> 
> On Fri, Feb 23, 2018 at 8:06 AM Justin M. Streiner 
> wrote:
> 
>> Vendors also sometimes conflate "ISSU" and "hitless", or their
>> documentation doesn't always make it clear that an ISSU carries the
>> potential of outages.
> 
> 
> For what it is worth - there is a NX-OS command for checking whether an
> ISSU will be hitless: "show install all impact ?" will show you what you
> need to know.
> 
> We don't run much Nexus stuff, but we did upgrade our Nexus 7010 from
> version 4.something all the way to 7.2 with only ISSU. We had to do some
> careful planning, and some ISSU did fail, but the failure and rollback was
> just as hitless as the successes, and it told us what needed to be
> corrected for the future.
> 
> So far so good, with this strategy. I am very surprised to hear people
> talking about their problems with the ISSU process. I could not be happier
> with it.
> 
> # show system uptime
> System start time:  Sat Dec 20 17:54:34 2014
> System uptime:  1161 days, 4 hours, 36 minutes, 22 seconds
> 
> -- 
> 
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
> 
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Basic IP to Port finding question on Cisco 3850

2017-07-27 Thread Lee
On 7/26/17, Aaron Gould <aar...@gvtc.com> wrote:
> Are you talking about like this ?

does "show ip arp 10.101.15.21" work?
Lee

>
>
> 3750#sh ip arp vlan 4000
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.101.15.1           171   4055.3970.f265  ARPA   Vlan4000
> Internet  10.101.15.7           171   0cd5.02c0.cd4c  ARPA   Vlan4000
> Internet  10.101.15.16            -   0013.8039.eac1  ARPA   Vlan4000
> Internet  10.101.15.21          185   001c.5779.d841  ARPA   Vlan4000
>
> 3750#sh mac address-table dynamic | in 4055.3970.f265
> 4000    4055.3970.f265    DYNAMIC     Gi1/0/26
>
> -Aaron
>
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Scott Granados
> Sent: Wednesday, July 26, 2017 11:16 AM
> To: cisco-nsp <cisco-nsp@puck.nether.net>
> Subject: [c-nsp] Basic IP to Port finding question on Cisco 3850
>
> I think this is a basic question but Googling has not helped me much so I’m
> hopeful someone can shed the clue light on me a bit.
>
> I’m trying to find the specific port an IP address is attached to on a 3850
> in L3 mode with SVI interfaces.  SO for example if I do a show arp a.b.c.d
> I’ll get the MAC and the SVI attached.  If I do a show VLAN ID X I see the
> port members but there are many, let’s say 10 or more per VLAN.  Is there an
> easy way to detect which port either the IP is received on or the MAC
> address that is displayed in the show arp?  Everything I’m doing seems to
> show the SVI that’s in play but not the specific gig port that the device is
> attached to and mapped to the VLAN as a member.  This seems like the sort of
> thing that would be easy to figure out but I’m stumped.  Any pointers would
> be most appreciated.
>
> Thanks and sorry for such a rudimentary question.
>
> Scott
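The two-step lookup in Aaron's reply (ARP gives the MAC and the SVI, the MAC table gives the port) is tedious to do by hand across many hosts, and it has two edge cases worth handling: an ARP entry with age `-` is the switch's own SVI address, and a MAC learned on a port-channel or other inter-switch link means the host is behind another device. The following is an added example, not part of the thread or any Cisco tool: it parses the two `show` outputs and joins them. The ARP lines are the ones Aaron posted; the MAC-table rows other than the posted Gi1/0/26 entry are constructed.

```python
"""Join `show ip arp` to `show mac address-table` to find the port behind an IP.

Added example, not from the thread or Cisco.  ARP lines are the ones posted;
MAC-table rows other than 4055.3970.f265 -> Gi1/0/26 are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.101.15.1           171   4055.3970.f265  ARPA   Vlan4000
Internet  10.101.15.7           171   0cd5.02c0.cd4c  ARPA   Vlan4000
Internet  10.101.15.16            -   0013.8039.eac1  ARPA   Vlan4000
Internet  10.101.15.21          185   001c.5779.d841  ARPA   Vlan4000
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
4000    4055.3970.f265    DYNAMIC     Gi1/0/26
4000    001c.5779.d841    DYNAMIC     Gi1/0/3
4000    0cd5.02c0.cd4c    DYNAMIC     Po1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>" + MAC +
                    r")\s+ARPA\s+(?P<intf>\S+)")
MAC_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>" + MAC + r")\s+(?P<type>\w+)\s+(?P<port>\S+)")
SVI_RE = re.compile(r"^Vlan(?P<vlan>\d+)$")


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan: Optional[int]        # None when the ARP entry is not on an SVI
    local: bool                # age "-" means the switch's own interface address


@dataclass
class Location:
    ip: str
    mac: str
    vlan: Optional[int]
    port: Optional[str]
    note: str


def parse_arp(text: str) -> Dict[str, ArpEntry]:
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue                                   # header or unrelated line
        svi = SVI_RE.match(m["intf"])
        entries[m["ip"]] = ArpEntry(m["ip"], m["mac"].lower(),
                                    int(svi["vlan"]) if svi else None, m["age"] == "-")
    return entries


def parse_mac_table(text: str) -> Dict[Tuple[int, str], str]:
    """(vlan, mac) -> port.  Header and separator rows do not match the regex."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[(int(m["vlan"]), m["mac"].lower())] = m["port"]
    return table


def locate(ip: str, arp: Dict[str, ArpEntry], macs: Dict[Tuple[int, str], str]) -> Optional[Location]:
    """Answer the question from the thread: which port is this IP behind?"""
    entry = arp.get(ip)
    if entry is None:
        return None
    if entry.local:
        return Location(ip, entry.mac, entry.vlan, None, "address belongs to the switch's own SVI")
    port = macs.get((entry.vlan, entry.mac))
    if port is None:
        return Location(ip, entry.mac, entry.vlan, None,
                        "MAC not in the CAM table (aged out, or learned in another VLAN)")
    if port.startswith(("Po", "Port-channel")):
        note = "port-channel: host is probably behind another switch, repeat the lookup there"
    else:
        note = "access port"
    return Location(ip, entry.mac, entry.vlan, port, note)


if __name__ == "__main__":
    arp, macs = parse_arp(SHOW_IP_ARP), parse_mac_table(SHOW_MAC_TABLE)
    for host in ("10.101.15.1", "10.101.15.7", "10.101.15.16", "10.101.15.21"):
        print(locate(host, arp, macs))
```

On a real switch the two inputs would come from `show ip arp <ip>` and `show mac address-table dynamic | include <mac>`; the join key is (VLAN, MAC) rather than MAC alone, because the same address can legitimately be learned in several VLANs.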

Re: [c-nsp] Nexus OIDs

2017-03-14 Thread Lee
On 3/13/17, Paul Koch <paul.koch...@gmail.com> wrote:
> On Mon, 27 Feb 2017 14:05:24 -0500
> Lee <ler...@gmail.com> wrote:
>
>> ...
>> I can almost understand the people that insist on using OIDs instead
>> of names for polling, but not using names it makes it somewhere
>> between difficult & impossible to figure out from an snmpwalk which
>> mib variables one wants to look at.  The MIB files are here
>>   ftp://ftp.cisco.com/pub/mibs/v1/v1.tar.gz
>>   ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz
>
> Yer, OID numbers are "only" meant to be used under the hood.  People should
> really be using MIB module/object names.  Here's a useful list of oid
> numbers/module/object names from our MIB parser/compile.  It contains 3838
> MIBs and 465009 objects.
>
>  https://www.akips.com/downloads/akips_mibs.txt.gz

Sweet!  I'd get the Cisco OID files
  ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz
along with the v[12].tar.gz files and then create a master list:

$ cat create-oids-all.txt
delete everything in directory OIDs
unzip oid.tar.gz to OIDs
from a cygwin command prompt
  cd /cygdrive/c/ ..whatever.. /OIDs
  cat * | sort -k 2,2 -k 1 | uniq | awk '{printf("%-50s  %s\n", $1, $2) }' >| ../oids_all.txt
  unix2dos ../oids_all.txt

Not as extensive as your list, but an exact match for the mibs I just
downloaded.

Regards,
Lee


Re: [c-nsp] Nexus OIDs

2017-02-27 Thread Lee
On 2/27/17, Mike Hammett <cisco-...@ics-il.net> wrote:
> I apparently don't have oid2name on my system, nor can I figure out how to
> get it into Ubuntu 16.04.

Sorry - I forgot it's one of my aliases:
alias oid2name='snmptranslate $@'

> However...
>
> I got iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.12.3.1.3.1508

$ snmptranslate  iso.3.6.1.4.1.9.12.3.1.3.1508
CISCO-ENTITY-VENDORTYPE-OID-MIB::cevChassisN9KC9396PX

$ grep 1508 CISCO-ENTITY-VENDORTYPE-OID-MIB.my
cevChassisN9KC9396PX    OBJECT IDENTIFIER ::= { cevChassis 1508 } -- Cisco chassis for 2RU TOR, 48x10GF+12x40G QSFP


>
> iso.3.6.1.4.1.9.12.3.1.3.1508 = No Such Object available on this agent at
> this OID
>
> I poked around in some MIBs, but yeah, all I could find was the basic
> reference to each of what I posted, but up one level. I mean I know what it
> is by looking at the data, but I'm trying to do the legwork for the OSS_SNMP
> guys to be able follow a sort of chain of command to get to those results.

I can almost understand the people that insist on using OIDs instead
of names for polling, but not using names it makes it somewhere
between difficult & impossible to figure out from an snmpwalk which
mib variables one wants to look at.  The MIB files are here
  ftp://ftp.cisco.com/pub/mibs/v1/v1.tar.gz
  ftp://ftp.cisco.com/pub/mibs/v2/v2.tar.gz

Regards,
Lee

> Then again, maybe Cisco doesn't support that.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> - Original Message -
>
> From: "Lee" <ler...@gmail.com>
> To: "Mike Hammett" <cisco-...@ics-il.net>
> Cc: cisco-nsp@puck.nether.net
> Sent: Monday, February 27, 2017 11:35:59 AM
> Subject: Re: [c-nsp] Nexus OIDs
>
> what does this get you
> snmpget  .1.3.6.1.2.1.1.2.0
>
> $ oid2name .1.3.6.1.2.1.1.2.0
> RFC1213-MIB::sysObjectID.0
>
> from the mib:
> sysObjectID OBJECT-TYPE
> SYNTAX OBJECT IDENTIFIER
> ACCESS read-only
> STATUS mandatory
> DESCRIPTION
> "The vendor's authoritative identification of the
> network management subsystem contained in the
> entity. This value is allocated within the SMI
> enterprises subtree (1.3.6.1.4.1) and provides an
> easy and unambiguous means for determining `what
> kind of box' is being managed. For example, if
> vendor `Flintstones, Inc.' was assigned the
> subtree 1.3.6.1.4.1.4242, it could assign the
> identifier 1.3.6.1.4.1.4242.1.1 to its `Fred
> Router'."
> ::= { system 2 }
>
>
> everything you listed is in the entity mib, which is a bit of a pain
> to figure out
>
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.2.149
> ENTITY-MIB::entPhysicalDescr.149
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.7.149
> ENTITY-MIB::entPhysicalName.149
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.10
> ENTITY-MIB::entPhysicalModelName.10
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.22
> ENTITY-MIB::entPhysicalModelName.22
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.149
> ENTITY-MIB::entPhysicalModelName.149
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.10
> ENTITY-MIB::entPhysicalSerialNum.10
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.22
> ENTITY-MIB::entPhysicalSerialNum.22
> + snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.149
> ENTITY-MIB::entPhysicalSerialNum.149
>
> Regards,
> Lee
>
>
> On 2/27/17, Mike Hammett <cisco-...@ics-il.net> wrote:
>> I did an SNMPWalk of two of my Nexus switches looking for what has the
>> model
>> and serial numbers. I found several, sometimes with slightly different
>> information. The MIBs on Cisco's site don't go down this far either. I was
>>
>> wondering if someone could point me as to the differences among them
>> and\or
>> which one would be "more standard" across product lines.
>>
>> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "Nexus 3548 Chassis"
>> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "Nexus 3548 Chassis"
>> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N3K-C3548P-10GX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N3K-C3548P-10GX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N3K-C3548P-10GX"
>> iso.3.6.1.2.1.47.1.1.1.1.11.10 = STRING: "[redacted]"
>> iso.3.6.1.2.1.47.1.1.1.1.11.149 = STRING: "[redacted]"
>>
>>
>>
>> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "N9K-C9396PX"
>> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "N9K-C9396PX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N9K-C9396PX"
>> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N9K-C9396PX"
>> iso.

Re: [c-nsp] Nexus OIDs

2017-02-27 Thread Lee
what does this get you
snmpget  .1.3.6.1.2.1.1.2.0

$ oid2name .1.3.6.1.2.1.1.2.0
RFC1213-MIB::sysObjectID.0

from the mib:
 sysObjectID OBJECT-TYPE
 SYNTAX  OBJECT IDENTIFIER
 ACCESS  read-only
 STATUS  mandatory
 DESCRIPTION
 "The vendor's authoritative identification of the
 network management subsystem contained in the
 entity.  This value is allocated within the SMI
 enterprises subtree (1.3.6.1.4.1) and provides an
 easy and unambiguous means for determining `what
 kind of box' is being managed.  For example, if
 vendor `Flintstones, Inc.' was assigned the
 subtree 1.3.6.1.4.1.4242, it could assign the
 identifier 1.3.6.1.4.1.4242.1.1 to its `Fred
 Router'."
 ::= { system 2 }


everything you listed is in the entity mib, which is a bit of a pain
to figure out

+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.2.149
ENTITY-MIB::entPhysicalDescr.149
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.7.149
ENTITY-MIB::entPhysicalName.149
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.10
ENTITY-MIB::entPhysicalModelName.10
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.22
ENTITY-MIB::entPhysicalModelName.22
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.13.149
ENTITY-MIB::entPhysicalModelName.149
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.10
ENTITY-MIB::entPhysicalSerialNum.10
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.22
ENTITY-MIB::entPhysicalSerialNum.22
+ snmptranslate iso.3.6.1.2.1.47.1.1.1.1.11.149
ENTITY-MIB::entPhysicalSerialNum.149

Regards,
Lee


On 2/27/17, Mike Hammett <cisco-...@ics-il.net> wrote:
> I did an SNMPWalk of two of my Nexus switches looking for what has the model
> and serial numbers. I found several, sometimes with slightly different
> information. The MIBs on Cisco's site don't go down this far either. I was
> wondering if someone could point me as to the differences among them and\or
> which one would be "more standard" across product lines.
>
> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "Nexus 3548 Chassis"
> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "Nexus 3548 Chassis"
> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N3K-C3548P-10GX"
> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N3K-C3548P-10GX"
> iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N3K-C3548P-10GX"
> iso.3.6.1.2.1.47.1.1.1.1.11.10 = STRING: "[redacted]"
> iso.3.6.1.2.1.47.1.1.1.1.11.149 = STRING: "[redacted]"
>
>
>
> iso.3.6.1.2.1.47.1.1.1.1.2.149 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.7.149 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.13.10 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.13.22 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.13.149 = STRING: "N9K-C9396PX"
> iso.3.6.1.2.1.47.1.1.1.1.11.10 = STRING: "[redacted]"
> iso.3.6.1.2.1.47.1.1.1.1.11.22 = STRING: "[redacted]"
> iso.3.6.1.2.1.47.1.1.1.1.11.149 = STRING: "[redacted]"
>
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
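The three Nexus OIDs posts above turn on the same operation: take a numeric OID such as `iso.3.6.1.2.1.47.1.1.1.1.13.149` and resolve it to `ENTITY-MIB::entPhysicalModelName.149`, which `snmptranslate` does by longest-prefix match against the loaded MIBs, and which Lee's awk pipeline pre-computes as a merged name/OID list. The following is an added example that reproduces both steps in code; it is not net-snmp, not Cisco's, and not from the thread. The OID values in the table are real (they are the ones resolved in the posts); the two-column file layout and the module-name map are constructed stand-ins for Cisco's oid files and for the MIB module membership that snmptranslate gets from the MIB sources.

```python
"""Resolve numeric OIDs to MODULE::name.instance by longest known prefix,
and build the merged, sorted name/OID list the thread's awk pipeline produces.

Added example, not net-snmp or Cisco code.  OIDs below are real; the
two-column file layout and MODULE_OF map are constructed stand-ins."""
from typing import Dict, List, Tuple

OidTuple = Tuple[int, ...]

# Two constructed stand-ins for Cisco's per-MIB oid files ("name oid" per line).
OID_FILE_A = """\
sysObjectID 1.3.6.1.2.1.1.2
entPhysicalDescr 1.3.6.1.2.1.47.1.1.1.1.2
entPhysicalName 1.3.6.1.2.1.47.1.1.1.1.7
entPhysicalSerialNum 1.3.6.1.2.1.47.1.1.1.1.11
entPhysicalModelName 1.3.6.1.2.1.47.1.1.1.1.13
"""
OID_FILE_B = """\
cevChassis 1.3.6.1.4.1.9.12.3.1.3
cevChassisN9KC9396PX 1.3.6.1.4.1.9.12.3.1.3.1508
entPhysicalDescr 1.3.6.1.2.1.47.1.1.1.1.2
"""

# Constructed module membership (snmptranslate derives this from the MIB sources).
MODULE_OF = {
    "sysObjectID": "RFC1213-MIB",
    "entPhysicalDescr": "ENTITY-MIB", "entPhysicalName": "ENTITY-MIB",
    "entPhysicalSerialNum": "ENTITY-MIB", "entPhysicalModelName": "ENTITY-MIB",
    "cevChassis": "CISCO-ENTITY-VENDORTYPE-OID-MIB",
    "cevChassisN9KC9396PX": "CISCO-ENTITY-VENDORTYPE-OID-MIB",
}


def parse_oid(text: str) -> OidTuple:
    """'iso.3.6.1.2.1.1.2.0', '.1.3.6.1.2.1.1.2.0' and '1.3.6.1.2.1.1.2.0' all
    become the same tuple of integer arcs (iso is arc 1)."""
    parts = text.strip().lstrip(".").split(".")
    if parts and parts[0] == "iso":
        parts[0] = "1"
    return tuple(int(p) for p in parts)


def merge_tables(*files: str) -> Dict[OidTuple, str]:
    """Union of several 'name oid' files; duplicates across files collapse,
    like `cat * | sort | uniq` in the thread."""
    table: Dict[OidTuple, str] = {}
    for text in files:
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, oid = line.split()[:2]
            table[parse_oid(oid)] = name
    return table


def master_list(table: Dict[OidTuple, str]) -> List[str]:
    """Fixed-width lines like the awk printf, sorted arc by arc (numeric, not textual)."""
    return ["%-50s  %s" % (name, ".".join(map(str, oid)))
            for oid, name in sorted(table.items())]


def translate(oid_text: str, table: Dict[OidTuple, str]) -> str:
    """Longest known prefix wins; remaining arcs become the instance suffix,
    mirroring what snmptranslate prints.  Unknown OIDs come back numeric."""
    arcs = parse_oid(oid_text)
    for cut in range(len(arcs), 0, -1):
        name = table.get(arcs[:cut])
        if name is not None:
            suffix = ".".join(str(a) for a in arcs[cut:])
            qualified = f"{MODULE_OF.get(name, 'UNKNOWN-MIB')}::{name}"
            return qualified + (f".{suffix}" if suffix else "")
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    oids = merge_tables(OID_FILE_A, OID_FILE_B)
    print("\n".join(master_list(oids)))
    for q in ("iso.3.6.1.2.1.1.2.0", "iso.3.6.1.4.1.9.12.3.1.3.1508",
              "iso.3.6.1.2.1.47.1.1.1.1.13.149"):
        print(q, "->", translate(q, oids))
```

Sorting on the integer arcs instead of the text, as the awk version does, keeps `...1.2` before `...1.11`, which matters once the list is used for prefix lookups or diffed between MIB releases.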


Re: [c-nsp] Tabo Topic? Third party Maintenance

2017-01-24 Thread Lee
On 1/24/17, James Bensley <jwbens...@gmail.com> wrote:
> On 24 January 2017 at 10:04,  <adamv0...@netconsultings.com> wrote:
>>> Simon Lockhart
>>> Sent: Tuesday, January 24, 2017 8:09 AM
>>>
>>> On Tue Jan 24, 2017 at 09:02:18AM +0100, Gert Doering wrote:
>>> > On Mon, Jan 23, 2017 at 07:33:08PM -0500, Charles Sprickman via
>> cisco-nsp
>>> wrote:
>>> > > I have to say, I haven't been impressed with their support in a
>>> > > long time.  We have smartnet really just for hardware, and recently
>>> > > I figured that since we have support, I'd actually try and offload
>>> > > a task that I hate - picking a stable version of IOS that has all
>>> > > the security issues resolved.
>>> >
>>> > Bwahahaha.  Sorry.
>>>
>>> We were also told that if we wanted Cisco to do a 'bug scrub', to see if
>> we
>>> would be affected by any known bugs, then they offer this as a
>>> separately
>>> chargeable service. Yes, really, they want us to pay them more money to
>> find
>>> out how buggy their code releases are...
>>>
>> How it works is 
> ...
>> It's a long and tedious process and it costs a small fortune, but I think
>> it's worth it.
>> At least you get a more detailed map of the minefield.
>
> In the case of Cisco a bug scrub comes from Cisco AS. I could have
> bought a house for the amount we spent with AS and not only that, we
> could have just rented all the kit we need, done this ourselves in the
> lab and probably had change for beer at the end.
>
> Also a month or two after our bug scrub was completed the new major
> milestone/stable versions of code for the devices we had tested was
> released (our scrub was finished when "X" was the stable recommend
> version) so we said to our AS engineer "now that X+1 is out, and you
> recommended X, do you think we should go for X" and they obviously
> said "yes".

Interesting..  I'd get an offer for a bug scrub on the new version.

> If you have the resources then I'm not such a fan of this service.

On the other hand, when Cisco does a bug scrub they see _all_ the
bugs, not just the publicly visible ones.  There's been a couple of
times I've gone back & forth with our AS engineer about the details of
some bug that had no public description & a time or two when he
suggested we hold off on an upgrade until after the psirt
announcement.

Regards,
Lee


Re: [c-nsp] Cisco WAAS on DICMOM image transfer - Clarifications and recommendations

2016-12-28 Thread Lee
> a. With compression enabled, this would also improve the transfer time of
> images.

Only if the images aren't already compressed & it seems like they might be:
https://en.wikipedia.org/wiki/DICOM
  Pixel data can be compressed using a variety of standards, including
JPEG, Lossless JPEG, JPEG 2000, and Run-length encoding (RLE).

Regards,
Lee


On 12/27/16, Arun Kumar <narain.a...@gmail.com> wrote:
> Hi Netpros,
>
> We have been doing a POC with one of our healthcare customers who are using
> radiation imaging using DICOM/PACS standards. We are evaluating benefits of
> WAAS with respect to this specific application. Expectations from the
> customer are two-fold:
>
> a. Reduce the transfer time of images between application and endhost
> (radiation device)
>
> b. Optimize WAN bandwidth and perform consistently with varying network
> performance (latency and packet loss)
>
> Referring to this Cisco whitepaper on this topic:
> http://www-v6.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/waasapno...
> <http://www-v6.cisco.com/c/dam/en/us/td/docs/solutions/Verticals/waasapnotes.pdf>
>
> POC is conducted with various features turned on in WAAS - 1. TFO only 2.
> TFO with LZ and LZ 3. TFO with DRE-adaptive
>
> Observations are below:
>
> 1. TFO only - Could not see any benefit compared to without WAAS turn on
>
> 2. TFO and LZ - Could see benefits shown in WAAS CM (18% between original
> and optimized traffic). But there is no improvement on the transfer time.
> Also the peak bandwidth remains the same on the WAN
>
> 3. TFO, DRE adaptive and LZ - See huge benefits due caching - both on
> bandwidth savings and transfer time
>
> Since customer would not typically re-transmit the same images multiple
> times in a day, caching is not applicable to customer network.
>
> Below are the clarifications and recommendations that we seek after the
> POC:
>
> a. With compression enabled, this would also improve the transfer time of
> images. We are not seeing it though. Can this be related to compression and
> decompression time taken by vWAAS which is off-setting the end to end WAN
> latency (50ms). Or any settings to be enabled to see transfer time
> improvements?
>
> b. For TFO to be effective, do we have to increase the buffer size and
> window size?
>
> c. Any recommendations on the WAAS settings specific to DICOM image
> transfer?
>
> Thanks in advance,
>
> Arun
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


Re: [c-nsp] leap sec adjust. may crash linux based platforms

2016-12-22 Thread Lee
On 12/22/16, Roland Dobbins <rdobb...@arbor.net> wrote:
>
> On 21 Dec 2016, at 23:45, Lukas Tribus wrote:
>
>> Some Linux based platforms (IOS-XE, NX-OS) may crash on December 31st
>> 23:59:59 due to the upcoming leap second adjustment.
>
> 'Following a comprehensive review by the Cisco leap second team, we are
> pleased to offer the following information. Our experience of the 2008,
> 2012 and 2015 leap second introductions, combined with our recent
> assessment of potential impacts for our current solutions, suggest that
> the leap second introduction is unlikely to represent a material event
> for Cisco products in our customers’ networks.'
>
> Doesn't quite add up . . . ?

... assessment of potential impacts for our >>current<< solutions
None of the versions listed at
 
http://www.nts.eu/en/networksecurity-en/linux-kernel-crashes-due-leap-second-injection/
are current solutions - correct?

Lee

Re: [c-nsp] IPv6 routing vs IPv4 Nating

2016-08-22 Thread Lee
On 8/22/16, Scott Voll <svoll.v...@gmail.com> wrote:
> I'm not really able to wrap my mind around what best practice would be.
>
> Currently I have two exit points in my network.  BGP / iBGP.  Two Firewalls
> behind those.  Each Firewall has a IPv4 Class C to NAT to.
>
> With publicly Routed IPv6 not nat'ing how do I setup the firewalls / bgp to
> route correctly?  Do I have to leak all IPv6 routes to the internal network
> to make sure the IPv6 address comes back to the correct Firewall?  Also
> thinking about redundancy if one ISP / BGP router / Firewall goes down, I
> need it to dynamically reroute to the other side.  See attached.
>
> Thank for your input. maybe I'm just missing something easy.

Nope - you're not missing anything.  I had the same question:
https://mailman.nanog.org/pipermail/nanog/2012-July/050324.html

I never did get a good answer for how to deal with multiple exits,
stateful firewalls, automatic failover & asymmetric routing on the
list.  What we ended up with was http proxies at each exit doing DLP,
a/v, web reputation filtering, etc.  The Internet traffic came back to
the proxies so everything Just Worked.

Regards,
Lee


[c-nsp] ASA for IPv6

2016-08-20 Thread Michael Lee
Hi,

Currently I have ASA 5580 with IPv4 NAT setup (public IP outside and RFC
1918 inside), I am considering to run IPv6 with Public IPv6 outside and
Public IPv6 inside (routing mode)

Just wondering if there is anything I would need to consider (except CPU,
memory and sessions)

Thanks,

~mike


Re: [c-nsp] 6500/7600 TCAM Usage

2016-06-01 Thread Wayne Lee via cisco-nsp
> In my 5 year old experience, the badness would continue even if you
> removed some routes and TCAM usage dropped to (let's say) 95% again. The
> problem would only be solved by reboot. Is this still the case?


Yup, a reboot is still required to recover.

Re: [c-nsp] ios tcp defaults

2016-04-22 Thread Lee
On 4/22/16, Sebastian Beutel wrote:
> Hi List,
>
> in some kind of spring-cleaning of our configuration collection, I
> encountered some lines that differ from Cisco's defaults in many of our
> switches. The Cisco default for the lines in question is like this:
>
> no ip tcp selective-ack
> no ip tcp path-mtu-discovery
>
> This makes me wonder because I believe that pmtu discovery and selective
> ack
> are good things. Furthermore, in our heritage config defaults selective-ack
> and path-mtu-discovery are explicitly enabled.
>
> The question I'd like to ask is therefore: Does anyone know why Cisco chose
> to disable this by default and am I right that it's safe these days to enable
> it?

My attitude is that every feature enabled = another attack surface
enabled.  So the question is how likely is the attack vs. how much
benefit is the feature.

I don't know what attack[s] enabling selective-ack opens up, but
there's probably something.

Enabling path MTU discovery [used to? still does??] open up the
possibility of an attacker dropping the MTU down to 68 bytes.  On the
other hand, if the do-not-fragment bit is clear (i.e. path MTU
discovery off) you're supposed to assume an MTU of 576 bytes for
off-subnet traffic, so maybe something bad will happen vs. a guaranteed
performance hit with pmtud disabled.

Have a look at
http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20050412-icmp.html

All that said, I like having pmtud & selective ack enabled.  Your
security office might have a different opinion.

Regards,
Lee


Re: [c-nsp] necessity of nowadays

2016-03-23 Thread Lee
On 3/23/16, Sebastian Beutel <sebastian.beu...@rus.uni-stuttgart.de> wrote:
> Hi List,
>
> I've been pondering about the real need for udld nowadays, each time it
> bites me in a case of false positive. At least since we have gigabit SFPs
> it became almost impossible to willfully provoke an unidirectional link:
> the physical port already detects missing light and goes down.
> Moreover, the main use of udld (prevent unidirectional loops in an stp
> topology) has also lost importance since link aggregation has replaced load
> balancing via multiple or per vlan stp topologies.
> That's why I am asking myself whether udld is a residue that nowadays
> causes more harm than it prevents and should therefore not be used anymore.
> At least on gigabit and faster links and if there are no really dumb
> media converters involved.
>
> What do you think?

I had almost the same question
http://puck.nether.net/pipermail/cisco-nsp/2016-January/101487.html
and the same experience of udld shutdowns always being a false
positive on Gb links.

& it is worth your time to take a look at BRKDCT-2333

Regards,
lee


Re: [c-nsp] CVE-2016-1287 and old pix units

2016-02-19 Thread Lee
On 2/19/16, Joe Pruett  wrote:
> i can't find any mention of older pix systems (515 and friends). are they
> too old for cisco to care about? or are they actually not affected? even
> if cisco won't provide a fix, at least knowing if they are vulnerable
> would be nice.
>
> anyone on the list have any knowledge one way or the other?

Too old:
http://www.cisco.com/c/en/us/products/collateral/security/pix-500-series-security-appliances/pix_eos.html

As of July 28, 2008, Cisco PIX Security Appliance platforms/bundles
are no longer being sold. Customers can still purchase accessories and
licenses until January 27, 2009. It is important to note that Cisco
will continue to support Cisco PIX Security Appliance customers
through July 27, 2013.


Re: [c-nsp] loop guard still useful?

2016-01-18 Thread Lee
Thanks for the response.

On 1/18/16, Michele Bergonzoni <berg...@labs.it> wrote:
>>  Using the dispute mechanism included in the IEEE 802.1D-2004 RSTP
>> standard... I'm wondering if there's any reason to keep loop guard
>> configured
>
> I think the dispute mechanism can detect unidirectionality where data out of
> the designated bridge is lost (which is enough to prevent loops), not the
> unidirectionality in the other direction.

Which is my point .. or question - enable RSTP on all the switches in
the network and you don't need loop guard.  Correct?


> So the dispute does half of what UDLD does, if I got it right.
>
> Loop guard is different, it protects only from self-looped ports.

My understanding is that it keeps stp blocked ports blocking if the
other side stops sending BPDUs:

  
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10596-84.html

  The loop guard feature makes additional checks. If BPDUs are not
received on a non-designated port, and loop guard is enabled, that
port is moved into the STP loop-inconsistent blocking state, instead
of the listening / learning / forwarding state. Without the loop guard
feature, the port assumes the designated port role. The port moves to
the STP forwarding state and creates a loop.

and a lot further down

  loop guard does not work on shared links or in situations where the
link has been unidirectional since the link-up.


So it seems like loop guard isn't needed if rstp is enabled.


> I don't
> know if the wording of RSTP are written in a way to protect you from that,
> but I'm sure that the original STP standard was written in such a way that
> any compliant implementation was unable to block the loop caused by a
> self-looped port.

If self-looped means the port sends a frame and then receives the same
frame, you're right, stp doesn't protect you from that.

> Most vendors quietly worked around this, and I don't know if 802.1d
> corrected this error in the previous standard. I know that it is very
> unlikely to find a switch whose STP can't protect you from such a
> situation.
>
> So I bet that if you use RSTP you can disable loopguard, and if you like
> UDLD there is still a reason to use it.

No, I don't like UDLD at all - too many bad experiences with it.  It
was a necessary evil with cat5500s and 100Mb fiber connections, but
you don't need UDLD on 1Gb fiber links.

Thanks,
Lee


Re: [c-nsp] loop guard still useful?

2016-01-18 Thread Lee
On 1/18/16, Saku Ytti <s...@ytti.fi> wrote:
> On 18 January 2016 at 10:57, Michele Bergonzoni <berg...@labs.it> wrote:
>
> Hey,
>
>> So the dispute does half of what UDLD does, if I got it right.
>
> Ethernet with autonegotiation on should detect unidirectional links
> automatically and go down on both ends at RTT/2 delay.

I remember 100Mb fiber connections on cat5500s could have
unidirectional links, but a quick search gives me this

  
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10591-77.html
  Most recently, fiber FastEthernet hardware implementations have Far
End Fault Indication (FEFI) functions in order to bring the link down
on both sides in these situations.

so apparently 100Mb fiber doesn't have that problem any more.  I don't
think 1 or 10Gb fiber ever did..

Lee


Re: [c-nsp] loop guard still useful?

2016-01-18 Thread Lee
On 1/18/16, Saku Ytti <s...@ytti.fi> wrote:
> On 18 January 2016 at 21:22, Lee <ler...@gmail.com> wrote:
>> so apparently 100Mb fiber doesn't have that problem any more.  I don't
>> think 1 or 10Gb fiber ever did..
>
>
> I believe if you implement autonego, you have to implement RFI. But
> I'm not 100% sure about that.
>
> IEEE 802.3 standard isn't exactly the easiest standard to read. But there
> are quite many surprising goodies in autonego which are usually not
> known, not just RFI. Autonego can assert when link is configured
> operationally down, meaning far-end could produce syslog information
> about link going down, because far end was configured down, which
> would help a lot with troubleshooting, when you can know if far-side is
> intentionally down or not.
> My understanding of reading hardware specs is that this feature is
> even supported in typical PHY, however I've NEVER seen software using
> this feature.
>
> I'd love a recommendation on a good, modern book about 802.3, with
> irrelevant bits not addressed, relevant bits discussed and a practical
> view offered on how things are actually implemented in modern, common
> hardware. So far any book I've read does not even discuss autonego in
> satisfactory detail, and I fear what else I am missing due to my
> unwillingness to weed through 802.3.

If you get any off-list replies please post a summary.  I haven't seen
any good books about ethernet in ages, but I haven't really been
looking either.

Lee


Re: [c-nsp] loop guard still useful?

2016-01-18 Thread Lee
On 1/18/16, Michele Bergonzoni <berg...@labs.it> wrote:

>> So it seems like loop guard isn't needed if rstp is enabled.
>
> I have no operational experience with loop guard, but from the description
> it seems to me that in order to trigger it the interface must become
> unidirectional *after* link up.

Right

> Thus, if your Joe Average while
> troubleshooting does a shut/no shut, he actually gets the loop.

I'm not sure about shut/no shut but a reboot after the link goes
unidirectional -- yes, you get a loop.

> So it will protect you on the other unidirectionality side, but not in all
> possible sequences of events.
>
> If you are operating an all-cisco net you might take a look at bridge
> assurance. I have no operational experience with it as well (apart from
> disabling it in the nexus), but looks much more like a bidirectional
> keepalive at the STP layer. It is proprietary and violates the standard as I
> understand it.

Sounds like loop guard except there's now edge, normal and network
port types with network ports going into blocking/inconsistent state
if they don't see BPDUs.   Loop guard puts a port into
blocking/inconsistent state if it _stops_ seeing BPDUs on a port.

>> No, I don't like UDLD at all - too many bad experiences with it
>
> In fact after what Saku said I would consider trusting the layer 1, but I
> usually work in a multivendor environment, YMMV.

Right - it does sound like rstp might be good enuf.

Regards,
Lee


[c-nsp] loop guard still useful?

2016-01-17 Thread Lee
I just saw this bit about RSTP detecting unidirectional links:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/spantree.html#wp1098785

  Detecting Unidirectional Link Failure

  Using the dispute mechanism included in the IEEE 802.1D-2004 RSTP
standard, the switch checks the consistency of the port role and state
in the received BPDUs to detect unidirectional link failures that
could cause bridging loops.

  When a designated port detects a conflict, it keeps its role, but
reverts to a discarding (blocking) state because disrupting
connectivity in case of inconsistency is preferable to opening a
bridging loop.


So I'm wondering if there's any reason to keep loop guard configured
on a switch?
Any current hardware that doesn't support rapidSTP?  Some other reason??

Thanks,
Lee


Re: [c-nsp] OSPF flapping ME3400

2015-12-08 Thread Lee Starnes
Thanks Lukas.

We are running SDM default. The attacks are to IPs that are routed by the
switch but are on the other end of the ethernet link to the client. No
attack on the switch itself. As to TCAM warnings, we would not have any in
the logs at this time. This took place a couple of weeks ago and I was more
interested in blocking the traffic that was causing the problem at the
time. Since the traffic was 800Kpps I suspect it was just too much for the
switch to deal with. I will have to see what shows up in the logs for TCAM
issues and processes next time.

While we have since put rate limits in at all our core routers, I
suspect this will help prevent this from happening as often. Just wondered
if there was a best practice on dampening the flaps should that happen.

show sdm prefer
 The current template is "default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.


Best regards,

-Lee

On Tue, Dec 8, 2015 at 1:56 AM, Lukas Tribus <luky...@hotmail.com> wrote:

> Hi!
>
>
> > Hello everyone,
> >
> > We have some ME3400 switches that are doing OSPF. These work fine and
> have
> > for a couple years now. However, if a link on them (100M) gets hit with a
> > ddos attack, the switch will start OSPF flapping. This in turn causes all
> > the others to do the same. Is there a way to dampen the flapping effect
> so
> > that it does not cause a massive network outage?
>
> Does the DDoS target a customer routed by this ME3400 or does the DDoS
> target the ME3400 itself?
>
> Do you have "show proc cpuc sort" from the DoS and in normal production?
>
>
> Honestly, this sounds like the ME3400 would route in software. Any TCAM
> warnings in the log? Do you use the correct sdm template?
>
> Provide outputs:
> show proc cpuc sort
> show ip route summary
> show log | inc TCAM
> show sdm prefer
>
>
> In case the SDM template is layer 2, switch to "default":
>
>
> http://www.cisco.com/c/en/us/td/docs/switches/metro/me3400/software/release/12-2_55_se/configuration/guide/ME3400_scg/swsdm.html
>
>
>
> Regards,
>
> Lukas
>
>
>
>


[c-nsp] OSPF flapping ME3400

2015-12-07 Thread Lee Starnes
Hello everyone,

We have some ME3400 switches that are doing OSPF. These work fine and have
for a couple of years now. However, if a link on them (100M) gets hit with a
ddos attack, the switch will start OSPF flapping. This in turn causes all
the others to do the same. Is there a way to dampen the flapping effect so
that it does not cause a massive network outage?

Is there a best practice for this?

Any pointers or config best practices would be greatly appreciated.

Thank you.

-Lee


Re: [c-nsp] N5K Auto Qos

2015-10-25 Thread Lee
On 10/25/15, Mohammad Khalil <eng_m...@hotmail.com> wrote:
> Hi all
> I am looking at configuring auto qos voip trust on my switched network.
> My issue is that I have several uplinks (trunks) connected to my N5K box.
> According to what I know the command does not exist on NX-OS, and by
> default Nexus will trust CoS and DSCP values.
> So, if I have configured auto qos voip trust on my IOS switch and left
> the Nexus uplink as it is, will the QoS work?

For various definitions of "work"

Traffic will be treated differently on the IOS boxes with QOS enabled,
there will be no change on the NX-OS boxes but at least the cos/dscp
markings won't be changed so that if/when the traffic gets to another
IOS box your QOS settings will also work there.

Regards,
Lee


Re: [c-nsp] Spanning Tree works great - except when it doesn't

2015-10-17 Thread Lee
On 10/16/15, Jason Lixfeld <ja...@lixfeld.ca> wrote:
> You could use RANCID, or you could use something like Ansible.

Right - I can probably do it with RANCID.  On every switch, collect
the output from
  sh int trunk
  sh cdp nei
and then
  save list of vlans defined (ie. "vlan xxx" or "xxx-yyy" lines) by switch
  for every trunk port flag ports where 'vlans allowed' does not match
'vlans allowed & active'
  save device name, port, vlans allowed, cdp neighbor, cdp neighbor port
  run thru the list of vlans allowed & check every one is defined
  run thru the list of cdp neighbors & flag ports where 'vlans
allowed' != neighbor port 'vlans allowed'

But I was hoping that someone had already written that script :)


>  Bronwyn and
> Matt did a great NetDevOps presentation that described how you could use
> Ansible for things like that in Montreal a couple weeks back.
>
> https://www.youtube.com/watch?v=ArqvSGRzUBw

I managed to watch almost 30 minutes & bailed; for mass updates I tend
to use rancid:

$ cat doit
#!/bin/sh
# apply the same command to a set of devices

cat > ~/cmdList <
>> On Oct 15, 2015, at 8:23 PM, Lee <ler...@gmail.com> wrote:
>>
>>>> The downstream switchport was also configured for native vlan of 999 -
>>>> BUT
>>>> vlan999 was not created in the vlan database so defaulted to ...
>>
>> Does anyone know of a program that will check all of the trunk ports
>> on switches for vlans allowed + vlans allowed and active on both sides
>> of a trunk port?
>>
>> Seems like it shouldn't be all _that_ hard to write, but downloading
>> an already written program is easier still :)
>>
>> Thanks,
>> Lee
>>
>>
>>
>> On 10/15/15, Patrick M. Hausen <hau...@punkt.de> wrote:
>>> Hi, Nick,
>>>
>>>> Am 15.10.2015 um 13:43 schrieb Nick Cutting <ncutt...@edgetg.co.uk>:
>>>> I came across a curly one like this a few months back - turned out the
>>>> STP
>>>> handling of native VLan frames VS a non-created but configured native
>>>> vlan
>>>> on the downstream switch port.
>>>> The downstream switchport was also configured for native vlan of 999 -
>>>> BUT
>>>> vlan999 was not created in the vlan database so defaulted to expecting
>>>> STP
>>>> frames untagged I think - it was something like that.
>>>
>>> You nailed it! for some reason that I now need to investigate
>>> I do not have VLAN 999 in my VLAN database.
>>>
>>> *argh*
>>>
>>> Thanks, everyone.
>>> Patrick
>>> --
>>> punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
>>> Tel. 0721 9109 0 * Fax 0721 9109 100
>>> i...@punkt.de   http://www.punkt.de
>>> Gf: Jürgen Egeling  AG Mannheim 108285
>>>
>>>
>
>

Re: [c-nsp] Spanning Tree works great - except when it doesn't

2015-10-17 Thread Lee
On 10/16/15, Ian Henderson <i...@ianh.net.au> wrote:
> On 16 Oct 2015, at 11:23 AM, Lee <ler...@gmail.com> wrote:
>> Does anyone know of a program that will check all of the trunk ports
>> on switches for vlans allowed + vlans allowed and active on both sides
>> of a trunk port?
>
> Netdisco.

I can't tell from the docs if netdisco will catch the situation where
switch1 is connected to switch2 & they have a mismatched vlans allowed
list.  In other words, can netdisco flag this misconfiguration:

-- switch1
int g0/0
 desc link_to_switch2.g0/0
 switchport trunk allowed vlans 1-9

-- switch2
int g0/0
 desc link_to_switch1.g0/0
 switchport trunk allowed vlans 1


And can Netdisco flag the situation where
>>> I do not have VLAN 999 in my VLAN database.

(earlier context stripped; basically the problem was something like
both switch ports had "switchport trunk allowed vlans 1-9" but one
switch didn't have vlan 9 defined)


Thanks,
Lee
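One way to script the checks Lee listed earlier in this thread (flag trunk ports where 'vlans allowed' differs from 'vlans allowed and active', and ports whose cdp neighbour allows a different list), run over the mismatched switch1/switch2 example above and the missing-vlan-999 case. This is an added example written for this page, not a script from the list; the 'show interfaces trunk' output, the switch names and the link table are constructed sample data.

```python
"""Trunk audit for the two misconfigurations in this thread: a VLAN allowed on a
trunk but missing from the VLAN database (the native vlan 999 case), and the
two ends of a link disagreeing on 'vlans allowed'.  Added example, not a
program from the list; the 'show interfaces trunk' text and link table are
constructed sample data."""
import re

# "show interfaces trunk" section headers -> key stored per port
SECTIONS = {"Vlans allowed on trunk": "allowed",
            "Vlans allowed and active in management domain": "active"}

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-9,20,30-32' into a set of ints."""
    spec = spec.strip().lower()
    if not spec or spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:                   # tolerate a trailing comma on a wrapped line
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """Parse 'show interfaces trunk' into {port: {native, allowed, active}}.
    Long VLAN lists wrap onto indented continuation lines; those are merged."""
    ports, section, port = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"Port\s+(.+)", line)
        if m:                          # section header row
            header = m.group(1).strip()
            section = "header" if header.startswith("Mode") else SECTIONS.get(header)
        elif line[0].isspace():        # wrapped continuation of the previous list
            if port and section in SECTIONS.values():
                ports[port][section] |= expand_vlan_list(line)
        else:
            fields = line.split()
            port = fields[0]
            entry = ports.setdefault(port, {})
            if section == "header":
                entry["native"] = int(fields[-1])   # last column is the native VLAN
            elif section:
                entry[section] = expand_vlan_list(fields[1] if len(fields) > 1 else "")
    return ports

def fmt(vlans):
    return ",".join(str(v) for v in sorted(vlans)) or "-"

def audit_switch(name, ports):
    """Flag VLANs allowed but not active (undefined) and an inactive native VLAN."""
    findings = []
    for port, e in sorted(ports.items()):
        allowed, active, native = e.get("allowed", set()), e.get("active", set()), e.get("native")
        if allowed - active:
            findings.append(f"{name} {port}: allowed but not active: {fmt(allowed - active)}")
        if native is not None and native not in active:
            findings.append(f"{name} {port}: native vlan {native} not in vlan database")
    return findings

def audit_link(a, a_port, a_ports, b, b_port, b_ports):
    """Flag a link (from the cdp neighbour table) whose ends allow different VLANs."""
    va = a_ports.get(a_port, {}).get("allowed", set())
    vb = b_ports.get(b_port, {}).get("allowed", set())
    if va == vb:
        return []
    return [f"{a} {a_port} <-> {b} {b_port}: vlans allowed differ, "
            f"only on {a}: {fmt(va - vb)}, only on {b}: {fmt(vb - va)}"]

# Constructed: switch1 allows 1-9 plus native 999 and defines them all;
# switch2 allows only 1 and 999, and 999 is missing from its vlan database.
SWITCH1_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      999
Port        Vlans allowed on trunk
Gi0/1       1-9,999
Port        Vlans allowed and active in management domain
Gi0/1       1-9,999
"""
SWITCH2_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      999
Port        Vlans allowed on trunk
Gi0/1       1,999
Port        Vlans allowed and active in management domain
Gi0/1       1
"""
LINKS = [("switch1", "Gi0/1", "switch2", "Gi0/1")]   # constructed, as from 'sh cdp nei'

def run_audit(outputs=None, links=LINKS):
    """Parse every switch's output and return all findings as a list of strings."""
    outputs = outputs or {"switch1": SWITCH1_TRUNK, "switch2": SWITCH2_TRUNK}
    parsed = {name: parse_show_trunk(text) for name, text in outputs.items()}
    findings = [f for name, ports in parsed.items() for f in audit_switch(name, ports)]
    for a, ap, b, bp in links:
        findings += audit_link(a, ap, parsed[a], b, bp, parsed[b])
    return findings
```

With RANCID in place the per-switch text would come from the collected `sh int trunk` output and the link table from `sh cdp nei`; the three findings on the sample data are the undefined vlan 999, the inactive native vlan and the allowed-list mismatch.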


Re: [c-nsp] Spanning Tree works great - except when it doesn't

2015-10-15 Thread Lee
>> The downstream switchport was also configured for native vlan of 999 - BUT
>> vlan999 was not created in the vlan database so defaulted to ...

Does anyone know of a program that will check all of the trunk ports
on switches for vlans allowed + vlans allowed and active on both sides
of a trunk port?

Seems like it shouldn't be all _that_ hard to write, but downloading
an already written program is easier still :)

Thanks,
Lee



On 10/15/15, Patrick M. Hausen <hau...@punkt.de> wrote:
> Hi, Nick,
>
>> Am 15.10.2015 um 13:43 schrieb Nick Cutting <ncutt...@edgetg.co.uk>:
>> I came across a curly one like this a few months back - turned out the STP
>> handling of native VLan frames VS a non-created but configured native vlan
>> on the downstream switch port.
>> The downstream switchport was also configured for native vlan of 999 - BUT
>> vlan999 was not created in the vlan database so defaulted to expecting STP
>> frames untagged I think - it was something like that.
>
> You nailed it! for some reason that I now need to investigate
> I do not have VLAN 999 in my VLAN database.
>
> *argh*
>
> Thanks, everyone.
> Patrick
> --
> punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
> Tel. 0721 9109 0 * Fax 0721 9109 100
> i...@punkt.de   http://www.punkt.de
> Gf: Jürgen Egeling  AG Mannheim 108285
>
>

Re: [c-nsp] NTP Setup

2015-03-08 Thread Lee
On 3/8/15, M K gunner_...@live.com wrote:
> Hi
> What is the best setup for NTP to be implemented in a network ? Linux
> server with ntpd package installed and all devices pointing to it ? or a
> core router with public access synchronized with public clock and all
> devices pointing to it ?

You should have at least three NTP servers.   Not sure what core
router with public access means, but I wouldn't want anything outside
my network being able to access a service on a core router.  If you
really want to go that way, I'd suggest using a couple of 7200s that
aren't doing anything else.

I'd say the better setup* would be 3 or 5 servers running ntpd &
getting their clock from GPS or wireless cell phone towers & using
Internet time servers as a backup

Regards,
Lee


* wrt price/performance.  even better would be each ntp server having
its own high quality clock


Re: [c-nsp] SNMP for ip virtual-reassembly

2015-02-07 Thread Lee
On 2/6/15, Brian Christopher Raaen mailing-li...@brianraaen.com wrote:
>
> Does anyone know an OID I can poll to track the ip virtual-reassembly
> counters.

If you mean ip packet reassembly, there's the rfc-1213 mib

  ipReasmReqds OBJECT-TYPE
  SYNTAX  Counter
  ACCESS  read-only
  STATUS  mandatory
  DESCRIPTION
  The number of IP fragments received which needed
  to be reassembled at this entity.
  ::= { ip 14 }

  ipReasmOKs OBJECT-TYPE
  SYNTAX  Counter
  ACCESS  read-only
  STATUS  mandatory
  DESCRIPTION
  The number of IP datagrams successfully re-
  assembled.
  ::= { ip 15 }

  ipReasmFails OBJECT-TYPE
  SYNTAX  Counter
  ACCESS  read-only
  STATUS  mandatory
  DESCRIPTION
  The number of failures detected by the IP re-
  assembly algorithm (for whatever reason: timed
  out, errors, etc).  Note that this is not
  necessarily a count of discarded IP fragments
  since some algorithms (notably the algorithm in
  RFC 815) can lose track of the number of fragments
  by combining them as they are received.
  ::= { ip 16 }

> Also is there a reliable method to determine how much CPU is
> being consumed by this process?

dunno, but since you asked the question on a cisco specific mailing
list, try looking at CISCO-PROCESS-MIB.my

Regards,
Lee


Re: [c-nsp] IOS-XR and PBR

2014-09-11 Thread Lee Starnes
Hi Oliver,

Since we have no default routes and all backbone links are full BGP minus
default route, I am going to assume that the second permit statement won't
work here. Would this just get specified as any since the first entry would
be matched for local netblocks and it would not go further in the ACL?
These special case customers all are fed from a single 6509 to the border
router that contains their one carrier of choice, but that border router
contains several backbone links and each border router also having links to
each other. I suspect that for simplifying this, we can match against
traffic on the link coming from that 6509 to the border router.

Thanks for the pointers.

-Lee

On Wed, Sep 10, 2014 at 11:09 PM, Oliver Boehmer (oboehmer)
oboeh...@cisco.com wrote:

>> I am looking to setup some policy based routing on an IOS-XR router. From
>> what I understand, XR does not have PBR, but ABF. When looking at how ABF
>> works, I don't see how to set a next hop route (only next hop per TCP
>> port).
>
> well, you can direct any traffic matching an ACE (be it layer 3 or 4) to a
> chosen next-hop.
>
>> My question then would be, how does one accomplish this on XR? What
>> I need to do is allow a particular IP block to only have access to one of
>> our backbone carriers and not the others. We have their /24 only announced
>> out the one carrier, but for outbound traffic, I want to make sure their
>> traffic remains on that carrier but also have access to our local routes
>> (all our local customers and local networks). Is this something that can
>> be done with ABF
>
> Yes, it can be done, but possibly a bit more difficult:
>
> ipv4 access-list ABF
>  permit CUST/24 your-own-netblocks
>  permit CUST/24 0.0.0.0/0 next-hop your-upstream-provider
>
> not sure how your topology looks and where you would need to apply this
> forwarding rule, but the next-hop can be directly connected or resolve via
> some form of tunnel (including LDP/LSP).
>
> oli



Re: [c-nsp] IOS-XR and PBR

2014-09-11 Thread Lee Starnes
Looks like I may not have this feature as these are 12410XR chassis. Here
is what I have in our lab environment.

RP/0/9/CPU0:lab-router(config)#ipv4 access-list ABF
RP/0/9/CPU0:lab-router(config-ipv4-acl)#permit ipv4 10.10.10.0/24 172.16.0.0/19
RP/0/9/CPU0:lab-router(config-ipv4-acl)#permit ipv4 10.10.10.0/24 any ?
  dscp           Match packets with given DSCP value
  fragments      Check non-initial fragments
  log            Log matches against this entry
  log-input      Log matches against this entry, including input interface
  packet-length  Check packet length
  precedence     Match packets with given precedence
  <cr>
RP/0/9/CPU0:lab-router(config-ipv4-acl)#permit ipv4 10.10.10.0/24 any

-Lee

On Thu, Sep 11, 2014 at 12:37 AM, Oliver Boehmer (oboehmer)
oboeh...@cisco.com wrote:

>> Since we have no default routes and all backbone links are full BGP minus
>> default route, I am going to assume that the second permit statement
>> won't work here. Would this just get specified as any since the first
>> entry would be matched for local netblocks and
>
> sorry, 0.0.0.0/0 should be any.. so the first line matches traffic to
> your networks (and it just passes through normally and will be forwarded
> according to your RIB/FIB), and the 2nd matches traffic from this customer
> block to anything else, which then will be ABF'ed to your upstream.
>
>> it would not go further in the ACL?
>
> it actually would, so I missed a permit ipv4 any any catch-all at the
> end of the ACL to ensure traffic from other sources is forwarded
> normally.. it is a regular ACL, the ABF directives are just inserted into
> it.
> Need more coffee..
>
>> These special case customers all are fed from a single 6509 to the border
>> router that contains their one carrier of choice, but that border router
>> contains several backbone links and each border router also having links
>> to each other. I suspect that for simplifying this, we can match against
>> traffic on the link coming from that 6509 to the border router.
>
> exactly, that sounds straight-forward, just apply this inbound and you're
> set..
>
> oli
>
>>
>> Thanks for the pointers.
>>
>> -Lee
>>
>> On Wed, Sep 10, 2014 at 11:09 PM, Oliver Boehmer (oboehmer)
>> oboeh...@cisco.com wrote:
>>
>>>> I am looking to setup some policy based routing on an IOS-XR router. From
>>>> what I understand, XR does not have PBR, but ABF. When looking at how ABF
>>>> works, I don't see how to set a next hop route (only next hop per TCP
>>>> port).
>>>
>>> well, you can direct any traffic matching an ACE (be it layer 3 or 4) to a
>>> chosen next-hop.
>>>
>>>> My question then would be, how does one accomplish this on XR? What
>>>> I need to do is allow a particular IP block to only have access to one of
>>>> our backbone carriers and not the others. We have their /24 only
>>>> announced
>>>> out the one carrier, but for outbound traffic, I want to make sure their
>>>> traffic remains on that carrier but also have access to our local routes
>>>> (all our local customers and local networks). Is this something that can
>>>> be
>>>> done with ABF
>>>
>>> Yes, it can be done, but possibly a bit more difficult:
>>>
>>> ipv4 access-list ABF
>>>  permit CUST/24 your-own-netblocks
>>>  permit CUST/24 0.0.0.0/0 next-hop
>>> your-upstream-provider
>>>
>>> not sure how your topology looks and where you would need to apply this
>>> forwarding rule, but the next-hop can be directly connected or resolve via
>>> some form of tunnel (including LDP/LSP).
>>>
>>> oli



[c-nsp] IOS-XR and PBR

2014-09-10 Thread Lee Starnes
Hello,

I am looking to setup some policy based routing on an IOS-XR router. From
what I understand, XR does not have PBR, but ABF. When looking at how ABF
works, I don’t see how to set a next hop route (only next hop per TCP
port). My question then would be, how does one accomplish this on XR? What
I need to do is allow a particular IP block to only have access to one of
our backbone carriers and not the others. We have their /24 only announced
out the one carrier, but for outbound traffic, I want to make sure their
traffic remains on that carrier but also have access to our local routes
(all our local customers and local networks). Is this something that can be
done with ABF or is this something that has to be done with VRF or VRF
lite? If VRF/lite, does anyone have an example config that might be able to
be shared as a starting point? We are running XR 4.3.0.


Thank you for your time.

-Lee

Re: [c-nsp] 7301 - copper vs fibre port throughput

2014-09-01 Thread Lee
On 9/1/14, Tom Storey t...@snnap.net wrote:
>
> The other end was a Cisco 3750 switch. Originally just a straight
> copper patch, but with only 10/100 ports on the 3750 it autoneg'd at
> 100/full on both ends just fine
>
> After moving the ISP link over to fibre, the throughput shot up to
> 500-600mbit (NATed.)

fibre port is 1Gb, right?

Lee



 They are happy with the fibre uplink and will leave it that way. I was
 hoping someone might have been aware of some kind of obvious
 limitation of the copper ports or something.


 On 31 August 2014 22:39, Łukasz Bromirski luk...@bromirski.net wrote:

 On 31 Aug 2014, at 23:00, Tom Storey t...@snnap.net wrote:

 Hi all.

 Been watching a thread on a forum where someone using a 7301 was
 suffering rather lousy speeds through a 7301 when using an onboard
 copper port between him and his ISP - only able to obtain about 25mbit
 or so of throughput (all traffic NATed.)

 After moving the ISP link over to fibre, the throughput shot up to
 500-600mbit (NATed.)

 There's not much room for playing around with the setup at this stage,
 but does anyone have any ideas why this might be so?

 The onboard ports are all gigabit as far as I know, whether or not you
 use copper or fibre, and the copper port auto-negotiated at 100/full
 with the remote device so I can't think of a reason for the disparity.

 And how was the fiber connected on the other end?

 It looks like a problem with the autonegotiation. Or maybe flow
 control - is the remote device using fiber natively and going
 to copper through some intermediate converter? Those can cause
 such problems also.

 We need way more info to get this through troubleshooting. Or maybe
 they should involve TAC?

 --
 There's no sense in being precise when |   Łukasz Bromirski
  you don't know what you're talking |  jid:lbromir...@jabber.org
  about.   John von Neumann |http://lukasz.bromirski.net




Re: [c-nsp] Spantree .1Q packets received on non-trunk port.

2014-08-28 Thread Lee Starnes
Thanks Chris for breaking it down. Makes sense.


On Wed, Aug 27, 2014 at 6:14 AM, Chris Marget ch...@marget.com wrote:

 On Tue, Aug 26, 2014 at 7:32 PM, Lee Starnes lee.t.star...@gmail.com
 wrote:
  they are providing an access port for us.
  This is un-tagged traffic at the remote site
  if I connect a cisco switch to it with the
  port on the cisco configured as an access port, I get the error below.
 
  00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk
  FastEthernet0/3 VLAN638.
  00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on
  VLAN0638. Inconsistent port type.

 untagged != access in Cisco land.

 Cisco switches (at least those running rapid-pvst+) send an extra TLV in
 their spanning tree BPDUs. The TLV indicates the VLAN associated with the
 STP instance.

 The switch configuration probably looks something like:

 interface x/y
  switchport mode trunk
  switchport trunk native vlan 638
  switchport trunk allowed vlan 638

 The configuration you're expecting is:

 interface x/y
  switchport mode access
  switchport access vlan 638

 Transit traffic in vlan 638 is handled identically by both configurations.

 The spanning tree BPDUs are not the same. The first case (untagged traffic
 via native VLAN on a trunk) marks the VLAN number in the extra TLV in the
 BPDU, which will upset Cisco STP speakers which know to interpret it.

 I think the error which results is the one you're seeing.

 /chris



Re: [c-nsp] Spantree .1Q packets received on non-trunk port.

2014-08-28 Thread Lee Starnes
Thanks Mike.

Lot of great information. Thanks for taking the time to post this. Very
helpful.

-Lee


On Tue, Aug 26, 2014 at 10:56 PM, Mike Hale eyeronic.des...@gmail.com
wrote:

 when the handoff is an access port
 Because I don't think it's actually configured as an access port.  The
 behavior of the interface mimics exactly what you had to configure on
 yours...that is, a trunk port with a native VLAN defined.

 If the configuration is what I think it is, the reason the tech's
 equipment functioned the way it did was two fold.  First, the gear
 didn't care about STP packets.  So when configured as an access port,
 the test gear sent untagged packets onto the interface which the
 upstream provider's switch put into VLAN 638 (because their interface
 had 638 configured as a native vlan).  The reason it didn't work when
 configured as a trunk is because the device didn't have the native
 vlan configured.  So it tried to send packets, tagged with VLAN 638;
 this failed because the default behavior on the Cisco gear I've worked
 with is to drop packets that are tagged with the native VLAN.

 Aren't BPDU's normally part of STP's chatter?
 Yes, but in my experience BPDUs are only sent on 'infrastructure'
 ports.  That is, ports that are trunked or have special STP settings
 applied for uplinks.  Access ports die (as the OP experienced) when
 they notice STP packets in order to prevent a loop.


 On Tue, Aug 26, 2014 at 7:55 PM, Brielle Bruns br...@2mbit.com wrote:
  On 8/26/14 7:34 PM, Lee Starnes wrote:
 
  Thanks Mike.
 
  That took care of the problem, but still not sure why I would have to
 set
  the port up as a trunk port when the handoff is an access port. When the
  carrier tested the port, they tested it as an access port and then tried
  to
  test it as a trunk port and their test set failed when in trunk mode.
 Very
  odd.
 
  Anyway, thanks again.
 
 
 
  Aren't BPDU's normally part of STP's chatter?
 
  I get errors like that when my MSTP instance settings are mismatched
 between
  switches.   Perhaps its a mix of issues.
 
 
  --
  Brielle Bruns
  The Summit Open Source Development Group
  http://www.sosdg.org/ http://www.ahbl.org
 



 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



[c-nsp] Spantree .1Q packets received on non-trunk port.

2014-08-26 Thread Lee Starnes
Hello,

Been fighting with a carrier about a problem that we are seeing that I have
not been able to get resolved. They are handing off a Metro-E circuit at
one of our remote sites and they are providing an access port for us.
This is un-tagged traffic at the remote site and tagged at our NNI. I can
plug in a laptop to this port at the remote site and pass traffic all the
way through our NNI. However, if I connect a cisco switch to it with the
port on the cisco configured as an access port, I get the error below.

00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk
FastEthernet0/3 VLAN638.
00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on
VLAN0638. Inconsistent port type.

Now this happens on a Cisco ME3400, a 2950, and a 3750g. Is there something
that I am doing wrong? The config is as follows on the ME and 2950. Swap
out the fastethernet for gigabit.

!
interface fastethernet0/3
switchport mode access
switchport access vlan 638
!
interface vlan 638
ip address 10.20.30.40 255.255.255.0
!
ip default-gateway 10.20.30.1
!

-Lee
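As an added example (not part of the thread, not Cisco code), here is a small Python detector that pulls the two SPANTREE messages quoted above out of raw syslog text, lists the ports STP has blocked for an inconsistent port type, and emits the trunk-with-native-VLAN interface configuration the replies in this thread converge on. The log lines are constructed from the ones in the post, with one unrelated line added so the parser has something to ignore.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample syslog, modelled on the two messages quoted in the post,
# plus one unrelated line the parser must ignore.
SAMPLE_LOG = """\
00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/3 VLAN638.
00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on VLAN0638. Inconsistent port type.
00:07:10: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
"""

RECV_RE = re.compile(
    r"%SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802\.1Q BPDU on non trunk (\S+) VLAN(\d+)\."
)
BLOCK_RE = re.compile(
    r"%SPANTREE-7-BLOCK_PORT_TYPE: Blocking (\S+) on VLAN(\d+)\. Inconsistent port type\."
)


@dataclass(frozen=True)
class PortTypeEvent:
    interface: str
    vlan: int
    blocked: bool  # True for BLOCK_PORT_TYPE, False for the RECV_1Q_NON_TRUNK warning


def parse_spantree_events(log_text: str) -> List[PortTypeEvent]:
    """Extract the two SPANTREE port-type messages from raw syslog text."""
    events: List[PortTypeEvent] = []
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            events.append(PortTypeEvent(m.group(1), int(m.group(2)), False))
            continue
        m = BLOCK_RE.search(line)
        if m:
            events.append(PortTypeEvent(m.group(1), int(m.group(2)), True))
    return events


def blocked_ports(events: List[PortTypeEvent]) -> Dict[str, Set[int]]:
    """Interfaces STP has actually blocked, with the VLANs concerned."""
    result: Dict[str, Set[int]] = {}
    for ev in events:
        if ev.blocked:
            result.setdefault(ev.interface, set()).add(ev.vlan)
    return result


def trunk_native_config(interface: str, vlan: int) -> List[str]:
    """The remediation the thread converges on: treat the handoff as a trunk
    whose native VLAN is the VLAN carried in the peer's PVST+ BPDU TLV."""
    return [
        f"interface {interface}",
        " switchport mode trunk",
        f" switchport trunk native vlan {vlan}",
        f" switchport trunk allowed vlan {vlan}",
    ]


if __name__ == "__main__":
    evs = parse_spantree_events(SAMPLE_LOG)
    for intf, vlans in blocked_ports(evs).items():
        for v in sorted(vlans):
            print(f"{intf}: peer sends PVST+ BPDUs for VLAN {v} on an access port")
            print("\n".join(trunk_native_config(intf, v)))
```

The blocked-port map is what you would feed an alert on: a port that keeps landing in it after you have applied the access configuration is a port whose far end is a trunk with a native VLAN, not the access handoff the carrier described.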


Re: [c-nsp] Spantree .1Q packets received on non-trunk port.

2014-08-26 Thread Lee Starnes
Thanks Mike.

That took care of the problem, but still not sure why I would have to set
the port up as a trunk port when the handoff is an access port. When the
carrier tested the port, they tested it as an access port and then tried to
test it as a trunk port and their test set failed when in trunk mode. Very
odd.

Anyway, thanks again.


On Tue, Aug 26, 2014 at 4:59 PM, Mike Hale eyeronic.des...@gmail.com
wrote:

 Have you tried turning it into a trunk port and defining 638 as the native
 vlan?

 I know it doesn't solve the underlying problem of them not giving you
 an access port, but it should bring up the interface and let traffic
 flow (unless their interface is truly trunked without the native vlan
 config).

 On Tue, Aug 26, 2014 at 4:32 PM, Lee Starnes lee.t.star...@gmail.com
 wrote:
  Hello,
 
  Been fighting with a carrier about a problem that we are seeing that I
 have
  not been able to get resolved. They are handing off a Metro-E circuit at
  one of our remote sites and they are providing an access port for us.
  This is un-tagged traffic at the remote site and tagged at our NNI. I
 can
  plug in a laptop to this port at the remote site and pass traffic all the
  way through our NNI. However, if I connect a cisco switch to it with the
  port on the cisco configured as an access port, I get the error below.
 
  00:06:52: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk
  FastEthernet0/3 VLAN638.
  00:06:52: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/3 on
  VLAN0638. Inconsistent port type.
 
  Now this happens on a Cisco ME3400, a 2950, and a 3750g. Is there
 something
  that I am doing wrong? The config is as follows on the ME and 2950. Swap
  out the fastethernet for gigabit.
 
  !
  interface fastethernet0/3
  switchport mode access
  switchport access vlan 638
  !
  interface vlan 638
  ip address 10.20.30.40 255.255.255.0
  !
  ip default-gateway 10.20.30.1
  !
 
  -Lee



 --
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



Re: [c-nsp] pppoe user tool contribution

2014-07-04 Thread Lee
On 7/4/14, Mike mike-cisconspl...@tiedyenetworks.com wrote:
 Hi,

  I have a helpful script designed for a service provider environment
 which queries a 7200/asr1000 and displays information per session for
 pppoe subscribers including their mac address, and pppoe intermediate
 agent 'circuit-id' and 'remote-id' strings. I am wondering if there is a
 repository somewhere where this kind of stuff would find a welcome home?

do you know about
  http://sourceforge.net/projects/cosi-nms/?source=directory


Re: [c-nsp] ASA5512x VPN route issue

2014-07-02 Thread Lee Starnes
One final reply on this. All works if you setup everything as described in
the link you provided Ulrik. The issue we had was caused by the remote side
of the IPsec tunnel ACL not allowing access for the VPN clients IP block.

Thanks again.

-Lee



On Tue, Jul 1, 2014 at 4:43 PM, Lee Starnes lee.t.star...@gmail.com wrote:

 Thanks Ulrik.

 Confirmed that how that shows to setup is how I have it but still can't
 pass traffic. I suspect the remote office might be filtering it. This was a
 cutover from a Fortinet to an ASA but the other side is still a Fortinet
 when they created the new tunnel. Great link. Thanks for the help.

 -Lee


 On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers ulrik.iv...@excanto.se
 wrote:

 Hi,

 Two things to check:

 1. Make sure you have the following in the config:
 same-security-traffic permit intra-interface

 2. Make sure you have the NAT rules configured correctly so that the
 traffic between the VPN clients and the remote LAN is NOT translated (or, in
 fact, is NAT:ed to itself). Also, the order of the NAT rules is
 important.

 Here's a pretty good writeup:
 http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/

 /Ulrik

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Lee Starnes
 Sent: den 30 juni 2014 23:23
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] ASA5512x VPN route issue

 Hello,

 We just setup a new ASA 5512x running v9.1(2). We have about 30 remote
 Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able
 to get all the VPN connections up and passing traffic such that remote VPNs
 can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, the VPNs
 can get Internet access via NAT. The one thing we can't seem to get working
 is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these
 IP blocks. Doing a packet-tracer, it hangs on the following.

 Phase: 7
 Type: WEBVPN-SVC
 Subtype: in
 Result: DROP
 Config:
 Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
 hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
 protocol=0
 src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=any

 Result:
 input-interface: outside
 input-status: up
 input-line-status: up
 output-interface: inside
 output-status: up
 output-line-status: up
 Action: drop
 Drop-reason: (acl-drop) Flow is denied by configured rule


 VPN clients are in 192.168.95.0/24
 LAN is on 10.158.95.0/24
 REMOTE LAN is on 10.158.58.0/24

 VPN clients are setup to tunnel all traffic.

 Any idea where to look to resolve this one issue?


 -Lee



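The two checks Ulrik lists and the cause Lee finally found (the remote end's tunnel ACL not covering the VPN client block) can both be verified mechanically before opening a TAC case. The Python below is an added example, not code from the thread or from Cisco; it parses crypto ACLs written in ASA `permit ip` syntax, reports local selectors the far end has not mirrored, and walks an ordered NAT table to confirm the VPN-pool-to-remote-LAN flow hits an identity rule before the Internet PAT rule. The address blocks are the ones given in the thread; the remote office's ACL is constructed in ASA syntax for comparison (it was a Fortinet), and 203.0.113.1 is a placeholder outside address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One crypto-ACL entry: traffic from src to dst is interesting for the tunnel."""
    src: Net
    dst: Net


def parse_crypto_acl(text: str) -> List[Selector]:
    """Parse 'permit ip <src> <src-mask> <dst> <dst-mask>' lines (ASA crypto ACL style)."""
    selectors: List[Selector] = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported crypto ACL line: {raw!r}")
        selectors.append(Selector(Net(f"{parts[2]}/{parts[3]}"), Net(f"{parts[4]}/{parts[5]}")))
    return selectors


def unmirrored(local: List[Selector], remote: List[Selector]) -> List[Selector]:
    """Local selectors the remote peer has not mirrored (src/dst swapped).
    IKEv1 LAN-to-LAN on the ASA needs an exact mirror image on the peer; a
    missing mirror means the far end never puts that traffic into the tunnel."""
    mirrors = {Selector(s.dst, s.src) for s in remote}
    return [s for s in local if s not in mirrors]


@dataclass(frozen=True)
class NatRule:
    src: Net
    dst: Net
    translated_src: Optional[Net]  # None = identity NAT (source left untouched)


def first_match(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[Tuple[int, NatRule]]:
    """ASA NAT is first-match in table order: return (index, rule) of the winner."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, rule in enumerate(rules):
        if s in rule.src and d in rule.dst:
            return idx, rule
    return None


def is_exempt(rules: List[NatRule], src_ip: str, dst_ip: str) -> bool:
    """True when the flow hits an identity rule before any translating rule."""
    hit = first_match(rules, src_ip, dst_ip)
    return hit is not None and hit[1].translated_src is None


# Constructed data using the address blocks from the thread.
VPN_POOL = Net("192.168.95.0/24")
LOCAL_LAN = Net("10.158.95.0/24")
REMOTE_LAN = Net("10.158.58.0/24")
ANY = Net("0.0.0.0/0")
OUTSIDE_PAT = Net("203.0.113.1/32")  # placeholder outside address (TEST-NET-3)

ASA_CRYPTO_ACL = """
permit ip 10.158.95.0 255.255.255.0 10.158.58.0 255.255.255.0
permit ip 192.168.95.0 255.255.255.0 10.158.58.0 255.255.255.0
"""
# What the remote office had (constructed, in ASA syntax): the VPN pool line is missing.
REMOTE_CRYPTO_ACL = """
permit ip 10.158.58.0 255.255.255.0 10.158.95.0 255.255.255.0
"""

NAT_CORRECT_ORDER = [
    NatRule(VPN_POOL, REMOTE_LAN, None),   # identity rules first
    NatRule(LOCAL_LAN, REMOTE_LAN, None),
    NatRule(ANY, ANY, OUTSIDE_PAT),        # Internet PAT last
]
# Same rules with the PAT rule on top: VPN traffic to the remote LAN gets translated.
NAT_WRONG_ORDER = [NAT_CORRECT_ORDER[2]] + NAT_CORRECT_ORDER[:2]

if __name__ == "__main__":
    for sel in unmirrored(parse_crypto_acl(ASA_CRYPTO_ACL), parse_crypto_acl(REMOTE_CRYPTO_ACL)):
        print(f"peer has no mirror for {sel.src} -> {sel.dst}")
    for name, table in (("correct", NAT_CORRECT_ORDER), ("wrong", NAT_WRONG_ORDER)):
        print(f"{name} order: VPN client exempt from NAT = {is_exempt(table, '192.168.95.7', '10.158.58.10')}")
```

Run against the constructed data it reports exactly the symptom in the thread: the 192.168.95.0/24 to 10.158.58.0/24 selector has no mirror on the far end, while the NAT check passes or fails purely on rule order.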


Re: [c-nsp] ASA5512x VPN route issue

2014-07-01 Thread Lee Starnes
Thanks Ulrik.

Confirmed that how that shows to setup is how I have it but still can't
pass traffic. I suspect the remote office might be filtering it. This was a
cutover from a Fortinet to an ASA but the other side is still a Fortinet
when they created the new tunnel. Great link. Thanks for the help.

-Lee


On Tue, Jul 1, 2014 at 12:58 AM, Ulrik Ivers ulrik.iv...@excanto.se wrote:

 Hi,

 Two things to check:

 1. Make sure you have the following in the config:
 same-security-traffic permit intra-interface

 2. Make sure you have the NAT rules configured correctly so that the
 traffic between the VPN clients and the remote LAN is NOT translated (or, in
 fact, is NAT:ed to itself). Also, the order of the NAT rules is
 important.

 Here's a pretty good writeup:
 http://packetpushers.net/cisco-asa-8-38-4-hairpinning-nat-configuration/

 /Ulrik

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Lee Starnes
 Sent: den 30 juni 2014 23:23
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] ASA5512x VPN route issue

 Hello,

 We just setup a new ASA 5512x running v9.1(2). We have about 30 remote
 Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able
 to get all the VPN connections up and passing traffic such that remote VPNs
 can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, the VPNs
 can get Internet access via NAT. The one thing we can't seem to get working
 is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these
 IP blocks. Doing a packet-tracer, it hangs on the following.

 Phase: 7
 Type: WEBVPN-SVC
 Subtype: in
 Result: DROP
 Config:
 Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
 hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
 protocol=0
 src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
 input_ifc=outside, output_ifc=any

 Result:
 input-interface: outside
 input-status: up
 input-line-status: up
 output-interface: inside
 output-status: up
 output-line-status: up
 Action: drop
 Drop-reason: (acl-drop) Flow is denied by configured rule


 VPN clients are in 192.168.95.0/24
 LAN is on 10.158.95.0/24
 REMOTE LAN is on 10.158.58.0/24

 VPN clients are setup to tunnel all traffic.

 Any idea where to look to resolve this one issue?


 -Lee



[c-nsp] ASA5512x VPN route issue

2014-06-30 Thread Lee Starnes
Hello,

We just setup a new ASA 5512x running v9.1(2). We have about 30 remote
Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able
to get all the VPN connections up and passing traffic such that remote VPNs
can reach the LOCAL LAN, the LOCAL LAN can reach the REMOTE LAN, the VPNs
can get Internet access via NAT. The one thing we can't seem to get working
is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these
IP blocks. Doing a packet-tracer, it hangs on the following.

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
protocol=0
src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


VPN clients are in 192.168.95.0/24
LAN is on 10.158.95.0/24
REMOTE LAN is on 10.158.58.0/24

VPN clients are setup to tunnel all traffic.

Any idea where to look to resolve this one issue?


-Lee


[c-nsp] Cisco model recommendation

2014-06-17 Thread Lee Starnes
Hello everyone,

I am in the need of a recommendation for a Cisco switch that is Layer 2/3,
1U, AC powered and has the same rate limit capability as the ME3400 series
has and has 48 ports of 10/100/1000. Does anyone have any experience with a
model that would best fit this need? These would not be deployed in remote
sites as CPE devices like the ME switches. I just need the ability to do
rate limiting and policing of traffic in several office departments.

I was looking at the 3650 series, but not sure if this has the same ability
to rate limit as the ME switches have.

Any advice or input would be greatly appreciated.

Best.

-Lee


[c-nsp] MTU packet loss problem 12410 XR and 6509

2014-05-20 Thread Lee Starnes
Hello everyone,

A strange MTU issue has popped up and for the life of me I am unable to
figure out why. This seems to only affect one Metro-E carrier and only when
the traffic passes between the 6500 and the 12410.

ME Carrier A --- 10G 6509 bundle-ether1(4G)---12410A
ME Carrier B ---/ \-bundle-ether2(4G)---12410B
ME Carrier C --/

Traffic that passes from either 12410 to customer links on ME carrier A are
seeing MTU issues and packet loss. Traffic across those same links for
carriers B and C have no issue. To test this, we can ping from the
12410 to a site on ME carrier A with 1500byte packet size and get packet
loss. The same test to clients on ME carrier B and C have no issues. Now,
since no changes were made on our end and the carrier states no changes
were made on their end, we are at a standstill.

However, I did see that the MTU size on the 12410s is by default 1514 and
the MTU on the 6500 is 1500. Changing this to match 1500 on both sides
causes no traffic to pass. I'm not sure why both sides of the bundle-ether
interfaces matching MTU causes 100% packet loss.

Anybody have any ideas on why matching MTU size would cause no traffic to
pass? Ultimately the carrier will need to fix their issue, but I would like
to understand why this problem of matched MTU sizes causes no traffic.

Thanks.

-Lee


Re: [c-nsp] Peering between route reflectors

2014-04-07 Thread Lee Clark
Cydon,

Your RRs should (must?) be fully meshed to meet IBGP requirements. The full 
mesh requirement is relaxed toward clients.
I believe the current best practice is assigning each RR its own cluster ID and 
having each client router peered with at least two RRs for redundancy. This set 
up results in the clients receiving two (or more) copies of the same route, 
something to keep in mind if your clients are carrying full Internet routes.

Depending on the size and configuration of your network a scenario like this 
might apply:

RR1/RR2 are assigned unique cluster IDs and are fully meshed.
Client A is peered RR1 and client B is peered with RR2.
RR1 and RR2 must be peered with one another (as non-clients) to exchange routes 
learned from clients A and B.
RR1 will reflect the routes from client B to client A.
RR2 will reflect the routes from client A to client B.

Without the RR/RR peering there is no way to propagate routes between clients A 
and B.
Peering both clients to both RRs would solve the problem but is not 
scalable in a large network where there are many RRs and significant # of 
clients.

As always, ymmv.

Lee

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Cydon 
Satyr
Sent: Monday, April 07, 2014 1:02 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Peering between route reflectors

Guys,
Could you help me clear this out.

Basically, if there are multiple route reflectors NOT in the forwarding path of 
the traffic, is there ANY reason to peer between them? I don't see a reason why 
they should peer, but I'd like to get this confirmed.

Also, if they are NOT in the forwarding path, regardless of whether they are 
peering between themselves or not, it shouldn't matter if they are all in the 
same CLUSTER, correct ?

I know the questions might look simple to you but I've seen designs where the 
questions pop out, and I'd like to be sure about this.

regards

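Lee's RR1/RR2 walkthrough, Cydon's question about putting all reflectors in one cluster, and Mark's two-reflectors-per-client design can all be checked with a small model of the RFC 4456 reflection rules. The Python below is an added example, not from the thread or any vendor: it floods one route from a client and applies the three rules that matter here (a route from a client is reflected to every other session, a route from a non-client only to clients, and a reflector drops a route whose CLUSTER_LIST already carries its own CLUSTER_ID). Router names, cluster IDs and the "first copy received wins" best-path simplification are the example's own assumptions.

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Topology:
    """iBGP speakers and sessions. cluster_id is set only on route reflectors.
    sessions[a][b] is the role of b as seen from a: "client" or "nonclient"."""
    cluster_id: Dict[str, Optional[str]] = field(default_factory=dict)
    sessions: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def add(self, name: str, cluster_id: Optional[str] = None) -> None:
        self.cluster_id[name] = cluster_id
        self.sessions.setdefault(name, {})

    def add_client(self, rr: str, client: str) -> None:
        self.sessions[rr][client] = "client"
        self.sessions[client][rr] = "nonclient"  # a client just sees an iBGP peer

    def add_peer(self, a: str, b: str) -> None:
        self.sessions[a][b] = "nonclient"
        self.sessions[b][a] = "nonclient"


@dataclass
class Result:
    reached: Dict[str, Tuple[str, ...]]  # router -> CLUSTER_LIST of the copy it kept
    copies: Counter                      # router -> number of copies delivered


def propagate(topo: Topology, origin: str) -> Result:
    """Flood one route from `origin` with RFC 4456 reflection rules. Best-path
    selection is simplified to "first copy received wins" (BFS order, so the
    copy with the shortest CLUSTER_LIST); later copies are counted, not re-sent."""
    reached: Dict[str, Tuple[str, ...]] = {origin: ()}
    copies: Counter = Counter()
    queue = deque((origin, nbr, ()) for nbr in topo.sessions[origin])
    while queue:
        sender, rcv, clist = queue.popleft()
        cid = topo.cluster_id[rcv]
        if cid is not None and cid in clist:
            continue                      # own CLUSTER_ID already present: loop, drop
        copies[rcv] += 1
        if rcv in reached:
            continue                      # duplicate copy, not propagated
        reached[rcv] = clist
        if cid is None:
            continue                      # plain iBGP speaker never re-advertises iBGP
        from_client = topo.sessions[rcv][sender] == "client"
        new_clist = (cid,) + clist        # reflector prepends its CLUSTER_ID
        for nxt, role in topo.sessions[rcv].items():
            if nxt != sender and (from_client or role == "client"):
                queue.append((rcv, nxt, new_clist))
    return Result(reached, copies)


def single_homed(peer_rrs: bool, same_cluster: bool = False) -> Topology:
    """Lee's example: A is a client of RR1 only, B of RR2 only."""
    t = Topology()
    t.add("RR1", "1.1.1.1")
    t.add("RR2", "1.1.1.1" if same_cluster else "2.2.2.2")
    t.add("A")
    t.add("B")
    t.add_client("RR1", "A")
    t.add_client("RR2", "B")
    if peer_rrs:
        t.add_peer("RR1", "RR2")
    return t


def dual_homed() -> Topology:
    """Mark's design: every client peers with both reflectors, RRs meshed."""
    t = single_homed(peer_rrs=True)
    t.add_client("RR1", "B")
    t.add_client("RR2", "A")
    return t


if __name__ == "__main__":
    for label, topo in (("no RR peering", single_homed(False)),
                        ("RR peering", single_homed(True)),
                        ("RR peering, same cluster", single_homed(True, same_cluster=True)),
                        ("dual-homed clients", dual_homed())):
        r = propagate(topo, "A")
        print(f"{label}: B learns route = {'B' in r.reached}, copies at B = {r.copies['B']}")
```

Two things fall out of the runs: without the RR1-RR2 session B never learns A's route, and if the two reflectors share a cluster ID the session does not help either, because RR2 discards the route on seeing its own cluster ID in the list, which is why the same-cluster design only works when every client peers with every reflector in that cluster. In the dual-homed design B receives two copies, the point Lee raises about clients carrying full tables.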


Re: [c-nsp] Peering between route reflectors

2014-04-07 Thread Lee Clark
For sure, minimum 2 sessions to 2 different RRs per client. I may have 
over-simplified the example to show why the IBGP session between RRs is needed. 
A more realistic example would have been 10 RRs, 100s of clients. In that case 
peering each client with all 10 RRs in the absence of an RR full mesh wouldn't 
be scalable.

Lee

-Original Message-
From: Mark Tinka [mailto:mark.ti...@seacom.mu] 
Sent: Monday, April 07, 2014 1:54 PM
To: cisco-nsp@puck.nether.net
Cc: Lee Clark; Cydon Satyr
Subject: Re: [c-nsp] Peering between route reflectors

On Monday, April 07, 2014 09:43:05 PM Lee Clark wrote:

 Without the RR/RR peering there is no way to propagate routes between 
 clients A and B. Peering both clients to both RRs that would solve the 
 problem but is not scalable in a large network where there are many 
 RRs and significant # of clients.

Agree that having 2x iBGP sessions per client scales poorer than one, but it 
scales better than a full mesh between routers, which is the problem route 
reflectors solve.

As you rightly point out, YMMV, but from where I'm standing, 2x iBGP sessions 
per client to 2x different route reflectors is fine for us. It's a reasonable 
compromise between redundancy and administration.

Mar.



Re: [c-nsp] Peering between route reflectors

2014-04-07 Thread Lee Clark
 What about building RR trees...
 Parent RRs serving some child RRs?
 I think I heard something like this sometime...

Hierarchical route reflection may be what you're thinking of. A top level of 
fully meshed RRs with a second tier of RR clients which act as RRs to another 
subset of clients.

Gert's got it, a network with a massive # of clients may justify hierarchical 
RRs although the design might be a throwback to the days of small boxes with 
minimal memory. Today's control plane only systems can scale to hundreds if not 
thousands of clients. Hierarchy might be useful if the second tier RRs are in 
the forwarding path and need to conserve resources for something other than BGP.

Just curious, anyone out there using hierarchical RRs?

Lee



Re: [c-nsp] RAM thing

2014-02-17 Thread Lee
On 2/17/14, Saku Ytti s...@ytti.fi wrote:
 On (2014-02-17 12:24 +), Phil Mayers wrote:

 So nothing has changed except we know about it. For anyone who
 assumed devices could fail at any time, this isn't *that* worrying.
 For anyone who assumed devices would run forever, this should be a
 wake-up call - it was never true, and will likely never be so ;o)

 Should we expect devices to be build so that broken memory is detected and
 reported to operator? Or is it OK that broken memory is undetected and
 mangles
 packets without us being aware?

The impression I got was that the memory doesn't die until the device
is power cycled.
Is that incorrect?

Lee


Re: [c-nsp] GSR 12410XR SmartNet contracts

2013-12-23 Thread Lee Starnes
Thanks Everyone.

Now the real challenge. Cards SPA-1X10GE-WL-V2 are listed as supported on
the 12000 XR series chassis but require version 4.3.0 or later. I can find
no such version on CCO. Did Cisco release a card with no OS to support it
or am I just looking in the wrong place? The last version I see that is a
full version is 4.2.3. The SMUs seem to be WAY too small for an upgrade as
they are 0.17M in size. Anyone got an idea where to look?

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/XR12000/12ovspa.html
shows in table 2-1 that this card is supported on this chassis under a
minimum IOS XR release of 4.3.0.

Best.

Lee



On Thu, Dec 19, 2013 at 5:56 PM, Xuhu jstuxuhu0...@gmail.com wrote:

 Since u had spare hardware already, just get the new OS and upgrade it
 yourself, done.

 Br,

 On 20 Dec, 2013, at 3:38 am, Lee Starnes lee.t.star...@gmail.com wrote:

 Hello everyone,

 I am looking to get a SmartNet contract on our GSR 12410XR routers and am
 having a VERY hard time finding anyone that can come up with the SKU for
 it. I need to be able to upgrade our IOS-XR software but can't until I have
 the contract.

 Does anyone have the SKU for it or know where I can get this from a known
 good Cisco vendor?

 Thanks,

 Lee



[c-nsp] GSR 12410XR SmartNet contracts

2013-12-19 Thread Lee Starnes
Hello everyone,

I am looking to get a SmartNet contract on our GSR 12410XR routers and am
having a VERY hard time finding anyone that can come up with the SKU for
it. I need to be able to upgrade our IOS-XR software but can't until I have
the contract.

Does anyone have the SKU for it or know where I can get this from a known
good Cisco vendor?

Thanks,

Lee


Re: [c-nsp] GSR 12410XR SmartNet contracts

2013-12-19 Thread Lee Starnes
Hi Nathaniel,

Basic 8x5NBD is fine. One year. The only thing we need it for is software
updates. We keep spares on hand so slow replacement of hardware is not
critical for us.

Thanks,

Lee


On Thu, Dec 19, 2013 at 12:11 PM, Nathaniel Bernadeau 
nbernad...@gallantsys.com wrote:

 Which kind?  8X5NBD, 24X7. 1yr 3yr? We are Cisco authorized resellers.  I
 can check for you.

 regards,


 Nathaniel Bernadeau
 Gallant Systems,  LLC
 11064 Livingston RD Suite 106-C
 Fort Washington, MD 20744
 Ph: 301-627-6358
 Fax: 240-823-6897
 Cell: 202-246-2229
 nbernad...@gallantsys.com
 www.gallantsys.com


 On 12/19/2013 2:38 PM, Lee Starnes wrote:

 Hello everyone,

 I am looking to get a SmartNet contract on our GSR 12410XR routers and am
 having a VERY hard time finding anyone that can come up with the SKU for
 it. I need to be able to upgrade our IOS-XR software but can't until I
 have
 the contract.

 Does anyone have the SKU for it or know where I can get this from a known
 good Cisco vendor?

 Thanks,

 Lee







[c-nsp] N5500 v6.x orphan ports one-arm traffic

2013-10-10 Thread Lee Q
Somewhere I heard that version 6.x NX-OS improved handling of orphan 
ports in the N5500 series. But the peer link still drops non-IGMP 
transit traffic.  Any improvements in v6.x with respect to supporting 
one-armed devices upstream or downstream?


Also are there any caveats for creating a dedicated non-vpc trunk (with 
STP of course) between two Nexus 5500 to pass one-armed traffic?


Lee



Re: [c-nsp] reload command doesn't check command line parameters

2013-10-07 Thread Lee
On 10/7/13, Pete Lumbis alum...@gmail.com wrote:
 The other options besides in include LINE or what should we put in the
 syslog as to why the reload is occurring. This means it will pick up
 anything that isn't already a keyword (for example in provides an option,
 int is a reason).


 If we fix the behavior what does the fix look like?

reload now [LINE]

Regards,
Lee


 Do we not allow any
 reason that starts with i(in) c (cancel) or a(at)? But then what if
 you want a reload reason of reload installing new software? Should this
 be blocked?


 On Mon, Oct 7, 2013 at 6:56 AM, Luis Miguel Cruz Miranda
 luis...@imasd.netwrote:

 Hi all,

 I am not sure if this this an IOS version related issue.
 The issue is...
 - reload in X schedules a reload in X minutes (that is the correct
 behaviour)
 - reload intasdajxjxhaajsa X just goes ahead with an immediate reload,
 it is the same as reload command.

 It shouldn't be a problem since there are some confirmations but... I
 just did reload int 10 and pushed enter few times thinking the command
 was right... :-( imagine...

 Saw in...
 c3825-spservicesk9-mz.124-24.T5.bin
 c2600-advsecurityk9-mz.124-15.T13.bin

 Does anyone know if this was fixed or the expected behaviour?
 I think IOS CLI should complain about it as it does with other commands.

 Luis
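The 'reload int 10' slip Luis describes is exactly the kind of thing a pre-flight check in whatever tooling pushes commands at devices can catch. The Python below is an added example written for this page, not Cisco code and not something any participant posted. It classifies a reload command using the argument handling the thread reports ('in', 'at' and 'cancel' are keywords; anything else in that position becomes the free-text LINE reason and the reload is immediate) and refuses an immediate reload whose "reason" is a non-keyword followed by a time. The keyword list, the accepted time formats and all function names are assumptions; 'reload installing new software', the case Pete raises, is left alone because nothing that looks like a time follows the first word.

```python
"""Pre-flight check for the IOS 'reload' pitfall discussed in this thread.

Added example, not Cisco code. It models the argument handling the thread
describes: 'in', 'at' and 'cancel' are keywords, and anything else in the
first position is taken as the free-text LINE reason, so 'reload int 10'
reloads immediately. The keyword list and the accepted time formats are
assumptions drawn from the thread, not a full grammar of the IOS command."""
import re
from typing import NamedTuple, Optional, Tuple

KEYWORDS = ("in", "at", "cancel")
TIME_ARG = re.compile(r"^\d{1,4}$|^\d{1,2}:\d{2}$")  # minutes or hh:mm (assumed)


class ReloadIntent(NamedTuple):
    kind: str               # "scheduled", "cancel" or "immediate"
    when: Optional[str]     # e.g. "in 10" or "at 02:00" for scheduled reloads
    reason: Optional[str]   # free-text LINE reason, if any


def parse_reload(cmd: str) -> ReloadIntent:
    """Classify a reload command the way the thread reports IOS does."""
    tokens = cmd.strip().split()
    if not tokens or tokens[0] != "reload":
        raise ValueError("not a reload command")
    args = tokens[1:]
    if not args:
        return ReloadIntent("immediate", None, None)
    if args[0] == "cancel":
        return ReloadIntent("cancel", None, None)
    if args[0] in ("in", "at"):
        if len(args) < 2:
            raise ValueError(f"'reload {args[0]}' requires a time")
        return ReloadIntent("scheduled", f"{args[0]} {args[1]}", " ".join(args[2:]) or None)
    # Not an exact keyword: IOS takes the whole remainder as the LINE reason
    # and reloads right away.
    return ReloadIntent("immediate", None, " ".join(args))


def looks_like_mistyped_keyword(reason: str) -> bool:
    """A reason whose first word is not a keyword but is followed by a time
    ('int 10', 'a 5') is almost certainly a typo for 'in 10' / 'at 5'.
    A reason such as 'installing new software' has no time after the first
    word and is left alone, which is the objection raised in the thread."""
    words = reason.split()
    if len(words) < 2 or not TIME_ARG.match(words[1]):
        return False
    first = words[0]
    return first not in KEYWORDS and first[0] in {k[0] for k in KEYWORDS}


def check_reload(cmd: str) -> Tuple[bool, str]:
    """Gate a reload before an automation tool sends it; returns (allowed, why)."""
    intent = parse_reload(cmd)
    if intent.kind == "immediate" and intent.reason and looks_like_mistyped_keyword(intent.reason):
        return False, f"refused: {intent.reason!r} would reload NOW; did you mean 'reload in ...'?"
    if intent.kind == "scheduled":
        return True, f"scheduled: reload {intent.when}"
    if intent.kind == "immediate":
        return True, "immediate reload" + (f", reason {intent.reason!r}" if intent.reason else "")
    return True, "cancel pending reload"


if __name__ == "__main__":
    for cmd in ("reload in 10", "reload int 10", "reload installing new software", "reload cancel"):
        print(f"{cmd!r:40} -> {check_reload(cmd)}")
```

The guard only protects commands that go through the tool; at an interactive prompt the confirmation dialog Luis mentions is still the last line of defence.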


Re: [c-nsp] switching of monitored traffic

2013-09-29 Thread Lee
On 9/29/13, Ben Hammadi, Kayssar (NSN - TN/Tunis)
kayssar.ben_hamm...@nsn.com wrote:
 Hi lee,

  Even for egress-only SPAN, 6509 accepts only two sessions, not 14:


 TSA3-PACOSWB9002(config)#monitor session 1 source vlan 1346 tx
 TSA3-PACOSWB9002(config)#monitor session 2 source vlan 1347 tx
 TSA3-PACOSWB9002(config)#monitor session 3 source vlan 3836 tx
 % Local Egress Session limit has been exceeded

Like I said, I've never tried it, but it looks like you missed a step.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1089465

Router(config)# monitor session local_SPAN_session_number type [local
| local-tx]

•  Enter the local-tx keyword to configure egress-only SPAN sessions.


 My version is 12.2 SXI8 !

I'm guessing it's 12.2(33)SXI8.  The output from show version would
say for sure..

And unrelated to span -
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/caveats_SXI_rebuilds.html
shows there's a 12.2(33)SXI8 and 12.2(33)SXI8a

Usually a rebuild fixes a serious problem.  I'd suggest at least
checking out the release notes for 12.2(33)SXI8a

Regards,
Lee



Re: [c-nsp] switching of monitored traffic

2013-09-28 Thread Lee
On 9/28/13, Ben Hammadi, Kayssar (NSN - TN/Tunis)
kayssar.ben_hamm...@nsn.com wrote:
 Thanks Pavel ,

 We are thinking about this solution to be able to monitor the traffic
 again with more granularity on Switch B since Switch A is 6509 and has a
 max of 2 monitor sessions. Are you aware of any Cisco platform that doesn't
 have the limitation of two SPAN sessions?

6500s allow up to 14 egress-only span sessions:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html#wp1110714

I've never tried it and there look to be lots 'o caveats, so dunno if it
will meet your needs or no.

And I haven't looked at the documentation in ages -- I don't remember
this caveat:

Use SPAN for troubleshooting. Except in carefully planned topologies,
SPAN consumes too many switch and network resources to enable
permanently.


wrt
 Does Switch B treat this traffic as normal traffic

pay attention to the note about replicated traffic:
  SPAN copies Layer 2 Ethernet frames, but SPAN does not copy source
trunk port ISL or 802.1Q tags. You can configure destinations as
trunks to send locally tagged traffic to the traffic analyzer.


SPAN has the charming property of being free, but it comes with
caveats.  There are situations where it's worth paying for a tap and
seeing exactly what's on the wire (fiber :)

Regards,
Lee



 Br.

 BEN HAMMADI Kayssar

 NOKIA SIEMENS NETWORKS
 Lead Engineer -BroadBand Connectivity
 JNCIE-M (#471), JNCIE-SP (#1147), CCIP
 Mobile : +216 29 349 952  /  +216 98 349 952
 FIX  : +216 71 108 173
 Skype : kayssar ben hammadi
 kayssar.ben_hamm...@nsn.commailto:kayssar.ben_hamm...@nsn.com

 From: ext Pavel Skovajsa [mailto:pavel.skova...@gmail.com]
 Sent: Saturday, September 28, 2013 10:39 AM
 To: Ben Hammadi, Kayssar (NSN - TN/Tunis)
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] switching of monitored traffic

 It will switch it as any other incoming traffic.
 -pavel

 On Saturday, September 28, 2013, Ben Hammadi, Kayssar (NSN - TN/Tunis)
 wrote:
 Dears,

 We are monitoring traffic from Switch A to Switch B with monitor
 session, Switch B now receives all traffic handled by Switch A.
 Does Switch B treat this traffic as normal traffic and continue to
 switch it according to configured Vlans or does it have a way to know that it comes
 from a monitor session and not from regular switching?

 Br.

 BEN HAMMADI Kayssar

 NOKIA SIEMENS NETWORKS
 Lead Engineer -BroadBand Connectivity
 JNCIE-M (#471), JNCIE-SP (#1147), CCIP
 Mobile : +216 29 349 952  /  +216 98 349 952
 FIX  : +216 71 108 173
 Skype : kayssar ben hammadi
 kayssar.ben_hamm...@nsn.comjavascript:;





Re: [c-nsp] T-1 errors, unable to pinpoint if CSU or circuit issue

2013-05-08 Thread Lee Starnes
Hello,

From looking at your output and based on you replacing your cables I
suspect you are seeing issues that the carrier is not seeing from their
basic remote tests or circuit monitoring. We have seen this many times. Ask
for them to pull PMs on the circuit. If this is a CLEC circuit, have them
pull the ILEC PMs. depending on the circuit and how far from the CO you
are, you may be seeing issues with the repeater (if in use) and their
normal tests typically will not show any issues. In some cases, the LEC
will need to dispatch out to the site to pull PMs which may take them a day
to get out to you.

Let us know what they come back with.

-Lee




On Tue, May 7, 2013 at 8:53 AM, false jct...@yahoo.com wrote:

 Hello,

 Let me just first say Thank you to everybody that has helped in my
 previous post. This list is awesome.

 As for the current problem, I keep getting voip issues, including the
 occasional phone call drop. I have a dedicated T-1 for voip traffic and
 minor site-to-site vpn traffic with a QoS policy applied to handle voice
 traffic. These problems have occurred even when I took the vpn offline. The
 telco provider always states the line is clean. I replaced the cable from
 the smartjack to the CSU in the router as well. I have only gotten a few
 errors over the past week so the issue looks to be brief and intermittent.
 The logs in the router never show any issues with the CSU.

 1) any idea on how to verify the CSU is causing the Line Errors below?
 2) Any ideas on the cause or how to isolate the issue?

 I will probably turn on debug for the interface in hopes of getting time
 stamps for the interface resets so I can tie them to any voip issues.

 #sho service-module serial 0/1/0
 Interface Serial0/1/0
 Module type is T1/fractional
 Hardware revision is 1.0, Software revision is 001,
 Image checksum is 0x0, Protocol revision is 0.1
 Receiver has no alarms.
 Framing is ESF, Line Code is B8ZS, Current clock source is line,
 Fraction has 24 timeslots (64 Kbits/sec each), Net bandwidth is 1536
 Kbits/sec.
 Last module self-test (done at startup): Passed
 Last clearing of alarm counters 3d01h
 loss of signal:0,
 loss of frame :0,
 AIS alarm :0,
 Remote alarm  :0,
 Module access errors  :0,
 Total Data (last 0 15 minute intervals):
 0 Line Code Violations, 0 Path Code Violations
 0 Slip Secs, 0 Fr Loss Secs, 37 Line Err Secs, 0 Degraded Mins
 4 Errored Secs, 0 Bursty Err Secs, 14 Severely Err Secs, 20 Unavail
 Secs
 Data in current interval (0 seconds elapsed):
 0 Line Code Violations, 0 Path Code Violations
 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs


 sh int s0/1/0
 Serial0/1/0 is up, line protocol is up
   Hardware is GT96K with integrated T1 CSU/DSU
   Internet address is x.x.x./30
   MTU 1500 bytes, BW 1544 Kbit/sec, DLY 2 usec,
  reliability 255/255, txload 4/255, rxload 5/255
   Encapsulation PPP, LCP Open
   Listen: CDPCP
   Open: IPCP, loopback not set
   Keepalive set (10 sec)
   Last input 00:00:01, output 00:00:00, output hang never
   Last clearing of show interface counters 3d01h
   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 557
   Queueing strategy: Class-based queueing
   Output queue: 0/1000/0 (size/max total/drops)
   5 minute input rate 35000 bits/sec, 10 packets/sec
   5 minute output rate 28000 bits/sec, 7 packets/sec
  3132198 packets input, 1283936661 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  289 input errors, 289 CRC, 39 frame, 3 overrun, 0 ignored, 67 abort
  2561565 packets output, 793225489 bytes, 0 underruns
  0 output errors, 0 collisions, 2 interface resets
  0 unknown protocol drops
  6 unknown protocol drops
  0 output buffer failures, 0 output buffers swapped out
  0 carrier transitions
  DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

 show controllers s0/1/0

 67 input aborts on receiving flag sequence
 0 throttles, 0 enables
 3 overruns
 0 transmitter underruns
 0 transmitter CTS losts
 3122313 rxintr, 2544022 txintr, 0 rxerr, 0 txerr
 5517559 mpsc_rx, 0 mpsc_rxerr, 66 mpsc_rlsc, 524 mpsc_rhnt, 5517442
 mpsc_rfsc
 5 mpsc_rcsc, 0 mpsc_rovr, 0 mpsc_rcdl, 0 mpsc_rckg, 0 mpsc_bper
 0 mpsc_txerr, 1882006 mpsc_teidl, 0 mpsc_tudr, 0 mpsc_tctsl, 0 mpsc_tckg
 0 sdma_rx_sf, 0 sdma_rx_mfl, 3 sdma_rx_or, 67 sdma_rx_abr, 39 sdma_rx_no
 0 sdma_rx_de, 0 sdma_rx_cdl, 289 sdma_rx_ce, 0 sdma_tx_rl, 0 sdma_tx_ur, 0
 sdma_tx_ctsl
 0 sdma_rx_reserr, 0 sdma_tx_reserr
 0 rx_bogus_pkts, rx_bogus_flag FALSE
 0 sdma_tx_ur_processed

 tx_limited = 1(2), errata19 count1 - 0, count2 - 0
 Receive Ring
 rxr head (21)(0x0F06E930), rxr tail (0)(0x0F06E7E0)
   rmd(F06E7E0): nbd F06E7F0 cmd_sts 8080 buf_sz 0600 buf_ptr
 F07D1E0
   rmd(F06E7F0): nbd F06E800 cmd_sts 8080 buf_sz 0600 buf_ptr
 F073F40

Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2

2013-04-25 Thread Lee Starnes
Hi Andrew,

We have not tried any multimode xfp's. While the documentation shows a
table with only single mode optics, at the end of the document, it
lists an XFP-10G-MM-SR in the ordering info table.


On Thu, Apr 25, 2013 at 4:09 PM, Andrew Jones andrew.jo...@alphawest.com.au
 wrote:

 Whilst we are talking about SPA-1X10GE cards, has anyone got these to work
 with a multimode sr xfp?

 Andrew Jones

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Edward Salonia
 Sent: Friday, 26 April 2013 1:25 AM
 To: Lee Starnes
 Cc: cisco-nsp@puck.nether.net; cisco-nsp
 Subject: Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2

 Sure. Future-proofing, when capable, is a good idea.


 -Original Message-
 From: Lee Starnes lee.t.star...@gmail.com
 Date: Wed, 24 Apr 2013 22:53:03
 To: e...@edgeoc.net
 Cc: cisco-nspcisco-nsp-boun...@puck.nether.net;
 cisco-nsp@puck.nether.netcisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2

 Hi Ed,

 So there should be no issue if they are used for what we do other than they
 cost more? We may have some SONET applications in the near future, so if I
 wanted to standardize on one card, this should work both ways? This was my
 understanding based on what I read, but I don't want to assume that things
 not clearly stated were there. Our main use being etherchannel stuff.

 -Lee


 On Wed, Apr 24, 2013 at 10:21 PM, Edward Salonia e...@edgeoc.net wrote:

  WL does LANPHY, WANPHY, and SONET/SDH.
  L does only LANPHY
 
  If you are just using this for 10gige LAN interconnect, use the L. If you
  need WAN/SONET support, get the WL.
 
  - Ed
  -Original Message-
  From: Lee Starnes lee.t.star...@gmail.com
  Sender: cisco-nsp cisco-nsp-boun...@puck.nether.netDate: Wed, 24 Apr
  2013 16:12:26
  To: cisco-nsp@puck.nether.netcisco-nsp@puck.nether.net
  Subject: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2
 
  Hello,
 
  I was wondering if anyone here has used the SPA-1X10GE-WL-V2 and if so
 how
  it differs with the non W version with relation to Ethernet and
  EtherBundles.
 
  We currently use the non W versions for our ethernet uplinks to
 backbone
  connections as well as between our switches and routers. In some cases,
 we
  do EtherBundles for 20 or 30G links. I was wondering if the W version
  would have any issues with this or if it's only difference is the ability
  to do POS.
 
  -Lee


Re: [c-nsp] OSPF admin distance not working on IOS-XR.

2013-04-24 Thread Lee Starnes
Thanks everyone who responded. Very helpful. Sorry for the delay in
responding back.


On Thu, Apr 4, 2013 at 6:24 AM, Adrian Turcu adri...@domeit.net wrote:

 Are you sure is not just your filtering at the show route ospf command,
 that leads you to believe there you only send over the 2nd bundle?
 From the show ip route command it looks like both paths are installed
 and you are sending traffic over both paths equally.

 Did you try the following config:

 router ospf 12345
  area  ! --- your area number where the Bundle-Ether interfaces are
interface Bundle-Ether1
  cost 10
interface Bundle-Ether2
  cost 20

 The above will affect all prefixes learned from these paths, i.e. routes
 will be preferred via Bundle-Ether1 , while Bundle-Ether2 will be just a
 backup path.

 On 4 Apr 2013, at 11:42, Lee Starnes wrote:

 Hello,

 We are trying to change the administrative distance on one of the OSPF
 neighbors of our router and no matter what it is set to, the value does not
 seem to change.

 #sh ip route x.x.0.102
 Thu Apr  4 02:36:05.122

 Routing entry for x.x.0.102/32
  Known via ospf 12345, distance 110, metric 2, type intra area
  Installed Apr  4 02:14:55.059 for 00:21:10
  Routing Descriptor Blocks
x.x.25.19, from x.x.0.102, via Bundle-Ether1
  Route metric is 2
x.x.25.34, from x.x.0.102, via Bundle-Ether2
  Route metric is 2
  No advertising protos.

 #sh route ospf | incl x.x.0.102
 Thu Apr  4 03:31:36.554
 Ox.x.0.102/32 [110/2] via x.x.25.34, 01:16:40, Bundle-Ether2


 The issue here is that we are trying to avoid sending a majority of our
 traffic through Bundle-Ether2 which it seems OSPF has decided is the best
 Path. The 0.102 address is a loopback interface of a neighbor (6500b)
 directly connected to Bundle-Ether1, where Bundle-Ether2 is connected to
 6500a with less capacity on its links. This is causing the links on
 bundle2 to get saturated at peak times.

 XR-bundle2---6500a---6500b
 XR-bundle1---6500b---6500a

 Configured XR router:

 router ospf 12345
 log adjacency changes
 distance 120 x.x.25.34 0.0.0.0

 Is this a bug or am I going about this all wrong?


[c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2

2013-04-24 Thread Lee Starnes
Hello,

I was wondering if anyone here has used the SPA-1X10GE-WL-V2 and if so how
it differs with the non W version with relation to Ethernet and
EtherBundles.

We currently use the non W versions for our ethernet uplinks to backbone
connections as well as between our switches and routers. In some cases, we
do EtherBundles for 20 or 30G links. I was wondering if the W version
would have any issues with this or if it's only difference is the ability
to do POS.

-Lee


Re: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2

2013-04-24 Thread Lee Starnes
Hi Ed,

So there should be no issue if they are used for what we do other than they
cost more? We may have some SONET applications in the near future, so if I
wanted to standardize on one card, this should work both ways? This was my
understanding based on what I read, but I don't want to assume that things
not clearly stated were there. Our main use being etherchannel stuff.

-Lee


On Wed, Apr 24, 2013 at 10:21 PM, Edward Salonia e...@edgeoc.net wrote:

 WL does LANPHY, WANPHY, and SONET/SDH.
 L does only LANPHY

 If you are just using this for 10gige LAN interconnect, use the L. If you
 need WAN/SONET support, get the WL.

 - Ed
 -Original Message-
 From: Lee Starnes lee.t.star...@gmail.com
 Sender: cisco-nsp cisco-nsp-boun...@puck.nether.netDate: Wed, 24 Apr
 2013 16:12:26
 To: cisco-nsp@puck.nether.netcisco-nsp@puck.nether.net
 Subject: [c-nsp] SPA-1X10GE-WL-V2 vs SPA-1X10GE-L-V2

 Hello,

 I was wondering if anyone here has used the SPA-1X10GE-WL-V2 and if so how
 it differs with the non W version with relation to Ethernet and
 EtherBundles.

 We currently use the non W versions for our ethernet uplinks to backbone
 connections as well as between our switches and routers. In some cases, we
 do EtherBundles for 20 or 30G links. I was wondering if the W version
 would have any issues with this or if it's only difference is the ability
 to do POS.

 -Lee


Re: [c-nsp] uRPF Core Internet Routers

2013-04-16 Thread Lee
On 4/16/13, Antonio Soares amsoa...@netcabo.pt wrote:
 Hello group,

 I looking for Information about anti-spoofing measures namely uRPF.

[.. snip old references ..]

 Now my question, is it appropriate to use uRPF loose mode on Core Routers
 (Full Routing Tables) ?

It's an easy way to drop traffic with RFC-1918 addresses, so it is
nice that way.  But the IPv4 address space is close to all allocated,
so enabling it for IPv4 doesn't seem like a huge win.  IPv6 may be a
different story tho..


 How about the impact/restrictions ?

No idea.  I use an input access list or strict uRPF on the edge and
haven't paid much attention to loose uRPF.
http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html says
  Reference the Implementing Cisco Express Forwarding on Cisco IOS XR Software
  section of the Cisco IOS XR IP Addresses and Services Configuration Guide for
  more information.
so that sounds like a good place to look.

Regards,
Lee


 I was able to find a few restrictions
 when comparing the SUP720 with the SUP-2T but I'm more interested on IOS-XR
 Platforms.


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


Re: [c-nsp] uRPF Core Internet Routers

2013-04-16 Thread Lee
On 4/16/13, Dobbins, Roland rdobb...@arbor.net wrote:

 On Apr 17, 2013, at 8:42 AM, Lee wrote:

 But the IPv4 address space is close to all allocated, so enabling it for
 IPv4 doesn't seem like a huge win.

 This is incorrect, and is actually harmful misinformation.

 The value of antispoofing has nothing to do with allocated address space
 percentages.  It has everything to do with removing the ability to launch
 high-volume reflection/amplification DDoS attacks, spoofed SYN-floods, et.
 al.

The topic was about enabling loose uRPF.  Quoting from
http://www.cisco.com/web/about/security/intelligence/CiscoIOSXR.html
again

Loose mode Unicast RPF: Loose mode searches for the source address of
a packet in the FIB table. If the address exists and matches a real
and valid forwarding entry (not necessarily pointing to the ingress
interface on which the packet was received), then the packet is
further processed, otherwise it is dropped.

Seems to me that the utility of filtering just packets supposedly
coming from unannounced IPv4 address space is not all that useful in
   ... removing the ability to launch
 high-volume reflection/amplification DDoS attacks, spoofed SYN-floods, et.
 al.

If someone is going to spoof traffic, it's no harder for them to spoof
traffic from advertised than non-advertised space.

Lee
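To make the loose/strict distinction in this exchange concrete, here is an added example written for this page (not Cisco code, and not posted by anyone in the thread) that applies both checks to a handful of sources arriving on one customer-facing interface. The FIB, interface names and packets are constructed. The rules implemented are the documented Cisco ones: a source with no FIB entry fails both modes, a match via the default route counts only when allow-default is set, a source whose route points to Null0 is dropped, and strict mode additionally requires the FIB's outgoing interface to be the interface the packet came in on.

```python
"""Strict vs loose unicast RPF on a toy FIB.

Added example for the mode comparison in this thread; not Cisco code. The
FIB, interfaces and packets are constructed. Rules implemented (documented
Cisco behaviour): no FIB entry fails both modes, a default-route match counts
only with allow-default, a route to Null0 fails, and strict mode also requires
the FIB's outgoing interface to equal the ingress interface."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed FIB: prefix -> outgoing interface (one path per prefix; real
# strict uRPF accepts any of the equal-cost paths).
FIB: Dict[Net, str] = {
    ipaddress.ip_network("0.0.0.0/0"):       "Upstream0",  # default route
    ipaddress.ip_network("203.0.113.0/24"):  "Customer1",
    ipaddress.ip_network("198.51.100.0/24"): "Customer2",
    ipaddress.ip_network("192.0.2.0/24"):    "Null0",      # blackholed source
}


def lookup(src: str) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match of the source address against the FIB."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[Net, str]] = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf(src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """True if the packet passes the check; mode is 'loose' or 'strict'."""
    if mode not in ("loose", "strict"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    hit = lookup(src)
    if hit is None:
        return False                      # no route at all
    prefix, iface = hit
    if prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if iface == "Null0":
        return False                      # route to Null0 drops in both modes
    if mode == "strict":
        return iface == ingress           # must arrive on the FIB's interface
    return True                           # loose: any real FIB entry is enough


# Constructed packets arriving on Customer1: (source address, ingress interface)
PACKETS: List[Tuple[str, str]] = [
    ("203.0.113.10", "Customer1"),  # Customer1's own space
    ("198.51.100.7", "Customer1"),  # spoofs Customer2's advertised space
    ("10.0.0.5", "Customer1"),      # RFC 1918, only the default route matches
    ("192.0.2.9", "Customer1"),     # blackholed source
    ("198.18.0.1", "Customer1"),    # reachable only via the default route
]


def evaluate(mode: str, allow_default: bool = False) -> Dict[str, bool]:
    """Run every constructed packet through one uRPF mode."""
    return {src: urpf(src, ingress, mode, allow_default) for src, ingress in PACKETS}


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, evaluate(mode))
    print("loose + allow-default", evaluate("loose", allow_default=True))
```

Running it shows the point the two posts above circle around: in loose mode the packet spoofing Customer2's advertised space passes, and with allow-default the RFC 1918 source passes as well, whereas strict mode on the customer-facing edge drops both while still admitting the customer's own prefix.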


Re: [c-nsp] 3560g switch - tagged vlans and untagged frames

2013-04-09 Thread Lee
On 4/9/13, Damian Higgins linnew...@gmail.com wrote:
 Hi Mike,

 How about this scenario. Let's say you want a VLAN tagged on all the ports,
 but also want different untagged VLANs on those ports (e.g. port 10 tagged
 vlan 306 and untagged vlan 6, port 11 tagged vlan 306 and untagged vlan 7).

int g0/10
  switchport trunk allowed vlan 6,306
  switchport trunk native vlan 6

int g0/11
  switchport trunk allowed vlan 7,306
  switchport trunk native vlan 7

 So native VLAN is out of question here since all ports would be untagged in
 the same VLAN ID.

native vlan is per port



 Can you please test the following setup and tell me if it works? :

shouldn't work -  'switchport access vlan nnn' is for non-trunking ports.

Regards,
Lee




 interface GigabitEthernet0/10
description testing cisco vlans
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 306
switchport mode trunk
switchport access vlan 6


 interface GigabitEthernet0/11
description testing cisco vlans
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 306
switchport mode trunk
switchport access vlan 7


 I don't have any cisco switches at the moment that I could do this test on,
 but I can tell you for sure that this setup is possible on other switches
 (HP procurve for example, and they're way cheaper :)

 Regards,



 On Tue, Apr 9, 2013 at 8:21 PM, Mike
 mike-cisconspl...@tiedyenetworks.comwrote:

 On 04/08/2013 09:48 PM, sth...@nethelp.no wrote:

 I would like to be able to accept both tagged and untagged frames on my
 3560g. For the untagged frames, I'd like to be able to say these are a
 member of some vlan - say 100 - otherwise I want to be able to allow
 tagged frames from some list.

 In testing, it doesn't appear that switchport trunk native vlan
 is doing the job; anything I send untagged is dropped and doesn't show
 up in the switch mac address tables.  Here is my config:


 Similar configs work for us.



 interface GigabitEthernet0/45
description testing cisco vlans
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport trunk allowed vlan 306
switchport mode trunk


 It it helps. I do also have dot1q native vlan tagging enabled.


 I believe you need to drop that - it tells the switch that the native
 VLAN should be tagged.

 Also, add the native VLAN to the list of allowed VLANs (so you'd get
 switchport trunk allowed vlan 6,306 here).




 I removed dot1q tag native and that seems to have worked. Unfortunately,
 it caused other problems requiring me to set the native vlans on some
 ports
 to something other than default. In the end it's working but I just don't
 see why I can't say 'hey, got an untagged frame? throw it into this vlan
 for me...'. Maybe I need more expensive switches.

 Thanks all.

 Mike-



[c-nsp] OSPF admin distance not working on IOS-XR.

2013-04-04 Thread Lee Starnes
Hello,

We are trying to change the administrative distance on one of the OSPF
neighbors of our router and no matter what it is set to, the value does not
seem to change.

#sh ip route x.x.0.102
Thu Apr  4 02:36:05.122

Routing entry for x.x.0.102/32
  Known via ospf 12345, distance 110, metric 2, type intra area
  Installed Apr  4 02:14:55.059 for 00:21:10
  Routing Descriptor Blocks
x.x.25.19, from x.x.0.102, via Bundle-Ether1
  Route metric is 2
x.x.25.34, from x.x.0.102, via Bundle-Ether2
  Route metric is 2
  No advertising protos.

#sh route ospf | incl x.x.0.102
Thu Apr  4 03:31:36.554
Ox.x.0.102/32 [110/2] via x.x.25.34, 01:16:40, Bundle-Ether2


The issue here is that we are trying to avoid sending a majority of our
traffic through Bundle-Ether2 which it seems OSPF has decided is the best
Path. The 0.102 address is a loopback interface of a neighbor (6500b)
directly connected to Bundle-Ether1, where Bundle-Ether2 is connected to
6500a with less capacity on its links. This is causing the links on
bundle2 to get saturated at peak times.

XR-bundle2---6500a---6500b
XR-bundle1---6500b---6500a

Configured XR router:

router ospf 12345
 log adjacency changes
distance 120 x.x.25.34 0.0.0.0

Is this a bug or am I going about this all wrong?


[c-nsp] VPN firewall

2013-03-13 Thread Michael Lee
Hello, 

Anyone has any recommendation for 5-10g performance 3des VPN firewalls?
Not udp throughput..

Thanks,
Regards

-mike


Re: [c-nsp] Cisco 6509 LACP

2013-02-09 Thread Lee
On 2/9/13, Mack McBride mack.mcbr...@viawest.com wrote:
 Portfast doesn't err disable,

unless you have
spanning-tree portfast bpduguard default

Regards,
Lee



 it simply converts to a non-portfast port when
 it detects a PDU (which is sent first on the link before data).

 Mack

 From: Rogelio Gamino [mailto:rgam...@gmail.com]
 Sent: Friday, February 08, 2013 5:46 PM
 To: Mack McBride
 Cc: Andrew Miehs; Mario Ruiz; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Cisco 6509 LACP


 I'm surprised portfast is not causing the interfaces to errdisable.

 Do you see MAC addresses for the source/destination devices on both
 switches?

 Rogelio Gamino
 On Feb 8, 2013 6:11 PM, Mack McBride
 mack.mcbr...@viawest.commailto:mack.mcbr...@viawest.com wrote:
 Not on a trunk.
 That is for an access port.

 LR Mack McBride
 Network Architect

 -Original Message-
 From:
 cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.netmailto:cisco-nsp-boun...@puck.nether.net]
 On Behalf Of Mario Ruiz
 Sent: Friday, February 08, 2013 3:05 PM
 To: Andrew Miehs
 Cc: cisco-nsp@puck.nether.netmailto:cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Cisco 6509 LACP

 Don't you need the vlan statement too.

 switchport access vlan 2

 On Fri, Feb 8, 2013 at 4:41 PM, Andrew Miehs
 and...@2sheds.demailto:and...@2sheds.de wrote:
 Which VLANs do you want to trunk?
 Have you created the

 vlan Number
   name VlanName

 entries on the Cisco side yet?

 show interface trunk

 would also be interesting.




 On Sat, Feb 9, 2013 at 7:25 AM, Mike Glass
 mgl...@lccountymt.govmailto:mgl...@lccountymt.gov wrote:

 I hope somebody can help me, I am trying to configure a 6509 as the
 passive receiver from a Dell Force10 10Ge switch with 2 sfp to 2 gig
 ports on our 6509 switch, I see LACP is up on both sides but cannot
 pass traffic, I have only 2 vlans that will carry across the
 aggregate link from our vmware boxes, this is just a temp until I get a
 10ge in our 6509 chassis.

 Attached is the config on both sides.

 Make sense?

 ---
 Cisco 6509 Config
 ---

 interface GigabitEthernet6/7
  switchport
  no ip address
  spanning-tree portfast
  switchport mode trunk
  channel-protocol lacp
  channel-group 1 mode passive
 !
 interface GigabitEthernet6/8
  switchport
  no ip address
  spanning-tree portfast
  switchport mode trunk
  channel-protocol lacp
  channel-group 1 mode passive


 interface Port-channel1
  description lacp Force10
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no ip address
  logging event link-status
 


 -
 --
 show etherchannel detail

 -
 --

 Channel-group listing:
 ---

 Group: 1
 --
 Group state = L2
 Ports: 2   Maxports = 16
 Port-channels: 1 Max Port-channels = 16
 Protocol:   LACP
 Minimum Links: 0
 Ports in the group:
 ---
 Port: Gi6/7
 

 Port state= Up Mstr In-Bndl
 Channel group = 1   Mode = Active  Gcchange = -
 Port-channel  = Po1 GC   =   - Pseudo port-channel = Po1
 Port index= 0   Load = 0x55Protocol =   LACP

 Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast
 LACPDUs.
 A - Device is in active mode.P - Device is in passive
 mode.

 Local information:
 LACP port Admin OperPort
  Port
 Port  Flags   State Priority  Key   Key Number
  State
 Gi6/7 SA  bndl  32768 0x1   0x1 0x607
 0x3D

 Partner's information:

   Partner Partner   LACP Partner  Partner   Partner  Partner
 Partner
 Port  Flags   State Port Priority Admin Key Oper Key Port Number
 Port State
 Gi6/7 FA  bndl  32768 0x0   0x1  0xA5
  0x3F

 Age of the port in the current state: 0d:00h:08m:06s

 Port: Gi6/8
 

 Port state= Up Mstr In-Bndl
 Channel group = 1   Mode = Active  Gcchange = -
 Port-channel  = Po1 GC   =   - Pseudo port-channel = Po1
 Port index= 1   Load = 0xAAProtocol =   LACP

 Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast
 LACPDUs.
 A - Device is in active mode.P - Device is in passive
 mode.

 Local information:
 LACP port Admin OperPort
  Port
 Port  Flags   State Priority  Key   Key Number
  State
 Gi6/8 SA  bndl  32768 0x1   0x1 0x608
 0x3D

 Partner's information:

   Partner Partner

[c-nsp] IOS-XR and SIP600/601 with etherbundles

2013-01-30 Thread Lee Starnes
Hello,

I was wondering if there are any known issues with XR 4.0.1 running a
SIP600 or SIP601 with ether bundles. We have a couple chassis that still
need to upgrade to newer versions of the OS, but I can't do that right away
and need to expand link capacity before I will be able to deploy newer OS.
I understand that IPv6 does not work for bundles until version 4.1.0. Does
anyone have experience with these blades and the version of XR we are
running?

These would be either SIP-600 or SIP-601 blades with SPA-8X1GE-V2 or
SPA-10X1GE-V2 port adapters. I'd prefer the SIP-600 for this site as I have
more on hand than the 601's in case of failure.

Thanks,

-Lee


Re: [c-nsp] IOS-XR OSPF rapid repeating error.

2013-01-26 Thread Lee Starnes
Thanks Oliver. I will login and download it.

-Lee

On Sat, Jan 26, 2013 at 12:20 AM, Oliver Boehmer (oboehmer) 
oboeh...@cisco.com wrote:


 Lee,

 I was wondering if anyone has seen this and if it is caused by a bug or a
 security hole. OSPF process is in an endless loop of errors that I was only
 able to fix with a reboot. I could not restart the OSPF process as it would
 just hang for 60 seconds and then give up. This problem takes the CPU to
 100% when this OSPF problem happens and for whatever reason, happened on
 two routers at the same time. I did some searching but was never able to
 find an actual answer as to the cause. What I find odd is that two routers
 would end up with the same problem at the same exact time if it is a bug
 and if it is a security hole, that I was not able to find the details on
 it.
 
 RP/0/9/CPU0:Jan 15 19:27:40.781 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range

 you're hitting a known issue CSCtn00523 (details on CCO), there is an OSPF
 Umbrella SMU available for download on CCO, which fixes this and other OSPF
 issues in 4.0.1 (CSCts31308).

 oli




Re: [c-nsp] Confirmation of Gigabit Ethernet autonegotiation behavior

2013-01-25 Thread Wayne Lee
 I don't think it's technical TBH. I suspect it's just telco mindset -
 force all the params to on/fast/full and it's better, right?

Virgin do the same thing.


[c-nsp] IOS-XR OSPF rapid repeating error.

2013-01-25 Thread Lee Starnes
Hello everyone.

I was wondering if anyone has seen this and if it is caused by a bug or a
security hole. OSPF process is in an endless loop of errors that I was only
able to fix with a reboot. I could not restart the OSPF process as it would
just hang for 60 seconds and then give up. This problem takes the CPU to
100% when this OSPF problem happens and for whatever reason, happened on
two routers at the same time. I did some searching but was never able to
find an actual answer as to the cause. What I find odd is that two routers
would end up with the same problem at the same exact time if it is a bug
and if it is a security hole, that I was not able to find the details on
it.

RP/0/9/CPU0:Jan 15 19:27:40.781 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.783 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.825 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.828 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.890 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range
RP/0/9/CPU0:Jan 15 19:27:40.891 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
Internal error, path id out of range

Thanks for your time.

-Lee
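An added detection example, not part of the thread: a small sliding-window burst detector over IOS-XR syslog lines in the format shown above, so an error loop like this one raises an alert before the CPU is pegged. The sample lines, the threshold and the window are constructed assumptions (the first twelve sample lines reuse the post's timestamps and message text).

```python
"""Rate detector for IOS-XR syslog bursts like the %ROUTING-OSPF-3-INTERNALERR
loop in the post: flag any (node, message id) that repeats at least
`threshold` times inside a sliding window of `window_ms` milliseconds.

Added example, not from the original post. The sample lines below are
constructed: the first twelve reuse the post's timestamps and message, the
last is an unrelated, lower-severity line to show it is not flagged."""
import re
from collections import defaultdict, deque
from datetime import datetime

# IOS-XR syslog: <node>:<Mon dd HH:MM:SS.mmm> : <proc>[<pid>]: %<FAC-SUB-SEV-MNEMONIC> : <text>
LINE_RE = re.compile(
    r"^(?P<node>[^:\s]+):(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) : "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"%(?P<msg>[A-Z0-9_]+-[A-Z0-9_]+-(?P<sev>\d)-[A-Z0-9_]+) : (?P<text>.*)$"
)

_MS = ["781", "782", "782", "783", "784", "784", "785", "785", "825", "826", "826", "826"]
SAMPLE = [
    f"RP/0/9/CPU0:Jan 15 19:27:40.{ms} : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR : "
    "Internal error, path id out of range"
    for ms in _MS
] + ["RP/0/9/CPU0:Jan 15 19:27:41.004 : ospf[1009]: %ROUTING-OSPF-5-ADJCHG : "
     "constructed unrelated message"]


def parse(line):
    """Split one IOS-XR syslog line into its fields, or return None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # The router omits the year; strptime defaults to 1900, fine for deltas.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
    return {"node": m["node"], "ts": ts, "proc": m["proc"], "pid": int(m["pid"]),
            "msg": m["msg"], "severity": int(m["sev"]), "text": m["text"]}


def find_bursts(lines, threshold=10, window_ms=1000):
    """Return {(node, msg): peak count} for every message id that reached
    `threshold` occurrences within any `window_ms` span."""
    recent = defaultdict(deque)   # (node, msg) -> timestamps inside the window
    peaks = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue               # not in the IOS-XR format; ignore
        key = (ev["node"], ev["msg"])
        window = recent[key]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() * 1000 > window_ms:
            window.popleft()       # drop timestamps older than the window
        if len(window) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(window))
    return peaks


if __name__ == "__main__":
    for (node, msg), peak in find_bursts(SAMPLE).items():
        print(f"{node} {msg}: {peak} occurrences within 1 s")
```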


Re: [c-nsp] IOS-XR OSPF rapid repeating error.

2013-01-25 Thread Lee Starnes
We are running 4.0.1 currently.

-Lee

On Fri, Jan 25, 2013 at 9:12 PM, Xu Hu jstuxuhu0...@gmail.com wrote:

 It seems to be a bug; which version are you using?


 http://status.ovh.es/?do=detailsid=1152PHPSESSID=63f1ab780c97e64284a260a17828a53c



 2013/1/26 Lee Starnes lee.t.star...@gmail.com

 Hello everyone.

 I was wondering if anyone has seen this and if it is caused by a bug or a
 security hole. OSPF process is in an endless loop of errors that I was only
 able to fix with a reboot. I could not restart the OSPF process as it would
 just hang for 60 seconds and then give up. This problem takes the CPU to
 100% when this OSPF problem happens and for whatever reason, happened on
 two routers at the same time. I did some searching but was never able to
 find an actual answer as to the cause. What I find odd is that two routers
 would end up with the same problem at the same exact time if it is a bug
 and if it is a security hole, that I was not able to find the details on
 it.

 RP/0/9/CPU0:Jan 15 19:27:40.781 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.782 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.783 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.784 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.785 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.825 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.826 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.827 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.828 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.829 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.856 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.857 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.858 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.859 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.890 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range
 RP/0/9/CPU0:Jan 15 19:27:40.891 : ospf[1009]: %ROUTING-OSPF-3-INTERNALERR :
 Internal error, path id out of range

 Thanks for your time.

 -Lee





Re: [c-nsp] unknown unicast flooding - particularly regarding fhrp's

2013-01-21 Thread Lee
On 1/21/13, Aaron aar...@gvtc.com wrote:
 What do y'all know about the effects of implementing fhrp's (glbp, hsrp,
 vrrp) WITH route diversity from the distribution (fhrp router) to the
 internet. (which I'd imagine is a pretty typical scenario in HA nets)

Do you have enough bandwidth to the Internet that it might be a problem?

Is the topology such that you could have unicast flooding?  If you
don't allow the same vlan on multiple access layer switches that
eliminates most unicast flooding.

In any case, I like increasing the mac address table timeout, others
like decreasing the ARP table timeout & I remember one recommendation
to configure the hosts to send broadcasts every few minutes (I think
it was ntp to the subnet broadcast address??).  And be sure to enable
portfast on all the host ports - otherwise when a user reboots their
machine you get a topology change notification, all the switches set
the fast aging timer for that vlan and you're back to unicast
flooding.

have you seen
http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml


Regards,
Lee



 I mean as packets arrive from the internet to the non-active fhrp router,
 then this router probably won't have arp entries (perhaps at 4 hour timeouts
 it will) but it more than likely won't have bridge table entries, nor will
 the L2 distribution / access devices have bridge table entries (at 300 secs
 aging probably not)



 How does constant unknown unicast flooding affect networks?  Better yet, how
 to design in mitigation ?  is it all about lower arp timeouts below 300 secs
 so to artificially prop-up bridge tables and keep them fresh?  My goodness
 that's making arp very busy.



 This is also being asked since I'm suspecting this behavior on my asr9k's
 via their bvi's (hsrp'd) since they have separate internet uplinks and I'm
 suspecting unknown unicast flooding from the non-active hsrp asr9k over the
 vpls domain towards customers.  (but ugh, my dual 7609's over my legacy net
 have been running like this forever!)



 Aaron




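A toy simulation of the timer interaction Lee and Aaron are discussing, added here as an example and not part of the original thread. It assumes one L2 domain, a host that only transmits when it is ARPed, inbound packets for the host arriving at the (non-active) router every minute, and IOS-style defaults of 300 s MAC aging and a 4 h ARP timeout, with a simplified TCN model (15 s fast aging for 35 s); all of these are assumptions of the model, not values from the posts.

```python
"""Toy model of unknown-unicast flooding: a router whose ARP entry for a
host outlives every switch's MAC-table (CAM) entry keeps forwarding unicast
frames that the switches no longer know where to send, so they flood them.

Constructed example (not from the thread). Assumptions: one L2 domain,
a host that only transmits when it is ARPed (it sent its last frame at
t=0), inbound packets for the host reaching the router every `interval`
seconds, IOS-style default timers, simplified TCN fast-aging behaviour."""
from dataclasses import dataclass


@dataclass
class Timers:
    cam_aging: int = 300       # switch MAC aging, seconds (IOS default)
    arp_timeout: int = 14400   # router ARP timeout, seconds (IOS default 4 h)
    tcn_fast_aging: int = 15   # aging used while a topology change is in effect
    tcn_window: int = 35       # how long fast aging stays in effect (simplified)


def simulate(timers, duration, interval, tcn_at=None):
    """Replay `duration` seconds of inbound traffic and return how many
    packets were delivered as known unicast, how many were flooded, and
    how many ARP requests the router had to send."""
    cam_seen = 0   # last time the switches saw a frame *from* the host
    arp_seen = 0   # last time the router (re)learned the host's MAC
    stats = {"delivered": 0, "flooded": 0, "arps": 0}
    for t in range(interval, duration + 1, interval):
        aging = timers.cam_aging
        if tcn_at is not None and tcn_at <= t < tcn_at + timers.tcn_window:
            aging = timers.tcn_fast_aging   # TCN: switches age entries fast
        cam_valid = t - cam_seen < aging
        if t - arp_seen >= timers.arp_timeout:
            # ARP entry expired: the router broadcasts a request and the
            # host's reply refreshes both the ARP cache and every CAM table
            # on the path, so this packet is switched normally.
            stats["arps"] += 1
            arp_seen = cam_seen = t
            cam_valid = True
        if cam_valid:
            stats["delivered"] += 1
        else:
            stats["flooded"] += 1   # ARP still valid, CAM gone: flood
    return stats


if __name__ == "__main__":
    hour, every_minute = 3600, 60
    cases = {
        "defaults (300 s CAM, 4 h ARP)": (Timers(), None),
        "ARP timeout below CAM aging": (Timers(arp_timeout=240), None),
        "CAM aging raised to 4 h": (Timers(cam_aging=14400), None),
        "short ARP timeout, but a TCN at t=600 s": (Timers(arp_timeout=240), 600),
    }
    for name, (tm, tcn) in cases.items():
        print(f"{name:42} {simulate(tm, hour, every_minute, tcn)}")
```

With the defaults the first four packets are switched normally and the remaining 56 in the hour are flooded; either shortening the ARP timeout below the MAC aging time or raising the MAC aging time stops the flooding, while a TCN during the "fixed" run still floods one packet, which is the portfast point in Lee's reply.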


Re: [c-nsp] unknown unicast flooding - particularly regarding fhrp's

2013-01-21 Thread Lee
On 1/21/13, Aaron aar...@gvtc.com wrote:
 Arp timers are central, bridge timers are more distributed

 Arp timers I believe are specific to svi/bvi/routed interfaces, bridge
 timers I believe are more global and may not be vlan specific

 Those 2 items would lead me to think arp timers would be the best place to
 adjust

What happens when the router doesn't have an arp entry?  When I ping
an idle host I don't get an answer to the first ping.  So if you set
the arp timeout to 5 minutes does that mean the 1st packet to a host
that's been idle >= 5 minutes is dropped?

Thanks,
Lee


Re: [c-nsp] Advice for automating changes to asr 1001

2013-01-16 Thread Lee
On 1/15/13, Bryan Tabb bryan.t...@nztechnologygroup.com wrote:
 Hi all

 I was looking for some advice on what technology to use to automate small
 config changes to an asr1001

 Changes will be small, such as adding & removing subinterfaces \ IPs and
 adding \ removing the odd static route for customers.

 Through googling, so far what I've found:


 1.   SSH based connection - e.g. clogin \ expect type process

clogin is really nice but you have to escape TCL special characters,
so tasks like setting the snmp community string can be a real pain

 2.   Dropping the config onto a tftp server then using snmp to trigger
 config download and wr mem

easier than clogin since you don't have to worry about special
characters, but our security office sees 'clear text protocol' (i.e.
characters, but our security office sees 'clear text protocol' (ie.
tftp) and has a fit


 3.   I've seen IOS XR XML for the asr 9000 but since asr uses ios xe
 this may not be an option

never tried it

supposedly another option is to scp a config snippet to the
running-config.  haven't gotten around to trying that yet either

regards,
lee


[c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL

2013-01-04 Thread Lee Starnes
Hello,

After wading through hours of pages on Cisco's site I was not able to
determine if the following configuration will work without having to
upgrade either the DFC or the IOS. We have some switches that I need to
install some 10G ports in. I have some WS-X6704-10GE blades with 3BXL DFC
boards on them. I don't have a chassis to test with, and don't want to ship
these out to have them installed if they are not going to work. The chassis
have SUP720-3BXL's in them and are running
s72033-advipservicesk9_wan-mz.122-33.SXH. Aside from the fact that the IOS
is older, does anyone see any issues with this IOS and SUP working with the
WS-X6704-10GE?

Thanks,

Lee


Re: [c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL

2013-01-04 Thread Lee Starnes
Thanks Robert for the quick reply.

On Fri, Jan 4, 2013 at 3:48 PM, Robert Hass robh...@gmail.com wrote:

 On Sat, Jan 5, 2013 at 12:39 AM, Lee Starnes lee.t.star...@gmail.com wrote:

  s72033-advipservicesk9_wan-mz.122-33.SXH. Aside from the fact that the IOS
  is older, does anyone see any issues with this IOS and SUP working with the
  WS-X6704-10GE?

 It will work without problems.
 I used same configuration some time ago (Now I'm using SXI release).

 Rob



Re: [c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL

2013-01-04 Thread Lee Starnes
Thank you Nick.

-Lee

On Fri, Jan 4, 2013 at 3:48 PM, Nick Hilliard n...@foobar.org wrote:

 On 04/01/2013 23:39, Lee Starnes wrote:
  is older, does anyone see any issues with this IOS and SUP working with the
  WS-X6704-10GE?

 should work fine.  the X6704 cards have been supported since the sup720
 came out.  The 3bxl DFC will work fine with the 3bxl sup.

 Nick





Re: [c-nsp] 6509 with SUP720-3BXL and WS-X6704-10GE with DFC3BXL

2013-01-04 Thread Lee Starnes
Thanks Jeff.

-Lee

On Fri, Jan 4, 2013 at 3:49 PM, Jeff Kell jeff-k...@utc.edu wrote:

 If all the cards in the chassis are DFC3BXL compatible, it should.

 I just added a 6716-10GE with DFC3C to a chassis that had some CFC-only
 SFP gig blades in it (6724/6748 I think).  It works, but not in DFC3C
 mode, and leaves a slurry of warnings at startup.

 Jeff

 On 1/4/2013 6:39 PM, Lee Starnes wrote:
  Hello,
 
  After wading through hours of pages on Cisco's site I was not able to
  determine if the following configuration will work without having to
  upgrade either the DFC or the IOS. We have some switches that I need to
  install some 10G ports in. I have some WS-X6704-10GE blades with 3BXL DFC
  boards on them. I don't have a chassis to test with, and don't want to ship
  these out to have them installed if they are not going to work. The chassis
  have SUP720-3BXL's in them and are running
  s72033-advipservicesk9_wan-mz.122-33.SXH. Aside from the fact that the IOS
  is older, does anyone see any issues with this IOS and SUP working with the
  WS-X6704-10GE?
 
  Thanks,
 
  Lee
 





[c-nsp] IOS-XR SNMP interface packets per second OID.

2012-12-23 Thread Lee Starnes
Hello everyone,

Does anyone know if there is an IOS equivalent to the locIfInpktsSec and
locIfoutPktsSec for IOS-XR? Doing an SNMP walk of the XR system and MIB
browser, I was not able to find the Packets Per Second OID for any
interfaces. Am I just missing something?

Thank you for your time.

-Lee.

