[c-nsp] RES: ASR1006 Upgrade
Just do not forget to keep the old and new image on both active and standby RP and check its MD5 checksum after the copy.

Sincerely.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lukas Tribus
Sent: Tuesday, January 13, 2015 15:45
To: Jordi Magrané Roig; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1006 Upgrade

> Dear Colleagues,
> I'm planning to upgrade my ASR1006. I have never upgraded this model of router before and I have a doubt. I have found the ISSU procedure to upgrade the device but my question is if I can simply put the following command in the configuration:
> boot system flash bootflash:NAME-OF-NEW-RELEASE
> and reload the device.

Absolutely! Just because you can ISSU doesn't mean you have to. A clean reload is certainly possible.

Lukas

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Speed 100 on 42-1GE CRS module
Hi list,

I need to connect a C7200 router with FastEthernet interfaces only to a 42-1GE module on a CRS-3 router. So I would like to know if the 1GE interfaces with SFP-GE-T on this module are able to work with 100M speed, with or without auto negotiation. I didn't find any reference in datasheet or configuration guides.

Thanks in advance.
[c-nsp] RES: IOS XR on ASR9001: Some LDP on Interfaces stuck in xmit
I fixed the issue by reloading the whole machine. Usually it's better to restart only the affected process, in this case the LDP process: process restart job-id location node-id. Regards.
[c-nsp] RES: Unified MPLS - Discrete area or separate IGP in AccessLayer
You could summarize L2 routes and redistribute those into L1, but you end up with sub-optimal routing (which is why I recommend turning off the ATT bit when doing L1/L2 routing anyway). You could use advertise passive-only in order to scale the number of L2 routes, considering you only have your loopback as passive. Sincerely, Leonardo Gama.
[c-nsp] SUP720 to RSP720 upgrade using SSO
Hi list, Does anyone know if it's possible to upgrade two SUP720-3B modules to RSP720-3C (one at a time) using SSO on a 7600, thus minimizing downtime? I couldn't find any doc on cisco.com. IOS version is 12.2(33)SRD8. I'd like to avoid shutting down the whole chassis before swapping both SUP720-3B at the same time. Thanks in advance.
[c-nsp] RES: Cisco 3945 IPsec Issue
Hi, ISR-G2 routers need a security license in order to enable IPSec features. Have you installed it? Regards.
[c-nsp] RES: Fw: LNS Error %VPDN-3-NORESOURCE:
Did I miss anything?

Do you have the following config in the LNS?

aaa authorization network default group RADIUS1
aaa authorization subscriber-service default local

And for the user in the Radius:

Framed-IP-Address += x.x.x.x,
Cisco-avpair += ip:vrf-id=VRF-C,
Cisco-avpair += ip:ip-unnumbered=loopback101

If so, try using PAP auth.

Regards.

From: ar ar_...@yahoo.com
To: cisco-nsp cisco-nsp@puck.nether.net
Sent: Saturday, June 16, 2012 10:53 PM
Subject: [c-nsp] Fw: LNS Error %VPDN-3-NORESOURCE:

Attached is the complete debug output. Below is the config. There's one vrf configured. And I am attaching the l2tp client to this vrf. Since global l2tp (no vrf) was able to authenticate, can this be a possible IOS issue?

vpdn-group 1
 description
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname XXX
 source-ip x.x.x.x
 local name LNS1
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 02081B3C22517C54
 l2tp tunnel timeout no-session 600
 ip tos reflect

interface Virtual-Template1
 mtu 1462
 ip unnumbered Loopback0
 ip tcp adjust-mss 1422
 no peer default ip address
 keepalive 60
 ppp authentication chap NEW
end

aaa group server radius RADIUS1
 server-private x.x.x.x auth-port 1812 acct-port 1813 key 7 123456781C

aaa authentication ppp NEW group RADIUS1
!
interface Loopback101
 ip vrf forwarding VRF-C
 ip address 10.16.1.101 255.255.255.255

ip vrf VRF-C
 rd 100:109
 route-target export 100:109
 route-target import 100:109
[c-nsp] Etherchannel load-balance on 3750-3560
Hi list, I have a dumb question. Is the 3560/3750 platform able to load-balance MPLS packets based on src-dst IP on an Etherchannel? Cheers.
[c-nsp] RES: Cisco AnyConnect VPN Client
No, it only supports SSL VPN.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu Chao
Sent: Thursday, November 3, 2011 14:24
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco AnyConnect VPN Client

I haven't found how to configure IPSec with Cisco AnyConnect VPN Client. Is it possible?
[c-nsp] RES: QoS VLAN Marking is not working 7600
Here is the paper:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_538840.html

Cheers.

---

Leonardo,

Thank you for your answer, there is enable MPLS between CRS and 7600. However, the PFC used is PFC3B. Please do you have any doc regarding: "Moreover only PFC3C/PFC3CXL supports ingress EXP marking at ip2mpls."?

I'm reading
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/mplsqos.html#wp1531487
I didn't find details about the EXP Marking at ingress.

Rgds.
[c-nsp] RES: QoS VLAN Marking is not working 7600
Omar, You won't be able to mark EXP bits if your interface to CRS isn't MPLS enabled. Moreover only PFC3C/PFC3CXL supports ingress EXP marking at ip2mpls. Cheers.
[c-nsp] EIGRP metrics on ASA 8.4
Hi. I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug. I will appreciate any insight. Cheers.
[c-nsp] RES: RES: UDLD misbehaviour
Dark fibre. No, I said that I never saw the far side go up after getting err-disabled.

-----Original Message-----
From: Kevin Graham [mailto:kgra...@industrial-marshmallow.com]
Sent: Thursday, July 14, 2011 20:27
To: Leonardo Gama Souza
Cc: Antonio Soares; Andrew Koch; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RES: UDLD misbehaviour

What's in the middle? That you never saw the far side go down after getting err-disabled is fishy.

[sent from my mobile]
[c-nsp] RES: RES: UDLD misbehaviour
Hi,

Thanks for the inputs. I figured out that only one side had errdisable recovery for UDLD, and as the state machine (aggressive mode) didn't detect the neighbor after recovery, it wouldn't bring the interface down. The recommendation is to not enable automatic recovery for UDLD, at all.

Cheers.

-----Original Message-----
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: Thursday, July 14, 2011 09:48
To: Leonardo Gama Souza; 'Andrew Koch'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] UDLD misbehaviour

Were you able to find if it was a permanent failure or intermittent failure? If it was intermittent, you will have up and down interfaces with errdisable always trying to put the interface up and then udld putting it down again. For this reason, the automatic recovery should be disabled. And it seems in your case, you had it enabled with a 30 seconds timer, wasn't it?

Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net
[c-nsp] RES: UDLD misbehaviour
I was supposing the switch would try to recover, but once it detects unidirectional link again, it wouldn't bring up the interface. Isn't that correct? The neighbouring switch didn't bring up the interface and kept the interface in errdisable state. Perhaps I should change the automatic recovery settings, but it really seems that something is wrong here. Cheers.
[c-nsp] RES: UDLD misbehaviour
No, it didn't seem to be an intermittent issue. One of the sides didn't show any line/protocol up message. The other side remained up until I shut down the interface. Yes, it's enabled 30 sec timer for recovery.

Cheers.

-----Original Message-----
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: Thursday, July 14, 2011 09:48
To: Leonardo Gama Souza; 'Andrew Koch'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] UDLD misbehaviour

Were you able to find if it was a permanent failure or intermittent failure? If it was intermittent, you will have up and down interfaces with errdisable always trying to put the interface up and then udld putting it down again. For this reason, the automatic recovery should be disabled. And it seems in your case, you had it enabled with a 30 seconds timer, wasn't it?

Regards,
Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net
[c-nsp] UDLD misbehaviour
Hello my friends,

I had some problems on an optical fibre between two 6509 switches and UDLD kicked in to avoid STP loops, but when the switch tried to recover from the error-disable state, the link went up, even with optical fibre problems. This misbehaviour caused a major outage in the network. I couldn't find any known bug for the current IOS version 12.2(33)SXI3. I worked around the issue keeping the interface in a shutdown state until I resolved the cabling issue. Can someone shed some light on the solution?

09:20:24.737: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/4/10, changed state to down
09:20:24.757: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to down
09:20:24.994: %PM-SW2_SPSTBY-4-ERR_DISABLE: udld error detected on Te2/4/10, putting Te2/4/10 in err-disable state
09:20:24.710: %UDLD-SW1_SP-4-UDLD_PORT_DISABLED: UDLD disabled interface Te2/4/10, aggressive mode failure detected
09:20:24.710: %PM-SW1_SP-4-ERR_DISABLE: udld error detected on Te2/4/10, putting Te2/4/10 in err-disable state
09:20:25.203: %LINEPROTO-SW1_SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/4/10, changed state to down
09:20:25.203: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to down
09:20:55.004: %PM-SW1_SP-4-ERR_RECOVER: Attempting to recover from udld err-disable state on Te2/4/10
09:20:55.119: %PM-SW2_SPSTBY-4-ERR_RECOVER: Attempting to recover from udld err-disable state on Te2/4/10
09:20:56.362: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to up
09:20:56.333: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to up

I will really appreciate any input.

Cheers.
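Detection logic for the sequence in the log above, as an added example that is not part of the original post: it flags a port that UDLD err-disabled, that errdisable auto-recovery then re-enabled, and whose link came back up. The function names and the 5-second window are assumptions; the log lines are copied from the post.

```python
import re

# Log lines copied from the post (time-of-day stamps only, two supervisors logging).
POST_LOG = """\
09:20:24.737: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/4/10, changed state to down
09:20:24.757: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to down
09:20:24.994: %PM-SW2_SPSTBY-4-ERR_DISABLE: udld error detected on Te2/4/10, putting Te2/4/10 in err-disable state
09:20:24.710: %UDLD-SW1_SP-4-UDLD_PORT_DISABLED: UDLD disabled interface Te2/4/10, aggressive mode failure detected
09:20:24.710: %PM-SW1_SP-4-ERR_DISABLE: udld error detected on Te2/4/10, putting Te2/4/10 in err-disable state
09:20:25.203: %LINEPROTO-SW1_SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/4/10, changed state to down
09:20:25.203: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to down
09:20:55.004: %PM-SW1_SP-4-ERR_RECOVER: Attempting to recover from udld err-disable state on Te2/4/10
09:20:55.119: %PM-SW2_SPSTBY-4-ERR_RECOVER: Attempting to recover from udld err-disable state on Te2/4/10
09:20:56.362: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to up
09:20:56.333: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet2/4/10, changed state to up
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}): %(\S+?): (.*)$")
DISABLE_RE = re.compile(r"udld error detected on (\S+?),")
RECOVER_RE = re.compile(r"recover from udld err-disable state on (\S+)")
LINK_UP_RE = re.compile(r"Interface (\S+?), changed state to up")
SHORT_NAMES = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


def short_name(iface):
    """Normalise long interface names so PM and LINK messages key the same port."""
    for full, short in SHORT_NAMES:
        if iface.startswith(full):
            return short + iface[len(full):]
    return iface


def parse(text):
    """Return (ms since midnight, kind, interface) tuples sorted by time.

    Sorting matters: the supervisors' messages are interleaved out of order.
    Assumption: all lines are from the same day (no midnight wrap handling).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, ms, tag, msg = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        if tag.startswith("PM-") and tag.endswith("-ERR_DISABLE"):
            kind, hit = "disable", DISABLE_RE.search(msg)
        elif tag.startswith("PM-") and tag.endswith("-ERR_RECOVER"):
            kind, hit = "recover", RECOVER_RE.search(msg)
        elif tag.startswith("LINK-") and tag.endswith("-UPDOWN"):
            kind, hit = "up", LINK_UP_RE.search(msg)  # "down" lines do not match
        else:
            continue
        if hit:
            events.append((t, kind, short_name(hit.group(1))))
    return sorted(events)


def find_udld_auto_recoveries(text, max_up_delay_ms=5000):
    """Flag ports where UDLD err-disable -> auto-recover -> link up occurred."""
    state, findings = {}, []
    for t, kind, iface in parse(text):
        st = state.setdefault(iface, {})
        if kind == "disable":
            st.setdefault("disabled", t)       # keep the earliest report
        elif kind == "recover" and "disabled" in st:
            st.setdefault("recover", t)
        elif kind == "up" and "recover" in st:
            if t - st["recover"] <= max_up_delay_ms:
                findings.append({
                    "iface": iface,
                    "disabled_to_recover_ms": st["recover"] - st["disabled"],
                    "recover_to_up_ms": t - st["recover"],
                })
            state[iface] = {}                  # reset; duplicate "up" lines are ignored
    return findings


if __name__ == "__main__":
    for f in find_udld_auto_recoveries(POST_LOG):
        print(f)
```
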
[c-nsp] RES: IP SLA on redundant backhauls
I would recommend PfR. It's a more comprehensive solution. Here you can gather further information:
http://docwiki.cisco.com/wiki/PfR:Home

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Monday, June 13, 2011 04:23
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IP SLA on redundant backhauls

I've performed a google search for ip sla + eem, and I've found something that may help you
http://fatalerror.info/index.php?o=889l=3
This article explains how to create an ip sla and an eem script that reacts to the ip sla and changes the default route to another provider. That's not exactly what you need, but with a bit of tweaking you can change it to suit your needs.

HTH,
Ziv

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeferson Guardia
Sent: Sunday, June 12, 2011 10:56 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP SLA on redundant backhauls

Hi,

I have the following scenario

ISP --- link A -- CE link B -

I have a lot of voice traffic on this backhaul.. The problem is that when a circuit has problems in terms of (errors incrementing) but circuit doesn't go down at all, ospf is stable but voice is not reliable to be routed thru that circuit. I want to deploy an IP SLA application to evaluate jitter/loss every 10 seconds and in case there are CRC errors etc. I want to stop routing traffic out of that circuit for a while.. What would you recommend in terms of IP SLA and that redundant backhaul setup I have with OSPF?

Regards,
J
[c-nsp] RES: ebgp: route-map vs prefix list for outbound prefix filtering
IMHO it is ok. Leveraging only the route-map is the simplest way.
[c-nsp] RES: VPLS and VRF binding
Hi, That's correct. I will test the Routed Pseudowire. Thanks much.
[c-nsp] RES: Outbound Load balancing using eBGP
Hi,

There is an approach of matching on LSB from the prefixes' octets of the full routing table (even/odd) and increasing local-preference for one provider. For example:

access-list 1 permit 0.0.0.0 255.254.254.255
access-list 2 permit 0.0.1.0 255.254.254.255
access-list 3 permit 0.1.0.0 255.254.254.255
access-list 4 permit 0.1.1.0 255.254.254.255

route-map ISP1 permit 10
 match ip address 1 2
 set local-preference 120
route-map ISP1 permit 20
 match ip address 3 4
 set local-preference 110
route-map ISP1 permit 1000

route-map ISP2 permit 10
 match ip address 1 2
 set local-preference 110
route-map ISP2 permit 20
 match ip address 3 4
 set local-preference 120
route-map ISP2 permit 1000

Most likely you will achieve a good distribution of best paths and thus outbound traffic among the transit providers. Moreover you can play with the wildcard masks and the matching bits in order to improve the distribution.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of RAZ MUHAMMAD
Sent: Monday, December 20, 2010 19:30
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Outbound Load balancing using eBGP

Hi all,

I would like to find out how one can use BGP to load balance outbound traffic, while multi homed to 2 transit providers or ISPs and getting full routing tables, no default routes? The BGP peer at the client end is a non Cisco router, so would not be able to use the multipath feature. The load balancing is intended for all routes in the routing table, or at least to achieve some kind of load distribution. Is there any other way to achieve an optimal outbound load balancing method using eBGP?

Regards
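How the wildcard masks in the reply above partition prefixes, as an added example that is not part of the original thread: it evaluates the four standard ACLs and the two route-maps against constructed prefixes and reports which provider ends up with the higher local-preference. The function names, the sample prefixes and the default local-preference of 100 are assumptions.

```python
import ipaddress
from collections import Counter

# ACL number -> (address, wildcard mask), copied from the reply.
ACLS = {
    1: ("0.0.0.0", "255.254.254.255"),
    2: ("0.0.1.0", "255.254.254.255"),
    3: ("0.1.0.0", "255.254.254.255"),
    4: ("0.1.1.0", "255.254.254.255"),
}

# Route-map clauses from the reply: (ACLs matched, local-preference set).
# The trailing "permit 1000" clause sets nothing; DEFAULT_PREF models it.
ROUTE_MAPS = {
    "ISP1": [((1, 2), 120), ((3, 4), 110)],
    "ISP2": [((1, 2), 110), ((3, 4), 120)],
}
DEFAULT_PREF = 100  # assumption: default local-preference when no clause sets one

# Constructed sample prefixes (documentation, private and benchmark ranges).
SAMPLE_PREFIXES = [
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "10.0.0.0/8",
    "172.16.0.0/12", "100.64.0.0/10", "198.18.0.0/15", "198.19.0.0/16",
    "10.1.1.0/24", "10.3.0.0/16",
]


def acl_matches(acl, network):
    """Standard-ACL test: wildcard bits set to 1 are ignored, 0 bits must match."""
    addr, wildcard = (int(ipaddress.IPv4Address(x)) for x in ACLS[acl])
    care = ~wildcard & 0xFFFFFFFF  # here 0.1.1.0: LSB of the 2nd and 3rd octets
    return (int(ipaddress.IPv4Address(network)) & care) == (addr & care)


def bucket(prefix):
    """Return the number of the ACL that matches the prefix's network address."""
    net = str(ipaddress.ip_network(prefix).network_address)
    return next(acl for acl in ACLS if acl_matches(acl, net))


def local_pref(route_map, prefix):
    """Walk the route-map clauses in order; the first matching clause wins."""
    net = str(ipaddress.ip_network(prefix).network_address)
    for acls, pref in ROUTE_MAPS[route_map]:
        if any(acl_matches(a, net) for a in acls):
            return pref
    return DEFAULT_PREF


def preferred_exit(prefix):
    """Provider whose inbound route-map assigns the higher local-preference."""
    prefs = {isp: local_pref(isp, prefix) for isp in ROUTE_MAPS}
    return max(prefs, key=prefs.get)


def distribution(prefixes):
    return Counter(preferred_exit(p) for p in prefixes)


if __name__ == "__main__":
    for p in SAMPLE_PREFIXES:
        print(f"{p:18} ACL {bucket(p)} -> {preferred_exit(p)}")
    # With these route-maps only the 2nd-octet bit decides the exit (ACLs 1 and 2
    # share a clause, as do 3 and 4). Prefixes of /15 or shorter always have that
    # bit at 0 in the network address, so they always prefer ISP1.
    print(distribution(SAMPLE_PREFIXES))
```
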
[c-nsp] RES: RES: Outbound Load balancing using eBGP
If you start going there, you will end being *stuck* there - having to fiddle with local-pref again and again, because inevitably, you will have cases where you prefer a 10-AS-hop-paths over a 2-AS-hop-paths, and that way, enforce poor connectivity for your users. (As a well-known net person tends to say "I encourage my competitors to do this". Amen.)

The only problem is that increase in deaggregation and AS path prepend changes this logic a bit and you should have upstream providers with different connectivity matrix. For a big ISP it is the best approach though.
[c-nsp] RES: Multicast on L3 switch
It's already there...

ip multicast-routing distributed

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, December 17, 2010 12:31
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Multicast on L3 switch

On 17/12/10 14:19, Leonardo Gama Souza wrote:
> Hi list,
> Once I put the receiver on the same source's VLAN, everything starts to work. Am I missing something?

Global:

ip multicast-routing

?
[c-nsp] RES: RES: Multicast on L3 switch
Hmm. Have you checked the TTL of the multicast traffic isn't ==1? Elementary... Thanks much Phil!
[c-nsp] RES: MPLS-EXP Marking on 6k PE
Hi.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of cisco...@secureobscure.com
Sent: Tuesday, December 7, 2010 14:49
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS-EXP Marking on 6k PE

> Good morning list,
> I have a 6500 (720-3c, 6716) functioning as a PE, and have a QOS question regarding its label imposition process.
>
> 1) Will a packet entering via a SVI in a VRF (MPLS L3 VPN) have its IP PREC bits automagically copied into the MPLS-EXP bits, or do I need to apply an ingress policy map on every PE-CE interface SVI translating IP-PREC/DSCP to MPLS-EXP?

It's automatically copied. Nothing to worry about.

> 2) Do I need to configure mls qos trust dscp on the PE-CE ingress SVI in a VRF? Or just the switchport? Or Both?

Just the switchport.

> 3) Do I need to configure mls qos trust something on the PE-P interfaces so that MPLS-EXP is respected and not stripped off?

Only if it's used L2 switchport.

> I don't currently use any L2 or L3 QOS on the 6500, and just want the IP PREC bits marked and passed upstream to the P routers for prioritization in the core.
> Thanks!
[c-nsp] RES: Is the 6704 really as terrible as everyone says?
I already had problems using it to aggregate GTP/3G traffic. The solution was to swap it with 6708 blade. The 6704 blade was reaching 30% of its bw capacity and was dropping a lot of packets.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Thursday, December 2, 2010 13:41
To: cisco-nsp
Subject: [c-nsp] Is the 6704 really as terrible as everyone says?

I've read several posts on here that lead me to believe that the WS-6704-10G is essentially the worst linecard ever produced. The problem is, I only need 2 ports of 10G and just to replace 2x1Gbps uplinks that almost never get anywhere near their line rate capacity.

If they are really, really, awful, I will probably just end up getting a 6708 for this particular switch, but I would rather not considering the huge price difference. Currently I am using the 1G ports off of the Sup720 as the uplink, and I hear those have awful buffers as well. So when upgrading from the ports on the Sup720 to a 6704, is that still a bad move?

thanks,
-Drew
[c-nsp] RES: traffic policing on 7600
The only solution I can think on the top of my head is deploying SCE8000 along with Policy Server, thus you can have global visibility of the transit traffic. Of course this is not cheap.
[c-nsp] RES: C3750G-24TS-E: Routing issue between procted switchports
AFAIK this is not possible. If the test servers are on the same subnet only L2 switching is possible, not L3 routing. And upon the configuration of the protected switchport the traffic will be disrupted.
[c-nsp] RES: Odd error after Interface flap [GSR/Engine 5]
I have seen the same messages recently on several slots after TE tunnels flap, but they caused a lot of issues (FIA errors, CEF disable and so on).

%EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 3
%EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
%EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
ToFAB BMA information
Number of FreeQs carved 3
Pool 1: Carve Size 94155: Current Size 0
Pool 2: Carve Size 57539: Current Size 0
Pool 3: Carve Size 109848: Current Size 0
IPC FreeQ: Carve Size 600: Current Size 599
Number of LOQs enabled 2048
LOQ/OQ 1408: Current Size 261540
Q 0x580: Head 135076, tail 124292, length 261540
%EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
%EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
%EE48-3-QM_SANITY_WARNING: Few free buffers(0) are available in ToFab FreeQ pool# 1
Dumping the head 135076 34908 0x3299EE80 364
Dumping the tail 124292 149241 0x327F9A80 52
%EE48-3-QM_SANITY_WARNING: ToFab FreeQ buffers depleted. Recarving the ToFab buffers
%EE192-3-BM_QUIESCE: Rx FIM/LIM failed to go idle. Value: 0x5000
-Traceback= 400312FC 4063DD24 4063DE50 40648B48 40648BAC 40636B08 40B13274 403CAC4C 40107ED4 400AF4A0 400DB2F4 400DB2E0

The version is 12.0(33)S6 and the modules are Engine 5... It seems a bug. What would cause this?

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Oliver Boehmer (oboehmer)
Sent: Tuesday, August 3, 2010 02:51
To: Drew Weaver; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Odd error after Interface flap [GSR/Engine 5]

Hi,

> One of our upstream providers had an interface flap for about 10 seconds. After the Interface came back up and before the BGP session came up this message was logged:
> SLOT 5:Aug 2 14:43:36 EDT: %EE48-3-QM_SANITY_WARNING: Few free buffers(10) are available in ToFab FreeQ pool# 1
> ...
> Has anyone seen this error before/know what it could indicate? Everything seems to be back to normal now, just making sure that isn't cause for high alarm.

this is a relatively new msg for E5 (via CSCsr99615, was around for E3 a bit longer), which reports low buffer conditions in LC buffer pools. As long as it doesn't pop up more often, it only reports a transient condition and can be ignored. The check can be adapted/disabled via [no] hw-module slot n qm-sanity ... command..

oli
[c-nsp] RES: SXI3 strange issue, Loose mode uRPF jumps to strict by itself
Hi,

This is a well known limitation of the 6500/7600 platform. You cannot use strict and loose mode at the same time. Upon a URPF mode change on a given interface, all interfaces change as well.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bas
Sent: Thursday, July 29, 2010 16:22
To: Cisco
Subject: [c-nsp] SXI3 strange issue,Loose mode uRPF jumps to strict by itself

Hi All,

Yesterday we had a strange issue. Our monitoring tool alerted that one of our boxes (SUP720-3BXL - 6506 running SXI3) became unreachable. When we logged in everything looked ok. BGP was up, OSPF was up and nothing special in logging. Still traffic had dropped to near zero.

With debug ip cef drop we immediately saw that traffic was dropped due to uRPF feature. All upstream interfaces had strict mode uRPF configured, before the problems started it was loose mode uRPF. After manually changing them back to loose mode traffic was restored.

A couple of minutes before the problems started an engineer had configured a customer facing interface with strict mode uRPF. Apparently this configuration change triggered a bug that caused upstream interface loose mode to be automagically turned to strict mode.

So, hereby a heads up. If your SXI3 boxes show strange behavior, quickly check uRPF.

Cya,
Bas
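A pre-change check for the behaviour described in this thread, as an added example that is not part of the original messages: it parses an IOS-style configuration and lists the interfaces whose configured uRPF mode differs from the mode about to be applied, which per the reply would change along with it. The sample configuration is constructed and the function names are assumptions.

```python
import re

# Constructed running-config excerpt: two upstream ports in loose mode,
# one customer port without uRPF that is about to get strict mode.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/1
 description upstream-A (constructed)
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via any
!
interface TenGigabitEthernet1/2
 description upstream-B (constructed)
 ip address 192.0.2.5 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
interface GigabitEthernet3/1
 description customer-1 (constructed)
 ip address 198.51.100.1 255.255.255.252
!
"""

IFACE_RE = re.compile(r"^interface (\S+)")
# "reachable-via rx" and the older "reverse-path" form are strict; "any" is loose.
URPF_RE = re.compile(
    r"^\s+ip verify unicast (?:source reachable-via (rx|any)|(reverse-path))\b"
)


def urpf_modes(config):
    """Map interface name -> 'strict' or 'loose' for interfaces with uRPF set."""
    modes, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # "!" or another top-level command ends the block
            continue
        m = URPF_RE.match(line)
        if m and current:
            modes[current] = "loose" if m.group(1) == "any" else "strict"
    return modes


def interfaces_affected(config, iface, new_mode):
    """Interfaces (other than iface) configured with a mode different from new_mode.

    On a platform that keeps one uRPF mode for all interfaces, these are the
    ports to review before the change is applied.
    """
    if new_mode not in ("strict", "loose"):
        raise ValueError("new_mode must be 'strict' or 'loose'")
    return sorted(
        name for name, mode in urpf_modes(config).items()
        if name != iface and mode != new_mode
    )


if __name__ == "__main__":
    print(urpf_modes(SAMPLE_CONFIG))
    print(interfaces_affected(SAMPLE_CONFIG, "GigabitEthernet3/1", "strict"))
```
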
[c-nsp] RES: 6509 input queue drops
Check if the 32 Gbps bus is overwhelmed:

#show cat all

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane
Sent: Wednesday, July 21, 2010 12:59
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6509 input queue drops

All,

I have a 48 port 10/100/1000mb EtherModule WS-X6148-GE-TX on a 6509 running s72033-advipservicesk9_wan-mz.122-33.SXH7.bin

Interface built as layer3 with a p2p site to site experiencing tons of Input queue drops but no other errors on port.

cr.nyc1.ny#sh int g3/2
GigabitEthernet3/2 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is
  Description: x
  Internet address is
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 4/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseT
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:05, output hang never
  Last clearing of show interface counters 00:07:15
*  Input queue: 0/75/45605/0 (size/max/drops/flushes); Total output drops: 0 *
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5511000 bits/sec, 3615 packets/sec
  5 minute output rate 1924 bits/sec, 5080 packets/sec
  L2 Switched: ucast: 68 pkt, 4484 bytes - mcast: 79854 pkt, 5112676 bytes
  L3 in Switched: ucast: 1116996 pkt, 233979838 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 2138144 pkt, 982224161 bytes mcast: 0 pkt, 0 bytes
     1496205 packets input, 261671862 bytes, 0 no buffer
     Received 358394 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 2606 throttles
*     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored*
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     2158283 packets output, 988796454 bytes, 0 underruns
*0 output errors, 0 collisions, 0 interface resets*
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Anybody experience such an odd error?

--
//CL
[c-nsp] RES: 3750E ACL performance
Great.

I was researching about commands to monitor the TCAM and ACL statistics, but I could not figure out how is the association between port asics and interfaces. There is the command 'show platform pm if-numbers', but in the column port, is the first number the port asic number and second one the port asic interface?
[c-nsp] RES: Brief CPU spikes on 6500 Sup 720
Shouldn't all routed traffic be handled by the active HSRP node?

Yes, but the problem is the return path...
[c-nsp] RES: Load Configuration From Flash
It is supposed to work... Did you issue the following command?

boot config disk0:startup-config nvbypass

Which version are you using?

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, June 1, 2010 09:12
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Load Configuration From Flash

Hi all,

I have a Cisco 2621XM. The NVRAM is corrupted and I want to load the configuration file from flash. I looked for the command boot config but I cannot find the appropriate image for the router to do this.

Thanks
[c-nsp] RES: IPv4 Multicast
Have you looked for well known restrictions for L2TPv3/PIM/IGMP Snooping working altogether in your current IOS version?
[c-nsp] RES: RES: Load Configuration From Flash
So try to set in the ROM Monitor:

CONFIG_FILE=flash:startup-config
sync
reset

From: Mohammad Khalil [mailto:eng_m...@hotmail.com]
Sent: Tuesday, June 1, 2010 10:45
To: Leonardo Gama Souza; cisco-nsp@puck.nether.net
Subject: RE: RES: [c-nsp] Load Configuration From Flash

The current IOS is c2600-advipservicesk9-mz.124-18e.bin. I tried more than one IOS image and I am not able to find the right image, because when I issue the command boot, see the output below:

Router(config)#boot ?
  bootstrap  Bootstrap image file
  host       Router-specific config file
  network    Network-wide config file
  system     System image file

Thanks
[c-nsp] RES: IPv4 Multicast
In the configuration guide for the IOS version.

-----Original Message-----
From: Rens [mailto:r...@autempspourmoi.be]
Sent: Tuesday, June 1, 2010 10:13
To: Leonardo Gama Souza
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] IPv4 Multicast

I only have looked at the bug toolkit, where can I find those restrictions?
[c-nsp] RES: Recommended steps to avoid 100% CPU while executing debug ip nat
Also when possible, filter the debug by using 'debug condition '.

[]´s
[c-nsp] RES: FABRIC-3-ERR_HANDLE
Hi,

What is the output from 'show controllers errors fabric'? First of all I would try to reseat the LC6 and see if the CRC errors stop.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, November 16, 2009 10:15
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] FABRIC-3-ERR_HANDLE

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G. What could be the problem? The show controllers fia does not show any problem. The execute-on slot 6 show controllers fia shows this:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
             0      1      2      3      4
los          0      0      0      0      0
state        Off    Off    Off    Off    Off
crc16        53989  0      0      0      0
xor error    0      0      0      0
cell drops   1020   1020   1020   1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
[c-nsp] RES: SCE 8000 troubles
Which were the subscribers and unidirectional flows usage at the moment of the problem? I've never seen such errors.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mikhail Schedrin
Sent: Monday, November 16, 2009 08:18
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SCE 8000 troubles

Hi all.

My SCE8000 logs a lot of error messages:

2009-11-01 00:56:15 | WARN | CPU #000 | System had started hardware congestion bypassed
2009-11-01 01:22:17 | WARN | CPU #000 | System had stopped hardware congestion bypassed
2009-11-01 01:22:23 | WARN | CPU #000 | System had started hardware congestion bypassed
2009-10-01 08:26:37 | WARN | CPU #000 | The SE status changed to Warning
2009-10-01 12:26:37 | WARN | CPU #000 | SE Control Module: A problem occurred. Please report to Cisco's customer support
2009-09-29 03:06:25 | ERROR | CPU #000 | Application configuration file executed with 1363 errors.
2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support
2009-10-05 00:18:42 | ERROR | CPU #000 | SE Watchdog Module: An Error occurred. Please report to Cisco's customer support

After these messages SCE can stop shaping, reboot, stop syncing subscribers etc. I could not find any explanation in documentation about such errors. Did anyone meet such problems?

--
Best regards,
Mikhail Schedrin
Head of the TP2 department
SkyNet Telecom
http://sknt.ru
Saint Petersburg
tel. +7 812 600-75-35 ext. 554
mob. +7 911 934-79-83
[c-nsp] RES: FABRIC-3-ERR_HANDLE
Hi,

Sounds weird. You're right. It seems a problem with csc0. I guess it's only 4 because there's only one CSC active at any time.

-----Original Message-----
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: Monday, November 16, 2009 10:49
To: Leonardo Gama Souza; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] FABRIC-3-ERR_HANDLE

No problems with that output:

12k2show control errors fabric
         SCA192   SCA192   SCA192   SCA192   XBAR192  XBAR192  CSCFPGA  CSCFPGA  CLKFPGA
         LC_ENA   BP_FRC   LC_TYP   DE_GNT   DAT_LOS  SEL_IDL  LP_BAK   LC_PRE   CLKSTS
SLOT0    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT1    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT2    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT3    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT4    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT5    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT6    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT7    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT8    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT9    OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT10   OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT11   OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT12   OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT13   OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT14   OK       OK       OK       OK       OK       OK       OK       OK       OK
SLOT15   OK       OK       OK       OK       OK       OK       OK       OK       OK
Fabric error handling : enabled
12k2

But I get the same type of pattern when doing the execute-on slot x show controllers fia for other SIP601 slots. And the pattern is:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
             0      1      2      3      4
los          0      0      0      0      0
state        Off    Off    Off    Off    Off
crc16        X      0      0      0      0
xor error    0      0      0      0
cell drops

and have non-zero values. Here the column '0' must be csc0. So the problem must be with csc0. I don't understand why in the line 'cell drops' I only have 4 values. I was expecting 5 as with the other lines.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

-----Original Message-----
From: Leonardo Gama Souza [mailto:leonardo.so...@nec.com.br]
Sent: Monday, November 16, 2009 12:41
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: RES: [c-nsp] FABRIC-3-ERR_HANDLE

Hi,

What is the output from 'show controllers errors fabric'? First of all I would try to reseat the LC6 and see if the CRC errors stop.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Monday, November 16, 2009 10:15
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] FABRIC-3-ERR_HANDLE

Hello group,

I have a 12k reporting this:

%FABRIC-3-ERR_HANDLE: Reconfigure LC on fabric due to CRC error from slot 6

In one week, I have 4 of these messages. Slot 6 is a SIP-601 containing 2 x SPA-10G. What could be the problem? The show controllers fia does not show any problem. The execute-on slot 6 show controllers fia shows this:

Switch cards present: 0x1F
Switch cards monitored: 0x1F
             0      1      2      3      4
los          0      0      0      0      0
state        Off    Off    Off    Off    Off
crc16        53989  0      0      0      0
xor error    0      0      0      0
cell drops   1020   1020   1020   1020

IOS=c12kprp-p-mz.120-32.SY6.bin

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt
[c-nsp] IPv4 fragmented packets on SUP720-3BXL
Hi list,

I would like to know whether SUP720-3BXL supports IPv4 fragmented packets in hardware or not. If it can be supported in hardware, in which cases would the PFC3 punt the IPv4 fragmented packets to MSFC? Unfortunately I could not find/receive a good reference about it so far.

Thanks.
[c-nsp] IPv4 fragmented packets on SUP720-3BXL
Hi,

There is nothing special about *forwarding* fragmented packets - unless you have an ACL or anything else that wants to look at Layer 4 info.

That would be Netflow or some QoS policy attached to the interface, for instance? I guess the router should reassemble the fragmented packets before applying any policing on the traffic arriving on the interface... Am I right?
[c-nsp] RES: Default behaviour of MPLS enabled interfaces on 6500 SXI
Maybe:

mpls static crossconnect in_label out_interface out_label

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Bedard
Sent: Tuesday, November 10, 2009 18:10
To: Rubens Kuhl
Cc: Cisco-nsp
Subject: Re: [c-nsp] Default behaviour of MPLS enabled interfaces on 6500 SXI

By default it will drop the traffic. If you know the incoming label you can create a static binding, but you can't create a static binding for the default route... Not sure of any other mechanisms. In JunOS you can create an MPLS default route which takes unknown labeled packets and lets you manipulate them as you see fit. But this isn't JunOS. :)

Phil

On Nov 10, 2009, at 12:13 PM, Rubens Kuhl wrote:

Hi,

Just curious: what happens on a label-enabled interface when a packet comes with a label that hasn't been negotiated thru LDP? Is it a default permit, a default deny, anything that can be changed or tuned?

Rubens
[c-nsp] RES: IOS question for c12406
Hi,

Both are similar in performance and suitable for your hardware, but watch out for some bugs that were not fixed in 33S5 yet: CSCsz12423, CSCsx94290 and CSCsz19255. I'd go with SY.

You can check additional information at:
http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html
http://www.cisco.com/en/US/docs/ios/12_0/12_0sy/release/notes/120SYrn.html

Unfortunately they are not updated as well...

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Leif Sawyer
Sent: Thursday, October 15, 2009 21:10
To: Eninja
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] IOS question for c12406

I'm stating that Feature Set Navigator is unstable for purposes of my research (based on the (d)CEF issue, and lack of updates) and asking for feedback about which train (SY or S) to use on my 12406, given the listed linecards.

-----Original Message-----
From: Eninja [mailto:eni...@gmail.com]
Sent: Thursday, October 15, 2009 4:07 PM
To: Leif Sawyer
Cc: cisco-nsp@puck.nether.net; e ninja
Subject: Re: [c-nsp] IOS question for c12406

Leif,

Not sure what you're asking but GSR 12K is a distributed platform where each LC switches packets independently of the RP and whatever IOS is running on the box.

Eninja

On Oct 15, 2009, at 10:37 PM, Leif Sawyer lsaw...@gci.com wrote:

In the process of upgrading from a c12008 to a c12406, with the following linecards:

SIP-601 + SPA-10X1GE-V2
2 x PRP-2
LC-4OC3/POS-SM
4GE-SFP-LC

Looks like I've got a choice between these two:

c12kprp-k4p-mz.120-32.SY10.bin
c12kprp-k4p-mz.120-33.S5.bin

Feature-set comparison doesn't list these, but based on the most recent version in it, the only difference that I would be concerned with is CEF/dCEF - Cisco Express Forwarding. However, in booting the SY train, it appears that dCEF truly is enabled.

Anybody have any experience with these, recommendations, comments or caveats?

Thanks,
Leif
[c-nsp] RES: Migrate 6500 to 7600
4) Gotcha#3 (or stupidity on our part) - as, I think Gert mentioned, bring up first 1 IGP adjacency, then get your full BGP feed, then bring all other IGP adjacencies. That will save you from creating huge loops in the network. Mea culpa.

If you are running IS-IS, it is generally a good idea to configure 'set-overload-bit on-startup wait-for-bgp' under router isis.

[]´s
[c-nsp] RES: Large networks
In this case I think you could configure Private VLANs, isolating each customer in the same l3 network segment.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Wednesday, August 26, 2009 07:02
To: Steve Bertrand
Cc: Shaun R.; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Large networks

Hi,

On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:

This company was constantly having problems with what I called broadcast attacks. The network graphs would show traffic on all interfaces spike and normally the 100mbit uplink between the switches would saturate and the network would die. From that experience I took my time to design and deploy my network to be as correct as possible.

Out of curiosity, did your experience find that the issues were related to actual broadcast problems?

Generally, putting each customer into a dedicated layer 3 network segment is a good idea - because half of the attacks that a hacked server belonging to customer 1 might do to a server from customer 2 (ARP spoofing, IP address spoofing [- blame goes to customer 2], HSRP attacks to the shared router, etc.) suddenly are no longer relevant at all.

... and *if* you need to ACL one customer, or just shut down their network segment (because they are busy attacking someone else), you can be sure that it doesn't affect other customers ;-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[c-nsp] RES: IPV6 in general was Re: Large networks
Why can we forget about HSRP with IPv6?

With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget HSRP, and most importantly you no longer need NATs that understand every protocol that runs through it and so remove a possible single point of failure.
[c-nsp] RES: RES: Large networks
You are right. To be protected against IP spoofing you would need a VACL configured as well.

Private VLANs won't help you with ip-spoofing in the same subnet and hsrp-attacks and not against arp attacks (but these can be prevented using static arp-entries on the l3-device).

Matthias
[c-nsp] RES: Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
Bug toolkit is not only available to Smartnet customers. Shared Support customers also have access.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of e ninja
Sent: Monday, August 17, 2009 03:22
To: ws...@cisco.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Feedback on Bug Toolkit (BTK),IOS Software Download Planner, etc...

Wilson,

*Feedback:* - Make the Bug toolkit and Bug fixes freely available to all customers that have purchased Cisco software and not just SMARTnet customers.

-Eninja

On Thu, Aug 13, 2009 at 7:01 AM, Rodney Dunn rod...@cisco.com wrote:

I got involved through a few channels and encouraged the teams responsible for some of the Cisco.com Support tools to leverage this forum directly for feedback. They were very interested in the idea.

Can those of you that care enough to give direct feedback based on the past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a few minutes and compose an email directly to:

Wilson Shiu (wshiu) ws...@cisco.com

He is the point of contact for feedback. They are eager to listen so now is a good time to get involved. I encourage you guys to take advantage of this.

Thanks
Rodney
[c-nsp] RES: vrf-lite vs. MPLS vrf
Hi,

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Randy Densen
Sent: Thursday, July 23, 2009 17:58
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] vrf-lite vs. MPLS vrf

This is my first post. I have 2 questions:

1) Does the cisco-nsp Archives have a search function to look for posts that may have already been addressed and/or answered?

You can use Google search:

site:puck.nether.net c-nsp blablabla
[c-nsp] RES: per-LSP packet loss / FIB corruption?
Hi,

Best way to debug when you've eliminated config errors and physical link issues is to use ELAM to capture DBUS/RBUS headers, which will tell you, what the platform is going to do to the frame.

Interesting; ELAM is not something I've ever used before. I see there's a doc on Cluepon - I'll have to take a look.

Some time ago Rodney shared the procedure to do that:
http://puck.nether.net/pipermail/cisco-nsp/2008-September/054801.html

[]s
[c-nsp] RES: Fun with interface counters.
Are both interfaces configured with 'load-interval 30'? Furthermore that could be due to lack of 64-bit interface counter support on the router.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Tuesday, June 30, 2009 18:59
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] Fun with interface counters.

I assume this is either a bug, or something else equally enjoyable.

Today, I noticed that one of our switches was acting up, so I logged into it and did the usual show interfaces, sh proc cpu sort, etc etc. I noticed that the switch's uplink interface indicated that it was doing 700Mbps to the router it is connected to, the router indicated that it was only getting 200Mbps from the switch.

So either there is a counter bug, or the switch was sending traffic that was being dropped by the router or dropped later by the switch (after it was counted?), or something else equally amusing?

Does anyone have any thoughts on this/seen this before?

Thanks!
[c-nsp] RES: Interface descriptions - what do you put in?
I would avoid using special characters like \ and #. You may face some issues with ISC and other software.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ziv Leyes
Sent: Sunday, May 24, 2009 04:48
To: Cisco Nsp
Subject: Re: [c-nsp] Interface descriptions - what do you put in?

I think all the others already gave a lot of examples, I can only add one little suggestion. Omit the connected to prefix for a description and save yourself some characters for more important info. What else can an interface be other than connected to something else? Isn't it obvious?

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pete Templin
Sent: Thursday, May 21, 2009 6:07 PM
To: Cisco Nsp
Subject: [c-nsp] Interface descriptions - what do you put in?

List,

What do you put into your interface descriptions? Do you document circuit ID, far-end equipment/port, near-end equipment/port, and/or anything else?

Pete
[c-nsp] RES: OSPF fast convergence
You also may want to configure 'carrier-delay msec 0' on the interface. But you will need to configure dampening on it as well. Tweaking 'timers pacing flood' under OSPF process is an option, but use it with caution. If you are using LDP, I would recommend using LDP-IGP synchronization. Do not forget to configure 'ip ospf network point-to-point' for point-to-point gig interfaces.

Leonardo.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, May 12, 2009 14:40
To: Walter Keen
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF fast convergence

Walter Keen wrote:

When redesigning an OSPF service provider network, (default values, with many gig-e links). Aside from fixing link cost issues (100mbit is treated the same as gig-e at the moment) should I look at sub-second timers in OSPF 'ip ospf dead-timers minimal .' Or BFD. It looks like either would require an IOS upgrade, but I have seen lots of discussion about bugs in BFD. This is only for core interfaces (all cisco 7600 series). We'll be adding MPLS and iBGP on top of this after it's completed.

Common advice seems to be to make actual link-loss detection fast, in preference to using BFD. That said, I know some people use BFD.

Assuming you're using LAN cards, you may want to see if you can make router links as routed rather than SVI interfaces. Though routed interfaces are implemented internally as VLANs, presentations I saw from Cisco claim that this:

int G7/1
 ip address ...

...will detect link-loss (much) faster than this:

int Gi7/1
 switchport mode access
 switchport access vlan 300
int Vlan300
 ip address ...

Also, the OSPF process/SPF timers (as opposed to hello timers) are relevant for fast convergence (rather than link-loss). I did some research recently and concluded that, with a mostly-empty OSPF table i.e. bulk of routes in BGP, the following settings were both safe, and considerably better than the defaults:

router ospf 1
 ispf
 nsf
 timers throttle spf 10 100 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80

...again based on reading presentations from Cisco and others advice.

HTH
[c-nsp] RES: CSS 11501 Question
Are you in debug mode? If not, execute:

#llama

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Kelsay, Mark
Sent: Wednesday, April 29, 2009 12:43
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CSS 11501 Question

I need to erase an old config and tried the erase config command but it did not work. Any idea what the command is? I am consoled into the console port.

TIA,
Mark
[c-nsp] RES: Problems bringing up BGP session
Hi... Try again. It is a hidden command.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On behalf of james edwards
Sent: Wednesday, April 1, 2009 13:44
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Problems bringing up BGP session

I moved the BGP session to a new router for my Quagga route server. It was working before the move but now it comes up, the RS gets all the routes and in ~5 mins. the session goes down. This looks like bug CSCsv33977. I can't apply the workaround as I do not have the command dont-capability-negotiate:

Enter configuration commands, one per line. End with CNTL/Z.
edge-router1(config)#router bgp 22523
edge-router1(config-router)#neighbor 198.59.128.243 ?
  activate                Enable the Address Family for this Neighbor
  advertise-map           specify route-map for conditional advertisement
  advertisement-interval  Minimum interval between sending BGP routing updates
  allowas-in              Accept as-path with my AS present in it
  capability              Advertise capability to the peer
  default-originate       Originate default route to this neighbor
  description             Neighbor specific description
  disable-connected-check one-hop away EBGP peer using loopback address
  distribute-list         Filter updates to/from this neighbor
  dmzlink-bw              Propagate the DMZ link bandwidth
  ebgp-multihop           Allow EBGP neighbors not on directly connected networks
  fall-over               session fall on peer route lost
  filter-list             Establish BGP filters
  ha-mode                 high availability mode
  inherit                 Inherit a template
  local-as                Specify a local-as number
  maximum-prefix          Maximum number of prefixes accepted from this peer
  next-hop-self           Disable the next hop calculation for this neighbor
  next-hop-unchanged      Propagate next hop unchanged for iBGP paths to this neighbor
  password                Set a password
  peer-group              Member of the peer-group
  prefix-list             Filter updates to/from this neighbor
  remote-as               Specify a BGP neighbor
  remove-private-as       Remove private AS number from outbound updates
  route-map               Apply route map to neighbor
  route-reflector-client  Configure a neighbor as Route Reflector client
  send-community          Send Community attribute to this neighbor
  send-label              Send NLRI + MPLS Label to this peer
  shutdown                Administratively shut down this neighbor
  soft-reconfiguration    Per neighbor soft reconfiguration
  soo                     Site-of-Origin extended community
  timers                  BGP per neighbor timers
  translate-update        Translate Update to MBGP format
  transport               Transport options
  ttl-security            BGP ttl security check
  unsuppress-map          Route-map to selectively unsuppress suppressed routes
  update-source           Source of routing updates
  version                 Set the BGP version to match a neighbor
  weight                  Set default weight for routes from this neighbor

Cisco Router is running c7200p-adventerprisek9-mz.122-33.SRC2.bin

Config looks like this:

 neighbor 198.59.128.243 remote-as 22523
 neighbor 198.59.128.243 description iBGP WITH HOMER
 neighbor 198.59.128.243 shutdown
 neighbor 198.59.128.243 update-source Loopback1
 neighbor 198.59.128.243 next-hop-self
 neighbor 198.59.128.243 prefix-list DENY-ALL-ROUTES in

Logs:

Apr 1 10:14:44.062 mdt: %BGP-5-ADJCHANGE: neighbor 198.59.128.243 Up
Apr 1 10:18:23.462 mdt: %SYS-5-CONFIG_I: Configured from console by james on vty0 (198.59.128.254)
Apr 1 10:21:44.765 mdt: %BGP-5-ADJCHANGE: neighbor 198.59.128.243 Down BGP Notification sent
Apr 1 10:21:44.765 mdt: %BGP-3-NOTIFICATION: sent to neighbor 198.59.128.243 4/0 (hold time expired) 0 bytes
Apr 1 10:21:49 mdt: BGP notification suppress timer expired, old send notification:
Apr 1 10:21:49 mdt: BGP April 01 16:20:49.913: BGP: 198.59.128.243 passive send NOTIFICATION 2/8 (no supported AFI/SAFI) afi 0 safi 0

Any clues ?

James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov
Re: [c-nsp] Export routes from VRF to the global routing table
Hi Gustavo,

Thanks for the feedback, but I would like to dynamically export the routes, not using static routing.

Regards.

From: Gustavo Rodrigues Ramos [mailto:gust...@nexthop.com.br]
Sent: Mon 3/2/2009 22:30
To: Leonardo Gama Souza
Cc: cisco-nsp
Subject: Re: [c-nsp] Export routes from VRF to the global routing table

Hello Leonardo,

I guess you'll use route leaking to accomplish what you want.

http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

Gustavo.

On Mon, Mar 2, 2009 at 10:08 PM, Leonardo Gama Souza leonardo.so...@nec.com.br wrote:

Hi list,

I am almost confident this is not possible, but would like to confirm whether exporting routes from some VRF to the global routing table is possible or not. This would be a solution to overcome the constraints of using PBR+GRE setup.

Thanks in advance.
[c-nsp] Export routes from VRF to the global routing table
Hi list,

I am almost confident this is not possible, but would like to confirm whether exporting routes from some VRF to the global routing table is possible or not. This would be a solution to overcome the constraints of using PBR+GRE setup.

Thanks in advance.
[c-nsp] RES: BGP MSS=576 bytes
Wasn't it supposed to be enabled by default for all BGP neighbors? I think that's the point...

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On behalf of Jared Mauch
Sent: Wednesday, February 11, 2009 13:49
To: Gergely Antal
Cc: Antonio M. Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP MSS=576 bytes

You want to enable 'ip tcp path-mtu-discovery' globally. This will allow it to scale outside the default 536, and if you are using jumbo mtu, may cause significantly reduced convergence times since it takes fewer packets to send those bgp updates.

- Jared

On Wed, Feb 11, 2009 at 04:46:17PM +0100, Gergely Antal wrote:

is ip mtu 1500 set on the interfaces?

Antonio M. Soares wrote:

Hello group,

I have a 6500 running 122-18.SXF7 with lots of BGP peers and all of the BGP sessions have negotiated a MSS of 536 bytes. Here's an example:

++
6500sh ip bgp neighbors x.x.x.x
...
Datagrams (max data segment is 536 bytes):
Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
Sent: 296303 (retransmit: 727), with data: 35046, total data bytes: 994215
6500
++

The documentation says that PMTUD is enabled by default so this should not be happening:

++
BGP Neighbor Session TCP PMTUD

TCP path MTU discovery is enabled by default for all BGP neighbor sessions, but there are situations when you may want to disable TCP path MTU discovery for one or all BGP neighbor sessions. While PMTUD works well for larger transmission links (for example, Packet over Sonet links), a badly configured TCP implementation or a firewall may slow or stop the TCP connections from forwarding any packets. In this type of situation, you may need to disable TCP path MTU discovery.

In Cisco IOS Release 12.2(33)SRA, 12.2(31)SB, 12.2(33)SXH, 12.4(20)T, Cisco IOS XE Release 2.1, and later releases, configuration options were introduced to permit TCP path MTU discovery to be disabled, or subsequently reenabled, either for a single BGP neighbor session or for all BGP sessions. To disable the TCP path MTU discovery globally for all BGP neighbors, use the no bgp transport path-mtu-discovery command under router configuration mode. To disable the TCP path MTU discovery for a single neighbor, use the no neighbor transport path-mtu-discovery command under router or address family configuration modes.
++

I have for example a direct eBGP peering over TenGiga interfaces where I see the same problem:

++
6500sh int tenGigabitEthernet x/x | inc MTU
MTU 1500 bytes, BW 1000 Kbit, DLY 10 usec,
6500
6500
6500sh ip int tenGigabitEthernet x/x | inc MTU
MTU is 1500 bytes
6500
++

Any explanation to this strange behavior ?

Thanks.

Regards,
Antonio Soares, CCIE #18473 (RS)
amsoa...@netcabo.pt

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
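The check discussed in this thread, as an added example that is not part of the original posts: a Python script that reads `show ip bgp neighbors` text, flags sessions stuck at the 536-byte default segment size, and shows how many TCP segments the same data needs at each size. The `BGP neighbor is ...` header layout, the neighbor addresses and AS numbers in the sample are constructed assumptions; the `max data segment` line and byte count are the ones quoted in the thread.

```python
import re

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
DEFAULT_MSS = 536     # the value every session in the thread negotiated

# Assumed header line of each neighbor block (not shown in the thread).
NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([^,\s]+),", re.MULTILINE)
# Line quoted in the thread.
MSS_RE = re.compile(r"max data segment is (\d+) bytes")

# Constructed sample: documentation addresses and private-use AS numbers.
SAMPLE = """\
BGP neighbor is 192.0.2.1,  remote AS 64500, external link
  BGP state = Established, up for 3w2d
Datagrams (max data segment is 536 bytes):
Rcvd: 439340 (out of order: 252), with data: 406672, total data bytes: 94316052
BGP neighbor is 198.51.100.7,  remote AS 64501, external link
  BGP state = Established, up for 1w0d
Datagrams (max data segment is 1460 bytes):
Rcvd: 1200 (out of order: 0), with data: 900, total data bytes: 250000
BGP neighbor is 203.0.113.9,  remote AS 64502, external link
  BGP state = Idle
"""


def sessions(text):
    """Return [(neighbor, mss or None)] for every neighbor block in the text."""
    starts = list(NEIGHBOR_RE.finditer(text))
    result = []
    for i, match in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        mss = MSS_RE.search(text[match.end():end])
        result.append((match.group(1), int(mss.group(1)) if mss else None))
    return result


def segments(total_bytes, mss):
    """Number of full-size TCP segments needed to carry total_bytes."""
    return -(-total_bytes // mss)  # ceiling division


def audit(text, path_mtu=1500):
    """Classify each session against the MSS that path_mtu would allow."""
    best = path_mtu - IP_TCP_HEADERS
    report = []
    for neighbor, mss in sessions(text):
        if mss is None:
            status = "no-tcp-session"      # no Datagrams line: session not up
        elif mss == DEFAULT_MSS:
            status = "default-mss"         # PMTUD not in effect for this peer
        elif mss < best:
            status = "reduced"             # discovered path MTU below the link MTU
        else:
            status = "ok"
        report.append({"neighbor": neighbor, "mss": mss,
                       "expected": best, "status": status})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    received = 94316052  # "total data bytes" received, from the thread
    for mss in (DEFAULT_MSS, 1460):
        print(f"{received} bytes at MSS {mss}: {segments(received, mss)} segments")
```
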
[c-nsp] RES: Does traffic routing through a PE get an MPLS label added/removed?
Hi,

You're right and your SE is wrong. What he's saying wouldn't be possible as both site 1 and site 4 are out of MPLS domain. You can see in the VRF routing table the code 'L' (local) and also the VRF CEF table doesn't have any imposed label.

Regards,
Leonardo.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of TiM
Sent: Tuesday, December 2, 2008 07:49
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Does traffic routing through a PE get an MPLS label added/removed?

Hi,

In a recent meeting with our Cisco SE, he told me something that doesn't seem right to me. I'm having trouble finding documentation to support either side though.

Given the following diagram (apologies to console people) - http://tinyurl.com/cisco-mpls

It's my understanding that traffic leaving Site 4 and heading to Site 1 will route locally through the VRF and not have any MPLS header(s) added/removed as it routes through PE1. (Please assume that all sites are in the _same_ VRF, I realise this Cisco diagram is trying to show two separate VRFs. That's my problem, I can find no real Cisco discussion of multiple interfaces terminating on the same PE in the same VRF.)

Our Cisco SE says that even routing locally on PE1 from Site 4 to Site 1, ingress traffic will have an MPLS header added, it will then be routed, then the MPLS label popped off again and it'll egress towards Site 4.

This seems wrong to me, I think it must just be a IPv4 forwarding decision. Only if traffic was egressing towards Site 3 or Site 2 would it have (2) MPLS headers attached.

Can anyone point me to Documentation that would answer this question? I'm sure that ingress traffic is assigned some internal you're in VRF x label, but our SE was clear in stating it would be an MPLS header added and removed, the same information as if it was egressing towards Site 2/3.

Thanks!
Tim
[c-nsp] VLAN internal usage
Hi there,

I am wondering why I can see some VLANs configured on L3 interfaces in the internal VLAN usage. Wasn't it supposed to show up only internal VLANs allocated from the range 1006-4094?

For example:

7609#show vlan inter usage

VLAN Usage
20   GigabitEthernet4/1.20
21   GigabitEthernet4/1.21   new subinterface accounted as internal vlan
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
1013 Control Plane Protection
1014 NDE
1015 Container0
1016 L3 multicast partial shortcuts for VPN 0
1017 Egress internal vlan
1018 Multicast VPN 0 QOS vlan
1019 IPv6 Multicast Egress multicast
1020 GigabitEthernet4/2
1021 GigabitEthernet4/1

PS: Only tested in SRB train.

Thanks in advance.
[c-nsp] RES: VLAN internal usage
Hi Peter,

Subinterfaces use internal VLANs and are not switched like other VLANs. If you were using the VLANs as regular switchport VLANs on a trunk, they wouldn't consume internal VLANs, but subinterfaces do.

So the command 'show platform hardware capacity vlan' should be tracking the free internal VLANs, but this is not happening:

7609#show platform hardware capacity vlan
VLAN Resources
  VLANs: 4094 total, 68 VTP, 0 extended, 16 internal, 4010 free

As subinterfaces use internal VLANs, I am actually using 18 internal VLANs here. It seems this command is only tracking the internal VLANs in the range 1006-4094 (automatically allocated by IOS).

Am I missing anything?

Regards,
Leonardo.
[c-nsp] RES: DMVPN IPSEC Issue
Hi !

Decrease the ISAKMP keepalive. For example:

crypto isakmp keepalive 10

Cheers,
Leonardo Gama

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Felix Nkansah
Sent: Wednesday, October 8, 2008 15:05
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] DMVPN IPSEC Issue

Hi All,

I have a lab setup of 3 routers in a hub-and-spoke topology. I have configured DMVPN with R1 being the hub. These routers all connect through a switch.

The problem I experience is that, if the hub router goes off (because I reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations remain active on the spokes. As such when the hub router comes back up, the spokes try to use the existing SAs to communicate with it, which results in 'Invalid SPI errors' on the Hub with no connectivity as such.

I resolve this problem manually by clearing crypto sessions on the spokes.

I would like to know if there is a way to let the spokes time-out their SA sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes unavailable for some seconds.

Waiting on your reply.

Thanks,
Felix
Re: [c-nsp] IS-IS Topology database
Is it also a good practice run mpls ldp sync? If you are aggressive with bfd timers, you may also want to run ip event dampening on the interfaces...

From: [EMAIL PROTECTED] on behalf of Oliver Boehmer (oboehmer)
Sent: Mon 29/9/2008 03:11
To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Cc: Chintan Shah
Subject: Re: [c-nsp] IS-IS Topology database

Mark Tinka mailto:[EMAIL PROTECTED] wrote on Monday, September 29, 2008 7:51 AM:

On Monday 29 September 2008 12:50:08 Oliver Boehmer (oboehmer) wrote:

I've never really figured out what the backup routes in ISIS are good for exactly (haven't digged deep into this either), and I don't bother as you can achieve fast convergence either way by tuning the SPF- and/or PRC-interval down. So either topology is able to converge equally fast.

In relation to this, I've posted (on my blog) IS-IS configurations I think are optimized for my environment (and perhaps, a few others):

http://aknit-routing.blogspot.com/2008/06/is-is-routing-protocol-best-practices.html

Feel free to gnaw at it and throw any comments.

a few comments after taking a quick look:

SPF and PRC-interval are quite aggressive. 1 msec initial wait is appropriate for single link failures, but if you have multiple failures within a short time frame (for example SRLG- or node-failures), you might need to run two SPFs, so many deployments use 50ms initial wait. 20 msec interval is quite low, some folks' SPF takes much longer than this. So I would consider increasing this.

Same reasoning applies to lsp-gen-interval, for SRLG failures you might need to generate two LSPs.

Not sure if I would consider ignore-attached-bit a Best Practice.. It is useful in some environments, but many others would rely on it.

log-adjacency-changes all generates some more log files (for example adjacency down when you shut an interface)..

As you tune for fast convergence, process-max-time 50 and ip routing protocol purge interface (or ip slow-converge in non-12.0S/non-12.2S trains) would also be recommended.

oli
[c-nsp] RES: Switch Module
attach mod_number
show ver

Cheers,
Leonardo Gama.

From: [EMAIL PROTECTED] on behalf of Ahmed Mohamed
Sent: Fri 19/9/2008 09:45
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Switch Module

Hello,

I have CS65013 switches with some new modules installed on it. Due to a documentation problem, I don't know which module was installed recently. Is there any command that can give me the uptime of the module?
[c-nsp] RES: Cisco 12406 Etherchannel
There are some restrictions... Take a look:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lnkbndl.html

Cheers.

From: [EMAIL PROTECTED] on behalf of Mark Tech
Sent: Tue 16/9/2008 08:12
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 12406 Etherchannel

Hi

I am trying to configure Etherchannel/link bundling on a 12406. The port channel seems to be accepted, however when I try and add a channel-group to my GE interfaces, it says it's not supported?

I am using SPA-10X1GE-V2 line cards with c12kprp-p-mz.120-32.SY6.bin IOS

interface Port-channel1
 ip address x.x.x.x 255.255.255.252
 no ip directed-broadcast
 channel-group minimum active 1
 no channel-group bandwidth control-propagation

router(config-if)#channel-group 1
Error: not supported on GigabitEthernet0/0/0.

Is there a way to bundle more than 1GE port on a 12406?

Regards
Mark
[c-nsp] ELAM capture on SRB
Hi...

Does anyone know if it's feasible to use ELAM capture on SRB throttle? I haven't been able to find it. I'd appreciate if someone can share additional information about it.

Thanks much!
[c-nsp] RES: Using CA certificates and pre-shared keys on the same box
Yes. Just add another isakmp policy statement using the pre-shared authentication mode.

Cheers,
Leonardo Gama.

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 10/9/2008 11:07
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box

Hi,

I have a 2851 working as a hub for remote VPN sites using CA certificates. I want to add other remotes which are using pre-shared keys as their authentication method. Is it possible to configure the hub router to support both the CA trustpoint and pre-shared keys?

Kind regards
Nasir Shaikh
[c-nsp] RES: GSR12008 Error
Hi,

Look for errors in show controller fia. Maybe the LC was badly seated... Maybe you have a bad SFC... There are a lot of possibilities.

Cheers,
Leonardo Gama.

From: [EMAIL PROTECTED] on behalf of Chris Lane
Sent: Wed 10/9/2008 15:58
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR12008 Error

All,

GSR question, appears Cisco finally got around to updating the IOS train on 12.0.32.S - we have been running S8 for a while but S11 just came out and it appears to have many new features!

One of my routers is running 12.0.32.S6 - it's been so for 2 years. I had a bad 8 port FastE lc a while back so I replaced just recently with a known good lc tested in the lab. So I sent it to replace the failed one ~ after 2 days I started getting these errors.

%FABRIC-3-ERR_HANDLE: %RP-3-FABRIC_UNI %FIA-3-HALT L%LC-6-BMACMDRPLY

From what I gather this is the RP is having trouble communicating with the LC. One of these errors suggests upgrading IOS ~ but S6 to S8 isn't that big of a deal and couldn't possibly be the culprit could it? Is this RP related? And if so I could easily flip to the backup RP.

Any suggestions would be super appreciative.

--
//CL
[c-nsp] RES: Sup720 Config registry
Notice this can be broken due to CSCeg76624, CSCeg22424 or CSCed58891. You're safe if you're running 8.5(1) though.

Regards,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Sunday, August 31, 2008 09:48
To: Brett Clausenhauf; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Sup720 Config registry

You can check the config-register setting on SP by:

rem comm sw sh ver | i register

SP is probably still set to 2142. You should change it to 0x2102 by going to config on RP. When you save the config it will be saved on SP also. After saving you can issue:

rem comm sw sh ver | i register

It should indicate 0x2102 after reboot.

Asad

-- Original message --
From: Brett Clausenhauf [EMAIL PROTECTED]

Hey Guys..

I have a query I cannot seem to find any answer to.

When a sup720 module is booting, if you do a CTRL + Break into rommon change the confreg register on the SP module (Changed to confreg 0x2142 NOT the RP module, what does this actually do?

I did this by mistake whilst troubleshooting an issue. The issue is now resolved but I never got the opportunity to put this back (Also not sure what to put it back to). The module boots up, the config appears to be working 100 percent fine...

I am very concerned if doing this does anything detrimental that is going to be a concern later. Can anybody who might know advise? It would be very much appreciated..

Thanks in advance.
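The two register values in this thread, 0x2142 and 0x2102, differ only in bit 6 (ignore NVRAM contents at boot). As an added example that is not part of the original posts, this Python script decodes a configuration register with the standard IOS bit layout and compares the `Configuration register is ...` line from the RP and SP `show version` output, so a leftover 0x2142 is caught before the next reload. The sample outputs and the names `RP` and `SP` as dictionary keys are constructed assumptions.

```python
import re

IGNORE_NVRAM = 0x0040  # bit 6: startup-config is skipped at boot

# Standard IOS configuration register flag bits (console speed bits omitted).
FLAGS = {
    0x0040: "ignore NVRAM contents",
    0x0080: "OEM bit enabled",
    0x0100: "Break disabled after boot",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have net numbers",
    0x8000: "diagnostic messages enabled, NVRAM contents ignored",
}

REG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Constructed samples: only the register line matters to the parser.
SAMPLE_LEFTOVER = {
    "RP": "...\nConfiguration register is 0x2102\n",
    "SP": "...\nConfiguration register is 0x2142\n",
}
SAMPLE_FIXED_PENDING = {
    "RP": "...\nConfiguration register is 0x2102\n",
    "SP": "...\nConfiguration register is 0x2142 (will be 0x2102 at next reload)\n",
}


def decode(value):
    """Break a 16-bit register value into boot field and named flag bits."""
    boot = value & 0x000F
    if boot == 0:
        boot_desc = "stay at the ROM monitor"
    elif boot == 1:
        boot_desc = "boot the helper / first flash image"
    else:
        boot_desc = "follow the 'boot system' commands"
    return {
        "value": f"0x{value:04X}",
        "boot_field": boot_desc,
        "flags": [text for bit, text in FLAGS.items() if value & bit],
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
    }


def parse_show_version(text):
    """Return (current, value_after_next_reload) or None if no register line."""
    match = REG_RE.search(text)
    if not match:
        return None
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    return current, pending


def audit(outputs):
    """outputs maps a processor name to its 'show version' text."""
    findings, pending_values = [], {}
    for name, text in outputs.items():
        parsed = parse_show_version(text)
        if parsed is None:
            findings.append(f"{name}: no configuration register line found")
            continue
        current, pending = parsed
        pending_values[name] = pending
        if pending & IGNORE_NVRAM:
            findings.append(f"{name}: 0x{pending:04X} has bit 6 set, "
                            "startup-config will be ignored at next reload")
        elif current & IGNORE_NVRAM:
            findings.append(f"{name}: booted with 0x{current:04X} (bit 6 set), "
                            f"0x{pending:04X} takes effect at next reload")
    if len(set(pending_values.values())) > 1:
        pairs = ", ".join(f"{n}=0x{v:04X}" for n, v in pending_values.items())
        findings.append(f"register mismatch between processors: {pairs}")
    return findings


if __name__ == "__main__":
    for value in (0x2142, 0x2102):
        print(decode(value))
    for label, sample in (("leftover", SAMPLE_LEFTOVER),
                          ("fixed, reload pending", SAMPLE_FIXED_PENDING)):
        print(label, audit(sample))
```
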
[c-nsp] RES: Cisco 2960G Issue
Hi Mike,

I've never run into this issue before. I presume this is not a common problem. You can start troubleshooting with 'show platform port-asic' and 'show platform tcam'. There are also other 'show platform' and 'show controller' commands that might be useful.

Regards,
Leonardo Gama.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Mike Cooper
Sent: Wednesday, August 27, 2008 06:39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 2960G Issue

Hi all,

I've got a WS-C2960G-24TC-L switch running IOS 12.2(35)SE5

It's been in production for a couple of weeks in a fairly straight forward L2 environment. We noticed this afternoon a few hosts connected to the switch suffering persistent packet loss of ~20%

After a bit of investigation we narrowed it down to ports 5, 6, 7, 8. The ports were configured as access ports, 1 @ 10M/FD 3 @ 1G/FD, all were in different vlans.

My assumption is the switch runs six ASICs, and that the one that operates those 4 ports has faulted or degraded in some way causing the performance issues. None of the other machines connected to the switch were affected, and currently the switch is still operating. I've since relocated the affected machines to an alternate switch, resolving the loss issues.

I'm interested if anyone is aware of this as a common problem with 2960G switches (or any switches for that matter), and if there are any tips for testing/troubleshooting before I return it as faulty.

I bought 4 brand new 2960Gs in one go, 1 was DoA, and now this one has developed faults which is leaving me with some concerns for the others.

Cheers,
--Mike
[c-nsp] RES: conditional bgp default-originate
I haven't tested this, but you can configure two access-lists with both BGP session IP addresses of your upstream providers and match them in the route-map.

neighbor 10.1.0.2 default-originate route-map BGP-UP
route-map BGP-UP permit 10
 match ip address 101
 match ip address 102
route-map BGP-UP deny 20
access-list 101 permit ip host x.x.x.x
access-list 101 remark upstream provider 1 bgp session ip address
access-list 102 permit ip host y.y.y.y
access-list 102 remark upstream provider 2 bgp session ip address

Regards,
Leonardo Gama.

From: [EMAIL PROTECTED] on behalf of Jon Lewis
Sent: Wed 13/8/2008 12:50
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] conditional bgp default-originate

I'd like to be able to conditionally advertise a default route to customers taking just default routes only if my transit BGP sessions appear to be functional. I thought something like this might work:

neighbor 10.1.0.2 default-originate route-map BGP-UP
route-map BGP-UP permit 10
 match as-path 100
ip as-path access-list 100 permit ^3356_
ip as-path access-list 100 permit ^4323_

But no such luck. Checking the docs at

http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042

it seems I have to exactly match against a route for the route-map to work here. That means actually picking a few canary routes I expect to get from my upstreams and hoping they don't go anywhere or change mask. I'm not really happy with that. Are there better ways to do this?

Also, while looking at the docs above and experimenting in the GNS3 simulator (emulated 2600s running c2600-i-mz.123-26.bin), I've found a few oddities. First, there's multiple errors in the docs mentioned above. i.e. From the URL above:

In the following example, the last line of the configuration has been changed to show the use of an extended access list. The local router injects route 0.0.0.0 to the neighbor 172.16.2.3 only if there is a route to 192.168.0.0 with a mask of 255.255.0.0:

router bgp 5
 network 172.16.0.0
 neighbor 172.16.2.3 remote-as 6
 neighbor 172.16.2.3 default-originate route-map default-map
!
route-map default-map 10 permit
 match ip address 1
!
access-list 100 permit ip host 192.168.0.0 host 255.255.255.0

In the above example, they did change the ACL to an extended access-list, but the route-map wasn't updated to use it (still using 1) and they say they're looking for 192.168.0.0 with a mask of 255.255.0.0, but the access-list 100 uses a /24 mask.

Just above this example, the docs say that

access-list 1 permit 192.168.0.0

will match a route for 192.168.0.0 with any mask.

In my simulator, I have R1--R2--R3

R1 advertises 8.0.0.0/16 to R2.

R2 is advertising a conditional default to R3 using the route-map

route-map BGP-UP permit 10
 match ip address 50
access-list 50 permit 8.0.0.0

When R2 receives 8.0.0.0/16 from R1, there are no hits on the ACL and default is not sent to R3. If I add to access-list 50

access-list 50 permit 8.0.0.0 0.0.255.255

Standard IP access list 50
    10 permit 8.0.0.0 (973 matches)
    20 permit 8.0.0.0, wildcard bits 0.0.255.255

I get hits on the permit 8.0.0.0 line now, and default is sent to R3. This seems kind of broken. I haven't duplicated the setup with real hardware to see if it's a simulator screwup...but since the simulator is running actual IOS, it seems unlikely the simulator is to blame.

--
Jon Lewis               | I route
Senior Network Engineer | therefore you are
Atlantic Net            |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
[c-nsp] RES: SXI on 6500 (was: SXH on 6500)
Just kidding...

while ( ! ( succeed = try_sx_train() ) );

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Gert Doering
Sent: Wednesday, August 13, 2008 18:01
To: Phil Mayers
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] SXI on 6500 (was: SXH on 6500)

Hi,

On Wed, Aug 13, 2008 at 11:02:52AM +0100, Phil Mayers wrote:

Think about it: You're the 6500 IOS team. You have a large body of upstream IOS code, and you have to back-port it, but at the *same* time you also have to modularise it. Contrast: You're the 7600 IOS team. You have a large body of upstream IOS code. You just have to back-port it.

rant

Did I mention that the whole 6500-vs-7600-vs-why the hell would anybody want stable IOS? debacle is really annoying?

IOS quality on the 6500/7600 platform, which really should be the show horse platform for Cisco, is on the same (low) level as new hardware T train release - but on other platforms one can usually choose a non-T train, while on 6500/7600, usually you don't even get to choose between pest or cholera...

I can't believe why things as IPv6 on a SVI or scp from the box could simply be non-working in new releases. Is anyone testing this stuff? Or is the single programmer in each BU fully occupied with keeping the gazillion of BU stupid decision makers off his back?

[..]

Let's not kid ourselves - SXF is going to be the stable release for some time to come. I just hope they release an SXF train with support for the 6716s I bought...

There is no SXF support for the Sup720-10G either, as far as I have been led to understand, so I wouldn't hold my breath...

(Stupid me, falling for Cisco sales pitch again hey, when we have to swap your 7606S chassis against 6506 chassis anyway, what about paying just a little extra and getting a Sup720-Sup720-10G upgrade with it?). Now we're running SXH3, have lost BFD on SVIs, and are waiting for some catastrophic thing to happen to our network.

/rant

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] WS-X4548-GB-RJ45V spec
Hello list,

Does anyone know the specs for the WS-X4548-GB-RJ45V module? Is the 1 Gbps per port-group (8-to-1 oversubscription) full-duplex? What is the maximum pps processing? I am facing 'Rx No Packet Buffer' on two ports of the same port-group and I think I'm hitting those limitations... Maybe some buffer adjustment is needed.

Kind regards,
Leonardo
[c-nsp] RES: 4 port ISE Giga CARD problem
Field diagnostics can help you troubleshoot the issue: http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/c12k_fm/diag.html

PS: You are running a pretty old IOS version.

Regards,
Leonardo Gama

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Plz
Sent: Thursday, June 26, 2008 08:00
To: cisco-nsp
Subject: [c-nsp] 4 port ISE Giga CARD problem

Hi, Guys.

A new card (4 port ISE gigaethernet) couldn't go online, every time it stopped at starting IOS. I tried to reload the slot soft/hard, but it didn't work. Here is the diags. I didn't see the memory part in the diags so I think it's a memory problem, maybe the on-site engineer didn't get it placed right. Any ideas will be appreciated.

-
xx#sh ver
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(27)S5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Mon 09-May-05 12:48 by kellythw
Image text-base: 0x50010C84, data-base: 0x532C8000
ROM: System Bootstrap, Version 11.2(20030116:225008) [rarcher-pre_lci_throttle 184], DEVELOPMENT SOFTWARE
BOOTLDR: GS Software (GSR-BOOT-M), Version 12.0(8)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
x uptime is 3 hours, 5 minutes
System returned to ROM by reload
System restarted at 15:43:06 Beijing Thu Jun 26 2008
System image file is slot0:gsr-p-mz.120-27.S5.bin
cisco 12008/GRP (R5000) processor (revision 0x05) with 524288K bytes of memory.
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
2 Route Processor Cards
2 Clock Scheduler Cards
3 Switch Fabric Cards
2 Three Port Gigabit Ethernet/IEEE 802.3z controllers (6 GigabitEthernet).
1 Four Port Gigabit Ethernet/IEEE 802.3z controller (4 GigabitEthernet).
1 Ethernet/IEEE 802.3 interface(s)
10 GigabitEthernet/IEEE 802.3 interface(s)
507K bytes of non-volatile configuration memory.
20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
WARNING: Old fab-loader in slot 4; use upgrade fabric-downloader to update
WARNING: Old MBus agent ROM in some slots; use upgrade mbus-agent-rom to update

#sh diags 4
SLOT 4 (RP/LC 4 ): 4 Port ISE Gigabit Ethernet
MAIN: type 119, 800-22811-07 rev F0 Deviation: 0 HW config: 0x00SW key: 00-00-00
PCA: 73-8517-07 rev C0 ver 5 Design Release 6.0 S/N SAL113922D7
MBUS: Embedded Agent Test hist: 0x00RMA#: 00-00-00RMA hist: 0x00
DIAG: Test count: 0xTest results: 0x
FRU: Linecard/Module: 4GE-SFP-LC=
L3 Engine: 3 - ISE OC48 (2.5 Gbps)
MBUS Agent Software version 1.98 (RAM) (ROM version is 2.32)
ROM Monitor version 1.13
Fabric Downloader version used 5.6 (ROM version is 6.4)
Primary clock is CSC 1
Board is analyzed
Board State is Starting IOS (IOS STRT)
Insertion time: 00:46:49 (02:18:46 ago)

Best Regards,
runt
[c-nsp] RES: SCA BB Console on Windows Vista
I know one person :-)

I resolved the issue by reinstalling the application. Something was going wrong with Java.

Thanks anyway,
Leonardo Gama.

From: Ziv Leyes [mailto:[EMAIL PROTECTED]
Sent: Tue 17/6/2008 05:11
To: Leonardo Gama Souza; cisco-nsp@puck.nether.net
Subject: RE: SCA BB Console on Windows Vista

Has anyone ever installed Windows Vista?? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leonardo Gama Souza
Sent: Monday, June 16, 2008 5:42 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SCA BB Console on Windows Vista

Hi there,

Has anyone ever installed SCA BB Console 3.1.5 on Windows Vista? I haven't found any information about it. I'll appreciate any clue or insight.

Thanks!

This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals computer viruses.
[c-nsp] RES: User not authenticating by radius
Hi Everton,

Your router is sending access-requests to the wrong Radius IP address 10.180.50.74. It was supposed to send them to 10.10.50.74, all right? Try to create an interface loopback with the IP address configured in your Radius' client file and configure 'ip radius source-interface loopbackX'. Make sure routing is ok. It's worth also comparing configuration before and after the reload, if you could.

Regards,
Leonardo Gama.

From: [EMAIL PROTECTED] on behalf of Everton Diniz
Sent: Mon 16/6/2008 12:46
To: cisco-nsp
Subject: [c-nsp] User not authenticating by radius

Hi all,

After a reboot of the router, the radius does not auth users. The config has not changed. This is the config and debug output.

RT_2811#sh run | i aaa|radius
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
aaa authorization network default group radius none
aaa accounting exec default start-stop group radius
aaa session-id common
radius-server host 10.10.50.74 auth-port 1812 acct-port 1813
radius-server key 7 shared

000334: Jun 16 12:31:23: RADIUS/ENCODE(0018): ask Username:
000335: Jun 16 12:31:23: RADIUS/ENCODE(0018): send packet; GET_USER
000338: Jun 16 12:37:24: RADIUS/ENCODE(001A): ask Username:
000339: Jun 16 12:37:24: RADIUS/ENCODE(001A): send packet; GET_USER
000340: Jun 16 12:37:27: RADIUS/ENCODE(001A): ask Password:
000341: Jun 16 12:37:27: RADIUS/ENCODE(001A): send packet; GET_PASSWORD
000342: Jun 16 12:37:29: RADIUS/ENCODE(001A):Orig. component type = EXEC
000343: Jun 16 12:37:29: RADIUS: AAA Unsupported Attr: interface [156] 6
000344: Jun 16 12:37:29: RADIUS: 74 74 79 33 [tty3]
000345: Jun 16 12:37:29: RADIUS(001A): Storing nasport 322 in rad_db
000346: Jun 16 12:37:29: RADIUS/ENCODE(001A): dropping service type, radius-server attribute 6 on-for-login-auth is off
000347: Jun 16 12:37:29: RADIUS(001A): Config NAS IP: 0.0.0.0
000348: Jun 16 12:37:29: RADIUS/ENCODE(001A): acct_session_id: 25
000349: Jun 16 12:37:29: RADIUS(001A): sending
000350: Jun 16 12:37:29: RADIUS/ENCODE: Best Local IP-Address 10.180.50.1 for Radius-Server 10.180.50.74
000351: Jun 16 12:37:29: RADIUS(001A): Send Access-Request to 10.180.50.74:1812 id 1645/36, len 83
000352: Jun 16 12:37:29: RADIUS: authenticator 9C 90 BC 71 C7 35 FE E3 - E5 17 32 00 D2 DE 4A 88
000353: Jun 16 12:37:29: RADIUS: User-Name [1] 13 cpm.everton
000354: Jun 16 12:37:29: RADIUS: User-Password [2] 18 *
000355: Jun 16 12:37:29: RADIUS: NAS-Port[5] 6 322
000356: Jun 16 12:37:29: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
000357: Jun 16 12:37:29: RADIUS: Calling-Station-Id [31] 14 10.251.0.130
000358: Jun 16 12:37:29: RADIUS: NAS-IP-Address [4] 6 10.180.50.1
000359: Jun 16 12:37:35: RADIUS: no sg in radius-timers: ctx 0x44540118 sg 0x
000360: Jun 16 12:37:35: RADIUS: Retransmit to (10.180.50.74:1812,1813) for id 1645/36
000361: Jun 16 12:37:40: RADIUS: no sg in radius-timers: ctx 0x44540118 sg 0x
000362: Jun 16 12:37:40: RADIUS: Retransmit to (10.180.50.74:1812,1813) for id 1645/36
000363: Jun 16 12:37:45: RADIUS: no sg in radius-timers: ctx 0x44540118 sg 0x
000364: Jun 16 12:37:45: RADIUS: Retransmit to (10.180.50.74:1812,1813) for id 1645/36
000365: Jun 16 12:37:51: RADIUS: no sg in radius-timers: ctx 0x44540118 sg 0x
000366: Jun 16 12:37:51: RADIUS: No response from (10.180.50.74:1812,1813) for id 1645/36
000367: Jun 16 12:37:51: RADIUS/DECODE: parse response no app start; FAIL
000368: Jun 16 12:37:51: RADIUS/DECODE: parse response; FAIL
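A check for the mismatch pointed out in this thread, as an added example that is not part of the original messages: it compares the `radius-server host` lines of the configuration with the servers the RADIUS debug output shows requests going to. The function names are hypothetical, and the embedded configuration and log lines are an excerpt of the ones posted above.

```python
import re
from collections import Counter

IOS_DEFAULT_AUTH_PORT = 1645  # used by IOS when no auth-port is configured

# Excerpt of the configuration and debug output posted in the thread.
CONFIG = """\
aaa authentication login default group radius local
radius-server host 10.10.50.74 auth-port 1812 acct-port 1813
"""

DEBUG = """\
000350: Jun 16 12:37:29: RADIUS/ENCODE: Best Local IP-Address 10.180.50.1 for Radius-Server 10.180.50.74
000351: Jun 16 12:37:29: RADIUS(001A): Send Access-Request to 10.180.50.74:1812 id 1645/36, len 83
000358: Jun 16 12:37:29: RADIUS: NAS-IP-Address [4] 6 10.180.50.1
000360: Jun 16 12:37:35: RADIUS: Retransmit to (10.180.50.74:1812,1813) for id 1645/36
000362: Jun 16 12:37:40: RADIUS: Retransmit to (10.180.50.74:1812,1813) for id 1645/36
000364: Jun 16 12:37:45: RADIUS: Retransmit to (10.180.50.74:1812,1813) for id 1645/36
000366: Jun 16 12:37:51: RADIUS: No response from (10.180.50.74:1812,1813) for id 1645/36
"""

IP = r"\d+(?:\.\d+){3}"
HOST_RE = re.compile(r"^\s*radius-server host (\S+)(?: auth-port (\d+))?", re.M)
SEND_RE = re.compile(rf"Send Access-Request to ({IP}):(\d+) id (\S+),")
RETX_RE = re.compile(rf"Retransmit to \(({IP}):(\d+),\d+\) for id (\S+)")
DEAD_RE = re.compile(rf"No response from \(({IP}):(\d+),\d+\) for id (\S+)")
NAS_RE = re.compile(rf"NAS-IP-Address\s*\[4\]\s+\d+\s+({IP})")


def configured_servers(config):
    """Return the set of (ip, auth_port) pairs from 'radius-server host' lines."""
    servers = set()
    for host, port in HOST_RE.findall(config):
        servers.add((host, int(port) if port else IOS_DEFAULT_AUTH_PORT))
    return servers


def analyse(config, debug):
    """Compare configured RADIUS servers with the ones seen in debug output."""
    expected = configured_servers(config)
    sent, retransmits = Counter(), Counter()
    no_response, nas_ips = set(), set()
    for line in debug.splitlines():
        if m := SEND_RE.search(line):
            sent[(m.group(1), int(m.group(2)))] += 1
        elif m := RETX_RE.search(line):
            retransmits[(m.group(1), int(m.group(2)))] += 1
        elif m := DEAD_RE.search(line):
            no_response.add((m.group(1), int(m.group(2))))
        elif m := NAS_RE.search(line):
            nas_ips.add(m.group(1))
    return {
        "expected": expected,
        "unexpected": sorted(s for s in sent if s not in expected),
        "never_contacted": sorted(s for s in expected if s not in sent),
        "retransmits": retransmits,
        "no_response": no_response,
        "nas_ips": nas_ips,
    }


def report(result):
    """Turn the analysis into one human-readable finding per problem."""
    findings = []
    for ip, port in result["unexpected"]:
        findings.append(f"request sent to {ip}:{port}, which is not a configured server")
    for ip, port in result["never_contacted"]:
        findings.append(f"configured server {ip}:{port} was never contacted")
    for ip, port in sorted(result["no_response"]):
        n = result["retransmits"][(ip, port)]
        findings.append(f"{ip}:{port} gave no response after {n} retransmits")
    return findings


if __name__ == "__main__":
    for finding in report(analyse(CONFIG, DEBUG)):
        print(finding)
```

The NAS-IP-Address values collected in `nas_ips` are the ones to compare against the client list on the RADIUS server.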
[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
as for the interface stuff...

Per Interface Config
no ip redirects
no ip unreachables

personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).

[Leonardo Gama Souza] Personally I think it's much better to rate-limit 'ip unreachables' than block them. Probably Cisco doesn't change these silly defaults because they won't have selling points for tools such as SDM. :)
[c-nsp] RES: Cisco 7600, bgp neighbor default-originate breaks
Yeah. Interesting... I've been facing this same annoying issue. And I'm dealing with TAC to solve it as well.
[c-nsp] RES: RES: Bogon Filter - Least Resource/CPU intensive method?
Hi Ziv,

There is a nice white paper on cisco.com: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf

[]´s

-Original Message-
From: Ziv Leyes [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 9, 2008 05:51
To: Leonardo Gama Souza; cisco-nsp
Subject: RE: [c-nsp] RES: Bogon Filter - Least Resource/CPU intensive method?

Will someone be kind and share some sample config for rpf and/or implementation recommendations such as required platforms, IOS and so?

Thanks in advance,
Ziv

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leonardo Gama Souza
Sent: Wednesday, March 05, 2008 4:59 PM
To: cisco-nsp
Subject: [c-nsp] RES: Bogon Filter - Least Resource/CPU intensive method?

Does loose rpf indeed drop packets sourced from null routes? I know strict does for certain, and is the least intensive method of blocking packets sourced from a particular IP/subnet.

Yes, it does. And it works pretty well.
[c-nsp] RES: Bogon Filter - Least Resource/CPU intensive method?
Does loose rpf indeed drop packets sourced from null routes? I know strict does for certain, and is the least intensive method of blocking packets sourced from a particular IP/subnet.

Yes, it does. And it works pretty well.
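A small model of the behaviour confirmed in this thread, as an added example that is not part of the original messages: loose uRPF accepts a source only if the FIB holds a route for it that does not point to Null0, so null-routing a prefix also drops packets sourced from it. The FIB entries, interface names and function names are constructed for illustration, and a match on the default route is treated as no match unless `allow_default` is set.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Null0 marks a discard route.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("198.51.100.0/24", "Gi0/1"),
    ("203.0.113.0/24", "Gi0/2"),
    ("203.0.113.128/25", "Null0"),  # more specific null route inside a live prefix
    ("192.0.2.0/24", "Null0"),      # bogon-style null route
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_permits(fib, src, in_if, mode="loose", allow_default=False):
    """Decide whether a packet from `src` arriving on `in_if` passes uRPF.

    loose  : any non-Null0 route back to the source is enough
    strict : the route back to the source must use the arrival interface
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, ifname = hit
    if ifname == "Null0":
        return False  # best route is a discard route: source is dropped
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route matched
    if mode == "strict":
        return ifname == in_if
    return True


def classify(fib, packets, mode="loose"):
    """Return the list of (src, in_if) pairs that the check would drop."""
    return [(s, i) for s, i in packets if not urpf_permits(fib, s, i, mode)]


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface).
    sample = [
        ("192.0.2.10", "Gi0/0"),     # null-routed prefix
        ("203.0.113.200", "Gi0/0"),  # inside the /25 null route
        ("203.0.113.5", "Gi0/0"),    # live /24, arrives on another interface
        ("198.51.100.5", "Gi0/1"),   # live /24, arrives on its own interface
    ]
    print("loose drops :", classify(FIB, sample, "loose"))
    print("strict drops:", classify(FIB, sample, "strict"))
```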
[c-nsp] RES: RES: activ/standby cpu card status changed
Actually this bug had already been corrected in SXF2...

From: e ninja [mailto:[EMAIL PROTECTED]
Sent: Fri 29/2/2008 17:29
To: Nemeth Laszlo
Cc: Leonardo Gama Souza; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RES: activ/standby cpu card status changed

Nemeth,

Your SUP crashed because it failed over 10 consecutive TestSPRPInbandPing. Get the fix/workaround for sc33990 below.

/eninja

CSCsc33990

Symptoms: A supervisor engine may unexpectedly reset when the TestSPRPInbandPing as part of the Cisco Generic Online Diagnostics (GOLD) fails for 10 consecutive times. The following syslog error messages are typically generated right before the supervisor engine resets, and can also be found in the crashinfo files:

%CONST_DIAG-SP-3-HM_TEST_FAIL: Module slot# TestSPRPInbandPing consecutive failure count:5
%CONST_DIAG-SP-6-HM_TEST_INFO: CPU util(5sec): SP=10% RP=0% Traffic=0% netint_thr_active[0], Tx_Rate[4412], Rx_Rate[0]
%CONST_DIAG-SP-3-HM_TEST_FAIL: Module slot# TestSPRPInbandPing consecutive failure count:10
%CONST_DIAG-SP-6-HM_TEST_INFO: CPU util(5sec): SP=10% RP=0% Traffic=0% netint_thr_active[0], Tx_Rate[4652], Rx_Rate[0]
%CONST_DIAG-SP-2-HM_SUP_CRSH: Supervisor crashed due to unrecoverable errors, Reason: Failed TestSPRPInbandPing

Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that run an integrated Cisco IOS software image. The trigger for the symptom may be possible corruption in TCAM entries that are used to perform the TestSPRPInbandPing.

Workaround: Enter the no diagnostic crash global configuration command to disable exceptions that are being triggered by failed diagnostic monitoring. However, you should do this with discretion because it may also prevent the system from taking proactive measure to mitigate problems that could impact user traffic.

Further Information: The fix for this caveat is more of an enhancement because it only prevents the system from being over-aggressive in taking exceptions when the TestSPRPInbandPing fails under specific conditions. Therefore, the fix for this caveat does not address all triggers that may cause the TestSPRPInbandPing to fail. Please consult Cisco TAC for further assistance if you experience the same problem after upgrading to a Cisco IOS software image that contains the fix for this caveat.

On Fri, Feb 29, 2008 at 1:24 AM, Nemeth Laszlo [EMAIL PROTECTED] wrote:

Hi!

I put the crash file here:
ftp://195.70.33.12/crashinfo_20080228-151329_cpu1
ftp://195.70.33.12/crashinfo_20080228-151329_cpu2

If anybody knows what was the problem, please don't silent it :) Possible it's an IOS problem?

Thanks
Laci

Leonardo Gama Souza wrote:

Hi.

It sounds like your MSFC crashed. You ought to look into the crashinfo file in order to figure out why.

cheers,
Leonardo Gama.

*From:* [EMAIL PROTECTED] on behalf of Nemeth Laszlo
*Sent:* Thu 28/2/2008 13:43
*To:* cisco-nsp@puck.nether.net
*Subject:* [c-nsp] activ/standby cpu card status changed

Hi!

My 7604 router has 2 WS-SUP32-10GE-3B cpu card in RRP-PLUS mode. System image file is sup-bootdisk:s3223-ipservices_wan-mz.122-18.SXF9.bin

I got this syslog messages and after it the cpu card changed the standby mode to active and active to standby. The cpu went at 100% through 15 minutes. I saw a network L2 loop, but I don't know that this L2 loop problem caused by the CPU change, or the CPU change caused by the L2 loop. I use RSTP. This router and more other 2 are members of a little 10G ring.

I can't found this error messages on cisco.com http://cisco.com/ . We has a similar problem on 1 january 2008 when happened a cpu state change to (cpu was 100% like now, other time the cpu goes on 0-2%).

Any idea?
Thanks Laci core2#sh redundancy history | inc state Feb 28 16:13:33 *my state = ACTIVE(13) *peer state = DISABLED(1) Feb 28 16:17:12 *my state = ACTIVE(13) *peer state = UNKNOWN(0) Feb 28 16:17:21 *my state = ACTIVE(13) *peer state = STANDBY COLD(4) Feb 28 16:18:09 *my state = ACTIVE(13) *peer state = STANDBY COLD-CONFIG(5) Feb 28 16:18:19 *my state = ACTIVE(13) *peer state = STANDBY HOT(8) core2#sh redundancy switchover Switchovers this system has experienced : 1 Last switchover reason : Active
[c-nsp] RES: (simple?) NAT-question mapping multiple outside addresses to one inside address
What if you invert the picture?

ip nat inside source static 192.168.1.1 10.1.2.10

And server - outside - router - inside - source_network ?

Traffic from server to the network won't be nat'ted and the return traffic will be directed to 10.1.2.10, thus won't match the nat rule.

cheers,
Leonardo.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Breithaupt
Sent: Friday, February 8, 2008 05:01
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] (simple?) NAT-question mapping multiple outside addresses to one inside address

Hello list,

I request your support with this NAT scenario, which I'm facing in a migration scenario from one IP-range to another.

Scenario: On the inside we have a node1. node1 formerly had the IL-address 192.168.1.1. During a migration the node gets moved to a new location with a new IL-address 10.1.2.10. I now want this node to be reachable over both the ip-addresses. So I set up a hostroute for the old IL 192.168.1.1 to point to the new IL 10.1.2.10. (or a gateway to the segment, where the node resides...)

My first approach was to define a static mapping:

ip nat inside source static 10.1.2.10 192.168.1.1

But that solution is not feasible. When trying to reach the old IL 192.168.1.1 the translation is correct and the node is reachable, as it should: (1-to-1 mapping)

*Feb 8 08:55:55.223: NAT: s=10.1.1.10, d=192.168.1.1-10.1.2.10 [8]
*Feb 8 08:55:55.243: NAT*: s=10.1.2.10-192.168.1.1, d=10.1.1.10 [8]

When trying to reach the new IL 10.1.2.10 the outside-to-inside packet passes without NATting, but the inside-to-outside packet gets translated according to the static mapping. So the initiating host gets an answer packet from a different ip.

*Feb 8 08:58:30.271: NAT: s=10.1.2.10-192.168.1.1, d=10.1.1.10 [9]

- What would be the correct instrument, to just map multiple inside-global IP's to one inside-local for outside-to-inside conversations?

Thank you very much in advance,
regards,
Dennis
[c-nsp] RES: Router uptime, can you beat it?
Ok...I have one IGS running smoothly for 16 years:

IGS-BX Software, Version 8.3(0.15), ROUTER SOFTWARE
Copyright (c) 1986-1991 by cisco Systems, Inc.
Compiled Wed 14-Aug-91 15:25 by mlb
System Bootstrap, Version 4.3(0.6), ROUTER SOFTWARE
igs uptime is 16 years, 8 weeks, 5 days, 10 hours, 28 minutes
System restarted by reload
System image file is unknown, booted via tftp from 10.0.230.11
cisco IGS (68020) processor (revision I) with 4096K/512K bytes of memory.
Processor board serial number 00043854
DDN X.25 software.
Bridging software.
1 Ethernet/IEEE 802.3 interface.
1 Serial network interface.
16K bytes of non-volatile configuration memory.
Configuration register is 0x0

Can you beat it now? No, no, I am just kidding... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Jones
Sent: Tuesday, January 29, 2008 21:26
To: Ben Steele; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router uptime, can you beat it?

Ben Steele wrote:

Anyone got anything currently running longer?

router uptime is 4 years, 10 weeks, 5 days, 9 hours, 13 minutes
System returned to ROM by power-on
System restarted at 14:27:52 ACDT Fri Nov 14 2003
System image file is flash:c2600-js-mz.122-17a.bin
cisco 2620 (MPC860) processor (revision 0x102) with 61440K/4096K bytes of memory.

I know it's heretical but I have a Nortel ASN in a dark corner of the network with at least 5 years of uptime. Sadly it also has a BayRS bug which means the uptime counter breaks after about 280 days or so. Currently it claims to have been up for -17 days.
[c-nsp] RES: Key-chain and MD5 authentication for IS-IS
Great. Helped a lot. Thanks.

-Original Message-
From: Oliver Boehmer (oboehmer) [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 24, 2008 04:03
To: Leonardo Gama Souza; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Key-chain and MD5 authentication for IS-IS

Leonardo Gama Souza wrote on Wednesday, January 23, 2008 11:10 PM:

Hello everybody, Do you know whether I have to update the key chain string after an IOS upgrade? Let´s fancy from 12.2S to 12.0S... I'm only using it for IS-IS instance authentication. Has anyone ever run into this situation?

You shouldn't need to update the keys, but I've seen cases where this was required after an upgrade (just re-entering the same key helped). I recall there was a bug somewhere in 12.2S where this was required for all keys (IIRC)..

oli
[c-nsp] Key-chain and MD5 authentication for IS-IS
Hello everybody,

Do you know whether I have to update the key chain string after an IOS upgrade? Let´s fancy from 12.2S to 12.0S... I'm only using it for IS-IS instance authentication. Has anyone ever run into this situation? I'll appreciate any clue or recommendation.

Leonardo.
[c-nsp] RES: Virtual-Template DOS?
If you are under a DoS attack and figure out that you are receiving too many PADI packets, you can throttle them:

virtual-template 1
sessions per-mac throttle...

cheers

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: Friday, January 18, 2008 12:42
To: 'Duracom Lists'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Virtual-Template DOS?

There are different types of DoS attack for Cisco PPPoE services. I wonder you might be getting too many PPPoE sessions from a customer. I suggest you use debug vpnd things and get the real picture; keeping in mind that you know the overheads of using debug commands :)

Here is something you can do to prevent such PPPoE DoS attacks

bba-group pppoe vpn1
 virtual-template 1
 sessions per-vc limit 1 (1 max number of vpdn session per-vc)
 sessions per-mac limit 1 ( 1 max number of vpnd session per-mac)

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Duracom Lists
Sent: Friday, January 18, 2008 8:08 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Virtual-Template DOS?

I have been terminating DSL on my 7206vxr for quite some time. My router began acting sluggish the last couple of days for some odd reason the cpu was being pegged out. Below was what was in the logs non stop. I only have 5 DSL customers terminated to this router. In order for me to get the CPU down I had to issue a no vpdn-group 1 to drop all the tunnels?

Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(29), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 11-May-05 15:38 by kellmill Image text-base: 0x60008940, data-base: 0x61314000 ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2) BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(6), RELEASE SOFTWARE (fc3) Dua-7206 uptime is 11 hours, 14 minutes System returned to ROM by reload at 21:48:50 CST Thu Jan 17 2008 System restarted at 21:49:52 CST Thu Jan 17 2008 System image file is slot0:c7200-is-mz.122-29.bin cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory. Processor board ID 21304031 R7000 CPU at 350Mhz, Implementation 39, Rev 3.3, 256KB L2, 4096KB L3 Cache 6 slot VXR midplane, Version 2.1 Jan 18 08:55:40: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up Jan 18 08:55:40: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down Jan 18 08:55:48: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up Jan 18 08:55:49: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down Jan 18 08:55:54: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up Jan 18 08:55:55: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down Jan 18 08:56:02: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up Jan 18 08:56:06: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up Jan 18 08:56:07: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down Jan 18 08:56:11: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down Jan 18 08:56:19: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up Jan 18 08:56:21: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down Jan 18 08:56:25: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up Jan 18 08:56:28: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down Jan 18 08:56:36: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up Jan 18 08:56:37: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down Jan 18 08:56:43: %LINK-3-UPDOWN: Interface 
Virtual-Access1, changed state to up Jan 18 08:56:43: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down Jan 18 08:56:51: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up Jan 18 08:56:55: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up Jan 18 08:56:55: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down Jan 18 08:56:59: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to down Jan 18 08:57:07: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up Jan 18 08:57:11: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up Jan 18 08:57:12: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down Jan 18 08:57:18: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down Jan 18 08:57:27: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up Jan 18 08:57:29: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down Jan 18 08:57:33: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up Jan 18 08:57:35: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down Jan 18 08:57:43: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up Jan 18 08:57:45: %LINK-3-UPDOWN: Interface
[c-nsp] RES: Scheduling daily reload
Hello.

When does the problem take place? PPPoE Session Recovery After Reload may be the answer for that issue. Configure 'sessions auto cleanup' under bba-group pppoe.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 2, 2008 12:43
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

This might be a dumb question... I apologize - but how do you turn OFF ppp keepalives? I'm thinking of a 7206VXR as a BRAS in particular? Interesting as we have a small number of customers (10-15 possibly) at a site where their computer reports it's connected and our side shows them disconnected - hence my interest..;) If they manually disconnect/reconnect then it goes away - we have figured it to be a desktop issue to date...

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marko Milivojevic
Sent: Wednesday, January 02, 2008 7:57 AM
To: Masood Ahmad Shah; Gert Doering; Eric Helm
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

That doesn't really help, because it's usually CPE that is unaware that it had been cut-off.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Masood Ahmad Shah
Sent: 2 January 2008 12:46
To: 'Gert Doering'; 'Eric Helm'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

Why the heck is your service provider (upstream ISP) not using ppp keepalives? They should use ppp keepalives on their BRAS.

Regards,
Masood Ahmad Shah

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Wednesday, January 02, 2008 2:54 PM
To: Eric Helm
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Scheduling daily reload

Hi,

On Tue, Jan 01, 2008 at 09:13:23PM -0600, Eric Helm wrote:

I've seen this happen with PPPoX connections when either the ISP makes a config change that causes the BRAS to disconnect the PPP session and for whatever reason the CPE doesn't receive the disconnect message so the PPP session remains active and thus never re-negotiates a new session.

PPP keepalives will nicely take care of this.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] RES: 7600 SRA vs. SRB
Hi.

Theoretically a limited deployment is more stable than an early deployment, but if I were you, I would wait for SRA7

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev
Sent: Wednesday, December 26, 2007 11:46
To: cisco-nsp
Subject: [c-nsp] 7600 SRA vs. SRB

Hi everyone,

We're running 12.2(33)SRB1 on a couple of 7600/Sup720's acting as core switches in an MPLS network. We've recently seen strange symptoms where traffic apparently crosses VRFs unexpectedly, although we don't have enough data to say for sure. Reload solved the problem both times it occurred.

We're about to upgrade to SRB2 and see if the problem continues, but are thinking about using SRA instead. I can see the SRA6 earned the Limited Deployment tag, but I'm unsure if this is better or worse or neither compared to Early Deployment. Can anyone shed some light on that? We can live without the SRB features (according to Feature Navigator).

Regards,
Peter Rathlev
Re: [c-nsp] IPSEC behind NAT device problem
What are you seeing from 'debug crypto isakmp' output? Notice you have 'isakmp identity address'. If you do not use nat-t to preserve the peer ip address, the pre-shared key authentication will fail.

--
Message: 6
Date: Thu, 18 Oct 2007 22:02:47 +0300
From: Mihai Tanasescu [EMAIL PROTECTED]
Subject: Re: [c-nsp] IPSEC behind NAT device problem
To: Michael K. Smith - Adhost [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net

Hello,

I don't think this is required. (the PIX has a public IP and no NAT in place). Also nat-traversal would have been required (as far as I've read) on the C3660 router only if the Linux machine would have been unable to translate packets by default (which works).

This is what I found for Nat Traversal on Cisco website:

Although this feature addresses many incompatibilities between NAT and IPSec, the following problems still exist:

Internet Key Exchange (IKE) IP Address and NAT
This incompatibility applies only when IP addresses are used as a search key to find a preshared key. Modification of the IP source or destination addresses by NAT or reverse NAT results in a mismatch between the IP address and the preshared key.

Embedded IP Addresses and NAT
Because the payload is integrity protected, any IP address enclosed within IPSec packets cannot be translated by NAT. Protocols that use embedded IP addresses include FTP, Internet Relay Chat (IRC), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), H.323, and Session Initiation Protocol (SIP).

Michael K. Smith - Adhost wrote:
Did you try adding:

isakmp nat-traversal 20

on the PIX? There may be a similar command on the 3600 but I'm not sure.

Regards,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 18, 2007 11:50 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net; [EMAIL PROTECTED]
Subject: Re: [c-nsp] IPSEC behind NAT device problem

No. I'm using ESP.

This is my config:

192.168.5.0/24 -- PIX -- public(IP1) INTERNET public(IP2) Linux - 172.16.254.1 172.16.254.2 Cisco 3660 -- 192.168.6.0/24

On PIX:

access-list ipsec permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
isakmp enable outside
crypto ipsec transform-set avalanche esp-des
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer public-remote-IP(linux NAT)
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg 21 set security-association lifetime seconds 28800 kilobytes 4608000
isakmp key address public-remote-IP(linux NAT) netmask 255.255.255.255
! here I've also added a key for the IP behind NAT that initializes the connection..don't think it helps though ..but I've seen it in the payload upon debugging..so I thought it might be used instead of the public one for the initial authentication
isakmp key address 172.16.254.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400

On C3660 router:

crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key n3$$t3@ address PIX-public-IP
! tried here with esp-des and esp-md5-hmac before removing the last one
! and trying without any auth algorithm
crypto ipsec transform-set sharks esp-des
crypto map nolan 11 ipsec-isakmp
 set peer PIX-public-IP
 set transform-set sharks
 match address 120
access-list 120 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
[c-nsp] Soft Reconfiguration In?
Hi. There is a feature called BGP Soft Reset that introduced enhancements to memory consumption for BGP soft reconfiguration. You can do some research to find out if your version supports it.

Regards,
Leonardo Gama.
[c-nsp] RES: configuring PPPoE Circuit-Id Tag
The configuration seems to be ok. I know this feature works on the SB train. Which one are you running?
[c-nsp] vty access-list
If your router can do it, try to use ip receive access-list. Good luck.

Cheers,
Leonardo Gama
[c-nsp] Fragmented memory
Hi there. Does the memory fragmentation usually take place when the free memory is under 50MB? I have a clue of this fragmentation when there is a lot of difference between free and largest memory. Isn't it?

Thanks.
Leonardo Gama Souza.