Re: [c-nsp] cisco ACL filter outbound only

2020-09-15 Thread Nick Griffin
It would probably help if you elaborated on what type of connections will be 
established through/from the device in question. 

Sent from my iPhone

> On Sep 15, 2020, at 9:45 AM, Mike  wrote:
> 
> On 9/15/20 3:12 AM, Nick Hilliard wrote:
>> Mike wrote on 15/09/2020 02:17:
>>>  I have some gear that needs a public ip, but does not have the best
>>> security profile, and I want to put up an ACL that only permits this
>>> gear to make outbound connections while dropping all inbound. My router
>>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>>> copy/paste acl for this type of job?
>> 
>> you're mixing up a packet filtering ACL with a firewall ACL.
>> 
>> A packet filter with this sort of ACL will block all inbound traffic,
>> i.e. the performance will be terrific but everything will break
>> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>> 
>> A firewall rule will enable dynamic outbound state management, which
>> seems to be what you want, but the ASR920 doesn't support it.
>> 
>> You need a firewall for this, not a router.
>> 
>> Nick
> 
> 
> I ask because online cisco docs as well as the command line indicate
> support for matching 'established' connections, as well as combinations
> of flags:
> 
> rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
>   ack          Match on the ACK bit
>   dscp         Match packets with given dscp value
>   eq           Match only packets on a given port number
>   established  Match established connections
>   fin          Match on the FIN bit
>   fragments    Check non-initial fragments
>   gt           Match only packets with a greater port number
>   log          Log matches against this entry
>   log-input    Log matches against this entry, including input interface
>   lt           Match only packets with a lower port number
>   match-all    Match if all specified flags are present
>   match-any    Match if any specified flag is present
>   neq          Match only packets not on a given port number
>   option       Match packets with given IP Options value
>   precedence   Match packets with given precedence value
>   psh          Match on the PSH bit
>   range        Match only packets in the range of port numbers
>   rst          Match on the RST bit
>   syn          Match on the SYN bit
>   time-range   Specify a time-range
>   tos          Match packets with given TOS value
>   ttl          Match packets with given TTL value
>   urg          Match on the URG bit
>   
> 
> 
> It just seems to me that it is indeed possible using the above to put it
> together. Is this all just non-working on this platform?
> 
> 
> Mike-
> 
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
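The `established` keyword in the CLI help Mike pasted matches any TCP segment whose ACK or RST bit is set; it keeps no connection table. The simulation below is an added example, not code from the original thread or from Cisco: it runs the same constructed inbound packets through an ACL of the form `permit tcp any host <gear> established` / `deny ip any any` and through a minimal connection-tracking filter, so the two behaviours can be compared side by side. All addresses and ports are constructed from the RFC 5737 documentation ranges, and the device address 203.0.113.10 is an assumption.

```python
"""Stateless `established` ACL versus a stateful filter (simulation).

Added example, not from the original thread. An IOS extended ACL entry with
the `established` keyword matches any TCP segment that has the ACK or RST
bit set and keeps no connection table; a firewall admits an inbound packet
only if it belongs to a flow the protected host opened. Both filters are run
over the same constructed packets (RFC 5737 documentation addresses; the
device IP 203.0.113.10 is an assumption).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

ACK, RST, SYN = "ACK", "RST", "SYN"
GEAR = "203.0.113.10"  # assumed public IP of the device with the weak security profile


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def tcp(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    """Build a constructed TCP segment description."""
    return Packet(src, sport, dst, dport, frozenset(flags))


def acl_established_permits(pkt: Packet) -> bool:
    """Inbound ACL on the upstream-facing interface, equivalent to:
         permit tcp any host 203.0.113.10 established
         deny   ip  any any
    The decision uses nothing but this packet's own header bits."""
    return pkt.dst == GEAR and bool(pkt.flags & {ACK, RST})


class StatefulFilter:
    """Minimal connection tracking: remember flows the device opened (outbound
    SYN without ACK) and permit inbound packets only if they reverse one."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def see_outbound(self, pkt: Packet) -> None:
        if pkt.src == GEAR and SYN in pkt.flags and ACK not in pkt.flags:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def permits(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare_filters() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed inbound traffic through both filters.
    Returns {case: (established_acl_permits, stateful_permits)}."""
    fw = StatefulFilter()
    # The device opens an HTTPS connection outbound; only the stateful filter remembers it.
    fw.see_outbound(tcp(GEAR, 51000, "198.51.100.5", 443, SYN))

    inbound = {
        "SYN/ACK reply to the device's own outbound connection":
            tcp("198.51.100.5", 443, GEAR, 51000, SYN, ACK),
        "unsolicited SYN to ssh on the device":
            tcp("192.0.2.66", 40000, GEAR, 22, SYN),
        "unsolicited ACK-only probe to ssh (nmap -sA style)":
            tcp("192.0.2.66", 40001, GEAR, 22, ACK),
        "unsolicited RST to an arbitrary port":
            tcp("192.0.2.66", 40002, GEAR, 3389, RST),
    }
    return {name: (acl_established_permits(p), fw.permits(p)) for name, p in inbound.items()}


def verdict(ok: bool) -> str:
    return "permit" if ok else "deny"


if __name__ == "__main__":
    for name, (acl, fw) in compare_filters().items():
        print(f"{name:55s} established-ACL={verdict(acl):6s} stateful={verdict(fw)}")
```

Both filters drop the unsolicited SYN, so nobody can complete a new inbound connection either way. The difference is in the last two cases: `established` admits any packet an attacker chooses to send with ACK or RST set, which is exactly what ACK-based scans (nmap -sA) rely on and which leaves the device's TCP stack reachable by crafted segments. It is also TCP-only; replies for UDP services the device uses (DNS, NTP) have no flag to key on and would need their own explicit permits.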


[c-nsp] Cisco SDWAN Version 19.2

2020-04-15 Thread Nick Griffin
Looking for some recommendations on code version 19.2. We recently upgraded 
from 17.2.2 to 18.4 and it has been working well but we just picked up some new 
ISR1100s that require a version of 19.2. Anyone got any experience and 
feedback? Thanks all



Sent from my iPhone


[c-nsp] Nexus 7700 sup2e Upgrade

2018-07-30 Thread Nick Griffin
Looking to upgrade some 7ks from 6.2.12 to something 7.2 or 7.3 to support the 
peering of layer 3 devices across vpc port channels. Looking to see what code 
versions others are using that have proven to be stable. 

Sent from my iPhone


[c-nsp] OT Solarwinds Alternatives

2017-07-27 Thread Nick Griffin
Sorry for the off-topic post. I'm looking for input on network management
solutions other than SolarWinds, unbiased opinions. We will need all things
network related, monitoring, alerts, reporting, configuration management,
and other tools that might be handy for a NOC. If this takes multiple tools
then that is fine. Just looking for some ideas from the guys in the
trenches. Thanks!


[c-nsp] ASR 9000 Upgrade Expectations

2016-07-13 Thread Nick Griffin
Hello, looking for some details in regards to an ASR9000 code upgrade.
Currently running software version 5.1.1 with the following packages:

Committed Packages:
disk0:asr9k-mini-px-5.1.1
disk0:asr9k-k9sec-px-5.1.1
disk0:asr9k-mpls-px-5.1.1
disk0:asr9k-mgbl-px-5.1.1
disk0:asr9k-optic-px-5.1.1
disk0:asr9k-fpd-px-5.1.1
disk0:asr9k-li-px-5.1.1

Installed are RSP-440TR's. We are currently looking to upgrade to version
5.3.3, or perhaps another version if one is recommended, looking for input
here as well, in addition to an estimate as to how long this process is
expected to take, along with perceived customer impact. If further details
are necessary please let me know. I've referenced the following
documentation for installation instructions. If there is something better
or any best practices not covered, please feel free to advise!


http://www.cisco.com/web/Cisco_IOS_XR_Software/pdf/ASR9K_Upgrade_Downgrade_Procedure_IOSXR_Rel_533.pdf


Thanks in advance!


[c-nsp] Failover Testing

2014-10-22 Thread Nick Griffin
I'm working up some failover testing documentation for a data center design
and I'm looking for some good ideas, applications, etc to quantify the
impact of failing over different interfaces, chassis, ISSU upgrades etc and
their impact on network performance. Does anyone have any good
recommendations in the applications arena, preferably open source?

Thanks in advance,

Nick Griffin


[c-nsp] Interworking Question

2013-10-16 Thread Nick Griffin
SP Gurus, I have a short term need to provide connectivity between a couple
endpoints for a migration. Customer currently has a DS3 with PPP encap
terminating in an edge 7200VXR, and will be migrating this service to
ethernet and terminating in new router. Wondering if it's possible to use
interworking on the existing terminating router to convert the ppp to
ethernet and hand this connection off via ethernet to new router. Seems
like it would be some sort of combination ATOM and Local Switching, but I'm
not sure it's even possible.

Interworking would be done on RTR1 below:

pppcircuit-Ser1/0_RTR1_Gig0/0-Gig0/1_RTR2

Thanks for entertaining.


[c-nsp] Juniper Independent Domains

2012-09-26 Thread Nick Griffin
Anyone know of the Cisco equivalent?


[c-nsp] Cisco ASR 1006

2012-06-01 Thread Nick Griffin
I've got an upcoming deployment of an ASR 1006 on the horizon and was
looking for some feedback in regards to code versions. I've yet to
deploy any ASR's other than the 1001's. On the 6 or so I've deployed
in enterprise environments, they've been versions 3.4 and 3.5,
specifically asr1001-universalk9.03.05.01.S.152-1.S1.bin in one
scenario. This particular guy is a fully redundant 1006 with advanced
ip services, in a S/P environment and I was looking for some
recommendations, as far as code and any other glaring things. The box
will sit on the public side, but at this point will probably only
receive a default route. It will also have somewhere in the
neighborhood of 12-16 IPSec tunnels and be used solely for the
tunnels. Overall I've had good luck with the ASR platform, but this is
larger scale and wanted to pose the question.

Thanks in advance,

Nick Griffin


Re: [c-nsp] Line Protocol going down

2012-05-11 Thread Nick Griffin
If they are both set for auto speed and duplex, it seems like they
negotiated correctly. Looks like the cable is most likely bad.

Nick Griffin
CCIE 17381, S/P, R/S



On Fri, May 11, 2012 at 9:46 AM, Scott Voll svoll.v...@gmail.com wrote:
 I have a 2821(15.1(3)T2) connected to a 3560(12.2(55)SE3) and recently i
 have had the Line protocol between the two go down.

 The two are connected on a dot1q trunk.

 Sh int on the router:

 GigabitEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 001b.d470.8fa8 (bia
 001b.d470.8fa8)
  MTU 1500 bytes, BW 10 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is T
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters 13w2d
  Input queue: 0/75/36/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 55000 bits/sec, 28 packets/sec
  5 minute output rate 143000 bits/sec, 71 packets/sec
     1805047870 packets input, 3205641174 bytes, 1 no buffer
     Received 14405186 broadcasts (3085682 IP multicasts)
     14 runts, 0 giants, 22 throttles
     5895 input errors, 49 CRC, 1 frame, 0 overrun, 5831 ignored
     0 watchdog, 0 multicast, 0 pause input
     1591540763 packets output, 638093162 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     269848 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     50 lost carrier, 0 no carrier, 10 pause output
     0 output buffer failures, 0 output buffers swapped out

 sh int on the switch:

 FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0017.94ab.8103 (bia 0017.94ab.8103)
  Description: Router Port
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:34, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 641849
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 127000 bits/sec, 70 packets/sec
  5 minute output rate 87000 bits/sec, 32 packets/sec
     841389935 packets input, 363402231378 bytes, 0 no buffer
     Received 382643887 broadcasts (382078407 multicasts)
     7 runts, 0 giants, 0 throttles
     7 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 382078407 multicast, 18 pause input
     0 input packets with dribble condition detected
     1827233350 packets output, 2184911648917 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

 The are directly connected with a 5 foot patch cable.

 What are runts?  pause inputs?  unknown protocol drops?

 Since I'm seeing Inputs errors and CRC's is this a bad patch cable?  This
 Router and switch when setup did not get hard set for speed and duplex.
 could that be the issue?

 TIA

 Scott



[c-nsp] show stats question

2010-02-08 Thread Nick Griffin
Can anyone confirm the command below, the Chars/in/out reference, are the
results listed in bytes? I'm unable to find this command documented anywhere
on CCO to get a better description of the command and its output.

The 6509 “show stats” command gives the following information:

Vlan2
 Switching path      Pkts In    Chars In    Pkts Out   Chars Out
 Processor             14342     1650437        2492      166010
 Route cache             534       55212         149       11166
 Distributed cache   7169590  6090148689     8831508  9040962158
 Total               7184466  6091854338     8834149  9041139334

Thanks,

Nick Griffin


Re: [c-nsp] Layer 2 VLAN advice..

2010-02-03 Thread Nick Griffin
AFAIK, SRP was implemented/available in 12Ks and 7200s; I used it in a
CMTS environment. This was 5 years ago, not sure about the offering
nowadays.


On Wed, Feb 3, 2010 at 4:16 AM, Nick Hilliard n...@inex.ie wrote:

 On 02/02/2010 18:13, Peter Kranz wrote:
  The network is composed of 6509-e chassis with SUP 720 3BXL cards at all
  sites..
 
  So far respondents have recommended the following options (so many ways to
  skin this cat..!)
 
  EoMPLS
  Cisco Resilient Ethernet Protocol (REP)
  802.17 (RPR)
  Spatial Reuse Protocol (SRP)
  STP

 Of this list, sup720s and regular c65k lan cards support stp and eompls.
 RPR is supported on ONS gear, and REP is supported in some of the metro
 ethernet products (me3400 and me6500).  I don't think that SRP was ever
 implemented, was it?

 Anyway, standard warnings apply to STP configurations.

 Nick



Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Nick Griffin
Make sure ssh is setup for location authentication and possibly regenerate
your ssh keys:
this is what I usually do:

crypto key generate rsa general-keys modulus 2048

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL



Nick Griffin, CCIE #17381
Systems Consultant Alexander Open Systems
Direct 479.899.6830 ext 2609
AOS Scheduling - 417.888.2675

On Tue, Jul 14, 2009 at 9:05 AM, Jonathan Brashear 
jonathan.brash...@hq.speakeasy.net wrote:

 I'm a bit stumped on an issue I'm having with a particular 5505.
  Originally it was inaccessible via ASDM or SSH, but after a reboot it began
 to allow access via ASDM.  However, SSH is still not working.  I've verified
 that the username/pass is correct(it works through the ASDM) and that SSH
 access is allowed from the relevant IP range(I get to a password prompt),
 but it refuses to accept known good passwords from multiple accounts.  It
 thinks the password is bad, but only when done via SSH.  I haven't run into
 this issue with other ASAs that are configured identically and I can login
 to the other ASAs from the same terminal window so it shouldn't be something
 to do with my terminal emulation.  Any thoughts on why this may be
 happening?

 Network Engineer, JNCIS-M
  214-981-1954 (office)
  214-642-4075 (cell)
  jbrash...@hq.speakeasy.net
 http://www.speakeasy.net



Re: [c-nsp] ASA ssh difficulties

2009-07-14 Thread Nick Griffin
sorry, location = local :)

On Tue, Jul 14, 2009 at 9:15 AM, Nick Griffin nick.jon.grif...@gmail.com wrote:

 Make sure ssh is setup for location authentication and possibly regenerate
 your ssh keys:
 this is what I usually do:

 crypto key generate rsa general-keys modulus 2048

 aaa authentication telnet console LOCAL

 aaa authentication ssh console LOCAL

 aaa authentication http console LOCAL

 aaa authentication serial console LOCAL



 Nick Griffin, CCIE #17381
 Systems Consultant Alexander Open Systems
 Direct 479.899.6830 ext 2609
 AOS Scheduling - 417.888.2675

 On Tue, Jul 14, 2009 at 9:05 AM, Jonathan Brashear 
 jonathan.brash...@hq.speakeasy.net wrote:

 I'm a bit stumped on an issue I'm having with a particular 5505.
  Originally it was inaccessible via ASDM or SSH, but after a reboot it began
 to allow access via ASDM.  However, SSH is still not working.  I've verified
 that the username/pass is correct(it works through the ASDM) and that SSH
 access is allowed from the relevant IP range(I get to a password prompt),
 but it refuses to accept known good passwords from multiple accounts.  It
 thinks the password is bad, but only when done via SSH.  I haven't run into
 this issue with other ASAs that are configured identically and I can login
 to the other ASAs from the same terminal window so it shouldn't be something
 to do with my terminal emulation.  Any thoughts on why this may be
 happening?

 Network Engineer, JNCIS-M
  214-981-1954 (office)
  214-642-4075 (cell)
  jbrash...@hq.speakeasy.net
 http://www.speakeasy.net





Re: [c-nsp] ASA IPsec Tunnel Failover

2009-07-14 Thread Nick Griffin
Do you have any routers/layer 3 devices on the inside of the firewalls?
Weighted GRE tunnels always work well for this.

On Mon, Jul 13, 2009 at 3:14 PM, Munoz, Jeff jeff.mu...@swinc.com wrote:

 Hey guys, I have two main sites (site A and site B) and one remote site
 (site C).  Sites A and B have a metroethernet connection between them.
  Remote site C has an IPsec tunnel back to site A.  I'd like to setup
 failover so in case site A's ASA is down the remote site C ASA sends the
 interesting traffic down the site B IPsec tunnel.  Unfortunately, it will
 always match the tunnel to site A since the phase 2 access lists have the
 same source/destinations.  Any ideas on how I can do this?

 Thanks!

 Jeff



Re: [c-nsp] GSS and ACE

2009-04-23 Thread Nick Griffin
Thanks to everyone for responding. Very valuable information!
Nick Griffin

On Thu, Apr 23, 2009 at 9:02 AM, Tony Varriale tvarri...@comcast.net wrote:

 The GSS is definitely not that.

 If you use it with CNR, yes.  Since CNR is that product, shazam.

 But as said in my previous post, GSS still isn't a DNS server...it's more
 like a proxy.

 tv
 - Original Message - From: Brad Hedlund brhed...@cisco.com
 To: robbie.ja...@regions.com; Roland Dobbins rdobb...@cisco.com
 Cc: Cisco-nsp cisco-nsp@puck.nether.net; 
 cisco-nsp-boun...@puck.nether.net
 Sent: Wednesday, April 22, 2009 10:00 PM
 Subject: Re: [c-nsp] GSS and ACE



 On 4/22/09 10:39 AM, robbie.ja...@regions.com robbie.ja...@regions.com wrote:

  Saying that the GSS is its own DNS server isn't quite right


 Not true.  GSS can also operate entirely as a full blown DNS server.


 Using software versions 2.0 through 3.0(x), GSS product capabilities have
 been enhanced to allow the GSS to migrate to the top level of the DNS
 hierarchy


 http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v3.1/configuration/cli/gslb/guide/Intro.html#wp1264301



 Cheers

 Brad Hedlund
 bhedl...@cisco.com
 http://www.internetworkexpert.org









[c-nsp] GSS and ACE

2009-04-22 Thread Nick Griffin
Does anyone know if you can use, or even would want to use, a GSS appliance
without an ACE Module or Appliance? I like the idea of having data center
redundancy/global site selection, however I'm not so sure the load
balancing features of the ACE appliance are yet a requirement for the
particular design I am working with, or worth the cost.
Thanks in advance.

Nick Griffin


Re: [c-nsp] GSS and ACE

2009-04-22 Thread Nick Griffin
So say I had 2 datacenter locations, geographically dispersed, and I'm not
running BGP. I have similar web and SMTP servers at each location. I'm not
so much concerned that traffic gets load balanced to a cluster of servers
when traffic enters a particular data center (which is an ACE application);
instead I'm concerned about D/R. Say I lose Data Center 1, I want some DNS
magic to take place to say that mail.mydomain.com has moved from 10.1.1.5 to
10.1.2.5 at Data Center 2. Does that make sense?


On Wed, Apr 22, 2009 at 9:39 AM, Justin C Darby jcda...@usgs.gov wrote:


 Nick,

 The primary benefit to these things, AFAIK, is the ACE integration for load
 balancing. I'm pretty sure there are other options (mostly software)
 available to do the same DNS load balancing without ACE's, but - ACE's are
 a great way to add redundancy to a site, and GSS+ACE can handle load
 balancing across many access points with integrated service monitoring and
 the like. Doing that without a device like the ACE is pretty complicated.

 Justin

 -cisco-nsp-boun...@puck.nether.net wrote: -
 To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
 From: Nick Griffin
 Sent by: cisco-nsp-boun...@puck.nether.net
 Date: 04/22/2009 09:18AM
 Subject: [c-nsp] GSS and ACE

 Does anyone know if you can use, or even would want to use, a GSS appliance
 without an ACE Module or Appliance? I like the idea of having data center
 redundancy/global site selection, however I'm not so sure the load
 balancing features of the ACE appliance are yet a requirement for the
 particular design I am working with, or worth the cost. Thanks in advance.
 Nick Griffin




Re: [c-nsp] GSS and ACE

2009-04-22 Thread Nick Griffin
Right, my question was: does it require ACE appliances or modules to work? I
have the need for Global Site Selection, however I don't think I need the
application level load balancing at this point that is offered by the ACE.
Also, are there any ties to particular vendor DNS servers, i.e. CNR?

Gracias,

Nick Griffin
On Wed, Apr 22, 2009 at 9:52 AM, Roland Dobbins rdobb...@cisco.com wrote:


 On Apr 22, 2009, at 10:45 PM, Nick Griffin wrote:

  Does that make sense?


 Sure - GSS does that.

 ---
 Roland Dobbins rdobb...@cisco.com

  Our dreams are still big; it's just the future that got small.

   -- Jason Scott




Re: [c-nsp] GSS and ACE

2009-04-22 Thread Nick Griffin
Great, thanks to all. So am I to assume if I have X Data Centers, I need 1xX
GSSs for redundancy? In other words, if I had 2 sites and one GSS and the
GSS is at the site that lost internet connectivity, it's not going to do me
much good.
TIA

On Wed, Apr 22, 2009 at 10:21 AM, Roland Dobbins rdobb...@cisco.com wrote:


 On Apr 22, 2009, at 11:10 PM, Nick Griffin wrote:

  Right, my question was does it require ACE appliance or modules to work?


 No, can work independently, no problem.

  Also, are there any ties to particular vendor DNS servers, ie CNR?



 It can hook into CNR, and is also its own DNS server (can work with
 anything else, too, obviously, through delegation).

 ---
 Roland Dobbins rdobb...@cisco.com // +852.6904.8571 mobile

  Our dreams are still big; it's just the future that got small.

   -- Jason Scott




Re: [c-nsp] cisco command to show 10GE module type?

2009-04-18 Thread Nick Griffin
can you use show interface capabilities?

On Fri, Apr 17, 2009 at 11:41 PM, Engelhard Labiro engel.lab...@gmail.com wrote:

 Use command show int status

 Sent from my iPhone


 On 2009/04/18, at 11:04, Neil d neilding2...@gmail.com wrote:

  Hi all,

 Is there any command to show what kind of Xenpak 10G module is in the
 6704-10GE card? From the Cisco website, there are a bunch of them:

 • Cisco XENPAK-10GB-CX4
 • Cisco XENPAK-10GB-LX4
 • Cisco XENPAK-10GB-LRM
 • Cisco XENPAK-10GB-SR
 • Cisco XENPAK-10GB-LR / -LR+
 • Cisco XENPAK-10GB-ER / -ER+
 • Cisco XENPAK-10GB-ZR
 • Cisco XENPAK-10GB-LW (WAN PHY)

 The question is, how do I know which type is installed in the LC? Any command
 to check this instead of going onsite to check?

 TIA/Neil




[c-nsp] Cisco and Foundry and MST

2009-03-26 Thread Nick Griffin
I'm working with a client that is migrating to Foundry from Cisco and they
need to have interoperability on STP between the two vendors. I usually try
to do MST when I can, usually in a cisco environment, so I'm pretty
comfortable with it. Does anyone have any experience getting the 2 to play
together? It's a critical environment, so minimal disruption is required.
There is a core 6500 that can connects to a number of Cisco access switches,
the Cisco 6500 also connects into the Foundry FESX switches. I wanted to go
ahead and enable MST on the core 6500, and then working my way to the access
layer (assuming the interoperability works just fine), and then the Foundry
boxes. Just looking for any pro-pointers here to try to avoid baptism by
fire! Thanks in advance.

Nick Griffin
Systems Consultant, CCIE RS 17381


Re: [c-nsp] ASA O/S version 8

2009-02-02 Thread Nick Griffin
I've done a couple on 8.0.4(16); be aware of the SQL bug, CSCsu44598, in 8.0.4.



On Mon, Feb 2, 2009 at 10:47 AM, Justin M. Streiner strei...@cluebyfour.org wrote:

 On Mon, 2 Feb 2009, John Aldrich wrote:

  Hi, we just installed a new ASA, and the folks who sold it to us and
 configured it for us (I don't know the first thing about configuring it!
 G) said they had upgraded it to version 7.4 or something like that, but
 that there was a new O/S version 8 available. I'm wondering if this is
 something we ought to look at upgrading to ASAP or if it's something we
 ought to wait and let someone else get the bugs worked out of first? :-)


 Version 8.x for the ASA has been around for a while and I have a few ASAs
 running 8.0(4)ED without too many issues, but they're pretty basic setups
 (access control, layer 2 firewall, multiple contexts, no VPNs).  As far as
 upgrading the code goes, the main reasons to upgrade would be:
 1. To resolve a published security vulnerability in the code you're running
 now.  Cisco publishes bulletins at http://www.cisco.com/go/psirt/ and the
 bulletins are available to the public.  Note that while the bulletins are
 available, you might need a CCO login and a valid support contract to
 download new code and ASDM packages.
 2. To resolve a bug that isn't security related.
 3. To get access to a feature you need, if that feature isn't available in
 the code you're running.

 Also note that when the code is upgraded on a PIX or ASA, the ASDM (device
 manager) usually needs to be upgraded to match.

 jms




Re: [c-nsp] BGP - OSPF default route failover

2009-02-01 Thread Nick Griffin
As he mentioned above, I don't believe he will be receiving a default route
from the service provider that he can pass in via redistribution, so an
option available is to use the bgp default-information originate route-map
command he mentioned. I've used this in combination with IP SLA probes and
tracking recently to get the conditional announcement, and base it upon
upstream reachability, since in my case it's rare that line protocol on the
ISP circuit goes down because there is on-site service provider switching
equipment. I've used ICMP probes for this, but those tend to get dropped
from time to time; I've found a TCP connect probe to port 80 on some well
known web sites seems to work pretty well, at least for me. What I did was
tie a bogus static route to a particular IP address and tie an SLA TCP
connect to this; this static route is then referenced by the
default-information route-map, so when the TCP connect fails, BGP pulls the
default route out. It looked like this:

!
track 2 rtr 2 reachability
 delay down 10 up 120
!
router bgp 65501
 no synchronization
 bgp router-id 10.255.255.254
 bgp log-neighbor-changes
 neighbor 10.255.255.252 remote-as 65500
 neighbor 10.255.255.252 description *** eBGP Peering to HQ Switch 1 ***
 neighbor 10.255.255.252 password 7 supersekret
 neighbor 10.255.255.252 ebgp-multihop 2
 neighbor 10.255.255.252 update-source Loopback0
 neighbor 10.255.255.252 default-originate route-map CONDITIONAL_DEFAULT_ORIGINATE
 neighbor 10.255.255.252 soft-reconfiguration inbound
 no auto-summary
!
ip route 1.1.1.1 255.255.255.255 Null0 name Used_For_BGP_Default_Originate_DO_NOT_REMOVE track 2
ip route 0.0.0.0 0.0.0.0 upstreamisp
!
ip prefix-list TRACKED_ROUTE seq 5 permit 1.1.1.1/32
!
ip sla logging traps
ip sla schedule 1 life forever start-time now
ip sla 2
 tcp-connect 209.191.93.52 80 source-ip myipaddress source-port 52142 control disable
 timeout 5000
 frequency 10
ip sla reaction-configuration 2 react timeout threshold-type consecutive 2 action-type trapOnly
ip sla schedule 2 life forever start-time now
!
route-map CONDITIONAL_DEFAULT_ORIGINATE permit 10
 match ip address prefix-list TRACKED_ROUTE

Keep in mind, if you have iBGP adjacencies between the two routers, and one
of the routers is losing its eBGP default route and is now preferring that
default route via iBGP over the internal peering AND doing redistribution
into an IGP, i.e. OSPF, then you must use the bgp redistribute-internal
command at the BGP process level. This is in specific scenarios.

HTH,

Nick Griffin

On Sat, Jan 31, 2009 at 12:50 PM, Pete S. pshule...@gmail.com wrote:

 I'd imagine you aren't completely redistributing your BGP tables into
 OSPF, and from your diagram I'll assume you are doing iBGP between
 your edge routers already.  So build a prefix list, and route-map,
 which permits only the default route from BGP.  Redistribute the BGP
 process into OSPF, based on that route-map, as an E1 type.  This will
 put the default into your OSPF area, and traffic will flow towards the
 closest exit.  If you'd rather have a primary/secondary, use the OSPF E2
 type and assign a large metric to your secondary.

 I haven't checked the syntax, but this should probably point you in
 the right direction.

 !On your BGP routers
 !
 ip prefix-list bgp_default-ospf seq 5 permit 0.0.0.0/0
 ip prefix-list bgp_default-ospf seq 100 deny 0.0.0.0/0 ge 1 le 24
 !
 route-map bgp-ospf permit 10
  match ip address prefix-list bgp_default-ospf
 !
 router ospf 100
  ! I assign an arbitrary site ID, and then prepend my AS onto it, but whatever suits you; tag is optional
  ! select your own metric-type and metric depending on the exit behavior you want.
  redistribute bgp 65535 metric-type 2 metric 100 tag 6553501 route-map bgp-ospf
 !
 !
 !



 --Pete

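A caveat on the config posted above, added here as a worked example and not part of the original thread: the "neighbor ... password 7" line stores the BGP TCP MD5 key in Cisco's type-7 encoding, which is a fixed-key XOR and is reversed in a few lines of code. The "supersekret" in the post is obviously a placeholder (and not even a well-formed type-7 string), but a real one pasted into a public archive is the session key itself. The Python below decodes and encodes type-7 strings and scans a config dump for them; the sample config is constructed for the example, and the one genuine type-7 value in it is the widely published encoding of the word "cisco".

```python
import re

# Cisco's fixed type-7 XOR key stream. It has been public since the 1990s,
# which is why "password 7" is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a type-7 string: two decimal salt digits, then hex bytes that
    were XORed with the key stream starting at offset `salt`.
    Returns None when the input is not a well-formed type-7 string."""
    try:
        salt = int(encoded[:2], 10)
        body = bytes.fromhex(encoded[2:])
    except ValueError:
        return None
    if not 0 <= salt <= 15 or not body:
        return None
    plain = bytes(b ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


def type7_encode(plaintext, salt=0):
    """Produce the type-7 form IOS would store; handy for tests and for
    recognising what a leaked string will look like."""
    if not 0 <= salt <= 15:
        raise ValueError("IOS salts are 0..15")
    data = plaintext.encode("ascii")
    enc = bytes(c ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]
                for i, c in enumerate(data))
    return f"{salt:02d}{enc.hex().upper()}"


TYPE7_RE = re.compile(r"^\s*(?P<ctx>.*?)\bpassword 7 (?P<val>\S+)")


def find_type7_secrets(config_text):
    """Return (line, encoded, decoded-or-None) for every 'password 7' in a
    config dump: BGP/EIGRP neighbor keys, line passwords, key chains."""
    hits = []
    for line in config_text.splitlines():
        m = TYPE7_RE.match(line)
        if m:
            hits.append((line.strip(), m.group("val"),
                         type7_decode(m.group("val"))))
    return hits


# Constructed sample, not a real device config: one genuine type-7 string
# and one placeholder like the "supersekret" in the posted config.
SAMPLE_CONFIG = """\
router bgp 65501
 neighbor 10.255.255.252 remote-as 65500
 neighbor 10.255.255.252 password 7 060506324F41
line vty 0 4
 password 7 supersekret
"""

if __name__ == "__main__":
    for line, enc, dec in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r}: {enc} -> {dec!r}")
```

A BGP session key has to be recoverable by the router, so IOS can only obfuscate it; treat any "show running-config" output containing "password 7" as containing the secret in the clear and scrub it before posting, and rotate the key if a real one has already gone out.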


Re: [c-nsp] 6500 and VSS

2009-01-09 Thread Nick Griffin
So, I'm building this 6509/VSS in the configuration tool on Cisco's web
site, and I'm getting an error that concerns me. Whenever I select Advanced
IP Services, SXI, I think it's telling me I must also have a secondary
supervisor, basically for anything other than IP Base? Is this others'
experience? Those of you using AIP Services and higher, do you all have
redundant sups in a single chassis? My hope was for AIP Services and a
single 10G sup in each chassis.
Thanks!

Nick Griffin

On Mon, Dec 29, 2008 at 12:45 PM, Tim Durack tdur...@gmail.com wrote:

 On Mon, Dec 29, 2008 at 1:40 PM, Murphy, William
 william.mur...@uth.tmc.edu wrote:
  I was told by Cisco that SXI support both v6 and MPLS with VSS...  Can
  anyone else confirm this, and if so is anyone using VSS with these
 features
  in a production network?  Thanks...

 SXI does not. SXI(n) might.

 Tim:



[c-nsp] 6500 and VSS

2008-12-24 Thread Nick Griffin
Looking for some real world input here, so coming to the pros. Anyone using
6500s with VSS implemented? Looking for feedback from people who are using it
in production. I had heard a while back that there are issues with support
for ISSU; is this still the case? Just looking for some pros and cons.

Thanks in advance,

Nick Griffin


Re: [c-nsp] Adding connected routes in a VRF

2008-12-08 Thread Nick Griffin
You have to manually add host routes as the next hop since you can't add the
router itself. Another solution I found that worked was this:

BGP Support for IPv4 Prefix Import. This worked well for me; you just need
to make sure that the prefixes you wish to bring in from the global table
exist in the BGP GRT RIB. See the example below:

ip vrf VRF1
 import ipv4 unicast map GLOBAL-VRF
!
router bgp 1
 redistribute connected route-map CONNECTED-BGP metric 5
 !
 address-family ipv4 vrf VRF1
 exit-address-family
!
interface vlan X
 ip address 1.1.1.1 255.255.255.0
!
ip prefix-list GLOBAL-VRF permit 1.1.1.0/24
!
route-map GLOBAL-VRF permit 10
 match ip address prefix-list GLOBAL-VRF
!
route-map CONNECTED-BGP permit 10
 match interface vlan X

The other gotcha that irritated me a bit is that when you apply the IPv4 map
to the VRF to filter your global routes, this also seems to filter prefixes
imported via other RTs as well.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprofCommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2273a/1



On Mon, Dec 8, 2008 at 2:27 PM, [EMAIL PROTECTED] wrote:

 I would hope so. :)

 --
 Regards,

 Jason Plank
 CCIE #16560
 e: [EMAIL PROTECTED]

  -- Original message --
 From: Oliver Boehmer (oboehmer) [EMAIL PROTECTED]
  Ross Vandegrift  wrote on Monday, December 08, 2008 20:31:
 
   ip route 10.0.0.0 255.255.255.0 Vlan1234
  
   However, there's a syntax ambiguity when you place this in a VRF,
   since this is how you leak traffic out of a VRF:
  
   ip route vrf foobar 10.0.0.0 255.255.255.0 Vlan1234
   % For VPN routes, must specify a next hop IP address if not a
   point-to-point interface
  
   Is there any way to get the global table behavior in a VRF?
 
  No, the next-hop address is required..
 
oli
 
  P.S: I guess we would also require this for global if we implemented
  this today..




Re: [c-nsp] Default Route behaviour on PIX

2008-10-29 Thread Nick Griffin
In your lab, on the interface of your router facing your PIX, fas 0/0 for
example, do show ip int fas0/0 | i Proxy and you'll see that proxy ARP is
enabled. The PIX is trying to forward to 1.1.1.1 and the router is probably
doing proxy ARP, assuming your router thinks it knows how to get to 1.1.1.1.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml



On Tue, Oct 28, 2008 at 11:08 PM, Nic Passmore [EMAIL PROTECTED] wrote:

 All,

 This may be one of those things you know after working with PIX but I
 just can't seem to get my head around it. Say I have a PIX that is
 connected to a DSL router and is filtering traffic. The DSL connection
 has a ppp negotiated IP address from the ISP. The ISP is also routing
 a /30 via said address that is used to connect between the DSL router
 and the PIX (if it makes any difference, the DSL router in this case
 is an 827).

 The next-hop address set in the default route on this PIX is a
 nonsense address. It is definitely not a valid next-hop address.
 Despite this fact, the PIX still happily seems to forward traffic
 (this is working at the moment). I set the same configuration up in a
 lab and it exhibited the same behavior. The lab has a router connected
 to the Internet via the 30.30.30.0/30 network. The edge router and
 the PIX are connected via 30.30.40.0/30. If I set the next hop of the
 default route to 30.30.40.1 (the edge router side), traffic flows. If
 I set the next hop of the default route to 1.1.1.1, traffic flows?

 Is this a known thing? The PIX appears to just throw the traffic onto
 the outbound interface and hope for the best? I've tried this with both
 PIXOS 6.x and 7.x, both of which seem to exhibit the same behavior.
 I've included a snippet of the PIX config from the lab... in the hopes
 that maybe it is something I am doing?

  I would appreciate any insight..

 Cheers,

 Nic

 --- PIX Config from Lab --

 interface Ethernet0
  description Link to EDGE FA0/1
  nameif Outside
  security-level 0
  ip address 30.30.40.2 255.255.255.252
 !
 interface Ethernet1
  description Link to CLIENT FA0/0
  nameif Inside
  security-level 100
  ip address 192.168.1.254 255.255.255.0
 !
 access-list Outside-IN extended permit ip any any
 access-list Outside-OUT extended permit ip any any
 access-list Inside-IN extended permit ip any any
 access-list Inside-OUT extended permit ip any any
 !
 global (Outside) 10 interface
 nat (Inside) 10 0.0.0.0 0.0.0.0
 access-group Outside-IN in interface Outside
 access-group Outside-OUT out interface Outside
 access-group Inside-IN in interface Inside
 access-group Inside-OUT out interface Inside
 route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1



[c-nsp] Simple VRF ( I hope )

2008-08-20 Thread Nick Griffin
I have a scenario that I am trying to accomplish and I'm having some issues
getting my head around it. In the simplest form I have a client on VRF 1 and
a server in the global table and I want to enable communication between the
2 so I do 2 things:

2.2.2.0 is vrf 1 network and 1.1.1.0 is in the global table:

ip route 2.2.2.0 255.255.255.0 Vlan12 2.2.2.2
ip route vrf I1 1.1.1.0 255.255.255.0 1.1.1.2 global

The issue is with the global/next hop ip address on the vrf route. In my
scenario the global subnet is an svi on a layer 3 switch, of which the next
hop would be the switch itself. I cannot reference the switch itself as the
next hop because the IOS won't take the command, if I have 2
routers/switches parallel on the same subnet I can add the route on each
router reference the opposite router and all works well. There are scenarios
where I don't have 2 switches on the global subnet so I can't configure it
this way, and I don't know if this is desirable. It's clearly arp/cef
related, however am I missing something here? How would this normally be
handled?

I am not attempting to use the VRF's for security, hence the leaking between
the Global and the VRF, I am more so looking to control the VRF's egress to
the internet to avoid using policy based routing.

I hope this makes sense, thanks in advance!


[c-nsp] VRF Lite Route Propagation

2008-08-14 Thread Nick Griffin
I've figured out how to exchange routes between VRF's with the bgp address
family configuration coupled with redistribute static|connected, etc however
I'm trying to propagate this information and I'm having problems getting it
to work as desired. This is a VRF-Lite only environment, and what I'm trying
to accomplish is this. I would like to have separate VRF's for separate
internet connections, ie a 1 to 1 relationship. I would also like to be able
to get this default route from within the Internet 1 VRF into multiple
Client Vlan VRF's, as well as dynamically pass the client vlan connected
subnets back into the Internet 1 VRF. Exchanging between the VRFs on one
router isn't the issue, it's passing it dynamically from Internet 1 VRF to
another neighbor router in this same vrf say using OSPF or EIGRP that I'm
having trouble with. I get them to show up as B routes via the address
family configuration, but I am able to pass this to the neighboring router.

I hope this make sense.

Thanks in advance,

Nick Griffin


Re: [c-nsp] VRF Lite Route Propagation

2008-08-14 Thread Nick Griffin
I must be missing something, see below:

C1#sh ip route vrf I1

Gateway of last resort is 1.1.111.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.111.0 is directly connected, Ethernet0/0.111
     3.0.0.0/24 is subnetted, 1 subnets
B       3.3.3.0 is directly connected, 02:26:01, Ethernet0/0.333
     5.0.0.0/24 is subnetted, 1 subnets
B       5.5.5.0 is directly connected, 02:26:01, Ethernet0/0.555   <-- want this in the I1 VRF on R1
O*E2 0.0.0.0/0 [110/1] via 1.1.111.1, 02:26:01, Ethernet0/0.111
C1#



router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf VRF3
 network 3.3.3.1 0.0.0.0
 no auto-summary
 autonomous-system 1
 exit-address-family
!
router ospf 1 vrf I1
 log-adjacency-changes
 redistribute static metric 1 subnets
 redistribute bgp 1 metric 5 subnets   <-- do this, you said
 network 1.1.111.2 0.0.0.0 area 0
!
router bgp 1
 no synchronization
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VRF5
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf VRF3
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf I1
 redistribute connected
 redistribute ospf 1 vrf I1 metric 5 match internal external 1 external 2
 default-information originate
 no auto-summary
 no synchronization
 exit-address-family



R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.111.2         1   FULL/DR         00:00:33    1.1.111.2       FastEthernet0/0.111
R1#sh ip route vrf I1

Gateway of last resort is 1.1.11.254 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 2 subnets
C       1.1.11.0 is directly connected, FastEthernet0/0.11
C       1.1.111.0 is directly connected, FastEthernet0/0.111
     2.0.0.0/24 is subnetted, 1 subnets
S       2.2.2.0 [1/0] via 1.1.12.2
     3.0.0.0/24 is subnetted, 1 subnets
S       3.3.3.0 [1/0] via 1.1.111.2
S*   0.0.0.0/0 [1/0] via 1.1.11.254

R1#sh ip ospf database

            OSPF Router with ID (1.1.111.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.111.1       1.1.111.1       1524        0x8028     0x0072CB 1
1.1.111.2       1.1.111.2       1473        0x8028     0x00131F 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.111.2       1.1.111.2       1473        0x8027     0x000F38

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         1.1.111.1       1524        0x8027     0x00CB4E 1
3.3.3.0         1.1.111.2       141         0x8001     0x000A57 3489660929
5.5.5.0         1.1.111.2       141         0x8001     0x00C199 3489660929
R1#

On Thu, Aug 14, 2008 at 10:39 AM, Jeff Kell [EMAIL PROTECTED] wrote:

 Nick Griffin wrote:

 I've figured out how to exchange routes between VRF's with the bgp address
 family configuration coupled with redistribute static|connected, etc
 however
 I'm trying to propagate this information and I'm having problems getting
 it
 to work as desired.


 I'll take a guess at your problem...

 If you have everything centralized into one PE doing your intra-VRF iBGP,
 and also providing VRF-specific routing processes...

 The intra-VRF routes are propagated locally via iBGP and the vrf
 route-target import/export specifications.

 To redistributed learned routes from the VRF-specific routing processes
 into the iBGP mesh, you must 'redistribute [protocol]' in the BGP
 address-family ipv4 vrf specification.

 To redistributed learned routes from the iBGP import/export process back
 into the VRF-specific routing processes, you must 'redistribute bgp [asn]'
 in the routing process vrf specification.

 Jeff





[c-nsp] C3750-24PS and VRF-Lite/Multi VRF

2008-07-09 Thread Nick Griffin
I am thinking that I should be able to create sub-interfaces on these
devices to be used for multiple vrf's, but maybe I'm confused. I have some
routed core/dist links I need to maintain as well as extended some services
via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable
to configure a subinterface. Am I missing something, does this require a
3750E?

interface FastEthernet1/0/1
 no switchport
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet1/0/1.100
 ! one subinterface per VRF
 ip vrf forwarding VRF1
 ip address 2.2.2.2 255.255.255.0

Hope this makes sense, thanks in advance,

Nick Griffin


Re: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF

2008-07-09 Thread Nick Griffin
I think I must need the metro switch for this: Take a look at Configuring
the PE Switch B at this url:

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.1_14_ax/configuration/guide/swiprout.html#wp1258623



On Wed, Jul 9, 2008 at 10:44 AM, Marko Milivojevic [EMAIL PROTECTED]
wrote:

 I think that you need to use SVI's (interface vlan xxx) combined with
 trunks on these boxes. They don't support subinterfaces, as far as I
 recall.

 On Wed, Jul 9, 2008 at 15:35, Nick Griffin [EMAIL PROTECTED]
 wrote:
  I am thinking that I should be able to create sub-interfaces on these
  devices to be used for multiple vrf's, but maybe I'm confused. I have
 some
  routed core/dist links I need to maintain as well as extended some
 services
  via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still
 unable
  to configure a subinterface. Am I missing something, does this require a
  3750E?
 
  interface FastEthernet1/0/1
   no switchport
   ip address 1.1.1.1 255.255.255.0
  !
  interface FastEthernet1/0/1.100
   ! one subinterface per VRF
   ip vrf forwarding VRF1
   ip address 2.2.2.2 255.255.255.0
 
  Hope this makes sense, thanks in advance,



Re: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF

2008-07-09 Thread Nick Griffin
If anyone can confirm that the dotted subinterface configurations can be
configured on the 3750ME's, that would be excellent.


Nick Griffin

On Wed, Jul 9, 2008 at 1:29 PM, Jeff Kell [EMAIL PROTECTED] wrote:

 Marko Milivojevic wrote:

 I think that you need to use SVI's (interface vlan xxx) combined with
 trunks on these boxes. They don't support subinterfaces, as far as I
 recall.


 Yes, you need trunks for the CE/PE links and SVIs/VLANs for each VRF you
 want to transport across almost all of the Catalysts below 6500.

 Some you can GRE-tunnel across a P2P L3 link, but that isn't officially
 supported on some, and is process switched on all.

 Dotted interfaces are primarily a true router-ism (WAN).

 Jeff




Re: [c-nsp] WLC and LWAPP Aps

2008-07-06 Thread Nick Griffin
You should be asking yourself how many access points the controller itself
can accommodate. I imagine that the DHCP server will let you dole out DHCP
scopes all day long, but at the end of the day the controllers are bound to
a maximum number of access points. If your AP-manager and your management
interface are on the same subnet, it's a great idea to place the access
points you're talking about on the same VLAN/subnet so that they may
discover the controller via L2 broadcast frames; otherwise you get to do
some TLV conversions to configure DHCP option 43. In your situation, since
this is your first deployment, I would recommend priming the access points
as I mentioned above. You will also need to configure the IP address of the
controller under the management, and probably the AP-manager, interface.


HTH,

Nick Griffin

On Fri, Jul 4, 2008 at 8:42 AM, Dracul [EMAIL PROTECTED] wrote:

 Additional query.

 On Fri, Jul 4, 2008 at 2:15 AM, Joerg Mayer [EMAIL PROTECTED] wrote:

  On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote:
   Has anyone done smooth installs with Cisco WLC 4404 series with AIR
 1131.
  I
   cannot seem to make the lighweight AP to get IP address from
   the internal DHCP server of the WLC let more the LW AP be discovered by
  the
   4404. used Layer2 and Layer 3 mode already
 
  How about some more details? Are AP and management-if in the same
 network?
  If not, what have you done to make sure that the AP knows where to find
 it?
  If all fails: You can configure the managementi-if address directly on
 the
  lw-ap command line.
 
   Ciao
Joerg
  --
  Joerg Mayer   [EMAIL PROTECTED]
  We are stuck with technology when what we really want is just stuff that
  works. Some say that should read Microsoft instead of technology.
 



 --
 ===
 Support www.gawadkalinga.org

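The option 43 TLV conversion Nick refers to above, as an added worked example that is not part of the original thread: Cisco lightweight APs look for vendor-specific sub-option 0xF1, whose value is the concatenated IPv4 management addresses of the controllers (so the length byte is 4 times the number of controllers), and IOS takes the result as "option 43 hex <string>" inside the DHCP pool. The Python below builds that string, parses one back while checking the TLV lengths, and renders a pool; the pool name, subnet and controller addresses are made up for the example.

```python
import ipaddress

# Cisco vendor-specific sub-option carrying WLC management addresses
# (the "f1" the controller deployment guides tell you to type).
CISCO_WLC_SUBOPTION = 0xF1


def build_option43(controllers):
    """Return the DHCP option 43 hex string for Cisco LWAPP/CAPWAP APs.

    Layout: 1 byte sub-option type (0xF1), 1 byte length (4 * N),
    then N packed IPv4 addresses of the controller management interfaces.
    """
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte TLV length")
    return f"{CISCO_WLC_SUBOPTION:02x}{len(payload):02x}{payload.hex()}"


def parse_option43(hexstr):
    """Walk the TLVs in an option 43 hex string and return the controller
    addresses found in sub-option 0xF1, validating lengths on the way.
    Other sub-options are skipped rather than rejected."""
    data = bytes.fromhex(hexstr)
    found = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        sub_type, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("TLV value shorter than its declared length")
        if sub_type == CISCO_WLC_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option f1 length must be a multiple of 4")
            found.extend(str(ipaddress.IPv4Address(value[i:i + 4]))
                         for i in range(0, length, 4))
        pos += 2 + length
    return found


def ios_dhcp_pool(pool_name, network, mask, gateway, controllers):
    """Render an IOS DHCP pool that hands the option to APs. Pool name and
    addressing are whatever the caller passes (hypothetical in the demo)."""
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f" option 43 hex {build_option43(controllers)}",
    ])


if __name__ == "__main__":
    # Constructed example: two controllers on a made-up AP VLAN.
    print(ios_dhcp_pool("AP-VLAN", "192.168.10.0", "255.255.255.0",
                        "192.168.10.1", ["192.168.10.5", "192.168.10.20"]))
```

Whichever server hands out the option, check the result with the parser before trusting it: a single mistyped nibble shifts every following address, and the AP will quietly join nothing or, worse, whatever controller the garbage happens to spell.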


Re: [c-nsp] PBR noob question

2008-06-19 Thread Nick Griffin
You can source traces from any interface on the router; type trace and press
Enter for the extended options. You won't be able to test this from the
router itself unless you configure ip local policy, to perform local policy
routing.

Nick Griffin

On Thu, Jun 19, 2008 at 4:49 PM, Adam Greene [EMAIL PROTECTED] wrote:

 Hi,

 I'm setting up basic PBR on a remote router (3640, IOS 12.3(26)) and am
 having some problems testing whether it's working.

 
 access-list 20 permit 10.10.60.1 0.0.1.255
 !
 route-map Special_Subnet
  match ip address 20
  set ip default next-hop 10.10.34.2
 !
 int f1/0
  ip address 192.168.2.1 255.255.255.252
 !
 int f2/0
  ip address 10.10.34.1 255.255.255.252
 !
 int f3/0
  ip address 172.20.20.1 255.255.255.0
  ip address 10.10.60.1 255.255.254.0 secondary
  ip policy route-map Special_Subnet
 !
 ip route 0.0.0.0 0.0.0.0 192.168.2.2
 

 I guess the main question is, when I ping from the router CLI, to an IP
 address not in the routing table, with a source address of 10.10.60.1,
 will the ping packets be sent to 10.10.34.2? Or will only the packets sent
 by hosts in the 10.10.60.0/23 range, connected to int f3/0, be sent to
 10.10.34.2?

 Unfortunately, the IOS doesn't support the /source option on traceroute
 commands, so I can't test in that way, and at the moment, I have nothing
 connected to int f3/0 in the 10.10.60.1/23 range 

 Thanks for your help,
 Adam




Re: [c-nsp] Large GLBP installations

2008-06-10 Thread Nick Griffin
I have used it quite a bit, however not in that many groups. I have done
this at at least 4 deployments, with somewhere in the neighborhood of 50
groups. Usually 12.2(18) and a couple with 12.2(33)SXH1.
Nick Griffin

On Tue, Jun 10, 2008 at 11:27 AM, Jerome Covini [EMAIL PROTECTED] wrote:

 One of my customers has been running into a very similar problem after 1.5
 year of GLBP stability.
 Running Quad SUP720-3B's + PFC 3B's onto 12.2.18SXD=8 IIRC, GLBP running
 in round-robin mode for server LB'ing.
 Can you let me know if a Cisco bugid has been already created following
 your TAC request ?

 My overall feeling is that GLBP is nevertheless mature enough for
 deployment, but indeed, like the good old HSRP doesn't ARP bug, we
 still encounter a few youth issues, fortunately in this case affecting only
 the log buffer. Cosmetic.

 Jerome Covini



 Ross Vandegrift wrote:

 GLBP interfaces are constantly flapping which switch is the active
 master of the GLBP group.  The flapping is not service impacting,
 doesn't elevate CPU, but floods the logs constantly with useless
 garbage.  HSRP interfaces behave perfectly well.






Re: [c-nsp] T1 configuration

2008-06-09 Thread Nick Griffin
Yes, they will display in the configuration after your time slots are
provisioned.

On Mon, Jun 9, 2008 at 11:15 AM, Paul Stewart [EMAIL PROTECTED] wrote:

 Hi there..

 We have a 6509 (sup2) installed and about to bring up some T1 interfaces on
 it.. confused over the configuration and only have a limited window of time
 to try and implement off hours tonight ;)

 WS-X6182-2PA port adapters with PA-MC-8T1 cards are installed in this
 box...

 Currently, the configuration shows:

 controller T1 6/0/0
  framing esf
  linecode b8zs
 !
 controller T1 6/0/1
  framing esf
  linecode b8zs
 !
 controller T1 6/0/2
  framing esf
  linecode b8zs
 !
 controller T1 6/0/3
  framing esf
  linecode b8zs
 !
 controller T1 6/0/4
  framing esf
  linecode b8zs
 !
 controller T1 6/0/5
  framing esf
  linecode b8zs
 !
 controller T1 6/0/6
  framing esf
  linecode b8zs
 !
 controller T1 6/0/7
  framing esf
  linecode b8zs

 I expected to see serial interfaces further down in the configuration but
 nothing is showing... I checked Cisco.com and it keeps referencing
 configuration on the Serial interfaces (which is the way we have it on
 5350/5400 boxes for channelized).  Is this because I need to configure
 timeslots still on the controller?

 Thanks,


 Paul





[c-nsp] Nexus 7000

2008-04-01 Thread Nick Griffin
I am curious to hear from those that have begun to implement or are
currently reviewing the Nexus 7000 platform. I have been doing some research
and I like what I hear. Now I'm interested in receiving some feedback from
the guys on the ground, good, bad or indifferent. Thanks in advance.

Nick Griffin


Re: [c-nsp] Cisco 2811

2008-03-27 Thread Nick Griffin
Well, how much of an increase in traffic did you add to this one FE
interface by adding multiple VLANs to it? Keep in mind the hairpinning of
traffic in and back out the same interface. Could you offload this process to
a L3 switch?

On Thu, Mar 27, 2008 at 2:01 PM, Ravi Patwari [EMAIL PROTECTED] wrote:

 Dear all,

 When I configure many(about 8) subinterfaces on one of the fastethernet
 ports and connect the port to a switch as a trunk port, port speed per
 subinterface drops almost to 10% of what it was before when it was a
 single
 interface only.

 Would appreciate if  any one can throw some ideas my way.

 Regards

 Ravi




Re: [c-nsp] QOS Configuration Help

2008-03-06 Thread Nick Griffin
I've experienced and tried this only on the Sup Vs. I would assume, though I
have never tested it, that you'd see the same results on the 4948, since they
are pretty much identical from an OS/platform standpoint. A good hint is
whether the 4948 will actually even LET you place QoS commands on the port
channel itself. If it will, I would apply them there too, unless someone can
tell me this would actually hurt something. The 3560/3750 won't let you do it.

HTH,

Nick Griffin

On Wed, Mar 5, 2008 at 11:42 PM, Mike Louis [EMAIL PROTECTED] wrote:

 Is the stripping particular to the 4500 chassis? Have you experience
 similar results with the 4948 series as well?

 What supervisors did you experience this with on the 4500?
 
 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 On Behalf Of Nick Griffin [EMAIL PROTECTED]
 Sent: Thursday, March 06, 2008 12:11 AM
 To: Dan Letkeman
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] QOS Configuration Help

 Some other things to watch out for are your trunk links and port channels.
 For example, on a 3750/3560 you would configure trust dscp on the physical
 member interfaces, not the port channel. If for example you have channels on
 a 4500 you should put the trust commands on both the port channel as well as
 the physical member interfaces. This has specifically caused me issues with
 removing markings in the past; the 4500 will strip it if you don't have it
 on the port channel too.

 On Wed, Mar 5, 2008 at 6:20 PM, Dan Letkeman [EMAIL PROTECTED]
 wrote:

  Thanks Nick.  That does make sense.  I have a polycom vsx 6000 that is
  marking the packets already.  So what you are saying is I shouldn't
  need to have an acl to match the traffic if the port is setup properly
  because the device is tagging the traffic with the correct values.  I
  will try wireshark and see what It comes up with.
 
  Dan.
 
  On Wed, Mar 5, 2008 at 5:46 PM, Nick Griffin [EMAIL PROTECTED]
 
  wrote:
    Well that depends. If you're doing the trust dscp on the port facing the
    video server, as well as your interconnects, and your video application is
    tagging dscp values appropriately, then you don't need an acl for
    classification as it's already classified by the application itself. It's
    not that the ACL is NOT working, it's that the CLI output will not show it
    because of the way these switches perform qos. You won't get the output you
    would expect from a router. The best thing to do to get your head around it
    is to grab some test equipment and a packet sniffer and capture some
    packets, change some things and see how it works. Also, have a gander at
    End to End QoS Network Design.
  
   HTH,
  
   Nick Griffin
  
  
  
   On Wed, Mar 5, 2008 at 5:20 PM, Dan Letkeman [EMAIL PROTECTED]
  wrote:
  
     Ok, that would explain some of my problems.  But my main question is
     why won't the 2960 get a match on the ACL?  I even changed the ACL to
     permit ip any any and it still didn't get a match.  Without that acl
     getting a match nothing will work.
   
   
   
   
   
On Wed, Mar 5, 2008 at 4:59 PM, Mike Louis [EMAIL PROTECTED] wrote:
      Also, native vlan will not have a cos value on the trunk link. You will
      have to trust DSCP on that link to have it match the dscp setting from
      the downstream switch since native is passed w/o dot1q header.


  -Original Message-
  From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Nick Griffin
  Sent: Wednesday, March 05, 2008 5:46 PM
  To: Dan Letkeman


 Cc: cisco-nsp@puck.nether.net
  Subject: Re: [c-nsp] QOS Configuration Help

  I'm pretty certain you will not get output on this information
  based on
   the
  qos works on these devices, specifically the 3560/3750. The best
  way to
  check this stuff out from what I've seen on the CLI is show mls
  qos
  interface x/y statistics. This will give you an idea of the DSCP
   values
  coming into and leaving the particular interface. Make sure your
   dscp/cos to
  queue mappings are configured the way you want, ie what dscp
 value
  maps
   to
  which queue. Priority queue on the 3560 is by default 1 on the
  3560,
   not
  sure on the 2960.

  On Wed, Mar 5, 2008 at 4:32 PM, Dan Letkeman 
 [EMAIL PROTECTED]
  
   wrote:

   Hello,
  
   I am in the process of configuring QOS for our video system.
   Currently I'm having trouble configuring our 2960's with srr
  queuing.
   I have not yet tackled the 3560's.
  
   Here is the config I'm working with, there are more 3560's and
   2960's,
   but this should give an idea on how I have configured them:
  
   3560:
  
   class-map match-any VIDEO
match access-group name POLYCOM
   !
   policy-map in
class VIDEO
 set dscp af41
   !
   interface FastEthernet0/24
   description test trunk

Re: [c-nsp] QOS Configuration Help

2008-03-05 Thread Nick Griffin
I'm pretty certain you will not get output on this information based on the
way qos works on these devices, specifically the 3560/3750. The best way to
check this stuff out from what I've seen on the CLI is show mls qos
interface x/y statistics. This will give you an idea of the DSCP values
coming into and leaving the particular interface. Make sure your dscp/cos to
queue mappings are configured the way you want, ie what dscp value maps to
which queue. Priority queue on the 3560 is by default 1 on the 3560, not
sure on the 2960.

On Wed, Mar 5, 2008 at 4:32 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

 Hello,

 I am in the process of configuring QOS for our video system.
 Currently I'm having trouble configuring our 2960's with srr queuing.
 I have not yet tackled the 3560's.

 Here is the config I'm working with, there are more 3560's and 2960's,
 but this should give an idea on how I have configured them:

 3560:

 class-map match-any VIDEO
  match access-group name POLYCOM
 !
 policy-map in
  class VIDEO
   set dscp af41
 !
 interface FastEthernet0/24
 description test trunk to 2960
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport trunk allowed vlan 500
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 srr-queue bandwidth limit 20
 priority-queue out
 mls qos trust cos
 spanning-tree portfast
 !
 ip access-list extended POLYCOM
  permit ip host 192.168.50.12 any


 2960:

 class-map match-any VIDEO
  match access-group name POLYCOM
 !
 policy-map in
  class VIDEO
   set precedence 4
 !
 interface FastEthernet0/1
  description - Codec plugged in here
  switchport access vlan 500
  switchport mode access
  ip access-group POLYCOM in
  srr-queue bandwidth share 10 10 60 20
  srr-queue bandwidth shape  10  0  0  0
  auto qos voip trust
  spanning-tree portfast trunk
  service-policy input in

 interface FastEthernet0/24
  description - trunk to 3560
  switchport trunk native vlan 500
  switchport trunk allowed vlan 500
  switchport mode trunk
  srr-queue bandwidth share 10 10 60 20
  srr-queue bandwidth shape  10  0  0  0
  srr-queue bandwidth limit 35
  priority-queue out
  auto qos voip trust
  spanning-tree portfast trunk

 ip access-list extended POLYCOM
  permit ip host 192.168.50.12 any

 I'm not exactly sure what is happening, but I'm not getting any hits
 on the ACLs.  The Codec is 192.168.50.12, the trunks are all
 working, and the network is working fine.

 Is there something i'm missing?

 Thanks,
 Dan.
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] QOS Configuration Help

2008-03-05 Thread Nick Griffin
Well that depends, if you're doing the trust dscp on the port facing the video
server, as well as your interconnects and your video application is tagging
dscp values appropriately, then you don't need an acl for classification as
it's already classified by the application itself. It's not that the ACL is
NOT working, it's that the CLI output will not show it because of the way
these switch devices perform qos. You won't get the output you would
expect from a router. The best thing to do to get your head around it is to
grab some test equipment and a packet sniffer and capture some packets,
change some things and see how it works. Also, have a gander at End to End
QoS network design.

HTH,

Nick Griffin

On Wed, Mar 5, 2008 at 5:20 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

 Ok, that would explain some of my problems.  But my main question is
 why won't the 2960 get a match on the ACL?  I even changed the ACL to
 permit ip any any and it still didn't get a match.  Without that acl
 getting a match nothing will work.


 On Wed, Mar 5, 2008 at 4:59 PM, Mike Louis [EMAIL PROTECTED] wrote:
  Also, native vlan will not have a cos value on the trunk link. You will
 have to trust DSCP on that link to have it match the dscp setting from the
 downstream switch since native is passed w/o dot1q header
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Griffin
   Sent: Wednesday, March 05, 2008 5:46 PM
   To: Dan Letkeman
   Cc: cisco-nsp@puck.nether.net
   Subject: Re: [c-nsp] QOS Configuration Help

   I'm pretty certain you will not get output on this information based on
   the way qos works on these devices, specifically the 3560/3750. The best
   way to check this stuff out from what I've seen on the CLI is show mls
   qos interface x/y statistics. This will give you an idea of the DSCP
   values coming into and leaving the particular interface. Make sure your
   dscp/cos to queue mappings are configured the way you want, ie what dscp
   value maps to which queue. Priority queue on the 3560 is by default 1 on
   the 3560, not sure on the 2960.

   On Wed, Mar 5, 2008 at 4:32 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

 Hello,

 I am in the process of configuring QOS for our video system.
 Currently I'm having trouble configuring our 2960's with srr queuing.
 I have not yet tackled the 3560's.

 Here is the config I'm working with, there are more 3560's and 2960's,
 but this should give an idea on how I have configured them:
   
3560:
   
class-map match-any VIDEO
 match access-group name POLYCOM
!
policy-map in
 class VIDEO
  set dscp af41
!
interface FastEthernet0/24
description test trunk to 2960
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport trunk allowed vlan 500
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
srr-queue bandwidth limit 20
priority-queue out
mls qos trust cos
spanning-tree portfast
!
ip access-list extended POLYCOM
 permit ip host 192.168.50.12 any
   
   
2960:
   
class-map match-any VIDEO
 match access-group name POLYCOM
!
policy-map in
 class VIDEO
  set precedence 4
!
interface FastEthernet0/1
 description - Codec plugged in here
 switchport access vlan 500
 switchport mode access
 ip access-group POLYCOM in
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 auto qos voip trust
 spanning-tree portfast trunk
 service-policy input in
   
interface FastEthernet0/24
 description - trunk to 3560
 switchport trunk native vlan 500
 switchport trunk allowed vlan 500
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 srr-queue bandwidth limit 35
 priority-queue out
 auto qos voip trust
 spanning-tree portfast trunk
   
ip access-list extended POLYCOM
 permit ip host 192.168.50.12 any
   
 I'm not exactly sure what is happening, but I'm not getting any hits
 on the ACLs.  The Codec is 192.168.50.12, the trunks are all
 working, and the network is working fine.
   
Is there something i'm missing?
   
Thanks,
Dan.
 
 
 
 

Re: [c-nsp] QOS Configuration Help

2008-03-05 Thread Nick Griffin
Some other things to watch out for are your trunk links and port channels.
For example, on a 3750/3560 you would configure trust dscp on the physical
member interfaces not the port channel. If for example you have channels on
a 4500 you should put the trust commands on both the port channel as well as
the physical member interfaces. This has specifically caused me issues with
removing markings in the past, the 4500 will strip it if you don't have it
on the port channel too.

On Wed, Mar 5, 2008 at 6:20 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

 Thanks Nick.  That does make sense.  I have a polycom vsx 6000 that is
 marking the packets already.  So what you are saying is I shouldn't
 need to have an acl to match the traffic if the port is set up properly
 because the device is tagging the traffic with the correct values.  I
 will try wireshark and see what it comes up with.

 Dan.

 On Wed, Mar 5, 2008 at 5:46 PM, Nick Griffin [EMAIL PROTECTED] wrote:
  Well that depends, if you're doing the trust dscp on the port facing the
  video server, as well as your interconnects and your video application is
  tagging dscp values appropriately, then you don't need an acl for
  classification as it's already classified by the application itself. It's
  not that the ACL is NOT working, it's that the CLI output will not show it
  because of the way these switch devices perform qos. You won't get the
  output you would expect from a router. The best thing to do to get your
  head around it is to grab some test equipment and a packet sniffer and
  capture some packets, change some things and see how it works. Also, have
  a gander at End to End QoS network design.

  HTH,

  Nick Griffin

  On Wed, Mar 5, 2008 at 5:20 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

   Ok, that would explain some of my problems.  But my main question is
   why won't the 2960 get a match on the ACL?  I even changed the ACL to
   permit ip any any and it still didn't get a match.  Without that acl
   getting a match nothing will work.

   On Wed, Mar 5, 2008 at 4:59 PM, Mike Louis [EMAIL PROTECTED] wrote:
    Also, native vlan will not have a cos value on the trunk link. You will
    have to trust DSCP on that link to have it match the dscp setting from
    the downstream switch since native is passed w/o dot1q header

    -Original Message-
    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Griffin
    Sent: Wednesday, March 05, 2008 5:46 PM
    To: Dan Letkeman
    Cc: cisco-nsp@puck.nether.net
    Subject: Re: [c-nsp] QOS Configuration Help

    I'm pretty certain you will not get output on this information based
    on the way qos works on these devices, specifically the 3560/3750. The
    best way to check this stuff out from what I've seen on the CLI is show
    mls qos interface x/y statistics. This will give you an idea of the
    DSCP values coming into and leaving the particular interface. Make sure
    your dscp/cos to queue mappings are configured the way you want, ie
    what dscp value maps to which queue. Priority queue on the 3560 is by
    default 1 on the 3560, not sure on the 2960.

    On Wed, Mar 5, 2008 at 4:32 PM, Dan Letkeman [EMAIL PROTECTED] wrote:

     Hello,

     I am in the process of configuring QOS for our video system.
     Currently I'm having trouble configuring our 2960's with srr queuing.
     I have not yet tackled the 3560's.

     Here is the config I'm working with, there are more 3560's and 2960's,
     but this should give an idea on how I have configured them:

     3560:

     class-map match-any VIDEO
      match access-group name POLYCOM
     !
     policy-map in
      class VIDEO
       set dscp af41
     !
     interface FastEthernet0/24
     description test trunk to 2960
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 500
     switchport trunk allowed vlan 500
     switchport mode trunk
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape  10  0  0  0
     srr-queue bandwidth limit 20
     priority-queue out
     mls qos trust cos
     spanning-tree portfast
     !
     ip access-list extended POLYCOM
      permit ip host 192.168.50.12 any

     2960:

     class-map match-any VIDEO
      match access-group name POLYCOM
     !
     policy-map in
      class VIDEO
       set precedence 4
     !
     interface FastEthernet0/1
      description - Codec plugged in here
      switchport access vlan 500
      switchport mode access
      ip access-group POLYCOM in
      srr-queue bandwidth share 10 10 60 20
      srr-queue bandwidth shape  10  0  0  0
      auto qos voip trust
      spanning-tree portfast trunk
      service-policy input in

     interface FastEthernet0/24
      description - trunk to 3560
      switchport trunk native vlan 500
Re: [c-nsp] Multiple Spanning Tree

2008-03-01 Thread Nick Griffin
From what I've seen it also appears to cause some issues adding new vlans to
instances. I try to make sure my vlan to mst mappings are as close to final
as possible to avoid service disruption when needing to change vlan/instance
mappings later. Btw, this is next to impossible ;)

Nick Griffin




On Sat, Mar 1, 2008 at 8:26 PM, mack [EMAIL PROTECTED] wrote:

 Has anyone had any experience making changes to MST networks?
 If so what advice can you offer.

 Pointers I have previously gleaned:

 Break redundant loops not carrying traffic
 Watch out for boundary ports
 Update from the edge to the root

 --
 LR Mack McBride
 Network Administrator
 Alpha Red, Inc.


Re: [c-nsp] 7600Sup720/6500Sup720

2007-05-30 Thread Nick Griffin
I do have access. I'm not as concerned about the features; most should
include what I am looking for. I'm concerned with going with software that
is up to date and supported on the device I will be using, ie running SXF
code on a 720 in a 7606. Just wondering if there are any concerns with that?

Thanks,

On 5/29/07, Phil Bedard [EMAIL PROTECTED] wrote:

 Do you have access to feature navigator, with that you can compare
 the features of the images side by side.
 With what you have listed there, which is fairly basic, you should be
 able to run 12.2(18)SXF software on both devices.
 12.2(33)SRA/SRB are the software trains that only run on the 7600
 platform, but I'm not sure you require the features those trains
 provide.

 Phil


 On May 29, 2007, at 4:26 PM, Nick Griffin wrote:

  I'm looking for recommendations regarding IOS software to be deployed on
  2 new 7600's and 2 new 6500's. The 6500 will be in the core of the
  network terminating server stacks via 4948's. They will have redundant
  connections to 7600's that will terminate the ISP connectivity via
  provider managed MPLS. They will need to be able to provide bgp as well
  as a redundant FHRP preferably GLBP. I'm a little confused with all the
  talk of the product split and code changes, simply looking for
  recommendations.

  TIA,

  Nick Griffin


[c-nsp] 7600Sup720/6500Sup720

2007-05-29 Thread Nick Griffin
I'm looking for recommendations regarding IOS software to be deployed on 2
new 7600's and 2 new 6500's. The 6500 will be in the core of the network
terminating server stacks via 4948's. They will have redundant connections
to 7600's that will terminate the ISP connectivity via provider managed
MPLS. They will need to be able to provide bgp as well as a redundant FHRP
preferably GLBP. I'm a little confused with all the talk of the product
split and code changes, simply looking for recommendations.

TIA,

Nick Griffin


Re: [c-nsp] vlan configuration for video system

2007-04-13 Thread Nick Griffin
What I'm saying is there are not a lot of ways to dynamically assign those
video devices/ports to certain vlans. You may look into VMPS, it can do vlan
assignments based on mac address, but it requires a switch capable of being
the server. Designate ports 1-X for video and put them in your video vlan.
Configure them for priority queuing and the switch to mls qos trust dscp.

On 4/13/07, Dan [EMAIL PROTECTED] wrote:

 Thanks for your reply.

 We are not implementing a voip system yet but if we do the phones we buy
 will support cdp.  So that would be fine.

 So from what I gather, our video system has to be able to mark packets
 with a dscp value, which it does.  Separate Vlan's are recommended.

 So the only thing I need yet is a way for the switch to put a video
 device into the video vlan when its plugged in.  Is there a way to do
 this with acl's?  Would specified address help?

 The quality across the wireless links has been taken care of.  That is
 not a concern to me.

 Thanks,
 Dan.


 Nick Griffin wrote:
  The only mechanism I know of on a switch to be able to determine what
  vlan a port should be assigned to is the communication between a cisco
  phone and switch utilizing CDP. There are of course other external
  options, but that's more along the lines of security and Cisco ACS. I
  wouldn't imagine the capability or the need to trunk to a video
  system. Typically the video systems will set DSCP values for their
  control and video traffic which you would configure your switch to
  trust. If for some reason they wouldn't mark their data, you would
  use an extended acl to identify the traffic and set the DSCP value
  accordingly. Some systems also use RSVP to request the reservation
  from the network. I would recommend separate voice, video and data
  vlans to allow the different levels of QoS required for each
  respective application. I would have more of a concern with being
  able to control quality across those wireless links if video will be
  running across them.
 
  HTH,
 
  Nick Griffin, CCIE #17381
 
  On 4/12/07, *Dan Letkeman* [EMAIL PROTECTED] wrote:

  That's what I was afraid of having to do.  It's polycom vsx 6000's that
  we are using.  They do have the capability of marking packets with dscp
  so I could do that.  I guess without having vlan tagging on the polycom
  equipment there is no way for the switch to know what vlan that unit is
  supposed to be on?
  Dan

  -Original Message-
  From: Voll, Scott [EMAIL PROTECTED]
  To: Dan [EMAIL PROTECTED], [EMAIL PROTECTED]
  Date: Thu, 12 Apr 2007 14:54:53 -0700
  Subject: RE: [c-nsp] vlan configuration for video system

  What kind of video system?  Does it mark packets with DSCP / IP Prec by
  default?

  My guess is that if you're going to make a separate video vlan, you will
  have to assign the port to the video vlan manually.  ( more Management
  :-(

  Scott

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan
  Sent: Thursday, April 12, 2007 1:26 PM
  To: [EMAIL PROTECTED]
  Subject: [c-nsp] vlan configuration for video system

  Hello

  We are implementing a video conferencing system on our system and I was
  wondering if anyone had recommendations for how to set up the vlan's for
  data/video/voice.

  We currently have one 3560 in each of the buildings and 2-10 2960's
  behind the 3560.  All of the buildings are connected via wireless
  bridges.

  Should I create a separate vlan for voice, video, data, and management
  in each building?

  If I do create a separate vlan for each piece, how do the switches know
  how to put say a video device on the video vlan when it's connected on
  the switch?

  If there are any other suggestions please let me know as I'm open to any
  options so I can make this system easy to manage and work well.

  Thanks,
  Dan.

[c-nsp] OT ACS 4.1

2007-04-12 Thread Nick Griffin
Does anyone have any experience installing ACS 4.1 on a drive other than the
c: drive? I'm attempting to and getting ODBC errors before the installation
finish. Perhaps someone has seen this.

Thanks in advance,

Nick Griffin


Re: [c-nsp] 6509 / 3750 link problem

2007-04-09 Thread Nick Griffin
In the past I've had to do speed nonegotiate; give that a shot.

On 4/9/07, Brad Henshaw [EMAIL PROTECTED] wrote:

 Glenn,

 In addition to the other suggestions, I noticed the following in your
 output:

 Your side:
 Full-duplex, 1000Mb/s, media type is LH

 Their side:
 Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseLX
 SFP

 It's possible they've set 'speed nonegotiate' on their gig port. If so,
 get them to remove this config on their end to allow autonegotiation
 (which I always prefer for fibre links) or disable autonegotiation on
 your end to match. Some Cisco gear won't bring a fibre link up by
 default if autonegotiation isn't playing.

 Regards,
 Brad



  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Tan
  Sent: Monday, 9 April 2007 8:56 PM
  To: cisco-nsp@puck.nether.net
  Subject: [c-nsp] 6509 / 3750 link problem
 
  Hi
 
  I am having a strange problem here...
  We're trying to connect to an uplink's Catalyst 3750 from one of our
  6509 SUP720s via 1000base-LX over single-mode fiber and we
  are having this weird problem where our router shows the
  interface as down/down, whereas their router shows the
  interface as up/up.
 
  We have tested every portion of the fiber pair linking both
  switches and have found nothing wrong. The wavelengths are
  both the same, signal strengths are well within normal
  ranges, and all cable loopback tests are successful and
  indicate no problems.
 
  GBIC on our side is:
   Vendor Name   : CISCO-JDSU
   Vendor OUI: 0x0 0x1 0x9C
   Vendor PN : JGBR12LY02332
 
  GigabitEthernet3/9 is down, line protocol is down (notconnect)
Hardware is C6k 1000Mb 802.3, address is 0007.ec6d.4400
  (bia 0007.ec6d.4400)
MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
   reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is LH
input flow-control is off, output flow-control is desired
Clock mode is auto
 
 
  SFP on their side is:
  Vendor Name   :   CISCO-AVAGO
  Vendor Part Number:   QFCT-5798LP
 
  GigabitEthernet1/0/2 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 0019.3014.a282 (bia
  0019.3014.a282)
MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
   reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, link type is force-up, media type is
  1000BaseLX
  SFP
input flow-control is off, output flow-control is unsupported
 
  Has anyone experienced this before?
  Any help from anyone is appreciated.
 
  Thanks and cheers.
 