Re: [c-nsp] 4x10G Etherchannel overruns
>> Are you seeing any fabric drops? "show fabric drop"

Some fabric drops, but not very many:

Polling interval for drop counters and timestamp is 15 in seconds

Packets dropped by fabric for different queues:
slot    channel    Low-Q-drops             High-Q-drops
 1       0         398 @14:13 06Mar17      0
 1       1         390 @11:20 06Mar17      0
 2       0         419 @14:13 06Mar17      0
 2       1         396 @14:13 06Mar17      0

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] 4x10G Etherchannel overruns
On a WS-X6908-10G DCEF2T line card with SUP2Ts, I ran into overruns yesterday on a 4x10G etherchannel that I am at a loss to resolve:

Constantly increasing overrun counter:

     6418130558941 packets input, 9277559958229871 bytes, 0 no buffer
     Received 668274 broadcasts (0 IP multicasts)
     0 runts, 190 giants, 0 throttles
     192 input errors, 1 CRC, 0 frame, 51591389 overrun, 0 ignored

Latency into the router rose by 40ms when these overruns started to appear. This happened at a BW of ~28 Gbps.

I've built the etherchannel in this manner:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     0A     Te1/1    Active             2
  3     81     Te1/2    Active             2
  1     60     Te1/3    Active             2
  2     14     Te1/4    Active             2

Is it necessary to instead stagger 1/1, 1/3, 1/5, 1/7 to spread the load across the card ASICs? I didn't think the WS-X6908 was an oversubscribed card so didn't bother initially.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] DHCP Snooping on Cat3850
I've been trying to run the Denali release in production and have run into strange issues where VLANs would stop passing traffic properly (OSPF would no longer come up, and you couldn't ping through it, and counters on interface showed crazy numbers). The only way to restore traffic flow was either to define a new VLAN tag or to reload the router. Last seen in Denali 16.3.1 unfortunately. There is now a 16.3.1a, but nothing in the release notes about fixes.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] 40G options for 6807
There are the newish high-density 10-G modules that will support 40G as well:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800-series-switches/datasheet-c78-733662.html

For instance, the C6800-32P10G is labelled as an 8 Port 40GE/32 Port 10GE module, but there is no software release yet that supports the 40G operational mode, nor have I seen the required CVR-4SFP-QSFP adaptor available.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Cutting
Sent: Wednesday, July 13, 2016 5:30 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 40G options for 6807

Any new 40g modules coming out/been released for the 6807? Or still just WS-X6904-40G-2T

Where is the love for this golden chassis monster
Re: [c-nsp] SUP720's memory, looking at options..
Ah.. I've not been able to convince myself that the port density hit on the 9k was worth it yet. Since the nexus 77k supports 2M IPv4 routes in its FIB and has pretty epic density, we are trying to figure out why that would be a bad choice.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] SUP720's memory, looking at options..
What are you replacing your converged core with Mack? Nexus 7700's?

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] SUP720's memory, looking at options..
Regarding TCAM ... Data sheets are a little confusing in this regard, some parts indicate "2M FIB TCAM Entries" some imply a 1M FIB limit. If it is a 2M FIB limit, it seems unlikely you would exhaust that limit in the next 10 years.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] SUP720's memory, looking at options..
There is also the option of jumping to a used SUP2T or a SUP6T in your 6500 chassis. Depending on the line cards you have, you might have to replace some of them.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] SUP720's memory, looking at options..
For a non-cisco option, the new Arista 7280R is somewhat interesting. Handles BGP full tables, has great port density, relatively affordable.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Howard Leadmon
Sent: Monday, July 04, 2016 10:37 AM
To: 'Jon Lewis' <jle...@lewis.org>
Cc: 'cisco-nsp' <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] SUP720's memory, looking at options..

FYI, the version I am currently running is 12.2(33)SXJ1, and though I know it's not the newest thing going, it for sure has served us well with an uptime of 4 years, 51 weeks, 4 days, 19 minutes as of this message. I have little doubt that a reboot may free up some memory, if nothing else some more contiguous chunks, but from all I have read here recently, with taking full routes this is a short term stop gap measure at best.

So what I am trying to figure out, is what is a good path forward that will last more than a couple months at best. As mentioned below, I have looked at just using the RSP720-3CXL as it will take a lot more RAM reduce running on the edge of a memory allocation failure (plus the faster CPU is good for BGP). I have looked at using something like the ASR1004/6 as with a full load of RAM it says it will easily do 4 million routes. Finally I know someone that has a GSR12404 that suggested I use it, and though I know it's not new platform, I can't for the life of me figure out what routing limits it has.

I for sure need 1G and 10G interfaces (not a lot), also need 32bit ASN support as we already use it at the IX.

The reboot of the current switch would be easy, but if I need to take the time to haul around big switches/routers, and changing the network around, I figure it just makes good sense to learn what I can to make an informed choice as much as possible.

Happy 4th to any that celebrate it..

---
Howard Leadmon - how...@leadmon.net
PBW Communications, LLC
http://www.pbwcomm.com

> -Original Message-
> From: Jon Lewis [mailto:jle...@lewis.org]
> Sent: Monday, July 4, 2016 9:34 AM
> To: Howard Leadmon <how...@leadmon.net>
> Cc: 'cisco-nsp' <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] SUP720's memory, looking at options..
>
> On Mon, 4 Jul 2016, Howard Leadmon wrote:
>
> > I knew with the 720-3BXL's I was running, that eventually the TCAM would become an issue, but it seemed like I still had a little bit of breathing room left. Then I saw the chatter here about the RAM on the RP exhausting before the TCAM, so went peeking at the switch after reading an earlier thread. Sure enough, though TCAM was starting to get full, to my surprise when I looked at memory, it was at 92%, so even closer than the TCAM by far to exhaustion.
> >
> > I know I can't just up the RAM on the board, so that now leads me to wonder what are reasonable options to resolve this before it becomes a very real and big problem. First let me say, compared to many here we are small guys, we have a limited budget, and our 6509 has served us well for a great many years, I think it's about to pass the 5yr uptime mark. We have 2-3 full feeds as uptime is important, and we also peer at the Equinix IX, so have a bunch of additional peering sessions.
>
> Some of the software versions for the 6500 have had BGP related memory leaks, and if you've got an uptime of 5yrs, that means you're not exactly running recent code, and have had a lot of time for memory to get misplaced. I no longer have access to a 6500 with full feeds, so I don't know if 3 full feeds + an IX should be running you out of memory. An upgrade/reboot might be worth a try though. I'd stay in whatever major version you're in though...not try jumping to a much later version that might be even more memory hungry.
>
> --
> Jon Lewis, MCP :) | I route
>                   | therefore you are
> http://www.lewis.org/~jlewis/pgp for PGP public key
[c-nsp] SUP2T.. TCAM related errors..
I cannot for the life of me figure out why this box seems to think it has TCAM issues.. It's a SUP-2T XL platform.. Usage levels look well under TCAM limits.

May 23 12:06:22: %CFIB-7-CFIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched
May 31 08:58:51: %CV6_LC-5-FIB_EXCEP_ON: Failed to insert IPv6 prefix in FIB TCAM because it is full

rtr #show platform hardware capacity forwarding
L2 Forwarding Resources
  MAC Table usage:   Module  Collisions  Total    Used   %Used
                     1       0           131072   1525   1%
                     2       0           131072   1526   1%
                     6       0           131072   1522   1%

L3 Forwarding Resources
  FIB TCAM usage:                     Total     Used     %Used
    72 bits (IPv4, MPLS, EoM)         1048576   555182   53%
    144 bits (IP mcast, IPv6)         524288    25930    5%
    288 bits (IPv6 mcast)             262144    1        1%

  detail:      Protocol       Used     %Used
               IPv4           555180   53%
               MPLS           1        1%
               EoM            1        1%
               IPv6           25924    5%
               IPv4 mcast     6        1%
               IPv6 mcast     1        1%

  Adjacency usage:   Total     Used    %Used
                     1048576   33569   3%

rtr #sh mls cef exception status
Current IPv4 FIB exception state = TRUE
Current IPv6 FIB exception state = TRUE
Current MPLS FIB exception state = FALSE
Current EoM/VPLS FIB TCAM exception state = FALSE
[c-nsp] Spare-pair power negotiation problem.. Cisco 3850 UPOE
Anyone had any luck with UPOE actually working with the power inline four-pair forced command?

WS-C3850-48U / Denali 16.2.1

interface GigabitEthernet1/0/10
 power inline four-pair forced
end

Log:

*Apr 25 08:37:59.062 PST: %ILPOWER-5-DET_TIMEOUT_SPARE_PAIR: Interface Gi1/0/10: spare pair detect timeout

Of course it's timing out, I'm using "power inline four-pair forced" because the device does not support sending Cisco the four pair negotiation message. This command is supposed to ignore this.. However:

UnwiredSW-#show power inline g1/0/10 detail
 Interface: Gi1/0/10
 Inline Power Mode: auto
 Operational status: on
 Device Detected: yes
 Device Type: Ieee PD
 IEEE Class: 4
 Discovery mechanism used/configured: Ieee and Cisco
 Police: off

 Power Allocated
 Admin Value: 60.0
 Power drawn from the source: 60.0
 Power available to the device: 60.0

 Actual consumption
 Measured at the port: 32.5
 Maximum Power drawn by the device since powered on: 33.6

 Absent Counter: 0
 Over Current Counter: 0
 Short Current Counter: 0
 Invalid Signature Counter: 0
 Power Denied Counter: 0

 Power Negotiation Used: None
 LLDP Power Negotiation    --Sent to PD--    --Rcvd from PD--
   Power Type:             -                 -
   Power Source:           -                 -
   Power Priority:         -                 -
   Requested Power(W):     -                 -
   Allocated Power(W):     -                 -

 Four-Pair PoE Supported: Yes
 Spare Pair Power Enabled: No   <-- Should be enabled per the forced command
 Four-Pair PD Architecture: Independent

And then when you try to use more than 30 watts:

*Apr 25 08:43:32.212 PST: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi1/0/10: PD removed
*Apr 25 08:43:32.215 PST: %ILPOWER-3-CONTROLLER_PORT_ERR: Controller port error, Interface Gi1/0/10: Power Controller reports power Imax error detected
*Apr 25 08:43:32.742 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/10, changed state to down

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
[c-nsp] Anyone used the C6800-32P10G-XL cards yet?
Anyone used the C6800-32P10G-XL cards yet? Seems like a no brainer replacement for the WS-X6908-10G card at almost the identical price point, but double the fabric bandwidth (160G vs 80G) if you upgrade to a 6807-XL chassis.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
[c-nsp] C6800-32P10G-XL 40G Support?
Some of the materials I have seen for the C6800-32P10G-XL line card indicate that it can operate in 10G or 40G modes, apparently 40G modes require a CVR-4SFP-QSFP cable to use 4 10G ports to light a single QSFP. However, I've seen in other locations that "40G ports are currently not supported"

Anyone got the skinny on this?

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] Most cost effective 100G router?
Happy to clarify James, to expand:

"Anyone have any thoughts the most cost effective chassis available currently that supports 100G ports? Need to route upwards of 200 Gbps and handle full tables, but cost is definitely a factor."

I would be using 2x100G ports to upstream providers pulling full tables.. and probably 10G LAG groups or 40G ports to feed the downstream user who does not have 100G port capabilities.

If I spread across two chassis for redundancy and failover.. then each chassis would have:

1 100G port facing an upstream
1 100G port facing the other chassis
10 10G or 4 40G ports facing the downstream customer
Full routes

The application doesn't really support spending $200k on the solution, so I'm looking around for something game changing. I think 100G might be too young at this point to find it honestly.

Peter Kranz www.UnwiredLtd.com pkr...@unwiredltd.com
[c-nsp] Most cost effective 100G router?
Anyone have any thoughts the most cost effective chassis available currently that supports 100G ports? Need to route upwards of 200 Gbps and handle full tables, but cost is definitely a factor.

Peter Kranz www.UnwiredLtd.com pkr...@unwiredltd.com
Re: [c-nsp] BGP multipath load balancing.. broken sessions upon hash change
Hi Pete,

Thank you very much for this response. It appears that resilient hashing handles the concept of node removal without causing a re-calculation. How well does it handle the scenario where you are adding a new node, or where a failed node returns?

-Peter

From: Pete Lumbis [mailto:alum...@gmail.com]
Sent: Thursday, September 03, 2015 2:02 PM
To: Peter Kranz <pkr...@unwiredltd.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP multipath load balancing.. broken sessions upon hash change

What you need is resilient hashing, which is supported on the Broadcom Trident 2 chipset by all the vendors that use it (Nexus 3k, Arista platforms, Dell S4048/S6000 with Cumulus Linux). I'm not aware of Cisco custom chips that do this.

The way resilient hashing works is that it pre-populates a large number of buckets, say 1024 and then takes your list of next hops and just repeats them.

A, B, C, D, A, B, C, D, A, B, C, D

If a next hop fails, it just plugs in the hole with the still living next hops. Say B fails.

A, A, C, D, A, C, C, D, A, D, C, D

Anything that was going to B dies anyway, but you don't have to re-shuffle the existing buckets.

The downside is that if you add a new nexthop you have to shuffle again, but you get what you pay for :)

-Pete

On Wed, Sep 2, 2015 at 4:49 PM, Peter Kranz <pkr...@unwiredltd.com> wrote:

I’m using bgp maximum-paths and several peers announcing the same /32 to create a poor man’s load balancer. This works well with up to 16 peers after which the CEF number of buckets is exceeded.

However, if the number of connected peers change, all sessions break, which I would like to avoid.

For example:
- 10 machines are advertising a path to the /32
- SSH is opened to one machine via the advertised IP address
- 1 machine stops advertising, bringing the pool to 9
- SSH connection breaks a little while later

Conversely when adding another machine to the pool, a similar experience:
- 9 machines are advertising a path to the /32
- SSH is opened to one machine via the advertised IP address
- 1 machines starts advertising, bringing the pool to 10
- SSH connection breaks immediately

Is there a solution to keep the client session sticky to the BGP peer it was initially started on? I am using per-destination load balancing. My suspicion is that upon a change in the number of connected peers, the CEF hash buckets are reset and renumbered, breaking all connections.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
[c-nsp] Cisco IOS SLB performance under Supervisor 2T
This document indicates a maximum of 8G of throughput for IOS SLB under a Supervisor 720-3BXL:
http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/persistent-storage-device-module/product_data_sheet0900aecd806b5dc9.html

Is anyone aware of what the performance limitation of this feature is under the newer Supervisor 2T-10G-XL?

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
[c-nsp] BGP multipath load balancing.. broken sessions upon hash change
I’m using bgp maximum-paths and several peers announcing the same /32 to create a poor man’s load balancer. This works well with up to 16 peers after which the CEF number of buckets is exceeded.

However, if the number of connected peers change, all sessions break, which I would like to avoid.

For example:
- 10 machines are advertising a path to the /32
- SSH is opened to one machine via the advertised IP address
- 1 machine stops advertising, bringing the pool to 9
- SSH connection breaks a little while later

Conversely when adding another machine to the pool, a similar experience:
- 9 machines are advertising a path to the /32
- SSH is opened to one machine via the advertised IP address
- 1 machines starts advertising, bringing the pool to 10
- SSH connection breaks immediately

Is there a solution to keep the client session sticky to the BGP peer it was initially started on? I am using per-destination load balancing. My suspicion is that upon a change in the number of connected peers, the CEF hash buckets are reset and renumbered, breaking all connections.

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] BGP multipath load balancing.. broken sessions upon hash change
I am attempting to load balance ~100 Gbps of inbound traffic across several processing nodes. Each node advertising the same /32 back to the core router and CEF nicely divides the traffic so that 1/16th of it arrives at each node.

The problem arises when a node is brought out of rotation, existing SSH sessions break since the source IP gets mapped to a new node after CEF re-computes. Given the large amount of traffic, it's not easily solvable with higher end load balancers for a reasonable cost.

-PK

-Original Message-
From: Łukasz Bromirski [mailto:luk...@bromirski.net]
Sent: Wednesday, September 02, 2015 2:56 PM
To: Peter Kranz <pkr...@unwiredltd.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP multipath load balancing.. broken sessions upon hash change

Peter,

> On 02 Sep 2015, at 22:49, Peter Kranz <pkr...@unwiredltd.com> wrote:
>
> I’m using bgp maximum-paths and several peers announcing the same /32 to create a poor man’s load balancer. This works well with up to 16 peers after which the CEF number of buckets is exceeded.
>
> However, if the number of connected peers change, all sessions break, which I would like to avoid.

That’s the way CEF works - it has to rebuild the hash every time new nexthop appears or vanishes. This is 6500 you’ve mentioned in different post, right?

What is the overall architecture of the thing you’re trying to achieve here (remote terminal access?).

--
Łukasz Bromirski
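The two behaviours discussed in this thread side by side, as an added Python example that is not code from any poster or vendor: a hash that is rebuilt whenever the next-hop count changes (the CEF behaviour Łukasz Bromirski describes above) and the pre-populated bucket table Pete Lumbis describes as resilient hashing. The hash-mod-N model of the rebuild, the SHA-256 flow hash, the node-N names and the sample addresses are assumptions for illustration; real hardware hashes differ.

```python
import hashlib


def flow_hash(src: str, dst: str) -> int:
    """Stable per-flow hash. SHA-256 is a stand-in (assumption), not a hardware hash."""
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def modulo_pick(next_hops, h):
    """Simplified model of a hash rebuilt per next-hop count: index = hash mod N."""
    return next_hops[h % len(next_hops)]


class ResilientTable:
    """Fixed-size bucket table filled by repeating the next-hop list."""

    def __init__(self, next_hops, buckets=1024):
        self.next_hops = list(next_hops)
        self.buckets = [self.next_hops[i % len(self.next_hops)]
                        for i in range(buckets)]

    def pick(self, h):
        return self.buckets[h % len(self.buckets)]

    def remove(self, dead):
        """Plug only the dead next hop's buckets with the survivors, in turn."""
        survivors = [nh for nh in self.next_hops if nh != dead]
        if not survivors:
            raise ValueError("cannot remove the last next hop")
        self.next_hops = survivors
        hole = 0
        for i, owner in enumerate(self.buckets):
            if owner == dead:
                self.buckets[i] = survivors[hole % len(survivors)]
                hole += 1


def survivors_moved(flows, before, after, dead):
    """Fraction of flows that were NOT on the dead node yet changed next hop."""
    unaffected = [h for h in flows if before(h) != dead]
    moved = sum(1 for h in unaffected if before(h) != after(h))
    return moved / len(unaffected)


def compare(pool_size=10, dead_index=3, flow_count=2000):
    """Return (modulo_fraction, resilient_fraction) for one node leaving the pool."""
    hops = [f"node-{i}" for i in range(pool_size)]
    dead = hops[dead_index]
    remaining = [nh for nh in hops if nh != dead]
    # Constructed flows: documentation-range sources towards one advertised /32.
    flows = [flow_hash(f"198.51.100.{i % 254 + 1}:{1024 + i}", "192.0.2.1")
             for i in range(flow_count)]

    modulo = survivors_moved(
        flows,
        lambda h: modulo_pick(hops, h),
        lambda h: modulo_pick(remaining, h),
        dead)

    before_table = ResilientTable(hops)
    after_table = ResilientTable(hops)
    after_table.remove(dead)
    resilient = survivors_moved(flows, before_table.pick, after_table.pick, dead)
    return modulo, resilient


if __name__ == "__main__":
    demo = ResilientTable(list("ABCD"), buckets=12)
    demo.remove("B")
    print("buckets after B fails:", ", ".join(demo.buckets))
    modulo, resilient = compare()
    print(f"surviving flows remapped, modulo hash:     {modulo:.1%}")
    print(f"surviving flows remapped, resilient table: {resilient:.1%}")
```

The 12-bucket demo reproduces the A, A, C, D, A, C, C, D, A, D, C, D table from the reply; the 10-node run corresponds to the pool going from 10 machines to 9.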
Re: [c-nsp] Why only 10 hash buckets?
Thanks Paul, You were right.. Reducing the number of paths to 16 got me to the full 16 buckets.

-Peter
[c-nsp] Why only 10 hash buckets?
67539CC0, path list 27D80DB8, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.61 2C4D56E0
path 6753A230, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.62[IPv4:Default], fib 5D3616C8, 1 terminal fib
  path 6753AB40, path list 27D80CE8, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.62 2C4D5540
path 6753A2A4, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.63[IPv4:Default], fib 6306FA24, 1 terminal fib
  path 6753A55C, path list 27D80A10, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.63 2C4D53A0
path 67539FEC, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.64[IPv4:Default], fib 1F8877F0, 1 terminal fib
  path 6753ADF8, path list 27D80940, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.64 2C4D5200
path 6753B4C4, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.65[IPv4:Default], fib 58D55638, 1 terminal fib
  path 6753A9E4, path list 27D80668, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.65 2C4D5060
path 6753B9C0, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.66[IPv4:Default], fib 5D3694C8, 1 terminal fib
  path 6753A6B8, path list 27D80FC0, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.66 2C4D4EC0
path 28011AAC, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.67[IPv4:Default], fib 1DFD3BD8, 1 terminal fib
  path 6753B694, path list 27D80188, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.67 2C4D4D20
path 28010DFC, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.68[IPv4:Default], fib 6C18A1E4, 1 terminal fib
  path 675393B0, path list 27D80120, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.68 2C4D4B80
path 28011B20, path list 27D7F6F8, share 1/1, type recursive nexthop, for IPv4, flags resolved
  recursive via 162.244.60.69[IPv4:Default], fib 22BAB6E8, 1 terminal fib
  path 67539920, path list 27D80E20, share 1/1, type adjacency prefix, for IPv4
    attached to Vlan10, adjacency IP adj out of Vlan10, addr 162.244.60.69 2C4D4840
output chain:
  loadinfo 53BB6B24, per-session, 10 choices, flags 0003, 5 locks
  flags: Per-session, for-rx-IPv4
  10 hash buckets
    0 IP adj out of Vlan10, addr 162.244.60.50 2C4D5880
    1 IP adj out of Vlan10, addr 162.244.60.51 2C4D5A20
    2 IP adj out of Vlan10, addr 162.244.60.52 2C4D5BC0
    3 IP adj out of Vlan10, addr 162.244.60.53 2C4D5D60
    4 IP adj out of Vlan10, addr 162.244.60.54 2C4D5F00
    5 IP adj out of Vlan10, addr 162.244.60.55 2C4D60A0
    6 IP adj out of Vlan10, addr 162.244.60.56 2C4D6240
    7 IP adj out of Vlan10, addr 162.244.60.57 2C4D63E0
    8 IP adj out of Vlan10, addr 162.244.60.58 2C4D7420
    9 IP adj out of Vlan10, addr 162.244.60.59 2C4D6580
  Subblocks: None

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
[c-nsp] 3850 per VLAN shaping help...
I am attempting to apply per VLAN shaping on the 3850 chassis and having various problems:

1: I have attempted creating policy-maps and applying them to the VLAN SVI. Config mode takes the service-policy commands, with no errors in the log, but a show run on the interface indicates that nothing was applied..

2: I have tried creating a more complicated policy-map to handle all the vlans on a particular trunk, i.e.:

class-map match-any TheFuelist
 match vlan 202
class-map match-any StephenEBlockCompany
 match vlan 201
class-map match-any Advoco
 match vlan 200
!
policy-map CentroShaping
 class StephenEBlockCompany
  shape average 2500
 class Advoco
  shape average 1
 class TheFuelist
  shape average 2500
 class class-default
  shape average 5000

But upon applying these to the trunk port I get:

Mar 11 08:23:58.363 PDT: Invalid queuing class-map!!! Queuing actions supported only with dscp/cos/qos-group/precedence based classification!!!

The only examples I have found either say apply to the SVI (which doesn't seem to work) or apply to routed sub interfaces instead of trunk ports.

Any hints?

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
[c-nsp] SUP2T Ignoring ARP response... 12.2(50)SY3
A bit stumped by this one, perhaps someone has seen this behavior:

A particular MAC address is seen in two different VLANS: (Should be ok, MAC address table is by VLAN right)

rtr-sungard#sho mac address-table | inc 0025.90a6.7ca2
10 0025.90a6.7ca2 dynamic Yes5 Te5/5
* 11 0025.90a6.7ca2 dynamic Yes 60 Te6/5

ARP table shows Incomplete ARP response for one of the VLANs:

Internet x.x.x.x 0 Incomplete ARPA
Internet x.x.x.x 1 0025.90a6.7ca2 ARPA Vlan10

Cannot ping the host in Vlan11 as a result.. However packet captures from the host show the ARP response being sent as desired on the Incomplete VLAN..

If the host Vlan11 pings the gateway on the 6500, ARP table is now populated and pings possible..

Internet x.x.x.x 0 0025.90a6.7ca2 ARPA Vlan11
Internet x.x.x.x 8 0025.90a6.7ca2 ARPA Vlan10

Any ideas?

Peter Kranz
Unwired Ltd
www.UnwiredLtd.com
pkr...@unwiredltd.com
Re: [c-nsp] SUP2T Ignoring ARP response... 12.2(50)SY3
Figured this out.. I'll explain it here in case someone else runs into this in the future..

By default cisco uses the same MAC address for every VLAN configured on a 6500. The downstream switches were getting confused by this (customer was combining the two vlans together rather than keeping them separate) and not sending ARP responses back to the correct port..

Using mac-address .. to alter the mac address of one of the two vlans on the 6500 immediately resolved the problem.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c9b4e.shtml

Peter Kranz
www.UnwiredLtd.com
pkr...@unwiredltd.com
[c-nsp] Rancid causing reload SUP2T 12.2.50-SY3
Had a 6506-E running redundant Sup2T's perform a failover from ACTIVE to HOT STANDBY yesterday with nothing showing in the logs right after the hourly RANCID collection completed.

Running s2t54-advipservicesk9-mz.SPA.122-50.SY3.bin

Anyone seen this?

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
[c-nsp] 6506-E vs 7606-S
Other than the form factor difference between these two chassis, is there any particular reason to select one over the other? Planning on running 2 VS-S2T-10G-XL sups, and 2 WS-6908-10G-2T 8 port 10G cards.. Full BGP routes to two peers..

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
[c-nsp] %IPC-2-INVALIDZONE: Invalid IPC Zone 0x60000000 on WS-C3750X-24P-S
Anyone else seeing these on 3750X's from time to time? Running 15.0(1)SE3

Oct 9 19:49:25.728 PDT: %IPC-2-INVALIDZONE: Invalid IPC Zone 0x6000.
-Traceback= 545BFCz CDDE70z 5AD80z 5AE68z 284DA88z 28478FCz

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
[c-nsp] QOS testing traffic generator and reporter
Looking for an opensource/free package that can generate several data streams with different source IPs and data rates to similar different users that also have a receiver function that can display the real-time BW received for each stream.

Testing several different QoS implementations, where the real-time feedback would speed things up. Using iperf right now, but requires kicking lots of scripts for each run..

Regards,
Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
[c-nsp] %LTL-SP-2-LTL_PARITY_CHECK: LTL parity check request for 0x4B86.
May 30 17:25:43: %LTL-SP-2-LTL_PARITY_CHECK: LTL parity check request for 0x4B86.

Saw one of these on a 6500 with a Sup720-3BXL today, first time it's shown up in the logs.. Anything to be concerned about?

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
Re: [c-nsp] Open Source netflow recommendations
Stager is a great netflow analysis option; http://software.uninett.no/stager

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Wednesday, May 18, 2011 1:04 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Open Source netflow recommendations

On Wed, 18 May 2011, Ge Moua wrote:

> If vendors start playing games with license fees per feature (to pad their revenues), then one either conform or work-around them. If this pertains to netflow, I've done something like the following in the past:
> * span traffic to pkt collector
> * on pkt collector, run something like fprobe to convert raw pkt to flow format
> * export flow to said flow collector
> This man-in-the-middle approach may be somewhat silly to bypass licensed netflow feature, and could be moot if one needed another license to do spans.

If someone needed to do that, they certainly could. One thing that could become more difficult in that scenario is the ability to view and manipulate Netflow data based on AS number. To get that from a packet collector, the collector would need to be able to speak BGP with the appropriate devices on your network, and then insert the AS data into the exported Netflow packets. As others have mentioned you'd also lose ifIndex, which could make tracing a flow across the network more involved.

jms
Re: [c-nsp] Safer DDOS drops
We verified that UDP fragments were not required by anything it was doing so it was straightforward... so after initially filtering UDP fragments, in the end we just blocked UDP completely to the device under attack.

-peter

-----Original Message-----
From: Drew Weaver [mailto:drew.wea...@thenap.com]
Sent: Friday, April 08, 2011 6:44 PM
To: 'Peter Kranz'
Subject: RE: [c-nsp] Safer DDOS drops

Peter,

What did you end up using to filter fragments? We see a lot of these UDP 0 looking attacks and we've been reluctant to drop all fragments because it breaks all kinds of legitimate protocols.

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Kranz
Sent: Friday, April 08, 2011 6:45 PM
To: 'Peter Rathlev'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

Brandon, Peter, Phil thanks.. I removed 'ip accounting access-violations', used the fragments filter, and changed to 'mls rate-limit unicast ip icmp unreachable acl-drop 0' .. another 5Gbps attack in progress currently, but router CPU is happy and customer still in service.

-peter
[c-nsp] Safer DDOS drops
So today one of our customers was being hit with a DDOS attack with the following signature; basically a bunch of UDP junk of about 5 Gbps in volume..

2011-04-08 12:31:49.504 8.832 UDP 58.64.147.47:0 - x:0 20483.0 M 1
2011-04-08 12:31:49.822 8.640 UDP 193.142.209.170:0 - :0 66560 98.2 M 1
2011-04-08 12:31:49.825 8.704 UDP 220.95.232.243:0 - x:0 67584 100.0 M 1
2011-04-08 12:31:49.823 8.704 UDP 84.22.33.10:0 - x:0 69632 102.7 M 1
2011-04-08 12:31:49.825 8.704 UDP 85.25.34.83:0 - x:0 71680 106.5 M 1
2011-04-08 12:31:49.824 8.704 UDP 85.206.6.48:0 - x:0 55296 81.9 M 1
2011-04-08 12:31:49.889 8.704 UDP 222.114.174.86:0 - :0 67584 101.3 M 1
2011-04-08 12:31:49.887 8.704 UDP 193.226.98.10:0 - x:0 69632 103.1 M 1
2011-04-08 12:31:49.887 8.704 UDP 85.234.235.135:0 - :0 316416 466.7 M 1
2011-04-08 12:31:49.888 8.704 UDP 92.243.75.90:0 - :0 62464 92.1 M 1
2011-04-08 12:31:49.954 8.704 UDP 72.55.140.164:0 - :0 61449.1 M 1

The device facing the customer is a 6500 with a Sup720-3BXL running 12.2(33)SXI3..

Attempted to alleviate the customer port congestion by adding the following to the port (an etherchannel made up of 2 1G ports on a WS-X6516-GBIC)

access-list 101 remark DOS Attack blocker
access-list 101 deny udp any host 208.71.159.144
access-list 101 permit ip any any

ip access-group 101 out

After doing this the router basically froze and died.. only responded to pings sporadically, and its BGP and HSRP sessions all kept flapping until we got in during a lull and removed the access-group.

Is there a better way to handle filtering a high volume traffic stream on a 6500 that won't kill the rest of the device? I've also got a WS-X6724-SFP in the device that's available

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
Re: [c-nsp] Safer DDOS drops
I've got it currently at:

mls rate-limit unicast ip icmp unreachable acl-drop 10 10

Would the

mls rate-limit unicast ip icmp unreachable acl-drop 0

Make a difference?

We used the egress rate, since the overall traffic volumes into the router are much greater than that exiting the port to the customer.. seemed better to deal with the smaller traffic stream than the entire backhauls worth (~20Gbps)

-peter

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, April 08, 2011 1:27 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

On 04/08/2011 09:18 PM, Peter Kranz wrote:

> Attempted to alleviate the customer port congestion by adding the following to the port (an etherchannel made up of 2 1G ports on a WS-X6516-GBIC)
>
> access-list 101 remark DOS Attack blocker
> access-list 101 deny udp any host 208.71.159.144
> access-list 101 permit ip any any
>
> ip access-group 101 out
>
> After doing this the router basically froze and died.. only responded to pings sporadically, and its BGP and HSRP sessions all kept flapping until we got in during a lull and removed the access-group.
>
> Is there a better way to handle filtering a high volume traffic stream on a 6500 that won't kill the rest of the device?

Do you have:

mls rate-limit unicast ip icmp unreachable acl-drop 0

...because if not, the deny ACE will cause some packets to leak to CPU for ICMP generation, and that might saturate the CPU.

Also, you might be safer having the deny ACL on ingress interfaces rather than egress.
Re: [c-nsp] Safer DDOS drops
It is configured Lukasz..

interface Port-channel2
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip flow ingress
 speed nonegotiate
 mls netflow sampling

mls rate limits in place currently..

mls rate-limit unicast ip icmp unreachable acl-drop 10 10

What are your recommended changes?

-peter

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lukasz Bromirski
Sent: Friday, April 08, 2011 1:28 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Safer DDOS drops

On 2011-04-08 22:18, Peter Kranz wrote:

> So today one of our customers was being hit with a DDOS attack with the following signature; basically a bunch of UDP junk of about 5 Gbps in volume..
>
> The device facing the customer is a 6500 with a Sup720-3BXL running 12.2(33)SXI3..
>
> Attempted to alleviate the customer port congestion by adding the following to the port (an etherchannel made up of 2 1G ports on a WS-X6516-GBIC)
>
> access-list 101 remark DOS Attack blocker
> access-list 101 deny udp any host 208.71.159.144
> access-list 101 permit ip any any
>
> ip access-group 101 out

Let me guess - the 'no ip unreachables' wasn't configured, and you didn't have mls rate-limits nor CoPP configured?

--
There's no sense in being precise when | Łukasz Bromirski
you don't know what you're talking     | jid:lbromir...@jabber.org
about. John von Neumann                | http://lukasz.bromirski.net
Re: [c-nsp] Safer DDOS drops
Brandon, Peter, Phil thanks.. I removed 'ip accounting access-violations', used the fragments filter, and changed to 'mls rate-limit unicast ip icmp unreachable acl-drop 0' .. another 5Gbps attack in progress currently, but router CPU is happy and customer still in service.

-peter
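The flow listing in this thread shows the attack as UDP records with source and destination port 0, and one reply weighs a fragments-only filter against blocking all UDP to the target. As an added example (not from the thread; the record layout, the decimal K/M/G multipliers, the function names and every address are constructed assumptions), this script totals port-0 UDP bytes per destination against that destination's other UDP traffic:

```shell
#!/bin/sh
# Added example: per-destination summary of UDP port-0 flows from
# flow-collector text output. Sample records are constructed and use
# documentation address ranges only.

# Assumed record layout (one flow per line):
#   date time duration proto src:port -> dst:port packets bytes [K|M|G] flows
sample_flows() {
cat <<'EOF'
2011-04-08 12:31:49.504 8.832 UDP 198.51.100.7:0 -> 192.0.2.10:0 2048 3.0 M 1
2011-04-08 12:31:49.822 8.640 UDP 198.51.100.9:0 -> 192.0.2.10:0 66560 98.2 M 1
2011-04-08 12:31:49.825 8.704 UDP 203.0.113.5:0 -> 192.0.2.10:0 67584 100.0 M 1
2011-04-08 12:31:50.001 1.200 UDP 203.0.113.8:53 -> 192.0.2.10:33012 4 512 1
2011-04-08 12:31:50.100 2.000 TCP 203.0.113.9:443 -> 192.0.2.20:51000 100 1.5 M 1
2011-04-08 12:31:50.200 0.500 UDP 198.51.100.3:0 -> 192.0.2.20:0 10 15000 1
EOF
}

# port0_summary < flows
# Prints "dst port0_bytes other_udp_bytes port0_percent", largest first.
port0_summary() {
    awk '
    # Byte counts may carry a scale suffix in the following field;
    # decimal multipliers are assumed here.
    function to_bytes(num, unit) {
        if (unit == "K") return num * 1000
        if (unit == "M") return num * 1000000
        if (unit == "G") return num * 1000000000
        return num + 0
    }
    $4 == "UDP" && $6 == "->" {
        n = split($5, s, ":"); sport = s[n]          # IPv4 addr:port only
        m = split($7, d, ":"); dport = d[m]; dst = d[1]
        unit = ($10 ~ /^[KMG]$/) ? $10 : ""
        bytes = to_bytes($9, unit)
        if (sport + 0 == 0 && dport + 0 == 0) zero[dst] += bytes
        else other[dst] += bytes
        seen[dst] = 1
    }
    END {
        for (dst in seen) {
            z = zero[dst] + 0; o = other[dst] + 0
            pct = (z + o > 0) ? 100 * z / (z + o) : 0
            printf "%s %.0f %.0f %.1f\n", dst, z, o, pct
        }
    }' | sort -k2,2nr
}

# flag_targets MIN_BYTES < flows
# Prints destinations whose port-0 UDP volume reaches MIN_BYTES.
flag_targets() {
    port0_summary | awk -v min="$1" '$2 + 0 >= min + 0 { print $1 }'
}

# Stand-alone run on the constructed sample.
sample_flows | port0_summary
```

A destination whose UDP volume is almost entirely port-0 records and whose remaining UDP is negligible is the case the thread ended with, where blocking UDP to that one host costs little.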
[c-nsp] QOS Puzzler..
I'm trying to adapt a QOS method we use under linux into cisco space.. Anybody got the cisco QOS fu to give me a general idea of how to do this in cisco world..

Problem:
- We traffic shape wireless access points, with a single access point connected per switch port, with several customers attached to each access point
- Each customer has his own subnet, but is on the same vlan, so shaping must be done by subnet
- Each customer is sold a plan that has a CIR (minimum data rate) and MIR (peak data rate if resources are available), each customer may have a different plan
- If the aggregate of total customer usage is less than the total access point capacity, allow them to burst above their CIR up to their MIR limit

Solution:
- On linux, we use HTB to do this.. The port has a root class with the total capacity of the access point configured, customers are configured with RATE= (CIR) and CEIL= (MIR) rates, along with RULE = Subnet.. It's very straightforward and works remarkably well.

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
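The HTB layout described in this post, written out as plain tc commands for traffic flowing toward the customers. This is an added example, not the poster's configuration: the interface name, subnets, rates, class ids and the sample_plans/gen_htb helpers are constructed for illustration, and the script only prints the commands.

```shell
#!/bin/sh
# Added example: generate an HTB hierarchy with rate = CIR and ceil = MIR
# per customer subnet under one root class sized to the access point.

# Constructed plan table: customer subnet CIR(kbit) MIR(kbit)
sample_plans() {
cat <<'EOF'
cust-a 10.10.1.0/24 2000 6000
cust-b 10.10.2.0/24 4000 10000
cust-c 10.10.3.0/24 1000 3000
EOF
}

# gen_htb DEV CAPACITY_KBIT < plans
# Prints tc commands; returns non-zero if the plans cannot be honoured.
gen_htb() {
    awk -v dev="$1" -v cap="$2" '
    BEGIN { cap = cap + 0 }
    NF == 4 && $1 !~ /^#/ {
        n++
        net[n] = $2; cir[n] = $3 + 0; mir[n] = $4 + 0
        # A child can never borrow past the parent, so clamp ceil to it.
        if (mir[n] > cap) mir[n] = cap
        if (cir[n] > mir[n]) {
            printf "%s: CIR %d kbit is above its ceiling %d kbit\n", $1, cir[n], mir[n] > "/dev/stderr"
            bad = 1
        }
        sum += cir[n]
    }
    END {
        # Guaranteed rates only hold if together they fit in the access point.
        if (sum > cap) {
            printf "sum of CIR %d kbit exceeds capacity %d kbit\n", sum, cap > "/dev/stderr"
            bad = 1
        }
        if (bad) exit 1
        printf "tc qdisc add dev %s root handle 1: htb default 999\n", dev
        printf "tc class add dev %s parent 1: classid 1:1 htb rate %dkbit ceil %dkbit\n", dev, cap, cap
        for (i = 1; i <= n; i++) {
            id = 9 + i
            printf "tc class add dev %s parent 1:1 classid 1:%d htb rate %dkbit ceil %dkbit\n", dev, id, cir[i], mir[i]
            printf "tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip dst %s flowid 1:%d\n", dev, net[i], id
        }
        # Unclassified traffic gets whatever is left after the guarantees.
        rest = cap - sum; if (rest < 1) rest = 1
        printf "tc class add dev %s parent 1:1 classid 1:999 htb rate %dkbit ceil %dkbit\n", dev, rest, cap
    }'
}

# Stand-alone run: a 20 Mbit access point on a hypothetical eth1.
sample_plans | gen_htb eth1 20000
```

Each customer class is guaranteed its rate and may borrow from the parent up to its ceil only while the root class has spare capacity, which is the CIR/MIR behaviour the post asks for.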
Re: [c-nsp] QOS Puzzler..
Hi Arie,

Using the feature navigator, Two-Rate Three Color Policer, and Two-Rate Three Color Policer - Ingress are listed.. Supported platforms show:

ME3400E
CAT4500E-Sup6L
CAT4900M

Does this seem like the complete set of devices that have this 3 color policer option?

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
Sent: Wednesday, March 23, 2011 2:49 PM
To: Peter Kranz; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] QOS Puzzler..

Peter,

You most likely can apply ingress policing on the ports, creating a class per customer (matching on ACL), and policing them to their MIR rate. You could try and use a 3 color policer, marking any traffic below CIR with a higher priority, above CIR to default, and above MIR to drop (exceed traffic). Then on the uplink, give the below CIR traffic a higher priority so in case of congestion this traffic will be preferred.

You need to select the right platform carefully, and you most likely would need a more advanced device than just a regular desktop switch to be able to scale...

Arie

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Kranz
Sent: Wednesday, March 23, 2011 22:46
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QOS Puzzler..

I'm trying to adapt a QOS method we use under linux into cisco space.. Anybody got the cisco QOS fu to give me a general idea of how to do this in cisco world..

Problem:
- We traffic shape wireless access points, with a single access point connected per switch port, with several customers attached to each access point
- Each customer has his own subnet, but is on the same vlan, so shaping must be done by subnet
- Each customer is sold a plan that has a CIR (minimum data rate) and MIR (peak data rate if resources are available), each customer may have a different plan
- If the aggregate of total customer usage is less than the total access point capacity, allow them to burst above their CIR up to their MIR limit

Solution:
- On linux, we use HTB to do this.. The port has a root class with the total capacity of the access point configured, customers are configured with RATE= (CIR) and CEIL= (MIR) rates, along with RULE = Subnet.. It's very straightforward and works remarkably well.

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
[c-nsp] Cleanest way to remove a redundant SUP720-3BXL
I need to remove a STANDBY HOT redundant SUP720-3BXL from a 6506-E chassis tonight and want to minimize any possibility of a reload or traffic interruption. Other than just yanking the card from the chassis and relying on OIR, are there any suggested steps to take to make this cleaner? I want to pull the card from slot 6, we need it in another chassis..

Rtr-JLS-Backup#show redundancy
Redundant System Information :
------------------------------
Available system uptime = 3 weeks, 12 hours, 26 minutes
Switchovers system experienced = 0
Standby failures = 0
Last switchover reason = none

Hardware Mode = Duplex
Configured Redundancy Mode = sso
Operating Redundancy Mode = sso
Maintenance Mode = Disabled
Communications = Up

Current Processor Information :
-------------------------------
Active Location = slot 5
Current Software state = ACTIVE
Uptime in current state = 3 weeks, 12 hours, 25 minutes
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 27-Oct-09 11:11 by prod_rel_team
BOOT = disk1:s72033-advipservicesk9_wan-mz.122-33.SXI3.bin,12;
CONFIG_FILE =
BOOTLDR =
Configuration register = 0x2102

Peer Processor Information :
----------------------------
Standby Location = slot 6
Current Software state = STANDBY HOT
Uptime in current state = 3 weeks, 12 hours, 10 minutes
Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 27-Oct-09 11:11 by prod_rel_team
BOOT = disk1:s72033-advipservicesk9_wan-mz.122-33.SXI3.bin,12;
CONFIG_FILE =
BOOTLDR =
Configuration register = 0x2102

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
[c-nsp] Per subnet rate limiting (6500) simple solution?
Looking for a simple solution to do per-subnet rate limiting where we have a bunch of subnets on the same VLAN.. we have a single output interface for this traffic facing the customers, but lots of upstream links to the internet.. so ideally everything could live on the customer interface..

Peter Kranz
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
Re: [c-nsp] Replacing redundant Sup720 on Catalyst 6500
Also a chance of stalling the bus for too long if you insert the new supervisor too slowly into the chassis.. so its possible you will reboot even if you should not have to. Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Youssef Bengelloun-Zahr Sent: Thursday, March 25, 2010 5:01 PM To: Stephen Cobb Cc: Cisco-nsp Subject: Re: [c-nsp] Replacing redundant Sup720 on Catalyst 6500 Same old same. FYI, this kind of problem is solved using UBL (in 12.2(33)SXI IOS I think). Basicaly, during this kind of maitainance, the new module will download the same IOS, config, etc... from the active one. I read that a few days ago, comes in handy when you stand in the place you are in right now. Good luck. Y. 2010/3/26 Stephen Cobb sc...@telecoast.com John- You want it to boot the software you've already got up and running, so make a copy of the IOS onto some compact flash. When you insert the redundant Sup, have a console cable and terminal already connected so that you can monitor its boot process. Once you see the Sup's memory displayed, CTRL+BREAK and get to ROMMON. Then, tell it to boot that IOS you want CTRL+from the compact flash disk. If it boots correctly, you'll see console switch to its MSFC and then [once booted] it'll download the config from the active Sup and you'll be up and running. At that point, you'll want to move the console to your active Sup and make sure that your standby Sup's bootflash or bootdisk contains the IOS 12.2(18)SXF7 that you want. If not, make the appropriate file copies from the active Sup's bootflash or bootdisk. (i.e. copy sup-bootlfash:xxx.bin slavesup-bootflash:xxx.bin) That's the short...I'm sure those links would help as well. -- Stephen F. 
Cobb Senior Sales Engineer CCNA/CCDA/DCNID/CSE/ASP/ATSA Telecoast Communications, LLC Santa Barbara, CA o 877.677.1182 x272 c 760.807.0570 f 805.618.1610 aim/yahoo telecoaststephen On Thu, Mar 25, 2010 at 3:07 PM, John Smith jsmith19...@yahoo.com wrote: Greetings, To all who responded to my query ... Thank you for your responses. I appreciate it. I have couple more questions. Do I need to do anything with the SSO or Redundancy config before I remove the bad Sup module in Slot 5 and insert in the new module? The new module is coming from Cisco, so I have no idea what IOS it will have on it. We do not have a spare chassis to stage the new module coming from Cisco. Will the IOS and Config automatically sync with the Active module in slot 6 when I insert the new/replacement module in slot 5. Thanks again for all your help. I very much appreciate it. Thanks! -John- --- On Thu, 3/25/10, Youssef Bengelloun-Zahr yous...@720.fr wrote: From: Youssef Bengelloun-Zahr yous...@720.fr Subject: Re: [c-nsp] Replacing redundant Sup720 on Catalyst 6500 To: John Smith jsmith19...@yahoo.com Cc: cisco-nsp@puck.nether.net Date: Thursday, March 25, 2010, 4:54 PM P.S : As I said before, make sure you are replacing the STANDBY SUP, not the active one (unless NSF is configured for your IGPs, etc...). Y. 2010/3/25 Youssef Bengelloun-Zahr yous...@720.fr Also, check out this : http://www.cisco.com/en/US/products/hw/switches/ps708/products_configu ration_example09186a008086ed2e.shtml Y. 2010/3/25 Youssef Bengelloun-Zahr yous...@720.fr Hello John, Based on your posting, the sup in slot 5 is in STANDBY state, so no worries to have :-) FYI : https://supportforums.cisco.com/docs/DOC-4068/version/1;jsessionid=667 B4E9940D21005AC46FD72F7A602B9.node0 Good luck ! Y. 2010/3/25 John Smith jsmith19...@yahoo.com We have a 6500 Switch in our network with two SUP720 engines running in SSO mode; one engine is Active and the other is in Standby Hot. The Sup engines are in slot 5 and slot 6. 
We need to replace the card in Slot 5. Does anyone have a step by step procedure and/or web link on how to replace the redundant supervisor card without rebooting the chassis. Any/all help is much appreciated. Thank you. We have the following config for the supervisors. ! redundancy mode sso main-cpu auto-sync running-config auto-sync standard ! Switch#show redundancy Redundant System Information : -- Available system uptime = 2 year, 7 weeks, 3 days, 8 hours, 33 minutes Switchovers system experienced = 0 Standby failures = 0 Last switchover reason = none Hardware Mode = Duplex Configured Redundancy Mode = sso Operating Redundancy Mode = sso Maintenance Mode = Disabled Communications = Up Current Processor Information
Re: [c-nsp] Sup720 CoPP, limits on CPU performance
If somebody comes up with a 'best-practices' CoPP example for the 6500 chassis, I'm sure it would be very useful for several people.

-Peter

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Saku Ytti
Sent: Tuesday, March 23, 2010 6:58 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Sup720 CoPP, limits on CPU performance

On (2010-03-23 09:20 -0400), Chris Griffin wrote:

> Because on the PFC3B, mls HWRL glean traffic is subject to the outbound ACL of the input interface. If it didn't have this feature we would use the glean rate limiter. It's far easier for us to track interface IPs than it is to re-write all of our outbound ACLs to account for inbound glean traffic.

That is nasty, 'luckily' for me egress ACL are no-no anyhow, as they'll create aggregate labels and cause egress IP lookup, which would break hub+spoke VRF config, which is fairly typical in my network.

--
++ytti
Re: [c-nsp] WS-F6K-PFC3CXL= Cisco Catalyst 6500 Series Supervisor Engine 720 PFC-3CXL on Sup720-3B
No it's not.. PFC-3CXL is only supported on the Sup720-10GE supervisor.. Sup720-3B can take a PFC-3BXL, PFC-3B or PFC-3A

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pavel Skovajsa
Sent: Monday, March 08, 2010 1:11 PM
To: Tim Durack
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WS-F6K-PFC3CXL= Cisco Catalyst 6500 Series Supervisor Engine 720 PFC-3CXL on Sup720-3B

Yep it is, see
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf page 44, or
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html

-pavel

On Mon, Mar 8, 2010 at 8:12 PM, Tim Durack tdur...@gmail.com wrote:

> Anyone know if:
>
> WS-F6K-PFC3CXL=, Cisco Catalyst 6500 Series Supervisor Engine 720 PFC-3CXL
>
> Is a supported upgrade on a regular Sup720-3B?
>
> --
> Tim:
[c-nsp] SXI3 sensor reports changing through the day...
Ever since moving to 12.2(33)SXI3, I've seen a somewhat regular appearance and then later disappearance of a selected list of sensors on SUP-7203BXLs Index: configs/gsr-365-backup.unwiredltd.com === retrieving revision 1.116 diff -U 4 -r1.116 gsr-365-backup.unwiredltd.com 
@@ -383,8 +383,33 @@ !PID: , VID:, SN: !NAME: module 5 EARL inlet temperature Sensor, DESCR: module 5 EARL inlet temperature Sensor !PID: , VID:, SN: !NAME: module 5 power-output-fail Sensor, DESCR: module 5 power-output-fail Sensor + !PID: , VID:, SN: + !NAME: module 5 insufficient cooling Sensor, DESCR: module 5 insufficient cooling Sensor + !PID: , VID:, SN: + !NAME: module 5 fan-upgrade required Sensor, DESCR: module 5 fan-upgrade required Sensor + !PID: , VID:, SN: + !NAME: module 5 outlet temperature Sensor, DESCR: module 5 outlet temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 inlet temperature Sensor, DESCR: module 5 inlet temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 device-1 temperature Sensor, DESCR: module 5 device-1 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 device-2 temperature Sensor, DESCR: module 5 device-2 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 asic-1 temperature Sensor, DESCR: module 5 asic-1 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 asic-2 temperature Sensor, DESCR: module 5 asic-2 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 asic-3 temperature Sensor, DESCR: module 5 asic-3 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 asic-4 temperature Sensor, DESCR: module 5 asic-4 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 asic-5 temperature Sensor, DESCR: module 5 asic-5 temperature Sensor + !PID: , VID:, SN: + !NAME: module 5 asic-6 temperature Sensor, DESCR: module 5 asic-6 temperature Sensor + !PID: , VID:, SN: !1`H, SN: 01659746 !NAME: 10/100/1000BaseT Gi5/2, DESCR: 10/100/1000BaseT Gi5/2 !PID: 0x ,VID: 0x,SN: 0x !NAME: Physical Slot 6, DESCR: Cisco Systems Catalyst 6500 6-slot Physical Slot ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
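Review bot: the 25 added lines in this hunk (from "module 5 insufficient cooling Sensor" through "module 5 asic-6 temperature Sensor") are inventory entries with empty PID, VID and SN fields, so this revision records sensors appearing in the collected inventory and no configuration change. If the same entries appear and disappear through the day as the message describes, consider excluding these sensor NAME/PID pairs from the stored inventory so that a diff on this file only fires for real hardware or configuration changes. The unchanged context line "!1`H, SN: 01659746" directly after the last added line also looks corrupted in collection and is worth comparing against the device output.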
[c-nsp] compact flash modules for Sup720-3bxl..
I have some CF 1 GB modules that are recognized on insert:

Feb 25 10:45:11.034 PST: %FILESYS-SP-5-DEV: PCMCIA flash card inserted into disk0

But won't format:

xxx#format disk0:
Format operation may take a while. Continue? [confirm]y
Format operation will destroy all data in disk0:. Continue? [confirm]y
%Error formatting disk0 (No such device)

This is not cisco branded CF, but in the past I've had good luck with a variety of other manuf. CF cards. Any hints on how to make sure the CF card I purchase is going to be compatible?

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100 Mobile: 510-207-
pkr...@unwiredltd.com
Re: [c-nsp] compact flash modules for Sup720-3bxl..
And the max capacity for a Sup720 is 1GB right, no 2GB and up modules allowed?

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Randy McAnally
Sent: Friday, February 26, 2010 2:18 PM
To: Dan Holme; Jason Gurtz
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl..

Ours are SanDisk. They were sold to us by a vendor who assured us of the compatibility.

-- Randy www.FastServ.com

-- Original Message ---
From: Dan Holme dan.ho...@gmail.com
To: Jason Gurtz jasongu...@npumail.com
Cc: cisco-nsp@puck.nether.net
Sent: Fri, 26 Feb 2010 21:34:37 +
Subject: Re: [c-nsp] compact flash modules for Sup720-3bxl..

Well, that would fit my experiences Jason. Looking through a few other SUPs running 12.2SR they all seem to have SanDisk CF in. However the ones I have running 12.2SX do not show the vendor of the CF. Not sure whether that is IOS or CF related.

On Fri, Feb 26, 2010 at 9:19 PM, Jason Gurtz jasongu...@npumail.com wrote:

Unfortunately you can't just use any flash card in the 6500/7600. Theoretically all that is required is a standard ATA CF but I have found that not all work. You can find more info on the CF card like so

show disk0: filesys

I have only had good experiences with:

ATA CARD GEOMETRY
Manufacturer Name SanDisk

..but I am sure there are others that work okay. Recently, on another mailing list, a developer working with ATA drivers made claim that SanDisk is known to follow the ATA specs accurately, unlike many other manufacturers. Something about a RESET command or something. Maybe the SUP is sensitive to these kind of things and doesn't have workarounds coded up. Around here SanDisk isn't too expensive, so it seems like good peace of mind.

~JasonG

-- Dan Holme

--- End of Original Message ---
Re: [c-nsp] 6509-e IOS update
FYI

Based on the dates on your flash, are you thinking of moving to this image:

1 60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin

I would think you should be on this image instead:

S3223-advipservicesk9_wan-mz.122-33.SXI3.bin

I believe most have skipped the SXH train, but could be wrong..

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Leslie Meade
Sent: Friday, February 19, 2010 9:27 AM
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6509-e IOS update

Many thanks..

-----Original Message-----
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: Friday, February 19, 2010 9:04 AM
To: Leslie Meade; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 6509-e IOS update

The config-register defines how the boot process will occur. Usually we have the default values of 0x2102 or 0x102 meaning that the router/switch will take a look to the config and there usually we have a boot system flash device:filename command. So in your case i would do something like:

no boot system flash device:old_ios
boot system flash device:new_ios
boot system flash device:old_ios

Then confirm that everything looks fine with the show bootvar command. You don't need to touch the bootflash. You are running in native mode (not the old hybrid catos+ios mode) so you don't need the MSFC2 file for nothing.

Regards,
Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Leslie Meade
Sent: sexta-feira, 19 de Fevereiro de 2010 16:10
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6509-e IOS update

I have a question about these devices, I am a voice man not a RS man so my kungfu is not strong in this..

I am wanting to update the IOS on this and I am not quite sure on something. Is the booting of this device controlled by the Sup-bootdisk? I.e. if I change the code in the configs to boot the new ios and reload it should work? The question is this: what is bootflash: used for? Should I also update it as well?

DTCCAT-CORE01#sh bootflash:
-#- ED type --crc--- -seek-- nlen -length- -date/time- name
1 .. image 3CA5FC8A 1098158 38 16875736 May 5 2007 21:26:10 +00:00 c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin

DTCCAT-CORE01#sh sup-bootdisk:
-#- --length-- -date/time-- path
1 60284964 Feb 19 2010 15:42:58 s3223-advipservicesk9_wan-mz.122-33.SXH6.bin
2 58262020 Aug 23 2008 18:58:58 s3223-advipservicesk9_wan-mz.122-33.SXH3.bin
3 26843548 Aug 23 2008 19:05:40 sea_log.dat

Cheers
Leslie
Re: [c-nsp] Layer 2 VLAN advice..
So in terms of enabling MPLS on a fully meshed set of routers running BGP and OSPF.. Here are the general steps I believe;

#conf t
Tag-switching advertise-tags
!
Int g0/0
 Mtu 9216
 Tag-switching ip
!

However, what can I expect to happen when this is done, i.e. will existing BGP sessions drop between the routers whose interfaces I have changed to tag-switching IP? What other kinds of gotchas? Ideally I'd like to add MPLS capabilities in a hitless manner to the existing network.

-Peter
Re: [c-nsp] Layer 2 VLAN advice..
The network is composed of 6509-e chassis with SUP 720 3BXL cards at all sites.. So far respondents have recommended the following options; (so many ways to skin this cat..!)

EoMPLS
Cisco Resilient Ethernet Protocol (REP)
802.17 (RPR)
Spatial Reuse Protocol (SRP)
STP

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, February 02, 2010 1:26 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Layer 2 VLAN advice..

On 02/01/2010 08:59 PM, Peter Kranz wrote:

Currently in our network we use dot1Q trunks to forward end-user/customer VLANs from Site A to Site B to provide them virtual point-to-point circuits between data centers without the overhead of some type of VPN tunnel. However if one of our backhauls between data centers fails, we would desire these VLANs to forward via an alternative backhaul path (All of our data centers have at least 2 exits to other datacenters in our network, and are meshed via OSPF/BGP)

What equipment are you running the network on? EoMPLS occurs as an option, but of course requires enabling MPLS.
[c-nsp] Layer 2 VLAN advice..
Currently in our network we use dot1Q trunks to forward end-user/customer VLANs from Site A to Site B to provide them virtual point-to-point circuits between data centers without the overhead of some type of VPN tunnel. However if one of our backhauls between data centers fails, we would desire these VLANs to forward via an alternative backhaul path (All of our data centers have at least 2 exits to other datacenters in our network, and are meshed via OSPF/BGP)

It seems like there are a lot of different approaches to provide some level of self-healing/redundancy to these layer2 services we offer, I am interested in advice on which would be most straightforward to implement on top of our existing layer3 network. Perhaps implementing Rapid-PVST is the simplest approach, but I'd be interested in some best-practices knowledge here..

Thanks!

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] Problem after upgrading ios on the 6509-E
Hi Renelson,

Without telling us the errors, not sure how we can diagnose your issue.

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Renelson Panosky
Sent: Thursday, October 22, 2009 8:07 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Problem after upgrading ios on the 6509-E

A lot of my WS-X6148A-GE-45AF showing up with minor error after I upgrade the IOS on my switch, does anybody here have any idea why and how to fix it? I've tried the following but still showing up with errors

1) I reset the module
2) I reseat the module (take it out and put it back in)

Renelson
Re: [c-nsp] instabilities with SXI2?
Given all this.. is the SXI2a a 'no go' for a production platform at this time? We are planning on doing a version refresh to address the TCP State manipulation issue, and considering moving to SXI2a from the SXF chain.

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Kevin Graham
Sent: Monday, September 14, 2009 1:15 PM
To: Phil Mayers; Daniska Tomas
Cc: g...@greenie.muc.de; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] instabilities with SXI2?

TAC was pretty responsive, they have identified this as CSCtb27643. It happens in SXI2, both modular and monolithic, and whether in VSS or not, just when DFCs are in place. The ddts is not public so ask your local team.

FWIW we just ran into this; TAC told me SXI2a would be released shortly

Hit it as well, after ~2 weeks of uptime, and then 4 crashes in the next 12 hours. According to TAC's diagnosis these were all due to the same bug, which seems peculiar for a resource leak. They hadn't seen this frequent of a crash caused by CSCtb27643 yet -- has anyone else?
Re: [c-nsp] Netflow Collector shows minimal bandwidth from 6509
We needed the following to see all of the flow data (we use sampling as well):

int x/x
 ip flow ingress
 ip route-cache flow
 mls netflow sampling

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andreas Bourges
Sent: Monday, July 06, 2009 7:39 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow Collector shows minimal bandwidth from 6509

Hi,

On Monday 06 July 2009 16:01:42 Justin Krejci wrote:

interface GigabitEthernet5/1
 ip flow ingress
 ip flow egress

...ip flow egress will only catch the software-processed flows. So you will need to modify your netflow setup to enable ip flow ingress on all layer3 interfaces to catch all output traffic for gig5/1.

which doesn't explain why you're still missing 50% of your ingress flows ?!

Regards,
Andy
[c-nsp] ebgp load balancing using maximum-paths TCAM impact on Sup720-3BXL?
Setup is as follows; 2 edge routers, each with a BGP session receiving full routes to the same provider router. The provider is load balancing inbound traffic to our AS nicely, 50/50 between the edge routers.. I would also like to load balance the outbound traffic..

I've considered adding 'maximum-paths 2' to install the two equal paths, but am concerned about FIB TCAM impacts. Will adding this command cause each equal cost route to take one additional TCAM entry, i.e. full routing table x 2 524k TCAM limit = EPIC meltdown?

Current FIB TCAM:

L3 Forwarding Resources
  FIB TCAM usage:               Total    Used     %Used
  72 bits (IPv4, MPLS, EoM)     524288   285506   54%
  144 bits (IP mcast, IPv6)     262144   5        1%

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- pkr...@unwiredltd.com
Re: [c-nsp] Client/server bandwidth tester
Iperf http://dast.nlanr.net/Projects/Iperf/

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Price
Sent: Wednesday, May 07, 2008 4:53 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Client/server bandwidth tester

Hey guys, I'm looking for a good bandwidth tester. I would like to have something that has a server piece on one side and a client on the other, So for example I just setup a point to point wireless link for a customer and it would be nice to throw a laptop on the far end and slam the link and see what I get.. Anything like that out there?

Thanks,
Brandon
Re: [c-nsp] Traffic Analyzing?
Sure.. Check out stager http://software.uninett.no/stager or FlowViewer http://ensight.eos.nasa.gov/FlowViewer/ coupled with netflow data exports.. both have nice web front ends to allow you to slice and dice your netflow data. Of course your router will need full routes so it knows prefixes and destination ASN#.

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shaun R.
Sent: Wednesday, December 12, 2007 12:43 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Traffic Analyzing?

I don't know if something like this is even possible so I figured I would ask. I was wondering if there was any type of software out there that would monitor traffic leaving the network and display reports about which ASN/Providers they are going down. This would be useful for determining what providers I should peer with next. For example if the software showed that 50% of my traffic was destined to travel to or across Level3 then it would be beneficial for me to bring in a pipe from level3. Anything out there like this?

~Shaun
[c-nsp] Splitting 2 traffic streams for billing/accounting purposes
In the process of turning up a 10G link from a customer's office to one of our data centers. They want both internet access for their office and connectivity to their gear in the data center. For purposes of billing, I need to be able to split the traffic into routed Internet Access traffic vs routed access to their gear in the DC..

From the customer's direction toward the DC, it seems easy to use routing rules to route the two destinations via different VLANs.. In the reverse direction; I need a way to route traffic destined to the customer's office IP range FROM the internet via VLAN #1, and traffic from the customer's gear via VLAN #2.. I.e. everything sourced from a particular set of subnets to a particular subnet will route VIA VLAN #1, otherwise route via VLAN #2..

Or do I have the crazy and is there an easier way to account for this..

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]
Re: [c-nsp] Splitting 2 traffic streams for billing/accounting purposes
Yes, already being done.. but I like the concept of having real-time 95th percentile graphs for both data flows.

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]

From: Joe Loiacono [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 14, 2007 10:57 AM
To: [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net; [EMAIL PROTECTED]
Subject: Re: [c-nsp] Splitting 2 traffic streams for billing/accounting purposes

[EMAIL PROTECTED] wrote on 11/14/2007 01:20:31 PM:

In the process of turning up a 10G link from a customer's office to one of our data centers. They want both internet access for their office and connectivity to their gear in the data center. For purposes of billing, I need to be able to split the traffic into routed Internet Access traffic vs routed access to their gear in the DC..

If it is just billing you're after have you considered exporting netflow data from the device?

Joe
[c-nsp] Bad 720-3BXL?
A new 3BXL in burn-in keeps dumping crashinfo's.. bad hardware, or IOS problem?

Details:

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

NAME: WS-C6506-E, DESCR: Cisco Systems Catalyst 6500 6-slot Chassis System
PID: WS-C6506-E, VID: V02, SN: SAL10403KDS
NAME: WS-C6K-VTT-E 1, DESCR: VTT-E FRU 1
PID: WS-C6K-VTT-E , VID:, SN: SMT1031G183
NAME: WS-C6K-VTT-E 2, DESCR: VTT-E FRU 2
PID: WS-C6K-VTT-E , VID:, SN: SMT1030A329
NAME: WS-C6K-VTT-E 3, DESCR: VTT-E FRU 3
PID: WS-C6K-VTT-E , VID:, SN: SMT1030A293
NAME: CLK-7600 1, DESCR: OSR-7600 Clock FRU 1
PID: CLK-7600 , VID:, SN: SMT1029C869
NAME: CLK-7600 2, DESCR: OSR-7600 Clock FRU 2
PID: CLK-7600 , VID:, SN: SMT1029C869
NAME: 3, DESCR: WS-X6748-GE-TX CEF720 48 port 10/100/1000mb Ethernet Rev. 2.5
PID: WS-X6748-GE-TX, VID: V02, SN: SAL1009EKLH
NAME: switching engine sub-module of 3, DESCR: WS-F6700-CFC Centralized Forwarding Card Rev. 2.1
PID: WS-F6700-CFC , VID: V01, SN: SAL1012GFAD
NAME: 4, DESCR: WS-X6516-GBIC SFM-capable 16 port 1000mb GBIC Rev. 5.5
PID: WS-X6516-GBIC , VID:, SN: SAL0735L0P4
NAME: 5, DESCR: WS-SUP720-3BXL 2 ports Supervisor Engine 720 Rev. 5.3
PID: WS-SUP720-3BXL, VID: V03, SN: SAL1015JPT1
NAME: msfc sub-module of 5, DESCR: WS-SUP720 MSFC3 Daughterboard Rev. 2.6
PID: WS-SUP720 , VID:, SN: SAL1015JPU9
NAME: switching engine sub-module of 5, DESCR: WS-F6K-PFC3BXL Policy Feature Card 3 Rev. 1.8
PID: WS-F6K-PFC3BXL, VID: V01, SN: SAL1015JQ3X
NAME: WS-C6506-E-FAN 1, DESCR: Enhanced 6-slot Fan Tray 1
PID: WS-C6506-E-FAN, VID: V03, SN: DCH10470698
NAME: PS 1 WS-CAC-2500W, DESCR: 110/220v AC power supply, 2500 watt 1
PID: WS-CAC-2500W , VID:, SN: ART0817E032
NAME: PS 2 WS-CAC-2500W, DESCR: 110/220v AC power supply, 2500 watt 2
PID: WS-CAC-2500W , VID:, SN: ART0818E0QM

Latest crash:

%Software-forced reload
Breakpoint exception, CPU signal 23, PC = 0x41D7658C
-Traceback= 41D7658C 41D744D8 418698BC 4186AC78 41AC4E10 41AC4F68 41D68FAC
$0 : , AT : 430E, v0 : 44AD, v1 : 4363
a0 : 4729CFF8, a1 : 8100, a2 : , a3 : 42E1
t0 : 41D69098, t1 : 34008101, t2 : 41D690C0, t3 : 00FF
t4 : 41D69098, t5 : 0004A049, t6 : 5000, t7 :
s0 : , s1 : 4309, s2 : , s3 : 4305
s4 : 4305, s5 : 4305, s6 : 42AF, s7 : 42AF
t8 : 5001025C, t9 : 0005, k0 : , k1 :
gp : 430E0230, sp : 50010340, s8 : 42AF, ra : 41D744D8
EPC : 41D7658C, ErrorEPC : 41AC9CF0, SREG : 34008103
MDLO : , MDHI : , BadVaddr :
DATA_START : 0x42DC0210
Cause 0824 (Code 0x9): Breakpoint exception
Writing crashinfo to bootflash:crashinfo_20071031-164227
=== Flushing messages (09:42:27 PDT Wed Oct 31 2007) ===
Buffered messages:
Queued messages:
*Oct 31 09:42:27: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
*Oct 31 09:42:27: %C6K_PLATFORM-2-PEER_RESET: RP is being reset by the SP
*** System received a Software forced crash ***
signal= 0x17, code= 0x24, context= 0x44aca994
PC = 0x41d690f4, SP = 0x4308c088, RA = 0x4106c330
Cause Reg = 0x3c20, Status Reg = 0x34008002
rommon 1
Oct 31 09:42:30: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Oct 31 09:42:30: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
*** System received an FPU exception ***
signal= 0x8, code= 0x2c, context= 0x42330e64
PC = 0x402d1bac, Cause = 0x1820, Status Reg = 0x34008002

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]
Re: [c-nsp] Bad 720-3BXL?
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

It's at a default burn-in config already.. I'm leaning toward a defective SUP, although this is our first SXF11 build deployment.. we have SXF8 on the rest of our 720's

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]

-----Original Message-----
From: Chris Woodfield [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 31, 2007 11:03 AM
To: [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Bad 720-3BXL?

What software rev? Rolling FPU exceptions generally scream hardware to me, unless you're running some pretty exotic features. Also, does this happen when you wr erase and boot it with a blank nvram?

-C

On Oct 31, 2007, at 12:52 PM, Peter Kranz wrote:

A new 3BXL in burn-in keeps dumping crashinfo's.. bad hardware, or IOS problem?

Details:

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)

NAME: WS-C6506-E, DESCR: Cisco Systems Catalyst 6500 6-slot Chassis System
PID: WS-C6506-E, VID: V02, SN: SAL10403KDS
NAME: WS-C6K-VTT-E 1, DESCR: VTT-E FRU 1
PID: WS-C6K-VTT-E , VID:, SN: SMT1031G183
NAME: WS-C6K-VTT-E 2, DESCR: VTT-E FRU 2
PID: WS-C6K-VTT-E , VID:, SN: SMT1030A329
NAME: WS-C6K-VTT-E 3, DESCR: VTT-E FRU 3
PID: WS-C6K-VTT-E , VID:, SN: SMT1030A293
NAME: CLK-7600 1, DESCR: OSR-7600 Clock FRU 1
PID: CLK-7600 , VID:, SN: SMT1029C869
NAME: CLK-7600 2, DESCR: OSR-7600 Clock FRU 2
PID: CLK-7600 , VID:, SN: SMT1029C869
NAME: 3, DESCR: WS-X6748-GE-TX CEF720 48 port 10/100/1000mb Ethernet Rev. 2.5
PID: WS-X6748-GE-TX, VID: V02, SN: SAL1009EKLH
NAME: switching engine sub-module of 3, DESCR: WS-F6700-CFC Centralized Forwarding Card Rev. 2.1
PID: WS-F6700-CFC , VID: V01, SN: SAL1012GFAD
NAME: 4, DESCR: WS-X6516-GBIC SFM-capable 16 port 1000mb GBIC Rev. 5.5
PID: WS-X6516-GBIC , VID:, SN: SAL0735L0P4
NAME: 5, DESCR: WS-SUP720-3BXL 2 ports Supervisor Engine 720 Rev. 5.3
PID: WS-SUP720-3BXL, VID: V03, SN: SAL1015JPT1
NAME: msfc sub-module of 5, DESCR: WS-SUP720 MSFC3 Daughterboard Rev. 2.6
PID: WS-SUP720 , VID:, SN: SAL1015JPU9
NAME: switching engine sub-module of 5, DESCR: WS-F6K-PFC3BXL Policy Feature Card 3 Rev. 1.8
PID: WS-F6K-PFC3BXL, VID: V01, SN: SAL1015JQ3X
NAME: WS-C6506-E-FAN 1, DESCR: Enhanced 6-slot Fan Tray 1
PID: WS-C6506-E-FAN, VID: V03, SN: DCH10470698
NAME: PS 1 WS-CAC-2500W, DESCR: 110/220v AC power supply, 2500 watt 1
PID: WS-CAC-2500W , VID:, SN: ART0817E032
NAME: PS 2 WS-CAC-2500W, DESCR: 110/220v AC power supply, 2500 watt 2
PID: WS-CAC-2500W , VID:, SN: ART0818E0QM

Latest crash:

%Software-forced reload
Breakpoint exception, CPU signal 23, PC = 0x41D7658C
-Traceback= 41D7658C 41D744D8 418698BC 4186AC78 41AC4E10 41AC4F68 41D68FAC
$0 : , AT : 430E, v0 : 44AD, v1 : 4363
a0 : 4729CFF8, a1 : 8100, a2 : , a3 : 42E1
t0 : 41D69098, t1 : 34008101, t2 : 41D690C0, t3 : 00FF
t4 : 41D69098, t5 : 0004A049, t6 : 5000, t7 :
s0 : , s1 : 4309, s2 : , s3 : 4305
s4 : 4305, s5 : 4305, s6 : 42AF, s7 : 42AF
t8 : 5001025C, t9 : 0005, k0 : , k1 :
gp : 430E0230, sp : 50010340, s8 : 42AF, ra : 41D744D8
EPC : 41D7658C, ErrorEPC : 41AC9CF0, SREG : 34008103
MDLO : , MDHI : , BadVaddr :
DATA_START : 0x42DC0210
Cause 0824 (Code 0x9): Breakpoint exception
Writing crashinfo to bootflash:crashinfo_20071031-164227
=== Flushing messages (09:42:27 PDT Wed Oct 31 2007) ===
Buffered messages:
Queued messages:
*Oct 31 09:42:27: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
*Oct 31 09:42:27: %C6K_PLATFORM-2-PEER_RESET: RP is being reset by the SP
*** System received a Software forced crash ***
signal= 0x17, code= 0x24, context= 0x44aca994
PC = 0x41d690f4, SP = 0x4308c088, RA = 0x4106c330
Cause Reg = 0x3c20, Status Reg = 0x34008002
rommon 1
Oct 31 09:42:30: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Oct 31 09:42:30: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
*** System received an FPU exception ***
signal= 0x8, code= 0x2c, context= 0x42330e64
PC = 0x402d1bac, Cause = 0x1820, Status Reg = 0x34008002

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]
Re: [c-nsp] Late night BGP puzzler
Unfortunately, MED comes too late in the process for this example (equal AS path length routes from 2 different AS#, one IGP and one EGP).. The only option is local_pref (or weight, but that could lead to trouble)

Step 5: Prefer the path with the lowest origin type. Note: IGP is lower than Exterior Gateway Protocol (EGP), and EGP is lower than INCOMPLETE.
Step 6: Prefer the path with the lowest multi-exit discriminator (MED).

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gert Doering
Sent: Wednesday, August 01, 2007 11:26 PM
To: Gunjan GANDHI (BR/EPA)
Cc: Collins, Richard (EXT); cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Late night BGP puzzler

Hi,

On Thu, Aug 02, 2007 at 12:00:50PM +1000, Gunjan GANDHI (BR/EPA) wrote:

MED should not be used under this scenario as both the upstream routes are from different providers. Unless both providers have agreed upon a MED benchmark value, it is not wise to use MED for route selection. It is like comparing oranges with apples.

I strongly disagree here - this is purely a matter of local policy. MED is a much better tool for careful traffic adjustment than local-pref.

gert

-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany [EMAIL PROTECTED] fax: +49-89-35655025 [EMAIL PROTECTED]
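The ordering argued over in this thread (origin at step 5, MED at step 6), as an added example that is not part of any poster's message: a simplified Python model of the best-path steps named above. The path names, private AS numbers and MED values are constructed; the locally-originated check and all tie-breakers after MED are left out, and the `always_compare_med` flag models the `bgp always-compare-med` behaviour.

```python
# Added example: simplified model of the BGP best-path steps discussed in the
# thread. Sample paths and AS numbers are constructed for illustration.
from dataclasses import dataclass, replace

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}  # lower is preferred


@dataclass(frozen=True)
class Path:
    name: str
    neighbor_as: int
    as_path: tuple
    origin: str
    med: int = 0
    local_pref: int = 100
    weight: int = 0


# (step name, key function); the lowest key wins at each step.
STEPS_BEFORE_MED = [
    ("weight", lambda p: -p.weight),            # highest weight
    ("local_pref", lambda p: -p.local_pref),    # highest local preference
    ("as_path_length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
]


def _med_survivors(paths, always_compare_med):
    """Keep the lowest-MED path(s). By default MED is only compared between
    paths learned from the same neighbouring AS."""
    if always_compare_med:
        groups = {None: list(paths)}
    else:
        groups = {}
        for p in paths:
            groups.setdefault(p.neighbor_as, []).append(p)
    survivors = []
    for group in groups.values():
        lowest = min(p.med for p in group)
        survivors.extend(p for p in group if p.med == lowest)
    return survivors


def best_path(paths, always_compare_med=False):
    """Return (winner name, name of the step that decided)."""
    candidates = list(paths)
    if not candidates:
        raise ValueError("no paths to compare")
    for step, key in STEPS_BEFORE_MED:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0].name, step
    candidates = _med_survivors(candidates, always_compare_med)
    if len(candidates) == 1:
        return candidates[0].name, "med"
    return candidates[0].name, "later tie-breakers (not modelled)"


def demo():
    # Equal AS-path length, two different upstream ASes, one IGP and one EGP
    # origin, with a much lower MED on the EGP path.
    a = Path("provider_a", 64501, (64501, 64510), "IGP", med=200)
    b = Path("provider_b", 64502, (64502, 64510), "EGP", med=10)
    b_same_origin = replace(b, origin="IGP")
    return {
        "med_never_reached": best_path([a, b]),
        "local_pref_override": best_path([a, replace(b, local_pref=200)]),
        "same_origin_default": best_path([a, b_same_origin]),
        "same_origin_always_compare": best_path(
            [a, b_same_origin], always_compare_med=True
        ),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```
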
[c-nsp] CF
Has anyone tried using a CompactFlash PC Card adapter with a GSR 12k or similar to use CF flash cards instead of PC Card flash? It's getting harder to find PC Card flash memory around these days, not sure if this 'works' however..

An example: http://tinyurl.com/fh2hk

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]
[c-nsp] Per destination or per VLAN CIR/MIR
I'm trying to figure out the best way to solve the following problem; (Currently I used linux running HTB to do this, but would like to ditch the linux box)

On mountain top sites, we have a few hundred users, each with a subnet of /30 or larger.. Each user has a MIR and CIR based on their data plan, i.e. 1 Mb/s CIR burstable to 6 Mb/s MIR.. Due to the nature of the technology, all the users on a particular access point/radio share the full BW of the radio, let's say 14 Mb/s, So If one user is bursting at 6 Mb/s that leaves 8 Mb/s for other users' MIR and CIR before it starts lowering the bursting user's BW.

What's the best way to implement this model in a Cisco world? What switch models support it? I was looking at UBRL but it doesn't appear to support the PIR when using user subnet masks..

Thanks.

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]
[c-nsp] patch panels/cable management..
Looking for 'best practices' and recommendations for carrier rack cable management.. I am mounting 2 6506-E's with fiber and copper linecards (primary/redundant router) in the meet me room of a new data center, and want to end up with a slick looking install vs the crazy cable tangle some of our gear is today.

Ideally I'd envision some kind of structured cabling pre plugged into all the ports on the Cisco into some patch panels at the top of the rack. Then when the data center brought in cross connects they would just need a jumper to x-connect from their demark to this upper patch panel.

Has anyone seen snazzy cable bundles designed to plug into 48 port line cards and terminate into the back/front of a patch panel in a clean manner like this.. open to suggestions, etc.. part#'s would be great too..

Thanks

Peter Kranz www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]
Re: [c-nsp] WS-X6148-GE-TX
No reason to go with the non-A model.. especially since it's actually more expensive in the market currently.

Peter Kranz Founder/CEO - Unwired Ltd www.UnwiredLtd.com Desk: 510-868-1614 x100 Mobile: 510-207- [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holemans Wim
Sent: Thursday, March 29, 2007 5:09 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] WS-X6148-GE-TX

I have to 'replicate' an existing 6513 switch. The current 6513 has a sup2 Supervisor board and 5 WS-X6148-GE-TX boards. The Sup2 board is EOS so we will go for the Sup32 engine. I noticed in our pricelist that there is also a WS-X6148A-GE-TX board. I did a search at cisco's website and it seems to me that this board has more features (e.g. larger buffer/port, jumbo support) than the original WS-X6148-GE-TX board but both are still available according to our pricelist. (The A-version however is cheaper). Does anyone know a reason why we should go for the 6148 board instead of 6148A ?

Thanks,
Wim Holemans
Network Services
University of Antwerp