[c-nsp] Hiding SCP Password Using Archive Feature
Hi Guys

What I'm trying to achieve:

1. Every time an engineer runs the write-memory command, a copy of the running config is sent to my SCP server.
2. Every 7 days, a copy of the running config is sent to my SCP server.
3. The password in configuration is not shown in clear text.

It's just #3 that I hope there is a fix for. Here is an example of my config.

archive
 path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
 write-memory
 time-period 10080

Because the password part of the SCP config is not an IOS recognised password I don't appear to be able to encrypt it. If that's the case is there a secure fudge, like somehow referencing a local username that does have password encryption. I'm not looking for server based solutions like SolarWinds etc.

Thanks
Rick

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
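The practical risk in the post above is that a `show running-config` or a config backup carries the SCP credential in the clear. As an added example (not from the thread or any vendor tool), the audit below scans an IOS-style config for credentials embedded in URLs and for `password` lines that are cleartext or type-7, and produces a redacted copy that is safe to paste into a ticket. The sample config is constructed; only its archive stanza mirrors the post.

```python
"""Audit an IOS-style config for credentials that are stored in the clear.

Added example, not from the mailing-list post. SAMPLE_CONFIG is constructed;
its archive stanza mirrors the one quoted in the post.
"""
import re
from dataclasses import dataclass

# user:password embedded in a URL, e.g. "path scp://user:password@1.2.3.4/..."
URL_CRED_RE = re.compile(
    r"\b(?P<scheme>scp|sftp|ftp|tftp|https?)://"
    r"(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s]+)"
)
# "password <v>" and "password 0 <v>" are cleartext; "password 7 <v>" is the
# reversible type-7 encoding. "secret 5/8/9" hashes are deliberately ignored.
PW_LINE_RE = re.compile(r"\bpassword\s+(?:(?P<type>\d+)\s+)?(?P<val>\S+)")

# Constructed sample; the hash and type-7 strings are placeholders, not real values.
SAMPLE_CONFIG = """\
hostname CUSTOMER-LONDON6-ETH1
!
archive
 path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
 write-memory
 time-period 10080
!
ip ftp username backup
ip ftp password 0 hunter2
!
username admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhashXXXXXXXXXX
line vty 0 4
 password 7 0000PLACEHOLDER
!
"""


@dataclass
class Finding:
    line_no: int
    kind: str      # "url-credential", "cleartext" or "reversible"
    redacted: str  # the offending line with the secret masked


def _redact_line(line: str) -> str:
    """Mask the secret part of a line so it can be shared in a ticket or diff."""
    line = URL_CRED_RE.sub(
        lambda m: f"{m['scheme']}://{m['user']}:<REDACTED>@{m['host']}", line)
    return PW_LINE_RE.sub(
        lambda m: "password " + (f"{m['type']} " if m['type'] else "") + "<REDACTED>",
        line)


def classify_password_type(type_code):
    """Map the numeric password type to a finding kind, or None if it is hashed."""
    if type_code in (None, "0"):
        return "cleartext"
    if type_code == "7":
        return "reversible"
    return None


def find_cleartext_credentials(config: str):
    """Return one Finding per config line that exposes a recoverable secret."""
    findings = []
    for no, line in enumerate(config.splitlines(), start=1):
        if URL_CRED_RE.search(line):
            findings.append(Finding(no, "url-credential", _redact_line(line)))
            continue
        m = PW_LINE_RE.search(line)
        if m:
            kind = classify_password_type(m["type"])
            if kind:
                findings.append(Finding(no, kind, _redact_line(line)))
    return findings


def redact(config: str) -> str:
    """Return the whole config with every recoverable secret masked."""
    return "\n".join(_redact_line(l) for l in config.splitlines())


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind}: {f.redacted.strip()}")
```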
[c-nsp] Cisco 4k Performance and Boost Licensing
Hi Guys

Quick question regarding the above. Can I activate a boost license independent of a performance license or do I need to activate the performance license and then the boost license? I was hoping I could just activate the boost license on a 4451 to give me 4Gb, rather than activate the performance license first. So 1GB > 4GB rather than 1GB > 2Gb > 4Gb.

Thanks
Rick
Re: [c-nsp] Dual Homed Site with L2 Backup
Hi Hunter

The only thing that puts me off this approach is the tromboning of traffic for the primary L2 path. It will reduce the capacity of the CE router.

PC-Host > Customer L2 > CE L2 attachment interface > CE Tunnel, back to Customer L3 for transit of tunnel traffic.

Thanks
Rick
Gamma.co.uk

On Sun, 23 Dec 2018 at 17:46, Hunter Fuller wrote:
> Yes, this is what we are planning. We are landing the L2 circuit (in our case, it's over DWDM) on the VTEPs directly. But they also have access to an L3 path through the IGP. The tunnel is always in use.
>
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
> On Sun, Dec 23, 2018 at 11:03 AM Arie Vayner wrote:
>> One approach I can see to make it work consistently regardless what path it takes is to use the overlay at all times, even when the primary path is up.
>>
>> Basically you just make the layer 2 link routed (i.e. terminate it with layer 3 ports on both ends), and run the VXLAN one hop before (or anywhere it makes sense).
>>
>> This way you just run a vxlan extension over a layer 3 redundant path.
Re: [c-nsp] Dual Homed Site with L2 Backup
Thanks for the replies

In the current topology the customer connects the L2 circuit directly to their core L2/L3 switches which I have no control over. When the L2 is connected and the tunnel is up an L2 loop forms and because spanning-tree is not forwarded over VXLAN or OTV tunnels, it can't be used to detect and block loops. To counter this I enabled spanning-tree on the two 4431 (MST) and gave them both the lowest bridge priorities in the tree. I also enabled root guard on 4431-2 LAN interface. When all is connected 4431-2 sees a superior root advertised into its LAN interface (from 4431-1), 4431-2 then blocks this interface and as a result blocks the loop. When the L2 p2p is dropped 4431-2 stops seeing the superior root and unblocks the port allowing the tunnel path to be the new L2 path between the sites.

I tested this with different customer spanning tree modes and with both VXLAN and OTV, both worked well and failed over consistently using the root guard feature.

Observations - Configurations

* Even though VXLAN isn't officially supported on the 4431 it works flawlessly.
* With the throughput license enabled I was pushing 900Mb/s over the tunnel and the 4431 CPUs were running at 2%.
* Spanning-tree can't be used to detect and block loops but root guard can be used to detect a superior root and in practice blocks the loop.
* I costed out the link from customer core L2 to 4431-2.
* I always used MST on the 4431s but tested MST and Rapid PVST on the customer side.

It would be interesting to test the other suggestions you guys have made.

Thanks
Rick
gamma.co.uk

On Sun, 23 Dec 2018, 17:46 Hunter Fuller wrote:
> Yes, this is what we are planning. We are landing the L2 circuit (in our case, it's over DWDM) on the VTEPs directly. But they also have access to an L3 path through the IGP. The tunnel is always in use.
Re: [c-nsp] Dual Homed Site with L2 Backup
Hi Arie

I did encounter the MTU requirement and configured the lab to allow for it. VXLAN may be the future but this topology isn't really what it was intended for, due to the loop it creates (same with OTV). I was still able to create a working design for both protocols regardless.

Would be interesting to see how others would meet the requirement with this particular set of constraints.

Thanks
Rick
gamma.co.uk

On Sat, 22 Dec 2018, 20:29 Arie Vayner wrote:
> Vxlan is the future...
> Be very careful with the mtu implications.
>
> Tnx, Arie
[c-nsp] Dual Homed Site with L2 Backup
Hi Guys

Scenario

Customer has dual homed geographically separated site into mpls wan. They also have a single layer 2 circuit running between the two. The requirement is to backup the layer 2 over the wan circuits. The wan hardware at both sites is cisco 4k ios xe.

I'm interested to know how you guys would achieve this. I've had the luxury of 4 days in the lab testing VXLAN, OTV and L2TPV3 xconnect between the two 4k routers, also did JDSU throughput testing over the tunnel, was quite interesting.
Re: [c-nsp] 4431 - L2TPV3 xconnect inside Service Instance
I actually got VXLAN working between 2 x 4431s in the end, regardless of what the Cisco site said. I guess what they mean is, "it will work on the 4431 but we will not support it". It's actually a cool protocol/feature, works well and fails over fast.

On Sun, 9 Dec 2018 at 14:40, Richard Clayton wrote:
> Changed my lab to VXLAN only to find it's not supported on the 4431, only supported on the 4451. It lets you put all the commands in but doesn't work, why do Cisco do that to us, surely just remove the commands when there is no support for it?
>
> https://www.cisco.com/c/en_in/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-732542.html
Re: [c-nsp] 4431 - L2TPV3 xconnect inside Service Instance
Changed my lab to VXLAN only to find it's not supported on the 4431, only supported on the 4451. It lets you put all the commands in but doesn't work, why do Cisco do that to us, surely just remove the commands when there is no support for it?

https://www.cisco.com/c/en_in/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-732542.html

On Sat, 8 Dec 2018 at 10:27, Richard Clayton wrote:
> Config snippet from both routers
>
> CE R1
> interface GigabitEthernet0/0/3
>  description POP1-CE02 3750SW-1
>  mtu 1600
>  no ip address
>  media-type rj45
>  negotiation auto
>  service instance 1 ethernet
>   description L2 Extension LAN
>   encapsulation dot1q 229,232
>   xconnect 100.66.50.110 100 encapsulation l2tpv3 pw-class L2TPv3
>  !
>  service instance 2 ethernet
>   description Corporate L3 LAN
>   encapsulation dot1q 700
>   rewrite ingress tag pop 1 symmetric
>   bridge-domain 4
>  !
>
> CE R2
> interface GigabitEthernet0/0/3
>  description POP2-CE02 3750SW-1
>  mtu 1600
>  no ip address
>  negotiation auto
>  service instance 1 ethernet
>   description L2 Extension LAN
>   encapsulation dot1q 229,232
>   xconnect 100.66.50.109 100 encapsulation l2tpv3 pw-class L2TPv3
>  !
>  service instance 2 ethernet
>   description Corporate L3 LAN
>   encapsulation dot1q 700
>   rewrite ingress tag pop 1 symmetric
>   bridge-domain 4
>  !
> !
Re: [c-nsp] 4431 - L2TPV3 xconnect inside Service Instance
Config snippet from both routers

CE R1
interface GigabitEthernet0/0/3
 description POP1-CE02 3750SW-1
 mtu 1600
 no ip address
 media-type rj45
 negotiation auto
 service instance 1 ethernet
  description L2 Extension LAN
  encapsulation dot1q 229,232
  xconnect 100.66.50.110 100 encapsulation l2tpv3 pw-class L2TPv3
 !
 service instance 2 ethernet
  description Corporate L3 LAN
  encapsulation dot1q 700
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 !

CE R2
interface GigabitEthernet0/0/3
 description POP2-CE02 3750SW-1
 mtu 1600
 no ip address
 negotiation auto
 service instance 1 ethernet
  description L2 Extension LAN
  encapsulation dot1q 229,232
  xconnect 100.66.50.109 100 encapsulation l2tpv3 pw-class L2TPv3
 !
 service instance 2 ethernet
  description Corporate L3 LAN
  encapsulation dot1q 700
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 !
!

On Fri, 7 Dec 2018 at 18:04, Richard Clayton wrote:
> Hi Guys
>
> I have two main sites, HQ and DR, the site has layer 2 p2p between them and a 4431 on each for the WAN. They want layer two backup over the 4431 WAN circuits for their existing layer 2 p2p.
> I have tested L2TPV3 xconnect inside LAN facing Service Instance, the L2TPV3 session establishes, but is not passing any frames. My question. Is L2TPV3 xconnect inside a Service Instance supported on 4431 IOS XE, or do I need to change my lab to either OTV or VXLAN?
>
> I have the AppX license installed on both routers.
>
> Thanks in advance for your assistance.
>
> Rick
[c-nsp] 4431 - L2TPV3 xconnect inside Service Instance
Hi Guys

I have two main sites, HQ and DR, the site has layer 2 p2p between them and a 4431 on each for the WAN. They want layer two backup over the 4431 WAN circuits for their existing layer 2 p2p.

I have tested L2TPV3 xconnect inside LAN facing Service Instance, the L2TPV3 session establishes, but is not passing any frames. My question. Is L2TPV3 xconnect inside a Service Instance supported on 4431 IOS XE, or do I need to change my lab to either OTV or VXLAN?

I have the AppX license installed on both routers.

Thanks in advance for your assistance.

Rick
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
The reason this particular customer wants to extend layer 2 is Vmotion.

On 1 Feb 2018 17:04, "Aaron Gould" wrote:
> So I think (I could be wrong as I'm not a server guy) that all this L2 network emulation is because of server virtualization and moving vm's or vmotion or something like that, and that they need to be in same ip subnet (aka bcast domain) correct ?
>
> *if* that's true, and *if* all this layer 2 networking madness is because of that point stated above, I would think that someone (vendors/standards bodies/companies) would/should be working really hard to make that server stuff work in different bcast domains (different subnets)...so we wouldn't have to do all that L2 stuff
>
> -Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Hi

I ended up dumping the OTV design for my customer as it was too expensive to deploy. It's only supported on the 4451 (customer has been quoted for 4431) and needs an AppX license, was looking at £9000+ per router and there is a built in 100Mb limit on OTV traffic. I'm doing VPLS now but was good to play with OTV in a lab environment. May come across it one day out in the wild.

Thanks
Rick

On 26 January 2018 at 15:23, Richard Clayton <sledge...@gmail.com> wrote:
> Hi Guys
>
> I have configured Multihomed OTV in a virtual lab on EVE-NG using Cisco CSR's. The lab is 2 x CSR at one site both connected to layer2 switch and a single CSR at a remote site.
> Everything works good apart from one thing. At the dual router site, when I drop the OTV WAN/Overlay interface on the active CSR R1, the remote mac appears in the R2 bridge-domain (as it should) but the 'customer' layer 2 switch mac address table still shows the mac address as facing the R1 LAN. After 5 minutes the mac table times out and traffic is then restored over the R2 path.
> Is there any way R2 can update the customer L2 switch when the remote mac moves over to it to make the failover quicker?
> I did read a Cisco article that said if spanning tree is enabled on the OTV router, it will send out a TCN which will update the L2, I have spanning tree enabled on the OTV routers but when I drop the OTV WAN/Overlay interface, it does not send out a TCN, I had wireshark running.
>
> Thanks
> Rick

--
If you try to reinvent the wheel you will end up with something non-round and should expect an uncomfortable ride. The wheel has no copyright.
Richard Clayton - 17/11/2014.
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Hi Guys

I think I have the reason for the behavior in my lab. I have the 'silent host' issue which happens in labs but generally doesn't happen in live networks. For my host devices I used Cisco routers with an IP address on a single interface, all these devices were doing is a ping and an ARP to a single IP address. In a production network these hosts would be workstations and servers and would be a lot more chatty, generating broadcast traffic. When I drop the CSR1 site 1 WAN overlay the remote Cisco host does not generate any new broadcast traffic, new broadcast traffic would flood from the CSR1 site 2 across the overlay and eventually into the 'customer' layer 2 at site 1.

So in summary, in a production network the hosts would generate enough broadcast traffic to keep failover connectivity issues to a minimum. In a lab with silent hosts, you will have to wait 5 minutes for the 'customer' layer 2 mac address table to age out before connectivity is restored.

For info I used Cisco routers as end hosts because they were easy, quick and lightweight to spin up.

I still don't fully understand why the OTV host doesn't generate a TCN as documented so if anyone could get an answer on that it would be great.

For now I am happy to design OTV into my customer solution.

Thanks
Rick

On 26 January 2018 at 15:23, Richard Clayton <sledge...@gmail.com> wrote:
> Hi Guys
>
> I have configured Multihomed OTV in a virtual lab on EVE-NG using Cisco CSR's. The lab is 2 x CSR at one site both connected to layer2 switch and a single CSR at a remote site.
> Everything works good apart from one thing. At the dual router site, when I drop the OTV WAN/Overlay interface on the active CSR R1, the remote mac appears in the R2 bridge-domain (as it should) but the 'customer' layer 2 switch mac address table still shows the mac address as facing the R1 LAN. After 5 minutes the mac table times out and traffic is then restored over the R2 path.
> Is there any way R2 can update the customer L2 switch when the remote mac moves over to it to make the failover quicker?
> I did read a Cisco article that said if spanning tree is enabled on the OTV router, it will send out a TCN which will update the L2, I have spanning tree enabled on the OTV routers but when I drop the OTV WAN/Overlay interface, it does not send out a TCN, I had wireshark running.
>
> Thanks
> Rick

--
If you try to reinvent the wheel you will end up with something non-round and should expect an uncomfortable ride. The wheel has no copyright.
Richard Clayton - 17/11/2014.
[c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Hi Guys

I have configured Multihomed OTV in a virtual lab on EVE-NG using Cisco CSR's. The lab is 2 x CSR at one site both connected to layer2 switch and a single CSR at a remote site.

Everything works good apart from one thing. At the dual router site, when I drop the OTV WAN/Overlay interface on the active CSR R1, the remote mac appears in the R2 bridge-domain (as it should) but the 'customer' layer 2 switch mac address table still shows the mac address as facing the R1 LAN. After 5 minutes the mac table times out and traffic is then restored over the R2 path.

Is there any way R2 can update the customer L2 switch when the remote mac moves over to it to make the failover quicker?

I did read a Cisco article that said if spanning tree is enabled on the OTV router, it will send out a TCN which will update the L2, I have spanning tree enabled on the OTV routers but when I drop the OTV WAN/Overlay interface, it does not send out a TCN, I had wireshark running.

Thanks
Rick

--
If you try to reinvent the wheel you will end up with something non-round and should expect an uncomfortable ride. The wheel has no copyright.
Richard Clayton - 17/11/2014.
Re: [c-nsp] NTP DDoS
Nobody is safe now Jared :-)

On 13 February 2014 13:59, Jared Mauch ja...@puck.nether.net wrote:
> Yeah, but I didn't mean for you to make that public :(
>
> - jared
>
> On Feb 13, 2014, at 5:10 AM, Nick Ryce n...@fluency.net.uk wrote:
>> You can check for open ntp servers within your AS with the following:-
>>
>> http://openntpproject.org/searchby-asn.cgi?search_asn=56595
>>
>> Swap 56595 for your ASN :)
>>
>> Nick
>>
>> On 13 Feb 2014, at 02:12, SilverTip257 silvertip...@gmail.com wrote:
>>> On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>>>>> Something I can point customers to for testing their own set ups. ;)
>>>
>>> What I was trying to say is that openntp project URL is something I can point customers at and they should understand. Some of my customers are dense. Sadly, a few of them try to tell me that information I give them doesn't work. But when they say hey, here's my credentials, why don't you fix it for me? ... I come to find (yes, I'm a nice guy) that everything I sent them was spot on (as I expected). Copy+paste is over-rated. o_O
>>>
>>>> On a Linux or mac
>>>>
>>>> ntpdc -c monlist xxx.xxx.xxx.xxx
>>>
>>> Yep. And loopinfo and iostats commands.
>>>
>>> nmap has a ntp-monlist script that is helpful (combined with the grep-able output option). I'm about due for running another ntp-monlist scan ... [when DNS amplification attacks were real bad a few months ago, we told a customer to disable DNS recursion ... he instead shut off bind/named for that day and turned it back on some time later].
>>>
>>>> If you get a reply (which will consist of a list of IP addresses that have sync'd with the daemon) then the server has a non optimal config.
>>>
>>> ... and if it's already been found by others they will all be listed. .. You might even see openntp project and team cymru servers listed ;)
>>>
>>>> Alan
>>>
>>> --
>>> ---~~.~~---
>>> Mike // SilverTip257 //
>>
>> --
>> Nick Ryce
>> Fluency Communications Ltd.
>> e. n...@fluency.net.uk
>> w. http://fluency.net.uk/
>> t. 0845 874 7000
Re: [c-nsp] NTP DDoS
The details of the attack I was involved with were

- upstream bandwidth spike from customer to Internet (only flatlined due to CPE buffer).
- downstream bandwidth towards customer didn't really show any significant change but did hurt our edge buffers.
- 1000's of inbound NTP connections from random sources on the Internet to a single device on customer network (with open NTP config).
- I didn't check outbound connections from the customer to the Internet.

Questions

What is this type of DDoS called? I've heard a few different types mentioned, amplification, reflection etc.
Is the customer being individually targeted or just the exploitable NTP server?
Are these caused by bots or manually by individuals?

I've included a snapshot of the downstream connections
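The snapshot above has the shape that gives this traffic away: many distinct Internet sources, all hitting one customer address on UDP/123, most of them from port 123 as well, each with a handful of packets. As an added example (not from the thread), the script below parses flow-cache lines in that column layout and reports any destination with that fan-in pattern, alongside what the same host sends back from port 123 so the response-to-request ratio is visible. The flow lines are constructed with RFC 5737 addresses; 203.0.113.11 stands in for the customer host with the open NTP service, and the five-source threshold is an assumption.

```python
"""Flag NTP reflection fan-in in 'show ip cache flow' style output.

Added example, not from the thread. SAMPLE_FLOWS is constructed with RFC 5737
addresses, in the column order of the snapshot in the post above:
SrcIf SrcIP DstIf DstIP SrcPort(hex) DstPort(hex) Pkts. 203.0.113.11 stands in
for the customer host running the open NTP service.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123  # 0x007B in the snapshot

SAMPLE_FLOWS = """\
Gi0/0 198.51.100.7   Gi0/1 203.0.113.11  007B 007B 2
Gi0/0 198.51.100.23  Gi0/1 203.0.113.11  007B 007B 8
Gi0/0 192.0.2.200    Gi0/1 203.0.113.11  007B 007B 1
Gi0/0 198.51.100.77  Gi0/1 203.0.113.11  007B 007B 38
Gi0/0 192.0.2.15     Gi0/1 203.0.113.11  007B 007B 123
Gi0/0 198.51.100.90  Gi0/1 203.0.113.11  007B 007B 96
Gi0/0 192.0.2.33     Gi0/1 203.0.113.11  C3A1 007B 1
Gi0/0 192.0.2.9      Gi0/1 203.0.113.20  0035 A1F2 4
Gi0/0 198.51.100.2   Gi0/1 203.0.113.20  01BB D2C0 60
Gi0/1 203.0.113.11   Gi0/0 192.0.2.15    007B 007B 410
"""


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    src_port: int
    dst_port: int
    packets: int


def parse_flows(text: str):
    """Parse flow lines; anything without exactly seven columns is skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        flows.append(Flow(parts[0], parts[1], parts[2], parts[3],
                          int(parts[4], 16), int(parts[5], 16), int(parts[6])))
    return flows


def ntp_reflection_report(flows, min_sources=5):
    """Return {dst_ip: stats} for hosts that receive UDP/123 traffic from at
    least `min_sources` distinct addresses (the fan-in pattern in the post).
    response_packets counts what that host itself sends from port 123, so the
    ratio shows how much traffic the open service returns per request."""
    inbound = defaultdict(lambda: {"sources": set(), "packets": 0, "from_123": 0})
    sent_from_123 = defaultdict(int)
    for f in flows:
        if f.dst_port == NTP_PORT:
            s = inbound[f.dst_ip]
            s["sources"].add(f.src_ip)
            s["packets"] += f.packets
            if f.src_port == NTP_PORT:
                s["from_123"] += 1
        if f.src_port == NTP_PORT:
            sent_from_123[f.src_ip] += f.packets
    report = {}
    for ip, s in inbound.items():
        if len(s["sources"]) < min_sources:
            continue
        req = s["packets"]
        resp = sent_from_123.get(ip, 0)
        report[ip] = {
            "distinct_sources": len(s["sources"]),
            "request_packets": req,
            "flows_from_port_123": s["from_123"],
            "response_packets": resp,
            "amplification_ratio": round(resp / req, 2) if req else 0.0,
        }
    return report


if __name__ == "__main__":
    for ip, stats in ntp_reflection_report(parse_flows(SAMPLE_FLOWS)).items():
        print(ip, stats)
```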
[c-nsp] NTP DDoS
Seems to be doing the rounds. Had a fault open for a couple of days with a 100Mb Ethernet customer; the reported fault was packet loss. Cacti showed an upstream flatline of 30Mb and an increase in downstream. As the circuit traffic had recently increased, 1st line support presumed that the BT Wholesale circuit had an Etherflow bandwidth restriction, so raised the fault, which ping-ponged back and forth until BT washed their hands of it (rightly so on this occasion). When it was escalated to me I noticed the 'no buffer' and 'pause input' packet counters were going nuts on the LAN interface; the packet counters were 10k packets/sec. I enabled 'ip route-cache flow' on the WAN interface and there it was, 1000s of NTP connections. In summary the Cisco 1921 gave up at 30Mb/s with no buffer left; it usually runs fine at 100Mb/s with no NAT config. The customer had a public IP on the LAN switch for management and open NTP, LOL.

Sledge

___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
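As an added example (not code from either NTP post in this thread, nor anything the posters ran), here is a small detector over flow records in the layout of the snapshot quoted above: in-interface, source, out-interface, destination, source port and destination port in hex (007B = 123), packet count. It flags any host that is receiving UDP/123 from an unusually large number of distinct sources; the record lines, addresses and the min_sources threshold are constructed for the example.

```python
"""Flag hosts receiving NTP (UDP/123) from an unusually large number of
distinct sources, the pattern described in the NTP DDoS thread. Whether the
flagged host is the spoofed victim of NTP reflection or an open NTP server
being used as the reflector, the first customer-side step is the same:
restrict who may query the server (ntp access-group) and rate-limit UDP/123
at the edge.

Added example; the flow lines below are constructed, not from the thread.
Record layout assumed (ports in hex, as in the thread's snapshot):
  SrcIf SrcIP DstIf DstIP SrcPortHex DstPortHex Pkts
"""
import re
from collections import defaultdict

NTP_PORT = 123

# Some exports run the source address and the next interface name together
# ("203.0.113.3Gi0/1"); re-insert the missing space before splitting.
_JOINED = re.compile(r"(\d)(Gi\d+/\d+)")


def parse_flow_line(line):
    """Parse one record; return a dict, or None for a line in another layout."""
    fields = _JOINED.sub(r"\1 \2", line).split()
    if len(fields) != 7:
        return None
    src_if, src_ip, dst_if, dst_ip, sport, dport, pkts = fields
    try:
        return {"src_if": src_if, "src": src_ip, "dst_if": dst_if, "dst": dst_ip,
                "sport": int(sport, 16), "dport": int(dport, 16), "pkts": int(pkts)}
    except ValueError:
        return None


def ntp_fan_in(lines, min_sources=10):
    """Return {dst_ip: summary} for every destination that received traffic
    to UDP/123 from at least `min_sources` distinct source addresses."""
    per_dst = defaultdict(lambda: {"pkts_by_src": defaultdict(int),
                                   "pkts": 0, "from_port_123": 0})
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None or rec["dport"] != NTP_PORT:
            continue
        entry = per_dst[rec["dst"]]
        entry["pkts_by_src"][rec["src"]] += rec["pkts"]
        entry["pkts"] += rec["pkts"]
        if rec["sport"] == NTP_PORT:
            entry["from_port_123"] += rec["pkts"]

    flagged = {}
    for dst, entry in per_dst.items():
        sources = entry["pkts_by_src"]
        if len(sources) < min_sources:
            continue
        top = sorted(sources.items(), key=lambda kv: kv[1], reverse=True)[:3]
        flagged[dst] = {
            "distinct_sources": len(sources),
            "pkts": entry["pkts"],
            # Traffic with 123 on both ends comes from hosts running an NTP
            # service themselves (server replies or ntpd peers), not from SNTP
            # clients on ephemeral ports; a high share here matches reflection.
            "share_from_port_123": round(entry["from_port_123"] / entry["pkts"], 2),
            "top_sources": top,
        }
    return flagged


# Constructed sample in the snapshot layout: 192.0.2.10 hears from 11 sources,
# one of them from an ephemeral port; 192.0.2.20 hears from only two.
SAMPLE_FLOWS = """\
Gi0/0 203.0.113.1 Gi0/1 192.0.2.10 007B 007B 2
Gi0/0 203.0.113.2 Gi0/1 192.0.2.10 007B 007B 8
Gi0/0 203.0.113.3Gi0/1 192.0.2.10 007B 007B 1
Gi0/0 203.0.113.4 Gi0/1 192.0.2.10 007B 007B 38
Gi0/0 203.0.113.5 Gi0/1 192.0.2.10 007B 007B 1
Gi0/0 203.0.113.6 Gi0/1 192.0.2.10 007B 007B 96
Gi0/0 203.0.113.7 Gi0/1 192.0.2.10 007B 007B 3
Gi0/0 203.0.113.8 Gi0/1 192.0.2.10 007B 007B 123
Gi0/0 203.0.113.9 Gi0/1 192.0.2.10 007B 007B 2
Gi0/0 203.0.113.10 Gi0/1 192.0.2.10 007B 007B 5
Gi0/0 198.51.100.7 Gi0/1 192.0.2.10 C2A7 007B 4
Gi0/0 198.51.100.8 Gi0/1 192.0.2.10 0050 E1A3 40
Gi0/0 198.51.100.9 Gi0/1 192.0.2.20 007B 007B 1
Gi0/0 198.51.100.10 Gi0/1 192.0.2.20 007B 007B 1
""".splitlines()

if __name__ == "__main__":
    for dst, summary in ntp_fan_in(SAMPLE_FLOWS).items():
        print(dst, summary)
```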
[c-nsp] Route Target Export Propagation Time
Scenario: On a single PE with two VRFs, I create an RT export on VRF A and an RT import on VRF B. VRF A has some prefixes to export which appear in VRF B after approx 20 seconds. What process dictates the 20 seconds and is it configurable?

Thanks
Sledge
Re: [c-nsp] Route Target Export Propagation Time
Awesome, thanks for the info.

On 10 January 2014 11:34, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:
> Richard,
>
> > On a single PE with two VRFs, I create an RT export on VRF A and an RT import on VRF B. VRF A has some prefixes to export which appear in VRF B after approx 20 seconds. What process dictates the 20 seconds and is it configurable?
>
> Until recently, importing prefixes into VRFs was done in a periodic fashion (every 15 secs); you can (and should) tune it down to 5 seconds via 'bgp scan-time import 5' in the vpnv4 AF. Newer releases (as well as XR and NX-OS) do this event-driven, so newer releases don't need this. The feature you want to look for is "BGP Event-Based VPN Import".
>
> oli
Re: [c-nsp] Weird problem with 2960S and desktop switch
By higher priority did you mean lower bridge priority or higher bridge priority?

On 10 January 2014 14:14, Garry g...@gmx.de wrote:
> Just a followup on this problem ... I was on site, and it turns out the desktop switch indeed tried to take over as root bridge of the STP. Anyway, even when filtering the BPDUs on the incoming port, the main switch still ceased doing any network forwarding; not sure what was going on exactly. Anyway, replacing the switch with an identical one (apart from not knowing what's configured on it) fixed the problem for whatever reason.
>
> Weird thing about the root bridge is, the existing main switch already used the higher priority, so even considering lower MAC address, the main switch should have remained the root bridge, as the desktop switch was elected with default priority ... We will look into the config of the desktop switch in our lab, possibly finding out what is wrong here ... for now the customer site is at least working as intended ...
>
> Tnx to all who replied with their thoughts and ideas ...
>
> -garry
Re: [c-nsp] Weird problem with 2960S and desktop switch
Or the new switch has a lower bridge priority.

On 10 January 2014 15:03, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> If the burnt-in MAC address is lower then it will take over, so I guess the new switch has a higher MAC address than your switch.
>
> alan
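As an added example (not from any post in this thread), the root election the replies are arguing about, worked through in code: the bridge with the numerically lowest bridge ID becomes root, so "higher priority" means a lower priority value, and the MAC address only breaks ties. The switch names, priorities and MAC addresses are constructed.

```python
"""Spanning-tree root election from bridge IDs, to make the "higher
priority" ambiguity in the 2960S thread concrete: the root is the bridge
with the numerically LOWEST bridge ID, so a lower priority value beats a
higher one, and the MAC address only decides ties. Added example; the
switch names, priorities and MAC addresses below are constructed.
"""

DEFAULT_PRIORITY = 32768  # what a switch left at factory defaults advertises


def bridge_id(priority, mac, vlan=1):
    """64-bit bridge ID with the 802.1t extended system ID:
    4-bit priority (multiple of 4096) | 12-bit VLAN | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1..4094")
    mac_int = int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC address is longer than 48 bits")
    return ((priority | vlan) << 48) | mac_int


def elect_root(bridges, vlan=1):
    """bridges: {name: (priority, mac)}. Returns (root_name, reason)."""
    ranked = sorted(bridges.items(),
                    key=lambda item: bridge_id(item[1][0], item[1][1], vlan))
    root, (root_prio, _) = ranked[0]
    if len(ranked) == 1:
        return root, "only bridge"
    _, (next_prio, _) = ranked[1]
    reason = "lower priority value" if root_prio < next_prio else "equal priority, lower MAC"
    return root, reason


def newcomer_takes_root(bridges, name, mac, vlan=1):
    """Would a new switch at factory-default priority become root?
    This is the desktop-switch scenario from the thread: it can only
    happen when the current root is itself at 32768 and the newcomer's
    MAC is lower. Lowering the intended root's priority, plus
    'spanning-tree guard root' on ports that must never see a superior
    BPDU, closes the door regardless of MAC."""
    with_newcomer = dict(bridges)
    with_newcomer[name] = (DEFAULT_PRIORITY, mac)
    return elect_root(with_newcomer, vlan)[0] == name


if __name__ == "__main__":
    # Constructed: the main switch has a higher (numerically larger) MAC but
    # a lowered priority; the desktop switch is at defaults with a lower MAC.
    hardened = {"main-2960s": (24576, "00:1e:aa:bb:cc:dd"),
                "desktop": (DEFAULT_PRIORITY, "00:00:5e:00:01:01")}
    defaults = {"main-2960s": (DEFAULT_PRIORITY, "00:1e:aa:bb:cc:dd"),
                "desktop": (DEFAULT_PRIORITY, "00:00:5e:00:01:01")}
    print("hardened:", elect_root(hardened))   # main-2960s, lower priority value
    print("defaults:", elect_root(defaults))   # desktop, equal priority, lower MAC
```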
Re: [c-nsp] 3rd party alternative to MEMUSB-1024FT for ISR G2
After spending a small fortune on sticks I found one that works from rommon and IOS for the whole ISR G2 range:

Corsair Flash Survivor Stealth - USB flash drive - 16 GB - USB 3.0

It's also waterproof, sturdy and comes in matt gangsta black.

On 2 December 2013 22:42, Richard Clayton sledge...@gmail.com wrote:
> Thought I would ask you guys as I'm on the 3rd stick that doesn't work; the only one that 100% works is my Corsair Survivor 32GB but I am looking for other alternatives for this platform.
Re: [c-nsp] Maximum Throughput Cisco Router
With NAT and packet marking I get 260Mb/s synchronous with G711 size frames (75% CPU).
With NAT, packet marking and ZBF I also get 260Mb/s synchronous with 512byte frames (75% CPU).

On 26 December 2013 14:48, Darwin Santana d...@casainteligente.com.do wrote:
> Hi All,
>
> Can I handle a 400 Mbps or up the bandwidth on the Router 3925E?
>
> Best Regards,
> Darwin
Re: [c-nsp] MPLS/VPN Loadbalancing with 2 CPE routers
Nicolas

Can I please ask what benefits you want to achieve by load balancing the two WAN circuits and also using IBGP between the two CPE?

Thanks
Rick

On 21 December 2013 12:10, Chris Stand cstand...@gmail.com wrote:
> Bonjour,
>
> I do not know your exact topology well enough, but could you run GLBP on a vlan that goes through the L3 switch? (I am not aware of a switch that ONLY does L3 and does not allow you to pass L2 through at the same time. I do GLBP on 7K VSS links that run through other 6500s.)
>
> Or, again not being fully knowledgeable on your network, could you do 2 HSRP groups on the LAN and use both default gateways at the same time on devices that point to the existing HSRP .1? If you have not done this before: you make routerA active in group1, standby in group2; routerB standby in group1, active in group2.
>
> > Date: Fri, 20 Dec 2013 16:35:43 +0100
> > From: Nicolas KARP li...@karp.fr
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] MPLS/VPN Loadbalancing with 2 CPE routers
> >
> > Hi Guys,
> >
> > We have a customer who has 2 CPE routers. We have 2 uplinks, the first one attached to the first router CPE1, the second one attached to the second router CPE2. We have ebgp configured with 2 different PEs and IBGP between the CPEs. HSRP is configured on the LAN. Unfortunately, we can't use GLBP because there is a L3 switch behind the CPEs.
> >
> > How can we achieve the loadbalancing between the 2 links?
> >
> > PE1            PE2
> >  ||             ||
> > ebgp           ebgp
> >  ||             ||
> > CE1 --Ibgp--- CE2
> >
> > Thanks and Best Regards,
> >
> > # - - Nicolas KARP
> > # - - Network and Security Engineer
> > # - - Email : li...@karp.fr nico...@karp.fr
> > # - - Linkedin : http://www.linkedin.com/in/nicolaskarp
> > # - - Viadeo : http://www.viadeo.com/fr/profile/nicolas.karp
[c-nsp] 3rd party alternative to MEMUSB-1024FT for ISR G2
Thought I would ask you guys as I'm on the 3rd stick that doesn't work; the only one that 100% works is my Corsair Survivor 32GB but I am looking for other alternatives for this platform.
Re: [c-nsp] Effect of simultaneous TCP sessions on bandwidth
What's the CPE CPU running at with both streams? Have you tried adjusting the window sizes on the servers? Could help with bandwidth delay product.

On Sunday, 10 November 2013, Youssef Bengelloun-Zahr wrote:
> 2013/11/10 Phil Mayers p.may...@imperial.ac.uk
> > On 11/10/2013 05:42 AM, Youssef Bengelloun-Zahr wrote:
> > > - UDP traffic reaches up to 95 Mbits/s for one way streams (both ways) and simultaneous bi-directional streams,
> >
> > If there's no (significant) loss or reordering on a simultaneous bi-dir UDP stream at 95Mbit/sec, that suggests the pipe is absolutely fine. Did you measure loss/jitter/reordering in this case? At frequent (1-second) intervals?
>
> Yes, we internally use a tool called IXChariot which provides us loss/jitter, etc. Everything is fine.
>
> > > - TCP traffic reaches up to 90 Mbits/s for one way streams (both ways),
> > > - TCP traffic hits some kind of limit and isn't able to achieve more than 40-60 Mbits/s in average === That's the problem we are facing
> >
> > I'm not really sure I understand this - those two statements sound contradictory.
>
> To be more clear:
> - When we initiate TCP streams only in one way (FRA -> HAM or HAM -> FRA), we are able to reach up to 90 Mbits/s,
> - When we initiate TCP streams both ways simultaneously (FRA -> HAM and HAM -> FRA), BP drops between 40 to 60 Mbits/s,
>
> > How are you doing your testing? With what tool, and from what endpoints/OSes? In particular, we've seen some inconsistencies from iperf on windows; my tool of choice these days is netperf on a recent Linux kernel/distro.
>
> We generally use IXChariot on windows: http://www.ixiacom.com/products/ixchariot/
>
> At the request of our provider, we also used iperf. We are a Windows home, nothing I can do about that ;-)
>
> > Anyway, I would arrange to take a packet capture of a non-performing TCP stream at both ends, then use an analysis tool to identify the cause, and manual inspection to see if packets are being dropped and/or re-ordered or unduly delayed (hence taking the capture at both ends).
> >
> > Wireshark has some reasonable TCP analysis tools built into recent versions, but my favourite for hardcore TCP debugging is still tcptrace and xplot; they're a pig to drive, but give you a much better detailed view of the TCP connection evolving.
>
> One of my colleagues who has access to the boxes has been able to do just that using Wireshark. He noticed a few percent of TCP re-transmits (2%) when we initiate TCP streams from HAM to FRA but that was at the beginning. I don't think this is the case anymore.
>
> > > One bit of information I think is relevant :
> >
> > It's worth mentioning that the specific type of equipment might be a factor; in particular if the handoff is on equipment with small buffers, microbursts might be eating into TCP's ability to drive the link. That would be quite odd on a system with modern congestion control algorithms and such a low bandwidth*delay, but you didn't say what you were using to test... Check the handoff isn't on Cat3xxx gear or similar.
> >
> > But primarily, re-check the UDP test looking for loss/jitter/reordering, and look at a pcap of the bad TCP case.
>
> I thought about it too and I asked. I know our provider isn't using that kind of equipment at the handoff points in FRA and HAM; they mostly use Cat45xx and some Juniper gear. Impossible to get the information from the LL provider as we don't have a direct contractual link.
>
> --
> Youssef BENGELLOUN-ZAHR
Re: [c-nsp] Configuring Multiple Cisco Devices
I use Solarwinds NCM.

On 31 October 2013 12:02, Ahmet Uncu uncuah...@gmail.com wrote:
> Hello all,
>
> I need to configure about 300 cisco routers/switches at the same time. Could you offer me a free software that can do this? It looks like ciscocmd can do this, but it has a lack of documentation; since I am not familiar with linux, I wasn't able to run this tool.
>
> Thanks
Re: [c-nsp] Configuring Multiple Cisco Devices
Since I didn't read the email properly, it's very good though.

On 3 November 2013 11:09, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Since when was that free?
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [c-nsp] Customer access to PE
I've worked in a couple of ISPs and MPLS VPN environments and have friends that currently work in other providers; we've never had experience of customers having configuration CLI access to what I presume is a PE with multiple customers' configurations on. I believe Provider Edge should be just for the provider.

On 17 September 2013 13:12, Trey Howland trey.howl...@gmail.com wrote:
> I have a scenario where a customer wants CLI access to the PE in the provider's network. This access would allow the customer to create/delete VRFs, configure interfaces/sub-interfaces, configure VRRP, etc. All CLI access would be controlled by TACACS to limit the customer to specific commands.
>
> So my question is: does anyone have examples where this is done today? In a corporate environment between business units? Looking for examples where this has been successful or unsuccessful.
>
> v/r,
> Trey
Re: [c-nsp] qos plan - advice please
Identify the QoS capabilities of all the kit in the hops, identify any pinch points, identify the traffic you would like to prioritise, by how much and in which direction, and identify which points will be using L2, L3 and mpls exp as the classification. If you get it all on paper it might start making more sense. Also I believe mpls has different QoS operating modes.

Rick

On Friday, 16 August 2013, Aaron wrote:
> I work for an ISP/Telco/CATV company. We recently (within the last year or more) rolled out an MPLS network. The mpls network is comprised of asr9k's, asr901's, me3600's and uBR7246vxr's; all those run in an ospf area in the core igp. ...then I add on top of all that, all the nice MPLS vpn's (l2vpn's, l3vpn's).
>
> How would you go about setting priority treatment to, say for instance, all of your cell backhaul traffic and also all of your telco voice traffic? (The difference in the two is that cell backhaul is simply transported via mpls from my perspective... BUT the internal telco voice traffic is what we as a telephone company handle all the sip/mgcp signaling end to end, then all the traditional backend voice call routing, etc, etc (I'm not the phone guy, but anyway).)
>
> 1 - cell backhaul - my cell backhaul traffic is all edged-in on asr901's.. and edged-out on asr9k's at the MTSO/MSC hand-off locations. It's mpls l2vpn vpws port-based is how I do it.. X2. In other words, dual pw's per cell tower site. Two end to end xconnect's.
>
> 2 - internal voip - my voice traffic is contained within a separate vrf (mpls l3vpn), edged into the network on me3600's and core is 9k's.
>
> Where would you start with an objective like that? Getting priority treatment to cell backhaul traffic and also internal voip? From a big picture, network-wide qos deployment strategy, where would you start?
>
> Aaron
Re: [c-nsp] MPLS down to the CPE
They will always have a job for you there with that design.

On 25 July 2013 13:04, Adam Vitkovsky adam.vitkov...@swan.sk wrote:
> I see, so the islands are stitched together over the CsC L3VPN; since all islands have the same AS, together they act like a common AS. And the CsC L3VPN is provided by the underlying common backbone, Inter-AS MPLS OptC style. Right?
>
> So all access nodes within a particular island have RSVP-TE tunnels to ABRs/ASBRs within the island (ASBRs then provide connectivity to other islands). And there's a full mesh of tunnels between all ASBRs. Right?
>
> I'd like to ask: is there a full mesh of iBGP sessions between the ASBRs, or do some of the ASBRs have a role of RRs please?
>
> So you have decided to create this sort of overlay AS dedicated for L2 services. I think I understand your reasoning behind the setup and must say it's very bold and creative. See, this is what I was talking about before: back in the old days engineers would have to get very creative and bold to create something extraordinary with such a limited set of features. With today's boxes you could stack it all up into a single AS, not ever worrying about scalability or convergence times.
>
> Thank you very much for sharing the design with us
>
> adam
>
> -----Original Message-----
> From: Phil Bedard [mailto:phil...@gmail.com]
> Sent: Thursday, July 11, 2013 3:48 AM
> To: Adam Vitkovsky; mark.ti...@seacom.mu
> Cc: 'Andrew Miehs'; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] MPLS down to the CPE
>
> On 7/10/13 4:16 AM, Adam Vitkovsky adam.vitkov...@swan.sk wrote:
>
> > > the different network islands are tied together using CsC over a common MPLS core.
> >
> > You got me scared for a moment. CsC would mean to run a separate OSPF/LDP/BGP-ASN for each area and doing MP-eBGP between ASBRs within each area (OptB) or between RRs in each area (OptC) with the core area/AS acting as a labeled relay for ASBRs' loopback addresses, though I believe by common MPLS core you mean a single AS, right please?
>
> The islands are actually all in the same ASN; the common core is not the same ASN. Could have been the same ASN, more political reasons for it not being the same than technical. In the end it looks like Option C; the CsC L3VPN only carries loopbacks and aggregate IP prefixes. The common core is RSVP-TE based; if I had my preference today I would build TE tunnels across it between the islands and then use RFC3107 as a way to tie it all together end to end. Years ago when we first built it some of the feature support wasn't there to do that.
>
> > > At the ABR all of the L2VPN services are stitched since you are entering a different RSVP-TE/MPLS domain; the L3VPN configuration exists on these nodes with the access nodes using L2 pseudowires into virtual L3 interfaces.
> >
> > I see, right, that's a clever way to save some money by pushing the L3VPN stuff to only a few powerful boxes with high-queue line cards and L3VPN licenses. Though the PWHE (a setup where you can actually terminate the PW into an L3 interface on the same box) was introduced to Cisco boxes only recently, so prior to that you'd have to have a separate box bridging the PW to a sub-int/serv-inst on a QinQ trunk where the L3VPN box would be connected to.
> >
> > I'm still confused about the TE part. So I believe you are pushing PWs directly into TE tunnels, which gives you the ability to balance the PWs around the ring as well as to use a backup tunnel via the opposite leg of the circuit. So the TE tunnels are actually terminated on the PWHE nodes, right? Or do they actually continue into the backbone area please?
>
> The tunnels from the access boxes terminate on the PWHE nodes; they do not extend beyond that boundary. There is another set of tunnels which connect the PWHE nodes together.
>
> This isn't a one-off deployment or anything; there are other folks out there with basically the same type of deployment.
>
> Phil
Re: [c-nsp] router selection......
I got 300Mb synchronous throughput on the 2951 @ 512byte frames with packet marking enabled (50% CPU)
140Mb synchronous @ 214byte frames with packet marking enabled (50% CPU)
45Mb synchronous @ 214byte frames with packet marking and NAT enabled (50% CPU)
20Mb synchronous @ 214byte frames with packet marking, NAT and ZBF enabled (50% CPU)

Thanks
Sledge

On 28 May 2013 08:10, Calin C. calin.chior...@secdisk.net wrote:
> Hello Scott,
>
> Where did you find that 2951 can do up to 300Mbps? Per this document: http://www.cisco.com/en/US/prod/collateral/routers/ps10538/aag_c45_556315.pdf the upper router of the ISR2 line can do up to 350Mbps, and that's a 3945E.
>
> I attached a document with specs for different lines, ISR2 and ASR; maybe you can find it useful. I take into consideration especially the "Recommend WAN Access Speed" field from the attached document.
>
> HTH,
> Calin
>
> On Fri, 24 May 2013 16:53:25 +0200 Scott Voll wrote:
> > Sorry for the cross post. But I wasn't sure which was the better forum to post in.
> >
> > I currently have a 2951 running voice, Security, VPN, and Data. It works really great for our current needs. BUT we are going to start pushing more than 300mbps and this router is only rated for 296mbps per the spec sheet.
> >
> > What is the next move up to support up to gig throughput and still support ZBFW, GRE, IPSEC, PRI's for Voice, and QoS at Gig speeds? Do I have to separate out my WAN (use an ASR) and then continue with the 2951 for my security / voice?
> >
> > What are my options?
> >
> > Thanks
> > Scott
Re: [c-nsp] router selection......
It depends on your traffic profile: how much is voice and how much is data, packet sizes, and how much of the traffic will traverse the ZBFW.

On 24 May 2013 15:53, Scott Voll svoll.v...@gmail.com wrote:
> Sorry for the cross post. But I wasn't sure which was the better forum to post in.
>
> I currently have a 2951 running voice, Security, VPN, and Data. It works really great for our current needs. BUT we are going to start pushing more than 300mbps and this router is only rated for 296mbps per the spec sheet.
>
> What is the next move up to support up to gig throughput and still support ZBFW, GRE, IPSEC, PRI's for Voice, and QoS at Gig speeds? Do I have to separate out my WAN (use an ASR) and then continue with the 2951 for my security / voice?
>
> What are my options?
>
> Thanks
> Scott
Re: [c-nsp] ipsla - latency - related to cellular backhaul
I would use udp-jitter, like this:

ip sla 1
 udp-jitter 1.1.1.1 16384 codec g711alaw codec-numpackets 600 codec-interval 100
 tos 184
 tag probe my remote site
ip sla schedule 1 life forever start-time now

The tos is optional; we use it to test for voice media quality. UDP traffic should not suffer the same as ICMP.

On 26 April 2013 00:35, Tony td_mi...@yahoo.com wrote:
> Hi,
>
> > From: Aaron aar...@gvtc.com
> > Tac says that this drop and the latency seen using various ipsla pings is expected since all pings are treated less than everything else and could be getting policed by LPTS (I don't know what LPTS is)
>
> Google tells me that LPTS = Local Packet Transport Services. TAC are meaning packets that are destined for the router control plane, not the forwarding plane (ie. packets TO the router, not THROUGH the router). Response to these packets can depend on how busy the router is and also any CoPP that might be implemented. Has the potential to be true. If you have no CoPP on the devices and they are under minimal load (CPU wise) then this probably shouldn't be a factor. Are you losing any traffic that is going through the device (ie. from ping tests)?
>
> regards,
> Tony.
Re: [c-nsp] ipsla - latency - related to cellular backhaul
I didn't realise you were using XR; you should be able to finish the operation off by selecting other options from the list.

On 26 April 2013 13:48, Aaron aar...@gvtc.com wrote:
> I don't see a codec option in ios xr 4.1.2
>
> RP/0/RSP0/CPU0:9k(config-ipsla-udp-jitter)#?
>   clear        Clear the uncommitted configuration
>   commit       Commit the configuration changes to running
>   control      Control packets configuration
>   datasize     Protocol data size in payload of probe packets
>   describe     Describe a command without taking real actions
>   destination  Address/port of the target device
>   do           Run an exec command
>   exit         Exit from this submode
>   frequency    Frequency of the probing
>   no           Negate a command or set its defaults
>   packet       Probe packet configuration parameters
>   pwd          Commands used to reach current submode
>   root         Exit to the global configuration mode
>   show         Show contents of configuration
>   source       Address/port of the source device
>   statistics   Statistics collection parameters for this operation
>   tag          Add a tag for this operation
>   timeout      Probe/Control timeout interval
>   tos          Type of service setting in probe packet
>   verify-data  Check each IPSLA response for corruption
>   vrf          Configure IPSLA for a VPN Routing/Forwarding instance
>
> From: Richard Clayton [mailto:sledge...@gmail.com]
> Sent: Friday, April 26, 2013 6:27 AM
> To: Tony
> Cc: Aaron; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ipsla - latency - related to cellular backhaul
>
> > I would use udp-jitter, like this:
> >
> > ip sla 1
> >  udp-jitter 1.1.1.1 16384 codec g711alaw codec-numpackets 600 codec-interval 100
> >  tos 184
> >  tag probe my remote site
> > ip sla schedule 1 life forever start-time now
> >
> > The tos is optional; we use it to test for voice media quality. UDP traffic should not suffer the same as ICMP.
> >
> > On 26 April 2013 00:35, Tony td_mi...@yahoo.com wrote:
> > > Hi,
> > >
> > > > From: Aaron aar...@gvtc.com
> > > > Tac says that this drop and the latency seen using various ipsla pings is expected since all pings are treated less than everything else and could be getting policed by LPTS (I don't know what LPTS is)
> > >
> > > Google tells me that LPTS = Local Packet Transport Services. TAC are meaning packets that are destined for the router control plane, not the forwarding plane (ie. packets TO the router, not THROUGH the router). Response to these packets can depend on how busy the router is and also any CoPP that might be implemented. Has the potential to be true. If you have no CoPP on the devices and they are under minimal load (CPU wise) then this probably shouldn't be a factor. Are you losing any traffic that is going through the device (ie. from ping tests)?
> > >
> > > regards,
> > > Tony.
Re: [c-nsp] NAT issue - two isp connections, need to nat 2nd isp for two dest addresses only
I had an ALG bug which I raised with TAC; it took 8 months and 4 TAC Engineers (I use the word Engineers loosely) but finally they released an IOS with a specific fix. We got there in the end.

On 19 April 2013 09:57, Reuben Farrelly reuben-cisco-...@reub.net wrote:
> Yes it certainly should work; however I found that it doesn't always work properly, specifically for SIP traffic (TCP and UDP traffic worked fine). The SIP ALG is broken and you'll find traffic will exit one interface but the SIP ALG will sometimes rewrite the SIP header to have the other interface's outside IP.
>
> It looked like an elegant solution to a simple problem; the config I had was something like this:
>
> route-map internet-nat-access permit 10
>  match interface FastEthernet0/1
> !
> route-map tunnel-nat-access permit 10
>  match interface Tunnel0
>
> ip nat inside source route-map internet-nat-access interface FastEthernet0/1 overload
> ip nat inside source route-map tunnel-nat-access interface Tunnel0 overload
>
> I was controlling which interface the traffic went out with static routes. Disabling the SIP ALG didn't resolve the problem either.
>
> I had a TAC case open for over 15 months in which I had a 100% reproducible test case across multiple platforms and multiple versions of IOS, and eventually, after much persistence and 3 or so TAC engineers later, TAC agreed that yes, it was indeed a bug. It was raised as CSCue13042 in January (SR 619832003). Unfortunately, and to my extreme frustration, it changed status without warning to Terminated (Unreproducible) just last week.
>
> So - YMMV. The config suggested mostly works. Which is more than I can say for TAC in this instance.
>
> Reuben
>
> On 19/04/2013 5:03 PM, CCIE Ninja wrote:
> > I guess this would work, if you match on outgoing interface?
> >
> > route-map SP_A_NAT
> >  match interface $MY_OUTGOING_INTERFACE
> >
> > ip nat inside source static 155.1.5.5 155.1.13.7 route-map SP_A_NAT
Re: [c-nsp] ISRG2 'right to use' licensing
After 60 days does the router need a reload to change the 'Type' field from Evaluation to Permanent, or does it happen dynamically?

Thanks
Rick

On 21 February 2013 20:49, Lukasz Bromirski luk...@bromirski.net wrote:
> On Feb 19, 2013, at 11:51 AM, Richard Clayton sledge...@gmail.com wrote:
> > Hi
> >
> > Does anybody know the exact process to activate 'right to use' licencing on the ISRG2 platform? We currently install permanent licensing and it's a long, drawn out, time consuming process.
>
> After your regular license runs out, the router will switch to the RTU license.
>
> --
> "There's no sense in being precise when you don't know what you're talking about." John von Neumann
> Łukasz Bromirski
> jid:lbromir...@jabber.org
> http://lukasz.bromirski.net
[c-nsp] ISRG2 'right to use' licensing
Hi

Does anybody know the exact process to activate 'right to use' licencing on the ISRG2 platform, we currently install permanent licensing and it's a long, drawn out, time consuming process.

Thanks
Sledge
Re: [c-nsp] ISRG2 'right to use' licensing
Tim

Thanks for that, can the licenses be disabled at will or after this process do they become permanent 'right to use'?

On 19 February 2013 11:00, Tim Franklin t...@pelican.org wrote:

>> Does anybody know the exact process to activate 'right to use' licencing on the ISRG2 platform, we currently install permanent licensing and it's a long, drawn out, time consuming process.
>
>   license accept end user agreement
>   y
>   no license boot module <ones you don't want>
>   license boot module <whatever, per platform>
>
> Regards,
> Tim.
Re: [c-nsp] ip tcp adjust-mss
Eric

I needed to use this command the other day, I have an 887VA-M and the BT FTTC product, I bypassed the BT modem and connected directly into the BT wall socket with the 887VA-M as it has a VDSL interface (just a config tweak).

The config I was using was PPPoE which adds 8 bytes to the frame so on my dialer0 I set the mtu to 1492, without the 'ip tcp adjust-mss 1452' I could not open web pages or run speed tests as my local hosts' mtu defaulted to their local setting (1500) and was dropped. After adding the command to the LAN interface the router intercepts the SYN packet from the local host and changes the maximum segment size to the value stated before passing on to the remote host, the TCP 3 way handshake is then completed with the two hosts agreeing on the lowest of their 2 values, obviously it doesn't help if you have large UDP packets but there shouldn't be too many of those around anyway.

Using this command reduces the mtu size for TCP traffic flowing through the configured router but in your case I would be more interested in why you think you need it and where, do you think you have mtu bottlenecks in your network that are causing fragmentation and if so can you just fix those areas rather than adding this to lots of other routers.

Thanks
Sledge

On 11 February 2013 19:56, Eric A Louie elo...@yahoo.com wrote:

> I just put in this command on my upstream interfaces to help my mpls network pass traffic - that is, my effort to eliminate fragmentation in my backbone. Is anyone else using this method of mtu control? I need some support - my CEO is asking why I have to do this, and who else does it, and is it a common practice, etc, so I'm looking for evidence, more than just "The Cisco TAC told me to do it".
>
> thanks
> Much appreciated, Eric
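The SYN rewrite described in the reply above, as an added example that is not code from the thread or from Cisco: it builds a constructed IPv4/TCP SYN advertising MSS 1460, runs it through a clamp function that does what 'ip tcp adjust-mss 1452' does on the LAN interface (lower the MSS option on SYNs only, then fix the TCP checksum), and checks the result. The addresses and ports are made up; the clamp of 1452 is 1492 - 40, the PPPoE dialer MTU from the thread minus the IPv4 and TCP headers.

```python
"""MSS clamping, as a router does it with 'ip tcp adjust-mss'.

Added example, not code from the mailing-list thread. Sample packets are
constructed inline; addresses, ports and the clamp value are assumptions.
"""
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def mss_for_mtu(mtu):
    """Largest MSS that fits in 'mtu' without fragmenting: MTU minus IPv4 and TCP headers."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit words, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, seg):
    """TCP checksum: IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment with checksum zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return ones_complement_sum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])


def set_checksum(src, dst, seg):
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def checksum_ok(src, dst, seg):
    return tcp_checksum(src, dst, seg) == struct.unpack("!H", seg[16:18])[0]


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed sample SYN (no payload) carrying one MSS option; returns (src, dst, segment)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    offset = (TCP_HDR_LEN + len(opts)) // 4          # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, offset << 4, FLAG_SYN, 65535, 0, 0)
    return src, dst, set_checksum(src, dst, hdr + opts)


def find_mss(opts):
    """Byte index of the MSS option inside the TCP options, or None (also None on a malformed length)."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                               # bad length: leave the segment alone
        if kind == OPT_MSS and opts[i + 1] == 4:
            return i
        i += opts[i + 1]
    return None


def parse_mss(seg):
    opts = seg[TCP_HDR_LEN:(seg[12] >> 4) * 4]
    i = find_mss(opts)
    return None if i is None else struct.unpack("!H", opts[i + 2:i + 4])[0]


def clamp_mss(src, dst, seg, clamp):
    """Lower the MSS option of a SYN to 'clamp' and refresh the checksum; returns (segment, original_mss).

    Only SYNs are touched, and only when the advertised MSS exceeds the clamp.
    Everything else passes unchanged: the router rewrites the handshake, not data.
    """
    hlen = (seg[12] >> 4) * 4
    if not seg[13] & FLAG_SYN or hlen <= TCP_HDR_LEN:
        return seg, None
    opts = bytearray(seg[TCP_HDR_LEN:hlen])
    i = find_mss(opts)
    if i is None:
        return seg, None
    old = struct.unpack("!H", opts[i + 2:i + 4])[0]
    if old <= clamp:
        return seg, old
    opts[i + 2:i + 4] = struct.pack("!H", clamp)
    return set_checksum(src, dst, seg[:TCP_HDR_LEN] + bytes(opts) + seg[hlen:]), old


if __name__ == "__main__":
    s, d, syn = build_syn("192.168.1.10", "203.0.113.5", 40000, 80, 1460)
    new, old = clamp_mss(s, d, syn, mss_for_mtu(1492))
    print("MSS %d -> %d, checksum valid: %s" % (old, parse_mss(new), checksum_ok(s, d, new)))
```

The router only ever lowers the value: a host that already advertises a smaller MSS is left alone, and because both ends see the clamped option during the handshake, neither side ever sends a segment larger than the PPPoE path can carry. As the reply notes, UDP is untouched by this, since there is no handshake to rewrite.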
Re: [c-nsp] ISR G2 Interface RX Performance
On 25 January 2013 23:11, Nathanael Law nathanael@aimco.alberta.ca wrote:

> Hello all,
>
> We're having some issues with a 3925 and real-time UDP traffic bursts. The bursts are approximately 1500 packets long and are sent in 5.7 ms for an effective rate of ~250 kpps (~375 Mbps). The steady state traffic on this connection is 10kpps.
>
> Physical Topology
> =================
>
>   +--------+                         +--------+
>   |        |                         |        |
>   |  3750  | gi2/0/2 -------- gi0/0 |  3925  |
>   |        |                         |        |
>   +--------+                         +--------+
>
> Packet captures have shown that the 3750 gi2/0/2 interface has no issues sending the entire burst; however, packet captures on both the receiving host and the 3925 show that only about 1/3rd of the packets show up on the gi0/0 interface. The overrun counter increases slightly with each burst.
>
>   3925#show interfaces gi0/0
>   GigabitEthernet0/0 is up, line protocol is up
>     Hardware is PQ3_TSEC, address is 70ca.9bb5.7a80 (bia 70ca.9bb5.7a80)
>     Description: Uplink to core switch 2
>     MTU 1500 bytes, BW 100 Kbit/sec, DLY 10 usec,
>        reliability 255/255, txload 12/255, rxload 1/255
>     Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
>     Keepalive set (10 sec)
>     Full Duplex, 1Gbps, media type is RJ45
>     output flow-control is unsupported, input flow-control is unsupported
>     ARP type: ARPA, ARP Timeout 04:00:00
>     Last input 00:00:00, output 00:00:00, output hang never
>     Last clearing of "show interface" counters never
>     Input queue: 0/75/176/0 (size/max/drops/flushes); Total output drops: 0
>     Queueing strategy: fifo
>     Output queue: 0/40 (size/max)
>     5 minute input rate 5331000 bits/sec, 2511 packets/sec
>     5 minute output rate 48693000 bits/sec, 5037 packets/sec
>        40386885831 packets input, 7413412230506 bytes, 0 no buffer
>        Received 3800689 broadcasts (0 IP multicasts)
>        0 runts, 0 giants, 111 throttles
>        82202 input errors, 0 CRC, 0 frame, 82202 overrun, 0 ignored
>        0 watchdog, 3800681 multicast, 0 pause input
>        80802723127 packets output, 110122764930458 bytes, 0 underruns
>        0 output errors, 0 collisions, 1 interface resets
>        0 unknown protocol drops
>        0 babbles, 0 late collision, 0 deferred
>        0 lost carrier, 0 no carrier, 0 pause output
>        0 output buffer failures, 0 output buffers swapped out
>
> The only other statistic of note seems to be the rx_overflow_err on the gi0/0 interface:
>
>   Internal Driver Information:
>     throttled=111, enabled=111, disabled=0
>     rx_coalesce_failed=0, rx_framing_err=0, rx_overflow_err=1726086, rx_buffer_err=65
>     rx_no_enp=0, rx_discard=0
>     tx_one_col_err=0, tx_more_col_err=0, tx_no_enp=0, tx_deferred_err=0
>     tx_underrun_err=0, tx_late_collision_err=0, tx_loss_carrier_err=0
>     tx_exc_collision_err=0, tx_buff_err=0, fatal_tx_err=0
>
> From this it seems that the actual gigabit physical interfaces on the 3925 cannot handle even 11% of line rate (2 Mpps for a 1 Gbps connection @ 64 byte packets). I knew that the processor can't handle that, but I expected the interface itself to come at least a little closer given that CEF on the 3925 can supposedly handle 833 kpps without any features turned on.
>
> Does my analysis seem accurate? If not, any pointers in the right direction would be appreciated. If so, what Cisco routing hardware would be minimally required to support line-rate 1 Gbps input (the 3925 is a WAN router that basically passes traffic off to one of our MPLS providers)? Would the interfaces on an ASR1k (ESP5) do the job?
>
> We do have a TAC case open for this issue, but they have been unable to provide documentation on the limitations of the physical interface so far.
>
> Documents that seem related:
> - https://supportforums.cisco.com/docs/DOC-2613 (doesn't reference anything as new as the ISR G2s, but I figured it may still apply)
>
> Thank you,
> Nathanael Law

Nathanael

I have some lab stress test results for the whole ISR G2 platform which I can share with you if you like, a quick look at the 3925 with a traffic profile of G711 and packet marking (you would probably have marking in a voice environment with QoS applied) shows the cpu at 75% whilst it is passing 280Mb. The bursts could be topping the cpu out although my realtime tests were with voice codecs and your realtime traffic is 1500bytes so the cpu should be at a lower rate for the same amount of bandwidth. Graphing the cpu isn't going to help as it's such short bursts but the overruns are a real indicator that the cpu is stressed. Shaping would normally be the answer to control bursty traffic but shaping realtime will cause issues with the stream. If you want to allow this traffic then you need a cpe with a bit more grunt, the 3945 is
Re: [c-nsp] VPN on 7200
You could forget supporting the VPN on the 7200 and run an openvpn tunnel between a Linux host at the site and one where you are, a simple p2p would work between the two servers (I use an inexpensive Linux plug server as it's only management traffic), it would be secure as far as the wan is concerned but insecure from server to 7200 across the LAN. If you wanted to go mobile with your laptop as the VPN client you could set a Linux server local to the 7200 in p2p cert server mode and use an Openvpn Windows client with generated certs.

Thanks
Sledge

On 14 January 2013 21:22, Markus H hauschild.mar...@gmail.com wrote:

> Sorry, it seems the title somehow got lost.
>
> On Mon, Jan 14, 2013 at 10:21 PM, Markus H hauschild.mar...@gmail.com wrote:
>
>> Hi,
>>
>> I want to add VPN support to a cisco 7200 (w/ NPE300). Use case would be secure remote management (of the 7200 and other gear at the site) from a Linux-based computer. Pretty much my only requirement would be that the VPN is usable out of the box with standard Linux tools or the open-source vpnc client (the proprietary cisco vpn client is a no-go, it has proven to be too unstable and broken for me). Encryption is a strong plus but I think I could somehow live without.
>>
>> Otherwise I don't need a large number of connected clients or high data-rates.
>>
>> So what are you using and what kind of VPN/Tunnel would you suggest in my case?
>>
>> Thanks,
>> Markus
Re: [c-nsp] Cisco 867 SIP NAT
I am currently running SIP ALG on 1000 devices without any problems, a mixture of 857 and 887VA-M. I originally had a problem with the 887VA-M but a bug fix was released after I raised a TAC case.

Cheers
Sledge

On 9 January 2013 00:12, Jared Mauch ja...@puck.nether.net wrote:

> IOS automatically does SIP-ALG when doing nat, is this enabled or not? The SIP-ALG is broken and I have always recommended people to turn it off.
>
> - Jared
>
> On Jan 8, 2013, at 7:05 PM, Andrew Yager and...@rwts.com.au wrote:
>
>> Hi,
>>
>> We have a client using a Cisco 867 with SIP based VoIP phones behind it (not CCM). Each time the phones perform a new SIP request a new entry is created in the NAT table on a different port, which very quickly floods the NAT table and crashes the router.
>>
>> We've tried with c860-universalk9-mz.150-1.M6 and c860-universalk9-mz.151-4.M5 but are seeing the same behaviour.
>>
>> Client nat config is relatively standard:
>>
>>   ip nat inside source list 10 interface Dialer0 overload
>>   ip nat inside source static tcp 10.1.1.100 5900 interface Dialer0 5900
>>   ip nat inside source static tcp 10.1.1.100 1723 interface Dialer0 1723
>>   access-list 10 permit 10.1.1.0 0.0.0.255
>>
>> Has anyone seen this issue on this series of routers and/or know if it's an IOS bug? Any fixes or workarounds or working IOS versions?
>>
>> Thanks,
>> Andrew
>>
>> --
>> Andrew Yager, Managing Director (MACS Snr CP BCompSc MCP MCE JNCIA-Junos)
>> Real World Technology Solutions Pty Ltd - IT people you can trust
>> ph: 1300 798 718 or (02) 9037 0500
>> fax: (02) 9037 0591
>> mob: 0405 152 568
>> http://www.rwts.com.au/
Re: [c-nsp] ISR G2 Licenses - Permanent vs Right To Use
All ours say

  Index 2 Feature: securityk9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium

On 28 November 2012 11:52, Steve McCrory smccr...@gcicom.net wrote:

> Hi Group,
>
> We've had a complaint from a customer that their security license on a 1941K9 is showing as Right To Use when they are expecting it to show Permanent:
>
>   Index 2 Feature: securityk9
>         Period left: Life time
>         License Type: RightToUse
>         License State: Active, In Use
>         License Count: Non-Counted
>         License Priority: Low
>
> We've had this checked with our distributor who shipped us the router pre-installed with the required license and they are happy that Right To Use is correct. They even raised it with Cisco and they came back quoting the Wassenaar Arrangement.
>
> Can someone clear up the difference between the two terms as the Cisco literature on the subject is confusing and our customer is like a dog with a bone over this.
>
> Thanks
> Steven
>
> Steven McCrory
> Network Specialist
> GCI Com
> Unit 2 Modwen Road
> Salford M5 3EZ
> Office: 0844 443 3537
> Fax: 0844 443 3540
> www.gcicom.net
>
> Steve McCrory
> Senior Network Engineer
> GCI Com
> Cedar Court Office Park
> Denby Dale Road
> Calder Grove
> Wakefield WF4 3QZ
> Office: 0844 443 3537
> Fax: 0844 443 3540
> http://www.gcicom.net/
Re: [c-nsp] ISR G2 Licenses - Permanent vs Right To Use
Reuben

How do I activate a RightToUse licence, I have only ever used the permanent process before.

Thanks
Sledge

On 28 November 2012 12:23, Reuben Farrelly reuben-cisco-...@reub.net wrote:

> On 28/11/2012 10:52 PM, Steve McCrory wrote:
>
>> Hi Group,
>
> RightToUse (RTU) licenses are licenses that essentially are just honor based, ie you can freely use the features providing you have purchased the license, and there is no enforcement of the featureset on or off. This is basically how Cisco has historically licensed IOS for many years.
>
> Permanent licenses are ones where a license key has been imported into the router IOS and are based on a cryptographic license key file. These are node-locked licenses and tied to the serial number of the chassis. With a bit of messing around these can be transferred if you do an RMA.
>
> If you've paid for and are entitled to a given featureset then yes, you should be getting what is called a Product Activation Key (PAK), which in turn you enter in to www.cisco.com/go/license, which then spits out a tiny license key file that you install on the router. This then shows up as a 'permanent' license in the IOS. Either that, or the license is pre-installed at the factory in which case it will show as a permanent license out of the box. This is how it normally works, I've had dozens of routers shipped to us from our distributor that are done this way.
>
> Cisco went down the path of enforcing licensing (ie permanent licenses, no RTU) on some newer IOS platforms but did a fast backpedal in a 15.0/15.1 maintenance rebuild of IOS. Presumably a few people seriously objected to it and the messing around involved in processing licenses, and Cisco realised it probably was causing more pain and lost sales than it was worth.
>
> So pretty much across the board in so far as branch routers now we're back to where we started, ie honor based RTU licenses where the real proof of entitlement is a purchase order proving you've bought the license :-)
>
> Reuben
[c-nsp] Interface Buffer and Queue Limit ISRG2
Good Evening

Does anybody know what the default buffer is on the Gig interface of an ISRG2, also, if the answer is 1000 packets is there any point in having a queue-limit higher than 1000 packets in the default-queue of a QoS shaping policy attached to one of the interfaces. Will having a queue-limit higher than the default interface buffer cause drops in the PQ of this policy if the default-queue exhausts the configured limit.

Thanks
Sledge
Re: [c-nsp] ME3600X Output Drops
George

I believe you will be able to specify a % of the available buffer for queue-limit in a future release and you will also be able to specify 100% of the buffer for each individual queue-limit.

Thanks
Sledge

On 23 August 2012 11:57, George Giannousopoulos ggian...@gmail.com wrote:

> If I remember correctly, 2457 packets is the maximum on this platform
> We weren't given any specific version for the increase default values
> In case you get anything extra from your SR, it would be nice to share it with us
>
> George
>
> On Thu, Aug 23, 2012 at 12:10 PM, Ivan cisco-...@itpro.co.nz wrote:
>
>> Thanks George. I am raising a SR to get some more information too. Are you able to explain how the queue-limit of 2457 was selected? Also were you given a version for the increase in the default queue size? I am running me360x-universalk9-mz.152-2.S1.bin
>>
>> Cheers
>> Ivan
>>
>> On 23/Aug/2012 5:48 p.m., George Giannousopoulos wrote:
>>
>>> Hi Ivan,
>>>
>>> In fact the default queue limit in 3800x/3600x is quite small
>>> We also had issues with drops in all interfaces, even without congestion
>>> After some research and an SR with Cisco, we have started applying qos on all interfaces
>>>
>>>   policy-map INTERFACE-OUTPUT-POLICY
>>>    class dummy
>>>    class class-default
>>>     shape average X
>>>     queue-limit 2457 packets
>>>
>>> The dummy class does nothing. It is just there because IOS wouldn't allow changing queue limit otherwise
>>> Also there were issues with the policy counters which should be resolved after 15.1(2)EY2
>>> Cisco said they would increase the default queue sizes in the second half of 2012..
>>> So, I suggest you try the latest IOS version and check again
>>>
>>> 10G interfaces had no drops in our setup too.
>>>
>>> Regards
>>> George
>>>
>>> On Thu, Aug 23, 2012 at 1:34 AM, Ivan cisco-...@itpro.co.nz wrote:
>>>
>>>> Replying to my own message
>>>>
>>>> * Adjusting the hold queue didn't help.
>>>> * Applying QOS and per referenced email stopped the drops immediately - I used something like the below:
>>>>
>>>>   policy-map leaf
>>>>    class class-default
>>>>     queue-limit 491520 bytes
>>>>   policy-map logical
>>>>    class class-default
>>>>     service-policy leaf
>>>>   policy-map root
>>>>    class class-default
>>>>     service-policy logical
>>>>
>>>> * I would be interested to hear if others have ended up applying a similar policy to all interfaces. Any gotchas? I expect any 10Gbps interfaces would be okay without the QoS - haven't seen any issue on these myself.
>>>> * Apart from this list I have found very little information around this whole issue. Any pointers to other documentation would be appreciated.
>>>>
>>>> Thanks
>>>> Ivan
>>>>
>>>>> Ivan
>>>>>
>>>>> Hi,
>>>>>
>>>>> I am seeing output drops on a ME3600X interface as shown below
>>>>>
>>>>>   GigabitEthernet0/2 is up, line protocol is up (connected)
>>>>>     MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
>>>>>        reliability 255/255, txload 29/255, rxload 2/255
>>>>>     Encapsulation ARPA, loopback not set
>>>>>     Keepalive set (10 sec)
>>>>>     Full-duplex, 1000Mb/s, media type is RJ45
>>>>>     input flow-control is off, output flow-control is unsupported
>>>>>     ARP type: ARPA, ARP Timeout 04:00:00
>>>>>     Last input 6w1d, output never, output hang never
>>>>>     Last clearing of "show interface" counters 00:12:56
>>>>>     Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 231
>>>>>     Queueing strategy: fifo
>>>>>     Output queue: 0/40 (size/max)
>>>>>     30 second input rate 10299000 bits/sec, 5463 packets/sec
>>>>>     30 second output rate 114235000 bits/sec, 12461 packets/sec
>>>>>        3812300 packets input, 705758638 bytes, 0 no buffer
>>>>>        Received 776 broadcasts (776 multicasts)
>>>>>        0 runts, 0 giants, 0 throttles
>>>>>        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>>>>>        0 watchdog, 776 multicast, 0 pause input
>>>>>        0 input packets with dribble condition detected
>>>>>        9103882 packets output, 10291542297 bytes, 0 underruns
>>>>>        0 output errors, 0 collisions, 0 interface resets
>>>>>        0 unknown protocol drops
>>>>>        0 babbles, 0 late collision, 0 deferred
>>>>>        0 lost carrier, 0 no carrier, 0 pause output
>>>>>        0 output buffer failures, 0 output buffers swapped out
>>>>>
>>>>> I have read about similar issues on the list:
>>>>> http://www.gossamer-threads.com/lists/cisco/nsp/157217
>>>>> https://puck.nether.net/pipermail/cisco-nsp/2012-July/085889.html
>>>>>
>>>>> 1. I have no QoS policies applied to the physical interface or EVCs. Would increasing the hold queue help? Is there a recommended value - the maximum configurable is 24. What is the impact on the 44MB of packet
Re: [c-nsp] Troubleshooting uncategorized output drops and errors on the 6500
John

Could your drops be due to microburst?

On 26 July 2012 18:37, John Neiberger jneiber...@gmail.com wrote:

> I've got another strange issue brewing. We have a 1-gig interface on a 6500 (6748 blade) that has a high number of output errors and output drops. The drops are not queue drops. Here are the stats, one week after clearing the counters.
>
>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 1158860
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   30 second input rate 854000 bits/sec, 101 packets/sec
>   30 second output rate 78000 bits/sec, 116 packets/sec
>      97152626 packets input, 115649666904 bytes, 0 no buffer
>      Received 0 broadcasts (0 multicasts)
>      0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      90216394 packets output, 7441734020 bytes, 0 underruns
>      579430 output errors, 0 collisions, 0 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
>
>   Packets dropped on Transmit:
>     queue    dropped    [cos-map]
>     1        0          [0 1 ]
>     2        0          [2 3 4 ]
>     3        0          [6 7 ]
>     4        0          [5 ]
>
> I haven't been able to figure out what could be causing such a high rate of errors and drops. I have a TAC case open, but the engineer hasn't been able to explain what we're seeing. I'm probably just going to coordinate with the server and app owners to move this to another link, but I'm still very curious about what could cause this behavior. Any ideas?
>
> Thanks,
> John
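The microburst question above, and the 3925 receive-overrun thread earlier on this page (1500 packets in 5.7 ms overrunning an interface whose 5-minute counters sit near idle), share one mechanism: a burst that outpaces the consumer for a few milliseconds fills a shallow ring or queue and tail-drops, while any averaged rate counter never moves. This added example, not code from either thread or from Cisco, is a minimal constant-rate FIFO model that makes the point reproducible. The burst size and duration are the figures from the 3925 post; the service rates and the 75-packet depth are assumptions for illustration (the post shows a 75-packet input queue, but the overruns it reports occur in the driver's receive ring, whose size is not given).

```python
"""Why a burst overruns a shallow ring or queue while the rate counters look idle.

Added example, not from the mailing-list threads. Packets arrive evenly
spaced across 'burst_seconds'; the consumer (the CPU emptying a receive
ring, or a port draining its transmit queue) removes 'service_pps' packets
per second; the ring or queue holds 'depth' packets and tail-drops beyond.
Service rates and depths used below are assumptions, not measured values.
"""


def simulate_fifo_burst(burst_pkts, burst_seconds, service_pps, depth):
    """Run one burst through a depth-limited FIFO; returns (delivered, dropped, peak_occupancy)."""
    interval = burst_seconds / burst_pkts   # spacing between consecutive arrivals
    credit = 0.0                            # service capacity accrued since the last arrival
    queue = delivered = dropped = peak = 0
    for _ in range(burst_pkts):
        credit += service_pps * interval
        served = min(queue, int(credit))    # whole packets the consumer managed to remove
        queue -= served
        delivered += served
        credit -= served
        if queue == 0:
            credit = 0.0                    # idle time is not banked: an empty ring cannot pre-serve
        if queue < depth:
            queue += 1                      # the arrival fits in the ring / queue
        else:
            dropped += 1                    # tail drop: reported as overrun or output drop
        peak = max(peak, queue)
    delivered += queue                      # the backlog drains once the burst stops
    return delivered, dropped, peak


def arrival_pps(burst_pkts, burst_seconds):
    """Instantaneous packet rate during the burst."""
    return burst_pkts / burst_seconds


def average_load_pct(burst_pkts, burst_seconds, counter_window_seconds, service_pps):
    """Utilisation a rate counter averaged over 'counter_window_seconds' reports for one burst per window."""
    return 100.0 * burst_pkts / (counter_window_seconds * service_pps)


if __name__ == "__main__":
    print("burst arrival rate: %.0f pps" % arrival_pps(1500, 0.0057))
    for rate in (300_000, 150_000, 75_000):     # assumed consumer rates
        d, x, p = simulate_fifo_burst(1500, 0.0057, rate, 75)
        print("service %6d pps, depth 75: delivered %4d, dropped %4d, peak queue %3d" % (rate, d, x, p))
    print("same burst once per 5-minute window at 75 kpps: %.4f%% average load"
          % average_load_pct(1500, 0.0057, 300, 75_000))
```

Two things fall out of running it: with a consumer slower than the ~263 kpps arrival rate, the drop count is set almost entirely by the depth and the service rate, not by the burst's share of the 5-minute average (which stays below a hundredth of a percent); and deepening the buffer trades those drops for queueing delay, which is why the 3925 reply warns that shaping real-time traffic brings its own problems.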
Re: [c-nsp] DHCP NAT router limitations
I know that with Packet Marking, NAT and Firewall enabled with 512byte frames you will get 50Mbps (symmetric) throughput out of a 2921 (cpu running at 75%). If this were a router to provide Internet to end users then you would have more traffic download than upload and with 50Mb download and say an upload of around 25% of that then the cpu would probably tick over at around 40%. If you don't need Firewall and Marking then a lower model router would do, I reckon a 1921, not sure of the G1's only tested G2's.

Thanks
Rick

On 31 May 2012 12:39, Rens r...@autempspourmoi.be wrote:

> Where do you get that info that a 1841 2811 can't do this?
> They do fine average Internet traffic @ 50Mbps
> I got 2811's doing 100Mbps
>
> Indeed my wifi setup can cope with 2K connections
>
> From: aled.w.mor...@googlemail.com [mailto:aled.w.mor...@googlemail.com] On Behalf Of Aled Morris
> Sent: Wednesday 30 May 2012 17:09
> To: Rens
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] DHCP NAT router limitations
>
> On 30 May 2012 11:17, Rens r...@autempspourmoi.be wrote:
>
>> For a one day wifi event I'm looking which kind of router can be used to deliver DHCP NAT for 1000-2000 simultaneous users
>> Total WAN capacity will be +- 50Mbps
>> Would a 1841 or a 2811 be able to handle all this NAT/DHCP?
>
> Neither of these would cope with 50Mbps even without the NAT.
>
> If you are purely Ethernet then the cheapest Cisco solution would be an ASA5505
>
> I assume you've already got a wifi setup that can cope with 2,000 connections.
>
> Aled
Re: [c-nsp] L2TP IP TOS Reflect
This is my config and it works fine

  vpdn-group 1
   request-dialin
    protocol l2tp
    domain me.com
   initiate-to ip 192.168.50.50
   local name me
   l2tp tunnel password 0 password
   l2tp tunnel receive-window 10
   ip tos reflect

On 3 May 2012 10:54, ar ar_...@yahoo.com wrote:

> Anyone tried this in l2tp? ip tos reflect seems to be not working
>
> sample config:
>
>   vpdn-group 1
>    accept-dialin
>     protocol l2tp
>     virtual-template 1
>    terminate-from hostname althea
>    local name bertha
>    l2tp ip tos reflect
>
> any workarounds?
Re: [c-nsp] ISRG2
Ah, somebody asked me this on a previous post and I forgot to answer, I have extensive testing results which I will post to you in raw format now. Any questions on the format just ask.

On 30 March 2012 14:57, harbor235 harbor...@gmail.com wrote:

> I am having the hardest time finding docs on ISRG2 performance comparisons for the 3900 and the 3900E models. I am interested in the 3925/3925E. Before anyone lmgtfy.com's typical marketing data I found, there are slot differences, built-in LAN interfaces differences, etc ... One uses the SPE100 and the other the SPE200 but what are the performance numbers, comparisons?
>
> thanx in advance,
>
> Mike
Re: [c-nsp] routerperformance
I have performed extensive testing of this platform with different features enabled if you need anything specific.

On 23 March 2012 21:40, Keegan Holley keegan.hol...@sungard.com wrote:

> Does anyone have the throughput numbers for the new cisco 29XX/39XX routers? I see they continue to omit them from the website.
[c-nsp] QoS - Fair Queue effect on CPU
I have been searching for any real world examples or information on the effect the 'fair queue' process has on router cpu, does anybody have any experience of this particularly with multiple high bandwidth flows on the ISRG2 platform. I know it's not an exact science and I am being specific with the scenario but I don't want to be caught out with unexpected high cpu when using this in a QoS policy.

Thanks
Rick