[c-nsp] Hiding SCP Password Using Archive Feature

2023-04-29 Thread Richard Clayton via cisco-nsp
Hi Guys

What I'm trying to achieve:

1. Every time an engineer runs the write-memory command, a copy of the
running config is sent to my SCP server.
2. Every 7 days, a copy of the running config is sent to my SCP server.
3. The password in configuration is not shown in clear text.

It's just #3 that I hope there is a fix for.

Here is an example of my config.

archive
 path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
 write-memory
 time-period 10080

Because the password part of the SCP config is not an IOS-recognised
password, I don't appear to be able to encrypt it.  If that's the case, is
there a secure fudge, like somehow referencing a local username that does
have password encryption?

I'm not looking for server based solutions like SolarWinds etc.

Thanks
Rick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
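As an added example (not from the thread), a small scanner for exactly this problem: it flags credentials embedded in archive/copy URLs and type 0/7 passwords in an IOS config and produces a redacted copy that is safe to store or share. The sample config is constructed from the archive block above; the hostname and the `password 7` line are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample config: the archive block from the post plus a
# hypothetical type 7 username line; nothing here is a real credential.
SAMPLE_CONFIG = """\
hostname CUSTOMER-LONDON6
username admin password 7 094F471A1A0A
archive
 path scp://user:password@1.2.3.4/CUSTOMERS/CUSTOMER1/CUSTOMER-LONDON6-ETH1.cfg
 write-memory
 time-period 10080
ip ftp username backup
"""

# user:secret@host inside a transfer URL (scp/sftp/ftp/http/https).
URL_CRED_RE = re.compile(
    r"(?P<scheme>scp|sftp|ftp|https?)://"
    r"(?P<user>[^:@/\s]+):(?P<secret>[^@/\s]+)@(?P<host>[^/\s]+)"
)
# Type 0 is clear text; type 7 is the reversible Vigenere-style IOS
# encoding, so both are recoverable by anyone who can read the config.
WEAK_PW_RE = re.compile(r"\b(?:password|secret)\s+(?P<type>[07])\s+\S+")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str


def scan_config(config_text: str) -> list[Finding]:
    """Return one Finding per line that exposes a recoverable secret."""
    findings: list[Finding] = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        m = URL_CRED_RE.search(line)
        if m:
            findings.append(Finding(
                n, "url-credential",
                f"{m['scheme']}:// password for user {m['user']!r} on {m['host']}"))
        m = WEAK_PW_RE.search(line)
        if m:
            findings.append(Finding(
                n, "weak-password-type", f"type {m['type']} password"))
    return findings


def redact_config(config_text: str) -> str:
    """Copy of the config with recoverable secrets replaced by <REDACTED>."""
    out = []
    for line in config_text.splitlines():
        line = URL_CRED_RE.sub(
            lambda m: f"{m['scheme']}://{m['user']}:<REDACTED>@{m['host']}", line)
        line = WEAK_PW_RE.sub(
            lambda m: m.group(0).rsplit(None, 1)[0] + " <REDACTED>", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
    print(redact_config(SAMPLE_CONFIG))
```

Run it over `show running-config` output before a config is copied off-box or pasted into a ticket; a URL with a user but no `:secret@` part (for example key-based SCP) is not flagged.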


[c-nsp] Cisco 4k Performance and Boost Licensing

2019-01-30 Thread Richard Clayton
Hi Guys

Quick question regarding the above.  Can I activate a boost license
independent of a performance license or do I need to activate the
performance license and then the boost license?
I was hoping I could just activate the boost license on a 4451 to give me
4Gb, rather than activate the performance license first.  So 1GB > 4GB
rather than 1GB > 2Gb > 4Gb.

Thanks
Rick


Re: [c-nsp] Dual Homed Site with L2 Backup

2019-01-07 Thread Richard Clayton
Hi Hunter

The only thing that puts me off this approach is the tromboning of traffic
for the primary L2 path.  It will reduce the capacity of the CE router.
PC-Host > Customer L2 > CE L2 attachment interface > CE Tunnel, back to
Customer L3 for transit of tunnel traffic.

Thanks
Rick
Gamma.co.uk

On Sun, 23 Dec 2018 at 17:46, Hunter Fuller wrote:

> Yes, this is what we are planning. We are landing the L2 circuit (in our
> case, it's over DWDM) on the VTEPs directly. But they also have access to
> an L3 path through the IGP. The tunnel is always in use.
>
> --
> Hunter Fuller
> Network Engineer
> VBH Annex B-5
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
>
> On Sun, Dec 23, 2018 at 11:03 AM Arie Vayner  wrote:
>
>> One approach I can see to make it work consistently regardless what path
>> it
>> takes is to use the overlay at all times, even when the primary path is
>> up.
>>
>> Basically you just make the layer 2 link routed (i.e. terminate it with
>> layer 3 ports on both ends), and run the VXLAN one hop before (or anywhere
>> it makes sense).
>>
>> This way you just run a vxlan extension over a layer 3 redundant path.
>>
>> On Sun, Dec 23, 2018, 02:48 Richard Clayton wrote:
>> > Hi Arie
>> >
>> > I did encounter the MTU requirement and configured the lab to allow for
>> > it.  VXLAN may be the future but this topology isn't really what it was
>> > intended for, due to the loop it creates (same with OTV).  I was still
>> > able to create a working design for both protocols regardless.
>> >
>> > Would be interesting to see how others would meet the requirement with
>> > this particular set of constraints.
>> >
>> > Thanks
>> > Rick
>> >
>> > gamma.co.uk
>> >
>> >
>> >
>> > On Sat, 22 Dec 2018, 20:29 Arie Vayner wrote:
>> >> Vxlan is the future...
>> >> Be very careful with the mtu implications.
>> >>
>> >> Tnx, Arie
>> >>
>> >> On Sat, Dec 22, 2018, 03:25 Richard Clayton wrote:
>> >>
>> >>> Hi Guys
>> >>>
>> >>> Scenario
>> >>>
>> >>> Customer has dual homed geographically separated site into mpls wan.
>> >>> They also have a single layer 2 circuit running between the two.  The
>> >>> requirement is to backup the layer 2 over the wan circuits.  The wan
>> >>> hardware at both sites is cisco 4k ios xe.
>> >>>
>> >>> I'm interested to know how you guys would achieve this.  I've had the
>> >>> luxury of 4 days in the lab testing VXLAN, OTV and L2TPV3 xconnect
>> >>> between the two 4k routers, also did JDSU throughput testing over the
>> >>> tunnel, was quite interesting.


Re: [c-nsp] Dual Homed Site with L2 Backup

2018-12-24 Thread Richard Clayton
Thanks for the replies

In the current topology the customer connects the L2 circuit directly to
their core L2/L3 switches which I have no control over.  When the L2 is
connected and the tunnel is up an L2 loop forms and, because spanning-tree is
not forwarded over VXLAN or OTV tunnels, it can't be used to detect and
block loops.  To counter this I enabled spanning-tree on the two 4431s (MST)
and gave them both the lowest bridge priorities in the tree.  I also
enabled root guard on the 4431-2 LAN interface.  When all is connected 4431-2
sees a superior root advertised into its LAN interface (from 4431-1),
4431-2 then blocks this interface and as a result blocks the loop.  When
the L2 p2p is dropped 4431-2 stops seeing the superior root and unblocks
the port, allowing the tunnel path to be the new L2 path between the sites.
I tested this with different customer spanning tree modes and with both
VXLAN and OTV; both worked well and failed over consistently using the root
guard feature.

Observations - Configurations
* Even though VXLAN isn't officially supported on the 4431 it works
flawlessly.
* With the throughput license enabled I was pushing 900Mb/s over the tunnel
and the 4431 CPUs were running at 2%.
* Spanning-tree can't be used to detect and block loops but root guard can
be used to detect a superior root and in practice blocks the loop.
* I costed out the link from customer core L2 to 4431-2.
* I always used MST on the 4431s but tested MST and Rapid PVST on the
customer side.

It would be interesting to test the other suggestions you guys have made.

Thanks
Rick

gamma.co.uk




Re: [c-nsp] Dual Homed Site with L2 Backup

2018-12-23 Thread Richard Clayton
Hi Arie

I did encounter the MTU requirement and configured the lab to allow for
it.  VXLAN may be the future but this topology isn't really what it was
intended for, due to the loop it creates (same with OTV).  I was still able
to create a working design for both protocols regardless.

Would be interesting to see how others would meet the requirement with this
particular set of constraints.

Thanks
Rick

gamma.co.uk





[c-nsp] Dual Homed Site with L2 Backup

2018-12-22 Thread Richard Clayton
Hi Guys

Scenario

Customer has dual homed geographically separated site into mpls wan.  They
also have a single layer 2 circuit running between the two.  The
requirement is to backup the layer 2 over the wan circuits.  The wan
hardware at both sites is cisco 4k ios xe.

I'm interested to know how you guys would achieve this.  I've had the
luxury of 4 days in the lab testing VXLAN, OTV and L2TPV3 xconnect between
the two 4k routers, also did JDSU throughput testing over the tunnel, was
quite interesting.


Re: [c-nsp] 4431 - L2TPV3 xconnect inside Service Instance

2018-12-10 Thread Richard Clayton
I actually got VXLAN working between 2 x 4431s in the end, regardless of
what the Cisco site said.  I guess what they mean is, "it will work on the
4431 but we will not support it".  It's actually a cool protocol/feature,
works well and fails over fast.



Re: [c-nsp] 4431 - L2TPV3 xconnect inside Service Instance

2018-12-09 Thread Richard Clayton
Changed my lab to VXLAN only to find it's not supported on the 4431, only
supported on the 4451.  It lets you put all the commands in but doesn't
work.  Why do Cisco do that to us?  Surely just remove the commands when
there is no support for it?

https://www.cisco.com/c/en_in/products/collateral/routers/4000-series-integrated-services-routers-isr/datasheet-c78-732542.html




Re: [c-nsp] 4431 - L2TPV3 xconnect inside Service Instance

2018-12-08 Thread Richard Clayton
Config snippet from both routers

CE R1
interface GigabitEthernet0/0/3
 description POP1-CE02 3750SW-1
 mtu 1600
 no ip address
 media-type rj45
 negotiation auto
 service instance 1 ethernet
  description L2 Extension LAN
  encapsulation dot1q 229,232
  xconnect 100.66.50.110 100 encapsulation l2tpv3 pw-class L2TPv3
 !
 service instance 2 ethernet
  description Corporate L3 LAN
  encapsulation dot1q 700
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 !
CE R2
interface GigabitEthernet0/0/3
 description POP2-CE02 3750SW-1
 mtu 1600
 no ip address
 negotiation auto
 service instance 1 ethernet
  description L2 Extension LAN
  encapsulation dot1q 229,232
  xconnect 100.66.50.109 100 encapsulation l2tpv3 pw-class L2TPv3
 !
 service instance 2 ethernet
  description Corporate L3 LAN
  encapsulation dot1q 700
  rewrite ingress tag pop 1 symmetric
  bridge-domain 4
 !
!



[c-nsp] 4431 - L2TPV3 xconnect inside Service Instance

2018-12-07 Thread Richard Clayton
Hi Guys

I have two main sites, HQ and DR, the site has layer 2 p2p between them and
a 4431 on each for the WAN.  They want layer two backup over the 4431 WAN
circuits for their existing layer 2 p2p.
I have tested L2TPV3 xconnect inside a LAN facing Service Instance, the
L2TPV3 session establishes, but is not passing any frames.  My question:
is L2TPV3 xconnect inside a Service Instance supported on 4431 IOS XE, or
do I need to change my lab to either OTV or VXLAN?

I have the AppX license installed on both routers.

Thanks in advance for your assistance.

Rick


Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-02-01 Thread Richard Clayton
The reason this particular customer wants to extend layer 2 is vMotion.

On 1 Feb 2018 17:04, "Aaron Gould"  wrote:

> So I think (I could be wrong as I'm not a server guy) that all this L2
> network emulation is because of server virtualization and moving vm's or
> vmotion or something like that, and that they need to be in same ip subnet
> (aka bcast domain) correct ?
>
> *if* that's true, and *if* all this layer 2 networking madness is because
> of
> that point stated above, I would think that someone (vendors/standards
> bodies/companies) would/should be working really hard to make that server
> stuff work in different bcast domains (different subnets)...so we wouldn't
> have to do all that L2 stuff
>
> -Aaron
>
>
>


Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-02-01 Thread Richard Clayton
Hi

I ended up dumping the OTV design for my customer as it was too expensive
to deploy.  It's only supported on the 4451 (customer has been quoted for
4431) and needs an AppX license, was looking at £9000+ per router and
there is a built in 100Mb limit on OTV traffic.  I'm doing VPLS now but was
good to play with OTV in a lab environment.  May come across it one day out
in the wild.

Thanks
Rick




-- 
If you try to reinvent the wheel you will end up with something non-round
and should expect an uncomfortable ride. The wheel has no copyright.
Richard Clayton - 17/11/2014.

Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-01-29 Thread Richard Clayton
Hi Guys

I think I have the reason for the behavior in my lab.  I have the 'silent
host' issue which happens in labs but generally doesn't happen in live
networks.  For my host devices I used Cisco routers with an IP address on a
single interface, all these devices were doing is a ping and an ARP to a
single IP address.  In a production network these hosts would be
workstations and servers and would be a lot more chatty, generating
broadcast traffic.  When I drop the CSR1 site 1 WAN overlay the remote
Cisco host does not generate any new broadcast traffic, new broadcast
traffic would flood from the CSR1 site 2 across the overlay and eventually
into the 'customer' layer 2 at site 1.

So in summary, in a production network the hosts would generate enough
broadcast traffic to keep failover connectivity issues to a minimum.  In a
lab with silent hosts, you will have to wait 5 minutes for the 'customer'
layer 2 mac address table to age out before connectivity is restored.  For
info I used Cisco routers as end hosts because they were easy, quick and
lightweight to spin up.

I still don't fully understand why the OTV host doesn't generate a TCN as
documented so if anyone could get an answer on that it would be great.

For now I am happy to design OTV into my customer solution.

Thanks

Rick



[c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-01-26 Thread Richard Clayton
Hi Guys

I have configured Multihomed OTV in a virtual lab on EVE-NG using Cisco
CSRs.  The lab is 2 x CSR at one site both connected to a layer 2 switch and
a single CSR at a remote site.
Everything works well apart from one thing.  At the dual router site, when
I drop the OTV WAN/Overlay interface on the active CSR R1, the remote mac
appears in the R2 bridge-domain (as it should) but the 'customer' layer 2
switch mac address table still shows the mac address as facing the R1 LAN.
After 5 minutes the mac table times out and traffic is then restored over
the R2 path.
Is there any way R2 can update the customer L2 switch when the remote mac
moves over to it to make the failover quicker?
I did read a Cisco article that said if spanning tree is enabled on the OTV
router, it will send out a TCN which will update the L2.  I have spanning
tree enabled on the OTV routers but when I drop the OTV WAN/Overlay
interface, it does not send out a TCN; I had Wireshark running.

Thanks
Rick




Re: [c-nsp] NTP DDoS

2014-02-13 Thread Richard Clayton
Nobody is safe now Jared :-)


On 13 February 2014 13:59, Jared Mauch ja...@puck.nether.net wrote:

 Yeah, but I didn't mean for you to make that public :(

 - jared

 On Feb 13, 2014, at 5:10 AM, Nick Ryce n...@fluency.net.uk wrote:

  You can check for open ntp servers within your AS with the following:-
 
  http://openntpproject.org/searchby-asn.cgi?search_asn=56595
 
  Swap 56595 for your ASN  :)
 
  Nick
  On 13 Feb 2014, at 02:12, SilverTip257 silvertip...@gmail.com wrote:
 
  On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk
 wrote:
 
  Something I can point customers to for testing their own set ups. ;)
 
 
  What I was trying to say is that openntp project URL is something I can
  point customers at and they should understand.  Some of my customers are
  dense.
 
  Sadly, a few of them try to tell me that information I give them doesn't
  work.  But when they say hey, here's my credentials, why don't you fix
 it
  for me? ... I come to find (yes, I'm a nice guy) that everything I sent
  them was spot on (as I expected).
 
  Copy+paste is over-rated.  o_O
 
 
 
  On a Linux or mac
 
  ntpdc -c monlist xxx.xxx.xxx.xxx
 
 
  Yep.  And loopinfo and iostats commands.
 
  nmap has a ntp-monlist script that is helpful (combined with the
 grep-able
  output option).
 
  I'm about due for running another ntp-monlist scan ... [when DNS
  amplification attacks were real bad a few months ago, we told a
 customer to
  disable DNS recursion ... he instead shut off bind/named for that day
 and
  turned it back on some time later].
 
 
 
  If you get a reply (which will consist of a list of IP addresses that
 have
  sync'd with the daemon) then the server has a non optimal config. ...
 and
  if it's already been found by others they will all be listed. .. You
 might
  even see openntp project and team cymru servers listed ;)
 
  Alan
 
 
 
 
  --
  ---~~.~~---
  Mike
  //  SilverTip257  //
 
  --
  Nick Ryce
 
  Fluency Communications Ltd.
  e. n...@fluency.net.uk
  w. http://fluency.net.uk/
  t. 0845 874 7000
 
 
 
 
 


Re: [c-nsp] NTP DDoS

2014-02-12 Thread Richard Clayton
The details of the attack I was involved with were

- upstream bandwidth spike from customer to Internet (only flatlined due to
CPE buffer).
- downstream bandwidth towards customer didn't really show any significant
change but did hurt our edge buffers.
- 1000s of inbound NTP connections from random sources on the Internet to
a single device on customer network (with open NTP config).
- I didn't check outbound connections from the customer to the Internet.

Questions
What is this type of DDoS called?  I've heard a few different types
mentioned, amplification, reflection etc.
Is the customer being individually targeted or just the exploitable NTP
server?
Are these caused by bots or manually by individuals?

I've included a snapshot of the downstream connections


[c-nsp] NTP DDoS

2014-02-11 Thread Richard Clayton
Seems to be doing the rounds. Had a fault open for a couple of days with a
100Mb Ethernet customer; reported fault was packet loss. Cacti showed an
upstream flatline of 30Mb and an increase in downstream. As the circuit
traffic had recently increased, 1st line support presumed that the BT
Wholesale circuit had an Etherflow bandwidth restriction, so raised the
fault, which ping-ponged back and forth until BT washed their hands of it
(rightly so on this occasion). When it was escalated to me I noticed 'no
buffer' and 'pause input' packet counters were going nuts on the LAN
interface; the packet counters were 10k packets/sec. I enabled 'ip
route-cache flow' on the WAN interface and there it was, 1000's of NTP
connections.

In summary the Cisco 1921 gave up at 30Mb/s with no buffer left, usually
runs fine at 100Mb/s with no NAT config, customer had public IP on LAN
switch for management and open NTP, LOL.

Sledge
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
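What the flow table and the saturated upstream in this thread describe is the customer's open NTP server being used as a reflector: many Internet sources (the addresses the attacker spoofs) send small udp/123 requests to it, and the much larger replies leave on the customer's upstream, which is the direction that flatlined. Below is an added example, not part of the thread, that parses `show ip cache flow` output in the layout shown above and reports hosts receiving udp/123 from many distinct sources, together with the udp/123 traffic leaving those hosts. The flow lines are constructed; 192.0.2.10 stands in for "Customer-IP" and 203.0.113.9 for a spoofed target; the interface roles Gi0/0 (WAN) and Gi0/1 (LAN) are taken from the post.

```python
"""Spot NTP reflection abuse in IOS `show ip cache flow` output.

Added example, not from the original thread. Assumes the standard flow-cache
layout (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts) with the
protocol and ports printed in hex: 11 = UDP, 007B = 123/ntp.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
PROTO_UDP = 17

# Constructed sample in the layout of the post. 192.0.2.10 stands in for the
# customer's open NTP server ("Customer-IP" in the post); 203.0.113.9 is a
# made-up spoofed victim receiving the amplified replies.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         166.137.244.122 Gi0/1         192.0.2.10      11 007B 007B     2
Gi0/0         207.235.188.201 Gi0/1         192.0.2.10      11 007B 007B    38
Gi0/0         80.98.107.69    Gi0/1         192.0.2.10      11 007B 007B   123
Gi0/0         195.84.151.29   Gi0/1         192.0.2.10      11 007B 007B   100
Gi0/0         85.255.192.38   Gi0/1         192.0.2.10      11 007B 007B    96
Gi0/0         198.51.100.7    Gi0/1         192.0.2.20      06 C0A3 0050    12
Gi0/1         192.0.2.10      Gi0/0         203.0.113.9     11 007B 007B   900
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\S+)\s+(?P<dst_if>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int


def parse_flow_cache(text):
    """Parse flow-cache text; the header and truncated lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append(Flow(m["src_if"], m["src"], m["dst_if"], m["dst"],
                          int(m["proto"], 16), int(m["sport"], 16),
                          int(m["dport"], 16), int(m["pkts"])))
    return flows


def ntp_reflection_report(flows, wan_if="Gi0/0", min_sources=3):
    """Hosts receiving udp/123 from many Internet sources are being used as
    reflectors; udp/123 flows *from* such a host out of the WAN interface are
    the amplified replies landing on whoever the attacker spoofed."""
    requests = defaultdict(lambda: {"sources": set(), "pkts": 0})
    replies = defaultdict(lambda: {"targets": set(), "pkts": 0})
    for f in flows:
        if f.proto != PROTO_UDP:
            continue
        if f.src_if == wan_if and f.dport == NTP_PORT:
            requests[f.dst]["sources"].add(f.src)
            requests[f.dst]["pkts"] += f.pkts
        elif f.dst_if == wan_if and f.sport == NTP_PORT:
            replies[f.src]["targets"].add(f.dst)
            replies[f.src]["pkts"] += f.pkts
    report = {}
    for host, req in requests.items():
        if len(req["sources"]) < min_sources:
            continue
        rep = replies.get(host, {"targets": set(), "pkts": 0})
        report[host] = {
            "distinct_sources": len(req["sources"]),
            "request_pkts": req["pkts"],
            "reply_pkts": rep["pkts"],
            "reply_targets": sorted(rep["targets"]),
        }
    return report


if __name__ == "__main__":
    for host, info in ntp_reflection_report(parse_flow_cache(SAMPLE_FLOWS)).items():
        print(f"{host}: {info}")
```

Raising `min_sources` keeps the legitimate clients of a busy NTP server out of the report. The outbound side is the one the poster did not check, and it is where the amplification shows: reply packet counts that dwarf the request counts, towards addresses that never asked. Once the reflector is identified, the durable fix is on the server (stop answering queries from arbitrary Internet hosts), not a rate limit on the CE.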


[c-nsp] Route Target Export Propagation Time

2014-01-10 Thread Richard Clayton
scenario

On a single PE with two VRF's, I create a RT export on VRF A and a RT
import on VRF B. VRF A has some prefixes to export which appear in VRF B
after approx 20 seconds; what process dictates the 20 seconds and is it
configurable?

Thanks
Sledge
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Route Target Export Propagation Time

2014-01-10 Thread Richard Clayton
awesome, thanks for the info.


On 10 January 2014 11:34, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote:

 Richard,

 
 On a single PE with two VRF's, I create a RT export on VRF A and a RT
 import on VRF B, VRF A has some prefixes to export which appear in VRF B
 after approx 20 seconds, what process dictates the 20 seconds and is it
 configurable.

 Until recently, importing prefixes into VRFs was done in a periodic
 fashion (every 15 secs), you can (and should) tune it down to 5 seconds
 via bgp scan-time import 5 in the vpnv4 AF.
 Newer releases (as well as XR and NX-OS) do this event-driven, so newer
 releases don't need this.. Feature you want to look for is BGP
 Event-Based VPN Import

 oli


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Weird problem with 2960S and desktop switch

2014-01-10 Thread Richard Clayton
By higher priority did you mean lower bridge priority or higher bridge
priority?


On 10 January 2014 14:14, Garry g...@gmx.de wrote:

 Just a followup on this problem ... I was on site, and it turns out the
 desktop switch indeed tried to take over as root bridge of the STP.
 Anyway, even when filtering the BPDUs on the incoming port, the main
 switch still ceased doing any network forwarding, not sure what was
 going on exactly. Anyway, replacing the switch with an identical one
 (apart from not knowing what's configured on it) fixed the problem for
 whatever reason. Weird thing about the root bridge is, the existing main
 switch already used the higher priority, so even considering lower MAC
 address, the main switch should have remained being the root bridge, as
 the desktop switch was elected with default priority ...
 We will look into the config of the desktop switch in our lab, possibly
 finding out what is wrong here ... for now the customer site is at least
 working as intended ...

 Tnx to all who replied with their thoughts and ideas ...

 -garry
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Weird problem with 2960S and desktop switch

2014-01-10 Thread Richard Clayton
or the new switch has a lower bridge priority.


On 10 January 2014 15:03, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 if the burnt in MAC address is lower then it will take over, so i guess the
 new switch has a higher mac address than your switch.

 alan
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
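Root election arithmetic behind the two replies above, as an added example that is not part of the thread: the bridge with the numerically lowest bridge ID wins, where the ID is the configured priority plus the VLAN number (the extended system ID) followed by the burned-in MAC, so a desktop switch left at the default 32768 beats a core switch also at 32768 whenever its MAC happens to be lower. The switch names and MAC addresses are made up; `root_guard_blocks` models what IOS `spanning-tree guard root` does on the port facing such a switch.

```python
"""Root-bridge election arithmetic for the 2960S vs desktop-switch thread.

Added example, not from the original thread. Models 802.1D/802.1w bridge IDs
with the extended system ID (configured priority, a multiple of 4096, plus the
VLAN number) and a burned-in MAC. Switch names and MACs are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0..61440 in steps of 4096; IOS default is 32768
    mac: str        # burned-in address, e.g. "00:1a:2b:3c:4d:5e"

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096")

    def bridge_id(self, vlan=1):
        """Comparable bridge ID: (priority + VLAN, MAC as an integer).
        Lower wins; the MAC only matters when the priority field ties."""
        return (self.priority + vlan, int(self.mac.replace(":", ""), 16))


def elect_root(bridges, vlan=1):
    """The bridge with the lowest bridge ID becomes root for the VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def root_guard_blocks(current_root, advertised, vlan=1):
    """What `spanning-tree guard root` does on a port: a BPDU advertising a
    better bridge ID than the current root puts the port into
    root-inconsistent (blocking) instead of re-electing the root."""
    return advertised.bridge_id(vlan) < current_root.bridge_id(vlan)


MAIN = Bridge("2960S-main", 32768, "00:1a:2b:ff:ff:ff")
# after 'spanning-tree vlan 1 priority 4096' on the main switch
MAIN_FIXED = Bridge("2960S-main", 4096, MAIN.mac)
# default priority, but a lower burned-in MAC than the main switch
DESKTOP = Bridge("desktop-switch", 32768, "00:00:0c:11:22:33")


if __name__ == "__main__":
    print("both at default priority, root is:", elect_root([MAIN, DESKTOP]).name)
    print("with main at 4096, root is:", elect_root([MAIN_FIXED, DESKTOP]).name)
    print("root guard on the edge port would block the desktop BPDU:",
          root_guard_blocks(MAIN, DESKTOP))
```

BPDU filtering, which the thread tried, stops the port from sending or processing BPDUs altogether; root guard keeps STP running on the port but refuses a superior root, so a rogue switch is parked in root-inconsistent state instead of taking the root role.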


Re: [c-nsp] 3rd party alternative to MEMUSB-1024FT for ISR G2

2014-01-07 Thread Richard Clayton
After spending a small fortune on sticks I found one that works from rommon
and IOS for the whole ISR G2 range

Corsair Flash Survivor Stealth - USB flash drive - 16 GB - USB 3.0

Its also waterproof, sturdy and comes in matt gangsta black.


On 2 December 2013 22:42, Richard Clayton sledge...@gmail.com wrote:

 Thought I would ask you guys as I'm on the 3rd stick that doesn't work,
 the only one that 100% works is my Corsair survivor 32GB but I am looking
 for other alternatives for this platform.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Maximum Throughtput Cisco Router

2013-12-27 Thread Richard Clayton
with NAT and packet marking I get 260Mb/s synchronous with G711 size frames
(75% CPU)
with NAT, packet marking and ZBF I also get 260Mb/s synchronous with
512byte frames (75% CPU)


On 26 December 2013 14:48, Darwin Santana d...@casainteligente.com.do wrote:

 Hi All,

 Can I handle a 400 Mbps or up the bandwidth on the Router 3925E?

 Best Regards,

 Darwin
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] MPLS/VPN Loadbalancing with 2 CPE routers

2013-12-22 Thread Richard Clayton
Nicolas

Can I please ask what benefits you want to achieve by load balancing the
two WAN circuits and also using IBGP between the two CPE?

Thanks
Rick


On 21 December 2013 12:10, Chris Stand cstand...@gmail.com wrote:

 Bonjour,

I do not know your exact topology well enough, but could you run GLBP on
 a vlan that goes through the L3 switch ( I am not aware of a switch that
 ONLY does L3 and does not allow you to pass L2 through at the same time.  I
 do GLBP on 7K  VSS links that run through other 6500s.

 Or, again not being fully knowledgeable on your network , could you do 2
 HSRP groups on the LAN and use both default gateways at the same time on
 devices that point to the existing HSRP .1

 If you have not done this before you make routerA active in group1, standby
 in group2; routerB standby in group1, active in group2.



 Message: 10
  Date: Fri, 20 Dec 2013 16:35:43 +0100
  From: Nicolas KARP li...@karp.fr
  To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
  Subject: [c-nsp] MPLS/VPN Loadbalancing with 2 CPE routers
  Message-ID:
  
  caelgaxcjq1eenleczausy-ewdsmfzrt+00kknpu2jete+4o...@mail.gmail.com
  Content-Type: text/plain; charset=ISO-8859-1
 
  Hi Guys,
 
  We have a customer who has 2 CPE routers. We have 2 uplinks, the first
 one
  attached to the first router CPE1, the second one attached to the second
  router CPE2.
 
  We have ebgp configured with 2 different PE's and IBGP between the CPE's.
  HSRP is configured on the LAN. Unfortunately, we can't use GLBP because
  there is a L3 switch behind the CPE's.
 
  How can we achieve the loadbalancing between the 2 links ?
 
     PE1              PE2
      |                |
      |                |
     ebgp             ebgp
      |                |
      |                |
     CE1 ---Ibgp--- CE2
 
 
  Thanks and Best Regards,
 
  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 - -
  - - - - - - - - - - - - - - - - - - -
  # - -   Nicolas KARP
  # - -   Network and Security Engineer
  # - -Email : li...@karp.fr nico...@karp.fr
  # - -Linkedin :  http://www.linkedin.com/in/nicolaskarp
  # - -Viadeo : http://www.viadeo.com/fr/profile/nicolas.karp
  http://www.viadeo.com/fr/profile/nicolas.karp%20
  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 - -
  - - - - - - - - - - - - - - - - - - -
 
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] 3rd party alternative to MEMUSB-1024FT for ISR G2

2013-12-02 Thread Richard Clayton
Thought I would ask you guys as I'm on the 3rd stick that doesn't work, the
only one that 100% works is my Corsair survivor 32GB but I am looking for
other alternatives for this platform.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Effect of simultaneous TCP sessions on bandwidth

2013-11-10 Thread Richard Clayton
What's the cpe cpu running at with both streams, have you tried adjusting
the window sizes on the servers, could help with bandwidth delay product.

On Sunday, 10 November 2013, Youssef Bengelloun-Zahr wrote:

 2013/11/10 Phil Mayers p.may...@imperial.ac.uk

  On 11/10/2013 05:42 AM, Youssef Bengelloun-Zahr wrote:
 
   - UDP traffic reaches up to 95 Mbits/s for one way streams (both
 ways)
  and simaltaneous bi-directionnal streams,
 
 
  If there's no (significant) loss or reordering on a simultanous bi-dir
 UDP
  stream at 95Mbit/sec, that suggests the pipe is absolutely fine.
 
  Did you measure loss/jitter/reodering in this case? At frequent
 (1-second)
  intervals?


 Yes, we internally use a tool called IXChariot which provides us
 loss/jitter, etc. Everything is fine.


 
 
 
  - TCP traffic reaches up to 90 Mbits/s for one way streams (both
  ways),
 
  - TCP traffic hits some kind of limit and isn't able to achieve more
  than 40-60 Mbits/s in average  === That's the problem we are facing
 
 
  I'm not really sure I understand this - those two statements sound
  contradictory.
 

 To be more clear :

 - When we initiate TCP streams only one way (FRA -> HAM or HAM -> FRA), we
 are able to reach up to 90 Mbits/s,

 - When we initiate TCP streams both ways simultaneously (FRA -> HAM and
 HAM -> FRA), BP drops between 40 to 60 Mbits/s,


 
  How are you doing your testing? With what tool, and from what
  endpoints/OSes? In particular, we've seen some inconsistencies from iperf
  on windows; my tool of choice these days is netperf on a recent Linux
  kernel/distro.
 

 We generally use IXChariot on windows :

 http://www.ixiacom.com/products/ixchariot/

 At the request of our provider, we also used iperf. We are a Windows home,
 nothing I can do about that ;-)


 
  Anyway, I would arrange to take a packet capture of a non-performing TCP
  stream at both ends, then use an analysis tool to identify the cause, and
  manual inspection to see if packets are being dropped and/or re-ordered
 or
  unduly delayed (hence taking the capture at both ends).


  Wireshark has some reasonable TCP analysis tools built into recent
  versions, but my favourite for hardcore TCP debugging is still tcptrace
 and
  xplot; they're a pig to drive, but give you a much better detailed view
 of
  the TCP connection evolving.


 One of my colleagues who has access to the boxes have been able to do just
 that using Wireshark, he noticed a few percentage of TCP re-transmits (2%)
 when we initiate TCP streams for HAM to FRA but that was at the beginning.
 I don't think this is the case anymore.


 
 
   One bit of information I think is relevant :
 
 
  It's worth mentioning that the specific type of equipment might be a
  factor, in particular if the handoff is on equipment with small buffers,
  microbursts might be eating into TCPs ability to drive the link. That
 would
  be quite odd on a system with modern congestion control algorithms and
 such
  a low bandwidth*delay, but you didn't say what you were using to test...
 
  Check the handoff isn't on Cat3xxx gear or similar. But primarily,
  re-check the UDP test looking for loss/jitter/reordering, and look at a
  pcap of the bad TCP case.


 I thought about it two and I asked.

 I know our provider isn't using that kind of equipment at the handoff
 points in FRA and HAM, they mostly use Cat45xx and some Juniper gear.

 Impossible to get the information from the LL provider as we don't have a
 direct contractual link.


 
  ___
  cisco-nsp mailing list  cisco-nsp@puck.nether.net
  https://puck.nether.net/mailman/listinfo/cisco-nsp
  archive at http://puck.nether.net/pipermail/cisco-nsp/
 



 --
 Youssef BENGELLOUN-ZAHR
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
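A worked example, added here and not part of the thread, of the two ceilings the replies above point at: the receive window (Richard's bandwidth-delay-product remark) and the loss rate (the 2% retransmits seen in Wireshark). The 10 ms FRA-HAM round-trip time, the 64 KiB unscaled window and the 1460-byte MSS are assumptions for illustration; the thread only gives the 100 Mbit/s link, the 2% figure and the observed 40-60 Mbit/s.

```python
"""TCP throughput ceilings: window (bandwidth-delay product) and loss.

Added example, not from the original thread. Link speed, RTT, window, MSS and
loss rate are all inputs; the figures used in __main__ are assumptions.
"""
import math


def bdp_bytes(bandwidth_bps, rtt_s):
    """Bandwidth-delay product: bytes in flight needed to fill the link."""
    return bandwidth_bps * rtt_s / 8


def window_limited_bps(window_bytes, rtt_s):
    """A sender can push at most one receive window per round trip."""
    return window_bytes * 8 / rtt_s


def mathis_bps(mss_bytes, rtt_s, loss_rate, c=1.22):
    """Mathis et al. (1997) bound for loss-limited Reno-style TCP:
    throughput <= (MSS / RTT) * C / sqrt(p)."""
    if loss_rate <= 0:
        raise ValueError("loss_rate must be positive; diagnose() handles zero loss")
    return mss_bytes * 8 / rtt_s * c / math.sqrt(loss_rate)


def diagnose(link_bps, rtt_s, window_bytes, mss_bytes=1460, loss_rate=0.0):
    """Return (what binds first, ceiling in bit/s) for one TCP stream."""
    ceilings = {
        "link": float(link_bps),
        "window": window_limited_bps(window_bytes, rtt_s),
        "loss": mathis_bps(mss_bytes, rtt_s, loss_rate) if loss_rate > 0 else math.inf,
    }
    limiter = min(ceilings, key=ceilings.get)
    return limiter, ceilings[limiter]


if __name__ == "__main__":
    # Assumed figures: 100 Mbit/s link, 10 ms RTT, 64 KiB window without scaling.
    link, rtt, win = 100e6, 0.010, 65535
    print(f"window needed to fill the link: {bdp_bytes(link, rtt):.0f} bytes")
    for loss in (0.0, 0.02):
        what, bps = diagnose(link, rtt, win, loss_rate=loss)
        print(f"loss {loss:.0%}: limited by {what} at {bps / 1e6:.1f} Mbit/s")
    what, bps = diagnose(link, rtt, win * 128)  # window scale factor 7
    print(f"scaled window: limited by {what} at {bps / 1e6:.1f} Mbit/s")
```

With those assumptions a 64 KiB window caps a single stream at about 52 Mbit/s, inside the observed range, while 2% sustained loss would bound it near 10 Mbit/s, too low to match what was measured, which fits the poster's later remark that the retransmits had stopped. Measure the real RTT and confirm window scaling is on (`netsh interface tcp show global` on Windows, `sysctl net.ipv4.tcp_window_scaling` on Linux) before trusting the numbers.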


Re: [c-nsp] Configuring Multiple Cisco Devices

2013-11-03 Thread Richard Clayton
I use Solarwinds NCM


On 31 October 2013 12:02, Ahmet Uncu uncuah...@gmail.com wrote:

 Hello all,
 I need to configure about 300 cisco routers/switches same time. Could
 you offer me a free software that can do this?IT looks like ciscocmd
 can do this, but it has lack of documentation since I am not familiar
 with linux, I wasnt able to run this tool.
 Thanks
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Configuring Multiple Cisco Devices

2013-11-03 Thread Richard Clayton
Since I didn't read the email properly, it's very good though.


On 3 November 2013 11:09, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Since when was that free?


 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Customer access to PE

2013-09-17 Thread Richard Clayton
I've worked in a couple of ISP's and MPLS VPN environments and have friends
that currently work in other providers; we've never had experience of
customers having configuration CLI access to what I presume is a PE with
multiple customers' configurations on. I believe Provider Edge should be
just for the provider.


On 17 September 2013 13:12, Trey Howland trey.howl...@gmail.com wrote:

 I have a scenario where a customer wants CLI access to the PE in the
 provider's network.  This access would allow the customer to create/delete
 VRFs, configure interfaces/sub-interfaces, configure VRRP, etc.  All CLI
 access would be controlled by TACACS to limit the customer to specific
 commands.

 So my question is:  does anyone have examples where this is done today?
  In a corporate environment between business units?  Looking for examples
 where this has been successful or unsuccessful.

 v/r,
 Trey
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] qos plan - advice please

2013-08-18 Thread Richard Clayton
Identify the QoS capabilities of all the kit in the hops, identify any
pinch points, identify the traffic you would like to prioritise, by how
much and in which direction, and identify which points will be using L2, L3
and mpls exp as the classification; if you get it all on paper it might
start making more sense.  Also I believe mpls has different QoS operating
modes.

Rick



On Friday, 16 August 2013, Aaron wrote:

 I work for an ISP/Telco/CATV company.  We recently (within the last year or
 more) rolled out an MPLS network.  The mpls network is comprised of
 asr9k's,
 asr901's, me3600's and uBR7246vxr's all those run in an ospf area in
 the
 core igp.  ...then I add on top of all that , all the nice MPLS vpn's
 (l2vpn's, l3vpn's).



 How would you go about setting priority treatment to say for instance, all
 of your cell backhaul traffic and also all of your telco voice traffic?
 (the difference in the two is that cell backhaul is simply transported via
 mpls from my perspective... BUT the internal telco voice traffic is what we
 as a telephone company handle all the sip/mgcp signaling end to end, then
 all the traditional backend voice call routing , etc ,etc (I'm not the
 phone
 guy, but anyway))



 1 - cell backhaul - my cell backhaul traffic is all edged-in on asr901's..
 and edge'd out on asr9k's at the MTSO/MSC hand-off locations.. It's mpls
 l2vpn vpws port-based is how I do it.. X2 .I other words, dual pw's per
 cell
 tower site.  Two end to end xconnect's

 2 - internal voip - my voice traffic is contained within a separate vrf
 (mpls l3vpn).edge'd into the network on me3600's and core is 9k's.



 Where would you start with an objective like that ?  getting priority
 treatment to cell backhaul traffic and also internal voip ?



 From a big picture, nework-wide qos deployment strategy, where would you
 start?



 Aaron





 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] MPLS down to the CPE

2013-07-26 Thread Richard Clayton
They will always have a job for you there with that design.


On 25 July 2013 13:04, Adam Vitkovsky adam.vitkov...@swan.sk wrote:

 I see so the islands are stitched together over the CsC L3VPN, since all
 islands have the same AS together they act like a common AS.
 And the CsC L3VPN is provided by the underlying common backbone
 Inter-AS-MPLS optC style.
 Right?

 So all access nodes within a particular island have RSVP-TE tunnels to
 ABRs/ASBRs within the island (ASBRs than provide connectivity to other
 islands).
 And there's a full mesh of tunnels between all ASBRs.
 Right?

 I'd like to ask is there a full mesh of iBGP sessions between the ASBRs or
 some of the ASBRs have a role of RRs please?

 So you have decided to create this sort of overlay AS dedicated for L2
 services.
 I think I understand your reasoning behind the setup and must say it's very
 bold and creative.

 See this is what I was talking about before, back in the old days engineers
 would have to get very creative and bold to create something extraordinary
 with such a limited set of features. With today's boxes you could all stack
 it up into a single AS not ever worrying about scalability or convergence
 times.

 Thank you very much for sharing the design with us

 adam
 -Original Message-
 From: Phil Bedard [mailto:phil...@gmail.com]
 Sent: Thursday, July 11, 2013 3:48 AM
 To: Adam Vitkovsky; mark.ti...@seacom.mu
 Cc: 'Andrew Miehs'; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] MPLS down to the CPE



 On 7/10/13 4:16 AM, Adam Vitkovsky adam.vitkov...@swan.sk wrote:

  the different network islands are tied together using CsC over a
  common MPLS core.
 You got me scared for a moment CsC would mean to run a separate
 OSPF/LDP/BGP-ASN for each area and doing MP-eBGP between ASBRs within
 each
 area(OptB) or between RRs in each area(optC) with core area/AS acting
 as a labeled relay for ASBRs loopback addresses, though I believe by
 common MPLS core you mean a single AS right please?

 The islands are actually all in the same ASN, the common core is not the
 same ASN.  Could have been the same ASN, more political reasons for it not
 being the same than technical.  In the end it looks like Option C, the CsC
 L3VPN only carries loopbacks and aggregate IP prefixes.   The common core
 is RSVP-TE based, if I had my preference today I would build TE tunnels
 across it between the islands and then use RFC3107 as a way to tie it all
 together end to end.  Years ago when we first built it some of the feature
 support wasn't there to do that.

 
  At the ABR all of the L2VPN services are stitched since you are
  entering a different RSVP-TE/MPLS domain, the L3VPN configuration
  exists on these nodes with the access nodes using
  L2 pseudowires into virtual L3 interfaces.
 I see, right that's a clever way to save some money by pushing the
 L3VPN stuff to only a few powerful boxes with high-queue line cards and
 L3VPN licenses. Though the PWHE -a setup where you can actually
 terminate the PW into L3 interface on the same box was introduced to
 Cisco boxes only recently so prior to that you'd have to have a
 separate box bridging the PW to sub-int/serv-inst on a QinQ trunk where
 the L3VPN box would be connected to.
 
 I'm still confused about the TE part.
 So I believe you are pushing PW directly into TE tunnels what gives you
 the ability to balance the PWs around the ring as well as to use a
 backup tunnel via the opposite leg of the circuit. So the TE tunnels
 are actually terminated on the PWHE nodes right? Or do they actually
 continue into the backbone area please?

 The tunnels from the access boxes terminate on the PWHE nodes, they do not
 extend beyond that boundary.  There is another set of tunnels which connect
 the PWHE nodes together.  This isn't a one-off deployment or anything,
 there
 are other folks out there with basically the same type of deployment.

 Phil
 






 
 adam
 



 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] router selection......

2013-05-28 Thread Richard Clayton
I got

300Mb synchronous throughput on the 2951 @ 512byte frames with packet
marking enabled (50% CPU)
140Mb synchronous @ 214byte frames with packet marking enabled (50% CPU)
45Mb synchronous @ 214byte frames with packet marking and NAT enabled (50%
CPU)
20Mb synchronous @ 214byte frames with packet marking, NAT and ZBF enabled
(50% CPU)

Thanks
Sledge


On 28 May 2013 08:10, Calin C. calin.chior...@secdisk.net wrote:

 Hello Scott,

 Where did you find that 2951 can do up to 300Mbps?

 Per this document:

 http://www.cisco.com/en/US/prod/collateral/routers/ps10538/aag_c45_556315.pdf

 The upper router of ISR2 line can do up to 350Mbps, and that's a 3945E.

 I did attached a document, with specs for different lines ISR2 and ASR,
 maybe you can find it useful.
 I take into consideration especially the Recommend WAN Access Speed
 field from the attached document.

 HTH,
 Calin


  On Fri, 24 May 2013 16:53:25 +0200 Scott Voll  wrote 

 Sorry for the cross post. But I wasn't sure which was the better forum to
 post in.
 
 I currently have a 2951 running voice, Security, VPN, and Data. it works
 really great for our current needs. BUT we are going to start pushing more
 that 300mbps and this router is only rated for 296mbps per the spec sheet.
 
 What is the next move up to support up to gig throughput and still support
 ZBFW, GRE, IPSEC, PRI's for Voice, and QoS at Gig speeds?
 
 Do I have to separate out my WAN (use an ASR) and then continue with the
 2951 for my security / voice?
 
 What are my options?
 
 Thanks
 
 Scott
 ___
 cisco-nsp mailing list cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
 
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] router selection......

2013-05-24 Thread Richard Clayton
it depends on your traffic profile, how much is voice and how much is data,
packet sizes and how much of the traffic will traverse the ZBFW


On 24 May 2013 15:53, Scott Voll svoll.v...@gmail.com wrote:

 Sorry for the cross post.  But I wasn't sure which was the better forum to
 post in.

 I currently have a 2951 running voice, Security, VPN, and Data.  it works
 really great for our current needs.  BUT we are going to start pushing more
 that 300mbps and this router is only rated for 296mbps per the spec sheet.

 What is the next move up to support up to gig throughput and still support
 ZBFW, GRE, IPSEC, PRI's for Voice, and QoS at Gig speeds?

 Do I have to separate out my WAN (use an ASR) and then continue with the
 2951 for my security / voice?

 What are my options?

 Thanks

 Scott
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ipsla - latency - related to cellular backhaul

2013-04-26 Thread Richard Clayton
I would use udp-jitter, like this

ip sla 1
 udp-jitter 1.1.1.1 16384 codec g711alaw codec-numpackets 600 codec-interval 100
 ! tos 184 = DSCP EF (46), so the probes ride in the voice class
 tos 184
 tag probe my remote site
ip sla schedule 1 life forever start-time now
! the target (1.1.1.1 here) must have 'ip sla responder' configured,
! otherwise the udp-jitter probe only reports timeouts

The tos is optional, we use it to test for voice media quality, udp
traffic should not suffer the same as icmp


On 26 April 2013 00:35, Tony td_mi...@yahoo.com wrote:

 Hi,




 
  From: Aaron aar...@gvtc.com
 
 Tac says that this drop and the latency seen using various ipsla pings is
 expected since all pings are treated less than everything else and could
 be
 getting policed by LPTS (I don't know what LPTS is)
 

 Google tells me that LPTS = Local Packet Transport Services. TAC are
 meaning packets that are destined for the router control plane, not the
 forwarding plane (ie. packets TO the router, not THROUGH the router).
 Response to these packets can depend on how busy the router is and also any
 CoPP that might be implemented. Has potentially to be true. If you have no
 CoPP on the devices and they are under minimal load (CPU wise) then this
 probably shouldn't be a factor.

 Are you losing any traffic that is going through the device (ie. from ping
 tests) ?


 regards,
 Tony.
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ipsla - latency - related to cellular backhaul

2013-04-26 Thread Richard Clayton
I didn't realise you were using XR, you should be able to finish the
operation off by selecting other options from the list.


On 26 April 2013 13:48, Aaron aar...@gvtc.com wrote:

 I don't see a codec option in ios xr 4.1.2

 RP/0/RSP0/CPU0:9k(config-ipsla-udp-jitter)#?
   clear        Clear the uncommitted configuration
   commit       Commit the configuration changes to running
   control      Control packets configuration
   datasize     Protocol data size in payload of probe packets
   describe     Describe a command without taking real actions
   destination  Address/port of the target device
   do           Run an exec command
   exit         Exit from this submode
   frequency    Frequency of the probing
   no           Negate a command or set its defaults
   packet       Probe packet configuration parameters
   pwd          Commands used to reach current submode
   root         Exit to the global configuration mode
   show         Show contents of configuration
   source       Address/port of the source device
   statistics   Statistics collection parameters for this operation
   tag          Add a tag for this operation
   timeout      Probe/Control timeout interval
   tos          Type of service setting in probe packet
   verify-data  Check each IPSLA response for corruption
   vrf          Configure IPSLA for a VPN Routing/Forwarding instance

 From: Richard Clayton [mailto:sledge...@gmail.com]
 Sent: Friday, April 26, 2013 6:27 AM
 To: Tony
 Cc: Aaron; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] ipsla - latency - related to cellular backhaul


 I would use udp-jitter, like this

 ip sla 1
  udp-jitter 1.1.1.1 16384 codec g711alaw codec-numpackets 600
 codec-interval 100
  tos 184
  tag probe my remote site
 ip sla schedule 1 life forever start-time now

 The tos is optional, we use it to test for voice media quaility, udp
 traffic should not suffer the same as icmp


 On 26 April 2013 00:35, Tony td_mi...@yahoo.com wrote:

 Hi,




 
  From: Aaron aar...@gvtc.com

 
 Tac says that this drop and the latency seen using various ipsla pings is
 expected since all pings are treated less than everything else and could
 be
 getting policed by LPTS (I don't know what LPTS is)
 

 Google tells me that LPTS = Local Packet Transport Services. TAC are
 meaning packets that are destined for the router control plane, not the
 forwarding plane (ie. packets TO the router, not THROUGH the router).
 Response to these packets can depend on how busy the router is and also any
 CoPP that might be implemented. Has potential to be true. If you have no
 CoPP on the devices and they are under minimal load (CPU wise) then this
 probably shouldn't be a factor.

 Are you losing any traffic that is going through the device (ie. from ping
 tests) ?


 regards,
 Tony.

 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/


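What the udp-jitter operation suggested above actually reports, worked through as an added Python example (not from the post, and no router is involved). The sender stamps each probe on transmit (T1) and on receipt of the reply (T4); the responder stamps receipt (T2) and reply transmit (T3). RTT is (T4 - T1) minus the responder's processing time (T3 - T2), and jitter is the change in one-way delay between packets with adjacent sequence numbers, split into positive and negative as `show ip sla statistics` does. Timestamps, sequence numbers and the two lost probes are constructed; `tos 184` in the config is DSCP 46 (EF). One-way delays need synchronised clocks on both ends, but jitter and RTT are differences, so a constant clock offset cancels out.

```python
"""IP SLA udp-jitter statistics over constructed probe timestamps (milliseconds).
Added example; not IOS code and not part of the mailing-list post."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    seq: int
    t1: int                 # sent by source
    t2: Optional[int]       # received by responder; None = lost source->destination
    t3: Optional[int]       # reply sent by responder
    t4: Optional[int]       # reply received by source; None = lost destination->source


def summarize(values):
    """count/min/avg/max of a sample list, or None when there are no samples."""
    if not values:
        return None
    return {"count": len(values), "min": min(values), "max": max(values),
            "avg": sum(values) / len(values)}


def split_jitter(delays):
    """delays: list of (seq, one-way delay). Jitter is the delay change between
    packets with consecutive sequence numbers; a lost packet breaks the chain.
    Positive and negative jitter are kept apart; zero change counts for neither."""
    positive, negative = [], []
    for (s_prev, d_prev), (s_cur, d_cur) in zip(delays, delays[1:]):
        if s_cur != s_prev + 1:
            continue
        diff = d_cur - d_prev
        if diff > 0:
            positive.append(diff)
        elif diff < 0:
            negative.append(-diff)
    return positive, negative


def udp_jitter_stats(probes):
    """Loss, RTT and per-direction jitter the way a udp-jitter operation reports them."""
    sd_delays = [(p.seq, p.t2 - p.t1) for p in probes if p.t2 is not None]
    ds_delays = [(p.seq, p.t4 - p.t3) for p in probes if p.t4 is not None]
    # RTT excludes the responder's own processing time (T3 - T2).
    rtts = [(p.t4 - p.t1) - (p.t3 - p.t2) for p in probes if p.t4 is not None]
    sd_pos, sd_neg = split_jitter(sd_delays)
    ds_pos, ds_neg = split_jitter(ds_delays)
    return {
        "sent": len(probes),
        "completed": len(rtts),
        "loss_sd": sum(1 for p in probes if p.t2 is None),
        "loss_ds": sum(1 for p in probes if p.t2 is not None and p.t4 is None),
        "rtt": summarize(rtts),
        "sd_jitter_positive": summarize(sd_pos),
        "sd_jitter_negative": summarize(sd_neg),
        "ds_jitter_positive": summarize(ds_pos),
        "ds_jitter_negative": summarize(ds_neg),
    }


# Constructed sample: six probes 20 ms apart, one lost each way.
SAMPLE = [
    Probe(1, 0, 30, 31, 61),        # SD delay 30, DS delay 30
    Probe(2, 20, 52, 53, 82),       # SD 32 (+2 jitter), DS 29 (-1 jitter)
    Probe(3, 40, None, None, None), # never reached the responder
    Probe(4, 60, 88, 89, 121),      # SD 28, DS 32
    Probe(5, 80, 107, 108, None),   # SD 27 (-1), reply lost on the way back
    Probe(6, 100, 133, 134, 162),   # SD 33 (+6), DS 28
]

if __name__ == "__main__":
    for key, value in udp_jitter_stats(SAMPLE).items():
        print(f"{key}: {value}")
```

A probe that is lost source-to-destination leaves a gap in the SD chain, so the pair on each side of it yields no jitter sample; that is why the sample above produces three SD samples from five received probes.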

Re: [c-nsp] NAt issue - two isp connections, need to nat 2nd isp for two dest addresses only

2013-04-19 Thread Richard Clayton
I had an ALG bug which I raised with TAC, took 8 months and 4 TAC Engineers
(I use the word Engineers loosely) but finally they released an IOS with a
specific fix, we got there in the end.



On 19 April 2013 09:57, Reuben Farrelly reuben-cisco-...@reub.net wrote:

 Yes it certainly should work, however I found that it doesn't always work
 properly, specifically for SIP traffic (TCP and UDP traffic worked fine).
  The SIP ALG is broken and you'll find traffic will exit one interface but
 the SIP ALG will sometimes rewrite the SIP header to have the other
 interfaces' outside IP.

 It looked like an elegant solution to a simple problem; the config I had
 was something like this:

 route-map internet-nat-access permit 10
  match interface FastEthernet0/1
 !
 route-map tunnel-nat-access permit 10
  match interface Tunnel0

 ip nat inside source route-map internet-nat-access interface FastEthernet0/1 overload
 ip nat inside source route-map tunnel-nat-access interface Tunnel0 overload

 I was controlling which interface the traffic went out with static routes.
  Disabling the SIP ALG didn't resolve the problem either.

 I had a TAC case open for over 15 months in which I had a 100%
 reproducible test case across multiple platforms and multiple versions of
 IOS, and eventually after much persistence and 3 or so TAC engineers
 later, TAC agreed that yes, it was indeed a bug.

 It was raised as CSCue13042 in January (SR 619832003).

 Unfortunately, and to my extreme frustration, it changed status without
 warning to Terminated (Unreproducible) just last week.

 So - YMMV.  The config suggested mostly works.  Which is more than I can
 say for TAC in this instance.

 Reuben



 On 19/04/2013 5:03 PM, CCIE Ninja wrote:

 I guess this would work, if you match on outgoing interface?

 route-map SP_A_NAT
  match interface $MY_OUTGOING_INTERFACE

 ip nat inside source static 155.1.5.5 155.1.13.7 route-map SP_A_NAT





Re: [c-nsp] ISRG2 'right to use' licensing

2013-02-22 Thread Richard Clayton
After 60 days does the router need a reload to change the 'Type' field from
Evaluation to Permanent or does it happen dynamically.

Thanks
Rick

On 21 February 2013 20:49, Lukasz Bromirski luk...@bromirski.net wrote:


 On Feb 19, 2013, at 11:51 AM, Richard Clayton sledge...@gmail.com wrote:

  Hi
 
  Does anybody know the exact process to activate 'right to use' licencing
 on
  the ISRG2 platform, we currently install permanent licensing and it's a
  long, drawn out, time consuming process.

 After your regular license runs out, the router will switch to the RTU license.

 --
 There's no sense in being precise when |   Łukasz Bromirski
  you don't know what you're talking |  jid:lbromir...@jabber.org
  about.   John von Neumann |http://lukasz.bromirski.net




[c-nsp] ISRG2 'right to use' licensing

2013-02-19 Thread Richard Clayton
Hi

Does anybody know the exact process to activate 'right to use' licencing on
the ISRG2 platform, we currently install permanent licensing and it's a
long, drawn out, time consuming process.

Thanks
Sledge


Re: [c-nsp] ISRG2 'right to use' licensing

2013-02-19 Thread Richard Clayton
Tim

Thanks for that, can the licenses be disabled at will or after this process
do they become permanent 'right to use'.



On 19 February 2013 11:00, Tim Franklin t...@pelican.org wrote:

  Does anybody know the exact process to activate 'right to use' licencing
 on
  the ISRG2 platform, we currently install permanent licensing and it's a
  long, drawn out, time consuming process.

 license accept end user agreement
 y
 no license boot module <ones you don't want>
 license boot module <whatever, per platform>


 Regards,
 Tim.



Re: [c-nsp] ip tcp adjust-mss

2013-02-13 Thread Richard Clayton
Eric

I needed to use this command the other day. I have an 887VA-M and the BT
FTTC product; I bypassed the BT modem and connected directly into the BT
wall socket with the 887VA-M as it has a VDSL interface (just a config
tweak).

The config I was using was PPPoE, which adds 8 bytes to the frame, so on my
dialer0 I set the MTU to 1492. Without the 'ip tcp adjust-mss 1452' I could
not open web pages or run speed tests, as my local hosts' MTU defaulted to
their local setting (1500) and the traffic was dropped.

After adding the command to the LAN interface the router intercepts the SYN
packet from the local host and changes the maximum segment size to the
value stated before passing it on to the remote host. The TCP 3-way handshake
is then completed with the two hosts agreeing on the lowest of their two
values. Obviously it doesn't help if you have large UDP packets, but there
shouldn't be too many of those around anyway.

Using this command reduces the MTU size for TCP traffic flowing through the
configured router, but in your case I would be more interested in why you
think you need it and where. Do you think you have MTU bottlenecks in your
network that are causing fragmentation, and if so can you just fix those
areas rather than adding this to lots of other routers?

Thanks
Sledge



On 11 February 2013 19:56, Eric A Louie elo...@yahoo.com wrote:

 I just put in this command on my upstream interfaces to help my mpls
 network
 pass traffic - that is, my effort to eliminate fragmentation in my
 backbone.

 Is anyone else using this method of mtu control?  I need some support -
 my CEO
 is asking why I have to do this, and who else does it, and is it a common
 practice, etc, so I'm looking for evidence, more than just The Cisco TAC
 told
 me to do it.

 thanks

  Much appreciated, Eric


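The SYN interception described in the post above, written out as an added Python example (not code from the post, and not how IOS implements it). It computes the MSS that fits a PPPoE link the way the 1452 figure was arrived at (1500 - 8 PPPoE/PPP - 20 IPv4 - 20 TCP), then walks the TCP option list of a SYN, lowers an MSS option that exceeds the clamp, and recomputes the TCP checksum over the IPv4 pseudo-header, which a router rewriting the option must also do. It goes slightly beyond the post in that it parses the other options in the SYN (NOP, SACK-permitted) rather than assuming MSS is the only one. Addresses, ports and packet bytes are constructed.

```python
"""MSS clamping as 'ip tcp adjust-mss' performs it: rewrite the MSS option of a
TCP SYN so the peer never sends a segment the PPPoE link cannot carry.
Added example; packet bytes, addresses and ports below are constructed."""
import socket
import struct

PPPOE_OVERHEAD = 8   # PPPoE header (6) + PPP protocol field (2)
IPV4_HEADER = 20
TCP_HEADER = 20


def mss_for_mtu(mtu, encap_overhead=0):
    """Largest MSS that fits a link: MTU minus encapsulation and minimal IP/TCP headers.
    mss_for_mtu(1500, PPPOE_OVERHEAD) is 1452, the value used on the 887VA."""
    return mtu - encap_overhead - IPV4_HEADER - TCP_HEADER


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when run over a segment whose checksum field is already correct."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed SYN carrying MSS, two NOPs and SACK-permitted (28-byte header)."""
    options = struct.pack("!BBH", 2, 4, mss) + bytes([1, 1, 4, 2])
    data_offset = (TCP_HEADER + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """Return (segment, original_mss). Non-SYN segments pass through untouched;
    a SYN whose MSS already fits is left at its advertised value."""
    if not segment[13] & 0x02:                # SYN flag clear: nothing to clamp
        return segment, None
    data_offset = (segment[12] >> 4) * 4
    options = bytearray(segment[TCP_HEADER:data_offset])
    original = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # End of option list
            break
        if kind == 1:                         # NOP: single byte, no length
            i += 1
            continue
        length = options[i + 1]
        if length < 2:                        # malformed option; stop rather than loop
            break
        if kind == 2 and length == 4:         # Maximum Segment Size
            original = struct.unpack_from("!H", options, i + 2)[0]
            if original > max_mss:
                struct.pack_into("!H", options, i + 2, max_mss)
        i += length
    new = bytearray(segment[:TCP_HEADER]) + options + bytearray(segment[data_offset:])
    new[16:18] = b"\x00\x00"                   # zero the checksum before recomputing
    struct.pack_into("!H", new, 16, tcp_checksum(src_ip, dst_ip, bytes(new)))
    return bytes(new), original


if __name__ == "__main__":
    src, dst = "10.0.0.2", "203.0.113.10"     # constructed LAN host and remote server
    syn = build_syn(src, dst, 40000, 80, 1460)
    clamped, before = clamp_mss(src, dst, syn, mss_for_mtu(1500, PPPOE_OVERHEAD))
    print(f"MSS {before} -> {int.from_bytes(clamped[22:24], 'big')}, "
          f"checksum ok: {tcp_checksum(src, dst, clamped) == 0}")
```

Only the SYN (and SYN/ACK in the other direction) carries the MSS option, which is why the clamp is transparent to the rest of the connection and why it does nothing for UDP.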

Re: [c-nsp] ISR G2 Interface RX Performance

2013-01-26 Thread Richard Clayton
On 25 January 2013 23:11, Nathanael Law nathanael@aimco.alberta.ca wrote:

 Hello all,

 We're having some issues with a 3925 and real-time UDP traffic bursts.
  The bursts
 are approximately 1500 packets long and are sent in 5.7 ms for an
 effective rate
 of ~250 kpps (~375 Mbps).  The steady state traffic on this connection is
  10kpps.

 Physical Topology
 =

 +--+  +--+
 |  |  |  |
 | 3750 | gi2/0/2 -- gi0/0 | 3925 |
 |  |  |  |
 +--+  +--+

 Packet captures have shown that the 3750 gi2/0/2 interface has no issues
 sending
 the entire burst; however, packet captures on both the receiving host and
 the
 3925 shows that only about 1/3rd of the packets show up on the gi0/0
 interface.
 The overrun counter increases slightly with each burst.

 3925#show interfaces gi0/0
 GigabitEthernet0/0 is up, line protocol is up
   Hardware is PQ3_TSEC, address is 70ca.9bb5.7a80 (bia 70ca.9bb5.7a80)
   Description: Uplink to core switch 2
   MTU 1500 bytes, BW 100 Kbit/sec, DLY 10 usec,
  reliability 255/255, txload 12/255, rxload 1/255
   Encapsulation 802.1Q Virtual LAN, Vlan ID  1., loopback not set
   Keepalive set (10 sec)
   Full Duplex, 1Gbps, media type is RJ45
   output flow-control is unsupported, input flow-control is unsupported
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:00, output 00:00:00, output hang never
   Last clearing of show interface counters never
   Input queue: 0/75/176/0 (size/max/drops/flushes); Total output drops: 0
   Queueing strategy: fifo
   Output queue: 0/40 (size/max)
   5 minute input rate 5331000 bits/sec, 2511 packets/sec
   5 minute output rate 48693000 bits/sec, 5037 packets/sec
  40386885831 packets input, 7413412230506 bytes, 0 no buffer
  Received 3800689 broadcasts (0 IP multicasts)
  0 runts, 0 giants, 111 throttles
  82202 input errors, 0 CRC, 0 frame, 82202 overrun, 0 ignored
  0 watchdog, 3800681 multicast, 0 pause input
  80802723127 packets output, 110122764930458 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
  0 unknown protocol drops
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 pause output
  0 output buffer failures, 0 output buffers swapped out

 The only other statistic of note seems to be the rx_overflow_err on the
 gi0/0
 interface:

 Internal Driver Information:
  throttled=111, enabled=111, disabled=0
  rx_coalesce_failed=0, rx_framing_err=0, rx_overflow_err=1726086,
 rx_buffer_err=65
  rx_no_enp=0, rx_discard=0
  tx_one_col_err=0, tx_more_col_err=0, tx_no_enp=0, tx_deferred_err=0
  tx_underrun_err=0, tx_late_collision_err=0, tx_loss_carrier_err=0
  tx_exc_collision_err=0, tx_buff_err=0, fatal_tx_err=0

 From this it seems that the actual gigabit physical interfaces on the 3925
 cannot
 handle even 11% of line rate (2 Mpps for a 1 Gbps connection @ 64 byte
 packets).
 I knew that the processor can't handle that, but I expected the interface
 itself
 to come at least a little closer given that CEF on the 3925 can supposedly
 handle
 833 kpps without any features turned on.

 Does my analysis seem accurate?  If not, any pointers in the right
 direction would
 be appreciated.  If so, what Cisco routing hardware would be minimally
 required to
 support line-rate 1 Gbps input (the 3925 is a WAN router that basically
 passes
 traffic off to one of our MPLS providers)?  Would the interfaces on an
 ASR1k (ESP5)
  do the job?

 We do have a TAC case open for this issue, but they have been unable to
 provide
 documentation on the limitations of the physical interface so far.

 Documents that seem related:
  - https://supportforums.cisco.com/docs/DOC-2613 (doesn't reference
 anything as new
as the ISR G2s, but I figured it may still apply)

 Thank you,

 Nathanael Law




Nathanael

I have some lab stress test results for the whole ISR G2 platform which I
can share with you if you like. A quick look at the 3925 with a traffic
profile of G711 and packet marking (you would probably have marking in a
voice environment with QoS applied) shows the CPU at 75% whilst it is
passing 280Mb. The bursts could be topping the CPU out, although my
realtime tests were with voice codecs and your realtime traffic is
1500 bytes, so the CPU should be at a lower rate for the same amount of
bandwidth. Graphing the CPU isn't going to help as it's such short bursts,
but the overruns are a real indicator that the CPU is stressed.
Shaping would normally be the answer to control bursty traffic, but shaping
realtime will cause issues with the stream. If you want to allow this
traffic then you need a CPE with a bit more grunt, the 3945 is 

Re: [c-nsp] VPN on 7200

2013-01-14 Thread Richard Clayton
You could forget supporting the VPN on the 7200 and run an openvpn
tunnel between a Linux host at the site and one where you are, a simple p2p
would work between the two servers (I use an inexpensive Linux plug server
as its only management traffic), it would be secure as far as the wan is
concerned but insecure from server to 7200 across the LAN.
If you wanted to go mobile with your laptop as the VPN client you could set
a Linux server local to the 7200 in p2p cert server mode and use an Openvpn
Windows client with generated certs.

Thanks
Sledge

On 14 January 2013 21:22, Markus H hauschild.mar...@gmail.com wrote:

 Sorry, it seems the title somehow got lost.

 On Mon, Jan 14, 2013 at 10:21 PM, Markus H hauschild.mar...@gmail.com
 wrote:
  Hi,
 
  I want to add VPN support to a cisco 7200 (w/ NPE300). Use case would
  be secure remote management (of the 7200 and other gear at the site)
  from a Linux-based computer.
 
  Pretty much my only requirement would be that the VPN is usable out of
  the box with standard Linux tools or the open-source vpnc client (the
  proprieatry cisco vpn client is a no-go, it has proven to be too
  unstable and broken for me). Encryption is a strong plus but I think I
  could somehow live without. Otherwise I don't need a large number of
  connected clients or high data-rates.
 
  So what are you using and what kind of VPN/Tunnel would you suggest in
 my case?
 
  Thanks,
  Markus



Re: [c-nsp] Cisco 867 SIP NAT

2013-01-10 Thread Richard Clayton
I am currently running SIP ALG on 1000 devices without any problems, a
mixture of 857 and 887VA-M.  I originally had a problem with the 887VA-M
but a bug fix was released after I raised a TAC case.

Cheers
Sledge

On 9 January 2013 00:12, Jared Mauch ja...@puck.nether.net wrote:

 IOS automatically does SIP-ALG when doing nat, is this enabled or not?

 The SIP-ALG is broken and I have always recommended people to turn it off.

 - Jared

 On Jan 8, 2013, at 7:05 PM, Andrew Yager and...@rwts.com.au wrote:

  Hi,
 
  We have a client using a Cisco 867 with SIP based VoIP phones behind it
 (not CCM).
 
  Each time the phones perform a new SIP request a new entry is created in
 the NAT table on a different port, which very quickly floods the NAT table
 and crashes the router.
 
  We've tried with c860-universalk9-mz.150-1.M6 and
 c860-universalk9-mz.151-4.M5 but are seeing the same behaviour.
 
  Client nat config is relatively standard:
 
  ip nat inside source list 10 interface Dialer0 overload
  ip nat inside source static tcp 10.1.1.100 5900 interface Dialer0 5900
  ip nat inside source static tcp 10.1.1.100 1723 interface Dialer0 1723
 
  access-list 10 permit 10.1.1.0 0.0.0.255
 
  Has anyone seen this issue on this series of routers and/or know if it's
 an IOS bug? Any fixes or workarounds or working IOS versions?
 
  Thanks,
  Andrew
 
  --
  Andrew Yager, Managing Director   (MACS Snr CP BCompSc MCP MCE
 JNCIA-Junos)
  Real World Technology Solutions Pty Ltd  - IT people you can trust
  ph: 1300 798 718 or (02) 9037 0500
  fax: (02) 9037 0591 mob: 0405 152 568
  http://www.rwts.com.au/
 
 
 
 
 
 
 
 





Re: [c-nsp] ISR G2 Licenses - Permanent vs Right To Use

2012-11-28 Thread Richard Clayton
All ours say

Index 2 Feature: securityk9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium



On 28 November 2012 11:52, Steve McCrory smccr...@gcicom.net wrote:

 Hi Group,

 We've had a complaint from a customer that their security license on a
 1941K9 is showing as Right To Use when they are expecting it to show
 Permanent:

 Index 2 Feature: securityk9
  Period left: Life time
  License Type: RightToUse
  License State: Active, In Use
  License Count: Non-Counted
  License Priority: Low

 We've had this checked with our distributor who shipped us the router
 pre-installed with the required license and they are happy that Right To
 Use is correct. They even raised it with Cisco and they came back
 quoting the Wassenaar Arrangement.

 Can someone clear up the difference between the two terms as the Cisco
 literature on the subject is confusing and our customer is like a dog
 with a bone over this.

 Thanks

 Steven

 Steven McCrory
 Network Specialist

 GCI Com
 Unit 2
 Modwen Road
 Salford
 M5 3EZ

 Office:  0844 443 3537
 Fax:  0844 443 3540
 www.gcicom.net

 Steve McCrory
 Senior Network Engineer

 GCI Com
 Cedar Court Office Park
 Denby Dale Road
 Calder Grove
 Wakefield
 WF4 3QZ

 Office:   0844 443 3537
 Fax:  0844 443 3540
 http://www.gcicom.net/



Re: [c-nsp] ISR G2 Licenses - Permanent vs Right To Use

2012-11-28 Thread Richard Clayton
Reuben

How do I activate a RightToUse licence, I have only ever used the permanent
process before.

Thanks
Sledge

On 28 November 2012 12:23, Reuben Farrelly reuben-cisco-...@reub.net wrote:

 On 28/11/2012 10:52 PM, Steve McCrory wrote:

 Hi Group,



 RightToUse (RTU) license are licenses that essentially are just honor
 based, ie you can freely use the features providing you have purchased the
 license, and there is no enforcement of the featureset on or off. This is
 basically how Cisco has historically licensed IOS for many years.

 Permanent licenses are ones where a license key has been imported into the
 router IOS and are based on a cryptographic license key file.  These are
 node-locked licenses and tied to the serial number of the chassis. With a
 bit of messing around these can be transferred if you do an RMA.

 If you've paid for and are entitled to a given featureset then yes, you
 should be getting what is called a Product Activation Key (PAK), which in
 turn you enter in to www.cisco.com/go/license, which then spits out a
 tiny license key file that you install on the router.  This then shows up
 as a 'permanent' license in the IOS.  Either that, or the license is
 pre-installed at the factory in which case it will show as a permanent
 license out of the box.  This is how it normally works, I've had dozens of
 routers shipped to us from our distributor that are done this way.

 Cisco went down the path of enforcing licensing (ie permanent licenses, no
 RTU) on some newer IOS platforms but did a fast backpedal in a 15.0/15.1
 maintenance rebuild of IOS.  Presumably a few people seriously objected to
 it and the messing around involved in processing licenses, and Cisco
 realised it probably was causing more pain and lost sales than it was
 worth.  So pretty much across the board in so far as branch routers now
 we're back to where we started, ie honor based RTU licenses where the real
 proof of entitlement is a purchase order proving you've bought the license
 :-)

 Reuben





[c-nsp] Interface Buffer and Queue Limit ISRG2

2012-08-25 Thread Richard Clayton
Good Evening

Does anybody know what the default buffer is on the Gig interface of an
ISRG2, also, if the answer is 1000 packets is there any point in having a
queue-limit higher than 1000 packets in the default-queue of a QoS shaping
policy attached to one of the interfaces.
Will having a queue-limit higher than the default interface buffer cause
drops in the PQ of this policy if the default-queue exhausts the configured
limit.

Thanks
Sledge


Re: [c-nsp] ME3600X Output Drops

2012-08-23 Thread Richard Clayton
George

I believe you will be able to specify a % of the available buffer for
queue-limit in a future release and you will also be able to specify 100%
of the buffer for each individual queue-limit.

Thanks
Sledge


On 23 August 2012 11:57, George Giannousopoulos ggian...@gmail.com wrote:

 If I remember correctly, 2457 packets is the maximum on this platform
 We weren't given any specific version for the increase default values

 In case you get anything extra from your SR, it would be nice to share it
 with us

 George

 On Thu, Aug 23, 2012 at 12:10 PM, Ivan cisco-...@itpro.co.nz wrote:

  Thanks George.  I am raising a SR to get some more information too. Are
  you able to explain how the queue-limit of 2457 was selected? Also were
  you given a version for the increase in the default queue size?  I am running
  me360x-universalk9-mz.152-2.S1.bin
 
  Cheers
 
  Ivan
 
 
 
  On 23/Aug/2012 5:48 p.m., George Giannousopoulos wrote:
 
  Hi Ivan,
 
  In fact the default queue limit in 3800x/3600x is quite small
  We also had issues with drops in all interfaces, even without congestion
 
  After some research and an SR with Cisco, we have started applying qos
 on
  all interfaces
 
  policy-map INTERFACE-OUTPUT-POLICY
   class dummy
   class class-default
    shape average X
    queue-limit 2457 packets
 
 
  The dummy class does nothing.
  It is just there because IOS wouldn't allow changing queue limit
 otherwise
 
  Also there were issues with the policy counters which should be resolved
  after15.1(2)EY2
  Cisco said they would increase the default queue sizes in the second
 half
  of 2012..
  So, I suggest you try the latest IOS version and check again
 
  10G interfaces had no drops in our setup too.
 
  Regards
  George
 
 
  On Thu, Aug 23, 2012 at 1:34 AM, Ivan cisco-...@itpro.co.nz wrote:
 
  Replying to my own message
 
  * Adjusting the hold queue didn't help.
 
  * Applying QOS and per referenced email stopped the drops
  immediately - I
  used something like the below:
 
  policy-map leaf
   class class-default
    queue-limit 491520 bytes

  policy-map logical
   class class-default
    service-policy leaf

  policy-map root
   class class-default
    service-policy logical
 
  * I would be interested to hear if others have ended up applying a
  similar
  policy to all interfaces.  Any gotchas?  I expect any 10Gbps
  interfaces
  would be okay without the QoS - haven't seen any issue on these
  myself.
 
  *Apart from this list I have found very little information around
 this
  whole issue.  Any pointers to other documentation would be
  appreciated.
 
  Thanks
 
  Ivan
 
  Ivan
 
   Hi,
  
   I am seeing output drops on a ME3600X interface as shown below
  
   GigabitEthernet0/2 is up, line protocol is up (connected)
 MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 29/255, rxload 2/255
 Encapsulation ARPA, loopback not set
 Keepalive set (10 sec)
 Full-duplex, 1000Mb/s, media type is RJ45
 input flow-control is off, output flow-control is unsupported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 6w1d, output never, output hang never
 Last clearing of show interface counters 00:12:56
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output
  drops: 231
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 30 second input rate 10299000 bits/sec, 5463 packets/sec
 30 second output rate 114235000 bits/sec, 12461 packets/sec
3812300 packets input, 705758638 bytes, 0 no buffer
Received 776 broadcasts (776 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 776 multicast, 0 pause input
0 input packets with dribble condition detected
9103882 packets output, 10291542297 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
  
   I have read about similar issues on the list:
   http://www.gossamer-threads.com/lists/cisco/nsp/157217
   https://puck.nether.net/pipermail/cisco-nsp/2012-July/085889.html
  
   1. I have no QoS policies applied to the physical interface or
 EVCs.
   Would increasing the hold queue help?  Is there a recommended
  value - the
   maximum configurable is 24.  What is the impact on the 44MB
  of packet
 

Re: [c-nsp] Troubleshooting uncategorized output drops and errors on the 6500

2012-07-26 Thread Richard Clayton
John

Could your drops be due to microbursts?

On 26 July 2012 18:37, John Neiberger jneiber...@gmail.com wrote:

 I've got another strange issue brewing. We have a 1-gig interface on a
 6500 (6748 blade) that has a high number of output errors and output
 drops. The drops are not queue drops. Here are the stats, one week
 after clearing the counters.

 Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops:
 1158860
   Queueing strategy: fifo
   Output queue: 0/40 (size/max)
   30 second input rate 854000 bits/sec, 101 packets/sec
   30 second output rate 78000 bits/sec, 116 packets/sec
  97152626 packets input, 115649666904 bytes, 0 no buffer
  Received 0 broadcasts (0 multicasts)
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 0 multicast, 0 pause input
  0 input packets with dribble condition detected
  90216394 packets output, 7441734020 bytes, 0 underruns
  579430 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 PAUSE output
  0 output buffer failures, 0 output buffers swapped out


 Packets dropped on Transmit:

 queue dropped  [cos-map]
 -
 10  [0 1 ]
 20  [2 3 4 ]
 30  [6 7 ]
 40  [5 ]

 I haven't been able to figure out what could be causing such a high
 rate of errors and drops. I have a TAC case open, but the engineer
 hasn't been able to explain what we're seeing. I'm probably just going
 to coordinate with the server and app owners to move this to another
 link, but I'm still very curious about what could cause this behavior.

 Any ideas?

 Thanks,
 John



Re: [c-nsp] DHCP NAT router limitations

2012-06-01 Thread Richard Clayton
I know that with Packet Marking, NAT and Firewall enabled with 512-byte
frames you will get 50Mbps (symmetric) throughput out of a 2921 (CPU
running at 75%).

If this were a router to provide Internet to end users then you would have
more traffic download than upload, and with 50Mb download and say an upload
of around 25% of that, the CPU would probably tick over at around 40%.
If you don't need Firewall and Marking then a lower model router would do,
I reckon a 1921. Not sure of the G1's, I've only tested G2's.

Thanks
Rick




On 31 May 2012 12:39, Rens r...@autempspourmoi.be wrote:

 Where do you get that info that a 1841  2811 can't do this?

 They do fine average Internet traffic @ 50Mbps

 I got 2811's doing 100Mbps



 Indeed my wifi setup can cope with 2K connections



 From: aled.w.mor...@googlemail.com [mailto:aled.w.mor...@googlemail.com]
 On
 Behalf Of Aled Morris
 Sent: woensdag 30 mei 2012 17:09
 To: Rens
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] DHCP  NAT router limitations



 On 30 May 2012 11:17, Rens r...@autempspourmoi.be wrote:

 For a one day wifi event I'm looking which kind of router can be used to
 deliver DHCP  NAT for 1000-2000 simultaneous users

 Total WAN capacity will be +- 50Mbps

 Would a 1841 or a 2811 be able to handle all this NAT/DHCP?


 Neither of these would cope with 50Mbps even without the NAT.

 If you are purely Ethernet then the cheapest Cisco solution would be an
 ASA5505

 I assume you've already got a wifi setup that can cope with 2,000
 connections.

 Aled





Re: [c-nsp] L2TP IP TOS Reflect

2012-05-03 Thread Richard Clayton
This is my config and it works fine:

vpdn-group 1
 request-dialin
  protocol l2tp
  domain me.com
 initiate-to ip 192.168.50.50
 local name me
 l2tp tunnel password 0 password
 l2tp tunnel receive-window 10
 ip tos reflect


On 3 May 2012 10:54, ar ar_...@yahoo.com wrote:

  Anyone tried this in l2tp?
  ip tos reflect seems to be not working

  sample config:

  vpdn-group 1
   accept-dialin
    protocol l2tp
    virtual-template 1
   terminate-from hostname althea
   local name bertha
   l2tp ip tos reflect

 any workarounds?



Re: [c-nsp] ISRG2

2012-03-30 Thread Richard Clayton
Ah, somebody asked me this on a previous post and I forgot to answer. I
have extensive testing results which I will post to you in raw format now.
Any questions on the format, just ask.

On 30 March 2012 14:57, harbor235 harbor...@gmail.com wrote:

 I am having the hardest time finding docs on ISRG2 performance comparisons
 for the 3900 and
 the 3900E models. I am interested in the 3925/3925E, Before anyone
 lmgtfy.com's typical marketing
 data I found, there are slot differences, built-in LAN interfaces
 differences, etc ...One uses the SPE100 and the
 other the SPE200 but what are the performance numbers, comparisons?


 thanx in advance,

 Mike



Re: [c-nsp] routerperformance

2012-03-23 Thread Richard Clayton
I have performed extensive testing of this platform with different features
enabled if you need anything specific.

On 23 March 2012 21:40, Keegan Holley keegan.hol...@sungard.com wrote:

 Does anyone have the throughput numbers for the new cisco 29XX/39XX
 routers?  I see they continue to omit them from the website.



[c-nsp] QoS - Fair Queue effect on CPU

2012-03-19 Thread Richard Clayton
I have been searching for any real world examples or information on the
effect the 'fair queue' process has on router CPU. Does anybody have any
experience of this, particularly with multiple high bandwidth flows on the
ISRG2 platform? I know it's not an exact science and I am being specific
with the scenario, but I don't want to be caught out with unexpectedly high
CPU when using this in a QoS policy.

Thanks
Rick