Re: [c-nsp] how codec transparent works?

2015-05-09 Thread Roger Wiklund
You probably want to post this in cisco-voip instead of nsp.

Why are you using H323 instead of SIP?
Is the 2800 a CUBE or voice gateway with TDM? Please explain the
setup/call flow?

Q. What is a transparent codec, and what does it do?
A. The Cisco Unified Border Element transparently passes capabilities
between endpoints. To configure this function in Cisco IOS Software, a
new codec type called the transparent codec is used.
The transparent codec is unique to the Cisco Unified Border Element.
Configuring codec transparent on the Cisco Unified Border Element
allows it to pass through codecs that it understands, but it does not
force the negotiation of any particular codec - codec negotiation is
left to the two endpoints. Only codecs that are supported on the Cisco
Unified Border Element can be passed between the two call legs.







On Sat, May 9, 2015 at 12:20 PM, s m sam.gh1...@gmail.com wrote:
 hello everybody,

 anybody knows how codec transparent works?

 i have a strange problem. i want to set h323 trunk between asterisk and
 cisco 2800. it only works when i set codec transparent in dial-peer nodes.
 show commands in cisco shows that i have a call with g711alaw but if i set
 codec g711alaw in dial-peers, i do not have any success call. i know it is
 codec compatibility problem. is there any difference between g711 codecs
 which cisco and asterisk utilize? what happened when codec is set to
 transparent? does anyone know anything about it?

 thanks in advance
 SAM
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ME3600 traffic shaping

2015-03-16 Thread Roger Wiklund
Try adjusting the buffer size:

class class-default
  queue-limit x
  shape average 55000

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_1_S/configuration/guide/3800x3600xscg/swqos.html

On Mon, Mar 16, 2015 at 9:31 PM, Aaron aar...@gvtc.com wrote:
 I'm only seeing about 150mbps outbound on this interface, and I have a
 shaper of 550mbps applied to it, but for some reason I'm seeing drops.
 Please help me understand why.

 Thanks

 Aaron

 me3600#sh int g0/13 | in 30 sec
   30 second input rate 15418000 bits/sec, 9518 packets/sec
   30 second output rate 151005000 bits/sec, 15213 packets/sec

 me3600#sh ver | in IOS
 Cisco IOS Software, ME360x Software (ME360x-UNIVERSALK9-M), Version
 15.2(4)S5, RELEASE SOFTWARE (fc1)

 me3600#sh run in g0/13
 interface GigabitEthernet0/13
  switchport trunk allowed vlan none
  switchport mode trunk
  load-interval 30
  spanning-tree portfast trunk
  service instance 1 ethernet
   encapsulation default
   service-policy input 500mbps-in
   service-policy output 500mbps-out
   bridge-domain 100

 me3600#sh run policy-map
 policy-map 500mbps-out
  class class-default
   shape average 55000

 policy-map 500mbps-in
  class class-default
   police cir 57500

 me3600#sh policy-map int g0/13 service instance 1
   GigabitEthernet0/13: EFP 1

   Service-policy input: 500mbps-in

     Class-map: class-default (match-any)
       1437173 packets, 312828407 bytes
       30 second offered rate 15397000 bps, drop rate  bps
       Match: any
       police:
         cir 57500 bps, bc 1600 bytes
         conform-action transmit
         exceed-action drop
       conform: 1435393 (packets) 312613462 (bytes)
       exceed: 0 (packets) 0 (bytes)
       conform: 15231000 bps, exceed: 0 bps
       Output Queue:
         Tail Packets Drop: 0
         Tail Bytes Drop: 0

   Service-policy output: 500mbps-out

     Class-map: class-default (match-any)
       2333736 packets, 2865061329 bytes
       30 second offered rate 153591000 bps, drop rate 784000 bps
       Match: any
       Traffic Shaping
         Average Rate Traffic Shaping
         Shape 55 (kbps)
       Output Queue:
         Tail Packets Drop: 10394
         Tail Bytes Drop: 14192865


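Added example, not from the thread: a small token-bucket model of an average-rate shaper with a finite packet queue, showing why a port that averages 150 Mbps into a 550 Mbps shaper can still tail-drop when the traffic arrives in line-rate bursts, and how the queue-limit changes that. The tick length, the burst pattern and the 4 ms Bc are constructed assumptions, not the ME3600's actual scheduler.

```python
from dataclasses import dataclass


@dataclass
class ShaperStats:
    sent: int = 0
    dropped: int = 0      # tail drops: arrivals that found the queue full
    max_queue: int = 0    # deepest backlog seen, in packets


def bursty_arrivals(burst_pkts, burst_ticks, idle_ticks, cycles):
    """Constructed traffic pattern: line-rate bursts separated by idle gaps.
    Each element is the number of packets arriving during one tick."""
    return ([burst_pkts] * burst_ticks + [0] * idle_ticks) * cycles


def offered_rate_bps(arrivals, pkt_bytes=1500, tick_s=1e-4):
    """Long-term average of the pattern, the figure a 30-second interface
    counter would show."""
    return sum(arrivals) * pkt_bytes * 8 / (len(arrivals) * tick_s)


def simulate_shaper(arrivals, shape_bps, queue_limit,
                    pkt_bytes=1500, bc_bytes=None, tick_s=1e-4):
    """Average-rate shaper as a token bucket feeding a FIFO with a hard
    packet limit (the queue-limit knob). Assumed: a 4 ms burst allowance
    (Bc) and a bucket that starts full."""
    tokens_per_tick = shape_bps * tick_s / 8.0
    bc = bc_bytes if bc_bytes is not None else shape_bps / 8.0 * 0.004
    credit = bc
    queue = 0
    stats = ShaperStats()
    for n in arrivals:
        # Enqueue: whatever does not fit under queue_limit is tail-dropped,
        # no matter how low the long-term average rate is.
        accepted = min(n, queue_limit - queue)
        stats.dropped += n - accepted
        queue += accepted
        stats.max_queue = max(stats.max_queue, queue)
        # Dequeue: release only what the accumulated credit allows this tick.
        credit = min(bc, credit + tokens_per_tick)
        sendable = min(queue, int(credit // pkt_bytes))
        queue -= sendable
        credit -= sendable * pkt_bytes
        stats.sent += sendable
    return stats


# Constructed scenario modelled on the thread: a 1 Gbps port delivers about
# 8 full-size packets per 100 us tick; 15 ms bursts every 96 ms average out
# to 150 Mbps offered to a 550 Mbps shaper.
ARRIVALS = bursty_arrivals(burst_pkts=8, burst_ticks=150, idle_ticks=810, cycles=3)
SHAPE_BPS = 550_000_000


def compare_queue_limits(small=64, large=1024):
    """Same traffic and shaper, two queue depths."""
    return {
        "offered_mbps": round(offered_rate_bps(ARRIVALS) / 1e6),
        "small": simulate_shaper(ARRIVALS, SHAPE_BPS, small),
        "large": simulate_shaper(ARRIVALS, SHAPE_BPS, large),
    }


if __name__ == "__main__":
    r = compare_queue_limits()
    print(f"offered {r['offered_mbps']} Mbps into a {SHAPE_BPS // 1_000_000} Mbps shaper")
    print("queue-limit 64  :", r["small"])
    print("queue-limit 1024:", r["large"])
```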

[c-nsp] Best practice WLC 5508 public guest network?

2013-10-21 Thread Roger Wiklund
Hi.

I'm setting up a wireless guest network with dual stack.
My concern is security, I want to protect the network as much as possible.

My exp. with Cisco WLC is rather limited, but it looks like most of the
security features are enabled out of the box.

- Dynamic ARP Inspection
- DHCP Snooping
- RA Guard
- All kinds of flooding types using the standard signatures blocking.
- IP Theft/IP Reuse

Besides that I've enabled:

- Peer to peer blocking
- DHCP Addr assignment required
- Basic ACLs

Is there anything else that I might have missed/overlooked?

Also, if I disable DHCP Proxy mode, does that mean I'm vulnerable to DHCP
starvation attacks, rogue DHCP server etc? The documentation is not very
clear on that.

Thanks!

/Roger


Re: [c-nsp] traceroute shows mpls labels...how?

2012-08-22 Thread Roger Wiklund
MPLS TTL

By default mpls ip propagate-ttl is enabled in global configuration
mode. This enables the user to trace the hops of the MPLS routers with
labels as shown in the above traceroute. This is because the MPLS TTL field is
copied from the IP TTL field, and on each MPLS LSR hop the TTL is
decremented.

To “hide” the MPLS hops you can disable it with no mpls ip
propagate-ttl on every LSR in global configuration mode. Disabling
MPLS TTL propagation makes the MPLS TTL field take a fixed value of 255,
and on every MPLS LSR hop the IP TTL value stays intact. The IP
TTL will only be decremented when the egress LSR sends the packet out
unlabeled to the destination host.

m1(config)#no mpls ip propagate-ttl

Not sure why you're not seeing it in Windows, prob a very simple
traceroute implementation.

/Roger

On Wed, Aug 22, 2012 at 9:21 PM, Aaron aar...@gvtc.com wrote:
 Do you all know how this works?  How is traceroute able to report back the
 mpls label that is in use in the transit hops?  Also wondering why I don't
 see this on windows command line tracert

 Aaron

 RP/0/RSP0/CPU0:9k#trace vrf one 1.2.3.4 source 2.4.6.8

 1  19.1911.5 [MPLS: Labels 16001/16220 Exp 0] 2 msec  1 msec  0 msec
 2  19.1911.1 [MPLS: Label 16220 Exp 0] 0 msec  0 msec  1 msec
 3  88.88.191.22 0 msec  0 msec
    19.1911.33 1 msec
 4  88.88.191.18 1 msec  1 msec  0 msec
 5  88.88.135.221 10 msec  10 msec  11 msec
 6  122.47.236.130 [MPLS: Label 17039 Exp 1] 47 msec  49 msec  51 msec
 7  122.47.154.53 [MPLS: Labels 0/17017 Exp 1] 48 msec  49 msec  47 msec
 8  122.45.30.134 [MPLS: Labels 23417/17016 Exp 1] 48 msec  49 msec  47 msec
 9  122.45.1.17 [MPLS: Labels 23439/17016 Exp 1] 50 msec  49 msec  51 msec
 10 122.45.31.189 [MPLS: Labels 0/17016 Exp 1] 51 msec  54 msec  51 msec
 11 122.45.158.34 [MPLS: Labels 0/16009 Exp 1] 49 msec  50 msec  47 msec
 12 122.45.104.49 46 msec  46 msec  47 msec
 13 122.45.108.14 47 msec  47 msec  47 msec
 14  *  *  *
 15  *  *  *
 16  *



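Added example, not from the thread: the mechanism behind the labels in the trace above. An LSR that expires a labelled packet returns an ICMP Time Exceeded that may carry the label stack in an RFC 4884/RFC 4950 extension; the parser below decodes one, built here as a constructed sample matching hop 1 of the trace (labels 16001/16220, Exp 0), and traceroute_model shows which routers answer the probes with and without TTL propagation (a simplified model, not IOS code).

```python
import struct

ICMP_TIME_EXCEEDED = 11
EXT_VERSION = 2                  # RFC 4884 extension structure version
MPLS_CLASS, MPLS_CTYPE = 1, 1    # RFC 4950 MPLS Label Stack object


def parse_mpls_extension(icmp_msg):
    """Return [(label, exp, bottom_of_stack, ttl), ...] from an ICMP Time
    Exceeded message, or [] when it carries no MPLS Label Stack object."""
    if len(icmp_msg) < 8 or icmp_msg[0] != ICMP_TIME_EXCEEDED:
        return []
    orig_words = icmp_msg[5]     # RFC 4884: original datagram length in 32-bit words
    if orig_words == 0:
        return []                # legacy message, no extension structure follows
    ext_off = 8 + orig_words * 4
    if len(icmp_msg) < ext_off + 4 or icmp_msg[ext_off] >> 4 != EXT_VERSION:
        return []
    pos, entries = ext_off + 4, []
    while pos + 4 <= len(icmp_msg):
        obj_len, cls, ctype = struct.unpack_from("!HBB", icmp_msg, pos)
        if obj_len < 4 or pos + obj_len > len(icmp_msg):
            break                # malformed object: stop rather than overread
        if (cls, ctype) == (MPLS_CLASS, MPLS_CTYPE):
            for i in range(pos + 4, pos + obj_len - 3, 4):
                (e,) = struct.unpack_from("!I", icmp_msg, i)
                entries.append((e >> 12, (e >> 9) & 0x7, (e >> 8) & 0x1, e & 0xFF))
        pos += obj_len
    return entries


def build_time_exceeded(orig_datagram, labels):
    """Construct a sample message (checksums left zero, so not wire-valid)."""
    padded = orig_datagram.ljust(max(128, (len(orig_datagram) + 3) // 4 * 4), b"\0")
    hdr = struct.pack("!BBHBBH", ICMP_TIME_EXCEEDED, 0, 0, 0, len(padded) // 4, 0)
    lse = b"".join(struct.pack("!I", (lbl << 12) | (exp << 9) | (s << 8) | ttl)
                   for lbl, exp, s, ttl in labels)
    obj = struct.pack("!HBB", 4 + len(lse), MPLS_CLASS, MPLS_CTYPE) + lse
    return hdr + padded + struct.pack("!BBH", EXT_VERSION << 4, 0, 0) + obj


def format_like_ios(entries):
    """Render the stack the way the trace in the post prints it."""
    if not entries:
        return ""
    word = "Labels" if len(entries) > 1 else "Label"
    labels = "/".join(str(e[0]) for e in entries)
    return f"[MPLS: {word} {labels} Exp {entries[0][1]}]"


def traceroute_model(core_lsrs, propagate_ttl):
    """Which routers answer successive probes across one LSP (simplified).
    With propagation the ingress copies the IP TTL into the label, so every
    core LSR can expire a probe; without it the label TTL starts at 255 and
    only the edge routers ever answer."""
    responders = []
    probe_ttl = 0
    while not responders or responders[-1] != "destination":
        probe_ttl += 1
        ip_ttl = probe_ttl - 1           # ingress LER decrements before pushing
        if ip_ttl == 0:
            responders.append("ingress-LER")
            continue
        label_ttl = ip_ttl if propagate_ttl else 255
        expired_at = None
        for lsr in core_lsrs:
            label_ttl -= 1
            if label_ttl == 0:
                expired_at = lsr
                break
        if expired_at is None:
            if propagate_ttl:            # egress copies the smaller label TTL back
                ip_ttl = min(ip_ttl, label_ttl)
            ip_ttl -= 1
            expired_at = "egress-LER" if ip_ttl == 0 else "destination"
        responders.append(expired_at)
    return responders


# Constructed sample: hop 1 of the trace in the post, labels 16001/16220, Exp 0.
SAMPLE_ICMP = build_time_exceeded(b"\x45\x00\x00\x3c" + b"\0" * 56,
                                  [(16001, 0, 0, 1), (16220, 0, 1, 1)])
```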

[c-nsp] 50% intermittent packet loss on Cisco IP Phone connected to Cat4500

2012-04-05 Thread Roger Wiklund
Scenario: Cisco 6921 IP phone connected to a Cat4500 with IOS
12.2(54)SG1. Port has CDP, dot1x, QoS trust enabled etc.
When I ping from another subnet I get about 50% packet loss with no
obvious pattern. The phone drops registration to the CallManager, releases
its IP and restarts, and cycles through it over and over.

No PC is connected behind the phone. And PCs on the same switch have
no problems whatsoever.
I tried to remove dot1x and just have a clean port, but still with the
same issue.

Moved the phone to a 2960 switch, worked right away.

I then disabled CDP on the 4500 port and it looks better but too early to tell.
Did not find anything like this in the bug tool for 12.2(54)SG1.

Have you seen anything like this before on the 4500?

Thanks


Re: [c-nsp] Automatic response - CUCM

2012-01-29 Thread Roger Wiklund
On Sun, Jan 29, 2012 at 2:09 PM, Dario Quiroz m...@darioquiroz.com wrote:
 Hi! We need to play an audio (vacation response) when the customers call a
 specific number.
 How can we do this?
 Thanks in advance!!

You probably want to send this to the cisco-voip list.

Anyway, in terms of Cisco equipment you need either Unity, Unity
Connection, Unity Express or UCCX to accomplish this. You can do it on
a Cisco ISR gateway also, but that's not as straightforward.

/Roger


[c-nsp] ASR 1002 gigethernet with subinterface config question (stupid/simple?)

2011-12-19 Thread Roger Wiklund
Hi,

First time configuring an ASR. WAN link is GigE with 3 tagged VLANs.

Port is UP/UP 1000-full with LX SFP. I know the link works because we
moved it from a 6500 to this new router.
I cannot ping myself, I cannot ping the other end, I see no attempts
of ARP etc. I have tried moving config to main interface, tried
removing VRFs etc. no go.

Am I missing something here?

config:

ip vrf A
 rd 59313:10
 route-target export 59313:10
 route-target import 59313:10
!
ip vrf B
 rd 59313:20
 route-target export 59313:20
 route-target import 59313:20
!
interface GigabitEthernet0/1/1
 media-type sfp
 no negotiation auto
!
interface GigabitEthernet0/1/1.100
 description WAN
 bandwidth 188000
 ip address 192.168.1.2 255.255.255.252
 encapsulation dot1Q 100
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 service-policy output shape-etm-A
!
interface GigabitEthernet0/1/1.300
 description WAN
 bandwidth 188000
 encapsulation dot1Q 300
 ip vrf forwarding A
 ip address 192.168.2.2 255.255.255.252
 service-policy output shape-etm-B
!
interface GigabitEthernet0/1/1.400
 description WAN
 bandwidth 188000
 encapsulation dot1Q 400
 ip vrf forwarding B
 ip address 192.168.3.2 255.255.255.252
 ip nbar protocol-discovery
 service-policy output shape-etm-C


show inv:

NAME: Chassis, DESCR: Cisco ASR1002 Chassis
PID: ASR1002   , VID: V05, SN:

NAME: Power Supply Module 0, DESCR: Cisco ASR1002 AC Power Supply
PID: ASR1002-PWR-AC, VID: V02, SN:

NAME: Power Supply Module 1, DESCR: Cisco ASR1002 AC Power Supply
PID: ASR1002-PWR-AC, VID: V02, SN:

NAME: module 0, DESCR: Cisco ASR1002 SPA Interface Processor 10
PID: ASR1002-SIP10 , VID: V05, SN:

NAME: SPA subslot 0/1, DESCR: 2-port Gigabit Ethernet Shared Port Adapter
PID: SPA-2X1GE-V2  , VID: V01, SN:

NAME: subslot 0/1 transceiver 1, DESCR: GE LX
PID: SFP-GE-L, VID: A   , SN:

NAME: SPA subslot 0/0, DESCR: 4-port Gigabit Ethernet Shared Port Adapter
PID: 4XGE-BUILT-IN , VID: V00, SN: N/A

NAME: subslot 0/0 transceiver 0, DESCR: GE T
PID: N/A , VID: E   , SN:

NAME: subslot 0/0 transceiver 1, DESCR: GE T
PID: N/A , VID: E   , SN:

NAME: subslot 0/0 transceiver 2, DESCR: GE T
PID: N/A , VID: E   , SN:

NAME: module R0, DESCR: Cisco ASR1002 Route Processor 1
PID: ASR1002-RP1   , VID: V05, SN:


Re: [c-nsp] ASR 1002 gigethernet with subinterface config question (stupid/simple?)

2011-12-19 Thread Roger Wiklund
On Mon, Dec 19, 2011 at 4:44 PM, Andrew Miehs and...@2sheds.de wrote:

 On 19/12/2011, at 4:23 PM, Roger Wiklund wrote:

 Hi,

 First time configuring an ASR. WAN link is GigE with 3 tagged VLANs.

 Port is UP/UP 1000-full with LX SFP. I know the link works because we
 moved it from a 6500 to this new router.
 I cannot ping myself, I cannot ping the other end, I see no attempts
 of ARP etc. I have tried moving config to main interface, tried
 removing VRFs etc. no go.

 Am I missing something here?


 what does show license say?

 Andrew

router#show license
% Error: Licensing not supported on this platform

Running asr1000rp1-advipservicesk9.02.06.01.122-33.XNF1.bin

/Roger


Re: [c-nsp] ASR 1002 gigethernet with subinterface config question (stupid/simple?)

2011-12-19 Thread Roger Wiklund
On Mon, Dec 19, 2011 at 4:49 PM, Roger Wiklund co...@xy.org wrote:
 On Mon, Dec 19, 2011 at 4:44 PM, Andrew Miehs and...@2sheds.de wrote:

 On 19/12/2011, at 4:23 PM, Roger Wiklund wrote:

 Hi,

 First time configuring an ASR. WAN link is GigE with 3 tagged VLANs.

 Port is UP/UP 1000-full with LX SFP. I know the link works because we
 moved it from a 6500 to this new router.
 I cannot ping myself, I cannot ping the other end, I see no attempts
 of ARP etc. I have tried moving config to main interface, tried
 removing VRFs etc. no go.

 Am I missing something here?


 what does show license say?

 Andrew

 router#show license
 % Error: Licensing not supported on this platform

 Running asr1000rp1-advipservicesk9.02.06.01.122-33.XNF1.bin

 /Roger

Am I missing an Embedded Service Processor for packet forwarding???

show inv:

NAME: Chassis, DESCR: Cisco ASR1002 Chassis
PID: ASR1002   , VID: V05, SN:

NAME: Power Supply Module 0, DESCR: Cisco ASR1002 AC Power Supply
PID: ASR1002-PWR-AC, VID: V02, SN:

NAME: Power Supply Module 1, DESCR: Cisco ASR1002 AC Power Supply
PID: ASR1002-PWR-AC, VID: V02, SN:

NAME: module 0, DESCR: Cisco ASR1002 SPA Interface Processor 10
PID: ASR1002-SIP10 , VID: V05, SN:

NAME: SPA subslot 0/1, DESCR: 2-port Gigabit Ethernet Shared Port Adapter
PID: SPA-2X1GE-V2  , VID: V01, SN:

NAME: subslot 0/1 transceiver 1, DESCR: GE LX
PID: SFP-GE-L, VID: A   , SN:

NAME: SPA subslot 0/0, DESCR: 4-port Gigabit Ethernet Shared Port Adapter
PID: 4XGE-BUILT-IN , VID: V00, SN: N/A

NAME: subslot 0/0 transceiver 0, DESCR: GE T
PID: N/A , VID: E   , SN:

NAME: subslot 0/0 transceiver 1, DESCR: GE T
PID: N/A , VID: E   , SN:

NAME: subslot 0/0 transceiver 2, DESCR: GE T
PID: N/A , VID: E   , SN:

NAME: module R0, DESCR: Cisco ASR1002 Route Processor 1
PID: ASR1002-RP1   , VID: V05, SN:


Re: [c-nsp] ASR 1002 gigethernet with subinterface config question(stupid/simple?)

2011-12-19 Thread Roger Wiklund
On Mon, Dec 19, 2011 at 4:59 PM, Iftikhar Mehar
iftikhar.me...@maxima.co.uk wrote:
 Correct, you need an ESP mate.

 Regards,
 Ifti

Hehe, thanks! Makes sense!

/Roger


Re: [c-nsp] traffic engineering tunnels and vrf

2011-02-14 Thread Roger Wiklund
Do you not see them if you do show ip cef vrf x detail?

Look at your prefix and then you should see next hop and MPLS labels,
no indication of tunnels there?


On Sat, Feb 12, 2011 at 4:17 PM, ghanem ghourme ghanem...@gmail.com wrote:
 hi,

 I am a little bit confused. We have a network with MPLS traffic engineering
 enabled. Tunnels have been established and autoroute has been enabled
 between all 14 routers. I can see some routes in the global routing table
 which have tunnel 100x as a next hop.


 But we do have several vrf and distribute routes via mp-bgp.I do not
 understand how vrf traffic flows between  different routers

 since in the vrf route table I can not see any route which has  a tunnel as
 a next hop ,only bgp routes and other routers' loopback ip address as a next
 hop.

 can someone explain this?

 many thanks


Re: [c-nsp] L2 Ethernet bridging over GRE issues

2011-01-28 Thread Roger Wiklund
 And L2TPv3 is supported. Recent code doesn't allow a  bridge-group to be
 defined on a tunnel.

 While this is possible, its ten times easier and more reliable to use
 L2TPv3.

Thanks, I've never tested L2TP, but I'm familiar with GRE.
Is L2TP server-client or can it be used as always up back-to-back
between two routers?
Do you have any nice sample config of back-to-back L2TP on Ethernet
with and without VLANs.

Thanks!



Re: [c-nsp] L2 Ethernet bridging over GRE issues

2011-01-28 Thread Roger Wiklund
 Do you have any nice sample config of back-to-back L2TP on Ethernet
 with and without VLANs.

Nevermind, I got it working. Sample config if someone else is interested:

Router A:

pseudowire-class test
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/1
 description LAN
 no ip address
 speed 100
 full-duplex
 xconnect 2.2.2.2 1 encapsulation l2tpv3 manual pw-class test
  l2tp id 1 2


Router B:

pseudowire-class test
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 xconnect 1.1.1.1 1 encapsulation l2tpv3 manual pw-class test
  l2tp id 2 1

Works like a charm. But only layer 2. As I cannot put an IP on the LAN
interface, there is no usable default gateway for Host A and B.
It seems like you have to create 2 subinterfaces with the same VLAN
ID, then put the IP on the first sub-if and the xconnect on
the second subinterface without the IP, and then connect them to the
switch as a trunk.

/Roger

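Added example, not from the thread: a consistency check for the two-sided manual L2TPv3 config above (peer addresses, VC ID and mirrored l2tp id values). parse_manual_l2tpv3 and check_pair are helpers written for this note; the sample configs are copied from the post, with Router B's run-together "!interface" line split.

```python
import re
from dataclasses import dataclass


@dataclass
class ManualL2tpv3:
    source_ip: str = ""   # address of the interface named by 'ip local interface'
    peer: str = ""        # xconnect peer address
    vcid: int = 0
    local_id: int = 0     # 'l2tp id <local> <remote>'
    remote_id: int = 0


def parse_manual_l2tpv3(config):
    """Extract the fields of a manual (protocol none) L2TPv3 xconnect from an
    IOS running-config fragment. Only the commands used in the post are handled."""
    x = ManualL2tpv3()
    section, pw_class, iface_ips, pw_local_if = "", "", {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():       # unindented command opens a new section
            section = line
            continue
        if not section:
            continue
        kind, name = section.split()[0], section.split()[-1]
        if kind == "pseudowire-class":
            m = re.match(r"ip local interface (\S+)$", line)
            if m:
                pw_local_if[name] = m.group(1)
        elif kind == "interface":
            m = re.match(r"ip address (\S+) \S+$", line)
            if m:
                iface_ips[name] = m.group(1)
            m = re.match(r"xconnect (\S+) (\d+) encapsulation l2tpv3 manual pw-class (\S+)$", line)
            if m:
                x.peer, x.vcid, pw_class = m.group(1), int(m.group(2)), m.group(3)
            m = re.match(r"l2tp id (\d+) (\d+)$", line)
            if m:
                x.local_id, x.remote_id = int(m.group(1)), int(m.group(2))
    # resolve pw-class -> local interface -> address once the whole config is read
    x.source_ip = iface_ips.get(pw_local_if.get(pw_class, ""), "")
    return x


def check_pair(cfg_a, cfg_b):
    """Cross-check both ends. With 'protocol none' there is no control channel
    to negotiate or report any of this, so a mistake simply blackholes the
    pseudowire. Returns a list of mismatches, empty when consistent."""
    a, b = parse_manual_l2tpv3(cfg_a), parse_manual_l2tpv3(cfg_b)
    problems = []
    if a.peer != b.source_ip:
        problems.append(f"A targets {a.peer} but B sources from {b.source_ip}")
    if b.peer != a.source_ip:
        problems.append(f"B targets {b.peer} but A sources from {a.source_ip}")
    if a.vcid != b.vcid:
        problems.append(f"VC ID mismatch: {a.vcid} vs {b.vcid}")
    if (a.local_id, a.remote_id) != (b.remote_id, b.local_id):
        problems.append("l2tp id local/remote session IDs are not mirrored")
    return problems


# Sample configs copied from the post (Router B's stray '!' before 'interface' fixed).
ROUTER_A = """\
pseudowire-class test
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/1
 description LAN
 no ip address
 xconnect 2.2.2.2 1 encapsulation l2tpv3 manual pw-class test
  l2tp id 1 2
"""
ROUTER_B = """\
pseudowire-class test
 encapsulation l2tpv3
 protocol none
 ip local interface Loopback0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/1
 no ip address
 xconnect 1.1.1.1 1 encapsulation l2tpv3 manual pw-class test
  l2tp id 2 1
"""
# Constructed mistake: session IDs copied verbatim instead of mirrored.
BROKEN_B = ROUTER_B.replace("l2tp id 2 1", "l2tp id 1 2")
```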

[c-nsp] L2 Ethernet bridging over GRE issues

2011-01-27 Thread Roger Wiklund
I'm trying to accomplish the following:


Host A - 10.10.10.10/24
    |
 Router A
    |
 Internet
    |
 Router B
    |
Host B - 10.10.10.20/24

I've setup a GRE tunnel from Router A to Router B.
I've configured bridging between Tunnel0 and LAN interface on Router A
and Router B

From Host A I can ping Host B and vice versa. So far so good, bridging works.

Router A is my main router and thus I've configured a BVI1 Interface
with IP 10.10.10.1/24
I've also enabled bridge 1 route ip on Router A.

So from Host A, I can ping 10.10.10.1, 10.10.10.20(bridging) and any
other destination on the Internet using the BVI1 IP as default gw.

However, here is the problem:
Host B cannot ping 10.10.10.1, nor any other IP on the Internet,
(Host B default gateway is 10.10.10.1)

BTW this is all in dynamips with C2691 with advipservices 12.4(15)T14

What could be the problem here?

Here is Router A's config:

bridge irb
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 description Tunnel To Router B
 no ip address
 tunnel source Loopback0
 tunnel destination 2.2.2.2
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
 description LAN
 no ip address
 speed 100
 full-duplex
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip



Router B:

bridge irb
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 description Tunnel to Router A
 no ip address
 tunnel source Loopback0
 tunnel destination 1.1.1.1
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0/1
 description LAN
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
!
bridge 1 protocol ieee
bridge 1 route ip


Re: [c-nsp] help cisco product

2011-01-25 Thread Roger Wiklund
If you have bought the wrong equipment due to lack of knowledge, or
the reseller did not send you the correct equipment, that's something
you have to work out with the reseller. I doubt very much that Cisco
will help you here.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

If you have the 5510 you need Security Plus license in order to use
the 2GE ports.

On Tue, Jan 25, 2011 at 4:40 PM, David White, Jr. (dwhitejr)
dwhit...@cisco.com wrote:
 Hi Deric,

 I'm assuming you have a ASA-5510.  Initially, all the interfaces on the
 ASA-5510s were limited to 100M.  Later, E0 and E1 were given the
 capability to run at 1 Gbps.  However, this required that the following
 2 conditions be met:

 1) The ASA must be running 7.2(3), 8.0(3) or higher
 2) The ASA must have a Security Plus license installed (as indicated by
 the 'show version' output).

 Hope it helps,

 David.

 Deric Kwok wrote:
 Hi

 I am new in cisco product

 I brought new ASA551 from reseller in Asia but not my country
 Now we discover that the product is not same as we saw in the reseller 
 website
 In the web, the product includes 2FE and 3 x 100M but now it is all 100M

 The reseller claims the version and the serial no. should includes 2GigE
 but we can get ios to sh int as Ethernet (100M) NOT any GE
 Try to configure int and it only shows 10M / 100M and auto selection too

 The box is also showing S EC-BUN-K9.

 1/ How can we get cisco to help?
 2/ I register to cisco website. I am in guest account. Can I get support?
 3/ Is cisco shipping the wrong box?
 4/ Is reseller correct? Serial no. can prove the product. How can we
 check with cisco?

 Thank you for your help


Re: [c-nsp] Outbound Load balancing using eBGP

2010-12-21 Thread Roger Wiklund
On Mon, Dec 20, 2010 at 10:30 PM, RAZ MUHAMMAD raz.muham...@gmail.com wrote:
 Hi all,

 I would like to find out how one can use BGP to load balance outbound
 traffic, while multi homed to 2 transit providers or ISPs and getting full
 routing tables, no default routes? The BGP peer at the client end is a non
 Cisco router, so would not be able to use the multipath feature. The load
 balancing is intended for all routes in the routing table, or at least to
 achieve some kind of load distribution.

 Is there any other way to achieve an optimal outbound load balancing method
 using eBGP?


Just do maximum-paths 2 to load balance on equal paths. Per session is default.
Also if you want to ignore the AS path, use bgp bestpath as-path multipath-relax.

If your non-Cisco router is capable of handling a full routing table,
surely it must support at least multipath. Check with the vendor.


[c-nsp] Cisco IOS Embedded Packet Capture

2010-12-17 Thread Roger Wiklund
I guess this may be old but I think there may be some of you out
there who might find this useful/new.

Many times when troubleshooting remote locations I've said to myself
that if only I had a PC with Wireshark and a SPAN switchport I would
solve this problem.

With the Cisco IOS EPC you can capture packets on the router and
export them as a pcap and analyse them in Wireshark. Very useful!

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Enjoy

/Roger


[c-nsp] Q regarding QoS on 6500

2010-12-07 Thread Roger Wiklund
I have a simple question regarding QoS on 6500.

My question is: how do I know what type of cards/interfaces I'm using
(Flex WAN, OCM-WAN, LAN), and what type of QoS they support.
I want to be able to determine just by looking at the card specs, like
that's done in hardware and you can only use mls type QoS etc.
Now it's like I think that's the type of port that only supports x,
and I think that's a WAN port that supports y.

I found this article:

The 6500 does QoS in three places:

* Software-based in the MSFC
* Hardware-based (multi-layer switching-based) in the PFC
* Software-based on some line cards

http://www.netcraftsmen.net/resources/archived-articles/425.html

In the article there is a table listing what QoS features are
supported on what type of Interfaces etc.

I also found this:

For hardware-switched traffic, PFC QoS does not support the bandwidth,
priority, queue-limit, or random-detect policy map class commands. You
can configure these commands because they can be used for
software-switched traffic.

Here is a show inv:


NAME: WS-C6503-E, DESCR: Cisco Systems Catalyst 6500 3-slot Chassis System
PID: WS-C6503-E, VID: V02

NAME: CLK-7600 1, DESCR: OSR-7600 Clock FRU 1
PID: CLK-7600  , VID:

NAME: CLK-7600 2, DESCR: OSR-7600 Clock FRU 2
PID: CLK-7600  , VID:

NAME: 1, DESCR: WS-SUP32P-GE 10 ports Supervisor Engine 32 PISA 8GE Rev. 1.3
PID: WS-SUP32P-GE  , VID: V03

NAME: msfc sub-module of 1, DESCR: WS-F6K-PISA PISA Daughterboard Rev. 3.4
PID: WS-F6K-PISA   , VID: V04

NAME: switching engine sub-module of 1, DESCR: WS-F6K-PFC3B Policy
Feature Card 3 Rev. 2.6
PID: WS-F6K-PFC3B  , VID: V02

NAME: 3, DESCR: 7600-SIP-400 0 ports 4-subslot SPA Interface
Processor-400 Rev. 2.7
PID: 7600-SIP-400  , VID: V08

NAME: SPA in subslot 3/0, DESCR: 2-port Gigabit Ethernet Shared Port Adapter
PID: SPA-2X1GE , VID: V02

NAME: WS-C6503-E-FAN 1, DESCR: Enhanced 3-slot Fan Tray 1
PID: WS-C6503-E-FAN, VID: V02

NAME: PS 1 PWR-1400-AC, DESCR: AC power supply, 1400 watt 1
PID: PWR-1400-AC   , VID: V02


Re: [c-nsp] BFD and no ip redirects ?

2010-12-07 Thread Roger Wiklund
On Tue, Dec 7, 2010 at 12:53 PM, selamat pagi keti...@gmail.com wrote:
 According to Ciscos config guide, *no ip redirects* need to be configured
 for BFD

 I'm trying to understand why this is required.

 thanks, keti


Before using BFD echo mode, you must disable the sending of Internet
Control Message Protocol (ICMP) redirect messages by entering the no
ip redirects command, in order to avoid high CPU utilization.

from ietf draft:

   BFD Echo packets MUST be transmitted in UDP packets with destination
   UDP port 3785 in an IPv4 packet.  The setting of the UDP source port
   is outside the scope of this specification.  The destination address
   MUST be chosen in such a way as to cause the remote system to forward
   the packet back to the local system.  The source address MUST be
   chosen in such a way as to preclude the remote system from generating
   ICMP Redirect messages.  In particular, the source address SHOULD NOT
   be part of the subnet bound to the interface over which the BFD Echo
   packet is being transmitted, unless it is known by other means that
   the remote system will not send Redirects.

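Added example, not from the thread: a model of the RFC 1812 redirect decision that the Cisco note and the draft text above are guarding against. The neighbour R2 and its interfaces are constructed; sourcing the echo probe from the local interface address is an assumption about how the packet is addressed (the case the Cisco note exists for), and `no ip redirects` is modelled as a per-interface flag.

```python
import ipaddress
from dataclasses import dataclass

BFD_ECHO_PORT = 3785


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network    # directly connected subnet
    ip_redirects: bool = True         # IOS default; 'no ip redirects' -> False


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    ingress: str                      # interface the packet arrived on


def egress_interface(ifaces, dst):
    """Connected-route lookup only: the constructed neighbour has no other routes."""
    candidates = [i for i in ifaces if dst in i.network]
    return max(candidates, key=lambda i: i.network.prefixlen, default=None)


def would_send_redirect(ifaces, pkt):
    """RFC 1812 5.2.7.2: a router sends an ICMP Redirect when it forwards a
    packet out the interface it arrived on, the source is on that interface's
    subnet, and redirects are enabled there. Every echo probe meets the first
    condition by design, so the source address or the knob must break it."""
    in_if = next(i for i in ifaces if i.name == pkt.ingress)
    out_if = egress_interface(ifaces, pkt.dst)
    if out_if is None:
        return False
    return out_if.name == in_if.name and pkt.src in out_if.network and in_if.ip_redirects


def echo_probe(src, dst="10.0.0.1", ingress="Gi0/0"):
    """BFD echo packet as the neighbour sees it: the destination is the sender's
    own interface address, so the neighbour forwards it straight back."""
    return Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                  BFD_ECHO_PORT, ingress)


# Constructed neighbour R2: Gi0/0 faces the BFD peer (10.0.0.1), Gi0/1 is another LAN.
R2 = (Interface("Gi0/0", ipaddress.IPv4Network("10.0.0.0/30")),
      Interface("Gi0/1", ipaddress.IPv4Network("10.0.1.0/24")))
R2_NO_REDIRECTS = tuple(Interface(i.name, i.network, ip_redirects=False) for i in R2)


def redirect_scenarios():
    """The three cases discussed: on-link source with redirects on (assumed IOS
    behaviour, causes a redirect per probe), the same with 'no ip redirects',
    and an off-link source as the draft recommends."""
    return {
        "on-link src, redirects on": would_send_redirect(R2, echo_probe("10.0.0.1")),
        "on-link src, no ip redirects": would_send_redirect(R2_NO_REDIRECTS, echo_probe("10.0.0.1")),
        "off-link src, redirects on": would_send_redirect(R2, echo_probe("192.0.2.1")),
    }
```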

Re: [c-nsp] Adjusting MTU on 802.1q links

2010-12-03 Thread Roger Wiklund
On Fri, Dec 3, 2010 at 2:49 PM, Matthew Huff mh...@ox.com wrote:
 I don't know why it never occurred to me, but on 802.1q trunk links, 
 non-native vlans are encapsulated within 802.1q headers, therefore max 
 packets would have to be fragmented. On trunks that support it, should 
 standard practice to bump up the mtu on both sides to account for the 802.1q 
 header. If so, what are the downsides?

That's not needed; try to ping with 1500 bytes and the do-not-fragment
flag set and you will see that it works.
The only time you need to increase the MTU is for QinQ, MPLS etc.

Take a look at this page:

http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00801350c8.shtml#topic2



Re: [c-nsp] SIP to ISDN Call Progress

2010-11-15 Thread Roger Wiklund
Exactly what problems are you experiencing? One way audio? No
ringback? DTMF issues etc?

Have you tried voice rtp send-recv? This is used to cut through
two-way audio early. Not sure it will help though.

http://www.cisco.com/en/US/docs/ios/12_2/voice/command/reference/vrf_t.html#wp1076026

/Roger

On Mon, Nov 15, 2010 at 10:36 AM, Marco Marzetti ma...@lamehost.it wrote:

 Hello,

 I have a problem with SIP to ISDN internetworking on Cisco IOS.
 I'm unable to receive early-media messages from the ISDN side of the call.
 Hardware and software versions are: Cisco 2800 Software
 (C2800NM-ENTSERVICES-M), Version 12.4(20)T6, RELEASE SOFTWARE (fc2).

 # debug isdn q931 int Se0/1/0:15
 Nov 15 10:06:54.437 CET: ISDN Se0/1/0:15 Q931: Applying typeplan for
 sw-type 0x12 is 0x0 0x1, Calling num 03631970XXX
 Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: Sending SETUP  callref =
 0x0D0D callID = 0x980D switch = primary-net5 interface = User
 Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: TX - SETUP pd = 8  callref
 = 0x0D0D
        Bearer Capability i = 0x8090A3
                Standard = CCITT
                Transfer Capability = Speech
                Transfer Mode = Circuit
                Transfer Rate = 64 kbit/s
        Channel ID i = 0xA9839F
                Exclusive, Channel 31
        Calling Party Number i = 0x0180, '03631970XXX'
                Plan:ISDN, Type:Unknown
        Called Party Number i = 0x81, '199151119'
                Plan:ISDN, Type:UnknownsipSPIUpdateRtcpSession: sx79861: 
 started RTP
 timer in state STATE_SENT_ALERTING

 Nov 15 10:06:54.457 CET: ISDN Se0/1/0:15 Q931: RX - SETUP_ACK pd = 8
 callref = 0x8D0D
        Channel ID i = 0xA9839F
                Exclusive, Channel 31


 Nov 15 10:06:56.745 CET: ISDN Se0/1/0:15 Q931: RX - CALL_PROC pd = 8
 callref = 0x8D0D
 Nov 15 10:07:18.206 CET: ISDN Se0/1/0:15 Q931: RX - ALERTING pd = 8
 callref = 0x8D0D
 Nov 15 10:07:18.302 CET: ISDN Se0/1/0:15 Q931: RX - CONNECT pd = 8
 callref = 0x8D0D
 Nov 15 10:07:18.302 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
 connected to 199151119 N/A
 Nov 15 10:07:18.302 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
 connected to 199151119 N/A
 Nov 15 10:07:18.302 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
 connected to 199151119 N/A
 Nov 15 10:07:18.302 CET: ISDN Se0/1/0:15 Q931: TX - CONNECT_ACK pd = 8
  callref = 0x0D0D
  sipSPIUpdateRtcpSession: sx79861: started RTP timer in state STATE_SENT_ALERTING

 Nov 15 10:07:21.294 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
 connected to 199151119 N/A
 Nov 15 10:07:21.294 CET: %ISDN-6-DISCONNECT: Interface Serial0/1/0:30
 disconnected from 199151119 , call lasted 2 seconds
 Nov 15 10:07:21.294 CET: ISDN Se0/1/0:15 Q931: TX - DISCONNECT pd = 8
 callref = 0x0D0D
        Cause i = 0x8090 - Normal call clearing
 Nov 15 10:07:21.306 CET: ISDN Se0/1/0:15 Q931: RX - RELEASE pd = 8
 callref = 0x8D0D
 Nov 15 10:07:21.306 CET: ISDN Se0/1/0:15 Q931: TX - RELEASE_COMP pd = 8
 callref = 0x0D0D

 The router places the call to our public switch and cut-through the voice
 path only after the CONNECT message ignoring the CALL_PROC messages and the
 relative early-audio
 stream.
 Looking at the SIP side of the call no SIP 183 Progress is sent by the
 router between the Trying and the Ringing messages.

 I would expect the router to generate proper SIP signaling and cut-through
 in the backward direction the voice path after the CALL_PROC message has
 been received.

 Any help?

 Thank you




Re: [c-nsp] to shape or not to shape

2010-10-11 Thread Roger Wiklund
Thanks all for your answers,

My initial question may not have been that well formulated/clear.

I was not asking why you need to shape on a sub-rate. I.E my first
example 5meg on a 10meg link.

I was asking if you benefit from shaping a 1984 to 1984, to utilize
more buffers etc, to delay instead of potentially drop etc.

It's clear now that you don't.

Thanks!

/Roger


[c-nsp] to shape or not to shape

2010-10-09 Thread Roger Wiklund
I have a question I have been thinking about.

Let's say we purchased a 5Mbit Ethernet Link. The physical speed of
the link is 10Mbit, so we shape outbound traffic to 5Mbit, like such:

class-map ef
 match ip dscp ef
class-map af4
 match ip dscp af41 af42 af43
class-map af3
 match ip dscp af31 af32 af33
class-map af2
 match ip dscp af21 af22 af23
class-map af1
 match ip dscp af11 af12 af13
class-map be
 match ip dscp default

policy-map qos
 class ef
  priority 1024
 class af4
  bandwidth remaining percent 40
  random-detect dscp-based
 class af3
  bandwidth remaining percent 30
  random-detect dscp-based
 class af2
  bandwidth remaining percent 20
  random-detect dscp-based
 class af1
  bandwidth remaining percent 9
  random-detect dscp-based
 class be
  bandwidth remaining percent 1

! parent shaper: 5 Mbit/s is 5000000 bps, with the CBWFQ policy as the child
policy-map shape
 class class-default
  shape average 5000000
  service-policy qos

interface wan
 service-policy output shape

So, as we shape, as long as we have buffers, we will never see any
tail drops, as we will just delay the packets until we send it,
correct?

Now imagine we have a framed e1.

interface wan
bandwidth 1984

As we have the full bandwidth, no need to shape, so I will just apply
the qos service policy for outbound traffic.

If this e1 is 100% utilized, we will get tail drops when the buffers are full.

So my question now: what if we shape the e1 to 1984? We will still
have the full speed, but we shape, and thus avoid tail drop, and just
delay the packets instead. I'm thinking we avoid TCP restarts etc. etc.
Pros/cons, or am I wrong about the whole thing? :)

Appreciate any comments,

Thanks!

/Roger


Re: [c-nsp] to shape or not to shape

2010-10-09 Thread Roger Wiklund
 Buffers are not infinite, so you might still see tail drops.

Indeed, but I'm thinking if I only apply the qos policy-map, I
switch from fifo to CBWFQ with multiple software queues, and buffers.

If I on top of that do shaping, would I not utilize yet another
buffer? I.E. the shaping buffer.

From Cisco:

shape max-buffers

To specify the maximum number of buffers allowed on shaping queues,
use the shape max-buffers class-map configuration command. To remove
the maximum number of buffers, use the no form of this command.
Defaults

The default setting is 1000 buffers.

It is a bit confusing, as we shape a 1984 to 1984. If we shape, we use
the shaping buffers: it will hold the packets in the buffer until the
next Tc. After that it can be sent; will it then utilize the interface
buffers if it can't be sent right away?

Now I'm even more confused ... :)


Re: [c-nsp] to shape or not to shape

2010-10-09 Thread Roger Wiklund
 In that perspective shaping to the
 interface speed is rather pointless.

Yeah, that's what I believe also. This whole thing started with a person
at my work telling me that we should shape a 1984 to 1984 just to
delay packets instead of tail dropping.

I just wanted to get my head around this.

Thanks,

/Roger


Re: [c-nsp] to shape or not to shape

2010-10-09 Thread Roger Wiklund
 I don't get it. Tail dropping is what you do when the queue is full, you're
 delaying a lot of packets and you don't want to fill the queue any more.
 Saying we should delay packets instead of tail dropping just doesn't make
 any sense to me.

Exactly, this was basically my initial response to him, but I was not
100% how it worked.

Thanks all for your comments.

Regards
Roger



Re: [c-nsp] Limiting Interface Traffic

2010-10-06 Thread Roger Wiklund
When we ran 3750 switches we did srr-queue bandwidth for egress, and
policing on ingress; as mentioned earlier, you may need to increase
the Bc (burst) in order to cope with the TCP sawtooth.

A quick and dirty workaround if you have plenty of ports would be to
create a dummy VLAN, put 2 of the ports in the dummy VLAN, and one of
the ports in the real VLAN. One of the dummy VLAN ports connects to the
customer, the other dummy VLAN port connects to the real VLAN port in
the same switch, and voilà, you can use srr-queue bandwidth limit for
both in and out. Just put it on the port towards the customer, and on
the port that has the real VLAN.

I have used this to overcome ACLs on switched interfaces that can only
be applied in the incoming direction.

Regards
Roger


On Wed, Oct 6, 2010 at 11:55 AM, Per Carlson pe...@hemmop.com wrote:
 Ummm.  So how big are the buffers in the ME3600 and ME3800 series?

 Don't remember exactly, but the docs gives some pin points. When
 configuring WTD, it's possible with a queue-limit of 491520 bytes
 (default is 2000).

 --
 Pelle

 RFC1925, truth 11:
  Every old idea will be proposed again with a different name and
  a different presentation, regardless of whether it works.





Re: [c-nsp] neighbor remove-private-as don't work on PE-CE

2010-10-06 Thread Roger Wiklund
Have you tried local-as no-prepend replace-as. That should only show
the local-as in the path, and thus you can manipulate it that way.

Regards
Roger

On Wed, Oct 6, 2010 at 6:23 PM, Ibrahim Abo Zaid
ibrahim.aboz...@gmail.com wrote:
 sorry guys , but i already tried as-override and remove private before
 posting :)

 here is the topology to give you a wider image about the topology

 Cory

 plz check the topology
 as i said before , i need CE1 to see the routes of CE2 without 64550 in
 as-path

 i hope you got me now


 On Wed, Oct 6, 2010 at 6:05 PM, Heath Jones hj1...@gmail.com wrote:

  If the customer is provisioned inside a VRF you could use the AS-override
 feature to rewrite each AS Hop in the path to the configured BGP neighbor
 ASN.
 
 http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_n1.html#wp1034057

 Yep, looks like you should use either of these, depending on scenario:
 as-override  = Override matching AS-number while sending update
 remove-private-as  =  Remove private AS number from outbound updates

 I think Cory is probably correct as this does sound like a VRF scenario...

  Why do you need to manipulate the path attribute?  What are you trying to
 accomplish?  Perhaps there is another approach.
 Otherwise






Re: [c-nsp] neighbor remove-private-as don't work on PE-CE

2010-10-06 Thread Roger Wiklund
There are some new features with IOS 15 with remove-private-as,

I.e. you can remove private AS even if there is a mix of public and private.

You can remove the AS even if it's from your eBGP neighbour.

http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_remove_as.html#wp1091907

Regards
Roger

On Wed, Oct 6, 2010 at 7:15 PM, Ibrahim Abo Zaid
ibrahim.aboz...@gmail.com wrote:
 yes and it is still here
 and that is normal because it is eBGP session at the end
 so PE1 will attach it is ASN in outbound updates , but as you know with
 local-as feature we can manipulate real ASN and make it replaced with local
 ASN
 but i can't do the reverse and that is what i want


 any ideas ?



 On Wed, Oct 6, 2010 at 7:08 PM, Roger Wiklund co...@xy.org wrote:

 Have you tried local-as no-prepend replace-as. That should only show
 the local-as in the path, and thus you can manipulate it that way.

 Regards
 Roger

 On Wed, Oct 6, 2010 at 6:23 PM, Ibrahim Abo Zaid
 ibrahim.aboz...@gmail.com wrote:
  sorry guys , but i already tried as-override and remove private before
  posting :)
 
  here is the topology to give you a wider image about the topology
 
  Cory
 
  plz check the topology
  as i said before , i need CE1 to see the routes of CE2 without 64550 in
  as-path
 
  i hope you got me now
 
 
  On Wed, Oct 6, 2010 at 6:05 PM, Heath Jones hj1...@gmail.com wrote:
 
   If the customer is provisioned inside a VRF you could use the
 AS-override
  feature to rewrite each AS Hop in the path to the configured BGP
 neighbor
  ASN.
  
 
 http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_n1.html#wp1034057
 
  Yep, looks like you should use either of these, depending on scenario:
  as-override  = Override matching AS-number while sending update
  remove-private-as  =  Remove private AS number from outbound updates
 
  I think Cory is probably correct as this does sound like a VRF
 scenario...
 
   Why do you need to manipulate the path attribute?  What are you trying
 to
  accomplish?  Perhaps there is another approach.
  Otherwise
 
 
 





Re: [c-nsp] dhcp problems with ip phones

2010-10-06 Thread Roger Wiklund
I doubt it's a bug, but you can check the bugtool.

Are these two Siemens IP-Phones running some other newer/older
software? Do they have a fallback mode if they don't get an IP via DHCP,
where they default to an IP that just happens to be in the same range that you
are providing? Have you tried a factory reset on them etc.?

Regards
Roger

On Wed, Oct 6, 2010 at 7:12 PM, Arne Larsen / Region Nordjylland
a...@rn.dk wrote:
 Hi All.

 I know this might be a bit off topic, but anyhow
 I have DHCP problems with Siemens IP-phone endpoints under Cisco ws-c3750.
 It's quite odd, the problem only happens between two Siemens phones.
 Sometimes when an endpoint tries to get an IP address via DHCP, another 
 answers on its behalf.
 The flow is like this.
 The endpoint sends a discover, the server sends an offer via the relay agent.
 The endpoint sends a request and the server acks.
 After this the endpoint sends a gratuitous ARP on the requested address, and 
 then another answers that it has the IP address.
 I've pulled out the ARP table before enabling a new endpoint to get the IP 
 address list on the switch.
 But after the decline I can't find the MAC address in the ARP table that I 
 pulled out before activating the new endpoint.
 If I use a laptop or another vendor's IP phone I don't see the problem.
 Does anyone know of a similar problem, is there a known bug on Cisco 
 ws-c3750 with software release 12.2(25r)SEE3?
 I know that everyone will point towards the Siemens phones, and I'm doing 
 that myself, but I just want to be sure that I haven't missed something.

 /Arne





Re: [c-nsp] QoS on the 2960

2010-09-23 Thread Roger Wiklund
This should work.

This is the way I did bandwidth management on a 3750: policing on
ingress and srr-queue bandwidth limit on egress.

The problem with Internet users and TCP is policing. As soon as a
packet exceeds the limit it drops it. And TCP has to resend, and then
you have the TCP sliding window etc. So you will see a sawtooth
effect if you look at graphs.

Our Internet users complained about this when they ran TCP based
bandwidth testers. If you crank up the burst when you police, you will
see smoother graphs and get better throughput.

If you test with UDP you should get the full 8 meg.

Regards
Roger

On Thu, Sep 23, 2010 at 2:16 AM, Seth Mattinen se...@rollernet.us wrote:
 I'm trying to figure out QoS on a 2960 - something I've read about a lot
 but never had to do before. I'm very simply attempting to limit a
 customer to speed X, 8M for example. So far I have this:

 !
 mls qos srr-queue input bandwidth 100 1
 mls qos srr-queue input buffers 100 0
 mls qos srr-queue input priority-queue 2 bandwidth 0

 class-map match-all customerX
  match access-group name customerX

 policy-map customerX
  class customerX
  police 800 10 exceed-action drop

 interface FastEthernet0/1
  srr-queue bandwidth limit 10
  service-policy input customerX
 !

 Other than the fact that the download only gets as granular as 10%,
 will this work?

 I previously tried applying 8 meg policers (with mls qos srr-queue
 defaults) on both the customer's port and the uplink port, but the net
 result seemed to be about a 3 to 5 meg max rather than closer to 8. This
 customer is alone on the switch.

 ~Seth


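
Added example for this 2960 policing thread and for the "to shape or not
to shape" thread above; it is not code from any post. It simulates a
token-bucket policer (exceed-action drop, bucket depth Bc) and a shaper
with a finite packet queue (the role of shape max-buffers) against
constructed traffic: a short burst and a sustained overload of an E1
shaped to its own 1984 kbit/s. It shows the two points the threads make:
shaping to line rate only delays a burst the buffer can hold and still
tail-drops under sustained overload, while a policer with a small Bc
drops a burst that a larger Bc lets through. Packet size, spacing and the
buffer count of 1000 (the IOS default quoted above) are assumptions.

```python
"""Token-bucket policer vs. shaper, one packet at a time.

Added example, not code from any post. Times are seconds, sizes bytes,
rates bits per second. The traffic below is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    t: float   # arrival time in seconds
    size: int  # bytes


@dataclass
class Result:
    sent: int = 0
    dropped: int = 0
    max_delay: float = 0.0  # longest wait in the shaper queue


def burst(start, count, size, gap):
    """Constructed traffic: `count` packets of `size` bytes, `gap` seconds apart."""
    return [Packet(start + i * gap, size) for i in range(count)]


def police(packets, cir_bps, bc_bytes):
    """Single-rate policer with exceed-action drop.

    Tokens refill continuously at CIR up to the bucket depth Bc. A packet
    conforms if the bucket holds at least its size; otherwise it is dropped
    on the spot, which is what makes TCP back off and saw-tooth.
    """
    res = Result()
    tokens = float(bc_bytes)
    last = packets[0].t if packets else 0.0
    for p in packets:
        tokens = min(float(bc_bytes), tokens + (p.t - last) * cir_bps / 8.0)
        last = p.t
        if p.size <= tokens:
            tokens -= p.size
            res.sent += 1
        else:
            res.dropped += 1
    return res


def shape(packets, cir_bps, max_buffers):
    """Shaper draining a FIFO at CIR.

    A packet that cannot go out immediately waits; if `max_buffers` packets
    are already queued or in transmission it is tail-dropped. Delaying only
    helps while the backlog is smaller than the buffer.
    """
    res = Result()
    departures = deque()  # finish times of packets still in the queue
    next_free = 0.0       # when the shaper can start the next packet
    for p in packets:
        while departures and departures[0] <= p.t:
            departures.popleft()
        if len(departures) >= max_buffers:
            res.dropped += 1
            continue
        start = max(p.t, next_free)
        next_free = start + p.size * 8.0 / cir_bps
        departures.append(next_free)
        res.sent += 1
        res.max_delay = max(res.max_delay, start - p.t)
    return res


E1_BPS = 1_984_000  # the framed E1 from the thread
MTU = 1500          # assumed packet size


def scenarios():
    """Two constructed loads against an E1 shaped to its own rate, plus the
    same short burst through policers with a small and a large Bc."""
    short = burst(0.0, 200, MTU, 0.001)       # 200 packets in 0.2 s, then silence
    sustained = burst(0.0, 3334, MTU, 0.003)  # 4 Mbit/s offered for 10 s
    return {
        "shape_short": shape(short, E1_BPS, 1000),
        "shape_sustained": shape(sustained, E1_BPS, 1000),
        "police_small_bc": police(short, E1_BPS, 10 * MTU),
        "police_large_bc": police(short, E1_BPS, 200 * MTU),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:18} sent={r.sent:5} dropped={r.dropped:5} max_delay={r.max_delay:.3f}s")
```

The short burst leaves the shaper with no drops but about a second of
queueing delay, the sustained overload drops several hundred packets once
the 1000-packet queue is full, and the same burst through the policer
goes from heavy loss with Bc = 10 packets to no loss with Bc = 200 packets.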


Re: [c-nsp] Weird Traceroute Issue to Specific Destination

2010-09-22 Thread Roger Wiklund
Have you checked the Cisco bugtool for your hardware/IOS?

Regards
Roger

On Wed, Sep 22, 2010 at 11:20 AM, Paul Stewart p...@paulstewart.org wrote:
 We did reboot the equipment and no difference - it's also older sup2 based
 6500 there;)

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
 Sent: September-22-10 3:40 AM
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Weird Traceroute Issue to Specific Destination

 On 09/21/2010 08:48 PM, Paul Stewart wrote:
 Ok... so here's the latest.

 I put a static route at our Internet edge - we redistribute static into
 OSPF
 so now this /32 destination is able to be seen in the routing table (other
 than the default originated route).  This solves the issue if I statically
 assign it the next hop (which is their ISP that we peer directly with via
 LINX exchange point).  I don't like this solution though because if there
 was ever an issue with the static next-hop it would never fail over ...
 plus
 I don't see *why* I should have to do this in order to find the problem ;)

 I pulled the static out and same problem re-occurs... any thoughts?

 That smells awfully like hardware FIB corruption. Have you / can you
 reload the box? Or get a TAC engineer on the line - I've had pretty good
 results with that; they usually ELAM the faulty traffic, then inspect
 the ELAM headers to tell them what FIB entry is really matching the
 traffic, then work from there. Slow process, though...

 Actually clearing FIB corruption on the PFC3 platform seems to be
 tricky; the things you think would work (clear ...) never seem to. I've
 only ever managed to clear it by shut/no shut of the suspect SVIs, and
 even then only some of the time.

 (We've seen 4-5 FIB corruption issues on sup720 w/ recent IOSes, on
 different routers)






Re: [c-nsp] Weird Traceroute Issue to Specific Destination

2010-09-21 Thread Roger Wiklund
Strange indeed.

I have seen a similar problem with the default route + CEF bug. But
that was on C10K.

You could try to add a static /32 route to the BADIP on the
xx.xx.120.25 box, just to exclude some default route issue. Also to
create a specific CEF entry.

Have you done some ip packet debugging when tracerouting etc?


On Tue, Sep 21, 2010 at 9:02 PM, Heath Jones hj1...@gmail.com wrote:
 What happens when you try BADIP+1 or something close to it?
 Also if you happened to have assigned this BADIP to a dsl customer (or
 in a routed network via radius attribute behind it), and had the
 config on the lns cause the next hop to be the 6500 (policy routing,
 vrf etc)..

 I noticed the cef version was pretty high also. Was that before the
 reboot, or because of a lot of users coming and going?

 I have a headache because of this problem now ;)



 On 21 September 2010 19:39, Paul Stewart p...@paulstewart.org wrote:
 Thanks to everyone... yeah, this is a very strange issue.  We've tested
 about 150 destinations through that path so far and only one of the
 destination IP's has given us the weird timeouts in the traceroute (which
 results in the traffic not passing specific to that destination).

 Last night, we had the opportunity to do a maintenance window and rebooted
 the 6500 and 7206VXR closest to the customer - no change.  They had been up
 for about a year...

 No, there isn't any security related devices sitting along there - we have
 them, just not in that part of the network.  They are not inline neither...

 We'll keep poking away - appreciate it..

 Paul





[c-nsp] Two mpls provider with the same core AS# workaround

2010-09-20 Thread Roger Wiklund
Hi.

Scenario: Two MPLS providers, one major with the bulk of the sites, one
minor with ~10 sites.
Both providers have the same AS# in the core, and I want to exchange
routes between these providers (via our network, not directly between
the providers).

To overcome this, I'm thinking about some different approaches (on the
minor MPLS provider side/in our own network):

BGP aggregate (in our network)
allowas-in (minor MPLS provider's network)
local-as + allowas-in (minor MPLS provider's network)
remove private as function in IOS 15.1(2)T (can remove private AS even
if you have a mix of public and private AS#)

Anyone with some experience on this and how this best can be solved?

Thanks!


Re: [c-nsp] Two mpls provider with the same core AS# workaround

2010-09-20 Thread Roger Wiklund
1. The providers are running L3VPN in their MPLS. We have CE sites
that run BGP to the PEs.

2. We are the customer.

So basically we have 2 providers, in the middle we have our network,
where we get all the routes from each provider. And we want to
propagate the routes via BGP between them.

Regards
Roger

On Mon, Sep 20, 2010 at 2:25 PM, Arie Vayner (avayner)
avay...@cisco.com wrote:
 Roger,

 What kind of services these network run (Inter-AS L3VPN)?
 What kind of service does your network provide in the scheme of all
 things (are you a transit MPLS provider, the customer etc)?

 Arie

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roger Wiklund
 Sent: Monday, September 20, 2010 12:37
 To: Cisco-nsp
 Subject: [c-nsp] Two mpls provider with the same core AS# workaround

 Hi.

 Scenario: Two MPLS providers, one major with the bulk of the sites, one
 minor with ~10 sites.
 Both providers have the same AS# in the core, and I want to exchange
 routes between these providers (via our network, not directly between
 the providers).

 To overcome this, I'm thinking about some different approaches (on the
 minor MPLS provider side/in our own network):

 BGP aggregate (in our network)
 allowas-in (minor MPLS provider's network)
 local-as + allowas-in (minor MPLS provider's network)
 remove private as function in IOS 15.1(2)T (can remove private AS even
 if you have a mix of public and private AS#)

 Anyone with some experience on this and how this best can be solved?

 Thanks!



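
Added example for this thread and for the "neighbor remove-private-as
don't work on PE-CE" thread above; it is not code from any post. It
models the order IOS applies to the AS_PATH on a PE-CE eBGP session:
private-AS removal and as-override act on the received path, and only
then is the router's own AS (or its local-as) prepended, which is why
remove-private-as never strips the sending PE's own 64550 and why
local-as with replace-as does. It also models the loop check that
allowas-in relaxes, for the two-providers-with-one-AS case. AS 64550 is
the provider core AS from the thread; 65001, 65002, 65100 and 2000 are
made-up customer, local-as and public ASes. Only plain 16-bit,
non-confederation behaviour is modelled.

```python
"""IOS AS_PATH handling on a PE-CE eBGP session, as a model.

Added example, not code from any post. AS 64550 comes from the thread; the
other AS numbers are assumptions.
"""


def is_private_as(asn):
    """16-bit private AS range, 64512-65534 (RFC 6996)."""
    return 64512 <= asn <= 65534


def outbound_path(path, own_as, neighbor_as, *, remove_private_as=False,
                  remove_private_all=False, as_override=False,
                  local_as=None, replace_as=False):
    """Return the AS_PATH sent to an eBGP neighbor.

    remove_private_as   - classic behaviour: private ASes are stripped only
                          when the whole path is private; a mixed path is
                          left untouched
    remove_private_all  - 'remove-private-as all' (15.1(2)T and later):
                          every private AS is stripped, mixed or not
    as_override         - each occurrence of the neighbor's AS becomes own_as
    local_as/replace_as - 'neighbor ... local-as X [no-prepend] [replace-as]':
                          X is prepended; without replace-as the real AS is
                          prepended as well (no-prepend only affects inbound)
    """
    p = list(path)
    if remove_private_all:
        p = [a for a in p if not is_private_as(a)]
    elif remove_private_as and p and all(is_private_as(a) for a in p):
        p = []
    if as_override:
        p = [own_as if a == neighbor_as else a for a in p]
    if local_as is None:
        prefix = [own_as]
    elif replace_as:
        prefix = [local_as]
    else:
        prefix = [local_as, own_as]
    return prefix + p


def accept_inbound(path, own_as, allowas_in=0):
    """BGP loop check: a path carrying our own AS is rejected unless
    'neighbor ... allowas-in N' permits up to N occurrences."""
    return path.count(own_as) <= allowas_in


PROVIDER_AS = 64550             # from the thread
CE1_AS, CE2_AS = 65001, 65002   # assumed customer sites
PUBLIC_AS = 2000                # assumed public AS for the mixed-path case


def ce1_sees(**opts):
    """Path CE1 receives for a CE2 prefix: PE1 holds [CE2_AS] (learned from PE2
    inside the VPN; iBGP adds nothing) and sends it to CE1."""
    return outbound_path([CE2_AS], PROVIDER_AS, CE1_AS, **opts)


def via_second_provider(allowas_in=0, strip_private=False):
    """Two-provider case: the customer (AS CE1_AS) re-exports a route learned
    from provider A, [64550 65002], to provider B, whose PE also runs AS 64550.
    Returns (path offered to B, whether B's PE accepts it)."""
    offered = outbound_path([PROVIDER_AS, CE2_AS], CE1_AS, PROVIDER_AS,
                            remove_private_all=strip_private)
    return offered, accept_inbound(offered, PROVIDER_AS, allowas_in)


if __name__ == "__main__":
    print("default            ", ce1_sees())
    print("remove-private-as  ", ce1_sees(remove_private_as=True))
    print("local-as replace-as", ce1_sees(local_as=65100, replace_as=True))
    print("mixed, classic     ", outbound_path([PROVIDER_AS, PUBLIC_AS], CE1_AS,
                                               PROVIDER_AS, remove_private_as=True))
    print("mixed, 'all'       ", outbound_path([PROVIDER_AS, PUBLIC_AS], CE1_AS,
                                               PROVIDER_AS, remove_private_all=True))
    print("2nd provider       ", via_second_provider())
    print("  with allowas-in 1", via_second_provider(allowas_in=1))
```

With the defaults CE1 sees 64550 65002; remove-private-as empties the
received private path but 64550 is prepended afterwards, so CE1 still
sees it; local-as 65100 replace-as is the only option here that keeps
64550 out. In the two-provider case the re-exported path carries 64550,
so provider B's PE drops it as a loop until it is configured with
allowas-in (or the customer strips private ASes on export, at the cost
of the origin AS).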


Re: [c-nsp] Multiple NAT Rerouting Web Traffic

2010-09-07 Thread Roger Wiklund
Check this link out,

http://forums.whirlpool.net.au/archive/1498451

On Tue, Sep 7, 2010 at 6:57 PM, Ray Davis ray-li...@carpe.net wrote:
 Thanks for the help!

 I tried my previous test config again except with this difference...

    ip access-list extended NAT_Exempt
    deny tcp any any eq www
    deny tcp any any eq 443
    deny   ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
    deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
    permit ip 192.168.8.0 0.0.0.255 any

 If I do a sh ip nat translations it looks like http traffic is being NATed 
 correctly:

 HTTP Traffic (123.123.123.123 is the VDSL ip address):
  tcp 123.123.123.123:14757   192.168.8.1:14757     212.96.133.192:80     
 212.96.133.192:80

 Non-HTTP Traffic (12.34.12.34 is the SDSL ip address (default)):
  tcp 12.34.12.34:50004     192.168.8.115:50004   93.133.195.154:5938   
 93.133.195.154:5938

 But doesn't seem to go out the correct interface.  At least there is never an 
 http connection made.  :/

 Cheers,
 Ray

 On 6. Sep 2010, at 22:35 Uhr, Jan Gregor wrote:

 Hi,

 access-list 110 remark * ACL route-map RerouteWebTraffic *
 access-list 110 permit tcp any any eq www
 access-list 110 permit tcp any any eq 443

 route-map sdsl permit 10
 match ip address NAT_Exempt

 ip access-list extended NAT_Exempt
 deny   ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 any

 I guess this is the problem. Try denying things allowed in acl 110 away
 from acl NAT_Exempt and see if that helps (be sure that these new denies
 are before permit in that acl).

 Best regards,

 Jan







Re: [c-nsp] Multiple NAT Rerouting Web Traffic

2010-08-31 Thread Roger Wiklund
Here is the NAT order of operations in a Cisco router:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1

I just put something together in the lab, not sure if this is what you
want to accomplish, but it works like this:

interface FastEthernet0/0
 description INSIDE INTERFACE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description OUTSIDE 1 (your ethernet)
 ip address 172.18.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1/0
 description OUTSIDE 2 (your Dialer3)
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex

This is just to simulate Internet access on both routers. Behind Fa0/1
is a router with a loopback that has 1.1.1.1/24, the same goes for
Fa1/0.

ip route 0.0.0.0 0.0.0.0 172.18.1.2
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
Standard PAT config. ACL 100 denies ICMP, which means that ICMP will
never be NAT:ed on Fa0/1. In your case this needs to be an HTTP/HTTPS
deny.

ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
!
access-list 100 deny   icmp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Then we do PBR: basically, when the protocol is ICMP, send it out of
the Fa1/0 interface (Dialer3; again, this should be web traffic for
you).
access-list 150 permit icmp any any
!
!
route-map PBR permit 10
 match ip address 150
 set interface FastEthernet1/0

So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to
Fa1/0, and it gets NAT:ed
isp2
*Mar  1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1

And when I try a telnet to 1.1.1.1 PBR will not kick in, and it will
just NAT it to Fa0/1.

client#telnet 1.1.1.1
Trying 1.1.1.1 ... Open


User Access Verification

Password:
isp1

Again, I'm not sure this will suit your environment. but perhaps you
can get something from it ..

Regards
Roger



On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis ray-li...@carpe.net wrote:
 Hi y'all,

 Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces.  
 Both need to do NAT (private IPs inside).  One is the default route, the 
 other should be used for web traffic.  After trying various configs, I got 
 rerouting web traffic out the 2nd interface working, but it's not NATed 
 properly (going out with the default interface IP).  I can also get multiple 
 NAT working, but not with the reroute web traffic route-map (only with static 
 routes).

 Has anyone done this?  Is it even possible with IOS or am I missing something 
 here?  It seems like the which interface am I NATing part occurs before the 
 which interface do I need to send this packet through part.

 Below are the relevant parts of this config first, then the whole config 
 (in case something else is mucking me up).  There is also some VPN and VoIP 
 Appliance priority stuff.  Any clues would be much appreciated!

 TIA,
 Ray

 --

 interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip policy route-map RerouteWebTraffic

 interface FastEthernet0/1
 description Upstream SDSL (123.123.123.104 /29)
 ip address 123.123.123.108 255.255.255.248
 ip nbar protocol-discovery
 ip nat outside
 crypto map CustVPNs
 service-policy output StarfacePolicy

 interface Dialer3
 description Upstream VDSL (dynamic ip)
 ip nat outside

 ip route 0.0.0.0 0.0.0.0 123.123.123.105
 ip route 10.0.0.1 255.255.255.255 Dialer3

 ip nat inside source route-map sdsl interface FastEthernet0/1 overload
 ip nat inside source route-map vdsl interface Dialer3 overload

 access-list 110 remark * ACL route-map RerouteWebTraffic *
 access-list 110 permit tcp any any eq www
 access-list 110 permit tcp any any eq 443

 route-map sdsl permit 10
 match ip address NAT_Exempt
 !
 route-map sdsl permit 20
 match interface FastEthernet0/1
 !
 route-map vdsl permit 10
 match interface Dialer3
 !
 route-map RerouteWebTraffic permit 10
 match ip address 110
 set ip default next-hop 10.0.0.1

 --

 I also tried this instead of the next-hop route-map above, but no-workie:

 route-map RerouteWebTraffic permit 10
 match ip address 110
 set interface Dialer3

 = Whole Config ===

 !
 ! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
 ! NVRAM config last updated at 

Re: [c-nsp] Multiple NAT Rerouting Web Traffic

2010-08-31 Thread Roger Wiklund
Here is the NAT order of operations in a Cisco router:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1

I just put something together in the lab, not sure if this is what you
want to accomplish, but it works like this:

interface FastEthernet0/0
 INSIDE INTERFACE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 speed 100
 full-duplex
!
interface FastEthernet0/1
 OUTSIDE 1 (your ethernet)
 ip address 172.18.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1/0
 OUTSIDE 2 (your Dialer3)
 ip address 10.10.10.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex

This is just to simulate Internet access on both routers. Behind Fa0/1
is a router with a loopback that has 1.1.1.1/24, the same goes for
Fa1/0.

ip route 0.0.0.0 0.0.0.0 172.18.1.2
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
standard PAT config. ACL 100 denies ICMP, which means that SNMP will
never be NAT:ed on Fa0/1. In your case this needs to be an HTTP/HTTPS
deny.

ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
!
access-list 100 deny   icmp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Then we do PBR: basically, when the protocol is ICMP, send it out of
the Fa1/0 interface (Dialer3; again, this should be web traffic for
you).
access-list 150 permit icmp any any
!
!
route-map PBR permit 10
 match ip address 150
 set interface FastEthernet1/0

So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to
Fa1/0, and it gets NAT:ed:
isp2
*Mar  1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar  1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1

And when I try a telnet to 1.1.1.1 PBR will not kick in, and it will
just NAT it to Fa0/1.

client#telnet 1.1.1.1
Trying 1.1.1.1 ... Open


User Access Verification

Password:
isp1

Again, I'm not sure this will suit your environment, but perhaps you
can get something from it.

Regards
Roger

On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis ray-li...@carpe.net wrote:
 Hi y'all,

 Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces.
 Both need to do NAT (private IPs inside). One is the default route, the
 other should be used for web traffic. After trying various configs, I got
 rerouting web traffic out the 2nd interface working, but it's not NATed
 properly (going out with the default interface IP). I can also get multiple
 NAT working, but not with the reroute web traffic route-map (only with static
 routes).

 Has anyone done this? Is it even possible with IOS or am I missing something
 here? It seems like the "which interface am I NATing" part occurs before the
 "which interface do I need to send this packet through" part.

 Below are the relevant parts of this config first, then the whole config
 (in case something else is mucking me up). There is also some VPN & VoIP
 Appliance priority stuff. Any clues would be much appreciated!

 TIA,
 Ray

 --

 interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip policy route-map RerouteWebTraffic

 interface FastEthernet0/1
 description Upstream SDSL (123.123.123.104 /29)
 ip address 123.123.123.108 255.255.255.248
 ip nbar protocol-discovery
 ip nat outside
 crypto map CustVPNs
 service-policy output StarfacePolicy

 interface Dialer3
 description Upstream VDSL (dynamic ip)
 ip nat outside

 ip route 0.0.0.0 0.0.0.0 123.123.123.105
 ip route 10.0.0.1 255.255.255.255 Dialer3

 ip nat inside source route-map sdsl interface FastEthernet0/1 overload
 ip nat inside source route-map vdsl interface Dialer3 overload

 access-list 110 remark * ACL route-map RerouteWebTraffic *
 access-list 110 permit tcp any any eq www
 access-list 110 permit tcp any any eq 443

 route-map sdsl permit 10
 match ip address NAT_Exempt
 !
 route-map sdsl permit 20
 match interface FastEthernet0/1
 !
 route-map vdsl permit 10
 match interface Dialer3
 !
 route-map RerouteWebTraffic permit 10
 match ip address 110
 set ip default next-hop 10.0.0.1

 --

 I also tried this instead of the next-hop route-map above, but no-workie:

 route-map RerouteWebTraffic permit 10
 match ip address 110
 set interface Dialer3

 = Whole Config ===

 !
 ! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
 ! NVRAM config last updated at 18:05:03 
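As an added illustration (not part of Roger's post or of any Cisco code), here is a small Python model of the inside-to-outside path in his lab: the PBR route-map picks the egress interface first, and only then is the "ip nat inside source list ... interface ... overload" rule bound to that egress interface applied. ACL evaluation uses Cisco wildcard masks; the tie-break between the two equal-cost default routes is an assumption noted in the comments.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl, pkt):
    """Extended ACL: top-down, first match wins, implicit deny at the end.
    Entries are (action, proto, src, dst); src/dst are "any" or (base, wildcard)."""
    for action, proto, src, dst in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and not wildcard_match(pkt.src, *src):
            continue
        if dst != "any" and not wildcard_match(pkt.dst, *dst):
            continue
        return action == "permit"
    return False


# Roger's lab config, transcribed from the post.
ACL_100 = [("deny", "icmp", "any", "any"),
           ("permit", "ip", ("192.168.1.0", "0.0.0.255"), "any")]
ACL_101 = [("permit", "ip", ("192.168.1.0", "0.0.0.255"), "any")]
ACL_150 = [("permit", "icmp", "any", "any")]
OUTSIDE_IP = {"FastEthernet0/1": "172.18.1.1", "FastEthernet1/0": "10.10.10.1"}
# route-map PBR permit 10 / match ip address 150 / set interface FastEthernet1/0
PBR = [(ACL_150, "FastEthernet1/0")]
# ip nat inside source list 100 interface Fa0/1 overload
# ip nat inside source list 101 interface Fa1/0 overload
NAT_RULES = [(ACL_100, "FastEthernet0/1"), (ACL_101, "FastEthernet1/0")]
# Assumption: of the two equal-cost default routes, plain routing sends this flow to Fa0/1.
ROUTED_EGRESS = "FastEthernet0/1"


def forward(pkt, pbr=PBR):
    """Inside-to-outside path in Cisco's order of operations: policy routing (then
    routing) chooses the egress interface, and only afterwards is inside->outside NAT
    applied, using the overload rule bound to that egress interface.
    Returns (egress interface, source address as seen on the wire)."""
    egress = ROUTED_EGRESS
    for acl, iface in pbr:                  # ip policy route-map PBR on Fa0/0
        if acl_permits(acl, pkt):
            egress = iface
            break
    wire_src = pkt.src                      # stays untranslated unless a rule permits it
    for acl, iface in NAT_RULES:
        if iface == egress and acl_permits(acl, pkt):
            wire_src = OUTSIDE_IP[iface]    # PAT to the egress interface address
            break
    return egress, wire_src


if __name__ == "__main__":
    ping = Packet("icmp", "192.168.1.10", "1.1.1.1")
    telnet = Packet("tcp", "192.168.1.10", "1.1.1.1", 23)
    print("ping        ", forward(ping))           # ('FastEthernet1/0', '10.10.10.1')
    print("telnet      ", forward(telnet))         # ('FastEthernet0/1', '172.18.1.1')
    # With PBR removed, the ping is routed out Fa0/1, where ACL 100's deny entry keeps
    # it out of the translation: it leaves with its private source address.
    print("ping, no PBR", forward(ping, pbr=[]))   # ('FastEthernet0/1', '192.168.1.10')
```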

Re: [c-nsp] Multiple NAT Rerouting Web Traffic

2010-08-31 Thread Roger Wiklund
 Which means that SNMP will never be NAT:ed on Fa0/1.

Typo :) Should of course be ICMP.

On Tue, Aug 31, 2010 at 4:01 PM, Roger Wiklund co...@xy.org wrote:
 Here is the NAT order of operations in a Cisco router:

 http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1

 I just put something together in the lab, not sure if this is what you
 want to accomplish, but it works like this:

 interface FastEthernet0/0
  INSIDE INTERFACE
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip policy route-map PBR
  speed 100
  full-duplex
 !
 interface FastEthernet0/1
  OUTSIDE 1 (your ethernet)
  ip address 172.18.1.1 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  speed 100
  full-duplex
 !
 interface FastEthernet1/0
  OUTSIDE 2 (your Dialer3)
  ip address 10.10.10.1 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  speed 100
  full-duplex

 This is just to simulate Internet access on both routers. Behind Fa0/1
 is a router with a loopback that has 1.1.1.1/24, the same goes for
 Fa1/0.

 ip route 0.0.0.0 0.0.0.0 172.18.1.2
 ip route 0.0.0.0 0.0.0.0 10.10.10.2
 !
 standard PAT config. ACL 100 denies ICMP, which means that SNMP will
 never be NAT:ed on Fa0/1. In your case this needs to be an HTTP/HTTPS
 deny.

 ip nat inside source list 100 interface FastEthernet0/1 overload
 ip nat inside source list 101 interface FastEthernet1/0 overload
 !
 access-list 100 deny   icmp any any
 access-list 100 permit ip 192.168.1.0 0.0.0.255 any

 access-list 101 permit ip 192.168.1.0 0.0.0.255 any

 Then we do PBR: basically, when the protocol is ICMP, send it out of
 the Fa1/0 interface (Dialer3; again, this should be web traffic for
 you).
 access-list 150 permit icmp any any
 !
 !
 route-map PBR permit 10
  match ip address 150
  set interface FastEthernet1/0

 So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to
 Fa1/0, and it gets NAT:ed:
 isp2
 *Mar  1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
 *Mar  1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
 *Mar  1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
 *Mar  1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
 *Mar  1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1

 And when I try a telnet to 1.1.1.1 PBR will not kick in, and it will
 just NAT it to Fa0/1.

 client#telnet 1.1.1.1
 Trying 1.1.1.1 ... Open


 User Access Verification

 Password:
 isp1

 Again, I'm not sure this will suit your environment, but perhaps you
 can get something from it.

 Regards
 Roger

 On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis ray-li...@carpe.net wrote:
 Hi y'all,

 Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces.
 Both need to do NAT (private IPs inside). One is the default route, the
 other should be used for web traffic. After trying various configs, I got
 rerouting web traffic out the 2nd interface working, but it's not NATed
 properly (going out with the default interface IP). I can also get multiple
 NAT working, but not with the reroute web traffic route-map (only with
 static routes).

 Has anyone done this? Is it even possible with IOS or am I missing
 something here? It seems like the "which interface am I NATing" part occurs
 before the "which interface do I need to send this packet through" part.

 Below are the relevant parts of this config first, then the whole config
 (in case something else is mucking me up). There is also some VPN & VoIP
 Appliance priority stuff. Any clues would be much appreciated!

 TIA,
 Ray

 --

 interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 ip policy route-map RerouteWebTraffic

 interface FastEthernet0/1
 description Upstream SDSL (123.123.123.104 /29)
 ip address 123.123.123.108 255.255.255.248
 ip nbar protocol-discovery
 ip nat outside
 crypto map CustVPNs
 service-policy output StarfacePolicy

 interface Dialer3
 description Upstream VDSL (dynamic ip)
 ip nat outside

 ip route 0.0.0.0 0.0.0.0 123.123.123.105
 ip route 10.0.0.1 255.255.255.255 Dialer3

 ip nat inside source route-map sdsl interface FastEthernet0/1 overload
 ip nat inside source route-map vdsl interface Dialer3 overload

 access-list 110 remark * ACL route-map RerouteWebTraffic *
 access-list 110 permit tcp any any eq www
 access-list 110 permit tcp any any eq 443

 route-map sdsl permit 10
 match ip address NAT_Exempt
 !
 route-map sdsl permit 20
 match interface FastEthernet0/1
 !
 route-map vdsl permit 10
 match interface Dialer3
 !
 route-map RerouteWebTraffic permit 10
 match ip address 110
 set ip default next-hop 10.0.0.1

 --

 I also tried this instead of the next-hop route-map above, but no-workie:

 route-map RerouteWebTraffic permit 10

Re: [c-nsp] 0/0 into an ipv4 vrf

2010-08-26 Thread Roger Wiklund
You should be able to advertise a default route in both the global and the VRF table.

As Phil said, with default-information originate/redistribute static, or,
if you want to unconditionally advertise a default route, use
neighbor a.b.c.d default-originate. With this command you don't need
to have a default route present in the routing table. The drawback,
however, is that if your default route fails, you will still advertise one,
potentially causing a black hole.

Regards
Roger

On Thu, Aug 26, 2010 at 8:18 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 08/26/2010 12:58 AM, Jason Lixfeld wrote:

 I'm fiddling with my lab, attempting to edumacate myself on L3VPNs.
 I'm trying to figure out the best way to get a default route into my
 test vrf.  Since I'm doing BGP between all my PEs, it seems sensible
 that I try to originate the default route in BGP instead of
 redistributing it from another protocol.  I'm having problems doing
 this.

 router bgp xxx
  address-family ipv4 vrf TEST
  default-information originate
  redis static
 ip route vrf TEST 0.0.0.0 0.0.0.0 ...

 ...is one way. Possibly I am missing your point though?




[c-nsp] Slight OT, IPv6 books recommendation.

2010-08-26 Thread Roger Wiklund
I know this is a bit OT but I was wondering if someone can recommend a
good IPv6 book.

I have a basic knowledge, running IPv6 at home on my OpenBSD computer
using Hurricane Electric as a tunnel broker. So I have a /64 for my
clients, pointers with reverse DNS, and that works just fine and
dandy.

However, I would like to learn more about real world scenarios, like
best practice IPv6 in an MPLS network with L3VPNs. Also things like
addressing size for point-to-point links, loopbacks, LAN etc. Should
you use link-local/site-local, or use real public IPs etc.?

Also in the ISP environment, block size for, let's say, a home DSL
connection running IPv6. Security issues etc.

Thanks!

/Roger


Re: [c-nsp] problems with NAT

2010-08-23 Thread Roger Wiklund
Strange. I would start by simplifying the NAT to a very basic level.
Skip the pool and just overload directly to fa0/0.

Something like:

ip nat inside source list 10 interface fa0/0 overload

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.20.1.0 0.0.0.255

If that works, try adding your real config.

Or, you could try with this scenario: "On c7200-is-mz.122-3.bin, NAT
works on everything except for SIP traffic (udp 5060) from the multilink1",
and then disable the SIP-aware NAT with "no ip nat service sip udp
port 5060". In theory you will need this enabled, but we actually
always disable it when we do SIP NAT; otherwise it won't work with our
PBX.


Regards, Roger

On Sun, Aug 22, 2010 at 9:03 PM, Lee Starnes lee.t.star...@gmail.com wrote:
 Hi,

 We are seeing a problem with NAT on a Cisco 7206VXR that has us completely
 stumped. The setup is working using a 1721, but when replacing that with the
 7206 it does not seem to work.

 Current setup:

 The Internet connection comes into a 2950 switch. This is handed to
 several devices on vlan 10, including the 1721 as a trunked vlan on its
 fa0.1. The 1721 also has fa0.2 on vlan 20, which is the private network.
 There are 2 T1s connected to this router on s0 and s1 in a multilink bundle
 (multilink1). Interfaces multilink1 and fa0.2 are configured as ip nat
 inside. fa0.1 is configured as ip nat outside. Static nat mappings to
 devices on the private ethernet and to the T1 network work great.

 Now, we replaced that 1721 with a 7206VXR and the NAT does not work
 correctly, and the behavior is different depending upon what IOS version we
 load. The difference in network configuration now is that instead of using a
 trunk of vlans, there are individual fast ethernet ports. So fa0.1 and fa0.2
 get replaced with fa0/0 and fa0/1.

 Here is the issue. On c7200-is-mz.123-25.bin, NAT only works on devices on
 the private ethernet. On c7200-is-mz.122-3.bin, NAT works on everything
 except for SIP traffic (udp 5060) from the multilink1. On
 c7200-advipservicesk9-mz.124-2.T5.bin, NAT does not seem to work on any
 traffic on the multilink and only partially works on private ethernet
 traffic. It seems to not want to NAT some traffic and leaves it as sourced
 from the private IP.

 I have included the interface and NAT portions of the config below. There
 are more NAT mappings than shown, but just included the first two. Does
 anyone know why this would work on the 1721 and not the 7206?

 interface Multilink1
  description T1s to office
  ip address 172.20.1.1 255.255.255.252
  ip nat inside
  load-interval 30
  ppp multilink
  ppp multilink fragment disable
  ppp multilink links maximum 2
  ppp multilink links minimum 1
  ppp multilink group 1
  service-policy output adtran-VoIP-policy
 !
 interface FastEthernet0/0
  description Public internet at colo
  ip address y.y.y.17 255.255.255.240
  ip nat outside
 !
 interface FastEthernet0/1
  description Private network at colo
  ip address 10.10.100.254 255.255.255.0
  ip nat inside
 !


 ip nat translation max-entries 1
 ip nat pool pool1 y.y.y.18 y.y.y.18 netmask 255.255.255.240
 ip nat inside source list 10 pool pool1 overload


 ip nat inside source static 172.20.1.2 y.y.y.19
 ip nat inside source static 10.10.100.21 y.y.y.21
 ip nat inside source static tcp 10.2.2.3 443 y.y.y.51 443 extendable
 ip nat inside source static tcp 10.2.2.3 80 y.y.y.51 80 extendable
 !
 access-list 10 permit 10.0.0.0 0.255.255.255
 access-list 10 permit 172.20.1.0 0.0.0.255


 Thanks,

 -Lee




Re: [c-nsp] Voice and nat

2010-08-21 Thread Roger Wiklund
I would mirror the desired ports in the switch (LAN, WAN), hook up a PC and
run Wireshark. Make a call from/to the wireless clients and capture
the data; in the SIP INVITE, scroll down to the SDP and you will see the
IP address used for the RTP stream. You should also see the flow there.

Ensure that the routing is working correctly based on that info, check
NAT translation statistics in the router etc. If you have spare public
IPs, do 1-to-1 NAT on one of the wireless clients; does that fix the
problem? If so, check what ports/IPs are used etc.

/Roger

On Tue, Aug 17, 2010 at 5:10 PM, j s ba...@moris.org wrote:
 I hope this is where I have to post this question.
 I have 2 routers. r1 is the router connected to the net via an ethernet
 interface, it is performing nat to exit to the world, and r2 is a router
 behind it and connects wireless users.
 r1 and r2 have a switch between them, and a few servers and end users are
 connected there.
 The ip addresses of the devices on this switch are from 192.168.1.0/24. The ip
 addresses of the wlan customers are from 192.168.2.0/24.
 I have an asterisk Server connected to the switch having ip address
 192.168.1.111.
 Customers are able to connect to the asterisk from the outside network and
 get sip calls with no problem. Customers from inside the network, coming
 from 192.168.1.0/24, too.
 The problem is with customers connected to the wifi network. Sip is ok, but
 rtp isn't.
 Btw, all the customers are natted for getting to the internet.
 There is also some traffic coming from the internet natted to the inside ip
 addresses of the servers.
 Any Ideas?
 Thank You all.





[c-nsp] bandwidth statement on interface to match shaped value?

2010-07-01 Thread Roger Wiklund
Hi

When using a physical interface of 100meg with an outbound policy-map that
shapes all traffic to 30meg, should the bandwidth of the physical interface
reflect the shaped value?

The policy-map is also using remaining bandwidth percentage x for different
classes.

I would assume you want the percentage level to calculate based on the
30meg, rather than on the 100meg right?

Thanks!

Regards
Roger


[c-nsp] ISDN PRI to SIP in 2811, RTP fails one way AFTER first DTMF is sent?

2010-07-01 Thread Roger Wiklund
Hi

I have a very strange issue.

Using a Cisco 2811 router with a PRI connecting to the customer's PBX, and a SIP trunk
towards Verizon.
Incoming and outgoing calls are working just fine, using the G.729 codec.
DTMF RFC2833 is configured, and I can see in the SIP INVITEs and 200 OK messages
that it is indeed using RFC2833.

However, when the customer makes an outgoing call and they press any key, I can
hear the tone, and I see the DTMF in the router with debug voip rtp session,
but after that, RTP is dead in the outbound direction.

IOS: c2800nm-advipservicesk9-mz.124-22.T5.bin

voice rtp send-recv
!
voice service voip
  fax protocol pass-through g711alaw
 sip
  bind control source-interface Loopback0
  bind media source-interface Loopback0

voice class codec 1
 codec preference 1 g729r8
 codec preference 2 g711alaw
 codec preference 3 g711ulaw

dial-peer voice 100 voip
 description Inbound and Outbound VoIP
 service session
 destination-pattern .T
 rtp payload-type cisco-codec-fax-ack 114
 rtp payload-type cisco-codec-fax-ind 113
 rtp payload-type nte 98
 voice-class codec 1
 session protocol sipv2
 session target sip-server
 incoming called-number 41...
 dtmf-relay rtp-nte
 ip qos dscp cs5 media
 ip qos dscp cs3 signaling
 no vad


some debugs:

invite:

v=0
o=CiscoSystemsSIP-GW-UserAgent 9659 7570 IN IP4 a.b.c.d
s=SIP Call
c=IN IP4 a.b.c.d
t=0 0
m=audio 17130 RTP/AVP 18 8 0 101
c=IN IP4 194.98.111.122
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
*a=rtpmap:101 telephone-event/8000*
a=fmtp:101 0-16

200ok:

v=0
o=BroadWorks 22417778 1 IN IP4 x.y.z.z
s=-
c=IN IP4x.y.z.z
t=0 0
m=audio 25174 RTP/AVP 18 101
*a=rtpmap:101 telephone-event/8000*
a=fmtp:101 0-15
a=ptime:20
a=fmtp:18 annexb=no

Jul  1 10:59:14.258: //501/825D605A808B/CCAPI/ccSaveDialpeerTag:
   Outgoing Dial-peer=100
Jul  1 10:59:14.258: //502/825D605A808B/CCAPI/ccSaveDialpeerTag:
   Incoming Dial-peer=10
Jul  1 10:59:14.270: ISDN Se0/0/0:15 Q921: Net RX - RR sapi=0 tei=0 nr=48
Jul  1 10:59:14.270: ISDN Se0/0/0:15 Q921: Net RX - INFO sapi=0 tei=0,
ns=48 nr=48
Jul  1 10:59:14.270: ISDN Se0/0/0:15 Q931: CONNECT_ACK pd = 8  callref =
0x005B
Jul  1 10:59:14.274: ISDN Se0/0/0:15 Q921: Net TX - RR sapi=0 tei=0 nr=49
Jul  1 10:59:21.230:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DF4 timestamp 0xB97203B6
Jul  1 10:59:21.230:  Pt:101Evt:7   Pkt:09 00 00  Snd
Jul  1 10:59:21.230: //501//CCAPI/cc_api_call_digit_begin:
   Consume mask is not set. Relaying Digit 7 to dstCallId 0x1F6
Jul  1 10:59:21.230:
//501//CCAPI/cc_relay_digit_begin_for_3way_conference:
   Check DTMF relay digit begin for 3way conf
Jul  1 10:59:21.238:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DF5 timestamp 0xB97203B6
Jul  1 10:59:21.238:  Pt:101Evt:7   Pkt:09 00 00  Snd
Jul  1 10:59:21.250:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DF6 timestamp 0xB97203B6
Jul  1 10:59:21.250:  Pt:101Evt:7   Pkt:09 00 00  Snd
Jul  1 10:59:21.278:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DF7 timestamp 0xB97203B6
Jul  1 10:59:21.278:  Pt:101Evt:7   Pkt:09 01 90  Snd
Jul  1 10:59:21.330:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DF8 timestamp 0xB97203B6
Jul  1 10:59:21.330:  Pt:101Evt:7   Pkt:09 03 20  Snd
Jul  1 10:59:21.378:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DF9 timestamp 0xB97203B6
Jul  1 10:59:21.378:  Pt:101Evt:7   Pkt:09 04 B0  Snd
Jul  1 10:59:21.402: //501//CCAPI/cc_api_call_digit_end:
   Consume mask is not set. Relaying Digit 7 to dstCallId 0x1F6
Jul  1 10:59:21.402:
//501//CCAPI/cc_relay_digit_end_for_3way_conference:
   Check DTMF relay digit end for 3way conf
Jul  1 10:59:21.410:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DFA timestamp 0xB97203B6
Jul  1 10:59:21.410:  Pt:101Evt:7   Pkt:89 04 B0  Snd
Jul  1 10:59:21.418:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DFB timestamp 0xB97203B6
Jul  1 10:59:21.418:  Pt:101Evt:7   Pkt:89 04 B0  Snd
Jul  1 10:59:21.430:  s=DSP d=VoIP payload 0x65 ssrc 0x19FA sequence
0x1DFC timestamp 0xB97203B6
Jul  1 10:59:21.430:  Pt:101Evt:7   Pkt:89 04 B0  Snd
Jul  1 10:59:24.270: ISDN Se0/0/0:15 Q921: Net TX - RRp sapi=0 tei=0 nr=49
Jul  1 10:59:24.270: ISDN Se0/0/0:15 Q921: Net RX - RRp sapi=0 tei=0 nr=48
Jul  1 10:59:24.274: ISDN Se0/0/0:15 Q921: Net TX - RRf sapi=0 tei=0 nr=49
Jul  1 10:59:24.274: ISDN Se0/0/0:15 Q921: Net RX - RRf sapi=0 tei=0 nr=48
Jul  1 10:59:34.270: ISDN Se0/0/0:15 Q921: Net RX - RRp sapi=0 tei=0 nr=48
Jul  1 10:59:34.274: ISDN Se0/0/0:15 Q921: Net TX - RRf sapi=0 tei=0 nr=49

Any tips?

I've tried G.711, an IOS upgrade, all dtmf-relay methods available, no go =( I'm
starting to think it's something with the PBX...
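Added example, not code from either post: a small Python checker that does what the Voice and NAT reply above recommends (read the c= line of the SDP to find the address the RTP stream will use) and what the PRI/SIP post needs (compare the offered and answered telephone-event payload type and event range). The INVITE and 200 OK bodies are the ones quoted in the PRI post, placeholders included; the RFC 3551 static payload table and the private-address check are assumptions added here.

```python
import ipaddress
import re

# Static RTP/AVP payload types (RFC 3551) that carry no a=rtpmap line.
STATIC_PT = {0: "PCMU", 8: "PCMA", 18: "G729"}

# SDP bodies as quoted in the post above (INVITE offer, 200 OK answer).
INVITE_SDP = """v=0
o=CiscoSystemsSIP-GW-UserAgent 9659 7570 IN IP4 a.b.c.d
s=SIP Call
c=IN IP4 a.b.c.d
t=0 0
m=audio 17130 RTP/AVP 18 8 0 101
c=IN IP4 194.98.111.122
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
*a=rtpmap:101 telephone-event/8000*
a=fmtp:101 0-16
"""
OK_SDP = """v=0
o=BroadWorks 22417778 1 IN IP4 x.y.z.z
s=-
c=IN IP4x.y.z.z
t=0 0
m=audio 25174 RTP/AVP 18 101
*a=rtpmap:101 telephone-event/8000*
a=fmtp:101 0-15
a=ptime:20
a=fmtp:18 annexb=no
"""


def parse_sdp(text):
    """Extract media address (a media-level c= overrides the session-level one),
    audio port, payload types in offered order, rtpmap names and fmtp parameters."""
    sdp = {"ip": None, "port": None, "payloads": [], "rtpmap": {}, "fmtp": {}}
    for raw in text.splitlines():
        line = raw.strip().strip("*")               # the post used * for emphasis
        if line.startswith("c="):
            m = re.match(r"c=IN IP4\s*(\S+)", line)  # tolerate 'IP4x.y.z.z' (no space)
            if m:
                sdp["ip"] = m.group(1)
        elif line.startswith("m=audio"):
            fields = line.split()
            sdp["port"] = int(fields[1])
            sdp["payloads"] = [int(pt) for pt in fields[3:]]
        elif line.startswith("a=rtpmap:"):
            pt, desc = line[len("a=rtpmap:"):].split(None, 1)
            sdp["rtpmap"][int(pt)] = desc.split("/")[0]
        elif line.startswith("a=fmtp:"):
            pt, params = line[len("a=fmtp:"):].split(None, 1)
            sdp["fmtp"][int(pt)] = params
    return sdp


def payload_name(sdp, pt):
    return sdp["rtpmap"].get(pt) or STATIC_PT.get(pt, "pt%d" % pt)


def event_range(params):
    """Expand a telephone-event fmtp string such as '0-15' or '0-11,16' into a set."""
    events = set()
    for part in params.split(","):
        lo, _, hi = part.partition("-")
        events.update(range(int(lo), int(hi or lo) + 1))
    return events


def media_is_private(ip):
    """True/False for a real address; None for an anonymised placeholder like x.y.z.z.
    A private RTP address in SDP sent towards the Internet is the classic sign that
    NAT rewrote the IP header but not the SDP body."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return None


def check_negotiation(offer_text, answer_text):
    """Compare offer and answer: agreed codec, DTMF payload type (the answer must echo
    the offered telephone-event PT) and any offered DTMF events the answer dropped."""
    offer, answer = parse_sdp(offer_text), parse_sdp(answer_text)
    agreed = [pt for pt in answer["payloads"] if pt in offer["payloads"]]
    codecs = [payload_name(answer, pt) for pt in agreed
              if payload_name(answer, pt) != "telephone-event"]
    dtmf = [pt for pt in agreed if payload_name(answer, pt) == "telephone-event"
            and payload_name(offer, pt) == "telephone-event"]
    result = {
        "codec": codecs[0] if codecs else None,
        "dtmf_pt": dtmf[0] if dtmf else None,
        "events_not_accepted": [],
        "offer_media": (offer["ip"], offer["port"]),
        "answer_media": (answer["ip"], answer["port"]),
        "offer_media_private": media_is_private(offer["ip"]),
        "answer_media_private": media_is_private(answer["ip"]),
    }
    if dtmf:   # RFC 4733 default event range is 0-15 when no fmtp line is present
        offered = event_range(offer["fmtp"].get(dtmf[0], "0-15"))
        accepted = event_range(answer["fmtp"].get(dtmf[0], "0-15"))
        result["events_not_accepted"] = sorted(offered - accepted)
    return result


if __name__ == "__main__":
    for key, value in check_negotiation(INVITE_SDP, OK_SDP).items():
        print("%-22s %s" % (key, value))
```

On the quoted exchange it reports G729 with telephone-event 101 agreed on both sides, and only event 16 (flash, offered in 0-16) missing from the answer's 0-15, so the RFC 2833 negotiation itself is consistent.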

Re: [c-nsp] bandwidth statement on interface to match shaped value?

2010-07-01 Thread Roger Wiklund
Hi,

That is what everyone is telling me, that it's just for routing protocols.
However, page 12 in the Cisco QoS book tells me this:

Some QoS tools refer to interface bandwidth, which is defined with the
bandwidth command.
Engineers should consider bandwidth defaults when enabling QoS features. On
serial interface on Cisco routers, the default bandwidth setting is T1 speed
- regardless of the actual bandwidth.

page 302:

CBWFQ provides several variations of how to configure the bandwidth
reserved for each queue. For instance, the bandwidth 64 class subcommand
reserves 64kbps of bandwidth, regardless of the bandwidth setting on
interface. The Bandwidth percent 25 class subcommand would also reserve 64
kbps for a class if the interface bandwidth had been set to 256kbps, using
the bandwidth 256 interface subcommand.

From that it seems crystal clear that the bandwidth statement on the
interface IS used for QoS. And this brings me back to my question: should I set the
bandwidth on the interface to match the shaped value?

Thanks!


On Thu, Jul 1, 2010 at 5:30 PM, Benjamin Lovell belov...@cisco.com wrote:

 The bandwidth statement just alters the EIGRP bandwidth metric. So if you
 are using EIGRP and want it to reflect the true bandwidth of the link, then
 yes. Else it does not matter.

 -Ben


 On Jul 1, 2010, at 10:43 AM, Roger Wiklund wrote:

  Hi

 When using a physical interface of 100meg with an outbound policy-map that
 shapes all traffic to 30meg, should the bandwidth of the physical
 interface
 reflect the shaped value?

 The policy-map is also using remaining bandwidth percentage x for
 different
 classes.

 I would assume you want the percentage level to calculate based on the
 30meg, rather than on the 100meg right?

 Thanks!

 Regards
 Roger





Re: [c-nsp] bandwidth statement on interface to match shaped value?

2010-07-01 Thread Roger Wiklund

Class-map: rtp (match-any)
  2743948 packets, 368861980 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  Match: ip dscp ef (46)
2743948 packets, 368861980 bytes
5 minute rate 0 bps
  Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 30 (%)
Bandwidth 13263 (kbps) Burst 331575 (Bytes)
(pkts matched/bytes matched) 0/0
(total drops/bytes drops) 0/0

 Thanks,

 Tim


 On 7/1/2010 9:30 AM, Benjamin Lovell wrote:


 The bandwidth statement just alters the EIGRP bandwidth metric. So if you
 are using EIGRP and want it to reflect the true bandwidth of the link, then
 yes. Else it does not matter.

 -Ben

 On Jul 1, 2010, at 10:43 AM, Roger Wiklund wrote:

  Hi

 When using a physical interface of 100meg with an outbound policy-map
 that
 shapes all traffic to 30meg, should the bandwidth of the physical
 interface
 reflect the shaped value?

 The policy-map is also using remaining bandwidth percentage x for
 different
 classes.

 I would assume you want the percentage level to calculate based on the
 30meg, rather than on the 100meg right?

 Thanks!

 Regards
 Roger








[c-nsp] eBGP multihop, CE default route, using PBR instead of dynamic routing?

2010-02-08 Thread Roger Wiklund
Hi

We have an MPLS customer who is running IS-IS on their LAN, and then
redistributing that into BGP to our core.

This was the original standard setup:
PE <-ebgp-> CE <-ebgp-> CUSTOMER (IS-IS)

So that worked just fine, but the customer wanted the IS-IS metric to be
injected into the BGP MED. This can be done, but with the setup above, MED is
only sent to the CE router; after that it's removed.

So what we did was to set up eBGP multihop from the PE directly to the
customer's router. We then used BGP on the CE to the customer's router, and
from the CE to the PE we used a default route.

Now, this site is the customer's HUB site, so somewhere in their LAN they
have an Internet breakout. So the customer is injecting a default route from
their router into the MPLS.

So what happened now is that when another standard site in the MPLS tried to reach
the Internet, we had a loop between the PE and CE, because the PE will send it
to the CE, and the CE will have a static default route back to the PE.

So to fix this, I skipped the default static route on the CE and enabled
eBGP between the PE and CE. That way the CE has full knowledge about both
sides.
However, this is not an optimal solution; I don't want to have 2 BGP peerings
on the PE.

So, here is what I came up with, and this is where I would like your input.

In my lab, I have the same setup, so I removed all the static routes and
dynamic routing on the CE. So basically everything is broken, because the CE
doesn't know where to send the traffic.
I then configured policy based routing, created an ACL permitting all
traffic, and created 2 route-maps that match on the ACL and set the
next hop. I then applied the route-maps to each interface on the CE.

So, when traffic comes into the CE from the PE, I match on everything and
set the next hop to the customer's router, and vice versa in the other
direction. I tested it and it worked, and it has no dynamic routing
whatsoever.

But this is just in the Lab, I really cant say what will happen in the live
network.

Has anyone done anything similar? Will PBR eat up all the CPU? Any
other problems that may occur? I mean, all I want to do on the CE is shuffle
the traffic from one interface to another.

Thanks

Regards
Roger


[c-nsp] c7200, only one IP configured, seeing 2 as connected

2009-11-16 Thread Roger Wiklund
Hi

I have a strange problem. I have a Serial interface with one /30 IP
configured as a link network between PE and CE.

interface Serial1/0
 description MPLS Circuit
 bandwidth 34368
 ip address 206.115.103.122 255.255.255.252
 ip nbar protocol-discovery
 encapsulation ppp
 framing g751
 dsu bandwidth 34010
 serial restart-delay 0
 no cdp enable
 max-reserved-bandwidth 90
 service-policy output shape-etm

router#sh conf | i 206.115.103.121
 neighbor 206.115.103.121 remote-as X

But I'm seeing 2 IPs; I'm actually seeing the PE's IP address as being
directly connected, and as I have redistribute connected it's being advertised to
the PE.

router#show ip route connected

C   206.115.103.120/30 is directly connected, Serial1/0
C   206.115.103.121/32 is directly connected, Serial1/0
router#show ip bgp nei 206.115.103.121 advertised-routes

* 206.115.103.120/30
0.0.0.0  0 32768 ?
* 206.115.103.121/32
0.0.0.0  0 32768 ?

Have you ever seen this before?

Cisco 7204VXR (NPE400) processor (revision B) with 229376K/32768K bytes of
memory.
(C7200-IS-M), Version 12.4(25b)

Regards
Roger


[c-nsp] telnet session hangs on 6503-E

2009-10-23 Thread Roger Wiklund
Hi

I'm having a weird problem with telnet to a C6503-E. When telneting from the
router connected to its WAN, there is no problem at all.

However, when I'm telneting from my jumphost, the telnet session hangs after
30 seconds if I'm lucky. Usually it hangs before I get to enter the password.

When debugging tcp, I get this error when the session hangs:

Oct 23 23:25:31: TCP2: bad seg from 192.168.105.117 -- outside window: port
23 seq 2084376338 ack 2015498788 rcvnxt 2084376350 rcvwnd 4092 len 12

I have tried service nagle, service tcp-keepalives-in/out, disabled tacacs,
tried to telnet to different IPs/VRFs on the switch, but still the exact same
thing.

I use this jumphost for this customer, and they have a bunch of 2800s and
3800s that work perfectly. But the three 6500s they have all behave like this.

Any tips?

Thanks
Roger


[c-nsp] MPLS 2 Hub sites with loadsharing, same or separate AS numbers?

2009-09-02 Thread Roger Wiklund
Hi

I have a question regarding AS numbers: what's the best solution, and
what are the pros/cons of the different setups?

Let's say there is an MPLS provider, and one customer has a HUB site with dual
CPE in the VPN. Each CE router is connected to 2 different PE routers.
Behind each CE router the customer has a Juniper router and is using eBGP
to peer with us.

They want per-session loadsharing between the two CPEs. The MPLS provider is
not planning to run iBGP between the CE routers, only eBGP to the PE.

Now, should these 2 CE routers belong to the same AS number? Let's say 100.
Or should they be in separate ones, 100 and 200?
You should still be able to loadshare with max-path eibgp 2 on the PEs even
if they are in different AS numbers, right? It is only the AS path length that
is compared, not the actual number, if I'm not mistaken.

Any pros/cons with the different setups, same AS vs. different AS?

Thanks!
Roger


Re: [c-nsp] MPLS 2 Hub sites with loadsharing, same or separate AS numbers?

2009-09-02 Thread Roger Wiklund
Sorry, it should be: Each CE router is connected to different PE routers.

And also, I forgot: pros/cons of running iBGP between the CE routers? I
know this is a benefit on the Internet, with two different ISPs, for optimal
routing, but in an MPLS cloud with the same provider I don't see that benefit.

Thanks!
Roger

On Wed, Sep 2, 2009 at 7:01 PM, Roger Wiklund co...@xy.org wrote:

 Hi

 I have a question regarding AS numbers: what's the best solution, and
 what are the pros/cons of the different setups?

 Let's say there is an MPLS provider, and one customer has a HUB site with
 dual CPE in the VPN. Each CE router is connected to 2 different PE routers.
 Behind each CE router the customer has a Juniper router and is using eBGP
 to peer with us.

 They want per-session loadsharing between the two CPEs. The MPLS provider
 is not planning to run iBGP between the CE routers, only eBGP to the PE.

 Now, should these 2 CE routers belong to the same AS number? Let's say 100.
 Or should they be in separate ones, 100 and 200?
 You should still be able to loadshare with max-path eibgp 2 on the PEs even
 if they are in different AS numbers, right? It is only the AS path length that
 is compared, not the actual number, if I'm not mistaken.

 Any pros/cons with the different setups, same AS vs. different AS?

 Thanks!
 Roger



[c-nsp] Cisco 3560 LAN QoS egress queing shaping/sharing questions

2009-08-17 Thread Roger Wiklund
Hi

I'm a bit confused regarding 3560 egress QoS.

This is the default setting on a 3560, only mls qos is enabled globally.

FastEthernet0/4
Egress Priority Queue : disabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 100  (Operational Bandwidth:100.0)
The port is mapped to qset : 1

So after reading the document, the 4 egress queues are configured with 25%
bandwidth each, and they are in shared mode, which means that they have a
minimum of 25% but can also use more from the other queues if available.

But then we have the shaped queue: 25 0 0 0.
This is from the documentation:

In shaped mode, the egress queues are guaranteed a percentage of the
bandwidth, and they are rate-limited to that amount. Shaped traffic does not
use more than the allocated bandwidth even if the link is idle. Shaping
provides a more even flow of traffic over time and reduces the peaks and
valleys of bursty traffic. With shaping, the absolute value of each weight
is used to compute the bandwidth available for the queues.

By default, weight1 is set to 25; weight2, weight3, and weight4 are set to
0, and these queues are in shared mode.

For weight1 weight2 weight3 weight4, enter the weights to control the
percentage of the port that is shaped. The inverse ratio (1/weight) controls
the shaping bandwidth for this queue. Separate each value with a space. The
range is 0 to 65535.

If you configure a weight of 0, the corresponding queue operates in shared
mode. The weight specified with the srr-queue bandwidth shape command is
ignored, and the weights specified with the srr-queue bandwidth share
interface configuration command for a queue come into effect. When
configuring queues in the same queue-set for both shaping and sharing, make
sure that you configure the lowest number queue for shaping.
The shaped mode overrides the shared mode.

Does this then mean that by default egress queue 1, handling CoS 5, EF
etc., only has 25 Mbit on a FastEthernet port, and everything above that gets
dropped?

And also:

Priority-queue out

When you configure this command, the SRR weight and queue size ratios are
affected because there is one less queue participating in SRR. This means
that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth
share command is ignored (not used in the ratio calculation).

And also, when enabling the egress priority queue, does that queue get 100% of the
bandwidth? That will starve all the other traffic. I'm reading in the Cisco
QoS book that you can have strict priority + weighted round robin. But it looks
like that's not available on the 3560.

Thanks

/Roger


Re: [c-nsp] Cisco 3560 LAN QoS egress queing shaping/sharing questions

2009-08-17 Thread Roger Wiklund
Correction!

It should be 1/25th of 100 Meg = 4 Meg. That's really strange to have such a
small limit.

Found this also:
http://www.gossamer-threads.com/lists/cisco/nsp/113754

Regards
Roger

On Mon, Aug 17, 2009 at 4:27 PM, Roger Wiklund co...@xy.org wrote:

 Hi

 I'm a bit confused regarding 3560 egress QoS.

 This is the default setting on a 3560, only mls qos is enabled globally.

 FastEthernet0/4
 Egress Priority Queue : disabled
 Shaped queue weights (absolute) :  25 0 0 0
 Shared queue weights  :  25 25 25 25
 The port bandwidth limit : 100  (Operational Bandwidth:100.0)
 The port is mapped to qset : 1

 So after reading the document, the 4 egress queues are configured with 25%
 bandwidth each, and they are in shared mode, which means that they have a
 minimum of 25% but can also use more from the other queues if available.

 But then we have the shaped queue: 25 0 0 0.
 This is from the documentation:

 In shaped mode, the egress queues are guaranteed a percentage of the
 bandwidth, and they are rate-limited to that amount. Shaped traffic does not
 use more than the allocated bandwidth even if the link is idle. Shaping
 provides a more even flow of traffic over time and reduces the peaks and
 valleys of bursty traffic. With shaping, the absolute value of each weight
 is used to compute the bandwidth available for the queues.

 By default, weight1 is set to 25; weight2, weight3, and weight4 are set to
 0, and these queues are in shared mode.

 For weight1 weight2 weight3 weight4, enter the weights to control the
 percentage of the port that is shaped. The inverse ratio (1/weight) controls
 the shaping bandwidth for this queue. Separate each value with a space. The
 range is 0 to 65535.

 If you configure a weight of 0, the corresponding queue operates in shared
 mode. The weight specified with the srr-queue bandwidth shape command is
 ignored, and the weights specified with the srr-queue bandwidth share
 interface configuration command for a queue come into effect. When
 configuring queues in the same queue-set for both shaping and sharing, make
 sure that you configure the lowest number queue for shaping.
 The shaped mode overrides the shared mode.

 Does this then mean that by default egress queue 1, handling CoS
 5, EF etc., only has 25 Mbit on a FastEthernet port, and everything above that
 gets dropped?

 And also:

 Priority-queue out

 When you configure this command, the SRR weight and queue size ratios are
 affected because there is one less queue participating in SRR. This means
 that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth
 share command is ignored (not used in the ratio calculation).

 And also, when enabling the egress priority queue, does that queue get 100% of the
 bandwidth? That will starve all the other traffic. I'm reading in the Cisco
 QoS book that you can have strict priority + weighted round robin. But it looks
 like that's not available on the 3560.

 Thanks

 /Roger


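As an added illustration, not part of the thread, the following works out what the 3560's SRR weights imply for each egress queue from the rules quoted above: a non-zero shape weight w gives the queue 1/w of the port rate and caps it there, queues with shape weight 0 split whatever is left in proportion to their share weights (my reading of the quoted documentation), and with priority-queue out queue 1 is strict priority and weight1 drops out of the ratio. With the defaults from the thread (shape 25 0 0 0, share 25 25 25 25, 100 Mbit port) queue 1 comes out at 4 Mbit.

```python
"""Egress bandwidth implied by Catalyst 3560 SRR weights (added example, not from the thread)."""

DEFAULT_PORT_MBIT = 100.0  # the FastEthernet port discussed in the thread


def srr_egress_bandwidth(shape, share, port_mbit=DEFAULT_PORT_MBIT, priority_queue=False):
    """Return {queue: (minimum_mbit, cap_mbit)} for egress queues 1..4.

    shape: the four 'srr-queue bandwidth shape' weights; a non-zero weight w
           shapes the queue to 1/w of the port rate and caps it there.
    share: the four 'srr-queue bandwidth share' weights; only their ratio
           matters, and only for queues whose shape weight is 0.
    priority_queue: 'priority-queue out' is configured, so queue 1 is strict
           priority and weight1 is dropped from the ratio calculation.
    cap_mbit is None for a shared queue, which may borrow idle bandwidth.
    """
    if len(shape) != 4 or len(share) != 4:
        raise ValueError("exactly four weights per command")
    result = {}
    remaining = port_mbit
    shared_queues = []
    for q, (w_shape, w_share) in enumerate(zip(shape, share), start=1):
        if priority_queue and q == 1:
            # Expedite queue: served whenever it has packets, bounded only by
            # the port rate. The figures for the other queues below hold only
            # while it is idle, which is why it can starve them.
            result[q] = (port_mbit, port_mbit)
            continue
        if w_shape > 0:
            # Shaped mode: inverse ratio, rate-limited even when the link is idle.
            shaped = port_mbit / w_shape
            result[q] = (shaped, shaped)
            remaining -= shaped
        else:
            shared_queues.append((q, w_share))
    total_share = sum(w for _, w in shared_queues)
    for q, w in shared_queues:
        # Shared mode: guaranteed share of what the shaped queues leave over.
        minimum = remaining * w / total_share if total_share else 0.0
        result[q] = (minimum, None)
    return result


if __name__ == "__main__":
    # Defaults from the thread: shape 25 0 0 0, share 25 25 25 25.
    for q, (minimum, cap) in srr_egress_bandwidth([25, 0, 0, 0], [25, 25, 25, 25]).items():
        print(f"queue {q}: minimum {minimum:.1f} Mbit/s, cap {cap}")
```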


Re: [c-nsp] BGP Load balance for the uplink

2009-06-20 Thread Roger Wiklund
How about just using
maximum-path x, and then doing some route maps forcing only
some traffic to use only the faster link unless it's down. Then you can
loadbalance everything else but the specific traffic. Then you might
get a more even utilization of the links.

Or perhaps you can try disable-connected-check, but it probably won't
work with dmzlink-bw.

Regards
Roger

On Thu, Jun 18, 2009 at 6:32 PM, Georgi Genov linuxloa...@gmail.com wrote:

 Here is my scenario: I have 2 uplink providers, one with 2 backup
 sessions on two different VLANs with 2x /30 IP addresses, and the other with multihop
 BGP. With the first provider (the 2 sessions) I have 2:1 speed compared to the
 second. I advertise the same prefix lists at both providers (2x /18 and
 one /24). dmzlink-bw is one solution, but it didn't work with multihop BGP.
 Any other suggestions?

 PS: Router is RSP720-3CXL-GE with Cisco IOS Software, c7600rsp72043_rp
 Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRB5a, RELEASE
 SOFTWARE (fc1)




Re: [c-nsp] 3560 cpu load question

2009-05-22 Thread Roger Wiklund
Could be broadcast storms; configure a filter on the desired interface with the
storm-control command.
You can set thresholds for unicast, multicast and broadcast.

Regards

On Fri, May 22, 2009 at 11:49 AM, Peter Rathlev pe...@rathlev.dk wrote:

 On Thu, 2009-05-21 at 16:20 -0700, Cord MacLeod wrote:
  It sits in the middle of a network.  Below are layer 2 2960 switches
  at the top of rack which the machines plug into.  Above are routers
  announcing BGP default at it in the confederation.  The machines use
  the 3560 to traverse vlans, it is also the root switch in spanning
  tree and has around 110 inbound acls applied on the interface leading
  to the edge routers.  As far as STP is concerned, the topology never
  changes so we can rule out convergence.

 Would this switch happen to have a L3 interface in a VLAN with other
 hosts? Broadcasts are always sent to the CPU, so user traffic then might
 cause spikes.

  That's every function the switch is performing.  These spikes are
  abnormal spikes, and they do not show up on my graphs, nor can I find
  the process causing them.  There is no correlation I find between the
  CPU spikes and any network traffic.

 Strange. What are the graphs graphing? Maybe the 5 min avg. every 5
 minutes? That would explain why spikes couldn't be seen there at least.

 You can set up rmon to alert you specifically when the CPU load exceeds
 some threshold:

 rmon event 1 trap SecretCommunity description Rising Event for busyPer
 owner admin
 rmon event 2 trap SecretCommunity description Falling Event for busyPer
 owner admin
 rmon alarm 1 lsystem.56.0 60 absolute rising-threshold 90 1
 falling-threshold 70 2 owner admin

 With EEM or a script on the trap receiver you could extract the process
 table at exactly the moment the CPU spikes occur.

 Regards,
 Peter

