Re: [c-nsp] Whats happens when TCAM is full on 7600/RSP720RSP-3CXL?

2020-09-18 Thread Rolf Hanßen
Hi,

at least for Sup720-3B(XL) and Sup-2T it results in number 1 for the
family that hit the limit.

So in most cases it will look that way:
#show mls cef exception status
Current IPv4 FIB exception state = TRUE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE

And yes, the box will drop down to a few Mbit of traffic.

kind regards
Rolf

> Hi,
>
> I'm currently using a 7606 (RSP720RSP-3CXL) and taking in full BGP on v4
> and v6. Obviously the TCAM is almost full and the box needs to be
> replaced.
>
> But I have a couple of questions.
>
> I have been hearing different scenarios of what would happen when the
> TCAM is full:
> 1. The whole thing goes into software routing mode for all routes, which
> causes 100% CPU and results in an unusable box
> 2. New route entries will just get dropped, current entries just stay in
> TCAM
> 3. New route entries will be software routed, but entries that are
> already in TCAM will be hardware routed. You won't notice much impact in
> the beginning.
>
> What is true?
>
> The only reason that our 7606 needs to be replaced is because of the
> TCAM. It doesn't do much traffic, like 3Gbps upstream. Only BGP/OSPF.
> And not many ports, 8 x 10Gb fiber + 30 x 1Gb copper (local servers).
>
> We will probably go for the ASR9006. But I would like to use it like I'm
> using the 7600 now, as a router/switch. I have been reading that you
> need to make some uncommon config to create Ethernet VLAN/Trunk
> interfaces and ports, as this is not commonly done with this router.
> But is this good practice? Will it be fine once I figured it out?
>
> Last question. Can I take a full BGP feed on both v4 and v6 with a
> A9K-RSP440-TR? Or do I need the -SE?
>
> Chiel
>
>
>
> Bellow are some output of our current 7600:
>
> #show mls cef maximum-route
>   IPv4 + MPLS         - 832k (default)
>   IPv6                - 90k
>   IP Multicast        - 1k
>
> #show mls cef su
> Total routes:                     915422
>      IPv4 unicast routes:          822144
>      IPv4 Multicast routes:        8
>      MPLS routes:                  2050
>      IPv6 unicast routes:          91220
>      IPv6 multicast routes:        3
>      EoM routes:                   0
>
> #show mls cef exception status
> Current IPv4 FIB exception state = FALSE
> Current IPv6 FIB exception state = FALSE
> Current MPLS FIB exception state = FALSE
>
> #show platform hardware capacity forwarding
> L3 Forwarding Resources
>   Module   FIB TCAM usage:                 Total    Used     %Used
>     2       72 bits (IPv4, MPLS, EoM)     851968   824115    97%
>            144 bits (IP mcast, IPv6)       98304    91198    93%
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


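Added example (not code from the thread): a small parser for the two show outputs quoted in this message, `show platform hardware capacity forwarding` and `show mls cef exception status`, that recomputes the fill level of each FIB TCAM region from the Used/Total columns and flags any region above a chosen threshold or any family whose exception state is already TRUE. The sample text is constructed from the 7606 numbers posted above; the 90% warning threshold is an assumption. Note that the 72-bit region is shared by IPv4, MPLS and EoM, so MPLS growth consumes IPv4 space as well.

```python
import re

# Constructed sample output, modelled on the 7606 numbers posted in the thread.
SAMPLE_CAPACITY = """\
L3 Forwarding Resources
  Module   FIB TCAM usage:                 Total    Used     %Used
    2       72 bits (IPv4, MPLS, EoM)     851968   824115    97%
           144 bits (IP mcast, IPv6)       98304    91198    93%
"""

SAMPLE_EXCEPTION = """\
Current IPv4 FIB exception state = FALSE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE
"""

# One TCAM region row: optional module number, width, families, total, used, percent.
TCAM_ROW = re.compile(
    r"^\s*(?:\d+\s+)?(?P<width>\d+) bits \((?P<families>[^)]*)\)\s+"
    r"(?P<total>\d+)\s+(?P<used>\d+)\s+(?P<pct>\d+)%\s*$"
)
EXC_ROW = re.compile(
    r"^Current (?P<fam>\S+) FIB exception state = (?P<state>TRUE|FALSE)\s*$"
)


def parse_tcam_usage(text):
    """Return {region name: (total, used, printed percent)} per TCAM width row."""
    regions = {}
    for line in text.splitlines():
        m = TCAM_ROW.match(line)
        if m:
            name = f"{m['width']} bits ({m['families']})"
            regions[name] = (int(m["total"]), int(m["used"]), int(m["pct"]))
    return regions


def parse_exception_state(text):
    """Return {family: True if in exception} from 'show mls cef exception status'."""
    states = {}
    for line in text.splitlines():
        m = EXC_ROW.match(line)
        if m:
            states[m["fam"]] = m["state"] == "TRUE"
    return states


def free_entries(regions):
    """Entries still free per region (clamped at zero in case used > total)."""
    return {name: max(total - used, 0) for name, (total, used, _) in regions.items()}


def tcam_alerts(regions, exceptions, warn_pct=90):
    """Alert lines for regions at or above warn_pct and families already in exception.

    The percentage is recomputed from the raw counters instead of trusting the
    rounded %Used column."""
    alerts = []
    for name, (total, used, _) in regions.items():
        pct = 100.0 * used / total
        if pct >= warn_pct:
            alerts.append(f"{name}: {used}/{total} entries ({pct:.1f}%) >= {warn_pct}%")
    for fam, in_exception in exceptions.items():
        if in_exception:
            alerts.append(f"{fam}: FIB exception state TRUE, new prefixes are software switched")
    return alerts


if __name__ == "__main__":
    regs = parse_tcam_usage(SAMPLE_CAPACITY)
    exc = parse_exception_state(SAMPLE_EXCEPTION)
    print("free entries:", free_entries(regs))
    for alert in tcam_alerts(regs, exc):
        print("ALERT", alert)
```

Paste the live output of the two commands into the two strings (or feed them from a collector) and run it from cron; once an exception state flips to TRUE it is already too late, so the useful signal is the fill-level warning.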


Re: [c-nsp] OSPFv3 in CoPP

2018-03-15 Thread Rolf Hanßen
Hi,

maybe you need to add the non-link-local address.

I did not separate OSPF and BGP, but this works:
ipv6 access-list acl-copp-transfer-ipv6
 permit 89 FE80::/10 any
 permit ipv6 2001:DB8::/48 any

2001:DB8::/48 contains all transfer networks and loopback addresses in my
case.

kind regards
Rolf

> Howdy,
>
> This is SUP2T, I am just playing with this in a lab (I realize sup2t is
> dead).
>
> I notice that if I enable a CoPP policy and then do clear ipv6 ospf
> process 1 (yes) the process gets stuck forever in EXSTART until I remove
> the service-policy and then instantly It connects and begins operating
> normally. I am assuming that it is because I am blocking something
> accidentally via my CoPP policy.
>
> I've allowed protocol 89 sourced from the entire link-local subnet and
> then when that didn't work I then allowed all ipv6 on the link-local
> subnet. If I debug the traffic it just keeps re-transmitting DBDs to the
> IPv4 address of the peer (that is probably just the router-id) on the
> VLAN, over and over.
>
> Does anyone have a working CoPP ACL for OSPFv3?
>
> Thanks,
> -Drew
>
>
>


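Rolf's two-line ACL above, run through a small IPv6 ACL evaluator. This is an added example, not code from the thread: it models the IOS semantics that matter here (first match wins, `any` matches everything, an explicit protocol number only matches that protocol, `ipv6` matches all, and an implicit deny at the end) and shows why OSPFv3 packets sourced from a global transfer address are only permitted once the second line is present. The test packets are constructed; `2001:db8:0:1::/64` and `2001:db8:ffff::/48` are assumed transfer networks inside and outside Rolf's /48.

```python
import ipaddress

# Constructed: the ACL posted in the reply above.
ACL_TEXT = """\
ipv6 access-list acl-copp-transfer-ipv6
 permit 89 FE80::/10 any
 permit ipv6 2001:DB8::/48 any
"""

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 58}   # IPv6 ACL keywords used here
OSPF = 89


def _proto_number(tok):
    """Map an IOS protocol keyword or number to an IP protocol number (None = any)."""
    if tok.isdigit():
        return int(tok)
    if tok == "ipv6":
        return None
    if tok in PROTO_NAMES:
        return PROTO_NAMES[tok]
    raise ValueError(f"unsupported protocol keyword: {tok}")


def _take_addr(toks):
    """Consume one address operand ('any', 'host X' or 'prefix/len') and return (network, rest)."""
    if toks[0].lower() == "any":
        return ipaddress.ip_network("::/0"), toks[1:]
    if toks[0].lower() == "host":
        return ipaddress.ip_network(toks[1] + "/128"), toks[2:]
    return ipaddress.ip_network(toks[0], strict=False), toks[1:]


def parse_acl(text):
    """Return [(action, proto or None, src_net, dst_net)] in configured order."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue   # skips the 'ipv6 access-list' header and remark lines
        action, proto = toks[0], _proto_number(toks[1])
        src, rest = _take_addr(toks[2:])
        dst, rest = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src, dst, proto):
    """First-match evaluation; returns (action, 1-based line number) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, pnum, snet, dnet) in enumerate(entries, start=1):
        if pnum is not None and pnum != proto:
            continue
        if s in snet and d in dnet:
            return action, n
    return "deny", None   # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, dst, proto in [
        ("fe80::1", "ff02::5", OSPF),               # OSPFv3 hello, link-local source
        ("2001:db8:0:1::2", "2001:db8:0:1::1", OSPF),  # OSPFv3 from a global transfer address
        ("2001:db8:ffff::1", "2001:db8::1", OSPF),  # outside the /48: dropped
        ("2001:db8::5", "2001:db8::1", 6),          # BGP from a loopback in the /48
    ]:
        print(src, "->", dst, "proto", proto, evaluate(acl, src, dst, proto))
```

The model leaves out two things a real IOS IPv6 ACL does: it carries implicit `permit icmp any any nd-ns` / `nd-na` entries ahead of the implicit deny, and it supports port and ICMP-type matches. The authoritative check on the box is `show policy-map control-plane` while the adjacency is stuck, where the drop counter of the class that catches the OSPFv3 packets will be climbing.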


Re: [c-nsp] FIB insertion issues on Sup2T routers

2018-01-02 Thread Rolf Hanßen
Hello,

on router #1 it happened again.
We then updated it to 15.2(1)SY5 (pot luck) on Dec 6th and configured
prefix limits on all sessions allowing less than 100k above current count.

On router #2 we did nothing.

Router #3 was false positive, issue did not occur at all (human error).

Nothing happened since the updates, no insertion issue, no prefix count hit.
So we have no clue what happened.

kind regards
Rolf

> Hi,
>
>> I had 3 incidents within a week in which Sup2T-XL routers switched to
>> software forwarding.
>>
>> I.e. log says:
>> %MLSCEF-4-FIB_TCAM_INSERT_FAIL: FIB entry insertion into tcam failed,
>> one
>> IPv4 route may be absent from hardware table
>
> Haven't seen this one, but I'm interested to hear whether you've had new
> occurrences... We're running newer code though, 15.2(1)SY5 currently,
> because of several bugs in earlier releases.
>
>
> Regards,
>
> Jeroen van Ingen
> ICT Service Centre
> University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
>




Re: [c-nsp] FIB insertion issues on Sup2T routers

2017-12-05 Thread Rolf Hanßen
Hello,

had a "chance" today to check this.

Interesting is that the resources are even lower than normal (approx.
100k IPv4 routes less)

L3 Forwarding Resources
  FIB TCAM usage:                 Total      Used     %Used
    72 bits (IPv4, MPLS, EoM)    1048576    557541   53%
   144 bits (IP mcast, IPv6)      524288     45727    9%
   288 bits (IPv6 mcast)          262144         1    1%

  detail:  Protocol               Used     %Used
           IPv4                   557539   53%
           MPLS                        1    1%
           EoM                         1    1%

           IPv6                    45724    9%
           IPv4 mcast                  3    1%
           IPv6 mcast                  1    1%

Adjacency usage:                  Total      Used     %Used
                                1048576     32191    3%

kind regards
Rolf

> Hello,
>
> I think a full 'show platform hardware capacity' output from the affected
> device before reboot could be the best starting point for
> troubleshooting...
>
> You may use a EEM TCL script for autosaving useful outputs in case of such
> events.
> --
> Best regards,
> Vladimir Troitskiy



[c-nsp] FIB insertion issues on Sup2T routers

2017-12-01 Thread Rolf Hanßen
Hello,

I had 3 incidents within a week in which Sup2T-XL routers switched to
software forwarding.

I.e. log says:
%MLSCEF-4-FIB_TCAM_INSERT_FAIL: FIB entry insertion into tcam failed, one
IPv4 route may be absent from hardware table

Was fixed by a reboot in each case.

Uptime differs (several weeks up to years), chassis differ (6509E/7609S),
all routers run 15.1(2)SY1.

Number of total routes is not close to the edge:

#sh platform hardware cef summary
Total routes: 709683
IPv4 unicast routes:  664027
IPv4 non-vrf routes:  664027
IPv4 vrf routes:  0
IPv4 multicast routes:3
IPv6 unicast routes:  45650
IPv6 global routes:   45649
IPv6 non-vrf routes:  45649
IPv6 vrf routes:  0
IPv6 link-local routes:   1
IPv6 multicast routes:1
mpls routes:  1
mpls-vpn routes:  0
eompls-l2 routes: 1
eom-ipv4-mcast routes:0
eom-ipv6-mcast routes:0

#sh platform hardware cef maximum-routes

 Fib-size: 1024k (1048576), shared-size: 1016k (1040384),
 shared-usage: 735k(753326)

 Protocol          Max-routes   Use-shared-region   Dedicated
 --------          ----------   -----------------   ---------
 IPV4              1017k        Yes                 1k
 IPV4-MCAST        1017k        Yes                 1k
 IPV6              1017k        Yes                 1k
 IPV6-MCAST        1017k        Yes                 1k
 MPLS              1017k        Yes                 1k
 EoMPLS            1017k        Yes                 1k
 VPLS-IPV4-MCAST   1017k        Yes                 1k
 VPLS-IPV6-MCAST   1017k        Yes                 1k

They did not have that issue the same time and receive the same routes
that also other Sup2T routers (that did not have that issue) receive, so I
do not expect this to be result of a short wave of routes learned from
peers/uplinks.

Did anyone else have that issue?
Any hints how to find the cause (without support contract)?

kind regards
Rolf




Re: [c-nsp] Juniper MX240 & MX480

2017-10-27 Thread Rolf Hanßen
Hi,

RE-S-X6-64G requires SCBE2.
SCBE2 does not work with DPCs.
So you cannot upgrade to newest RE with old linecards.

kind regards
Rolf

> Hi,
>
> it is strange, because RE doesn't do much with line cards, maybe it
> depends what kind SCB you have ...
>
> Best regards,
> Misak Khachatryan,




Re: [c-nsp] Juniper MX240 & MX480

2017-10-26 Thread Rolf Hanßen
Hello Aaron,

that's not a Cisco-only "feature".
You could also move from MX to new ASR boxes because Juniper told you that
your old DPC cards do not work if you replace your RE-S-2000 with the
newest RE (RE-S-X6-64G + SCBE2). ;)

kind regards
Rolf

> The thing that caused me to evaluate replacing my ASR9k 15-node network
> was
> when Cisco told me if I replaced my RSP-4G routing engine with newest one,
> all my 1st gen Trident linecards would stop working.  :|




Re: [c-nsp] Cisco 6509 / WS-CAC-6000W OUTPUT FAIL

2017-07-04 Thread Rolf Hanßen
Hello,

In the meantime the system was turned off.
Neither removing cards nor turning it off/on changed the situation.
So I guess the chassis is just broken in some way.
At least the scrap dealer will be happy. ;)

kind regards
Rolf

> Late to the thread, but some of the chassis models (non-E, perhaps) have
> a backplane power limitation from the B supply IIRC, and it was
> somewhere in the 4kw range.
>
>
> On 3/14/17 2:42 AM, James Bensley wrote:
>> On 13 March 2017 at 15:02, "Rolf Hanßen"  wrote:
>>>                     Power-Capacity  PS-Fan  Output  Oper
>>> PS   Type           Watts    A @42V  Status  Status  State
>>> ---- -------------- -------- ------- ------  ------  -----
>>> 1    WS-CAC-6000W   5771.64  137.42  OK      OK      on
>>> 2    WS-CAC-6000W   3780.00   90.00  -       -       off
>> Why is one of these 6kW PSUs saying 4kW of power capacity? Since they
>> are the same model PSU I think the power capacity has to match on
>> them?
>>
>> Cheers,
>> James.
>




Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)

2017-06-03 Thread Rolf Hanßen
Hello,

I read your mail twice and still don't know which direction is affected
(4500X to ASR or ASR to 4500X or both).
Please be aware that the balancing hash method only affects outbound
traffic, so changing the method on the 4500X only affects traffic towards
the ASR.
Using MAC addresses for balancing is a bad idea. Years ago we had the great
idea to connect several servers with dual NIC to a router with a 2 port
channel switching between.
MAC on the router was always the same, MACs on the servers were all even
because we used the same port on all servers.
Result: no balancing at all.

Is the switch able to use IP / port for all frames or do you have packets
it maybe does not understand (like MPLS packets)?

kind regards
Rolf

> Hi Everyone - Have a 4 port etherchan between ASR1006/4500X(In VSS) -
> Tried virtually all the load-balancing options on the 4500X, but port "1"
> in the portchan group always gets majority of traffic share.
>
>
> Links are:
>
>
> ASR1006    4500X (2)
>
> 0/0/3      1/1/4
>
> 1/0/0      1/1/16
>
> 1/0/3      2/1/4
>
> 2/0/0      2/1/16
>
>
> src/dst ip - I get both ports on "primary" 4500X being primarily used
> (1/1/4 getting the most)
>
> src/dst mac - I get a bit of a better load spread, but 2/1/4 gets very
> little traffic, and again 1/1/4 gets the most
>
> src/dst port - 1/1/4 gets the most, 2/1/16 gets a lot more (ingress),
> 2/1/4, very little
>
>
> The portchan peak usage is 2 to 2.5Gb/sec, but would do more, as it is
> being limited by the load-balancing, i.e. 1/1/4 will max out at 1G/sec
> (We have very bursty traffic. SP - So mix of
> Inet/L3VPN/backup/replication etc)
>
>
> If anyone has some suggestions on how to achieve a better (more even)
> traffic spread, it would be greatly appreciated. Migrating to 10Gb is
> what we plan to do, but am interested in anyone's comments on why 1/1/4 is
> used so heavily regardless of the load-balancing algorithm used (Assuming
> it is because it is the "first" port, spanning tree probably preferring
> this port?). The ASR1006 only has 2 load-balancing options, flow-based or
> vlan-manual, lol, and I don't have any interest in setting up manual
> vlan load-balancing 😉)
>
>
> Thanks
>
>


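Rolf's "all server MACs were even, router MAC always the same, result: no balancing" illustrated with a simulation. This is an added example, not code from the thread, and it assumes a simplified hash: XOR of the selected fields, folded to 8 buckets, bucket modulo number of links. Real platform hashes (4500X, Sup2T, ASR1000) are not documented at that level of detail, but they share the property shown here: fields that only differ in bits the hash throws away do not spread traffic. The flows, MAC addresses, IPs and ports are constructed.

```python
import ipaddress
from collections import Counter

N_LINKS = 2        # the 2-port channel from the reply above
HASH_BITS = 3      # assumption: 8 hash buckets, as on classic Catalyst EtherChannel


def mac_to_int(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def xor_bucket(*fields, bits=HASH_BITS):
    """Simplified hash model: XOR the selected fields and keep the low-order bits."""
    h = 0
    for f in fields:
        h ^= f
    return h & ((1 << bits) - 1)


def select_link(flow, method, n_links=N_LINKS):
    """Map one flow to a member link under the given load-balance method."""
    src_ip = int(ipaddress.ip_address(flow["src_ip"]))
    dst_ip = int(ipaddress.ip_address(flow["dst_ip"]))
    if method == "src-dst-mac":
        bucket = xor_bucket(mac_to_int(flow["src_mac"]), mac_to_int(flow["dst_mac"]))
    elif method == "src-dst-ip":
        bucket = xor_bucket(src_ip, dst_ip)
    elif method == "src-dst-port":
        bucket = xor_bucket(src_ip, dst_ip, flow["src_port"], flow["dst_port"])
    else:
        raise ValueError(f"unknown load-balance method: {method}")
    return bucket % n_links


def distribution(flows, method, n_links=N_LINKS):
    """{link index: number of flows} for a flow list and a hash method."""
    return dict(Counter(select_link(f, method, n_links) for f in flows))


# Constructed flows: eight servers whose NIC MACs all end in an even byte
# (same NIC port on identical hardware), all of them reaching the outside
# world through the one router MAC.  The source ports are arbitrary.
ROUTER_MAC = "00:11:22:33:44:01"
SRC_PORTS = [49152, 50000, 33004, 44444, 52000, 60000, 38764, 41012]
FLOWS = [
    {"src_mac": f"00:aa:bb:00:00:{2 * i:02x}", "dst_mac": ROUTER_MAC,
     "src_ip": f"10.0.0.{i + 1}", "dst_ip": "198.51.100.1",
     "src_port": sport, "dst_port": 443}
    for i, sport in enumerate(SRC_PORTS, start=1)
]

if __name__ == "__main__":
    for method in ("src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:13s} -> {distribution(FLOWS, method)}")
```

With the MAC hash every flow lands on the same member because the XOR of an even server MAC with the fixed router MAC always has the same low bit; the IP and port hashes spread the same eight flows evenly. The hash only decides the transmit side, so the distribution seen on the 4500X towards the ASR says nothing about the ASR's choice in the other direction.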


Re: [c-nsp] vrrpv3 + IPv6 hangs in INIT state

2017-05-24 Thread Rolf Hanßen
Hi Nick,

yes, that's it.
Comes up now, thanks for the hint.

kind regards
Rolf

> Rolf Hanßen wrote:
>> I just tried to get VRRP + IPv6 running on a Sup2T with 15.1(2)SY1.
>> I enabled VRRPv3 and it works at least for IPv4.
>
> Yeah, this caught me too.  The primary ipv6 address for a vrrpv3 needs
> to be an ipv6 link-local address:
>
>> http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhrp-vrrpv3.html
>
>> VRRPv3 for IPv6 requires that a primary virtual link-local IPv6
>> address is configured to allow the group to operate. After the
>> primary link-local IPv6 address is established on the group, you can
>> add the secondary global addresses.
>
> So your configuration should look like this:
>
> fhrp version vrrp v3
> interface Vlan2000
>  vrrp 6 address-family ipv6
>   address fe80::1 primary
>   address :::::1/64
>   exit-vrrp
> end
>
> Nick




[c-nsp] vrrpv3 + IPv6 hangs in INIT state

2017-05-22 Thread Rolf Hanßen
Hello,

I just tried to get VRRP + IPv6 running on a Sup2T with 15.1(2)SY1.
I enabled VRRPv3 and it works at least for IPv4.

But for IPv6 the status stays on status INIT:
sh vrrp brief:
  Interface  Grp  A-F   Pri  Time  Own  Pre  State  Master addr/Group addr
  Vl2000     6    IPv6  100  0     N    Y    INIT   AF-UNDEFINED no address

sh vrrp vlan 2000:

Vlan2000 - Group 6 - Address-Family IPv6

  State is INIT
  State duration 49 mins 57.900 secs
  Virtual IP address is no address
  Virtual MAC address is .5E00.0206
  Advertisement interval is 3000 msec
  Preemption enabled
  Priority is 100
  Master Router is unknown, priority is unknown
  Master Advertisement interval is unknown
  Master Down interval is unknown

vlan2000 is up and other side (Juniper MX) pings fine.

sh vrrp statistics shows zero-counters.

Routing-Interface:
interface Vlan2000
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 load-interval 30
 ipv6 address :::::3/64
 ipv6 enable
 ipv6 nd dad attempts 0
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no ipv6 redirects
 vrrp 6 address-family ipv6
  address :::::1/64
  exit-vrrp
end

I would expect it to become master in case it does not work together with
Juniper.
I checked with a second device, same behaviour.
Any hints?

kind regards
Rolf



[c-nsp] Cisco 6509 / WS-CAC-6000W OUTPUT FAIL

2017-03-13 Thread Rolf Hanßen
Hello,

I have an issue with a C6509 shortly before it will be replaced. ;)
PS2 shows OUTPUT FAIL (both inputs ok), I already replaced it, no change.
sh power shows 3780 Watt for PS2, what is that value?

system power redundancy mode = redundant
system power redundancy operationally = non-redundant
system power total = 5771.64 Watts (137.42 Amps @ 42V)
system power used =  2815.26 Watts (67.03 Amps @ 42V)
system power available = 2956.38 Watts (70.39 Amps @ 42V)
                     Power-Capacity  PS-Fan  Output  Oper
PS   Type            Watts    A @42V  Status  Status  State
---- --------------- -------- ------- ------  ------  -----
1    WS-CAC-6000W    5771.64  137.42  OK      OK      on
2    WS-CAC-6000W    3780.00   90.00  -       -       off

                     Pwr-Allocated   Oper
Fan  Type            Watts    A @42V  State
---- --------------- -------- ------- -----
1    WS-C6509-E-FAN  210.00   5.00    OK

                     Pwr-Requested    Pwr-Allocated    Admin  Oper
Slot Card-Type       Watts    A @42V  Watts    A @42V  State  State
---- --------------- -------- ------- -------- ------- -----  -----
1    WS-X6748-GE-TX  325.50   7.75    325.50   7.75    on     on
2    WS-X6748-GE-TX  325.50   7.75    325.50   7.75    on     on
3    WS-X6748-GE-TX  325.50   7.75    325.50   7.75    on     on
5    WS-SUP720-3B    282.24   6.72    282.24   6.72    on     on
6    (Redundant Sup) -        -       282.24   6.72    -      -
7    WS-X6704-10GE   295.26   7.03    295.26   7.03    on     on
8    WS-X6708-10GE   473.76   11.28   473.76   11.28   on     on
9    WS-X6704-10GE   295.26   7.03    295.26   7.03    on     on
system auxiliary power mode = off
system auxiliary power redundancy operationally = non-redundant
system primary connector power limit =   10920.00 Watts (260.00 Amps @ 42V)
system auxiliary connector power limit = 10500.00 Watts (250.00 Amps @ 42V)
system primary power used =  2815.26 Watts (67.03 Amps @ 42V)
system auxiliary power used =0 Watt

Anyone seen such behaviour yet?
Maybe chassis defective?

kind regards
Rolf





Re: [c-nsp] 720-3BXL IOS 15

2016-11-15 Thread Rolf Hanßen
Hi Curtis,

that combination does not sound good to me.
I think you will run into memory issues.

kind regards
Rolf


> Does anyone have any suggested 15.x Versions for the 720-3BXL Cards?  I
> have a couple of 7606 routers that have a need to run BFD + BGP within a
> VRF Instance.  The current 12.2(33)SRB3 does not allow this.
>
> The router takes in 3 full copies of the Internet routing table as well as
> some very light VPNv4 routing tables.  I've already reallocated the TCAM
> to
> allow 768k IPv4 Routes.
>
> Thanks
>




Re: [c-nsp] Router 6504E - SUP 720 3B XL

2016-07-15 Thread Rolf Hanßen
Hi,

sorry, but 88% used does not mean you really have 12% you can use.
3 years ago we were in a similar situation, one of our 3BXL had 92 or 93%
usage and restarted the bgp process because it was unable to allocate more
memory.
We thought we had a few more months and waited too long to replace it.
So 88% means "disable one session" and not "add another one".

If you want to use 6500/7600, go for the Sup2T (XL was around 9k Euro -
before Brexit) + 4Gig memory.
You can still build an up to 80GBit throughput box with a great number of
router ports for the money if you use 6700 linecards with CFC (WS-X6748-GE-TX
below 200Euro, WS-X6704-10GE below 500Euro) and can live with the risk that
1M routes could become an issue in a few years.

kind regards
Rolf


> 15.7.2016, 17:13, Nick Hilliard wrote:
>> TCAM is fine for the time being, but RP RAM is definitely a problem on
>> this platform.  The RP has 1G of RAM, non-upgradable.  A DFZ will work
>> for the time being if you run 12.2SX.  If you run 15S, there's less
>> space and it will not run unless you disable inbound soft reconfig.  In
>> either case, it's not going to be viable in the long term.
>>
> Yes, with 15.X IOS you will be at 90% in memory usage. We have one box
> (15.1(2)SY4a IOS) with two full feeds and a lot of features enabled -
> the memory usage is 88%. There is still room for a third full BGP feed.
> I'm not concerned about this, since even with an empty config the memory
> usage is quite high. However, it's stable and doesn't vary much.
>
> But yeah, 6500 is not the best choice for the future.
>
> zzif
>




Re: [c-nsp] traceroute from ASA with source IP from inside interface

2016-03-19 Thread Rolf Hanßen
Hi Nick,

the outgoing packets are UDP but the packets coming back should be icmp
ttl expired, that is why I allowed icmp.

I just tried to allow anything in and out without any change, so I guess
this is not rule-related at all.

Any other ideas?

kind regards
Rolf

> Traceroutes from ASA / routers use UDP not ICMP
>
> You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
> versions of the message you need - this is my traceroute config I use on
> client contexts:
>
> Note these firewalls are non-internet facing so security is less important
> to me than troubleshooting.
>
> access-list outside_access_in extended permit icmp any any unreachable
> access-list outside_access_in extended permit icmp any any traceroute
> access-list outside_access_in extended permit icmp any any time-exceeded
>
> policy-map global_policy
>  class inspection_default
>   inspect icmp
>   inspect icmp error
>
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> "Rolf Hanßen"
> Sent: 16 March 2016 10:58
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] traceroute from ASA with source IP from inside interface
>
> Hi,
>
> I am new to ASA and wondering about the traceroute (and ping) behaviour.
> I wanted to trace/ping with the IP address of the internal interface, but
> anything I try results in stars:
>
> ASA# traceroute 8.8.8.8 source inside
>
> Type escape sequence to abort.
> Tracing the route to 8.8.8.8
>
>  1   *  *  *
>  2   *  *  *
>
> Tracing without setting a source (or "source outside") works fine.
> I create a rule for the internal interface towards dst any service ip.
> There is also a rule on the outside interface to allow icmp.
> I replace "inside" with the IP.
> Traceroutes from servers attached to the inside interface work fine.
>
> There is no control plane policy set.
>
> Is this a bug or some strange "security feature"?
> Is there another part that maybe filters such traffic?
> In the management access section I see only https/asdm/ssh/telnet.
>
> Maybe somebody can explain.
>
> kind regards
> Rolf
>
>
>
>




[c-nsp] traceroute from ASA with source IP from inside interface

2016-03-16 Thread Rolf Hanßen
Hi,

I am new to ASA and wondering about the traceroute (and ping) behaviour.
I wanted to trace/ping with the IP address of the internal interface, but
anything I try results in stars:

ASA# traceroute 8.8.8.8 source inside

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1   *  *  *
 2   *  *  *

Tracing without setting a source (or "source outside") works fine.
I create a rule for the internal interface towards dst any service ip.
There is also a rule on the outside interface to allow icmp.
I replace "inside" with the IP.
Traceroutes from servers attached to the inside interface work fine.

There is no control plane policy set.

Is this a bug or some strange "security feature"?
Is there another part that maybe filters such traffic?
In the management access section I see only https/asdm/ssh/telnet.

Maybe somebody can explain.

kind regards
Rolf




Re: [c-nsp] Peering + Transit Circuits

2015-08-18 Thread Rolf Hanßen
Hi,

you forgot to do some interface-ACL magic that drops peer traffic that does
not have a destination IP in my cool-networks whitelist.

kind regards
Rolf

 Question: What is the preferred practice for separating peering and
 transit
 circuits?

 1. Terminate peering and transit on separate routers.
 2. Terminate peering and transit circuits in separate VRFs.
 3. QoS/QPPB (
 https://www.nanog.org/meetings/nanog42/presentations/DavidSmith-PeeringPolicyEnforcement.pdf
 )
 4. Don't worry about peers stealing transit.
 5. What is peering?

 Your comments are appreciated.

 --
 Tim:





[c-nsp] Set BGP metric based on nexthop IGP metric

2015-06-05 Thread Rolf Hanßen
Hello,

I need a hint regarding an OSPF/BGP setup on some C6500.
I have BGP configured between the loopback IPs of several routers.
Let's say router a and router b advertise x.x.x.x/24 (connected network) to
router c (and d, e...).

Router c now has 2 BGP routes with same attributes (except the nexthop)
and takes the oldest one as far as I see.
sh ip bgp x.x.x.x/24:
...
a.a.a.a (metric 20) from a.a.a.a (a.a.a.a)
  Origin IGP, metric 0, localpref 1000, valid, external, best
...
b.b.b.b (metric 20) from b.b.b.b (b.b.b.b)
  Origin IGP, metric 0, localpref 1000, valid, external


sh ip route a.a.a.a:
Routing entry for a.a.a.a/32
  Known via ospf 1, distance 110, metric 20, type extern 2, forward
metric 2000
...

sh ip route b.b.b.b:
Routing entry for b.b.b.b/32
  Known via ospf 1, distance 110, metric 20, type extern 2, forward
metric 1000
...


I would like to know how to bind/link the BGP metric to the forward metric
value and not to 20.
I would like to achieve that the BGP route is equal to the closest router
according to OSPF.
I always thought this would be default behaviour.

My problem with random picking of the route also is that this can cause a
routing loop in some simple cases:
a--c--d--b
c chooses the route from b and d chooses it from a.
- loop between c and d.

All I could find that sounds like a solution is set metric-type in the
route map, but this seems to be for route redistribution only.
I guess anything in the route-map would not help anyway because it is not
processed if something in IGP occurs.

Having the route in OSPF either does not help because the EBGP route is
preferred over the OSPF route (higher administrative distance).
Changing to IBGP isn't a good option in my case, I also want to avoid
configuring manual med/localpref on router c+d.

What is the best practice for such setups?
What do, for example, providers do that exchange a full table between their
routers that way and do not have those routes in IGP?
Or what did they do before MPLS became popular?

kind regards
Rolf


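Why router c ends up on the oldest path, worked through with a model of the IOS best-path selection. This is an added example, not code from the thread, and it is a simplification: it omits the multipath step, the rule that MED is only compared between paths from the same neighbouring AS, and the cluster-list and neighbor-address tie-breaks. The point it shows is the one visible in Rolf's `sh ip bgp` output: the IGP-metric step compares the RIB metric of the route to the next hop, and for an OSPF E2 route that is the external cost (20 for both loopbacks), not the forward metric. Both candidates therefore tie all the way down to "oldest path". The router IDs 10.0.0.1/10.0.0.2 are constructed placeholders.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    next_hop: str
    router_id: str
    received_seq: int        # lower = received earlier (the "oldest" path)
    weight: int = 0
    local_pref: int = 100
    as_path_len: int = 0
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0      # RIB metric of the route to next_hop


# Tie-break steps in IOS order; every key is "lower is better".
STEPS = [
    ("weight",         lambda p: -p.weight),
    ("local_pref",     lambda p: -p.local_pref),
    ("as_path",        lambda p: p.as_path_len),
    ("origin",         lambda p: ORIGIN_RANK[p.origin]),
    ("med",            lambda p: p.med),
    ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
    ("igp_metric",     lambda p: p.igp_metric),
    ("oldest",         lambda p: p.received_seq),
    ("router_id",      lambda p: tuple(int(o) for o in p.router_id.split("."))),
]


def best_path(paths):
    """Return (winning path, name of the step that decided it).

    Each step keeps only the candidates with the best value; the first step
    that leaves a single candidate is the deciding one."""
    candidates = list(paths)
    for name, key in STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie"


def rolf_case(use_forward_metric=False):
    """The two paths on router c from the post: identical attributes except next hop.

    With use_forward_metric=False the IGP metric is the E2 cost 20 seen in the
    RIB for both loopbacks (what IOS actually compares).  With True it is the
    forward metric (2000 vs 1000) Rolf would like BGP to use instead."""
    metric_a = 2000 if use_forward_metric else 20
    metric_b = 1000 if use_forward_metric else 20
    a = Path("a.a.a.a", "10.0.0.1", received_seq=1, local_pref=1000, igp_metric=metric_a)
    b = Path("b.b.b.b", "10.0.0.2", received_seq=2, local_pref=1000, igp_metric=metric_b)
    return best_path([a, b])


if __name__ == "__main__":
    for forward in (False, True):
        winner, step = rolf_case(forward)
        print(f"forward metric used: {forward!s:5}  best via {winner.next_hop}  decided by {step}")
```

The model also makes the c/d loop Rolf describes easy to reason about: two routers that tie on every attribute and differ only in which update arrived first can legitimately pick different next hops, which is exactly why the arrival order should never be what decides a path.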


[c-nsp] Switch for vlan translation needed

2015-01-20 Thread Rolf Hanßen
Hello,

I look for a small switch that can do vlan translation.
Should have 1000T ports and port channel support.

I want to connect one port channel with several tagged vlans that are
mapped to other vlan ids on another port channel.

Do you have any cheap suggestion?

kind regards
Rolf



Re: [c-nsp] 512K routes approaching - have you adjusted your tcam settings

2014-07-26 Thread Rolf Hanßen
Hi Mack,

I am wondering about including sup 2T?
As far as I see Sup2T has no static CAM partition anymore and therefore
needs no specific maximums set.

kind regards
Rolf

 As many readers on this list know the routing table is approaching 512K
 routes.
 For some it has already passed this threshold.
 For those that aren't familiar with the issues associated with passing
 this threshold,
 I suggest the following two documents:

 http://www.ipv4depletion.com/?p=672

 http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

 Affected devices include 6500s (including sup 2T), 7600s, nexus 7Ks and
 many devices by other vendors.
 This problem will likely impact us in some way over the next month even if
 we fixed our devices because
 we connect to other services that have not prepared.

 So be on the lookout for MLSCEF-SP-7-FIB_EXCEPTION messages in your logs.

 Mack McBride | Network Architect | ViaWest, Inc.









Re: [c-nsp] Storm control - find out which vlan hits the limit

2014-07-08 Thread Rolf Hanßen
Hi,

nobody an idea?
Tried Mini Protocol Analyzer but as far as I see I cannot combine it with a
MAC address ACL.
In the meantime I got a server connected to the router and could export
the traffic via SPAN but still see no unusual broad-/multicast spikes.

Can anybody confirm that the physical interface bandwidth is used for the
percentage calculation and not the current traffic?
I.e. 0.35% on a 10Gbit interface with 200MBit traffic will make storm
control drop everything above 35MBit (1MBit*0.35%) and not 0.7MBit
(200MBit*0.35%), correct?

kind regards
Rolf


 Hello,

 I have a switchport interface (6704 card, Sup2T, IOS 15.1(2)SY1) with a
 few vlans (L2 + L3 mixed) on it that drops packets caused by storm
 control.

 sh interfaces counters storm-control:
 Port   UcastSupp %  McastSupp %  BcastSupp %  TotalSuppDiscards
 Te9/3  100.00       0.35         0.35         5800188

 I now would like to find out on which vlan I receive them.
 Unfortunately the non-unicast counters for all vlan-interfaces show 0,
 example:

 sh int vl300 | inc cast
   L2 Switched: ucast: 8023503 pkt, 2642606815 bytes - mcast: 0 pkt, 0
 bytes
   L3 in Switched: ucast: 120002757406 pkt, 16510187670768 bytes - mcast: 0
 pkt, 0 bytes
   L3 out Switched: ucast: 75127991555 pkt, 65410581551697 bytes - mcast: 0
 pkt, 0 bytes
  Received 0 broadcasts (0 IP multicasts)

 sh vlan id xxx counters also shows zeroes only for all vlans:
 Vlan Id: 300
 L2 Unicast Packets : 8023503
 L2 Unicast Octets  : 2642606815
 L3 Input Unicast Packets   : 120008317418
 L3 Input Unicast Octets: 16512241861042
 L3 Output Unicast Packets  : 75144910816
 L3 Output Unicast Octets   : 65423693432219
 L3 Output Multicast Packets: 0
 L3 Output Multicast Octets : 0
 L3 Input Multicast Packets : 0
 L3 Input Multicast Octets  : 0
 L2 Multicast Packets   : 0
 L2 Multicast Octets: 0

 Is there a way to enable those counters or to find out which vlan receives
 those peaks without exporting the traffic to another system
 (SPAN,netflow,...)?

 kind regards
 Rolf




[c-nsp] Storm control - find out which vlan hits the limit

2014-07-04 Thread Rolf Hanßen
Hello,

I have a switchport interface (6704 card, Sup2T, IOS 15.1(2)SY1) with a
few vlans (L2 + L3 mixed) on it that drops packets caused by storm
control.

sh interfaces counters storm-control:
Port      UcastSupp %  McastSupp %  BcastSupp %  TotalSuppDiscards
Te9/3     100.00       0.35         0.35         5800188

I now would like to find out on which vlan I receive them.
Unfortunately the non-unicast counters for all vlan-interfaces show 0,
example:

sh int vl300 | inc cast
  L2 Switched: ucast: 8023503 pkt, 2642606815 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 120002757406 pkt, 16510187670768 bytes - mcast: 0
pkt, 0 bytes
  L3 out Switched: ucast: 75127991555 pkt, 65410581551697 bytes - mcast: 0
pkt, 0 bytes
 Received 0 broadcasts (0 IP multicasts)

sh vlan id xxx counters also shows zeroes only for all vlans:
Vlan Id: 300
L2 Unicast Packets : 8023503
L2 Unicast Octets  : 2642606815
L3 Input Unicast Packets   : 120008317418
L3 Input Unicast Octets: 16512241861042
L3 Output Unicast Packets  : 75144910816
L3 Output Unicast Octets   : 65423693432219
L3 Output Multicast Packets: 0
L3 Output Multicast Octets : 0
L3 Input Multicast Packets : 0
L3 Input Multicast Octets  : 0
L2 Multicast Packets   : 0
L2 Multicast Octets: 0

Is there a way to enable those counters or to find out which vlan receives
those peaks without exporting the traffic to another system
(SPAN,netflow,...)?

kind regards
Rolf




Re: [c-nsp] Replace NVRAMBattery - decrease impact

2014-04-02 Thread Rolf Hanßen
Slot 2,3 and 4 are not in use, I could remove the cover-cards and access
the front part of slot 5 easily.

 The battery is right on the board behind the faceplate. I don't see how
 you could replace it without removing the sup at least part way.
 I will say I've seen failures on this particular test that were resolved
 by just reseating the battery.

 Andrew

 On Apr 1, 2014, at 11:00 AM, cisco-nsp-requ...@puck.nether.net wrote:

 Replace NVRAMBattery - decrease impact



[c-nsp] Replace NVRAMBattery - decrease impact

2014-04-01 Thread Rolf Hanßen
Hello,

I just saw that here on a 6509-E + Sup2T:

router#show diagnostic result module 5
...
  51) TestNVRAMBatteryMonitor - F
...

From my understanding this means battery is empty and I need to replace
the button cell.
Correct?

Afair replacing it means nvram is lost and needs to be re-formatted +
files copied back to it.
Is there a way to bypass this and to reduce downtime in case of a single sup?
Can I replace the battery during operation or does that have some
side-effects (in case I avoid a short-circuit by touching something)?

kind regards
Rolf



[c-nsp] Access layer replacement for 6500/Sup720

2014-03-24 Thread Rolf Hanßen
Hello,

currently we use C6509 + Sup720 for IP access (routing + switching, ISP
environment).
Means BGP + OSPF + HSRP, dual stack, no MPLS, no full table (a few hundred
routes only).
Now I am looking for a small equivalent like a stackable 1HU Layer3 switch.
Should have 40/48x 1GBit + 4/8x 10Gbit.

My dealer recommends a Cisco 3850, which is below 10k Euro for 48xCopper
and 4x SFP+.
Sounds good from the specs, but I have no clue about IOS XE.
In the Configuration Guide Overview I do not see a CoPP-equivalent for
that device.
It is very important for me to have a (hardware-assisted) function to
protect the router CPU in case of ddos to the router itself (or TTL
expired packets).
How is that done on a 3850 or is a 3850 simply the wrong choice in my case?

Anything else I should be aware of? Known issues, design deficits, too
small buffers, high outage rates or such things?

Are there any other recommendations in that or lower price region?
Does not need to be Cisco. What do other ISPs use for such scenarios?

kind regards
Rolf




Re: [c-nsp] Access layer replacement for 6500/Sup720

2014-03-24 Thread Rolf Hanßen
Hello Mark,

 If you want reasonably functional QoS ingress and egress,
 the ME3600X/3800X is your friend.

As far as I see no stacking and only 2x 10GBit.

 If you don't care about that (or other fancy features), and
 if your application is purely closet/LAN and not Metro, then
 there are lots of options between Cisco and other vendors in
 this space.

Then please tell me some models below 10k EUR that offer 8x10G + 48xRJ45 +
stacking and have a reliable self-protection.
A basic layer3 switch with 2x 10GBit (that hangs as soon as the cpu is hit
by 100k pps) isn't hard to find from nearly every vendor.

regards
Rolf




[c-nsp] ignore ip tcp adjust-mss packets in CoPP

2014-02-26 Thread Rolf Hanßen
Hi,

I just saw that strict filtering with CoPP (only allow peers and some
management servers) breaks the ip tcp adjust-mss functionality.
The window size is manipulated to be able to redirect traffic via a tunnel
from an anti-DDoS provider.
Is there a smart way to bypass CoPP for exactly those packets without
making 3/4 of the CoPP rules useless?
Adding a "permit tcp any any syn" or similar rule does not look like a
good option to me.

I think of something like mls rate-limit unicast cef glean for packets
needing ARP-action from the RP.
Hardware is a 6506 with Sup720-3B and 67xx cards.

kind regards
Rolf



[c-nsp] Sup720 - FIB full, software switching

2014-02-03 Thread Rolf Hanßen
Hi,

today I saw 2x Sup720-3B (default 192K IPv4 routes) that received a full
table.
After FIB was filled IOS gave a warning that it now may forward in
software (and reset all BGP sessions because of memory issues). I don't
have the exact messages.

The real problem occurred after that. I shut the full table BGP session and
cleared the others, the system now had a few routes only again.

But it started to drop packets, I saw no pattern, it looked nearly random.
I needed to reboot both boxes to resolve that issue.

IOS was s72033-advipservicesk9_wan-mz.122-33.SXJ.bin

Is there a way to avoid those issues by letting it just ignore routes that
do not fit into the FIB?
Is there a command to reset the routing mode/routes back to CEF without
reloading the box?

kind regards
Rolf



Re: [c-nsp] Sup720 - FIB full, software switching

2014-02-03 Thread Rolf Hanßen
Hi,

indeed, the limiter was installed.

kind regards
Rolf

 One other thing I noticed from your email and something that we've
 experienced in the past as well.  I think it may also be related to
 hitting the TCAM limit but check to see if you have this command enabled:

 mls rate-limit unicast cef receive 1 255

 According to Cisco, that command will automatically get added to your
 config when the tables get full.  That command will start to drop
 packets and unless you look for it you wouldn't know it's there because
 generally it's not.  All BGP sessions appear normal and none of your
 interfaces show full yet you're still dropping packets.  Cisco advised
 us to increase the receive to 100 to avoid any possible issues in
 the future.

 Thanks to the other replies about having to reload the switch to clear
 the TCAM exception.  I didn't know that once you hit it that the only
 way to fix it was to completely reload the box.

 Jose

 On 2/3/2014 9:09 AM, Rolf Hanßen wrote:
 Hi,

 today I saw 2x Sup720-3B (default 192K IPv4 routes) that received a full
 table.
 After FIB was filled IOS gave a warning that it now may forward in
 software (and reset all BGP sessions because of memory issues). I
 don't
 have the exact messages.

 The real problem occurred after that. I shut the full table BGP session
 and
 cleared the others, the system now had a few routes only again.

 But it started to drop packets, I saw no pattern, it looked nearly
 random.
 I needed to reboot both boxes to resolve that issue.

 IOS was s72033-advipservicesk9_wan-mz.122-33.SXJ.bin

 Is there a way to avoid those issues by letting it just ignore routes that
 do not fit into the FIB?
 Is there a command to reset the routing mode/routes back to CEF without
 reloading the box?

 kind regards
 Rolf


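A check for the failure mode described in this thread, added here as an example; it is not code posted by Rolf, Jose or anyone else on the list. It parses "show mls cef exception status", looks in the running config for the "mls rate-limit unicast cef receive" line Jose mentions, and counts MLSCEF-SP-7-FIB_EXCEPTION messages in a syslog excerpt. All three inputs are constructed samples modelled on the thread: the hostname, the glean limiter, the BGP message and the text after the syslog mnemonic are invented, and the 100 pps threshold comes from Jose's remark, not from a Cisco recommendation confirmed here.

```python
import re

# Constructed sample of "show mls cef exception status", modelled on the output
# quoted in this thread (IPv4 over the limit, IPv6 and MPLS fine).
SAMPLE_EXCEPTION_STATUS = """\
Current IPv4 FIB exception state = TRUE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE
"""

# Constructed running-config excerpt containing the receive rate limiter that
# Jose reports being added automatically when the tables fill up.
SAMPLE_RUNNING_CONFIG = """\
hostname edge1
mls rate-limit unicast cef receive 1 255
mls rate-limit unicast cef glean 1000 10
router bgp 65000
"""

# Constructed syslog excerpt; only the %MLSCEF-SP-7-FIB_EXCEPTION mnemonic comes
# from the thread, the surrounding text is invented for the example.
SAMPLE_SYSLOG = """\
Feb  3 09:01:12.345: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched
Feb  3 09:01:13.001: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Feb  3 09:05:40.210: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched
"""

EXCEPTION_RE = re.compile(r"Current (\S+) FIB exception state = (TRUE|FALSE)")
RECEIVE_LIMITER_RE = re.compile(
    r"^mls rate-limit unicast cef receive (\d+)(?:\s+(\d+))?\s*$", re.MULTILINE)
FIB_EXCEPTION_MSG_RE = re.compile(r"%MLSCEF-SP-7-FIB_EXCEPTION")


def parse_exception_status(text):
    """Map each FIB family (IPv4, IPv6, MPLS) to True when it is in exception state."""
    return {family: state == "TRUE" for family, state in EXCEPTION_RE.findall(text)}


def find_receive_limiter(config):
    """Return (pps, burst) for 'mls rate-limit unicast cef receive', or None if absent."""
    match = RECEIVE_LIMITER_RE.search(config)
    if match is None:
        return None
    burst = int(match.group(2)) if match.group(2) else None
    return int(match.group(1)), burst


def audit_fib_state(exception_status, running_config, syslog, min_receive_pps=100):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    for family, in_exception in parse_exception_status(exception_status).items():
        if in_exception:
            findings.append(
                f"{family} FIB exception active: prefixes that did not fit the TCAM "
                "are forwarded in software; plan a reload after fixing the route count")
    limiter = find_receive_limiter(running_config)
    if limiter is not None and limiter[0] < min_receive_pps:
        findings.append(
            f"cef receive rate limiter is {limiter[0]} pps (below {min_receive_pps}); "
            "verify it was configured on purpose and not added by the FIB exception")
    hits = len(FIB_EXCEPTION_MSG_RE.findall(syslog))
    if hits:
        findings.append(f"{hits} MLSCEF-SP-7-FIB_EXCEPTION message(s) in the log")
    return findings


if __name__ == "__main__":
    for finding in audit_fib_state(SAMPLE_EXCEPTION_STATUS, SAMPLE_RUNNING_CONFIG, SAMPLE_SYSLOG):
        print("WARNING:", finding)
```

Feed it the three show outputs collected by whatever you already use to poll the box; the point of checking the running config as well as the exception state is that, per this thread, the limiter and the exception flag survive the route count dropping back to normal, so a check that only watches the BGP table size will miss both.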

Re: [c-nsp] Sup720 ignores boot variable

2014-01-24 Thread Rolf Hanßen
Hello Stuart,

looks like you are right, I will try to reboot in the next maintenance
window and check if it works now.

#remote command switch show bootvar

BOOT variable = bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0xA141

(config)#config-register 0x2102

#remote command switch show bootvar

BOOT variable = bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0xA141 (will be 0x2102 at next reload)

kind regards
Rolf



 Check the value of the config register on the SP (remote command switch
 show bootvar). Odd things can happen if the SP and RP have different
 values for the config register.


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Rolf Hanßen
 Sent: 24 January 2014 00:19
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Sup720 ignores boot variable

 Hi,

 I am wondering why this sup720 ignores my boot variable and always boots
 the first image it finds.

 dir shows:
 --
 Directory of sup-bootdisk:/

     1  -rw-    78212100   Jul 6 2010 17:27:04 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
     2  -rw-    33554432   Jul 6 2010 17:36:30 +00:00  sea_log.dat
     3  -rw-   143347044  Jan 16 2014 21:47:46 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
 --

 I tried:
 boot system flash bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
 as well as
 boot system flash
 sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
 I removed the old boot entry.

 after wr mem sh bootvar shows:
 --
 BOOT variable =
 (sup-)bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
 CONFIG_FILE variable =
 BOOTLDR variable =
 Configuration register is 0x2102

 Standby is not present.
 --

 In both cases result is:
 --
 Autoboot executing command: boot bootdisk:

 Initializing ATA monitor library...
 string is bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
 Loading image, please wait ...
 --

 If I delete s72033-advipservicesk9_wan-mz.122-33.SXH2.bin it starts
 s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
 (which is now first image rommon finds).
 sh version:
 --
 Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M),
 Version 12.2(33)SXJ6, RELEASE SOFTWARE (fc3)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2013 by Cisco Systems, Inc.
 Compiled Fri 19-Jul-13 03:30 by prod_rel_team

 ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
 ...
 --

 I then upgraded rommon (sp with c6ksup720-rm2.8-5-4.srec, rp with
 c6msfc3-rm2.srec.122-17r.SX7) but still shows:
 Autoboot executing command: boot bootdisk:

 Is there some kind of sync issue or rommon bug or did I forget something ?

 kind regards
 Rolf



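A decoder for the two configuration-register values seen in this thread (0xA141 on the SP, 0x2102 on the RP), added as an example; it is not code from the thread or from Cisco. The bit table is reproduced from Cisco's generic configuration-register documentation (console baud-rate bits 5, 11 and 12 are left out) and is an assumption to verify against the documentation for your own platform; the function and variable names are mine.

```python
# Flag bits of the IOS configuration register, as given in Cisco's generic
# configuration-register documentation; console baud-rate bits (0x0020,
# 0x0800, 0x1000) are omitted. Assumption for this example, not from the thread.
FLAG_BITS = {
    0x0040: "ignore NVRAM (startup-config) contents",
    0x0080: "disable boot messages",
    0x0100: "break disabled",
    0x0400: "IP broadcasts with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have net numbers",
    0x8000: "enable diagnostic messages and ignore NVRAM contents",
}
BAUD_BITS = 0x0020 | 0x0800 | 0x1000
KNOWN_MASK = 0xF | sum(FLAG_BITS) | BAUD_BITS


def boot_field_meaning(boot_field):
    """Interpret bits 0-3, the boot field."""
    if boot_field == 0x0:
        return "stay in ROM monitor"
    if boot_field == 0x1:
        return "boot the first image in flash, ignoring 'boot system' commands"
    return "boot according to the 'boot system' commands in startup-config"


def decode_config_register(value):
    """Break a 16-bit configuration register into boot field and named flags."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"config register must be a 16-bit value, got {value:#x}")
    boot_field = value & 0xF
    flags = [name for bit, name in sorted(FLAG_BITS.items()) if value & bit]
    return {
        "value": value,
        "boot_field": boot_field,
        "boot_behaviour": boot_field_meaning(boot_field),
        "flags": flags,
        # bits set that this table does not know about
        "unknown_bits": value & ~KNOWN_MASK & 0xFFFF,
    }


def compare_sp_rp(sp_value, rp_value):
    """List the differences between the SP and RP registers that matter at boot."""
    sp, rp = decode_config_register(sp_value), decode_config_register(rp_value)
    diffs = []
    if sp["boot_field"] != rp["boot_field"]:
        diffs.append(f"boot field: SP {sp['boot_field']:#x} ({sp['boot_behaviour']}) "
                     f"vs RP {rp['boot_field']:#x} ({rp['boot_behaviour']})")
    for flag in sorted(set(sp["flags"]) ^ set(rp["flags"])):
        side = "SP" if flag in sp["flags"] else "RP"
        diffs.append(f"'{flag}' set on {side} only")
    return diffs


if __name__ == "__main__":
    # Values from the thread: "remote command switch show bootvar" showed
    # 0xA141 on the SP while the RP had 0x2102 configured.
    for diff in compare_sp_rp(0xA141, 0x2102):
        print(diff)
```

Run against the thread's values it reports a boot field of 0x1 on the SP, which is exactly the "boot the first image in flash" behaviour Rolf observed ("Autoboot executing command: boot bootdisk:" with no filename), plus the ignore-NVRAM bits set on the SP only. Checking both registers after every "config-register" change, before the reload, is the cheap way to avoid the maintenance-window surprise.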

[c-nsp] Sup720 ignores boot variable

2014-01-23 Thread Rolf Hanßen
Hi,

I am wondering why this sup720 ignores my boot variable and always boots
the first image it finds.

dir shows:
--
Directory of sup-bootdisk:/

    1  -rw-    78212100   Jul 6 2010 17:27:04 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
    2  -rw-    33554432   Jul 6 2010 17:36:30 +00:00  sea_log.dat
    3  -rw-   143347044  Jan 16 2014 21:47:46 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
--

I tried:
boot system flash bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
as well as
boot system flash sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
I removed the old boot entry.

after wr mem sh bootvar shows:
--
BOOT variable =
(sup-)bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102

Standby is not present.
--

In both cases result is:
--
Autoboot executing command: boot bootdisk:

Initializing ATA monitor library...
string is bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
Loading image, please wait ...
--

If I delete s72033-advipservicesk9_wan-mz.122-33.SXH2.bin it starts
s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
(which is now first image rommon finds).
sh version:
--
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M),
Version 12.2(33)SXJ6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 19-Jul-13 03:30 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
...
--

I then upgraded rommon (sp with c6ksup720-rm2.8-5-4.srec, rp with
c6msfc3-rm2.srec.122-17r.SX7) but still shows:
Autoboot executing command: boot bootdisk:

Is there some kind of sync issue or rommon bug or did I forget something ?

kind regards
Rolf




[c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface

2014-01-20 Thread Rolf Hanßen
Hi,

we have a Stone Age router running here that wastes about 14HU of space
that I need for something else:
12008/GRP
2x 1GBit NICs (upstream)
One ATM card:
NAME: slot 2, DESCR: 4 port ATM OC3 single mode, HwVer#: 1.1, SwVer#: 0.0
PID: 800-3873-01 rev K0 dev 994423, VID: V00, SN:

We use only one of the 4 ports to terminate 6 old SDSL lines.

Config:

interface ATM2/3
 no ip address
 no ip directed-broadcast
 atm sonet stm-1
 no atm enable-ilmi-trap
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable

6x Subinterface:
interface ATM2/3.xxx point-to-point
 ip unnumbered Loopback1
 no ip directed-broadcast
 no atm enable-ilmi-trap
 pvc 3/xxx
  oam-pvc manage
  encapsulation aal5snap

ip route x.x.x.x 255.255.255.248 ATM2/3.104

interface Loopback1
 description DSL-Loopback
 ip address
 no ip directed-broadcast
end


Traffic is less than 10 MBit, uses IPv4 only and receives a few routes via
OSPF.

I would like to replace that box with something that is much smaller and
consumes less power.

I have no clue about non-ethernet technology like ATM and so on and also
no possibility for playing around/testing with another line.
Can you recommend something that I can use as a small (1 or 2 HU) + cheap
1:1 replacement?

kind regards
Rolf Hanßen




Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface

2014-01-20 Thread Rolf Hanßen
Hi Nick,

I found on Ebay:
CISCO7204VXR + NPE400 + PWR7200-AC + C7200-I/O-2FE - 160 Euro
PA-A3-OC3SMI ATM Port Adapter (73-2427-04 / PA-A3-OC3SMI) - 40 Euro

Would that combination be sufficient?

Is there something to take care of (size of RAM, bigger memory card for
new IOS images) related to that platform ?

kind regards
Rolf

 On 20/01/2014 10:37, Rolf Hanßen wrote:
 Can you recommend something that I can use as a small (1 or 2 HU) +
 cheap
 1:1 replacement?

 Easiest thing would be to get a C7200 + ATM card from ebay.  You don't
 need
 a fancy IO card.  An NPE200 or NPE300 would be fine.  The power draw on a
 configuration like this will be less than 100W, and you will pay very
 little for the equipment.

 If you wanted to spend money, you could get an asr1001 + atm card, but
 that
 would be a waste for so little traffic tbh.

 Nick






Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface

2014-01-20 Thread Rolf Hanßen
Hello,

a version without known security bugs sounds good to me. ;)
(according to http://tools.cisco.com/security/center/selectIOSVersion.x)

My list now contains:
CISCO7204VXR-CH
PWR-7200-AC=
NPE-400 (512 MB Ram)
C7200-I/O-2FE/E
PA-A3-OC3SMI

Anything else I forgot ?

kind regards
Rolf

 On Mon, 20 Jan 2014, Gert Doering wrote:

 Hi,

 On Mon, Jan 20, 2014 at 12:06:22PM +0100, Rolf Hanßen wrote:
 I found on Ebay:
 CISCO7204VXR + NPE400 + PWR7200-AC + C7200-I/O-2FE - 160 Euro
 PA-A3-OC3SMI ATM Port Adapter (73-2427-04 / PA-A3-OC3SMI) - 40 Euro

 Would that combination be sufficient?

 It's end of everything, so current IOS won't work - but 12.3M will be
 there, and will do everything you need (and still gets security fixes,
 if I'm not mistaken).  Besides that, it will easily get the job done.

 VXR with NPE-400 isn't out of everything.
 c7200-advipservicesk9-mz.152-4.M4.bin for instance work just fine on
 NPE-400 and is supported.

 To original poster, you probably want 512M of ram on it. It'll use approx
 130-150W of power.

 If you need full tables, get NPE-G1 with 1G of RAM.

 So +1 on the 7200 recommendation for the description of what's needed.

 --
 Mikael Abrahamssonemail: swm...@swm.pp.se




Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface

2014-01-20 Thread Rolf Hanßen
Hi,

yes, none of the 6 lines has more than 2 MBit, so 100MBit upstream is ok.

kind regards
Rolf

 On 20/01/2014 16:20, Aled Morris wrote:
 Bear in mind this is dual Fast Ethernet not Gigabit Ethernet, compared
 to
 your current GSR.

 Traffic levels were ~10Mbit, afair?

 Nick






Re: [c-nsp] c6500 Low alarms on optics

2014-01-07 Thread Rolf Hanßen
Hi,

what kind of optics is that ?

The readings rely on the optics used.
Here an output of a system with some OEM LR optics and China DWDM:

                                  Optical   Optical
          Temperature  Voltage  Current   Tx Power  Rx Power
Port      (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
-------   -----------  -------  --------  --------  --------
Te4/1     -63.0 --     0.00      35.5     -1.3      -5.5
Te4/2      26.1        0.00      26.1     -2.3      -7.1
Te4/3     -30.2 --     0.00      41.6     -2.8      -4.1
Te4/4      27.1        0.00      32.5     -2.1      -3.9
Te8/1      62.5 +      0.00     101.6      2.1      -9.6
Te8/2      87.2 ++     0.00      61.1     -1.2      -9.0
Te8/3      35.4        0.00     159.8     -3.5      -1.8
Te8/4     104.0 ++     0.00      67.8     -0.8      -3.0
Te9/1      48.3        0.00      91.2      1.3     -11.0
Te9/2      66.3 +      0.00      90.2      0.2      -6.7
Te9/3      57.6        0.00      67.4      1.9     -14.8
Te9/4      34.3        0.00     374.5      0.5 +   -16.2 --

I am quite sure the Xenpaks have neither -63 nor 104 degrees Celsius. ;)

kind regards
Rolf

 I saw some (--) low alarms (current mA) on my optics in intfs ten3/2, 4/2,
 4/7, 4/8, 7/1, 7/2, 7/12, 7/13, 7/16.

 I'm wondering if these alarms can cause any kind of problems.
 Has anyone experience ?

 Tks


 #sh inter transceiver
 Transceiver monitoring is disabled for all interfaces.

 If device is externally calibrated, only calibrated values are printed.
 ++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
 NA or N/A: not applicable, Tx: transmit, Rx: receive.
 mA: milliamperes, dBm: decibels (milliwatts).

                                   Optical   Optical
           Temperature  Voltage  Current   Tx Power  Rx Power
 Port      (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
 -------   -----------  -------  --------  --------  --------
 Te1/4      33.1        0.00      31.1     -2.2      -0.7
 Te1/6      35.9        0.00      37.5     -2.1      -1.3
 Te1/7      36.0        0.00      38.7     -2.1      -1.7
 Te2/4      30.4        0.00      33.0     -2.1      -1.8
 Te2/6      33.7        0.00      37.6     -2.1      -1.8
 Te2/7      32.7        0.00      37.8     -2.5      -1.8
 Te3/2      33.4        0.00       8.7 --  -2.1      -3.0
 Te3/7      35.7        0.00      37.8     -2.4      -2.0
 Te3/8      30.8        0.00      30.7     -2.5      -1.1
 Te4/2      32.6        0.00       8.0 --  -2.7      -8.2
 Te4/7      29.2        0.00       6.8 --  -2.9      -3.2
 Te4/8      27.3        0.00       5.6 --  -2.8      -7.2
 Te7/1      38.2        0.00       7.2 --  -3.8      -1.8
 Te7/2      37.5        0.00       7.1 --  -3.7      -4.7
 Te7/5      31.9        0.00      37.3     -2.3      -1.9
 Te7/9      28.0        0.00      35.2     -2.0      -1.0
 Te7/10     27.7        0.00      38.1     -2.1      -1.1
 Te7/12     29.7        0.00       6.0 --  -2.1      -3.2
 Te7/13     28.0        0.00       5.9 --  -2.5      -4.6
 Te7/16     27.6        0.00       5.7 --  -1.8      -2.1


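A parser for "show interfaces transceiver" output that separates credible alarms from the kind of nonsense readings Rolf points out (a module reporting -63 or 104 degrees Celsius), added as an example and not code from this thread. The sample table is constructed from a handful of rows in the two posts above; the plausibility window of -10 to 90 C for a module's case temperature, and the rule that a module with an implausible temperature has its DOM data marked unreliable rather than raising a temperature alarm, are my assumptions for the example.

```python
import re

# Constructed sample, a mix of rows from both tables in this thread, laid out
# in the column format the command prints (marker after the affected value).
SAMPLE_TRANSCEIVER = """\
                                  Optical   Optical
          Temperature  Voltage  Current   Tx Power  Rx Power
Port      (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
-------   -----------  -------  --------  --------  --------
Te4/1     -63.0 --     0.00      35.5     -1.3      -5.5
Te4/2      26.1        0.00      26.1     -2.3      -7.1
Te8/4     104.0 ++     0.00      67.8     -0.8      -3.0
Te9/4      34.3        0.00     374.5      0.5 +   -16.2 --
Te3/2      33.4        0.00       8.7 --  -2.1      -3.0
"""

PORT_RE = re.compile(r"^[A-Za-z]+\d+/\d+(?:/\d+)?$")
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")
MARKERS = {"++": "high alarm", "+": "high warning", "-": "low warning", "--": "low alarm"}
FIELDS = ("temperature_c", "voltage_v", "bias_ma", "tx_dbm", "rx_dbm")

# Assumed plausibility window for a module case temperature; a reading outside
# it says more about the module's DOM calibration than about the module.
PLAUSIBLE_TEMP_C = (-10.0, 90.0)


def parse_transceiver(text):
    """Return {port: {"values": {...}, "flags": {field: marker meaning}}}."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not PORT_RE.match(tokens[0]):
            continue  # headers, separators, blank lines
        port, tokens = tokens[0], tokens[1:]
        values, flags, i = {}, {}, 0
        for field in FIELDS:
            if i >= len(tokens) or not NUMBER_RE.match(tokens[i]):
                raise ValueError(f"{port}: malformed row: {line!r}")
            values[field] = float(tokens[i])
            i += 1
            # an optional alarm/warning marker follows the value it refers to
            if i < len(tokens) and tokens[i] in MARKERS:
                flags[field] = MARKERS[tokens[i]]
                i += 1
        rows[port] = {"values": values, "flags": flags}
    return rows


def assess(rows):
    """Return {port: [notes]}; an empty list means nothing to look at."""
    report = {}
    for port, row in rows.items():
        notes = []
        temp = row["values"]["temperature_c"]
        suspect = not (PLAUSIBLE_TEMP_C[0] <= temp <= PLAUSIBLE_TEMP_C[1])
        if suspect:
            notes.append(f"temperature {temp:.1f} C is implausible; treat DOM data "
                         "from this module as unreliable")
        for field, meaning in row["flags"].items():
            if field == "temperature_c" and suspect:
                continue  # already covered by the plausibility note
            notes.append(f"{field}: {meaning} ({row['values'][field]})")
        report[port] = notes
    return report


if __name__ == "__main__":
    for port, notes in assess(parse_transceiver(SAMPLE_TRANSCEIVER)).items():
        for note in notes:
            print(f"{port}: {note}")
```

The low bias-current alarms in the original question come through unchanged, since those modules report sane temperatures; the -63 and 104 degree modules from Rolf's table are reported once as unreliable DOM data instead of as temperature alarms.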

Re: [c-nsp] Sup2T interface ACL limitations

2013-12-16 Thread Rolf Hanßen
Hi,

no hints or experiences ?
No other providers using ACLs on the network borders ?

kind regards
Rolf

 Hello,

 I am thinking about dropping some (mainly ddos) traffic on the outside
 network borders with ACLs.
 The entries would include the basic stuff like src/dst IP, protocol +
 ports, maybe packet length.
 I would like to know about the limitations or potential conflicts with
 other functions.

 I read about up to 256K entries for a Sup2T (XL).
 Does that mean I can use a huge list with 200k entries and apply it ?

 Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
 those 256k ?

 Where can I find the limitations, for example:
 How big can a single ACL be and how many ACLs can be combined in a policy
 ?

 Does it make a difference if I assign it via service-policy or ip
 access-group ?

 In case no ip unreachables is set, will there be any other impact on the
 RP ?

 Will certain sizes cause CPU trouble during installation ?

 Can I change ACLs / policy map while they are in use or will this need a
 reload ?

 Will those ACLs conflict with CoPP or any other functions ?
 I think of some "it matches in the ACL, so CoPP is ignored" behaviour.

 I found that command here for usage check, is there anything other to
 verify that could hit 100% ?

 Router#sh platform hardware capacity acl
 Classification Mgr Tcam Resources
   Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
Dstbl  - Destinfo Table, Ethcam  - Ethertype Cam Table,
ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table

   Module Ttlent QoSent RBLent Lbl   LOU  TCP  Dstbl Ethcam ACTtbl V6ext
   5      1%     2%     0%     1%    2%   0%   2%    0%     0%     0%

 Is there maybe any caveat with certain hardware ?
 My systems are Sup2T XL in CFC-only mode, 67xx linecards.

 kind regards
 Rolf Hanßen




Re: [c-nsp] Sup2T interface ACL limitations

2013-12-16 Thread Rolf Hanßen
Hi Phil,

 On 16/12/13 12:25, Rolf Hanßen wrote:

 no hints or experiences ?
 No other providers using ACLs on the network borders ?

 These are all pretty basic questions; you might want to re-read the docs
 a few times to get a better understanding.

Unfortunately the docs only describe the theory.
Maybe it works if I use an ACL with 100k entries but it takes a minute to
install.
Such things are usually not part of the docs or the information is spread
over half a dozen documents that otherwise contain 99% redundant data.

 I read about up to 256K entries for a Sup2T (XL).
 Does that mean I can use a huge list with 200k entries and apply it ?

 Maybe. That might be very slow to program into hardware though, and
 because it's using 50% of the TCAM the box won't be able to do a
 hitless modify.

 Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
 those 256k ?

 10. There is an indirection mechanism.

 Where can I find the limitations, for example:
 How big can a single ACL be and how many ACLs can be combined in a
 policy
 ?

 I don't know what this means; an ACL *is* a policy. You can't combine
 ACLs.

I mean to create several ACLs and combine them in a policy map like:

policy-map pm1
 class class1
   police cir 128000 bc 1000  conform-action drop  exceed-action drop 
violate-action drop
 class class2
   police cir 128000 bc 1000  conform-action drop  exceed-action drop 
violate-action drop

class-map match-any class1
  match access-group name acl1

class-map match-any class2
  match access-group name acl2

ip access-list standard acl1
 permit 1.2.3.0
 ...

ip access-list standard acl2
 permit 5.6.7.8
 ...

 Does it make a difference if I assign it via service-policy or ip
 access-group ?

 Yes. They're totally different things. service-policy is a QoS policy,
 ip access-group is an ACL.

But does it make a difference if a packet is dropped in a policy instead
of a big ACL ?
Does a policy scale better or maybe worse ?

 In case no ip unreachables is set, will there be any other inpact on
 the
 RP ?

 No.

 Will certain sizes cause CPU trouble during installation ?

 Probably yes.

Are there any known to work or known to make trouble sizes ?


 Can I change ACLs / policy map while they are in use or will this need
 a
 reload ?

 No you do not need a reload. Yes you can change them when they're in
 use. Be aware that sup2T has hitless ACL updates if certain conditions
 are met.

 Will those ACLs conflict with CoPP or any other functions ?

 IIRC ACLs first, CoPP second. ACL denies don't go to CoPP, ACL permits
 do, but TBH I'm going from memory here.

 I think of some it matches in the ACL, so CoPP is ignored behaviour.

 I found that command here for usage check, is there anything other to
 verify that could hit 100% ?

 These stats are available over SNMP.

 Is there maybe any caveat with certain hardware ?
 My systems are Sup2T XL in CFC-only mode, 67xx linecards.

 Be aware that ACLs are per-PFC/DFC on this platform.

regards
Rolf



Re: [c-nsp] Sup2T interface ACL limitations

2013-12-16 Thread Rolf Hanßen
Hello Roland,

 I am thinking about dropping some (mainly ddos) traffic on the outside
network borders with ACLs.

 ACLs don't work well as a DDoS reaction mechanism.  They're good for
protecting your network infrastructure:

 https://app.box.com/s/osk4po8ietn1zrjjmn8b

 S/RTBH is much better as a DDoS reaction mechanism:

I already thought about that (after trying out uRPF, before ever reading
that term).
My fear is that somebody creates blackholes in my network with spoofed
source IPs.
I think this is a potential damage amplifier and may cause much bigger
impact than a flooding itself could ever do.
I could black/whitelist something like 8.8.8.8, but I think there is no
chance to build a list that will ever be sufficient for blackholing
sources.

I furthermore think I will run into problems as soon as I block anything
from source xy in the complete network, i.e. also for customers that do
not want their traffic to be filtered at all.

 All the caveats folks have noted about ACLs hold true.

But are there any experience reports / measurements in place ?
For example how long does an upload of 100 rules via TFTP or SSH +
activation of it take on a Sup2T ?
Does it behave linear, exponential or will a set of 200 rules only take
10% longer ?
Will there be an impact while applying it ?
What about changing rules ? Will adding/removing take less or more
resources/time than just replacing the whole set with a new one ?

That is the stuff I am interested in.

 Maybe it works if I use an ACL with 100k entries but it takes a minute
 to install.

 In what topological situation do you need 100K entries?  Unless you're a
 very large wholesale transit network trying to enforce anti-spoofing for
 downstreams of your downstreams, do you really need that many entries?

That was just a sample number, not an expectation.
Maybe I will never need more than 100 entries, but I think it is important
to know the limits before hitting them. ;)

kind regards
Rolf




[c-nsp] Sup2T interface ACL limitations

2013-12-09 Thread Rolf Hanßen
Hello,

I am thinking about dropping some (mainly ddos) traffic on the outside
network borders with ACLs.
The entries would include the basic stuff like src/dst IP, protocol +
ports, maybe packet length.
I would like to know about the limitations or potential conflicts with
other functions.

I read about up to 256K entries for a Sup2T (XL).
Does that mean I can use a huge list with 200k entries and apply it ?

Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of
those 256k ?

Where can I find the limitations, for example:
How big can a single ACL be and how many ACLs can be combined in a policy ?

Does it make a difference if I assign it via service-policy or ip
access-group ?

In case no ip unreachables is set, will there be any other impact on the
RP ?

Will certain sizes cause CPU trouble during installation ?

Can I change ACLs / policy map while they are in use or will this need a
reload ?

Will those ACLs conflict with CoPP or any other functions ?
I think of some "it matches in the ACL, so CoPP is ignored" behaviour.

I found that command here for usage check, is there anything other to
verify that could hit 100% ?

Router#sh platform hardware capacity acl
Classification Mgr Tcam Resources
  Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
   RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
   Dstbl  - Destinfo Table, Ethcam  - Ethertype Cam Table,
   ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table

  Module Ttlent QoSent RBLent Lbl  LOU  TCP  Dstbl Ethcam ACTtbl V6ext
  5      1%     2%     0%     1%   2%   0%   2%    0%     0%     0%

Is there maybe any caveat with certain hardware ?
My systems are Sup2T XL in CFC-only mode, 67xx linecards.

kind regards
Rolf Hanßen




Re: [c-nsp] VLAN bridging and routing on 7600

2013-12-06 Thread Rolf Hanßen
Hello Rod,

don't know if there is something special with RSP720 (or I do not
understand the question), but this sounds to me like simple switching + a
SVI:

int Gi1/x
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan add the vlans on that port
exit

interface vlan1234
  no shutdown
  ip address x.x.x.x mask
exit

kind regards
Rolf

 Hi

  I need to pass a couple of vlans from my switch trunk port to
 another switch trunk both of which connected to my 7600 with RSP7203cxl.
 Then from the same trunk port I have to get another vlan and assign an
 ip address to that vlan.

 switchA ---*trunk*--- 7600 ---*trunk*--- switchB
  X,Y,Z                 |                  Y,Z
                        |
                     vlanX (ip address x.x.x.x)

 Looking around I see IRB, but its not supported in 7600s according
 documentations.

 Hope someone could provide assistance or if it is even possible with my
 current setup.

 Thanks!

 --
 *Rod Bio *





Re: [c-nsp] Unicast as Anycast

2013-11-25 Thread Rolf Hanßen
Hi,

that could work: Add the Arin ASN to your RIPE AS-set.
Tell Level3 to use the object from RADB instead of RIPE and they should have
all networks then.

You can check what their prefixgen creates:
whois -h filtergen.level3.net RIPE::AS123

kind regards
Rolf

 Hi Gert

 I'd love to see my unicast network announced from Miami and Madrid :) !!
 But I have two different ASN, I don't know if this is a problem.
 No load balancing and yes, I think I have a problem with objects and
 Level3. I don't know how Level3 in US will open their filters for a RIPE
 /24.

 The /24 seems to be announced only from Spain (I searched through  one of
 my carriers looking glass in Miami and the  prefix is seeing only from
 Spain).

 cheers!




 On Mon, Nov 25, 2013 at 3:33 PM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Mon, Nov 25, 2013 at 02:06:30PM +0100, JJ wrote:
  I'm looking to make some tests with anycast (for DDoS mitigation). Has
  someone tried to achieve this with unicast IPs?
 
  You know it's not possible to get more IP assignments from RIPE, and
 after
  asking RIPE for anycast assignments, they told me we still  could use
  unicast for this purpose.
  It sounds a bit weird to me...but  I made a try and configured a /24
 being
  announced in our AS(different ASN) in Miami and Madrid(Spain), then I
 just
  asked my carriers to open their filters and... It doesn't work.
 
  Have you ever tried a configuration like this? (and successful :) )
 ,or,
  perhaps, am I trying the impossible?

 There are no anycast IPs in IPv4.  There are just unicast networks announced
 from multiple places, and that works great :-)

 The anycast thing in the RIPE policies is if you plan to do anycast
 deployment, and have no existing addresses you can use for that, there
 was a special policy to give out /24s from a well-known block for that
 particular purpose.  It's still unicast IPs.

 If it's not working for you, you're likely missing route: objects (so
 your
 announcements are getting filtered), or you're trying TCP traffic with
 some loadbalancing in the mix, with half the packets going to the one
 site and the other half going to the other site - TCP won't work.

 gert
 --
 USENET is *not* the non-clickable part of WWW!
 //www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de






Re: [c-nsp] Amix Peering

2013-10-24 Thread Rolf Hanßen
Hello,

no, you will only receive customer and own routes of those ISPs that also
peer with the route servers.
Not all members also peer with the route servers.

That results in only a small part of the full table, we learn 73k of about
462k prefixes at AMS-IX for example:

edge1-ams3#sh ip bg summary | inc 6777
195.69.144.255  4 6777  138639   11980 36307575900 1w0d   73012
195.69.145.0    4 6777 1654482   23160 36307575900 2w0d   72728

So you will still need an upstream provider, but you can decrease the
traffic amount passing your upstream.

kind regards
Rolf

 Thank you Mikael

 I believe one can peer with them, 2 peers x.x.145.1 and 144.1
 if so what will be published to us
 will they have a full bgp table or will they be missing some prefixes from
 global table.

 Thank you



 On Thursday, October 24, 2013 1:34 PM, Mikael Abrahamsson
 swm...@swm.pp.se wrote:

 On Thu, 24 Oct 2013, naresh reddy wrote:


 will they charge us for the traffic that we pump and pull to internet on
 per MB basis ??
 if so what would be the cost

 No, they will not charge you for traffic.

 --
 Mikael Abrahamsson    email: swm...@swm.pp.se





Re: [c-nsp] 10Gig CWDM

2013-10-23 Thread Rolf Hanßen
Hello,

we have been using a few noname China DWDM Xenpaks as well as SFP+ optics with
Xenpak adapters for about 2 years now in 6704 cards.
No outages or issues yet.

But no idea if there is a difference to the Smartoptics or if DWDM/CWDM
support differs.

You should think about using SFP+ + adapter, I think there is a better
chance to re-use them after 6500.

kind regards
Rolf

 Hello Everyone,

 We are looking into upgrading some links actually on a cwdm run to 10Gig.
 After looking into DWDM equipment I was told to check into 10Gig CWDM
 plugs offered in sfp+, xenpak, x2, xfp etc.
 Such as the ones offered by smartoptics
 http://www.smartoptics.com/optical-transceivers/10g-ethernet-2/

 As we would like to  add this to our existing 6500s does anyone have any
 experience using the x2/xenpaks in a cisco 6500 environment?
 AFAIK cisco does not support 10G CWDM plug-ins, at least I can't find
 anything stating that they do publicly.

 They are telling me it'll work but is unsupported, yet I would sleep
 better at night knowing that we are not beta testers



 Thanks

 Brian


 ---
 This e-mail is intended only for the addressee named above.
 As this e-mail may contain confidential or privileged information,
 if you are not the named addressee, you are not authorized to retain, read,
 copy or disseminate this message or any part of it.

 Please consider your environmental responsibility before printing this
 e-mail.






Re: [c-nsp] Sup2T - poor netflow performance

2013-10-19 Thread Rolf Hanßen
Hello,

 Sampling is the normal mode of flow telemetry generation used by large
 network operators, so its utility is pretty well-established.

I know, that is why I asked for a known-to-work config; we are using netflow
for the first time, others may have some years of experience and also use it
on a Sup2T.

 Did you
 configure the collection/analysis software so that it knows the sampling
 ratio from this exporter

The software (Andrisoft WANSIGHT / WANGUARD) should be aware of sampling,
at least you define the sampling rate in the collector config.

  are you sure that the traffic in question was
 traversing the interfaces on which NetFlow is enabled in the appropriate
 direction?

Yes, it does. I guess if I had made some other logical error it would not
appear in the unsampled config either.

kind regards
Rolf



Re: [c-nsp] Sup2T - poor netflow performance

2013-10-18 Thread Rolf Hanßen
Hi,

the whole interface config:
interface Vlan1421
 description ...
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 ..
 ip ospf cost 1000
 load-interval 30
 ipv6 address x::1/y
 ipv6 enable
 ipv6 nd ra suppress
 no ipv6 redirects
 ipv6 ospf 1 area 2069
 ipv6 ospf cost 1000
end

I apply netflow with:
 ip flow monitor monitorname input
 ip flow monitor monitorname output

Also tried with the unicast parameter, no effect.
Changing collect interface to match interface neither helps.
Replacing the record type with platform default (record platform-original
ipv4 interface-full) does not reduce load either.

I guess it uses no sampling.
How do I configure/enable sampling ?
How do I see if it is sampled ?
I see no commands that look like they configure or verify the sampling rate.

It's a 7609-S with CFC only and WS-X67xx linecards.

kind regards
Rolf


 On Oct 17, 2013, at 7:06 PM, Rolf Hanßen n...@rhanssen.de wrote:

 For example a box exporting something to a Peakflow SP for dos
 recognition.
 I recognized that starting a random-source-ip flood over my box could even
 make the cli freeze.

 This is not normal.

 What does your per-interface config look like?

 Are you sampling?

 What linecards are you using?  Are they DFC4s or CFC linecards?

 Just as an aside, it would be advisable not to use the collect verb for
 the input interface, but rather to use the match verb in order to use
 input ifindex as a key field.  'Collect' is for non-key fields.

 -
 Roland Dobbins rdobb...@arbor.net




Re: [c-nsp] Sup2T - poor netflow performance

2013-10-18 Thread Rolf Hanßen
Hello Roland,

I already tried with single direction.
The load is lower but much higher than the same traffic on a Sup720-3B.
Input only still creates an average of ~20% cpu utilisation with less than
1 GBit live traffic.

I now added a sampling rate of 100:
sampler 1_to_100
 mode random 1 out-of 100

interface Vlan1421
 ip flow monitor monitorname sampler 1_to_100 input
 ip flow monitor monitorname sampler 1_to_100 output

This reduces cpu usage of the netflow processes to less than 5%, but it
looks to me that the exported data is not useful anymore (a stream with
double the pps rate of everything else was not recognized by the
collector software).
Any other ideas ?

kind regards
Rolf

 On Oct 18, 2013, at 12:13 PM, Rolf Hanßen n...@rhanssen.de wrote:

 ip flow monitor monitorname input

 ip flow monitor monitorname output

 If you're collecting both ingress and egress NetFlow on the same
 interface, this could be contributing to your issues - Cisco do not
 recommend doing this due to overflow issues (which could lead to punting).

 Sampler configuration is covered in the Flexible NetFlow Command Reference
 for 15.x on cisco.com.

 And again, input ifindex should be obtained via 'match', not 'collect', in
 order to ensure that it's a key field.

 -
 Roland Dobbins rdobb...@arbor.net






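An added example (Python, not from this thread or Cisco) that simulates the "mode random 1 out-of 100" sampler configured above: it shows why the collector must be told the 1:100 ratio before any absolute pps threshold means anything, and why the per-flow records of a random-source-ip flood (the case mentioned in the 2013-10-18 quote) mostly vanish under sampling while the per-destination total still scales back correctly. The traffic mix, flow keys and the 150,000 pps alert threshold are constructed assumptions.

```python
import random
from collections import Counter

# "mode random 1 out-of 100", as in the sampler configured above
SAMPLING_RATE = 100

# Constructed traffic for one one-second interval (not measured data):
# nine background flows at 100,000 pps and one flow at twice that rate,
# the kind of stream the collector failed to flag.
SUSPECT_FLOW = "198.51.100.7->192.0.2.1"
TRAFFIC = {f"10.0.0.{i}->192.0.2.1": 100_000 for i in range(1, 10)}
TRAFFIC[SUSPECT_FLOW] = 200_000


def sample_packets(traffic, rate=SAMPLING_RATE, seed=1):
    """Emulate random 1-out-of-N sampling: each packet is exported with
    probability 1/N. Returns the per-flow packet counts the collector
    receives, i.e. the numbers carried in the exported flow records."""
    rng = random.Random(seed)
    sampled = Counter()
    for flow, packets in traffic.items():
        for _ in range(packets):
            if rng.random() < 1.0 / rate:
                sampled[flow] += 1
    return dict(sampled)


def scale_to_estimate(sampled, rate=SAMPLING_RATE):
    """What a collector that knows the sampling ratio does: multiply the
    sampled counts by N to estimate the real packet counts."""
    return {flow: count * rate for flow, count in sampled.items()}


def flows_above(counts, threshold_pps, interval_s=1):
    """Keys whose (estimated) packet rate reaches an alert threshold."""
    return sorted(k for k, n in counts.items() if n / interval_s >= threshold_pps)


def aggregate_by_destination(counts):
    """Sum per-flow counts by destination address."""
    totals = Counter()
    for flow, n in counts.items():
        totals[flow.split("->")[1]] += n
    return dict(totals)


def relative_error(estimate, truth):
    return abs(estimate - truth) / truth


def demo_sampling_ratio(threshold_pps=150_000):
    """Same exported data, with and without the collector knowing 1:100."""
    sampled = sample_packets(TRAFFIC)
    estimated = scale_to_estimate(sampled)
    return {
        # collector unaware of sampling: every flow looks ~100x smaller
        "unaware_alerts": flows_above(sampled, threshold_pps),
        # collector configured with the 1:100 ratio
        "aware_alerts": flows_above(estimated, threshold_pps),
        "suspect_estimate": estimated.get(SUSPECT_FLOW, 0),
    }


def random_source_flood(n_packets, dst="192.0.2.9"):
    """Constructed flood where every packet has a different spoofed source,
    so every flow key carries exactly one packet."""
    return {f"src{i}->{dst}": 1 for i in range(n_packets)}


def demo_random_source_flood(n_packets=200_000, threshold_pps=150_000):
    """Per-flow counts of a random-source flood mostly vanish under 1:100
    (about 99% of the one-packet flows are never sampled), but the total
    per destination still scales back correctly."""
    sampled = sample_packets(random_source_flood(n_packets), seed=2)
    estimated = scale_to_estimate(sampled)
    per_dst = aggregate_by_destination(estimated)
    return {
        "flows_seen": len(estimated),                              # about n_packets / 100
        "per_flow_alerts": flows_above(estimated, threshold_pps),  # each flow ~100 pps
        "per_dst_estimate": per_dst.get("192.0.2.9", 0),
        "per_dst_alerts": flows_above(per_dst, threshold_pps),
    }


if __name__ == "__main__":
    print(demo_sampling_ratio())
    print(demo_random_source_flood())
```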


Re: [c-nsp] Sup2T - poor netflow performance

2013-10-17 Thread Rolf Hanßen
Hello,

the discussion got a bit off-topic.
I have the same issue (cpu-usage explodes after enabling netflow).

@Jiri:
Were you able to solve that problem ? There was no follow-up.

@Roland:
Do you have a sample config / IOS version combination known to work with a
high amount of traffic/pps/src-dst-combinations ?
For example a box exporting something to a Peakflow SP for dos recognition.
I recognized that starting a random-source-ip flood over my box could even
make the cli freeze.

I tested with:
System: Sup2T-XL with 15.1(1)SY1, full table.
Cards: WS-X6704-10GE, WS-X6748-GE-TX, WS-X6724-SFP (CFC only)
Traffic is only approx 10-15GBit

Config
flow record xy
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

kind regards
Rolf


On Tue, March 26, 2013 4:37 pm, Jiri Prochazka wrote:
 Hi,

 after replacing one of our old vs-s720-3cxl and 6708-3cxl combo for a
 new sup2t-xl and 6908-2txl I'm struggling with a really poor netflow
 performance.

 In fact, enhanced netflow capacity and capabilities were the major
 reasons for upgrade.

 On the old vs-s720-3cxl setup we have used interface-src-dst flowmask.
 With aggressive timing, this setup was able to 'handle' around 6 Gbps of
 standard Internet traffic (per DFC) without undercounting and
 overwhelming the whole box.


 Now, when using sup2t-xl, which has two times bigger netflow table (512k
 for ingress flows) and faster CPU, I'm not able to get it working
 even with the same level of traffic.


 As soon as traffic on ingress reaches approximately 3 Gbps, and number of
 flows per one cache(card) exceeds 200k, the whole box begins to be
 unresponsive to SNMP polls, times out some commands (for example show
 platform flow ip count module x) and the CLI begins to lag.

 Furthermore, I get a lot of following messages -

 %IPC-DFC2-5-WATERMARK: 2013 messages pending in rcv for the port
 Card2/0:Request(202.7) seat 202
 %IPC-DFC2-5-WATERMARK: 2019 messages pending in rcv for the port
 Card2/0:Request(202.7) seat 202


 Utilization of CPU either of Sup or linecards is acceptable (under 60%,
 majority is taken by 'NF SE export thr' and 'NF SE Intr Task' processes).


 The netflow settings are as follows -

 flow record SRC-IP-IF-DST-IP-IF-AS
 match ipv4 source address
 match ipv4 destination address
 collect routing source as
 collect routing destination as
 collect routing next-hop address ipv4
 collect interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last


 flow monitor LIVEBOX-MONITOR
 description LIVEBOX v9 monitor
 record SRC-IP-IF-DST-IP-IF-AS
 exporter LIVEBOX-EXPORT
 cache timeout inactive 3
 cache timeout active 60

 flow exporter LIVEBOX-EXPORT
 destination x.x.x.x
 source Vlanx
 transport udp 9996




 Did you notice any REAL performance boost compared to older Sup720 with
 B/CXL DFCs?


 Thank you!



 --
 Jiri Prochazka
 network administrator (AS39392)
 SuperNetwork s.r.o.


Re: [c-nsp] Sup2T / IOS15 licensing questions

2013-09-01 Thread Rolf Hanßen
Hello,

ok, beside the technical stuff: How do you guys manage the licenses if
there is no number/certificate/key ?
Let's say a fired ex-employee tells Cisco you have no license for 5 of
your ten boxes upgraded last year and they do not ignore him.
How do you show them you have valid licenses ?

I guess at least anybody who upgraded from Sup720 to Sup2T bought
Supervisor and license separately and not bundled as part of a filled
chassis.

kind regards
Rolf

 On 08/29/2013 11:12 PM, Rolf Hanßen wrote:
 Hi,

 so there is no key or certificate or reference number at all ?

 There is no electronic licensing, that's correct. I suppose it's
 possible Cisco keep a record of device serial numbers and whether an IOS
 license was purchased at the time, and if so what, but the devices
 certainly don't.

  What prevents customers from buying one alibi license for all devices if
  there is no link to the device?

 As Blake says: the law.

 Does it have any effect at all if you configure/install such a pseudo
 license or not ?

 TBH I didn't even know there were licensing CLI commands on the box, and
 I suspect they do nothing.

 I don't even know if you need the license you've paid for. You should
 speak to your reseller and Cisco account manager to clarify things.





Re: [c-nsp] Sup2T / IOS15 licensing questions

2013-08-30 Thread Rolf Hanßen
Hello Blake,

the question was more the other direction:
How do I prove/verify I have a valid license if I receive nothing that
says here is your Cisco license #xx for IOS Advanced IP Services on
Sup2T ?
I now paid around 8k Dollars and only have a CD (Windows says it's even a
CD-RW) with a Cisco logo + the image name / version printed on it and the
dealer's invoice that I bought 1x license.
For that price I want to be sure that it is not just a CD made by some
guys in China with a good CD printer.

kind regards
Rolf

 Well, it's copyright infringement if you knowingly violate the terms of
 the
 software licensing, so treat that as you may as far as any enforcement vs
 just buying one license and installing it on many devices.

 -Blake


 On Thu, Aug 29, 2013 at 5:12 PM, Rolf Hanßen n...@rhanssen.de wrote:

 Hi,

 so there is no key or certificate or reference number at all ?
  What prevents customers from buying one alibi license for all devices if
  there is no link to the device?
 Does it have any effect at all if you configure/install such a pseudo
 license or not ?

 regards
 Rolf

  On 29/08/13 17:45, Rolf Hanßen wrote:
 
  How do I see if the correct features were enabled or which type
 (baseip,
  ipservice, advipservice) is installed ?
  Maybe somebody with a working and licensed router can compare the
 output
  ?
 
  What happens if I reboot and the license was wrong (i.e. baseip
 only),
  does the IOS reject commands in that case or is the whole licensing
 on
   6500/7600 just a dummy ?
 
  That's not how 6500 works.
 
  For 6500, on both sup720 and sup2T IIRC, the feature set is determined
  by the image you boot. There's no license key for advanced IP
 services
  - you just boot that image.
 
   To see which feature is installed/enabled, just look to see which
   image is booted.
 
  The right to use the software comes from having purchased that version
  of the software with the chassis, or having purchased an upgrade later
 on.
 
  See also
 
 
 http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/qa_c67-661785.pdf
 
  As an example - most of our 6500 purchases came with a line item for:
 
  S733ZK9M-12218SXD
 
  ...which is the Advanced IP service package, and confers the right to
  use that image (and smartnet confers the right to upgrade).
 








Re: [c-nsp] 6500, 7600 or ASR

2013-08-30 Thread Rolf Hanßen
Hello,

just for my interest: what amount of routes are we discussing ?

show platform hardware capacity:
L3 Forwarding Resources
 FIB TCAM usage:                     Total    Used    %Used
  72 bits (IPv4, MPLS, EoM)        1048576  460874    44%
 144 bits (IP mcast, IPv6)          524288   14178     3%
 288 bits (IPv6 mcast)              262144       1     1%

Do you expect to have more than 1M IPv4 / 512k IPv6 routes or is there
some other limitation I do not see ?

Back to topic:
If shaping and not only rate-limiting is needed (was mentioned in the
initial mail), 6500/7600 is no option anyway afaik.

kind regards
Rolf

 On Thu, 29 Aug 2013, chip wrote:

 Let's all also remember the TCAM limitations on the 7600/Sup2T platform.
 With the BGP table growing like it is, you'll need to carve up IPv4/IPv6
 TCAM allocation and could likely run out in the not-so-distant future.
 IMHO, unless something amazing happens for the 7600/Supervisor platform,
 this thing is dead as a DFZ BGP router and people should be looking
 elsewhere moving forward.  Both ASR lines (1k/9k) offer much better
 router capabilities and growth paths.  The 6500/7600 platform has had
 a
 helluva run, but I believe its time has passed.

 The TCAM limitation will kill the 6500/7600 platform for BGP router use
 _unless_ cisco comes out with a new PFC and DFCs that raises the limit.  I
 still wonder what they were thinking with the Sup2T and why it didn't get
 any more routing slots than the Sup720-3BXL.  This platform is the
 cheapest way to get lots of gigabit (or even 10 gigabit) ports and line
 rate performance in a BGP capable router...but sometime in the next couple
 of years, the current Sups and DFCs probably won't handle a full table.
 More TCAM and faster CPUs could keep the 6500 series viable for a long
 time.

 I haven't followed the thread closely enough to know if netflow was ever
 elaborated.  The 6500 does netflow.  Whether the netflow it does is
 sufficient for the OPs needs is the question.

 --
   Jon Lewis, MCP :)   |  I route
   |  therefore you are
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_





Re: [c-nsp] 6500, 7600 or ASR

2013-08-30 Thread Rolf Hanßen
Hi,

this is from a Sup2T/PFC4XL with 67xx cards (CFC only mode).
Default values, no config related to the CAM size.

Similar system with Sup720-3BXL looks like:
L3 Forwarding Resources
 Module  FIB TCAM usage:                    Total    Used   %Used
   5     72 bits (IPv4, MPLS, EoM)         524288  462992   88%
        144 bits (IP mcast, IPv6)          262144   14188    5%

btw, can somebody confirm that Sup2T can handle 1M IPv4 + 512k IPv6 at the
same time or is it calculated like for example Foundry does in the MLX/XMR
(1M IPv4 or 256 IPv6, every IPv6 entry takes 4x IPv4 Slots) ?

kind regards
Rolf

 On Fri, 30 Aug 2013, Rolf Hanßen wrote:

 Hello,

 just for my interest: what amount of routes are we discussing ?

 show platform hardware capacity:
 L3 Forwarding Resources
  FIB TCAM usage:                     Total    Used    %Used
   72 bits (IPv4, MPLS, EoM)        1048576  460874    44%
  144 bits (IP mcast, IPv6)          524288   14178     3%
  288 bits (IPv6 mcast)              262144       1     1%

 Do you expect to have more than 1M IPv4 / 512k IPv6 routes or is there
 some other limitation I do not see ?

 Is that a Sup-2T with PFC4XL?  Everything I'd read about it said it had
 the same FIB as the PFC3XL.  i.e.

 http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-676346.html

 The FIB in the PFC4 contains 256 K entries, while the FIB in the PFC4XL
 contains 1 million entries. These are the same as their PFC3x forwarding
 engine counterparts. The FIB in the PFC4 contains prefix entries for IPv4
 and IPv6 global address, IPv4 and IPv6 multicast addresses and MPLS label
 entries. There is a level of partitioning that exists to ensure there is
 always some space available for different types of forwarding entries.
 There is some flexibility from a user configuration standpoint that allows
 these partition boundaries to be changed to accommodate more of one type
 of forwarding entry. For example, in the PFC4XL, the default setting
 provides for 512 K IPv4 entries, and this can be increased through
 configuration control to support up to 1 M entries if required.

 --
   Jon Lewis, MCP :)   |  I route
   |  therefore you are
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_


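The two threads above compare FIB TCAM usage by reading "show platform hardware capacity" by hand; here is an added example (Python, not from the thread or Cisco) that parses both output shapes quoted in them, the PFC4XL one without and the Sup720-3BXL one with a leading Module column, and flags partitions that are running out of headroom. The sample outputs are constructed from the figures quoted above and the 80%/90% thresholds are assumptions.

```python
import re

# Constructed samples, built from the outputs quoted in this thread:
# a Sup2T/PFC4XL with default partitioning and a Sup720-3BXL (module 5).
PFC4XL_OUTPUT = """\
L3 Forwarding Resources
 FIB TCAM usage:                     Total    Used    %Used
  72 bits (IPv4, MPLS, EoM)        1048576  460874    44%
 144 bits (IP mcast, IPv6)          524288   14178     3%
 288 bits (IPv6 mcast)              262144       1     1%
"""

PFC3BXL_OUTPUT = """\
L3 Forwarding Resources
 Module  FIB TCAM usage:                    Total    Used   %Used
   5     72 bits (IPv4, MPLS, EoM)         524288  462992   88%
        144 bits (IP mcast, IPv6)          262144   14188    5%
"""

# optional module number, entry width, address families, Total, Used, %Used
ROW_RE = re.compile(
    r"^\s*(?:(?P<module>\d+)\s+)?(?P<width>\d+) bits \((?P<families>[^)]*)\)"
    r"\s+(?P<total>\d+)\s+(?P<used>\d+)\s+(?P<pct>\d+)%\s*$"
)


def parse_fib_tcam(text):
    """Return one dict per FIB TCAM partition found in the output.
    The module number, when present, is carried to the following rows
    of the same module (they leave the column blank)."""
    rows = []
    module = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m.group("module"):
            module = int(m.group("module"))
        total, used = int(m.group("total")), int(m.group("used"))
        rows.append({
            "module": module,
            "width_bits": int(m.group("width")),
            "families": m.group("families"),
            "total": total,
            "used": used,
            "free": total - used,
            "pct_used": used / total * 100.0,   # computed, not the rounded column
            "pct_reported": int(m.group("pct")),
        })
    return rows


def tcam_alerts(rows, warn_pct=80.0, crit_pct=90.0):
    """Partitions approaching exhaustion, as (level, families, pct, free).
    A full table that no longer fits is the failure mode the thread warns
    about, so the point is to alert while there is still headroom."""
    alerts = []
    for r in rows:
        if r["pct_used"] >= crit_pct:
            level = "CRIT"
        elif r["pct_used"] >= warn_pct:
            level = "WARN"
        else:
            continue
        alerts.append((level, r["families"], round(r["pct_used"], 1), r["free"]))
    return alerts


if __name__ == "__main__":
    for name, output in (("PFC4XL", PFC4XL_OUTPUT), ("PFC3BXL", PFC3BXL_OUTPUT)):
        rows = parse_fib_tcam(output)
        print(name, "alerts:", tcam_alerts(rows) or "none")
```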


[c-nsp] Sup2T / IOS15 licensing questions

2013-08-29 Thread Rolf Hanßen
Hello,

I just wanted to install an IOS license for the first time (advipservicek9
on Sup2T with IOS 15).
Unfortunately I have no clue about that topic and my dealer and Cisco
support do not seem to have either.

I got no license number or anything else from my dealer, just a CD with
the image.
Cisco sent me a link to generate a license with serial and model number.
I generated a file and installed it:

Installing...Feature:MACSec_Encryption...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install

Now the questions:
How does Cisco know what license I bought and what features to enable ?
They did not check any invoice, they have no clue what I bought (I just
told them on the phone that I bought one).

A show license detail now shows:

Index: 1  Feature: MACSec_Encryption  Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
        Store Index: 0
        Store Name: Primary License Storage
Index: 2  Feature: TEST_FEATURE_1     Version: 1.0
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 4  weeks 2  days
            Evaluation period left: 4  weeks 2  days
        License Count: Non-Counted
        License Priority: None
        Store Index: 0
        Store Name: Evaluation License Storage
Index: 3  Feature: TEST_FEATURE_2     Version: 1.0
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 1  hour  0  minute
            Evaluation period left: 1  hour  0  minute
        License Count: Non-Counted
        License Priority: None
        Store Index: 1
        Store Name: Evaluation License Storage

How do I see if the correct features were enabled or which type (baseip,
ipservice, advipservice) is installed ?
Maybe somebody with a working and licensed router can compare the output ?

What happens if I reboot and the license was wrong (i.e. baseip only),
does the IOS reject commands in that case or is the whole licensing on
6500/7600 just a dummy ?

What is my proof that I have a valid license in case somebody
checks/requests this for whatever reason ?
The CD, the invoice or something else ?

kind regards
Rolf




Re: [c-nsp] Sup2T / IOS15 licensing questions

2013-08-29 Thread Rolf Hanßen
Hi,

so there is no key or certificate or reference number at all ?
What prevents customers from buying one alibi license for all devices if
there is no link to the device?
Does it have any effect at all if you configure/install such a pseudo
license or not ?

regards
Rolf

 On 29/08/13 17:45, Rolf Hanßen wrote:

 How do I see if the correct features were enabled or which type (baseip,
 ipservice, advipservice) is installed ?
 Maybe somebody with a working and licensed router can compare the output
 ?

 What happens if I reboot and the license was wrong (i.e. baseip only),
 does the IOS reject commands in that case or is the whole licensing on
 6500/7600 just a dummy ?

 That's not how 6500 works.

 For 6500, on both sup720 and sup2T IIRC, the feature set is determined
 by the image you boot. There's no license key for advanced IP services
 - you just boot that image.

 To see which feature is installed/enabled, just look to see which
 image is booted.

 The right to use the software comes from having purchased that version
 of the software with the chassis, or having purchased an upgrade later on.

 See also

 http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/qa_c67-661785.pdf

 As an example - most of our 6500 purchases came with a line item for:

 S733ZK9M-12218SXD

 ...which is the Advanced IP service package, and confers the right to
 use that image (and smartnet confers the right to upgrade).





Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-07-09 Thread Rolf Hanßen
Hello,

exactly that was the plan.
We keep CoPP a bit open until the next bigger maintenance work and then
will try another IOS.

regards
Rolf

 I would try switching code versions.
 It sounds like you are hitting a bug.
 Given the fact that other boxes running different code are behaving normally,
 the only conclusion is that it is a software issue.
 Keep in mind that TAC may not have it listed as a known bug even though it
 was fixed.

 LR Mack McBride
 Network Architect

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Rolf Hanßen
 Sent: Monday, July 01, 2013 6:44 AM
 To: Nick Hilliard
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC
 learning

 Hi,

 If I had a support contract for that box I would open a tac case now. ;)

 kind regards
 Rolf

 On 28/06/2013 17:55, Rolf Hanßen wrote:
 does not look like this is a general hardware version issue.

 mmm, ok.  I would:

 - run a context diff on the configuration on each of these machines to
 ensure that there are no syntactic differences

 - disable and then re-enable copp on the affected box to ensure that
 it's reprogrammed correctly into the hardware (sometimes things get
 messed up on the way down to the line cards)

 - compare the output of show mls rate-limit on all machines

 - check your platform acl tcam capacity using show platform hardware
 capacity acl, to ensure that you still have some acl tcam space
 available for your copp config.

 If this doesn't point towards a resolution, I'd open up a tac case.

 Nick


 But I found a box with the same hardware versions:

 Mod  Port Model  Serial #Versions
   -- ---
 -
   52  WS-SUP720-3B   ### Hw : 5.3
  Fw : 8.4(2)
  Sw : 12.2(33)SXJ
  Sw1: 20.1(1)SXJ
   WS-SUP720  ### Hw : 2.6
  Fw : 12.2(17r)SX7
  Sw : 12.2(33)SXJ
   WS-F6K-PFC3B   ### Hw : 2.3

 This box also works as soon as I enter mls rate-limit unicast cef
 glean 500.

 kind regards
 Rolf

 Any further ideas except hardware failure, buggy software or try
 rebooting it ?

 Could be a hardware issue.  As someone else mentioned (Phil?), this
 particular feature is hardware revision dependent.

 What hardware versions are each of your SUP720s (show module)?

 Nick














[c-nsp] privilege exec ... unexpected behaviour

2013-07-09 Thread Rolf Hanßen
Hello,

Following Setup:
I created a User with no privileges and want to allow some commands. I
configured:
privilege exec level 0 show bgp ipv6 unicast
privilege exec level 0 show bgp ipv4 unicast
privilege exec level 0 show ip bgp
privilege exec level 0 show ip route
All commands were accepted by the cli.

I then access the device with the limited user.
Those commands work fine:
show ip route 1.2.3.4
show ip bgp 1.2.3.4

But the sh bgp ... commands fail:
Router>show bgp ?
  all   All address families
  ipv4  Address family
  ipv6  Address family
  l2vpn Address family
  nsap  Address family
  rtfilter  Address family
  vpnv4 Address family
  vpnv6 Address family

Router>show bgp ipv4 ?
% Unrecognized command
Router>show bgp ipv4

The Config file also does not list the commands.
Router#sh running-config | inc privilege exec
privilege exec level 0 show bgp
privilege exec level 0 show ipv6 route
privilege exec level 0 show ipv6
privilege exec level 0 show ip bgp
privilege exec level 0 show ip route
privilege exec level 0 show ip
privilege exec level 0 show


Is there some additional config needed or is it some kind of
restriction/limitation ?

Hardware is Sup2T
Software is 15.0(1)SY2

kind regards
Rolf



Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-07-01 Thread Rolf Hanßen
Hi,

If I had a support contract for that box I would open a tac case now. ;)

kind regards
Rolf

 On 28/06/2013 17:55, Rolf Hanßen wrote:
 does not look like this is a general hardware version issue.

 mmm, ok.  I would:

 - run a context diff on the configuration on each of these machines to
 ensure that there are no syntactic differences

 - disable and then re-enable copp on the affected box to ensure that it's
 reprogrammed correctly into the hardware (sometimes things get messed up
 on
 the way down to the line cards)

 - compare the output of show mls rate-limit on all machines

 - check your platform acl tcam capacity using show platform hardware
 capacity acl, to ensure that you still have some acl tcam space available
 for your copp config.

 If this doesn't point towards a resolution, I'd open up a tac case.

 Nick


 But I found a box with the same hardware versions:

 Mod  Port Model  Serial #Versions
   -- ---
 -
   52  WS-SUP720-3B   ### Hw : 5.3
  Fw : 8.4(2)
  Sw : 12.2(33)SXJ
  Sw1: 20.1(1)SXJ
   WS-SUP720  ### Hw : 2.6
  Fw : 12.2(17r)SX7
  Sw : 12.2(33)SXJ
   WS-F6K-PFC3B   ### Hw : 2.3

 This box also works as soon as I enter mls rate-limit unicast cef glean
 500.

 kind regards
 Rolf

 Any further ideas except hardware failure, buggy software or try
 rebooting it ?

 Could be a hardware issue.  As someone else mentioned (Phil?), this
 particular feature is hardware revision dependent.

 What hardware versions are each of your SUP720s (show module)?

 Nick











Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-06-28 Thread Rolf Hanßen
Hello,

thanks for the info but that does not help in my case, just tried out.

The link confirms:
if traffic matches a special-case rate limiter, it is never compared
against the hardware CoPP policy. It will only be compared against the
software CoPP policy

So I guess now it is dropped in software instead of hardware. ;)

kind regards
Rolf

 On 27/06/2013 17:36, Rolf Hanßen wrote:
 Is there a way to match that destination IP = connected IP without
 entry
 in arp table traffic ? I found no such option in the syntax.

 that is a glean packet, and is handled using rate limiters, not CoPP:

 Router(config)#mls rate-limit unicast cef glean ?
   10-100  packets per second

 more info here:

 http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html#wp9000211

 Nick







Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-06-28 Thread Rolf Hanßen
Hi,

no egress ACL.
On the box I tested there is no ACL bound to any interface at all, only
some in copp classes and one for the line vty.

regards
Rolf

 On 28/06/13 13:14, Rolf Hanßen wrote:
 Hello,

 thanks for the info but that does not help in my case, just tried out.

 The link confirms:
 if traffic matches a special-case rate limiter, it is never compared
 against the hardware CoPP policy. It will only be compared against the
 software CoPP policy

 Hmph. That's odd. I thought we had come to the conclusion that MLS
 rate-limiters circumvented *all* CoPP, hardware & software.

 Do you have egress ACLs? Have you read this:

 http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#wp1036022

 
 If you enable the CEF rate limiters, the following behaviors occur (if
 the behavior that is listed is unacceptable, disable the CEF rate
 limiters):

 •If a packet hits a glean/receive adjacency, the packet may be dropped
 instead of being sent to the software if there is an output ACL on the
 input VLAN and the matched entry result is deny.
 





Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-06-28 Thread Rolf Hanßen
Hello,

there is no explicit config (but listed by sh policy-map control-plane),
I now added:
  class class-default
   police cir 512000 bc 1000 conform-action transmit exceed-action transmit violate-action transmit

Something matches the default class but ARP still does not work.

Also tried mls qos protocol ARP police without success.

But what makes me crazy:
The affected Sup720 has 12.2(33)SXH

I now tried to reproduce on other devices:
Sup2T: no ARP issue, the limiter is enabled by default:
Sup720 #2 (Version 15.1(2)S): mls rate-limit unicast cef glean solves
the arp issue
Sup720 #3 (version 12.2(33)SXH2): it also works with mls rate-limit
unicast cef glean configured

Any further ideas except hardware failure, buggy software or try
rebooting it ?

regards
Rolf

 On (2013-06-28 15:05 +0200), Rolf Hanßen wrote:

 no egress ACL.
 On the box I tested there is no ACL bound to any interface at all, only
 some in copp classes and one for the line vty.

 Do you have 'class-default' configured?

 I have penultimate rule 'CoPP-IP' which drops, like yours, everything
 matching to 'ip any any' ACL.
 After that I have class-default, where I permit (I need it at least for
 ISIS). If not configured, it's permit as well.

 I also have:
 mls rate-limit unicast cef glean 200 50
 mls qos protocol ARP police 200 62000

 And no ARP issues (beware if you're switching also that the ARP police
 affects transit ARP also)

 --
   ++ytti





Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-06-28 Thread Rolf Hanßen
Hi Nick,

does not look like this is a general hardware version issue.

the bad box:
Mod  Port Model  Serial #Versions
  -- ---
-
  52  WS-SUP720-3B   ### Hw : 5.3
 Fw : 8.5(1)
 Sw : 12.2(33)SXH
 Sw1: 8.7(0.22)SXH11
  WS-SUP720  ### Hw : 2.6
 Fw : 12.2(17r)SX7
 Sw : 12.2(33)SXH
  WS-F6K-PFC3B   ### Hw : 2.3

the good #1:
Mod  Port Model  Serial #Versions
  -- ---
-
  52  WS-SUP720-3B   ### Hw : 5.2
 Fw : 8.4(2)
 Sw : 12.2(33)SXH2
 Sw1: 8.7(0.22)BUB25
  WS-SUP720  ### Hw : 2.5
 Fw : 12.2(17r)S4
 Sw : 12.2(33)SXH2
  WS-F6K-PFC3B   ### Hw : 2.3

the good #2:
Mod  Port Model  Serial #Versions
  -- ---
-
  62  WS-SUP720-3BXL ### Hw : 4.1
 Fw : 8.5(2)
 Sw : 15.1(2)S
 Sw1: (sierra_main_dev)1.0.5
  WS-SUP720  ### Hw : 2.2
 Fw : 12.2(17r)SX5
 Sw : 15.1(2)S
  WS-F6K-PFC3BXL ### Hw : 1.8


But I found a box with the same hardware versions:

Mod  Port Model  Serial #Versions
  -- ---
-
  52  WS-SUP720-3B   ### Hw : 5.3
 Fw : 8.4(2)
 Sw : 12.2(33)SXJ
 Sw1: 20.1(1)SXJ
  WS-SUP720  ### Hw : 2.6
 Fw : 12.2(17r)SX7
 Sw : 12.2(33)SXJ
  WS-F6K-PFC3B   ### Hw : 2.3

This box also works as soon as I enter mls rate-limit unicast cef glean
500.

kind regards
Rolf

 Any further ideas except hardware failure, buggy software or try
 rebooting it ?

 Could be a hardware issue.  As someone else mentioned (Phil?), this
 particular feature is hardware revision dependent.

 What hardware versions are each of your SUP720s (show module)?

 Nick







[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

2013-06-27 Thread Rolf Hanßen
Hi,

we recently installed CoPP on several boxes (Sup720, Sup2T).
We have a lot of allow ... whitelist rules and end with a
class dropping everything:

  class class-copp-any-ip
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class-copp-any-ip
  match access-group name acl-copp-any-ip
ip access-list extended acl-copp-any-ip
 permit ip any any

This works fine so far but we now found out that this results in a certain
problem:
Host A with IP x.x.x.x is connected to the Cisco and has no ARP entry yet.
If somebody from outside starts a connection to host A (TCP/UDP), the
packet is dropped, the Cisco does not learn the MAC of host A.

I guess this happens because without an existing arp entry the packet
needs to be sent to the RP and is dropped by CoPP.

I changed the last rule to conform-action transmit to allow a small
amount of any traffic.
This works but is not what we intended.

Is there a way to match that destination IP = connected IP without entry
in arp table traffic ? I found no such option in the syntax.
Any other option, maybe bypass CoPP for that traffic and rate-limit it
another way ?

kind regards
Rolf




Re: [c-nsp] Sup720 hanging after rommon starts loading IOS

2013-06-18 Thread Rolf Hanßen
Hi,

now got another annoying card, this one does not boot from bootdisk:

--
System Bootstrap, Version 8.5(4)
Copyright (c) 1994-2009 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

Autoboot executing command: boot
bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXH.bin
Loading image, please wait ...


Initializing ATA monitor library...
monlib.open(): Open Error = -66
loadprog: error - on file open
boot: cannot load bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXH.bin
Exit at the end of BOOT string
rommon 1 > dev
Devices in device table:
id  name
 bootdisk:  boot disk
disk0:  PCMCIA Disk 0
disk1:  PCMCIA Disk 1
eprom:  eprom
rommon 2 > dir bootdisk:

Initializing ATA monitor library...
monlib.open(): Open Error = -66
dir: cannot open device bootdisk:
rommon 3 >
--

That is a 3bxl.
After replacing the battery I was able to flash the ROMMONs. ;)

Same adapter + same flash card boots in another Sup720 with same ROMMON
versions.
Also tried version 8.5.3 and 8.4.2.
RP has 12.2(17r)SX7 installed (I guess that does not matter anyway).
Booting from disk0: works fine, I can access sup-bootdisk: from within IOS.
I already tried to format it and copy IOS image again but that looks to me
like something prior to the magic number things.

Any further idea ?

kind regards
Rolf

 On 4/24/13 2:31 PM, Paul wrote:
 For compact flash cards you need to put them in a PC, and remove the
 partition table (or format it FAT16).
 Once the partition table is completely removed , format it in your
 supervisor and it will work every time.
 The issue is that most flash cards come with the partition table already
 created and already formatted.




 You also can't boot from a flash disk that hasn't been
 formatted/'blessed' by the platform its been inserted into.  This
 platform limitation also applies to differences in SUPs, such as between
 SUP32, SUP720, etc.

 We had gotten a 720 with no flash, its internal flash had been wiped
 completely.  Tried using a flash formatted and loaded in the SUP32 we
 have - wouldn't successfully boot, then tried with a RSP16 from a 7500
 series, and still couldn't make it boot off the flash.

 Finally succeeded in tickling the 720 to boot off of the one made in the
 RSP16 after fooling with its ROMMON.  Apparently, the format command
 adds some hidden flags or files to the flash which when not present or
 of the wrong type, it will cause the boot loader to pretend like the
 flash is unbootable even with the right files on it.

 Important side note for anyone with a SUP720 - you can't load an IOS
 image over serial or TFTP with the ROMMON.  For serial, its particularly
 deceptive in that the command is there, but will fail every single time.

 Yay Cisco!


 --
 Brielle Bruns
 The Summit Open Source Development Group
 http://www.sosdg.org/ http://www.ahbl.org





Re: [c-nsp] DNS amplification

2013-05-14 Thread Rolf Hanßen
Hello Nick,

guess I did not understand what source IP is allowed with allow-self-ping.
I just tried out with that setup:

Attacking server somewhere in 1.0.0.0/24 connected to Sup2T with 1.0.0.1
and 1.0.0.2 (hard-coded + HSRP).
Target is 2.0.0.123 (connected somewhere else).

No matter if allow-self-ping is set or not, packets with those sources are
dropped:
1.0.0.1
1.0.0.2
1.0.0.255
2.0.0.123

Only source=1.0.0.3-254 works, that looks like correct behaviour to me.
What additional spoofed IP(s) could be used in that case with
allow-self-ping set ?

kind regards
Rolf

 On 08/05/2013 15:06, Rolf Hanßen wrote:
 R2(config-if)#ip verify unicast source reachable-via rx ?
 ...
   allow-self-ping  Allow router to ping itself (opens vulnerability in
 verification)
   l2-src Check packets arrive with correct L2 source address

 What kind of vulnerability is that ? Just for my interest, I do not need
 to ping myself usually. ;)

 In order to ping an interface address, the packet needs to go through the
 normal packet forwarding process.  This includes a urpf check.  As the
 ping
 packet does not come from the interface itself, it will fail a urpf check
 and the packet will be dropped unless allow-self-ping is enabled.  If
 you
 enable allow-self-ping, the vulnerability is that you can also send
 packets to the router with srcip=dstip and they will pass the urpf check.

 Nick







Re: [c-nsp] DNS amplification

2013-05-08 Thread Rolf Hanßen
Hello,

I have 2 further questions but could not find any hints about it in the web.

R2(config-if)#ip verify unicast source reachable-via rx ?
...
  allow-self-ping  Allow router to ping itself (opens vulnerability in
verification)
  l2-src Check packets arrive with correct L2 source address

What kind of vulnerability is that ? Just for my interest, I do not need
to ping myself usually. ;)

What exactly does l2-src check ?
From the description I would guess it checks if there is an ARP entry for
the source IP of the incoming packet and compares it with the source MAC
from each packet incoming.
I tested and could send packets with changed source IPs without an entry
in the MAC table at all for that source IP and also with another MAC
(configured statically) in the arp table.

kind regards
Rolf Hanßen

 Hi,

 On Sun, Mar 17, 2013 at 05:46:21PM +0100, Rolf Hanßen wrote:
 If that is not just a bad/wrong explanation or a joke, what sense makes
 urpf if it cannot be enabled and configured for each interface
 individually and as a consequence of this cannot be implemented without
 possible service impact ?

 Each interface can be on/off individually just fine.  What does not work
 is have some interfaces in strict mode and other interfaces in loose
 mode on the same sup720 (EARL7) box (is this fixed in EARL8, btw?).

 So if all you have on the box is customers (strict mode) and core
 (no uRPF), you're fine.

 If all the box does is core (no uRPF) and uplinks/peerings (loose mode
 to be able to do S-RTBH), you're fine as well.

 Only if you have customers and uplink/peering interfaces on the same box,
 this gets problematic.

 I am sure we are not the only ones that do not activate it because it may
 cause more problems than it will solve.
 btw, if there is a way to enable it for single (vlan)interfaces (up to a
 few hundred) without any effect for other interfaces, please let me
 know.

 just turn it on :-)

 gert
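The uRPF modes and the allow-self-ping exception discussed in this thread (and tested in the 2013-05-14 post above), as an added Python model; this is not code from the list or from Cisco, and the FIB, interface names and addresses are constructed to mirror the test setup described in the thread (1.0.0.0/24 on a VLAN with router addresses 1.0.0.1 and 1.0.0.2, target 2.0.0.123 elsewhere). The self-ping rule follows Nick's description: a packet sourced from one of the router's own addresses passes only when it is also addressed to that same address.

```python
"""Decision model for IOS unicast RPF on one ingress interface.

Added example, not code from the list or from Cisco. It follows the
description in this thread: strict mode (reachable-via rx) requires the
best route back to the source to point out the ingress interface, loose
mode (reachable-via any) only requires some route, the default route is
ignored unless allow-default is set, and allow-self-ping exempts packets
with srcip == dstip == one of the router's own addresses. The FIB and the
sample packets are constructed and mirror the test setup in the thread.
"""
import ipaddress
from typing import Dict, Iterable, Tuple


class UrpfRouter:
    def __init__(self, fib: Iterable[Tuple[str, str]], own_addrs: Iterable[str]):
        # fib: (prefix, egress interface); own_addrs: the router's own interface addresses
        self.fib = [(ipaddress.ip_network(p), iface) for p, iface in fib]
        self.own = {ipaddress.ip_address(a) for a in own_addrs}

    def best_route(self, addr):
        """Longest-prefix match, or None when the FIB has no covering route."""
        hits = [(net, iface) for net, iface in self.fib if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None

    def passes(self, src: str, dst: str, ingress: str, mode: str = "rx",
               allow_default: bool = False, allow_self_ping: bool = False) -> bool:
        """True if the packet survives the uRPF check on `ingress`."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.own:
            # A router-owned source resolves to a receive adjacency, not to an
            # interface; only the allow-self-ping exception lets it through, and
            # only when the packet is also addressed to that same address.
            return allow_self_ping and s == d
        route = self.best_route(s)
        if route is None:
            return False
        net, egress = route
        if net.prefixlen == 0 and not allow_default:
            return False  # default route does not count unless allow-default
        if mode == "any":
            return True  # loose mode: any usable route suffices
        return egress == ingress  # strict mode: route must point back out the ingress interface


def thread_router() -> UrpfRouter:
    """Constructed FIB resembling the thread's test setup (interface names are assumed)."""
    return UrpfRouter(
        fib=[("1.0.0.0/24", "Vlan10"), ("2.0.0.0/24", "Te1/1"), ("0.0.0.0/0", "Te1/2")],
        own_addrs=["1.0.0.1", "1.0.0.2"],
    )


def run_samples() -> Dict[str, bool]:
    """Evaluate constructed packets arriving on the customer VLAN."""
    r = thread_router()
    vlan = "Vlan10"
    target = "2.0.0.123"
    return {
        # a legitimately addressed host on the connected /24
        "host-source-strict": r.passes("1.0.0.3", target, vlan),
        # the router's own address as source: dropped with or without allow-self-ping
        "router-addr-source-strict": r.passes("1.0.0.1", target, vlan),
        "router-addr-source-selfping": r.passes("1.0.0.1", target, vlan, allow_self_ping=True),
        # the exception itself: src == dst == router address
        "self-ping-exception": r.passes("1.0.0.1", "1.0.0.1", vlan, allow_self_ping=True),
        "self-ping-disabled": r.passes("1.0.0.1", "1.0.0.1", vlan),
        # a source that is routed elsewhere: strict catches it, loose does not
        "routed-elsewhere-strict": r.passes(target, target, vlan),
        "routed-elsewhere-loose": r.passes(target, target, vlan, mode="any"),
        # a source covered only by the default route
        "default-only-strict": r.passes("203.0.113.9", target, vlan),
        "default-only-loose-allow-default": r.passes("203.0.113.9", target, vlan,
                                                     mode="any", allow_default=True),
    }


if __name__ == "__main__":
    for label, ok in run_samples().items():
        print(f"{label:36s} {'pass' if ok else 'drop'}")
```

The "routed-elsewhere" pair is the point gert makes about strict versus loose: loose mode only asks whether a route for the source exists, so on a peering interface it is fine for S-RTBH but does nothing against a customer spoofing any routed prefix.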




Re: [c-nsp] Need help with IPv6 CoPP

2013-05-08 Thread Rolf Hanßen
Hi,

I captured on the Sup2T (001c.0f1c.bc00) with monitor capture start +
sh monitor capture buffer | inc 86DD:
len 130 ,  ..0005  001c.0f1c.bc00  86DD
6E4C5901FE80
len 114 ,  ..0005  001c.0f1c.bc00  86DD
6E3C5901FE80
len 90  ,  ..0005  001c.0f1c.bc00  86DD
6E245901FE80
len 90  ,  ..0016  001c.0f1c.bc00  86DD
6E240001FE80
len 94  ,  001c.0f1c.bc00  0011.5d9b.a180  86DD
6E285901FE80
len 82  ,  0011.5d9b.a180  001c.0f1c.bc00  86DD
6E1C5901FE80
len 94  ,  0011.5d9b.a180  001c.0f1c.bc00  86DD
6E285901FE80
len 90  ,  ..0016  001c.0f1c.bc00  86DD
6E240001FE80
len 82  ,  001c.0f1c.bc00  0011.5d9b.a180  86DD
6E1C5901FE80
len 162 ,  001c.0f1c.bc00  0011.5d9b.a180  86DD
6E6C5901FE80
len 82  ,  0011.5d9b.a180  001c.0f1c.bc00  86DD
6E1C5901FE80
len 82  ,  001c.0f1c.bc00  0011.5d9b.a180  86DD
6E1C5901FE80
len 118 ,  0011.5d9b.a180  001c.0f1c.bc00  86DD
6E405901FE80
len 246 ,  001c.0f1c.bc00  0011.5d9b.a180  86DD
6EC05901FE80
len 130 ,  ..0005  001c.0f1c.bc00  86DD
6E4C5901FE80
len 90  ,  ..0016  001c.0f1c.bc00  86DD
6E240001FE80
len 114 ,  ..0005  001c.0f1c.bc00  86DD
6E3C5901FE80
len 114 ,  ..0005  0011.5d9b.a180  86DD
6E3C5901FE80
len 114 ,  ..0005  0011.5d9b.a180  86DD
6E3C5901FE80
len 94  ,  ..0005  0011.5d9b.a180  86DD
6E285901FE80

As far as I see everything directed to the Sup720 (0011.5d9b.a180) has
next header 0x59, which is 89 / OSPF.

kind regards
Rolf

 On 07/05/2013 13:05, Rolf Hanßen wrote:
 So as far as I tested Sup2T only needs:
 permit 89 FE80::/10 any

 Sup720 needs:
 permit 89 FE80::/10 any
 permit ipv6 FE80::/10 FE80::/10

 ok, odd.

 Some minutes later:
 1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
 EXSTART to DOWN, Neighbor Down: Too many retransmits

 If I were debugging this and if there were differences between the sup720
 and the sup2t, I would span the RP to see what sort of packets the sup2t
 is
 seeing.  I don't have any sup2ts to test this out, but if you get a packet
 dump, you should be able to design a copp policy based on that.

 Nick







Re: [c-nsp] Need help with IPv6 CoPP

2013-05-07 Thread Rolf Hanßen
Hello Nick,

that does not help if I cannot filter using the protocol number.
Maybe I did not describe it exactly.
Whatever OSPF sends, it is not protocol number 89 or CoPP is not able to
filter the protocol number.

I did further testing and changed everything to a Sup2T compatible way
(only one ACL each class).

Those 3 rules were part of my initial config, only the first seems to match:
permit 89 FE80::/10 any
permit 89 any FE80::/10
permit ipv6 any FE02::/16

That rule makes it working (state changes to FULL):
permit ipv6 FE80::/10 FE80::/10

That rules does not work (replacing the above one):
permit 89 FE80::/10 FE80::/10

That rule works but the log does not log anything:
permit ipv6 FE80::/10 FE80::/10 log

On Sup720 permit ipv6 FE80::/10 FE80::/10 matches and seems to be
needed, on Sup2T it does not match and the ACL is not needed to make OSPF
reach FULL.

So as far as I tested Sup2T only needs:
permit 89 FE80::/10 any

Sup720 needs:
permit 89 FE80::/10 any
permit ipv6 FE80::/10 FE80::/10

Also no matter which router becomes DR / BDR.


debug ipv6 ospf packet on the Sup720 shows:

The second after clear ipv6 ospf process
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL
to DOWN, Neighbor Down: Interface down or detached
1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
  aid:0.0.0.123 chk:5A51 inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:2 l:28 rid:123.123.123.123
  aid:0.0.0.123 chk:634D inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:2 l:108 rid:123.123.123.123
  aid:0.0.0.123 chk:81C3 inst:0 from Vlan25
1w5d: OSPFv3: rcv. v:3 t:4 l:192 rid:123.123.123.123
  aid:0.0.0.123 chk:594C inst:0 from Vlan25
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
LOADING to FULL, Loading Done

Every few seconds:
1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
  aid:0.0.0.123 chk:C24C inst:0 from Vlan25

clear ipv6 ospf process without permit ipv6 FE80::/10 FE80::/10
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL
to DOWN, Neighbor Down: Interface down or detached
1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123
  aid:0.0.0.123 chk:59F7 inst:0 from Vlan25

Some minutes later:
1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from
EXSTART to DOWN, Neighbor Down: Too many retransmits

kind regards
Rolf


 On 07/05/2013 08:31, Adam Vitkovsky wrote:
 OSPFv3 should be using addresses from FF02 Multicast link-local address
 sub-range:
 FF02::5 all OSPF routers
 FF02::6 all OSPF designated routers
 So you should be able to limit the permit range to these two.

 No, multicast is only used for hello and LSA transmission on broadcast
 medium networks.  Outside this, unicast can be used and and will usually
 use addresses from the standard fe80::/10 range, but if you're using
 virtual links they can be global addresses.

 It's a more sensible idea to filter protocol 89 to your core address
 ranges
 using an iACL and then permit all 89 in the CoPP policy.

 Nick


 adam

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Dobbins, Roland
 Sent: Monday, May 06, 2013 6:51 PM
 To: cisco-nsp NSP
 Subject: Re: [c-nsp] Need help with IPv6 CoPP


 On May 6, 2013, at 11:11 PM, Rogelio Gamino wrote:

 At that stage, neighbors agree on Master/Slave relationship before
 moving
 to exchange DBD's.

 Unless you're doing OSPF with an external organization and anticipate an
 attack (either deliberate or inadvertent) from the adjacent router(s),
 why
 not leave OSPF out of it entirely, and instead concentrate on traffic
 which
 is layer-3-agile?

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Luck is the residue of opportunity and design.

 -- John Milton






[c-nsp] Need help with IPv6 CoPP

2013-05-06 Thread Rolf Hanßen
Hello list,

I am trying to configure IPv6 CoPP and could use some help with several
issues.

First of all I need to know how to allow/filter OSPFv3 sessions.
I am filtering with those rules (reduced them to the minimum for testing):

-
mls ipv6 acl compress address unicast

policy-map policy-copp-in
  class class-copp-ospf
   police cir 5000 bc 625000 conform-action transmit exceed-action drop violate-action drop
  class class-copp-icmp
   police cir 5000 bc 625000 conform-action transmit exceed-action drop violate-action drop
  class class-copp-any-ip
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class-copp-ospf
  match access-group name acl-copp-ospf

ipv6 access-list acl-copp-ospf
 permit 89 FE80::/10 any
 permit 89 any FE80::/10 (should be obsolete)

class-map match-any class-copp-icmp
  match access-group name acl-copp-icmp

ipv6 access-list acl-copp-icmp
 permit icmp any any

class-map match-any class-copp-any-ip
  match access-group name acl-copp-any-ipv6

ipv6 access-list acl-copp-any-ipv6
 permit ipv6 any any log
-

If I apply the policy-map after OSPF changes to FULL, it stays in that
status.
If I apply the map and clear OSPF process it flaps the whole time between
EXSTART and DOWN:

%OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from EXSTART to DOWN,
Neighbor Down: Too many retransmits
%OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from DOWN to DOWN,
Neighbor Down: Ignore timer expired

If I change class-copp-any-ip to conform-action transmit, it works again
and changes to FULL.
Unfortunately none of the packets matched by permit ipv6 any any log is
logged.

I found out that a permit ipv6 FE80::/10 FE80::/10 (not protocol 89,
must be something else) makes it going to full again but that is not very
helpful rule to me.

Can somebody tell me what type of packet does OSPF send or what
additional/replacement ACL can be used ?
Can furthermore somebody tell me if there is a way to make that box log
all packets from log acl entries and not only random/software
switched/whatever ?



After finding out the above I included the rules to the prior created
entries.
And it did not work anymore.
Platform is Sup720-3B in 6509. I hoped that Sup2T is able to log
more/better or give me a hint what goes wrong and tried it out.

There I got that error here:
R2(config-cp)# service-policy input policy-copp-in
QoS: Multiple acl entries cannot be used in match-any in class
class-copp-allowed-important

Is there a way to allow multiple entries or do I need to build a giant
policy-map and a mass of class-maps (one each acl) ?
Is there maybe a way to bypass the class-map and directly configure the
ACLs ?

I then tried to move the permit ipv6 FE80::/10 FE80::/10 to an own
class-map and it worked (even though no match of that rule is shown).

Does Sup720 also have some number of entries limitations (class-maps
each policy, acls each class, entries each acl, maybe total number of
entries) but just gives no error messages (just does not work/match in
such cases) ? Or is there maybe some bug I hit ?
Both could explain that behaviour imho.

kind regards
Rolf
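The first-match classification behind the policy-map in this post, together with the glean-adjacency rule quoted in the "Drop rule at the end of CoPP" thread above (a packet that hits the CEF glean rate limiter is never compared against the hardware CoPP policy), as an added Python model. This is not code from the list or from Cisco, it does not reproduce the Sup720 matching quirk Rolf observed, and every packet, address and policer action below is constructed for illustration; `permit icmp` in an ipv6 access-list is read as next header 58.

```python
"""Model of first-match CoPP classification on a 6500/7600-style box.

Added example, not code from the list or from Cisco. It models two things
discussed in the threads:
  * the ordered class-maps of a policy-map, each backed by one ACL (the first
    class whose ACL matches wins; an unconfigured class-default permits);
  * the special-case CEF glean rate limiter: a packet punted for a missing
    ARP/ND entry is handled by `mls rate-limit unicast cef glean` and is
    never compared against the hardware CoPP policy.
All packets and policies below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int           # IP protocol / IPv6 next header (89 = OSPF, 58 = ICMPv6, 51 = AH)
    glean: bool = False  # destination is connected but has no ARP/ND entry yet


@dataclass
class AclEntry:
    proto: Optional[int]  # None = any protocol, i.e. "permit ip/ipv6 ..."
    src: str = ANY
    dst: str = ANY

    @staticmethod
    def _in(addr: str, prefix: str) -> bool:
        if prefix == ANY:
            return True
        # membership across address families simply yields False
        return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self._in(pkt.src, self.src) and self._in(pkt.dst, self.dst)


@dataclass
class CoppClass:
    name: str
    acl: List[AclEntry]
    conform_action: str  # "transmit" or "drop" (policer rates are out of scope here)


@dataclass
class CoppPolicy:
    classes: List[CoppClass]
    glean_limiter_pps: Optional[int] = None  # mls rate-limit unicast cef glean <pps>

    def classify(self, pkt: Packet) -> Tuple[str, str]:
        """Return (what handled the packet, resulting action)."""
        if pkt.glean and self.glean_limiter_pps is not None:
            # Special-case rate limiter: bypasses the hardware CoPP policy entirely.
            return ("mls rate-limit unicast cef glean",
                    f"punt, limited to {self.glean_limiter_pps} pps")
        for cls in self.classes:
            if any(entry.matches(pkt) for entry in cls.acl):
                return (cls.name, cls.conform_action)
        return ("class-default", "transmit")


def ipv6_policy() -> CoppPolicy:
    """The IPv6 policy-map from the post, with `permit icmp` read as next header 58."""
    return CoppPolicy([
        CoppClass("class-copp-ospf",
                  [AclEntry(89, "FE80::/10", ANY), AclEntry(89, ANY, "FE80::/10")], "transmit"),
        CoppClass("class-copp-icmp", [AclEntry(58)], "transmit"),
        CoppClass("class-copp-any-ip", [AclEntry(None)], "drop"),
    ])


def ipv4_policy(glean_pps: Optional[int]) -> CoppPolicy:
    """The whitelist-then-drop-everything IPv4 policy from the CoPP thread."""
    return CoppPolicy([CoppClass("class-copp-any-ip", [AclEntry(None)], "drop")], glean_pps)


def run_samples() -> dict:
    """Classify constructed packets; values are (handler, action)."""
    v6 = ipv6_policy()
    samples = {
        # OSPFv3 hello to all-OSPF-routers: multicast, next header 89
        "ospfv3-hello": (v6, Packet("fe80::1", "ff02::5", 89)),
        # OSPFv3 database description: unicast link-local to link-local, next header 89
        "ospfv3-dbd": (v6, Packet("fe80::1", "fe80::2", 89)),
        # OSPFv3 with authentication: the outer header is AH (51), so 89 never matches
        "ospfv3-with-ah": (v6, Packet("fe80::1", "fe80::2", 51)),
        # Neighbor solicitation: ICMPv6
        "nd-solicit": (v6, Packet("fe80::1", "ff02::1:ff00:2", 58)),
        # TCP from a global address to the control plane
        "tcp-global": (v6, Packet("2001:db8::5", "2001:db8::1", 6)),
        # IPv4 TCP to a connected host with no ARP entry: needs a glean punt
        "glean-no-limiter": (ipv4_policy(None), Packet("198.51.100.7", "192.0.2.10", 6, glean=True)),
        "glean-with-limiter": (ipv4_policy(500), Packet("198.51.100.7", "192.0.2.10", 6, glean=True)),
    }
    return {label: pol.classify(pkt) for label, (pol, pkt) in samples.items()}


if __name__ == "__main__":
    for label, (handler, action) in run_samples().items():
        print(f"{label:20s} -> {handler:34s} {action}")
```

Two of the constructed cases map directly onto the threads: "ospfv3-with-ah" shows why Bergonzoni's authentication hint matters (an AH-wrapped OSPFv3 packet falls through to the catch-all drop class), and the two "glean" cases show why the whitelist-then-drop policy stopped ARP learning until `mls rate-limit unicast cef glean` took that punt path away from CoPP.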




Re: [c-nsp] Need help with IPv6 CoPP

2013-05-06 Thread Rolf Hanßen
Hello,

I used no authentication for testing, but thanks for the hint, need to put
that on the checklist before implementing. ;)

kind regards
Rolf

 If I apply the policy-map after OSPF changes to FULL, it stays in that
 status.
 If I apply the map and clear OSPF process it flaps the whole time
 between
 EXSTART and DOWN:

 Are you using OSPFv3 authentication? In this case the first protocol in
 the packets is AH, and the next is OSPF. This doesn't fully explain what
 you're seeing, but is something to check.

 I have no clue for the other strangenesses you describe.

 Regards,
   Bergonz


 --
 Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
 Phone:+39-051-6781926 e-mail: berg...@labs.it
 alt.advanced.networks.design.configure.operate





Re: [c-nsp] Need help with IPv6 CoPP

2013-05-06 Thread Rolf Hanßen
Hello,

in the non-working copp-config sh ipv6 ospf nei shows
EXSTART/BDR and EXSTART/DR, so looks like they already found out.

Anyway, do you know which protocol number and maybe port-number they use
(if it is not 89 and CoPP just does not filter correctly) ?
Using permit ipv6 FE80::/10 FE80::/10 without anything further does not
make much sense because it matches half of the possible ipv6 risk
traffic.

kind regards
Rolf

 At that stage, neighbors agree on Master/Slave relationship before moving
 to exchange DBD's. This traffic is unicast between neighbors.


 On Mon, May 6, 2013 at 11:30 AM, Rolf Hanßen n...@rhanssen.de wrote:

 Hello,

 I used no authentication for testing, but thanks for the hint, need to
 put
 that on the checklist before implementing. ;)

 kind regards
 Rolf

  If I apply the policy-map after OSPF changes to FULL, it stays in
 that
  status.
  If I apply the map and clear OSPF process it flaps the whole time
  between
  EXSTART and DOWN:
 
  Are you using OSPFv3 authentication? In this case the first protocol
 in
  the packets is AH, and the next is OSPF. This doesn't fully explain
 what
  you're seeing, but is something to check.
 
  I have no clue for the other strangenesses you describe.
 
  Regards,
Bergonz
 
 
  --
  Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
  Phone:+39-051-6781926 e-mail: berg...@labs.it
  alt.advanced.networks.design.configure.operate
 






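Added example, not part of the thread: an IPv6 CoPP policy that classifies OSPFv3 explicitly instead of permitting all link-local traffic. It assumes an IOS box with MQC-style CoPP like the Sup720 discussed here; the ACL/class names and the police rates are placeholders. The points it encodes: OSPFv3 is IPv6 next header 89 (there is no port, it is not TCP/UDP) and is always sourced from a link-local address; hellos go to FF02::5 and DR/BDR traffic to FF02::6, but the database exchange in EXSTART/EXCHANGE is unicast between the neighbors' link-local addresses, which is why a class that only covers the multicast groups lets the adjacency form and then stall exactly where the thread shows it stalling. With OSPFv3 IPsec authentication enabled (Bergonzoni's point) the outer next header is AH (51) or ESP (50) instead of 89, so those get their own entries.

```cisco
! Added example: explicit OSPFv3 classification for IPv6 CoPP (names and rates are placeholders)
!
! OSPFv3 = IPv6 next header 89, always sourced from a link-local address.
! Hellos -> FF02::5, DR/BDR -> FF02::6, DBD/LSR/LSU/LSAck during EXSTART/EXCHANGE
! -> unicast to the neighbor's link-local address, so all three destinations are needed.
ipv6 access-list COPP-OSPFV3
 remark OSPFv3 multicast and unicast, link-local sources only
 permit 89 FE80::/10 host FF02::5
 permit 89 FE80::/10 host FF02::6
 permit 89 FE80::/10 FE80::/10
 remark with ipv6 ospf authentication/encryption ipsec the outer header is AH (51) or ESP (50)
 permit 51 FE80::/10 host FF02::5
 permit 51 FE80::/10 host FF02::6
 permit 51 FE80::/10 FE80::/10
 permit 50 FE80::/10 host FF02::5
 permit 50 FE80::/10 host FF02::6
 permit 50 FE80::/10 FE80::/10
!
! Everything else IPv6 that reaches the RP (ND, ICMPv6, management) is policed separately
ipv6 access-list COPP-IPV6-OTHER
 permit ipv6 any any
!
class-map match-all COPP-OSPFV3
 match access-group name COPP-OSPFV3
class-map match-all COPP-IPV6-OTHER
 match access-group name COPP-IPV6-OTHER
!
! OSPFv3 is counted but never dropped (exceed-action transmit); the other classes are dropped
! above their rate. Class order matters: OSPFv3 must be classified before the catch-all.
policy-map COPP
 class COPP-OSPFV3
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-IPV6-OTHER
  police 500000 conform-action transmit exceed-action drop
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Check with show policy-map control-plane input that the COPP-OSPFV3 class is the one counting packets while the adjacency forms, and with show ipv6 ospf neighbor that it reaches FULL. If the packets are counted in COPP-IPV6-OTHER or class-default instead, the ACL is not matching them, and the exceed-action drop in those classes is what keeps the neighbor bouncing between EXSTART and DOWN.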


[c-nsp] Display age of BGP routes in IOS

2013-04-23 Thread Rolf Hanßen
Hello,

is there a way to see the age of a BGP route learned from peer xyz in IOS?
sh ip route contains information for the last route change, but not
per peer.

I am looking for something like sh ip bg routes detail on a Brocade that
also lists the last change of a route for each peer advertising it to me.

kind regards
Rolf




Re: [c-nsp] Sup720 hanging after rommon starts loading IOS

2013-04-22 Thread Rolf Hanßen
Hello,

after 2 afternoons of trial and error I now got it running.
I replaced the memory modules (RP and SP RAM, not the flash) and could
boot from the 64MB flash modules then.

The CF card was still not accepted.
I needed to boot into some older image and format the CF card in disk0 of the
Sup720.
Then I needed to copy the files again via TFTP to CF, move the CF card to
the adapter and boot the image via rommon.

kind regards
Rolf

 Hello,

 I have an issue with a (refurbished) Sup720-2B. It does not load the IOS.
 Chassis is a 6509, also tried a 6509-E and tried slots 5 + 6 to make sure
 the chassis is ok.
 A few seconds after telling me it is loading the IOS, it hangs:
 
 System Bootstrap, Version 8.5(3)
 Copyright (c) 1994-2008 by cisco Systems, Inc.
 Cat6k-Sup720/SP processor with 524288 Kbytes of main memory

 Autoboot executing command: boot bootflash:
 Loading image, please wait ...


 

 All status LEDs are red from that point.
 I tried with 3 different 64GB Flash modules I had from some past upgrades.

 I at least see some images on those modules (and I am quite sure they
 worked when they were removed ;)), sample:
 rommon 4  dir bootflash:
  File size   Checksum   File name
   4996 bytes (0x2c814f4)  0x27786551
 s72033-pk9sv-mz.122-18.SXD7b.bin

 I think rommon recognizes that the image exists; if I enter a wrong
 filename I get an error message.

 Maybe I need to change another setting?

 rommon 1  set
 PS1=rommon ! 
 LOG_PREFIX_VERSION=1
 SLOTCACHE=cards;
 PF_REDUN_CRASH_COUNT=0
 RET_2_RTS=08:14:12 UTC Wed Mar 7 2012
 TYFIB_BLOCK_ALLOC=
 NT_K=0:0:0:0
 BSI=0
 RET_2_RCALTS=
 ACL_DENY=0
 RANDOM_NUM=1921496405
 ?=0
 BOOT=bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin,1


 boot -v shows some lines before freezing:

 boot: bootstring is: bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin
 ROM: set load_again: a00042e0 bfc2d1ac 80006c50 30409001
 Loading image, please wait ...

 loading section to address 0x80008000 from file position 0x16c, size is
 0x18000
 loading section to address 0x8002 from file position 0x1816c, size is
 0x34e0
 loading section to address 0x800234e0 from file position 0x1b64c, size is
 0x4c0

 loading section to address 0x8002 from file position 0x11c, size is
 0x8000
 loading section to address 0x80028000 from file position 0x811c, size is
 0xe00
 loading section to address 0x80028e00 from file position 0x8f1c, size is
 0x20
 loading section to address 0x80028e20 from file position 0x8f3c, size is
 0x2c78584

 The addresses change depending on the image/flash module.

 Any hint on how to get that card running IOS, or is this a hardware issue?

 It also does not read from a CF card (formatted and readable from a Sup2T,
 maybe that uses another format?) in rommon:

 rommon 2  dir disk0:
 monlib does not contain a valid magic number
 dir: cannot open device disk0:

 Same if I use disk1 or a CF to Flash-module adapter.

 kind regards
 Rolf







[c-nsp] Sup720 hanging after rommon starts loading IOS

2013-04-19 Thread Rolf Hanßen
Hello,

I have an issue with a (refurbished) Sup720-2B. It does not load the IOS.
Chassis is a 6509, also tried a 6509-E and tried slots 5 + 6 to make sure
the chassis is ok.
A few seconds after telling me it is loading the IOS, it hangs:

System Bootstrap, Version 8.5(3)
Copyright (c) 1994-2008 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 524288 Kbytes of main memory

Autoboot executing command: boot bootflash:
Loading image, please wait ...




All status LEDs are red from that point.
I tried with 3 different 64GB Flash modules I had from some past upgrades.

I at least see some images on those modules (and I am quite sure they
worked when they were removed ;)), sample:
rommon 4  dir bootflash:
 File size   Checksum   File name
  4996 bytes (0x2c814f4)  0x27786551
s72033-pk9sv-mz.122-18.SXD7b.bin

I think rommon recognizes that the image exists; if I enter a wrong
filename I get an error message.

Maybe I need to change another setting?

rommon 1  set
PS1=rommon ! 
LOG_PREFIX_VERSION=1
SLOTCACHE=cards;
PF_REDUN_CRASH_COUNT=0
RET_2_RTS=08:14:12 UTC Wed Mar 7 2012
TYFIB_BLOCK_ALLOC=
NT_K=0:0:0:0
BSI=0
RET_2_RCALTS=
ACL_DENY=0
RANDOM_NUM=1921496405
?=0
BOOT=bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin,1


boot -v shows some lines before freezing:

boot: bootstring is: bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin
ROM: set load_again: a00042e0 bfc2d1ac 80006c50 30409001
Loading image, please wait ...

loading section to address 0x80008000 from file position 0x16c, size is
0x18000
loading section to address 0x8002 from file position 0x1816c, size is
0x34e0
loading section to address 0x800234e0 from file position 0x1b64c, size is
0x4c0

loading section to address 0x8002 from file position 0x11c, size is
0x8000
loading section to address 0x80028000 from file position 0x811c, size is
0xe00
loading section to address 0x80028e00 from file position 0x8f1c, size is 0x20
loading section to address 0x80028e20 from file position 0x8f3c, size is
0x2c78584

The addresses change depending on the image/flash module.

Any hint on how to get that card running IOS, or is this a hardware issue?

It also does not read from a CF card (formatted and readable from a Sup2T,
maybe that uses another format?) in rommon:

rommon 2  dir disk0:
monlib does not contain a valid magic number
dir: cannot open device disk0:

Same if I use disk1 or a CF to Flash-module adapter.

kind regards
Rolf




[c-nsp] Question about SVI interface acl counters + way of working

2013-03-20 Thread Rolf Hanßen
Hello,

Just wanted to drop some UDP flooding with an interface ACL.
I configured:

interface Vlan1373
 ip access-group block-flood in
exit

Access-list is very simple:
edge1-ams3#sh ip access-lists block-flood
Extended IP access list block-flood
10 deny udp any host 1.2.3.4 (589878 matches)
20 permit ip any any (149516 matches)
edge1-ams3#

edge1-ams3#sh int  Vl1373 | inc  input rate
  30 second input rate 2772775000 bits/sec, 435403 packets/sec
edge1-ams3#

The interface has quite a high amount of pps, but the ACL hit count
increases only by less than 200/sec for both entries together.

Does that ACL not filter all traffic passing the interface, or why does the
delta of ACL hits not match the number of incoming pps?
Maybe it counts only packets going to the RP, or something is cached and
counts only every x packets?

Hardware is a Sup2T + WS-X6704-10GE, all traffic in that vlan is routed.

kind regards
Rolf



Re: [c-nsp] tcpdump-style debugging on 6500/7600

2013-03-17 Thread Rolf Hanßen
Hello,

I now see it works.
Not as nice as tcpdump, but at least something to work with. ;)

Thanks for your help
Rolf

 On Fri, 2013-03-15 at 14:20 +0100, Rolf Hanßen wrote:
 just tried out, all ends with:
 %SPAN-5-PKTCAP_STOP: Packet capture session 1 ended after the
 specified time, 0 packets captured

 edge1-dus1#sh monitor session 1 detail
 Session 1
 -
 Type   : Capture Session
 Description: -
 Source Ports   :
 RX Only: None
 TX Only: None
 Both   : None
 Source VLANs   :
 RX Only: None
 TX Only: None
 Both   : None

 You need to specify something to capture, just like for a normal SPAN
 session. Something like this:

 monitor session 2 type capture
  source vlan 120 both
  filter access-group span-test
 !

 or maybe:

 monitor session 2 type capture
  source interface GigabitEthernet1/1 rx
  filter access-group span-test
 !

 Source/Destination Ports/vlans means the interfaces that take part in
 the capturing or the interfaces used for exporting capture data (I am
 missing the any keyword here) ?

 It's the interface/VLAN from which you want to capture. Data isn't
 exported, it's stored locally.

 --
 Peter







Re: [c-nsp] DNS amplification

2013-03-17 Thread Rolf Hanßen
Hello,

is there some guide that covers the "this will go to the RP on Sup..." and
the "this will also affect ..." and "this is limited to xy
interfaces/vlans/routes" stuff?

We thought about implementing strict mode on some customer interfaces
(those special customers who always get attacked and sometimes take
revenge ;)) some time ago, but then saw that doc here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html

We stopped after reading those sentences (it even does not mention any
IPv6 limitations):
"The most recently configured mode is automatically applied to all ports
configured for unicast RPF check.
When you enter the ip verify unicast source reachable-via command, the
unicast RPF check mode changes on all ports in the switch."

If that is not just a bad/wrong explanation or a joke, what sense does uRPF
make if it cannot be enabled and configured for each interface
individually and, as a consequence of this, cannot be implemented without
possible service impact?

I am sure we are not the only ones who do not activate it because it may
cause more problems than it will solve.
btw, if there is a way to enable it for single (vlan) interfaces (up to a
few hundred) without any effect on other interfaces, please let me know.

kind regards
Rolf

 Hi,

 On Sat, Mar 16, 2013 at 03:59:25PM -0700, Laurent Geyer wrote:
 Curious, how does uRPF help under this scenario? Although the source
 address is spoofed, the target is stil valid destination address.

 uRPF helps everybody else - those of your customers with infected machines
 (and don't claim there aren't any) will not be able to initiate reflection
 attacks against other folks.

 gert,
   deploying uRPF since 10+ years it's really not that hard

 (PS: and yes, the fact that Sup720 can't do IPv6 uRPF in hardware stinks)
 --
 USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de


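Added example, not from the thread: strict-mode uRPF on selected customer SVIs of a 6500/7600, enabled per interface, with the limitations the posts mention kept in mind. The configuration-guide sentence quoted above means that enabling is per interface but the check mode (rx versus any) is one box-wide setting on this platform, so every interface that gets uRPF here uses strict mode, and nothing is enabled on the upstream port or on multihomed customers, where asymmetric return paths would make strict mode drop legitimate traffic. No ipv6 verify line is shown because, as Gert notes, the Sup720 does not do IPv6 uRPF in hardware. Vlan1373 and TenGigabitEthernet8/2 are interface names that appear elsewhere on this page; Vlan1253, the ACL number 150 and the 192.0.2.0/24 exception range are assumed.

```cisco
! Added example: per-interface strict uRPF on customer SVIs (Vlan1253, ACL 150 and the
! 192.0.2.0/24 range are assumptions, not from the thread)
!
! Sources that should pass even if the RPF check fails, e.g. a customer's second
! range that is routed to them via another box
access-list 150 permit ip 192.0.2.0 0.0.0.255 any
access-list 150 deny   ip any any
!
! Customer-facing SVIs: strict mode. A packet is forwarded only if the best route to
! its source address points back out this interface. allow-self-ping keeps the router
! able to ping its own SVI address for monitoring.
interface Vlan1373
 ip verify unicast source reachable-via rx allow-self-ping 150
!
interface Vlan1253
 ip verify unicast source reachable-via rx allow-self-ping 150
!
! Upstream/peering port and multihomed customers: deliberately no uRPF line.
! Strict mode would drop legitimate traffic on asymmetric paths, and a loose-mode
! (reachable-via any) line here would, per the quoted guide, flip the box-wide mode
! for the SVIs above as well.
interface TenGigabitEthernet8/2
 description upstream - no uRPF on purpose
!
! Checks:
!   show ip interface Vlan1373 | include verif
!     -> shows the configured mode, the exception ACL and the verification-drop counters
!   show access-lists 150
!     -> hits on the permit entry show which sources needed the exemption
```

Roll it out one customer SVI at a time and watch the verification-drop counter before moving on; a counter that climbs on a single-homed customer usually means their announced space is not what is routed to that interface, which is worth knowing in itself.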


Re: [c-nsp] tcpdump-style debugging on 6500/7600

2013-03-15 Thread Rolf Hanßen
Hello Peter,

just tried out, all ends with:
%SPAN-5-PKTCAP_STOP: Packet capture session 1 ended after the specified
time, 0 packets captured

edge1-dus1#sh monitor session 1 detail
Session 1
-
Type   : Capture Session
Description: -
Source Ports   :
RX Only: None
TX Only: None
Both   : None
Source VLANs   :
RX Only: None
TX Only: None
Both   : None
Source RSPAN VLAN  : None
Destination Ports  : None
Filter VLANs: None
Dest RSPAN VLAN: None
Source IP Address  : None
Source IP VRF  : None
Source ERSPAN ID   : None
Destination IP Address : None
Destination IP VRF : None
Destination ERSPAN ID  : None
Origin IP Address  : None
IP QOS PREC: 0
IP TTL : 255
Capture dst_cpu_id : 0
Capture vlan   : 1013
Capture buffer size: 2048 KB
Capture rate-limit
 value : 1
Capture filters:
 acl   : 25


Tried with these acls:

Standard IP access list 25
10 permit 1.2.3.4

Extended IP access list span-test
5 permit ip host 1.2.3.4 any
10 permit ip any host 1.2.3.4

Maybe some other values/settings are needed?
Do Source/Destination Ports/VLANs mean the interfaces that take part in the
capturing or the interfaces used for exporting capture data (I am missing
the any keyword here)?

kind regards
Rolf

 On Thu, 2013-03-14 at 17:38 +0100, Rolf Hanßen wrote:
 I saw there was already a discussion concerning that topic, but 5
 years old:
 http://www.gossamer-threads.com/lists/cisco/nsp/78543
 Is there maybe some new tcpdump-style debugging feature available to
 provide such functions beside the suggested debug ip packet?

 Take a look at monitor session N type capture.

 1) I like to view traffic on a certain physical interface or switched
 vlan. I would like to see all packets and not a specific protocol or
 IP range.
 As far as I see I cannot specify an interface in an ACL but the debug
 ip packet only allows ACLs for filtering as far as I see.

 SPAN capture can use an ACL.

 Switch(config)#monitor session 2 type capture
 Switch(config-mon-capture)#?
 Monitor sess type capture config commands:
   buffer-size  Capture buffer size
   description  Properties for this session
   exit Exit from capture session mode
   filter   Capture filter
   no   Negate a command or set its defaults
   rate-limit   Packets per second value
   source   SPAN source Interface/VLAN

 Switch(config-mon-capture)#filter ?
   access-group  Filter access-list (hardware based)
   ethertype Matching ethertype (software based)
   lengthMatching L2-packet length (software based)
   mac-address   Matching mac-address (software-based)
   vlan  Filter vlan (hardware based)

 2) I like to debug an IP connection and limit to a certain amount of
 packets (like show me the next 20 packets from/to host x.x.x.x).
 Can you tell me what bandwidth or pps I have to take into
 consideration to avoid overload ?

 This too:

 Switch#monitor capture start for ?
   1-4294967295  Seconds or number of packets

 To understand better what I do before typing it in on a 10G+ box:
 debug ip packet ... redirects the packets to the management CPU, and
 filtering with an ACL means only packets matching the ACL are
 forwarded to the CPU; everything else is handled by the DFC/CFC+PFC only
 like usual.
 Correct?

 I don't think that's the case for debug ip packet but it is for SPAN
 capture; it's hardware filtering for ACLs.

 I'm looking for a way that works without exporting stuff to another box
 and low risk of overloading the CPU (live environment).

 The captured traffic is handled by the processor, but only after
 filtering from the session if using ACLs.

 Hardware in my case are several Sup720-3B, Sup720-3BXL or Sup2T with
 67xx linecards.
 If there are special software revisions needed, please let me know.

 It seems that SPAN capture isn't available in SXF but is in SXI. It
 probably also is in SXH.

 Maybe certain older HW releases can't do SPAN capture but at least
 revision 4.0 and newer (2004/2005-ish) seem to support it.

 --
 Peter





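Added example, not from the thread: the pieces from Peter's replies assembled into one working capture on a Sup720/Sup2T running SXI or later, the way the "next 20 packets from/to host x.x.x.x" case above would be done. Host 1.2.3.4 is the placeholder the thread already uses; VLAN 1373, session number 2 and the export file name are assumed. The ACL filter is evaluated in hardware, so only matching frames are copied to the RP, and rate-limit caps that copy rate; together they are what make this safe on a loaded box, unlike debug ip packet.

```cisco
! Added example: bounded, ACL-filtered packet capture on a 6500/7600
! (VLAN 1373, session 2 and the file name are assumptions)
!
! Filter: only traffic to/from the host of interest is copied to the capture buffer
ip access-list extended span-test
 permit ip host 1.2.3.4 any
 permit ip any host 1.2.3.4
!
! Capture session. A source is mandatory: a session without one ends with
! "0 packets captured", as shown earlier in the thread.
monitor session 2 type capture
 description capture to/from 1.2.3.4 on vlan 1373
 source vlan 1373 both
 filter access-group span-test
 buffer-size 2048
 rate-limit 1000
!
end
!
! Capture the next 20 matching packets, then the session stops by itself
monitor capture start for 20 packets
!
! Look at the result on the box or export it for Wireshark
show monitor capture buffer detail
monitor capture export buffer disk0:span-test.pcap
!
! Remove the session afterwards so the TCAM entries and the capture VLAN are released
configure terminal
 no monitor session 2
 end
```

The "for 20 packets" form makes the capture self-terminating, which is preferable to a manual stop on a live box; the help output quoted above shows that a time limit in seconds is the other option. The buffer-size value is in KB and rate-limit in packets per second, matching the fields in the show monitor session output earlier in the thread.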


[c-nsp] tcpdump-style debugging on 6500/7600

2013-03-14 Thread Rolf Hanßen
Hi,

I saw there was already a discussion concerning that topic, but 5 years old:
http://www.gossamer-threads.com/lists/cisco/nsp/78543
Is there maybe some new tcpdump-style debugging feature available to
provide such functions beside the suggested debug ip packet?

I am looking for such situations:

1) I would like to view traffic on a certain physical interface or switched
VLAN. I would like to see all packets and not a specific protocol or IP
range.
As far as I see I cannot specify an interface in an ACL, but debug ip
packet only allows ACLs for filtering.

2) I would like to debug an IP connection and limit it to a certain number of
packets (like "show me the next 20 packets from/to host x.x.x.x").
Can you tell me what bandwidth or pps I have to take into consideration to
avoid overload?

To understand better what I do before typing it in on a 10G+ box:
debug ip packet ... redirects the packets to the management CPU, and
filtering with an ACL means only packets matching the ACL are
forwarded to the CPU; everything else is handled by the DFC/CFC+PFC only
like usual.
Correct?

I'm looking for a way that works without exporting stuff to another box and
low risk of overloading the CPU (live environment).
Hardware in my case are several Sup720-3B, Sup720-3BXL or Sup2T with 67xx
linecards.
If there are special software revisions needed, please let me know.

kind regards
Rolf Hanßen



Re: [c-nsp] timezone setting in networking gear; local, HQ, or UTC?

2013-03-14 Thread Rolf Hanßen
Hi,

we try to use UTC as far as possible (to avoid summer/winter time
confusion), no big problem imho.
But that's the POV of a European, we just need to add 1 or 2 hours, not
subtract 6-9. ;)

kind regards
Rolf

 my company is east-coast US, but now we're expanding West; for the first
 time we'll have routers/switches/etc in a different time zone.

 How does everyone else handle time zone settings on a network that spans
 multiple time zones? We've discussed internally about the pros/cons of
 setting them to their local timezone, or to match the timezone of HQ, or
 to
 just set everything as UTC.

 --
 deny ip any any (4393649193 matches)





Re: [c-nsp] STP active/listed on wrong port

2013-03-13 Thread Rolf Hanßen
Hello,

maybe just a bug I found; shutting down the port and re-enabling it
solves it:

edge1-dus3#sh spanning-tree

No spanning tree instance exists.

edge1-dus3#

kind regards
Rolf


 Hello,

 I would also guess something in that direction if it was
 general/reproducible behaviour, but why does that happen only on this port?
 I have lots of ports with similar config (mode trunk, everything tagged)
 on several boxes and this is the only one listed in show spanning-tree.

 Config samples:

 interface GigabitEthernet7/2
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 666,1153
  switchport mode trunk
  load-interval 30
 end

 interface GigabitEthernet7/16
  description custsw2-dus1 A16
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1253,1606
  switchport mode trunk
  mtu 9216
  load-interval 30
 end

 interface TenGigabitEthernet8/2
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1122,1142,1293,1421,1429,1476,3404,3405
  switchport trunk allowed vlan add 3408-3410
  switchport mode trunk
  mtu 9216
  load-interval 30
 end

 Only 7/16 is listed and there is nothing on the config beside the above as
 far as I see:

 edge1-dus3#sh running-config | inc 7/16
 interface GigabitEthernet7/16
 edge1-dus3#

 kind regards
 Rolf

 You're using 802.1q, which uses an untagged native VLAN for things like
 STP
 BPDUs, CDP, VTP, etc ,etc.  Even though you pruned off VLAN 1 via the
 allowed VLANs command, the native VLAN will still be used for
 switch-generated protocols like those listed above.  Only
 transit-traffic
 is
 denied by pruning.  If you change the native VLAN to something other
 than
 one (do it on both sides, or wacky/painful things can happen), you
 should
 see VLAN 1 no longer on that port.

 Chuck

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
 Sent: Tuesday, March 12, 2013 1:34 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] STP active/listed on wrong port

 Hello list,

 do you have an explanation why STP thinks Gi7/16 belongs to vlan 1 ?

 edge1-dus3#sh spanning-tree

 VLAN0001
   Spanning tree enabled protocol ieee
   Root IDPriority32769
  Address 5475.d0a6.75c0
  This bridge is the root
  Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

   Bridge ID  Priority32769  (priority 32768 sys-id-ext 1)
  Address 5475.d0a6.75c0
  Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Aging Time 300

 Interface   Role Sts Cost  Prio.Nbr Type
 ---  --- - 
 
 Gi7/16  Desg FWD 4 128.1552 P2p


 Interface Config:
 interface GigabitEthernet7/16
  description custsw2-dus1 A16
  switchport
  switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1253,1606
   switchport mode trunk
   mtu 9216
   load-interval 30
  end

 STP is disabled on all other vlans:
 no spanning-tree vlan 2-4000

 Gi7/16 is not listed here:

 edge1-dus3#sh vlan id 1

 VLAN Name StatusPorts
   -
 ---
 1default  activeGi1/5, Gi1/8, Gi1/13,
 Gi1/25, Gi1/27, Gi1/48, Te4/1, Gi6/1, Gi7/1, Gi7/3, Gi7/4, Gi7/5, Gi7/6,
 Gi7/7, Gi7/8, Gi7/9, Gi7/10, Gi7/11, Gi7/12, Gi7/13, Gi7/14, Gi7/15,
 Gi7/17,
 Gi7/18, Gi7/19
 Gi7/20, Gi7/21, Gi7/22,
 Gi7/23, Gi7/24

 VLAN Type  SAID   MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1
 Trans2
  - -- - -- --    --
 --
 1enet  11 1500  -  -  ---0
 0

 Remote SPAN VLAN
 
 Disabled

 Primary Secondary Type  Ports
 --- - -
 --


 Port is up and works fine:

 edge1-dus3#sh int Gi7/16
 GigabitEthernet7/16 is up, line protocol is up (connected)
   Hardware is C6k 1000Mb 802.3, address is 001d.a246.3743 (bia
 001d.a246.3743)
   Description: custsw2-dus1 A16
   MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
  reliability 255/255, txload 6/255, rxload 6/255
   Encapsulation ARPA, loopback not set
   Keepalive set (10 sec)
   Full-duplex, 1000Mb/s, media type is LX
   input flow-control is off, output flow-control is off
   Clock mode is auto
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:00, output never, output hang never
   Last clearing of show interface counters never
   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops:
 0
   Queueing strategy: fifo
   Output queue: 0/40 (size/max)
   30 second input rate 27117000 bits/sec, 3517 packets/sec
   30 second output rate 24383000 bits/sec, 2860 packets/sec

[c-nsp] STP active/listed on wrong port

2013-03-12 Thread Rolf Hanßen
Hello list,

do you have an explanation why STP thinks Gi7/16 belongs to vlan 1 ?

edge1-dus3#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root IDPriority32769
 Address 5475.d0a6.75c0
 This bridge is the root
 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority32769  (priority 32768 sys-id-ext 1)
 Address 5475.d0a6.75c0
 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
 Aging Time 300

Interface   Role Sts Cost  Prio.Nbr Type
---  --- - 

Gi7/16  Desg FWD 4 128.1552 P2p


Interface Config:
interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

STP is disabled on all other vlans:
no spanning-tree vlan 2-4000

Gi7/16 is not listed here:

edge1-dus3#sh vlan id 1

VLAN Name StatusPorts
  -
---
1default  activeGi1/5, Gi1/8, Gi1/13,
Gi1/25, Gi1/27, Gi1/48, Te4/1, Gi6/1, Gi7/1, Gi7/3, Gi7/4, Gi7/5, Gi7/6,
Gi7/7, Gi7/8, Gi7/9, Gi7/10, Gi7/11, Gi7/12, Gi7/13, Gi7/14, Gi7/15,
Gi7/17, Gi7/18, Gi7/19
Gi7/20, Gi7/21, Gi7/22,
Gi7/23, Gi7/24

VLAN Type  SAID   MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1
Trans2
 - -- - -- --    --
--
1enet  11 1500  -  -  ---0  0

Remote SPAN VLAN

Disabled

Primary Secondary Type  Ports
--- - -
--


Port is up and works fine:

edge1-dus3#sh int Gi7/16
GigabitEthernet7/16 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001d.a246.3743 (bia
001d.a246.3743)
  Description: custsw2-dus1 A16
  MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
 reliability 255/255, txload 6/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 27117000 bits/sec, 3517 packets/sec
  30 second output rate 24383000 bits/sec, 2860 packets/sec
 32078138057 packets input, 32998390284372 bytes, 0 no buffer
 Received 524965 broadcasts (173874 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 0 multicast, 0 pause input
 0 input packets with dribble condition detected
 13839785752 packets output, 9991981200426 bytes, 0 underruns
 0 output errors, 0 collisions, 3 interface resets
 0 unknown protocol drops
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out


edge1-dus3#sh version
Cisco IOS Software, c7600s72033_rp Software
(c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE
(fc1)

Hardware is Cisco 7609-S, Sup720-3BXL, Slot 7 is a WS-X6724-SFP

kind regards
Rolf Hanßen



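Added example, not from the thread: the native-VLAN change Chuck suggests in his reply, applied to the Gi7/16 configuration posted above, with the checks that show whether it took effect. VLAN 999 is a placeholder for an otherwise unused VLAN; the rest of the interface configuration is the one from the post. The native VLAN is the VLAN an 802.1Q trunk uses for untagged frames, so moving it off VLAN 1 and tagging it means an untagged frame arriving on the trunk no longer lands in VLAN 1, and the switch's own untagged control traffic no longer ties the port to VLAN 1 either. Both ends of the trunk have to be changed together, as Chuck notes.

```cisco
! Added example: untagged native VLAN moved off VLAN 1 (VLAN 999 is a placeholder)
!
! An unused VLAN that carries no user traffic and has no SVI
vlan 999
 name NATIVE-UNUSED
!
! Global on 6500/7600: frames on the native VLAN are sent tagged as well, so the
! trunk no longer carries untagged traffic of its own
vlan dot1q tag native
!
interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
!
! Checks (run on both ends of the trunk):
!   show interfaces GigabitEthernet7/16 trunk      -> native VLAN column shows 999
!   show vlan dot1q tag native                     -> native VLAN tagging enabled
!   show spanning-tree interface GigabitEthernet7/16
!     -> the port should no longer appear under VLAN0001; with
!        "no spanning-tree vlan 2-4000" still configured there is no instance for 999 either
```

Because CDP reports a native VLAN mismatch when the two ends disagree, change the far switch (custsw2-dus1 in the description) in the same window, or expect the mismatch message and a short period in which untagged frames are interpreted differently on each side.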


Re: [c-nsp] STP active/listed on wrong port

2013-03-12 Thread Rolf Hanßen
Hello,

I would also guess something in that direction if it was
general/reproducible behaviour, but why does that happen only on this port?
I have lots of ports with similar config (mode trunk, everything tagged)
on several boxes and this is the only one listed in show spanning-tree.

Config samples:

interface GigabitEthernet7/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,1153
 switchport mode trunk
 load-interval 30
end

interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

interface TenGigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1122,1142,1293,1421,1429,1476,3404,3405
 switchport trunk allowed vlan add 3408-3410
 switchport mode trunk
 mtu 9216
 load-interval 30
end

Only 7/16 is listed and there is nothing on the config beside the above as
far as I see:

edge1-dus3#sh running-config | inc 7/16
interface GigabitEthernet7/16
edge1-dus3#

kind regards
Rolf

 You're using 802.1q, which uses an untagged native VLAN for things like
 STP
 BPDUs, CDP, VTP, etc ,etc.  Even though you pruned off VLAN 1 via the
 allowed VLANs command, the native VLAN will still be used for
 switch-generated protocols like those listed above.  Only transit-traffic
 is
 denied by pruning.  If you change the native VLAN to something other than
 one (do it on both sides, or wacky/painful things can happen), you should
 see VLAN 1 no longer on that port.

 Chuck

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
 Sent: Tuesday, March 12, 2013 1:34 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] STP active/listed on wrong port

 Hello list,

 do you have an explanation why STP thinks Gi7/16 belongs to vlan 1 ?

 edge1-dus3#sh spanning-tree

 VLAN0001
   Spanning tree enabled protocol ieee
   Root IDPriority32769
  Address 5475.d0a6.75c0
  This bridge is the root
  Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

   Bridge ID  Priority32769  (priority 32768 sys-id-ext 1)
  Address 5475.d0a6.75c0
  Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Aging Time 300

 Interface   Role Sts Cost  Prio.Nbr Type
 ---  --- - 
 
 Gi7/16  Desg FWD 4 128.1552 P2p


 Interface Config:
 interface GigabitEthernet7/16
  description custsw2-dus1 A16
  switchport
  switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1253,1606
   switchport mode trunk
   mtu 9216
   load-interval 30
  end

 STP is disabled on all other vlans:
 no spanning-tree vlan 2-4000

 Gi7/16 is not listed here:

 edge1-dus3#sh vlan id 1

 VLAN Name StatusPorts
   -
 ---
 1default  activeGi1/5, Gi1/8, Gi1/13,
 Gi1/25, Gi1/27, Gi1/48, Te4/1, Gi6/1, Gi7/1, Gi7/3, Gi7/4, Gi7/5, Gi7/6,
 Gi7/7, Gi7/8, Gi7/9, Gi7/10, Gi7/11, Gi7/12, Gi7/13, Gi7/14, Gi7/15,
 Gi7/17,
 Gi7/18, Gi7/19
 Gi7/20, Gi7/21, Gi7/22,
 Gi7/23, Gi7/24

 VLAN Type  SAID   MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1
 Trans2
  - -- - -- --    --
 --
 1enet  11 1500  -  -  ---0  0

 Remote SPAN VLAN
 
 Disabled

 Primary Secondary Type  Ports
 --- - -
 --


 Port is up and works fine:

 edge1-dus3#sh int Gi7/16
 GigabitEthernet7/16 is up, line protocol is up (connected)
   Hardware is C6k 1000Mb 802.3, address is 001d.a246.3743 (bia
 001d.a246.3743)
   Description: custsw2-dus1 A16
   MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
  reliability 255/255, txload 6/255, rxload 6/255
   Encapsulation ARPA, loopback not set
   Keepalive set (10 sec)
   Full-duplex, 1000Mb/s, media type is LX
   input flow-control is off, output flow-control is off
   Clock mode is auto
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:00, output never, output hang never
   Last clearing of show interface counters never
   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
   Queueing strategy: fifo
   Output queue: 0/40 (size/max)
   30 second input rate 27117000 bits/sec, 3517 packets/sec
   30 second output rate 24383000 bits/sec, 2860 packets/sec
  32078138057 packets input, 32998390284372 bytes, 0 no buffer
  Received 524965 broadcasts (173874 multicasts)
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0

Re: [c-nsp] STP active/listed on wrong port

2013-03-12 Thread Rolf Hanßen
Hello,

shouldn't be a too-old-software issue. ;)

edge1-dus3#show version
Cisco IOS Software, c7600s72033_rp Software
(c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE
(fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 25-Mar-11 17:24 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600s72033_rp Software
(c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE
(fc1)

edge1-dus3 uptime is 26 weeks, 4 days, 8 hours, 31 minutes
Uptime for this control processor is 26 weeks, 4 days, 8 hours, 2 minutes
System returned to ROM by s/w reset at 13:05:04 UTC Fri Sep 7 2012 (SP by
bus error at PC 0x4048AF74, address 0x0)
System restarted at 13:52:05 UTC Fri Sep 7 2012
System image file is
sup-bootflash:c7600s72033-advipservicesk9-mz.151-2.S.bin
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found
at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
exp...@cisco.com.

cisco CISCO7609-S (R7000) processor (revision 1.0) with 983008K/65536K
bytes of memory.
Processor board ID FOX1428GMLV
SR71000 CPU at 600MHz, Implementation 1284, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
37 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
16 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

edge1-dus3#

 Hi,

 On Tue, Mar 12, 2013 at 06:34:14PM +0100, Rolf Hanßen wrote:
 do you have an explanation why STP thinks Gi7/16 belongs to vlan 1 ?

 Some of the more stupid catalysts will always have vlan 1 on all trunks,
 and you can't remove it.

 Corollary: don't use vlan 1 for anything interesting in your network.

 Hardware is Cisco 7609-S, Sup720-3BXL, Slot 7 is a WS-X6724-SFP

 Now *that* is actually more interesting, because 6500/7600 can do that
 just fine, that is, not have vlan 1 on trunks.

 What IOS version is that?

 gert
 --
 USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] MPLS Tutorial or Guide?

2012-10-24 Thread Rolf Hanßen
Hello list,

is there any book you can recommend ?
I am also interested in the VPN/transport feature mainly and want to run
it on a C6500/Brocade mixed network.

I see "MPLS and VPN Architectures" widely available, but I'm wondering, since
it was already released in the year 2000, which sounds a bit outdated to me
(I don't know if something important changed during the last years).

English or German is fine.

kind regards
Rolf

 Seth,

 You could try the Configuration Guides...

 MPLS Config Guide Home:
 http://www.cisco.com/en/US/partner/docs/ios-xml/ios/mpls/config_library/15-1mt/mp-15-1mt-library.html

 General MPLS:
 http://www.cisco.com/en/US/partner/docs/ios-xml/ios/mp_basic/configuration/15-1mt/mp-mpls-overview.html

 Layer 2 VPN (as you mentioned xconnects)
 http://www.cisco.com/en/US/partner/docs/ios-xml/ios/mp_l2_vpns/configuration/15-1mt/mp-l2-vpns-15-1mt-book.html


 I would still recommend reading the book... At least the basic stuff. You
 may turn it on, but things would seem weird if you do not really
 understand what's going on in the background...

 Arie


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
 Sent: Monday, September 17, 2012 10:47
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] MPLS Tutorial or Guide?

 Does anyone have a good intro or beginner's guide to MPLS that they like?
 Something succinct and focused that's not a 500 page my-first-Cisco book.
 The situation I'm thinking is putting someone in front of some routers and
 switches in a lab setting and saying take these and set them up to do
 MPLS and create some xconnects for simulated customers with the
 assumption that they already have Cisco experience and can build a
 non-MPLS network, but who is new to MPLS alone.

 ~Seth






[c-nsp] Getting Source MAC of sh buffers output

2012-07-30 Thread Rolf Hanßen
Hello,

I think we got a flooding with ARP packets towards a SUP720-3B, I saw that
here with sh buffers input-interface vlan xy header:

Buffer information for Small buffer at 0x4634BF8C
  data_area 0x802E5E4, refcount 1, next 0x4639A6A0, flags 0x200
  linktype 1 (ARP), enctype 1 (ARPA), encsize 14, rxtype 45
  if_input 0x48C6BA10 (Vlan1050), if_output 0x0 (None)
  inputtime 19w1d (elapsed 00:09:25.372)
  outputtime 19w1d (elapsed 00:33:13.308), oqnumber 65535
  datagramstart 0x802E65A, datagramsize 60, maximum size 308
  mac_start 0x802E65A, addr_start 0x802E65A, info_start 0x0
  network_start 0x802E668, transport_start 0x802E67C, caller_pc 0x41DC7428


Buffer information for Small buffer at 0x4634D4A4
  data_area 0x802F664, refcount 1, next 0x4639BBB8, flags 0x200
  linktype 1 (ARP), enctype 1 (ARPA), encsize 14, rxtype 45
  if_input 0x48C6BA10 (Vlan1050), if_output 0x0 (None)
  inputtime 19w1d (elapsed 00:09:08.472)
  outputtime 19w0d (elapsed 1d15h), oqnumber 65535
  datagramstart 0x802F6DA, datagramsize 60, maximum size 308
  mac_start 0x802F6DA, addr_start 0x802F6DA, info_start 0x0
  network_start 0x802F6E8, transport_start 0x802F6FC, caller_pc 0x41DC7428

Is there a way to find out the MAC-address those packets are coming from ?
None of the numbers looks like a MAC to me.

kind regards
Rolf

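As an added example (not from the original post and not Cisco code), the following Python recovers the Ethernet source MAC, and for ARP the sender MAC/IP, from a hex dump of such a buffer. It assumes the raw bytes are obtained with a "dump" variant of the same show buffers command, that dump lines look like "<addr>: <hex words>  <ascii>" with 16 bytes per line, and that the dump starts at mac_start; the sample dump, MACs and IPs are constructed.

```python
import re
import struct
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of one 60-byte ARP request as a 'show buffers ... dump'
# style hex dump (not real captured data). The address column starts at the
# mac_start value quoted in the post; MACs/IPs are documentation values.
SAMPLE_DUMP = """\
0802E65A: FFFFFFFF FFFF0200 00AABBCC 08060001  ............
0802E66A: 08000604 00010200 00AABBCC C0000201  ............
0802E67A: 00000000 0000C000 02020000 00000000  ............
0802E68A: 00000000 00000000 00000000           ............
"""

HEX_WORD = re.compile(r"[0-9A-Fa-f]{2,8}")
WORDS_PER_LINE = 4          # assumed layout: 4 words x 4 bytes = 16 bytes per line
ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from '<addr>: <hex words>  <ascii>' dump lines.

    Only the first WORDS_PER_LINE even-length hex words after the colon are
    taken, so the trailing ASCII column can never be mistaken for data.
    """
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue                      # blank line or command echo
        _, rest = line.split(":", 1)
        words: List[str] = []
        for tok in rest.split():
            if len(words) == WORDS_PER_LINE or not HEX_WORD.fullmatch(tok) or len(tok) % 2:
                break                     # ASCII column (or garbage) starts here
            words.append(tok)
        raw += bytes.fromhex("".join(words))
    return bytes(raw)


def cisco_mac(raw: bytes) -> str:
    """Format six bytes the way IOS prints MACs (e.g. 001d.a246.3743)."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet header and, for ARP, the sender/target fields."""
    if len(frame) < 14:
        raise ValueError("buffer shorter than an Ethernet header")
    ethertype = int.from_bytes(frame[12:14], "big")
    info: Dict[str, object] = {
        "eth_dst": cisco_mac(frame[0:6]),
        "eth_src": cisco_mac(frame[6:12]),   # what the MAC address table learned from
        "ethertype": ethertype,
    }
    if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
        _htype, _ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
        if hlen == 6 and plen == 4:          # Ethernet/IPv4 ARP only
            info["arp_op"] = ARP_OPCODES.get(oper, str(oper))
            info["arp_sender_mac"] = cisco_mac(frame[22:28])
            info["arp_sender_ip"] = ".".join(str(b) for b in frame[28:32])
            info["arp_target_ip"] = ".".join(str(b) for b in frame[38:42])
            # A sender MAC that differs from the frame source hints that the
            # ARP payload is forged; use eth_src for the MAC address table lookup.
            info["arp_sender_matches_eth_src"] = info["arp_sender_mac"] == info["eth_src"]
    return info


def top_sources(dumps: Iterable[str]) -> Counter:
    """Count Ethernet source MACs over several dumped buffers to spot the host
    behind a flood; the top entry is what to look up in the MAC address table."""
    counts: Counter = Counter()
    for dump in dumps:
        counts[parse_frame(dump_to_bytes(dump))["eth_src"]] += 1
    return counts


if __name__ == "__main__":
    frame_info = parse_frame(dump_to_bytes(SAMPLE_DUMP))
    for key, value in frame_info.items():
        print(f"{key:28} {value}")
    print(top_sources([SAMPLE_DUMP]).most_common(3))
```

Once the MAC is known, the port it was learned on follows from the switch's MAC address table (show mac address-table address <mac> on this platform).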


[c-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour

2012-04-19 Thread Rolf Hanßen
Hello,

this week we had an attack directly against one of our XMRs (UDP packets to
a transfer network IP).
I was looking for a CoPP equivalent and found the IP Receive ACLs feature.

In the sample case where I block all UDP and allow everything else I would
use this config according to the manual:

access-list 101 remark BLOCK_UDP
access-list 101 deny udp any any

access-list 102 remark ALLOW_ANYTHING_ELSE
access-list 102 permit ip any any

ip receive access-list 101 sequence 5
ip receive access-list 102 sequence 10

The manual says that the default policy is "deny ip any any" (applied after
the last rule).
I am wondering what exactly is matched by "ip" because other protocols are
not mentioned.
Is "ip" an equivalent for "ipv4" or more some kind of "any" in an extended
access list ?
Does the above config work or do I need a standard access list like
"access-list 50 permit any" at the end ?

Does anybody maybe already have a known-to-work config for run-of-the-mill
(0815) usage (BGP, OSPF, VRRP) ?

kind regards
Rolf



Re: [c-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour

2012-04-19 Thread Rolf Hanßen
Sorry, wrong list, should go to foundry-nsp ;)

 Hello,

 this week we had an attack directly against one of our XMRs (UDP packets to
 a transfer network IP).
 I was looking for a CoPP equivalent and found the IP Receive ACLs
 feature.

 In the sample case where I block all UDP and allow everything else I would
 use this config according to the manual:

 access-list 101 remark BLOCK_UDP
 access-list 101 deny udp any any

 access-list 102 remark ALLOW_ANYTHING_ELSE
 access-list 102 permit ip any any

 ip receive access-list 101 sequence 5
 ip receive access-list 102 sequence 10

 The manual says that the default policy is "deny ip any any" (applied after
 the last rule).
 I am wondering what exactly is matched by "ip" because other protocols are
 not mentioned.
 Is "ip" an equivalent for "ipv4" or more some kind of "any" in an extended
 access list ?
 Does the above config work or do I need a standard access list like
 "access-list 50 permit any" at the end ?

 Does anybody maybe already have a known-to-work config for run-of-the-mill
 (0815) usage (BGP, OSPF, VRRP) ?

 kind regards
 Rolf






Re: [c-nsp] replacing CARP with Cisco possible ?

2012-03-02 Thread Rolf Hanßen
Hi,

any idea how other providers offer such redundancy to end customers (if
they do at all) ?
We have a mass of customers with /29 or /28 networks and losing IPs isn't
an option in such cases imo.
Using bigger networks would require giving up VLAN separation per
customer, no option either.

regards
Rolf

 On Thu, 2012-03-01 at 16:30 +0100, Rolf Hanßen wrote:
 Is there a way to configure virtual IPs that do not belong to the
 hard-coded network (ip address x.x.x.x y.y.y.y) of the interface ?
 I see that it is possible to configure other IPs, but this results in a
 warning and there is no possibility to set the netmask at all.

 I was wondering the same some years ago. Take a look at this thread:

 http://puck.nether.net/pipermail/cisco-nsp/2007-November/045409.html

 We never got it to work. ARP requests are sourced from the real address,
 and you cannot add a connected static route for a VRF enabled
 interface, i.e. ip route vrf A 192.168.1.0 255.255.255.0 Vlan50 fails.

 Also keep in mind that TTL exceeded replies (traceroute) would source
 from the real interface address.

 Is there a possibility to have static routes that are only active if the
 node has enabled the virtual IP ?

 This in itself would be possible with an EEM script that follows the
 HSRP log messages and adjusts the configuration. It would trigger a
 configuration change, so Rancid or whatever you might use would log a
 change every time the HSRP state changes.

 Is there anything else to take care of ?
 Any limitations except the 4096 HSRP-IDs ?

 That's 256 for HSRPv1 by the way.

 --
 Peter







[c-nsp] replacing CARP with Cisco possible ?

2012-03-01 Thread Rolf Hanßen
Hello,

we have a few setups that do gateway failover with Linux + CARP and are
thinking about whether we can replace them with HSRP (or VRRP).

The CARP setups are configured this way now:
-a small non-public network (something like 192.168.0.0/30) is configured
on the interfaces and used to run CARP to avoid wasting public IPs.
-public IPs and static routes are enabled/disabled with the
up/down scripts (ip addr add/del x.x.x.x/y dev ethX, ip route add/del ...)

Looking into the config syntax I'm wondering if this setup can be done at
all with VRRP/HSRP.
Is there a way to configure virtual IPs that do not belong to the
hard-coded network (ip address x.x.x.x y.y.y.y) of the interface ?
I see that it is possible to configure other IPs, but this results in a
warning and there is no possibility to set the netmask at all.

Is there a possibility to have static routes that are only active if the
node has enabled the virtual IP ?

Is there anything else to take care of ?
Any limitations except the 4096 HSRP-IDs ?
We will be using SUP720-3B with 6548, 6748 and 6704 LCs, no DFCs.
All Layer 3 stuff is configured inside VLAN interfaces, all physical
interfaces are configured as switchports.

kind regards
Rolf



Re: [c-nsp] Recommendation for small GBit router

2011-12-17 Thread Rolf Hanßen
Hi,

ok, nevertheless, what can I expect from these 4 processors / platforms ?
As far as I found, NPE-G1 / NPE-G2 will have SW updates till 2013/2015.

What throughput can a bigger/newer platform like Sup32/ASR provide with
netflow ?

kind regards
Rolf

 Hi,

 On Fri, Dec 16, 2011 at 03:37:59PM +0100, Rolf Hanßen wrote:
 What about a NSE-100 ? Looks cheap on Ebay.

 There's a reason for that.  End-of-life, and abandoned architecture (PXF).

 gert


 --
 USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de


On 16.12.2011 15:37, Rolf Hanßen wrote:
 Hello,

 2nd hand is no problem, I did not think about new stuff at all.

 What about a NSE-100 ? Looks cheap on Ebay.
 Docs say 3.5 Mpps (PXF); 450 kpps (RP). Is IPv6 forwarded in hardware or
 via RP on NSE ?

 Concerning Netflow on NSE-100/NSE-150/NPE-G1/NPE-G2 cards:
 What traffic amount is realistic ? Is the limitation factor bandwidth or
 pps ?
 What happens beyond the point it can handle to send the Netflow data
 properly ? Does that affect Netflow only (for example it sends incomplete
 data or switches to a sampling mode to reduce load) or will packet
 forwarding also be affected ?

 I'm just looking for high pps capability for flooding scenarios only.
 If just accounting loses some data in such cases it is not a big issue.

 Anything else to take care of ?

 Concerning other/software based solutions:
 I prefer some box that can exchange the existing one without much time
 effort for testing/preparing/configuring.

 regards
 Rolf



Re: [c-nsp] Recommendation for small GBit router

2011-12-16 Thread Rolf Hanßen
Hello,

2nd hand is no problem, I did not think about new stuff at all.

What about a NSE-100 ? Looks cheap on Ebay.
Docs say 3.5 Mpps (PXF); 450 kpps (RP). Is IPv6 forwarded in hardware or
via RP on NSE ?

Concerning Netflow on NSE-100/NSE-150/NPE-G1/NPE-G2 cards:
What traffic amount is realistic ? Is the limitation factor bandwidth or
pps ?
What happens beyond the point it can handle to send the Netflow data
properly ? Does that affect Netflow only (for example it sends incomplete
data or switches to a sampling mode to reduce load) or will packet
forwarding also be affected ?

I'm just looking for high pps capability for flooding scenarios only.
If just accounting loses some data in such cases it is not a big issue.

Anything else to take care of ?

Concerning other/software based solutions:
I prefer some box that can exchange the existing one without much time
effort for testing/preparing/configuring.

regards
Rolf

 On 16 December 2011 10:53, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 12/16/2011 01:09 AM, Rolf Hanßen wrote:

 Hi Andrew,

 just pure forwarding of a few public networks towards each other and
 internet with default route.
 No tunnels, no NAT, no DHCP, no VPN or something similar.
 Concerning "relatively cheap": I'm searching for below 3000 Euro
 absolutely. ;)


 You'll get nothing in the Cisco range with that feature set for that
 price
 unless you go 2nd hand, IMO.

 Netflow at the same time as 1Gbit/sec is the killer - platforms that do
 both are €lots.

 At this level of performance, consider whether a network tap  linux
 machine with one of the software flow capture engines would be an
 alternative - then buy a low-end 3x50 catalyst, which will easily
 perform
 and do IPv6.

 Or tolerate 1Gbit/sec and buy one of the ISRs.



 ASR1001 would be my recommendation or there is a service module for the
 Cat 3560X switch that adds netflow capability.

 ASR1001 MSRP $17k + $5k for IP BASE licence

 WS-C3560X-24T-S MSRP $4,300 + $3,750 for C3KX-SM-10G service module + $500
 for dual PSU

 neither of these options is close to the €3k target, and neither is
 readily
 available used.

 Up until recently Cisco had few low-end router platforms that could shift
 1Gbps - only the 7304 NSE-150 or 7200 NPE-G2.  Both are available used -
 I'd recommend the G2 above the NSE.

 The Cat switches can move the packets but support for IPv6 and Netflow are
 limited.  I don't know how software in Nexus is shaping up.
 ,
 Other than that you're looking at high-end routers like OSR (10k), GSR
 (12k) or CRS which are overkill for the requirements.

 If you're looking for a non-Cisco solution, how about a Mikrotik?
 According to them the RB1100AHx2 can do 1Gbps and nearly 1Mbpps for less
 than €500, which is cheap enough to try one to see if it meets your needs
 -
 http://routerboard.com/RB1100AHx2

 Aled





[c-nsp] Recommendation for small GBit router

2011-12-15 Thread Rolf Hanßen
Hello,

I am looking for a stable, reliable router / Layer3 switch that can do the
following:
-forward at least 1GBit / 1Mpps
-full support of IPv6
-provide NetFlow data or similar for several hundred connected hosts in a
way that can be used for IP-based accounting (including IPv6 and not
sampled)
-small size (max. 5HU)
-redundant PSU

nice to have:
-bgp
-hsrp/vrrp

not needed:
-full table
-SFP or 10G Interfaces
-high amount of interfaces (3x 1000T is ok)

At the moment there is a GSR 12008 used for it but it has no IPv6 support
(apart from senseless size and power wasting).
I got a suggestion to take a refurbished 7206VXR + NPE-G1 but it still
looks expensive to me for such old piece of hardware.
Can you suggest a better/cheaper solution ?

kind regards
Rolf Hanßen




Re: [c-nsp] Recommendation for small GBit router

2011-12-15 Thread Rolf Hanßen
Hi Andrew,

just pure forwarding of a few public networks towards each other and
internet with default route.
No tunnels, no NAT, no DHCP, no VPN or something similar.
Concerning "relatively cheap": I'm searching for below 3000 Euro
absolutely. ;)

regards
Rolf

 Hi Rolf,

 On 16/12/2011, at 12:25 AM, Rolf Hanßen wrote:
 I am looking for a stable, reliable router / Layer3 switch that can do
 the
 following:
 -forward at least 1GBit / 1Mpps
 -full support of IPv6
 -provide NetFlow data or similar for several hundred connected hosts in
 a
 way that can be used for IP-based accounting (including IPv6 and not
 sampled)
 -small size (max. 5HU)
 -redundant PSU

 What type of connections do you want to terminate?
 An ASR1001 is pretty cheap (relatively) and a great little box - 1HE.

 Regards

 Andrew






[c-nsp] Oversubscription + port groups on WS-X6548-GE-TX

2011-12-01 Thread Rolf Hanßen
Hi,

I know that WS-X6548-GE-TX has only 8GBit fdx towards the chassis/bus and
I was told recently that this bandwidth is maybe divided into some kind of
port groups.

Unfortunately I found nothing except some old documents that describe
some ASIC limitation in old CatOS versions while using port channels.

I now would like to know if there is another limitation beside the 8GBit
total for any kind of configuration (with or without channels) with
present IOS releases and Sup720 I need to take care of with these cards.

kind regards
Rolf



[c-nsp] show installed memory and usage

2011-11-14 Thread Rolf Hanßen
Hello list,

according to what I read, on a Sup720 I have:
-Switch processor DRAM
-Route processor DRAM
-Switch processor bootdisk
-Route processor bootdisk

I now want to find out what is installed and what is used (at least for
the DRAM).

with dir I get the SP bootdisk I think:
Directory of sup-bootdisk:/
...
512024576 bytes total (303824896 bytes free)

sh version gives me:
cisco CISCO7609-S (R7000) processor (revision 1.0) with 983008K/65536K
bytes of memory.

sh mem shows:
              Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor 47352690   885676400   581839952   303836448    78906924   302877164
      I/O      800    67108864    15793180    51315684    51315684    51313980

Are those values the RP memory or the SP memory ?
How can I find out the values for the other memory not shown here?

How do I see the memory installed in 2nd sup720 (in case it is not in a
mode which requires same sizes as active card) ? attach the slot and sh
mem ?

kind regards
Rolf Hanßen



Re: [c-nsp] Output of bgp advertised-routes with next-hop-self

2011-10-09 Thread Rolf Hanßen
Hi,

maybe we swap incoming/outgoing routes.

 the output of the command you have executed locally will *always*
 display the *real* next-hop!

But why ? It obviously is not the nexthop that is sent to the peer.

 Execute the sh ip bgp neigh routes/received-routes - depending on config
 to *see* what your peer sees as next-hop!

With those commands I see the routes I receive and not those I advertise to
that peer.
I would like to see which nexthop is sent to the peer.

 The more-important question *IS* -
 why do you have 'next-hop-self' configured?

 1) e-bgp-speaker speaker sending updates to its i-bgp peer/s?

 2) All peers(E an I on same broadcast segment OR part of an NBMA-cloud)-
 the behavior is the same!
 ./Randy


Ok, forget the next-hop-self part, I thought it would have impact on
outgoing routes also.

regards
Rolf


 --- On Sat, 10/8/11, Rolf Hanßen n...@rhanssen.de wrote:

 From: Rolf Hanßen n...@rhanssen.de
 Subject: [c-nsp] Output of bgp advertised-routes with next-hop-self
 To: cisco-nsp@puck.nether.net
 Date: Saturday, October 8, 2011, 4:12 PM
 Hi,

 I was just wondering about the output of:
 sh bgp ipv6 unicast neighbors x advertised-routes
 sh ip bgp neighbors x advertised-routes

 I have configured next-hop-self and think that the Next
 Hop column
 should show the IP of my side of the (e)BGP session.
 Quagga and Foundry XMR behave that expected way, Cisco 7600
 does not
 (shows my internal nexthop no matter with or without
 next-hop-self,
 shutting session has no influence either).

 Is that a bug or a feature ?

 Version:
 Cisco IOS Software, c7600s72033_rp Software
 (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S,
 RELEASE SOFTWARE
 (fc1)

 kind regards
 Rolf







[c-nsp] Output of bgp advertised-routes with next-hop-self

2011-10-08 Thread Rolf Hanßen
Hi,

I was just wondering about the output of:
sh bgp ipv6 unicast neighbors x advertised-routes
sh ip bgp neighbors x advertised-routes

I have configured next-hop-self and think that the Next Hop column
should show the IP of my side of the (e)BGP session.
Quagga and Foundry XMR behave that expected way, Cisco 7600 does not
(shows my internal nexthop no matter with or without next-hop-self,
shutting session has no influence either).

Is that a bug or a feature ?

Version:
Cisco IOS Software, c7600s72033_rp Software
(c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE
(fc1)

kind regards
Rolf



Re: [c-nsp] Basic IOS questions

2011-09-10 Thread Rolf Hanßen
Hello,

 Show log:

 If you are trying to get the current day logs you can use sh log | inc
 Sep  9 (notice the two spaces since there is no zero and day is two
 digits)

Isn't there a way just to switch the order ?
Obviously somebody at Cisco also thinks it could be comfortable, "sh ip
ospf events" is ordered descending for example. ;)

 Ssh timeouts:

 The command you are looking for is exec-timeout this has to be applied
 to the individual vty lines.

The missing part was service tcp-keepalives-in

So this config works as far as I can see:
service tcp-keepalives-in
line vty 0 4
 exec-timeout 0 0

 Osfp ipv6:

 Yes they replaced router ospfv3 with ipv6 router ospf

 OSPF metric:

 Example 1:

 Show ipv6 route | inc ^O
 O   2001:::::/64 [110/49]

 The admin distance is 110 and metric is 49

 Example 2:

 sh ipv6 route  2001:::::/64
 Routing entry for 2001:::::/64
   Known via ospf , distance 110, metric 49, type intra area

 Same admin distance and metric

 Unless there are changes in those code revisions that effect the show
 ipv6 route they should be the same.

 Mack

I think that is not the same.
I set cost to 1000 for v4 and v6. This results in this output:

IPv4:
  Known via ospf 1, distance 110, metric 20, type extern 2, forward
metric 1000
  Last update from 123.123.123.123 on Vlan1349, 1d14h ago
  Routing Descriptor Blocks:
  * 123.123.123.123, from 123.123.123.123, 1d14h ago, via Vlan1349
  Route metric is 20, traffic share count is 1

IPv6:
  Known via ospf 1, distance 110, metric 20, type extern 2
  Route count is 1/1, share count 0
  Routing paths:
FE80::20B:FCFF:FE05:800, Vlan1349
  Last updated 16:58:47 ago

The router behind this Cisco shows the cost of 1000 I added for IPv6, so I
think it is just not shown here but calculated and forwarded correctly.

kind regards
Rolf

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
 Sent: Friday, September 09, 2011 3:51 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Basic IOS questions

 Hi,

 I have some questions that came up while working with Cisco 7600/6500
 boxes first weeks.
 Maybe you guys have some hints for me.

 order of sh log:
 Is there a way to show the latest entries first instead of scrolling down
 to the end ?

 ssh timeouts:
 I would like to disable the console timeout for ssh sessions. I.e. the
 sessions should only be closed if the ssh tcp-connection has a timeout.
 I tried a few commands that sounded like timeout but none worked.

 OSPF IPv6 documentation:
 several documentation tells me to use router ospfv3 to setup OSPF for
 IPv6 but it is not available in the cli.
 I could setup OSPF with ipv6 router ospf at least similar to the v4
 version. Did that replace router ospfv3 or why can I not enter it ?

 OSPFv6 costs:
 How can I see the costs of an OSPF v6 route ?
 sh ip route shows an entry forward metric but sh ipv6 route shows
 nothing similar.

 Software used:
 6500: 12.2(33)SXJ
 7600: 15.1(2)S

 kind regards
 Rolf Hanßen









[c-nsp] Basic IOS questions

2011-09-09 Thread Rolf Hanßen
Hi,

I have some questions that came up while working with Cisco 7600/6500
boxes first weeks.
Maybe you guys have some hints for me.

order of sh log:
Is there a way to show the latest entries first instead of scrolling down
to the end ?

ssh timeouts:
I would like to disable the console timeout for ssh sessions. I.e. the
sessions should only be closed if the ssh tcp-connection has a timeout.
I tried a few commands that sounded like timeout but none worked.

OSPF IPv6 documentation:
several documentation tells me to use router ospfv3 to setup OSPF for
IPv6 but it is not available in the cli.
I could setup OSPF with ipv6 router ospf at least similar to the v4
version. Did that replace router ospfv3 or why can I not enter it ?

OSPFv6 costs:
How can I see the costs of an OSPF v6 route ?
sh ip route shows an entry forward metric but sh ipv6 route shows
nothing similar.

Software used:
6500: 12.2(33)SXJ
7600: 15.1(2)S

kind regards
Rolf Hanßen






Re: [c-nsp] Cisco 6500/SUP720-3B EtherChannel Sample ?

2011-09-04 Thread Rolf Hanßen
Hi,

I just thought about how to add an interface to a running channel and I am
wondering about the config after adding a port.
If you have an existing channel and use "channel-group ..." on a clean
interface to add it, the config of the physical interface is not extended
with the config of the channel (for example the "switchport trunk allowed
vlan ..." line).
But if you change the config of the channel, the config of the member ports
is updated automatically.

What happens if I have 2 ports in the channel with different allowed vlans ?
Is the physical interface config ignored (and the channel interface vlans
are valid on all members) or does this really work and a vlan only
configured on one port of the channel is handled like a vlan on a
non-channel port ?

kind regards
Rolf

 add command 'channel-group 5 mode on' to interface. This creates
 port-channel interface
 configuration below from one 7609 SUP720

 interface Port-channel5
   description xxx link
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan
 1-253,255-283,285-288,291-306,308-337,339-355
   switchport trunk allowed vlan add
 357-372,375,376,380-382,384-388,390-531
   switchport trunk allowed vlan add
 534-603,607-610,612-691,693-703,705-899
   switchport trunk allowed vlan add 901-973,975-1156,1158-1207,1209-1252
   switchport trunk allowed vlan add
 1254-1268,1270,1271,1274-1276,1278-1296
   switchport trunk allowed vlan add
 1298-1356,1358-1383,1385-1422,1424-1513
   switchport trunk allowed vlan add
 1515-1524,1526-1604,1606,1608-1628,1630
   switchport trunk allowed vlan add
 1632-1968,1971-1979,1981-2099,2101-2204
   switchport trunk allowed vlan add
 2206-2899,2901-3472,3474,3476-3478,3480-4094
   switchport mode trunk
   switchport nonegotiate
   mtu 2200
   load-interval 30
   mls qos trust cos

 interface TenGigabitEthernet7/1
   description xxx portchannel 5
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan
 1-253,255-283,285-288,291-306,308-337,339-355
   switchport trunk allowed vlan add
 357-372,375,376,380-382,384-388,390-531
   switchport trunk allowed vlan add
 534-603,607-610,612-691,693-703,705-899
   switchport trunk allowed vlan add 901-973,975-1156,1158-1207,1209-1252
   switchport trunk allowed vlan add
 1254-1268,1270,1271,1274-1276,1278-1296
   switchport trunk allowed vlan add
 1298-1356,1358-1383,1385-1422,1424-1513
   switchport trunk allowed vlan add
 1515-1524,1526-1604,1606,1608-1628,1630
   switchport trunk allowed vlan add
 1632-1968,1971-1979,1981-2099,2101-2204
   switchport trunk allowed vlan add
 2206-2899,2901-3472,3474,3476-3478,3480-4094
   switchport mode trunk
   switchport nonegotiate
   mtu 2200
   load-interval 30
   mls qos trust cos
   channel-group 5 mode on


 interface TenGigabitEthernet7/3
   description xxx portchannel 5
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan
 1-253,255-283,285-288,291-306,308-337,339-355
   switchport trunk allowed vlan add
 357-372,375,376,380-382,384-388,390-531
   switchport trunk allowed vlan add
 534-603,607-610,612-691,693-703,705-899
   switchport trunk allowed vlan add 901-973,975-1156,1158-1207,1209-1252
   switchport trunk allowed vlan add
 1254-1268,1270,1271,1274-1276,1278-1296
   switchport trunk allowed vlan add
 1298-1356,1358-1383,1385-1422,1424-1513
   switchport trunk allowed vlan add
 1515-1524,1526-1604,1606,1608-1628,1630
   switchport trunk allowed vlan add
 1632-1968,1971-1979,1981-2099,2101-2204
   switchport trunk allowed vlan add
 2206-2899,2901-3472,3474,3476-3478,3480-4094
   switchport mode trunk
   switchport nonegotiate
   mtu 2200
   load-interval 30
   mls qos trust cos
   channel-group 5 mode on



 site#sh etherchannel 5 detail
 Group state = L2
 Ports: 2   Maxports = 8
 Port-channels: 1 Max Port-channels = 1
 Protocol:-
 Minimum Links: 0
  Ports in the group:
  ---
 Port: Te7/1
 

 Port state= Up Mstr In-Bndl
 Channel group = 5   Mode = On   Gcchange = -
 Port-channel  = Po5 GC   =   -  Pseudo port-channel
 = Po5
 Port index= 0   Load = 0x55 Protocol =-
 Mode = LACP

 Age of the port in the current state: 160d:04h:22m:01s

 Port: Te7/3
 

 Port state= Up Mstr In-Bndl
 Channel group = 5   Mode = On   Gcchange = -
 Port-channel  = Po5 GC   =   -  Pseudo port-channel
 = Po5
 Port index= 1   Load = 0xAA Protocol =-
 Mode = LACP

 Age of the port in the current state: 117d:23h:20m:43s

  Port-channels in the group:
  --

 Port-channel: Po5
 

 Age of the Port-channel   = 167d:04h:04m:53s
 Logical slot/port   = 14/5  Number of ports = 2
 GC  = 0x  HotStandBy port = null
 Port state  = Port-channel Ag-Inuse
 
