Re: [c-nsp] Whats happens when TCAM is full on 7600/RSP720RSP-3CXL?
Hi,

at least for Sup720-3B(XL) and Sup-2T it results in number 1 for the family that hit the limit. So in most cases it will look that way:

#show mls cef exception status
Current IPv4 FIB exception state = TRUE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE

And yes, the box will drop down to a few MBit of traffic.

kind regards
Rolf

> Hi,
>
> I'm currently using a 7606 (RSP720RSP-3CXL) and taking in full BGP on v4
> and v6. Obviously the TCAM is almost full and the box needs to be
> replaced.
>
> But I have a couple of questions.
>
> I have been hearing different scenarios of what would happen when the
> TCAM is full:
> 1. The whole thing goes into software routing mode for all routes, which
>    causes 100% CPU and results in an unusable box
> 2. New route entries will just get dropped, current entries just stay in
>    TCAM
> 3. New route entries will be software routed, but entries that are
>    already in TCAM will be hardware routed. You won't notice much impact in
>    the beginning.
>
> What is true?
>
> The only reason that our 7606 needs to be replaced is because of the
> TCAM. It doesn't do much traffic, like 3Gbps upstream. Only BGP/OSPF.
> And not many ports, 8 x 10Gb fiber + 30 x 1Gb copper (local servers).
>
> We will probably go for the ASR9006. But I would like to use it like I'm
> using the 7600 now, as a router/switch. I have been reading that you
> need to make some uncommon config to create Ethernet VLAN/Trunk
> interfaces and ports, as this is not commonly done with this router.
> But is this good practice? Will it be fine once I figured it out?
>
> Last question. Can I take a full BGP feed on both v4 and v6 with an
> A9K-RSP440-TR? Or do I need the -SE?
>
> Chiel
>
>
> Below is some output of our current 7600:
>
> #show mls cef maximum-route
>  IPv4 + MPLS        - 832k (default)
>  IPv6               - 90k
>  IP Multicast       - 1k
>
> #show mls cef su
> Total routes:                    915422
>    IPv4 unicast routes:         822144
>    IPv4 Multicast routes:       8
>    MPLS routes:                 2050
>    IPv6 unicast routes:         91220
>    IPv6 multicast routes:       3
>    EoM routes:                  0
>
> #show mls cef exception status
> Current IPv4 FIB exception state = FALSE
> Current IPv6 FIB exception state = FALSE
> Current MPLS FIB exception state = FALSE
>
> #show platform hardware capacity forwarding
> L3 Forwarding Resources
>  Module  FIB TCAM usage:                Total    Used    %Used
>   2      72 bits (IPv4, MPLS, EoM)     851968   824115   97%
>          144 bits (IP mcast, IPv6)      98304    91198   93%

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
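The two outputs quoted in this thread (`show platform hardware capacity forwarding` and `show mls cef exception status`) are what an operator would poll to catch TCAM exhaustion before the box falls into the exception state Rolf describes. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads both outputs (constructed samples laid out like the ones above, with the 824115/851968 and 91198/98304 figures from the post), reports headroom per TCAM region against warning/critical thresholds, and treats any family in FIB exception as critical because that family is already being software switched. Threshold values and the region labels are my own choices.

```python
import re

# Constructed sample output, laid out like the `show platform hardware capacity
# forwarding` and `show mls cef exception status` output quoted in this thread.
SAMPLE_CAPACITY = """\
L3 Forwarding Resources
  Module  FIB TCAM usage:                Total    Used    %Used
  2       72 bits (IPv4, MPLS, EoM)     851968   824115   97%
          144 bits (IP mcast, IPv6)      98304    91198   93%
"""

SAMPLE_EXCEPTION_OK = """\
Current IPv4 FIB exception state = FALSE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE
"""

# What the same command shows once the IPv4 family has overflowed (as in the reply above).
SAMPLE_EXCEPTION_IPV4 = SAMPLE_EXCEPTION_OK.replace(
    "IPv4 FIB exception state = FALSE", "IPv4 FIB exception state = TRUE")

TCAM_ROW = re.compile(r"(\d+) bits \(([^)]+)\)\s+(\d+)\s+(\d+)\s+(\d+)%")
EXC_ROW = re.compile(r"Current (\S+) FIB exception state = (TRUE|FALSE)")


def parse_tcam_usage(text):
    """Map each FIB TCAM region ("72-bit (IPv4, MPLS, EoM)", ...) to (total, used, pct)."""
    rows = {}
    for width, families, total, used, pct in TCAM_ROW.findall(text):
        rows[f"{width}-bit ({families})"] = (int(total), int(used), int(pct))
    return rows


def parse_exception_state(text):
    """Map each family (IPv4, IPv6, MPLS) to True when it is in FIB exception."""
    return {family: state == "TRUE" for family, state in EXC_ROW.findall(text)}


def assess(capacity_text, exception_text, warn_pct=85, crit_pct=95):
    """Return (severity, message) findings. An exception state is always critical:
    that family has already left the hardware path."""
    findings = []
    for region, (total, used, pct) in parse_tcam_usage(capacity_text).items():
        headroom = total - used
        detail = f"{region}: {used}/{total} used ({pct}%), {headroom} entries left"
        if pct >= crit_pct:
            findings.append(("CRITICAL", detail))
        elif pct >= warn_pct:
            findings.append(("WARNING", detail))
    for family, in_exception in parse_exception_state(exception_text).items():
        if in_exception:
            findings.append(("CRITICAL", f"{family} FIB exception state is TRUE (software switching)"))
    return findings


if __name__ == "__main__":
    for severity, message in assess(SAMPLE_CAPACITY, SAMPLE_EXCEPTION_IPV4):
        print(severity, message)
```

Run against the 7606 numbers above, the 72-bit region (97%) is already critical and the 144-bit region (93%) is a warning while no family is in exception yet; once the IPv4 state flips to TRUE a third, unconditional critical finding appears. The headroom in entries is the number to watch rather than the percentage, since a single session flap can add tens of thousands of prefixes at once.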
Re: [c-nsp] OSPFv3 in CoPP
Hi,

maybe you need to add the non-link-local address. I did not separate OSPF and BGP, but this works:

ipv6 access-list acl-copp-transfer-ipv6
 permit 89 FE80::/10 any
 permit ipv6 2001:DB8::/48 any

2001:DB8::/48 contains all transfer networks and loopback addresses in my case.

kind regards
Rolf

> Howdy,
>
> This is SUP2T, I am just playing with this in a lab (I realize sup2t is
> dead).
>
> I notice that if I enable a CoPP policy and then do clear ipv6 ospf
> process 1 (yes) the process gets stuck forever in EXSTART until I remove
> the service-policy and then instantly it connects and begins operating
> normally. I am assuming that it is because I am blocking something
> accidentally via my CoPP policy.
>
> I've allowed protocol 89 sourced from the entire link-local subnet and
> then when that didn't work I then allowed all ipv6 on the link-local
> subnet. If I debug the traffic it just keeps re-transmitting DBDs to the
> IPv4 address of the peer (that is probably just the router-id) on the
> VLAN, over and over.
>
> Does anyone have a working CoPP ACL for OSPFv3?
>
> Thanks,
> -Drew
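The difference between Drew's link-local-only ACL and Rolf's working one is easiest to see by feeding both a few candidate control-plane packets. The block below is an added example, not configuration or code from either poster: a minimal first-match IPv6 ACL evaluator in Python (using only the standard `ipaddress` module) with the two ACLs from this thread and a handful of constructed packets in the 2001:db8::/32 documentation range. The packet addresses and the assumption that the CoPP class-map matches on a `permit` entry are mine; the model has no ports and no explicit deny entries.

```python
import ipaddress

OSPFV3 = 89   # IP protocol number for OSPF (v2 and v3)
TCP = 6

# An ACL is an ordered list of (protocol, source, destination). "ipv6" matches any
# protocol and "any" any address; first match wins and there is an implicit deny at
# the end, as in IOS. Simplified model: no ports, no explicit deny entries.
LINK_LOCAL_ONLY = [
    (OSPFV3, "FE80::/10", "any"),
]
WITH_GLOBAL = [
    (OSPFV3, "FE80::/10", "any"),
    ("ipv6", "2001:DB8::/48", "any"),   # transfer networks + loopbacks, as in the reply
]


def acl_permits(acl, proto, src, dst):
    """True when some entry of `acl` matches the packet (i.e. the class-map would match)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry_proto, entry_src, entry_dst in acl:
        if entry_proto != "ipv6" and entry_proto != proto:
            continue
        if entry_src != "any" and src not in ipaddress.ip_network(entry_src):
            continue
        if entry_dst != "any" and dst not in ipaddress.ip_network(entry_dst):
            continue
        return True
    return False   # implicit deny


# Constructed control-plane packets (documentation prefix, hypothetical interface numbering).
PACKETS = {
    "OSPFv3 hello, link-local source": (OSPFV3, "fe80::1", "ff02::5"),
    "OSPFv3 from global interface address": (OSPFV3, "2001:db8:0:10::1", "2001:db8:0:10::2"),
    "BGP from loopback": (TCP, "2001:db8::1", "2001:db8::2"),
    "OSPFv3 from outside the whitelisted range": (OSPFV3, "2001:db8:ffff::1", "2001:db8:0:10::2"),
}


def evaluate(acl):
    """Which of the sample packets each ACL would match."""
    return {name: acl_permits(acl, *pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, acl in (("link-local only", LINK_LOCAL_ONLY), ("with global range", WITH_GLOBAL)):
        print(name, evaluate(acl))
```

With the link-local-only ACL, only the hello matches; any OSPFv3 packet sourced from a global interface address, and the BGP session, fall through to whatever CoPP does with class-default. The second ACL admits both while still leaving a source outside 2001:db8::/48 unmatched, which is the property you want to check before trusting a CoPP policy in production: in CoPP the ACL only selects the class, and the policy-map action on that class decides the packet's fate.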
Re: [c-nsp] FIB insertion issues on Sup2T routers
Hello,

on router #1 it happened again. We then updated it to 15.2(1)SY5 (pure luck) on Dec 6th and configured prefix limits on all sessions allowing less than 100k above current count.
On router #2 we did nothing.
Router #3 was a false positive, issue did not occur at all (human error).

Nothing happened since the updates, no insertion issue, no prefix count hit. So we have no clue what happened.

kind regards
Rolf

> Hi,
>
>> I had 3 incidents within a week in which Sup2T-XL routers switched to
>> software forwarding.
>>
>> I.e. log says:
>> %MLSCEF-4-FIB_TCAM_INSERT_FAIL: FIB entry insertion into tcam failed,
>> one
>> IPv4 route may be absent from hardware table
>
> Haven't seen this one, but I'm interested to hear whether you've had new
> occurrences... We're running newer code though, 15.2(1)SY5 currently,
> because of several bugs in earlier releases.
>
>
> Regards,
>
> Jeroen van Ingen
> ICT Service Centre
> University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Re: [c-nsp] FIB insertion issues on Sup2T routers
Hello,

had a "chance" today to check this.
Interesting is that the resources are even lower than normal (approx. 100k IPv4 routes less):

L3 Forwarding Resources
  FIB TCAM usage:                   Total      Used   %Used
   72 bits (IPv4, MPLS, EoM)      1048576    557541    53%
  144 bits (IP mcast, IPv6)        524288     45727     9%
  288 bits (IPv6 mcast)            262144         1     1%
  detail:      Protocol            Used   %Used
               IPv4              557539    53%
               MPLS                   1     1%
               EoM                    1     1%
               IPv6               45724     9%
               IPv4 mcast             3     1%
               IPv6 mcast             1     1%
  Adjacency usage:                  Total      Used   %Used
                                  1048576     32191     3%

kind regards
Rolf

> Hello,
>
> I think a full 'show platform hardware capacity' output from the affected
> device before reboot could be the best starting point for
> troubleshooting...
>
> You may use a EEM TCL script for autosaving useful outputs in case of such
> events.
> --
> Best regards,
> Vladimir Troitskiy
[c-nsp] FIB insertion issues on Sup2T routers
Hello,

I had 3 incidents within a week in which Sup2T-XL routers switched to software forwarding.

I.e. log says:
%MLSCEF-4-FIB_TCAM_INSERT_FAIL: FIB entry insertion into tcam failed, one IPv4 route may be absent from hardware table

Was fixed by a reboot in each case.
Uptime differs (several weeks up to years), chassis differ (6509E/7609S), all routers run 15.1(2)SY1.
Number of total routes is not close to the edge:

#sh platform hardware cef summary
Total routes:                    709683
  IPv4 unicast routes:           664027
    IPv4 non-vrf routes:         664027
    IPv4 vrf routes:             0
  IPv4 multicast routes:         3
  IPv6 unicast routes:           45650
    IPv6 global routes:          45649
      IPv6 non-vrf routes:       45649
      IPv6 vrf routes:           0
    IPv6 link-local routes:      1
  IPv6 multicast routes:         1
  mpls routes:                   1
    mpls-vpn routes:             0
  eompls-l2 routes:              1
  eom-ipv4-mcast routes:         0
  eom-ipv6-mcast routes:         0

#sh platform hardware cef maximum-routes
Fib-size: 1024k (1048576), shared-size: 1016k (1040384), shared-usage: 735k (753326)
Protocol          Max-routes   Use-shared-region   Dedicated
IPV4              1017k        Yes                 1k
IPV4-MCAST        1017k        Yes                 1k
IPV6              1017k        Yes                 1k
IPV6-MCAST        1017k        Yes                 1k
MPLS              1017k        Yes                 1k
EoMPLS            1017k        Yes                 1k
VPLS-IPV4-MCAST   1017k        Yes                 1k
VPLS-IPV6-MCAST   1017k        Yes                 1k

They did not have that issue at the same time and receive the same routes that also other Sup2T routers (that did not have that issue) receive, so I do not expect this to be the result of a short wave of routes learned from peers/uplinks.

Did anyone else have that issue?
Any hints how to find the cause (without support contract)?

kind regards
Rolf
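Both FIB-related messages that appear in these threads (%MLSCEF-4-FIB_TCAM_INSERT_FAIL here and MLSCEF-SP-7-FIB_EXCEPTION in the 512K-routes thread) share the IOS `%FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC:` tag, so a syslog collector can key on the facility and mnemonic rather than the free text. The block below is an added example, not code from the thread or from Cisco: a parser for that tag run over a few constructed syslog lines (hostnames, timestamps and sequence numbers are invented, the FIB_TCAM_INSERT_FAIL text is the one quoted above, and the FIB_EXCEPTION text is a placeholder) that picks out the FIB events per host. It is the off-box counterpart of the EEM-triggered capture suggested later in the thread.

```python
import re

# Constructed syslog lines in IOS format (timestamp, host, sequence number, message).
# The FIB_TCAM_INSERT_FAIL text is the one quoted in this thread; the FIB_EXCEPTION
# text is a placeholder. Hosts, timestamps and sequence numbers are invented.
SAMPLE_LOG = """\
Dec  6 03:12:41 core1 1234: Dec  6 03:12:40.991: %MLSCEF-4-FIB_TCAM_INSERT_FAIL: FIB entry insertion into tcam failed, one IPv4 route may be absent from hardware table
Dec  6 03:12:45 core1 1235: Dec  6 03:12:44.003: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
Dec  6 03:13:02 core2 991: Dec  6 03:13:01.712: %MLSCEF-SP-7-FIB_EXCEPTION: (message text placeholder)
"""

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text   (subfacility such as SP starts with a letter)
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<sub>[A-Z][A-Z0-9]*))?-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)"
)

# Mnemonics from these threads and what each means for the forwarding path.
FIB_MNEMONICS = {
    "FIB_TCAM_INSERT_FAIL": "a prefix could not be programmed into the hardware FIB",
    "FIB_EXCEPTION": "an address family fell back to software switching",
}


def parse_line(line):
    """Split one syslog line into its tag fields plus the host, or None if untagged."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    parts = line.split()
    fields["host"] = parts[3] if len(parts) > 3 else None   # host position in the format above
    return fields


def fib_alerts(log_text):
    """(host, mnemonic, description) for every MLSCEF message that signals FIB trouble."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["facility"] == "MLSCEF" and f["mnemonic"] in FIB_MNEMONICS:
            alerts.append((f["host"], f["mnemonic"], FIB_MNEMONICS[f["mnemonic"]]))
    return alerts


if __name__ == "__main__":
    for host, mnemonic, description in fib_alerts(SAMPLE_LOG):
        print(f"{host}: {mnemonic}: {description}")
```

One caveat worth building into the collector: the FIB_EXCEPTION mnemonic carries severity 7 (debugging), so a `logging trap` level below debugging never forwards it to the syslog server, and the matcher above would see only the severity-4 insert failures.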
Re: [c-nsp] Juniper MX240 & MX480
Hi,

RE-S-X6-64G requires SCBE2.
SCBE2 does not work with DPCs.
So you cannot upgrade to newest RE with old linecards.

kind regards
Rolf

> Hi,
>
> it is strange, because RE doesn't do much with line cards, maybe it
> depends what kind SCB you have ...
>
> Best regards,
> Misak Khachatryan,
Re: [c-nsp] Juniper MX240 & MX480
Hello Aaron,

that's not a Cisco-only "feature".
You could also move from MX to new ASR boxes because Juniper told you that your old DPC cards do not work if you replace your RE-S-2000 with the newest RE (RE-S-X6-64G + SCBE2). ;)

kind regards
Rolf

> The thing that caused me to evaluate replacing my ASR9k 15-node network
> was
> when Cisco told me if I replaced my RSP-4G routing engine with newest one,
> all my 1st gen Trident linecards would stop working. :|
Re: [c-nsp] Cisco 6509 / WS-CAC-6000W OUTPUT FAIL
Hello,

in the meantime the system was turned off. Neither removing cards nor turning off/on changed the situation.
So I guess the chassis is just broken in some way.
At least the scrap dealer will be happy. ;)

kind regards
Rolf

> Late to the thread, but some of the chassis models (non-E, perhaps) have
> a backplane power limitation from the B supply IIRC, and it was
> somewhere in the 4kw range.
>
>
> On 3/14/17 2:42 AM, James Bensley wrote:
>> On 13 March 2017 at 15:02, "Rolf Hanßen" wrote:
>>>                   Power-Capacity   PS-Fan  Output  Oper
>>> PS  Type          Watts    A @42V  Status  Status  State
>>> --  ------------  -------  ------  ------  ------  -----
>>> 1   WS-CAC-6000W  5771.64  137.42  OK      OK      on
>>> 2   WS-CAC-6000W  3780.00   90.00  -       -       off
>> Why is one of these 6kW PSUs saying 4kW of power capacity? Since they
>> are the same model PSU I think the power capacity has to match on
>> them?
>>
>> Cheers,
>> James.
Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)
Hello,

I read your mail twice and still don't know which direction is affected (4500X to ASR or ASR to 4500X or both).
Please be aware that the balancing hash method only affects outbound traffic, so changing the method on the 4500X only affects traffic towards the ASR.

Using MAC addresses for balancing is a bad idea.
Years ago we had the great idea to connect several servers with dual NIC to a router with a 2 port channel switching between. MAC on the router was always the same, MACs on the servers were all even because we used the same port on all servers. Result: no balancing at all.

Is the switch able to use IP / port for all frames or do you have packets it maybe does not understand (like MPLS packets)?

kind regards
Rolf

> Hi Everyone - Have a 4 port etherchan between ASR1006/4500X (In VSS) -
> Tried virtually all the load-balancing options on the 4500X, but port "1"
> in the portchan group always gets majority of traffic share.
>
>
> Links are:
>
> ASR1006    4500X (2)
> 0/0/3      1/1/4
> 1/0/0      1/1/16
> 1/0/3      2/1/4
> 2/0/0      2/1/16
>
>
> src/dst ip - I get both ports on "primary" 4500X being primarily used
> (1/1/4 getting the most)
>
> src/dst mac - I get a bit of a better load spread, but 2/1/4 gets very
> little traffic, and again 1/1/4 gets the most
>
> src/dst port - 1/1/4 gets the most, 2/1/16 gets a lot more (ingress),
> 2/1/4, very little
>
>
> The portchan peak usage is 2 to 2.5Gb/sec, but would do more, as it is
> being limited by the load-balancing, i.e. 1/1/4 will max out at 1G/sec
> (We have a very bursty traffic. SP - So mix of
> Inet/L3VPN/backup/replication etc)
>
>
> If anyone has some suggestions on how to achieve a better (more even)
> traffic spread, it would be greatly appreciated. Migrating to 10Gb is
> what we plan to do, but am interested in anyone's comments on why 1/1/4 is
> used so heavily regardless of the load-balancing algorithm used (Assuming
> it is because it is the "first" port, spanning tree probably preferring
> this port?). The ASR1006 only has 2 load-balancing options, flow-based or
> vlan-manual..lol and I don't have any interest in setting up manual
> vlan load-balancing.
>
>
> Thanks
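Rolf's "MACs on the servers were all even, result: no balancing at all" is a hash-polarisation problem, and it can be reproduced without hardware. The block below is an added example, not code from the thread or from Cisco: a toy 3-bit XOR hash (8 buckets spread over the channel members, a simplified stand-in for the platform algorithm rather than the real one) applied to a constructed scenario of eight servers behind a 2-member channel, all using the same NIC port so the low bits of their MACs coincide, all talking to one router MAC. All addresses, port numbers and link names are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _low3(value):
    return value & 0x7


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def _last_octet(ip):
    return int(ip.split(".")[-1])   # enough for this toy hash


def bucket(flow, method):
    """Toy 3-bit XOR hash (8 buckets) over the fields the chosen method looks at.
    Simplified model only, not the platform's real hash."""
    if method == "src-dst-mac":
        return _low3(_mac_int(flow.src_mac)) ^ _low3(_mac_int(flow.dst_mac))
    if method == "src-dst-ip":
        return _low3(_last_octet(flow.src_ip)) ^ _low3(_last_octet(flow.dst_ip))
    if method == "src-dst-port":
        return _low3(flow.src_port ^ flow.dst_port)
    raise ValueError(f"unknown method {method}")


def member_link(flow, method, links):
    """Spread the 8 buckets evenly over the member links (2, 4 or 8 members)."""
    return links[bucket(flow, method) * len(links) // 8]


def distribution(flows, method, links):
    """Flows per member link for a given hash method."""
    counts = {link: 0 for link in links}
    for flow in flows:
        counts[member_link(flow, method, links)] += 1
    return counts


# Constructed scenario from the reply: every server uses the same NIC port, so the low
# bits of their MACs are identical, and the far end is always the same router MAC.
ROUTER_MAC, ROUTER_IP = "00:00:0c:9f:f0:01", "10.0.0.1"
SERVER_FLOWS = [
    Flow(src_mac=f"00:1b:21:00:{i:02x}:00", dst_mac=ROUTER_MAC,
         src_ip=f"10.0.0.{10 + i}", dst_ip=ROUTER_IP,
         src_port=40000 + i, dst_port=443)
    for i in range(8)
]
LINKS = ["Te1/1", "Te1/2"]

if __name__ == "__main__":
    for method in ("src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(method, distribution(SERVER_FLOWS, method, LINKS))
```

With identical low MAC bits on one side and a constant MAC on the other, every flow lands in the same bucket and the second member carries nothing, while the IP- and port-based keys of the same flows split 4/4. The same function run with four links shows the general point: a key whose low bits do not vary across flows cannot be rescued by adding members.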
Re: [c-nsp] vrrpv3 + IPv6 hangs in INIT state
Hi Nick,

yes, that's it. Comes up now, thanks for the hint.

kind regards
Rolf

> Rolf Hanßen wrote:
>> I just tried to get VRRP + IPv6 running on a Sup2T with 15.1(2)SY1.
>> I enabled VRRPv3 and it works at least for IPv4.
>
> Yeah, this caught me too. The primary ipv6 address for a vrrpv3 needs
> to be an ipv6 link-local address:
>
>> http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhrp-vrrpv3.html
>
>> VRRPv3 for IPv6 requires that a primary virtual link-local IPv6
>> address is configured to allow the group to operate. After the
>> primary link-local IPv6 address is established on the group, you can
>> add the secondary global addresses.
>
> So your configuration should look like this:
>
> fhrp version vrrp v3
> interface Vlan2000
>  vrrp 6 address-family ipv6
>   address fe80::1 primary
>   address :::::1/64
>  exit-vrrp
> end
>
> Nick
[c-nsp] vrrpv3 + IPv6 hangs in INIT state
Hello,

I just tried to get VRRP + IPv6 running on a Sup2T with 15.1(2)SY1.
I enabled VRRPv3 and it works at least for IPv4.
But for IPv6 the status stays on status INIT:

sh vrrp brief:
Interface   Grp  A-F   Pri  Time  Own  Pre  State  Master addr/Group addr
Vl2000      6    IPv6  100  0     N    Y    INIT   AF-UNDEFINED no address

sh vrrp vlan 2000:
Vlan2000 - Group 6 - Address-Family IPv6
  State is INIT
  State duration 49 mins 57.900 secs
  Virtual IP address is no address
  Virtual MAC address is .5E00.0206
  Advertisement interval is 3000 msec
  Preemption enabled
  Priority is 100
  Master Router is unknown, priority is unknown
  Master Advertisement interval is unknown
  Master Down interval is unknown

vlan2000 is up and other side (Juniper MX) pings fine.
sh vrrp statistics shows zero-counters.

Routing-Interface:
interface Vlan2000
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 load-interval 30
 ipv6 address :::::3/64
 ipv6 enable
 ipv6 nd dad attempts 0
 ipv6 nd prefix default no-advertise
 ipv6 nd ra suppress
 no ipv6 redirects
 vrrp 6 address-family ipv6
  address :::::1/64
 exit-vrrp
end

I would expect it to become master in case it does not work together with Juniper.
I checked with a second device, same behaviour.

Any hints?

kind regards
Rolf
[c-nsp] Cisco 6509 / WS-CAC-6000W OUTPUT FAIL
Hello,

I have an issue with a C6509 shortly before it will be replaced. ;)
PS2 shows OUTPUT FAIL (both inputs ok), I already replaced it, no change.
sh power shows 3780 Watt for PS2, what is that value?

system power redundancy mode = redundant
system power redundancy operationally = non-redundant
system power total =     5771.64 Watts (137.42 Amps @ 42V)
system power used =      2815.26 Watts (67.03 Amps @ 42V)
system power available = 2956.38 Watts (70.39 Amps @ 42V)

                         Power-Capacity   PS-Fan  Output  Oper
PS    Type               Watts    A @42V  Status  Status  State
----  -----------------  -------  ------  ------  ------  -----
1     WS-CAC-6000W       5771.64  137.42  OK      OK      on
2     WS-CAC-6000W       3780.00   90.00  -       -       off

                         Pwr-Allocated    Oper
Fan   Type               Watts    A @42V  State
----  -----------------  -------  ------  -----
1     WS-C6509-E-FAN      210.00    5.00  OK

                         Pwr-Requested    Pwr-Allocated    Admin  Oper
Slot  Card-Type          Watts    A @42V  Watts    A @42V  State  State
----  -----------------  -------  ------  -------  ------  -----  -----
1     WS-X6748-GE-TX      325.50    7.75   325.50    7.75  on     on
2     WS-X6748-GE-TX      325.50    7.75   325.50    7.75  on     on
3     WS-X6748-GE-TX      325.50    7.75   325.50    7.75  on     on
5     WS-SUP720-3B        282.24    6.72   282.24    6.72  on     on
6     (Redundant Sup)     -         -      282.24    6.72  -      -
7     WS-X6704-10GE       295.26    7.03   295.26    7.03  on     on
8     WS-X6708-10GE       473.76   11.28   473.76   11.28  on     on
9     WS-X6704-10GE       295.26    7.03   295.26    7.03  on     on

system auxiliary power mode = off
system auxiliary power redundancy operationally = non-redundant
system primary connector power limit =   10920.00 Watts (260.00 Amps @ 42V)
system auxiliary connector power limit = 10500.00 Watts (250.00 Amps @ 42V)
system primary power used =               2815.26 Watts (67.03 Amps @ 42V)
system auxiliary power used =             0 Watt

Anyone seen such behaviour yet?
Maybe chassis defective?

kind regards
Rolf
Re: [c-nsp] 720-3BXL IOS 15
Hi Curtis,

that combination does not sound good to me. I think you will run into memory issues.

kind regards
Rolf

> Does anyone have any suggested 15.x Versions for the 720-3BXL Cards? I
> have a couple of 7606 routers that have a need to run BFD + BGP within a
> VRF Instance. The current 12.2(33)SRB3 does not allow this.
>
> The router takes in 3 full copies of the Internet routing table as well as
> some very light VPNv4 routing tables. I've already reallocated the TCAM
> to
> allow 768k IPv4 Routes.
>
> Thanks
Re: [c-nsp] Router 6504E - SUP 720 3B XL
Hi,

sorry, but 88% used does not mean you really have 12% you can use.
3 years ago we were in a similar situation, one of our 3BXL had 92 or 93% usage and restarted the bgp process because it was unable to allocate more memory. We thought we had a few more months and waited too long to replace it.
So 88% means "disable one session" and not "add another one".

If you want to use 6500/7600, go for the Sup2T (XL was around 9k Euro - before Brexit) + 4Gig memory.
You can still build an up to 80GBit throughput box with a great router port amount per money if you use 6700 linecards with CFC (WS-X6748-GE-TX below 200Euro, WS-X6704-10GE below 500Euro) and can live with the risk that 1M routes could become an issue in a few years.

kind regards
Rolf

> 15.7.2016, 17:13, Nick Hilliard wrote:
>> TCAM is fine for the time being, but RP RAM is definitely a problem on
>> this platform. The RP has 1G of RAM, non-upgradable. A DFZ will work
>> for the time being if you run 12.2SX. If you run 15S, there's less
>> space and it will not run unless you disable inbound soft reconfig. In
>> either case, it's not going to be viable in the long term.
>>
> Yes, with 15.X IOS you will be at 90% in memory usage. We have one box
> (15.1(2)SY4a IOS) with two full feeds and a lot of features enabled -
> the memory usage is 88%. There is still room for a third full BGP feed.
> I'm not concerned about this, since even with an empty config the memory
> usage is quite high. However, it's stable and doesn't vary much.
>
> But yeah, 6500 is not the best choice for the future.
>
> zzif
Re: [c-nsp] traceroute from ASA with source IP from inside interface
Hi Nick,

the outgoing packets are UDP but the packets coming back should be icmp ttl expired, that is why I allowed icmp.
I just tried to allow anything in and out without any change, so I guess this is not rule-related at all.

Any other ideas?

kind regards
Rolf

> Traceroutes from ASA / routers use UDP not ICMP
>
> You can "inspect ICMP error" as well as allow the ICMP and UDP traceroute
> versions of the message you need - this is my traceroute config I use on
> client contexts:
>
> Note these firewalls are non-internet facing so security is less important
> to me than troubleshooting.
>
> access-list outside_access_in extended permit icmp any any unreachable
> access-list outside_access_in extended permit icmp any any traceroute
> access-list outside_access_in extended permit icmp any any time-exceeded
>
> policy-map global_policy
>  class inspection_default
>   inspect icmp
>   inspect icmp error
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> "Rolf Hanßen"
> Sent: 16 March 2016 10:58
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] traceroute from ASA with source IP from inside interface
>
> Hi,
>
> I am new to ASA and wondering about the traceroute (and ping) behaviour.
> I wanted to trace/ping with the IP address of the internal interface, but
> anything I try results in stars:
>
> ASA# traceroute 8.8.8.8 source inside
>
> Type escape sequence to abort.
> Tracing the route to 8.8.8.8
>
>  1  * * *
>  2  * * *
>
> Tracing without setting a source (or "source outside") works fine.
> I create a rule for the internal interface towards dst any service ip.
> There is also a rule on the outside interface to allow icmp.
> I replace "inside" with the IP.
> Traceroutes from servers attached to the inside interface work fine.
>
> There is no control plane policy set.
>
> Is this a bug or some strange "security feature"?
> Is there another part that maybe filters such traffic?
> In the management access section I see only https/asdm/ssh/telnet.
>
> Maybe somebody can explain.
>
> kind regards
> Rolf
[c-nsp] traceroute from ASA with source IP from inside interface
Hi,

I am new to ASA and wondering about the traceroute (and ping) behaviour.
I wanted to trace/ping with the IP address of the internal interface, but anything I try results in stars:

ASA# traceroute 8.8.8.8 source inside

Type escape sequence to abort.
Tracing the route to 8.8.8.8

 1  * * *
 2  * * *

Tracing without setting a source (or "source outside") works fine.
I create a rule for the internal interface towards dst any service ip.
There is also a rule on the outside interface to allow icmp.
I replace "inside" with the IP.
Traceroutes from servers attached to the inside interface work fine.

There is no control plane policy set.

Is this a bug or some strange "security feature"?
Is there another part that maybe filters such traffic?
In the management access section I see only https/asdm/ssh/telnet.

Maybe somebody can explain.

kind regards
Rolf
Re: [c-nsp] Peering + Transit Circuits
Hi,

you forgot to do some interface-ACL-magic that drops peer-traffic that does not have a destination IP in my cool-networks-whitelist.

kind regards
Rolf

Question: What is the preferred practice for separating peering and transit circuits?

1. Terminate peering and transit on separate routers.
2. Terminate peering and transit circuits in separate VRFs.
3. QoS/QPPB ( https://www.nanog.org/meetings/nanog42/presentations/DavidSmith-PeeringPolicyEnforcement.pdf )
4. Don't worry about peers stealing transit.
5. What is peering?

Your comments are appreciated.

--
Tim:
[c-nsp] Set BGP metric based on nexthop IGP metric
Hello,

I need a hint regarding an OSPF/BGP setup on some C6500.
I have BGP configured between the loopback IPs of several routers.
Let's say router a and router b advertise x.x.x.x/24 (connected network) to router c (and d, e...).
Router c now has 2 BGP routes with the same attributes (except the nexthop) and takes the oldest one as far as I see.

sh ip bgp x.x.x.x/24:
...
  a.a.a.a (metric 20) from a.a.a.a (a.a.a.a)
    Origin IGP, metric 0, localpref 1000, valid, external, best
...
  b.b.b.b (metric 20) from b.b.b.b (b.b.b.b)
    Origin IGP, metric 0, localpref 1000, valid, external

sh ip route a.a.a.a:
Routing entry for a.a.a.a/32
  Known via ospf 1, distance 110, metric 20, type extern 2, forward metric 2000
...

sh ip route b.b.b.b:
Routing entry for b.b.b.b/32
  Known via ospf 1, distance 110, metric 20, type extern 2, forward metric 1000
...

I would like to know how to bind/link the BGP metric to the forward metric value and not to 20.
I would like to achieve that the BGP route is equal to the closest router according to OSPF. I always thought this would be default behaviour.

My problem with random picking of the route also is that this can cause a routing loop in some simple cases:
a--c--d--b
c chooses the route from b and d chooses it from a. - loop between c and d.

All I could find that sounds like a solution is set metric-type in the route map, but this seems to be for route-redistribution only.
I guess anything in the route-map would not help anyway because it is not processed if something in IGP occurs.
Having the route in OSPF either does not help because the EBGP route is preferred over the OSPF route (higher administrative distance).
Changing to IBGP isn't a good option in my case, I also want to avoid configuring manual med/localpref on router c+d.

What is the best practice for such setups?
What do for example providers do that exchange a full table between their routers that way and do not have those routes in IGP. Or what did they do before MPLS became popular?

kind regards
Rolf
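The "(metric 20)" printed beside each path in the `sh ip bgp` output is the RIB metric of the route to the next hop, and for an OSPF type-2 external that is the constant external metric, not the path cost (which only appears as the "forward metric"). The BGP decision process therefore sees 20 against 20, ties, and falls back to the oldest path. The block below is an added example, not code from the post or from Cisco: a simplified model of the relevant decision steps, fed the two paths from the output above (AS-path length and the other attributes are assumed equal, as the post states) and run once with the E2 metric and once with the forward metric, so the tie and its consequence are visible. Type-1 externals, by contrast, carry the internal cost in their RIB metric.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    nexthop: str
    local_pref: int
    as_path_len: int
    origin: int          # 0 = IGP, 1 = EGP, 2 = incomplete
    med: int
    external: bool       # learned via eBGP
    arrival: int         # lower = received earlier (the older path)


def best_path(paths, igp_metric):
    """Simplified BGP decision process, restricted to the steps that matter for the
    two paths in the post, applied in order. `igp_metric` maps a next hop to the RIB
    metric of the route towards it (MED comparison across any neighbour AS assumed)."""
    def rank(p):
        return (
            -p.local_pref,            # higher local preference wins
            p.as_path_len,            # shorter AS path wins
            p.origin,                 # IGP < EGP < incomplete
            p.med,                    # lower MED wins
            0 if p.external else 1,   # eBGP over iBGP
            igp_metric[p.nexthop],    # lower IGP metric to the next hop wins
            p.arrival,                # otherwise the oldest path wins
        )
    return min(paths, key=rank)


# The two paths from `sh ip bgp x.x.x.x/24`: same attributes, a.a.a.a arrived first.
# AS-path length 1 is an assumption; only equality matters here.
PATHS = [
    BgpPath("a.a.a.a", local_pref=1000, as_path_len=1, origin=0, med=0, external=True, arrival=0),
    BgpPath("b.b.b.b", local_pref=1000, as_path_len=1, origin=0, med=0, external=True, arrival=1),
]

# RIB metric of the route to each loopback, taken from the `sh ip route` output:
# both are OSPF type-2 externals, so the RIB metric is the external metric (20) for
# both, and the path cost shows only as the forward metric (2000 vs 1000).
E2_METRIC = {"a.a.a.a": 20, "b.b.b.b": 20}
FORWARD_METRIC = {"a.a.a.a": 2000, "b.b.b.b": 1000}


def compare():
    """Best next hop under each metric source."""
    return {
        "rib metric (E2 external metric)": best_path(PATHS, E2_METRIC).nexthop,
        "forward metric (path cost)": best_path(PATHS, FORWARD_METRIC).nexthop,
    }


if __name__ == "__main__":
    for source, nexthop in compare().items():
        print(f"{source}: best via {nexthop}")
```

With the E2 metric the IGP step cannot separate the paths and the older one (a.a.a.a) wins regardless of distance; only a next-hop route whose RIB metric reflects the path cost lets the closer router (b.b.b.b) win. This is also why the loop in the a--c--d--b sketch is possible: "oldest path" is decided independently on c and d.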
[c-nsp] Switch for vlan translation needed
Hello,

I look for a small switch that can do vlan translation.
Should have 1000T ports and port channel support.
I want to connect one port channel with several tagged vlans that are mapped to other vlan ids on another port channel.

Do you have any cheap suggestion?

kind regards
Rolf
Re: [c-nsp] 512K routes approaching - have you adjusted your tcam settings
Hi Mack,

I am wondering about including Sup 2T?
As far as I see Sup2T has no static CAM partition anymore and therefore needs no specific maximums set.

kind regards
Rolf

As many readers on this list know the routing table is approaching 512K routes.
For some it has already passed this threshold.
For those that aren't familiar with the issues associated with passing this threshold, I suggest the following two documents:

http://www.ipv4depletion.com/?p=672
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

Affected devices include 6500s (including sup 2T), 7600s, nexus 7Ks and many devices by other vendors.

This problem will likely impact us in some way over the next month even if we fixed our devices because we connect to other services that have not prepared.
So be on the lookout for MLSCEF-SP-7-FIB_EXCEPTION messages in your logs.

Mack McBride | Network Architect | ViaWest, Inc.
Re: [c-nsp] Storm control - find out which vlan hits the limit
Hi,

nobody an idea?
Tried Mini Protocol Analyzer but as far as I see I cannot combine it with a MAC address ACL.
In the meantime I got a server connected to the router and could export the traffic via SPAN but still see no unusual broad-/multicast spikes.

Can anybody confirm that the physical interface bandwidth is used for the percentage calculation and not the current traffic?
I.e. 0.35% on a 10Gbit interface with 200MBit traffic will make storm control drop everything above 35MBit (1MBit*0.35%) and not 0.7MBit (200MBit*0.35%), correct?

kind regards
Rolf

Hello,

I have a switchport interface (6704 card, Sup2T, IOS 15.1(2)SY1) with a few vlans (L2 + L3 mixed) on it that drops packets caused by storm control.

sh interfaces counters storm-control:
Port    UcastSupp %   McastSupp %   BcastSupp %   TotalSuppDiscards
Te9/3      100.00          0.35          0.35             5800188

I now would like to find out on which vlan I receive them.
Unfortunately the non-unicast counters for all vlan-interfaces show 0, example:

sh int vl300 | inc cast
  L2 Switched: ucast: 8023503 pkt, 2642606815 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 120002757406 pkt, 16510187670768 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 75127991555 pkt, 65410581551697 bytes - mcast: 0 pkt, 0 bytes
     Received 0 broadcasts (0 IP multicasts)

sh vlan id xxx counters also shows zeroes only for all vlans:
Vlan Id: 300
  L2 Unicast Packets          : 8023503
  L2 Unicast Octets           : 2642606815
  L3 Input Unicast Packets    : 120008317418
  L3 Input Unicast Octets     : 16512241861042
  L3 Output Unicast Packets   : 75144910816
  L3 Output Unicast Octets    : 65423693432219
  L3 Output Multicast Packets : 0
  L3 Output Multicast Octets  : 0
  L3 Input Multicast Packets  : 0
  L3 Input Multicast Octets   : 0
  L2 Multicast Packets        : 0
  L2 Multicast Octets         : 0

Is there a way to enable those counters or to find out which vlan receives those peaks without exporting the traffic to another system (SPAN, netflow, ...)?

kind regards
Rolf
[c-nsp] Storm control - find out which vlan hits the limit
Hello,

I have a switchport interface (6704 card, Sup2T, IOS 15.1(2)SY1) with a few vlans (L2 + L3 mixed) on it that drops packets caused by storm control.

sh interfaces counters storm-control:
Port    UcastSupp %   McastSupp %   BcastSupp %   TotalSuppDiscards
Te9/3      100.00          0.35          0.35             5800188

I now would like to find out on which vlan I receive them.
Unfortunately the non-unicast counters for all vlan-interfaces show 0, example:

sh int vl300 | inc cast
  L2 Switched: ucast: 8023503 pkt, 2642606815 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 120002757406 pkt, 16510187670768 bytes - mcast: 0 pkt, 0 bytes
  L3 out Switched: ucast: 75127991555 pkt, 65410581551697 bytes - mcast: 0 pkt, 0 bytes
     Received 0 broadcasts (0 IP multicasts)

sh vlan id xxx counters also shows zeroes only for all vlans:
Vlan Id: 300
  L2 Unicast Packets          : 8023503
  L2 Unicast Octets           : 2642606815
  L3 Input Unicast Packets    : 120008317418
  L3 Input Unicast Octets     : 16512241861042
  L3 Output Unicast Packets   : 75144910816
  L3 Output Unicast Octets    : 65423693432219
  L3 Output Multicast Packets : 0
  L3 Output Multicast Octets  : 0
  L3 Input Multicast Packets  : 0
  L3 Input Multicast Octets   : 0
  L2 Multicast Packets        : 0
  L2 Multicast Octets         : 0

Is there a way to enable those counters or to find out which vlan receives those peaks without exporting the traffic to another system (SPAN, netflow, ...)?

kind regards
Rolf
Re: [c-nsp] Replace NVRAMBattery - decrease impact
Slot 2,3 and 4 are not in use, I could remove the cover-cards and access the front part of slot 5 easily.

> The battery is right on the board behind the faceplate. I don't see how you could replace it without removing the sup at least part way.
>
> I will say I've seen failures on this particular test that were resolved by just reseating the battery.
>
> Andrew
>
> On Apr 1, 2014, at 11:00 AM, cisco-nsp-requ...@puck.nether.net wrote:
>
>> Replace NVRAMBattery - decrease impact
[c-nsp] Replace NVRAMBattery - decrease impact
Hello,

I just saw that here on a 6509-E + Sup2T:

router#show diagnostic result module 5
...
 51) TestNVRAMBatteryMonitor - F
...

From my understanding this means battery is empty and I need to replace the button cell. Correct?
Afair replacing it means nvram is lost and needs to be re-formatted + files copied back to it.
Is there a way to bypass this and to reduce downtime in case of a single sup?
Can I replace the battery during operation or does that have some side-effects (in case I avoid a short-circuit by touching something)?

kind regards
Rolf
[c-nsp] Access layer replacement for 6500/Sup720
Hello,

currently we use C6509 + Sup720 for IP access (routing + switching, ISP environment).
Means BGP + OSPF + HSRP, dual stack, no MPLS, no full table (a few hundred routes only).

Now I am looking for a small equivalent like a stackable 1HU Layer3 switch. Should have 40/48x 1GBit + 4/8x 10Gbit.
My dealer recommends a Cisco 3850, which is below 10k Euro for 48xCopper and 4x SFP+.
Sounds good from the specs, but I have no clue about IOS XE.
In the Configuration Guide Overview I do not see a CoPP-equivalent for that device. It is very important for me to have a (hardware-assisted) function to protect the router CPU in case of ddos to the router itself (or TTL expired packets).
How is that done on a 3850 or is a 3850 simply the wrong choice in my case?
Anything else I should be aware of? Known issues, design deficits, too small buffers, high outage rates or so stuff?

Are there any other recommendations in that or lower price region? Does not need to be Cisco.
What do other ISPs use for such scenarios?

kind regards
Rolf
Re: [c-nsp] Access layer replacement for 6500/Sup720
Hello Mark,

> If you want reasonably functional QoS ingress and egress, the ME3600X/3800X is your friend.

As far as I see no stacking and only 2x 10GBit.

> If you don't care about that (or other fancy features), and if your application is purely closet/LAN and not Metro, then there are lots of options between Cisco and other vendors in this space.

Then please tell me some models below 10k EUR that offer 8x10G + 48xRJ45 + stacking and have a reliable self-protection.
A basic layer3 switch with 2x 10GBit (that hangs as soon as the cpu is hit by 100k pps) isn't hard to find from nearly every vendor.

regards
Rolf
[c-nsp] ignore ip tcp adjust-mss packets in CoPP
Hi,

I just saw that strict filtering with CoPP (only allow peers and some management servers) breaks the ip tcp adjust-mss functionality.
The window size is manipulated to be able to redirect traffic via a tunnel from an anti-ddos provider.

Is there a smart way to bypass CoPP for exactly those packets without making 3/4 of the CoPP rules useless?
Adding a "permit tcp any any syn" or similar rule does not look like a good option to me.
I think of something like "mls rate-limit unicast cef glean" for packets needing ARP-action from the RP.

Hardware is a 6506 with Sup720-3B and 67xx cards.

kind regards
Rolf
[c-nsp] Sup720 - FIB full, software switching
Hi,

today I saw 2x Sup720-3B (default 192K IPv4 routes) that received a full table.
After FIB was filled IOS gave a warning that it now may forward in software (and reset all BGP sessions because of memory issues). I don't have the exact messages.

The real problem occurred after that. I shut the full table BGP session and cleared the others, the system now had a few routes only again. But it started to drop packets, I saw no pattern, it looked nearly random. I needed to reboot both boxes to resolve that issue.

IOS was s72033-advipservicesk9_wan-mz.122-33.SXJ.bin

Is there a way to avoid those issues by letting it just ignore routes not matching into the FIB?
Is there a command to reset the routing mode/routes back to CEF without reloading the box?

kind regards
Rolf
Re: [c-nsp] Sup720 - FIB full, software switching
Hi,

indeed, the limiter was installed.

kind regards
Rolf

> One other thing I noticed from your email and something that we've experienced in the past as well. I think it may also be related to hitting the TCAM limit but check to see if you have this command enabled:
>
> mls rate-limit unicast cef receive 1 255
>
> According to Cisco, that command will automatically get added to your config when the tables get full. That command will start to drop packets and unless you look for it you wouldn't know it's there because generally it's not. All BGP sessions appear normal and none of your interfaces show full yet you're still dropping packets. Cisco advised us to increase the receive to 100 to avoid any possible issues in the future.
>
> Thanks to the other replies about having to reload the switch to clear the TCAM exception. I didn't know that once you hit it that the only way to fix it was to completely reload the box.
>
> Jose
>
> On 2/3/2014 9:09 AM, Rolf Hanßen wrote:
>> Hi,
>>
>> today I saw 2x Sup720-3B (default 192K IPv4 routes) that received a full table.
>> After FIB was filled IOS gave a warning that it now may forward in software (and reset all BGP sessions because of memory issues). I don't have the exact messages.
>>
>> The real problem occurred after that. I shut the full table BGP session and cleared the others, the system now had a few routes only again. But it started to drop packets, I saw no pattern, it looked nearly random. I needed to reboot both boxes to resolve that issue.
>>
>> IOS was s72033-advipservicesk9_wan-mz.122-33.SXJ.bin
>>
>> Is there a way to avoid those issues by letting it just ignore routes not matching into the FIB?
>> Is there a command to reset the routing mode/routes back to CEF without reloading the box?
>>
>> kind regards
>> Rolf
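Jose's point is that the `mls rate-limit unicast cef receive 1 255` limiter can appear in the configuration by itself after a FIB exception and then drop RP-bound packets without any interface counter showing it. The following is an added example, not code from the list or from Cisco: it scans a saved `show running-config` for the cef glean/receive limiters and flags a receive limiter below the 100 pps the thread says Cisco advised, and it parses the `Current <family> FIB exception state = TRUE/FALSE` lines of `show mls cef exception status`. Both inputs here are constructed excerpts; the `minimum_pps` default and the extra config lines are assumptions for the example.

```python
"""Audit for the silent cef receive limiter (added example, not from the post).

Scans a saved running configuration for the `mls rate-limit unicast cef`
limiters and parses `show mls cef exception status`, so a monitoring job
can raise an alert instead of waiting for unexplained packet loss.
"""
import re

# Constructed config excerpt; the receive limiter line is the one the thread names.
SAMPLE_CONFIG = """\
hostname core1
!
mls rate-limit unicast cef glean 20000 60
mls rate-limit unicast cef receive 1 255
!
"""

# Constructed `show mls cef exception status` output (layout assumed from the platform).
SAMPLE_EXCEPTION = """\
Current IPv4 FIB exception state = TRUE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE
"""

LIMITER = re.compile(
    r"^mls rate-limit unicast cef (?P<kind>glean|receive)\s+(?P<pps>\d+)\s+(?P<burst>\d+)\s*$"
)
EXCEPTION = re.compile(
    r"^Current (?P<family>\S+) FIB exception state = (?P<state>TRUE|FALSE)\s*$"
)


def cef_rate_limiters(config):
    """Return {kind: (pps, burst)} for each cef glean/receive limiter present."""
    found = {}
    for line in config.splitlines():
        m = LIMITER.match(line.strip())
        if m:
            found[m["kind"]] = (int(m["pps"]), int(m["burst"]))
    return found


def receive_limiter_too_low(config, minimum_pps=100):
    """True when the cef receive limiter exists and is below minimum_pps.

    The thread reports the auto-installed value as 1 pps and the advised
    value as 100 pps; minimum_pps defaults to the latter (an assumption).
    """
    lim = cef_rate_limiters(config).get("receive")
    return lim is not None and lim[0] < minimum_pps


def fib_exception_states(text):
    """Return {family: bool} from `show mls cef exception status` lines."""
    states = {}
    for line in text.splitlines():
        m = EXCEPTION.match(line.strip())
        if m:
            states[m["family"]] = m["state"] == "TRUE"
    return states


def needs_attention(config, exception_text):
    """Summary a monitoring job can alert on: families in exception and
    whether the silent limiter is present at a throttling value."""
    exc = [f for f, on in fib_exception_states(exception_text).items() if on]
    return {"fib_exception": exc, "receive_limiter_low": receive_limiter_too_low(config)}
```

Run `needs_attention` against the saved outputs after any BGP event that could have pushed the FIB over its limit; per the replies in this thread only a reload clears the exception, so the check tells you a reload is due rather than fixing anything itself.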
Re: [c-nsp] Sup720 ignores boot variable
Hello Stuart,

looks like you are right, I will try to reboot in the next maintenance window and check if it works now.

#remote command switch show bootvar
BOOT variable = bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0xA141

(config)#config-register 0x2102

#remote command switch show bootvar
BOOT variable = bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0xA141 (will be 0x2102 at next reload)

kind regards
Rolf

> Check the value of the config register on the SP (remote command switch show bootvar). Odd things can happen if the SP and RP have different values for the config register.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
> Sent: 24 January 2014 00:19
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Sup720 ignores boot variable
>
> Hi,
>
> I am wondering why this sup720 ignores my boot variable and always boots the first image it finds.
>
> dir shows:
> --
> Directory of sup-bootdisk:/
>
>     1  -rw-    78212100   Jul 6 2010 17:27:04 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
>     2  -rw-    33554432   Jul 6 2010 17:36:30 +00:00  sea_log.dat
>     3  -rw-   143347044  Jan 16 2014 21:47:46 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
> --
>
> I tried:
> boot system flash bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
> as well as
> boot system flash sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
> I removed the old boot entry.
>
> after wr mem sh bootvar shows:
> --
> BOOT variable = (sup-)bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
> CONFIG_FILE variable =
> BOOTLDR variable =
> Configuration register is 0x2102
> Standby is not present.
> --
>
> In both cases result is:
> --
> Autoboot executing command: boot bootdisk:
> Initializing ATA monitor library...
> string is bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
> Loading image, please wait ...
> --
>
> If I delete s72033-advipservicesk9_wan-mz.122-33.SXH2.bin it starts s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin (which is now first image rommon finds).
>
> sh version:
> --
> Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXJ6, RELEASE SOFTWARE (fc3)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2013 by Cisco Systems, Inc.
> Compiled Fri 19-Jul-13 03:30 by prod_rel_team
>
> ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
> ...
> --
>
> I then upgraded rommon (sp with c6ksup720-rm2.8-5-4.srec, rp with c6msfc3-rm2.srec.122-17r.SX7) but still shows:
> Autoboot executing command: boot bootdisk:
>
> Is there some kind of sync issue or rommon bug or did I forget something ?
>
> kind regards
> Rolf
[c-nsp] Sup720 ignores boot variable
Hi,

I am wondering why this sup720 ignores my boot variable and always boots the first image it finds.

dir shows:
--
Directory of sup-bootdisk:/

    1  -rw-    78212100   Jul 6 2010 17:27:04 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
    2  -rw-    33554432   Jul 6 2010 17:36:30 +00:00  sea_log.dat
    3  -rw-   143347044  Jan 16 2014 21:47:46 +00:00  s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
--

I tried:
boot system flash bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
as well as
boot system flash sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin
I removed the old boot entry.

after wr mem sh bootvar shows:
--
BOOT variable = (sup-)bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin,1;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102
Standby is not present.
--

In both cases result is:
--
Autoboot executing command: boot bootdisk:
Initializing ATA monitor library...
string is bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH2.bin
Loading image, please wait ...
--

If I delete s72033-advipservicesk9_wan-mz.122-33.SXH2.bin it starts s72033-advipservicesk9_wan-mz.122-33.SXJ6.bin (which is now first image rommon finds).

sh version:
--
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXJ6, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 19-Jul-13 03:30 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
...
--

I then upgraded rommon (sp with c6ksup720-rm2.8-5-4.srec, rp with c6msfc3-rm2.srec.122-17r.SX7) but still shows:
Autoboot executing command: boot bootdisk:

Is there some kind of sync issue or rommon bug or did I forget something ?

kind regards
Rolf
[c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface
Hi,

we have a Stone Age router running here that wastes about 14HU of space that I need for something else:

12008/GRP
2x 1GBit NICs (upstream)
One ATM card:
NAME: slot 2, DESCR: 4 port ATM OC3 single mode, HwVer#: 1.1, SwVer#: 0.0
PID: 800-3873-01 rev K0 dev 994423, VID: V00, SN:

We use only one of the 4 ports to terminate 6 old SDSL lines.

Config:

interface ATM2/3
 no ip address
 no ip directed-broadcast
 atm sonet stm-1
 no atm enable-ilmi-trap
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable

6x Subinterface:

interface ATM2/3.xxx point-to-point
 ip unnumbered Loopback1
 no ip directed-broadcast
 no atm enable-ilmi-trap
 pvc 3/xxx
  oam-pvc manage
  encapsulation aal5snap

ip route x.x.x.x 255.255.255.248 ATM2/3.104

interface Loopback1
 description DSL-Loopback
 ip address
 no ip directed-broadcast
end

Traffic is less than 10 MBit, uses IPv4 only and receives a few routes via OSPF.

I would like to replace that box with something that is much smaller and consumes less power.
I have no clue about non-ethernet technology like ATM and so on and also no possibility for playing around/testing with another line.
Can you recommend something that I can use as a small (1 or 2 HU) + cheap 1:1 replacement?

kind regards
Rolf Hanßen
Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface
Hi Nick,

I found on Ebay:
CISCO7204VXR + NPE400 + PWR7200-AC + C7200-I/O-2FE - 160 Euro
PA-A3-OC3SMI ATM Port Adapter (73-2427-04 / PA-A3-OC3SMI) - 40 Euro

Would that combination be sufficient?
Is there something to take care of (size of RAM, bigger memory card for new IOS images) related to that platform ?

kind regards
Rolf

> On 20/01/2014 10:37, Rolf Hanßen wrote:
>> Can you recommend something that I can use as a small (1 or 2 HU) + cheap 1:1 replacement?
>
> Easiest thing would be to get a C7200 + ATM card from ebay. You don't need a fancy IO card. An NPE200 or NPE300 would be fine. The power draw on a configuration like this will be less than 100W, and you will pay very little for the equipment.
>
> If you wanted to spend money, you could get an asr1001 + atm card, but that would be a waste for so little traffic tbh.
>
> Nick
Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface
Hello,

a version without known security bugs sounds good to me. ;)
(according to http://tools.cisco.com/security/center/selectIOSVersion.x)

My list now contains:

CISCO7204VXR-CH
PWR-7200-AC=
NPE-400 (512 MB Ram)
C7200-I/O-2FE/E
PA-A3-OC3SMI

Anything else I forgot ?

kind regards
Rolf

> On Mon, 20 Jan 2014, Gert Doering wrote:
>
>> Hi,
>>
>> On Mon, Jan 20, 2014 at 12:06:22PM +0100, Rolf Hanßen wrote:
>>> I found on Ebay:
>>> CISCO7204VXR + NPE400 + PWR7200-AC + C7200-I/O-2FE - 160 Euro
>>> PA-A3-OC3SMI ATM Port Adapter (73-2427-04 / PA-A3-OC3SMI) - 40 Euro
>>>
>>> Would that combination be sufficient?
>>
>> It's end of everything, so current IOS won't work - but 12.3M will be there, and will do everything you need (and still gets security fixes, if I'm not mistaken).
>>
>> Besides that, it will easily get the job done.
>
> VXR with NPE-400 isn't out of everything. c7200-advipservicesk9-mz.152-4.M4.bin for instance work just fine on NPE-400 and is supported.
>
> To original poster, you probably want 512M of ram on it. It'll use approx 130-150W of power. If you need full tables, get NPE-G1 with 1G of RAM.
>
> So +1 on the 7200 recommendation for the description of what's needed.
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface
Hi,

yes, none of the 6 lines has more than 2 MBit, so 100MBit upstream is ok.

kind regards
Rolf

> On 20/01/2014 16:20, Aled Morris wrote:
>> Bear in mind this is dual Fast Ethernet not Gigabit Ethernet, compared to your current GSR.
>
> Traffic levels were ~10Mbit, afair?
>
> Nick
Re: [c-nsp] c6500 Low alarms on optics
Hi,

what kind of optics is that ?
The readings rely on the optics used.

Here an output of a system with some OEM LR optics and China DWDM:

--
                                         Optical   Optical
           Temperature  Voltage  Current  Tx Power  Rx Power
Port       (Celsius)    (Volts)  (mA)     (dBm)     (dBm)
---------  -----------  -------  -------  --------  --------
Te4/1      -63.0 --     0.00     35.5     -1.3      -5.5
Te4/2       26.1        0.00     26.1     -2.3      -7.1
Te4/3      -30.2 --     0.00     41.6     -2.8      -4.1
Te4/4       27.1        0.00     32.5     -2.1      -3.9
Te8/1       62.5 +      0.00    101.6      2.1      -9.6
Te8/2       87.2 ++     0.00     61.1     -1.2      -9.0
Te8/3       35.4        0.00    159.8     -3.5      -1.8
Te8/4      104.0 ++     0.00     67.8     -0.8      -3.0
Te9/1       48.3        0.00     91.2      1.3     -11.0
Te9/2       66.3 +      0.00     90.2      0.2      -6.7
Te9/3       57.6        0.00     67.4      1.9     -14.8
Te9/4       34.3        0.00    374.5      0.5 +   -16.2
--

I am quite sure the Xenpaks neither have -63 nor 104 degree Celsius. ;)

kind regards
Rolf

> I saw some (--) low alarms (current mA) on my optics in intfs ten3/2, 4/2, 4/7, 4/8, 7/1, 7/2, 7/12, 7/13, 7/16.
> I'm wondering if these alarms can cause any kind of problems.
> Has anyone experience ?
>
> Tks
>
> #sh inter transceiver
> Transceiver monitoring is disabled for all interfaces.
>
> If device is externally calibrated, only calibrated values are printed.
> ++ : high alarm, + : high warning, - : low warning, -- : low alarm.
> NA or N/A: not applicable, Tx: transmit, Rx: receive.
> mA: milliamperes, dBm: decibels (milliwatts).
>
>                                          Optical   Optical
>            Temperature  Voltage  Current  Tx Power  Rx Power
> Port       (Celsius)    (Volts)  (mA)     (dBm)     (dBm)
> ---------  -----------  -------  -------  --------  --------
> Te1/4       33.1        0.00     31.1     -2.2      -0.7
> Te1/6       35.9        0.00     37.5     -2.1      -1.3
> Te1/7       36.0        0.00     38.7     -2.1      -1.7
> Te2/4       30.4        0.00     33.0     -2.1      -1.8
> Te2/6       33.7        0.00     37.6     -2.1      -1.8
> Te2/7       32.7        0.00     37.8     -2.5      -1.8
> Te3/2       33.4        0.00      8.7 --  -2.1      -3.0
> Te3/7       35.7        0.00     37.8     -2.4      -2.0
> Te3/8       30.8        0.00     30.7     -2.5      -1.1
> Te4/2       32.6        0.00      8.0 --  -2.7      -8.2
> Te4/7       29.2        0.00      6.8 --  -2.9      -3.2
> Te4/8       27.3        0.00      5.6 --  -2.8      -7.2
> Te7/1       38.2        0.00      7.2 --  -3.8      -1.8
> Te7/2       37.5        0.00      7.1 --  -3.7      -4.7
> Te7/5       31.9        0.00     37.3     -2.3      -1.9
> Te7/9       28.0        0.00     35.2     -2.0      -1.0
> Te7/10      27.7        0.00     38.1     -2.1      -1.1
> Te7/12      29.7        0.00      6.0 --  -2.1      -3.2
> Te7/13      28.0        0.00      5.9 --  -2.5      -4.6
> Te7/16      27.6        0.00      5.7 --  -1.8      -2.1
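Rolf's reply makes the point that DOM readings are only as good as the optic reporting them: a XENPAK claiming -63 or 104 degrees Celsius is reporting garbage, so an alarm flag alone is not evidence of a problem. The following is an added example, not code from the list or from Cisco: it parses the `show interfaces transceiver` layout quoted above, where each numeric column may be followed by one of the `++`, `+`, `-`, `--` markers the legend defines, lists the flagged readings, and separately lists readings outside a plausibility window. The window values and the sample rows are constructed for the example and are not vendor thresholds.

```python
"""Transceiver DOM sanity check (added example, not from the list post).

Parses `show interfaces transceiver` rows in the layout quoted in the
thread, keeping the alarm marker that may follow each numeric column,
and separates "the optic raised an alarm" from "the optic's numbers
cannot be right", which is the distinction the reply draws.
"""
import re

# Markers as defined in the command's own legend.
FLAGS = {"++": "high alarm", "+": "high warning", "-": "low warning", "--": "low alarm"}
COLUMNS = ("temp_c", "volts", "current_ma", "tx_dbm", "rx_dbm")

# Assumed plausibility windows for sanity checking only, not vendor thresholds.
PLAUSIBLE = {"temp_c": (-10.0, 90.0), "current_ma": (0.0, 200.0)}

# Constructed sample rows in the same layout as the thread's output.
SAMPLE = """\
Te4/1      -63.0 --     0.00     35.5     -1.3      -5.5
Te4/2       26.1        0.00     26.1     -2.3      -7.1
Te8/4      104.0 ++     0.00     67.8     -0.8      -3.0
Te9/4       34.3        0.00    374.5      0.5 +   -16.2
Te3/2       33.4        0.00      8.7 --  -2.1      -3.0
"""

NUM = re.compile(r"^-?\d+(?:\.\d+)?$")
PORT = re.compile(r"^[A-Za-z]+\d+(?:/\d+)+$")


def parse_transceiver(text):
    """Return {port: {column: (value, flag_or_None)}} for each data row.

    A marker token is consumed only when it directly follows a number, so
    "8.7 --" is current 8.7 mA with a low alarm, while "-2.1" is a value.
    """
    result = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not PORT.match(tokens[0]):
            continue
        port, rest = tokens[0], tokens[1:]
        readings, i = {}, 0
        for col in COLUMNS:
            if i >= len(rest) or not NUM.match(rest[i]):
                break  # short or malformed row: keep what was parsed
            value, i = float(rest[i]), i + 1
            flag = None
            if i < len(rest) and rest[i] in FLAGS:
                flag, i = rest[i], i + 1
            readings[col] = (value, flag)
        result[port] = readings
    return result


def alarms(parsed):
    """(port, column, value, description) for every flagged reading."""
    out = []
    for port, readings in parsed.items():
        for col, (value, flag) in readings.items():
            if flag:
                out.append((port, col, value, FLAGS[flag]))
    return out


def implausible(parsed):
    """(port, column, value) for readings no real optic could produce."""
    out = []
    for port, readings in parsed.items():
        for col, (lo, hi) in PLAUSIBLE.items():
            if col in readings and not lo <= readings[col][0] <= hi:
                out.append((port, col, readings[col][0]))
    return out


def trustworthy_alarms(parsed):
    """Alarms on ports whose other readings are at least plausible."""
    bad_ports = {port for port, _, _ in implausible(parsed)}
    return [a for a in alarms(parsed) if a[0] not in bad_ports]
```

Only `trustworthy_alarms` is worth paging on: in the thread's second table the low-current alarms sit on ports whose temperatures are ordinary, so those are real readings worth a look, whereas the -63 and 104 degree entries in the first table disqualify their ports' alarms as noise from the optic itself.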
Re: [c-nsp] Sup2T interface ACL limitations
Hi,

no hints or experiences ?
No other providers using ACLs on the network borders ?

kind regards
Rolf

> Hello,
>
> I am thinking about dropping some (mainly ddos) traffic on the outside network borders with ACLs.
> The entries would include the basic stuff like src/dst IP, protocol + ports, maybe packet length.
> I would like to know about the limitations or potential conflicts with other functions.
>
> I read about up to 256K entries for a Sup2T (XL). Does that mean I can use a huge list with 200k entries and apply it ?
> Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of those 256k ?
> Where can I find the limitations, for example: How big can a single ACL be and how many ACLs can be combined in a policy ?
> Does it make a difference if I assign it via service-policy or ip access-group ?
> In case no ip unreachables is set, will there be any other impact on the RP ?
> Will certain sizes cause CPU trouble during installation ?
> Can I change ACLs / policy map while they are in use or will this need a reload ?
> Will those ACLs conflict with CoPP or any other functions ? I think of some "it matches in the ACL, so CoPP is ignored" behaviour.
>
> I found that command here for usage check, is there anything other to verify that could hit 100% ?
>
> Router#sh platform hardware capacity acl
> Classification Mgr Tcam Resources
> Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
>      RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
>      Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
>      ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
>
> Module  Ttlent  QoSent  RBLent  Lbl  LOU  TCP  Dstbl  Ethcam  ACTtbl  V6ext
> 5       1%      2%      0%      1%   2%   0%   2%     0%      0%      0%
>
> Is there maybe any caveat with certain hardware ?
> My systems are Sup2T XL in CFC-only mode, 67xx linecards.
>
> kind regards
> Rolf Hanßen
Re: [c-nsp] Sup2T interface ACL limitations
Hi Phil,

> On 16/12/13 12:25, Rolf Hanßen wrote:
>> no hints or experiences ?
>> No other providers using ACLs on the network borders ?
>
> These are all pretty basic questions; you might want to re-read the docs a few times to get a better understanding.

Unfortunately the docs only describe the theory. Maybe it works if I use an ACL with 100k entries but it takes a minute to install. Such things are usually not part of the docs or the information is spread over half a dozen documents that otherwise contain 99% redundant data.

>> I read about up to 256K entries for a Sup2T (XL). Does that mean I can use a huge list with 200k entries and apply it ?
>
> Maybe. That might be very slow to program into hardware though, and because it's using 50% of the TCAM the box won't be able to do a hitless modify.

>> Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of those 256k ?
>
> 10. There is an indirection mechanism.

>> Where can I find the limitations, for example: How big can a single ACL be and how many ACLs can be combined in a policy ?
>
> I don't know what this means; an ACL *is* a policy. You can't combine ACLs.

I mean to create several ACLs and combine them in a policy map like:

policy-map pm1
 class class1
  police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop
 class class2
  police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class1
 match access-group name acl1
class-map match-any class2
 match access-group name acl2

ip access-list standard acl1
 permit 1.2.3.0
 ...
ip access-list standard acl2
 permit 5.6.7.8
 ...

>> Does it make a difference if I assign it via service-policy or ip access-group ?
>
> Yes. They're totally different things. service-policy is a QoS policy, ip access-group is an ACL.

But does it make a difference if a packet is dropped in a policy instead of a big ACL ?
Does a policy scale better or maybe worse ?

>> In case no ip unreachables is set, will there be any other impact on the RP ?
>
> No.

>> Will certain sizes cause CPU trouble during installation ?
>
> Probably yes.

Are there any known to work or known to make trouble sizes ?

>> Can I change ACLs / policy map while they are in use or will this need a reload ?
>
> No you do not need a reload. Yes you can change them when they're in use. Be aware that sup2T has hitless ACL updates if certain conditions are met.

>> Will those ACLs conflict with CoPP or any other functions ?
>
> IIRC ACLs first, CoPP second. ACL denies don't go to CoPP, ACL permits do, but TBH I'm going from memory here.

>> I think of some "it matches in the ACL, so CoPP is ignored" behaviour.
>> I found that command here for usage check, is there anything other to verify that could hit 100% ?
>
> These stats are available over SNMP.

>> Is there maybe any caveat with certain hardware ?
>> My systems are Sup2T XL in CFC-only mode, 67xx linecards.
>
> Be aware that ACLs are per-PFC/DFC on this platform.

regards
Rolf
Re: [c-nsp] Sup2T interface ACL limitations
Hello Roland,

>> I am thinking about dropping some (mainly ddos) traffic on the outside network borders with ACLs.
>
> ACLs don't work well as a DDoS reaction mechanism. They're good for protecting your network infrastructure:
>
> https://app.box.com/s/osk4po8ietn1zrjjmn8b
>
> S/RTBH is much better as a DDoS reaction mechanism:

I already thought about that (after trying out uRPF, before ever reading that term).
My fear is that somebody creates blackholes in my network with spoofed source IPs. I think this is a potential damage amplifier and may cause much bigger impact than a flooding itself could ever do.
I could black/whitelist something like 8.8.8.8, but I think there is no chance to build a list that will ever be sufficient for blackholing sources.
I furthermore think I will run into problems as soon as I block anything from source xy in the complete network, i.e. also for customers that do not want their traffic to be filtered at all.

> All the caveats folks have noted about ACLs hold true.

But are there any experience reports / measurements in place ?
For example how long does an upload of 100 rules via TFTP or SSH + activation of it take on a Sup2T ? Does it behave linear, exponential or will a set of 200 rules only take 10% longer ? Will there be an impact while applying it ?
What about changing rules ? Will adding/removing take less or more resources/time than just replacing the whole set with a new one ?
That is the stuff I am interested in.

>> Maybe it works if I use an ACL with 100k entries but it takes a minute to install.
>
> In what topological situation do you need 100K entries? Unless you're a very large wholesale transit network trying to enforce anti-spoofing for downstreams of your downstreams, do you really need that many entries?

That was just a sample number, not an expectation.
Maybe I will never need more than 100 entries, but I think it is important to know the limits before hitting them. ;)

kind regards
Rolf
[c-nsp] Sup2T interface ACL limitations
Hello,

I am thinking about dropping some (mainly ddos) traffic on the outside network borders with ACLs.
The entries would include the basic stuff like src/dst IP, protocol + ports, maybe packet length.
I would like to know about the limitations or potential conflicts with other functions.

I read about up to 256K entries for a Sup2T (XL). Does that mean I can use a huge list with 200k entries and apply it ?
Will an ACL with 10 entries configured on 5 interfaces use 10 or 50 of those 256k ?
Where can I find the limitations, for example: How big can a single ACL be and how many ACLs can be combined in a policy ?
Does it make a difference if I assign it via service-policy or ip access-group ?
In case no ip unreachables is set, will there be any other impact on the RP ?
Will certain sizes cause CPU trouble during installation ?
Can I change ACLs / policy map while they are in use or will this need a reload ?
Will those ACLs conflict with CoPP or any other functions ? I think of some "it matches in the ACL, so CoPP is ignored" behaviour.

I found that command here for usage check, is there anything other to verify that could hit 100% ?

Router#sh platform hardware capacity acl
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
     RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
     Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
     ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table

Module  Ttlent  QoSent  RBLent  Lbl  LOU  TCP  Dstbl  Ethcam  ACTtbl  V6ext
5       1%      2%      0%      1%   2%   0%   2%     0%      0%      0%

Is there maybe any caveat with certain hardware ?
My systems are Sup2T XL in CFC-only mode, 67xx linecards.

kind regards
Rolf Hanßen
Re: [c-nsp] VLAN bridging and routing on 7600
Hello Rod,

don't know if there is something special with RSP720 (or I do not understand the question), but this sounds to me like simple switching + a SVI:

int Gi1/x
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add <the vlans on that port>
exit
interface vlan1234
 no shutdown
 ip address x.x.x.x mask
exit

kind regards
Rolf

> Hi
>
> I need to pass a couple of vlans from my switch trunk port to another switch trunk both of which connected to my 7600 with RSP7203cxl. Then from the same trunk port I have to get another vlan and assign an ip address to that vlan.
>
> switchA ---*trunk*--- 7600 ---*trunk*--- switchB
>             X,Y,Z       |        Y,Z
>                         |
>                    vlanX (ip address x.x.x.x)
>
> Looking around I see IRB, but it's not supported in 7600s according documentations.
>
> Hope someone could provide assistance or if it is even possible with my current setup.
>
> Thanks!
>
> --
> Rod Bio
Re: [c-nsp] Unicast as Anycast
Hi,

that could work:
Add the Arin ASN to your RIPE AS-set.
Tell Level3 to use the object from RADB instead of RIPE and they should have all networks then.

You can check what their prefixgen creates:
whois -h filtergen.level3.net RIPE::AS123

kind regards
Rolf

> Hi Gert
>
> I'd love to see my unicast network announced from Miami and Madrid :) !!
> But I have two different ASN, I don't know if this is a problem.
> No load balancing and yes, I think I have a problem with objects and Level3. I don't know how Level3 in US will open their filters for a RIPEs /24. The /24 seems to be announced only from Spain (I searched through one of my carriers looking glass in Miami and the prefix is seeing only from Spain).
>
> cheers!
>
> On Mon, Nov 25, 2013 at 3:33 PM, Gert Doering g...@greenie.muc.de wrote:
>> Hi,
>>
>> On Mon, Nov 25, 2013 at 02:06:30PM +0100, JJ wrote:
>>> I'm looking to make some tests with anycast(for DDoS mitigation). Does someone tried to achieve this with unicast IPs?. You know it's not possible to get more IP assignments from RIPE, and after asking RIPE for anycast assignments, they told me we still could use unicast for this purpose. It sounds a bit weird to me...but I made a try and configured a /24 being announced in our AS(different ASN) in Miami and Madrid(Spain), then I just asked my carriers to open their filters and... It doesn't work.
>>>
>>> Have you ever tried a configuration like this? (and successful :) ) ,or, perhaps, am I trying the impossible?
>>
>> There are no anycast IPs in IPv4. There is just unicast networks announced from multiple places, and that works great :-)
>>
>> The anycast thing in the RIPE policies is if you plan to do anycast deployment, and have no existing addresses you can use for that, there was a special policy to give out /24s from a well-known block for that particular purpose. It's still unicast IPs.
>>
>> If it's not working for you, you're likely missing route: objects (so your announcements are getting filtered), or you're trying TCP traffic with some loadbalancing in the mix, with half the packets going to the one site and the other half going to the other site - TCP won't work.
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>>                                                            // www.muc.de/~gert/
>> Gert Doering - Munich, Germany                             g...@greenie.muc.de
>> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Amix Peering
Hello,

no, you will only receive customer and own routes of those ISPs that also peer with the route servers. Not all members also peer with the route servers. That results in only a small part of the full table; we learn 73k of about 462k prefixes at AMS-IX for example:

  edge1-ams3#sh ip bg summary | inc 6777
  195.69.144.255  4  6777   138639    11980  363075759    0    0 1w0d   73012
  195.69.145.0    4  6777  1654482    23160  363075759    0    0 2w0d   72728

So you will still need an upstream provider, but you can decrease the traffic amount passing your upstream.

kind regards
Rolf

> Thank you Mikael
>
> I believe one can peer with them (2 peers, x.x.145.1 and 144.1). If so, what will be published to us? Will they have a full bgp table or will they be missing some prefixes from the global table?
>
> Thank you
>
> On Thursday, October 24, 2013 1:34 PM, Mikael Abrahamsson swm...@swm.pp.se wrote:
>> On Thu, 24 Oct 2013, naresh reddy wrote:
>>> will they charge us for the traffic that we pump and pull to internet on per MB basis ?? if so what would be the cost
>>
>> No, they will not charge you for traffic.
>>
>> --
>> Mikael Abrahamsson  email: swm...@swm.pp.se
Re: [c-nsp] 10Gig CWDM
Hello,

we have used a few noname China DWDM Xenpaks as well as SFP+ optics with Xenpak adapter for about 2 years now in 6704 cards. No outages or issues yet. But no idea if there is a difference to the Smartoptics or if DWDM/CWDM support differs. You should think about using SFP+ + adapter, I think there is a better chance to re-use them after 6500.

kind regards
Rolf

> Hello Everyone,
>
> We are looking into upgrading some links actually on a cwdm run to 10Gig. After looking into DWDM equipment I was told to check into 10Gig CWDM plugs offered in sfp+ / xenpak / x2 / xfp etc, such as the ones offered by smartoptics: http://www.smartoptics.com/optical-transceivers/10g-ethernet-2/
>
> As we would like to add this to our existing 6500s, does anyone have any experience using the x2/xenpaks in a cisco 6500 environment? AFAIK cisco does not support 10G CWDM plug-ins, at least I can't find anything stating that they do publicly. They are telling me it'll work but is unsupported, yet I would sleep better at night knowing that we are not beta testers.
>
> Thanks
> Brian
Re: [c-nsp] Sup2T - poor netflow performance
Hello,

> Sampling is the normal mode of flow telemetry generation used by large network operators, so its utility is pretty well-established.

I know, that is why I asked for a known-to-work config; we use netflow for the first time, others may have some years of experience and also use it on a Sup2T.

> Did you configure the collection/analysis software so that it knows the sampling ratio from this exporter

The software (Andrisoft WANSIGHT / WANGUARD) should be aware of sampling, at least you define the sampling rate in the collector config.

> are you sure that the traffic in question was traversing the interfaces on which NetFlow is enabled in the appropriate direction?

Yes, it does. I guess if I made some other logical error it would not appear in the unsampled config either.

kind regards
Rolf
Re: [c-nsp] Sup2T - poor netflow performance
Hi,

the whole interface config:

  interface Vlan1421
   description ...
   ip address x.x.x.x 255.255.255.252
   no ip redirects
   no ip proxy-arp
   ip ospf authentication message-digest
   ip ospf message-digest-key 1 md5 7 ..
   ip ospf cost 1000
   load-interval 30
   ipv6 address x::1/y
   ipv6 enable
   ipv6 nd ra suppress
   no ipv6 redirects
   ipv6 ospf 1 area 2069
   ipv6 ospf cost 1000
  end

I apply netflow with:

   ip flow monitor monitorname input
   ip flow monitor monitorname output

Also tried with the unicast parameter, no effect. Changing "collect interface" to "match interface" doesn't help either. Replacing the record type with the platform default (record platform-original ipv4 interface-full) does not reduce load either.

I guess it uses no sampling. How do I configure/enable sampling? How do I see if it is sampled? I see no commands that look like they configure or verify the sampling rate.

It's a 7609-S with CFC only and WS-X67xx linecards.

kind regards
Rolf

> On Oct 17, 2013, at 7:06 PM, Rolf Hanßen n...@rhanssen.de wrote:
>> For example a box exporting something to a Peakflow SP for dos recognition. I recognized that starting a random-source-ip flood over my box even could make the cli freeze.
>
> This is not normal. What does your per-interface config look like? Are you sampling? What linecards are you using? Are they DFC4s or CFC linecards?
>
> Just as an aside, it would be advisable not to use the collect verb for the input interface, but rather to use the match verb in order to use input ifindex as a key field. 'Collect' is for non-key fields.
>
> - Roland Dobbins rdobb...@arbor.net
Re: [c-nsp] Sup2T - poor netflow performance
Hello Roland,

I already tried with single direction. The load is lower but much higher than the same traffic on a Sup720-3B. Input only still creates an average of ~20% cpu utilisation with less than 1 GBit live traffic.

I now added a sampling rate of 100:

  sampler 1_to_100
   mode random 1 out-of 100

  interface Vlan1421
   ip flow monitor monitorname sampler 1_to_100 input
   ip flow monitor monitorname sampler 1_to_100 output

This reduces cpu usage of the netflow processes to less than 5%, but it looks to me that the exported data is not useful anymore (a stream with double the pps rate of everything else was not recognized by the collector software).

Any other ideas?

kind regards
Rolf

> On Oct 18, 2013, at 12:13 PM, Rolf Hanßen n...@rhanssen.de wrote:
>>   ip flow monitor monitorname input
>>   ip flow monitor monitorname output
>
> If you're collecting both ingress and egress NetFlow on the same interface, this could be contributing to your issues - Cisco do not recommend doing this due to overflow issues (which could lead to punting).
>
> Sampler configuration is covered in the Flexible NetFlow Command Reference for 15.x on cisco.com.
>
> And again, input ifindex should be obtained via 'match', not 'collect', in order to ensure that it's a key field.
>
> - Roland Dobbins rdobb...@arbor.net
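The collector-side half of the sampling question in this exchange (whether the analysis software knows the exporter's 1-out-of-N ratio, and why a random-source flood is hard to spot in per-flow records), as an added example. This is not code from the thread nor from WANGUARD or Peakflow SP; it assumes a hypothetical exporter address 192.0.2.1 configured with "mode random 1 out-of 100", a 60 s active timeout, a hypothetical 1000 pps alarm threshold, and constructed flow records.

```python
"""Scale sampled NetFlow counters by the exporter's sampling ratio before
looking for a packet-rate anomaly.  Added example with constructed records;
not code from the thread or from any collector product."""
from collections import defaultdict

# Hypothetical exporter address -> configured 'mode random 1 out-of N'.
SAMPLING_RATIO = {"192.0.2.1": 100}
WINDOW_SECONDS = 60   # assumed active timeout of the flow cache
PPS_THRESHOLD = 1000  # hypothetical alarm threshold, packets per second


def sampled_flood_records(exporter, flood_dst, flood_samples, baseline_flows):
    """Constructed records as a 1-out-of-N sampler hands them to the collector
    during a random-source flood.  Every sampled flood packet carries a fresh
    source address, so each flood record counts a single packet and never
    stands out on its own; the baseline flows are ordinary long-lived sessions."""
    recs = [{"exporter": exporter, "src": f"203.0.113.{i % 254 + 1}",
             "dst": flood_dst, "packets": 1, "bytes": 64}
            for i in range(flood_samples)]
    recs += [{"exporter": exporter, "src": "198.51.100.10",
              "dst": f"10.0.0.{i + 1}", "packets": 50, "bytes": 60000}
             for i in range(baseline_flows)]
    return recs


def estimate_pps_by_dst(records, ratios, window=WINDOW_SECONDS):
    """Estimate packets per second per destination.  Each sampled counter is
    multiplied by its exporter's ratio.  An exporter missing from 'ratios' is
    treated as unsampled (ratio 1), which is the misconfiguration that makes a
    1:100 sampled flood look 100x smaller than it really is."""
    totals = defaultdict(int)
    for r in records:
        totals[r["dst"]] += r["packets"] * ratios.get(r["exporter"], 1)
    return {dst: pkts / window for dst, pkts in totals.items()}


def flagged_destinations(records, ratios, threshold=PPS_THRESHOLD):
    """Destinations whose estimated packet rate reaches the threshold."""
    pps = estimate_pps_by_dst(records, ratios)
    return sorted(dst for dst, rate in pps.items() if rate >= threshold)


if __name__ == "__main__":
    recs = sampled_flood_records("192.0.2.1", "10.0.0.99", 900, 5)
    print("ratio known  :", flagged_destinations(recs, SAMPLING_RATIO))
    print("ratio unknown:", flagged_destinations(recs, {}))
```

With the ratio known, 900 sampled one-packet records towards 10.0.0.99 become an estimated 1500 pps and are flagged; with the ratio unknown the same records look like 15 pps and the flood disappears, which is the symptom of a collector that does not apply the exporter's sampling rate. Aggregating by destination rather than by 5-tuple is what makes the random-source case visible at all.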
Re: [c-nsp] Sup2T - poor netflow performance
Hello,

the discussion got a bit off-topic. I have the same issue (cpu-usage explodes after enabling netflow).

@Jiri: Were you able to solve that problem? There was no follow-up.

@Roland: Do you have a sample config / IOS version combination known to work with a high amount of traffic/pps/src-dst-combinations? For example a box exporting something to a Peakflow SP for dos recognition. I recognized that starting a random-source-ip flood over my box even could make the cli freeze.

I tested with:

  System: Sup2T-XL with 15.1(1)SY1, full table.
  Cards: WS-X6704-10GE, WS-X6748-GE-TX, WS-X6724-SFP (CFC only)
  Traffic is only approx 10-15GBit

Config:

  flow record xy
   match ipv4 protocol
   match ipv4 source address
   match ipv4 destination address
   match transport source-port
   match transport destination-port
   match flow direction
   collect interface input
   collect interface output
   collect counter bytes
   collect counter packets
   collect timestamp sys-uptime first
   collect timestamp sys-uptime last

kind regards
Rolf

> On Tue, March 26, 2013 4:37 pm, Jiri Prochazka wrote:
> Hi,
>
> after replacing one of our old vs-s720-3cxl and 6708-3cxl combos for a new sup2t-xl and 6908-2txl I'm struggling with really poor netflow performance. In fact, enhanced netflow capacity and capabilities were the major reasons for the upgrade.
>
> On the old vs-s720-3cxl setup we have used interface-src-dst flowmask. With aggressive timing, this setup was able to 'handle' around 6 Gbps of standard Internet traffic (per DFC) without undercounting and overwhelming the whole box.
>
> Now, when using sup2t-xl, which has a two times bigger netflow table (512k for ingress flows) and faster CPU, I'm not able to get it working even with the same level of traffic. As soon as traffic on ingress reaches approximately 3 Gbps, and the number of flows per one cache (card) exceeds 200k, the whole box begins to be unresponsive to SNMP polls, times out some commands (for example show platform flow ip count module x) and the CLI begins to lag.
>
> Furthermore, I get a lot of the following messages -
>
>   %IPC-DFC2-5-WATERMARK: 2013 messages pending in rcv for the port Card2/0:Request(202.7) seat 202
>   %IPC-DFC2-5-WATERMARK: 2019 messages pending in rcv for the port Card2/0:Request(202.7) seat 202
>
> Utilization of CPU either of Sup or linecards is acceptable (under 60%, the majority is taken by 'NF SE export thr' and 'NF SE Intr Task' processes).
>
> Settings of netflow are the following -
>
>   flow record SRC-IP-IF-DST-IP-IF-AS
>    match ipv4 source address
>    match ipv4 destination address
>    collect routing source as
>    collect routing destination as
>    collect routing next-hop address ipv4
>    collect interface input
>    collect interface output
>    collect counter bytes
>    collect counter packets
>    collect timestamp sys-uptime first
>    collect timestamp sys-uptime last
>
>   flow monitor LIVEBOX-MONITOR
>    description LIVEBOX v9 monitor
>    record SRC-IP-IF-DST-IP-IF-AS
>    exporter LIVEBOX-EXPORT
>    cache timeout inactive 3
>    cache timeout active 60
>
>   flow exporter LIVEBOX-EXPORT
>    destination x.x.x.x
>    source Vlanx
>    transport udp 9996
>
> Did you notice any REAL performance boost compared to older Sup720 with B/CXL DFCs?
>
> Thank you!
>
> --
> Jiri Prochazka
> network administrator (AS39392)
> SuperNetwork s.r.o.
Re: [c-nsp] Sup2T / IOS15 licensing questions
Hello,

ok, beside the technical stuff: How do you guys manage the licenses if there is no number/certificate/key? Let's say a fired ex-employee tells Cisco you have no license for 5 of your ten boxes upgraded last year and they do not ignore him. How do you show them you have valid licenses? I guess at least anybody who upgraded from Sup720 to Sup2T bought Supervisor and license separately and not bundled as part of a filled chassis.

kind regards
Rolf

> On 08/29/2013 11:12 PM, Rolf Hanßen wrote:
>> Hi,
>> so there is no key or certificate or reference number at all ?
>
> There is no electronic licensing, that's correct. I suppose it's possible Cisco keep a record of device serial numbers and whether an IOS license was purchased at the time, and if so what, but the devices certainly don't.
>
>> What prevents customers to buy one alibi license for all devices if there is no link to the device?
>
> As Blake says: the law.
>
>> Does it have any effect at all if you configure/install such a pseudo license or not ?
>
> TBH I didn't even know there were licensing CLI commands on the box, and I suspect they do nothing. I don't even know if you need the license you've paid for. You should speak to your reseller and Cisco account manager to clarify things.
Re: [c-nsp] Sup2T / IOS15 licensing questions
Hello Blake,

the question was more the other direction: How do I prove/verify I have a valid license if I receive nothing that says "here is your Cisco license #xx for IOS Advanced IP Services on Sup2T"? I now paid around 8k Dollar and only have a CD (Windows says it's even a CDRW) with a Cisco logo + the image name / version printed on it and the dealer's invoice that I bought 1x license. For that price I want to be sure that it is not just a CD made by some guys in China with a good CD printer.

kind regards
Rolf

> Well, it's copyright infringement if you knowingly violate the terms of the software licensing, so treat that as you may as far as any enforcement vs just buying one license and installing it on many devices.
>
> -Blake
>
> On Thu, Aug 29, 2013 at 5:12 PM, Rolf Hanßen n...@rhanssen.de wrote:
>> Hi,
>>
>> so there is no key or certificate or reference number at all ? What prevents customers to buy one alibi license for all devices if there is no link to the device? Does it have any effect at all if you configure/install such a pseudo license or not ?
>>
>> regards
>> Rolf
>>
>>> On 29/08/13 17:45, Rolf Hanßen wrote:
>>>> How do I see if the correct features were enabled or which type (baseip, ipservice, advipservice) is installed ? Maybe somebody with a working and licensed router can compare the output ? What happens if I reboot and the license was wrong (i.e. baseip only), does the IOS reject commands in that case or is the whole licensing on 6500/7600 just a dummy ?
>>>
>>> That's not how 6500 works. For 6500, on both sup720 and sup2T IIRC, the feature set is determined by the image you boot. There's no license key for advanced IP services - you just boot that image. To see which feature is installed/enabled, just look to see which image is booted. The right to use the software comes from having purchased that version of the software with the chassis, or having purchased an upgrade later on.
>>>
>>> See also http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/qa_c67-661785.pdf
>>>
>>> As an example - most of our 6500 purchases came with a line item for:
>>>
>>>   S733ZK9M-12218SXD
>>>
>>> ...which is the Advanced IP service package, and confers the right to use that image (and smartnet confers the right to upgrade).
Re: [c-nsp] 6500, 7600 or ASR
Hello,

just for my interest: what amount of routes are we discussing?

  show platform hardware capacity:
  L3 Forwarding Resources
               FIB TCAM usage:                     Total        Used       %Used
                    72 bits (IPv4, MPLS, EoM)     1048576      460874       44%
                   144 bits (IP mcast, IPv6)       524288       14178        3%
                   288 bits (IPv6 mcast)           262144           1        1%

Do you expect to have more than 1M IPv4 / 512k IPv6 routes or is there some other limitation I do not see?

Back to topic: If shaping and not only rate-limiting is needed (was mentioned in the initial mail), 6500/7600 is no option anyway afaik.

kind regards
Rolf

> On Thu, 29 Aug 2013, chip wrote:
>> Let's all also remember the TCAM limitations on the 7600/Sup2T platform. With the BGP table growing like it is, you'll need to carve up IPv4/IPv6 TCAM allocation and could likely run out in the not-so-distant future. IMHO, unless something amazing happens for the 7600/Supervisor platform, this thing is dead as a DFZ BGP router and people should be looking elsewhere moving forward. Both ASR lines (1k/9k) offer much better router capabilities and growth paths. The 6500/7600 platform has had a helluva run, but I believe its time has passed.
>
> The TCAM limitation will kill the 6500/7600 platform for BGP router use _unless_ cisco comes out with a new PFC and DFCs that raises the limit. I still wonder what they were thinking with the Sup2T and why it didn't get any more routing slots than the Sup720-3BXL. This platform is the cheapest way to get lots of gigabit (or even 10 gigabit) ports and line rate performance in a BGP capable router...but sometime in the next couple of years, the current Sups and DFCs probably won't handle a full table. More TCAM and faster CPUs could keep the 6500 series viable for a long time.
>
> I haven't followed the thread closely enough to know if netflow was ever elaborated. The 6500 does netflow. Whether the netflow it does is sufficient for the OP's needs is the question.
>
> --
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
>  _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Re: [c-nsp] 6500, 7600 or ASR
Hi,

this is from a Sup2T/PFC4XL with 67xx cards (CFC only mode). Default values, no config related to the CAM size.

A similar system with Sup720-3BXL looks like:

  L3 Forwarding Resources
    Module   FIB TCAM usage:                     Total        Used       %Used
       5        72 bits (IPv4, MPLS, EoM)       524288      462992       88%
               144 bits (IP mcast, IPv6)        262144       14188        5%

btw, can somebody confirm that Sup2T can handle 1M IPv4 + 512k IPv6 at the same time, or is it calculated like for example Foundry does in the MLX/XMR (1M IPv4 or 256k IPv6, every IPv6 entry takes 4x IPv4 slots)?

kind regards
Rolf

> On Fri, 30 Aug 2013, Rolf Hanßen wrote:
>> Hello,
>> just for my interest: what amount of routes are we discussing ?
>>
>>   show platform hardware capacity:
>>   L3 Forwarding Resources
>>                FIB TCAM usage:                     Total        Used       %Used
>>                     72 bits (IPv4, MPLS, EoM)     1048576      460874       44%
>>                    144 bits (IP mcast, IPv6)       524288       14178        3%
>>                    288 bits (IPv6 mcast)           262144           1        1%
>>
>> Do you expect to have more than 1M IPv4 / 512k IPv6 routes or is there some other limitation I do not see ?
>
> Is that a Sup-2T with PFC4XL? Everything I'd read about it said it had the same FIB as the PFC3XL.
>
> i.e. http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-676346.html
>
> "The FIB in the PFC4 contains 256 K entries, while the FIB in the PFC4XL contains 1 million entries. These are the same as their PFC3x forwarding engine counterparts. The FIB in the PFC4 contains prefix entries for IPv4 and IPv6 global address, IPv4 and IPv6 multicast addresses and MPLS label entries. There is a level of partitioning that exists to ensure there is always some space available for different types of forwarding entries. There is some flexibility from a user configuration standpoint that allows these partition boundaries to be changed to accommodate more of one type of forwarding entry. For example, in the PFC4XL, the default setting provides for 512 K IPv4 entries, and this can be increased through configuration control to support up to 1 M entries if required."
>
> --
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
>  _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
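A way to keep an eye on the FIB TCAM figures discussed in these two messages before a box runs out of room, as an added example that is not code from the thread. It parses the "L3 Forwarding Resources" table of "show platform hardware capacity forwarding" together with the output of "show mls cef exception status" (the per-family flag IOS raises once the FIB has overflowed and the overflow is being handled in software). The sample output is constructed here, modelled on the Sup720-3BXL figures quoted above; the 90% warning threshold and the report format are this example's own choices.

```python
"""Parse FIB TCAM utilisation and FIB exception state from Cisco 6500/7600
show output and report regions that are nearly full or already overflowed.
Added example with constructed sample output; not code from the thread."""
import re

# Constructed sample: a Sup720-3BXL style table with the module column.
SAMPLE_CAPACITY = """\
L3 Forwarding Resources
  Module   FIB TCAM usage:                     Total        Used       %Used
     5        72 bits (IPv4, MPLS, EoM)       524288      462992       88%
             144 bits (IP mcast, IPv6)        262144       14188        5%
"""

# Constructed sample of 'show mls cef exception status' on a healthy box.
SAMPLE_EXCEPTION = """\
Current IPv4 FIB exception state = FALSE
Current IPv6 FIB exception state = FALSE
Current MPLS FIB exception state = FALSE
"""

# The optional leading integer is the module column printed by Sup720 boxes.
ROW_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<width>\d+) bits \((?P<families>[^)]*)\)\s+"
    r"(?P<total>\d+)\s+(?P<used>\d+)\s+(?P<pct>\d+)%")
EXC_RE = re.compile(
    r"^Current (?P<family>\S+) FIB exception state = (?P<state>TRUE|FALSE)")


def parse_fib_tcam(text):
    """One dict per TCAM region: entry width, address families sharing it,
    total/used/free entries and the utilisation recomputed from the counters
    (the printed %Used column is rounded, so it is not trusted)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        total, used = int(m["total"]), int(m["used"])
        rows.append({
            "width_bits": int(m["width"]),
            "families": [f.strip() for f in m["families"].split(",")],
            "total": total,
            "used": used,
            "free": total - used,
            "used_pct": 100.0 * used / total,
        })
    return rows


def parse_exception_state(text):
    """Map address family -> True when that family's FIB has overflowed,
    i.e. prefixes beyond the TCAM are now being looked up by the RP CPU."""
    matches = (EXC_RE.match(line) for line in text.splitlines())
    return {m["family"]: m["state"] == "TRUE" for m in matches if m}


def tcam_report(capacity_text, exception_text, warn_pct=90.0):
    """Combine both outputs into a list of findings, most severe first."""
    findings = []
    for family, tripped in parse_exception_state(exception_text).items():
        if tripped:
            findings.append(
                f"CRITICAL {family} FIB exception TRUE: already software switching")
    for row in parse_fib_tcam(capacity_text):
        if row["used_pct"] >= warn_pct:
            families = ", ".join(row["families"])
            findings.append(
                f"WARNING {row['width_bits']}-bit region ({families}) "
                f"{row['used_pct']:.1f}% used, {row['free']} entries free")
    return findings


if __name__ == "__main__":
    for finding in tcam_report(SAMPLE_CAPACITY, SAMPLE_EXCEPTION, warn_pct=80.0):
        print(finding)
```

Feed it the two command outputs captured over SSH or from a RANCID/Oxidized config backup; the exception state check matters because a box that has already tripped the flag may still show less than 100% in the capacity table, depending on how the regions are partitioned.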
[c-nsp] Sup2T / IOS15 licensing questions
Hello,

I just wanted to install an IOS license for the first time (advipservicek9 on Sup2T with IOS 15). Unfortunately I have no clue about that topic and my dealer and Cisco support do not seem to have either.

I got no license number or anything else from my dealer, just a CD with the image. Cisco sent me a link to generate a license with serial and model number. I generated a file and installed it:

  Installing...Feature:MACSec_Encryption...Successful:Supported
  1/1 licenses were successfully installed
  0/1 licenses were existing licenses
  0/1 licenses were failed to install

Now the questions:

How does Cisco know what license I bought and what features to enable? They did not check any invoice, they have no clue what I bought (I just told them on the phone that I bought one).

A "show license detail" now shows:

  Index: 1   Feature: MACSec_Encryption   Version: 1.0
      License Type: Permanent
      License State: Active, Not in Use
      License Count: Non-Counted
      License Priority: Medium
      Store Index: 0
      Store Name: Primary License Storage
  Index: 2   Feature: TEST_FEATURE_1   Version: 1.0
      License Type: Evaluation
      License State: Active, Not in Use, EULA not accepted
          Evaluation total period: 4 weeks 2 days
          Evaluation period left: 4 weeks 2 days
      License Count: Non-Counted
      License Priority: None
      Store Index: 0
      Store Name: Evaluation License Storage
  Index: 3   Feature: TEST_FEATURE_2   Version: 1.0
      License Type: Evaluation
      License State: Active, Not in Use, EULA not accepted
          Evaluation total period: 1 hour 0 minute
          Evaluation period left: 1 hour 0 minute
      License Count: Non-Counted
      License Priority: None
      Store Index: 1
      Store Name: Evaluation License Storage

How do I see if the correct features were enabled or which type (baseip, ipservice, advipservice) is installed? Maybe somebody with a working and licensed router can compare the output?

What happens if I reboot and the license was wrong (i.e. baseip only), does the IOS reject commands in that case or is the whole licensing on 6500/7600 just a dummy?

What is my proof that I have a valid license in case somebody checks/requests this for whatever reason? The CD, the invoice or something else?

kind regards
Rolf
Re: [c-nsp] Sup2T / IOS15 licensing questions
Hi,

so there is no key or certificate or reference number at all? What prevents customers to buy one alibi license for all devices if there is no link to the device? Does it have any effect at all if you configure/install such a pseudo license or not?

regards
Rolf

> On 29/08/13 17:45, Rolf Hanßen wrote:
>> How do I see if the correct features were enabled or which type (baseip, ipservice, advipservice) is installed ? Maybe somebody with a working and licensed router can compare the output ? What happens if I reboot and the license was wrong (i.e. baseip only), does the IOS reject commands in that case or is the whole licensing on 6500/7600 just a dummy ?
>
> That's not how 6500 works. For 6500, on both sup720 and sup2T IIRC, the feature set is determined by the image you boot. There's no license key for advanced IP services - you just boot that image. To see which feature is installed/enabled, just look to see which image is booted. The right to use the software comes from having purchased that version of the software with the chassis, or having purchased an upgrade later on.
>
> See also http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/qa_c67-661785.pdf
>
> As an example - most of our 6500 purchases came with a line item for:
>
>   S733ZK9M-12218SXD
>
> ...which is the Advanced IP service package, and confers the right to use that image (and smartnet confers the right to upgrade).
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hello,

exactly that was the plan. We keep CoPP a bit open until the next bigger maintenance work and then will try another IOS.

regards
Rolf

> I would try switching code versions. It sounds like you are hitting a bug. Given the fact that other boxes running different code are behaving normally, the only conclusion is that it is a software issue. Keep in mind that TAC may not have it listed as a known bug even though it was fixed.
>
> LR Mack McBride
> Network Architect
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
> Sent: Monday, July 01, 2013 6:44 AM
> To: Nick Hilliard
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
>
> Hi,
>
> If I had a support contract for that box I would open a tac case now. ;)
>
> kind regards
> Rolf
>
>> On 28/06/2013 17:55, Rolf Hanßen wrote:
>>> does not look like this is a general hardware version issue.
>>
>> mmm, ok. I would:
>>
>> - run a context diff on the configuration on each of these machines to ensure that there are no syntactic differences
>> - disable and then re-enable copp on the affected box to ensure that it's reprogrammed correctly into the hardware (sometimes things get messed up on the way down to the line cards)
>> - compare the output of "show mls rate-limit" on all machines
>> - check your platform acl tcam capacity using "show platform hardware capacity acl", to ensure that you still have some acl tcam space available for your copp config.
>>
>> If this doesn't point towards a resolution, I'd open up a tac case.
>>
>> Nick
>>
>>> But I found a box with the same hardware versions:
>>>
>>>   Mod Port Model              Serial #  Versions
>>>   --- ---- ------------------ --------- -------------------------
>>>     5    2 WS-SUP720-3B       ###       Hw : 5.3
>>>                                         Fw : 8.4(2)
>>>                                         Sw : 12.2(33)SXJ
>>>                                         Sw1: 20.1(1)SXJ
>>>          WS-SUP720            ###       Hw : 2.6
>>>                                         Fw : 12.2(17r)SX7
>>>                                         Sw : 12.2(33)SXJ
>>>          WS-F6K-PFC3B         ###       Hw : 2.3
>>>
>>> This box also works as soon as I enter "mls rate-limit unicast cef glean 500".
>>>
>>> kind regards
>>> Rolf
>>>
>>>>> Any further ideas except hardware failure, buggy software or try rebooting it ?
>>>>
>>>> Could be a hardware issue. As someone else mentioned (Phil?), this particular feature is hardware revision dependent. What hardware versions are each of your SUP720s (show module)?
>>>>
>>>> Nick
[c-nsp] privilege exec ... unexpected behaviour
Hello,

Following setup: I created a user with no privileges and want to allow some commands. I configured:

  privilege exec level 0 show bgp ipv6 unicast
  privilege exec level 0 show bgp ipv4 unicast
  privilege exec level 0 show ip bgp
  privilege exec level 0 show ip route

All commands were accepted by the cli. I then access the device with the limited user. Those commands work fine:

  show ip route 1.2.3.4
  show ip bgp 1.2.3.4

But the "sh bgp ..." commands fail:

  Router>show bgp ?
    all       All address families
    ipv4      Address family
    ipv6      Address family
    l2vpn     Address family
    nsap      Address family
    rtfilter  Address family
    vpnv4     Address family
    vpnv6     Address family
  Router>show bgp ipv4 ?
  % Unrecognized command
  Router>show bgp ipv4

The config file also does not list the commands:

  Router#sh running-config | inc privilege exec
  privilege exec level 0 show bgp
  privilege exec level 0 show ipv6 route
  privilege exec level 0 show ipv6
  privilege exec level 0 show ip bgp
  privilege exec level 0 show ip route
  privilege exec level 0 show ip
  privilege exec level 0 show

Is there some additional config needed or is it some kind of restriction/limitation?

Hardware is Sup2T
Software is 15.0(1)SY2

kind regards
Rolf
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hi,

If I had a support contract for that box I would open a tac case now. ;)

kind regards
Rolf

> On 28/06/2013 17:55, Rolf Hanßen wrote:
>> does not look like this is a general hardware version issue.
>
> mmm, ok. I would:
>
> - run a context diff on the configuration on each of these machines to ensure that there are no syntactic differences
> - disable and then re-enable copp on the affected box to ensure that it's reprogrammed correctly into the hardware (sometimes things get messed up on the way down to the line cards)
> - compare the output of "show mls rate-limit" on all machines
> - check your platform acl tcam capacity using "show platform hardware capacity acl", to ensure that you still have some acl tcam space available for your copp config.
>
> If this doesn't point towards a resolution, I'd open up a tac case.
>
> Nick
>
>> But I found a box with the same hardware versions:
>>
>>   Mod Port Model              Serial #  Versions
>>   --- ---- ------------------ --------- -------------------------
>>     5    2 WS-SUP720-3B       ###       Hw : 5.3
>>                                         Fw : 8.4(2)
>>                                         Sw : 12.2(33)SXJ
>>                                         Sw1: 20.1(1)SXJ
>>          WS-SUP720            ###       Hw : 2.6
>>                                         Fw : 12.2(17r)SX7
>>                                         Sw : 12.2(33)SXJ
>>          WS-F6K-PFC3B         ###       Hw : 2.3
>>
>> This box also works as soon as I enter "mls rate-limit unicast cef glean 500".
>>
>> kind regards
>> Rolf
>>
>>>> Any further ideas except hardware failure, buggy software or try rebooting it ?
>>>
>>> Could be a hardware issue. As someone else mentioned (Phil?), this particular feature is hardware revision dependent. What hardware versions are each of your SUP720s (show module)?
>>>
>>> Nick
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hello,

thanks for the info but that does not help in my case, just tried it out.

The link confirms: "if traffic matches a special-case rate limiter, it is never compared against the hardware CoPP policy. It will only be compared against the software CoPP policy"

So I guess now it is dropped in software instead of hardware. ;)

kind regards
Rolf

> On 27/06/2013 17:36, Rolf Hanßen wrote:
>> Is there a way to match that "destination IP = connected IP without entry in arp table" traffic ? I found no such option in the syntax.
>
> that is a glean packet, and is handled using rate limiters, not CoPP:
>
>   Router(config)#mls rate-limit unicast cef glean ?
>     10-100  packets per second
>
> more info here: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html#wp9000211
>
> Nick
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hi,

no egress ACL. On the box I tested there is no ACL bound to any interface at all, only some in copp classes and one for the line vty.

regards
Rolf

> On 28/06/13 13:14, Rolf Hanßen wrote:
>> Hello,
>> thanks for the info but that does not help in my case, just tried out.
>> The link confirms: "if traffic matches a special-case rate limiter, it is never compared against the hardware CoPP policy. It will only be compared against the software CoPP policy"
>
> Hmph. That's odd. I thought we had come to the conclusion that MLS rate-limiters circumvented *all* CoPP, hardware and software.
>
> Do you have egress ACLs? Have you read this:
>
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#wp1036022
>
> "If you enable the CEF rate limiters, the following behaviors occur (if the behavior that is listed is unacceptable, disable the CEF rate limiters): If a packet hits a glean/receive adjacency, the packet may be dropped instead of being sent to the software if there is an output ACL on the input VLAN and the matched entry result is deny."
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hello,

there is no explicit config (but listed by "sh policy-map control-plane"), I now added:

  class class-default
   police cir 512000 bc 1000 conform-action transmit exceed-action transmit violate-action transmit

Something matches the default class but ARP still does not work. Also tried "mls qos protocol ARP police" without success.

But what makes me crazy: the affected Sup720 has 12.2(33)SXH. I now tried to reproduce on other devices:

Sup2T: no ARP issue, the limiter is enabled by default.
Sup720 #2 (Version 15.1(2)S): "mls rate-limit unicast cef glean" solves the ARP issue.
Sup720 #3 (version 12.2(33)SXH2): it also works with "mls rate-limit unicast cef glean" configured.

Any further ideas except hardware failure, buggy software or try rebooting it?

regards
Rolf

> On (2013-06-28 15:05 +0200), Rolf Hanßen wrote:
>> no egress ACL. On the box I tested there is no ACL bound to any interface at all, only some in copp classes and one for the line vty.
>
> Do you have 'class-default' configured? I have penultimate rule 'CoPP-IP' which drops, like yours, everything matching to 'ip any any' ACL. After that I have class-default, where I permit (I need it at least for ISIS). If not configured, it's permit as well.
>
> I also have:
>   mls rate-limit unicast cef glean 200 50
>   mls qos protocol ARP police 200 62000
>
> And no ARP issues (beware if you're switching also that the ARP police affects transit ARP also)
>
> --
> ++ytti
Re: [c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hi Nick,

does not look like this is a general hardware version issue.

the bad box:
  Mod Port Model           Serial #  Versions
    5    2 WS-SUP720-3B    ###       Hw : 5.3  Fw : 8.5(1)        Sw : 12.2(33)SXH   Sw1: 8.7(0.22)SXH11
           WS-SUP720       ###       Hw : 2.6  Fw : 12.2(17r)SX7  Sw : 12.2(33)SXH
           WS-F6K-PFC3B    ###       Hw : 2.3

the good #1:
  Mod Port Model           Serial #  Versions
    5    2 WS-SUP720-3B    ###       Hw : 5.2  Fw : 8.4(2)        Sw : 12.2(33)SXH2  Sw1: 8.7(0.22)BUB25
           WS-SUP720       ###       Hw : 2.5  Fw : 12.2(17r)S4   Sw : 12.2(33)SXH2
           WS-F6K-PFC3B    ###       Hw : 2.3

the good #2:
  Mod Port Model           Serial #  Versions
    6    2 WS-SUP720-3BXL  ###       Hw : 4.1  Fw : 8.5(2)        Sw : 15.1(2)S      Sw1: (sierra_main_dev)1.0.5
           WS-SUP720       ###       Hw : 2.2  Fw : 12.2(17r)SX5  Sw : 15.1(2)S
           WS-F6K-PFC3BXL  ###       Hw : 1.8

But I found a box with the same hardware versions:
  Mod Port Model           Serial #  Versions
    5    2 WS-SUP720-3B    ###       Hw : 5.3  Fw : 8.4(2)        Sw : 12.2(33)SXJ   Sw1: 20.1(1)SXJ
           WS-SUP720       ###       Hw : 2.6  Fw : 12.2(17r)SX7  Sw : 12.2(33)SXJ
           WS-F6K-PFC3B    ###       Hw : 2.3

This box also works as soon as I enter "mls rate-limit unicast cef glean 500".

kind regards
Rolf

>> Any further ideas except hardware failure, buggy software or try rebooting it?
>
> Could be a hardware issue. As someone else mentioned (Phil?), this particular feature is hardware revision dependent. What hardware versions are each of your SUP720s (show module)?
>
> Nick
[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning
Hi,

we recently installed CoPP on several boxes (Sup720, Sup2T). We have a lot of "allow ..." whitelist rules and end with a class dropping everything:

  class class-copp-any-ip
   police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

  class-map match-any class-copp-any-ip
   match access-group name acl-copp-any-ip

  ip access-list extended acl-copp-any-ip
   permit ip any any

This works fine so far but we now found out that this results in a certain problem:

Host A with IP x.x.x.x is connected to the Cisco and has no ARP entry yet. If somebody from outside starts a connection to host A (TCP/UDP), the packet is dropped, the Cisco does not learn the MAC of host A.
I guess this happens because without an existing arp entry the packet needs to be sent to the RP and is dropped by CoPP.

I changed the last rule to conform-action transmit to allow a small amount of any traffic. This works but is not what we intended.

Is there a way to match that "destination IP = connected IP without entry in arp table" traffic? I found no such option in the syntax.
Any other option, maybe bypass CoPP for that traffic and rate-limit it another way?

kind regards
Rolf
Re: [c-nsp] Sup720 hanging after rommon starts loading IOS
Hi,

now got another annoying card, this one does not boot from bootdisk:

--
System Bootstrap, Version 8.5(4)
Copyright (c) 1994-2009 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
Autoboot executing command: boot bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXH.bin
Loading image, please wait ...
Initializing ATA monitor library...
monlib.open(): Open Error = -66
loadprog: error - on file open
boot: cannot load bootdisk:/s72033-adventerprisek9_wan-mz.122-33.SXH.bin
Exit at the end of BOOT string
rommon 1 > dev
Devices in device table:
        id  name
  bootdisk: boot disk
     disk0: PCMCIA Disk 0
     disk1: PCMCIA Disk 1
     eprom: eprom
rommon 2 > dir bootdisk:
Initializing ATA monitor library...
monlib.open(): Open Error = -66
dir: cannot open device "bootdisk:"
rommon 3 >
--

That is a 3bxl. After replacing the battery I was able to flash the ROMMONs. ;)
Same adapter + same flash card boots in another Sup720 with same ROMMON versions. Also tried version 8.5.3 and 8.4.2.
RP has 12.2(17r)SX7 installed (I guess that does not matter anyway).
Booting from disk0: works fine, I can access sup-bootdisk: from within IOS. I already tried to format it and copy the IOS image again but that looks to me like something prior to the magic number things.

Any further idea?

kind regards
Rolf

> On 4/24/13 2:31 PM, Paul wrote:
>> For compact flash cards you need to put them in a PC, and remove the partition table (or format it FAT16). Once the partition table is completely removed, format it in your supervisor and it will work every time. The issue is that most flash cards come with the partition table already created and already formatted.
>
> You also can't boot from a flash disk that hasn't been formatted/'blessed' by the platform it's been inserted into. This platform limitation also applies to differences in SUPs, such as between SUP32, SUP720, etc.
>
> We had gotten a 720 with no flash, its internal flash had been wiped completely. Tried using a flash formatted and loaded in the SUP32 we have - wouldn't successfully boot, then tried with a RSP16 from a 7500 series, and still couldn't make it boot off the flash. Finally succeeded in tickling the 720 to boot off of the one made in the RSP16 after fooling with its ROMMON.
>
> Apparently, the format command adds some hidden flags or files to the flash which, when not present or of the wrong type, will cause the boot loader to pretend like the flash is unbootable even with the right files on it.
>
> Important side note for anyone with a SUP720 - you can't load an IOS image over serial or TFTP with the ROMMON. For serial, it's particularly deceptive in that the command is there, but will fail every single time. Yay Cisco!
>
> --
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org/ http://www.ahbl.org
Re: [c-nsp] DNS amplification
Hello Nick,

guess I did not understand what source IP is allowed with allow-self-ping. I just tried it out with that setup:

Attacking server somewhere in 1.0.0.0/24 connected to Sup2T with 1.0.0.1 and 1.0.0.2 (hard-coded + HSRP).
Target is 2.0.0.123 (connected somewhere else).

No matter if allow-self-ping is set or not, packets with those sources are dropped:
  1.0.0.1
  1.0.0.2
  1.0.0.255
  2.0.0.123

Only source=1.0.0.3-254 works, that looks like correct behaviour to me.
What additional spoofed IP(s) could be used in that case with allow-self-ping set?

kind regards
Rolf

> On 08/05/2013 15:06, Rolf Hanßen wrote:
>>   R2(config-if)#ip verify unicast source reachable-via rx ?
>>   ...
>>   allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
>>   l2-src           Check packets arrive with correct L2 source address
>>
>> What kind of vulnerability is that? Just for my interest, I do not need to ping myself usually. ;)
>
> In order to ping an interface address, the packet needs to go through the normal packet forwarding process. This includes a urpf check. As the ping packet does not come from the interface itself, it will fail a urpf check and the packet will be dropped unless allow-self-ping is enabled.
>
> If you enable allow-self-ping, the vulnerability is that you can also send packets to the router with srcip=dstip and they will pass the urpf check.
>
> Nick
Re: [c-nsp] DNS amplification
Hello,

I have 2 further questions but could not find any hints about it in the web.

  R2(config-if)#ip verify unicast source reachable-via rx ?
  ...
  allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
  l2-src           Check packets arrive with correct L2 source address

What kind of vulnerability is that? Just for my interest, I do not need to ping myself usually. ;)

What exactly does l2-src check? From the description I would guess it checks if there is an ARP entry for the source IP of the incoming packet and compares it with the source MAC of each incoming packet. I tested and could send packets with changed source IPs without an entry in the MAC table at all for that source IP and also with another MAC (configured statically) in the arp table.

kind regards
Rolf Hanßen

> Hi,
>
> On Sun, Mar 17, 2013 at 05:46:21PM +0100, Rolf Hanßen wrote:
>> If that is not just a bad/wrong explanation or a joke, what sense makes urpf if it cannot be enabled and configured for each interface individually and as a consequence of this cannot be implemented without possible service impact?
>
> Each interface can be on/off individually just fine. What does not work is have some interfaces in strict mode and other interfaces in loose mode on the same sup720 (EARL7) box (is this fixed in EARL8, btw?).
>
> So if all you have on the box is customers (strict mode) and core (no uRPF), you're fine. If all the box does is core (no uRPF) and uplinks/peerings (loose mode to be able to do S-RTBH), you're fine as well.
>
> Only if you have customers and uplink/peering interfaces on the same box, this gets problematic.
>
>> I am sure we are not the only ones that do not activate it because it may cause more problems than it will solve.
>> btw, if there is a way to enable it for single (vlan)interfaces (up to a few hundred) without any effect for other interfaces, please let me know.
>
> just turn it on :-)
>
> gert
Re: [c-nsp] Need help with IPv6 CoPP
Hi,

I captured on the Sup2T (001c.0f1c.bc00) with "monitor capture start" + "sh monitor capture buffer | inc 86DD":

  len 130 , ..0005 001c.0f1c.bc00 86DD 6E4C5901FE80
  len 114 , ..0005 001c.0f1c.bc00 86DD 6E3C5901FE80
  len 90 , ..0005 001c.0f1c.bc00 86DD 6E245901FE80
  len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
  len 94 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E285901FE80
  len 82 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E1C5901FE80
  len 94 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E285901FE80
  len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
  len 82 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E1C5901FE80
  len 162 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E6C5901FE80
  len 82 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E1C5901FE80
  len 82 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E1C5901FE80
  len 118 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E405901FE80
  len 246 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6EC05901FE80
  len 130 , ..0005 001c.0f1c.bc00 86DD 6E4C5901FE80
  len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
  len 114 , ..0005 001c.0f1c.bc00 86DD 6E3C5901FE80
  len 114 , ..0005 0011.5d9b.a180 86DD 6E3C5901FE80
  len 114 , ..0005 0011.5d9b.a180 86DD 6E3C5901FE80
  len 94 , ..0005 0011.5d9b.a180 86DD 6E285901FE80

As far as I see everything directed to the Sup720 (0011.5d9b.a180) has next header 0x59, which is 89 / OSPF.

kind regards
Rolf

> On 07/05/2013 13:05, Rolf Hanßen wrote:
>> So as far as I tested Sup2T only needs:
>>   permit 89 FE80::/10 any
>> Sup720 needs:
>>   permit 89 FE80::/10 any
>>   permit ipv6 FE80::/10 FE80::/10
>
> ok, odd.
>
>> Some minutes later:
>>   1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from EXSTART to DOWN, Neighbor Down: Too many retransmits
>
> If I were debugging this and if there were differences between the sup720 and the sup2t, I would span the RP to see what sort of packets the sup2t is seeing. I don't have any sup2ts to test this out, but if you get a packet dump, you should be able to design a copp policy based on that.
>
> Nick
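As an added example (not part of Rolf's or Nick's mail, and not Cisco code), the Python below decodes the "sh monitor capture buffer | inc 86DD" summary lines above and tabulates the next-header value per destination MAC, which is the check Rolf did by eye. The layout of the six bytes after the EtherType is inferred from the posted frames, not taken from documentation: version/traffic-class nibble, the low byte of the IPv6 payload length (for every frame shown it equals the printed length minus 14 bytes Ethernet and 40 bytes IPv6 header, which the code verifies), next header, hop limit, and the first two bytes of the source address. The first MAC column is treated as the destination because the 3333.xxxx multicast addresses can only appear there. The frame lines are copied from the mail with the MACs as printed.

```python
"""Decode the 6500/7600 'show monitor capture buffer' summary lines posted in
the thread and tabulate next-header per destination MAC.

Added example, not Cisco code.  The layout of the 12 hex digits following the
EtherType is inferred from the posted frames (see lead-in); it is checked per
frame against the printed frame length."""
import re
from collections import Counter

ETH_HDR_LEN = 14    # Ethernet II header
IPV6_HDR_LEN = 40   # fixed IPv6 header

# Constructed input: the 20 lines Rolf posted, MACs as printed ("..0005" and
# "..0016" are the truncated 3333.0000.0005 / 3333.0000.0016 multicast MACs
# for FF02::5 all-OSPF-routers and FF02::16 all-MLDv2-routers).
CAPTURE = """\
len 130 , ..0005 001c.0f1c.bc00 86DD 6E4C5901FE80
len 114 , ..0005 001c.0f1c.bc00 86DD 6E3C5901FE80
len 90 , ..0005 001c.0f1c.bc00 86DD 6E245901FE80
len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
len 94 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E285901FE80
len 82 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E1C5901FE80
len 94 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E285901FE80
len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
len 82 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E1C5901FE80
len 162 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E6C5901FE80
len 82 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E1C5901FE80
len 82 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6E1C5901FE80
len 118 , 0011.5d9b.a180 001c.0f1c.bc00 86DD 6E405901FE80
len 246 , 001c.0f1c.bc00 0011.5d9b.a180 86DD 6EC05901FE80
len 130 , ..0005 001c.0f1c.bc00 86DD 6E4C5901FE80
len 90 , ..0016 001c.0f1c.bc00 86DD 6E240001FE80
len 114 , ..0005 001c.0f1c.bc00 86DD 6E3C5901FE80
len 114 , ..0005 0011.5d9b.a180 86DD 6E3C5901FE80
len 114 , ..0005 0011.5d9b.a180 86DD 6E3C5901FE80
len 94 , ..0005 0011.5d9b.a180 86DD 6E285901FE80
"""

LINE_RE = re.compile(
    r"len (?P<len>\d+) , (?P<dst>\S+) (?P<src>\S+) (?P<etype>[0-9A-Fa-f]{4}) "
    r"(?P<hdr>[0-9A-Fa-f]{12})$"
)
NEXT_HEADER_NAMES = {0: "HOPOPT", 58: "ICMPv6", 89: "OSPF"}


def parse_line(line):
    """Return a dict for one IPv6 summary line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None or m["etype"].upper() != "86DD":
        return None
    frame_len = int(m["len"])
    hdr = bytes.fromhex(m["hdr"])
    expected_plen = (frame_len - ETH_HDR_LEN - IPV6_HDR_LEN) & 0xFF
    return {
        "len": frame_len,
        "dst_mac": m["dst"],          # 33:33 multicast can only be a destination
        "src_mac": m["src"],
        "version": hdr[0] >> 4,
        "payload_len_ok": hdr[1] == expected_plen,   # layout sanity check
        "next_header": hdr[2],
        "proto": NEXT_HEADER_NAMES.get(hdr[2], str(hdr[2])),
        "hop_limit": hdr[3],
        # fe80::/10: first byte 0xFE, top two bits of the second byte == 10
        "link_local_src": hdr[4] == 0xFE and (hdr[5] & 0xC0) == 0x80,
    }


def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def protocols_to_mac(records, mac):
    """Counter of protocol names for all frames whose destination MAC is `mac`."""
    return Counter(r["proto"] for r in records if r["dst_mac"] == mac)


def link_local_next_headers(records):
    """Sorted next-header values seen from fe80::/10 sources."""
    return sorted({r["next_header"] for r in records if r["link_local_src"]})


if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    if not all(r["payload_len_ok"] for r in recs):
        raise SystemExit("layout inference does not hold for this capture")
    for mac in sorted({r["dst_mac"] for r in recs}):
        print(f"{mac:16} {dict(protocols_to_mac(recs, mac))}")
    print("next headers from link-local sources:", link_local_next_headers(recs))
```

Run as-is it prints one line per destination MAC; the frames to the Sup720 MAC are all next header 89 with hop limit 1 from a fe80::/10 source, and the only non-OSPF traffic in the capture is the hop-by-hop (MLD) traffic to ff02::16. The payload-length check is what makes the byte layout trustworthy: if it failed for any frame the field interpretation would be wrong and the protocol column could not be relied on.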
Re: [c-nsp] Need help with IPv6 CoPP
Hello Nick,

that does not help if I cannot filter using the protocol number. Maybe I described it not exactly. Whatever OSPF sends, it is not protocol number 89 or CoPP is not able to filter the protocol number.

I did further testing and changed everything to a Sup2T compatible way (only one ACL each class).

Those 3 rules were part of my initial config, only the first seems to match:
  permit 89 FE80::/10 any
  permit 89 any FE80::/10
  permit ipv6 any FE02::/16

That rule makes it working (state changes to FULL):
  permit ipv6 FE80::/10 FE80::/10

That rule does not work (replacing the above one):
  permit 89 FE80::/10 FE80::/10

That rule works but the log does not log anything:
  permit ipv6 FE80::/10 FE80::/10 log

On Sup720 "permit ipv6 FE80::/10 FE80::/10" matches and seems to be needed, on Sup2T it does not match and the ACL is not needed to make OSPF reach FULL.

So as far as I tested Sup2T only needs:
  permit 89 FE80::/10 any
Sup720 needs:
  permit 89 FE80::/10 any
  permit ipv6 FE80::/10 FE80::/10

Also no matter which router becomes DR / BDR.

"debug ipv6 ospf packet" on the Sup720 shows:

The second after "clear ipv6 ospf process":
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL to DOWN, Neighbor Down: Interface down or detached
  1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123 aid:0.0.0.123 chk:5A51 inst:0 from Vlan25
  1w5d: OSPFv3: rcv. v:3 t:2 l:28 rid:123.123.123.123 aid:0.0.0.123 chk:634D inst:0 from Vlan25
  1w5d: OSPFv3: rcv. v:3 t:2 l:108 rid:123.123.123.123 aid:0.0.0.123 chk:81C3 inst:0 from Vlan25
  1w5d: OSPFv3: rcv. v:3 t:4 l:192 rid:123.123.123.123 aid:0.0.0.123 chk:594C inst:0 from Vlan25
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from LOADING to FULL, Loading Done

Every few seconds:
  1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123 aid:0.0.0.123 chk:C24C inst:0 from Vlan25

"clear ipv6 ospf process" without "permit ipv6 FE80::/10 FE80::/10":
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from FULL to DOWN, Neighbor Down: Interface down or detached
  1w5d: OSPFv3: rcv. v:3 t:1 l:40 rid:123.123.123.123 aid:0.0.0.123 chk:59F7 inst:0 from Vlan25

Some minutes later:
  1w5d: %OSPFv3-5-ADJCHG: Process 1, Nbr 123.123.123.123 on Vlan25 from EXSTART to DOWN, Neighbor Down: Too many retransmits

kind regards
Rolf

> On 07/05/2013 08:31, Adam Vitkovsky wrote:
>> OSPFv3 should be using addresses from FF02 Multicast link-local address sub-range:
>>   FF02::5 all OSPF routers
>>   FF02::6 all OSPF designated routers
>> So you should be able to limit the permit range to these two.
>
> No, multicast is only used for hello and LSA transmission on broadcast medium networks. Outside this, unicast can be used and will usually use addresses from the standard fe80::/10 range, but if you're using virtual links they can be global addresses.
>
> It's a more sensible idea to filter protocol 89 to your core address ranges using an iACL and then permit all 89 in the CoPP policy.
>
> Nick
>
>> adam
>>
>> -Original Message-
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dobbins, Roland
>> Sent: Monday, May 06, 2013 6:51 PM
>> To: cisco-nsp NSP
>> Subject: Re: [c-nsp] Need help with IPv6 CoPP
>>
>> On May 6, 2013, at 11:11 PM, Rogelio Gamino wrote:
>>>> At that stage, neighbors agree on Master/Slave relationship before moving to exchange DBD's.
>>>
>>> Unless you're doing OSPF with an external organization and anticipate an attack (either deliberate or inadvertent) from the adjacent router(s), why not leave OSPF out of it entirely, and instead concentrate on traffic which is layer-3-agile?
>>>
>>> ---
>>> Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
>>>
>>> Luck is the residue of opportunity and design.
>>> -- John Milton
[c-nsp] Need help with IPv6 CoPP
Hello list,

I am trying to configure IPv6 CoPP and could use some help with several issues.

First of all I need to know how to allow/filter OSPFv3 sessions. I am filtering with those rules (reduced them to the minimum for testing):

-
mls ipv6 acl compress address unicast

policy-map policy-copp-in
 class class-copp-ospf
  police cir 5000 bc 625000 conform-action transmit exceed-action drop violate-action drop
 class class-copp-icmp
  police cir 5000 bc 625000 conform-action transmit exceed-action drop violate-action drop
 class class-copp-any-ip
  police cir 128000 bc 1000 conform-action drop exceed-action drop violate-action drop

class-map match-any class-copp-ospf
 match access-group name acl-copp-ospf
ipv6 access-list acl-copp-ospf
 permit 89 FE80::/10 any
 permit 89 any FE80::/10   (should be obsolete)

class-map match-any class-copp-icmp
 match access-group name acl-copp-icmp
ipv6 access-list acl-copp-icmp
 permit icmp any any

class-map match-any class-copp-any-ip
 match access-group name acl-copp-any-ipv6
ipv6 access-list acl-copp-any-ipv6
 permit ipv6 any any log
-

If I apply the policy-map after OSPF changes to FULL, it stays in that status. If I apply the map and clear the OSPF process it flaps the whole time between EXSTART and DOWN:
  %OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from EXSTART to DOWN, Neighbor Down: Too many retransmits
  %OSPFv3-5-ADJCHG: Process 1, Nbr x.x.x.x on Vlan25 from DOWN to DOWN, Neighbor Down: Ignore timer expired

If I change class-copp-any-ip to conform-action transmit, it works again and changes to FULL. Unfortunately none of the packets matched by "permit ipv6 any any log" is logged.
I found out that a "permit ipv6 FE80::/10 FE80::/10" (not protocol 89, must be something else) makes it going to full again but that is not a very helpful rule to me.

Can somebody tell me what type of packet OSPF sends or what additional/replacement ACL can be used?

Can furthermore somebody tell me if there is a way to make that box log all packets from "log" acl entries and not only random/software switched/whatever?

After finding out the above I included the rules to the prior created entries. And it did not work anymore.

Platform is Sup720-3B in 6509. I hoped that Sup2T is able to log more/better or give me a hint what goes wrong and tried it out. There I got that error here:
  R2(config-cp)# service-policy input policy-copp-in
  QoS: Multiple acl entries cannot be used in match-any in class class-copp-allowed-important

Is there a way to allow multiple entries or do I need to build a giant policy-map and a mass of class-maps (one each acl)? Is there maybe a way to bypass the class-map and directly configure the ACLs?

I then tried to move the "permit ipv6 FE80::/10 FE80::/10" to an own class-map and it worked (even though no match of that rule is shown).

Does Sup720 also have some number of entries limitations (class-maps each policy, acls each class, entries each acl, maybe total number of entries) but just gives no error messages (just does not work/match in such cases)? Or is there maybe some bug I hit? Both could explain that behaviour imho.

kind regards
Rolf
Re: [c-nsp] Need help with IPv6 CoPP
Hello,

I used no authentication for testing, but thanks for the hint, need to put that on the checklist before implementing. ;)

kind regards
Rolf

>> If I apply the policy-map after OSPF changes to FULL, it stays in that status. If I apply the map and clear OSPF process it flaps the whole time between EXSTART and DOWN:
>
> Are you using OSPFv3 authentication? In this case the first protocol in the packets is AH, and the next is OSPF. This doesn't fully explain what you're seeing, but is something to check.
>
> I have no clue for the other strangenesses you describe.
>
> Regards,
> Bergonz
>
> --
> Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
> Phone:+39-051-6781926 e-mail: berg...@labs.it
> alt.advanced.networks.design.configure.operate
Re: [c-nsp] Need help with IPv6 CoPP
Hello,

in the non-working copp-config "sh ipv6 ospf nei" shows EXSTART/BDR and EXSTART/DR, so looks like they already found out.
Anyway, do you know which protocol number and maybe port-number they use (if it is not 89 and CoPP just does not filter correctly)?
Using "permit ipv6 FE80::/10 FE80::/10" without anything further does not make much sense because it matches half of the possible ipv6 risk traffic.

kind regards
Rolf

> At that stage, neighbors agree on Master/Slave relationship before moving to exchange DBD's. This traffic is unicast between neighbors.
>
> On Mon, May 6, 2013 at 11:30 AM, Rolf Hanßen n...@rhanssen.de wrote:
>> Hello,
>>
>> I used no authentication for testing, but thanks for the hint, need to put that on the checklist before implementing. ;)
>>
>> kind regards
>> Rolf
>>
>>>> If I apply the policy-map after OSPF changes to FULL, it stays in that status. If I apply the map and clear OSPF process it flaps the whole time between EXSTART and DOWN:
>>>
>>> Are you using OSPFv3 authentication? In this case the first protocol in the packets is AH, and the next is OSPF. This doesn't fully explain what you're seeing, but is something to check.
>>>
>>> I have no clue for the other strangenesses you describe.
>>>
>>> Regards,
>>> Bergonz
>>>
>>> --
>>> Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
>>> Phone:+39-051-6781926 e-mail: berg...@labs.it
>>> alt.advanced.networks.design.configure.operate
[c-nsp] Display age of BGP routes in IOS
Hello,

is there a way to see the age of a BGP route learned from peer xyz in IOS?
"sh ip route" contains information for the last route change but not peer-related.
I am looking for something like "sh ip bg routes detail" on a Brocade that also lists the last change of a route for each peer advertising it to me.

kind regards
Rolf
Re: [c-nsp] Sup720 hanging after rommon starts loading IOS
Hello,

after 2 afternoons of trial and error I now got it running.
I replaced the memory modules (RP and SP RAM, not the flash) and could boot from the 64MB flash modules then.
The CF card was still not accepted. I needed to boot into some older image, format the CF card in disk0 of the Sup720. Then needed to copy the files again via TFTP to CF, move the CF card to the adapter and boot the image via rommon.

kind regards
Rolf

> Hello,
>
> I have an issue with a (refurbished) Sup720-2B. It does not load the IOS.
> Chassis is a 6509, also tried a 6509-E and tried Slot 5 + 6 to make sure the chassis is ok.
>
> Few seconds after telling me to load the IOS it hangs:
>
>   System Bootstrap, Version 8.5(3)
>   Copyright (c) 1994-2008 by cisco Systems, Inc.
>   Cat6k-Sup720/SP processor with 524288 Kbytes of main memory
>   Autoboot executing command: boot bootflash:
>   Loading image, please wait ...
>
> All status LEDs are red from that point.
>
> I tried with 3 different 64GB Flash modules I had from some past upgrades. I at least see some images on those modules (and I am quite sure they worked when they were removed ;)), sample:
>
>   rommon 4 > dir bootflash:
>            File size            Checksum    File name
>     4996 bytes (0x2c814f4)    0x27786551  s72033-pk9sv-mz.122-18.SXD7b.bin
>
> I think rommon recognizes that the image exists, if I enter a wrong filename I get an error message.
>
> Maybe need to change another setting?
>
>   rommon 1 > set
>   PS1=rommon !
>   LOG_PREFIX_VERSION=1
>   SLOTCACHE=cards;
>   PF_REDUN_CRASH_COUNT=0
>   RET_2_RTS=08:14:12 UTC Wed Mar 7 2012
>   TYFIB_BLOCK_ALLOC=
>   NT_K=0:0:0:0
>   BSI=0
>   RET_2_RCALTS=
>   ACL_DENY=0
>   RANDOM_NUM=1921496405
>   ?=0
>   BOOT=bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin,1
>
> "boot -v" shows some lines before freezing:
>
>   boot: bootstring is: bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin
>   ROM: set load_again: a00042e0 bfc2d1ac 80006c50 30409001
>   Loading image, please wait ...
>   loading section to address 0x80008000 from file position 0x16c, size is 0x18000
>   loading section to address 0x8002 from file position 0x1816c, size is 0x34e0
>   loading section to address 0x800234e0 from file position 0x1b64c, size is 0x4c0
>   loading section to address 0x8002 from file position 0x11c, size is 0x8000
>   loading section to address 0x80028000 from file position 0x811c, size is 0xe00
>   loading section to address 0x80028e00 from file position 0x8f1c, size is 0x20
>   loading section to address 0x80028e20 from file position 0x8f3c, size is 0x2c78584
>
> The addresses change depending on the image/flash module.
>
> Any hint how to make that card run IOS or is this a hardware issue?
>
> It also does not read from a CF card (formatted and readable from a Sup2T, maybe that uses another format?) in rommon:
>
>   rommon 2 > dir disk0:
>   monlib does not contain a valid magic number
>   dir: cannot open device "disk0:"
>
> Same if I use disk1 or a CF to Flash-module adapter.
>
> kind regards
> Rolf
[c-nsp] Sup720 hanging after rommon starts loading IOS
Hello,

I have an issue with a (refurbished) Sup720-2B. It does not load the IOS.
Chassis is a 6509, also tried a 6509-E and tried Slot 5 + 6 to make sure the chassis is ok.

Few seconds after telling me to load the IOS it hangs:

  System Bootstrap, Version 8.5(3)
  Copyright (c) 1994-2008 by cisco Systems, Inc.
  Cat6k-Sup720/SP processor with 524288 Kbytes of main memory
  Autoboot executing command: boot bootflash:
  Loading image, please wait ...

All status LEDs are red from that point.

I tried with 3 different 64GB Flash modules I had from some past upgrades. I at least see some images on those modules (and I am quite sure they worked when they were removed ;)), sample:

  rommon 4 > dir bootflash:
           File size            Checksum    File name
    4996 bytes (0x2c814f4)    0x27786551  s72033-pk9sv-mz.122-18.SXD7b.bin

I think rommon recognizes that the image exists, if I enter a wrong filename I get an error message.

Maybe need to change another setting?

  rommon 1 > set
  PS1=rommon !
  LOG_PREFIX_VERSION=1
  SLOTCACHE=cards;
  PF_REDUN_CRASH_COUNT=0
  RET_2_RTS=08:14:12 UTC Wed Mar 7 2012
  TYFIB_BLOCK_ALLOC=
  NT_K=0:0:0:0
  BSI=0
  RET_2_RCALTS=
  ACL_DENY=0
  RANDOM_NUM=1921496405
  ?=0
  BOOT=bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin,1

"boot -v" shows some lines before freezing:

  boot: bootstring is: bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin
  ROM: set load_again: a00042e0 bfc2d1ac 80006c50 30409001
  Loading image, please wait ...
  loading section to address 0x80008000 from file position 0x16c, size is 0x18000
  loading section to address 0x8002 from file position 0x1816c, size is 0x34e0
  loading section to address 0x800234e0 from file position 0x1b64c, size is 0x4c0
  loading section to address 0x8002 from file position 0x11c, size is 0x8000
  loading section to address 0x80028000 from file position 0x811c, size is 0xe00
  loading section to address 0x80028e00 from file position 0x8f1c, size is 0x20
  loading section to address 0x80028e20 from file position 0x8f3c, size is 0x2c78584

The addresses change depending on the image/flash module.

Any hint how to make that card run IOS or is this a hardware issue?

It also does not read from a CF card (formatted and readable from a Sup2T, maybe that uses another format?) in rommon:

  rommon 2 > dir disk0:
  monlib does not contain a valid magic number
  dir: cannot open device "disk0:"

Same if I use disk1 or a CF to Flash-module adapter.

kind regards
Rolf
[c-nsp] Question about SVI interface acl counters + way of working
Hello,

Just wanted to drop some UDP flooding with an interface ACL. I configured:

  interface Vlan1373
   ip access-group block-flood in
  exit

Access-list is very simple:

  edge1-ams3#sh ip access-lists block-flood
  Extended IP access list block-flood
      10 deny udp any host 1.2.3.4 (589878 matches)
      20 permit ip any any (149516 matches)
  edge1-ams3#
  edge1-ams3#sh int Vl1373 | inc input rate
    30 second input rate 2772775000 bits/sec, 435403 packets/sec
  edge1-ams3#

The interface has a quite high amount of pps, but the acl hit count increases only by less than 200/sec for both entries together.
Does that ACL not filter all traffic passing the interface or why does the delta of ACL hits not match the number of incoming pps? Maybe it counts only packets going to the RP or something is cached and counts only every x packets?

Hardware is a Sup2T + WS-X6704-10GE, all traffic in that vlan is routed.

kind regards
Rolf
Re: [c-nsp] tcpdump-style debugging on 6500/7600
Hello,

I now see it works. Not as nice as tcpdump, but at least something to work with. ;)

Thanks for your help
Rolf

> On Fri, 2013-03-15 at 14:20 +0100, Rolf Hanßen wrote:
>> just tried it out, all ends with:
>>   %SPAN-5-PKTCAP_STOP: Packet capture session 1 ended after the specified time, 0 packets captured
>>
>>   edge1-dus1#sh monitor session 1 detail
>>   Session 1
>>   ---------
>>   Type              : Capture Session
>>   Description       : -
>>   Source Ports      :
>>       RX Only       : None
>>       TX Only       : None
>>       Both          : None
>>   Source VLANs      :
>>       RX Only       : None
>>       TX Only       : None
>>       Both          : None
>
> You need to specify something to capture just like for a normal SPAN session. Something like this:
>
>   monitor session 2 type capture
>    source vlan 120 both
>    filter access-group span-test
>   !
>
> or maybe:
>
>   monitor session 2 type capture
>    source interface GigabitEthernet1/1 rx
>    filter access-group span-test
>   !
>
>> Source/Destination Ports/vlans means the interfaces that take part in the capturing or the interfaces used for exporting capture data (I am missing the "any" keyword here)?
>
> It's the interface/VLAN from which you want to capture. Data isn't exported, it's stored locally.
>
> --
> Peter
Re: [c-nsp] DNS amplification
Hello,

is there some guide that covers the "this will go to the RP on Sup..." and the "this will also affect ..." and "this is limited to xy interfaces/vlans/routes" stuff?

We thought about implementing strict mode on some customer interfaces (those special customers who always get attacked and sometimes take revenge ;)) some time ago, but then saw that doc here:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/secure.html

We stopped after reading those sentences (it even does not mention any IPv6 limitations):

"The most recently configured mode is automatically applied to all ports configured for unicast RPF check. When you enter the ip verify unicast source reachable-via command, the unicast RPF check mode changes on all ports in the switch."

If that is not just a bad/wrong explanation or a joke, what sense does uRPF make if it cannot be enabled and configured for each interface individually and as a consequence of this cannot be implemented without possible service impact?

I am sure we are not the only ones that do not activate it because it may cause more problems than it will solve.

btw, if there is a way to enable it for single (vlan)interfaces (up to a few hundred) without any effect for other interfaces, please let me know.

kind regards
Rolf

Hi,

On Sat, Mar 16, 2013 at 03:59:25PM -0700, Laurent Geyer wrote:
Curious, how does uRPF help under this scenario? Although the source address is spoofed, the target is still a valid destination address.

uRPF helps everybody else - those of your customers with infected machines (and don't claim there aren't any) will not be able to initiate reflection attacks against other folks.

gert, deploying uRPF since 10+ years, it's really not that hard

(PS: and yes, the fact that Sup720 can't do IPv6 uRPF in hardware stinks)

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
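A small model of what strict and loose mode actually check, as an added example and not Cisco's implementation: a constructed FIB with longest-prefix match, a customer-facing SVI, and the spoofed-source case Gert describes (an infected customer host sending queries "from" a victim's address). Interface names and prefixes are constructed; the default route is treated like any other route in this model.

```python
import ipaddress

# Constructed FIB: one customer prefix on a customer-facing SVI, a second
# customer on another SVI, default route towards the upstream.
FIB = [
    ("0.0.0.0/0", "Te1/1"),
    ("192.0.2.0/28", "Vlan100"),
    ("198.51.100.0/24", "Vlan200"),
]


def lookup(fib, src):
    """Longest-prefix match for src. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib, src, ingress, mode="strict"):
    """True if a packet with source src arriving on ingress passes uRPF.

    strict: the best route to the source must point back out the ingress
            interface, so a source that "lives" elsewhere is dropped here.
    loose:  any route to the source is enough (only unroutable sources drop).
    """
    route = lookup(fib, src)
    if route is None:
        return False
    if mode == "loose":
        return True
    if mode != "strict":
        raise ValueError(f"unknown mode {mode!r}")
    return route[1] == ingress


def classify(fib, packets, mode):
    """Apply the check to (src, ingress) pairs; returns {src: passed}."""
    return {src: urpf_check(fib, src, ingress, mode) for src, ingress in packets}


if __name__ == "__main__":
    # Constructed traffic seen on the customer SVI: the customer's own address,
    # a spoofed reflection-attack source, and another customer's address.
    packets = [
        ("192.0.2.5", "Vlan100"),
        ("203.0.113.7", "Vlan100"),
        ("198.51.100.9", "Vlan100"),
    ]
    for mode in ("strict", "loose"):
        print(mode, classify(FIB, packets, mode))
```

Strict mode on the customer SVI drops both spoofed sources while loose mode passes them, which is why the thread talks about strict mode on customer interfaces specifically.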
Re: [c-nsp] tcpdump-style debugging on 6500/7600
Hello Peter,

just tried out, all ends with:
%SPAN-5-PKTCAP_STOP: Packet capture session 1 ended after the specified time, 0 packets captured

edge1-dus1#sh monitor session 1 detail
Session 1
---------
Type : Capture Session
Description : -
Source Ports :
    RX Only : None
    TX Only : None
    Both : None
Source VLANs :
    RX Only : None
    TX Only : None
    Both : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs : None
Dest RSPAN VLAN : None
Source IP Address : None
Source IP VRF : None
Source ERSPAN ID : None
Destination IP Address : None
Destination IP VRF : None
Destination ERSPAN ID : None
Origin IP Address : None
IP QOS PREC : 0
IP TTL : 255
Capture dst_cpu_id : 0
Capture vlan : 1013
Capture buffer size : 2048 KB
Capture rate-limit value : 1
Capture filters :
    acl : 25

Tried with these acls:

Standard IP access list 25
    10 permit 1.2.3.4
Extended IP access list span-test
    5 permit ip host 1.2.3.4 any
    10 permit ip any host 1.2.3.4

Maybe some other values/settings needed?
Source/Destination Ports/vlans means the interfaces that take part in the capturing or the interfaces used for exporting capture data (I am missing the any keyword here)?

kind regards
Rolf

On Thu, 2013-03-14 at 17:38 +0100, Rolf Hanßen wrote:
I saw there was already a discussion concerning that topic, but 5 years old:
http://www.gossamer-threads.com/lists/cisco/nsp/78543
Is there maybe some new tcpdump-style debugging feature available to provide such functions beside the suggested debug ip packet?

Take a look at monitor session N type capture.

1) I like to view traffic on a certain physical interface or switched vlan. I would like to see all packets and not a specific protocol or IP range. As far as I see I cannot specify an interface in an ACL but the debug ip packet only allows ACLs for filtering as far as I see.

SPAN capture can use an ACL.

Switch(config)#monitor session 2 type capture
Switch(config-mon-capture)#?
Monitor sess type capture config commands:
  buffer-size  Capture buffer size
  description  Properties for this session
  exit         Exit from capture session mode
  filter       Capture filter
  no           Negate a command or set its defaults
  rate-limit   Packets per second value
  source       SPAN source Interface/VLAN

Switch(config-mon-capture)#filter ?
  access-group  Filter access-list (hardware based)
  ethertype     Matching ethertype (software based)
  length        Matching L2-packet length (software based)
  mac-address   Matching mac-address (software-based)
  vlan          Filter vlan (hardware based)

2) I like to debug an IP connection and limit to a certain amount of packets (like show me the next 20 packets from/to host x.x.x.x). Can you tell me what bandwidth or pps I have to take into consideration to avoid overload?

This too:

Switch#monitor capture start for ?
  1-4294967295  Seconds or number of packets

To understand better what I do before typing it in on a 10G+ box: debug ip packet ... redirects the packets to the Management CPU and everything filtered with an ACL means that only packets matching the ACL are forwarded to the CPU, everything else is handled by the DFC/CFC+PFC only like usual. Correct?

I don't think that's the case for debug ip packet but it is for SPAN capture; it's hardware filtering for ACLs.

I'm looking for a way that works without exporting stuff to another box and low risk to overload CPU (live environment).

The captured traffic is handled by the processor, but only after filtering from the session if using ACLs.

Hardware in my case are several Sup720-3B, Sup720-3BXL or Sup2T with 67xx linecards. If there are special software revisions needed, please let me know.

It seems that SPAN capture isn't available in SXF but is in SXI. It probably also is in SXH. Maybe certain older HW releases can't do SPAN capture but at least revision 4.0 and newer (2004/2005-ish) seem to support it.

--
Peter
[c-nsp] tcpdump-style debugging on 6500/7600
Hi,

I saw there was already a discussion concerning that topic, but 5 years old:
http://www.gossamer-threads.com/lists/cisco/nsp/78543

Is there maybe some new tcpdump-style debugging feature available to provide such functions beside the suggested debug ip packet?

I am looking for such situations:

1) I like to view traffic on a certain physical interface or switched vlan. I would like to see all packets and not a specific protocol or IP range. As far as I see I cannot specify an interface in an ACL but the debug ip packet only allows ACLs for filtering as far as I see.

2) I like to debug an IP connection and limit to a certain amount of packets (like show me the next 20 packets from/to host x.x.x.x). Can you tell me what bandwidth or pps I have to take into consideration to avoid overload?

To understand better what I do before typing it in on a 10G+ box: debug ip packet ... redirects the packets to the Management CPU and everything filtered with an ACL means that only packets matching the ACL are forwarded to the CPU, everything else is handled by the DFC/CFC+PFC only like usual. Correct?

I'm looking for a way that works without exporting stuff to another box and low risk to overload CPU (live environment).

Hardware in my case are several Sup720-3B, Sup720-3BXL or Sup2T with 67xx linecards. If there are special software revisions needed, please let me know.

kind regards
Rolf Hanßen
Re: [c-nsp] timezone setting in networking gear; local, HQ, or UTC?
Hi,

we try to use UTC as far as possible (to avoid summer/winter time confusion), no big problem imho. But that's the POV of a European, we just need to add 1 or 2 hours, not subtract 6-9. ;)

kind regards
Rolf

my company is east-coast US, but now we're expanding West; for the first time we'll have routers/switches/etc in a different time zone. How does everyone else handle time zone settings on a network that spans multiple time zones? We've discussed internally about the pros/cons of setting them to their local timezone, or to match the timezone of HQ, or to just set everything as UTC.

--
deny ip any any (4393649193 matches)
Re: [c-nsp] STP active/listed on wrong port
Hello,

maybe just a bug I found, shutting down the port and re-enabling it solves it:

edge1-dus3#sh spanning-tree
No spanning tree instance exists.
edge1-dus3#

kind regards
Rolf

Hello,

I would also guess something in that direction if it was general/reproducible behaviour, but why does that happen only on this port? I have lots of ports with similar config (mode trunk, everything tagged) on several boxes and this is the only one listed in show spanning-tree.

Config samples:

interface GigabitEthernet7/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,1153
 switchport mode trunk
 load-interval 30
end

interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

interface TenGigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1122,1142,1293,1421,1429,1476,3404,3405
 switchport trunk allowed vlan add 3408-3410
 switchport mode trunk
 mtu 9216
 load-interval 30
end

Only 7/16 is listed and there is nothing on the config beside the above as far as I see:

edge1-dus3#sh running-config | inc 7/16
interface GigabitEthernet7/16
edge1-dus3#

kind regards
Rolf

You're using 802.1q, which uses an untagged native VLAN for things like STP BPDUs, CDP, VTP, etc., etc. Even though you pruned off VLAN 1 via the allowed VLANs command, the native VLAN will still be used for switch-generated protocols like those listed above. Only transit traffic is denied by pruning. If you change the native VLAN to something other than one (do it on both sides, or wacky/painful things can happen), you should see VLAN 1 no longer on that port.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
Sent: Tuesday, March 12, 2013 1:34 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] STP active/listed on wrong port

Hello list,

do you have an explanation why STP thinks Gi7/16 belongs to vlan 1?

edge1-dus3#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     5475.d0a6.75c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5475.d0a6.75c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi7/16              Desg FWD 4         128.1552 P2p

Interface Config:

interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

STP is disabled on all other vlans:
no spanning-tree vlan 2-4000

Gi7/16 is not listed here:

edge1-dus3#sh vlan id 1

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/5, Gi1/8, Gi1/13, Gi1/25, Gi1/27, Gi1/48, Te4/1, Gi6/1, Gi7/1, Gi7/3, Gi7/4, Gi7/5, Gi7/6, Gi7/7, Gi7/8, Gi7/9, Gi7/10, Gi7/11, Gi7/12, Gi7/13, Gi7/14, Gi7/15, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23, Gi7/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  11         1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Port is up and works fine:

edge1-dus3#sh int Gi7/16
GigabitEthernet7/16 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001d.a246.3743 (bia 001d.a246.3743)
  Description: custsw2-dus1 A16
  MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 6/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 27117000 bits/sec, 3517 packets/sec
  30 second output rate 24383000 bits/sec, 2860 packets/sec
[c-nsp] STP active/listed on wrong port
Hello list,

do you have an explanation why STP thinks Gi7/16 belongs to vlan 1?

edge1-dus3#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     5475.d0a6.75c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5475.d0a6.75c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi7/16              Desg FWD 4         128.1552 P2p

Interface Config:

interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

STP is disabled on all other vlans:
no spanning-tree vlan 2-4000

Gi7/16 is not listed here:

edge1-dus3#sh vlan id 1

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/5, Gi1/8, Gi1/13, Gi1/25, Gi1/27, Gi1/48, Te4/1, Gi6/1, Gi7/1, Gi7/3, Gi7/4, Gi7/5, Gi7/6, Gi7/7, Gi7/8, Gi7/9, Gi7/10, Gi7/11, Gi7/12, Gi7/13, Gi7/14, Gi7/15, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23, Gi7/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  11         1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Port is up and works fine:

edge1-dus3#sh int Gi7/16
GigabitEthernet7/16 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001d.a246.3743 (bia 001d.a246.3743)
  Description: custsw2-dus1 A16
  MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 6/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 27117000 bits/sec, 3517 packets/sec
  30 second output rate 24383000 bits/sec, 2860 packets/sec
     32078138057 packets input, 32998390284372 bytes, 0 no buffer
     Received 524965 broadcasts (173874 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     13839785752 packets output, 9991981200426 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

edge1-dus3#sh version
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)

Hardware is Cisco 7609-S, Sup720-3BXL, Slot 7 is a WS-X6724-SFP

kind regards
Rolf Hanßen
Re: [c-nsp] STP active/listed on wrong port
Hello,

I would also guess something in that direction if it was general/reproducible behaviour, but why does that happen only on this port? I have lots of ports with similar config (mode trunk, everything tagged) on several boxes and this is the only one listed in show spanning-tree.

Config samples:

interface GigabitEthernet7/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,1153
 switchport mode trunk
 load-interval 30
end

interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

interface TenGigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1122,1142,1293,1421,1429,1476,3404,3405
 switchport trunk allowed vlan add 3408-3410
 switchport mode trunk
 mtu 9216
 load-interval 30
end

Only 7/16 is listed and there is nothing on the config beside the above as far as I see:

edge1-dus3#sh running-config | inc 7/16
interface GigabitEthernet7/16
edge1-dus3#

kind regards
Rolf

You're using 802.1q, which uses an untagged native VLAN for things like STP BPDUs, CDP, VTP, etc., etc. Even though you pruned off VLAN 1 via the allowed VLANs command, the native VLAN will still be used for switch-generated protocols like those listed above. Only transit traffic is denied by pruning. If you change the native VLAN to something other than one (do it on both sides, or wacky/painful things can happen), you should see VLAN 1 no longer on that port.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
Sent: Tuesday, March 12, 2013 1:34 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] STP active/listed on wrong port

Hello list,

do you have an explanation why STP thinks Gi7/16 belongs to vlan 1?

edge1-dus3#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     5475.d0a6.75c0
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5475.d0a6.75c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi7/16              Desg FWD 4         128.1552 P2p

Interface Config:

interface GigabitEthernet7/16
 description custsw2-dus1 A16
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1253,1606
 switchport mode trunk
 mtu 9216
 load-interval 30
end

STP is disabled on all other vlans:
no spanning-tree vlan 2-4000

Gi7/16 is not listed here:

edge1-dus3#sh vlan id 1

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/5, Gi1/8, Gi1/13, Gi1/25, Gi1/27, Gi1/48, Te4/1, Gi6/1, Gi7/1, Gi7/3, Gi7/4, Gi7/5, Gi7/6, Gi7/7, Gi7/8, Gi7/9, Gi7/10, Gi7/11, Gi7/12, Gi7/13, Gi7/14, Gi7/15, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23, Gi7/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  11         1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Port is up and works fine:

edge1-dus3#sh int Gi7/16
GigabitEthernet7/16 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001d.a246.3743 (bia 001d.a246.3743)
  Description: custsw2-dus1 A16
  MTU 9216 bytes, BW 100 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 6/255, rxload 6/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 27117000 bits/sec, 3517 packets/sec
  30 second output rate 24383000 bits/sec, 2860 packets/sec
     32078138057 packets input, 32998390284372 bytes, 0 no buffer
     Received 524965 broadcasts (173874 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0
Re: [c-nsp] STP active/listed on wrong port
Hello,

shouldn't be a too old software issue. ;)

edge1-dus3#show version
Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 25-Mar-11 17:24 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)

edge1-dus3 uptime is 26 weeks, 4 days, 8 hours, 31 minutes
Uptime for this control processor is 26 weeks, 4 days, 8 hours, 2 minutes
System returned to ROM by s/w reset at 13:05:04 UTC Fri Sep 7 2012 (SP by bus error at PC 0x4048AF74, address 0x0)
System restarted at 13:52:05 UTC Fri Sep 7 2012
System image file is sup-bootflash:c7600s72033-advipservicesk9-mz.151-2.S.bin
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to exp...@cisco.com.

cisco CISCO7609-S (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
Processor board ID FOX1428GMLV
SR71000 CPU at 600MHz, Implementation 1284, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
37 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
16 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

edge1-dus3#

Hi,

On Tue, Mar 12, 2013 at 06:34:14PM +0100, Rolf Hanßen wrote:
do you have an explanation why STP thinks Gi7/16 belongs to vlan 1?

Some of the more stupid catalysts will always have vlan 1 on all trunks, and you can't remove it.

Corollary: don't use vlan 1 for anything interesting in your network.

Hardware is Cisco 7609-S, Sup720-3BXL, Slot 7 is a WS-X6724-SFP

Now *that* is actually more interesting, because 6500/7600 can do that just fine, that is, not have vlan 1 on trunks. What IOS version is that?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
Re: [c-nsp] MPLS Tutorial or Guide?
Hello list,

is there any book you can recommend? I am also interested in the VPN/transport feature mainly and want to run it on a C6500/Brocade mixed network. I see "MPLS and VPN Architectures" widely available, but I'm wondering, it was already released in year 2000, which sounds a bit outdated to me (don't know if something important changed during last years). English or German is fine.

kind regards
Rolf

Seth,

You could try the Configuration Guides...

MPLS Config Guide Home:
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/mpls/config_library/15-1mt/mp-15-1mt-library.html

General MPLS:
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/mp_basic/configuration/15-1mt/mp-mpls-overview.html

Layer 2 VPN (as you mentioned xconnects):
http://www.cisco.com/en/US/partner/docs/ios-xml/ios/mp_l2_vpns/configuration/15-1mt/mp-l2-vpns-15-1mt-book.html

I would still recommend reading the book... At least the basic stuff. You may turn it on, but things would seem weird if you do not really understand what's going on in the background...

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Seth Mattinen
Sent: Monday, September 17, 2012 10:47
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS Tutorial or Guide?

Does anyone have a good intro or beginner's guide to MPLS that they like? Something succinct and focused that's not a 500 page my-first-Cisco book. The situation I'm thinking is putting someone in front of some routers and switches in a lab setting and saying "take these and set them up to do MPLS and create some xconnects for simulated customers" with the assumption that they already have Cisco experience and can build a non-MPLS network, but who is new to MPLS alone.

~Seth
[c-nsp] Getting Source MAC of sh buffers output
Hello,

I think we got a flooding with ARP packets towards a SUP720-3B, I saw that here with sh buffers input-interface vlan xy header:

Buffer information for Small buffer at 0x4634BF8C
  data_area 0x802E5E4, refcount 1, next 0x4639A6A0, flags 0x200
  linktype 1 (ARP), enctype 1 (ARPA), encsize 14, rxtype 45
  if_input 0x48C6BA10 (Vlan1050), if_output 0x0 (None)
  inputtime 19w1d (elapsed 00:09:25.372)
  outputtime 19w1d (elapsed 00:33:13.308), oqnumber 65535
  datagramstart 0x802E65A, datagramsize 60, maximum size 308
  mac_start 0x802E65A, addr_start 0x802E65A, info_start 0x0
  network_start 0x802E668, transport_start 0x802E67C, caller_pc 0x41DC7428

Buffer information for Small buffer at 0x4634D4A4
  data_area 0x802F664, refcount 1, next 0x4639BBB8, flags 0x200
  linktype 1 (ARP), enctype 1 (ARPA), encsize 14, rxtype 45
  if_input 0x48C6BA10 (Vlan1050), if_output 0x0 (None)
  inputtime 19w1d (elapsed 00:09:08.472)
  outputtime 19w0d (elapsed 1d15h), oqnumber 65535
  datagramstart 0x802F6DA, datagramsize 60, maximum size 308
  mac_start 0x802F6DA, addr_start 0x802F6DA, info_start 0x0
  network_start 0x802F6E8, transport_start 0x802F6FC, caller_pc 0x41DC7428

Is there a way to find out the MAC-address those packets are coming from? None of the numbers looks like a MAC to me.

kind regards
Rolf
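The header output above carries buffer metadata only (encsize 14, network_start 14 bytes past mac_start, datagramsize 60), not the frame bytes; given the raw frame, for instance from a packet capture, the sender is in the Ethernet source address and again in the ARP sender hardware address. Added example, not from the post: a Python decoder for Ethernet/IPv4 ARP frames with a constructed test frame and a per-sender tally.

```python
import struct
from collections import Counter

ETH_HDR_LEN = 14        # matches "encsize 14" in the buffer header
ETHERTYPE_ARP = 0x0806
ARP_LEN = 28            # Ethernet/IPv4 ARP body
MIN_FRAME = 60          # "datagramsize 60": a 42-byte ARP frame padded to the minimum


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame into the addresses an ARP-flood triage needs."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    body = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN]
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_src": mac_str(src),
        "eth_dst": mac_str(dst),
        "op": op,                        # 1 = request, 2 = reply
        "sender_mac": mac_str(sha),
        "sender_ip": ".".join(map(str, spa)),
        "target_mac": mac_str(tha),
        "target_ip": ".".join(map(str, tpa)),
        # Sender hardware address differing from the frame source is worth a closer look.
        "sender_mismatch": src != sha,
    }


def build_arp_request(eth_src, sender_ip, target_ip, sha=None):
    """Constructed test frame: broadcast ARP who-has target_ip, padded to 60 bytes."""
    sha = eth_src if sha is None else sha
    ip_bytes = lambda ip: bytes(map(int, ip.split(".")))
    eth = struct.pack("!6s6sH", b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sha, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    frame = eth + arp
    return frame + b"\x00" * (MIN_FRAME - len(frame))


def top_senders(frames):
    """Count ARP frames by Ethernet source MAC, most frequent first."""
    return Counter(parse_arp_frame(f)["eth_src"] for f in frames).most_common()


if __name__ == "__main__":
    # Constructed flood: three requests from one station, one from another.
    noisy = bytes.fromhex("001122334455")
    quiet = bytes.fromhex("66778899aabb")
    frames = [build_arp_request(noisy, "192.0.2.10", "192.0.2.1")] * 3
    frames.append(build_arp_request(quiet, "192.0.2.20", "192.0.2.1"))
    print(parse_arp_frame(frames[0]))
    print(top_senders(frames))
```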
[c-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour
Hello,

this week we had an attack directly against one of our XMR (UDP packets to a transfer network IP). I was looking for a CoPP-equivalent and found the IP Receive ACLs feature.

In sample case of "I block all UDP and allow everything else" I would use that config here according to the manual:

access-list 101 remark BLOCK_UDP
access-list 101 deny udp any any
access-list 102 remark ALLOW_ANYTHING_ELSE
access-list 102 permit ip any any
ip receive access-list 101 sequence 5
ip receive access-list 102 sequence 10

Manual says that default policy is "deny ip any any" (applied after last rule). I am wondering what exactly is matched by "ip" because other protocols are not mentioned. Is "ip" an equivalent for ipv4 or more some kind of "any" in an extended access list? Does the above config work or do I need a standard access list like "access-list 50 permit any" at the end?

Does anybody maybe already have a known-to-work config for 0815 usage (BGP, OSPF, VRRP)?

kind regards
Rolf
Re: [c-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour
Sorry, wrong list, should go to foundry-nsp ;)

Hello,

this week we had an attack directly against one of our XMR (UDP packets to a transfer network IP). I was looking for a CoPP-equivalent and found the IP Receive ACLs feature.

In sample case of "I block all UDP and allow everything else" I would use that config here according to the manual:

access-list 101 remark BLOCK_UDP
access-list 101 deny udp any any
access-list 102 remark ALLOW_ANYTHING_ELSE
access-list 102 permit ip any any
ip receive access-list 101 sequence 5
ip receive access-list 102 sequence 10

Manual says that default policy is "deny ip any any" (applied after last rule). I am wondering what exactly is matched by "ip" because other protocols are not mentioned. Is "ip" an equivalent for ipv4 or more some kind of "any" in an extended access list? Does the above config work or do I need a standard access list like "access-list 50 permit any" at the end?

Does anybody maybe already have a known-to-work config for 0815 usage (BGP, OSPF, VRRP)?

kind regards
Rolf
Re: [c-nsp] replacing CARP with Cisco possible ?
Hi,

any idea how other providers offer such redundancy to end customers (if they do at all)? We have a mass of customers with /29 or /28 networks and losing IPs isn't an option in such cases imo. Using bigger networks would require giving up vlan separation for each customer, no option either.

regards
Rolf

On Thu, 2012-03-01 at 16:30 +0100, Rolf Hanßen wrote:
Is there a way to configure virtual IPs that do not belong to the hard-coded network (ip address x.x.x.x y.y.y.y) of the interface? I see that it is possible to configure other IPs, but this results in a warning and there is no possibility to set the netmask at all.

I was wondering the same some years ago. Take a look at this thread:
http://puck.nether.net/pipermail/cisco-nsp/2007-November/045409.html

We never got it to work. ARP requests are sourced from the real address, and you cannot add a connected static route for a VRF enabled interface, i.e. "ip route vrf A 192.168.1.0 255.255.255.0 Vlan50" fails. Also keep in mind that TTL exceeded replies (traceroute) would source from the real interface address.

Is there a possibility to have static routes that are only active if the node has enabled the virtual IP?

This in itself would be possible with an EEM script that follows the HSRP log messages and adjusts the configuration. It would trigger a configuration change, so Rancid or whatever you might use would log a change every time the HSRP state changes.

Is there anything else to take care of? Any limitations except the 4096 HSRP-IDs?

That's 256 for HSRPv1 by the way.

--
Peter
[c-nsp] replacing CARP with Cisco possible ?
Hello,

we have a few setups that do gateway failover with Linux + CARP and are thinking if we can replace them with HSRP (or VRRP).

The CARP setups are configured that way now:
- a small non-public network (something like 192.168.0.0/30) is configured on the interfaces and used to run CARP to avoid waste of public IPs.
- public IPs and static routes are enabled/disabled with the up/down-scripts (ip addr add/del x.x.x.x/y dev ethX, ip route add/del ...)

Looking into the config syntax I'm wondering if this setup can be done at all with VRRP/HSRP.

Is there a way to configure virtual IPs that do not belong to the hard-coded network (ip address x.x.x.x y.y.y.y) of the interface? I see that it is possible to configure other IPs, but this results in a warning and there is no possibility to set the netmask at all.

Is there a possibility to have static routes that are only active if the node has enabled the virtual IP?

Is there anything else to take care of? Any limitations except the 4096 HSRP-IDs?

We will be using SUP720-3B with 6548, 6748 and 6704 LCs, no DFCs. All Layer 3 stuff is configured inside vlan-interfaces, all physical interfaces are configured as switchports.

kind regards
Rolf
Re: [c-nsp] Recommendation for small GBit router
Hi,

ok, nevertheless, what can I expect from these 4 processors / platforms?
As far as I found, NPE-G1 / NPE-G2 will have SW updates till 2013/2015.
What throughput can a bigger/newer platform like Sup32/ASR provide with netflow?

kind regards
Rolf

> Hi,
>
> On Fri, Dec 16, 2011 at 03:37:59PM +0100, Rolf Hanßen wrote:
> > What about a NSE-100? Looks cheap on Ebay.
>
> There's a reason for that. End-of-life, and abandoned architecture (PXF).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
> fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

> On 16.12.2011 15:37, Rolf Hanßen wrote:
> > Hello,
> >
> > 2nd hand is no problem, I did not think about new stuff at all.
> > What about a NSE-100? Looks cheap on Ebay.
> > Docs say 3.5 Mpps (PXF); 450 kpps (RP).
> > Is IPv6 forwarded in hardware or via RP on NSE?
> >
> > Concerning Netflow on NSE-100/NSE-150/NPE-G1/NPE-G2 cards:
> > What traffic amount is realistic? Is the limiting factor bandwidth or pps?
> > What happens beyond the point it can handle to send the Netflow data properly?
> > Does that affect Netflow only (for example it sends incomplete data or switches to a sampling mode to reduce load) or will packet forwarding also be affected?
> > I'm just looking for high pps capability for flooding scenarios only. If just accounting loses some data in such cases it is not a big issue.
> > Anything else to take care of?
> >
> > Concerning other/software based solutions: I prefer some box that can replace the existing one without much time effort for testing/preparing/configuring.
> >
> > regards
> > Rolf
Re: [c-nsp] Recommendation for small GBit router
Hello,

2nd hand is no problem, I did not think about new stuff at all.
What about a NSE-100? Looks cheap on Ebay.
Docs say 3.5 Mpps (PXF); 450 kpps (RP).
Is IPv6 forwarded in hardware or via RP on NSE?

Concerning Netflow on NSE-100/NSE-150/NPE-G1/NPE-G2 cards:
What traffic amount is realistic? Is the limiting factor bandwidth or pps?
What happens beyond the point it can handle to send the Netflow data properly?
Does that affect Netflow only (for example it sends incomplete data or switches to a sampling mode to reduce load) or will packet forwarding also be affected?
I'm just looking for high pps capability for flooding scenarios only. If just accounting loses some data in such cases it is not a big issue.
Anything else to take care of?

Concerning other/software based solutions: I prefer some box that can replace the existing one without much time effort for testing/preparing/configuring.

regards
Rolf

> On 16 December 2011 10:53, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> > On 12/16/2011 01:09 AM, Rolf Hanßen wrote:
> > > Hi Andrew,
> > >
> > > just pure forwarding of a few public networks towards each other and internet with default route.
> > > No tunnels, no NAT, no DHCP, no VPN or something similar.
> > >
> > > Concerning relatively cheap: I'm searching for below 3000 Euro absolutely. ;)
> >
> > You'll get nothing in the Cisco range with that feature set for that price unless you go 2nd hand, IMO.
> >
> > Netflow at the same time as 1Gbit/sec is the killer - platforms that do both are lots.
> >
> > At this level of performance, consider whether a network tap linux machine with one of the software flow capture engines would be an alternative - then buy a low-end 3x50 catalyst, which will easily perform and do IPv6.
> >
> > Or tolerate 1Gbit/sec and buy one of the ISRs.
> >
> > ASR1001 would be my recommendation or there is a service module for the Cat 3560X switch that adds netflow capability.
>
> ASR1001 MSRP $17k + $5k for IP BASE licence
> WS-C3560X-24T-S MSRP $4,300 + $3,750 for C3KX-SM-10G service module + $500 for dual PSU
>
> neither of these options is close to the 3k target, and neither is readily available used.
>
> Up until recently Cisco had few low-end router platforms that could shift 1Gbps - only the 7304 NSE-150 or 7200 NPE-G2. Both are available used - I'd recommend the G2 above the NSE.
>
> The Cat switches can move the packets but support for IPv6 and Netflow is limited. I don't know how software in Nexus is shaping up.
>
> Other than that you're looking at high-end routers like OSR (10k), GSR (12k) or CRS which are overkill for the requirements.
>
> If you're looking for a non-Cisco solution, how about a Mikrotik? According to them the RB1100AHx2 can do 1Gbps and nearly 1Mpps for less than 500, which is cheap enough to try one to see if it meets your needs - http://routerboard.com/RB1100AHx2
>
> Aled
[c-nsp] Recommendation for small GBit router
Hello,

I am looking for a stable, reliable router / Layer3 switch that can do the following:
- forward at least 1GBit / 1Mpps
- full support of IPv6
- provide NetFlow data or similar for several hundred connected hosts in a way that can be used for IP-based accounting (including IPv6 and not sampled)
- small size (max. 5HU)
- redundant PSU

nice to have:
- bgp
- hsrp/vrrp

not needed:
- full table
- SFP or 10G interfaces
- high amount of interfaces (3x 1000T is ok)

At the moment there is a GSR 12008 used for it but it has no IPv6 support (apart from senseless size and power wasting).
I got a suggestion to take a refurbished 7206VXR + NPE-G1 but it still looks expensive to me for such an old piece of hardware.

Can you suggest a better/cheaper solution?

kind regards
Rolf Hanßen
Re: [c-nsp] Recommendation for small GBit router
Hi Andrew,

just pure forwarding of a few public networks towards each other and internet with default route.
No tunnels, no NAT, no DHCP, no VPN or something similar.

Concerning relatively cheap: I'm searching for below 3000 Euro absolutely. ;)

regards
Rolf

> Hi Rolf,
>
> On 16/12/2011, at 12:25 AM, Rolf Hanßen wrote:
> > I am looking for a stable, reliable router / Layer3 switch that can do the following:
> > - forward at least 1GBit / 1Mpps
> > - full support of IPv6
> > - provide NetFlow data or similar for several hundred connected hosts in a way that can be used for IP-based accounting (including IPv6 and not sampled)
> > - small size (max. 5HU)
> > - redundant PSU
>
> What type of connections do you want to terminate?
>
> An ASR1001 is pretty cheap (relatively) and a great little box - 1HE.
>
> Regards
> Andrew
[c-nsp] Oversubscription + port groups on WS-X6548-GE-TX
Hi,

I know that WS-X6548-GE-TX has only 8GBit fdx towards the chassis/bus and I was told recently that this bandwidth is maybe divided into some kind of port groups.
Unfortunately I found nothing except some old documents that describe some ASIC limitation in old CatOS versions while using port channels.

I now would like to know if there is another limitation beside the 8GBit total for any kind of configuration (with or without channels) with present IOS releases and Sup720 I need to take care of with these cards.

kind regards
Rolf
[c-nsp] show installed memory and usage
Hello list,

according to what I read, on a Sup720 I have:
- Switch processor DRAM
- Route processor DRAM
- Switch processor bootdisk
- Route processor bootdisk

I now want to find out what is installed and what is used (at least for the DRAM).

with "dir" I get the SP bootdisk I think:

  Directory of sup-bootdisk:/
  ...
  512024576 bytes total (303824896 bytes free)

"sh version" gives me:

  cisco CISCO7609-S (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.

"sh mem" shows:

                  Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
  Processor   47352690   885676400   581839952   303836448    78906924   302877164
        I/O        800    67108864    15793180    51315684    51315684    51313980

Are those values the RP memory or the SP memory?
How can I find out the values for the other memory not shown here?
How do I see the memory installed in the 2nd sup720 (in case it is not in a mode which requires the same sizes as the active card)? attach the slot and sh mem?

kind regards
Rolf Hanßen
Re: [c-nsp] Output of bgp advertised-routes with next-hop-self
Hi,

maybe we swap incoming/outgoing routes.

> the output of the command you have executed locally will *always* display the *real* next-hop!

But why? It obviously is not the nexthop that is sent to the peer.

> Execute the sh ip bgp neigh routes/received-routes - depending on config to *see* what your peer sees as next-hop!

With those commands I see the routes I receive and not those I advertise to that peer.
I would like to see which nexthop is sent to the peer.

> The more-important question *IS* - why do you have 'next-hop-self' configured?
> 1) e-bgp-speaker sending updates to its i-bgp peer/s?
> 2) All peers (E and I on same broadcast segment OR part of an NBMA-cloud) - the behavior is the same!
>
> ./Randy

Ok, forget the next-hop-self part, I thought it would have impact on outgoing routes also.

regards
Rolf

> --- On Sat, 10/8/11, Rolf Hanßen <n...@rhanssen.de> wrote:
>
> From: Rolf Hanßen <n...@rhanssen.de>
> Subject: [c-nsp] Output of bgp advertised-routes with next-hop-self
> To: cisco-nsp@puck.nether.net
> Date: Saturday, October 8, 2011, 4:12 PM
>
> Hi,
>
> I was just wondering about the output of:
>   sh bgp ipv6 unicast neighbors x advertised-routes
>   sh ip bgp neighbors x advertised-routes
>
> I have configured next-hop-self and think that the "Next Hop" column should show the IP of my side of the (e)BGP session.
> Quagga and Foundry XMR behave that expected way, Cisco 7600 does not (shows my internal nexthop no matter with or without next-hop-self, shutting the session has no influence either).
> Is that a bug or a feature?
>
> Version: Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
>
> kind regards
> Rolf
[c-nsp] Output of bgp advertised-routes with next-hop-self
Hi,

I was just wondering about the output of:
  sh bgp ipv6 unicast neighbors x advertised-routes
  sh ip bgp neighbors x advertised-routes

I have configured next-hop-self and think that the "Next Hop" column should show the IP of my side of the (e)BGP session.
Quagga and Foundry XMR behave that expected way, Cisco 7600 does not (shows my internal nexthop no matter with or without next-hop-self, shutting the session has no influence either).
Is that a bug or a feature?

Version: Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)

kind regards
Rolf
Re: [c-nsp] Basic IOS questions
Hello,

> Show log:
> If you are trying to get the current day's logs you can use
>   sh log | inc Sep  9
> (notice the two spaces since there is no zero and day is two digits)

Isn't there a way just to switch the order?
Obviously somebody at Cisco also thinks it could be comfortable, "sh ip ospf events" is ordered descending for example. ;)

> Ssh timeouts:
> The command you are looking for is exec-timeout; this has to be applied to the individual vty lines.

The missing part was "service tcp-keepalives-in".
So this config works as far as I can see:

  service tcp-keepalives-in
  line vty 0 4
   exec-timeout 0 0

> Ospf ipv6:
> Yes they replaced "router ospfv3" with "ipv6 router ospf"
>
> OSPF metric:
>
> Example 1:
>   sh ipv6 route | inc ^O
>   O   2001:::::/64 [110/49]
> The admin distance is 110 and metric is 49
>
> Example 2:
>   sh ipv6 route 2001:::::/64
>   Routing entry for 2001:::::/64
>     Known via ospf , distance 110, metric 49, type intra area
> Same admin distance and metric
>
> Unless there are changes in those code revisions that affect the show ipv6 route they should be the same.
>
> Mack

I think that is not the same. I set cost to 1000 for v4 and v6. This results in this output:

IPv4:
  Known via ospf 1, distance 110, metric 20, type extern 2, forward metric 1000
  Last update from 123.123.123.123 on Vlan1349, 1d14h ago
  Routing Descriptor Blocks:
  * 123.123.123.123, from 123.123.123.123, 1d14h ago, via Vlan1349
      Route metric is 20, traffic share count is 1

IPv6:
  Known via ospf 1, distance 110, metric 20, type extern 2
  Route count is 1/1, share count 0
  Routing paths:
    FE80::20B:FCFF:FE05:800, Vlan1349
      Last updated 16:58:47 ago

The router behind this Cisco shows the cost of 1000 I added for IPv6, so I think it is just not shown here but calculated and forwarded correctly.

kind regards
Rolf

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rolf Hanßen
> Sent: Friday, September 09, 2011 3:51 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Basic IOS questions
>
> Hi,
>
> I have some questions that came up while working with Cisco 7600/6500 boxes the first weeks. Maybe you guys have some hints for me.
>
> order of sh log:
> Is there a way to show the latest entries first instead of scrolling down to the end?
>
> ssh timeouts:
> I would like to disable the console timeout for ssh sessions. I.e. the sessions should only be closed if the ssh tcp connection has a timeout.
> I tried a few commands that sounded like timeout but none worked.
>
> OSPF IPv6 documentation:
> several documents tell me to use "router ospfv3" to set up OSPF for IPv6 but it is not available in the cli.
> I could set up OSPF with "ipv6 router ospf" at least similar to the v4 version.
> Did that replace "router ospfv3" or why can I not enter it?
>
> OSPFv6 costs:
> How can I see the costs of an OSPF v6 route? "sh ip route" shows an entry "forward metric" but "sh ipv6 route" shows nothing similar.
>
> Software used:
> 6500: 12.2(33)SXJ
> 7600: 15.1(2)S
>
> kind regards
> Rolf Hanßen
[c-nsp] Basic IOS questions
Hi,

I have some questions that came up while working with Cisco 7600/6500 boxes the first weeks. Maybe you guys have some hints for me.

order of sh log:
Is there a way to show the latest entries first instead of scrolling down to the end?

ssh timeouts:
I would like to disable the console timeout for ssh sessions. I.e. the sessions should only be closed if the ssh tcp connection has a timeout.
I tried a few commands that sounded like timeout but none worked.

OSPF IPv6 documentation:
several documents tell me to use "router ospfv3" to set up OSPF for IPv6 but it is not available in the cli.
I could set up OSPF with "ipv6 router ospf" at least similar to the v4 version.
Did that replace "router ospfv3" or why can I not enter it?

OSPFv6 costs:
How can I see the costs of an OSPF v6 route? "sh ip route" shows an entry "forward metric" but "sh ipv6 route" shows nothing similar.

Software used:
6500: 12.2(33)SXJ
7600: 15.1(2)S

kind regards
Rolf Hanßen
Re: [c-nsp] Cisco 6500/SUP720-3B EtherChannel Sample ?
Hi,

I just thought about how to add an interface to a running channel and I am wondering about the config after adding a port.
If you have an existing channel and use "channel-group ..." on a clean interface to add it, the config of the physical interface is not extended with the config of the channel (for example the "switchport trunk allowed vlan ..." line).
But if you change the config of the channel, the config of the member ports is updated automatically.

What happens if I have 2 ports in the channel with different allowed vlans?
Is the physical interface config ignored (and the channel interface vlans are valid on all members) or does this really work and a vlan only configured on one port of the channel is handled like a vlan on a non-channel port?

kind regards
Rolf

> add command 'channel-group 5 mode on' to interface. This creates port-channel interface
>
> configuration below from one 7609 SUP720
>
> interface Port-channel5
>  description xxx link
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1-253,255-283,285-288,291-306,308-337,339-355
>  switchport trunk allowed vlan add 357-372,375,376,380-382,384-388,390-531
>  switchport trunk allowed vlan add 534-603,607-610,612-691,693-703,705-899
>  switchport trunk allowed vlan add 901-973,975-1156,1158-1207,1209-1252
>  switchport trunk allowed vlan add 1254-1268,1270,1271,1274-1276,1278-1296
>  switchport trunk allowed vlan add 1298-1356,1358-1383,1385-1422,1424-1513
>  switchport trunk allowed vlan add 1515-1524,1526-1604,1606,1608-1628,1630
>  switchport trunk allowed vlan add 1632-1968,1971-1979,1981-2099,2101-2204
>  switchport trunk allowed vlan add 2206-2899,2901-3472,3474,3476-3478,3480-4094
>  switchport mode trunk
>  switchport nonegotiate
>  mtu 2200
>  load-interval 30
>  mls qos trust cos
>
> interface TenGigabitEthernet7/1
>  description xxx portchannel 5
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1-253,255-283,285-288,291-306,308-337,339-355
>  switchport trunk allowed vlan add 357-372,375,376,380-382,384-388,390-531
>  switchport trunk allowed vlan add 534-603,607-610,612-691,693-703,705-899
>  switchport trunk allowed vlan add 901-973,975-1156,1158-1207,1209-1252
>  switchport trunk allowed vlan add 1254-1268,1270,1271,1274-1276,1278-1296
>  switchport trunk allowed vlan add 1298-1356,1358-1383,1385-1422,1424-1513
>  switchport trunk allowed vlan add 1515-1524,1526-1604,1606,1608-1628,1630
>  switchport trunk allowed vlan add 1632-1968,1971-1979,1981-2099,2101-2204
>  switchport trunk allowed vlan add 2206-2899,2901-3472,3474,3476-3478,3480-4094
>  switchport mode trunk
>  switchport nonegotiate
>  mtu 2200
>  load-interval 30
>  mls qos trust cos
>  channel-group 5 mode on
>
> interface TenGigabitEthernet7/3
>  description xxx portchannel 5
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 1-253,255-283,285-288,291-306,308-337,339-355
>  switchport trunk allowed vlan add 357-372,375,376,380-382,384-388,390-531
>  switchport trunk allowed vlan add 534-603,607-610,612-691,693-703,705-899
>  switchport trunk allowed vlan add 901-973,975-1156,1158-1207,1209-1252
>  switchport trunk allowed vlan add 1254-1268,1270,1271,1274-1276,1278-1296
>  switchport trunk allowed vlan add 1298-1356,1358-1383,1385-1422,1424-1513
>  switchport trunk allowed vlan add 1515-1524,1526-1604,1606,1608-1628,1630
>  switchport trunk allowed vlan add 1632-1968,1971-1979,1981-2099,2101-2204
>  switchport trunk allowed vlan add 2206-2899,2901-3472,3474,3476-3478,3480-4094
>  switchport mode trunk
>  switchport nonegotiate
>  mtu 2200
>  load-interval 30
>  mls qos trust cos
>  channel-group 5 mode on
>
> site#sh etherchannel 5 detail
> Group state = L2
> Ports: 2   Maxports = 8
> Port-channels: 1 Max Port-channels = 1
> Protocol:    -
> Minimum Links: 0
>
> Ports in the group:
> -------------------
> Port: Te7/1
> ------------
> Port state    = Up Mstr In-Bndl
> Channel group = 5     Mode = On      Gcchange = -
> Port-channel  = Po5   GC   = -       Pseudo port-channel = Po5
> Port index    = 0     Load = 0x55    Protocol = -
> Mode = LACP
> Age of the port in the current state: 160d:04h:22m:01s
>
> Port: Te7/3
> ------------
> Port state    = Up Mstr In-Bndl
> Channel group = 5     Mode = On      Gcchange = -
> Port-channel  = Po5   GC   = -       Pseudo port-channel = Po5
> Port index    = 1     Load = 0xAA    Protocol = -
> Mode = LACP
> Age of the port in the current state: 117d:23h:20m:43s
>
> Port-channels in the group:
> ---------------------------
> Port-channel: Po5
> ------------
> Age of the Port-channel   = 167d:04h:04m:53s
> Logical slot/port   = 14/5          Number of ports = 2
> GC                  = 0x            HotStandBy port = null
> Port state          = Port-channel Ag-Inuse