[c-nsp] Monitoring NAT64 on ASR1k
We're making extensive use of stateful NAT64 on ASR1k but can't find any SNMP MIBs for monitoring this feature. Is anyone aware of a method we could use to at least monitor whether our IPv4 pools are (nearly) full?

Tom
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco 4900M questions
On 25 Feb 2014, at 12:35, Blake Pfankuch - Mailing List blake.mailingl...@pfankuch.me wrote:
> My second question is hardware related... I have 2 devices that I would like to uplink entirely into this 4900M environment, however they only support 10gbit with SFP+ connectivity. I can get 10gbit fiber SFP's however they are enforced to the manufacturer (confirmed) and run about $1800 a piece. I know there are some funky requirements with the twingig x2 adaptors. Does anyone have experience with the OneX x2 adaptors to present SFP+ out of the built in onboard X2 interfaces? With this being DEV/QA and me trying to be cheap, has anyone used the off brand modules for this?

We connect UCS Fabric Interconnects to 4900M with OneX adapters in the 4900M's built-in ports with no problems. We have WS-X4908-10GE 8-port X2 cards in the slots and have not tried OneX adaptors in those ports (but do have TwinGig adaptors in the 8-port oversubscribed cards to convert to 2x 1Gbps SFPs).

Tom
[c-nsp] Experience with ASR1k IOS XE 3.10S or 3.11S?
Hi list,

We have some ASR1002 running 3.4.0aS and 3.7.2S and are looking to upgrade (at least the 3.4.0a boxes); I wondered whether 3.10.x or 3.11.0 have had any major issues for anyone?

We're also keen to bring up inter-chassis stateful NAT64 redundancy between a couple of the ASRs - has anyone any good/bad experience with this feature?

Thanks,
Tom
Re: [c-nsp] Prefer (outbound) certain bgp peer for AS or subnet ?
On 15/10/2013, at 12:47 PM, CiscoNSP List cisconsp_l...@hotmail.com wrote:
> Hi, Have 2 BGP peers with upstreams(full tables from each) on an ASR1000, and we are seeing asymmetric routing for an AS (and /24) - Customer believes this is causing performance issues. Egress traffic to this AS + /24 is going via upstream A (As it only has 3 AS's - Upstream B has 4 AS's to this destination), but return traffic is coming in via upstream B. What is the best method to prefer upstream B egress (For AS or /24)? (But still maintain redundancy if upstream B should go down)?

How about using a route-map on the upstream B peer to set a higher local-preference for that originating AS (using an as-path access-list) or prefix (using an ip prefix-list)?

Tom
Re: [c-nsp] reading HSL/NEL NetFlow/IPFIX streams on ASR [was: Announcement: FlowViewer v4.1]
Has anyone found any open-source tools which will receive HSL streams from an ASR? I've tried numerous for our NAT64 ASR1k devices - and from what I remember - whilst they understand and receive the NetFlow v9 template packets, the data packets are silently discarded as an unknown format.

Tom

On 26/06/2013, at 6:42 AM, Joe Loiacono jloia...@csc.com wrote:
> It appears that these ASR logging features export events with a single event time (IPFIX IE #230 for NEL and #323 for HSL). SiLK does not support these fields. Further, FlowViewer relies on typical flow start and end times as well, so I believe the tool will not support these exports.
>
> Joe
>
> From: Luis Miguel Cruz Miranda luis...@imasd.net
> Does it support HSL or NEL for ASR routers?
[c-nsp] NAT64-6-ADDR_ALLOC_FAILURE on ASR1000
Hi list,

Anyone seen these messages before on an ASR1k doing stateful NAT64?

%IOSXE-6-PLATFORM: F0: cpp_cp: QFP:00 Thread:067 TS:00040171576961408317 %NAT64-6-ADDR_ALLOC_FAILURE: Address allocation failed; pool 4 may be exhausted

The box seems to have plenty of free memory and plenty of free ports in the NAT64 v4 pool. I've cleared all the NAT64 translations but the ADDR_ALLOC_FAILURE messages return immediately upon the next v6 -> v4 connection initiation.

Tom
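A syslog-side check for the message quoted in this post, as an added example that is not part of the original thread: it counts %NAT64-6-ADDR_ALLOC_FAILURE events per pool inside a sliding window and reports the pools that cross a threshold. The receive timestamps, the 60-second window and the threshold of 3 are assumptions, and the sample events are constructed from the single message in the post.

```python
import re
from collections import defaultdict, deque

# Text of the NAT64 message exactly as quoted in the post; the IOSXE platform
# wrapper in front of it (slot, QFP, thread, TS counter) is not needed to match.
ALLOC_FAIL = re.compile(
    r"%NAT64-6-ADDR_ALLOC_FAILURE: Address allocation failed; "
    r"pool (?P<pool>\d+) may be exhausted"
)


def parse_alloc_failure(message):
    """Return the pool id (int) if message is a NAT64 allocation failure, else None."""
    m = ALLOC_FAIL.search(message)
    return int(m.group("pool")) if m else None


def pools_in_alarm(events, window_s=60, threshold=3):
    """Find pools with at least `threshold` failures inside `window_s` seconds.

    events: iterable of (receive_time_seconds, message) in time order. The
    receive time is the collector's own clock (an assumption of this example),
    not the TS field inside the message.
    Returns {pool_id: time at which the threshold was first reached}.
    """
    recent = defaultdict(deque)   # pool id -> receive times still inside the window
    alarms = {}
    for t, msg in events:
        pool = parse_alloc_failure(msg)
        if pool is None:
            continue              # unrelated syslog line
        q = recent[pool]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold and pool not in alarms:
            alarms[pool] = t
    return alarms


# Constructed sample events, modelled on the one message in the post.
_BODY = (
    "%IOSXE-6-PLATFORM: F0: cpp_cp: QFP:00 Thread:{th:03d} TS:{ts:020d} "
    "%NAT64-6-ADDR_ALLOC_FAILURE: Address allocation failed; "
    "pool {pool} may be exhausted"
)
SAMPLE_EVENTS = [
    (0, _BODY.format(th=67, ts=40171576961408317, pool=4)),
    (5, "%LINK-3-UPDOWN: Interface GigabitEthernet0/0/2, changed state to up"),
    (20, _BODY.format(th=12, ts=40171596961408317, pool=4)),
    (45, _BODY.format(th=67, ts=40171621961408317, pool=4)),
    (50, _BODY.format(th=30, ts=40171626961408317, pool=7)),
    (400, _BODY.format(th=30, ts=40171976961408317, pool=7)),
]

if __name__ == "__main__":
    for pool, when in sorted(pools_in_alarm(SAMPLE_EVENTS).items()):
        print(f"pool {pool}: allocation failures crossed threshold at t={when}s")
```
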
Re: [c-nsp] Change BGP default-originate to IGP?
Thanks for the tips, we'll have a play with some of the options suggested around originating the default.

On 05/10/2012, at 11:52 AM, Anton Kapela wrote:
> also +1 to inter-border router ibgp sessions over some other layer2 path/port pair/etc -- one should always have that, unless you can't for some strange reason.

On 27/09/2012, at 11:24 PM, David Prall wrote:
> As well could put a GRE Tunnel or VLAN between the two ASR's and run iBGP between the two. You control the path between the two routers, so the tunnel can be over a jumbo frame capable path.

I'm glad an iBGP session between the ASRs over a GRE tunnel was mentioned, as that's exactly what we have running and I was questioning whether this was a bad practice or not...

Thanks,
Tom
[c-nsp] ASR1k client VPN - L2TP over IPSec
Not strictly NSP related, but does anyone have an example of a working config for L2TP over IPSec on an ASR1K? Specifically I'm trying to get this working for client-initiated VPN on workstations/laptops which are usually behind NAT.

Below is where I'm up to. The IPSec phase 1 & 2 SAs appear to come up, but I don't see any L2TP/VPDN debug messages on the ASR1K from my Mac test machine. Also if there's a simpler way to define the crypto config so that I don't need to apply a map to the loopback, tips would be appreciated!

Regards,
Tom

vpdn enable
vpdn-group l2tp-client-vpn
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key test address 0.0.0.0
!
crypto ipsec transform-set VPNSET-l2tp-users esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map VPNMAP-dynamic-users 10
 set transform-set VPNSET-l2tp-users
!
crypto map VPNMAP-l2tp-users 10 ipsec-isakmp dynamic VPNMAP-dynamic-users
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 no ip redirects
 ipv6 address 2001:db8::1/128
 ipv6 enable
 no ipv6 redirects
 crypto map VPNMAP-l2tp-users
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool l2tp-client-vpn-pool
 ppp authentication ms-chap
Re: [c-nsp] Change BGP default-originate to IGP?
On 28/09/2012, at 4:03 AM, Christian Meutes wrote:
> The best way is here really to inject the defaults via ISIS.

Great - that's my current thinking too. I just wanted to double-check that this was reasonable and I wasn't missing something!

Tom
[c-nsp] Change BGP default-originate to IGP?
Hi list,

In an enterprise network I have a core of 4900Ms with a few ASR1ks hanging off to handle upstream connectivity. As an example:

Upstream1 - [ASR1k]--[4900M]--[4900M]--[ASR1k] - Upstream2
                        ||       ||
                     Servers  Workstations, etc

The ASRs and 4900Ms are running BGP and ISIS with full tables on the ASRs and mostly just defaults on the 4900Ms. The ASRs are originating defaults via BGP but on reload they are blackholing traffic whilst BGP converges.

I've seen that OSPF and ISIS have 'wait-for-bgp' overload bits available and have been questioning whether switching to an IGP-generated default with wait-for-bgp is the correct solution here. Any thoughts?

Thanks,
Tom
Re: [c-nsp] ASR IPv6 image
On 17/09/2012, at 9:41 PM, Nikolay Shopik wrote:
> Hey, Just wondering does ASR routers need advanced ip services to route IPv6 traffic? Feature navigator report mostly says yes, as IPv6 support on base image is pretty much limited or better say non-existent. Can anyone confirm/deny?

We just had an ASR1002 replaced with a new device running IP Base 3.4.0S and it had no problems running basic IPv6 unicast routing w/BGP and IS-IS. We've taken it back up to Adv IP Services now, however, so I can't do any specific tests for you.

Tom
Re: [c-nsp] Change BGP default-originate to IGP?
Is there a specific order in which BGP updates are sent/exchanged/processed? The concern I have with tracking upstream routes is that the route tracked would need to be one of the last routes received (if not the last) to ensure that the router has full visibility. This seems quite non-deterministic and so potentially fraught with 'weirdness'.

Thanks,
Tom

On 27/09/2012, at 12:19 PM, David Prall wrote:
> Why not use selective advertisement of the default based on receiving a specific route from your carrier or an upstream you know to be stable.
> http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_n1g.html#wp1037042
>
> David
Re: [c-nsp] ASA vs. ASR for large Wireless NAT deployment ?
On 29/11/2011, at 4:14 AM, Mark Tinka wrote:
> On Tuesday, November 29, 2011 01:29:41 AM P C wrote:
>> I think t-mobile is running public customer trials with IPV6-only customers and NAT64. You can sign up here:
>> http://www.personal.psu.edu/dvm105/blogs/ipv6/2010/07/t-mobile-ipv6-open-trial.html
>
> We have ours working - of course, Skype and friends don't work yet (although GTalk is working).

What are people using for an internal NAT64 prefix?

We're trialling a v6-only realm in our new datacentre deployment and using NAT64 on ASR1002s to reach the public v4 Internet. The ASR1000s refused to use the well-known 64:ff9b::/96 prefix for stateful NAT64, so I've currently got it running on a FD64::/96 ULA prefix and keen to hear what others are doing. Are you using private space or just using a /96 from your RIR allocated v6 space?

Thanks,
Tom
Re: [c-nsp] ASA vs. ASR for large Wireless NAT deployment ?
On 01/12/2011, at 4:16 AM, Mark Tinka wrote:
>> What are people using for an internal NAT64 prefix?
>
> We are using a /96 from within our PA allocation.

Good to know.

> One thing IOS XE seems to do is accept only one Pref64 prefixes for the entire chassis. We have scenarios where we might want to have multiple Pref64 prefixes in the same NAT64 router. Pushing Cisco on that.

My understanding from the options available in the IOS XE CLI (we're on 3.4.0aS) is that I can assign another pref64 to an interface, instead of using the globally assigned prefix.

(config)# int gi0/0/2
(config-int)# nat64 prefix stateful fd65::/96

#show nat64 prefix stateful interface
Stateful Prefixes
Interface              NAT64 Enabled  Global  Prefix
GigabitEthernet0/0/0   TRUE           TRUE    FD64::/96
GigabitEthernet0/0/2   TRUE           FALSE   FD65::/96

Tom
Re: [c-nsp] ASA vs. ASR for large Wireless NAT deployment ?
On 01/12/2011, at 11:29 AM, Mark Tinka wrote:
> 1. WKP (which you say isn't working - we haven't gone that route, so don't know).

It's not that it doesn't work, it's not supported. :)

(config)#nat64 prefix stateful 64:ff9b::/96
%NAT64: Cannot use the well-known prefix 64:FF9B::/96 for a stateful prefix

Cheers,
Tom
Re: [c-nsp] switch with 2x 10GBASE-T interfaces
On 02/10/2011, at 12:03 PM, Martin T wrote:
> In addition, as I checked the 4900 series as well, do built in X2 ports (the ones in the chassis http://mcaf.ee/us1dt) in 4900M support TwinGig Converter Module? According to documentation they don't. Any experience with this?

Only the 8-port X2 half card (X4908) supports the TwinGig modules. The OneX modules (X2 to SFP+) are supported in all X2 ports, even the built-in chassis ports.

A 4900M would meet your needs, but you'd have to configure as:

1x WS-X4908-10G-RJ45 (8x 10GBASE-T ports)
1x WS-X4908-10GE (8x X2 10Gb ports) + 8x CVR-X2-SFP TwinGig converter + 14x GLC-T (14x 1000BASE-T ports)

That would leave 2x SFP ports spare on the TwinGigs for your LX10 optics and all 8x X2 ports on the chassis free for other 10gig purposes. It's a bit more expensive like this than making use of the WS-X4920-GB-RJ45 20 port 1000BASE-T card, though, which you could do if you didn't need the 2x LX10 SFPs. Could you upgrade to 10GBASE-LR? You could put 2x X2-10GB-LR adapters in the X2 chassis slots.

Tom
[c-nsp] Nexus 2232 FEX into UCS 6120/6140?
Hi list,

Slightly off-topic for NSP, but was just wondering if anyone's tried plugging a 2232PP Nexus FEX into a UCS 6100 series fabric interconnect? This doesn't appear to be supported (although it's apparently possible to plug one of the 48x GigE FEXs in), but I'm curious whether it currently works unsupported or is planned to be supported in a future software release.

The goal here is to be able to plug a bunch of C-series UCS servers in via 10 Gig + FCoE so that they can be managed by the same UCS Manager instance as all the B-series UCS blade servers connected to a (pair of) 6100. Obviously we can consolidate all of this at a higher level into a N5K or N7K, but then we're not able to manage the C-series servers via the UCS Manager.

The only supported option seems to be plugging the C-series servers directly into the 6100 devices, but then we're limited to a maximum of ~40 servers (dual-homed to a pair of 40-port 6140s, minus whatever ports are occupied by uplinks or B-series chassis downlinks) and also need to pay the per-port licenses and have a nightmare cabling all the servers back to the 6100s.

My understanding is that the 6100 and N5k share common HW, so I'd imagine that this is theoretically possible...

Thanks,
Tom
Re: [c-nsp] Netflow on ISR G2
On 16/04/2010, at 5:12 PM, Dobbins, Roland wrote:
> On Apr 16, 2010, at 1:35 PM, jayaprakash...@airtel.in wrote:
>> Now is there anything else that we need to consider while considering the support for netflow and the additional CPU load that will be introduced.
>
> NDE CPU utilization should be single-digit - while any feature can put a router over the edge in terms of aggregate CPU, lab testing prior to deployment with your anticipated feature-set and configuration, using generated test traffic, should provide assurance and validation.

Obviously doing this in a lab as Roland suggests will provide better figures, but can anyone provide experience on throughput to expect using a 38xx or 39xx for basic BGP to 2-3 full table peers with the basic edge services (NetFlow, ACLs, uRPF) enabled, before its CPU hits the roof?

A 3845 lists at 256Mbps and a 3945 at 502Mbps in the routing performance throughput tables, but I am interested in how much of that people are actually seeing...

Regards,
Tom
Re: [c-nsp] Netflow on ISR G2
On 16/04/2010, at 8:19 PM, Dobbins, Roland wrote:
> On Apr 16, 2010, at 4:38 PM, Tom Lanyon wrote:
>> A 3845 lists at 256Mbps and a 3945 at 502Mbps in the routing performance throughput tables, but I am interested in how much of that people are actually seeing...
>
> Note that this is going to be highly situationally-dependent based upon many factors, including traffic types, configuration details, pps, packet-size.

Of course; I was merely hoping for others' experiences in such varied real-world situations.

> Also, throughput (i.e., pps) throughout the performance envelope is actually a more important and relevant metric than bandwidth (i.e., bps).

Well, some experience with pps as well as bps in such situations would also be helpful. :)

Regards,
Tom
Re: [c-nsp] what is it with 3550s?
On 23/02/2010, at 7:41 AM, Jeff Kell wrote:
> On 2/22/2010 3:45 PM, Seth Mattinen wrote:
>> Exactly. Correct me if I'm wrong, but as far as I know the only way to get that functionality back is a 6500, and that's a *huge* step.
>
> Umm, 4500 Sup-IV appears to support input/output (or at least doesn't bitch at the configs in a quick test...).

Does that mean a 4948/4900M could possibly support it too?

Tom
Re: [c-nsp] IPV6 again
On 03/02/2010, at 9:33 PM, Gert Doering wrote:
> On Wed, Feb 03, 2010 at 09:07:23PM +1030, Tom Lanyon wrote:
>> They are not handing out an for www.youtube.com but most of the content (img+video) servers are on v6.
>
> Actually you're missing all the fun :-)
>
> www.youtube.com is an alias for youtube-ui.l.google.com.
> youtube-ui.l.google.com has address 74.125.79.102
> youtube-ui.l.google.com has address 74.125.79.101
> youtube-ui.l.google.com has address 74.125.79.100
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::64
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::66
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::71
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8b
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::65
> youtube-ui.l.google.com has IPv6 address 2a00:1450:8005::8a
>
> (since this morning)
>
> gert

Hi Gert,

I spoke too soon! That wasn't available for me 12 hours ago. :)

Tom
Re: [c-nsp] Adding vlan to port-channel trunk causes port-channel to flap
On 08/01/2010, at 6:53 AM, Jared Gillis wrote:
> Hi all, I just ran into a strange problem on a 3750ME. I've got two gig ports in an active LACP port-channel looking like this:
> snip
> When I added vlan 400 to the trunk allowed vlan list, one of the underlying gig ports flapped, which caused the port-channel to flap as well.
> snip
> This definitely seems like something that should not happen. I'm running Cisco IOS Software, C3750ME Software (C3750ME-I5K91-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2). Any thoughts on what I should be checking?

Hi Jared,

I've run into the same problem on our 3750Gs and 3750Es (running 12.2(46)SE) with no solution so far. The log on our switches indicates that it's due to the config for the Port-Channel being different than the underlying Gix/y/z interfaces, which is not allowed, so it shuts the etherchannel down.

I tried to work around this by adding the VLAN to all ports at once, eg:

conf t
int ran gi1/0/1, gi1/0/2, po1
sw trunk allowed vlan add 400
end

... but this didn't seem to help. This has been a constant problem with earlier IOS releases too so I don't believe it's just 12.2(46) to blame. I assumed there was a simple solution, but hadn't had enough impetus to search for it yet.

Tom
Re: [c-nsp] tacacs+ an nexus 5010
No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I don't see anything from the nexus. It's like it doesn't leave the box at all.

or is blocked elsewhere - check the network that the TACACS+ traffic is being sent on and check ACLs etc that might be in the way on the way to the server. check firewall on server to ensure such traffic is allowed. ping and telnet are okay but they won't test the actual method used.

... and are you using the correct 'ip tacacs source-interface' to source the traffic?
Re: [c-nsp] Cisco 4900M onboard X2 and twingig convertors
On 22/06/2009, at 9:15 PM, Sam Stickland wrote:
> Hi, Is anyone able to confirm whether the onboard X2 slots on the 4900M support the twin-gig modules? Some of the documentation suggests they are only supported on the 8-Port (2:1) 10 Gigabit Ethernet (X2) Half Card, but I haven't seen any that definitively rules out their use on the onboard slots.
>
> Thanks, Sam

All the documentation for the 4900M insists that they only work in the 8-port card, but I've not tested them in any of the other cards or in the base chassis.

-Tom
Re: [c-nsp] Sup720 vs RSP720 - Difference?
On 23/06/2009, at 7:22 AM, Lukasz Bromirski wrote:
> On 2009-06-22 23:12, MKS wrote:
>> For example ASR 1k with RP1 or RP2 end properly sized ESP. Look for the cisco.com site for details.
>>
>> Does someone has some performance reference regarding the netflow implementation for the ASR1K? How does it scale and that sampling options are there?
>
> The size of flow cache is dependent upon the ESP used. For ESP5 it's 512k entries, for ESP10 it's 1M and for ESP20 it's 2M, essentially the QFP is doing all the processing, RP is responsible only for export. Sampling up to 1:1 is supported, with v5/v8/v9.

Does anyone know how the newer architecture of the ASR1k ESP compares to a 7200 NPE-G2 in regards to 'all services enabled' performance? If I recall previous discussions on this list, it's fairly easy to overload the CPU on the NPE when you start enabling QoS, NetFlow, WCCP, FPM, etc. Do the ASR1k ESPs do this any better?

The ESP data sheets show a 50-60% pps performance decrease with 'commonly-used features' enabled so I assume it's fairly similar, but the ESP provides a higher maximum throughput so enabling features is not so much of an issue? At least with the ESP, Cisco are providing some theoretical maximum vs standard performance figures.

-Tom
Re: [c-nsp] full routing table / provider-class chassis
On 13/06/2009, at 7:33 AM, Peter Rathlev wrote:
>> Now, let's stop talking about non-DFC cards and start talking about equipment which can handle uRPF on every port, full Netflow analysis of up to 8 ports at a time, every port layer 3, every port filtered, colo facility core/peering.
>
> If this is the target then 6500/7600 isn't really the best tool IMHO.

Was the original intention of this thread not to find out exactly what *is* the best tool for the above scenario? :)

Regards,
Tom
Re: [c-nsp] 4510 reporting dozens of config changes throughout the day...
On 08/06/2009, at 6:53 PM, David Freedman wrote:
> Silly question, but are you running RANCID and do these changes appear to be to port/vlan membership? It is quite a common occurrence to have flapping ports be shown as members and then suddenly not members of a vlan when rancid executes the show vlan command.

That shouldn't cause an AUDIT-5-RUN_CONFIG log message though, right?

Tom
[c-nsp] Any problems w/ 3750 IOS 12.2(46)SE?
We are seeing consistent low TCP throughput over a dual gig etherchannel between two stacks of 3x 3750G + 1x 3750E and intermittent delays (ie. random slow ICMP ping times) on another 2x 3750G stack, all on 12.2(46)SE. All switches are doing L2/L3 forwarding and a small amount of EIGRP.

The stack with delayed ICMP has seemingly random high CPU load and this seems to correlate with the delayed ICMP packets; example:

5Min Processes: 27% CPU
Interrupts: 0% CPU
Sum of all processes: 1.88% CPU

The other stacks haven't shown signs of ICMP delayed packets but still list high (40-100%) peaks of CPU utilisation. Can't see any indications of TCAM exhaustion on any switch (all desktop default SDM template).

Just thought I'd throw this to the list to see if anyone else has had something similar?

Tom