[c-nsp] vPC-DI installation on Cisco UCS
Hi,

Please refer me if there is some configuration guide available for vPC-DI installation on Cisco UCS. I need it over KVM/Redhat.

Regards,
Vikas
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Cisco StarOS
Dear Team,

I do not see many references for StarOS for PDSN on Cisco site. Any link will be appreciated.

Regards,
Vikas
Re: [c-nsp] Cisco N540-ACC-SYS ipv4 routes
I am not sure if all hardware support hierarchical FIB as this is hardware base feature. Yes, if H-FIB is supported, BGP PIC will be used. If not, then !!!

Regards,
Vikas

On Thu, 9 Jul, 2020, 11:35 am Gert Doering, wrote:

> Hi,
>
> On Thu, Jul 09, 2020 at 07:04:13AM +0530, Vikas Sharma wrote:
> > Also, processing power of ASR vs C 540 is very different, one with quad
> > core 1.2 GHz and another with 2.5 GHz, so I was also wondering if BGP
> > scanner process will be good with which. If 540 can take care of scanning
> > process!!
>
> BGP scanner process died like 10 years ago...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never
> doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
Re: [c-nsp] Cisco N540-ACC-SYS ipv4 routes
Slight modification, I am looking for fib for ASR 1002-HX, RIB is available.

Regards,
Vikas

On Thu, 9 Jul, 2020, 7:04 am Vikas Sharma, wrote:

> Dear Luka,
>
> Thanks for your revert. I have checked all ciscolive presentation before I
> have shooted question to the forum. I understand, LPM and LEM along with
> iTCAM support on C 540 does not exceed 400k but I was not getting details
> on rib/fib on ASR 1002-HX, in case you have found, please share with me.
>
> Also, processing power of ASR vs C 540 is very different, one with quad
> core 1.2 GHz and another with 2.5 GHz, so I was also wondering if BGP
> scanner process will be good with which. If 540 can take care of scanning
> process!!
>
> Also internet does not inform about table-map (at least, I couldn't find),
> on C 540, many thanks to Jason for details provided.
>
> Anyway, many thanks for the kind revert.
>
> Regards,
> Vikas
>
> On Thu, 9 Jul, 2020, 6:44 am Łukasz Bromirski,
> wrote:
>
>> Vikas,
>>
>> First of all, NCS 540 ACC-SYS has 16GB of RAM.
>>
>> For NCS 540, slide 43:
>>
>> https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSPG-2159.pdf
>>
>> Essentially, around 380k depending on prefix distribution.
>>
>> For ASR 1002-HX it’s here:
>>
>> https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html#PerformanceandScaling
>>
>> Please use your favorite search engine first in future.
>>
>> —
>> ./
>>
>> On 9 Jul 2020, at 02:48, Vikas Sharma wrote:
>>
>> Many thanks Jason for your quick response.
>>
>> If possible please also confirm the rib/fib limits of ASR1002-HX.
>>
>> I have two choices to be used as IGW, ASR1002-HX or C 540 X and I want to
>> choose the best of the two options.
>>
>> Regards,
>> Vikas
>>
>> On Thu, 9 Jul, 2020, 12:52 am Jason Lixfeld, wrote:
>>
>> Hi,
>>
>> I don’t know the exact RIB scale, if there is one, short of what available
>> memory will hold. That said, it’s got 8GB of memory, and I’ve seen 1.7M+
>> BGP prefixes with the BGP process consuming about 1.9GB of memory.
>>
>> It won’t hold a full table in FIB. 350K max, protocol independent,
>> depending on the prefix size.
>>
>> SRD is implemented using table-policy.
>>
>> On Jul 8, 2020, at 3:02 PM, Vikas Sharma wrote:
>>
>> Dear,
>>
>> Can someone please confirm how many routes are supported in above model in
>> both rib and fib?
>>
>> Also, I am not able to find table-map command for this router.
>>
>> Any suggestions?
>>
>> Regards,
>> Vikas
Re: [c-nsp] Cisco N540-ACC-SYS ipv4 routes
Dear Luka,

Thanks for your revert. I have checked all ciscolive presentation before I have shooted question to the forum. I understand, LPM and LEM along with iTCAM support on C 540 does not exceed 400k but I was not getting details on rib/fib on ASR 1002-HX, in case you have found, please share with me.

Also, processing power of ASR vs C 540 is very different, one with quad core 1.2 GHz and another with 2.5 GHz, so I was also wondering if BGP scanner process will be good with which. If 540 can take care of scanning process!!

Also internet does not inform about table-map (at least, I couldn't find), on C 540, many thanks to Jason for details provided.

Anyway, many thanks for the kind revert.

Regards,
Vikas

On Thu, 9 Jul, 2020, 6:44 am Łukasz Bromirski, wrote:

> Vikas,
>
> First of all, NCS 540 ACC-SYS has 16GB of RAM.
>
> For NCS 540, slide 43:
>
> https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSPG-2159.pdf
>
> Essentially, around 380k depending on prefix distribution.
>
> For ASR 1002-HX it’s here:
>
> https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html#PerformanceandScaling
>
> Please use your favorite search engine first in future.
>
> —
> ./
>
> On 9 Jul 2020, at 02:48, Vikas Sharma wrote:
>
> Many thanks Jason for your quick response.
>
> If possible please also confirm the rib/fib limits of ASR1002-HX.
>
> I have two choices to be used as IGW, ASR1002-HX or C 540 X and I want to
> choose the best of the two options.
>
> Regards,
> Vikas
>
> On Thu, 9 Jul, 2020, 12:52 am Jason Lixfeld, wrote:
>
> Hi,
>
> I don’t know the exact RIB scale, if there is one, short of what available
> memory will hold. That said, it’s got 8GB of memory, and I’ve seen 1.7M+
> BGP prefixes with the BGP process consuming about 1.9GB of memory.
>
> It won’t hold a full table in FIB. 350K max, protocol independent,
> depending on the prefix size.
>
> SRD is implemented using table-policy.
>
> On Jul 8, 2020, at 3:02 PM, Vikas Sharma wrote:
>
> Dear,
>
> Can someone please confirm how many routes are supported in above model in
> both rib and fib?
>
> Also, I am not able to find table-map command for this router.
>
> Any suggestions?
>
> Regards,
> Vikas
Re: [c-nsp] Cisco N540-ACC-SYS ipv4 routes
Many thanks Jason.

Regards,
Vikas

On Thu, 9 Jul, 2020, 6:39 am Jason Lixfeld, wrote:

> I’m not as familiar with the ASR1002-HX, but what I’m pretty sure of is if
> you’re considering the ASR1002-HX for IGW, you may want to review Juniper’s
> MX204. It’s probably going to be slightly more expensive than a NCS540,
> but far less expensive than the ASR1002-HX, but overall it will be a much
> better bang for your buck as an IGW.
>
> On Jul 8, 2020, at 8:48 PM, Vikas Sharma wrote:
>
> Many thanks Jason for your quick response.
>
> If possible please also confirm the rib/fib limits of ASR1002-HX.
>
> I have two choices to be used as IGW, ASR1002-HX or C 540 X and I want to
> choose the best of the two options.
>
> Regards,
> Vikas
>
> On Thu, 9 Jul, 2020, 12:52 am Jason Lixfeld, wrote:
>
>> Hi,
>>
>> I don’t know the exact RIB scale, if there is one, short of what
>> available memory will hold. That said, it’s got 8GB of memory, and I’ve
>> seen 1.7M+ BGP prefixes with the BGP process consuming about 1.9GB of
>> memory.
>>
>> It won’t hold a full table in FIB. 350K max, protocol independent,
>> depending on the prefix size.
>>
>> SRD is implemented using table-policy.
>>
>> > On Jul 8, 2020, at 3:02 PM, Vikas Sharma wrote:
>> >
>> > Dear,
>> >
>> > Can someone please confirm how many routes are supported in above model in
>> > both rib and fib?
>> >
>> > Also, I am not able to find table-map command for this router.
>> >
>> > Any suggestions?
>> >
>> > Regards,
>> >
>> > Vikas
Re: [c-nsp] Cisco N540-ACC-SYS ipv4 routes
Many thanks Jason for your quick response.

If possible please also confirm the rib/fib limits of ASR1002-HX.

I have two choices to be used as IGW, ASR1002-HX or C 540 X and I want to choose the best of the two options.

Regards,
Vikas

On Thu, 9 Jul, 2020, 12:52 am Jason Lixfeld, wrote:

> Hi,
>
> I don’t know the exact RIB scale, if there is one, short of what available
> memory will hold. That said, it’s got 8GB of memory, and I’ve seen 1.7M+
> BGP prefixes with the BGP process consuming about 1.9GB of memory.
>
> It won’t hold a full table in FIB. 350K max, protocol independent,
> depending on the prefix size.
>
> SRD is implemented using table-policy.
>
> > On Jul 8, 2020, at 3:02 PM, Vikas Sharma wrote:
> >
> > Dear,
> >
> > Can someone please confirm how many routes are supported in above model in
> > both rib and fib?
> >
> > Also, I am not able to find table-map command for this router.
> >
> > Any suggestions?
> >
> > Regards,
> >
> > Vikas
[c-nsp] Cisco N540-ACC-SYS ipv4 routes
Dear,

Can someone please confirm how many routes are supported in above model in both rib and fib?

Also, I am not able to find table-map command for this router.

Any suggestions?

Regards,
Vikas
[c-nsp] 6PE question
Hi,

I need another advice on IPv6. Setup looks like - rtr1 -- P rtr3 and it's 6PE setup. 7206 is SRE3 image and 12k is 4.0.1 image.

rtr.LAB-7206G2#show ipv6 route 2001:920:0:f002:10:54:0:3
Routing entry for 2001:920:0:F002:10:54:0:3/128
  Known via bgp 8220, distance 200, metric 0, type internal
  Route count is 1/1, share count 0
  Routing paths:
    10.54.0.3%default indirectly connected      any idea about this? it should be shown as ; also what is % sign ?
      MPLS label: 16048
      Last updated 17:58:59 ago

10.54.0.3 is loopback ip of rtr1.

But when I see on rtr3.lab for rtr1.lab loopback, I see following

RP/0/9/CPU0:rtr3.LAB-12410#sh route ipv6 2001:920:0:F002:10:54:0:9
Mon Apr 25 22:47:31.344 UTC

Routing entry for 2001:920:0:f002:10:54:0:9/128
  Known via bgp 8220, distance 200, metric 0, type internal
  Installed Apr 21 04:47:10.868 for 4d18h
  Routing Descriptor Blocks
    :::10.54.0.9, from :::10.54.0.6      this is correct
      Nexthop in Vrf: default, Table: default, IPv4 Unicast, Table Id: 0xe000
      Route metric is 0
  No advertising protos.

Regards,
Vikas
[c-nsp] mpls ipv6 source-interface XR and on IOS
Hi,

I was trying command mpls ipv6 source-interface on SRE3 code, looks like there is no command like that on SRE. This command is important for locally generated packets. Has someone used this command?

Also what is the command on XR 4.0.1 to achieve the same?

Regards,
Vikas
[c-nsp] similar command sh mls cef max-route on 12k
Hi,

Similar to 6500 sh mls cef max-route, does anyone know the corresponding command on 12k with XR?

Regards,
Vikas
[c-nsp] 12k QoS issue - Drop in premium queue on 4.0.1
Hi,

I am facing a strange issue on 12k with xr 4.0.1. I have shaped the 1 gig b/w to 300m and then child qos does the queueing. The issue is, till I send contracted traffic (in different class), there is no drop and things work as usual. But as soon as I pump extra traffic in best effort class (say 300 mbps), it impacts premium queue.

Has anyone experienced similar?

Regards,
Vikas
[c-nsp] sh policy-map interface Te0/1/2/0.52 output
Hi,

Looking at the output of sh policy-map interface Te0/1/2/0.52 output, I can see Matched and Transmitted packets in premium class is same but policed (confirmed) packets are more. It should be same.

RP/0/RP0/CPU0:crs1.rtr#sh policy-map interface Te0/1/2/0.52 output
Wed Mar 16 01:25:47.318 UTC

TenGigE0/1/2/0.52 output: CR_QOS_10GB_SHAPED_300MB_TO_CR_SAR

Class class-default
  Classification statistics (packets/bytes) (rate - kbps)
    Matched : 1906340718/322722640980 865104
    Transmitted : 1161629877/18714791 299553
    Total Dropped : 744710841/135574652099 565551

  Policy CR_QOS_300MB_TO_CR_SAR Class Premium-To-CR-SAR
    Classification statistics (packets/bytes) (rate - kbps)
      Matched : 735059258/90540635032 155457
      Transmitted : 734152071/90424515096 155457
      Total Dropped : 907187/1161199360
    Policing statistics(packets/bytes) (rate - kbps)
      Policed(conform): 734027358/90408041280 171564
      Policed(exceed) : 907187/1161199360
      Policed(violate): 0/00
      Policed and dropped : 907187/116119936
      Policed and dropped(parent policer) : 0/0
    Queueing statistics
      Queue ID : 69
      High watermark (bytes)/(ms) : 2944/0
      Inst-queue-len (bytes)/(ms) : 1536/0
      Avg-queue-len (bytes)/(ms) : 3/0
      Taildropped(packets/bytes) : 0/0

am I missing something..

Regards,
Vikas
[c-nsp] 7206 cpu utilization
Hi All,

Another issue I am seeing on 7206. Setup looks like

Spirent 12k XR --(10 gig link)--- CRS1 ---(10 gig link)- (l2 switch) --(1 gig link) 7206 npeG1 Spirent

I have shaper on CRS1 towards 7206 which shape 10gig to 300 mbps

RP/0/RP0/CPU0:crs1.rtr#sh run int Te0/1/2/0.52
Wed Mar 16 01:36:57.751 UTC
interface TenGigE0/1/2/0.52
 description
 service-policy output CR_QOS_10GB_SHAPED_300MB_TO_CR_SAR
 ipv4 mtu 1500
 ipv4 address 10.54.1.8 255.255.255.254
 arp timeout 1200
 load-interval 30
 dot1q vlan 52
!

RP/0/RP0/CPU0:crs1.rtr#sh run policy-map CR_QOS_10GB_SHAPED_300MB_TO_CR_SAR
Wed Mar 16 01:37:08.041 UTC
policy-map CR_QOS_10GB_SHAPED_300MB_TO_CR_SAR
 class class-default
  service-policy CR_QOS_300MB_TO_CR_SAR
  shape average percent 3
 !
 end-policy-map
!

Issue is when I am sending normal traffic i.e. within 300 mbps (even 500 mbps), things work fine and output of policy on crs interface looks fine also. But as soon as I increase BE traffic (128 byte), cpu utilization on 7205 increase to 99% but on crs1 still I can see all traffic is in the respective limit.

So my question is when I increase traffic (simulate attack) in BE class with 128 byte, why CPU on 7206 increase BUT on crs still traffic is bounded to the assigned value in respective class. any reason !!!

Regards,
Vikas
[c-nsp] PPP termination and ppp forwarding on same box
Hi,

Is it possible to terminate PPP as well as forward ppp session on the same box? i.e. same 7206 acts as PPP termination device and for some other session (L2TP based) it acts as PPP forwarding device?

Regards,
Vikas
[c-nsp] CRS1 downgrade from 4.0.1 to 3.6.2
Hi,

I have upgraded CRS1 to 4.0.1 from 3.6.2. Upgrade worked fine and it is running 4.0.1. But the issue is I am not able to downgrade it back to 3.6.2. If I am trying to run any install command I see similar output -

RP/0/RP0/CPU0:crs1.BLB(admin)#install commit
Fri Feb 25 03:45:10.181 UTC
Install operation 402 '(admin) install commit' started by user 'colt123' via CLI at 03:45:10 UTC Fri Feb 25 2011.
Error:Cannot proceed with the operation because the upgrade package is
Error:active.
Error:
Error:The package should only be used when upgrading from software
RP/0/RP0/CPU0:Feb 25 03:45:11.503 : instdir[216]: %INSTALL-INSTMGR-3-INSTALL_OPERATION_USER_ERROR : User error occurred during install operation 402. See 'show install log 402 detail' for more inError:versions prior to 4.0.0. Once the upgrade is complete, it should be
formation.
Error:immediately deactivated and removed. No further install operations
Error:will be allowed until this is completed.
Error:
Error:Deactivate the package from the entire router by executing the
Error:'install deactivate ' command in admin mode.
Error:Remove the package from the entire router by executing the 'install
Error:remove ' command in admin mode.
Error:No further install operations will be allowed until this is
Error:completed.
Install operation 402 failed at 03:45:11 UTC Fri Feb 25 2011.

I have also checked on the active and inactive files and could not locate upgrade package on active disk (boot disk).

Has anyone faced similar issue?

Regards,
Vikas
Re: [c-nsp] CRS1 downgrade from 4.0.1 to 3.6.2
Also I can see this log which clearly says no upgrade package is available but then why it asks to uninstall the upgrade package..

Fri Feb 25 02:26:03.572 UTC
Install operation 396 '(admin) install remove disk1:hfr-upgrade-p.pie-4.0.1 synchronous' started by user 'colt123' via CLI at 02:26:04 UTC Fri Feb 25 2011.
P/0/RP0/CPU0:Feb 25 02:26:04.876 : instdir[216]: %INSTALL-INSTMGR-3-INSTALL_OPERATION_USER_ERROR : User error occurred during install operation 396. See 'show install log 396 detail' for more inKformation.
Warning: The following specified package does not use the boot device, and so
Warning: will not be removed:
Warning: disk1:hfr-upgrade-p.pie-4.0.1
Error:There are no valid packages on the boot device to be removed.

Regards,
Vikas

On Fri, Feb 25, 2011 at 4:33 PM, Vikas Sharma vikasshar...@gmail.com wrote:

Hi,

I have upgraded CRS1 to 4.0.1 from 3.6.2. Upgrade worked fine and it is running 4.0.1. But the issue is I am not able to downgrade it back to 3.6.2. If I am trying to run any install command I see similar output -

RP/0/RP0/CPU0:crs1.BLB(admin)#install commit
Fri Feb 25 03:45:10.181 UTC
Install operation 402 '(admin) install commit' started by user 'colt123' via CLI at 03:45:10 UTC Fri Feb 25 2011.
Error:Cannot proceed with the operation because the upgrade package is
Error:active.
Error:
Error:The package should only be used when upgrading from software
RP/0/RP0/CPU0:Feb 25 03:45:11.503 : instdir[216]: %INSTALL-INSTMGR-3-INSTALL_OPERATION_USER_ERROR : User error occurred during install operation 402. See 'show install log 402 detail' for more inError:versions prior to 4.0.0. Once the upgrade is complete, it should be
formation.
Error:immediately deactivated and removed. No further install operations
Error:will be allowed until this is completed.
Error:
Error:Deactivate the package from the entire router by executing the
Error:'install deactivate ' command in admin mode.
Error:Remove the package from the entire router by executing the 'install
Error:remove ' command in admin mode.
Error:No further install operations will be allowed until this is
Error:completed.
Install operation 402 failed at 03:45:11 UTC Fri Feb 25 2011.

I have also checked on the active and inactive files and could not locate upgrade package on active disk (boot disk).

Has anyone faced similar issue?

Regards,
Vikas
Re: [c-nsp] CRS1 downgrade from 4.0.1 to 3.6.2
Hi Farhan,

Yes I did follow all steps and box is up and running 4.0.1 w/o any issue. Also it has Fat32 partition.

Regards,
Vikas

On Fri, Feb 25, 2011 at 5:04 PM, Farhan Jaffer bandh...@gmail.com wrote:

Hi Vikas,

Have the CRS is running on 4.0.1? I mean that the all steps required to complete the installation have completed? Or you are stuck during installation...

For downgrade the same procedures are required. However your flash file system is required to up-grade from FAT 16 to FAT 32 in 4.0.1, have you did this?

-FJ

On Fri, Feb 25, 2011 at 4:05 PM, Vikas Sharma vikasshar...@gmail.com wrote:

Also I can see this log which clearly says no upgrade package is available but then why it asks to uninstall the upgrade package..

Fri Feb 25 02:26:03.572 UTC
Install operation 396 '(admin) install remove disk1:hfr-upgrade-p.pie-4.0.1 synchronous' started by user 'colt123' via CLI at 02:26:04 UTC Fri Feb 25 2011.
P/0/RP0/CPU0:Feb 25 02:26:04.876 : instdir[216]: %INSTALL-INSTMGR-3-INSTALL_OPERATION_USER_ERROR : User error occurred during install operation 396. See 'show install log 396 detail' for more inKformation.
Warning: The following specified package does not use the boot device, and so
Warning: will not be removed:
Warning: disk1:hfr-upgrade-p.pie-4.0.1
Error:There are no valid packages on the boot device to be removed.

Regards,
Vikas

On Fri, Feb 25, 2011 at 4:33 PM, Vikas Sharma vikasshar...@gmail.com wrote:

Hi,

I have upgraded CRS1 to 4.0.1 from 3.6.2. Upgrade worked fine and it is running 4.0.1. But the issue is I am not able to downgrade it back to 3.6.2. If I am trying to run any install command I see similar output -

RP/0/RP0/CPU0:crs1.BLB(admin)#install commit
Fri Feb 25 03:45:10.181 UTC
Install operation 402 '(admin) install commit' started by user 'colt123' via CLI at 03:45:10 UTC Fri Feb 25 2011.
Error:Cannot proceed with the operation because the upgrade package is
Error:active.
Error:
Error:The package should only be used when upgrading from software
RP/0/RP0/CPU0:Feb 25 03:45:11.503 : instdir[216]: %INSTALL-INSTMGR-3-INSTALL_OPERATION_USER_ERROR : User error occurred during install operation 402. See 'show install log 402 detail' for more inError:versions prior to 4.0.0. Once the upgrade is complete, it should be
formation.
Error:immediately deactivated and removed. No further install operations
Error:will be allowed until this is completed.
Error:
Error:Deactivate the package from the entire router by executing the
Error:'install deactivate ' command in admin mode.
Error:Remove the package from the entire router by executing the 'install
Error:remove ' command in admin mode.
Error:No further install operations will be allowed until this is
Error:completed.
Install operation 402 failed at 03:45:11 UTC Fri Feb 25 2011.

I have also checked on the active and inactive files and could not locate upgrade package on active disk (boot disk).

Has anyone faced similar issue?

Regards,
Vikas
Re: [c-nsp] CRS1 downgrade from 4.0.1 to 3.6.2
Hi Mikael,

There is a process to downgrade, but it is not working for me

http://www.cisco.com/web/Cisco_IOS_XR_Software/pdf/CRS-1_Upgrade_Procedure_3_6_x_4_0_0_to_401-3.pdf

I have 3.6.2 in production network and I want to move to 4.0.1 due to some really GOOD feature availability.

I also think the last option is turboboot, if I do not find any other way to downgrade.

Regards,
Vikas

On Fri, Feb 25, 2011 at 5:35 PM, Mikael Abrahamsson swm...@swm.pp.se wrote:

On Fri, 25 Feb 2011, Vikas Sharma wrote:

Hi, I have upgraded CRS1 to 4.0.1 from 3.6.2. Upgrade worked fine and it is running 4.0.1. But the issue is I am not able to downgrade it back to 3.6.2

I believe the release notes say that when you've finished upgrading to 4.0.x and removed the upgrade package, you cannot downgrade again. If you want to go back to 3.6.2 you have to Turboboot that image including recommended reformat of the flash drives to FAT16.

Perhaps when you do this, you might as well go to 3.8.x instead of the now (afaik) unsupported 3.6.2?

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: [c-nsp] CRS-1 Policy change
Sorry Farhan,

My mistake. I overlook one interface and again missed to update the list.

Regards,
Vikas

On Fri, Feb 25, 2011 at 10:54 AM, Farhan Jaffer bandh...@gmail.com wrote:

Hi,

I have tried the same configuration it is working...

(config)#show
Fri Feb 25 10:19:56.980 PST
Building configuration...
!
class-map match-any Premium-From-PE_CORE
 match dscp default cs1
 end-class-map
!
class-map match-any Business1-From-PE-CORE
 match dscp default cs1
 end-class-map
!
policy-map CR_QOS_FROM_PE-CORE
 class Premium-From-PE_CORE
  set qos-group 5
 !
 class Business1-From-PE-CORE
  set qos-group 3
 !
 class class-default
 !
 end-policy-map
!
end
(config)#commit
(config)#
(config)#
(config)#
(config)#
(config)#policy-map CR_QOS_FROM_PE-CORE
(config-pmap)#class Premium-From-PE_CORE
(config-pmap-c)#set qos-group 4
(config-pmap-c)#exit
(config-pmap)#exit
(config)#commit
(config)#
(config)#
(config)#

-FJ

On Wed, Feb 23, 2011 at 3:22 PM, Vikas Sharma vikasshar...@gmail.com wrote:

Hi Farhan,

All other policies I am able to modify except this. Also this is the only policy with qos-group (for incoming packets)

policy-map CR_QOS_FROM_PE-CORE
 class Premium-From-PE_CORE
  set qos-group 5
 !
 class Business1-From-PE-CORE
  set qos-group 3
 !
 class Business2-From-PE-CORE
  set qos-group 2
 !
 class Business3-From-PE-CORE
  set qos-group 1
 !
 class Routing-Management-From-PE-CORE
  set qos-group 6
 !
 class Default-From-PE-CORE
  set qos-group 0
 !
 class Multicast-From-PE-CORE
  set qos-group 4
 !
 class class-default
 !
 end-policy-map

Regards,
Vikas

On Wed, Feb 23, 2011 at 3:19 PM, Farhan Jaffer bandh...@gmail.com wrote:

Can you please confirm the modified configuration / new class-map? We are running same version on CRS-1s with no. of policies modification on need basis. This should not be the case...

-FJ

On Wed, Feb 23, 2011 at 1:14 PM, Vikas Sharma vikasshar...@gmail.com wrote:

Hi,

I have a policy which I can see currently not applied on any interface, I am trying to modify the policy (remove existing class-map and add new class-map), but when I commit I see following message

!!% Policy manager does not support this feature: Platform does not support policy-map modification type qos

I am sure this policy is not anywhere attached as otherwise I would see following error

!!% Object is in use: Class-map Default-From-PE-CORE of type qos is used bypolicy-map(s). Delete failed

This is on CRS1 XR rel 3.6.2

am I missing something?

Regards,
Vikas
[c-nsp] CRS-1 Policy change
Hi,

I have a policy which I can see currently not applied on any interface, I am trying to modify the policy (remove existing class-map and add new class-map), but when I commit I see following message

!!% Policy manager does not support this feature: Platform does not support policy-map modification type qos

I am sure this policy is not anywhere attached as otherwise I would see following error

!!% Object is in use: Class-map Default-From-CR-SAR of type qos is used bypolicy-map(s). Delete failed

This is on CRS1 XR rel 3.6.2

am I missing something?

Regards,
Vikas
Re: [c-nsp] CRS-1 Policy change
Hi Farhan,

All other policies I am able to modify except this. Also this is the only policy with qos-group (for incoming packets)

policy-map CR_QOS_FROM_PE-CORE
 class Premium-From-PE_CORE
  set qos-group 5
 !
 class Business1-From-PE-CORE
  set qos-group 3
 !
 class Business2-From-PE-CORE
  set qos-group 2
 !
 class Business3-From-PE-CORE
  set qos-group 1
 !
 class Routing-Management-From-PE-CORE
  set qos-group 6
 !
 class Default-From-PE-CORE
  set qos-group 0
 !
 class Multicast-From-PE-CORE
  set qos-group 4
 !
 class class-default
 !
 end-policy-map

Regards,
Vikas

On Wed, Feb 23, 2011 at 3:19 PM, Farhan Jaffer bandh...@gmail.com wrote:

Can you please confirm the modified configuration / new class-map? We are running same version on CRS-1s with no. of policies modification on need basis. This should not be the case...

-FJ

On Wed, Feb 23, 2011 at 1:14 PM, Vikas Sharma vikasshar...@gmail.com wrote:

Hi,

I have a policy which I can see currently not applied on any interface, I am trying to modify the policy (remove existing class-map and add new class-map), but when I commit I see following message

!!% Policy manager does not support this feature: Platform does not support policy-map modification type qos

I am sure this policy is not anywhere attached as otherwise I would see following error

!!% Object is in use: Class-map Default-From-PE-CORE of type qos is used bypolicy-map(s). Delete failed

This is on CRS1 XR rel 3.6.2

am I missing something?

Regards,
Vikas
Re: [c-nsp] cisco-nsp Digest, Vol 98, Issue 91
Hi Felix,

You can also look at E320 / E120. Juniper is also coming up with LNS feature in MX 960 also.

Regards,
Vikas

Message: 3
Date: Sat, 22 Jan 2011 14:12:32 +
From: Felix Nkansah felixnkan...@gmail.com
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Dedicated L2TP LNS Appliance for Telcos

Hi All,

I am presently using a Cisco ASR 1006 router as an LNS in a L2TP mobile broadband solution. However, the ASR has a maximum session limit of 32,000.

Subscriber numbers are increasing and I am wondering if I could find there are dedicated L2TP LNS platform/appliance, with capacity for terminating 100K+ sessions.

Thanks.
Felix
Re: [c-nsp] GSR 12k downgrade IOX to IOS
Hi,

First change the conf-reg to 0X0, reboot the router.

rommon 1 unset BOOT
rommon 2 reset

System Bootstrap, Version 12.0(20080619:121934) [gradhakr-sq86358 1.20dev(0.1)] DEVELOPMENT SOFTWARE
Copyright (c) 1994-2008 by cisco Systems, Inc.
DRAM DIMM Slot 1: 2048M found, Slot 2: 2048M found
MPC7457 platform with 3670016 Kbytes of main memory

rommon 1 TURBOBOOT=ON
rommon 2 TURBOBOOT=on,compactflash
rommon 3 boot disk1:image name

Ensure you have image in the directory (also copy the image name).

Regards,
Vikas

On Wed, Jan 12, 2011 at 6:27 AM, cisco-nsp-requ...@puck.nether.net wrote:

Today's Topics:
1. Re: Catalyst reloads (was Re: Is Cisco equpiment de facto for you? (Keegan Holley)
2. Re: Catalyst reloads (was Re: Is Cisco equpiment de facto for?you? (Alexander Clouter)
3. local privilege level question (Greg Whynott)
4. Re: Catalyst reloads (was Re: Is Cisco equpiment de facto for you? (Pete Lumbis)
5. Re: Catalyst reloads (was Re: Is Cisco equpiment de facto for you? (Pete Lumbis)
6. Re: local privilege level question (Daniele Orlandi)
7. GSR 12k downgrade IOX to IOS (Judah Scott)
8. PVLAN Question (Sam Evans)

--
Message: 1
Date: Tue, 11 Jan 2011 15:28:30 -0500
From: Keegan Holley keegan.hol...@sungard.com
To: Jeff Kell jeff-k...@utc.edu
Cc: cisco-nsp cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst reloads (was Re: Is Cisco equpiment de facto for you?
Message-ID: aanlktikip5vnbg5y+petqgp9vmnsurhgfwtao-jaq...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

Are your PDU's metered?
Are you near capacity? Did anything else in the rack lose power? Usually the whole circuit drops if something like that happens or a breaker is tripped. Is it possible it's a bad power supply? Cisco said the outage was cause by power, but they didn't say the switch wasn't broken. Have you tried an RMA? Also, I'd rename it to something other than funny farm, switches are sensitive. ;) On Tue, Jan 11, 2011 at 2:25 PM, Jeff Kell jeff-k...@utc.edu wrote: On 1/11/2011 11:29 AM, Seth Mattinen wrote: The cisco-nsp mailing list is often much more helpful than TAC. On that note... does this ring any bells? Have a 3750E that has had spurious reloads (4 since Friday), was switch-1 of a 3-member stack, initially was the master, now switch-2 has taken over as master. Show version on the failing one just shows FunnyFarm-1 uptime is 17 hours, 48 minutes System returned to ROM by power-on The other members have 23-week uptimes. There's no crashinfo in the logs, no software forced reload type reload events. TAC insists power was cut to the switch (four times?). Stack members are in a pair of self-contained, self-cooling Liebert racks, 240v PDUs, different phases of a 3-phase supply, dual UPS, generator backup, it's your above average server room. There are dozens of servers in these racks (3 x 48-port 3750Es full, mostly dual-connected) and nothing has burped whatsoever. Running 12.2(53)SE2 IPServices. Stack has been up almost 6 months (switch-3, a 3750X, was added about 4 months ago and has a 19-week uptime). No incidents until Friday, and no changes then that we can identify. Jeff ___ cisco-nsp mailing list cisco-...@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Message: 2 Date: Tue, 11 Jan 2011 20:44:36 + From: Alexander Clouter a...@digriz.org.uk To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Catalyst reloads (was Re: Is Cisco equpiment de facto for?you? 
Message-ID: k2suv7-m38@chipmunk.wormnet.eu Jeff Kell jeff-k...@utc.edu wrote: On 1/11/2011 11:29 AM, Seth Mattinen wrote: The cisco-nsp mailing list is often much more helpful than TAC. On that note... does this ring any bells? Have a 3750E that has had spurious reloads (4 since Friday), was switch-1 of a 3-member stack, initially was the master, now switch-2 has taken over as master. Show version on the failing one just shows FunnyFarm-1 uptime is 17 hours, 48 minutes System returned to ROM by power-on The other members have 23-week uptimes. There's no crashinfo in the logs, no software forced reload type reload events. TAC insists power was cut to the
[c-nsp] XR - propagate level 1 into level 2
Hi,

I am working on xr 3.6.2, I can see with the command propagate level 1 into level 2 there is only policy option.

(config)#propagate level 1 into level 2 ?
  policy name

But when I give following command propagate level 1 into level 2 distribute-list ISIS-1-TO-2, it accepts w/o any issue. Distribute-list is not an option after level 2. My question is, is distribute-list part of a hidden command? Will cisco support it in case there is any issue as command is hidden...

Regards,
Vikas
Re: [c-nsp] Pointer to PPPoE docs for 887 CPE?
This requires pppoeoa support / configuration on BRAS. You can configure pppoeoa on CPE but it will not negotiate as server will be expecting PPPoA encap and you are sending PPPoE.

Regards,
Vikas

Message: 1
Date: Fri, 17 Dec 2010 12:03:23 -0500
From: Jason Gurtz jasongu...@npumail.com
To: Cisco Network Service Providers cisco-nsp@puck.nether.net
Subject: [c-nsp] Pointer to PPPoE docs for 887 CPE?
Message-ID: a92eaf652ec423438d55c14c60771c8702eb5...@exchgsrv.nputilities.local
Content-Type: text/plain; charset=US-ASCII

All the Cisco Documentation seem to assume that the ATM interface will be used for VDSL or PPPoA. PPPoE is shown running over Eth0 and we'd like to ditch the ATT provided modem device. Is there any IOS 15 examples out there for running the PPPoE dialer over ATM0.1 in on this device?

~JasonG

--
Message: 2
Date: Fri, 17 Dec 2010 11:38:01 -0600
From: Rick Martin rick.mar...@arkansas.gov
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] High Density T1 aggregation device - migrating to MPLS
Message-ID: 2007edbc2b3c3f41a73166a968bce07626cd1db...@cms01.sas.arkgov.net
Content-Type: text/plain; charset=us-ascii

Thanks to all for the replies to this question, we have settled on ASR 1006 with two 5 port gig SPA's and a couple of 1 port STM-1/OC-3 SPAs for terminating the T1's.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeremy Bresley
Sent: Friday, December 03, 2010 3:43 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] High Density T1 aggregation device - migrating to MPLS

On 12/3/2010 12:16 PM, Rick Martin wrote:

We are in the planning stages for a conversion to an MPLS infrastructure, we have about 3,000 connections on this statewide network which spans 3 major carriers territory. We expect we will wind up with one vendor at the core.
Assuming vendor A wins the core we expect we will have to provide hardware to aggregate connections from vendor B and C's territory and pass those connections on to the core via Ethernet. Our expectation is that we will have 2 types of last mile connections to our customers - Ethernet and MPPP via T1's. Of course our preference would be Ethernet for all of the WAN links but at this time that is not possible due to the rural nature of portions of our state. We expect perhaps 50 - 100 T1's at a given aggregation point. I am in need of advice on what products are available for high density aggregation of the T1's. I am currently researching Cisco products but do not want to limit my scope to Cisco only. I would welcome any suggestions or advice on this. Thanks in advance for your suggestions rick ___ cisco-nsp mailing list cisco-...@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Biggest question with aggregating T1s would be whether to get an external MUX to aggregate T1s into DS3/OC3s, or whether your carrier(s) can do this and hand off DS3/OC3s to you. If you can get DS3s or OC3s handed to you, a channelized DS3 or channelized OC3 card in a 7200 or ASR should be able to handle this easily. If you have discrete T1s coming in, you're probably looking at several routers to handle 100 T1s. Most of the T1 cards only scale to 8 ports. 100 T1s would be able to be handled by 4 channelized DS3 cards. If your carriers can't hand you off DS3/OC3, one option would be to feed the T1s into one or more M13 MUXes (Adtran MX2800 series is one example of these.) One thing to double check on the channelized cards is that there are no known issues with running MLPPP across them, and verify if all the T1s would be on the same DS3, and running MLPPP across multiple cards was problematic with the 7200 cards. 
Jeremy ___ cisco-nsp mailing list cisco-...@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Message: 3 Date: Fri, 17 Dec 2010 13:06:51 -0500 From: Brian Christopher Raaen opsli...@rhemasound.org To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Pointer to PPPoE docs for 887 CPE? Message-ID: 201012171306.51569.opsli...@rhemasound.org Content-Type: Text/Plain; charset=iso-8859-1 On Friday, December 17, 2010 12:03:23 pm Jason Gurtz wrote: All the Cisco Documentation seem to assume that the ATM interface will be used for VDSL or PPPoA. PPPoE is shown running over Eth0 and we'd like to ditch the ATT provided modem device. Is there any IOS 15 examples out there for running the PPPoE dialer over ATM0.1 in on this device? ~JasonG Here is a config from my 3725 router at home on Belsouth (ATT). interface ATM0/0 no ip
[c-nsp] PPPoEoA QoS issue
Hi,

I am running following configuration on 7206 with IOS - 12.4(15)T10

interface ATM2/0.10856 point-to-point
 mtu 1500
 no ip redirects
 no ip proxy-arp
 pvc 1/856
  vbr-rt 2048 2048 1
  dbs enable
  encapsulation aal5snap
  max-reserved-bandwidth 100
  protocol pppoe group ft-pppoeoa
 !
end

bba-group pppoe pppoeoa
 virtual-template 661
 sessions per-mac limit 300

interface Virtual-Template661
 no ip address
 ppp authentication chap
end

When I want to see the packets in policy, I can not see even a single packet in any queue...

Router1#sh policy-map interface ATM2/0.10856
 ATM2/0.10856: VC 1/856 -

  Service-policy input: SAR_QOS_FROM_MANAGED_CPE

    Class-map: Premium-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 5
        0 packets, 0 bytes
        1 minute rate 0 bps
      Match: ip dscp ef (46)
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        mpls experimental imposition 5
          Packets marked 0
        qos-group 5
          Packets marked 0

    Class-map: Business1-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp af31 (26)
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        mpls experimental imposition 3
          Packets marked 0
        discard-class 3
          Packets marked 0
        qos-group 3
          Packets marked 0

    Class-map: Business2-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp af21 (18)
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        mpls experimental imposition 2
          Packets marked 0
        discard-class 2
          Packets marked 0
        qos-group 2
          Packets marked 0

    Class-map: Business3-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp af11 (10)
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        mpls experimental imposition 1
          Packets marked 0
        discard-class 1
          Packets marked 0
        qos-group 1
          Packets marked 0

    Class-map: Routing-Management-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 6 7
        0 packets, 0 bytes
        1 minute rate 0 bps
      Match: ip dscp af41 (34)
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        mpls experimental imposition 6
          Packets marked 0
        discard-class 6
          Packets marked 0
        qos-group 6
          Packets marked 0

    Class-map: Default-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 0
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        mpls experimental imposition 0
          Packets marked 0
        discard-class 0
          Packets marked 0
        qos-group 0
          Packets marked 0

    Class-map: Multicast-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip dscp cs4 (32)
        0 packets, 0 bytes
        1 minute rate 0 bps
      QoS Set
        discard-class 4
          Packets marked 0
        qos-group 4
          Packets marked 0

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: SAR_QOS_TO_COLT_TOTAL_CPE

    Class-map: Routing-Management-To-CPE (match-any)
      6 packets, 518 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 6
        1 packets, 74 bytes
        1 minute rate 0 bps
      Match: ip precedence 6 7
        5 packets, 444 bytes
        1 minute rate 0 bps
      Queueing
        Output Queue: Conversation 137
        Bandwidth 5 (%)
        Bandwidth 102 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: Premium-Class-To-CPE (match-any)
      190 packets, 14060 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 5
        190 packets, 14060 bytes
        1 minute rate 0 bps
      Queueing
        Strict Priority
        Output Queue: Conversation 136
        Bandwidth 50 (%)
        Bandwidth 1024 (kbps) Burst 25600 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: Business1-Class-To-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: qos-group 3
        0 packets, 0 bytes
        1 minute rate 0 bps
      Queueing
        Output Queue: Conversation 138
        Bandwidth 5 (%)
        Bandwidth 102 (kbps)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0
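A parser for the per-class counters in the sh policy-map interface output posted above, as an added example that is not part of the original post. It separates "the policy saw no packets at all" (even class-default is zero) from "packets arrived but matched no named class"; the function names and the abridged sample are constructed here, and it assumes a flat policy with no child policies.

```python
import re

# Constructed sample: abridged from the counters quoted in the post, with line
# breaks restored. The parser also accepts the flattened one-line archive form.
SAMPLE = """
ATM2/0.10856: VC 1/856 -
  Service-policy input: SAR_QOS_FROM_MANAGED_CPE
    Class-map: Premium-From-CPE (match-any)
      0 packets, 0 bytes
      1 minute offered rate 0 bps, drop rate 0 bps
      Match: ip precedence 5
        0 packets, 0 bytes
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      Match: any
  Service-policy output: SAR_QOS_TO_COLT_TOTAL_CPE
    Class-map: Routing-Management-To-CPE (match-any)
      6 packets, 518 bytes
      Match: qos-group 6
        1 packets, 74 bytes
    Class-map: Premium-Class-To-CPE (match-any)
      190 packets, 14060 bytes
      Match: qos-group 5
        190 packets, 14060 bytes
    Class-map: Business1-Class-To-CPE (match-any)
      0 packets, 0 bytes
"""

# Either a policy header or a class header followed by its own counters.
# Per-"Match:" counters are skipped because they do not follow "Class-map:".
TOKEN = re.compile(
    r"Service-policy (?P<direction>input|output): (?P<policy>\S+)"
    r"|Class-map: (?P<cls>\S+) \(match-(?:any|all)\) "
    r"(?P<pkts>\d+) packets, (?P<octets>\d+) bytes"
)


def parse_policy_counters(text):
    """Return {direction: {"policy": name, "classes": {class: (pkts, bytes)}}}."""
    flat = " ".join(text.split())  # tolerate wrapped or flattened output
    counters = {}
    current = None
    for m in TOKEN.finditer(flat):
        if m.group("direction"):
            current = counters.setdefault(
                m.group("direction"),
                {"policy": m.group("policy"), "classes": {}},
            )
        elif current is not None:
            current["classes"][m.group("cls")] = (
                int(m.group("pkts")),
                int(m.group("octets")),
            )
    return counters


def diagnose(counters):
    """Classify each direction by where its packets were (or were not) counted."""
    findings = {}
    for direction, info in counters.items():
        classes = info["classes"]
        total = sum(pkts for pkts, _ in classes.values())
        named = sum(
            pkts for name, (pkts, _) in classes.items() if name != "class-default"
        )
        if not classes:
            findings[direction] = "no class counters parsed"
        elif total == 0:
            # class-default matches any packet, so zero here means the policy
            # never saw traffic at this attachment point.
            findings[direction] = "policy saw no packets"
        elif named == 0:
            findings[direction] = "packets seen, none matched a named class"
        else:
            findings[direction] = "classifying"
    return findings


if __name__ == "__main__":
    for direction, verdict in diagnose(parse_policy_counters(SAMPLE)).items():
        print(direction, "->", verdict)
```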
[c-nsp] Monitor class based b/w
Hi, Usually we monitor b/w of the link to decide whether we need to upgrade the capacity. I want to know if we can monitor the class based b/w i.e. Premium class or business-class, when reached to threshold, I should get an alert. Is that possible? What tools and MIBs support this? I need these MIBs for CRS1 / 12K / 7206 / 7609. Regards, Vikas
Re: [c-nsp] BFD in XR 3.9.1
Hi,

Not sure why you are using L2 multipath with BFD... as far as I know L2 multipath is sth related to DC and replacement of STP (I may be wrong)

Regards,
Vikas

On Wed, Aug 25, 2010 at 11:32 AM, Richard A Steenbergen r...@e-gerbil.net wrote:
> On Wed, Aug 25, 2010 at 09:08:42AM +1200, Pshem Kowalczyk wrote:
> > that surprising). We have encountered one limitation - currently BFD over ethtrunks is not supported (at least on 9k). We tested it with 20ms intervals (even though 15ms is the minimal value Cisco advised us to use 20ms).
>
> BFD is an IP based protocol, it's completely ignorant of L2 multipath and will almost always get hashed over a single link arbitrarily. This means that most failures will not be detected at all, and even if the packets do happen to get hashed on the physical member which goes down, it will bring down the entire port-channel.
>
> --
> Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
[c-nsp] BFD in XR 3.9.1
Hi, I am planning to test BFD in XR 3.9.1 (both on 12k and on CRS-1). Any testing already done and feedback is appreciated. Regards, Vikas Sharma
[c-nsp] match community support in PBR
Hi, Does PBR support match community in route-map? If yes which IOS release? Regards, Vikas Sharma
[c-nsp] Multicast on PPP
Hi, Has anyone implemented multicast over PPP interface? Since PPP does not support PIM, I am trying to use proxy-service and mroute-proxy. When I do join on dialer interface, I am able to ping the multicast ip (this confirms no issue in n/w wrt multicast). But when I join on LAN interface (removing igmp-join from dialer interface), it does not work, I am not able to ping the multicast IP from remote CE. Can anyone help me here? Regards, Vikas Sharma
[c-nsp] 3750 - power AC / DC
Hi, Is there any command on 3750 (E and non-E) switches which can tell whether the power is AC or DC in the box? Like in 7206 we have sh environment.. Regards,
[c-nsp] FWSM - BGP STUB
Hi,

I have FWSM contexts connected to vrf (part of MSFC) and then this vrf is connected to FWSM ext context and then to msfc.

fwsm context (1,2,3...n) --- VRF -- Ext FWSM context --- MSFC (Global routing table)

From fwsm cxt1,2,n to vrf are point to point connection.

ctx1 --- vrf1 (vlan1)
ctx2 vrf1( vlan2)

point to point interfaces from ctx to vrf.

I want to use BGP stub in this scenario. But limitation is BGP stub can only be configured in admin context. Is it possible to configure BGP stub in this scenario?

Regards,
Vikas Sharma
[c-nsp] FWSM - BGP stub vs RHI
Hi, In FWSM implementation, which one is preferred, BGP stub or RHI? My low confidence in RHI because it is the new feature and not deployed extensively. Regards, Vikas Sharma
[c-nsp] ip cef linecard ipc service-timer on XR
Hi, Command ip cef linecard ipc service-timer works fine on 12k (with service internal). I tried this command over XR and found there is no service internal. Can I use this command on XR to optimize the traffic? Regards, Vikas Sharma
[c-nsp] URL redirection
Hi, Need advice on URL redirection. The issue is one of our customers is accessing Internet from different locations in Europe but his Internet access point (gateway) is in UK only. Now if he tries to access google.com, he gets page google.co.uk from all locations. Now the requirement is if customer is accessing internet from, for example Frankfurt, he should get google.co.fra not google.co.uk. How can this be achieved with minimum configuration? Can DNS help to achieve this? Regards, Vikas Sharma
[c-nsp] number of vlan 16k
Hi, I could see few of the vendors support 16k /128 k vlans on BRAS devices. I was wondering how can it be integrated with other devices which only support 4095 vlan !!! any help is appreciated.. Regards, Vikas Sharma
[c-nsp] SRB on 6500
Hi, Is it possible to run SRB3 on 6500-E chassis? I am sure this can be done by using 6509-NEB-A, but not sure about 6509-E. Regards, Vikas Sharma
[c-nsp] police rate percent vs. police CIR percent
Hi, Need help to understand the difference between these commands, I searched the net, but could not find the difference. 1- police rate percent 2- police CIR percent Regards, Vikas Sharma
[c-nsp] logging server in MPLS VRF
Hi, I am curious to know whether we should put snmp logging servers part of MPLS vpn (as this has to receive logs from all servers across the network) or it should be the part of global routing table. If we can do it with mpls vpn, is there any benefit? Regards, Vikas Sharma
[c-nsp] F5 BIG IP and FWSM
Hi,

Has anyone worked on F5 BIG IP and FWSM? If yes please help me. At this point I wanted to know BIG IP and how it should be connected to fwsm, specially in routed mode.

My understanding -

6509 (MSFC) -- outside interface of LB -- Inside interface of LB - FWSM context (multiple context)

How will bigip be able to do loadbalancing, when it is not directly connected to servers? All servers d/g is fwsm context.

Regards,
Vikas Sharma
Re: [c-nsp] F5 BIG IP and FWSM
Hi, Thanks for the quick reply. I agree with your advice. But it might be required to loadbalance other devices those are sitting somewhere in my MPLS network. To do this mandatory condition is - LB internal interface should be able to ping / reach that. If I am using first DG to LB VIP and from LB 2nd DG to fwsm context failover ip, how can I achieve reachability from LB internal interface to servers somewhere in my MPLS network as to reach LB one have to pass through FWSM. Do i need to create a separate context for LB reachability to servers outside in MPLS network? Regards, Vikas Sharma On 9/12/08, Max Reid [EMAIL PROTECTED] wrote: That looks backwards...why not have the DG for internal hosts be the BigIP, and DG the BigIP to the inside of the FWSM? The BigIP does a good job of performing NAT, and doesn't need to be directly connected to the nodes in its pools...in fact, I would highly recommend against connecting nodes directly to the BigIP - you should utilize a core switch block for that and default route to a floating internal ip on the BigIP, from there, upstream to the FWSM and let it handle security out front. I concur with this advice, esp. the note about having an L3 connected network between the back end hosts and the 'Inside' interface of the big IP. Main Benefit is failover (no arp issues on clients or F5); when dealing with large load balanced farms. ~Max -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma Sent: Thursday, September 11, 2008 11:08 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] F5 BIG IP and FWSM Hi, Did any one have worked on F5 BIG IP and FWSM? If yes please help me. As this point I wanted to know BIG IP and how it should be conected to fwsm, specially in routed mode. My understanding - 6509 (MSFC) -- outside interface of LB -- Inside interface of LB - FWSM context (multiple context) How bigip will be able to do loadbalancing, when it is not directly connected to servers. 
All servers d/g is fwsm context. Regards, Vikas Sharma ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] mpls ldp discovery transport-address
Hi,

Below is the output of sh mpls ldp discovery. Here LDP identifier and LDP discovery source are different. I can change discovery source using mpls ldp discovery transport-address but my question here is what is the best practice and what are the benefits? Is it using both LDP identifier and Discovery source same or different? One of the benefits I can see is if I use the same IP for both is I can reduce the number of labels. Any other benefit wrt security!!!

router1# sh mpls ldp discovery
 Local LDP Identifier:
    212.74.65.105:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet0/1 (ldp): xmit/recv
            LDP Id: 212.74.65.124:0
        GigabitEthernet0/2 (ldp): xmit/recv
            LDP Id: 212.74.65.126:0
    Targeted Hellos:
        212.74.65.105 - 212.74.65.124 (ldp): passive, xmit/recv
            LDP Id: 212.74.65.124:0
        212.74.65.105 - 212.74.65.126 (ldp): passive, xmit/recv
            LDP Id: 212.74.65.126:0
router1#sh mpls fo
router1#sh mpls forwarding-table | in 212.74.65.124
4560 Pop tag 212.74.65.124/32 0 Gi0/1 212.74.88.233
router1#sh mpls forwarding-table | in 212.74.65.105
router1#

Regards,
Vikas Sharma
[c-nsp] voip with ssl vpn
Hi All, Has anyone tested securing voip with ssl vpn? Regards, Vikas Sharma
Re: [c-nsp] F5 firepass - MPLS connectivity
Thanks Andrew,

Actually I was looking for vrf-lite or mapping to vlan to vrf kind of functionality. I know it can provide SSL vpn but can I use this device to connect to the user directly to MPLS ?? I mean, user connect to FirePass and then based on which vlan the user is in, I can map that vlan to vrf and forward it to appropriate MPLS vpn.

Regards,
Vikas Sharma

On 8/7/08, Andrew Gristina [EMAIL PROTECTED] wrote:
> FirePass is SSL VPN. As far as I know it doesn't speak MPLS at all. If you are on the customer side of the CE device, it won't matter that it doesn't speak MPLS and you can use it for SSL VPN termination as it was intended.
>
> On Wed, Aug 6, 2008 at 8:01 PM, Vikas Sharma [EMAIL PROTECTED] wrote:
> > Hi, Has anyone used F5's FirePass to connect MPLS VPN? If yes please let me know how?
> >
> > Regards,
> > Vikas Sharma
[c-nsp] EoMPLS port mode 7200
Hi, Can I configure EoMPLS on one side 7200 and another side 7600 using service type as EWS and vc-type 4? My requirement is - 1st scenario - I require port mode between 7200 and 7600. 2nd scenario- I require port mode between 7200 and 12k Thanks Regards, Vikas Sharma
[c-nsp] F5 firepass - MPLS connectivity
Hi, Has anyone used F5's FirePass to connect MPLS VPN? If yes please let me know how? Regards, Vikas Sharma
[c-nsp] Inter-AS option B - filter based on IPv4+ Labels?
Hi, In Inter-AS - option B, I have an option of filtering with BGP attributes ASPATH, ext communities, RDs checks. Can I filter based on IPv4+ Labels? i.e. set route maps to filter and send only the desirable prefixes are injected into the BGP table and propagated using IPv4+ Labels to the adjacent ASBR? Can you point me the web page? If above is true then I can use standard BGP communities to filter the traffic between ASBRs in option B!!! Regards, Vikas Sharma
Re: [c-nsp] mpls option A with LAC and LNS
Hi Oli,

Thanks for the prompt response. I think I need to slightly modify this. Though I have used the term LAC and LNS, I am not using L2TP to get the data from the other operator. I am using Inter-AS option A, back to back vrf. The issue I can see once the data is at my ASBR, it will not have any control plane information (as other operator has already put it in to the respective vrf). In that case I will not be able to use my radius to authenticate the user. In summary, my radius will not be used at all.

Regards,
Vikas Sharma

On 7/28/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:
> Vikas Sharma wrote on Monday, July 28, 2008 6:59 AM:
> > Hi, Need help to resolve the below situation. The scenario of LAC / LNS and mpls option A - In case, the customer belong to the ISP dials and latch in the same ISP (i.e. using ISP infrastructure), I can authenticate (since they will latch on LNS, a radius client), using radius and radius will return certain attribute including vrf / pool name etc. and then customer will go to its own vrf and to its own network. But in my case, customers come from other ISP domain (dialing and coming on their lac) and we are using back to back vrf to connect LAC and LNS. Now the problem is, how to authenticate the users and return vrf and ip pool name from the radius as LNS can not act as radius client now. The only option I can see is to forward the traffic to firewall, which can act as radius client and query to radius server, radius server can in turn return the vlan which can be mapped to respective vrf.
>
> you can use vrf-aware Radius to send Radius the radius requests within the VRF (which, I think, solves your problem, but I'm not sure I entirely understood your topology):
>
> aaa authentication ppp VRFCUST group VRFGROUP
> aaa authorization network VRFCUST group VRFGROUP
> aaa accounting network VRFCUST group VRFGROUP
> !
> aaa group server radius VRFGROUP
>  server-private x.x.x.x key z
>  ip radius source-interface ...
>  ip vrf forwarding vrf-name
> !
> int virtual-template1
>  ppp authentication chap pap VRFCUST
>  ppp authorization VRFCUST
>  ppp accounting VRFCUST
>
> However: The L2TP packets also arrive within a VRF, so you need to use vrf-aware vpdn as well (specify vpn vrf name in your vpdn-group).
>
> hope this helps..
>
> oli
Re: [c-nsp] mpls option A with LAC and LNS
Hi Oli,

Authentication is required to keep users in their respective VRFs. All these attributes will come from Radius. We are getting services from another operator. Users are using their infrastructure and coming in to my network. We provide mpls vpn / internet services to the customer.

Regards,
Vikas Sharma

On 7/28/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Ah, ok.. may I ask why you would want to authenticate the users? And against which user database? Which service(s) do you provide for the other operator? More than just traffic?

oli

Vikas Sharma mailto:[EMAIL PROTECTED] wrote on Monday, July 28, 2008 8:24 AM:

Hi Oli, Thanks for the prompt response. I think I need to slightly modify this. Though I have used the term LAC and LNS, I am not using L2TP to get the data from the other operator. I am using Inter-AS option A, back to back vrf. The issue I can see once the data is at my ASBR, it will not have any control plane information (as other operator has already put it in to the respective vrf). In that case I will not be able to use my radius to authenticate the user. In summary, my radius will not be used at all.

Regards, Vikas Sharma

On 7/28/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Vikas Sharma wrote on Monday, July 28, 2008 6:59 AM:

Hi, Need help to resolve the below situation. The scenario of LAC / LNS and mpls option A - In case, the customer belong to the ISP dials and latch in the same ISP (i.e. using ISP infrastructure), I can authenticate (since they will latch on LNS, a radius client), using radius and radius will return certain attribute including vrf / pool name etc. and then customer will go to its own vrf and to its own network. But in my case, customers come from other ISP domain (dialing and coming on their lac) and we are using back to back vrf to connect LAC and LNS. Now the problem is, how to authenticate the users and return vrf and ip pool name from the radius as LNS can not act as radius client now. The only option I can see is to forward the traffic to firewall, which can act as radius client and query to radius server, radius server can in turn return the vlan which can be mapped to respective vrf.

you can use vrf-aware Radius to send Radius the radius requests within the VRF (which, I think, solves your problem, but I'm not sure I entirely understood your topology):

aaa authentication ppp VRFCUST group VRFGROUP
aaa authorization network VRFCUST group VRFGROUP
aaa accounting network VRFCUST group VRFGROUP
!
aaa group server radius VRFGROUP
 server-private x.x.x.x key z
 ip radius source-interface ...
 ip vrf forwarding vrf-name
!
int virtual-template1
 ppp authentication chap pap VRFCUST
 ppp authorization VRFCUST
 ppp accounting VRFCUST

However: The L2TP packets also arrive within a VRF, so you need to use vrf-aware vpdn as well (specify vpn vrf name in your vpdn-group).

hope this helps..

oli
Re: [c-nsp] mpls option A with LAC and LNS
Hi Oli / Stig,

Thanks for the reply.

Oli - Let me see if I can use ISG..

Stig - Here user-authentication in a firewall the issue is I do not have control plane information, I just have IP subnet and VRF. On that basis my authentication will not work. Even I thought of creating vrf's on the operator ASBR, but the issue is I have to create so many e-bgp sessions based on every customer, my router will be down :)

Regards,
Vikas Sharma

On 7/28/08, Stig Johansen [EMAIL PROTECTED] wrote:

Hi there,

You should separate the customers in the LAC at your service provider. Either in different VRF's or at least in different IP-subnets. The best would be if you could get the provider to use *your* RADIUS-server for authenticating. They could do a proxy and stripping unwanted parameters/adding their internal parameters at their end. This way you could control which IP-subnet the different users (your customers) get and do some VRF-selection based on source-addresses at your LNS.

Since the PPP-connection is terminated in the LAC at the service-provider, you won't be able to do any re-negotiating as in a LAC/LNS L2TP-setup. The alternative would then be to do a [EMAIL PROTECTED]:~$ telnet mas1.zrh mas1.zrh: node name or service name not known [EMAIL PROTECTED]:~$ telnet MAS1.ZRH MAS1.ZRH: node name or service name not known but I believe this would be a negative impact for the users.

Best regards,
Stig Meireles Johansen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: 28. juli 2008 10:26
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] mpls option A with LAC and LNS

Hi Oli, Authentication is required to keep users in their respective VRFs. All these attributes will come from Radius. We are getting services from another operator. Users are using their infrastructure and coming in to my network. We provide mpls vpn / internet services to the customer.
[c-nsp] mpls option A with LAC and LNS
Hi,

Need help to resolve the below situation.

The scenario of LAC / LNS and mpls option A -

In case, the customer belong to the ISP dials and latch in the same ISP (i.e. using ISP infrastructure), I can authenticate (since they will latch on LNS, a radius client), using radius and radius will return certain attribute including vrf / pool name etc. and then customer will go to its own vrf and to its own network.

But in my case, customers come from other ISP domain (dialing and coming on their lac) and we are using back to back vrf to connect LAC and LNS. Now the problem is, how to authenticate the users and return vrf and ip pool name from the radius as LNS can not act as radius client now.

The only option I can see is to forward the traffic to firewall, which can act as radius client and query to radius server, radius server can in turn return the vlan which can be mapped to respective vrf.

If anyone have done it b4, pls let me know.

Regards,
Vikas Sharma
Re: [c-nsp] BGP - unsupported parameter - peer reset
Hi,

To my astonishment, everything started working fine after enabling mpls on juniper ERX globally. Can anyone tell me the reason?

My understanding which proved to be wrong in case of ERX is -

The issue we have is bgp session not establishing (not, bgp is not advertising the vpnv4 routes). ERX can advertise ipv4:vpn unicast (vpnv4 routes) only after mpbgp is in established state. The statement from juniper holds true not only for juniper but for any other vendor as until mpls is not configured it will not advertise any vpnv4 routes.

The process for bgp is - First bgp session is established then only bgp advertise the routes / prefixes

The process for mpbgp is - First the mpbgp session is established then only one can see any vpnv4 routes

My point is to establish mpbgp session we do not need to enable mpls. After mpbgp session only vpnv4 prefixes can be seen in mpbgp table. Thus the answer from Juniper is not to the point. Still we do not know the reason for mpbgp session not establishing and in the logs it is clearly stating the reason is capability mismatch.

Further to this mpbgp and mpls are entirely two different independent protocols and configured separately, one under bgp process and another under mpls and mpls is just a transport protocol.

Summary of the above is - advertisement of vpnv4 routes, mpbgp session establishment and enabling mpls are different process.

Thus juniper has to rework on the issue and let us know the actual reason.

Regards,
Vikas Sharma

On 7/14/08, Vikas Sharma [EMAIL PROTECTED] wrote:

Hi, I have mpls network where I am connecting ERX (juniper box) as PE to cisco 12 k (vpnv4 route reflector). At all locations it's working fine except one and showing me on ERX unsupported capabilities.

from ERX -

We received an unsupported-capability notification from this peer. This indicates that the peer does not ignore unrecognized capabilities. We received the notification before we received an open from this peer.
[c-nsp] FWSM and AAA
Hi,

I have a setup where users dial in to access server (BRAS) and get authenticated via AAA. Now I want to implement fwsm so that all traffic first go to fwsm then to anywhere in the network. But since user is getting all attributes e.g. ip address, vrf from aaa, I am not able to understand the traffic flow. Can anyone help me out to understand this? 1st packet should go to fwsm and then to vrf, the issue is I can not map vlan to vrf as I am getting all these information from AAA.

Regards
Vikas Sharma
[c-nsp] BGP - unsupported parameter - peer reset
Hi,

I have mpls network where I am connecting ERX (juniper box) as PE to cisco 12 k (vpnv4 route reflector). At all locations it's working fine except one and showing me on ERX unsupported capabilities.

from ERX -

We received an unsupported-capability notification from this peer.
This indicates that the peer does not ignore unrecognized capabilities.
We received the notification before we received an open from this peer.
As a result we cannot guess which capabilities are supported by the peer.
We won't advertise capabilities with known interoperability problems.
Capability advertisements:
  Capabilities option: send
  Dynamic capability negotiation: send
  Deprecated dynamic capability negotiation: send
  Multi-protocol extensions: send
  Route refresh: send
  Route refresh (Cisco proprietary): send
  Four octet AS numbers: send
  Graceful restart:
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds
  The last time that the session was in state established:
    We did not send the graceful-restart capability
    We did not receive the graceful-restart capability
Total of 20782 messages sent, 20639 messages received
0 update messages sent, 0 update messages received

As per rfc3392, if bgp speaking router does not understand optional community, it should ignore it and should not try to re-establish the session.

I am attaching the status of sh ip bgp vpnv1 a s for the ref.

on ERX - sh ip bgp vpnv4 all s

Local router ID 212.74.69.117, local AS 8220
Administrative state is Start
BGP Operational state is Up
Shutdown in overload state is disabled
Default local preference is 100
IGP synchronization is disabled
Default originate is disabled
Auto summary is disabled
Always compare MED is disabled
Compare MED within confederation is disabled
Advertise inactive routes is disabled
Advertise best external route to internal peers is disabled
Enforce first AS is enabled
Missing MED as worst is disabled
Route flap dampening is disabled
Log neighbor changes is enabled
Fast External Fallover is disabled
No maximum received AS-path length
BGP administrative distances are 20 (ext), 200 (int), and 200 (local)
Client-to-client reflection is enabled
Cluster ID is not configured (local router ID used)
Route-target filter is enabled
Default IPv4-unicast is enabled
Check next-hops of vpn routes is disabled
Redistribution of iBGP routes is disabled
Graceful restart is globally disabled
Global graceful-restart restart time is 120 seconds
Global graceful-restart stale paths time is 360 seconds
Graceful-restart path selection defer time is 360 seconds
Graceful-restart is not ready to switch to the standby SRP
The last restart was not graceful
Address family ipv4:vpn-unicast in core VRF operationally down due to IPv6 not present
Local-RIB version 2. FIB version 2.

                                           Messages  Messages  Prefixes
Neighbor       AS    State  Up/down time   Sent      Received  Received
212.74.69.112  8220  Idle   2d 06:25:40    18301     18166     0
212.74.69.113  8220  Idle   4d 11:06:33    20934     20788     0

these are two route reflectors connected to this PE. We have one more PE (again ERX box), which does not have any issue.

For your ref. I am also attaching working and non-working ERX, sh ip bgp v a nei output

working ERX -

Capability advertisements:
  Capabilities option: sent, received
  Dynamic capability negotiation: sent
  Deprecated dynamic capability negotiation: sent
  Multi-protocol extensions: sent, received
  Route refresh: sent, received
  Route refresh (Cisco proprietary): sent, received
  Four octet AS numbers: sent
  Graceful restart:
*Multi-protocol extensions negotiation:
  ip-v4 vpn-unicast: sent, received, used *
Dynamic capability negotiation:
  Multi-protocol extensions: sent
  Route refresh: sent
  Graceful restart: sent
  Route refresh (Cisco proprietary): sent
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds
  We did not send the graceful-restart capability

Non- working ERX -

Capability advertisements:
  Capabilities option: send
  Dynamic capability negotiation: send
  Deprecated dynamic capability negotiation: send
  Multi-protocol extensions: send
  Route refresh: send
  Route refresh (Cisco proprietary): send
  Four octet AS numbers: send
  Graceful restart:
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds

Note- I can see the difference as in working I can see multiprotocol extension negotiations while I can not see the same in non-working.

Since the message states issue with 12k !!!, which I am not sure abt, sending this to cisco-mail ;)

Regards,
Vikas Sharma
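The working and non-working ERX outputs in the post above differ in the negotiated ip-v4 vpn-unicast family. The following is an added example, not part of the thread and not Juniper or Cisco code: it encodes two OPEN messages and the Unsupported Capability NOTIFICATION (error 2, subcode 7) described in RFC 5492, under the assumption that the receiving peer requires AFI 1 / SAFI 128. The hold time and capability sets are constructed, and the thread does not establish that this is what the 12k did.

```python
import struct

MARKER = b"\xff" * 16                      # BGP message header marker (RFC 4271)
OPEN, NOTIFICATION = 1, 3                  # message types
CAP_MP, CAP_RR, CAP_RR_CISCO, CAP_AS4 = 1, 2, 128, 65
ERR_OPEN, SUB_UNSUPPORTED_CAP = 2, 7       # NOTIFICATION error code / subcode


def mp_cap(afi, safi):
    """Multiprotocol Extensions capability: AFI(2) reserved(1) SAFI(1)."""
    return (CAP_MP, struct.pack("!HBB", afi, 0, safi))


def encode_caps(caps):
    return b"".join(struct.pack("!BB", code, len(val)) + val for code, val in caps)


def decode_caps(data):
    caps, i = [], 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        caps.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return caps


def header(msg_type, body):
    return MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def build_open(my_as, hold_time, router_id, caps):
    cap_bytes = encode_caps(caps)
    opt = struct.pack("!BB", 2, len(cap_bytes)) + cap_bytes  # optional parameter 2 = Capabilities
    rid = bytes(int(octet) for octet in router_id.split("."))
    return header(OPEN, struct.pack("!BHH4sB", 4, my_as, hold_time, rid, len(opt)) + opt)


def open_caps(msg):
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg[:16] != MARKER or msg_type != OPEN or length != len(msg):
        raise ValueError("not a well-formed OPEN")
    opts, caps, i = msg[29:29 + msg[28]], [], 0
    while i + 2 <= len(opts):
        ptype, plen = opts[i], opts[i + 1]
        if ptype == 2:
            caps += decode_caps(opts[i + 2:i + 2 + plen])
        i += 2 + plen
    return caps


def offered_families(msg):
    """Set of (AFI, SAFI) pairs announced in the OPEN."""
    return {struct.unpack("!HBB", v)[::2] for c, v in open_caps(msg) if c == CAP_MP}


def check_required(open_msg, required):
    """Assumed peer policy: None to proceed, else the NOTIFICATION to send.

    RFC 5492 requires the data field to list the capability that caused it.
    """
    missing = sorted(required - offered_families(open_msg))
    if not missing:
        return None
    data = encode_caps([mp_cap(afi, safi) for afi, safi in missing])
    return header(NOTIFICATION, struct.pack("!BB", ERR_OPEN, SUB_UNSUPPORTED_CAP) + data)


def parse_notification(msg):
    return msg[19], msg[20], decode_caps(msg[21:])


# Constructed samples; AS 8220 and router ID 212.74.69.117 are taken from the post.
COMMON = [(CAP_RR, b""), (CAP_RR_CISCO, b""), (CAP_AS4, struct.pack("!I", 8220))]
WORKING = build_open(8220, 90, "212.74.69.117", [mp_cap(1, 1), mp_cap(1, 128)] + COMMON)
NON_WORKING = build_open(8220, 90, "212.74.69.117", [mp_cap(1, 1)] + COMMON)
VPNV4 = {(1, 128)}                         # AFI 1 (IPv4), SAFI 128 (MPLS-labelled VPN)

if __name__ == "__main__":
    for name, msg in (("working", WORKING), ("non-working", NON_WORKING)):
        reply = check_required(msg, VPNV4)
        print(name, sorted(offered_families(msg)),
              parse_notification(reply) if reply else "OPEN accepted")
```
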
[c-nsp] Cisco BFD support for Juniper / Huawei
Hi All,

My question is - does BFD implementation in Cisco support Juniper / Huawei CPE? Is Cisco's implementation as per standard? Has anyone tested it?

Regards,
Vikas Sharma
[c-nsp] /31 network
Hi,

Has anyone used /31 network instead of /30? I believe it is recommended to use /31 network? Need expert comments.

Regards,
Vikas Sharma
[c-nsp] CoPP on PE router for access network
Hi,

I want to understand the impact of mpls vpn (vrf) control traffic on CoPP. Can I block vrf control plane packets (PE-CE) using CoPP? If yes, what is the impact? Another idea is to use infrastructure acl, but I am more interested if I can block PE-CE control traffic using CoPP?

Regards,
Vikas Sharma
Re: [c-nsp] Short pipe with Inter-as option 10b
Hi oli,

I understood - if CPE is managed one, it's good to use uniform mode and if CPE is unmanaged, use pipe/short pipe mode. What is the best strategy for transit traffic??

Regards,
Vikas Sharma

On 6/9/08, Oliver Boehmer (oboehmer) [EMAIL PROTECTED] wrote:

Vikas Sharma mailto:[EMAIL PROTECTED] wrote on Monday, June 09, 2008 5:29 AM:

Thanks oli, Jeff - Yes I am working with carrier. Refining my question, Generally what QoS mechanism Service Provider choose? Short pipe mode or Pipe mode.

Many are actually using uniform.. pipe/short-pipe is interesting for unmanaged CE deployments, but once the SP boundary is the CE's LAN toward the customer, DSCP/QoS transparency is much more difficult to implement.

oli
Re: [c-nsp] Short pipe with Inter-as option 10b
Thanks oli,

Jeff - Yes I am working with carrier.

Refining my question, Generally what QoS mechanism Service Provider choose? Short pipe mode or Pipe mode.

Regards,
Vikas Sharma

On 6/6/08, Jeff Cartier [EMAIL PROTECTED] wrote:

Are you an MPLS carrier?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: Thursday, June 05, 2008 11:11 PM
To: cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer); [EMAIL PROTECTED]; Tom Mulvey (tmulvey)
Subject: [c-nsp] Short pipe with Inter-as option 10b

Hi, Need your expert comment on what QoS mechanism to be used for Inter-As option 10b, pipe mode or short pipe mode. This is for ISP setup. What is the trend in ISP industry?

Regards,
Vikas Sharma
[c-nsp] Short pipe with Inter-as option 10b
Hi,

Need your expert comment on what QoS mechanism to be used for Inter-As option 10b, pipe mode or short pipe mode. This is for ISP setup. What is the trend in ISP industry?

Regards,
Vikas Sharma
Re: [c-nsp] BFD aware VRF
Hi Aaron,

If you have customer who wants redundancy for CE -PE , and switchover should be very fast .. .. then u have to implement BFD..BFD can be on ethernet also. Hope it clears..

Regards

On 2/9/08, Aaron [EMAIL PROTECTED] wrote:

Why do you need bfd on a serial interface? Seems like a waste of CPU and BW.

On Feb 4, 2008 1:12 PM, Luan Nguyen [EMAIL PROTECTED] wrote:

I have bgp running between PE and CE. So on the PE, you do:

router bgp
 address-family ipv4 vrf whatever
  neighbor y.y.y.y fall-over bfd

Do the same for the CE under bgp. Then on the link between CE and PE, configured the bfd interval...etc. That should work. The problem is my CE is a 1841 with a Channelized T1/PRI port and even with the latest 12.4.15T3, i can't put the bfd command under the serial interface! Without interface level bfd command, bfd won't work. Hello? I did try with an ethernet link between PE and CE, and bfd config looks good.

-lmn

On Feb 4, 2008 11:47 AM, Vikas Sharma [EMAIL PROTECTED] wrote:

Hi, Anyone have configured VRF aware BFD? If yes pls let me know how?

Regards
Vikas Sharma
Re: [c-nsp] BFD aware VRF
Hi,

I have configured BFD but it is showing down. I have used BGP to configure BFD.

Client Router -

a05-2821-3#sh bfd neighbors
OurAddr      NeighAddr    LD/RD  RH/RS  Holddown(mult)  State  Int
172.16.1.5   172.16.1.6   4/0    Down   0    (0 )       Down   Gi0/0
172.16.1.1   172.16.1.2   6/0    Down   0    (0 )       Down   Gi0/1

*7600 PE -*

e12-7600-1#sh bfd neighbors
OurAddr      NeighAddr    LD/RD  RH/RS  Holddown(mult)  State  Int
172.16.1.2   172.16.1.1   1/6    Down   1916 (3 )       Init   Gi12/1

Debug output -

e12-7600-1#debug bfd event
BFD event debugging is on
e12-7600-1#
*Feb 6 04:33:06.176: Applying event 2
*Feb 6 04:33:06.176: bfdV1FSM e:2 s:2
*Feb 6 04:33:07.008: Applying event 2
*Feb 6 04:33:07.008: bfdV1FSM e:2 s:2
*Feb 6 04:33:07.508: bfdV1FSM e:4 s:2
*Feb 6 04:33:07.508: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT TIMER EXPIRED, state INIT - DOWN
*Feb 6 04:33:07.912: Applying event 2
*Feb 6 04:33:07.912: bfdV1FSM e:2 s:1
*Feb 6 04:33:07.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX DOWN, state DOWN - INIT
*Feb 6 04:33:08.704: Applying event 2
*Feb 6 04:33:08.704: bfdV1FSM e:2 s:2
*Feb 6 04:33:09.648: Applying event 2
*Feb 6 04:33:09.648: bfdV1FSM e:2 s:2u all
*Feb 6 04:33:10.436: Applying event 2
*Feb 6 04:33:10.436: bfdV1FSM e:2 s:2
*Feb 6 04:33:10.912: bfdV1FSM e:4 s:2
*Feb 6 04:33:10.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT TIMER EXPIRED, state INIT - DOWN
*Feb 6 04:33:11.288: Applying event 2
*Feb 6 04:33:11.288: bfdV1FSM e:2 s:1
*Feb 6 04:33:11.288: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX DOWN, state DOWN - INIT
All possible debugging has been turned off
e12-7600-1#
*Feb 6 04:33:12.152: Applying event 2
*Feb 6 04:33:12.152: bfdV1FSM e:2 s:2

*7200 PE -*

c12-7200-3#sh bfd n
OurAddr      NeighAddr    LD/RD  RH/RS  Holddown(mult)  State  Int
172.16.1.6   172.16.1.5   1/4    Down   512  (3 )       Init   Gi0/2

Debug Output -

c12-7200-3#debug bfd event
BFD event debugging is on
c12-7200-3#
*Feb 6 04:39:54.544: Applying event 2
*Feb 6 04:39:54.544: bfdV1FSM e:2 s:1
*Feb 6 04:39:54.544: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event RX DOWN, state DOWN - INIT
*Feb 6 04:39:55.328: Applying event 2
*Feb 6 04:39:55.328: bfdV1FSM e:2 s:2
*Feb 6 04:39:56.100: Applying event 2
*Feb 6 04:39:56.100: bfdV1FSM e:2 s:2
*Feb 6 04:39:56.880: Applying event 2
*Feb 6 04:39:56.880: bfdV1FSM e:2 s:2
*Feb 6 04:39:57.544: bfdV1FSM e:4 s:2
*Feb 6 04:39:57.544: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event DETECT TIMER EXPIRED, state INIT - DOWN
*Feb 6 04:39:57.676: Applying event 2
*Feb 6 04:39:57.676: bfdV1FSM e:2 s:1
*Feb 6 04:39:57.676: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event RX DOWN, state DOWN - INITu all
All possible debugging has been turned off
c12-7200-3#
*Feb 6 04:39:58.632: Applying event 2
*Feb 6 04:39:58.632: bfdV1FSM e:2 s:2
*Feb 6 04:39:59.472: Applying event 2
*Feb 6 04:39:59.472: bfdV1FSM e:2 s:2

Both PE have SRC image. Not getting any debug output on 2800 CE router.

Regards
Vikas Sharma

On 2/5/08, Justin Shore [EMAIL PROTECTED] wrote:

Luan Nguyen wrote:

I did try with an ethernet link between PE and CE, and bfd config looks good.

Unless your Ethernet links are 1Q trunks like what you'd have between a site with a pair of redundant routers doing both L3 and access layer connections (FHRPs). SRC removed BFD on SVI support, as did SXH on the ME6524s. Yes, I'm beating a dead horse but it aggravates me nonetheless. I need to upgrade to SRC but I am going to lose BFD support as soon as I do, pushing my recovery times up into seconds; far from the milliseconds Cisco sold us on when they blessed this design.

Justin
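The `debug bfd event` output in the post above cycles between DOWN and INIT. The following is an added example, not part of the thread and not Cisco code: it parses those session lines and classifies each session. The verdict names and the `analyze` helper are assumptions of this example, and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Matches the session lines of "debug bfd event"; accepts both "->" and the
# " - " form in which the arrows appear on this page.
TRANSITION = re.compile(
    r"Session \[(?P<key>[^\]]+)\], event (?P<event>[A-Z ]+?), "
    r"state (?P<old>[A-Z]+) -+>? (?P<new>[A-Z]+)"
)


def analyze(lines):
    """Summarise BFD state transitions per session and classify the pattern."""
    sessions = defaultdict(lambda: {"transitions": [], "expiries": 0, "reached_up": False})
    for line in lines:
        m = TRANSITION.search(line)
        if m is None:
            continue  # "Applying event" / bfdV1FSM lines carry no state change
        s = sessions[m["key"]]
        s["transitions"].append((m["event"], m["old"], m["new"]))
        if m["event"] == "DETECT TIMER EXPIRED":
            s["expiries"] += 1
        if m["new"] == "UP":
            s["reached_up"] = True
    for s in sessions.values():
        heard_down = any(ev == "RX DOWN" for ev, _, _ in s["transitions"])
        if s["reached_up"]:
            s["verdict"] = "established"
        elif heard_down and s["expiries"]:
            # RFC 5880: a peer that received our packets would leave Down and
            # report Init or Up. It keeps reporting Down, so only the
            # peer-to-us direction works; check the path toward the peer and
            # the BFD configuration on the peer's interface.
            s["verdict"] = "one-way"
        else:
            s["verdict"] = "inconclusive"
    return dict(sessions)


# Lines copied from the 7600 and 7200 debug output in the post.
SAMPLE = [
    "*Feb 6 04:33:07.008: bfdV1FSM e:2 s:2",
    "*Feb 6 04:33:07.508: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT TIMER EXPIRED, state INIT - DOWN",
    "*Feb 6 04:33:07.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX DOWN, state DOWN - INIT",
    "*Feb 6 04:33:10.912: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event DETECT TIMER EXPIRED, state INIT - DOWN",
    "*Feb 6 04:33:11.288: Session [172.16.1.2,172.16.1.1,Gi12/1,1], event RX DOWN, state DOWN - INIT",
    "*Feb 6 04:39:57.544: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event DETECT TIMER EXPIRED, state INIT - DOWN",
    "*Feb 6 04:39:57.676: Session [172.16.1.6,172.16.1.5,Gi0/2,1], event RX DOWN, state DOWN - INITu all",
]

if __name__ == "__main__":
    for key, s in analyze(SAMPLE).items():
        print(key, s["verdict"], "expiries:", s["expiries"])
```
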
[c-nsp] Control plane policy recommendation
Hi,

I am configuring CoPP. If anyone previously have implemented the same, pls help me in finding what should be the PPS for different traffic class?

Regards
Vikas Sharma
[c-nsp] Metro ethernet VCs are up but no packet transfer
Hi,

In a metroethernet configuration, I have one side mst with 7600 (PE) and another side 7200 (PE) with pvst. My VCs are up and mst and pvst has been configured. But in the output below i can not see any packet send. any clue??

PE2#sh mpls l2 vc 500 detail
Local interface: Gi0/1.500 up, line protocol up, Eth VLAN 500 up
  Destination address: 1.1.1.1, VC ID: 500, VC status: up
    Output interface: Gi0/3, imposed label stack {18 19}
    Preferred path: not configured
    Default path: active
    Next hop: 20.1.1.1
  Create time: 05:54:13, last status change time: 00:36:36
  Signaling protocol: LDP, peer 1.1.1.1:0 up
    MPLS VC labels: local 18, remote 19
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: *** L2 connection to 7600 router ***
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 29, send 0
    byte totals: receive 2349, send 0
    packet drops: receive 0, seq error 0, send 0

Regards
Vikas Sharma
Re: [c-nsp] cisco-nsp Digest, Vol 60, Issue 52
Thanks for the support... Regards Vikas On 11/16/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Today's Topics: 1. Problems with CiscoWorks LMS 3.0, Device Fault Manager, Mail-Notifications (Enno Rey) 2. Re: BGPoPPPoEoA ?! (Gerald Krause) 3. Re: Cat6509 and transparent firewall (Ruben Alvarez) 4. Re: Auto MD on Catalyst 4948? (Asbjorn Hojmark - Lists) 5. Re: traffic flow in 6500 switch with FWSM and MPLS VPN (Vikas Sharma) 6. Re: traffic flow in 6500 switch with FWSM and MPLS VPN (Peter Rathlev) 7. Re: traffic flow in 6500 switch with FWSM and MPLS VPN (Ramcharan, Vijay A) -- Message: 1 Date: Thu, 15 Nov 2007 20:53:38 +0100 From: Enno Rey [EMAIL PROTECTED] Subject: [c-nsp] Problems with CiscoWorks LMS 3.0, Device Fault Manager,Mail-Notifications To: cisco-nsp@puck.nether.net Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=us-ascii Hi, I'm currently struggling with setting up mail notifications with CiscoWorks' DFM. The goal is simple: to send notification mails based on alerts and/or incoming SNMP traps. I've seen this working successfully in one environment but some time ago I tried in vain with LMS 2.6 at the time, being confronted with the same kind of problems I currently encounter (and I gave up then. In fact one of the reasons to upgrade the current systems to LMS 3.0 was the failure of getting it running at that time). There are two major pieces that have to be configured: notification groups and subscriptions.
One can modify/configure event sets (I tried with and without those), but - according to the documentation - using no events sets means that all events/levels of severity are used. The setup seems not too difficult once one understands the structure (albeit I might miss sth) but despite quite some efforts and modifications not one single mail gets sent (even though quite a few alarms can be seen in the alarms view and quite a lot of SNMP traps are coming in). The setup is as follows: CiscoWorks LMS 3.0 running on W2K3 server, both fully patched (= DFM 3.0.1). Set up some user defined groups in Common Services (CS), performed device inventory and some work in other modules, everything seems to work fine for approx. 180 devices. Set up syslog based mail delivery in RME which works smoothly (so no problems with mail delivery in general). Alert views in DFM work fine, too. Tried to get mail notifications running in DFM with - different device groups, - different notification groups, - with (all|none|some) defined events sets, - some subscriptions and I never see _any_ effort to send any mail at all. No port 25 traffic at all in wireshark (with the exception of the syslog stuff from RME which works smoothly). I've no idea what could be wrong. This is a fresh install, fully licensed, so no problems with updating modules (which might have been one of the reasons for failure in the past). I see some errors in various DFM logfiles (e.g. in aad.log and others) though that I do not really understand. They may be related or not. However from my understanding of Java stuff and exceptions they _seem_ not related. Does anybody have any idea what could be wrong? Am I missing something obvious? I will probably open a TAC case after the weekend but was hoping for some clue from the people here before... thanks in advance, Enno -- Enno Rey ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de Tel. 
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1 Handelsregister Heidelberg: HRB 7135 Geschaeftsfuehrer: Roland Fiege, Enno Rey -- Message: 2 Date: Thu, 15 Nov 2007 21:29:39 +0100 From: Gerald Krause [EMAIL PROTECTED] Subject: Re: [c-nsp] BGPoPPPoEoA ?! To: cisco-nsp@puck.nether.net Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset=iso-8859-1 Ok, but I need none if the GW IP address from the PPP negotiation is the loopback IP address on the PE in question. That's why I have no configured static route on the CE. On Thursday 15 November 2007 20:47:56 Aaron wrote: Don't forget the static for the loopback On Nov 15, 2007 2:30 PM, Gerald Krause [EMAIL PROTECTED] wrote: On Thursday 15 November 2007 17:40:54 Adam Greene wrote: Lots of o's in that subject line ... I'm trying to set
Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
Hi,

on the same line i have few more doubts. pls help me to solve this.

I have 5 vlans namely data, voice , video and CCTV. Packet coming out of access switch will go to SVI and then come to FWSM as firewall-group has been configured. Now I want to integrate this LAN to my MPLS cloud. I have created two vrf (one for voice/data and video) and another for CCTV and importing and exporting to all remote sites. My question is how does FWSM behave when default gateway is on MSFC svi (i have created dot1 q interfaces on svi and assign vrf forwarding to respective interfaces). Since on svi i have configured vrf forwarding, will FWSM understand the firewall-group in this case?

any help is greatly appreciated

Regards
Vikas Sharma

On 11/12/07, Vikas Sharma [EMAIL PROTECTED] wrote:

Hi, Can I configure FWSM as a default gateway for my internal vlans (similar to HSRP configuration on MSFC for vlans)? i.e inside packet will first hit fwsm then MSFC !!! If u have some doc on this pls share if possible..

Regards
Vikas Sharma

On Nov 7, 2007 7:00 PM, Fred Reimer [EMAIL PROTECTED] wrote:

There are many ways that you can configure the 6500 with a FWSM and IDSM. It depends on what you want to do with it. You can place the MSFC (routing entity) inside or outside of the FWSM. I prefer inside unless there is a really good reason to have it outside (such as routing sessions to providers, etc) as you don't need to secure it quite as much as when it is on a publicly accessible address. You could also use VRF on the MSFC and have one instance on the outside and one on the inside (or a bunch of instances and one on each DMZ interface of the FWSM also).

For the IDSM you also have an option of in-line mode or not. You want in-line mode if you want IPS functionality, and promiscuous mode if you want IDS functionality. Again, you can place the IDSM inside or outside the FWSM, but it really makes sense to drop malicious traffic before it even reaches your FW. Perhaps have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC - inside networks.

You really need to talk to, or hire, a security specialist.

Fred Reimer, CISSP, CCNP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Vikas Sharma
Sent: Wednesday, November 07, 2007 3:14 AM
To: cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer)
Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Hi, I have FWSM and IDSM-2 on 6500 switch. Since I am not a security guy I am not able to visualize how traffic flow will take place in this situation. My requirement is to secure internal traffic from external / DMZ traffic and inspect malicious traffic. Can someone give me the logical picture how packet will flow inside 6500 switch? whether it will first go to FWSM then to MSFC or first to MSFC then firewall? I have vlan (SVIs) created on msfc and these ips are default gateway for my internal traffic. Any help is appreciated...

Regards
Vikas Sharma
Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN
Hi Fred, The link shows me the option of configuring multiple SVIs but my question is if I assigned these vlans to VRF created on 6509, will fwsm understand this? I can do this conf on the switch for fwsm -

firewall vlan-group 50 55-57
firewall module 8 vlan-group 50

but my SVI have to be in vrf for mpls forwarding. Does FWSM support this kind of vrf functionality?

Regards
Vikas Sharma

On 11/16/07, Fred Reimer [EMAIL PROTECTED] wrote:

Yes, it works fine. You would need to configure the option on the SUP to allow multiple SVI's to be configured when they are assigned/trunked to the firewall. See here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/switch_f.html

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: Vikas Sharma [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2007 6:20 AM
To: Fred Reimer; cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer)
Subject: Re: [c-nsp] traffic flow in 6500 switch with FWSM and MPLS VPN

Hi, on the same line I have few more doubts. Pls help me to solve this. I have 5 vlans namely data, voice, video and CCTV. Packet coming out of access switch will go to SVI and then come to FWSM as firewall-group has been configured. Now I want to integrate this LAN to my MPLS cloud. I have created two vrf (one for voice/data and video) and another for CCTV and importing and exporting to all remote sites. My question is how does FWSM behave when default gateway is on MSFC svi (I have created dot1q interfaces on svi and assign vrf forwarding to respective interfaces). Since on svi I have configured vrf forwarding, will FWSM understand the firewall-group in this case? Any help is greatly appreciated.

Regards
Vikas Sharma

On 11/12/07, Vikas Sharma [EMAIL PROTECTED] wrote:

Hi, Can I configure FWSM as a default gateway for my internal vlans (similar to HSRP configuration on MSFC for vlans)? i.e. inside packet will first hit fwsm then MSFC !!! If u have some doc on this pls share if possible..

Regards
Vikas Sharma

On Nov 7, 2007 7:00 PM, Fred Reimer [EMAIL PROTECTED] wrote:

There are many ways that you can configure the 6500 with a FWSM and IDSM. It depends on what you want to do with it. You can place the MSFC (routing entity) inside or outside of the FWSM. I prefer inside unless there is a really good reason to have it outside (such as routing sessions to providers, etc) as you don't need to secure it quite as much as when it is on a publicly accessible address. You could also use VRF on the MSFC and have one instance on the outside and one on the inside (or a bunch of instances and one on each DMZ interface of the FWSM also). For the IDSM you also have an option of in-line mode or not. You want in-line mode if you want IPS functionality, and promiscuous mode if you want IDS functionality. Again, you can place the IDSM inside or outside the FWSM, but it really makes sense to drop malicious traffic before it even reaches your FW. Perhaps have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC - inside networks. You really need to talk to, or hire, a security specialist.

Fred Reimer, CISSP, CCNP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vikas Sharma
Sent: Wednesday, November 07, 2007 3:14 AM
To: cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer)
Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Hi, I have FWSM and IDSM-2 on 6500 switch. Since I am not a security guy I am not able to visualize how traffic flow will take place in this situation. My requirement is to secure internal traffic from external / DMZ traffic and inspect malicious traffic. Can someone give me the logical picture how packet will flow inside 6500 switch? Whether it will first go to FWSM then to MSFC or first to MSFC then firewall? I have vlan (SVIs) created on msfc and these ips are default gateway for my internal traffic
Re: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM
Hi, Can I configure FWSM as a default gateway for my internal vlans (similar to HSRP configuration on MSFC for vlans)? i.e. inside packet will first hit fwsm then MSFC !!! If u have some doc on this pls share if possible..

Regards
Vikas Sharma

On Nov 7, 2007 7:00 PM, Fred Reimer [EMAIL PROTECTED] wrote:

There are many ways that you can configure the 6500 with a FWSM and IDSM. It depends on what you want to do with it. You can place the MSFC (routing entity) inside or outside of the FWSM. I prefer inside unless there is a really good reason to have it outside (such as routing sessions to providers, etc) as you don't need to secure it quite as much as when it is on a publicly accessible address. You could also use VRF on the MSFC and have one instance on the outside and one on the inside (or a bunch of instances and one on each DMZ interface of the FWSM also). For the IDSM you also have an option of in-line mode or not. You want in-line mode if you want IPS functionality, and promiscuous mode if you want IDS functionality. Again, you can place the IDSM inside or outside the FWSM, but it really makes sense to drop malicious traffic before it even reaches your FW. Perhaps have it look like Internet -- IDSM -- MSFC -- FWSM -- MSFC - inside networks. You really need to talk to, or hire, a security specialist.

Fred Reimer, CISSP, CCNP
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vikas Sharma
Sent: Wednesday, November 07, 2007 3:14 AM
To: cisco-nsp@puck.nether.net; Oliver Boehmer (oboehmer)
Subject: [c-nsp] traffic flow in 6500 switch with FWSM and IDSM

Hi, I have FWSM and IDSM-2 on 6500 switch. Since I am not a security guy I am not able to visualize how traffic flow will take place in this situation. My requirement is to secure internal traffic from external / DMZ traffic and inspect malicious traffic. Can someone give me the logical picture how packet will flow inside 6500 switch? Whether it will first go to FWSM then to MSFC or first to MSFC then firewall? I have vlan (SVIs) created on msfc and these ips are default gateway for my internal traffic. Any help is appreciated...

Regards
Vikas Sharma
[c-nsp] traffic flow in 6500 switch with FWSM and IDSM
Hi, I have FWSM and IDSM-2 on 6500 switch. Since I am not a security guy I am not able to visualize how traffic flow will take place in this situation. My requirement is to secure internal traffic from external / DMZ traffic and inspect malicious traffic. Can someone give me the logical picture how packet will flow inside 6500 switch? Whether it will first go to FWSM then to MSFC or first to MSFC then firewall? I have vlan (SVIs) created on msfc and these ips are default gateway for my internal traffic. Any help is appreciated...

Regards
Vikas Sharma
Re: [c-nsp] Wireless LAN survey tool
Hi Richard, Thanks for the reply. I have a greenfield project and I have to design the access points etc. Thus I wanted to understand which tool is best for site survey so that we can avoid interference etc. We are planning for 802.11g as it will give more channels and good enough for Voice/video/data over wireless. Pls suggest.

Regards
Vikas Sharma

On 10/29/07, Richard Golodner [EMAIL PROTECTED] wrote:

Vikas, it can be used as a hacking tool for war driving, but if configured from a laptop using built in wireless card Intel ProSet or similar, it will show you all of the available wireless networks in your area. Do you want to survey the hosts in a particular subnet? What is your network topology like? Give me some specifics and I will try and guide your choice amongst the available, free tools. Kismet is another one, but I like netstumbler for its ease of use and minimal learning curve.

Richard

From: Vikas Sharma [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 29, 2007 2:19 AM
To: Richard Golodner
Subject: Re: [c-nsp] Wireless LAN survey tool

Hi Richard, Can we use netstumbler for wireless LAN survey? bcos as per my knowledge it is a kind of hacking tool. Since my knowledge is limited in WLAN, request you to pls guide me.

Regards
Vikas Sharma

On 10/29/07, Richard Golodner [EMAIL PROTECTED] wrote:

Vikas, hello. I have used many, but have found that Netstumbler works best for me. Not only does it show what hosts are up, but gives MAC address and s/n ratios as well. http://www.netstumbler.com/downloads/

Most sincerely,
Richard Golodner

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vikas Sharma
Sent: Monday, October 29, 2007 2:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Wireless LAN survey tool

Hi, Can someone tell me the best (or good enough) tool for WLAN survey. I have seen many tools available but not sure which one is best as per user friendliness and accurate enough. Pls guide me if anyone has worked on any wireless survey tool.

Regards
Vikas Sharma
[c-nsp] Wireless LAN survey tool
Hi, Can someone tell me the best (or good enough) tool for WLAN survey. I have seen many tools available but not sure which one is best as per user friendliness and accurate enough. Pls guide me if anyone has worked on any wireless survey tool.

Regards
Vikas Sharma
[c-nsp] MPLS network on 3750 switches - ISIS or OSPF which is scalable?
Hi, I have approx. fifty 3750 switches and I have to implement MPLS network on that. I am planning for OSPF in a single area as there will be only loopback IPs and connected routes in global IP routing table. But I am not sure abt the LSA flooding as my network is a full mesh. Though I can use database-filter command but to configure this command on every router is cumbersome. 2nd thought is to implement ISIS with L2 level across the network. I want to understand which is more scalable with the kind of 3750 switches, ISIS with level 2 or OSPF with area zero? Any help is appreciated..

Regards
Vikas Sharma
[c-nsp] kboot image , mboot image and boot image
Hi, Help required to understand the difference between kboot/mboot and boot images...and why Cisco has so many image options?

Regards
Vikas Sharma
[c-nsp] Protocol analyzer to monitor IMA traffic
Hi, Pls let me know - a Protocol analyzer which can capture/decode IMA traffic, multiple E1s (8 port IMA capability), monitor latency and process a dial-in access capability into the test set.

Regards
Vikas Sharma
[c-nsp] BGP open failed...connection refused due to jitter
Hi, While configuring IBGP, I am getting Active state in sh ip bgp summary. Debug of BGP is pasted below.

R7-PE5#debug bgp ipv4 unicast
BGP debugging is on for address family: IPv4 Unicast
R7-PE5#clear ip bgp *
R7-PE5#
*Jul 18 09:09:00.476: BGPNSF state: 192.168.2.254 went from nsf_not_active to nsf_not_active
*Jul 18 09:09:00.476: BGP: 192.168.2.254 went from Active to Idle
*Jul 18 09:09:00.476: BGPNSF state: 192.168.7.254 went from nsf_not_active to nsf_not_active
*Jul 18 09:09:00.476: BGP: 192.168.7.254 went from Active to Idle
*Jul 18 09:09:00.476: BGP: 192.168.2.254 went from Idle to Active
*Jul 18 09:09:00.476: BGP: 192.168.7.254 went from Idle to Active
*Jul 18 09:09:00.480: BGP: 192.168.2.254 open active delayed 27534ms (35000ms max, 28% jitter)
*Jul 18 09:09:00.480: BGP: 192.168.7.254 open active delayed 31092ms (35000ms max, 28% jitter)
*Jul 18 09:09:28.016: BGP: 192.168.2.254 open active, local address 192.168.6.254
*Jul 18 09:09:28.072: BGP: 192.168.2.254 open failed: Connection refused by remote host, open active delayed 28425ms (35000ms max, 28% jitter)
*Jul 18 09:09:31.572: BGP: 192.168.7.254 open active, local address 192.168.6.254
*Jul 18 09:09:31.592: BGP: 192.168.7.254 open failed: Connection refused by remote host, open active delayed 32653ms (35000ms max, 28% jitter)

Can someone pls help me to find out the issue?

Regards
Vikas Sharma
Re: [c-nsp] Prevent traffic originated from the router using access-list
Hi Ozgur, I have tried what you have suggested in lab and found it is difficult to block packets originated from local router using policy-map. Bcos it drops ospf neighborship and still if u give static route, it matched all the condition in class map that also have permit any any (1st is - 10 deny ip host 192.168.3.254 any 2nd is - 20 permit ip any any). What it does is it drops all the packets. Thus I feel only way to do this is local PBR.

Thanks
Vikas Sharma

On 6/27/07, Ozgur Guler [EMAIL PROTECTED] wrote:

You can... http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804559b3.html

On 6/27/07, Jeff Tantsura [EMAIL PROTECTED] wrote:

Bollocks, it does not. You can't set drop action within policy-map framework. I don't need a lab for this. The working config would be:

ip local policy route-map BLAH
route-map BLAH
 match ip address 101
 set interface null0
access-list 101 permit ip host 192.168.5.254 any
access-list 101 deny ip any any

From: Ozgur Guler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 June 2007 14:22
To: [EMAIL PROTECTED]
Cc: Vikas Sharma; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list

It works. Just try it in the lab ...

On 6/27/07, Jeff Tantsura [EMAIL PROTECTED] wrote:

Hi, It's not going to work, you'd only match on transit traffic, in order to match on locally generated traffic you should use local PBR, i.e.:

ip local policy route-map BLAH

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp-[EMAIL PROTECTED]] On Behalf Of Ozgur Guler
Sent: Wednesday, 27 June 2007 13:55
To: Vikas Sharma
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Prevent traffic originated from the router using access-list

You can drop the relevant traffic with a simple policy-map by applying it to an outgoing interface ...

R2#sh policy-map
  Policy Map X
    Class x
      drop
    Class class-default

On 6/27/07, Vikas Sharma [EMAIL PROTECTED] wrote:

Hi, How can I stop traffic originated from local router e.g. from loopback interface of router to go anywhere? I tried with ACL but it permits the traffic as access-list only stop traffic passing through the router not originated from the router.

access-list 101 deny ip host 192.168.5.254 any
access-list 101 permit ip any any
ip access-group 101 out

Using below conf I am able to achieve the objective. In that I have changed the source and destination. That's correct. But I wanted to know can I achieve the same result using source as loopback? Working conf -

access-list 102 deny ip any host 192.168.5.254
access-list 102 permit ip any any
ip access-group 102 in

Thanks
Vikas Sharma
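The distinction this thread turns on, as an added example that is not code from any poster: a simplified model, assuming the behaviour described in the replies, in which an outbound interface ACL is evaluated only for transit packets while `ip local policy` is evaluated only for packets the router itself originates. All Python names, the destination 10.0.0.1 and the second source address are constructed for illustration; the ACL entries mirror the two versions of ACL 101 quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def host(addr: str) -> IPv4Network:
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry, reduced to action + source + destination."""
    permit: bool
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; falling off the end is the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.permit
    return False


# ACL 101 as first tried in the thread, applied with "ip access-group 101 out".
ACL_101_OUT = [Ace(False, host("192.168.5.254"), ANY), Ace(True, ANY, ANY)]
# ACL 101 as referenced by "route-map BLAH" under "ip local policy".
ACL_101_LOCAL = [Ace(True, host("192.168.5.254"), ANY), Ace(False, ANY, ANY)]


def egress(src, dst, originated_locally, out_acl=None, local_policy_acl=None):
    """Return 'sent' or the reason for the drop (simplified model, see lead-in)."""
    if originated_locally:
        # Only the local policy route-map sees router-generated packets.
        # An ACL permit means "route-map matched", which here sets Null0.
        if local_policy_acl is not None and acl_permits(local_policy_acl, src, dst):
            return "dropped: local policy -> Null0"
        return "sent"  # the outbound interface ACL is never consulted
    if out_acl is not None and not acl_permits(out_acl, src, dst):
        return "dropped: outbound ACL"
    return "sent"


def demo():
    """Constructed cases; 10.0.0.1 and 192.168.6.254 are sample addresses."""
    lo, other, dst = "192.168.5.254", "192.168.6.254", "10.0.0.1"
    return {
        "acl out, from loopback": egress(lo, dst, True, out_acl=ACL_101_OUT),
        "acl out, transit same src": egress(lo, dst, False, out_acl=ACL_101_OUT),
        "local pbr, from loopback": egress(lo, dst, True, local_policy_acl=ACL_101_LOCAL),
        "local pbr, other local src": egress(other, dst, True, local_policy_acl=ACL_101_LOCAL),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The second and fourth cases are the checks worth keeping in a lab plan: the outbound ACL still works for transit traffic, and the local policy leaves other router-sourced packets alone because the ACL's deny entry means "do not policy-route", not "drop".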
[c-nsp] DMVPN with OSPF
Hi, Can I configure DMVPN with ospf? Is there any scalability issue with ospf wrt DMVPN? I cannot use EIGRP as I have non-Cisco devices in the network.

Regards
Vikas Sharma
[c-nsp] BGP route filtering
Hi, Pls verify below statement. Is it correct?

One restriction on route maps is that when used for filtering BGP updates rather than when redistributing between protocols, you can NOT filter on the inbound when using a match on the ip address. Filtering on the outbound is OK.

Regards
Vikas Sharma
[c-nsp] wccp support on S4KL3E-12220EWA - Cisco IOS ENHANCED L3 Cat4500 SUP4/5(OSPF, EIGRP, IS-IS)
Hi, Does S4KL3E-12220EWA - Cisco IOS ENHANCED L3 Cat4500 SUP4/5(OSPF,EIGRP,IS-IS) IOS support WCCP functionality? Has anybody implemented the same? I have 4507 switch with the above mentioned IOS. Pls help.

Regards
Vikas Sharma