Re: [c-nsp] Cisco L2TP Failed

2021-09-13 Thread cnsp


Hi,

a) I have hostname/password/authentication on the l2tp-class matching the
central site.

In some IOS versions, the password must not be too long
(initially works fine; after wr and reboot, the cisco7 representation was too
long).

b) Starting with some IOS, I had to add
  ppp direction callout
to the int virtual-ppp X
(and I also have "ppp authentication chap pap callin" on it).

c) License issue (LIC-AIS-800 or so needed)?

d) Why use an 881 when a 1812 with internal power supply performs better?

e) I suggest putting either the DHCP WAN interface or the virtual-ppp
interface into a VRF to make routing easy.


just my $0.01 

Juergen.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] N9K traffic lost when redundant link comes up

2021-03-09 Thread cnsp

Hi, 

I have a pair of N9K-C93180YC-EX running nxos.9.3.1.bin connected with a LACP
port-channel (pair of 100G links).
I have a pair of N9K-C9348GC-FXP running nxos.9.3.5.bin connected with a
(single 100G link) LACP port-channel to only one of the above switches.

I finally got more transceivers to create the missing redundant link(s) to the
other one of the first switches,
in a second LACP port-channel with just one single 100G link.

No multi-chassis LACP here; each device works stand-alone,
spanning tree mode is MST, identically configured everywhere.

Expected behaviour is:
new link gets active, and
if spanning tree finds this new link "lower" it blocks it;
if spanning tree finds it "better" it starts to use it and blocks
somewhere else.

But monitoring was crying, and I found this in the logging:
16:30:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan XXX for 120s due to too many mac moves
16:32:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in vlan XXX

Yes, that was also the duration of the "outage": adding a redundant link leads
to a two-minute outage ☹

Cisco's error-message finder tells me that there is nothing to do ?!?

Case opened, info submitted, but two days (plus weekend) of silence.

Any idea what is happening and how I can avoid it (the fourth link wants to
be plugged in)?

Will that happen when a link fails, STP unblocks another link and therefore the
switch relearns too many MAC addresses too fast,

so I again get 2 minutes "down" instead of just 2..3 seconds?

The ancient C4900M did not show that behaviour...

Any suggestions? 

Thank you for your patience, 

Jürgen. 




[c-nsp] disable or rate-limit icmp-unreachables IOS-XR

2021-01-20 Thread cnsp


Hi, 

when looking at the AMS-IX peering template, I found that generating ICMP
unreachables shall be disabled.

Is that a good idea? Some say it breaks PMTU
(so I am wondering why this was also present in a PPPoE virtual-template
just seen on the list here).

Also, several secure-your-network checklists insist on setting it on at
least all external interfaces.

Or rate-limit:

RP/0/RSP0/CPU0:ASR9901(config)#icmp ipv4 rate-limit unreachable ?
  <1-4294967295>  One ICMP unreachable message in x milliseconds(default is 500ms)
  DF  Fragmentation needed and DF set (code4)
  disable Disable rate limit of ICMP messages
RP/0/RSP0/CPU0:ASR9901(config)#

Is this "per chassis", so it will send a maximum of 2 ICMP unreachable messages
per second?

What is a "good" value to keep things like PMTU working but also keep the device
happy? 10 ms?

Thank you for your help, 

Jürgen. 




Re: [c-nsp] ASR9k RSP440

2020-11-13 Thread cnsp


> > What is everyone's opinion of the 64bit XR?
>
> No particular opinion other than the fact that every new A9K deployment
> here is eXR (64-bit) as new HW doesn't run on 32-bit anymore.
>
> A few things I noted:


> 1b. access to 'admin' CLI context is noticeably slower in eXR, as admin runs in
> different (sysadmin-vm) VM.
> However, recent eXR builds (6.5.1 and newer) appear to have improved
> this quite a bit now, that it's not as bad.

Yes, that is a real GREAT feature:
Docker processes crashing and respawning,
sometimes restarting the "Router" VM, producing outages.

One workaround they gave me after half a year of investigation
exists (until you reboot the box);
an SMU for that exists but will not solve the "real" problem,
they told me.
But installing the SMU creates DOWNtime,
and reading that there will be side-effects and
no real instructions on how to recover from that will prevent me from
trying to patch anything on it.

No real solution for that, while the PC-Linux folks had those problems 5
years ago;
don't know whether fixed or not.

Support cannot give correct working instructions for how to collect
logfiles from those virtual shit
or copy them between them, since one would assume that one can ssh/scp between
them, but something
is not set up the expected way on that expensive piece of junk.

Installing SMUs from 6.5.1 to 6.5.3 took 2 weeks because of WRONG update
instructions
and faulty assistance from TAC.

The docs say that patch-package installation is incompatible with single
SMU installation.

Nothing learned from the people who did engineer real operating systems
and patch/update procedures
(for example SunOS?), but using hobbyist "clash everything together" for
their potential high-end devices.

Hardware for forwarding may be good,
the "IOS-XR" with different syntax may be useful,
marketing slides look great and "ISSU" etc. sound great,

but having >10% downtime and lots of time for debug sessions with TAC
poking in the nebula and not knowing what they do leads to the result that
getting the ASR9901 was a fault.

Just my bad experience, 

Jürgen. 




[c-nsp] Cisco WLAN-Controller SNMP

2020-11-12 Thread cnsp
Hi,
this is a little bit off-topic, but perhaps someone has solved this already:

Regarding Cisco WLAN controllers and CAPWAP access points,
I am seeking the SNMP way to get the "NAT External IP Address"
shown in the CLI output (and also visible in the web interface):

(Cisco Controller) >show ap config general JM-TEST 

Cisco AP Identifier.. 19 
Cisco AP Name JM-TEST 
Country code. DE  - Germany 
[...] 
MAC Address.. 7c:69:f6:04:9a:e2 
IP Address Configuration. DHCP 
IP Address... 192.168.33.169 
IP NetMask... 255.255.255.0 
Gateway IP Addr.. 192.168.33.254 
NAT External IP Address.. 21X.1X6.1X3.1XY:1481 
CAPWAP Path MTU.. 1485 
[...] 

I think it may be in the CISCO-LWAPP-TUNNEL-MIB, but an snmpwalk fails with "index
not increasing",
and many variables are marked "NOT ACCESSIBLE" in the .my file
(and I do not know how to use an unknown octet-string as an index).

Thank you for any ideas, 

Jürgen. 
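
Added example (not from the original post): a helper for the octet-string index question above. It encodes a MacAddress or other OCTET STRING index into OID sub-identifiers as RFC 2578 prescribes and decodes it back, and shows the integer-tuple comparison behind snmpwalk's "index not increasing" error. The column OID is a constructed placeholder, not a real CISCO-LWAPP object; the MAC is the one from the show output.

```python
"""SNMP table-index helpers for OCTET STRING and MacAddress indexes.

Added example, not from the original post. Index encoding follows RFC 2578
section 7.7: a fixed-length string (MacAddress is 6 octets) contributes one
sub-identifier per octet with no length prefix; a variable-length string is
prefixed with its length, unless the MIB marks the index IMPLIED.
"""
from typing import List, Optional, Tuple

# Constructed placeholder column OID; substitute the real column from the MIB.
EXAMPLE_COLUMN_OID = "1.3.6.1.4.1.9.9.9999.1.1.1.1.7"


def encode_octet_string_index(value: bytes, fixed_length: bool = False,
                              implied: bool = False) -> List[int]:
    """Turn an OCTET STRING index value into its OID sub-identifiers."""
    subids = list(value)
    if fixed_length or implied:
        return subids
    return [len(value)] + subids


def decode_octet_string_index(subids: List[int], fixed_length: Optional[int] = None,
                              implied: bool = False) -> Tuple[bytes, List[int]]:
    """Inverse of encode: returns (value, sub-identifiers left over for further
    index components). fixed_length is the octet count of a fixed-size type
    (6 for MacAddress); implied means the string runs to the end of the OID."""
    if implied:
        return bytes(subids), []
    if fixed_length is not None:
        length, rest = fixed_length, subids
    else:
        if not subids:
            raise ValueError("empty OID suffix, no length sub-identifier")
        length, rest = subids[0], subids[1:]
    body = rest[:length]
    if len(body) != length:
        raise ValueError("OID suffix shorter than the declared index length")
    return bytes(body), rest[length:]


def mac_to_subids(mac: str) -> List[int]:
    """'7c:69:f6:04:9a:e2' -> [124, 105, 246, 4, 154, 226] (fixed length, no prefix)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MacAddress index has exactly 6 octets")
    return encode_octet_string_index(octets, fixed_length=True)


def subids_to_mac(subids: List[int]) -> str:
    value, rest = decode_octet_string_index(subids, fixed_length=6)
    if rest:
        raise ValueError("trailing sub-identifiers after the MacAddress index")
    return ":".join(f"{b:02x}" for b in value)


def instance_oid(column_oid: str, index_subids: List[int]) -> str:
    """Full instance OID for an snmpget: column OID followed by the index."""
    return column_oid + "." + ".".join(str(s) for s in index_subids)


def oids_increasing(oids: List[str]) -> bool:
    """The check behind snmpwalk's 'OID not increasing': OIDs compare as integer
    tuples, so ...2.1.10 sorts after ...2.1.2 (a string compare gets that wrong)."""
    as_tuples = [tuple(int(p) for p in o.split(".")) for o in oids]
    return all(a < b for a, b in zip(as_tuples, as_tuples[1:]))


if __name__ == "__main__":
    # MAC address of the AP from the show output above.
    index = mac_to_subids("7c:69:f6:04:9a:e2")
    print(instance_oid(EXAMPLE_COLUMN_OID, index))
```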




Re: [c-nsp] NXOS output numeric

2020-10-09 Thread cnsp
Aloha, 

> Howdy,
>
> I had a quick question regarding NXOS: is there any way to run a command
> and have it output numerically only?

[...]

> It would show a normal, easily parsed number? For instance the number of
> seconds since the last time the link flapped?
>
> If not, are there any helper libraries for Python that you guys have found that
> can handle these sorts of things before I create one?

Why go through the CLI text representation when you can read out the
corresponding SNMP variable/counter?

OK, it would be fun to be able to read that more directly from the embedded
Linux ...

Just my 0.01 $ 

Juergen. 




Re: [c-nsp] Cisco vpdn multihop

2020-10-07 Thread cnsp
> > I am cleaning up a historically grown Cisco LAC/tunnel-switch/LNS setup.
> >
> > Do I need the "vpdn multihop" statement on the final LNS
> > which should only terminate the PPP sessions inside the L2TP tunnels
> > and not forward them based on realm/domain-name/... in my setup?

> Lol, my VPDN skills are, errm, rusty, but I recall the only scenario where you
> would need vpdn multihop on the final LNS is when you run them in a
> MPP/SGBP group to terminate multilink-PPP sessions (in which case the final
> LNS isn't actually final, so this makes perfect sense IMHO)

Just a followup to ack that everything still works after removing
the "vpdn multihop" statement from my final LNSes.

(This was on 7201 and NPE-G2 with 122-33-SREx)

Thank you for your hints, 

Juergen. 




[c-nsp] Cisco vpdn multihop

2020-09-29 Thread cnsp
Hi, 

I am cleaning up a historically grown Cisco LAC/tunnel-switch/LNS setup.

Do I need the "vpdn multihop" statement on the final LNS,
which should only terminate the PPP sessions inside the L2TP tunnels
and not forward them based on realm/domain-name/... in my setup?

One example in Cisco's documentation has it on all three devices
while another has it only on the tunnel switch.

(OK, I could test it at night the hard way)

Thank you for your advice on this, 

Juergen. 





Re: [c-nsp] Mass-renaming interfaces

2020-09-28 Thread cnsp


I would avoid using Gig0/3 and would not bundle it with Gig0/[012].

Gig0/0, 0/1, 0/2 are the Marvell SoC's built-in ports,
while Gig0/3 together with the management "Fas"0/0 are on a separate Intel
Ethernet controller chip
(with gig + (only) fas they try to not oversubscribe the internal PCI bus).

> One of my 7201 routers has four GigabitEthernet interfaces but uses only
> two, one for IP uplink and another as client-side downlink with multiple
> sub-interfaces named like GigabitEthernet0/1.10 (encapsulation dot1Q).
>
> It needs reconfiguration to use 2x1G port-channels. I already did such a
> reconfiguration for the same 7201 router with a small number of sub-interfaces
> and know this is doable, changing sub-interfaces from GigabitEthernet0/1.N
> to Port-channel1.N

Just my 0.01 $ 
Juergen. 




[c-nsp] ASR920 LACP and xconnect

2020-08-21 Thread cnsp
Sorry, I think the behaviour is explainable.
You have (I think, on both sides equivalent config)
two Gig ports bundled with LACP to that port-channel.
For that, the switch speaks link-local packets to the neighbor device.
Now, you build that xconnect and ask it to forward link-local packets to the
remote.
OK, the device does this.
The receiving device does some fancy load balancing and therefore LACP starts to
fail.
Either let the local switch handle the LACP bundle and do not forward the
LACP packets
through that xconnect,
or build _two_ transparent xconnects/E-Line/Epipe services so A-1 sees B-side
1 and A-2 sees B-2
and the LACP packets from A1 and A2 do not all go to B1 or mixed/load-balanced
to B1 and B2 (and vice versa),
and _do_not_ bundle locally.
Just my 0.01 $ 
Mit freundlichen Grüßen 
Kind regards 
Veuillez agréer mes salutations distinguées 
Met vriendelijke groet 
Jürgen Marenda. 
> -----Original Message-----
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of James
> Bensley
> Sent: Friday, 21 August 2020 16:38
> To: Eric Van Tol <e...@atlantech.net>; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASR920 LACP and xconnect
>
> On Thu, 20 Aug 2020 at 19:16, Eric Van Tol <e...@atlantech.net> wrote:
> > Interface configs: 
> > 
> > interface GigabitEthernet0/0/0 
> > mtu 1600 
> > no ip address 
> > load-interval 30 
> > negotiation auto 
> > channel-group 1 mode active 
> > ! 
> > 
> > interface GigabitEthernet0/0/1 
> > mtu 1600 
> > no ip address 
> > load-interval 30 
> > negotiation auto 
> > channel-group 1 mode active 
> > ! 
> > interface Port-channel1 
> > mtu 1600 
> > no ip address 
> > load-interval 30 
> > negotiation auto 
> > no keepalive 
> > service instance 1 ethernet 
> >   encapsulation default 
> >   l2protocol peer lacp 
> >   xconnect x.x.x.x 1234 encapsulation mpls pw-class Raw-Mode-VC5 
> >mtu 1600 
> 
> What happens if you change each interface to be "channel-group 1 mode on" 
> and remove "l2protocol peer lacp" to disable LACP and remove it from the 
> equation? 
> 
> Cheers, 
> James. 


Re: [c-nsp] Devil's Advocate - Segment Routing, Why?

2020-06-20 Thread cnsp


> I've been told Meraki is very nice...  if all you're interested in is "sell to
> Enterprise customers and make lots of cash".

We asked the salesperson whether those Meraki devices can handle IPv6
(as customer traffic) and for the cloudy management access (in an IPv4-free
world),
but they did not know this, told us they would ask, but we did not get any
answer yet ...

Juergen. 




Re: [c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

2020-06-12 Thread cnsp

Thank you for sharing your experience and the concrete example.
Also good to know that I am not the only one trying to filter
upstreams/peerings and of course the customers' traffic.

Sorry for the late "thanks"; I had to collect logs and dumps
from the 9901 ☹ again,
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs53433
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu49346
with, for this list, a trivial configuration.
Worst Cisco experience of the last 10 years.

Mit freundlichen Grüßen 
Kind regards 
Veuillez agréer mes salutations distinguées 
Met vriendelijke groet 

Jürgen Marenda. 




[c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

2020-06-10 Thread cnsp


Hi List, 

I would like to filter the incoming IPv6 traffic from upstream and peering
relatively strongly, like I do for IPv4
(no martian src allowed,
 traffic on the link to upstream/peering allowed,
 my and customers' prefixes allowed as dst).

Having link-local addresses will complicate this,
also the ND etc.
So I came up with a relatively long ACL and big question marks:

1. With classical IOS, "IP" rules include icmp, udp, tcp, ...
   Is this also true on IOS-XR for IPv6?

2. On the Neighbor Discovery etc. stuff, are src and dst always link-local,
or must I explicitly allow the four pairs LL-LL, LL-real, real-LL, real-real?

3. Will that ACL work on the mentioned devices in hardware,
or is it done in software, slowing down everything?

With 1. and 2. I could probably shorten the sketch below
and avoid unspecific icmp "any any" rules.

!== 
ipv6 access-list AL6-FILTER-IN 
! from http://www.bgp4all.com.au/pfs/_media/workshops/12-ipv6-security.pdf 
2000 permit icmpv6 any any echo-reply 
2010 permit icmpv6 any any echo-request 
2020 permit icmpv6 any any 1 3 
2030 permit icmpv6 any any 1 4 
2040 permit icmpv6 any any packet-too-big 
2050 permit icmpv6 any any time-exceeded 
2060 permit icmpv6 any any parameter-problem 
! not accepted 2070 permit icmpv6 any any mld-query 
! not accepted 2080 permit icmpv6 any any mld-reduction 
! not accepted 2090 permit icmpv6 any any mld-report 
2100 permit icmpv6 any any nd-na 
2110 permit icmpv6 any any nd-ns 
2120 permit icmpv6 any any router-solicitation 

!HSRP 2200 permit udp FE80::/16 eq 2029 host FF02::66 eq 2029 

2900 deny icmpv6 any any 
! 
! tmp block bad src 
3000 deny ipv6 2605:9880:300::/48 any 
! 
! transit to upstreams and peering 
6000 permit ipv6 2001:qwer::1234/126 2001:qwer::1234/126 
6020 permit ipv6 2001:789::/64 2001:789::/64 
6030 permit ipv6 2001:asdf:ghjk:uiop::/64 2001:asdf:ghjk:uiop::/64 
! 
!! my and customers ipv6 ranges src 
! wrong direction 
!7000 permit ipv6 2a00::/32 any 
!7100 permit ipv6 2a01:asdf::/32 any 
! 
! my and customers ipv6 ranges dst 
8000 permit ipv6 any 2a00:::/32 
8100 permit ipv6 any 2a01:asdf::/32 
! 
9000 deny ipv6 any any 
! 
!== 

Thank you for suggestions on how to do this "right",

Juergen. 
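
Added example, not from the original post: a small evaluator that parses an ACL of the shape sketched above and shows which entry a sample packet hits, so the effect of ordering (for instance, "deny icmpv6 any any" at 2900 dropping router advertisements before any later "permit ipv6" can match) can be checked before the ACL goes on an interface. It assumes first-match semantics and that a "permit/deny ipv6" entry matches every upper-layer protocol, as on classic IOS; the prefixes are RFC 3849 documentation addresses standing in for the placeholders above.

```python
"""Evaluate an IOS-style ipv6 access-list against sample packets.

Added example, not from the original post. It models first-match semantics and
assumes, as on classic IOS, that a "permit/deny ipv6 ..." entry matches every
upper-layer protocol (question 1 above). Prefixes are RFC 3849 documentation
addresses standing in for the post's placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMPv6 type keywords used in the ACL, mapped to their numeric types.
ICMPV6_TYPES = {
    "echo-request": 128, "echo-reply": 129, "packet-too-big": 2,
    "time-exceeded": 3, "parameter-problem": 4, "router-solicitation": 133,
    "router-advertisement": 134, "nd-ns": 135, "nd-na": 136,
}

# Constructed ACL following the structure of the sketch in the post:
# ICMPv6 needed for the link, a blocked bad source, the transit link prefix,
# my/customer ranges as destination, explicit deny at the end.
ACL_TEXT = """
2000 permit icmpv6 any any echo-reply
2010 permit icmpv6 any any echo-request
2020 permit icmpv6 any any 1 3
2030 permit icmpv6 any any 1 4
2040 permit icmpv6 any any packet-too-big
2050 permit icmpv6 any any time-exceeded
2060 permit icmpv6 any any parameter-problem
2100 permit icmpv6 any any nd-na
2110 permit icmpv6 any any nd-ns
2120 permit icmpv6 any any router-solicitation
2900 deny icmpv6 any any
3000 deny ipv6 2001:db8:bad::/48 any
6000 permit ipv6 2001:db8:1::/64 2001:db8:1::/64
8000 permit ipv6 any 2001:db8:a::/48
9000 deny ipv6 any any
"""

@dataclass
class Rule:
    seq: int
    action: str
    proto: str                              # "ipv6", "icmpv6", "tcp", "udp", ...
    src: Optional[ipaddress.IPv6Network]    # None means "any"
    dst: Optional[ipaddress.IPv6Network]
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def _network(token: str) -> Optional[ipaddress.IPv6Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_acl(text: str) -> List[Rule]:
    """Parse 'seq action proto src dst [icmp-keyword | type [code]]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        rule = Rule(int(tok[0]), tok[1], tok[2], _network(tok[3]), _network(tok[4]))
        rest = tok[5:]
        if rule.proto == "icmpv6" and rest:
            if rest[0] in ICMPV6_TYPES:
                rule.icmp_type = ICMPV6_TYPES[rest[0]]
            else:
                rule.icmp_type = int(rest[0])
                if len(rest) > 1:
                    rule.icmp_code = int(rest[1])
        rules.append(rule)
    return sorted(rules, key=lambda r: r.seq)

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return rule.icmp_code is None or rule.icmp_code == pkt.icmp_code

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """First matching entry wins; no match means the implicit deny."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.seq, rule.action
    return None, "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Neighbor solicitation from a link-local source is permitted by 2110;
    # a router advertisement has no permit and is dropped by 2900.
    print(evaluate(acl, Packet("fe80::1", "ff02::1:ff00:1", "icmpv6", 135, 0)))
    print(evaluate(acl, Packet("fe80::1", "ff02::1", "icmpv6", 134, 0)))
```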




Re: [c-nsp] EVPN/VXLAN on ASR9001 - BGP announcements not working

2020-05-04 Thread cnsp


> On Mon, 4 May 2020 at 12:15,  wrote:
> 
> > Just my 0.01$
> 
> Can I get a refund?

Just come and collect a ningi in my shed on Kakrafoon Kappa,
but beware of the Vogons.

Yes, you'll get a free Pan Galactic Gargle Blaster.

Juergen.



Re: [c-nsp] EVPN/VXLAN on ASR9001 - BGP announcements not working

2020-05-04 Thread cnsp



>[...]
> DC-folks# This STP sucks, let's MC-LAG/VSS everything, ok that sucks let's do
> TRILL et al., that sucked let's do VXLAN, wait, how do we do CP-based mac
> learning? Let's do EVPN VXLAN, Oh has anyone reserved VXLAN header field
> that can be used for micro-segmentation? Tumbleweed ...
> SP-folks# no way we'll have STP to core, let's use VPLS, that sucked let's use
> EVPN/PBB-EVPN..
>
> adam

Today everything must go over HTTPS (like DNS, ...),
but do not forget to use XML to over-bloat everything
and use at least TLS rev. 9.11.

It will be punched into the dollar-note-sized big cards (Hollerith) (80 characters
wide);
fragmentation will be managed by punching a "C" in column 5.

So we will soon see MPLS over HTTPS with fancy XML schemes;
network devices will be CHROMOS browser devices.
Don't think of performance or saleable implementation in hardware;
when that would be ready, the standard has been obsoleted and replaced by

Just my 0.01$ 

Juergen 




[c-nsp] IOS-XR on ASR9[09]001 ip local policy route-map equivalent

2019-12-30 Thread cnsp
Hi, 

is there an equivalent to IOS "ip local policy route-map ..." on IOS-XR?

I tried hard to g00gle it but did not get useful results;
my search-term formulator nose has a cold.

Mit freundlichen Grüßen 
Kind regards 
Veuillez agréer mes salutations distinguées 
Met vriendelijke groet 

Jürgen Marenda. 

BTW, happy new year etc. 




[c-nsp] new ASR9901 ios update / full

2019-11-04 Thread cnsp
> So I did continue and now it is 99-100% full; "install add source ..."
> works but "install activate ..." aborts.
>
> I do not have "userfiles" on it; I did put the ios, tar, SMUs onto "harddisk:".
> I did not find any hint on how to make space there; I tried
>
> "clear configuration commits oldest 100"
> "install remove inactive all synchronous"
>
> But this did not help.

What helped was

# install deactivate superseded sync
# install commit sync

I found that in an older IOS-XR documentation, not in the current one.

When installing SMUs in release-date order,
 asr9k-x64-6.5.3.CSCvn74595.tar
results in ssh not working;
going back removes my three ssh config lines
(good to have the serial CON to enter them again).

After installing all the other SMUs I tried again,
and this time I had no problems.

In the corresponding Readme some dependencies are mentioned,
but I was unable to locate them by their name/number.

And after all was over,
I did again
# install deactivate superseded sync
# install commit sync

plus

# install remove inactive all sync
# install commit sync

"run df -k" shows root at 77%.

So I am now through with this;
I am some decades older, my hair went gray.

Probably tomorrow a big bug will be found so another IOS-XR version is the new
"recommended" ☹

BTW, TAC was no help on this.

Thank you for your kind help,

Jürgen Marenda.



Re: [c-nsp] new ASR9901 ios update problem

2019-11-02 Thread cnsp
Thanks for the flowers, Aaron!

Now I got stuck in those patches called SMU.

Not only is the mentioned time consumption (each reload takes 15..20 minutes)
boring,
but after installing most of the SMUs, with only 5..7 remaining from the bunch of
80+-5 SMUs,
the X device tells me on its console port that the root filesystem is over
80% or more full.

LC/0/0/CPU0:Nov  2 12:47:56.505 CET: resmon[290]: %HA-HA_WD-3-DISK_ALARM_ALERT : A monitored device / ( rootfs:/ ) is above 80% utilization. Current utilization = 80. Please remove unwanted user files and configuration rollback points.

Googling for this I found

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xr-software/116332-maintain-ios-xr-smu-00.html
[...]
Bootflash is above 80% utilization

The following message may appear after SMU installation.
RP/0/RSP0/CPU0:Jul  9 17:40:37.959 : wdsysmon[447]: %HA-HA_WD-4-DISK_WARN : A monitored device /bootflash: is above 80% utilization. Current utilization = 89.  Please remove unwanted user files and configuration rollback points.
This message can be safely ignored.
As per design it is expected that IOS-XR will keep up to two MBIs on the
bootflash following SMU install(s). At subsequent SMU install(s), if the
bootflash space required by the new package(s) is not available, IOS-XR will
clean up automatically old MBIs to make space for the new MBI package.
[...]

So I did continue and now it is 99-100% full; "install add source ..."
works but "install activate ..." aborts.

I do not have "userfiles" on it; I did put the ios, tar, SMUs onto "harddisk:".
I did not find any hint on how to make space there;
I tried

"clear configuration commits oldest 100"

"install remove inactive all synchronous"

But this did not help.

#show install log 250 detail
Sat Nov  2 12:56:50.744 CET
Nov 02 09:56:57 Install operation 250 started by jm:
  install activate id 249
Nov 02 09:56:57 Package list:
Nov 02 09:56:57 asr9k-mgbl-x64-2.0.0.4-r653.CSCvr46090.x86_64
Nov 02 09:57:01 Action 1: install prepare action started
Nov 02 09:57:03 Install operation will continue in the background
Nov 02 09:57:03 The prepared software is set to be activated with process restart
Nov 02 09:57:47 Start preparing software for local installation
Nov 02 09:57:59 Action 1: install prepare action completed successfully
Nov 02 09:58:00 Action 2: install activate action started
Nov 02 09:58:00 The software will be activated with process restart
Nov 02 09:58:01 Activating XR packages
Nov 02 09:59:12 Node 0/RSP0/CPU0 encountered error(s) during operation. Please check 'show install log 250 detail' for error details
Nov 02 09:59:12

Error stack for location 0/RSP0/CPU0

1# Available disk space(including additional buffer 104857600) 215699456 is not sufficient for rpm installation of archive size 110199132
2# failed to load files from ldpath (new)

Please collect 'show tech-support install one-showtech' from XR and 'show tech-support ctrace' from Admin and pass this information to your TAC representative for support.


Nov 02 09:59:12 Agent on the lead has err'ed during SWC_BEGIN Aborting the operation
Nov 02 09:59:12 Action 2: install activate action aborted
Nov 02 10:00:21 Install operation 250 aborted
Nov 02 10:00:21 Ending operation 250

I submitted the output from 'show tech-support install one-showtech' to my TAC
case,
but I have not found out how to move the "admin 'show tech-support ctrace'"
output
out of the box. Looks like admin-harddisk: is not the same as harddisk:,
and also admin copy does not know ftp as destination (and I believe it will not
work
with my mgmt-vrf; the IP information is a strange 192.168.0.4, not my mgmt IP).
Very very strange ☹

BTW, when I was at the approx. 80% SMU installation point,
I got the hint from TAC that I can untar the SMUs
and bundle them (without the .txt files) in one tape archive to get them
installed faster.
Way too late after 3 days of work.

Looks like the documentation on how to upgrade the box has never been tested
(and in/output captured),
and also, no one had ever tried to add all recommended patches.

Any idea on what is blocking space on / and can be removed?

Repartition and install from scratch?
RMA it and get a refurbished device with scratches
instead of this expensive brand new garbage?


I am also a little bit afraid of using such a thing for production.
I thought version 6.5 would be mature and procedures well documented,
and the TAC people could give me concrete answers, not generic blarney.

->sigh<-

Jürgen Marenda.

> -----Original Message-----
> From: Aaron Gould
> Btw, good job, and thanks Jürgen for the informative and detailed instruction
> on XR upgrade.
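
Added example, not from the post: a parser for the 'show install log N detail' output above that pulls out the operation id, the echoed command, the package list, the per-node error stack and the three disk-space numbers, so a script driving a long SMU batch can stop at the first aborted operation instead of pushing on. The sample log is the one from the post with e-mail line wrapping undone and a few informational lines dropped.

```python
"""Parse 'show install log N detail' output from 64-bit IOS-XR.

Added example, not from the original post. The sample below is the failed
operation shown above, with e-mail line wrapping undone and some informational
lines dropped; nothing else is changed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
Sat Nov  2 12:56:50.744 CET
Nov 02 09:56:57 Install operation 250 started by jm:
  install activate id 249
Nov 02 09:56:57 Package list:
Nov 02 09:56:57 asr9k-mgbl-x64-2.0.0.4-r653.CSCvr46090.x86_64
Nov 02 09:57:01 Action 1: install prepare action started
Nov 02 09:57:59 Action 1: install prepare action completed successfully
Nov 02 09:58:00 Action 2: install activate action started
Nov 02 09:59:12 Node 0/RSP0/CPU0 encountered error(s) during operation. Please check 'show install log 250 detail' for error details
Nov 02 09:59:12

Error stack for location 0/RSP0/CPU0

1# Available disk space(including additional buffer 104857600) 215699456 is not sufficient for rpm installation of archive size 110199132
2# failed to load files from ldpath (new)

Nov 02 09:59:12 Agent on the lead has err'ed during SWC_BEGIN Aborting the operation
Nov 02 09:59:12 Action 2: install activate action aborted
Nov 02 10:00:21 Install operation 250 aborted
Nov 02 10:00:21 Ending operation 250
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ?(.*)$")
OP_START = re.compile(r"^Install operation (\d+) started by (\S+):")
OP_END = re.compile(r"^Install operation (\d+) (finished successfully|aborted)$")
ERROR_LINE = re.compile(r"^\d+# (.*)$")
DISK_ERROR = re.compile(r"including additional buffer (\d+)\) (\d+) is not "
                        r"sufficient for rpm installation of archive size (\d+)")

@dataclass
class InstallOp:
    op_id: int
    user: str
    command: str = ""
    packages: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    result: str = "unknown"
    disk: Optional[Tuple[int, int, int]] = None   # (buffer, available, archive)

def parse_install_log(text: str) -> List[InstallOp]:
    """Split the log into operations; each keeps its packages, errors and result."""
    ops: List[InstallOp] = []
    cur: Optional[InstallOp] = None
    state = None                      # None, "command" or "packages"
    for raw in text.splitlines():
        m = TIMESTAMP.match(raw)
        body = m.group(1).strip() if m else raw.strip()
        if m:
            start = OP_START.match(body)
            if start:
                cur = InstallOp(int(start.group(1)), start.group(2))
                ops.append(cur)
                state = "command"       # the echoed command follows, untimestamped
                continue
            if cur is None:
                continue
            end = OP_END.match(body)
            if end and int(end.group(1)) == cur.op_id:
                cur.result = end.group(2)
            elif body == "Package list:":
                state = "packages"
                continue
            elif state == "packages" and not body.startswith("Action"):
                cur.packages.append(body)
                continue
            elif body.startswith("Action"):
                cur.actions.append(body)
            state = None
            continue
        # Untimestamped lines carry the echoed command and the error stack.
        if cur is None or not body:
            continue
        if state == "command":
            cur.command = body
            state = None
            continue
        err = ERROR_LINE.match(body)
        if err:
            cur.errors.append(err.group(1))
            disk = DISK_ERROR.search(body)
            if disk:
                cur.disk = tuple(int(n) for n in disk.groups())
    return ops

def aborted_for_disk_space(ops: List[InstallOp]) -> List[int]:
    """Operation ids that aborted with the 'not sufficient' disk-space error."""
    return [op.op_id for op in ops if op.result == "aborted" and op.disk is not None]
```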


Re: [c-nsp] new ASR9901 ios update problem

2019-10-26 Thread cnsp


Hi, I got some help from TAC on this,
so I managed the upgrade (but the patches, "SMU"s, are still waiting).

Here is a (not really) short summary of the steps I did
(maybe that's not the optimal/fastest procedure):

1. I have working serial console access (115200-8N1)

2. I have an account "jm" with the same rights as "admin",
   so I must not type "admin" in front of each command, I believe

3. the first Management-Ethernet "MgmtEth0/RSP0/CPU0/0"
   is in vrf mgmt with ip 10.10.50.22 /24

4. my ftp/tftp/... server is on the same (v)lan and has the ip 10.10.50.84,
   so direct connection and no router/NAT/... in the way

5. username:password for ftp used in this text is cisco:ciscopass

6. I did steps 1, 3
   and skipped step 2
   from the PDF ASR9K_IOS-XR-64-bit_Upgrade_MOP_6.5.3.pdf
   found in ASR9K-x64-docs-6.5.3.tar,
   since I upgrade only from 6.5.2 to 6.5.3
   where no "bridge" package installation is necessary

   (in that tarball are not the Linux manpages for the box)

7. I put the files
   asr9k-mini-x64-6.5.3.iso
   ASR9K-x64-iosxr-px-k9-6.5.3.tar
   onto the ftp server in directory ASR9901/6.5.3/
   (relative to user cisco's base directory)

8. I put the "x64" and "sysadmin" SMUs
   onto the ftp server in directory ASR9901/6.5.3/smu/

9. Trying method "4.2" from the PDF above,
   "install" does not know the command "upgrade" or "update".

   When entering "run" or "admin" "run", the install command
   has "update" "upgrade" options but does not know how to ftp out;
   due to unknown syntax I could not find out how to use a vrf.

   Also setting ftp source-interface etc. in the config did not help.

   Doing ifconfig does not show my Management-Ethernet
   but some strange internal vlans...

10. Trying method "4.1".

10.1. making directories on the "harddisk:"

  mkdir harddisk:/sw
  mkdir harddisk:/sw/6.5.3
  mkdir harddisk:/sw/6.5.3/smu
  cd harddisk:/sw/6.5.3

10.2. copying files from the ftp server

  copy ftp://cisco:ciscopass@10.10.50.84;mgmt/ASR9901/6.5.3/asr9k-mini-x64-6.5.3.iso harddisk:/sw/6.5.3/

  copy ftp://cisco:ciscopass@10.10.50.84;mgmt/ASR9901/6.5.3/ASR9K-x64-iosxr-px-k9-6.5.3.tar harddisk:/sw/6.5.3/

10.3. install add source harddisk:/sw/6.5.3/ asr9k-mini-x64-6.5.3.iso
  (note the required space between ...6.5.3/ and asr9...)

  ...Install operation 13 finished successfully

10.4. install add source harddisk:/sw/6.5.3/ ASR9K-x64-iosxr-px-k9-6.5.3.tar
  (note the required space between ...6.5.3/ and ASR9...)

  ...Install operation 14 finished successfully

10.5. install prepare id 13 14

 Both install operation numbers from above together

 show install request
 show install log 15 detail

fast going to 40%, then long waiting (15 minutes)

... Install operation 15 finished successfully

10.6. install activate

...  Action 1: install activate action completed successfully
 Action 1: install activate action completed successfully
 Install operation 16 finished successfully
 Ending operation 16

10.7. machine boots automatically

  and after around 15 minutes, all the interfaces are there again.

10.8. login (if not done)

10.9. install commit

  ... Install operation 18 finished successfully

10.10. again doing Part 2 of the upgrade PDF

10.11. install remove inactive all

10.12. and a final reload

That was it.

==

Now I need a nice way to get the SMUs installed without headache.

BTW, the "px" are for the 32-bit (for example) ASR9001 devices, "classic XR"
"cXR";
the "x64" and the "sysadmin" are for the 64-bit (for example) ASR9901 devices,
"enhanced XR" "eXR", so I was told in my TAC case.

I wonder why I find them all mixed up when I first select the one or other
in the Cisco support download section.

==

The missing output of my mgmt-vrf in IOS-XR 6.5.2
when I was typing "show vrf all"
was a bug, disappearing after the upgrade to 6.5.3.

==


Jürgen Marenda.



[c-nsp] new ASR9901 ios update problem

2019-10-23 Thread cnsp


Hi,

the ASR9k series is quite new for me, so sorry for asking silly beginner's
questions.

I found a box with an ASR9901 in my office.
It is loaded with IOS-XR x64 6.5.2.
Cisco download recommends 6.5.3,
so I downloaded those several GBytes.

(or should I use 6.6.x ?)

I was seeking instructions on how to do the update,
and found a pdf on this subject in the ...docs..tarball.

Fine, I thought.

The ASR9901 is currently connected with the first mgmt-ethernet
to my mgmt-vlan where I have a tftp/ftp/syslog/... server.
As always, that interface is in its own VRF.

Also I can connect to the CON port from a serial-line terminal server.

First "problem": "show vrf ?" or "show vrf all" does not show it
(while my older ASR9001 currently running 6.1.4 code does).

Second "problem": how to formulate the URLs with VRF?
I have tried ftp://user:pass@10.11.12.13;mgmt/rhabarbar/6-5-3/
but this seems to not work (for example to save the running config to the ftp
server).

I went through the instructions on how to upgrade.

In Method 4.1, the "classical" way, I need the "iso" but cannot find what to do
with it.

So I tried to use Method 4.2 "install upgrade",
put the files into my ftp server,
and found that "install" does not have the option update or upgrade,
so I cannot do this.

(also, in the screenshots of that update document,
 the output refers to a 6.3.3 iso file; I don't want to mix things)

I have an open TAC case on that,
but did not hear anything from them for the last 50 hours.
Since the machine is not doing real work,
what is the fool-safe way for upgrading it?

Pre-final question is regarding the patches called "SMU".
There seem to be three sorts of it:
"x64" "px" and "sysadmin" .
"x64" is good for the 9901, "px" for the 9001 (32bit) and "sysadmin" for
both ?

Method 4.2 tells me to put (all?) the SMUs into the same
directory as the .iso and an unpacked tar file.
Is that ok? I saw some slides on it, and that looked like I should
sort this into some kind of directory structure, which was not clearly
defined.

Can the installation of the SMUs be done later,
will the device find out by itself in which order
to install them?

Last question is whether I should update the older asr9001
also to 6.5.3 to have bugs^Wfeatures in sync?

( _must_ they have call-home/smart-licensing/ enabled ?)

Sorry again for beginners' questions,
now everyone knows that I'm too stupid for those devices.

Thank you for your patience reading this and your kind help

Jürgen Marenda.





Re: [c-nsp] Has there been a Cisco network device with GE management port while other ports are FE or lower?

2018-10-25 Thread cnsp



> > Also - the only other place you might see it is on a 8xx series
> router.
>
> Yes, for example in Cisco 891, which has a 1GigE WAN port:
> https://i.ebayimg.com/images/i/112239287188-0-1/s-l1000.jpg
>
>
> In summary, if GigabitEthernet0 is not the only GigabitEthernet port,
> then it is definitely a management Ethernet interface. If
> GigabitEthernet0 is the only GigabitEthernet port, then it is
> impossible to say, if it is a management port(for example, CSR running
> IOS XE 3.10S or ASR with slower/non-ethernet line cards) or
> non-management port(for example, some Cisco 800 series models)?

No.
Again, here comes the famous 800 Series:
C891F and C89[67]VA have an 8-port Gigabit Ethernet switch (no longer the FE
switch from the not so famous 89[12]), one GE WAN port (combo) and one FE
WAN port.
Gig0 is here one of the embedded switch ports, while the WAN port is Gig8.
There is no special (feature-poorer) "Management" port where variously named
(not changeable) VRFs are hardcoded.

Juergen.






[c-nsp] ASR920 l2cp over mpls xconnect

2018-07-27 Thread cnsp


Hi,

I got two ethernet links,
- one between ME-3800s and
- one between ME-3800 and ASR920.
They have been created using MPLS xconnects.

Connecting my own "CE2.0" CPEs,
- on the first link, my OAMs find their way, everything OK.
- On the circuit with the asr920, the OAMs don't come out on the other end,
  so my NNI ports are marked "down".
  (disabling OAM, LLDP neighborhood comes up, my inband-mgmt is working, ...)

I do not have access to those devices from our carrier,
and have not got the exact model and IOS version.
Is there anything special to configure?
Something like "l2cp tunnel all"?

(I found "transparent-cfm" but this is in the context of
CarrierEthernetConfig and not MPLS.)

I hope that STP BPDUs will be transported (in both directions) over that
xconnect.

Thank you for any ideas,

Juergen.








Re: [c-nsp] DHCP server

2018-06-16 Thread cnsp
How many physical interfaces/ports?

A c891f could be sufficient...

Jürgen.
-Original Message-
Dear experts,
a customer of mine has an old C7200 acting as DHCP server and wants to
replace it with an IOS device in order to port the configuration 1:1.

He asked for a solution which is not so expensive; I'm thinking of ASR1k or
CAT9k, do you have any other suggestion?



Re: [c-nsp] NPE-G1s don't want to talk to each other over copper?

2014-03-20 Thread cnsp
 802.3-2008 40.4.4 says:
 
  Implementation of an automatic MDI/MDI-X configuration is optional
 for 1000BASE-T devices.

Just downloaded 802.3-2012 from the IEEE.
In Section 3, 40.8.2 (p. 269) explains it, or tries to.
There is also the pinout for the two variants (incompatible with 10/100BASE-T
crossover).

So iff you want to have autoneg OFF, you must use
the correct wiring: switch MDI-X, device MDI;
if both are the same you must make use of the magic 1000BASE-T crossover
cable
at the farthest possible end (so at the end device, not on the switch,
not between any patch panels on the way).

If you have autoneg ON, the pairs will be matched,
so normally, you can use simple straight patch cords.


Hey, tomorrow I will call my local dealer for a Gigabit crossover cable.
I need a 5 feet 1000BASE-T crossover cable Class D (for you: CAT5)
 according to IEEE Std 802.3-2012 Section Three.
He will think I went mad.
Or he will tell me: Well, that's a relatively new version of the standard,
so those cables are quite expensive, we do not have many in stock here, oops,
currently sold out.

Juergen.




Re: [c-nsp] PPPoE Session

2014-02-02 Thread cnsp

 Hi all
 Can I control the session timeout via CLI ? i.e. I want each
 PPPoE session to be disconnected automatically after for example 24
 hours?

Yes We Can:
!
int dialer 3
! ...
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 dialer idle-timeout 0
 dialer persistent
 no cdp enable
 keepalive 30
 ppp authentication chap ...
 ppp chap ...
! ...
! 
 timeout absolute 1400 0
!
!


On the central side,
you can put it into an interface virtual-template
or set it through AAA (radiator can calculate the value
to fix the automatic disconnection to a given time).

Hope this helps,

Juergen.




Re: [c-nsp] PPPoE Session

2014-02-02 Thread cnsp
 

Thanks for the reply

U mean the timeout absolute 1400 0 , for example for 24 hours it should be
1440 ?

 

Yes, you got it :-)

It is timeout absolute minutes seconds,

1 day = 24 hours = 24*60 = 1440 minutes plus 0 seconds.

 



Re: [c-nsp] Transparent WAN Encryption

2014-02-02 Thread cnsp
Many of those devices do think that the WAN Ethernet is
bit-transparent, not packet-oriented, unlimited MTU...

In reality, those Ethernet links are MTU-limited, often with an
Ethernet MTU
of just 1500 or sometimes plus 1 or 2 VLAN tags. Full stop.
No space for additional information, encryption header, etc.

Or for jumbo frames found in iSCSI etc. applications.

BUT you need your Ethernet crypto device to solve this,
so when my switches on both ends have an MTU of 9216 bytes
I would like the crypto device to transport this even over the
Ethernet link with an MTU of 1371.

Very few of the products solve that,
so take care in selecting your product;
simple products think that you own a dark fibre
where they can do anything,
but in reality, you just have a packet-switched link
with singlemode fibres on both ends.

 I'm looking for the simplest way to do it. Most customers have L2
 connections between Data Centers. The edge device controlled by the
 customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN,
 FlexVPN, an so on, need a router in the edge. This implies modification
 of the customer's topologies. L2 encryption seems the perfect solution
 and it seems there are several options on the market.

You can use Cisco routers to build an encrypting,
transparent Ethernet link, bridging every packet including STP, CDP, LLDP ...
Needs some CPU on the router, that sets the limits,
but this works well, even with limited links.

 Regards,
 
 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net
 
 
 
 -Original Message-
 From: Jeff Orr [mailto:j...@communicorr.com]
 Sent: Sunday, 2 February 2014 17:25
 To: Antonio Soares
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Transparent WAN Encryption
 
 If you are using a private MPLS (I.e. Not over Internet) & have Cisco
 CE routers consider GETVPN.
 
 For the reasons you mentioned, we as a customer went this direction.
 We needed to ensure our WAN (150 sites/multiple data centers) traveling
 across a variety of links/providers including DS1/DS3/Metro-e is
 secure.
 
 It has really scaled & worked well. GETVPN is VRF aware & can function
 on the PE side as well.
 
 -jeff
 
 Sent from my AT&T iPhone
 
  On Feb 1, 2014, at 9:16 PM, Antonio Soares amsoa...@netcabo.pt
 wrote:
 
  Hello group,
 
  Service Provider WAN links are not secure anymore and I have more and
  more enterprise customer asking transparent WAN encryption solutions.
  I came across these two products:
 
  EncryptTight:
 
  http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119
 
  TrustNet:
 
  http://www.certesnetworks.com/securitysolutions/wan-encryption.html
 
  Anyone has experience with these products ? This seems the ideal
 solution.
  The networks remain exactly the same as they were, we simply add
 these
  devices to do their job.
 
  Thanks.
 
  Regards,
 
  Antonio Soares, CCIE #18473 (RS/SP)
  amsoa...@netcabo.pt
 
  http://www.ccie18473.net http://www.ccie18473.net/
 
 


[c-nsp] how to overwrite L2TP multihop NAS-IP-Address

2013-12-16 Thread cnsp
Hi,

On an L2TP multihop broadband dial-in environment,
I would like to overwrite the NAS-IP-Address (attribute 4),
tunneled somehow inside L2TP from the carrier's first
broadband router, showing up in my LNSes' RADIUS requests,
to reflect _my_ border gateway, not _theirs_.

I found a way to override it in the locally generated
RADIUS requests, but this does not change anything
on the next LNS; there I can see again the original value.

Currently working with NPE-G1/G2 with 12.2(33)SRE5.

Any ideas/suggestions?

Juergen.






Re: [c-nsp] cheap core switch for a hacker space (nonprofit association)

2013-12-10 Thread cnsp
The generated hot air is good for
drying the laundry in my cellar.

I was first unsure whether the air humidity would harm,
but my home servers still survive.

The depth of my rack is ok (HP/Compaq)
but it was hard to find one less than 1,8 m.

Boing... Ouch, my head... always duck when going through doors.

Just my 0.01$
Juergen.

 On 10.12.2013 at 21:19, Markus H hauschild.mar...@gmail.com wrote:
  I have found a Cisco Catalyst 4948-S to be less expensive on ebay
 than
  two
  3750G-24 (and both options are far cheaper than any Juniper EX on
 ebay).
 [...]
 One drawback - this thing is huge ;-) You will need 60cm or something
 deep of rackspace. Not a problem in a commercial environment with racks
 but could be a limiting factor in a private setup. More than twice as
 big as a 29xx or 37xx ...





Re: [c-nsp] Third party transceivers that fail only with new, NX-OS 6.2.2a on sup-2E

2013-11-20 Thread cnsp
Things will get worse if they start to solder
crypto processors with mask-programmed, vendor-signed certificates
into the GBIC/SFP/... instead of the serial EEPROM.

Also the real-time clock helps to limit the lifetime of
devices to just a little longer than warranty time.

show transceiver lifetime remaining
show transceiver certificate path

(for those on H3C Comware: display transceiver ...)

Just my 0.01 $,

Juergen.

 On 11/19/2013 11:57 PM, Jared Mauch wrote:
 +1 to that.  We recently ran across some 3rd-party CODED DOM-
 supporting
 optics that have worked (thus far) in both Ciscos and Brocades.  When
 you can issue a show int trans and get results from 3rd-parties
 while
 Ciscos remain silent, it speaks volumes :)
 
 Exactly,
 We use a local vendor and have a guy there who can code just about
 anything into the firmware for us so we never have problems with
 unsupported transceivers and the show int trans or sh controller
 pops out a plethora of useful information; we use XFP, SFP+ and SFP in
 different platforms with no issues whatsoever.
 And the prices are just incomparable to Cisco prices.
 
 adam



Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-12 Thread cnsp
  As someone else had suggested, the NPE-G2 is good too, but if you
 need
  to support more PA's (especially non-Ethernet, which tax the fabric
  less), it's not that scalable.
 
 I meant the 7201, of course (which is, essentially, an NPE-
 G2 with an extra Gig-E port).
 
 Mark.

But that extra Gig port is shared hardware with the FAS management port
(which could be Gig...); it's another chipset than the other three
CPU?-ports,
and it's not performing very well :-(

just my 0.01$,

Juergen





Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-12 Thread cnsp

That is good news,
since 720x seem to be EOL etc.

So with supported hardware for the next years,
the replacement for the 7206VXR/NPE400 G1 G2 or 7201 7301
may be either ASR or 3925E.

But what happens with traffic which needs to be fragmented?
How do the 29xx 39xx perform?

From the 870's I know that I get just 3.x Mbit/s traffic through
if I use l2tpv3 with ipsec
and every WAN packet needs to be fragmented with the l2tp and ipsec
overhead
(CPU load is then 100%)

The 892 is at 8.3 Mbit/s LAN and 10 Mbit/s WAN (l2tpv3 over ipsec)
at 34 % CPU so I think it can handle 25 Mbit/s for this scenario.

How do the 29xx/39xx behave?

 we just this year went through similar migrations - we had 2 7206 w/npe
 G2.  BGP 400K routes replaced them with 3925s - which seemed overkill
 at the time - still is.
 
 Internally as we are moving 10M to 1G circuits to new gear we are going
 with 29xx and 4451s at the core ( we thought about the ASR and like its
 performance, the 4451 emulates the ASR chip but the 4451 seems to be
 more flexible in terms of features.
 
 We hooked up two 2921s back to back and did some iperf/ftp traffic flows
 with NAT and got well over 500Mb through it .
 Your mileage of course will vary .. NAT, QOS, IPSEC, 




Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-11 Thread cnsp
Hi,

I would tend to use the compact two-power-supply 7201
instead of putting an (equally expensive) NPE-G2 into an old
chassis, but isn't all that hardware EOL?

NPE-G1 _was_ fine until they started to die one by one
out of the blue.

Had seen a 2821 with just 3 BGP sessions, everything very slow;
3825/45 are much faster,
so with current (lower-cost) Cisco routers
I think a 3925 would perform much better than a 2921 and be worth it
(but currently not tested myself).
Hmm, looking at the datashit, the 3925-E would be the choice.

While marketing material says ISR-2 29xx WAN up to 75 MBps,
they write for the ISR-2 39xx WAN up to 350 MBps.
So the choice will be clear on the 39xx side,
even if no fancy-advanced-firewall-filter-whatever-else features are used.


OK, a much better fitting replacement for 7206VXR is the ASR1002-X ...


Just my 0.01 $,

Juergen.

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Adam Greene
 Sent: Monday, 11 November 2013 19:42
 To: 'Scott Granados'
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400
 
 Well, the 7206VXR rebooted unexpectedly a few days ago, with a System
 returned to ROM by error - an Error Interrupt which usually implies a
 hardware issue of some kind. I reseated all components and removed
 unused cards to minimize issues, but the thought did cross my mind to
 avoid the complications of troubleshooting 10yr+ old hardware and
 replacing components with used parts, by going with something brand
 spanking new.
 
 -Original Message-
 From: Scott Granados [mailto:sc...@granados-llc.net]
 Sent: Monday, November 11, 2013 12:32 PM
 To: Adam Greene
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400
 
 Why not an NPE G1 or G2 for the same 7206?
 
 On Nov 11, 2013, at 11:27 AM, Adam Greene maill...@webjogger.net
 wrote:
 
  Hi guys.
 
  We're considering replacing our 7206VXR/NPE-400 (512MB RAM) with some
  newer hardware.
 
  We take a single full routing table, have (1) OSPF and (4) BGP peers,
  and currently push about 70M aggregate.
 
  We're considering a 2921 because it has 1GB RAM and can do 480k PPS /
  245M throughput compared with the NPE-400's 420k PPS / 215M.
 
  What I'm not clear on is CPU speed. The NPE-400 looks like it's a
  300MHz processor. Does someone know how fast the 2921's CPU is?
 
  Thanks,
 
  Adam




Re: [c-nsp] ip tcp adjust-mss

2013-11-04 Thread cnsp
Hi, this looks like a CPE device
with static IP addresses and routing.

You may really want to set ip tcp adjust-mss 1280
on _both_ your WAN and your (probably NATted) LAN (L3) interfaces.
(_both_ sides, yes!)

This will help you in most cases with
MTU restrictions on
- your link
- home webservers behind broadband links
etc.

Yes, the value is not optimized but very computerish ( 2**10 + 2**8 ),
but it is good for
- pppoe (1500-8=1492)
- l2tp forwarded dial-in sessions (l2tp overhead+pppoe leads to 1456)
- even with an additional vlan tag (so MTU will be 1452, found in most
literature)
- some other tunneled environments

Iff you are an ISP,
you will configure this _only_ on the virtual-template interfaces
on your LNSes for broadband termination.

Keep it out of your core;
you will not want to modify your valued customers' IP packets
in your core network; here you want to use an MTU greater than 1500
while your BGP up/downstreams will stay at the Ethernet default of 1500.

Sorry, very conservative, but will avoid many problems.

Just my 0.01 $ on this

Juergen.

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Methsri Wickramarathna
 Sent: Monday, 4 November 2013 17:55
 To: Pete Lumbis
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] ip tcp adjust-mss
 
 Thanks Pete,
 
 If not a problem can any one look in to following mturoute taken ??? :)
 
 E:\mturoute -t www.ubnt.com
 mturoute to www.ubnt.com, 30 hops max, variable sized packets
 * ICMP Fragmentation is not permitted. *
 * Speed optimization is enabled. *
 * Maximum payload is 1 bytes. *
  1  +-  host: 116.12.78.1  max: 1500 bytes
[...]


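As an added example (not from the post), a small Python calculator that derives the MTU figures quoted above from a per-encapsulation overhead table and checks whether a chosen ip tcp adjust-mss value leaves room in every scenario; the overhead values are assumptions picked to reproduce the post's numbers, and the IPv6 column goes beyond the post.

```python
# Per-encapsulation overhead in bytes. Constructed table: the values are
# chosen to match the numbers in the post (PPPoE 8, L2TP-over-UDP/IPv4 36,
# one 802.1Q tag 4); GRE is an extra assumption.
OVERHEAD = {
    "vlan": 4,    # one 802.1Q tag
    "pppoe": 8,   # PPPoE header (6) + PPP protocol field (2): 1500 - 8 = 1492
    "l2tp": 36,   # outer IPv4 (20) + UDP (8) + L2TPv2 header as counted here (8)
    "gre": 24,    # outer IPv4 (20) + GRE header without key/sequence (4)
}
TCP_IPV4_HEADERS = 40  # IPv4 20 + TCP 20, no options
TCP_IPV6_HEADERS = 60  # IPv6 40 + TCP 20, no options


def effective_mtu(base_mtu: int, encaps: list[str]) -> int:
    """MTU left for the inner IP packet after stacking the given encapsulations."""
    mtu = base_mtu
    for layer in encaps:
        mtu -= OVERHEAD[layer]  # an unknown layer name raises KeyError on purpose
    return mtu


def max_mss(mtu: int, ipv6: bool = False) -> int:
    """Largest TCP MSS whose segment still fits unfragmented into the given MTU."""
    return mtu - (TCP_IPV6_HEADERS if ipv6 else TCP_IPV4_HEADERS)


def check_adjust_mss(mss: int, scenarios: dict[str, list[str]],
                     base_mtu: int = 1500) -> dict[str, dict]:
    """For each scenario report the effective MTU, the largest safe IPv4 MSS,
    and whether the configured adjust-mss value is small enough for IPv4/IPv6."""
    report = {}
    for name, encaps in scenarios.items():
        mtu = effective_mtu(base_mtu, encaps)
        report[name] = {
            "mtu": mtu,
            "max_mss_v4": max_mss(mtu),
            "v4_ok": mss <= max_mss(mtu),
            "v6_ok": mss <= max_mss(mtu, ipv6=True),
        }
    return report


# The cases listed in the post, as constructed scenario definitions.
SCENARIOS = {
    "pppoe": ["pppoe"],
    "l2tp+pppoe": ["l2tp", "pppoe"],
    "l2tp+pppoe+vlan": ["l2tp", "pppoe", "vlan"],
}

if __name__ == "__main__":
    for name, row in check_adjust_mss(1280, SCENARIOS).items():
        print(f"{name:16s} mtu={row['mtu']} max_mss_v4={row['max_mss_v4']} "
              f"1280 fits: v4={row['v4_ok']} v6={row['v6_ok']}")
```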

Re: [c-nsp] OSPF Over FR

2013-10-06 Thread cnsp
- ensure your HUB will be DR by setting the ospf priority on the interface level;
  probably you wish to set this to zero on the spokes, or a very low value.

- correct the network statements,
  I think it should read  network 192.168.123.0 0.0.0.255 area 0
  for the FR interface, using the broadcast emulation of frame relay.

  Otherwise, one single network 0.0.0.0 0.0.0.0 area 0
  should catch 'em all...

- is the ospf interface type correct through automagic?

- and probably the frame-relay switch is just broken.

  Test connectivity between each router pair
  with loopback interfaces and static routes.


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 M K
 Sent: Sunday, 6 October 2013 17:08
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] OSPF Over FR
 
 Hi , I have three routers R1 , R2 and R3. R1 is the hub and is configured
 as below
 R1#sh run int s0/0.123
 Building configuration...
 Current configuration : 201 bytes
 !
 interface Serial0/0.123 multipoint
  ip address 192.168.123.1 255.255.255.0
  snmp trap link-status
  frame-relay map ip 192.168.123.3 103 broadcast
  frame-relay map ip 192.168.123.2 102 broadcast
 R1#sh run | sec router ospf
 router ospf 1
  router-id 1.1.1.1
  log-adjacency-changes
  network 1.1.1.1 0.0.0.0 area 0
  network 192.168.14.1 0.0.0.0 area 0
  network 192.168.123.1 0.0.0.0 area 0
  neighbor 192.168.123.2
  neighbor 192.168.123.3
 R2#sh run int s0/0
 Building configuration...
 Current configuration : 190 bytes
 !
 interface Serial0/0
  ip address 192.168.123.2 255.255.255.0
  encapsulation frame-relay
  clock rate 200
  frame-relay map ip 192.168.123.1 201 broadcast
  no frame-relay inverse-arp
 end
 R2#sh run | sec router ospf
 router ospf 1
  router-id 2.2.2.2
  log-adjacency-changes
  network 2.2.2.2 0.0.0.0 area 0
  network 192.168.123.2 0.0.0.0 area 0
  neighbor 192.168.123.1
 R3#sh run int s0/0
 Building configuration...
 Current configuration : 190 bytes
 !
 interface Serial0/0
  ip address 192.168.123.3 255.255.255.0
  encapsulation frame-relay
  clock rate 200
  frame-relay map ip 192.168.123.1 301 broadcast
  no frame-relay inverse-arp
 end
 R3#sh run | sec router ospf
 router ospf 1
  router-id 3.3.3.3
  log-adjacency-changes
  network 3.3.3.3 0.0.0.0 area 0
  network 192.168.123.3 0.0.0.0 area 0
  neighbor 192.168.123.1
 Why on R1 i cannot receive anything from R2 ?
 R1#sh ip route ospf
      3.0.0.0/24 is subnetted, 1 subnets
 O       3.3.3.0 [110/65] via 192.168.123.3, 00:06:21, Serial0/0.123
 Even though the neighborship is up ?
 Thanks




Re: [c-nsp] IP nat translation

2013-09-30 Thread cnsp


 How do I change the dynamic time out ?

For example:

ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 10

Values to be discussed...

Iff you use reflexive ACLs,
you should set their timeouts close to these, I think greater.

  IIRC on router IOS the defaults are:
  24 hrs for tcp unless a rst or fin is seen non-dns udp is 5 mins;
 dns:
  1 min Only static entries remain indefinitely - as long as it is
  present in config.

Just my $0.01

Juergen.




Re: [c-nsp] separate two directly connected networks on a Cisco 1800 series ISR?

2013-08-28 Thread cnsp
 What is the best approach here? Stick with this NAT solution described
 above? Something completely different to separate two networks behind
 the same router?

To avoid the hide-NAT of your vlan5 so you can see the true src-ip,
you may try to use reflexive access-lists to temporarily allow
the back-traffic from vlan10 to vlan5.

Juergen.



Re: [c-nsp] QoS

2013-08-03 Thread cnsp
Hi,

It depends on the mode your telnet is working in:

If it's sending line-by-line, then you will see fewer packets and bytes,
and longer contents (for example, your password sent in clear through the telnet
protocol)
will cause bigger packets, or even more of them if the contents do not fit
into one.
But normally, a line of say 80 characters will fit into one packet.

If it's sending letter-by-letter, you will see more packets and bytes because
of the overhead.

I don't think that this answers your RealQuestion(TM), but I
hope this helps,

Juergen.

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 M K
 Sent: Tuesday, 30 July 2013 02:26
 To: Tony; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] QoS
 
 Hi and sorry for the late reply. No, it's not a tricky question, I want
 to understand how the counts are calculated; if I entered a larger
 password will it really matter?
 
 Date: Thu, 25 Jul 2013 03:09:26 -0700
 From: td_mi...@yahoo.com
 Subject: Re: [c-nsp] QoS
 To: gunner_...@live.com; cisco-nsp@puck.nether.net
 
 Is this a trick question ?
 
 Every time it sees a packet that matches the criteria you have
 specified and is put into your class it increments the packets
 counter by 1 and adds the size of the packet to the bytes counter.
 
 What is or isn't happening that you're concerned about ?
 
 regards,
 Tony.
 
 From: M K gunner_...@live.com
  To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net
  Sent: Tuesday, 23 July 2013 8:10 PM
  Subject: [c-nsp] QoS
 
 Hi all
 I have configured QoS between two sites across my backbone , the
 classification was done based on telnet traffic and the marking was
 done based on the precedence value. I have configured to mark all telnet
 traffic with precedence value of 3 and I received it fine without any
 issues.
 Now my question is as below. When I first wrote telnet 7.7.7.7 and
 checked the output of show policy-map interface fastEthernet 1/0 | inc
 Class|packet
 telnet 7.7.7.7
 Class-map: PRECEDENCE_3 (match-all)
 9 packets, 520 bytes
 Username : cisco
 Class-map: PRECEDENCE_3 (match-all)
 16 packets, 905 bytes
 Password : cisco
 Class-map: PRECEDENCE_3 (match-all)
 23 packets, 1290 bytes
 R7>exit
 Class-map: PRECEDENCE_3 (match-all)
 30 packets, 1674 bytes
 I want to know what is the methodology used to count these numbers ?
 Thanks
 





Re: [c-nsp] OSPF admin distance not working on IOS-XR.

2013-04-04 Thread cnsp
Hi, I am not too familiar with IOS XR, but with normal IOS,
(carefully) setting the ospf cost
helps to avoid load-balancing through equal-cost
(but not equal-bandwidth) paths, to create a main/backup scenario:

!
interface Bundle-Ether2
 ip ospf cost 4
!

 
 Hello,
 
 We are trying to change the administrative distance on one of the OSPF
 neighbors of our router and no matter what it is set to, the value does
 not seem to change.
 
 #sh ip route x.x.0.102
 Thu Apr  4 02:36:05.122
 
 Routing entry for x.x.0.102/32
   Known via ospf 12345, distance 110, metric 2, type intra area
   Installed Apr  4 02:14:55.059 for 00:21:10
   Routing Descriptor Blocks
 x.x.25.19, from x.x.0.102, via Bundle-Ether1
   Route metric is 2
 x.x.25.34, from x.x.0.102, via Bundle-Ether2
   Route metric is 2
   No advertising protos.
 
 #sh route ospf | incl x.x.0.102
 Thu Apr  4 03:31:36.554
 O    x.x.0.102/32 [110/2] via x.x.25.34, 01:16:40, Bundle-Ether2
 
 
 The issue here is that we are trying to avoid sending a majority of our
 traffic through Bundle-Ether2 which it seems OSPF has decided is the
 best Path. The 0.102 address is a loopback interface of a neighbor
 (6500b) directly connected to Bundle-Ether1, where Bundle-Ether2 is
 connected to 6500a with less capacity on it's links. This is causing
 the links on
 bundle2 to get saturated at peak times.
 
 XR-bundle2---6500a---6500b
 XR-bundle1---6500b---6500a



Re: [c-nsp] Switching Loops

2013-03-25 Thread cnsp
Get a special device for this kind of problem,
for example
www.knipex.com
Products > Cable and Wire Rope Shears > Cable Shears >
95 26 165 Cable Shears with opening spring
EAN 4003773069980

  Hi I was wondering if I can avoid switching loops without turning on
 spanning tree ?I have two connections between two switches and they are
 configured as access in the same vlan , and i do not want to configure
 spanning tree , how to avoid loops ?
 
 Easy: Pull one of the cables.
 

You may want to use LACP, but a device not speaking STP seldom speaks LACP.





Re: [c-nsp] DHCP Forwarding Strategy

2013-03-09 Thread cnsp
 So is there anything I am missing? Is there any good documentation on
 what information forwarded DHCP requests have by default or what things
 I can add (besides the quite useless port number where the request came
 in)?

Look at

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html#wp1148846

and upgrade your 3550's to at least 12.2(25)
and you will be able to get the vlan-id.

( 12.2(44)SE6 is nearly current )

Hope this helps,

Juergen.




Re: [c-nsp] Option 82

2013-03-08 Thread cnsp
On Thu, Mar 07, 2013 at 02:11:16PM +0200, M K wrote:
 Hi all
 What smaller Cisco device that supports DHCP option 82

ip dhcp relay information option

To enable the system to insert a Dynamic Host Configuration Protocol (DHCP)
relay agent information option in forwarded BOOTREQUEST messages to a DHCP
server, use the ip dhcp relay information option command in global
configuration mode. To disable inserting relay information into forwarded
BOOTREQUEST messages, use the no form of this command.

present in Cisco 1812, 12.4(24)T7
or even (smaller) Cisco 831, 12.4(25b)

Hope this helps,

Juergen.


Re: [c-nsp] MSTP issue. Isolation of core switch

2013-01-10 Thread cnsp
Hello!

Thanks for your response.

As I know MSTP does not send MSTI's information in separate BPDUs, this
information is piggybacked into the IST's BPDUs using special M-Record
fields.



They are all sent UNTAGGED.

They may be filtered (bpdufilter enable) or carrier equipment may be
configured not to forward them

(may not be configured to forward them).

To have all vlans in one instance just don't map them; they will all be in
instance 0.

So, I can have multiple MSTIs or one with the whole vlan range (1-4096), no
matter. Also we have not planned to use some load-share mechanism, so I did not
see any sense in multiple instances.

In any case, BPDU will be propagated in MST0 (Internal Spanning Tree) and
will consist of such components as configuration name, revision number and a
hash value calculated over the VLAN-to-MSTI mapping table contents.

To form one region, the hash must be the same, so the mapping/name/revision must
be identical.


The configuration name and revision parameters make sense if we used
multiple instances (maybe I'm wrong). But this is not acceptable for us now.



They are mandatory. Did not work on my first 6 switches with MST-config
without name and revision.


I think that this problem may appear due to a very large L2 segment. So the Max
Hops value exhausts itself in some cases.
As a result sw-core receives BPDU 0 and after that the following scenario
happens:

sw-Core ceases to receive BPDUs from all neighbors and decides that it is
root.
Upstream switches send superior root bridge information to the sw-Core
bridge but receive the BPDUs with the Designated bit set; the upstream switch
concludes that the downstream does not hear its BPDUs. The upstream switch
then blocks the downstream port and marks it as STP dispute link.

BUT why does sw-CORE cease to receive BPDUs from ALL neighbors?  - a mystery.



If your sw-core is HP then I would tell you to enable spanning-tree; it's off
by default.

Filter -Y see above

Will show spanning-tree tell you that the running stp version IS MST ?

(you can have mst config and pvrstp running,

show mst config will show it even when pvst is active.)

So what Switches do you use?

Ensure identical MST configuration with name and revision (textually identical
on all switches helps a lot)

And that all your switches have STP/MST running.

Having WAN links with carrier-CPEs/NTs ensure sufficient MTU and
forwarding of BPDUs

(and packets with destination-MAC=local-special-MAC-Address)

Enable UDLD aggressive to find one-way links and disable them.

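A way to check the region point made above (name, revision and the digest over the VLAN-to-instance table must all match) across a set of switch configs. This is an added example, not code from the thread; it assumes the IEEE 802.1s digest construction (HMAC-MD5 with the standard fixed key over the 4096-entry VID-to-MSTID table) and the switch configs in `fleet` are constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Sequence, Tuple

# Key fixed by IEEE 802.1s/802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_list(spec: str) -> Iterable[int]:
    """Expand an IOS-style VLAN list such as '10,20-25,100'."""
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        yield from range(int(lo), int(hi or lo) + 1)


def mst_config_digest(vlan_to_instance: Dict[int, int]) -> str:
    """HMAC-MD5 over the 4096-entry VID -> MSTID table (2 bytes each, big endian).

    Unmapped VLANs stay in instance 0 (IST/CIST), which is why 'just don't map
    them' puts everything into instance 0.  With nothing mapped the digest is
    the well-known default 0xAC36177F50283CD4B83821D8AB26DE62.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094 or not 0 <= msti <= 4094:
            raise ValueError(f"invalid mapping vlan {vid} -> instance {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_id(name: str, revision: int, instances: Dict[int, str]) -> Tuple[str, int, str]:
    """The three values neighbouring bridges compare: name, revision, digest."""
    mapping = {vid: msti for msti, spec in instances.items()
               for vid in parse_vlan_list(spec)}
    return (name, revision, mst_config_digest(mapping))


def same_region(switches: Sequence[Tuple[str, int, Dict[int, str]]]) -> bool:
    """True only when every switch would land in one MST region."""
    return len({region_id(name, rev, inst) for name, rev, inst in switches}) == 1


if __name__ == "__main__":
    # Constructed configs: the second switch has a typo in its instance 2 list,
    # so it silently forms a region of its own and the boundary port goes into
    # the IST root-port/boundary handling instead of the intended MSTI topology.
    fleet = [("CAMPUS", 1, {1: "10-19", 2: "20-29"}),
             ("CAMPUS", 1, {1: "10-19", 2: "20-28"})]
    for name, rev, inst in fleet:
        print(name, rev, region_id(name, rev, inst)[2])
    print("one region:", same_region(fleet))
```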


Re: [c-nsp] WLC with DHCP relay not working on in VRF

2012-12-06 Thread cnsp
Hi,

Maybe a
(no) ip dhcp vrf connected problem ?
see https://supportforums.cisco.com/message/631964#631964

vrf in debug output is VRF_Guest and does not find an address-pool
so you should define one...; 
but your config-example's vrf is named Guests 


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Nasir Shaikh
 Sent: Thursday, 6 December 2012 16:42
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] WLC with DHCP relay not working on in VRF
 
 Hi,
 
 I encountered a problem whereby I have a  Guest-LAN placed in the VRF
 and a guest tries to connect via a WLC which is configured as a dhcp-
 relay. The guest does not get any IP address assigned by DHCP.
 
 Apparently the DHCP server functionality does not work properly in the
 VRF when a DHCP-relay is used, see below debug.
 
 First I thought it might be a bug in 12.4(20)T3 on the 2851 and 3845 on
 which I encountered the issue but had the same result on a 3945E running
 15.1 so it seems on all IOS's
 
 Problem does not occur when using autonomous APs.
 
 WITH THE VRF we see the following debug info:
 
 Dec  6 13:42:16.829 CET: DHCPD: Sending notification of DISCOVER:
 Dec  6 13:42:16.829 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
 Dec  6 13:42:16.829 CET:   DHCPD: remote id 020ac0a80a02000300c0
 Dec  6 13:42:16.829 CET:   DHCPD: circuit id 
 Dec  6 13:42:16.829 CET:   DHCPD: table id 1 = vrf VRF_Guest
 Dec  6 13:42:16.829 CET: DHCPD: DHCPDISCOVER received from client
 f87b.7a04.db2d through relay 192.168.9.193.
 Dec  6 13:42:16.829 CET: DHCPD: Seeing if there is an internally
 specified pool class:
 Dec  6 13:42:16.829 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
 Dec  6 13:42:16.829 CET:   DHCPD: remote id 020ac0a80a02000300c0 
 Dec  6 13:42:16.829 CET:   DHCPD: circuit id  
 Dec  6 13:42:16.829 CET:   DHCPD: table id 1 = vrf VRF_Guest 
 Dec  6 13:42:16.829 CET: DHCPD: there is no address pool for
 192.168.9.193.
 
 
 
 WITHOUT THE VRF we see the following debug info:
 
 Dec  6 14:46:05.413 CET: DHCPD: Sending notification of DISCOVER:
 Dec  6 14:46:05.417 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
 Dec  6 14:46:05.417 CET:   DHCPD: remote id 020ac0a80a02000300c0
 Dec  6 14:46:05.417 CET:   DHCPD: circuit id 
 Dec  6 14:46:05.417 CET: DHCPD: DHCPDISCOVER received from client
 f87b.7a04.db2d through relay 192.168.9.193.
 Dec  6 14:46:05.417 CET: DHCPD: Seeing if there is an internally
 specified pool class:
 Dec  6 14:46:05.417 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
 Dec  6 14:46:05.417 CET:   DHCPD: remote id 020ac0a80a02000300c0
 Dec  6 14:46:05.417 CET:   DHCPD: circuit id 
 Dec  6 14:46:05.417 CET: DHCPD: Allocate an address without class
 information (192.168.8.0)
 Dec  6 14:46:07.417 CET: DHCPD: Adding binding to radix tree
 (192.168.8.3)
 Dec  6 14:46:07.417 CET: DHCPD: Adding binding to hash tree
 Dec  6 14:46:07.417 CET: DHCPD: assigned IP address 192.168.8.3 to
 client f87b.7a04.db2d.
 Dec  6 14:46:07.417 CET: DHCPD: Sending DHCPOFFER to client
 f87b.7a04.db2d (192.168.8.3). 
 
 Config is straightforward.
 
 ip dhcp pool Guests
 vrf Guests
 import all
 network 192.168.8.0 255.255.252.0
 default-router 192.168.10.1
  dns-server 8.8.8.8 8.8.4.4
  lease 0 4
 !
 
 interface Vlan192
 description Guest access Internet (ISP Speed = 120M)
 ip forwarding vrf Guests
 ip address 192.168.10.2 255.255.252.0
 ip access-group 192 in
 
 Any ideas?
 
 Regards
 Nasir


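To make the VRF-name point above checkable rather than eyeballed, here is an added Python example (not from the thread): it pulls the relay address and VRF out of the DHCPD debug lines and compares them against a model of the configured pools. The `Pool` type, `pool()` helper and `diagnose()` function are assumptions of this example, and the sample debug lines and pool are constructed from the values quoted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Pool:
    """One 'ip dhcp pool' reduced to what relay lookup cares about (model)."""
    name: str
    network: ipaddress.IPv4Network
    vrf: Optional[str] = None          # None: pool lives in the global table


def pool(name: str, cidr: str, vrf: Optional[str] = None) -> Pool:
    """Build a Pool from an IOS 'network' statement written as CIDR."""
    return Pool(name, ipaddress.IPv4Network(cidr), vrf)


RELAY_RE = re.compile(r"through relay (\d+\.\d+\.\d+\.\d+)")
VRF_RE = re.compile(r"table id \d+ = vrf (\S+)")


def diagnose(debug_lines: Iterable[str], pools: List[Pool]) -> str:
    """Explain why a relayed DISCOVER did or did not find a pool.

    The server picks a pool whose network contains the giaddr (relay address)
    *and* whose VRF equals the VRF the request was received in.
    """
    relay = vrf = None
    for line in debug_lines:
        m = RELAY_RE.search(line)
        if m:
            relay = ipaddress.IPv4Address(m.group(1))
        m = VRF_RE.search(line)
        if m:
            vrf = m.group(1)
    if relay is None:
        return "no relayed DHCPDISCOVER in debug output"
    covering = [p for p in pools if relay in p.network]
    if not covering:
        return f"no pool network contains relay {relay}"
    matching = [p for p in covering if p.vrf == vrf]
    if matching:
        return f"ok: pool {matching[0].name} serves relay {relay} (vrf {vrf})"
    others = ", ".join(f"{p.name} (vrf {p.vrf})" for p in covering)
    return (f"vrf mismatch: relay {relay} arrived in vrf {vrf}, "
            f"covering pool(s) are in: {others}")


# Constructed sample: the lines that matter from the debug shown in the thread.
SAMPLE_DEBUG = [
    "Dec  6 13:42:16.829 CET:   DHCPD: table id 1 = vrf VRF_Guest",
    "Dec  6 13:42:16.829 CET: DHCPD: DHCPDISCOVER received from client "
    "f87b.7a04.db2d through relay 192.168.9.193.",
    "Dec  6 13:42:16.829 CET: DHCPD: there is no address pool for 192.168.9.193.",
]
# Constructed from the quoted config: pool 'Guests' sits in vrf 'Guests'.
SAMPLE_POOLS = [pool("Guests", "192.168.8.0/22", vrf="Guests")]

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, SAMPLE_POOLS))
```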


Re: [c-nsp] 7200 npe-g2 lacp

2012-10-10 Thread cnsp


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Darren O'Connor
 Sent: Wednesday, 10 October 2012 17:53
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] 7200 npe-g2 lacp
 
 I can see this platform supports etherchannel, but does it support
 lacp?
 
 I think now, but wanted to check

Looked at a 7201 c7200p-spservicesk9-mz.122-33.SRE6.bin

Configuring an int port-channel 1 
and putting the currently unused gig0/3 into channelgroup 1
results in flapping of the mgmt interface fas0/0 (o.k, it's the same
controller-chip as for gig0/3):

%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state
to down
%SYS-5-CONFIG_I: Configured from console by jm on vty0 
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
%ENTITY_ALARM-6-INFO: ASSERT CRITICAL Fa0/0 Physical Port Link Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
%ENTITY_ALARM-6-INFO: CLEAR CRITICAL Fa0/0 Physical Port Link Down
GigabitEthernet0/3 added as member-1 to port-channel1
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state
to up
GigabitEthernet0/3 taken out of port-channel1
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
%ENTITY_ALARM-6-INFO: ASSERT CRITICAL Fa0/0 Physical Port Link Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state
to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
%ENTITY_ALARM-6-INFO: CLEAR CRITICAL Fa0/0 Physical Port Link Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to up
%LINK-5-CHANGED: Interface Port-channel1, changed state to administratively
down
%SYS-5-CONFIG_I: Configured from console by jm on vty0

Hope the other two CPU Gig Ports do not flap when you
configure one of them to go into a port-channel. 
Ok, yes, I know, the NPE-G2 does not have the Gig0/3 port.

Not found any hint on lacp, seems to be a static thing.

Hope this helps,

Juergen.





Re: [c-nsp] Security Advisories for DHCP

2012-09-26 Thread cnsp


 Hi,
 
 Is there a general problem with Cisco and DHCP? Did get a lot of SA's
 regarding DHCP and nearly any OS!

Just starting at IOS 12.5, aehm 15.0.
They claim that the 12.0, 12.2, 12.3, 12.4 based releases are not affected.

Juergen.



Re: [c-nsp] l2tpv3

2012-08-30 Thread cnsp

Hi,

L2tpv3 does not work well with the embedded switch-ports on the 870/1800
Routers since they tend to collect the stp/dot-q/.. packets.

With 1812 and the two real Fastethernet ports,
Stp and also full Ethernet frames including dot-q tags get transmitted.

So I used one of the switch-ports in vlan1 for the IP Transport connection.
IOS was c181x-adventerprisek9-mz.124-9.T.bin

With this IOS you can use the ip-address of the LAN interface for the L2tpv3.
So you are not bound to have a loopback interface, as seen in later IOSes.

Probably, the WAN Internet Port of an 871 may work, but
those devices have an external power-supply.

With the 180[123]/1811/1812, you have at least one real FastEthernet Port
for the internet-crossover Cable; embedded xDSL Modem or second FAS
(1811/1812)
for the WAN Connection and a crypto-copro for the encryption of that Cable.

Hope this helps,

Juergen.

 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Aaron
 Sent: Thursday, 30 August 2012 18:32
 To: 'Arie Vayner (avayner)'; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] l2tpv3
 
 Also, can I have a mesh of tunnels between (3) different endpoints, so
 3 different cisco 800's with (2) tunnels per 800 to the other (2)
 800's, such that (3) lan switches hanging off the lan side of the 800's
 appear to be all
 3 meshed together AND PASS STP/CDP/VTP, etc ?
 
 Aaron
 
 
 -Original Message-
 From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
 Sent: Thursday, August 30, 2012 10:57 AM
 To: Aaron; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] l2tpv3
 
 Aaron,
 
 You should be able to deploy L2TPv3 with the smaller ISR routers... The
 800 series support it (not sure what software feature set is needed...)
 
 Arie
 
 -Original Message-
 From:
 cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net]
 On Behalf Of Aaron
 Sent: Thursday, August 30, 2012 08:27
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] l2tpv3
 
 What is the smallest/cheapest cisco router that supports L2TPv3?
 
 I work at an isp and have small/medium sized businesses that
 occasionally want transparent lan connectivity between their sites
 (which are connected via FTTH, DSL, Cable Modem).
 
 Is L2TPv3 tunneling the way to go for something like that ?
 
 I don't really want to set up all kinds of qinq or mpls l2vpn's in my
 core if I can avoid it.
 
 Also, tunneling endpoints at the customer premise seems that the
 dslam/olt/cmts would not have to be wise at all about the tunneling
 architecture. 
 
 Lemme know your thoughts/suggestions please
 Aaron






Re: [c-nsp] Anycast//DNS - BGP

2012-05-04 Thread cnsp
Hi,

it isn't quite that easy. Never heard before about the diverse-path feature on 
Cisco for RRs, but looking at your link it seems to have this probably 
limiting restriction in most setups:
'Path diversity is configured within an AS, within a single RR cluster. That 
is, the RR will advertise the diverse path to its RR client peers only.'

In case you have one RR cluster per datacenter and multiple DNS anycast servers 
per datacenter, only the best path per datacenter will be distributed to the 
iBGP full-mesh and only the local DC routers will know about local multiple 
paths. In case the backbone routers connected to the DC can directly reach all 
DC routers, only one of the DNS anycast servers will be contacted (assuming the 
anycast servers are connected to different DC distribution routers). So no 
traffic balancing will happen for traffic coming from your backbone-routers 
(part of the full mesh).

If you use a global RR cluster for all datacenters, even traffic distribution 
across several datacenters won't happen if your setup includes full-meshed 
iBGP peers.

So it's not only turning that feature on on your RRs, but you'll have to 
consider how your RR-clusters are set up and how they are placed in your 
topology (for anycast it is more or less the same as trying to get BGP based 
multipathing to work in a RR environment).

Or did I miss something?

Cheers,
Matthias

On Fri, 04 May 2012 17:47:39 +0200
Robert Raszuk rob...@raszuk.net wrote:

 Hi Henry,
 
   Currently we have issues with the RR (Only select the main route)
 
 That's an easy one to solve :)
 
 Try using either add-paths or diverse-path on the RR. The latter is much 
 easier as it does not require upgrade of all of your BGP speakers !
 
 http://goo.gl/KDjlg
 
 Best,
 R.
 
  We want to work with DNS that are span geographical. Our DNS have the same 
  IP.
  We need to configure the Backbone IP (BGP) to distribute this IP (Anycast).
  Could you have any examples over how to deployment Anycast?
  Currently we have issues with the RR (Only select the main route)
 
  Thanks a lot!
 
  Henry


Re: [c-nsp] Constant output drops on etherchannel

2011-01-14 Thread cnsp
Depending on the network and the hardware (buffer space), output drops start at 
15-20% of linerate traffic. Hardware buffers on lower end switches are usually 
very low, so output drops happen very often.
One of the main problems leading to micro bursts (leading to buffer related 
output drops) is network synchronisation, e.g. systems tend to send out 
periodic packets at the same time (and synchronize over time). For network 
protocols, algorithms are implemented that avoid that synchronization, but on 
the application layer there are a lot of protocols that tend to synchronize 
over time (most of the time self-developed protocols).
So, seeing problems at 92% linerate is normal, but with enough bad protocols 
running you can see the same probs at 20% linerate...

Bye,
Matthias

On Fri, 14 Jan 2011 13:18:23 -0500
Benjamin Lovell belov...@cisco.com wrote:

 Agreed would need some platform details but, in general, if you are seeing 
 port get to 92% then you can be pretty much sure that you are bursting to 
 100% and dropping at times. 
 
 -Ben
 
 
 On Jan 14, 2011, at 11:12 AM, Phil Mayers wrote:
 
  On 14/01/11 16:08, Dan Letkeman wrote:
  Hello,
  
  I'm seeing many of our etherchannel's on different switches having output 
  drops:
  
  Platform? IOS version? Config of the interface(s) (routed, SVI, etc.)
  
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 
  898085
  
  Are you monitoring the traffic rate? Do the drops correspond to traffic 
  bursts? Do you have QoS enabled?
  
  I also see that it usually uses one port of the etherchannel to a high
  degree, say 92% before it seems to push data through the other
  connection.
  
  That's not necessarily unusual, depending on your etherchannel load 
  balancing algorithm and traffic patterns. But you haven't really supplied 
  enough info for people to help you.
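An added simulation (not from the thread) of the synchronisation argument above: the same 20% average load on one port with a small output buffer, once with every periodic sender in phase and once with their phases spread out. The queue model, `simulate_port()`/`compare()` and all numbers are constructed assumptions, not measurements from any platform.

```python
from typing import Dict, Sequence, Tuple


def simulate_port(offsets: Sequence[int], burst: int, period: int,
                  drain: int, buffer_pkts: int, ticks: int) -> Dict[str, float]:
    """Single egress port with a finite output buffer (constructed model).

    Every source sends a burst of `burst` packets once per `period` ticks,
    starting at its own phase offset.  The port forwards `drain` packets per
    tick; whatever does not fit into `buffer_pkts` is an output drop.
    """
    queue = offered = dropped = 0
    for t in range(ticks):
        arrivals = sum(burst for o in offsets if t >= o and (t - o) % period == 0)
        offered += arrivals
        queue += arrivals
        if queue > buffer_pkts:              # tail drop: buffer already full
            dropped += queue - buffer_pkts
            queue = buffer_pkts
        queue -= min(queue, drain)           # line rate drains the queue
    return {"offered": offered, "dropped": dropped,
            "utilisation": offered / (ticks * drain)}


def compare(n_sources: int = 20, burst: int = 10, period: int = 100,
            drain: int = 10, buffer_pkts: int = 64, ticks: int = 1000
            ) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Same offered load twice: all senders in phase vs. phases spread out."""
    common = dict(burst=burst, period=period, drain=drain,
                  buffer_pkts=buffer_pkts, ticks=ticks)
    in_phase = simulate_port([0] * n_sources, **common)
    spread = simulate_port([i * period // n_sources for i in range(n_sources)],
                           **common)
    return in_phase, spread


if __name__ == "__main__":
    # 20 senders x 10 packets per 100 ticks against a 10 packet/tick port: 20%
    # average load.  In phase, 200 packets hit a 64 packet buffer at once.
    for label, r in zip(("synchronised", "spread"), compare()):
        print(f"{label:13s} load {r['utilisation']:.0%}  offered {r['offered']}  "
              f"dropped {r['dropped']}")
```

Interface counters only show the average (20%), so the in-phase case looks like a lightly loaded port that nevertheless drops most of every burst.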