[c-nsp] cisco nexus vpc hybrid topology

2021-02-23 Thread Marco Regini
Hello,

Is anyone heavily using Nexus vPC in a hybrid topology?

I want to maintain my standard L2 network (with STP as the loop-avoidance 
mechanism) with the possibility to configure some vPCs when it is possible or 
when it is useful.
In the vPC documentation STP is evil and connecting switches in daisy-chain is 
discouraged, but I can't rebuild all my campus network from scratch.


Simplifying, I have 3 buildings connected to each other with a couple of dark 
fibers: a triangle with double edges.
In each vertex I'm going to place a couple of Nexus9k.

I'm interested in vPC to aggregate the couple of dark fibers interconnecting 
each building, but:

- a triangle topology requires STP (I guess)
- in each building the existing switches (Catalyst 3560) are mostly in 
daisy-chain and can't be connected to the local couple of Nexus via a dedicated 
vPC port.


I understand that what I want is not what Cisco suggests, but I don't see any 
issue in doing that.
I simply prefer vPC in a hybrid topology to no vPC at all.


Thanks 

Marco 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] EVPN-VPWS PW and AC status coupling

2018-02-16 Thread Marco Marzetti
Adam,

You're right. I didn't explain it well.
PW is UP, but LDP propagates AC status to the other end.

Anyway it doesn't look to be supported by EVPNs, which is a pity.

Regards


On Fri, Feb 9, 2018 at 2:29 PM,  <adamv0...@netconsultings.com> wrote:
>> Marco Marzetti
>> Sent: Friday, February 09, 2018 10:34 AM
>>
>> Hello,
>>
>> It's been a few weeks I've been working on EVPNs and IOS-XR 6.1 and I
>> wonder if there's a way to couple AC and PW status so that you can
>> propagate PE-CE link failures end-to-end.
>>
>> I know it's supported for "regular" EVPNs (RFC7432), but EVPN-VPWS
>> (RFC8214) is definitely a special case.
>>
>> Here's my configuration snippets
>>
>> !
>> hostname XRV1
>> !
>> interface GigabitEthernet0/0/0/0.200 l2transport
>>  encapsulation dot1q 200
>> !
>> router bgp 64496
>>  bgp router-id 192.0.2.1
>>  address-family l2vpn evpn
>>  !
>>  neighbor 192.0.2.2
>>   remote-as 64496
>>   local address 192.0.2.1
>>   address-family l2vpn evpn
>>   !
>>  !
>> !
>> l2vpn
>>  xconnect group test
>>   p2p test
>>    interface GigabitEthernet0/0/0/0.200
>>    neighbor evpn evi 100 target 300 source 200
>>   !
>>  !
>> !
>>
>>
>> !
>> hostname XRV2
>> !
>> interface GigabitEthernet0/0/0/0.300 l2transport
>>  encapsulation dot1q 300
>> !
>> router bgp 64496
>>  bgp router-id 192.0.2.2
>>  address-family l2vpn evpn
>>  !
>>  neighbor 192.0.2.1
>>   remote-as 64496
>>   local address 192.0.2.2
>>   address-family l2vpn evpn
>>   !
>>  !
>> !
>> l2vpn
>>  xconnect group test
>>   p2p test
>>    interface GigabitEthernet0/0/0/0.300
>>    neighbor evpn evi 100 target 200 source 300
>>   !
>>  !
>> !
>>
>>
>> What i'd expect is XRV1 to turn Gi0/0/0/0.200 down when XRV2 withdraws
>> the BGP advertisements.
>>
>> Is that supported?
>>
> Hmm I'm getting a bit rusty on the Carrier-Ethernet stuff but isn't that the
> other way around?
> I mean what I remember is that if AC goes down that in turn brings down the
> PW -but the bit where the PW failure propagating to the other end then in
> turn brings the AC down on that end too  -that one I don't recall to be
> honest.  (Would I need to enable that with some knob first?)
> And what if the other end is configured with PW-redundancy -in that case I'd
> need the AC at remote end to stay up and just use the backup PW.
>
> Sure if you run LFM or the whole CFM suite end-to-end, then that could bring
> down ACs at both ends in case any component along the path fails.
>
>
> adam
>
> netconsultings.com
> ::carrier-class solutions for the telecommunications industry::
>



-- 
Marco


[c-nsp] EVPN-VPWS PW and AC status coupling

2018-02-09 Thread Marco Marzetti
Hello,

It's been a few weeks I've been working on EVPNs and IOS-XR 6.1 and I
wonder if there's a way to couple AC and PW status so that you can
propagate PE-CE link failures end-to-end.

I know it's supported for "regular" EVPNs (RFC7432), but EVPN-VPWS
(RFC8214) is definitely a special case.

Here's my configuration snippets

!
hostname XRV1
!
interface GigabitEthernet0/0/0/0.200 l2transport
 encapsulation dot1q 200
!
router bgp 64496
 bgp router-id 192.0.2.1
 address-family l2vpn evpn
 !
 neighbor 192.0.2.2
  remote-as 64496
  local address 192.0.2.1
  address-family l2vpn evpn
  !
 !
!
l2vpn
 xconnect group test
  p2p test
   interface GigabitEthernet0/0/0/0.200
   neighbor evpn evi 100 target 300 source 200
  !
 !
!


!
hostname XRV2
!
interface GigabitEthernet0/0/0/0.300 l2transport
 encapsulation dot1q 300
!
router bgp 64496
 bgp router-id 192.0.2.2
 address-family l2vpn evpn
 !
 neighbor 192.0.2.1
  remote-as 64496
  local address 192.0.2.2
  address-family l2vpn evpn
  !
 !
!
l2vpn
 xconnect group test
  p2p test
   interface GigabitEthernet0/0/0/0.300
   neighbor evpn evi 100 target 200 source 300
  !
 !
!


What I'd expect is XRV1 to turn Gi0/0/0/0.200 down when XRV2 withdraws
the BGP advertisements.

Is that supported?

Thank you

Regards


-- 
Marco


[c-nsp] VxLAN on Nexus 9000v and trunk ports

2017-12-11 Thread Marco Marzetti
Hello,

I am trying to configure EVPN VxLANs on Nexus 9000v.
And i am stuck with trunk ports

Configuration looks like:

vlan 101
  vn-segment 1

interface nve1
  no shutdown
  overlay-encapsulation vxlan-with-tag
  host-reachability protocol bgp
  source-interface loopback0
  member vni 1
    ingress-replication protocol bgp

interface ethernet 1/3
  no shutdown
  switchport access vlan 101

router bgp 64496
  router-id 192.0.2.2
  address-family l2vpn evpn
  neighbor 192.0.2.1
    remote-as 64496
    update-source loopback0
    address-family l2vpn evpn
      send-community extended

evpn
  vni 1 l2
    rd auto
    route-target import auto
    route-target export auto

As long as I use access ports on both leafs everything works as expected.
But I can't get it working when one of the two is in trunk mode.

So, for instance:
hostname leaf1
!
interface ethernet 1/3
  no shutdown
  switchport access vlan 101

and

hostname leaf2
!
interface ethernet 1/3
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 101,2

Vlan2 is connected to a SVI on the Nexus.
Vlan101 is connected to NVE1 via vn-segment

I'd expected traffic going out from e1/3 on leaf2 for vlan101 to be tagged
with id 101, but it is not. It's untagged.

Is it a bug (or a limitation of Nexus 9000v) or am I missing something?

Thank you

-- 
Marco


Re: [c-nsp] Ode to the old days

2016-12-09 Thread Marco van den Bovenkamp
. I didn't just play with them back in the day, I still own one! A 
CGS running IOS 8.0.

It's actually older than the one they have in the small museum in the main 
Cisco building here in Amsterdam. I checked :-)

Ah, when ciscos (no capitals!) were white and the IOS documentation fit in a 
single binder...

On December 9, 2016 4:58:10 PM CET, Traveling Diner  wrote:
>You guys making reference to all these Cisco numbered-series devices...
>let's go back and talk AGS/AGS+, CGS, IGS... the letter-series devices.
>How many of ya'll got to play with the jumpers on the boards inside the
>AGS+? ;-)
>
>On Fri, Dec 9, 2016 at 4:44 AM, Saku Ytti  wrote:
>
>> On 9 December 2016 at 09:49, Gert Doering wrote:
>>
>> > Compare a 7200 of 15 years ago with an ASR9001 of today for list price
>> > insanity.
>>
>> I think 7200 and ASR1k are more apt comparison. ASR9001 should be
>> compared against GSR, but no small model existed.
>>
>> --
>>   ++ytti

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [c-nsp] Ode to the old days

2016-12-08 Thread Marco van den Bovenkamp
I had the same reaction when I first saw a Lannet 3LS some twenty years ago, 
back when the 7500s were king.

'1.28 Gbps of routing performance? WHAT!?' 

On December 8, 2016 10:29:01 PM CET, Nick Cutting  wrote:
>The day I got my hands on a 3550, when I was new to networking - and I
>thought we will never ever need routers again ! Removed all our routers
>living on sticks 
>
>-Original Message-
>From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
>Mattias Gyllenvarg
>Sent: Thursday, December 8, 2016 6:46 AM
>To: cisco-nsp 
>Subject: [c-nsp] Ode to the old days
>
>Dear All
>
>10year 4weeks 6days and about 11hours ago I was working for my first
>ISP (ispA).
>
>On that day I put a 3560-24TS into production as a device to terminate
>to a Metronet running OSPF/BGP and public IP space.
>
>A few years later I started consulting for ispB who later split into
>and became ispC for whom I worked for several years.
>
>After this I ventured into a smaller ISP (ispD) that was acquiring
>ispA.
>
>During that time that 3560 has been working without issue or power
>interruptions.
>Today, that it was replaced to add MPLS capabilities to the node
>boasting an up-time of 10 years 4 weeks 6 days and 11 hours.
>
>I fear I will never beat this record in my career.
>
>To the old gear!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [c-nsp] Cat6500 VLAN cannot be assigned to a routed port sub-if?

2016-09-16 Thread Marco van den Bovenkamp


On 16/09/2016 13:36, Curtis Piehler wrote:
> Exactly!   On the 6500/7600 platforms you can't have your cake and eat it
> :)

Indeed :-). And 'routed ports' are actually SVIs on a VLAN you don't see, 
but does get taken from the global pool (try 'show vlan internal usage' 
sometime).


A 6500 is a switch, even when it calls itself a 7600 :-)




Re: [c-nsp] IPV6 RTBH on IOS

2016-05-03 Thread Marco Marzetti

On 2016-05-03 08:47, Gert Doering wrote:
> Hi,
>
> On Mon, May 02, 2016 at 11:39:47PM +0200, Sebastian Ganschow wrote:
>> There's a feature request open for this.
>
> The whole "use link-local next-hops for peers where the session is via
> a global address" is one of the most stupid ideas in this whole IPv6 thing
> anyway.  There is no benefit, but a heap of drawbacks (like, instant
> black holing if ND fails for the link-local address) - and it's no wonder
> that no other vendor but Cisco does this...
>
> I have a feature request to at least add a knob for "please use GUA
> next-hop!" - CSCut26765 - it was opened by a friendly Cisco developer,
> and I have no read access to it, so no idea whether it's proceeding or
> not.  But if you have interest in getting this fixed, please open a
> case and link to it...
>
> gert


Sebastian,

Thank you!


Gert,

As far as i can see there are two valid options for that:
1) route-map + disable-connected-check
2) bgp table-map

And on XR (5.3.1) you only need the route-policy.

Why do we need yet another knob?

Regards

--
Marco


[c-nsp] IPV6 RTBH on IOS

2016-05-02 Thread Marco Marzetti

Hello,

I am working on RTBH for IPv6 on IOS and i am stuck with the odd 
behavior of the OS.


Let's say that i have the following configuration on the router:

!
hostname R2
ipv6 unicast-routing
!
interface Gi1/0
 ipv6 address 2001:DB8::2/64
!
router bgp 64512
 bgp maxas-limit 30
 neighbor 2001:DB8::1 remote-as 64513
 !
 address-family ipv6
  neighbor 2001:DB8::1 activate
  neighbor 2001:DB8::1 send-community
  neighbor 2001:DB8::1 prefix-list AS64513_IN in
  neighbor 2001:DB8::1 route-map CUST_IN_V6 in
 exit-address-family
!
ipv6 route 100::/64 Null0
!
route-map CUST_IN_V6 permit 10
 match community BLACKHOLE
 set community no-export additive
 set local-preference 200
 set ipv6 next-hop 100::1
!
route-map CUST_IN_V6 permit 20
!
ipv6 prefix-list AS64513_IN permit 2001:db8:100::/48 le 128
!



Now let's say that R1 (the peer) is sending the following prefixes to R2 
via eBGP marked with community BLACKHOLE:

 - 2001:DB8:100::/48
 - 2001:DB8:100::1/128



The prefixes are received by R2 and next-hop is set to 100::1 as 
expected (because of the community)

R2#show bgp ipv6 unicast
BGP table version is 17, local router ID is 192.0.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
 *>  2001:DB8:100::/48
                       100::1                 100    200      0 64513 i
 *>  2001:DB8:100::1/128
                       100::1                 100    200      0 64513 ?


But, even if 100::1 is routed to Null0, the routing table shows that the 
next-hop for the eBGP prefixes is the link-local address of R1 (the 
peering router)

R2#show ipv6 route
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination
       NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
       OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2, l - LISP

S   100::/64 [1/0]
 via Null0, directly connected
C   2001:DB8::/64 [0/0]
 via GigabitEthernet1/0, directly connected
L   2001:DB8::2/128 [0/0]
 via GigabitEthernet1/0, receive
B   2001:DB8:100::/48 [20/100]
 via FE80::C801:37FF:FEB0:1C, GigabitEthernet1/0
B   2001:DB8:100::1/128 [20/100]
 via FE80::C801:37FF:FEB0:1C, GigabitEthernet1/0
L   FF00::/8 [0/0]
 via Null0, receive



And the same does FIB:
R2#show ipv6 cef 2001:DB8:100::1/128
2001:DB8:100::1/128
  nexthop FE80::C801:37FF:FEB0:1C GigabitEthernet1/0
R2#



So the prefix is reachable:
R2#ping 2001:DB8:100::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:100::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
R2#



The outcome is that I cannot null-route traffic destined to a neighbor 
on the same router of the source of the attack.


Now, i understand that RFC2545 permits a router to use link-local for 
eBGP.

It precisely says:
" The link-local address shall be included in the Next Hop field if and
only if the BGP speaker shares a common subnet with the entity
identified by the global IPv6 address carried in the Network Address
of Next Hop field and the peer the route is being advertised to. "

But this is "less than optimal" and I wonder if there's a 
trick/kludge/whatever to amend that.
For instance IOS-XR is smart enough to stick to the specified next-hop 
if you use "set next-hop" within a route-policy.


So far the only thing that has come to my mind was to set ebgp-multihop 
(in the wrong hope that would have forced IOS to consider the neighbor 
as non-connected), but it didn't work.


And you can't even forward the prefixes to another router/exabgp and 
somehow receive them back because you'll end up in overwriting the 
originals.


Do you have any ideas?

--
Marco
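
A way to check for the condition described in this post from collected CLI output, added here as an example and not part of the original message: it compares the next hop BGP selected for blackhole-tagged prefixes with what the RIB actually installed, and reports prefixes whose traffic is still being forwarded. The function names are hypothetical; the sample text is abridged from the outputs in the post, with the BGP table columns respaced.

```python
import ipaddress
import re

# Discard prefix from the post's configuration: "ipv6 route 100::/64 Null0".
DISCARD = ipaddress.ip_network("100::/64")

# Sample text abridged from the outputs in the post (BGP columns respaced).
SHOW_BGP = """\
     Network          Next Hop            Metric LocPrf Weight Path
 *>  2001:DB8:100::/48
                       100::1                 100    200      0 64513 i
 *>  2001:DB8:100::1/128
                       100::1                 100    200      0 64513 ?
"""
SHOW_ROUTE = """\
S   100::/64 [1/0]
     via Null0, directly connected
C   2001:DB8::/64 [0/0]
     via GigabitEthernet1/0, directly connected
B   2001:DB8:100::/48 [20/100]
     via FE80::C801:37FF:FEB0:1C, GigabitEthernet1/0
B   2001:DB8:100::1/128 [20/100]
     via FE80::C801:37FF:FEB0:1C, GigabitEthernet1/0
"""


def _addr(token):
    """Return an ip_address for token, or None if it is not an address."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_bgp_next_hops(text):
    """Map prefix -> BGP next hop for best paths ('>') in 'show bgp ipv6 unicast'."""
    hops, pending = {}, None
    for line in text.splitlines():
        tokens = line.split()
        m = re.match(r"^\s*\S*>i?\s*([0-9A-Fa-f:.]+/\d+)", line)
        if m:
            pending = ipaddress.ip_network(m.group(1), strict=False)
            tokens = line[m.end():].split()  # next hop may share the line
        if pending is not None and tokens:
            hop = _addr(tokens[0])
            if hop is not None:
                hops[pending] = hop
                pending = None
    return hops


def parse_rib(text):
    """Map prefix -> (route code, first 'via' target) from 'show ipv6 route'."""
    rib, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+([0-9A-Fa-f:.]+/\d+)\s+\[\d+/\d+\]", line)
        if m:
            current = ipaddress.ip_network(m.group(2), strict=False)
            rib[current] = (m.group(1), None)
            continue
        m = re.match(r"^\s+via\s+([^,\s]+)", line)
        if m and current is not None and rib[current][1] is None:
            rib[current] = (rib[current][0], m.group(1))
    return rib


def is_discard(via):
    """True if the installed next hop drops traffic (Null0 or inside DISCARD)."""
    if via is None:
        return False
    if via.lower().startswith("null"):
        return True
    addr = _addr(via)
    return addr is not None and addr in DISCARD


def find_ineffective_blackholes(bgp_text, rib_text):
    """Return (prefix, bgp_next_hop, installed_via) for blackhole routes
    whose RIB entry does not point at the discard next hop."""
    rib = parse_rib(rib_text)
    findings = []
    for prefix, hop in parse_bgp_next_hops(bgp_text).items():
        if hop not in DISCARD:
            continue  # next hop was not rewritten, so not a blackhole route
        via = rib.get(prefix, (None, None))[1]  # None: prefix not installed
        if not is_discard(via):
            findings.append((str(prefix), str(hop), via))
    return findings


if __name__ == "__main__":
    for prefix, hop, via in find_ineffective_blackholes(SHOW_BGP, SHOW_ROUTE):
        print(f"{prefix}: BGP next hop {hop}, but RIB forwards via {via}")
```
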


Re: [c-nsp] cat 6800 performance mode

2015-12-31 Thread Marco van den Bovenkamp
No, the Catalysts were external acquisitions. Low end stuff like the 1900 came 
from Grand Junction, the 3K was Kalpana, and the 5K & 6K Crescendo.

   Regards, Marco.


On December 31, 2015 9:33:31 PM CET, Wes Smith <fath...@live.com> wrote:
>Insieme is the skunkworks venture Cisco backed group they use for some
>new tech.   These guys operate outside Cisco and develop Product to
>eventually be bought / acquired. 
>
>Nx9k is the latest example.   I'm told the original catalyst and cat5k
>were similar.   
>
>Sent from my iPhone
>
>> On Dec 31, 2015, at 11:20 AM, Gert Doering <g...@greenie.muc.de> wrote:
>> 
>> Insieme

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


[c-nsp] rtfilter for VPLS

2015-03-26 Thread Marco Marzetti

Hello,

I've not been able to find any references on cisco.com so i'm asking 
here before reaching TAC.


As per my understanding IOS-XE does not support RT constrained route 
distribution (address-family rtfilter / RFC4684 ) for VPLS NLRIs 
(AFI=25, SAFI=65).


Is it a bug or a (missing) feature?

Ps. We're running 15.4(3)S1 on ME3600x with the AdvancedMetroIPAccess 
license.


Thank You


Re: [c-nsp] TCN's - Causing brief outages on ASR1K

2014-12-18 Thread Marco Marzetti

On 18/12/2014 05:59, Blake Dunlap wrote:
> This seems like...interesting advice. At that point, you might as
> well just turn spanning-tree off. This is somewhere around cutting off
> your foot to stop your toe bleeding.
>
> That said: This seems like design problem not so much gear
> problem. Why are you running spanning tree with devices you don't
> administratively control? And if you do control them, why the hell are
> you seeing TCNs so often if your network is stable?



That happens very often when you buy inter-pops links from your town's 
metro ethernet carrier.




[c-nsp] Multipath broken on ASR1k

2014-12-16 Thread Marco Marzetti

Hello,

I'm afraid that multipath is broken on our ASR1k routers

We redistribute the address 192.0.2.4 on both the upstream routers of 
the box named BG-ASR1.



BG-ASR1#show ip route 192.0.2.4
Routing entry for 192.0.2.4/32
  Known via ospf 1, distance 110, metric 20, type extern 2, forward metric 10
  Redistributing via bgp 41497
  Advertised by bgp 41497 match external 2
  Last update from 212.183.160.94 on GigabitEthernet0/1/4, 00:11:25 ago
  Routing Descriptor Blocks:
  * 212.183.160.126, from 212.183.160.52, 00:11:38 ago, via GigabitEthernet0/1/3
      Route metric is 20, traffic share count is 1
    212.183.160.94, from 212.183.160.50, 00:11:25 ago, via GigabitEthernet0/1/4
      Route metric is 20, traffic share count is 1


As you can see they're both active in RIB


BG-ASR1#show ip cef 192.0.2.4 detail
192.0.2.4/32, epoch 5, per-longest-match-prefix sharing
  local label info: global/2398
  nexthop 212.183.160.94 GigabitEthernet0/1/4 label explicit-null
  nexthop 212.183.160.126 GigabitEthernet0/1/3 label explicit-null


And, according to the output above, the corresponding entries are 
present in FIB.


Anyway there is only one entry in mpls forwarding-table.


BG-ASR1#show mpls forwarding-table 192.0.2.4 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
2398       explicit-n 192.0.2.4/32     0             Gi0/1/3    212.183.160.126
        MAC/Encaps=14/18, MRU=9192, Label Stack{}
        C47D4FB09F804C4E351A3E938847
        No output feature configured


Why?
Do You have any ideas?

Thank You


Re: [c-nsp] Unable to create BFD session on C6500

2014-12-13 Thread Marco Marzetti

On 12/12/2014 18:00, Murat Kaipov wrote:
> Hello Marco.
> Now I don't have any idea. But in my opinion there is issue on me3600. I 
> haven't any proof, but it is just my experience with ME series switches. If you 
> can, check this theory. Connect gi2/7 on cat6500 to another box and try setup 
> ospf with bfd in some another ospf process. You can do it for me3600 too.
> Thank you. I really have no other idea.
> Murat



Hello,

Thanks to Andrew Koch, I've finally managed to bring the session up.

On C6500_1 there was an overlapping subnet configured on an interface 
that has been shut down months ago.


Gi2/7        1     0               192.0.2.174/30     10    P2P   1/1
Gi3/11       1     0               192.0.2.173/30     10    DOWN  0/0

That was enough to break the BFD stack.

Thank you for your help.

Marco
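
The root cause reported above, an overlapping subnet left on a shut-down interface, can be caught from the same `show ip ospf interface brief` output posted earlier in the thread. The following is an added example, not part of the original message; the function names are hypothetical and the table is the thread's own (anonymized) output with its columns respaced.

```python
import ipaddress
from itertools import combinations

# Respaced from the 'show ip ospf interface brief' output posted for C6500_1.
OSPF_BRIEF = """\
Interface    PID   Area   IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0      192.0.2.52/32      1     LOOP  0/0
Gi2/7        1     0      192.0.2.174/30     10    P2P   1/1
Gi2/6        1     0      192.0.2.110/30     10    P2P   1/1
Gi3/11       1     0      192.0.2.173/30     10    DOWN  0/0
Vl27         1     0      192.0.2.126/28     10    DR    4/4
Gi2/4        1     0      192.0.2.105/30     10    P2P   1/1
Gi1/1        1     0      192.0.2.97/30      1     P2P   1/1
Gi2/5        1     0      192.0.2.57/30      10    P2P   1/1
"""


def parse_interfaces(text):
    """Return [(interface, ip_interface, state)] from the brief table."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or "/" not in cols[3]:
            continue  # header or short line
        try:
            addr = ipaddress.ip_interface(cols[3])
        except ValueError:
            continue  # column 4 is not an address/mask
        rows.append((cols[0], addr, cols[5]))
    return rows


def find_overlaps(rows):
    """Return interface pairs whose configured subnets overlap.

    Interfaces in DOWN state are deliberately included: the address stays
    in the configuration even when the port is shut down.
    """
    hits = []
    for (n1, a1, s1), (n2, a2, s2) in combinations(rows, 2):
        if a1.version == a2.version and a1.network.overlaps(a2.network):
            hits.append((n1, str(a1), s1, n2, str(a2), s2))
    return hits


if __name__ == "__main__":
    for n1, a1, s1, n2, a2, s2 in find_overlaps(parse_interfaces(OSPF_BRIEF)):
        print(f"{n1} {a1} ({s1}) overlaps {n2} {a2} ({s2})")
```
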


Re: [c-nsp] Unable to create BFD session on C6500

2014-12-12 Thread Marco Marzetti

On 11/12/2014 21:28, Мурат Каипов wrote:
> Hello Marco.
> Can you provide what type of Line Cards you use and check your Cat6500
> for this restrictions:
>
>   * Cisco Catalyst 6500 series switches support up to 100 BFD sessions
>     with a minimum hello interval of 50 ms and a multiplier of 3. The
>     multiplier specifies the minimum number of consecutive packets that
>     can be missed before a session is declared down.
>   * If SSO is enabled on a dual RP system, the following limitations apply:
>       o The maximum number of BFD sessions supported is 50.
>       o The minimum hello interval is 500 ms with a multiplier of 3 or
>         higher.
>       o If EIGRP is enabled, the maximum number of BFD sessions
>         supported is reduced to 30.
>       o Echo mode is supported on Distributed Forwarding Cards (DFCs) only.
>   * BFD SSO is supported on Cisco Catalyst 6500 series switches using
>     the E-chassis and 67xx line cards only. Centralized Forwarding Cards
>     (CFCs) are not supported.
>   * To enable echo mode the system must be configured with the no ip
>     redirects command.
>   * During the In Service Software Upgrade (ISSU) cycle the line cards
>     are reset, causing a routing flap in the BFD session.





Hello,

Gi2/7 is on a very old line card: WS-X6724-SFP

We're not running SSO on that box and the number of sessions is a lot 
less than 100.


Also note that C6500_1 is not able to create the BFD session on the 
interface Gi2/7 even if we disable the protocol on ME3600X.



ME3600X(config)#interface GigabitEthernet0/24
ME3600X(config-if)#no  bfd template bfd-core
ME3600X(config-if)#do sho bfd neig

IPv4 Sessions
NeighAddr          LD/RD     RH/RS   State   Int
192.0.2.202        8/199     Up      Up      Gi0/23

ME3600X(config-if)#


C6500_1(config-if)#no  bfd interval 300 min_rx 300 multiplier 3
C6500_1(config-if)# bfd interval 300 min_rx 300 multiplier 3
Dec 12 09:17:57.360: BFD-DEBUG EVENT: bfd_session_create failed, 6
C6500_1(config-if)#


So i guess that something went wrong on that box.

Do You have any ideas?

Thank You

Re: [c-nsp] Unable to create BFD session on C6500

2014-12-12 Thread Marco Marzetti

On 11/12/2014 03:30, Alessandro Braga wrote:
> Marco,
>
> Are you using NSF/SSO on the C6500 devices? If yes, please check the
> restrictions regarding the use of BFD and NSF.
>
>
> Regards,
> Alessandro




Hello Alessandro,

We're not.

Thank You



Re: [c-nsp] Unable to create BFD session on C6500

2014-12-11 Thread Marco Marzetti

On 11/12/2014 02:50, Мурат Каипов wrote:
> Hello Marco, can you show Ip ospf interface  on both sides?



Hello,

Of course:

C6500_1#show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0               192.0.2.52/32      1     LOOP  0/0
Gi2/7        1     0               192.0.2.174/30     10    P2P   1/1
Gi2/6        1     0               192.0.2.110/30     10    P2P   1/1
Gi3/11       1     0               192.0.2.173/30     10    DOWN  0/0
Vl27         1     0               192.0.2.126/28     10    DR    4/4
Gi2/4        1     0               192.0.2.105/30     10    P2P   1/1
Gi1/1        1     0               192.0.2.97/30      1     P2P   1/1
Gi2/5        1     0               192.0.2.57/30      10    P2P   1/1
C6500_1#show mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet1/1     Yes (ldp)     No       No  No     Yes
GigabitEthernet2/4     Yes (ldp)     No       No  No     Yes
GigabitEthernet2/5     Yes (ldp)     No       No  No     Yes
GigabitEthernet2/6     Yes (ldp)     No       No  No     Yes
GigabitEthernet2/7     Yes (ldp)     No       No  No     Yes
GigabitEthernet3/11    Yes           No       No  No     No
Vlan27                 Yes (ldp)     No       No  No     Yes
C6500_1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.0.2.19        0   FULL/  -        00:00:34    192.0.2.173     GigabitEthernet2/7
192.0.2.18        0   FULL/  -        00:00:38    192.0.2.109     GigabitEthernet2/6
192.0.2.3         0   FULL/DROTHER    00:00:38    192.0.2.114     Vlan27
192.0.2.4         0   FULL/DROTHER    00:00:36    192.0.2.113     Vlan27
192.0.2.5         0   FULL/DROTHER    00:00:37    192.0.2.119     Vlan27
192.0.2.7         0   FULL/DROTHER    00:00:38    192.0.2.118     Vlan27
192.0.2.50        0   FULL/  -        00:00:39    192.0.2.106     GigabitEthernet2/4
192.0.2.1         0   FULL/  -        00:00:38    192.0.2.98      GigabitEthernet1/1
192.0.2.50        0   FULL/  -        00:00:38    192.0.2.58      GigabitEthernet2/5

C6500_1#



ME3600X#show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Lo0          1     0               192.0.2.19/32      1     LOOP  0/0
Gi0/24       1     0               192.0.2.173/30     10    P2P   1/1
Gi0/23       1     0               192.0.2.201/30     10    P2P   1/1
ME3600X#show mpls interfaces
Interface              IP            Tunnel   BGP Static Operational
GigabitEthernet0/23    Yes (ldp)     No       No  No     Yes
GigabitEthernet0/24    Yes (ldp)     No       No  No     Yes
ME3600X#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.0.2.52        0   FULL/  -        00:00:35    192.0.2.174     GigabitEthernet0/24
192.0.2.50        0   FULL/  -        00:00:35    192.0.2.202     GigabitEthernet0/23

ME3600X#



As you can see ( on both sides ):
- OSPF is in FULL state
- MPLS is enabled
- LDP is up

Thank You

Re: [c-nsp] Unable to create BFD session on C6500

2014-12-10 Thread Marco Marzetti

On 09/12/2014 20:39, Murat Kaipov wrote:
> Hello Marco.
> Keep in mind that ME3600/ME3800 platforms doesn't support BFD offload, and
> all BFD packets processed by CPU.
> http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-4_1_S/chassis/configuration/guide/3600x_24cxscg/swbfd.pdf
> Show configuration on both sides please.




Hello Murat,

I'm well aware of the hardware offload limit.
But cisco brought it to ME-3600X-24CX and I *HOPE* they will do the same 
with the other platforms in future.


Anyway you can find the configuration below

 C6500_1 
!
router ospf 1
 router-id 192.0.2.52
 auto-cost reference-bandwidth 1
 redistribute connected subnets
 bfd all-interfaces
 mpls ldp sync
!
interface GigabitEthernet2/7
 mtu 9216
 ip address 192.0.2.174 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 *HIDDEN*
 ip ospf network point-to-point
 ip ospf 1 area 0
 udld port disable
 mls qos trust dscp
 mpls ip
 bfd interval 300 min_rx 300 multiplier 3
!


 ME3600X 
!
platform bfd allow-svi
!
bfd-template single-hop bfd-core
 interval min-tx 300 min-rx 300 multiplier 3
!
router ospf 1
 router-id 192.0.2.19
 auto-cost reference-bandwidth 1
 redistribute connected subnets
 redistribute static subnets
 bfd all-interfaces
 mpls ldp sync
 mpls ldp autoconfig area 0
!
interface GigabitEthernet0/24
 no switchport
 mtu 9216
 ip address 192.0.2.173 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 7 *HIDDEN*
 ip ospf network point-to-point
 ip ospf 1 area 0
 udld port disable
 bfd template bfd-core
!

Thank you



[c-nsp] Unable to create BFD session on C6500

2014-12-09 Thread Marco Marzetti

Hello,

We run BFD on all of our devices and we're currently having some 
problems between a pair of C6500/SUP720 and a ME3600X .


The network diagram is as follows:

            +-----------+
            |           |
      +-----+  C6500_1  |
      |     |           |
      |     +--+-----+--+
+-----+-----+  |     |
|           |  |     |
|  ME3600X  |  |     |
|           |  |     |
+-----+-----+  |     |
      |     +--+-----+--+
      |     |           |
      +-----+  C6500_2  |
            |           |
            +-----------+

Both the C6500 run the following software: 
s72033-adventerprisek9-mz.151-2.SY2.bin

Both C6500 are SUP720-3B and there isn't any dCEF enabled card on them.

The OSPF sessions on C6500_1 is in FULL state:

C6500_1# show ip ospf neighbor | i 2/7
192.0.2.19        0   FULL/  -        00:00:32    192.0.2.173     GigabitEthernet2/7

and the relevant configuration is as follows:

interface gigabitEthernet 2/7
 ip ospf network point-to-point
 ip ospf 1 area 0
 bfd interval 300 min_rx 300 multiplier 3
 no bfd echo
!
router ospf 1
 bfd all-interfaces
!

Anyway IOS is not able to start a BFD session on that interface:

C6500_1# show ip ospf neighbor 212.183.160.19 | i BFD
C6500_1#

And returns an error when BFD debugging is on:

C6500_1#show debugging
BFD:
  BFD event debugging is on for interface GigabitEthernet2/7
  BFD packet debugging is on for interface GigabitEthernet2/7
C6500_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C6500_1(config)#int gi2/7
C6500_1(config-if)#no bfd interval
C6500_1(config-if)#bfd interval 300 min_rx 300 multi 3
C6500_1(config-if)#
Dec  9 16:07:42.737: BFD-DEBUG EVENT: bfd_session_create failed, 6
C6500_1(config-if)#

At the same time there are running BFD sessions on other interfaces 
configured with the very same statements:


For instance the following interface is connected to another ME3600X 
that is running the same software version:


C6500_1#show bfd neighbors | i 2/6
192.0.2.109        294/3     Up      Up      Gi2/6
C6500_1#

Can anyone help?

Thank You


Re: [c-nsp] Upgrading to 40G

2014-02-28 Thread Marco van den Bovenkamp
On February 28, 2014 1:33:52 PM CET, Gert Doering g...@greenie.muc.de wrote:
> Hi,
>
> On Fri, Feb 28, 2014 at 12:49:26PM +0200, Mark Tinka wrote:
>> While I can appreciate this, history has always proven that 
>> users will find a use for something for which it wasn't 
>> initially intended - y'know, like using a Cisco 2901 as a 
>> core router :-).
>
> old age day
> 2503 made a good core router, back in the day...  (we had two! A 2503 
> and a 4500, with a E1 between them...)
>
> This newfangled 2900 stuff, nobody needs that much RAM in a router!
> /old age day
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025   
> g...@net.informatik.tu-muenchen.de





Young whippersnapper :-). We had no need of those newfangled 2500s. We had 
AGS+es and liked it! (Still have a CGS running IOS 8.0 lying about somewhere...)


Re: [c-nsp] raspberry pi

2013-11-20 Thread Marco Campos

Thinking of using it at home for email, http, ftp, DHCP, DNS server
and AirPlay sound device :)

It will replace my current WinXP PC as it will be silent and use
less energy. Maybe it will also have a backup HDD attached to it... it
depends on the network performance.

On 20-11-2013 06:23, Preston Chilcote (pchilcot) wrote:
 Hi Everyone,
 I'm curious:  Does anyone use one or more raspberry pis in their network
 (for networking related stuff)?  What kinds of things are they used for?

 Thanks,
  Preston Chilcote











Re: [c-nsp] 7200 - policy-map foo enter causes telnet/console to freeze?

2013-04-09 Thread Marco Marzetti
On Tue, 09/04/2013 at 15.11 +1030, CiscoNSP List wrote:

 Hi guys,
 Have a 7200(G1), with existing policy-maps (Working fine) - Today, tried 
 adding a new policy-map(telnet session), and the telnet session froze after 
 hitting enter?
 
 (config)#policy-map TESTTEST  enter(telnet session frozen)
 
 Tried also via console, and get the same result? (No error messages on 
 console session)
 
 Anyone experienced this before?


In a simple word: No.
What IOS version are you running?



Re: [c-nsp] Switching Loops

2013-03-25 Thread Marco Nesler
You can use Flex Links

marco

2013/3/25 M K gunner_...@live.com

 Hi I was wondering if I can avoid switching loops without turning on
 spanning tree? I have two connections between two switches and they are
 configured as access in the same vlan, and I do not want to configure
 spanning tree, how to avoid loops?
 Thanks


Re: [c-nsp] ASR1000 and QOS

2012-09-17 Thread Marco Marzetti
On Wed, 22/08/2012 at 14.23 +, Brian Turnbow wrote:

 Hello Everyone,
 
 I am trying to realize a qos configuration on an asr 1006 for pppoe services 
 being sold by our national incumbent.
 On a single GE interface I will receive two classes of services, cos 0 and 
 cos 1,  each with a set bandwidth. i.e. cos 0 100mbps cos 1 20mbps.
 Each dslam gets terminated using a vlan for each cos , so in the end I will 
 have n vlans for the cos 0 traffic and x vlans for the cos 1 traffic.
 Things gets complicated though as we want to assign a policy to the pppoe 
 sessions as well, as we will have varying line rates on the customer lines.
 Ideally I would like to be able to shape the n vlans to the cos 0 rate and 
 the x vlans to the cos 1 rate,
 and then be able to shape the single sessions as each will have a different 
 line rate.
 
 I have tried
 
 1) with the SE following us (on vacation now since we need him)  we thought 
 that service policy aggregation would be the way to go.
 http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_policies_agg.html
 but when we assign the end user policy via radius it does not get applied and 
 we have the error
 policy TEST with fragment class can only be attached to ethernet subifc and 
 port-channel subifc
 Tinkered awhile with various configs but no go lets try something else..
 
 2) setting up a policy on the GE that shapes on match vlans , and sending 
 service policy for the users via radius.
 error message
 service-policy with queueing features on sessions is not allowed in 
 conjunction with interface based
 and the policy is not applied
 bummer
 I am thinking about trying to declare the interface bandwidth via radius and 
 then use bandwidth % instead of shape but that should be queueing as well and 
 also the scaling documents for the asr have big warnings on the use of 
 lcp:interface-config ...
 
 
 So here I am looking for a way to do this
 
 The only other thing that comes to mind is placing a box before the asr to 
 shape the vlans and just work on the sessions on the asr, but that means 
 another box to purchase, maintain, etc etc.
 
 If you've made it this far (sorry about the length)
 Has anyone done something similar, or have any suggestions ?
 
 Thanks in advance!
 
 Brian


Hello Brian,

We faced the same problem ( and, i bet, the same incumbent too ) earlier
in the summer.
We got out of it by placing an old Catalyst switch between the incumbent
and our BRAS.

Regards

Marco


[c-nsp] HQF for broadband

2012-05-04 Thread Marco Marzetti
Hello,

Is it possible to hierarchically shape the egress traffic of the PPPoE
sessions aggregated on a GigabitEthernet port on C7200 or C7600?
We must comply with the SLA offered by the carrier that carries to us
the aggregated sessions and, also, we would like to modify the per PPP
session egress bandwidth limit with RADIUS.

Thank You


[c-nsp] MQC and PA-A6

2012-04-16 Thread Marco Marzetti
Hello,

Simple and plain question: does MQC work in hardware when attached to
ATM VP||PVC on c7200+PA-A6 ?

Thank You

Regards


[c-nsp] WFQ and PPPoE on BRAS

2012-02-03 Thread Marco Marzetti

Hello,

How is WFQ supposed to work on cisco when there's only PPPoE traffic on
the interface?

WFQ uses source and dst address/port values to identify flows and then
distributes them among the queues (AFAIK); anyway, I don't think IOS
inspects the PPP payload looking for them.

Thank You

Regards


Re: [c-nsp] Problem with 7200 and 12.2(33)SRE upgrade

2012-01-14 Thread Marco Marzetti
Hello,

We had so MANY problems with 12.2(33) SRE ( and SRD too ) and ATM on C7200
that we decided to revert to previous IOS ( ~12.3 ) and buy a new box to
terminate the new ethernet services.

We experienced VC flapping and weird CLI counters.
Workaround for flapping was to remove and re-configure the ATM sub-interface.
We found no solution for counters.

Ps. Since we opened a bug, Cisco recommended us to upgrade to 15.1.

Hope this helps

Jon Harald Bøvre c...@bovre.no wrote:

Hi

You mention DSL, radius and PPP.

We had similar problems some years ago, PPPoA/l2tp tunnels did not come
up from all clients (7206 acted as LNS)
Our upgrade was from 12.2T something to 12.3T something, cannot remember
details.

After several tries of this upgrade on several routers we opened a TAC
case, and had a possible solution back within record breaking half an
hour.
Problem:
Early versions of IOS did not check all parameters coming back from ACS
Radius
We had an errored/missing configuration on our ACS Radius
Somewhere in 12.3 train this behaviour was changed to check all
parameters
Now the LNS refused to make the connections.
After making the necessary adjustment on the ACS we had no problems with
the upgrade.
There is a BUG ID for this, search
Later these routers have been upgraded to 12.2(24)T, and one to 15.0
something without problems

Don't know if this relates to your problems.

Also check ATM support in your IOS, as ATM has started to fade away from
newer IOS

Jon Harald Bøvre









On 4. jan. 2012 20:12 Walter Keen walter.k...@rainierconnect.net
wrote:

 Hi, I have a router I'm trying to move to a SR train, or more
 specifically 12.2(33)SRE from 12.3(15a) but I have a reports from DSL
 users of being unable to get to most places after that upgrade, which
 we
 reverted.
 
 We've even setup a test router, and tried to duplicate it, with no
 luck
 so far. We do have one production router with that IOS (SRE) that
 works
 fine.
 
 About the only difference I can find is hardware (CPU/midplane)
 revisions and bootloader versions.
 
 I'm starting to wonder if anyone else on this list has encountered
 similar issues.
 All are NPE-G1, some with 512m ram, others with 1G ram
 
 C7200-1 uses NAT(I know), PPP, radius, tacacs, ospf, bgp. C7200-2 and
 -3 use the same without NAT. We've tried replicating the config of -1
 onto -4 (the lab system) without being able to reproduce the issue.
 unfortunately these are all out of a support contract
 
 C7200-1 (with the issue):
 current IOS 12.3(15a)
 ROM: 12.3(4r)T3
 SB-1 CPU at 700MHz, Implementation 1, Rev 0.2, 512KB L2 Cache
 4 slot VXR midplane, Version 2.0
 Bootloader: 12.3(9), RELEASE SOFTWARE (fc2)
 Exhibited packet loss to ATM sub-interfaces (DSL customers)
 when moving to 12.2(33)SRE
 
 
 C7200-2 (another with the issue):
 current IOS 12.4(25b)
 ROM: 12.3(4r)T3
 SB-1 CPU at 700MHz, Implementation 1025, Rev 0.2, 512KB L2 Cache
 4 slot VXR midplane, Version 2.6
 Bootloader: 12.4(12), RELEASE SOFTWARE (fc1)
 Exhibited packet loss to ATM sub-interfaces (DSL customers)
 when moving to 12.2(33)SRE
 
 C7200-3 (working in production on SRE):
 current IOS 12.2(33)SRE
 ROM: 12.2(20030826:190624) [BLD-npeg1_rommon_r11 102], DEVELOPMENT
 SOFTWARE
 SB-1 CPU at 700MHz, Implementation 1025, Rev 0.2, 512KB L2 Cache
 4 slot VXR midplane, Version 2.11
 Bootloader: 12.4(12), RELEASE SOFTWARE (fc1)
 
 
 C7200-4 (lab system, trying to replicate problem -- working on SRE):
 current IOS 12.2(33)SRE
 ROM: 12.3(4r)T1 fc1
 SB-1 CPU at 700MHz, Implementation 1025, Rev 0.2, 512KB L2 Cache
 4 slot VXR midplane, Version 2.6
 Bootloader: none listed in 'sh ver' output
 
 

Re: [c-nsp] ADSL-PORTAL service

2012-01-14 Thread Marco Marzetti
Hello,

Instead of rejecting the sessions, sending out-of-credit users to a captive
portal using RADIUS attribute 104 would be easy if your server has any sort of
SQL backend.

Hope this helps

john travolta johnbe...@yahoo.com wrote:

Hi all,

We want to provide a portal service for our broadband users (PPPOE), where 
they can check their balance, recharge their account and etc. we are using a 
cisco 7201 as BRAS, it is required that a user with no credit still be able to 
access this portal, right now the users are authenticated by a AAA server and 
the IP allocation is done by the AAA too, the problem is when the user has no 
credit will not be authenticated, will not get an IP address and will not be 
able to access the portal. what are the existing case scenarios to accomplish 
this.

Yours,
John 

[c-nsp] daisy-chain hop limit

2011-03-14 Thread Marco Regini
Hi,

I have to daisy-chain 28 Cisco switches; my humble is only about
spanning-tree (rapid-pvst).

I think it will work for the reasons I wrote below, but if you have any
experience please help me.

When the chain is closed the max-distance from the root bridge is 14
(more than 7 but I know it works).

When some link failure occurs and opens the chain the max-distance from
the root bridge rises to 28 but there is no possible loop in a broken
daisy-chain.

If the root-bridge dies eventually... I don't know, but I think I will
not incur any loops: it will only take more time to choose a new
bridge-root and put the port in forwarding state.

Marco Regini



Re: [c-nsp] BGP Router

2011-01-12 Thread marco
On Wed, 12 Jan 2011 23:04:28 +1100, Reuben Farrelly
reuben-cisco-...@reub.net wrote:

 Yes this switch is fine for running BGP with the caveat that you won't 
 be able to take a full BGP table on this hardware.  I believe the 
 hardware TCAM is limited to about 250,000 routes.

Yep. The ME6500 is pretty much a fixed-config SUP32.

 Regards,

   Marco.


Re: [c-nsp] Tool To Backup Configurations

2011-01-04 Thread marco
On Tue, 4 Jan 2011 08:57:21 +, Righa Shake righa.sh...@gmail.com
wrote:

 Am looking for a tool that I can use to backup Cisco configurations with
 ease.
 
 The tool could be opensource or commercial.

RANCID has been mentioned a few times. On the commercial end, we use Kiwi
(Solarwinds now) CatTools. Works fine too.

http://www.kiwisyslog.com/kiwi-cattools-overview/

Regards,

 Marco.


[c-nsp] SIP to ISDN Call Progress

2010-11-15 Thread Marco Marzetti

Hello,

I have a problem with SIP to ISDN internetworking on Cisco IOS.
I'm unable to receive early-media messages from the ISDN side of the call.
Hardware and software versions are: Cisco 2800 Software
(C2800NM-ENTSERVICES-M), Version 12.4(20)T6, RELEASE SOFTWARE (fc2).

# debug isdn q931 int Se0/1/0:15
Nov 15 10:06:54.437 CET: ISDN Se0/1/0:15 Q931: Applying typeplan for
sw-type 0x12 is 0x0 0x1, Calling num 03631970XXX
Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: Sending SETUP  callref =
0x0D0D callID = 0x980D switch = primary-net5 interface = User 
Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: TX - SETUP pd = 8  callref
= 0x0D0D 
Bearer Capability i = 0x8090A3 
Standard = CCITT 
Transfer Capability = Speech  
Transfer Mode = Circuit 
Transfer Rate = 64 kbit/s 
Channel ID i = 0xA9839F 
Exclusive, Channel 31 
Calling Party Number i = 0x0180, '03631970XXX' 
Plan:ISDN, Type:Unknown 
Called Party Number i = 0x81, '199151119' 
Plan:ISDN, Type:UnknownsipSPIUpdateRtcpSession: sx79861: 
started RTP
timer in state STATE_SENT_ALERTING

Nov 15 10:06:54.457 CET: ISDN Se0/1/0:15 Q931: RX - SETUP_ACK pd = 8 
callref = 0x8D0D 
Channel ID i = 0xA9839F 
Exclusive, Channel 31


Nov 15 10:06:56.745 CET: ISDN Se0/1/0:15 Q931: RX - CALL_PROC pd = 8 
callref = 0x8D0D
Nov 15 10:07:18.206 CET: ISDN Se0/1/0:15 Q931: RX - ALERTING pd = 8 
callref = 0x8D0D
Nov 15 10:07:18.302 CET: ISDN Se0/1/0:15 Q931: RX - CONNECT pd = 8 
callref = 0x8D0D
Nov 15 10:07:18.302 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
connected to 199151119 N/A
Nov 15 10:07:18.302 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
connected to 199151119 N/A
Nov 15 10:07:18.302 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
connected to 199151119 N/A
Nov 15 10:07:18.302 CET: ISDN Se0/1/0:15 Q931: TX - CONNECT_ACK pd = 8 
callref = 0x0D0DsipSPIUpdateRtcpSession: sx79861: started RTP timer in
state STATE_SENT_ALERTING

Nov 15 10:07:21.294 CET: %ISDN-6-CONNECT: Interface Serial0/1/0:30 is now
connected to 199151119 N/A
Nov 15 10:07:21.294 CET: %ISDN-6-DISCONNECT: Interface Serial0/1/0:30 
disconnected from 199151119 , call lasted 2 seconds
Nov 15 10:07:21.294 CET: ISDN Se0/1/0:15 Q931: TX - DISCONNECT pd = 8 
callref = 0x0D0D 
Cause i = 0x8090 - Normal call clearing
Nov 15 10:07:21.306 CET: ISDN Se0/1/0:15 Q931: RX - RELEASE pd = 8 
callref = 0x8D0D
Nov 15 10:07:21.306 CET: ISDN Se0/1/0:15 Q931: TX - RELEASE_COMP pd = 8 
callref = 0x0D0D

The router places the call to our public switch and cuts through the voice
path only after the CONNECT message, ignoring the CALL_PROC messages and the
relative early-audio stream.
Looking at the SIP side of the call, no SIP 183 Progress is sent by the
router between the Trying and the Ringing messages.

I would expect the router to generate proper SIP signaling and cut through
in the backward direction the voice path after the CALL_PROC message has
been received.

Any help?

Thank you


Re: [c-nsp] SIP to ISDN Call Progress

2010-11-15 Thread Marco Marzetti

On Mon, 15 Nov 2010 13:44:26 +0100, Roger Wiklund co...@xy.org wrote:
 Exactly what problems are you experiencing? One way audio? No
 ringback? DTMF issues etc?
 
 Have you tried voice rtp send-recv? This is used for cut Through
 Two-Way Audio Early. Not sure it will help though.
 

http://www.cisco.com/en/US/docs/ios/12_2/voice/command/reference/vrf_t.html#wp1076026
 
 /Roger
 
 On Mon, Nov 15, 2010 at 10:36 AM, Marco Marzetti ma...@lamehost.it
wrote:

Hello,

I'm experiencing no audio in the backward direction when in-band
information are
generated from the remote switch.
I'm unable to hear other telco's alert messages, like The number you've
dialed is not in service.

Thank You



Re: [c-nsp] SIP to ISDN Call Progress

2010-11-15 Thread Marco Marzetti

On Mon, 15 Nov 2010 13:51:49 +0100, Brian Turnbow b.turn...@twt.it
wrote:
 Hi Marco
 
 See inline
 
 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
 boun...@puck.nether.net] On Behalf Of Marco Marzetti
 Sent: Monday 15 November 2010 10:36
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] SIP to ISDN Call Progress
 
 
 Hello,
 
 I have a problem with SIP to ISDN internetworking on Cisco IOS.
 I'm unable to receive early-media messages from the ISDN side of the
 call.
 Hardware and software versions are: Cisco 2800 Software
 (C2800NM-ENTSERVICES-M), Version 12.4(20)T6, RELEASE SOFTWARE (fc2).
 
 # debug isdn q931 int Se0/1/0:15
 Nov 15 10:06:54.437 CET: ISDN Se0/1/0:15 Q931: Applying typeplan for
 sw-type 0x12 is 0x0 0x1, Calling num 03631970XXX
 Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: Sending SETUP  callref =
 0x0D0D callID = 0x980D switch = primary-net5 interface = User
 Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: TX - SETUP pd = 8
 callref
 = 0x0D0D
  Bearer Capability i = 0x8090A3
  Standard = CCITT
  Transfer Capability = Speech
  Transfer Mode = Circuit
  Transfer Rate = 64 kbit/s
  Channel ID i = 0xA9839F
  Exclusive, Channel 31
  Calling Party Number i = 0x0180, '03631970XXX'
  Plan:ISDN, Type:Unknown
  Called Party Number i = 0x81, '199151119'
  Plan:ISDN, Type:UnknownsipSPIUpdateRtcpSession: sx79861:
 started RTP
 timer in state STATE_SENT_ALERTING
 
 Nov 15 10:06:54.457 CET: ISDN Se0/1/0:15 Q931: RX - SETUP_ACK pd = 8
 callref = 0x8D0D
  Channel ID i = 0xA9839F
  Exclusive, Channel 31
 
 
 Nov 15 10:06:56.745 CET: ISDN Se0/1/0:15 Q931: RX - CALL_PROC pd = 8
 callref = 0x8D0D
 
 
 There is no progress indicator indicating that inband information is now
 available.
 So no opening of the audio channel. You can play around with the progress
 indicators you send out with your setup to manipulate this.
 Try searching for no ringback, no busytones on the cisco website for an
 in depth explanation.
 
 

Hello,

I configured my dial-peer in this way:
dial-peer voice 1400 pots
 voice cut-through alert
 preference 4
 destination-pattern 199151119
 progress_ind setup enable 1
 no digit-strip
 port 0/0/1:15
!

Now I see the PI reminder:

Nov 15 14:39:07.121 CET: ISDN Se0/1/0:15 Q931: TX - SETUP pd = 8  callref
= 0x1C5C 
Bearer Capability i = 0x8090A3 
Standard = CCITT 
Transfer Capability = Speech  
Transfer Mode = Circuit 
Transfer Rate = 64 kbit/s 
Channel ID i = 0xA9839F 
Exclusive, Channel 31 
Progress Ind i = 0x8181 - Call not end-to-end ISDN, may have in-band 
info

Calling Party Number i = 0x0180, '03631970353' 
Plan:ISDN, Type:Unknown 
Called Party Number i = 0x81, '199151119' 
Plan:ISDN, Type:Unknown
Nov 15 14:39:07.133 CET: ISDN Se0/1/0:15 Q931: RX - SETUP_ACK pd = 8 
callref = 0x9C5C 
Channel ID i = 0xA9839F 
Exclusive, Channel 31
Nov 15 14:39:08.253 CET: ISDN Se0/1/0:15 Q931: RX - CALL_PROC pd = 8 
callref = 0x9C5C

Looking at this:
http://www.cisco.com/en/US/tech/tk1077/technologies_tech_note09186a0080094c33.shtml#progresstones
I would expect the call to be cut through after the SETUP_ACK has been
received.
Anyway I have the same problem, no audio is sent to my phone before the
CONNECT message.

Thank You
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
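
The check discussed in the message above (did the network return a Progress Indicator before CONNECT?) can be run mechanically over a `debug isdn q931` capture. The following is an added example, not part of the original messages: the sample lines are constructed on the model of the traces in this thread (the third call, with call reference 0x0042, is wholly hypothetical), and treating progress descriptions 1 and 8 as the ones that announce in-band audio is this example's assumption.

```python
import re
from dataclasses import dataclass, field

# Header of a Q.931 message in the debug output, e.g.
#   "... Q931: RX <- CALL_PROC pd = 8  callref = 0x8D0D"
# The bare "-" form is accepted too, for captures whose arrows were stripped.
MSG_RE = re.compile(
    r"Q931:\s+(?P<dir>TX|RX)\s+(?:->|<-|-)\s+(?P<name>[A-Z_]+)\s+pd\s*=\s*\d+"
    r"\s+callref\s*=\s*(?P<ref>0x[0-9A-Fa-f]+)")
PI_RE = re.compile(r"^\s*Progress Ind i = 0x(?P<hex>[0-9A-Fa-f]+)")

# Q.931 progress descriptions: 1 = call is not end-to-end ISDN (in-band
# information may be available), 8 = in-band information now available.
# Using exactly these two as "early media announced" is an assumption here.
INBAND_DESCRIPTIONS = {1, 8}


@dataclass
class Message:
    direction: str            # "TX" (sent by the router) or "RX" (received)
    name: str                 # SETUP, CALL_PROC, ALERTING, ...
    callref: int              # call reference with the flag bit cleared
    progress: list = field(default_factory=list)  # progress descriptions


def parse_q931(lines):
    """Build Message objects, attaching each Progress Ind IE to the
    message header that precedes it."""
    messages = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            # Assumes the 2-octet call reference seen in the thread: the top
            # bit is the origination flag, so 0x8D0D and 0x0D0D are one call.
            ref = int(m.group("ref"), 16) & 0x7FFF
            messages.append(Message(m.group("dir"), m.group("name"), ref))
            continue
        p = PI_RE.match(line)
        if p and messages:
            # Progress description = low 7 bits of the IE's last octet.
            messages[-1].progress.append(int(p.group("hex"), 16) & 0x7F)
    return messages


def early_media_report(messages):
    """Per call: what arrived before CONNECT, and whether any of it carried
    a Progress Indicator announcing in-band audio."""
    calls = {}
    for msg in messages:
        call = calls.setdefault(msg.callref, {
            "setup_pi": [], "rx_before_connect": [],
            "rx_pi_before_connect": [], "connected": False})
        if msg.direction == "TX" and msg.name == "SETUP":
            call["setup_pi"] = msg.progress
        elif msg.direction == "RX" and not call["connected"]:
            if msg.name == "CONNECT":
                call["connected"] = True
            else:
                call["rx_before_connect"].append(msg.name)
                call["rx_pi_before_connect"].extend(msg.progress)
    for call in calls.values():
        call["inband_announced"] = bool(
            INBAND_DESCRIPTIONS & set(call["rx_pi_before_connect"]))
    return calls


# Constructed sample input (unwrapped, arrows restored).
SAMPLE = """\
Nov 15 10:06:54.441 CET: ISDN Se0/1/0:15 Q931: TX -> SETUP pd = 8  callref = 0x0D0D
        Bearer Capability i = 0x8090A3
        Channel ID i = 0xA9839F
Nov 15 10:06:54.457 CET: ISDN Se0/1/0:15 Q931: RX <- SETUP_ACK pd = 8  callref = 0x8D0D
Nov 15 10:06:56.745 CET: ISDN Se0/1/0:15 Q931: RX <- CALL_PROC pd = 8  callref = 0x8D0D
Nov 15 10:07:18.206 CET: ISDN Se0/1/0:15 Q931: RX <- ALERTING pd = 8  callref = 0x8D0D
Nov 15 10:07:18.302 CET: ISDN Se0/1/0:15 Q931: RX <- CONNECT pd = 8  callref = 0x8D0D
Nov 15 10:07:18.302 CET: ISDN Se0/1/0:15 Q931: TX -> CONNECT_ACK pd = 8  callref = 0x0D0D
Nov 15 14:39:07.121 CET: ISDN Se0/1/0:15 Q931: TX -> SETUP pd = 8  callref = 0x1C5C
        Progress Ind i = 0x8181 - Call not end-to-end ISDN, may have in-band info
Nov 15 14:39:07.133 CET: ISDN Se0/1/0:15 Q931: RX <- SETUP_ACK pd = 8  callref = 0x9C5C
Nov 15 14:39:08.253 CET: ISDN Se0/1/0:15 Q931: RX <- CALL_PROC pd = 8  callref = 0x9C5C
Nov 15 15:00:00.000 CET: ISDN Se0/1/0:15 Q931: TX -> SETUP pd = 8  callref = 0x0042
Nov 15 15:00:00.100 CET: ISDN Se0/1/0:15 Q931: RX <- CALL_PROC pd = 8  callref = 0x8042
Nov 15 15:00:01.000 CET: ISDN Se0/1/0:15 Q931: RX <- PROGRESS pd = 8  callref = 0x8042
        Progress Ind i = 0x8288 - In-band info or appropriate now available
Nov 15 15:00:09.000 CET: ISDN Se0/1/0:15 Q931: RX <- CONNECT pd = 8  callref = 0x8042
"""

if __name__ == "__main__":
    for ref, call in early_media_report(parse_q931(SAMPLE.splitlines())).items():
        print(f"callref 0x{ref:04X}: sent PI {call['setup_pi']}, "
              f"received {call['rx_before_connect']} before CONNECT, "
              f"in-band announced: {call['inband_announced']}")
```

Run over a real capture, a call whose report shows `inband_announced` as false matches the situation in both traces posted in this thread: nothing the network sent before CONNECT carried a Progress Indicator.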

Re: [c-nsp] SIP to ISDN Call Progress

2010-11-15 Thread Marco Marzetti

On Mon, 15 Nov 2010 13:00:21 +, Ryan West rw...@zyedge.com wrote:
 Please post your sanitized sip-ua config.  You may be missing your
 progress mappings. 
 
 Sent from handheld 
 
 On Nov 15, 2010, at 5:36 AM, Marco Marzetti ma...@lamehost.it wrote:
 

Hello,

My sip-ua setting is totally plain.
What setup do you recommend?

Thank You




[c-nsp] Problems with dot1q trunk over EoMPLS with WS-X6148-GE-TX

2010-08-08 Thread Marco Matarazzo
Hi all,

was trying to configure an EoMPLS link between two 6500s:

Router1
6506 w/VS-S720-10G IOS 12.2(33)SXI2
Customer facing blade: WS-X6148-RJ-45

Router2
6503 w/WS-SUP32-10GE-3B IOS 12.2(33)SXI2
Customer facing blade: WS-X6148-GE-TX

The routers are connected between via the Sup integrated 10Gb interface, mtu
on them is 9000.

EoMPLS works fine if there's no dot1q trunk going over the VC. If there's
one set, everything SEEMS to work, pings go thru, dns requests are fine, I
can access any vlans from anywhere etc. The problem is that I cannot
access any internet page or download anything; all the connections stall!
Seems like a MTU problem to me so begin troubleshooting and find that the
maximum packet size that can travel between this dot1q trunk over EoMPLS is
1496 instead of 1500.

On both routers of course the VC is up:

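Router1#sh mpls l2 vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Fa2/32         Ethernet                   x.y.z.56        71172104   UP

Router2##sh mpls l2 vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi2/3          Ethernet                   x.y.z.40        71172104   UP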

And the MTU of the VC is 1500:

Router1##sh mpls l2 vc 71172104 det
Local interface: Fa2/32 up, line protocol up, Ethernet up
  Destination address: x.y.z.56, VC ID: 71172104, VC status: up
Output interface: Te5/5, imposed label stack {700}
Preferred path: not configured
Default path: active
Next hop: x.y.z.14
  Create time: 03:32:35, last status change time: 03:32:35
  Signaling protocol: LDP, peer x.y.z.56:0 up
Targeted Hello: x.y.z.40(LDP Id) - x.y.z.56
MPLS VC labels: local 969, remote 700
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description: -VC-71172104--
  Sequencing: receive disabled, send disabled
  VC statistics:
packet totals: receive 1959291, send 3518574
byte totals:   receive 1809500293, send 700321865
packet drops:  receive 0, send 0

Router2##sh mpls l2 vc 71172104 det
Local interface: Gi2/3 up, line protocol up, Ethernet up
  Destination address: x.y.z.40, VC ID: 71172104, VC status: up
Output interface: Te1/2, imposed label stack {969}
Preferred path: not configured
Default path: active
Next hop: x.y.z.13
  Create time: 3d19h, last status change time: 03:30:59
  Signaling protocol: LDP, peer x.y.232.40:0 up
Targeted Hello: x.y.z.56(LDP Id) - x.y.z.40
MPLS VC labels: local 700, remote 969
Group ID: local 0, remote 0
MTU: local 1500, remote 1500
Remote interface description: -VC-71172104--
  Sequencing: receive disabled, send disabled
  VC statistics:
packet totals: receive 50349195, send 5715589
byte totals:   receive 10440236044, send 5129079765
packet drops:  receive 0, send 0

This is the port config:

Router1#sh run int fa 2/32
Building configuration...

Current configuration : 245 bytes
!
interface FastEthernet2/32
 description -VC-71172104--
 no ip address
 ip verify unicast source reachable-via any allow-default
 no ip redirects
 no ip proxy-arp
 xconnect x.y.z.56 71172104 encapsulation mpls

Router2##sh run int gi 2/3
Building configuration...

Current configuration : 257 bytes
!
interface GigabitEthernet2/3
 description -VC-71172104--
 no ip address
 ip verify unicast source reachable-via any
 no ip redirects
 no ip proxy-arp
 speed 100
 duplex full
 xconnect x.y.z.40 71172104 encapsulation mpls


Unfortunately I cannot bump up the mtu on WS-X6148-GE-TX (need the A version
for that!), but this is the port where the xconnect is terminating, so I was
under the impression that I wouldn't need jumbo frames support as the labels
would just be  passed thru the TenG mpls enabled interfaces, isn't it? I
verified that lowering the interface mtu of the client machines makes
everything work again. Played with the mpls mtu command, but it does not
seem to have any effect whatsoever.
Oddly enough, I see giants increasing on Router1, but not on Router2. I
assume these are the dot1q trunk packets, but then why I'm seeing the
counter increasing only on one side? The customer says on his switch
interfaces, the mtu is 1500 on both trunks.
So do you think I really need to bump the blade to at least WS-X6148A-GE-TX
for this config to work, or am I missing something else?

Thanks!
]\/[arco
-- 
I'm Winston Wolf, I solve problems.


Re: [c-nsp] Weird ACL behaviour

2010-06-18 Thread Marco Matarazzo
On Fri, Jun 18, 2010 at 3:52 PM, Rodney Dunn rod...@cisco.com wrote:

 Ben forgot to mention the development engineers are porting it over to the
 SR train for 7600 as it was one they missed in the cross port of applicable
 fixes.


So are also the 7600 affected? I thought only the 6500 trains were, at least
it looked this way from the bug toolkit!

Cheers,
]\/[arco


[c-nsp] Weird ACL behaviour

2010-06-17 Thread Marco Matarazzo
Hi all,

I'm facing a strange behaviour on an ACL just wanted to know if someone has
encountered a similar issue? Here're the facts:

I'm using a Cisco 6509 on SXI2, I've setup Netflow to collect and send
traffic to a collector. The collector is on my management network. The
relevant configs:

[...snip...]

mls netflow interface
mls flow ip interface-full
mls nde sender

[... some interfaces has ip flow ingress configured...]

interface FastEthernet3/48
 description Management Network
 ip address 10.16.x.y 255.255.255.0
 ip access-group Management out
 no ip proxy-arp

ip flow-export source FastEthernet3/48
ip flow-export version 9 origin-as
ip flow-export destination 10.16.x.z 9995

ip access-list extended Management
 deny   ip any any

With this configuration in place the collector only receives flows generated
by CPU switch traffic. All the traffic generated by the mls nde sender
command does get blocked by the ACL. As soon as I remove the ACL the traffic
flows fine. I was under the assumption that traffic generated by the router
was not affected by the ACLs, and in fact all the rest of the traffic is
fine... Maybe I'm catching a bug here, or is it written somewhere that
packets created by the mls get blocked by ACLs?

Cheers,
]\/[arco


-- 
I'm Winston Wolf, I solve problems.


Re: [c-nsp] Weird ACL behaviour

2010-06-17 Thread Marco Matarazzo
On Thu, Jun 17, 2010 at 4:29 PM, Benjamin Lovell belov...@cisco.com wrote:

> The code path for MLS netflow versus software netflow is not the same. For
> MLS netflow the export records are created by the DFC/PFC so it's not
> surprising that they act differently than locally generated traffic.


I'm not surprised that the flows are created by different 'entities' inside
the 6500. Another piece of evidence is the fact that mls records are created with a
source port different from the software-created records.
I just found it unexpected that this 'entity' was considered external from the
point of view of the ACL. Once you know it, I can punch a hole in the ACL,
but wanted to be sure this is expected and not actually a bug of some sort
(in the software or in the documentation! ;)

Thanks!
]\/[arco
-- 
I'm Winston Wolf, I solve problems.


Re: [c-nsp] Weird ACL behaviour

2010-06-17 Thread Marco Matarazzo
Fantastic Ben, looks like you caught it! Will punch a hole in the ACL,
waiting for the next software upgrade cycle then!

Cheers,
]\/[arco

On Thu, Jun 17, 2010 at 6:38 PM, Benjamin Lovell belov...@cisco.com wrote:

> Marco,
>
> This looks like
> CSCtc54878 NDE direct export packets are checked by egress ACL
>
> When the packets are exported by the SP(MLS netflow) the flag for hardware
> to ignore ACL checks is not set. Fixed in SXI4.
>
> -Ben
>
>
> On Jun 17, 2010, at 11:52 AM, Rodney Dunn wrote:
>
>> If it is an inconsistency in implementation between the software and
>> hardware generated records it should be clearly articulated as a gotcha in
>> the configuration guide. Ben is checking on both parts for us.
>>
>> Rodney








-- 
I'm Winston Wolf, I solve problems.
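
The workaround discussed in this thread, written out as an added example (not part of any poster's message): the original `Management` egress ACL beside a version with a hole for the hardware NDE export. `10.16.x.y` and `10.16.x.z` are the redacted addresses from the original post and must be replaced with the real ones; matching on the export source address is an assumption, and the source port is left unmatched because the thread only says hardware-exported records use a different one.

```cisco
! Before (from the original post): egress ACL on the management interface.
! On SXI2 this also drops the NDE packets exported by the PFC/DFC,
! because they are checked by the egress ACL (CSCtc54878).
ip access-list extended Management
 deny   ip any any
!
! After: the same ACL with a single permit ahead of the deny.
!   10.16.x.y = address of FastEthernet3/48 (ip flow-export source), redacted in the post
!   10.16.x.z = collector address, redacted in the post
!   9995      = UDP port given in "ip flow-export destination"
! Assumption: hardware-exported records carry the flow-export source address.
ip access-list extended Management
 remark NDE export to collector only (workaround for CSCtc54878)
 permit udp host 10.16.x.y host 10.16.x.z eq 9995
 deny   ip any any
!
interface FastEthernet3/48
 description Management Network
 ip access-group Management out
```

The permit is scoped to one source, one destination and one UDP port, so the rest of the management segment stays behind the `deny ip any any`. Per Ben's reply the defect is fixed in SXI4, so the entry can be reviewed after that upgrade.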


[c-nsp] MVR and PIM

2010-02-22 Thread Marco Regini
Hi, and thanks for the help with my previous post, "multicast on transit
LAN".

I read about Multicast Vlan Registration; the configuration seems very
easy, but in my network there are some multicast sources and receivers
that are not directly connected to the mvr apparatus. Have you any
suggestions on how to deal with this situation?

To give a concrete example, I have:

Source--- PIM_ROUTER --- MVR_SWITCH ---MVR_SWITCH---Receiver

and also

Receiver--- PIM_ROUTER --- MVR_SWITCH ---MVR_SWITCH---Source

Marco



[c-nsp] multicast on transit LAN

2010-02-18 Thread Marco Regini
Hi,
I made some progress on this topic, with the help of ip igmp helper
address.
At L3 my network lab is like this; the vlan/network between 3560 and
3750 is the vlan 100.

Customers_cpe--Cisco3560-|
Customers_cpe--Cisco3560-|
Customers_cpe--Cisco3560-|
-|---Cisco3750---Core
Customers_cpe--Cisco3560-|


At L1 it is simply a daisy-chain on the gigabit interface with a trunk that
carries only the vlan100.

Well, IGMP snooping, CGMP, RGMP do not limit the multicast packets on
the vlan 100, I do not know why. Perhaps this is because all apparatus
are routing and switching the vlan 100: in the Cisco docs I see dedicated L2
only switches connecting customers' CPE and provider router. But this is
only a hypothesis; I need to capture some traffic to understand.

The workaround I have found is to put on the customer interface ip igmp
helper address 151.1.1.1; in this way the multicast join/leave of the
customers' CPE are forwarded by the 3560 to the Cisco3750.
This has 2 nice effects:

1)   IGMP snooping starts working on Vlan100.
2)   show ip igmp groups on the 4006 shows me multicast group
registration on all the 3560.

Questions:

 Why do I need the igmp helper address hack?
 Is any of you using igmp helper address in a production
environment?





Re: [c-nsp] netiquette

2010-02-17 Thread Marco Regini
Thanks.

So if I post a question to cisco-nsp@puck.nether.net and t...@gmail.com
answers me directly, I can't reply to the mailing list but only to tom?

Even if the message is only about technical stuff?

Marco

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mikael Abrahamsson
Sent: Wednesday, 17 February 2010 09:54
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] netiquette


Since this has now happened to me TWICE in 24 hours, I feel I need to post 
this because it seems enough people don't know about it:

http://lowendmac.com/lists/netiquette.shtml

Never post private (off-list) correspondence to the list without the 
permission of the sender.

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se


[c-nsp] multicast on transit LAN

2010-02-16 Thread Marco Regini
Hi,

I am having a serious problem with multicast because my distribution
(Cisco Catalyst 3750) and access apparatus (Cisco Catalyst 3560) see
each other via a common network (built on the common vlan 100).
Physically they are in daisy-chain with the gigabit interface, the
gigabit are in trunk, all the L3 interfaces are SVI.

The problem is to limit the multicast traffic on this vlan because at L2
it is like a broadcast. Have you any suggestions?

I read documentation about CGMP, RGMP but in the notes it is written
that this stuff works only when multicast routers are connected via a
L2 switch, and regarding the vlan 100 my Cisco are both router (there
is an SVI) and switch.

Another idea is to use IGMP snooping but my multicast receivers/sources
are not in this vlan: so no IGMP traffic passes in this vlan.

My last chance is to proxy the IGMP, let me explain:

Receiver --Vlan7-- Fa0/7.Catalyst3560.Gi0/1---Vlan100-Gi0/1.Catalyst3750

If I configure the Catalyst3560 to proxy the igmp join/leave to upstream
Catalyst3750 perhaps I give a chance to IGMP snooping to start working
on Vlan100.

 

  Marco Regini

 



Re: [c-nsp] multicast on transit LAN

2010-02-16 Thread Marco Regini
Hi Phil,
all my Cisco are routing the multicast; the problem is that the L3 links between 
them are not point-to-point.

I tried to enable rgmp, cgmp ... but it seems they assume the apparatus is either a 
router or a switch (if the Cisco has an SVI on the vlan 100 it is a router, if 
not it is a switch). I'm not sure if proxying the IGMP will work, because IGMP 
snooping probably has the same limitation, but I want to try; do you know how 
to enable it?

This is a pseudo-configuration of the apparatus; what lines do I need to proxy the 
IGMP arriving at the access interface Fa0/30?

!
interface Vlan 100
  description L3 DAESY-CHAIN-NUMBER-100
  ip address 172.16.100.1 255.255.255.0
  ip pim sparse-dense-mode
!
interface range Gi 0/1 - 4
 description L2 DAESY-CHAIN-NUMBER-100
 switchport mode trunk
 switchport trunk allowed vlan 100
! 

On the access apparatus there are the customer interfaces.

!
interface Fa0/30
 description L2 Customer Smith
 switchport access vlan 30
!
!
interface Vlan 30
 description L3 Customer Smith
 ip address 10.0.30.1 255.255.255.240
!






-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Tuesday, 16 February 2010 16:37
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] multicast on transit LAN

On 02/16/2010 11:29 AM, Marco Regini wrote:
> My last chance is to proxy the IGMP, let me explain:
>
> Receiver --Vlan7-- Fa0/7.Catalyst3560.Gi0/1---Vlan100-Gi0/1.Catalyst3750

So the 3560 and 3750 are routing the multicast?

In that case you probably need PIM snooping on the layer2 equipment 
between them. If you don't have that, then yes - IGMP proxy is an option.


Re: [c-nsp] multicast on transit LAN

2010-02-16 Thread Marco Regini
Hi Jon,
MVR is a very interesting feature, thanks. I need some time to reflect; maybe 
I'm not going to use it this time, but knowing I can do multicast in this way 
is important.

One question: how do I use MVR with PIM?

On my 3570 (my distribution router) I configure an SVI 101

!
int Vlan 101
 description L3 FOR MVR MULTICAST
 ip address 172.16.101.1 255.255.255.0
 ip pim sparse-dense-mode
!

On my Catalyst 3560 (my access apparatus) I do not create an SVI 101 but simply 
put mvr on the access interface:

!
interface Fa0/30
 description L2 Customer Smith
 switchport access vlan 30
 mvr type receiver
 mvr vlan 101 group 228.1.23.4
!
!
interface Vlan 30
 description L3 Customer Smith
 ip address 10.0.30.1 255.255.255.240
!


-Original Message-
From: Bøvre Jon Harald [mailto:jon.harald.bo...@hafslund.no] 
Sent: Tuesday, 16 February 2010 13:47
To: Marco Regini; cisco-nsp@puck.nether.net
Subject: SV: multicast on transit LAN

 
Might not solve your problem but have a look at a MVR vlan.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swigmp.html#wp1035931


Jon 





Re: [c-nsp] multicast on transit LAN

2010-02-16 Thread Marco Regini
Hi Phil,
I apologize if I'm obscure, and thanks a lot :-) for your patience. 

I have

Layer3/Layer2--Layer3/Layer2 --Layer3/Layer2-- ...

The vlan 100 spans the entire chain (the Cisco are interconnected via the fc 
gigabit interface with 802.1q trunk); each node on the chain has an interface 
vlan 100 with an address on the same network.

The customers, the multicast senders/receivers, are on the FastEthernet interfaces, 
in their dedicated vlan and network.

Regarding PIM snooping, my poor 3560 and 3750 do not support it, but in the 
documentation I found again that you need the Cisco
to be either a router or a switch, not both.

But I'm not an expert so do not trust very much what I say.

Cheers



-Original Message-
From: Phil Mayers [mailto:p.may...@imperial.ac.uk] 
Sent: Tuesday, 16 February 2010 18:19
To: Marco Regini
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] multicast on transit LAN

On 02/16/2010 04:45 PM, Marco Regini wrote:
> Hi Phil, all my cisco are routing the multicast, the problem is that
> the l3 link between them are not point-to-point.

Understood. You have the config:

layer3 -- layer2 -- (...) -- layer2 -- layer3

...and the multicast needs to pass between the layer3 devices.

The layer3 devices are using PIM to speak to each other, yes?

In which case, you need PIM snooping on the layer2 devices.

What are the layer2 devices? How many are there? Who runs them?


> I tried to enable rgmp,cgmp ... but seems they assumes the apparatus
> being a router or a switch ( if the cisco has a svi on the vlan 100
> it is a router, if not is a switch). I'm not sure if proxying the

I'm sorry, I don't understand you.

RGMP and CGMP are different things, which serve different purposes.

> IGMP will work, because IGMP snooping probably has the same
> limitation, but I want to try; do you know how to enable it?
>
> This is a pseudo configuration of apparatus, what lines I need to
> proxy the IGMP arriving to the access interface Fa0/30?

I'm sorry, I don't understand. That configuration cannot possibly work.

Can you give a more detailed configuration?

I've never used IGMP proxy on a cisco, and upon examination it looks 
like it might be a different feature than I thought - the docs seem to 
link it to unidirectional tunnels.

You really need PIM snooping.


Re: [c-nsp] VPN Tunnel Question

2010-01-10 Thread Marco

On 29/12/09 04.58, O n i wrote:

thanks!


CUT


I can post the partial config after I edit out some details

On Thu, Dec 24, 2009 at 15:50, swap mccie19...@gmail.com  wrote:



Well, post your config pls 

Bye.


Re: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU

2009-12-11 Thread Marco Eulenfeld
Hi,
 
On Fri, Dec 11, 2009 at 10:19:40AM +, Zoe O'Connell wrote:
> critical number of sessions in Idle (More than 5, less than 20) the CPU

we even saw it with 2 IDLE sessions (after a reboot) where the CPU
went to 50% permanently. only a shutdown of that IDLE session
helped.

> point. This behaviour has been confirmed on 12.2(33)SRC4 and
> 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on

12.2(33)SRA4 was/is on that box.
 
br

 marco


Re: [c-nsp] Dumb question of the day (on vlans)

2009-07-25 Thread Marco van den Bovenkamp

Security Admin (NetSec) wrote:


> Been having trouble setting up vlans on a Cisco 2950 switch.  I add one using 
> the typical method via CLI:
>
> Int vlan x
> Ip address 192.xxx.yyy.zzz 255.255.255.240
> No ip route-cache
> No shut
>
> The CLI screen notes that the vlan is up. As soon as I add another vlan (vlan 
> y) vlan y will come up but vlan x will administratively go down.  This process 
> is repeated each time I add a vlan so that only one vlan is up at any one time, 
> which is the last vlan created.  Please note that I have vlan 1 shutdown and it 
> is not used.
>
> Question is how do I keep all my vlans up simultaneously?


You don't, at least not like that. A 2950 is a pure L2 switch, and it 
can have only one IP address at the same time, purely for management 
purposes. So as soon as you assign an IP address to a VLAN interface (the 
'int vlan xxx' command), the other one will go admin down.


You create L2 VLANs with the 'vlan xxx' command.

Regards,

Marco.


Re: [c-nsp] SXI1 is out

2009-04-01 Thread Marco van den Bovenkamp

Mike Louis wrote:


> SXI didn't support Netflow export from a VRF other than the global table. The 
> command option wasn't available in the ip flow export command syntax.
>
> Here is what I am seeing in SXI
>
> 6509(config)#ip flow-export destination 10.1.1.3 9996 ?
>   <cr>
>
> The vrf flag was available in SXH.
>
> Has that been fixed in SXI1?


Probably not. I ran into the same thing when trying to run NetFlow on a 
number of ME6524s. SXH had it, SXI didn't.


TAC said: 'It wasn't fully functional in SXH and worked only for 
software flows. It's removed in SXI and there are no plans to bring it 
back'.


Bummer :-(

Regards,

Marco.


Re: [c-nsp] ME3400

2009-03-11 Thread marco

> I need to find out how many routes a Cisco ME3400 can hold. Anyone with an
> idea or pointer as to where I can find out? Any help would be appreciated.

Datasheet says 5000:
http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps6580/product_data_sheet0900aecd8034fef3.html

 Regards,

Marco.


[c-nsp] BGP outbound loadsharing

2009-01-31 Thread Marco

Kevin wrote:
 
> If you have connections to different ISPs and cannot
> take full routes then requesting partial routes
> and/or filtering received routes may enable you to
> do some path based TE.
>
> If you have multiple links to the same ISP you can
> set maximum-paths for bgp to install multiple next-hops
> for the same path in the fib.

I've only read something about it, however there is also a 
useful feature called BGP LINK BANDWIDTH used to 
enable multipath load balancing for external links 
with unequal bandwidth capacity. Traffic is sent 
proportionally to the bandwidth of the 
links that are used to exit the AS.
It requires bgp-multipath (iBGP/eBGP) enabled too.

Honestly, I'm not sure if this ext-community
overrides all the other best path selection criteria
and if we can use it when we are multihomed to
multiple ISPs.

I think it is not explained clearly, but if you want to learn
more check
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.html#wp1047649
 
Comment please!
 
 
 


Re: [c-nsp] MPLS Overlapping VPN problem (lab simulation)

2009-01-17 Thread Marco


> Marco wrote on Friday, January 16, 2009 20:53:
>
> this is expected. routes imported into a VRF x are not exported by this
> VRF to other VRFs, so a bit like BGP's rule where routes received from
> an iBGP speaker are not advertised to other iBGP speakers. So you cannot
> loop back the traffic on the PE itself.
[...]
>
> oli

Ok, I have just realized I completely misunderstood the data flow diagram.

I thought that if A-central is in VPN with B-central and B-central is in 
VPN with its remote sites, then A-central should reach B-central and via 
B-central ALL its sites (A sites). WRONG!

A-central (vrf AC) sees only B-central (vrf-BC) routes. A separate routing
instance (VRF-B) gives B-central connectivity to sites B1 and B2.
Vrf-B routes are imported (RT 2:2) in vrf-BC on Pe2, but are not exported back 
with RT 3:100 to vrf-AC on Pe1.

So easy when you know how it works. My idea of overlapping was just too large :P
 
It's time for an espresso
 
Thanks
 
Regards


Re: [c-nsp] Policing Confusion

2009-01-05 Thread marco
> Aaron Riemer wrote:
>
>> ...I am trying to achieve is to police virus updates
>> from our server so that this traffic can only obtain
>> 128Kbps of the remote sites bandwidth.
>
> Attaching this as an outbound policy-map at the remote site will only
> affect traffic outbound from that site. You'll need to either use an
> outbound policy at your central site where the server is, or use an
> inbound policy at the remote site.

I think that an inbound policy at the remote end won't help. The
policing/shaping can only act when the packets have already been
transmitted across the link, eating up the bandwidth in the process. What
happens to them afterwards won't affect that (short of messing with TCP
windows by selectively delaying/dropping ACKs and higher-order stuff like
that, which simple policing won't address).

Regards,

   Marco.



Re: [c-nsp] PA-POS-1OC3 vs. PA-A3-OC3SMI

2008-09-19 Thread marco

>> Yep. The PA-MC-STM-1:
>> http://www.cisco.com/en/US/prod/collateral/modules/ps2033/ps2762/product_data_sheet09186a008007d6c0.html
>
> This card looks like it's more at home on the Europe side of the pond,
> i.e. handling STM1s, and breaking service down to E1s.

You're absolutely right, of course. Mea culpa. Odd, though, that this card
exists and its -OC3 brother doesn't...


Re: [c-nsp] PA-POS-1OC3 vs. PA-A3-OC3SMI

2008-09-18 Thread Marco van den Bovenkamp

David Aldworth wrote:

> Hmm. Okay, so the PA-MC-T3 breaks the DS3 down to individual DS1's 
> (T1's). Is there nothing equivalent at the OC3 level?


Yep. The PA-MC-STM-1: 
http://www.cisco.com/en/US/prod/collateral/modules/ps2033/ps2762/product_data_sheet09186a008007d6c0.html


Regards,

Marco.


Re: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-27 Thread Marco d'Itri
On Aug 26, Ian Cox [EMAIL PROTECTED] wrote:

> PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
> that particular PA has the idprom messed up. Try doing a sh diagbus with
> it inserted and see what the PA idprom is telling the system.

FYI: thanks to Ian I found out that the problem is that FlexWANs do
not support OIR even for plug-in, not just for unplugging.
The Ethernet PA I first tried worked when hotplugged, but the POS one
just failed unless I first unplugged the FlexWAN.


BTW: my FlexWANs happily accepted a 256 MB SODIMM from my old MSFC2, and
even work with one 256 MB and one 64 MB banks (CEF is enabled only on
the first slot now, but I do not need the other one anyway).

-- 
ciao,
Marco


[c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-26 Thread Marco d'Itri
When I plug in the PA I get this:

SLOT 5/0: 00:00:03: %PA-2-UNDEFIO: Unsupported I/O Controller (type 65535) in 
I/O Bay. The I/O Controller network interfaces will be unavailable. 

A normal fast ethernet PA works fine.
cisco.com says that the PA is supported even by non-enhanced FlexWANs.

IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 
12.2(18)SXF13, RELEASE SOFTWARE (fc1)

-- 
ciao,
Marco


Re: [c-nsp] which IOS supports sup720 + FlexWAN + PA-POS-OC3?

2008-08-26 Thread Marco d'Itri
On Aug 26, Ian Cox [EMAIL PROTECTED] wrote:

> PA-POS-OC3 has been supported in both FlexWANs since they FCS'd. Maybe
> that particular PA has the idprom messed up. Try doing a sh diagbus with
> it inserted and see what the PA idprom is telling the system.

This is the output for the card back in the 7200 where it has been in use so
far:

picard.mil#show diag 3
Slot 3: 
POS Single Width, Single Mode Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 13:18:33 ago
EEPROM contents at hardware discovery:
Hardware revision 2.0   Board revision A0
Serial number 1xx6  Part number73-3193-02
FRU Part Number:  PA-POS-OC3SMI=

Test history  0x0   RMA number 00-00-00
EEPROM format version 1
EEPROM contents (hex):
  0x20: 01 95 02 00 00 E8 71 06 49 0C 79 02 00 00 00 00
  0x30: 50 00 00 00 99 08 27 00 00 00 FF FF FF FF FF FF



-- 
ciao,
Marco


Re: [c-nsp] Sup32 TCAM limit

2008-06-26 Thread marco

>> What I do not understand is what would happen to the routes being inserted
>> above this limit. Would such routes be 'soft' routed ? Is there also a
>> threshold for
>
> Prefixes that cannot fit in the TCAM are punted to the MSFC, and thus
> software switched, probably in an interrupt based CEF path.

That's what's supposed to happen, yes. But I ran into this recently (with a
SUP720 now upgraded to XL) and the box didn't punt the packets. It just
hardware switched them based on what was in the TCAM.

Result was that the correct route was in the routing table and CEF FIB,
but packets got dropped or shunted elsewhere without any sign except the
TCAM_FULL messages, and those didn't look right either (no route in the
message at all or junk chars where it should be).

This was the sup running hybrid, IOS 12.2(17d)SXB8 on the MSFC and CatOS
8.6(1) on the SP.


Re: [c-nsp] Sup32 TCAM limit

2008-06-26 Thread marco
> From what I understand, the 'less specific prefix' punted routes would
> not be a problem, the problem was if less specific were in the TCAMs
> while more specifics not ? This would make for some interesting routing
> :-)

So it did :-)


Re: [c-nsp] Upgrading SUP720 to SUP720-3BXL while switch is hot..is it possible?

2008-06-19 Thread Marco van den Bovenkamp

Richard J. Sears wrote:


> We have a 6500 switch in our network with two SUP720 engines running in
> SSO mode. One engine is Active and the other is Standby HOT. Engines are
> located in slot 5 and slot 6.
>
> We are also running NSF.
>
> I want to upgrade the engines to SUP720-3BXLs without taking the switch
> off line.


No can do. You cannot mix XL & non-XL supervisors in the same chassis. 
The best you can do is preconfig the new sups, power down the switch, 
put the new sups in and power it back on.


I've been through an upgrade like this myself recently: pull 
redundant sup, upgrade it to 3BXL, power down switch, swap upgraded sup 
with active sup, power switch back on, upgrade second sup and plug it 
back in.


Regards,

Marco.


Re: [c-nsp] Mystery Cisco device

2008-06-07 Thread Marco van den Bovenkamp

Eric Andrews wrote:


> It's a 1U Cisco device, two XENPAKs on the right and 24 SFP ports in
> groups of 8 on the left. Console and aux ports on the front, and two
> removable AC power supplies in the back. I couldn't see the model
> number on the front, but it ends in 10GE. It says WS-4991 on the
> back, but Google doesn't know anything about that.
>
> Anyone know what this beast is?


Probably an ME4924-10GE: 
http://www.cisco.com/en/US/prod/collateral/switches/ps6568/ps7009/product_data_sheet0900aecd8052f36b.html


Regards,

Marco.


Re: [c-nsp] Cisco support for ASNv4 (4 byte ASN)

2008-05-05 Thread Marco Huggenberger
Hi Skeeve

2008/5/5 Skeeve Stevens [EMAIL PROTECTED]:
> Can someone let me know if/when Cisco supports 4byte AS Numbers in
> BGP in the current IOS stream (not XR or XE).

12.5T, late 2008; in the meantime use AS23456 ;)

Cheers

Marco

PS: Good starting point for ASN32 compatibility is my micro-site at:
http://www.swissix.ch/asn32/doku.php


Re: [c-nsp] Core to access links. Use single etherchannel?

2008-04-24 Thread marco

> If I remember correctly, whenever an Etherchannel changes from two or
> more members to one member (or vice versa), an STP reconvergence is
> triggered.  Assuming that to be correct, you'll still have an STP blip
> during a link/card failure.  :(

No, an Etherchannel is a single link as far as STP is concerned, and
members coming or going will happen 'below' the STP level.

 Marco.



Re: [c-nsp] 6500 vs. 7600 revisited again

2008-04-09 Thread marco
Hi,

> There is a 3B - 3BXL upgrade, which used to cost exactly the same as the
> price difference between a Sup720/3B and a Sup720/3BXL (so it's not a
> we'll send you a new Sup720).

Yup. The WS-F6K-PFC3BXL= is just that: a new -3BXL PFC and some memory to
upgrade the Sup itself to 1GB RAM.

   Regards,

Marco van den Bovenkamp.




[c-nsp] max-metric router-lsa never stops waiting

2008-03-21 Thread Marco d'Itri
I have max-metric router-lsa on-startup wait-for-bgp configured on all
of my routers, but on two of my 7200s it never exits the waiting state:

 Originating router-LSAs with maximum metric
Condition: on startup while BGP is converging, State: active

Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(31)SB2, RELEASE SOFTWARE (fc1)
Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(31)SB6, RELEASE SOFTWARE (fc1)

What could cause this?

-- 
ciao,
Marco


Re: [c-nsp] 3750 SVI vs Routed port

2008-02-25 Thread Marco van den Bovenkamp
[EMAIL PROTECTED] wrote:

> Is there a difference in performance on the 3750 platform between a SVI
> (vLAN) interface and a routed port (no switchport in interface config),
> in terms of IP routing?

No. A 'routed port' on a 3750 is mostly just an SVI on an internal VLAN
with only one port in it. So there isn't really all that much difference
between them.

Regards,

Marco.




Re: [c-nsp] Cisco have a metro ethernet ring standard 'REP'

2007-09-18 Thread Marco Huggenberger
2007/9/18, Will Hargrave [EMAIL PROTECTED]:
> ... not widely announced, but available in ME-series switches, from
> 12.2(40)SE.
http://www.cisco.com/en/US/products/hw/switches/ps5532/products_configuration_guide_chapter09186a0080878947.html

Hmm, what is the difference between REP and FLEX (which is available
on the 3560 series switches)?
http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a0080878d27.html

M.


Re: [c-nsp] 32bit ASNs on 12.0S

2007-08-31 Thread Marco Huggenberger
Hi Folks

2007/8/31, Gert Doering [EMAIL PROTECTED]:
> It doesn't (and neither does any other IOS version publicly available).
> Rumors say that 32 bit ASN support will appear early next year.
> (IOS XR *does* have 32-bit ASN, as far as I have been told).

The status of ASN integration in different hardware/software can be found
in the experiment report from the SwissIX ASN32 Project [1]

IOS will support it starting at 12.5.T, early to late 2008 [2], and in IOS
XR it's already implemented [3]

Cheers

Marco


[1] http://www.swissix.ch/asn32/
[2] http://www.swissix.ch/asn32/doku.php?id=ios
[3] http://www.swissix.ch/asn32/doku.php?id=ios_xr


Re: [c-nsp] Larger scale router rollout tools?

2007-07-03 Thread Marco Huggenberger
2007/7/3, Phil Mayers [EMAIL PROTECTED]:
> Also, on recent IOS you can scp *to* the box and it works just like a
> scp config-fragment router:running-config

We successfully use the archive command (on 12.4.x IOS):

<code>
archive
 path tftp://ip-of-your-tftp-server/$h
 write-memory
 time-period 1440
</code>

This command enables automatic archiving of your configuration
within a time period (1440 is in minutes, meaning every 24 hours) to
a pre-configured path (a path to local flash: is also available, but we prefer an
external copy). That's it!

Just my 2 rappen*

Marco


* rappen = swiss cents
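
The archive setup from the post above, shown beside a variant that uses an authenticated, encrypted transport and logs configuration changes; this is an added example, not part of the original post. TFTP sends the whole configuration, password hashes and SNMP communities included, without authentication or encryption. The example assumes the IOS release accepts scp: in the archive path; 192.0.2.10, the account cfgbackup, <password> and the /configs/ directory are placeholders.

```ios
! Added example, not from the original post. Placeholders: 192.0.2.10,
! the account "cfgbackup", <password> and the /configs/ directory.
!
! As posted: daily copy over TFTP (no authentication, no encryption)
archive
 path tftp://ip-of-your-tftp-server/$h
 write-memory
 time-period 1440
!
! Same schedule over SCP, plus a log of who changed which command
archive
 path scp://cfgbackup:<password>@192.0.2.10/configs/$h
 write-memory
 time-period 1440
 log config
  ! record every configuration command entered, with user and session
  logging enable
  ! forward those records to syslog so they leave the device
  notify syslog
  ! keep passwords and keys out of the change log
  hidekeys
!
! The SCP password is stored in the device configuration, so give the
! cfgbackup account write access to the backup directory and nothing else.
```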