[c-nsp] 3750 tcam log
Hello Everyone,

I have a 3750 stack running 12.2(35)SE2 that had the cpu shoot up this weekend and immediately thought that we had exhausted our tcam space, but looking it seems that this is not the issue. We have preferred routing and 9 routed interfaces actually configured. There was no jump in the number of routes over the weekend, so I am trying to nail down what caused the jump.

3750E-Jenner#sh platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        400/3200         19/87
 IPv4 IGMP groups + multicast routes:          144/1152          6/26
 IPv4 unicast directly-connected routes:       400/3200         19/87
 IPv4 unicast indirectly-connected routes:    1040/8320        192/1436
 IPv4 policy based routing aces:               512/512           2/2
 IPv4 qos aces:                                528/528          82/82
 IPv4 security aces:                          1024/1024         80/80

What worries me is this

3750E-Jenner#sh platform tcam log-results
CAM Log Results
Total Number of PortASICs: 1
ASIC 0
Lookup Invalid, value 0
TCAM Index 0, TCAM Table Index -1
Cam Log Keys
key-0: 0F-E37E-BEFFFD7F
key-1: 05-00088002-
key-2: 01-00118010-03008000
key-3: 01-00118010-03008000
Notes:
a) key-0 is most recent cam key
b) key-0 contains lsb's and key-3 contains msb's
c) watch for Lookup field in cam key for validating results
d) TCAM Table Index -1 indicates invalid results

Lookup invalid and table index -1 don't look very promising but I cannot find anything on the web. Can anyone offer a clue as to if this is a problem? I tried clear ip route * but that had no effect. As the stack is in production I have not reloaded yet and am trying to see if it can be avoided.

Thanks in advance
Brian

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3750 tcam log
Hello all,

I am posting this as a follow up. It seems it was related to tcam resource exhaustion. I reduced the number of routes going into the 3750 and now see

3750E-Jenner#sh platform tcam log-results
CAM Log Results
Total Number of PortASICs: 1
ASIC 0
Lookup L3 Local Forwarding, value C
TCAM Index 4336, TCAM Table Index 4336
Cam Log Keys
key-0: C0-00204009-3EADA0E0
key-1: C0-002011E9-51D04AB0
key-2: C0-00200C0A-53BF0E27
key-3: C0-00201008-5271CC44
Notes:
a) key-0 is most recent cam key
b) key-0 contains lsb's and key-3 contains msb's
c) watch for Lookup field in cam key for validating results
d) TCAM Table Index -1 indicates invalid results

No more invalid results. There were no listings in the sh platform ip unicast failed routes/adj, so I do not know if it was corrupted, or related to too much information. I've been looking for a mib that we can poll but have not found anything for the 3750 (only the 6500). Does anyone know of a way to track this besides a script?

Thanks
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Turnbow
Sent: Tuesday 10 April 2007 19.15
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 3750 tcam log
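A scripted check of the kind the follow-up mentions, added here as an example (it is not code from the thread): it parses `sh platform tcam utilization` rows and reads the table index from `sh platform tcam log-results`. The sample outputs are constructed in the layout of the outputs quoted above, and the 90% alert level and all function names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# One data row: "<feature>:  <max masks>/<max values>  <used masks>/<used values>"
ROW_RE = re.compile(
    r"^\s*(?P<feature>[^:]+):\s*(?P<mm>\d+)/(?P<mv>\d+)\s+(?P<um>\d+)/(?P<uv>\d+)\s*$"
)
# Match the result line only. Note d) of the same output also contains the
# text "TCAM Table Index -1", so a plain substring search would always hit.
INDEX_RE = re.compile(r"TCAM Index\s+-?\d+,\s*TCAM Table Index\s+(-?\d+)")


class TcamRow(NamedTuple):
    feature: str
    max_masks: int
    max_values: int
    used_masks: int
    used_values: int

    def pct_used(self) -> float:
        """Worst of mask and value utilisation, in percent."""
        pairs = ((self.used_masks, self.max_masks), (self.used_values, self.max_values))
        ratios = [used / limit for used, limit in pairs if limit]
        return 100.0 * max(ratios, default=0.0)


def parse_utilization(text: str) -> List[TcamRow]:
    """Return one TcamRow per feature line; header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(TcamRow(m["feature"].strip(), int(m["mm"]), int(m["mv"]),
                                int(m["um"]), int(m["uv"])))
    return rows


def over_threshold(rows: List[TcamRow], pct: float = 90.0) -> List[str]:
    """Feature names whose mask or value usage is at or above pct (assumed level)."""
    return [r.feature for r in rows if r.pct_used() >= pct]


def table_index(log_results: str) -> Optional[int]:
    """TCAM Table Index from the result line; -1 means an invalid lookup."""
    m = INDEX_RE.search(log_results)
    return int(m.group(1)) if m else None


# Constructed sample: same layout as the post, one region filled close to its limit.
SAMPLE_UTIL = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        400/3200         19/87
 IPv4 IGMP groups + multicast routes:          144/1152          6/26
 IPv4 unicast directly-connected routes:       400/3200         19/87
 IPv4 unicast indirectly-connected routes:    1040/8320       1032/8201
 IPv4 policy based routing aces:               512/512           2/2
 IPv4 qos aces:                                528/528          82/82
 IPv4 security aces:                          1024/1024         80/80
"""

# Constructed samples following the two log-results outputs in the thread.
SAMPLE_LOG_BAD = """\
ASIC 0 Lookup Invalid, value 0
TCAM Index 0, TCAM Table Index -1
Notes:
d) TCAM Table Index -1 indicates invalid results
"""
SAMPLE_LOG_OK = """\
ASIC 0 Lookup L3 Local Forwarding, value C
TCAM Index 4336, TCAM Table Index 4336
Notes:
d) TCAM Table Index -1 indicates invalid results
"""

if __name__ == "__main__":
    for name in over_threshold(parse_utilization(SAMPLE_UTIL)):
        print("TCAM region near capacity:", name)
    for label, text in (("bad", SAMPLE_LOG_BAD), ("ok", SAMPLE_LOG_OK)):
        print(label, "table index:", table_index(text))
```

Run against output collected on a schedule, either condition can raise an alert before the CPU climbs.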
Re: [c-nsp] Cisco 1811 DNS Server overload
Do you have dns spoofing on? If so turn it off. That is what causes dns proxy.

You can disable dns lookups completely with

no ip domain lookup

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Skeeve Stevens
Sent: Monday 16 April 2007 15.07
To: 'Cisco-nsp'
Subject: [c-nsp] Cisco 1811 DNS Server overload

I have an 1811 temporarily doing NAT for about 200 clients at the moment, and while it generally is working ok, the DNS facility of the router is freaking out.

Some show logging:

*Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (13/0),process = DNS Server.
-Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC 0x800D7ACC 0x800DB410
*Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (30/0),process = DNS Server.
-Traceback= 0x822F21DC 0x8099C78C 0x80AB6508 0x80AB7ACC 0x800D7ACC 0x800DB410

And yesterday it crashed:

Router uptime is 1 day, 2 hours, 42 minutes
System returned to ROM by error - an Illegal Opcode exception, PC 0x83B1A8E4 at 20:17:29 AEST Sun Apr 15 2007

I would like to actually stop the 1811 caching DNS queries but I can't figure out how to. I would just prefer it relay every request or some other solutions perhaps that could be suggested here. This would at least keep the router up and running.

Any help would be muchly appreciated.

.Skeeve
___
Skeeve Stevens, RHCE
Email: [EMAIL PROTECTED]
Website: www.skeeve.org - Telephone: (0414) 753 383
skype://skeeve
Address: P.O Box 1035, Epping, NSW, 1710, Australia
eIntellego - [EMAIL PROTECTED] - www.eintellego.net
___
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
[c-nsp] 3750 high cpu from icmp
Hello Everyone,

I have been working on a 3750 that has a high cpu usage and wanted to ask for some help. My first thought was tcam space, but that was ok and I don't see any bad adjacencies or routes. The switch has high interrupt cpu levels and checking into it I have found that it seems to be related to ICMP messages getting kicked to the cpu.

sh plat port-asic stats drop

Shows this increasing counter (a few seconds apart)

Supervisor TxQueue Drop Statistics
Queue 11: 36618954

Supervisor TxQueue Drop Statistics
Queue 11: 36622889

And I have traced this queue down to icmp. The cpu controller shows high icmp packets arriving to the cpu (again a few seconds apart).

3750E-Jenner#sh controllers cpu-interface | i icmp
icmp 1525306547 0 0 0 0
3750E-Jenner#sh controllers cpu-interface | i icmp
icmp 1525456328 0 0 0 0

Tracing on the vlan I found a lot of icmp redirects being bounced around so I tried disabling redirects and the cpu usage went down dramatically, yet it is still high. I was able to run a debug

debug platform cpu-queues icmp-q

And see a lot of these messages.

ICMP-Q:Dropped redirect disabled on L3 IF: Local Port Fwding L3If:Vlan82 L2If:FastEthernet1/0/11

It seems that with no redirects the packet gets sent to the cpu, which proceeds to drop the packet. I tried to implement copp to see about limiting the messages sent to the cpu, but it does not seem possible on the 3750. Control-plane is there, yet if I try to apply the service policy I get an error message

QoS: policymap is supported on physical, VLAN, and ES interfaces only
Service Policy attachment failed
error: failed to install policy map control-plane-in

Besides redesigning to avoid icmp redirects anyone have any ideas?

Thanks in advance
Brian
Re: [c-nsp] 3750 high cpu from icmp
Yes and there were none. The icmp queue debugs also list source / destination macs and IPs where you can see that it would be the 3750 that needs to generate a redirect.

Brian

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Monday 14 May 2007 11.07
To: Brian Turnbow
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 high cpu from icmp

On Mon, May 14, 2007, Brian Turnbow wrote:

Wanted to post an update on this in case anyone else ever has problems. The only way I found to resolve this issue was to move traffic onto different interfaces, removing the router on a stick routing.

Did you stick the port into a SPAN group and get a traffic dump? See if some other device is actually sending your 3750 ICMP redirects?

Adrian
Re: [c-nsp] VoIP without QoS
Hi George

We run Voip services to enterprises and only do Qos on the (small) termination lines up/down with llq. Otherwise the core has no Qos and plenty of bandwidth. Works great as long as there is bandwidth and the routers can handle the forwarding.

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nassess, George
Sent: Tuesday 22 May 2007 18.35
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VoIP without QoS

Hello List,

I am in the process of extending our distributed VoIP call center to a partner company, and their networking staff are extremely adamant that they do not wish to implement QoS on their remote LAN, the DS3 link that the voice traffic will traverse, or the core LAN in our shared datacenter. I am fairly well aware of the arguments on both sides of the debate of Mr. QoS (me) versus Mr. Excess bandwidth (them) but I wanted to know if there is anyone on the list who has actually deployed an enterprise VoIP solution without QoS, and whether the deployment was successful as an ongoing solution or if QoS had to be added at a later date.

Thanks in advance for any experiences you can share,

Gus Nasses
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [c-nsp] ADSL QOS
Hi Ian,

You need to use the pre classify on the virtual template

qos pre-classify

Search llq for vpn on cco

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ian MacKinnon
Sent: Tuesday 19 June 2007 15.41
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ADSL QOS

-- Forwarded message --
From: Ian MacKinnon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 19 Jun 2007 14:39:26 +0100
Subject: ADLS QOS on 7200

Hi All,

We are using BT for DSL here in the UK, and I am trying to prioritise voice over the connection.

On our L2TP gateway I have :-

policy-map 1MegLLQ
 class voice
  priority 1000
policy-map shape1Meg
 class class-default
  shape average 100
  service-policy 1MegLLQ
interface Virtual-Template1
 ip unnumbered Loopback3
 ip access-group adsl2-out out
 no logging event link-status
 load-interval 30
 no snmp trap link-status
 no peer default ip address
 ppp authentication chap l2tptunnel
 ppp authorization l2tptunnel
 ppp accounting l2tptunnel

And I apply the service policy to the user via radius.

This is 7200 NPE-G1 running 12.4(2)T5

I can see the policy being applied and a show policy-map interface viblah seems to show it working. But when I send 1Meg of traffic to the CPE the voice to the CPE still breaks up.

Does anybody have this working?
Re: [c-nsp] AS5400XM Question
Yes it can do it. You need a data dial peer to use to specify which are data calls.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110d2b.html

Regards
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Friday 29 June 2007 16.23
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] AS5400XM Question

Hi folks

We are having an issue with dial-up customers and hoping someone can shed some light on a possible solution. There are several options and one of them could involve a configuration change on our 5400XM

At a remote POP, we have 10 T1's coming into a AS5400XM box which then takes these *voice* T1's and sends them off to our Metaswitch system. The T1's are handling regular voice calls plus they are now handling modem traffic recently as well

When the modem traffic hits the Metaswitch, it is then sent off to a series of T1's to our Nortel CVX1800 box

Roughly 80% of the clients dialing in are having no problems, but 20% of them are having handshaking problems on dial-up. It seems (on the surface) that the further away these customers are geographically, the more likely they are having the problem - but that's unconfirmed for sure

My question is specifically.. can the AS5400XM handle the modem calls in these voice T1's? So, if it's a modem calling then the 5400 will terminate the modem call and become the NAS but if it's voice then it will continue on its current path to our Metaswitch? OR, is there something in this configuration that could be causing some of this grief?

The remote POP is connected via 100 meg fiber back to our main facilities which is where the Metaswitch is located. There is no packet loss, jitter etc. on the connection - looks great/clean.

Config looks like this:

voice call carrier capacity active
!
voice service voip
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711ulaw
controller T1 6/0
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 211T1 - Local Transiting - IXC
!
controller T1 6/1
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-2 type none service mgcp
 description 212T1 - 711
!
controller T1 6/2
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 201T1 - Bill and Keep
!
controller T1 6/3
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 202T1 - Bill and Keep
!
controller T1 6/4
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 203T1 - Bill and Keep
!
controller T1 6/5
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 204T1 - Bill and Keep
!
controller T1 6/6
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 205T1 - Bill and Keep
!
controller T1 6/7
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 206T1 - Bill and Keep
!
controller T1 7/0
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 207T1 - Bill and Keep
!
controller T1 7/1
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 208T1 - Bill and Keep
!
controller T1 7/2
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 209T1 - Bill and Keep
!
controller T1 7/3
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
 description 210T1 - Bill and Keep
!
controller T1 7/4
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
!
controller T1 7/5
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
!
controller T1 7/6
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
!
controller T1 7/7
 framing sf
 linecode ami
 ds0-group 0 timeslots 1-24 type none service mgcp
!
interface Group-Async0
 no ip address
 encapsulation slip
 group-range 2/00 5/107
!
voice-port 6/0:0
 echo-cancel coverage 64
!
voice-port
!
voice-port 6/2:0
 echo-cancel coverage 64
!
voice-port 6/3:0
 echo-cancel coverage 64
!
voice-port 6/4:0
 echo-cancel coverage 64
!
voice-port 6/5:0
 echo-cancel coverage 64
!
voice-port 6/6:0
 echo-cancel coverage 64
!
voice-port 6/7:0
 echo-cancel coverage 64
!
voice-port 7/7:0
 echo-cancel coverage 64
!
voice-port 7/0:0
 echo-cancel coverage 64
!
voice-port 7/1:0
 echo-cancel coverage 64
!
voice-port 7/2:0
 echo-cancel coverage 64
!
voice-port 7/4:0
 echo-cancel coverage 64
!
voice-port 7/5:0
 echo-cancel coverage 64
!
voice-port 7/6:0
 echo-cancel coverage 64
!
voice-port 7/3:0
 echo-cancel coverage 64
!
mgcp
mgcp call-agent xxx.xxx.xxx.xx service-type mgcp version 1.0
mgcp dtmf-relay voip codec low-bit-rate mode nte-gw
mgcp max-waiting-delay 500
mgcp restart-delay 2
mgcp package-capability dtmf-package
mgcp package-capability mf-package
mgcp tse payload 102
no mgcp timer
Re: [c-nsp] Unicast storms
It will vary a bit between switches, but here is how it is described by cisco.

Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:

* Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
* Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.1(22)EA1 or later)

With either method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.

Unicast flooding does not worry about known or unknown macs, just the amount of traffic. There is Unknown Unicast Flood Blocking or UUFB available on some platforms to block the flooding of unknown unicast traffic.

Regards
Brian

-----Original Message-----
From: Vincent De Keyzer [mailto:[EMAIL PROTECTED]
Sent: Tuesday 3 July 2007 14.43
To: Brian Turnbow; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Unicast storms

Brian,

I don't think this is the way unicast storm-control is supposed to work. Of course the traffic on the LAN is bursty, but that's just fine; what I think Cisco tried to address with this feature is the unicast flood due to unknown destination MAC address.

Foundry has similar (equivalent?) features, and they are less ambiguously named: broadcast limit, multicast limit and unknown-unicast limit.

Now this is all only guesswork, since I have never seen this feature clearly explained on CCO...

Vincent

-----Original Message-----
From: Brian Turnbow [mailto:[EMAIL PROTECTED]
Sent: Monday 2 July 2007 18:46
To: Vincent De Keyzer; Francois Ropert; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Unicast storms

It would be all unicast traffic measured in 1 second intervals, not just unknown destinations, so you might want to try setting up a rate limit with permit actions to see if you are having bursts of traffic.

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Vincent De Keyzer
Sent: Monday 2 July 2007 18.01
To: 'Francois Ropert'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Unicast storms

I have configured _unicast_ storm-control on our LAN recently, and it keeps kicking in all of the time (something like 50 times per hour). The configured threshold is quite high (10% - that's 100 Mbps on GigE ports!...). I believe there is something wrong - where do I start troubleshooting this?

Read the rxload% and input in show interface command to see if you are really under the 10% assuming you haven't snmp nor netflow.

Well, I have snmp, but this is not my understanding of unicast storm: as far as I understand, unicast storm is defined as traffic with an unknown destination MAC address. I don't think you can see this with 'sh int' or SNMP, can you?

Vincent
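The rising/falling threshold behaviour quoted from Cisco in the thread above, as an added example that is not part of the thread: a small model that takes one measurement per 1-second interval and reports when the port blocks. The load samples are constructed, the names are hypothetical, and the model assumes the port keeps measuring offered traffic while it is blocking.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StormControl:
    """State for one traffic type on one port, evaluated per 1-second interval."""
    rising_pct: float
    falling_pct: Optional[float] = None  # None: resume below the rising level
    blocked: bool = False

    def observe(self, offered_pct: float) -> bool:
        """Feed one interval's measurement; return True if the port is blocking."""
        resume_below = self.rising_pct if self.falling_pct is None else self.falling_pct
        if not self.blocked and offered_pct >= self.rising_pct:
            self.blocked = True    # rising threshold reached
        elif self.blocked and offered_pct < resume_below:
            self.blocked = False   # rate dropped below the falling level
        return self.blocked


def simulate(samples: List[float], rising: float,
             falling: Optional[float] = None) -> Tuple[List[bool], int]:
    """Return the per-interval blocked states and the number of times it tripped."""
    sc = StormControl(rising, falling)
    states = [sc.observe(s) for s in samples]
    trips = sum(1 for prev, cur in zip([False] + states, states) if cur and not prev)
    return states, trips


# Constructed samples: all unicast traffic on the port as % of port bandwidth,
# one value per second. Average load is about 7%, with three short bursts.
SAMPLES = [3, 4, 12, 9, 8, 11, 6, 2, 13, 9, 4, 3]

if __name__ == "__main__":
    for falling in (None, 5.0):
        states, trips = simulate(SAMPLES, rising=10.0, falling=falling)
        print(f"falling={falling}: tripped {trips}x, blocked {sum(states)} of "
              f"{len(states)} s")
```

Bursty but legitimate unicast traffic trips a 10% level repeatedly even though the average stays below it, and adding a falling level lengthens each block rather than reducing sensitivity.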
Re: [c-nsp] Cheap Cisco Voice Solution
Staying in the cisco family there is also the linksys line which is far less expensive. I've used the phones and ata's but not the pbx.

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Friday 13 July 2007 15.05
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cheap Cisco Voice Solution

Hi folks...

I'm trying to come up with a cheap Cisco solution for IP Phone deployment. The reason I stress cheap is because it's for my house ;)

I need to take 3 SIP connections and one analog land-line into a router/box of some form and then feed some Cisco IP Phones. I believe I'm looking at CallManager Express and Unity Express no matter how I try to look at it... and a minimum of a 2821 router?

Just looking for ideas/options ;)

Thanks,
Paul
Re: [c-nsp] Catalyst6506 w/ sup1amsfc2 6148-ge-tx large packets aredropped
Are you running the interface as a trunk port? If not you can try setting up as a trunk port, setting your native vlan as the vlan with the traffic (this needs to be done in conjunction with t system).

Your other options are trying to lower the packet size. This can be done by lowering your mtu, looking into ip tcp mss adjust or the like.

Or you can change your interface, for example use the sup1A interface.

Regards
Brian

-----Original Message-----
From: Comm-AG [mailto:[EMAIL PROTECTED]
Sent: Tuesday 9 October 2007 12.55
To: Brian Turnbow; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Catalyst6506 w/ sup1amsfc2 6148-ge-tx large packets aredropped

Brian,

Thanks for your input. Can you suggest a work-around for the problem that I am having... should I set the MTU lower on the incoming L3 interface? At this point, all applications which send large packets (1500 bytes) are failing.

Rgds,
Anthony

-----Original Message-----
From: Brian Turnbow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 09, 2007 5:56 PM
To: Comm-AG; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Catalyst6506 w/ sup1amsfc2 6148-ge-tx large packets aredropped

The 6148 supports up to 1518 frame size, the 6148A does 9216. This may be your problem.

Regards
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Comm-AG
Sent: Tuesday 9 October 2007 9.22
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Catalyst6506 w/ sup1amsfc2 6148-ge-tx large packets aredropped

Hi,

I have a problem isolated to 6148-ge-tx line-card. The line-card connects a number of service provider connections. When large packets are switched between different ports on the same card, large packets are dropped.

The problem has become apparent since our international service provider (call it T-Systems) upgraded their CE router and required us to run dot1q on the 6148-ge-tx interface. Since then, all traffic switched from other sources to the T-Systems port has this problem where large packets are dropped.

If we move services to another card leaving the T-Systems connection as it was, the problem goes away.

Any help would be appreciated.

Thanks
Anthony
Re: [c-nsp] Flowmask Config?
Do a

show mls netflow flowmask

Nat requires interface full flow.

Take a look here
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/netflow.html

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Skeeve Stevens
Sent: Monday 10 December 2007 15.24
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Flowmask Config?

Hey guys,

I am trying to setup NAT for a few machines on a private network which enters a 7609 on a Ethernet interface. When I put the NAT commands, this error appears in the logs, and the NAT does not work.

Can someone point me in the right direction to figure out what is going on?

...Skeeve

===
Error Message
%FM_EARL7-4-MLS_FLOWMASK_CONFLICT : mls flowmask may not be honored on interface [chars] due to flowmask conflict

Explanation
The configured MLS flow mask conflicts with other features/QoS configuration. The traffic on this interface will be sent to software under this condition. NetFlow data export may not function correctly for this interface under this condition.

Recommended Action
Remove the conflicting configuration and re-configure the MLS flowmask

--
Skeeve Stevens, RHCE
[EMAIL PROTECTED] / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - [EMAIL PROTECTED] - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
Re: [c-nsp] 7604/sup32
Hi,

7600 is a hardware forwarding platform (basically a catalyst 6500), whereas the 7200 is processor based. The 7600 can forward much much more traffic. With full routes however the sup-32 isn't going to cut it, you need the 720 with PFC3BXL. The sup32 doesn't have enough tcam space for full routes anymore.

To confuse the matter cisco has divided the 6500/7600 into 2 groups and features will vary.
The 6500 will use sup -xxx as the processor
The 7600 will use rsp -xxx as the processor

There has been a lot of talk about this on the list

Regards
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Kent
Sent: Tuesday 8 January 2008 16.45
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7604/sup32

So, I'm looking at the cisco web pages and I see the 7600 is pushed big-time as a service provider edge device, and yet I see that the sup32-3b has a 300Mhz processor, and so it is not much faster than an NPE-300 (262Mhz). I stopped taking full routes on NPE-300 equipment a couple of years ago, moving to an npe-g1.

So, what's the scoop with the 7600/sup32-3b? It seems like a step back to me, other than the 8 built-in gigE ports.

I'm looking at an application where the box would push a total of about 1Gbs over two gigE upstreams. It would have two gigE internal neighbors, each with full bgp routes... so four full tables. I'm concerned about the issue of traceroutes looking bad as they pass through the box (which confuses EndUsers), due to the cpu load from the bgp scanner.

Thanks,
-mark
[c-nsp] npe-g2
Hello

We are in the process of deploying our first npe-g2 in production and I wanted to see what the consensus is for a stable ios version. The router will be used for pppoa termination and will be running mpls vpn, bgp, cbwfq/llq qos.

Thanks in advance
Brian
Re: [c-nsp] L2TP/IPSEC VPN for MS Windows PCs
Hi Felix,

Why not use the cisco client? It's free (as long as you are entitled to the crypto ios at least) and the configuration and maintenance is going to be much easier than with windows in the long run.

There is a technote on configuring l2tp ipsec between windows and ios
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml

Regards
Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Felix Nkansah
Sent: Wednesday 16 January 2008 17.01
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] L2TP/IPSEC VPN for MS Windows PCs

Hi,

I need to build a remote-access vpn solution for my company. The preference is to use the microsoft windows xp built-in dialup vpn client, rather than having to install additional software (such as the Cisco VPN client).

Has anyone deployed this solution for some clients (L2TP/IPSEC)? I would be terminating the connections on an IOS router. The configuration guides I have found from cisco.com don't seem to help me.

Should be glad that you share your experiences, suggestions, and helpful links with me.

Regards,
Felix
Re: [c-nsp] ISDN : Dial on demand
I decided to use the command clear int bri 0 between each site for hanging up the current call.

Use

isdn disconnect

or

isdn test disconnect

depending on your version

Brian
Re: [c-nsp] 2960 not switching packets (hub-like behavior)
Most times this is related to the arp aging time on the sending device vs mac aging time on the switch. The switch will learn the location of the mac when it transmits, but after not receiving data sourced from the mac for more than the aging time the mac gets removed from the mac address table. The sending device still has the arp entry so it will still send packets to the destination mac and the switch will start flooding the packets. Check to see if the destination mac is in your mac table on the switch and the arp table on the originating device. Then try and reconfigure the arp timeouts lower than the mac aging time by lowering one or raising the other. Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Neils Christoffersen Sent: Thursday 17 January 2008 17.10 To: cisco-nsp@puck.nether.net Subject: [c-nsp] 2960 not switching packets (hub-like behavior)

I have a WS-C2960-48TT-L running c2960-lanbasek9-mz.122-25.SEE4 Sniffing traffic on a connected workstation, I can see unicast traffic destined for other systems connected to the switch. I know this isn't normal behavior but I have been unable to diagnose the problem. Reloading did not resolve it. This is a very simple configuration (single switch behind a firewall, no vlans) and the network is not highly utilized. Suggestions?
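The aging mismatch described in the reply above, modelled as a small simulation. This is an added example, not code from the thread; the function names, the one-frame-per-second traffic pattern and the silent receiver are assumptions, and 14400 s / 300 s are used as the IOS ARP timeout and Catalyst MAC aging defaults.

```python
"""Unicast flooding when the sender's ARP timeout exceeds the switch MAC aging time."""


def simulate_flooding(arp_timeout, mac_aging, duration, send_interval=1):
    """Count frames a switch floods while a sender talks to a silent receiver.

    Model (assumptions of this sketch, all times in seconds):
      * at t=0 the sender ARPs for the receiver; the reply is sourced from the
        receiver's MAC, so the switch learns the receiver's port at t=0;
      * the receiver never transmits except to answer an ARP request;
      * the sender re-ARPs only when its own ARP entry expires;
      * the switch removes a MAC entry after mac_aging seconds without a frame
        sourced from that MAC, and floods frames sent to an unknown unicast MAC.
    """
    arp_learned_at = 0      # when the sender last resolved the receiver
    mac_last_seen = 0       # when the switch last saw a frame from the receiver
    flooded = 0
    first_flood_at = None
    t = send_interval
    while t <= duration:
        if t - arp_learned_at >= arp_timeout:
            # ARP entry expired: the sender asks again, the receiver's reply
            # refreshes the switch's MAC table entry as a side effect.
            arp_learned_at = t
            mac_last_seen = t
        if t - mac_last_seen >= mac_aging:
            # Sender still has the MAC cached, switch no longer does: every
            # port in the VLAN gets a copy of this frame.
            flooded += 1
            if first_flood_at is None:
                first_flood_at = t
        t += send_interval
    return {
        "sent": duration // send_interval,
        "flooded": flooded,
        "first_flood_at": first_flood_at,
    }


# Constructed scenarios: the mismatch, then the two remedies named in the reply.
SCENARIOS = {
    "ARP 14400 s, MAC aging 300 s": (14400, 300),
    "ARP timeout lowered to 240 s": (240, 300),
    "MAC aging raised to 14700 s": (14400, 14700),
}


def run_scenarios(duration=6 * 3600):
    """Run every scenario for the same six-hour window."""
    return {
        name: simulate_flooding(arp, mac, duration)
        for name, (arp, mac) in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result['flooded']}/{result['sent']} frames flooded, "
              f"first at t={result['first_flood_at']}")
```

In the mismatched case nearly every frame after the first five minutes is visible on all ports, which is what the workstation capture in the original question shows.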
Re: [c-nsp] cisco 3560 layer3 performance
Check out this thread http://puck.nether.net/pipermail/cisco-nsp/2007-May/040374.html I had a similar issue with a 3750, the cause was redirected traffic. Even though ip redirects were disabled on the vlan interface they were being punted to the cpu and then dropped. Try a

3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886230815 0 0 0 0
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886236301 0 0 0 0
3750E-Jenner#sh controller cpu-interface | i icmp
icmp 1886239093 0 0 0 0

To see if they are increasing. The only way I was able to resolve this was by moving the traffic so that it was routed between two separate interfaces. Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Louis Sent: Tuesday 22 January 2008 4.53 To: Mark Kent; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] cisco 3560 layer3 performance

Are both models the WS-C3560G-48TS-S version? The first device you mentioned, is it running layer 2 only, into the L2 access switchport and then out to the L2 trunk?

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Mark Kent [EMAIL PROTECTED] Sent: Monday, January 21, 2008 10:31 PM To: cisco-nsp@puck.nether.net Subject: [c-nsp] cisco 3560 layer3 performance

Hello, I've got a cisco 3560 (WS-C3560G-48TS-S) pulling in (80Mbs, 6500pps) on one switch port, and sending it out a trunk... cpu load is 5%. Another cisco 3560, pulling in that same traffic on a trunk and sending it out a layer3 point-to-point gigE is running at 70 to 80% (cpu hog is IP Input). In fact, the cpu load is roughly the same as the Mbs load. 50Mbs = 50%. Now, I know it's a small switch in the cisco line. But wouldn't we expect it to do a fair bit better than this? It looks like it will crap out at 100Mbs of layer3 traffic.
Thanks, -mark
Re: [c-nsp] 6500 vs. 7600 revisited again
Indeed, folks have tested Sup32 with a 3BXL update, and it works, but it's unsupported, and most likely there is a check in recent IOS versions to make sure it doesn't work anymore. We told you this is not supported!.

I remember seeing this roadshow www.cisco.at/partner/pdf/Tkrewedl_Roadshow_jan05_catalyst_TK.pdf Notice the page about sup 32 upgradability. Sure would have been nice. Brian
Re: [c-nsp] Cisco ISP Essentials?
Check out this site ftp://ftp-eng.cisco.com/cons/ There is an ISP Essentials posted from 2002 and there is a lot of material and presentations that are useful. Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Jones Sent: Thursday 17 April 2008 17.27 To: cisco-nsp@puck.nether.net Subject: [c-nsp] Cisco ISP Essentials?

Hi, I've just been looking through Cisco ISP Essentials, which seems like an interesting, if dated (2001), read. There doesn't seem to be a second edition, so can anyone recommend a more modern equivalent, perhaps that includes MPLS? (In case you haven't seen it, it's a collection of best practices for ISPs with Cisco networks - starting from centralised logging and which IOS versions to track, and going up through BGP topologies and various IGP related stuff) Best Regards, Howie
Re: [c-nsp] Standby mode switchport status
Standby is for backup interfaces. Do you have switchport backup interface xxx in your config? Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Storey Sent: Wednesday, April 23, 2008 9:28 AM To: cisco-nsp@puck.nether.net Subject: [c-nsp] Standby mode switchport status

Hi all, I have a 2940 switch with an SFP based gigabit uplink port. I'm plugging it into an Alcatel radio unit, which seems to be reporting that the link is up (there is a tick showing up in the management interface that represents Port Up which also goes away when I unplug the fibre), but on the Cisco I see the following:

Switch#sh int gi0/1
GigabitEthernet0/1 is standby mode, line protocol is down (disabled)
Switch#sh ip int brief
Interface            IP-Address   OK?  Method  Status        Protocol
GigabitEthernet0/1   unassigned   YES  unset   standby mode  down

Given what I said above about the Alcatel unit, it seems as though perhaps the Alcatel is receiving signal from the Cisco, but the Cisco isn't recognising anything. Have tried different fibre leads, plugging into different devices, different SFPs, but nothing. Does anyone have any idea what standby mode means, and whether it could be responsible for this behaviour? I've done a bit of searching to try and find out what this means, but have so far come across nothing that helps. Hoping someone here will have some ideas. Thanks, Tom
Re: [c-nsp] Blocking VTP
There was set vtp port x/x disable in catos at least for 6500s. I don't think it ever worked its way into ios though. Number 2 will do the job for you. Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Mayers Sent: Wednesday, April 23, 2008 11:57 AM To: [EMAIL PROTECTED] Cc: 'Gert Doering'; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Blocking VTP

Skeeve Stevens wrote: I can't believe there isn't:

I'm sorry to say whether you believe it or not has little to do with the reality of the situation. To the best of my (by no means encyclopaedic) knowledge, there is no such thing. In any event, Tassos has already suggested:

1) make the port an access port
2) block 01-00-0C-CC-CC-CC (used by CDP too)
3) use transparent vtp v1 different domain
4) block vlan 1 (although actually that's not possible)

Have you tried those? It seems like number 2 in a MAC ACL ought to be pretty bulletproof.
[c-nsp] R: Re: Blocking VTP
The catos command blocks the processing and forwarding of vtp packets received on the interface. I'm not sure about how the ios version works.

- Original message - From: Tassos Chatzithomaoglou [EMAIL PROTECTED] Sent: Wednesday 23 April 2008 20.14 To: Peter Rathlev [EMAIL PROTECTED] Cc: Brian Turnbow [EMAIL PROTECTED]; cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Blocking VTP

http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_u1.html#wp1013452 I guess enabling vtp on your internal ports and disabling it on your external ones would accomplish the needed security. I don't know what happens if global vtp (on) and per-port vtp (off) are configured simultaneously. -- Tassos

Peter Rathlev wrote on 23/4/2008 8:01 PM: On Wed, 2008-04-23 at 13:27 +0200, Brian Turnbow wrote: There was set vtp port x/x disable in catos at least for 6500s. I don't think it ever worked its way into ios though.

12.2(33)SXH seems to have something called Per port VTP enable/disable, where you can put vtp disable under an interface configuration. I don't know if this just makes the switch transparent to PDUs received from that port, or if it actually blocks the PDUs. I hope for the latter. It's probably something they lifted from CatOS; I heard that it was their plan to make the SX train have the same features as CatOS... Regards, Peter
Re: [c-nsp] C3560 as CPE, possible TCAM contention
Note that the tcam utilization is based on the assumption of up to 8 routed interfaces. If you have more you will not be able to reach the max values. We have some with similar values on routing templates that work fine, this particular unit has 13 routed interfaces.

Unicast mac addresses:                        400/3200         29/163
IPv4 IGMP groups + multicast routes:          144/1152          6/26
IPv4 unicast directly-connected routes:       400/3200         29/163
IPv4 unicast indirectly-connected routes:    1040/8320        246/1873
IPv4 policy based routing aces:               512/512           2/2
IPv4 qos aces:                                528/528          82/82
IPv4 security aces:                          1024/1024        103/103

As tassos mentioned checking the sh controllers cpu can tell you what kind of traffic is making it to the cpu. Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rathlev Sent: Tuesday, April 29, 2008 4:11 PM To: cisco-nsp Subject: [c-nsp] C3560 as CPE, possible TCAM contention

Hi, I'm looking at some C3560s acting CPEs. One of them has 13 VRFs in a VRF Lite configuration, 36 BGP neighbors and around 2300 prefixes. (It's not a pretty design, but that's out of my hands.) It has started doing software switching, with very degraded performance of course. I can see the following:

CPE_1#show platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
Unicast mac addresses:                        784/6272         23/110
IPv4 IGMP groups + multicast routes:          144/1152          6/26
IPv4 unicast directly-connected routes:       784/6272         23/110
IPv4 unicast indirectly-connected routes:     272/2176        252/1921
IPv4 policy based routing aces:                 0/0             0/0
IPv4 qos aces:                                528/528          31/31
IPv4 security aces:                          1024/1024         27/27

Note: Allocation of TCAM entries per feature uses a complex algorithm.
The above information is meant to provide an abstract view of the current TCAM utilization

CPE_1#show platform ip unicast statistics
Global Stats:
HWFwdLoc:0 HWFwdSec:194077183 UnRes:0 UnSup:0 NoAdj:0 EncapFail:0 CPUAdj:150183381 Null:0 Drop:0
Prev Global Stats:
HWFwdLoc:0 HWFwdSec:194077183 UnRes:0 UnSup:0 NoAdj:0 EncapFail:0 CPUAdj:150183381 Null:0 Drop:0

CPE_1#show platform ip unicast table
Platform unicast IPv4 Table dump (# of entries 14)
Name            ID   Label   Mask
IPv4:Default     0       0   0x7F
IPv4:VRF01281    1      64   0x7F
IPv4:VRF02401    2      65   0x7F
IPv4:VRF02402    3      66   0x7F
IPv4:VRF02403    4      67   0x7F
IPv4:VRF02404    5      68   0x7F
IPv4:VRF02405    6      69   0x7F
IPv4:VRF02406    7      70   0x7F
IPv4:VRF02419    8      71   0x7F
IPv4:VRF02433    9      72   0x7F
IPv4:VRF02434   10      73   0x7F
IPv4:VRF02436   11      74   0x7F
IPv4:VRF02438   12      75   0x7F
IPv4:VRF02439   13      76   0x7F
CPE_1#

CPE_1#show platform ip unicast failed route
Total of 0 covering fib entries
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 2 entries covered by 0.0.0.0/0 Tbl:2
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 2 entries covered by 0.0.0.0/0 Tbl:3
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 5 entries covered by 0.0.0.0/0 Tbl:5
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 115 entries covered by 0.0.0.0/0 Tbl:6
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 29 entries covered by 0.0.0.0/0 Tbl:9
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 34 entries covered by 0.0.0.0/0 Tbl:10
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 128 entries covered by 0.0.0.0/0 Tbl:11
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 94 entries covered by 0.0.0.0/0 Tbl:12
Entries covered by Actual default route(0.0.0.0/0)
cut
Total of 96 entries covered by 0.0.0.0/0 Tbl:13
CPE_1#

(I've left out the specific prefixes and changed the CPE name.) It's running desktop default SDM template, and the best option so far seems to change to the routing template.
(Should've been done from the beginning, it's only doing routing, with customer L3 equipment on the LAN side.) The problem is: How can I _know_ if TCAM contention is the problem?
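One way to turn the two outputs quoted in this message into a repeatable check, as an added example that is not part of the thread: it parses `show platform tcam utilization` and the summary lines of `show platform ip unicast failed route`. The function names and the 85% threshold are assumptions, as is reading a nonzero failed-route count as routes that were not programmed into hardware; the sample text is the CPE_1 output from the message, re-spaced.

```python
import re

# Sample input rebuilt from the CPE_1 figures quoted in the message above.
TCAM_SAMPLE = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        784/6272         23/110
 IPv4 IGMP groups + multicast routes:          144/1152          6/26
 IPv4 unicast directly-connected routes:       784/6272         23/110
 IPv4 unicast indirectly-connected routes:     272/2176        252/1921
 IPv4 policy based routing aces:                 0/0             0/0
 IPv4 qos aces:                                528/528          31/31
 IPv4 security aces:                          1024/1024         27/27
"""

FAILED_SAMPLE = """\
Total of 0 covering fib entries
Total of 2 entries covered by 0.0.0.0/0 Tbl:2
Total of 2 entries covered by 0.0.0.0/0 Tbl:3
Total of 5 entries covered by 0.0.0.0/0 Tbl:5
Total of 115 entries covered by 0.0.0.0/0 Tbl:6
Total of 29 entries covered by 0.0.0.0/0 Tbl:9
Total of 34 entries covered by 0.0.0.0/0 Tbl:10
Total of 128 entries covered by 0.0.0.0/0 Tbl:11
Total of 94 entries covered by 0.0.0.0/0 Tbl:12
Total of 96 entries covered by 0.0.0.0/0 Tbl:13
"""

# "<feature>:  max_masks/max_values  used_masks/used_values"
TCAM_ROW = re.compile(r"^\s*(?P<feature>[^:]+):\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")
# "Total of N entries covered by <prefix> Tbl:<id>"
FAILED_ROW = re.compile(r"^Total of (\d+) entries covered by (\S+) Tbl:(\d+)$")


def parse_tcam_utilization(text):
    """Return one dict per feature row; header and note lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCAM_ROW.match(line)
        if not m:
            continue
        max_m, max_v, used_m, used_v = (int(x) for x in m.groups()[1:])
        rows.append({"feature": m.group("feature").strip(),
                     "max_masks": max_m, "max_values": max_v,
                     "used_masks": used_m, "used_values": used_v})
    return rows


def near_exhaustion(rows, threshold=0.85):
    """Features whose mask or value usage reaches the threshold.

    The threshold sits below 100% on purpose: the reply above notes that the
    advertised maximum assumes up to 8 routed interfaces, so a unit with more
    can run out before the Max column is reached.
    """
    alerts = []
    for r in rows:
        pairs = ((r["used_masks"], r["max_masks"]),
                 (r["used_values"], r["max_values"]))
        ratios = [used / cap for used, cap in pairs if cap]  # skip 0/0 regions
        if ratios and max(ratios) >= threshold:
            alerts.append((r["feature"], round(max(ratios), 3)))
    return alerts


def parse_failed_routes(text):
    """Map table id -> number of entries reported as covered by another route."""
    per_table = {}
    for line in text.splitlines():
        m = FAILED_ROW.match(line.strip())
        if m:
            count, _prefix, table = m.groups()
            per_table[int(table)] = per_table.get(int(table), 0) + int(count)
    return per_table


def assess(tcam_text, failed_text, threshold=0.85):
    """Combine both outputs into one verdict suitable for a polling script."""
    alerts = near_exhaustion(parse_tcam_utilization(tcam_text), threshold)
    failed = parse_failed_routes(failed_text)
    total = sum(failed.values())
    return {"alerts": alerts, "failed_by_table": failed, "failed_total": total,
            "tcam_contention_likely": bool(alerts) and total > 0}


if __name__ == "__main__":
    print(assess(TCAM_SAMPLE, FAILED_SAMPLE))
```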
Re: [c-nsp] BGP Route selection
Setting the metric is not going to affect your BGP route selection. On router A you can set the weight, or on router 2 you can prepend an AS (you could have used local preference if the AS was the same). Check out http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml on how BGP selects paths. Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Roberton Sent: Friday 23 May 2008 16.09 To: Pete Templin Cc: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] BGP Route selection

All, The network in question is actually 90.0.0.0. All routers are in their own separate AS. The route in question is a connected network not redistributed. To make it clearer;

Router X has network 90.0.0.0 connected
Router X advertises to both Router1 and Router2.
Router 1 sends it on to Router A
Router 2 has a route map that does 'set metric 50' and then passes it onto RouterA.
We want RouterA to go via Router1 whenever Router1 is up

Router A BGP table entry is shown here;

* 90.0.0.0 10.40.1.6 50 0 64604 1000 i
* 10.40.1.2 0 64603 1000 i

Router A puts 10.40.1.2 route into global routing table
Router1 goes down
Router A puts 10.40.1.6 route into global routing table
Router1 comes up
RouterA puts entry back in BGP table but leaves route in global table alone.

Any help appreciated.

On Fri, May 23, 2008 at 1:20 PM, Pete Templin [EMAIL PROTECTED] wrote: Gary Roberton wrote: I have router A receiving network 80.0.0.0 from router 1 and router 2. Router 2 weights its metric so that it is less favourable. Are routers 1 and 2 in your AS, or in another AS? Also, please clarify 'weights its metric' - do you mean it adjusts weight, it adjusts metric, it adjusts origin, etc.? In router A's BGP table I can see both routes and the route from Router 1 is placed in the global routing table. Fine. Are you seeing the various BGP knobs showing the settings you'd expect from above?
When you turn off Router1, Router A removes the route from the routing table and installs the less favoured route from Router2. What you would expect. When I turn on Router1, Router A does not put the better route back into the routing table, even though it sees both in its BGP table. Are you seeing the various BGP knobs showing the settings you'd expect from above? pt
Re: [c-nsp] Both my borders crashed?
SegV exceptions are related to software issues, there is a doc on the cisco site on how to troubleshoot them. The short answer is you are going to need to change your ios release. Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shaun R. Sent: Wednesday 28 May 2008 9.43 To: cisco-nsp@puck.nether.net Subject: [c-nsp] Both my borders crashed?

Both my border routers look to have crashed at the same time. Anybody know why from this error? If not how can I find out what happened? Both routers are 7206VXR-NPE-G2's

border2 uptime is 2 days, 19 hours, 20 minutes
System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00 UTC Sun May 25 2008
System image file is bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin

border1 uptime is 2 days, 19 hours, 19 minutes
System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26 UTC Fri Mar 30 2001
System image file is bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin
Re: [c-nsp] BGP Route selection
You might want to check back on the mail and the context the phrase was used in. As the path was coming in from two different ASes using MED it wasn't working. He could have configured the end router to always compare MED, but by default it won't be used. Brian

-Original Message- From: Gert Doering [mailto:[EMAIL PROTECTED] Sent: Thursday 29 May 2008 22.20 To: Brian Turnbow Cc: Gary Roberton; Pete Templin; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] BGP Route selection

Hi, On Fri, May 23, 2008 at 05:08:58PM +0200, Brian Turnbow wrote: Setting the metric is not going to affect your BGP route selection.

Read up on the BGP decision algorithm :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany [EMAIL PROTECTED] fax: +49-89-35655025[EMAIL PROTECTED]
Re: [c-nsp] Applying bandwidth to an ATM VC path
Check out PVP http://www.cisco.com/en/US/tech/tk39/tk48/technologies_q_and_a_item09186a008011a901.shtml#qa13 Regards Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of james edwards Sent: Monday 9 June 2008 5.38 To: cisco-nsp@puck.nether.net Subject: [c-nsp] Applying bandwidth to an ATM VC path

I have an ATM path from my LEC between me and another CLEC (Foo). The LEC applies bandwidth to the VC and then I work with the other side to divvy up the bandwidth among the PVC's in this path. So if I buy 4 megs CBR from the LEC I can divvy bandwidth as follows:

interface ATM3/0.3123 point-to-point
 description VC path 5 to CLEC Foo /// MPLS-VPN
 bandwidth 1000
 ip verify unicast reverse-path
 ip address x.x.x.x/xx
 ip pim dense-mode
 ip mroute-cache
 ip policy route-map foobar
 pvc 5/32
  protocol ip x.x.x.x broadcast
  cbr 1000
  oam-pvc manage
  encapsulation aal5snap
 !
!
interface ATM3/0.3124 point-to-point
 description VC path 5 to CLEC Foo /// Peering connection
 bandwidth 3000
 ip verify unicast reverse-path
 ip address x.x.x.x/xx
 no ip mroute-cache
 ip policy route-map foobar
 pvc 5/33
  protocol ip x.x.x.x broadcast
  cbr 3000
  oam-pvc manage
  encapsulation aal5snap

The other side (CLEC Foo) matches the same amount of bandwidth per PVC as I configed. So now I want to apply the 4 megs to just the VC (5) and not individual PVC's, letting them ride up to the VC limit of 4 megs cbr. I have done this on ATM (Lucent) and Frame Relay switches but can't find a doc at Cisco to guide me for a router. The gear I am doing this on is a 7206 VXR NPE-400, PA-A3-OC3, running IOS c7200-is-mz.122-19b. I will be moving to 12.2 SB shortly. Can anyone point me in the right direction ? Thanks, -- James H.
Edwards Senior Network Systems Administrator Judicial Information Division [EMAIL PROTECTED]
Re: [c-nsp] ATM to Frame internetworking
And lastly to map the atm to frame and translate it.
connect ADSL2FRAMEDPVC Serial6/0:0 33 ATM5/0 2/357 service-interworking

If I remember correctly, it's been awhile, using service-interworking you need to use service translation. I.e.
connect ADSL2FRAMEDPVC Serial6/0:0 33 ATM5/0 2/357 service-interworking service translation
Regards Brian
Re: [c-nsp] 7200s (VXRs and not) and MPLS capabilities
The 7200s non vxr will do mpls just fine. I ran some in the past with npe 225s for mpls L3 VPNs with no problem. Having said that I would spend the extra money and get a vxr chassis, especially if you are going to be doing VoIP. You can still go with an older NPE to save money but you will have protection towards the future, by just changing the NPE. The 7200 non vxr supports up to the NPE 225, 300s will work with some older ios code even if it is a non supported configuration. Newer ios trains will not boot with anything bigger than a 225. If you do need full routes you have to go with the npe 400 that supports 512M of ram, anything prior maxes out at 256M. Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore Sent: Thursday 12 June 2008 0.45 To: 'Cisco-nsp' Subject: [c-nsp] 7200s (VXRs and not) and MPLS capabilities

Does anyone have any links to info on the MPLS capabilities of the non-VXR 7200s and how they stack up against their VXR siblings (cousins?)? We have an option of picking up some inexpensive non-VXRs (I don't know what CPUs yet) and are considering using these to terminate DS3s of T1 customers. VRFs for MPLS VPN would be in use for some of the customers. MLPPP for some as well. QoS for voice. Other than that it should be very basic. I'm hoping that no one would want full tables, though I can't recall what the IPv4 route limits are for processors before the G1. For that matter we also have the option of picking up some cheap 7500s, though I'm less inclined to use these for anything. Thanks Justin
[c-nsp] R: Re: 7200s (VXRs and not) and MPLS capabilities
It gives you support for newer npes. Non vxrs max out at npe225.

- Original message - From: David Coulson [EMAIL PROTECTED] Sent: Saturday 14 June 2008 3.15 To: Eric Kagan [EMAIL PROTECTED] Cc: 'Justin Shore' [EMAIL PROTECTED]; Brian Turnbow [EMAIL PROTECTED]; Cisco-nsp cisco-nsp@puck.nether.net Subject: Re: [c-nsp] 7200s (VXRs and not) and MPLS capabilities

Eric Kagan wrote: It also eliminates the need to get the NON-VXR's out (which you will probably end up doing sooner than later and quickly regret the NON-VXR move). We did the same thing about 4 years ago and I swore at myself as I swapped out each one with a VXR over the past 2 years..

What does the VXR piece get you? I thought there was a huge discussion about it, and the result was 'nothing'? David
Re: [c-nsp] 7200s (VXRs and not) and MPLS capabilities
I even need a VXR to run a NPE-300?
Yes.

Don't tell that to this router

System image file is slot0:c7200-p-mz.120-32.S7.bin
cisco 7206 (NPE300) processor with 262144K/32768K bytes of memory.
Processor board ID 18283396
R7000 CPU at 262Mhz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot midplane, Version 1.3

12.0 will run a npe300 on a non vxr chassis. Newer Ios will not boot however. That said it is an unsupported configuration from cisco. So use it at your own risk. Brian
[c-nsp] Surge protection on leased lines
Hello, We have several customers that are having problems every time a storm goes through. Our national telco company seems to offer no lightning protection on their lines, and every storm causes a line outage and burns up the attached wic. We've made sure the chassis are grounded, but would also like to try and install a surge protection between the v.35 interface of the telco and our CPEs. I see that Cisco offers a surge protection cable for smart serial interfaces, but not for classic serial interfaces. I wanted to ask what others would recommend / experiences regarding surge protection on leased lines. Thanks in advance Brian
Re: [c-nsp] 3560 ACL performance?
We use them and have never experienced problems as long as you keep in the tcam space. With too many routes/acls etc. they punt to cpu.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian MacNevin Sent: Friday 15 August 2008 6.00 To: cisco-nsp@puck.nether.net Subject: [c-nsp] 3560 ACL performance?

Hi So the marketing machine tells me 3650s do ACLs in hardware and zero performance hit blah blah. Anyone had any real world experience with high loads of packets on every interface under a simple ACL? Thanks
Re: [c-nsp] 6500 snmp and vty acls ?
COPP is done in hardware. ACL on VTY/SNMP is software as far as I remember.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Fitzwater Sent: Wednesday 13 August 2008 22.17 To: cisco-nsp@puck.nether.net Subject: [c-nsp] 6500 snmp and vty acls ?

Does anyone know if VTY and snmp ACLs are implemented in hardware or software on a 6500 with 720-CXL running 12.2(33)SXH. I am trying to understand COPP and move away from the VTY and SNMP ACLs. Thanks for any info. Jeff Fitzwater OIT Network Systems Princeton University
Re: [c-nsp] UBR+ and service-policy on ATM PVCs
In order to use qos on atm pvc you need to use abr/vbr/cbr. UBR and + are for best effort services offering no bandwidth guarantee so you cannot utilize the service policy. That said we mainly use 12.2(31)SB11

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raphael Bouaziz Sent: Monday 25 August 2008 14.58 To: cisco-nsp@puck.nether.net Subject: [c-nsp] UBR+ and service-policy on ATM PVCs

Hi all, I am trying to find the right IOS version to use on 7200s w/ NPE-400/NPE-G1 that both support UBR+ and QoS (service policies) on a per-vc basis. Today we use 12.2(16)B2 to terminate ATM PVCs (from xDSL lines) on these routers, it works fine. But this (old) version lacks QoS support. When testing newer versions (I tried 12.3 12.4 mainline, 12.2SB, 12.4T) that could support QoS, we rise an issue with UBR+. Commands are accepted but ignored, and PVCs get configured with UBR at physical linerate. ATM interfaces are PA-A3-OC3MM w/ hardware version 2.0. Which IOS version should we use? Thanks. -- Raphael Bouaziz.
Re: [c-nsp] Surge protection on leased lines
Thanks for the response. They are external csus but they are telco property and they don't want us to touch them. We have asked several times that they install protection coming into the building but no go... They install a remote powered integrated shdsl modem/csu in an all plastic housing and the only place we have been able to connect a ground is to the v.35 mount on the integrated csu. No help there. Lightning strike = burned modem/csu = burned wic. The v.35 protector would be a try to at least save our wic cards and costs of dispatching a tech for every passing storm. Brian

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Hennigan Sent: Monday 25 August 2008 17.34 To: Cisco Mailing list Subject: Re: [c-nsp] Surge protection on leased lines

Brian Turnbow wrote: Hello, We have several customers that are having problems every time a storm goes through. Our national telco company seems to offer no lightning protection on their lines, and every storm causes a line outage and burns up the attached wic. We've made sure the chassis are grounded, but would also like to try and install a surge protection between the v.35 interface of the telco and our CPEs. I see that Cisco offers a surge protection cable for smart serial interfaces, but not for classic serial interfaces. I wanted to ask what others would recommend / experiences regarding surge protection on leased lines.

This is an external CSU? I think you want it between the telco smartjack and the CSU, not on the v.35. This should be two pairs of wires. First thing to do is ensure that the telco smartjack, the CSU, and the router are solidly connected to a common ground, as this may be the source of the problem if the sneak current is not coming across the leased line. There are a number of companies making lightning protectors for twisted pair lines, Reliable Electric and Polyphaser are two.
But, triple-check the grounding first because if it's common-mode across a ground differential the protectors won't help. -- Jay Hennigan - CCIE #7880 - Network Engineering - [EMAIL PROTECTED] Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] RTP related question
You can use saa on cisco routers to simulate traffic and gather stats (jitter, packet loss etc.). That won't tell if the ports are open but you can check line quality etc.
http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a00801b1a1e.shtml

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tseveendorj Ochirlantuu
Sent: Tuesday 2 September 2008 3.54
To: [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Subject: [c-nsp] RTP related question

Hi

I couldn't imagine how to test RTP between 2 points. How do I know remote RTP ports open?

Sincerely,
Tseveen
Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
If I simply assign something like IP 127.0.0.5/30 to the port and throw a ton of traffic to 127.0.0.6, will the packets actually go out the port? Or will the router see that the port is looped and just discard the traffic?

From the router running extended pings to the 127.0.0.5 address (the interface physical address) will do it for you.
http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a00800a7599.shtml

Regards
Brian
Re: [c-nsp] 7206VXR and CBWFQ
Please don't tell that to this router

policy-map llq
 class sipRTP
  priority 512
 class class-default
  fair-queue
  random-detect

vc-class atm CVPHDSL-VoIP
 vbr-nrt 1524 1524
 encapsulation aal5snap

interface ATM3/0.20842 point-to-point
 description cust 1
 ip address 192.168.0.41 255.255.255.252
 pvc CVPH_CUSTVOIP 208/42
  class-vc CVPHDSL-VoIP
  service-policy out llq

7200-accessjn3#sh policy-map int ATM3/0.20842
ATM3/0.20842: VC 208/42 -
Service-policy output: llq
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 5466056/418685691
Class-map: sipRTP (match-all)
5466056 packets, 418685691 bytes
5 minute offered rate 61000 bps, drop rate 0 bps
Match: access-group 5
Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0
Class-map: class-default (match-any)
492783 packets, 493906760 bytes
5 minute offered rate 509000 bps, drop rate 0 bps
Match: any
492783 packets, 493906760 bytes
5 minute rate 509000 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
(pkts output/bytes output) 492733/493866217
Fair-queue: per-flow queue limit 16
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class Transmitted Random drop Tail/Flow drop Minimum Maximum Mark
pkts/bytespkts/bytes pkts/bytesthresh thresh prob
0 486842/493318682 0/0 50/40543 2040 1/10
1 54/22464 0/0 0/0 2240 1/10
2 6/746 0/0 0/0 2440 1/10
3 0/0 0/0 0/0 2640 1/10
4 5/330 0/0 0/0 2840 1/10
5 20/12000/0 0/0 3040 1/10
65753/515372 0/0 0/0 3240 1/10
7 53/74230/0 0/0 3440 1/10

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

From: Victor Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Friday 17 October 2008 18.52
To: Brian Turnbow
Cc: Networkers; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

Hi,

Subinterfaces and software interfaces do not have their own separate transmit (Tx) ring; therefore, no congestion can occur. These interface types include dialers, tunnels, and Frame Relay subinterfaces, and will only congest when their main hardware interface Tx ring congests. The Tx ring state is an indication of congestion for software interfaces.

router(config)# interface Serial0/0.1
router(config-subif)# service-policy output test
CBWFQ : Not supported on subinterfaces

1. Create a child or lower-level policy that configures a queueing mechanism. In the example below, we configure LLQ using the priority command and CBWFQ using the bandwidth command. Refer to Congestion Management Overview for more information.

policy-map child
 class voice
  priority 512

2. Create a parent or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy since the admission control for the child class is done based on the shaping rate for the parent class.

policy-map parent
 class class-default
  shape average 200
  service-policy child

3. Apply the parent policy to the subinterface.

interface Serial0/0.1
 service-policy parent

Cisco Page: http://tinyurl.com/ytt8ge

Note: Class-based shaping works at the interface and subinterface level. Cisco IOS 12.2(2.5) introduces the ability to configure shaping on the main interface and IP addresses on the subinterfaces.

thanks,
Victor Cappuccio
CCIE R/S# 20657 CCSI# 30452
www.anetworkerblog.com

On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow [EMAIL PROTECTED] wrote:

Your pvc needs to be abr/vbr/cbr
You can't do it on ubr

Regards
Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Networkers
Sent: Friday 17 October 2008 17.10
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7206VXR and CBWFQ

Whenever I try to apply the following I get an error message about how CBWFQ can't be applied to subinterfaces. What
Re: [c-nsp] 7206VXR and CBWFQ
Cisco IOS Software, 7200 Software (C7200P-JS-M), Version 12.2(31)SB13, RELEASE SOFTWARE (fc1)

Brian

From: Networkers [mailto:[EMAIL PROTECTED]
Sent: Sunday 2 November 2008 18.20
To: Brian Turnbow; Victor Cappuccio
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

What code rev is in there?

Thanks,
Chris

On 10/20/08 3:20 AM, Brian Turnbow [EMAIL PROTECTED] wrote:

Please don't tell that to this router

policy-map llq
 class sipRTP
  priority 512
 class class-default
  fair-queue
  random-detect

vc-class atm CVPHDSL-VoIP
 vbr-nrt 1524 1524
 encapsulation aal5snap

interface ATM3/0.20842 point-to-point
 description cust 1
 ip address 192.168.0.41 255.255.255.252
 pvc CVPH_CUSTVOIP 208/42
  class-vc CVPHDSL-VoIP
  service-policy out llq

7200-accessjn3#sh policy-map int ATM3/0.20842
ATM3/0.20842: VC 208/42 -
Service-policy output: llq
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 5466056/418685691
Class-map: sipRTP (match-all)
5466056 packets, 418685691 bytes
5 minute offered rate 61000 bps, drop rate 0 bps
Match: access-group 5
Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0
Class-map: class-default (match-any)
492783 packets, 493906760 bytes
5 minute offered rate 509000 bps, drop rate 0 bps
Match: any
492783 packets, 493906760 bytes
5 minute rate 509000 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
(pkts output/bytes output) 492733/493866217
Fair-queue: per-flow queue limit 16
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class Transmitted Random drop Tail/Flow drop Minimum Maximum Mark
pkts/bytespkts/bytes pkts/bytes thresh thresh prob
0 486842/493318682 0/0 50/40543 2040 1/10
1 54/22464 0/0 0/0 2240 1/10
2 6/746 0/0 0/0 2440 1/10
3 0/0 0/0 0/0 2640 1/10
4 5/330 0/0 0/0 2840 1/10
5 20/12000/0 0/0 3040 1/10
65753/515372 0/0 0/0 3240 1/10
7 53/74230/0 0/0 3440 1/10

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

From: Victor Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Friday 17 October 2008 18.52
To: Brian Turnbow
Cc: Networkers; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

Hi,

Subinterfaces and software interfaces do not have their own separate transmit (Tx) ring; therefore, no congestion can occur. These interface types include dialers, tunnels, and Frame Relay subinterfaces, and will only congest when their main hardware interface Tx ring congests. The Tx ring state is an indication of congestion for software interfaces.

router(config)# interface Serial0/0.1
router(config-subif)# service-policy output test
CBWFQ : Not supported on subinterfaces

1. Create a child or lower-level policy that configures a queueing mechanism. In the example below, we configure LLQ using the priority command and CBWFQ using the bandwidth command. Refer to Congestion Management Overview for more information.

policy-map child
 class voice
  priority 512

2. Create a parent or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy since the admission control for the child class is done based on the shaping rate for the parent class
[c-nsp] CISCO-AAL5-MIB
Hello all,

I have some vxrs running 12.2.31SB13 and have run into a strange situation. We use snmp for statistics gathering etc. Specifically we use the aal5 mib for atm info gathering 1.3.6.1.4.1.9.9.66.1.1.1.1.1

Everything seemed to be going fine but now I see that some vcs do not show up in the mib. I can see the aal5 interface in the ifindex and browsing .1.3.6.1.2.1.2.2 everything is fine, there are statistics, names etc. for the interfaces. Yet in the cisco mib nothing, and there is also nothing in the ATM-EXT-Mib for these pvcs as well. There is no configuration difference between the pvcs correctly showing up and those that aren't. I have checked the bug toolkit yet not found anything.

Has anyone run into this? Any suggestions?

Thanks
Brian
Re: [c-nsp] GSR no ldp all of a sudden
I would start with what was done here?

Nov 6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Tech
Sent: Thursday 6 November 2008 17.39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR no ldp all of a sudden

Hi

I have a couple of GSR's and 7600's running ldp in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours. I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success.

Here is a brief output of some ldp commands:

-here the LDP suddenly dropped
Nov 6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov 6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
Nov 6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov 6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
Nov 6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov 6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending

rt-lon-12#sh mpls ldp neighbor
rt-lon-12#sh mpls ldp discovery
Local LDP Identifier: 5.14.95.246:0
Discovery Sources:
Interfaces:
Port-channel1 (ldp): xmit/recv
LDP Id: 5.14.95.243:0
Port-channel2 (ldp): xmit/recv
LDP Id: 5.14.95.244:0
Port-channel3 (ldp): xmit/recv
LDP Id: 5.14.95.245:0

rt-lon-12#sh mpls interfaces
Interface IP Tunnel Operational
GigabitEthernet0/0/0 Yes No Yes
GigabitEthernet0/0/1 Yes No Yes
GigabitEthernet0/0/2 Yes No Yes
GigabitEthernet0/0/3 Yes No Yes
GigabitEthernet0/0/4 Yes No Yes
GigabitEthernet0/0/5 Yes No Yes
Port-channel1 Yes (ldp) No Yes
Port-channel2 Yes (ldp) No Yes
Port-channel3 Yes (ldp) No Yes

Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses

Regards
Mark
Re: [c-nsp] vrf-lite and pppoA interfaces
Hi Wayne,

Take a look into assigning via radius the vrf for the pppoa sessions. If you google on the list you will find several discussions on the issue. You can then use vrf aware firewall features (like vrf aware nat etc.) for internet access.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_vrfaw.html

Other options are listed here
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml

Regards
Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wayne Lee
Sent: Thursday 6 November 2008 18.51
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] vrf-lite and pppoA interfaces

Hello List

I have a dedicated LNS for what we call our pwan customers, all connections are ADSL PPPoA and they all use private IP ranges as there is currently no internet access. We have about 150 connections spread over 8 customers, these are currently grouped by customer and then separated from other pwans using access-lists which are applied via radius.

We want to allow internet access to these pwans and move them into a vrf-lite setup with one vrf per pwan so this also gives us the ability to allow over-lapping IP space. My vrf knowledge is (very) limited and I'm struggling to understand the best way to make this work. I have tested a basic vrf setup (with success) in the lab but this was with 3 routers and no PPPoA/virtual-access interfaces.

My confusion is about the ip vrf forwarding, in the lab I put this on each ethernet on the main router but in the PPPoA setup there will not be a dedicated ethernet per vrf, also I'll not need traffic between vrf's so do I just need to export the routes to the rib so the customers can get internet traffic?

Help, clue sticks and any advice will be very welcome.

Thanks
Wayne
Re: [c-nsp] Cisco IOS for broadband aggregation
We're still on 12.2.31SB13 with g2s mainly due to an issue we found with tcp header compression with SRC. We have some small vbr connections for voip with header compression enabled and found that a telnet session over the link would cause the router to crash in SRC.

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Friday 7 November 2008 14.23
To: 'Rinse Kloek'; 'Roddy Strachan'
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] Cisco IOS for broadband aggregation

We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels).

On the NPE-1G's we're running same release with no issue neither

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rinse Kloek
Sent: Thursday, November 06, 2008 4:14 PM
To: Roddy Strachan
Cc: Cisco-nsp
Subject: Re: [c-nsp] Cisco IOS for broadband aggregation

What kind of features do you use with the 7206VXR box? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6.

regards
Rinse

Roddy Strachan wrote:

Ruben,

Funny you mention it. I've just finished an upgrade of a mixture of 7301 and 7206vxr to 12.2(31)SB13. Had a 7301 running in production for 1 week, no issues, the LNS seems a lot more stable if you ask me. Don't know how the 7206 will go as they have been in production less than an hour :). So far so good, no real issues to report.

On 7/11/08 8:03 AM, Ruben Alvarez [EMAIL PROTECTED] wrote:

Hi All,

I'm upgrading IOS on my c7206VXR with an npe-300 and:
UBR7200-I/O-2FE/E
PA-A3-T3=
PA-IMA-T1=
PA-4E=

I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't seen much about it. I assume it's got the same features as (28)? If anyone has any feedback let me know.

Thanks.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
Re: [c-nsp] Config Length Limit? 7600
You can always save /boot to/from a copy saved to disk

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Prall
Sent: Friday 7 November 2008 15.01
To: 'Paul Stewart'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Config Length Limit? 7600

NVRAM space, then you can use service compress-config but that makes boot time slower. You have 2MB of NVRAM, mine states 1917KB. But crypto keys and the such don't show up in sh run and they do take space. Also snmp ifindex takes space as well.

David
--
http://dcp.dcptech.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Paul Stewart
Sent: Friday, November 07, 2008 8:23 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Config Length Limit? 7600

Hi there...

Is there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future this is mainly prefix-lists etc.

Thanks,
Paul
Re: [c-nsp] interface packets/sec MIB
RFC 1213 .1.3.6.1.2.1.2.2.1
Inside you may find unicast packets and non unicast packets

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Samit
Sent: Thursday 13 November 2008 9.36
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] interface packets/sec MIB

Hi list,

I want to graph the in/out pps counter of every individual interface of my routers, but I could not find the MIB for it. Anyone knows the MIB for this?

Regards,
Samit
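An added example (not part of the thread) of turning the ifEntry packet counters named in the reply into packets per second from two polls. The column numbers are the RFC 1213 ifTable columns; the ifIndex and all sample values are constructed, and fetching the values over SNMP is left to whatever poller is in use.

```python
# ifEntry from RFC 1213, the OID quoted in the reply above.
IF_ENTRY = "1.3.6.1.2.1.2.2.1"
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"      # sysUpTime, in hundredths of a second
COUNTER32 = 2 ** 32                    # RFC 1213 counters are 32 bits wide

# ifTable columns: 11 ifInUcastPkts, 12 ifInNUcastPkts,
#                  17 ifOutUcastPkts, 18 ifOutNUcastPkts
COLUMNS = {"in": (11, 12), "out": (17, 18)}


def poll_oids(if_index):
    """OIDs to request in one poll for a single interface."""
    oids = [SYS_UPTIME]
    for cols in COLUMNS.values():
        oids += [f"{IF_ENTRY}.{col}.{if_index}" for col in cols]
    return oids


def counter_delta(prev, curr):
    """Difference between two Counter32 readings, tolerating one wrap."""
    return (curr - prev) % COUNTER32


def packet_rates(prev, curr, if_index):
    """Return {'in': pps, 'out': pps} between two polls.

    prev and curr map OID -> integer value. Returns None when sysUpTime
    did not advance (agent restart), because the counters restarted too
    and a delta across the restart would be meaningless.
    """
    ticks = curr[SYS_UPTIME] - prev[SYS_UPTIME]
    if ticks <= 0:
        return None
    seconds = ticks / 100.0
    rates = {}
    for direction, cols in COLUMNS.items():
        packets = 0
        for col in cols:
            oid = f"{IF_ENTRY}.{col}.{if_index}"
            packets += counter_delta(prev[oid], curr[oid])
        rates[direction] = packets / seconds
    return rates


# Constructed sample: two polls 30 seconds apart for ifIndex 3.
# ifInUcastPkts wraps past 2**32 between the polls.
SAMPLE_IF_INDEX = 3
SAMPLE_PREV = {
    SYS_UPTIME: 1_000_000,
    f"{IF_ENTRY}.11.3": 4_294_967_000,
    f"{IF_ENTRY}.12.3": 100,
    f"{IF_ENTRY}.17.3": 1_000,
    f"{IF_ENTRY}.18.3": 0,
}
SAMPLE_CURR = {
    SYS_UPTIME: 1_003_000,
    f"{IF_ENTRY}.11.3": 5_704,
    f"{IF_ENTRY}.12.3": 400,
    f"{IF_ENTRY}.17.3": 4_000,
    f"{IF_ENTRY}.18.3": 0,
}

if __name__ == "__main__":
    print(poll_oids(SAMPLE_IF_INDEX))
    print(packet_rates(SAMPLE_PREV, SAMPLE_CURR, SAMPLE_IF_INDEX))
```

On fast interfaces a 32-bit packet counter can wrap more than once between polls, so the poll interval has to be short enough for a single wrap to be the worst case.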
[c-nsp] R: ISDN to VoIP dial-peer Question
use translation rules. add a prefix inbound on each side and use that for routing.
i.e add 111 from pots and 222 from ip
outgoing on pots the destination pattern 222T will strip the 222 and send it out clean
on the ip side 111T, you will need to translate outgoing to remove the 111 as voip peers do not digit strip

regards
Brian

From: [EMAIL PROTECTED] on behalf of Dan Armstrong
Sent: Tue 18/11/2008 20.45
To: Cisco-nsp
Subject: [c-nsp] ISDN to VoIP dial-peer Question

I'm trying to setup a seemingly simple application with an AS-5400XM as a PSTN gateway for a hosted VoIP service. Sip proxy users on one side, PRI on the other side. I setup 2 dialpeers, one for each. I just want every call coming off the ISDN PRI to be sent to the SIP proxy, and vice versa.

I (foolishly) used .T in both dial peer configurations, in hopes of accomplishing this without any major configuration:

dial-peer voice 1 voip
 destination-pattern .T
 session protocol sipv2
 session target sip-server
 codec g711ulaw
!
dial-peer voice 70 pots
 destination-pattern .T
 direct-inward-dial
 port 7/0:1:D

The problem is that the pots dial peer also matches itself much (most) of the time, and when a call comes in, it gets sent back out to the telco, who sends it back to me, and only then do we send it to the SIP server. This is causing almost every call from PSTN to use up 3 channels on the PRI!

The recommended solution is to list all the DIDs on the SIP side in my dialpeer however there are thousands of DIDs, few of them are sequential. We're LNPing customer numbers onto the PRI all the time - to manually keep a list of the DIDs inside each AS-5400's dial-peer config is completely impractical.

Surely I'm not the first person to encounter this? Is there a simple solution here? Can the 5400 consult an outside directory? Can it be told not to send a call back out a dial peer that it received it on? Is there some fancy prefixing method I haven't thought of?
[c-nsp] R: Tunnel keepalive in NAT environment problem
why not set up saa to ping through the tunnel on each router? It will keep the tunnel up without having to set up keepalive.

Brian

From: [EMAIL PROTECTED] on behalf of Brett Frankenberger
Sent: Tue 18/11/2008 19.48
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Tunnel keepalive in NAT environment problem

On Tue, Nov 18, 2008 at 02:03:08PM +0100, Oliver Boehmer (oboehmer) wrote:

Well, it looks like the linux NAT/firewall is not NAT'ing the keepalive GRE packets correctly, otherwise they would not arrive with the 172.16.1.1 src address on router2. Not sure what's happening there, but I would focus my attention on the NAT/firewall box.. I guess NAT for the other GRE packets work just fine? Maybe related to the different protocol type (0x0) or the lack of payload in the GRE keepalive packet?

oli

The issue is that a GRE keepalive packet has the originating tunnel endpoint IP address as the destination address of the encapsulated packet.

That is, consider the following:

interface tunnel1
 tunnel source 10.0.0.1
 tunnel destination 20.0.0.2
 tunnel keepalive

(Not sure I've got the syntax right, but you get the idea.)

A keepalive packet generated by the router will look like the following:

IP header: Source=10.0.0.1 Destination=20.0.0.2 Protocol=GRE
GRE Header: Protocol=IP
Encapsulated Packet:
  IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
  GRE Header: 0x

The idea is that the router at the far end will receive the packet, remove the outer header, and transmit the encapsulated packet. (The router at the far end will, then, not do any special processing at all for a keepalive packet originating from the near end.)

The issue with keepalive is that the 10.0.0.1 appears in the encapsulated packet, so if that's being NAT'd somewhere, for keepalive to work, the NAT needs to translate the address on the encapsulated packet also. AFAIK, essentially no NATs will do that.

So, anyway, suppose that 10.0.0.1 is being NAT'd to 30.0.0.1. The far end router then receives:

IP header: Source=30.0.0.1 Destination=20.0.0.2 Protocol=GRE
GRE Header: Protocol=IP
Encapsulated Packet:
  IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
  GRE Header: 0x

The far end router's normal GRE processing then involves removing the outer header, and attempting to send the following packet:

IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
GRE Header: 0x

This fails because the far end router has no path to get to 10.0.0.1, because it should be sending to 30.0.0.1.

The reason that isn't a problem for other GRE packets is that, in general, there's no requirement that the encapsulated packet be translated by the NAT, because, in general, the tunnel endpoint IP addresses don't appear as source or destination addresses on the encapsulated packet. More generally, GRE works fine through NAT as long as the expectation is that one or both of the tunnel endpoint addresses will be translated, but the packets flowing through the tunnel don't need NAT. However, once you enable keepalive, you effectively create a requirement that the encapsulated packets be translated, because Cisco GRE keepalive depends on using the tunnel origin/destination address in encapsulated packet.

This also, in general, breaks keepalives when a tunnel interface has ip forwarding vrf ' and tunnel vrf where and aren't the same. (This is because the keepalive processing on the far end will result in a packet being sent in vrf to a destination IP address that is really in vrf .)

And, yes, I think this is horribly broken. A much better GRE keepalive implementation would be to just send

IP header: Source=30.0.0.1 Destination=20.0.0.2 Protocol=GRE
GRE Header: Protocol=KeepaliveRequest

and have the far end router generate a

IP header: Source=20.0.0.2 Destination=30.0.0.1 Protocol=GRE
GRE Header: Protocol=KeepaliveResponse

This would work through NAT and through complicated VRF configurations. But that's not what Cisco implemented.

-- Brett
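The failure described in the message above can be reproduced at the byte level. This is an added example, not code from the thread: it builds the keepalive with the post's addresses, applies a source NAT that rewrites only the outer header, and runs the far end's decapsulate-and-route step. The inner source address, the far end's routing table and the data packet's addresses are assumptions made for the demonstration.

```python
import ipaddress
import struct

GRE_PROTO = 47          # IP protocol number for GRE
ETHERTYPE_IP = 0x0800   # GRE protocol type for an IPv4 payload


def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def gre(proto_type: int, payload: bytes = b"") -> bytes:
    """4-byte GRE header (no flags set) followed by the payload."""
    return struct.pack("!HH", 0, proto_type) + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an option-less IPv4 packet."""
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[20:]


def keepalive(tunnel_src: str, tunnel_dst: str) -> bytes:
    """Keepalive as laid out in the post: the encapsulated packet is
    addressed back to the sender's own tunnel source. The inner source
    (shown as '?' in the post) is set to the tunnel destination here,
    which is an assumption."""
    inner = ipv4(tunnel_dst, tunnel_src, GRE_PROTO, gre(0))
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre(ETHERTYPE_IP, inner))


def source_nat(pkt: bytes, inside: str, outside: str) -> bytes:
    """Rewrite only the outer source address; the payload is untouched."""
    src, dst, proto, payload = parse_ipv4(pkt)
    return ipv4(outside if src == inside else src, dst, proto, payload)


def far_end_forward(pkt: bytes, routes):
    """Far-end GRE processing: strip the outer IP and GRE headers, then
    route the inner packet. Returns the inner destination when a route
    covers it, or None when the packet would be dropped."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != GRE_PROTO or struct.unpack("!HH", payload[:4])[1] != ETHERTYPE_IP:
        return None
    inner_dst = parse_ipv4(payload[4:])[1]
    addr = ipaddress.IPv4Address(inner_dst)
    if any(addr in ipaddress.ip_network(r) for r in routes):
        return inner_dst
    return None


# Constructed far-end routing table: it knows the translated address
# 30.0.0.1 and one LAN behind the tunnel, but has no route to 10.0.0.1.
FAR_END_ROUTES = ["30.0.0.0/24", "192.168.50.0/24"]


def demo():
    """Send a keepalive and a normal tunnelled packet through the NAT."""
    ka = source_nat(keepalive("10.0.0.1", "20.0.0.2"), "10.0.0.1", "30.0.0.1")
    user = ipv4("192.168.60.5", "192.168.50.9", 17, b"x")   # constructed
    data = source_nat(
        ipv4("10.0.0.1", "20.0.0.2", GRE_PROTO, gre(ETHERTYPE_IP, user)),
        "10.0.0.1", "30.0.0.1")
    return {
        "keepalive_outer_src": parse_ipv4(ka)[0],
        "keepalive_returned_to": far_end_forward(ka, FAR_END_ROUTES),
        "data_forwarded_to": far_end_forward(data, FAR_END_ROUTES),
    }


if __name__ == "__main__":
    print(demo())
```

The keepalive comes back as dropped while the ordinary tunnelled packet is forwarded, which is the asymmetry the message explains: only the keepalive carries a tunnel endpoint address inside the encapsulated packet.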
Re: [c-nsp] wireless access-controll feature in ios software
you mean the authentication proxy in ios?
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_1.html

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Tuesday 25 November 2008 21.53
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] wireless access-controll feature in ios software

Hi all.

I'm searching my memory about an IOS that I seem to remember, that can authenticate wireless users via an authentication website configured directly in the IOS box. But I just can't remember what or where it was. Is there someone here that remember anything about this; I believe that it was an unsupported feature.

/Arne
Re: [c-nsp] Stream Association Failed: Requested codec=0x5=g711ulaw, Negotiated codec=0xFFFFFFFF=No Code
A dial peer pots cannot have a codec
You need to place it in the voip dial peer.
The default codec is g729, you can change it by setting a default codec class using voice class codec

Regards
Brian

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aljula Hasa
Sent: Wednesday 14 January 2009 12.32
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Stream Association Failed: Requested codec=0x5=g711ulaw,Negotiated codec=0x=No Code

Hi,

I am trying to run TCL IVR v2.0 script. The voice/audio is not heard. TCL IVR application seems to run ok but don't hear voice for the reason Stream Association Failed: Requested codec=0x5=g711ulaw, Negotiated codec=0x=No Code.

How to set codec g711ulaw in gateway? The dial-peer is pots.
Re: [c-nsp] MPLS Question - Applying QoS using MQC
Why not use a service policy on the input interface to color your traffic? This can be sent by radius as well depending on your ios. With this method you could even classify different incoming traffic (ie high priority, normal etc.) inside the VPN. Then match based on dscp. Much more flexible

Brian

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andy Saykao
Sent: Friday 23 January 2009 0.58
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MPLS Question - Applying QoS using MQC

Hi All,

I have just have a few questions about MQC and how to use the class-map match command to match incoming traffic from MPLS VPN customers at the PE so that we can apply the correct QoS treatment.

1/ Match Sub-Interfaces ???

For example, we have some MPLS VPN customers that are connected via sub-interfaces (eg: Gi0/1.902) and the class-map match command doesn't allow you to match on sub-interfaces. Any ideas on how to match traffic from sub-interfaces?

interface GigabitEthernet0/1.902
 description PE to CE_CUST_A_1
 encapsulation dot1Q 902
 ip vrf forwarding NSTEST
 ip address 10.15.99.9 255.255.255.252
!

test-mpls-cr(config)#class-map match-all TEST
test-mpls-cr(config-cmap)#match input-interface gigabitEthernet 0/1.902
^
% Invalid input detected at '^' marker.

Can we just match on VLAN instead???

test-mpls-cr(config)#class-map match-all TEST
test-mpls-cr(config-cmap)#match input-interface vlan ?
1-4095 Vlan interface number

2/ Match ADSL ???

Some MPLS VPN customers are also connected via ADSL (PPPoX) and get placed in the corresponding VRF by radius. How do we perform a match on these MPLS VPN customers that are connecting via ADSL? I see that we can match on virtual-template but currently all of our ADSL subscribers use the same virtual-template.

test-mpls-cr(config)#class-map match-all TEST
test-mpls-cr(config-cmap)#match input-interface virtual-template ?
1-1000 Virtual-Template interface number

If I set up a new virtual-template for MPLS VPN customers this might work, but then not all ADSL MPLSVPN customers will want to pay for QoS, so I guess we will have to create TWO new virtual-templates (one for those MPLS VPN customers who want QoS and the other for customers who don't want to pay for QoS). Any others ideas on how this can be accomplished?

3/ Match ATM interfaces???

How do I match MPLS VPN customers that are connected via ATM???

interface ATM1/0.304470 point-to-point
 bandwidth 2048
 ip vrf forwarding NSTEST
 ip address 10.15.100.1 255.255.255.252
 ip flow ingress
 atm route-bridged ip
 no atm enable-ilmi-trap
 pvc 10/100
  ubr 2048
  encapsulation aal5snap

Given that MPLS VPN customer's can use overlapping IP addresses, I don't think we can match on source or destination IP addresses.

Thanks.
Andy
Re: [c-nsp] Hardware limitations on SUP32 with LDP and full routing table
As has been said before... it's unfortunate cisco decided not to do a Sup32-3bxl. It renders the Sup32 unsuitable for use in networks where a Sup2 doesn't cut it, but Sup720-3bxl is overkill.

Especially after they said they would (at least at this roadshow) http://www.cisco.at/partner/pdf/Tkrewedl_Roadshow_jan05_catalyst_TK.pdf

I've heard that some have tried it and it worked; this was quite a while ago though. I'm sure newer IOS checks and complains if it finds a bxl.

Brian
Re: [c-nsp] 7200VXR for Session Border Controller
You need to look for unified border element, it used to be multiservice ip to ip gateway. There should be some basic example on the site as well. Here is the configuration guide:
http://www.ciscosystems.com/en/US/docs/ios/voice/cube/configuration/guide/12_4t/vb_12_4t_book.html

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of chris.f...@yahoo.ca
Sent: Monday, 9 February 2009 19.02
To: Cisco NSP
Subject: [c-nsp] 7200VXR for Session Border Controller

Hello,

We are looking to deploy a SBC for SIP subscribers and are looking at using a 7204VXR. We are not needing transcoding facilities but simply forwarding SIP INVITES and signalling to and from a SIP server to subscribers. The documentation regarding the setup of such a system is terse, therefore any pointers to related information or example configs would be appreciated.

Thanks,
C. Flav
Re: [c-nsp] snmp-server ifindex persist - store data on flash/disk?
I'm guessing you want the fixed ifindex for snmp polling purposes. If that is the case try the aal5 cisco mib where you can poll based on vc data. Note that it seems to not work well if you have persistent indexes in use, at least on 12.2SB.

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Hennigan
Sent: Tuesday, 10 March 2009 0.15
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] snmp-server ifindex persist - store data on flash/disk?

We have a number of 7206VXR boxes terminating ATM ADSL aggregation circuits. With a large number of interfaces, the persistent index table is too large for NVRAM and the interface IDs change on reboot just as if the command weren't specified.

Is there a workaround or command to store the persistent data on the flash disk which has plenty of room?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] 7206 NON VXR
225 is the last supported version; 300 will work depending on ios version. It is not supported by cisco, and 12.1 and above don't let you boot with a 300 in it; 12.0 will.

System returned to ROM by reload at 11:33:21 CEST Fri Aug 22 2008
System restarted at 11:34:44 CEST Fri Aug 22 2008
System image file is disk1:c7200-p-mz.120-32.S11.bin
cisco 7206 (NPE300) processor with 262144K/32768K bytes of memory.
Processor board ID 18283396
R7000 CPU at 262Mhz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot midplane, Version 1.3

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Samantha (Regional Connect)
Sent: Tuesday, 17 March 2009 17.22
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7206 NON VXR

Hey Guys

What is the max processor board I can use with a non vxr chassis?

Thanks
Samantha
Re: [c-nsp] 3750 High Cpu IP Input
You can use show controller cpu to help see what's going to the cpu. Make sure you have no ip redirects and no proxy arp on all the interfaces.

How many routed interfaces do you have? The output below for max is for 8 routed interfaces; if you have more you should change to the desktop switching template. With roughly your values for indirectly connected routes and 13 ip interfaces on a box I needed to switch the template. sdm prefer routing requires reload.

Regards
Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane
Sent: Friday, 24 April 2009 1.09
To: Peter Rathlev
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 High Cpu IP Input

sh platform tcam utilization

CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        784/6272         37/235
 IPv4 IGMP groups + multicast routes:          144/1152          6/26
 IPv4 unicast directly-connected routes:       784/6272         37/235
 IPv4 unicast indirectly-connected routes:     272/2176         52/326
 IPv4 policy based routing aces:                 0/0             0/0
 IPv4 qos aces:                                528/528          18/18
 IPv4 security aces:                          1024/1024         57/57

Note: Allocation of TCAM entries per feature uses a complex algorithm. The above information is meant to provide an abstract view of the current TCAM utilization

Hope this helps.

On Thu, Apr 23, 2009 at 4:41 PM, Peter Rathlev pe...@rathlev.dk wrote:

On Thu, 2009-04-23 at 16:15 -0400, Chris Lane wrote:

This box has been in production for over a year and doesn't really do too much; as you can see from my orig thread it moves about 11MB. This just started late last night yet we didn't add any new customer nor did anybody even touch switch as the device is remote. I read in an older thread regarding same thing that the person rebooted and of course it resolved issue. I am planning to do that early tomorrow am, but I really want to know what the heck is causing this. Yes CEF is running.

What about TCAM utilisation (show platform tcam utilization)?

Regards,
Peter

--
//CL
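The check discussed in this thread, as an added example (not code from any of the posts): a small Python parser for `show platform tcam utilization` output that reports any feature whose masks or values are at or above a threshold. The first sample uses the figures posted above, laid out one row per line; the second sample and the 80% threshold are constructed assumptions.

```python
import re

# One data row: "<feature>:  maxMasks/maxValues  usedMasks/usedValues"
ROW_RE = re.compile(
    r"^\s*(?P<feature>[A-Za-z][^:]*):\s*"
    r"(?P<max_m>\d+)/(?P<max_v>\d+)\s+(?P<used_m>\d+)/(?P<used_v>\d+)\s*$"
)

# Figures as posted in the thread (layout is an assumption).
POSTED = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        784/6272         37/235
 IPv4 IGMP groups + multicast routes:          144/1152          6/26
 IPv4 unicast directly-connected routes:       784/6272         37/235
 IPv4 unicast indirectly-connected routes:     272/2176         52/326
 IPv4 policy based routing aces:                 0/0             0/0
 IPv4 qos aces:                                528/528          18/18
 IPv4 security aces:                          1024/1024         57/57
Note: Allocation of TCAM entries per feature uses a complex algorithm.
"""

# Constructed sample: the route masks are nearly used up while the
# values for the same feature still look comfortable.
CONSTRUCTED = POSTED.replace("52/326", "260/1300")


def parse_tcam(text):
    """Return {feature: (max_masks, max_values, used_masks, used_values)}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and "Note:" lines do not match and are skipped
            rows[m["feature"].strip()] = tuple(
                int(m[k]) for k in ("max_m", "max_v", "used_m", "used_v")
            )
    return rows


def near_exhaustion(text, threshold_pct=80):
    """List (feature, resource, percent) for anything at or above threshold."""
    findings = []
    for feature, (max_m, max_v, used_m, used_v) in parse_tcam(text).items():
        for resource, used, limit in (("masks", used_m, max_m),
                                      ("values", used_v, max_v)):
            if limit == 0:  # feature has no allocation in this template
                continue
            pct = used * 100 // limit
            if pct >= threshold_pct:
                findings.append((feature, resource, pct))
    return findings


if __name__ == "__main__":
    for label, sample in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, near_exhaustion(sample) or "nothing near exhaustion")
```

Masks and values are checked separately because one can run out before the other, as the constructed sample shows.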
Re: [c-nsp] 3750 High Cpu IP Input
How many routed interfaces do you have (sh ip int brief with ip addresses)? If more than 8 change the sdm template to routing. You can use sh platform ip unicast failed route to see if routes are failing to be programmed into tcam.

Brian

From: Chris Lane [mailto:clane1...@gmail.com]
Sent: Friday, 24 April 2009 11.17
To: Brian Turnbow
Cc: Peter Rathlev; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 High Cpu IP Input

sh controllers cpu-interface

ASIC  Rxbiterr Rxunder Fwdctfix Txbuflos Rxbufloc Rxbufdrain
ASIC0 0 0 0 0 0 0
ASIC1 0 0 0 0 0 0

cpu-queue-frames retrieved dropped invalid hol-block stray
rpc 0 0 0 0 0
stp 1807 0 0 0 0
ipc 0 0 0 0 0
routing protocol 15163260 0 0 0
L2 protocol 27 0 0 0 0
remote console 0 0 0 0 0
sw forwarding 9150 0 0 0
host 2014 0 0 0 0
broadcast 1766 0 0 0 0
cbt-to-spt 0 0 0 0 0
igmp snooping 15186510 0 0 0
icmp 45 0 0 0 0
logging 0 0 0 0 0
rpf-fail 0 0 0 0 0
queue14 0 0 0 0 0
cpu heartbeat 14116 0 0 0 0

ODD I have disabled IGMP SNOOPING...

On Fri, Apr 24, 2009 at 4:19 AM, Brian Turnbow b.turn...@twt.it wrote:

You can use show controller cpu to help see what's going to the cpu. Make sure you have no ip redirects and no proxy arp on all the interfaces.

How many routed interfaces do you have? The output below for max is for 8 routed interfaces; if you have more you should change to the desktop switching template. With roughly your values for indirectly connected routes and 13 ip interfaces on a box I needed to switch the template. sdm prefer routing requires reload.

Regards
Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Chris Lane
Sent: Friday, 24 April 2009 1.09
To: Peter Rathlev
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 High Cpu IP Input

sh platform tcam utilization

CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                        784/6272         37/235
 IPv4 IGMP groups + multicast routes:          144/1152          6/26
 IPv4 unicast directly-connected routes:       784/6272         37/235
 IPv4 unicast indirectly-connected routes:     272/2176         52/326
 IPv4 policy based routing aces:                 0/0             0/0
 IPv4 qos aces:                                528/528          18/18
 IPv4 security aces:                          1024/1024         57/57

Note: Allocation of TCAM entries per feature uses a complex algorithm. The above information is meant to provide an abstract view of the current TCAM utilization

Hope this helps.

On Thu, Apr 23, 2009 at 4:41 PM, Peter Rathlev pe...@rathlev.dk wrote:

On Thu, 2009-04-23 at 16:15 -0400, Chris Lane wrote:

This box has been in production for over a year and doesn't really do too much; as you can see from my orig thread it moves about 11MB. This just started late last night yet we didn't add any new customer nor did anybody even touch switch as the device is remote. I read in an older thread regarding same thing that the person rebooted and of course it resolved issue. I am planning to do that early tomorrow am, but I really want to know what the heck is causing this. Yes CEF is running.

What about TCAM utilisation (show platform tcam utilization)?

Regards
Re: [c-nsp] Reload without confirmation
In the past I used snmp to do this. You need to enable snmp-server system-shutdown before it is possible, and it is not possible on all platforms, but if it takes this command it should work. I don't have the mib handy, but can dig for it if you can't find it.

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Freedman
Sent: Wednesday, 24 June 2009 15.11
To: Jared Mauch; 'Cisco-nsp'
Subject: Re: [c-nsp] Reload without confirmation

No, same problem:

#reload at 01:00
Reload scheduled for 01:00:00 BST Thu Jun 25 2009 (in 10 hours and 50 minutes) by user on vty0 (10.0.0.1)
Reload reason: Reload Command
Proceed with reload? [confirm]

#reload in 5
Reload scheduled for 14:15:10 BST Wed Jun 24 2009 (in 5 minutes) by user on vty0 (10.0.0.1)
Reload reason: Reload Command
Proceed with reload? [confirm]

Dave.

Jared Mauch wrote:

You can't use reload at to meet your needs?

Jared Mauch

On Jun 24, 2009, at 8:25 AM, David Freedman david.freed...@uk.clara.net wrote:

Am trying to reload a low end IOS device (c800 in this case) without displaying a confirmation prompt.

My issue is that the platform needing to issue the command can not see the VTY output so could not be expected to respond to a confirmation prompt, looked in vain for some kind of /noconfirm flag but didn't find one...

Does not appear to be possible with SNMP (even though it accepts the snmp-server shutdown command).

My current solution is to use an EEM applet called manually with a single action of reload, unfortunately this only applies to 800 images with EEM (I would guess ADV images only).

Anybody come up with a better solution?

TIA
Dave.
Re: [c-nsp] round-trip differences towards google
As google is not a single server but a cloud of clusters of servers you are getting routed by a load balancer of some sort. In a nutshell this is what happens: the IP address 209.85.227.103 is a virtual address that gets sent to various real servers. As the source address changes the load balancer sends the request to different real servers.

It is actually much more complicated; if you search for google infrastructure or google network architecture you can find much more detail. The video about how google uses containers in their data center is very interesting.

Regards
Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rens
Sent: Wednesday, 8 July 2009 11.39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] round-trip differences towards google

Hi all,

I'm having some difficulties understanding some round-trip difference on the same router just by changing the source interface. Pings are done towards a resolved IP of www.google.be

ping 209.85.227.103 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 209.85.227.103, timeout is 2 seconds:
!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 8/9/12 ms

ping 209.85.227.103 repeat 50 source AT3/0.102
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 209.85.227.103, timeout is 2 seconds:
Packet sent with a source address of xxx
!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 8/9/12 ms

ping 209.85.227.103 repeat 50 source AT3/0.134
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 209.85.227.103, timeout is 2 seconds:
Packet sent with a source address of xxx
!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 80/83/88 ms

ping 209.85.227.103 repeat 50 source lo0
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 209.85.227.103, timeout is 2 seconds:
Packet sent with a source address of xxx
!!
Success rate is 100 percent (50/50), round-trip min/avg/max = 80/83/88 ms

Is this google magic depending on my source IP address?

Regards,
Rens
Re: [c-nsp] Manually set WS-X6148-GE-TX MTU size (1500, 1518)
1518 = 1500 payload (i.e. IP) + 18 byte ethernet header and trailer.
You need the 6148A to go higher.

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of falz
Sent: Wednesday, 29 July 2009 20.04
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Manually set WS-X6148-GE-TX MTU size (1500, 1518)

Specs on WS-X6148-GE-TX say there is a maximum MTU of 1518:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet0900aecd8017376e_ps4835_Products_Data_Sheet.html

However, on a 6500 running SXH, it will not let me use the mtu command to adjust. I am trying to up the MTU for MPLS. Any way to do this manually or is this something that's supported in hardware and automatically upped slightly if a port were a trunk port, for example?

Trying to avoid purchasing WS-X6516-GE-TX or WS-X6748-GE-TX if possible.
Re: [c-nsp] IP unnumbered vlan subinterfaces question
Not sure what's attached to the IP, or what you want to achieve, but a different approach would be to add no keepalive to the ethernet so it is always up.

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Michael Ulitskiy
Sent: Monday, 3 August 2009 17.10
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IP unnumbered vlan subinterfaces question

Hello,

Guys, are there any drawbacks of doing the following:

interface Lo0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip unnumbered Lo0
!
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
!

as opposed to having ip address configured directly on the interface as usual?

I need that ip address to stay always up regardless of Fa0/0 state, 'cause it's used for other services that should stay up and I'd prefer to avoid assigning another ip address exclusively for loopback use. It seems to work in my lab, but I thought I'd better ask...

Thanks,
Michael
Re: [c-nsp] 7500 for DSL aggregation - RSP memory error?
It's been awhile since I've had one, but the MD error is a memory parity error.

2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04
-Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54

means that it was received on cybus1 (slots 5-7). This comes from the VIP, so I don't think your standby processor is causing it. You need to check on your vip.

I've never been brave enough to try a 7500 for dsl aggregation :) I'd pick up a 7200 instead.

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, 4 August 2009 11.51
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?

I've got a 7507 with dual RSP8's attempting to use rsp-jsv-mz.124-8.bin configured for rpr-plus, but keep getting this around every 10 minutes or so. It results in a loss of connectivity for end-users of course, until the system recovers.

My initial guess is something is wrong with the standby processor (slot 3) or perhaps the memory in it. I've had the tech pull it out to see if the system stabilizes and will bring it back to the lab if it does. Anyone else run into this in the past?

sea-agg-1#
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %RSP-3-ERROR: MD error 0081
-Traceback= 0x40588B14 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04
-Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: bus command write 8bytes (0x7)
-Traceback= 0x40588930 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: physical address (bits 20:12) 0E2000
-Traceback= 0x40588A50 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 6E
-Traceback= 0x40588A74 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured.
2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Error Interrupt register 0xB
2w5d: %VIP4-80 RM7000-1-MSG: slot5 Parity Error internal to CYA
2w5d: %VIP4-80 RM7000-1-MSG: slot5 Missing ACK on CyBus access
2w5d: %VIP4-80 RM7000-1-MSG: slot5 NACK present on CyBus access
2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Other Interrupt register 0x100
2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE HIGH Priority Interrupt
2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE RX HIGH Priority Interrupt
2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYBUS Error Cmd/Addr 0x8001A80, CYBUS Error Data 0x0
2w5d: %VIP4-80 RM7000-1-MSG: slot5 MPUIntfc/PacketBus Error register 0x0
2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Interrupt Status register 0x4
2w5d: %VIP4-80 RM7000-1-MSG: slot5 Address/Command Strobe Timeout
2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address High 0x1C01
2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address Low 0xC
2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SVIP_RELOAD: SVIP Reload is called.
2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8
2w5d: %RSP-3-ERROR: End of MEMD error interrupt processing
-Traceback= 0x40589298 0x405892F0 0x4058A978 0x404CFA54
2w5d: %DBUS-3-CXBUSERR: Slot 5, CBus Error
2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 5, Internal Error due to VIP crash
2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
2w5d: %RSP-3-ERROR: CyBus1 error 10
-Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54
Re: [c-nsp] 3750 Suggestions?
It'll give for more mac space, but you'll have the same problem with routes. Vlan is basically a layer 2 only template so all your ip routes will not be hardware forwarded. For this you'd need an external router.

You could try and take a 3750 out of the stack and use it as the router; the default template gives 6k mac and 8k IP routes, but in your original post it shows over 6k arp entries so it may make it better but is not a complete solution.

You mentioned also a 4948 or a 6500. I think the right choice depends on your current traffic requirements and expected growth in both traffic ports and hosts, with the 6500 giving the maximum room for expansion.

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manaf Al Oqlah
Sent: Thursday, 6 August 2009 14.29
To: Carl Jones; cisco-nsp
Subject: Re: [c-nsp] 3750 Suggestions?

use the desktop vlan template

--
From: Carl Jones c...@outerloop.net
Sent: Thursday, August 06, 2009 4:21 AM
To: cisco-nsp cisco-nsp@puck.nether.net
Subject: [c-nsp] 3750 Suggestions?

Hi all,

I'm looking for something suitable to take the load from our 3750G stack. But I'm not quite sure what the best solution would be.

Some details of the issues I'm seeing:
https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html

I anticipate the new setup will eventually need to handle roughly double the number of IPs and VLANs the stack is currently (not) handling, with 4 routed interfaces (2x GigE, 2x FE).

A couple of suggestions I've had so far is a router to handle everything L3, and use the VLAN template on the 3750s. Or replace them with a 6500 series switch. Or use a 4948 for L3 and/or replacing the 3750s.

Any suggestions appreciated.

Regards,
Carl
Re: [c-nsp] Leaking specific routes from a VRF
-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of luismi
Sent: Monday, 7 September 2009 10.17
To: Tomas Caslavsky
Cc: ivan.d...@raxon.es; cisco-nsp@puck.nether.net; Daniska Tomas
Subject: Re: [c-nsp] Leaking specific routes from a VRF

Hi all,

We are doing some tests here with the code provided by Tomas. We have several questions that we were not able to find a proper answer over internet that we would like to share with you to see if we can understand everything correctly:

a) ip prefix-list has a parameter called le so we can create the rule like this:

ip prefix-list FTP_NET seq 1 permit 10.53.0.224/29 le 32

What is the reason to use le parameter? We saw it in several examples over internet but we don't understand it yet. What is the impact if we don't use it?

Le works like less than or equal to. So 10.53.0.224/29 le 32 matches any route less than or equal to a /32 inside your /29. So if for example 10.53.0.228/32 arrives it matches, as will 10.53.0.224/30 or 10.53.0.224/29. Without le you match only the /29, so in the above example only the /29 matches. This makes the use of prefix lists very flexible.

b) Is there any difference if we use a normal ACL instead of a prefix-list in the route-map? We also saw several configurations using ACLs and it seems to do the same.

You can use them as well but lose the flexibility.

Brian

Regards and thanks in advance.
Re: [c-nsp] 2801 as console server
-Is there a way to access the async line from within the router itself? So just a telnet/ssh to the router and then something like 'connect line XXX'? The connect command on the router seems an equivalent of telnet for outgoing tcp sessions and I don't see another command that could do this.

I've done this in the past by connecting to an IP address on the router - the one assigned to the ethernet interface for example. We use a 2511 as a console server for last resort access to devices. In the worst case scenario if the ethernet interface is down we access it via the console port. If that's the case then the ethernet IP address won't be reachable. I've assigned a loopback IP address (192.168.0.0/32 I think) and use that instead (router telnet 192.168.0.0 2001)

If you create aliases on the router you can then just use the router name, for example

ip host accessjn2 2002 192.168.7.4
ip host accessjn3 2003 192.168.7.4
ip host accessjn6 2006 192.168.7.4

Then just telnet accessjn2

Brian
Re: [c-nsp] QoS best practices
The 3560 buffering discussion has reminded me: It's not hard to find documentation on configuring QoS, but I haven't yet found any best practices regarding how to specifically classify, i.e. what traffic goes in what queue with what DSCP/CoS marking.

RFC 4594 is a good start

For VoIP it seems there are some notes, so it seems very best practice to use EF for voice traffic and AF31 for signaling. But what about all other traffic?

This is cisco's. I recently got into a discussion with another supplier about AF31. As a Cisco shop we used AF31 for VoIP signalling, they used CS5 as per RFC4594. So even here it is not so clear.

Brian
Re: [c-nsp] Flow Control and 10GE interfaces
-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Monday, 23 November 2009 17.05
To: Gert Doering
Cc: Matthew Melbourne; cisco-nsp@puck.nether.net; Ross Vandegrift
Subject: Re: [c-nsp] Flow Control and 10GE interfaces

Gert Doering wrote:

Hi,

On Mon, Nov 23, 2009 at 08:41:58AM -0500, Ross Vandegrift wrote:

The answer is very simple: if someone thinks that ethernet flow control is the answer, the burden of proof is on them to answer difficult questions about what the actual problem is, what flow control is going to solve, and why they think that it won't cause more problems than it's worth. At best it does nothing, realistically it interferes with TCP flow control, and at worst it pauses your storage and breaks every client.

I tend to disagree with this statement in this broadness.

We've seen problems where lack of flow control combined with a switch with too-tiny buffers and bursty ingress traffic led to buffer overflow on egress, and packet loss. If the switch would use flow control here to space the ingress traffic better (that is: stop and restart the flow for milliseconds at a time), packet loss would be avoidable.

Of course, this can indeed fire backwards - as in: one egress port is way overloaded, and flow control spreads the pain from there to all other egress ports served by the ingress port in question. So indeed, flow control is not a panacea.

I agree with this :-)

An interesting wrinkle (to some) is that stock flow control is not QoS (i.e. 802.1p codepoint) aware - it's all-or-nothing, meaning your low-bandwidth diffserv/EF flow gets paused as well as your less-than best-effort 999.9mbit/sec FTP transfer :o(

There's a flow control extension somewhere for per-802.1p flow control, but I can't find the references for this.

The nexus family does PFC (no it's not a card, they reused the acronym)
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-542809.html
Basically enables sending a pause per class. They did it for FCOE and it is proprietary; the white paper has the standard mumbo jumbo about how it is becoming a standard and everyone is adapting cisco's proposal..

Brian

QoS seems to have gone out of fashion however, so whether this is relevant is another matter ;o)
Re: [c-nsp] Basic QoS on ATM subinterfaces
You can't do it with ubr/ubr+ interfaces, you need to set a different class of service. Here is an example technote:
http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dave Weis
Sent: Tuesday, 24 November 2009 16.45
To: Tim Franklin
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Basic QoS on ATM subinterfaces

Tim Franklin wrote:

I've got a PA-A3-OC3 that is terminating a large number of PPPoA connections. I need to do basic QoS/prioritization for voice traffic. I am using a subinterface per VPI with a vc-class to reference the virtual-template. I have set up a parent/child policy-map as the documentation suggested but trying to apply it doesn't work:

router(config)#int atm4/0
router(config-if)#service-policy output VOICE-PARENT
GTS : Not supported on this interface

No, this won't work. You've got several places you can apply the template:

-On the sub-interface
-On the PVC, with the outer shaper removed
-On the virtual-access (via the virtual-template)

If you're bulk-terminating a bunch of PPPoA sessions, I'd suggest that you want it applied to the virtual-access interface. You can do this by either applying it to the virtual-template (if you're sure you always want the same policy for all the users), or push it back from RADIUS as a Cisco-avpair as each virtual-access interface is cloned.

OK, something like this:

class-map match-all EVERYTHING
 match access-group name EVERYTHING
class-map match-all IS-VOICE
 match access-group name IS-VOICE
!
!
policy-map IS-VOICE
 class IS-VOICE
  priority percent 75
  set dscp ef
 class EVERYTHING
  set dscp default
vc-class atm pppoa-1
 encapsulation aal5mux ppp Virtual-Template1
interface Virtual-Template1
 ip unnumbered Loopback0
 ip accounting output-packets
 no logging event link-status
 peer default ip address pool adsl1
 ppp authentication pap chap radius-ppp
 ppp authorization radius-ppp
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 service-policy output IS-VOICE
ip access-list standard EVERYTHING
 permit any
!
ip access-list extended IS-VOICE
 permit ip 192.168.221.0 0.0.0.63 any

I have applied this configuration but the only interfaces that show up in show queueing are MLP bundles. The PVCs that show up after that section all list the queueing as FIFO still:

router#show queueing
Current fair queue configuration:

Interface         Discard   Dynamic Reserved Link   Priority
                  threshold queues  queues   queues queues
Virtual-Access180 64 256 256 8 1
Virtual-Access207 64 256 256 8 1
Virtual-Access450 64 256 256 8 1
Virtual-Access541 64 256 256 8 1
Virtual-Access573 64 256 256 8 1
Virtual-Access574 64 256 256 8 1
Virtual-Access575 64 256 256 8 1
Virtual-Access595 64 256 256 8 1
Virtual-Access597 64 256 256 8 1
Virtual-Access599 64 256 256 8 1
Virtual-Access640 64 256 256 8 1
Virtual-Access651 64 256 256 8 1
Virtual-Access654 64 256 256 8 1

Current DLCI priority queue configuration:
Current priority queue configuration:
List Queue Args
Current custom queue configuration:
VC 15/155 - VC 15/155: Per VC queueing is FIFO.
VC 14/99 - VC 14/99: Per VC queueing is FIFO.
VC 13/43 - VC 13/43: Per VC queueing is FIFO.
VC 11/187 - VC 11/187: Per VC queueing is FIFO.
VC 10/531 - VC 10/531: Per VC queueing is FIFO.
VC 10/275 - VC 10/275: Per VC queueing is FIFO.
VC 15/156 - VC 15/156: Per VC queueing is FIFO.

Have I missed something else?

Thanks
dave

--
Dave Weis 515-224-9229 djw...@internetsolver.com http://www.internetsolver.com/
Please check out our Complete Support Service http://www.internetsolver.com/completesupport/
Re: [c-nsp] what is it with 3550s?
-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeff Bacon
Sent: Wednesday, 3 February 2010 18.03
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] what is it with 3550s?

They seem to be an incredibly popular device, especially for telcos as CPE devices. Why? (I have no use for them, really, and they appear to be EOL, I'm just really curious.)

It depends on the model etc. but they have an advantage over the 3750s in the way they slice up tcam resources. Like the 3550-12s had a reference of 24k routes with 16 svis, as compared to a 3750-12 that does max 20k with 8 svis.

Brian
Re: [c-nsp] find window's machine from Cisco Router
Though not as reliable as a port scanner, you could do something like this even from remote:

access-list 101 permit udp any any range 137 138 log
access-list 101 permit any any
interface fa1
 ip access-group 101 in

Then show log to see netbios packet users.

Brian

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Friday, 5 February 2010 9.01
To: vijay gore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Use a port scanner like NMAP.

-Andrew.

On Fri, Feb 5, 2010 at 12:45 PM, vijay gore vijaygor...@gmail.com wrote:

Dear Team,

anybody can tell me how to check window machine connected in Cisco Router, for ex. in show arp we are getting bunch of ip and MAC, how to verify from them which is linux machine ip and which windows machine ip, or if there is any other command OR other way to rectify to find it

Router#sho arp
Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
Re: [c-nsp] find window's machine from Cisco Router
sorry forgot the ip

access-list 101 permit ip any any

Brian Turnbow
Network Manager
TWT S.p.A.

From: vijay gore [mailto:vijaygor...@gmail.com]
Sent: Friday, 5 February 2010 10.42
To: Brian Turnbow
Cc: Andrew Gabriel; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir,

access-list 101 permit any any
% Unrecognized command

On Fri, Feb 5, 2010 at 2:08 PM, Brian Turnbow b.turn...@twt.it wrote:

Though not as reliable as a port scanner, you could do something like this even from remote:

access-list 101 permit udp any any range 137 138 log
access-list 101 permit any any
interface fa1
 ip access-group 101 in

Then show log to see netbios packet users.

Brian

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andrew Gabriel
Sent: Friday, 5 February 2010 9.01
To: vijay gore
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Use a port scanner like NMAP.

-Andrew.

On Fri, Feb 5, 2010 at 12:45 PM, vijay gore vijaygor...@gmail.com wrote:

Dear Team,

anybody can tell me how to check window machine connected in Cisco Router, for ex. in show arp we are getting bunch of ip and MAC, how to verify from them which is linux machine ip and which windows machine ip, or if there is any other command OR other way to rectify to find it

Router#sho arp
Internet 192.168.8.3 6 002a.ae73.ce1b ARPA FastEthernet1
Internet 192.168.8.4 111 002s.ae73.46de ARPA FastEthernet1
Internet 192.168.8.5 1 002s.ae73.4778 ARPA FastEthernet1
Internet 192.168.8.6 0 002s.ae73.db74 ARPA FastEthernet1
Internet 192.168.8.12 18 002s.1913.6daa ARPA FastEthernet1
Internet 192.168.8.13 31 002s.ae73.d0f7 ARPA FastEthernet1
Internet 192.168.8.14 11 002s.1913.676c ARPA FastEthernet1
Re: [c-nsp] find window's machine from Cisco Router
It looks like you have logging enabled for warnings only. Try

logging buffered debugging

Another alternative, if the first does not log, is to do a debug ip packet using an access list that matches only netbios. This could be more processor intensive. First create

access-list 102 permit udp any any range 137 138

then

debug ip packet 102

When done don't forget

undebug all

Brian

From: vijay gore [mailto:vijaygor...@gmail.com]
Sent: Friday, 5 February 2010 10.57
To: Brian Turnbow
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] find window's machine from Cisco Router

Dear Sir,

it's giving me below output, it's not showing net bios packet users,

Router#sho log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 40 messages logged, xml disabled, filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level warnings, 10 messages logged, xml disabled, filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 43 message lines logged

Log Buffer (51200 bytes):
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct 1 15:38:12.823: %LINK-3-UPDOWN: Interface FastEthernet9, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet7, changed state to up
*Oct 1 15:38:12.827: %LINK-3-UPDOWN: Interface FastEthernet6, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet5, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
*Oct 1 15:38:12.831: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
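The approach discussed in this thread (log ACL 101 hits on UDP 137-138, then read them back from the log buffer) can be post-processed off-box; the following is an added example, not code from any poster. It assumes the standard IOS `%SEC-6-IPACCESSLOGP` message layout for logged ACL entries; the function names and the sample ACL-hit lines are constructed for illustration.

```python
import re
from collections import defaultdict

# IOS logging severity names, lowest number = most severe.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}

# Assumed layout of an ACL hit logged by an entry ending in "log".
ACL_HIT = re.compile(
    r"%SEC-(?P<sev>\d)-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")

BUFFER_LEVEL = re.compile(r"Buffer logging:\s+level (\w+)")


def buffer_captures(show_log_text, severity=6):
    """True if the 'show log' header says the buffer stores messages of
    the given severity (ACL hits are severity 6, informational)."""
    m = BUFFER_LEVEL.search(show_log_text)
    if m is None or m.group(1) not in SEVERITY:
        return False  # buffer logging disabled or header not recognised
    return SEVERITY[m.group(1)] >= severity


def netbios_talkers(log_lines, acl="101", ports=(137, 138)):
    """Aggregate ACL hits per source address for NetBIOS UDP ports."""
    hosts = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_lines:
        m = ACL_HIT.search(line)
        if not m or m["acl"] != acl or m["proto"] != "udp":
            continue
        dport = int(m["dport"])
        if dport not in ports:
            continue
        entry = hosts[m["src"]]
        entry["packets"] += int(m["count"])
        entry["ports"].add(dport)
    return dict(hosts)


# Header line as posted in the thread.
SHOW_LOG_HEADER = ("Buffer logging: level warnings, 10 messages logged, "
                   "xml disabled, filtering disabled")

# Constructed sample: one unrelated line plus ACL hits that use
# addresses from the posted ARP table.
SAMPLE_LOG = """\
*Oct 1 15:38:06.639: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
*Oct 1 15:41:10.112: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.8.3(137) -> 192.168.8.255(137), 1 packet
*Oct 1 15:41:12.480: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.8.12(138) -> 192.168.8.255(138), 1 packet
*Oct 1 15:46:10.120: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.8.3(137) -> 192.168.8.255(137), 4 packets
*Oct 1 15:46:30.001: %SEC-6-IPACCESSLOGP: list 102 permitted udp 192.168.8.5(137) -> 192.168.8.255(137), 1 packet
""".splitlines()

if __name__ == "__main__":
    if not buffer_captures(SHOW_LOG_HEADER):
        print("buffer level too low to record ACL hits (severity 6)")
    for src, info in sorted(netbios_talkers(SAMPLE_LOG).items()):
        print(src, sorted(info["ports"]), info["packets"])
```

Hosts running Samba also send NetBIOS datagrams, so the result is a hint to follow up on rather than a definitive OS identification.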
Re: [c-nsp] Renumbering serial interfaces
Besides the reload in xx that several have mentioned you can also put secondary IPs on the link and then cancel the primary. I.e.

interface ATM0/0.32 point-to-point
 ip add 2.2.2.2 255.255.255.252 secondary

Telnet/ssh to this address using source address 2.2.2.1

Then

 no ip add 1.1.1.1 255.255.255.252

The 2.2.2.2 address becomes the primary and you should not lose the management session.

Don't forget to cancel the reload.

Brian

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james edwards
Sent: Wednesday, 17 February 2010 19.20
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Renumbering serial interfaces

I have a bunch of T-1 (ATM) interfaces that I need to renumber. I have always done this with 2 people, one on each end. Is it possible for one person to do this, from one end? If I am on the near side, I log into the far side's serial IP and do this:

LALMR_2620(config)#interface ATM0/0.32 point-to-point
LALMR_2620(config-subif)#ip address 1.1.1.1 255.255.255.252
LALMR_2620(config-subif)#^Z

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwa...@nmcourts.gov
Re: [c-nsp] Renumbering serial interfaces
Sorry the last line should be

ip address 208.70.109.156 255.255.255.255

Making the secondary primary, and removing the primary. I remember doing it with no ip address x.x.x.x but I just tried and it gives me the same error. Too much lunch I think.

Brian

-Original Message-
From: Steve Bertrand [mailto:st...@ibctech.ca]
Sent: Thursday, 18 February 2010 14.22
To: Brian Turnbow
Cc: james edwards; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Renumbering serial interfaces

On 2010.02.18 03:22, Brian Turnbow wrote:

Besides the reload in xx that several have mentioned you can also put secondary IPs on the link and then cancel the primary. I.e.

interface ATM0/0.32 point-to-point
 ip add 2.2.2.2 255.255.255.252 secondary

Telnet/ssh to this address using source address 2.2.2.1

Then

 no ip add 1.1.1.1 255.255.255.252

The 2.2.2.2 address becomes the primary and you should not lose the management session.

Does this work differently on a serial interface? On an fa int:

route-server1(config)#int lo75
route-server1(config-if)#ip address 208.70.109.155 255.255.255.255
route-server1(config-if)#ip address 208.70.109.156 255.255.255.255 sec
route-server1(config-if)#no ip address 208.70.109.155 255.255.255.255
Must delete secondary before deleting primary

Steve
Re: [c-nsp] ASR v VXR
Hello,

I've got a pair of 7200VXRs w/ NPE400s doing bba for 3 ATM DS3s as well as T-1 aggregation and a server farm. I was looking at my options for upgrading and consolidating these boxes and I think it would either be an 7200VXR-G1 (G2?) or an ASR1002. These two options seem to carry similar price tags, so I'm looking for feedback. Is it mostly a question of desired feature set? Also, I realize that the ASR doesn't support ATM DS3. What solutions are people using to terminate these circuits? I was thinking maybe a small ATM switch? Does such a thing exist anymore?

Note that the ASR does not support PPPoA which you may be using in ATM. AFAIK it is not coming any time soon. We use G2 and G1s and G2s outperform g1s for forwarding packets. Cisco upgrade path for us would be to 10k series, of course this changes the budget. Not that an asr plus a 8500 would differ much.

Brian
Re: [c-nsp] SecureACS Appliance AD Authentication
-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ryan Lambert
Sent: Monday, 1 March 2010 17.48
To: Saxon Jones
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SecureACS Appliance AD Authentication

yeah, sorry, I might not have been as specific as I needed to be with that. I do fail back to local auth when TACACS fails, but of course if the backend DB I'm configured for in the appliance fails, TACACS is still considered up, so it will never revert to local auth unless I physically unplug the ACS appliance or stop services. That's what I was trying to avoid, but I didn't see any neat ways of doing it.

Don't use ACS but I believe the ACS solution involves two ACS servers and database replication for this type of availability. With Radiator (and others) this is easily configurable, if the first source fails you can ask a second and they can be db flat file etc.

Brian

On Mon, Mar 1, 2010 at 11:05 AM, Saxon Jones saxon.jo...@gmail.com wrote:

Something like:

aaa authentication login default group tacacs+ *enable*
aaa authentication enable default group tacacs+ *enable*

And set your enable secret; if TACACS+ is unavailable then you can login with whatever username you like but using the enable secret as your password and enable password. As long as your TACACS+ server is reachable you can't use the enable secret for auth so if just your AD connector fails then disconnect the TACACS+ server and you can then login with that secret.

-saxon

__
Saxon Jones
Email: saxon.jo...@gmail.com
Telephone: (780) 669-0899
Toll-free: (866) 701-8022 x2
United Kingdom: 0(1315)168664

On 1 March 2010 08:17, Ryan Lambert thirdfrl@gmail.com wrote:

We've only got a handful of folks accessing certain devices, and the permissions are relatively static. Nothing fancy going on here. After some tinkering I've been able to get them talking with ACS. The only issue I'm running up against is that if the external DB fails out, I'm unable to authenticate with no local rollback. I guess part of this is because my unknown user policy is to fail the attempt (security reasons obv.). Unless anyone has any creative ideas, I guess I'll just need to rely on primary secondary DBs. Alternatively I suppose if it's a dire emergency I can log in via ACS Admin and reconfigure the username for local... although that's not really ideal for our environment.

TIA,
Ryan
Re: [c-nsp] L2 Link Failover
But this handshake is done at the time of beginning when PORTCHANNEL COMES up. Once etherchannel is up, links are brought out of the etherchannel when physical interface goes down.

Actually there are periodic packets in LACP, depending on what you are using they can be configured. IIRC 30 seconds is the default.

Brian

On Wed, Mar 31, 2010 at 6:00 PM, Tim Vollebregt t.vollebr...@leaseweb.com wrote:

Hi,

I assume you are using the channel-group mode on mode right now, when the physical is up your switch will balance packets. You should try using the channel-group mode active (LACP), as there is a handshake in the LACP protocol. When there is no end-to-end connectivity, and the handshake doesn't succeed it will remove the port from the LACP bundle.

Regards,
Tim

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of jack daniels
Sent: Wednesday, 31 March 2010 14:10
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] L2 Link Failover

Hi guys,

I'm facing a solution challenge, appreciate if you guys can help

PC1---(VLAN 2)SW1-METRO ETHERNET Link 1 --SW2 (VLAN2)---PC2
                 |-Metro ETHERNET LINK 2 ---|

I have L2 extended LAN between SW1 and SW2 across Metro ethernet network from SP. I have CONFIGURED ETHERCHANNEL using both LINKS. But issue is when in between my link 1 or my link 2 goes down, BUT my links in PORTCHANNEL are UP. SO traffic is blackholed.

Please advise
Re: [c-nsp] Cisco 3660 url filter
Hi,

I am looking to do the url filtering on my cisco 3660 router.

Hi Bunny,

You can use nbar. Try googling nbar youtube, you will find many examples.

Brian
Re: [c-nsp] Cisco 3660 url filter
Hi,

I have tested the nbar with the examples given in the google, But didn't get the success, Can anybody share the working example.

Regards
Daljit Singh

try here
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar.html

Brian

--- On Wed, 3/31/10, Brian Turnbow b.turn...@twt.it wrote:

From: Brian Turnbow b.turn...@twt.it
Subject: RE: [c-nsp] Cisco 3660 url filter
To: Bunny Singh jump2fl...@yahoo.com, cisco-nsp@puck.nether.net
Date: Wednesday, March 31, 2010, 5:07 PM

Hi,

I am looking to do the url filtering on my cisco 3660 router.

Hi Bunny,

You can use nbar. Try googling nbar youtube, you will find many examples.

Brian
Re: [c-nsp] Remote Parking Gates VPN to Campus Network with 3G
-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of schilling
Sent: Tuesday, 13 April 2010 16.58
To: Luan Nguyen
Cc: cisco-nsp
Subject: Re: [c-nsp] Remote Parking Gates VPN to Campus Network with 3G

We talked about 880s, but the environmental operating range of nonoperating temperature -4 to 149F is not that promising given that we are in Florida :-) and these parking gates are exposed outside and in a metal box.

Not cheap but take a look at the 3200 mobile routers, they can do vpn and wireless. They should be able to handle that range of temps.

Brian

Schilling

On Tue, Apr 13, 2010 at 10:29 AM, Luan Nguyen l...@netcraftsmen.net wrote:

You could use EZVPN client on those 880 ISRs if you choose to go the client way. From what I heard, it's hard to get ASA these days. If I am in your shoes, I would use dual ISR2 routers (for redundancy) such as 2911 instead of ASA and 880s to form a dual hub DMVPN/IPSEC cloud. 30 CPEs DMVPN shouldn't be a concern provisioning/managing wise.

---
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
-
Re: [c-nsp] Huawei instead of Cisco
What about the CPE side? We have been offered Huawei devices to be used as G.SHDSL.bis termination devices (on the CPE side), and they look quite interesting - a Cisco 1841 with a SHDSL-WIC would also work, of course, but the WIC is just too expensive for a CPE...

We have a couple installed, and they have been very reliable although with very basic configs. It is a good sign that I can't even remember where they were installed :) In the end though we found that used/refurbed cisco was competitive, made our techs happier, and our customers prefer to see the cisco bridge...

Brian
Re: [c-nsp] RFC 4797 Support?
Hi,

I have a question: Other than something like 2547oDMVPN, is there any implementation of an RFC4797 style PE-PE interconnect using an IP only (no mpls) core? Where the outer-most transit label is replaced with an IP header, or GRE header?

You can do mpls on a gre tunnel, just configure the tunnel interface for mpls and watch out for mtu issues...

Brian
Re: [c-nsp] Multiple E1s on 2821
Peter Hicks wrote:

All,

We have three E1 voice circuits on a 2821 - two from the same provider on E1 0/0/0 and E1 0/0/1, and a third from a different provider on a E1 0/1/0 - a separate VIC. After fixing a broken fan on the router, the third E1 is experiencing slip seconds. The other two are clean, and I suspect this is due to the router being configured to use the clock from E1 0/0/0. There is no loss of service, however I'm keen to sort out this problem as it might affect service in the future. How can I resolve the problem? Is it possible to use a different clock for each VIC?

Unfortunately it depends on your hardware.. The 2nd gen cards will do it, the first gen cards no. You need to add independent at the end of the clock source under the controller. I think the 2nd gens are vwic-2xxx IIRC.

Brian
Re: [c-nsp] ASR1000 Series PPPoA
Anyone heard anything on PPPoA on the ASR 1000 series yet?

As far as i know it isn't supported (yet?) but i might be wrong :) PPPoA would make it a superb replacement for our 720X series

We've been told it won't happen at least any time soon and to go with 10k as an upgrade path... Not really in the same price range though!!!

Brian
Re: [c-nsp] ASR1000 Series PPPoA
Anyone heard anything on PPPoA on the ASR 1000 series yet?

As far as i know it isn't supported (yet?) but i might be wrong :) PPPoA would make it a superb replacement for our 720X series

We've been told it won't happen at least any time soon and to go with 10k as an upgrade path... Not really in the same price range though!!!

https://www.cisco.com/en/US/docs/ios/ios_xe/2/xe_2_5_newfeatlist.html

Lists pppoa ipv6, pppoe on ATM, ppp session queueing on atm. So it looks like they are getting close, Tassos may be right on with 3.x. I am going to talk to our account team and I think I'll wait before forking out a ton of cash for ESRs...
Re: [c-nsp] pop site battery backup recommendations
Yes, you would be much better served by an online UPS, which would be anything in the Smart-UPS RT series if you want to stick with APC. Below that it's just line interactive. An online UPS also has a bypass in them, so in theory any faults should cause the unit to switch to bypass and send an alarm rather than dumping the load. I'll stress the in theory part because it's still a relay in the RT series, not a static bypass, and the UPS can't monitor the health of a relay. Units with a static bypass can monitor the health of the SCR that makes up the bypass.

Some have dual ingress as well, one for the active line and one for the bypass line. If they do, put in two separate lines with two separate circuit breakers. That way a fault in the UPS will trip only the breaker on the active line and if everything works correctly :), your UPS will bypass on to the standby line.

Brian
Re: [c-nsp] Weird Traceroute Issue to Specific Destination
Hi all

Please see comments in line

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, 21 September 2010 17.48
To: 'Heath Jones'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Weird Traceroute Issue to Specific Destination

Hehe. yeah, I hear ya.. At first I thought this is just one of those hey, dummy look at the routing table..;) What's killing me is that every hop from the 7200 right to our Internet edge shows the 0.0.0.0/0 OSPF route as preferred which is what's expected.

dis2-rtr-mb#show ip route xx.xxx.2.226
% Network not in table
dis2-rtr-mb#show ip cef xx.xxx.2.226
0.0.0.0/0, version 8684984, epoch 1, cached adjacency xx.xxx.0.226
0 packets, 0 bytes
  via xx.xxx.0.226, Vlan4, 0 dependencies
    next hop xx.xxx.0.226, Vlan4
    valid cached adjacency

You may want to try sh ip cef exact-route with source and destination to see if it changes, as well as the sh mls cef flavours on the 6500/7600s and don't forget to check labels if you have mpls.

Brian

Paul

From: Heath Jones [mailto:hj1...@gmail.com]
Sent: Tuesday, September 21, 2010 11:38 AM
To: Paul Stewart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Weird Traceroute Issue to Specific Destination

I need a coffee or 2, I am misreading absolutely everything today!! Ok so that IP is not the customer IP - it's the destination on the other side of the net somewhere.. Gert is correct, the routing and forwarding tables will show you what is different about that ip.

On 21 September 2010 16:23, Heath Jones hj1...@gmail.com wrote:

If my understanding is correct here, then the DSL user is probably blocking inbound icmp so you would expect the traceroutes you see.. (just constant timeouts). Lets take a step back here... What problem is the customer reporting?

On 21 September 2010 16:04, Paul Stewart p...@paulstewart.org wrote:

Yes, loopback is in place and the source. Yes, loopback in routing table (redistributed via OSPF). This 7206VXR has been in production for over 4 years and we have no issues reaching any other websites. I'm confident that if the remote IP was blocking us or something of that nature that the traceroute would at least traverse our igp properly.

Thanks,
Paul

From: Heath Jones [mailto:hj1...@gmail.com]
Sent: Tuesday, September 21, 2010 11:00 AM
To: Paul Stewart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Weird Traceroute Issue to Specific Destination

If it's not a firewall, its probably routing.. Is the 7206VXR using a loopback for the source of the icmp request packets, and do you have a route back to this ip in your igp?

On 21 September 2010 15:17, Paul Stewart p...@paulstewart.org wrote:

Thank you - good thinking but I checked and there's nothing in there to limit ICMP at all..;)

Paul

From: Heath Jones [mailto:hj1...@gmail.com]
Sent: Tuesday, September 21, 2010 10:05 AM
To: Paul Stewart
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Weird Traceroute Issue to Specific Destination

Hi Paul - perhaps you have a firewall filter preventing the ingress icmp replies (to the 7206VXR)..?

On 21 September 2010 14:54, Paul Stewart p...@paulstewart.org wrote:

Hi folks..

We have a customer who is connected over DSL who is having issues getting to a certain remote site more often than not. Sometimes they can reach this site, but most of the time they cannot. They connect to a 7206VXR, which then connects to a 6509 which then connects to 6509, 6509, then 7606 out to Internet. Long story short, there are no reported issues along this connectivity at all and we can only replicate this complaint to one remote IP address.

Logically, we would push this back and say not our problem which we're confident it's not *but* there's one strange thing that is bugging me and I can't put logic around this (I also have a terrible head cold and not thinking straight).

When logged into the 7206VXR where the customer connects via DSL, a traceroute to the Internet loops normally like this:

acs1-con-bb#traceroute www.cnn.com
Translating www.cnn.com...domain server (208.67.222.222) [OK]
Type escape sequence to abort.
Tracing the route to www.cnn.com (157.166.224.26)
1 xx.xxx.7.65 0 msec 0 msec 0 msec
2 xx.xx.120.25 8 msec 8 msec 8 msec
3 core2-rtr-to-ge4-12-vl4.nexicom.net (98.124.0.226) 20 msec 16 msec 88 msec
4 ge4-0-0.core1.toronto1.nexicom.net (98.124.59.17) 16 msec 20 msec 16 msec
5
Re: [c-nsp] SegV exception On 7206 LNS
My Cisco 7206VXR with NPE-G2 runs as an LNS terminating PPPOE sessions. It also terminates a DS3 used for data T1s. About once a week or so, a SegV exception happens, and the router resets itself. I have no idea why. There seems to be no pattern to it, and I can't figure out for the life of me why this is happening. Does anyone have an idea about what I should be looking at?

Segv are always software errors. You can try debugging it, first step could be output interpreter. But you should be looking at upgrading/downgrading your IOS :) On our g2s we run 12.2SB/SC for this type of service.

Brian
Re: [c-nsp] much to much filtered packets punted to CPU on 7604
see both counters from sh access-list and sh tcam interface.. increasing at nearly the same rate (see below). I use 2 extended ACLs applied to an interface for filtering inbound/outbound traffic. There is plenty of TCAM space, I don't use log statement, no ip unreachables is configured on each interface. What I'm missing.

Below you have

mls rate-limit unicast ip icmp unreachable acl-drop 1000 10

So 1000 pps will pass, try

mls rate-limit unicast ip icmp unreachable acl-drop 0

To stop any packet dropped by acl getting to the cpu

mls rate-limit unicast ip rpf-failure 0
mls rate-limit unicast ip icmp redirect 0
mls rate-limit unicast ip icmp unreachable no-route 1000 10
mls rate-limit unicast ip icmp unreachable acl-drop 1000 10
mls rate-limit unicast ip errors 1000 10
mls rate-limit all ttl-failure 1000 10
mls rate-limit all mtu-failure 1000 10
Re: [c-nsp] Suggested Time - 1pm CET + US/Eastern - Wednesday - Re: CCO Login to ftp.cisco.com hosed [was Re: FYI: SXI5 posted]
But there *could* be someone out there downloading new IOS who doesn't have a support contract! That's *literally* stealing food from the mouths of Cisco coders!

In the same way as the music, movie and software industries decide that they're not selling as much as they think they should, and introduce various DRM measures that achieve nothing other than to inconvenience and alienate legitimate customers, Cisco have decided they're not selling as many support contracts as they think they should, and have introduced the New Improved Download Experience and the IOS 15 nodelocked licence clusterfuck. Welcome to the future...

As for selling contracts they made that so easy as well. They are now just upgrading the download experience to match. It's a coordinated effort. First alienate partners, then customers. Hopefully next up is management, then maybe things will change!

Brian
Re: [c-nsp] SIP to ISDN Call Progress
Hello, I configured my dial-peer in this way:

dial-peer voice 1400 pots
 voice cut-through alert
 preference 4
 destination-pattern 199151119
 progress_ind setup enable 1
 no digit-strip
 port 0/0/1:15
!

Better to use

progress_ind setup enable 3

Telling the network that the originating address is not ISDN. This will tell the remote side I don't generate tones please do it for me (more or less:))

You may also add

progress_ind alert enable 8
progress_ind progress enable 8

forcing the router to treat the incoming alerts as in band info is now available.

Now I see the PI reminder:

Nov 15 14:39:07.121 CET: ISDN Se0/1/0:15 Q931: TX - SETUP pd = 8 callref = 0x1C5C
 Bearer Capability i = 0x8090A3
 Standard = CCITT
 Transfer Capability = Speech
 Transfer Mode = Circuit
 Transfer Rate = 64 kbit/s
 Channel ID i = 0xA9839F
 Exclusive, Channel 31
 Progress Ind i = 0x8181 - Call not end-to-end ISDN, may have in-band info
 Calling Party Number i = 0x0180, '03631970353'
 Plan:ISDN, Type:Unknown
 Called Party Number i = 0x81, '199151119'
 Plan:ISDN, Type:Unknown
Nov 15 14:39:07.133 CET: ISDN Se0/1/0:15 Q931: RX - SETUP_ACK pd = 8 callref = 0x9C5C
 Channel ID i = 0xA9839F
 Exclusive, Channel 31
Nov 15 14:39:08.253 CET: ISDN Se0/1/0:15 Q931: RX - CALL_PROC pd = 8 callref = 0x9C5C

Here there is still no indicator saying inband info is now available. So the gateway does not open the channel.

Ciao
Brian

Looking at this: http://www.cisco.com/en/US/tech/tk1077/technologies_tech_note09186a0080094c33.shtml#progresstones I would expect the call to be cut through after the SETUP_ACK has been received. Anyway I have the same problem, no audio is sent to my phone before the CONNECT message.

Thank You
Re: [c-nsp] ATM Subinterface QoS
Trying to add service-policy output MAP-1536-OUT to the subinterface gives me the error

GTS : Not supported on this interface

If I add it to the PVC I get the error

GTS : Not supported over ATM VCs

Hi Dave

Short answer: Can't apply it to a ubr interface (default), use ABR/VBR/CBR

For a longer answer take a look at http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a00800c96e5.shtml

Regards
Brian
Re: [c-nsp] BGP next-ASN check built-in ?
Hi

See in-line

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of tim
Sent: Monday 11 April 2011 11:17
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP next-ASN check built-in ?

Hi list,

I thought I had read something about that but cannot find the pointers anymore: Does the Cisco default-configuration check in BGP inbound announcements, if the first ASN of the AS path is the ASN which is configured as neighbor ... remote-as?

Yes, you can disable it with no bgp-enforce-first-as globally for BGP.

Example, is the following check built-in the BGP code and therefore not needed to configure:

router bgp 65001
 neighbor 129.168.1.1 remote-as 65002
 ...
 neighbor 129.168.1.1 filter-list 1 in
!
ip as-path access-list 1 permit ^65002_
ip as-path access-list 1 deny .*

If so, at some exchange-points there are route-servers which strip their own ASN out of the path. How would one configure such a setup from the client side?

Using the command above will accept the route-server announcements. Then use your filters to decide what to accept from the route servers.

HTH
Brian

Thanks in advance,
-tim
--
t...@haitabu.net

--- This e-mail is intended only for the addressee named above. As this e-mail may contain confidential or privileged information, if you are not the named addressee, you are not authorized to retain, read, copy or disseminate this message or any part of it. Please consider your environmental responsibility before printing this e-mail.
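The following is an added example, not part of the thread or of any Cisco code: it models the first-AS check and the as-path filter-list from the message above to show what each one rejects, including the route-server case. The route-server ASN 65500, access-list 2, and all AS paths are constructed for illustration.

```python
import re

# In Cisco AS-path regexes "_" matches the start or end of the path, a space,
# a comma, a brace or a parenthesis. Python's re has no equivalent token.
_DELIM = r"(?:^|$|[ ,{}()])"


def cisco_aspath_regex(pattern):
    """Compile a Cisco-style AS-path regex as a Python regex."""
    return re.compile(pattern.replace("_", _DELIM))


def parse_as_path_acl(config, number):
    """Return [(action, regex)] for 'ip as-path access-list <number> ...'."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "as-path", "access-list"] and len(tok) >= 6 \
                and tok[3] == str(number):
            entries.append((tok[4], cisco_aspath_regex(" ".join(tok[5:]))))
    return entries


def filter_list_permits(entries, as_path):
    """First matching entry wins; no match means implicit deny."""
    for action, regex in entries:
        if regex.search(as_path):
            return action == "permit"
    return False


def first_as_matches(as_path, remote_as):
    """The built-in check: leftmost ASN must equal the neighbor's remote-as."""
    return as_path.split()[:1] == [str(remote_as)]


def evaluate(as_path, remote_as, entries, enforce_first_as=True):
    """Decide what happens to one inbound eBGP announcement."""
    if enforce_first_as and not first_as_matches(as_path, remote_as):
        return "rejected: first AS is not the neighbor AS"
    if not filter_list_permits(entries, as_path):
        return "rejected: filter-list"
    return "accepted"


# Filter from the thread (neighbor remote-as 65002).
THREAD_ACL = parse_as_path_acl("""
ip as-path access-list 1 permit ^65002_
ip as-path access-list 1 deny .*
""", 1)

# Constructed route-server case: the neighbor is AS 65500 (hypothetical) but
# removes its own ASN, so paths start with the member AS that originated them.
RS_ACL = parse_as_path_acl("""
ip as-path access-list 2 permit ^65010_
ip as-path access-list 2 deny .*
""", 2)


def demo():
    """Evaluate constructed AS paths; returns {label: verdict}."""
    return {
        "direct peer": evaluate("65002 65010", 65002, THREAD_ACL),
        "wrong first AS": evaluate("65003 65002", 65002, THREAD_ACL),
        "wrong first AS, check off":
            evaluate("65003 65002", 65002, THREAD_ACL, enforce_first_as=False),
        "prefix lookalike, check off":
            evaluate("650021 65010", 65002, THREAD_ACL, enforce_first_as=False),
        "route server, check on": evaluate("65010 65020", 65500, RS_ACL),
        "route server, check off":
            evaluate("65010 65020", 65500, RS_ACL, enforce_first_as=False),
        "route server, unwanted member":
            evaluate("65030 65020", 65500, RS_ACL, enforce_first_as=False),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:30} {verdict}")
```

With the check disabled for a route-server session, the as-path filter is the only thing deciding which member ASNs are accepted, so its implicit deny matters.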
Re: [c-nsp] MQC and PA-A6
Hi

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Marco Marzetti
Sent: Monday 16 April 2012 16:13
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MQC and PA-A6

Hello,

Simple and plain question: does MQC work in hardware when attached to ATM VP||PVC on c7200+PA-A6 ?

Simple answer: No

Longer answer: it does have a SAR that does ATM shaping (i.e. vbr abr etc) in hardware, but all the ip stuff will be done on the router cpu.

Ciao
Brian

Thank You
Regards
Re: [c-nsp] LNS Error %VPDN-3-NORESOURCE:
Hi,

Hi. Thanks for the reply. What I noticed today was, I tried to authenticate one vrf-enabled l2tp session and one global (no-vrf). The one with VRF can't authenticate. Giving me the error of LNS no resources for user... But the one with no-vrf was able to authenticate successfully.

The below config only shows one virtual template, do you have a second for the VRF? I believe you need to differentiate.

Regards
Brian

My tcpdump on the radius server says Authentication Request, and Authentication Accept. Router debug also shows CHAP login response is PASS. I tried also using my other LNS (NPE-G1) and any vrf-enabled session is successful. Both VRF-enabled and GLobal L2tp session terminates on the same vpdn-group. I have similar config on both LNS routers.

Here's my LNS config:

vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LNS1
 source-ip x.x.x.x
 local name ABC
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 09123456
 l2tp tunnel timeout no-session 600
 ip tos reflect
interface Virtual-Template1
 mtu 1462
 ip unnumbered Loopback0
 ip tcp adjust-mss 1422
 peer default ip address pool LNSPool
 keepalive 60
 ppp authentication chap radius-ppp

Here's the debug ppp/aaa/vpdn output:

Jun 15 09:34:07.823: VPDN Received L2TUN socket message Incoming
Jun 15 09:34:07.823: AAA/BIND(01E7): Bind i/f
Jun 15 09:34:07.823: VPDN uid:393 L2TUN socket session accept requested
Jun 15 09:34:07.823: VPDN uid:393 Setting up dataplane for L2-L2, no idb
Jun 15 09:34:07.827: VPDN Received L2TUN socket message Connected
Jun 15 09:34:07.827: AAA/BIND(01E7): Bind i/f Virtual-Template1
Jun 15 09:34:07.827: VPDN uid:393 VPDN session up
Jun 15 09:34:07.831: AAA/AUTHEN/PPP (01E7): Pick method list 'radius-ppp'
Jun 15 09:34:07.831: ppp393 PPP: Sent CHAP LOGIN Request
Jun 15 09:34:07.831: ppp393 PPP: Received LOGIN Response PASS
Jun 15 09:34:07.835: VPDN uid:393 disconnect (L2X) IETF: 9/nas-error Ascend: 62/VPDN No Resources
Jun 15 09:34:07.835: VPDN uid:393 vpdn shutdown session, result=4, error=4, vendor_err=0, syslog_error_code=15, syslog_key_type=1
Jun 15 09:34:07.835: %VPDN-3-NORESOURCE: L2TP LNS no resources for user x...@test.net; Result 4, Error 4, SSS Manager disconnected session
Jun 15 09:34:07.835: VPDN uid:393 VPDN/AAA: accounting stop sent
Jun 15 09:34:07.835: ppp393 CHAP: O FAILURE id 1 len 26 msg is Authentication failure

thanks

From: Oliver Boehmer (oboehmer) oboeh...@cisco.com
To: ar ar_...@yahoo.com; Tim Warnock tim...@timoid.org
Cc: cisco-nsp cisco-nsp@puck.nether.net
Sent: Friday, June 15, 2012 7:19 PM
Subject: RE: [c-nsp] LNS Error %VPDN-3-NORESOURCE:

I tried SRE6 already. I got the same error. Unfortunately I don't have any TAC support for this box. Could this be a possible NPE-G2 problem?

#sho ver
Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version 12.2(33)SRE6, RELEASE SOFTWARE (fc1)

Jun 14 23:10:54.455: ppp76 PPP: Sent CHAP LOGIN Request
Jun 14 23:10:54.455: ppp76 PPP: Received LOGIN Response PASS
Jun 14 23:10:54.459: %VPDN-3-NORESOURCE: L2TP LNS LNS1 no resources for user t...@xyz.net; Result 4, Error 4, SSS Manager disconnected session
Jun 14 23:10:54.459: ppp76 CHAP: O FAILURE id 1 len 26 msg is Authentication failure

don't think this is related to the platform, some debugs are in order to find out what's happening (my l2tp/vpdn skills are a bit rusty, though ;-)

debug radius
debug aaa author
debug aaa per-user
debug vpdn event
debug vpdn error
debug vpdn l2x-ev
debug vpdn l2x-er
debug vpdn sss err
debug vpdn sss ev

can you share the full configs of both devices offline/unicast?

oli
[c-nsp] ASR1000 and QOS
Hello Everyone,

I am trying to realize a qos configuration on an asr 1006 for pppoe services being sold by our national incumbent. On a single GE interface I will receive two classes of services, cos 0 and cos 1, each with a set bandwidth, i.e. cos 0 100mbps, cos 1 20mbps. Each dslam gets terminated using a vlan for each cos, so in the end I will have n vlans for the cos 0 traffic and x vlans for the cos 1 traffic.

Things get complicated though as we want to assign a policy to the pppoe sessions as well, as we will have varying line rates on the customer lines. Ideally I would like to be able to shape the n vlans to the cos 0 rate and the x vlans to the cos 1 rate, and then be able to shape the single sessions as each will have a different line rate.

I have tried

1) with the SE following us (on vacation now since we need him) we thought that service policy aggregation would be the way to go. http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_policies_agg.html but when we assign the end user policy via radius it does not get applied and we have the error

policy TEST with fragment class can only be attached to ethernet subifc and port-channel subifc

Tinkered awhile with various configs but no go, let's try something else..

2) setting up a policy on the GE that shapes on match vlans, and sending service policy for the users via radius. error message

service-policy with queueing features on sessions is not allowed in conjunction with interface based

and the policy is not applied, bummer

I am thinking about trying to declare the interface bandwidth via radius and then use bandwidth % instead of shape but that should be queueing as well and also the scaling documents for the asr have big warnings on the use of lcp:interface-config ...

So here I am looking for a way to do this. The only other thing that comes to mind is placing a box before the asr to shape the vlans and just work on the sessions on the asr, but that means another box to purchase, maintain, etc etc.

If you've made it this far (sorry about the length): Has anyone done something similar, or have any suggestions?

Thanks in advance!
Brian
Re: [c-nsp] Port Errors
-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Harry Hambi
Sent: Tuesday 28 August 2012 11:17
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Port Errors

Hi All,

I have a module (16 SFM-capable 16 port 10/100/1000mb RJ45) in a 6500 chassis running IOS Version 12.1(23), giving the following errors

Aug 26 06:41:48.965: %PM_SCP-SP-6-LCP_FW_ERR_INFORM: Module 9 is experiencing t e following error: Pinnacle #0, Frames with Bad Packet CRC Error (PI_CI_S_PKTCR _ERR - 0xC7) = 1100
Aug 26 09:11:49.090: %PM_SCP-SP-6-LCP_FW_ERR_INFORM: Module 9 is experiencing t e following error: Pinnacle #0, Frames with Bad Packet CRC Error (PI_CI_S_PKTCR _ERR - 0xC7) = 983

I recently swapped out this module, the errors cleared for a while but have now started again. Any ideas appreciated.

What do the port counters say? Packets with crc errors are hitting the asic. Check the port counters, cabling and device on the other side of the connection.

Brian

Rgds
Harry

Harry Hambi BEng(Hons) MIET Rsgb

http://www.bbc.co.uk/ This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this.
Re: [c-nsp] Port Errors
Hi All,

I have a module (16 SFM-capable 16 port 10/100/1000mb RJ45) in a 6500 chassis running IOS Version 12.1(23), giving the following errors

Aug 26 06:41:48.965: %PM_SCP-SP-6-LCP_FW_ERR_INFORM: Module 9 is experiencing t e following error: Pinnacle #0, Frames with Bad Packet CRC Error (PI_CI_S_PKTCR _ERR - 0xC7) = 1100
Aug 26 09:11:49.090: %PM_SCP-SP-6-LCP_FW_ERR_INFORM: Module 9 is experiencing t e following error: Pinnacle #0, Frames with Bad Packet CRC Error (PI_CI_S_PKTCR _ERR - 0xC7) = 983

I recently swapped out this module, the errors cleared for a while but have now started again. Any ideas appreciated.

What do the port counters say? Packets with crc errors are hitting the asic. Check the port counters, cabling and device on the other side of the connection.

Ooops... Cisco docs say

PM_SCP-6

Error Message %PM_SCP-6-LCP_FW_ERR_INFORM: Module [dec] is experiencing the following error: [chars]

Explanation The module is reporting an error condition, where [dec] is the module number, and [chars] is the error. This condition is usually caused by an improperly seated linecard or a hardware failure. If the error message is seen on all of the linecards, the cause is an improperly seated module.

Recommended Action Reseat and reset the linecard or the module. If the error message persists after the module is reset, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Toolkit at http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl. If you still require assistance, open a case with the Technical Assistance Center via the Internet at http://tools.cisco.com/ServiceRequestTool/create, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

I guess it is not related to the traffic on the port ... Try reseating the module and checking the connector blocks/pins. As you have changed the cards you could try changing the slot on the chassis.

Regards
Brian

Brian

Rgds
Harry

Harry Hambi BEng(Hons) MIET Rsgb
http://www.bbc.co.uk/
Re: [c-nsp] Sup720 SVI ACL deny punted? (no logging)
A couple of ideas

1 to generate an ip unreachable? try disabling them on the SVI
2 I remember something about acl and netflow (punts to create flows) but it was sup-2. I'm not sure if it still applies to sup-720

Brian

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Wednesday 29 August 2012 11:18
To: cisco-nsp
Subject: [c-nsp] Sup720 SVI ACL deny punted? (no logging)

Good morning all,

I'm stumped researching a slightly overloaded Supervisor 720 on one of our aggregation devices. I've discovered that an access-list applied to a SVI means denied packets are punted to the CPU. There's no log statement. The packets have no IP options, TTL=64, DSCP=0x28 and frame length 60 bytes.

When I create an ERSPAN session capturing source cpu rp tx I see all the packets that are denied. As soon as I remove the ACL from the SVI I don't see the packets. (The destination host does not exist but the network in question is not connected to this device.)

Shouldn't the Sup720 always be able to deny things in hardware? Does anybody know how to see exactly why the packets are punted?

Example packet captured via ERSPAN:

10:59:30.790477 00:1e:ca:ed:45:7f 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 60: (tos 0xa0, ttl 64, id 8722, offset 0, flags [none], proto: UDP (17), length: 41) 192.0.2.205.5001 203.0.113.40.5000: UDP, length 13

Configuration and output from show commands follows, addresses replaced:

ip access-list extended petrat-telefoni-temp
 deny ip any host 198.51.100.10
 deny ip any host 203.0.113.40
 permit ip any any
!
interface Vlan41
 description SKS IP-telefoner
 ip vrf forwarding TDC02401
 ip address 192.0.2.2 255.255.255.0
 ip access-group petrat-telefoni-temp in
 ip helper-address 172.
 ip helper-address 10.85.45.30
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ntp disable
 standby 2 ip 192.0.2.1
 standby 2 timers 1 3
 standby 2 priority 140
 standby 2 preempt delay minimum 20 reload 300
 standby 2 authentication md5 key-string 7 hidden
 standby 2 track 1 decrement 50
 standby 2 track 5 decrement 50
 hold-queue 256 in
!

Switch#sh tcam interface vlan41 acl in ip detail
* Global Defaults not shared
---
DPort - Destination Port SPort - Source PortTCP-F - U -URG Pro - Protocol I - Inverted LOU TOS - TOS Value- A -ACK rtr - Router MRFM - M -MPLS Packet TN- T -Tcp Control - P -PSH COD - C -Bank Care Flag - R -Recirc. Flag - N -Non-cachable - R -RST - I -OrdIndep. Flag - F -Fragment Flag CAP - Capture Flag - S -SYN - D -Dynamic Flag - M -More Fragments F-P - FlowMask-Prior. - F -FIN T - V(Value)/M(Mask)/R(Result) X - XTAG (*) - Bank Priority
---
Interface: 41 label: 6 lookup_type: 0 protocol: IP packet-type: 0
+-+-+---+---+---+---+-- -+---++-+---+--+---+---+
|T|Index| Dest Ip Addr | Source Ip Addr| DPort | SPort | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-+---+---+---+---+-- -+---++-+---+--+---+---+
Entries from Bank 0
V 18396 0.0.0.0 0.0.0.0 P=0 P=0- - 0 0 0 -- --- 0-0
M 18404 0.0.0.0 0.0.0.0 0 0- - 0 0 0
R rslt: L3_DENY_RESULT rtr_rslt: L3_DENY_RESULT hit_cnt=0
Entries from Bank 1
V 36141 198.51.100.10 0.0.0.0 P=0 P=0- - 0 0 0 -- C-- 1-0
M 36143 255.255.255.255 0.0.0.0 0 0- - 0 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
V 36142 203.0.113.40 0.0.0.0 P=0 P=0- - 0 0 0 -- C-- 1-0 -
M 36143 255.255.255.255 0.0.0.0 0 0- - 0 0 0 -
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=4073 -
V 36304 0.0.0.0 0.0.0.0 P=0 P=0- - 0 0 0 -- C-- 1-0 -
M 36305 0.0.0.0 0.0.0.0 0 0- - 0 0 0 -
R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*) hit_cnt=197546 -
V 36828 0.0.0.0 0.0.0.0 P=0 P=0- - 0 0 0 -- --- 0-0
M 36836 0.0.0.0 0.0.0.0