Re: [c-nsp] Sup720 software forwarding

2013-03-11 Thread Peter Rathlev
On Sat, 2013-03-09 at 04:15 -0600, William McCall wrote: On 03/08/2013 09:57 AM, Peter Rathlev wrote: Is there a way to rate-limit this kind of punting? Standard mls rate-limit doesn't seem to have anything useful, unless I'm just too tired to see it. Looks like CoPP might do it in

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Mikael Abrahamsson
On Sun, 10 Mar 2013, Gordon Bryan wrote: Also, even in a completely private core, a PE still becomes exposed to the outside world on its PE-to-CE interface when delivering Internet services. Has anyone developed any proficient methods for locking down these interfaces and making them

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Saku Ytti
On (2013-03-10 21:44 +), Gordon Bryan wrote: I like the concept of private addressing (core hiding being one) but having never seen it deployed in anger I'm concerned that it might not be as simple as it seems and may break other things. I've read that traceroute and PMTUD are at risk

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Gert Doering
Hi, On Sun, Mar 10, 2013 at 09:44:12PM +, Gordon Bryan wrote: I like the concept of private addressing (core hiding being one) but having never seen it deployed in anger I'm concerned that it might not be as simple as it seems and may break other things. I've read that traceroute and

[c-nsp] BGP Route Dampening

2013-03-11 Thread Ahmed Hilmy
Hello Expert, If I am a transit ISP, is it recommended to enable dampening feature ? Regards, Ahmed

Re: [c-nsp] Option 82

2013-03-11 Thread M K
Thanks for the kind reply. What I am trying to do is that I have WiMAX network and ASN GW, we are trying to remove the ASN GW from the network and get the WiMAX authenticated from the router/switch without any authentication system BR, Date: Fri, 8 Mar 2013 19:27:08 +0100 From:

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Saku Ytti
On (2013-03-11 11:23 +0300), Ahmed Hilmy wrote: If I am a transit ISP, is it recommended to enable dampening feature ? If you want to be my Transit ISP, it's highly inadvisable. Fixing dampening would be very easy, just make it negative local_pref penalty, instead of removing it from RIB. It

[c-nsp] Route-Reflector Sub-optimal Routing

2013-03-11 Thread sherif mostafa
Hello All, Does anyone know exactly what's meant by sub-optimal routing issues ? Is there any method to allow the Route-Reflector to send all routes to clients (not the best one) ? Thank you Best Regards, Sherif

Re: [c-nsp] Route-Reflector Sub-optimal Routing

2013-03-11 Thread Oliver Boehmer (oboehmer)
Does anyone know exactly what's meant by sub-optimal routing issues ? it means that a RR makes a routing decision on its client's behalf, and its best path might not be necessarily the one the clients would have picked (especially when the decision is based on the IGP metric to the next-hop).

Re: [c-nsp] Route-Reflector Sub-optimal Routing

2013-03-11 Thread Saku Ytti
On (2013-03-11 08:45 +), sherif mostafa wrote: Does anyone know exactly what's meant by sub-optimal routing issues ? Packets taking path which is not most desirable. Is there any method to allow the Route-Reflector to send all routes to clients (not the best one) ? There is BGP

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Gordon Bryan
Andrey/Andrew, It will be a very small network to begin with - single P router, single PE router and a number of switches for hosting. This will hopefully quickly scale to a dual-site configuration with two P routers and two PE routers but even then it will still be small in the grand scheme

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Reuben Farrelly
On 11/03/2013 8:52 PM, Gordon Bryan wrote: Andrey/Andrew, It will be a very small network to begin with - single P router, single PE router and a number of switches for hosting. This will hopefully quickly scale to a dual-site configuration with two P routers and two PE routers but even then it

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Gert Doering
Hi, On Mon, Mar 11, 2013 at 10:18:31AM +, Gordon Bryan wrote: Can I ask what your thoughts are on core IP addressing? Do you have specified global ranges for this purpose with matching  iACLs or do you use another method altogether. We use a dedicated IPv4 /24 for all core links which

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Reuben Farrelly
On 11/03/2013 9:43 PM, Gert Doering wrote: Hi, On Mon, Mar 11, 2013 at 10:18:31AM +, Gordon Bryan wrote: Can I ask what your thoughts are on core IP addressing? Do you have specified global ranges for this purpose with matching iACLs or do you use another method altogether. We use a

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Saku Ytti
On (2013-03-11 11:43 +0100), Gert Doering wrote: What we're currently not so good at is protect the PE-CE link - the We've solved this by not announcing the PE address of PE-CE. Occasionally we need to announce the CE address, maybe for management purposes, maybe for something else. Then we

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Ahmed Hilmy
Thanks Sahu for your reply, would you please clarify this point ( just make it negative local_pref penalty ) ? On Monday, March 11, 2013, Saku Ytti wrote: On (2013-03-11 11:23 +0300), Ahmed Hilmy wrote: If I am a transit ISP, is it recommended to enable dampening feature ? If you want

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Saku Ytti
On (2013-03-11 14:08 +0300), Ahmed Hilmy wrote: Thanks Sahu for your reply, would you please clarify this point ( just make it negative local_pref penalty ) ? It's not something you can do. It's just something I wish vendors would implement. Today if dampening triggers, route is removed

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Gert Doering
Hi, On Mon, Mar 11, 2013 at 12:54:25PM +0200, Saku Ytti wrote: On (2013-03-11 11:43 +0100), Gert Doering wrote: What we're currently not so good at is protect the PE-CE link - the We've solved this by not announcing the PE address of PE-CE. Occasionally we need to announce the CE

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Nick Hilliard
On 11/03/2013 08:23, Ahmed Hilmy wrote: If I am a transit ISP, is it recommended to enable dampening feature ? What problem are you trying to fix by enabling flap dampening? If you need to implement it, you should take a look at: https://tools.ietf.org/html/draft-ymbk-rfd-usable Nick

[c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Andrew Miehs
Hi all, Was just doing a little bit of reading and had a look at http://rs2.swissix.ch/cgi-bin/bgplg?cmd=show+ip+bgp+source-asreq=15169 Specifically: flags destination gateway lpref med aspath origin *1.1.1.0/24 91.206.52.74 100 0 15169 i I never

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Balyuzi, Matthew
IIRC changing the virtual IP address on the Cisco WLCs is also strongly not recommended Is it not? We've been using a valid public address for ages. Not seen any problems as a result. -- Matt Balyuzi Networks Group Imperial College London

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Andrew Miehs
RIPEs view on this is: http://www.ripe.net/ripe/docs/ripe-378 And in short: Dated 2006... 4.0 Recommendation This Routing Working Group document proposes that with the current implementations of BGP flap damping, the application of flap damping in ISP networks is NOT recommended. The

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Nick Hilliard
On 11/03/2013 12:12, Andrew Miehs wrote: This Routing Working Group document proposes that with the current implementations of BGP flap damping, the application of flap damping in ISP networks is NOT recommended RIPE's current view on RFD is: http://www.ripe.net/ripe/docs/ripe-580 This

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Nick Hilliard
On 11/03/2013 12:05, Andrew Miehs wrote: flags destination gateway lpref med aspath origin *1.1.1.0/24 91.206.52.74 100 0 15169 i http://www.potaroo.net/studies/1slash8/1slash8.html the prefix has moved from AS237 to as15169, but Geoff Huston is

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Saku Ytti
On (2013-03-11 12:18 +), Nick Hilliard wrote: RIPE's current view on RFD is: http://www.ripe.net/ripe/docs/ripe-580 I don't believe this is generally supported by RIPE community, I don't understand how it became RIPE-580 so fast. -- ++ytti

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Nick Hilliard
On 11/03/2013 12:25, Saku Ytti wrote: I don't believe this is generally supported by RIPE community, I don't understand how it became RIPE-580 so fast. I suspect on the basis of: oh, that looks interesting. The I-D is preferable as an informational reference - the review mechanisms are quite a

Re: [c-nsp] BGP Route Dampening

2013-03-11 Thread Gert Doering
Hi, On Mon, Mar 11, 2013 at 02:25:21PM +0200, Saku Ytti wrote: On (2013-03-11 12:18 +), Nick Hilliard wrote: RIPE's current view on RFD is: http://www.ripe.net/ripe/docs/ripe-580 I don't believe this is generally supported by RIPE community, I don't understand how it became

[c-nsp] cisco ME-C6524GT-8S Shaping

2013-03-11 Thread M K
Hi all, I have cisco ME-C6524GT-8S connected to cisco ME-C3750-24TE via a trunk connection I configured sub interface on the 6524 and access port on the 3750 interface GigabitEthernet1/29.16 description New Connection encapsulation dot1Q 119 ip address x.x.x.x x.x.x.x interface FastEthernet1/0/7

Re: [c-nsp] Private IP in SP Core

2013-03-11 Thread Adam Vitkovsky
We use a dedicated IPv4 /24 for all core links which is heavily ACLed at all external borders. I also found it useful to use a separate range for loopback ip addresses - as it works nicely with filters for prefix prioritization and label allocation/advertisement. adam -Original Message-

Re: [c-nsp] Route-Reflector Sub-optimal Routing

2013-03-11 Thread Adam Vitkovsky
Is there any method to allow the Route-Reflector to send all routes to clients (not the best one)? If you have mpls in your core, you can use unique RD per VRF per PE -this will allow the RR to consider all the paths for a particular prefix as unique prefixes and advertise all of them to the PEs.

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Tony Varriale
On 3/11/2013 7:05 AM, Andrew Miehs wrote: Hi all, Was just doing a little bit of reading and had a look at http://rs2.swissix.ch/cgi-bin/bgplg?cmd=show+ip+bgp+source-asreq=15169 Specifically: flags destination gateway lpref med aspath origin *1.1.1.0/24

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Phil Mayers
On 11/03/13 13:42, Tony Varriale wrote: engineer worth their salt does not use this. Maybe. But a lot of people *have* used it, because I've seen it when doing webauth logins e.g. in airports, train networks, etc. And by definition, the people unwise enough to use it are also likely to be

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Sandy Breeze
On 11/03/13 14:37, Phil Mayers wrote: Cisco wrote docs suggesting that people did this: Enter the IP address of the controller's virtual interface. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Phil Mayers
On 11/03/13 14:49, Sandy Breeze wrote: On 11/03/13 14:37, Phil Mayers wrote: Cisco wrote docs suggesting that people did this: Enter the IP address of the controller's virtual interface. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread A . L . M . Buxey
Hi, Maybe. But a lot of people *have* used it, because I've seen it when doing webauth logins e.g. in airports, train networks, etc. And by definition, the people unwise enough to use it are also likely to be the people unwise enough to return and fix things up in the installations they did.

Re: [c-nsp] Route-Reflector Sub-optimal Routing

2013-03-11 Thread judy teng
Yes. You can do it with BGP Add path attributes. It should be available now. -Judy --- On Mon, 3/11/13, Adam Vitkovsky adam.vitkov...@swan.sk wrote: From: Adam Vitkovsky adam.vitkov...@swan.sk Subject: Re: [c-nsp] Route-Reflector Sub-optimal Routing To: 'sherif mostafa'

[c-nsp] nx-os ssh connection startup delay ?

2013-03-11 Thread Jeffrey G. Fitzwater
cisco 7k 6.1.2 We are seeing delays when ssh-ing to system just before the banner page comes up. Once session is up we see no delay. It has become very consistent when we log-in recently and the delay is always just before the banner is displayed. Debugging of the SSH session at client

[c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread John Neiberger
I was just reading a bit about next-hop tracking and neighbor fall-over and now I'm a little confused about what fall-over actually does. The docs say that it enables fast peering session deactivation, but I can't tell what that really means. The wording in the docs makes it sound a lot like BFD,

Re: [c-nsp] nx-os ssh connection startup delay ?

2013-03-11 Thread Chuck Church
I seem to remember this a couple years ago working with Nexus 5K. Is AAA involved? Or your SSH clients order of protocol selection? Chuck -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeffrey G. Fitzwater Sent:

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Saku Ytti
On (2013-03-11 10:52 -0600), John Neiberger wrote: Can someone shed some light on this? What is fall-over really doing and when might it be useful? Without BFD it means that eBGP is torn down when egress interface to neighbour goes down. It's on by default. -- ++ytti

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Saku Ytti
On (2013-03-11 19:07 +0200), Saku Ytti wrote: On (2013-03-11 10:52 -0600), John Neiberger wrote: Can someone shed some light on this? What is fall-over really doing and when might it be useful? Without BFD it means that eBGP is torn down when egress interface to neighbour goes down.

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Oliver Boehmer (oboehmer)
Can someone shed some light on this? What is fall-over really doing and when might it be useful? sorry for the confusion ;-) neighbor fall-over (without the BFD keyword) is for multihop/non-directly-connected peers like the default behaviour fast-external-fallover for directly connected

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread John Neiberger
On Mon, Mar 11, 2013 at 11:12 AM, Oliver Boehmer (oboehmer) oboeh...@cisco.com wrote: Can someone shed some light on this? What is fall-over really doing and when might it be useful? sorry for the confusion ;-) neighbor fall-over (without the BFD keyword) is for

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Tom Storey
I recall that APNIC, the unfortunate custodians of 1.0.0.0/8, had declared that the two prefixes 1.1.1.0/24 and 1.2.3.0/24 would never be allocated to an actual customer network, given the extensive use of them in private network situations like these (1.1.1.1 and 1.2.3.4 respectively being the

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Oliver Boehmer (oboehmer)
In the case I'm thinking of using it, we do all over our internal BGP peering to loopbacks, which are in OSPF. If we enable fallover, it sounds like the peer will be torn down as soon as that next hop is removed from the routing table. Which is generally not something folks do in iBGP, there

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Bruce Pinsky
John Neiberger wrote: In the case I'm thinking of using it, we do all over our internal BGP peering to loopbacks, which are in OSPF. If we enable fallover, it sounds like the peer will be torn down as soon as that next hop is removed from the

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Bruce Pinsky
John Neiberger wrote: I was just reading a bit about next-hop tracking and neighbor fall-over and now I'm a little confused about what fall-over actually does. The docs say that it enables fast peering session deactivation, but I can't tell what

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Steven Raymond
On Mar 11, 2013, at 10:52 AM, John Neiberger wrote: I was just reading a bit about next-hop tracking and neighbor fall-over and now I'm a little confused about what fall-over actually does. The docs say that it enables fast peering session deactivation, but I can't tell what that really

Re: [c-nsp] nx-os ssh connection startup delay ?

2013-03-11 Thread Tóth András
Hi Jeffrey, As Chuck highlighted this could be due to a delay reaching the AAA server. I would also try disabling DNS lookups with no ip domain-lookup because when SSH is established the reverse record for the IP might be requested causing a delay. You could also do an ethanalyzer capture in

Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread John Neiberger
On Mon, Mar 11, 2013 at 11:29 AM, Bruce Pinsky b...@whack.org wrote: John Neiberger wrote: In the case I'm thinking of using it, we do all over our internal BGP peering to loopbacks, which are in OSPF. If we enable fallover, it sounds like

Re: [c-nsp] nx-os ssh connection startup delay ?

2013-03-11 Thread Rati , Berikaant Jokhadze
Check also if there is a login delay command configured :) luck On 03/11/2013 10:31 PM, Tóth András wrote: Hi Jeffrey, As Chuck highlighted this could be due to a delay reaching the AAA server. I would also try disabling DNS lookups with no ip domain-lookup because when SSH is established the

Re: [c-nsp] nx-os ssh connection startup delay ?

2013-03-11 Thread Jeffrey G. Fitzwater
The delay is also there with TELNET… I enabled it for testing. Jeff On Mar 11, 2013, at 14:31 , Tóth András wrote: Hi Jeffrey, As Chuck highlighted this could be due to a delay reaching the AAA server. I would also try disabling DNS lookups with no ip domain-lookup because when SSH is

Re: [c-nsp] Sup720 software forwarding

2013-03-11 Thread Tóth András
Hi Peter, MAC learning is fully hardware based on 6500 Sup720, therefore even if it's flapping it will not cause packets to be software switched, nor CPU usage to increase due to learning. Did you rectify the MAC flapping issue? If so, did you see an improvement with those flows, i.e. did they

Re: [c-nsp] nx-os ssh connection startup delay ?

2013-03-11 Thread Andrew Miehs
Sent from a mobile device On 12/03/2013, at 2:55, Jeffrey G. Fitzwater jf...@princeton.edu wrote: cisco 7k 6.1.2 We are seeing delays when ssh-ing to system just before the banner page comes up. Misconfigured tacacs/ aaa settings?

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Tony Varriale
On 3/11/2013 9:37 AM, Phil Mayers wrote: On 11/03/13 13:42, Tony Varriale wrote: engineer worth their salt does not use this. Maybe. But a lot of people *have* used it, because I've seen it when doing webauth logins e.g. in airports, train networks, etc. And by definition, the people

Re: [c-nsp] 1.1.1.0/24 and Cisco WLCs

2013-03-11 Thread Tony Varriale
On 3/11/2013 9:49 AM, Sandy Breeze wrote: On 11/03/13 14:37, Phil Mayers wrote: Cisco wrote docs suggesting that people did this: Enter the IP address of the controller's virtual interface. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Re: [c-nsp] 4500-X VSS %EC-5-CANNOT_BUNDLE2

2013-03-11 Thread CiscoNSP List
Hi, Just an update to this - If I remove switch virtual link from the portchans, and then re-apply them to the tenGig ints, the portchan comes up? Portchan conf (That fails): (Hotmail will probably screw the formatting): interface Port-channel5 switchport switchport mode trunk