Re: [c-nsp] BGP Regex to allow ISP customers

2016-10-17 Thread Brandon Ewing
you *ARE* ASN 100, you will not see _100_ in your BGP RIB, as your ASN is only prepended when advertising the route to an external ASN. In that case, you can just match for client ASNs: "_((55|56)(_)?)+$" -- Brandon Ewing

Re: [c-nsp] ASR9001 Vs ASR1006

2016-05-14 Thread Brandon Ewing
what? Is XR 6.0.1 not supported on the ASR9001? All the release notes contradict that. Or did you mean the non-X 1K routers? -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] ME3600X 15.2S memory leak

2016-02-04 Thread Brandon Ewing
we are doing is L3VPN. -- Brandon Ewing (nicot...@warningg.com) ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp

Re: [c-nsp] ibgp on 6509 with sup2?

2016-01-15 Thread Brandon Ewing
Sup2T, if anyone else ever stumbles across this thread. Expands the usefulness of the 6840-X-LE switches, or other Sup2T platforms without XL TCAM. -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] IOS-XR vimrc?

2014-12-17 Thread Brandon Ewing
-indent at all on following new-lines, and the default tab settings insert a tab instead of spaces. I did a little investigation of the underlying OS -- has anyone tried editing/creating /pkg/etc/vim/vimrc to have some more sane settings? Does it persist with system upgrades/reboots? -- Brandon

Re: [c-nsp] IOS: catch 22 when enabling new bgp neighbors

2014-06-20 Thread Brandon Ewing
. You can override inbound policy on a per-neighbor basis, but outbound policy will be in lockstep for multiple neighbors in the same peer-group. The above is why we prefer templates instead of groups, but that does nothing to solve the original problem. -- Brandon Ewing

Re: [c-nsp] 6880-X XL vs. ASR

2014-05-05 Thread Brandon Ewing
observed in the history of the VSS concept, I can also highly recommend keeping the brains separate and running a NHRP to handle your redundancy. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

2014-04-15 Thread Brandon Ewing
UTC (GMT) Has anyone had any luck finding the fixed 8.3(2.40) images? The latest interims I can find are 2.39. Emailed TAC, but no response yet. -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] ME3600 - xconnect, vlan remap, and STP

2014-03-18 Thread Brandon Ewing
, and MSTP on the other? How can we ensure that the MST0 BPDU is replicated into each PVST instance when we are doing the mapping? -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] ME-3600 Can't see ip pim vrf neighbor

2013-05-24 Thread Brandon Ewing
version or licensing preventing it from showing. me01#sdm prefer ? default default template ip ip template -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] Cisco and BGP MED

2013-03-29 Thread Brandon Ewing
, localpref 100, valid, external, best -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] Default routes, OSPF zones, and BGP

2013-03-13 Thread Brandon Ewing
approaches would be appreciated. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Dell switches (specifically PowerConnect 7048P) and Ciscos

2012-11-28 Thread Brandon Ewing
did crashed the Powerconnect as it attempted to create 4000+ vLANs at once. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] VS-S720-10G (6509 VSS Engine) 10G Port Issue

2012-06-12 Thread Brandon Ewing
experience about this case. We successfully converted a pair of VSS switches into two standalone switches without issue, but continuing to use the supervisor 10GE ports as a 20GE port channel between the two switches. We have had no issues with performance on the ports. -- Brandon Ewing

Re: [c-nsp] Rapid-PVST and RSTP compatibility

2012-05-23 Thread Brandon Ewing
at this, mapping vLANS to an MST instance on a Powerconnect created that vLAN on the switch. Since we were pre-mapping the entire 4K vlan range on our Cisco devices, this blew up the first Powerconnect we tried it on. Note: This was 2+ years ago, on a 53xx-class device. -- Brandon Ewing

Re: [c-nsp] Cisco Crashinfo file

2012-05-03 Thread Brandon Ewing
file. https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl?locale=en -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Cisco 6509 sup2 NVRAM corrupted..

2012-04-03 Thread Brandon Ewing
of my head, but you should be able to get one from your local electronics store. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Is Inter-AS option B supported on Catalyst 6500 SXI code?

2012-03-27 Thread Brandon Ewing
#wp1015775 -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] VPN L2L connecting to SSL VPN user?

2011-12-06 Thread Brandon Ewing
using packet-tracer to debug, but you can't really simulate incoming encrypted traffic using it. :/ -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] VSS - Horror stories, show-stoppers, other personal experience?

2011-06-20 Thread Brandon Ewing
processor supporting two chassis. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] VPN for Android

2011-06-07 Thread Brandon Ewing
IPSEC session, like rooting their phones and compiling vpnc themselves. jms There's an app in the market now, if you have a firmware/kernel with tun.ko pre-installed. I tested it last night, and was able to connect to ipsec on 3G. http://code.google.com/p/get-a-robot-vpnc/ -- Brandon Ewing

Re: [c-nsp] SXJ - The good, the bad, the ugly?

2011-05-03 Thread Brandon Ewing
SXI4 or SXI5 -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] ASR 1002-F NetFlow

2011-04-28 Thread Brandon Ewing
with a src AS or dst AS 0 represent your own AS. Not sure if this is true on the ASR platform. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Safer DDOS drops

2011-04-08 Thread Brandon Ewing
try adding a deny ip any host 208.71.159.144 fragments line? It's possible the router is trying to reassemble the fragments to compare them to the ACL -- someone with more experience on the 6500 platform's ACL quirks could comment. -- Brandon Ewing(nicot

Re: [c-nsp] 3560 vs 4948 shared buffer memory

2011-03-08 Thread Brandon Ewing
. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] BGP Black hole

2011-03-03 Thread Brandon Ewing
it to 2 hops instead of disabling it will not do any check at all? I would imagine that the disable-connected-check is more useful, as egp-multihop anything implies disabling the connected check completely. The number just specifies what TTL will be used by the BGP packets. -- Brandon Ewing

Re: [c-nsp] CoPP IS-IS traffic on N7k

2011-01-24 Thread Brandon Ewing
in Netflow when control plane traffic is passed to the route processor? I tried the ones listed as Control Plane Interface, SPAN RP Interface, and SPAN SP Interface, but none of my exported flows have any of their iface #s listed as the outgoing interface. -- Brandon Ewing

Re: [c-nsp] 3560E TCAM Question

2011-01-20 Thread Brandon Ewing
-connected routes: 2048/2048 1365/1365 IPv4 unicast indirectly-connected routes: 1024/1024 190/190 I believe direct-connected routes also includes IP-ARP entries in TCAM. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] 3560 SVI

2010-11-16 Thread Brandon Ewing
. Another case would be an incorrect netmask, with proxy-arp enabled on another ip-routing device in the broadcast network. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Uneven LACP load-balancing

2010-11-12 Thread Brandon Ewing
Receive Utilization Transmit Utilization Gi0/51 10 And I've confirmed via NetFlow that a non-trivial amount of data is exchanged between those two IPs. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Uneven LACP load-balancing

2010-11-12 Thread Brandon Ewing
On Fri, Nov 12, 2010 at 11:40:37AM -0600, Brandon Ewing wrote: Unfortunately, I don't know if the layer-2 hashing method on src-dst-ip is independent of whichever CEF algorithm I choose, or if both load balancing levels always use the same algorithm. As a follow-up, I tried switching

[c-nsp] Uneven LACP load-balancing

2010-11-10 Thread Brandon Ewing
on multiple switches, and all switches are running 12.2(50)SE1 ip services -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] App to manage pushing out changes

2010-08-12 Thread Brandon Ewing
fell swoop. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] MST Reserved VLANs on Nexus 5010

2010-06-27 Thread Brandon Ewing
exist. They had lost our business by then. Dell is the same way. In lab tests on their Powerconnect switches, attempting to map uncreated vLANs to an MST instance creates them. This was bad when attempting to map all vlans to MST01, switch went nuts and had to be power-cycled. -- Brandon Ewing

Re: [c-nsp] Transfer speed issues on 3560G

2010-06-25 Thread Brandon Ewing
tested with UDP, and got the same results as before. If anyone has any additional ideas as to what to check, it would be appreciated. -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] Transfer speed issues on 3560G

2010-06-24 Thread Brandon Ewing
not result in a net increase of overall speed. It appears that any flow in between two ports can only reach 100mb/s. Anyone have any idea where I can look to find the root cause? -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Brandon Ewing
-- does anyone know if the feature is coming in the next release? It'd be very desirable to be able to do simple OSPF without upgrading to the IP Services license. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Tracking config changes

2010-05-24 Thread Brandon Ewing
RANCID) to collect the new revision and mail out the diffs. (see snmp-server enable traps config) Dave. This does not work correctly on all platforms. See my previous post http://markmail.org/message/4envqn5aepv6nbci and test prior to production. -- Brandon Ewing

[c-nsp] 3550s, SDM, and Feature Manager

2010-04-20 Thread Brandon Ewing
0082 -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] same mac for different ip addr

2010-04-20 Thread Brandon Ewing
switches maintain a different layer 2 forwarding database for each vLAN, so the same MAC in multiple vLANs is handled appropriately. If it's aliases, it still isn't an issue, as the layer 3 device will gladly store the same MAC address in the ARP table for multiple IPs. -- Brandon Ewing

Re: [c-nsp] Port-channel weirdness VSS

2010-04-13 Thread Brandon Ewing
will always prefer to egress on a locally connected link over traversing the VSL. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Question - VLAN tagging Catalyst 6500 to Linux Host

2010-04-05 Thread Brandon Ewing
a vlan. You can see this with: show vlan internal usage Mack This is actually controlled by vlan internal allocation policy (ascending|descending). If set to ascending, it starts at 1005 and starts counting up -- if descending, starts at 4094 and counts down. -- Brandon Ewing

Re: [c-nsp] Sup720 CoPP, limits on CPU performance

2010-03-25 Thread Brandon Ewing
issues if you drop exceeded traffic. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Sup720 CoPP, limits on CPU performance

2010-03-23 Thread Brandon Ewing
action in your default, or you risk rate-limiting/dropping ARP gleans? -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Current BGP BCP for anchoring and announcing local prefixes

2010-03-19 Thread Brandon Ewing
, -Drew Linux-based route server using iBGP. Our IPs get our nullroute community and our upstreams' nullroute communities, external IPs get our nullroute community and no-export for source-based RTBH. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] what is it with 3550s?

2010-02-23 Thread Brandon Ewing
On Tue, Feb 23, 2010 at 06:35:11AM -0500, Devon True wrote: The 4948 does support input and output service policies. -- Devon But does not support IPv6 in hardware, IIRC. Something to keep in mind. -- Brandon Ewing(nicot...@warningg.com

Re: [c-nsp] Cisco 6500/Sup720 ARP CoPP

2010-02-09 Thread Brandon Ewing
qos protocol arp still seems to indicate that ARP traffic is being dropped somewhere, even though software and hardware counters for the ARP class show 0 drops. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] what is it with 3550s?

2010-02-03 Thread Brandon Ewing
with source routing header options unicast-routing Enable unicast routing IPv6 on 3550 is software-switched, as the ASICs on the platform aren't big enough for v6 addressing. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] BGP - Announcing routes to Internet providers.

2010-01-05 Thread Brandon Ewing
the traffic to be dropped at the ingress edge instead of crossing your network from ingress to where the announcement is sourced. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Linux VPN client suggestion?

2009-11-03 Thread Brandon Ewing
. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] So when is IPv6 failover coming to the ASA?

2009-09-28 Thread Brandon Ewing
www service-object icmp echo ! Then utilize it in an ACL: access-list TEST-ACL permit object-group TEST any host 1.2.3.4 -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] 6500 - stateful failover, reason?

2009-09-22 Thread Brandon Ewing
-- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] 6500 - stateful failover, reason?

2009-09-22 Thread Brandon Ewing
the NSF message, the adjacency will already have been dropped. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] mapping CPU IDs to reality

2009-07-27 Thread Brandon Ewing
/technologies_tech_note09186a0080094a94.shtml ENTITY-MIB::entPhysicalTable will map a processor to an entity ID CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex maps the entity ID to a processor index. CISCO-PROCESS-MIB::cpmCPUTotalTable lists processor utilization by processor index. -- Brandon Ewing

Re: [c-nsp] Cisco Catalyst 2960PD-8TT-L

2009-07-27 Thread Brandon Ewing
to only do show version, show vlan, and show running-config. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Monitoring BGP with NAGIOS

2009-07-23 Thread Brandon Ewing
of information regarding BGP SNMP http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=BGP4-MIB -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] PIX/ASA Change Control

2009-06-26 Thread Brandon Ewing
on it, allowing one to see when/how/why changes were made to the configurations. Maintaining a working directory locally on the server where you can check out revisions and perform svn diff on is also useful. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] No GRP images for GSR's?

2009-03-24 Thread Brandon Ewing
Looks like in the new browser, they're filed as 12000 Performance Route Processor Engine images. Filename is still gsr-p-mz, which runs on the GRP. Note that 12.0(32)S12 contains the 4-byte ASN problems discussed here and on NANOG, so 12.0(32)S11 is your best bet. -- Brandon Ewing

Re: [c-nsp] ME3400

2009-03-11 Thread Brandon Ewing
-attached section, and each IP - ARP address is an adjacency in the directly-attached section, so it's really more a limitation on the amount of ARP entries the switch can store. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] vpn client issues with ASA

2009-02-05 Thread Brandon Ewing
-authentication none to the RA tunnel-group to disable XAUTH. -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] Active Supervisor on 6500 - SNMP?

2008-12-26 Thread Brandon Ewing
::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8) CISCO-RF-MIB::cRFCfgRedundancyModeDescr.0 = STRING: SSO (Stateful Switchover) -- Brandon Ewing (nicot...@warningg.com)

Re: [c-nsp] 32 bit ASN

2008-12-24 Thread Brandon Ewing
/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658 I loaded it on a test router yesterday -- I immediately ran into the issue discussed last week on NANOG: http://markmail.org/message/3ofvjyggayfxezna -- Brandon Ewing (nicot...@warningg.com)

[c-nsp] 3750 software stability

2008-02-04 Thread Brandon Ewing
Can anyone here provide thoughts / suggestions regarding the version of IOS for the 3750 platform that has the least problems, and offers the most stability? Featureset is not an issue, as layer 3 functions are not required, just QoS/LACP. -- Brandon Ewing