[c-nsp] 3750-X VRF CEF Issue
Hi all,

there is something funky going on a stack of 3750Xs that we have VRF-Lite enabled on:

SW11(config)#ip vrf TEST
SW11(config-vrf)#rd 65000:13
SW11(config-vrf)#int vl161
SW11(config-if)#do sh run int vl161
Building configuration...

Current configuration : 129 bytes
!
interface Vlan161
 description TEST
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 arp timeout 300
end

SW11(config-if)#ip vrf forwarding TEST
% CEF table 0x11 does not exist (Vlan161).
SW11(config-if)#

System image file is flash:/c3750e-universalk9-mz.150-2.SE2.bin

There are 12 VRFs already defined in the switch and they are working without any trouble. Has anyone seen something like this before?

Best regards,
Jan

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Differences between Supervisor Engine 6L-E and 6-E
Hi guys,

can anyone give me an indication of the exact differences between Supervisor Engine 6L-E and Supervisor Engine 6-E for the Cat 4506-E?

Thanks in advance...

Regards,
Alex
[c-nsp] WARNING: Netflow Hardware assisted NAT not supported on 65xx on the same interface even with Sup2T
Hi all,

I leave it here JFTR, to prevent someone else from making the same error as I did with NAT, NetFlow and Sup2T (just as Matthew Huff did before me with Sup720).

According to Cisco, because of CSCud36118, enabling NAT (ip nat outside) and Flexible NetFlow (ip flow monitor MonitorFlow input) on the same interface forces NAT traffic to be software switched even with Sup2T. Although TAC states that this is a software limitation, I've been told that there is no plan to support this feature combination in hardware.

HTH

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Huff
Sent: Friday, August 26, 2011 10:26 AM
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] WARNING: Netflow Data Export Hardware assisted NAT not supported on 76xx/65xx on the same interface

> Last winter we purchased a pair of 7606 routers to use out at the NYSE colo facility. We connect via a 1gb fiber to the SFTI LCN for market data and FIX traffic. We fully expected to be able to use hardware assisted NAT and NDE to monitor the traffic. The netflow output we get is random, sporadic and very incomplete. After dealing with our Sales team and TAC, we have finally got them to admit that it doesn't work when NAT and NDE are configured on the same interface.
>
> Nowhere in the Cisco marketing literature, Cisco documentation, or even Cisco bug lists does it mention this. There are some caveats listed regarding NDE and NAT (flow mask conflicts, and fragments), but even given that, the caveats imply that it will work if the caveats don't apply or the flowmask conflicts are resolved. Also, there are no warnings when configuring it. The feature manager shows no errors or conflicts, etc... At every step, in my opinion, Cisco has been reluctant to admit that it doesn't work. Only when confronted with the evidence did they finally admit it.
>
> Had we known of this limitation, we would have purchased different hardware, including possibly another vendor's solution. I'm looking at using SPAN to replicate the data and send it to a Linux box to then create netflow data exports; however, given the nature of the data (high bandwidth and microbursts), I'm not sure that the Linux box will work accurately. I assumed the PFC would be doing the exports in hardware, giving us the most accurate realtime look at the market data. Evidently I was wrong.
>
> I'm sending this so that no one else will make the same mistake we did, as well as to have it in the nsp archives.
>
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations | Purchase, NY 10577
> OTA Management LLC | Phone: 914-460-4039
> aim: matthewbhuff | Fax: 914-460-4139
Re: [c-nsp] Differences between Supervisor Engine 6L-E and 6-E
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_models_comparison.html

On Friday, October 11, 2013, Alex D. wrote:

> Hi guys,
>
> can anyone give me an indication of the exact differences between Supervisor Engine 6L-E and Supervisor Engine 6-E for the Cat 4506-E?
>
> Thanks in advance...
>
> Regards,
> Alex
Re: [c-nsp] Differences between Supervisor Engine 6L-E and 6-E
Many thanks for the quick reply. This answers all my open questions...

Regards,
Alex

On 11.10.2013 12:58, Joshua Morgan wrote:

> http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_models_comparison.html
[c-nsp] asr9k (xr 4.1.2) null 0 traffic not showing packets in packets out
I have a static route pointing to null 0. I know I have traffic flowing towards null 0, but sh int null 0 shows no packets out. Why not?

I have 7609's that I point static routes at null 0 on, and there I see packets out, and I get to MRTG-graph that blackholed traffic. But I don't seem to see the same thing on the asr9k. Is there a way to see the traffic that is going out null 0 on my asr9k?

Aaron
[c-nsp] ASR1001 QoS on port-channel sub-interfaces
Hi all,

We have recently purchased an ASR1001 and seem to be hitting some limitations regarding QOS on sub-interfaces on port channels.

I can police on a per-subscriber basis fine, handing down the policies from our radius server. I would also like to police the aggregate on the sub-interface that happens to be on a port-channel. When attempting to apply the service-policy to the sub-interface, it seems to apply fine; however, when verifying the policy-map on the interface, I can see that it is in suspended mode and not applying.

When I attempt the suggested work-around of lacp fast-switchover with lacp max-bundle 1 on the port-channel, the sub-interface policy is able to apply successfully. However, we straight away lose half our performance to standby.

In order to attempt to resolve this, I have upgraded to version asr1001-universalk9.03.10.00a.S.153-3.S0a-ext.bin. This did not resolve it.

This blog post by another network engineer sums up the issue perfectly; it was over a year ago, so I'm hoping the issue got some traction in Cisco.
http://thenetworksbroken.blogspot.com.au/2012/09/cisco-asr-1001-queuing-on-pppoe.html

Any assistance would be greatly appreciated.

Kind Regards,

Chris Gibbs
Network and Security Engineer | Information Management Technology
Gosford City Council
www.gosford.nsw.gov.au
PO Box 21 Gosford NSW 2250
Phone: (02) 4325 Mobile: 0408 222 496 Fax: (02) 4323 2477
chris.gi...@gosford.nsw.gov.au
Re: [c-nsp] WARNING: Netflow Hardware assisted NAT not supported on 65xx on the same interface even with Sup2T
FYI,

At least Cisco went back and added caveats to the documentation about this limitation. Since I had combed through all the documentation beforehand, had the caveat been there, it is likely we would have purchased a different set of hardware.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of oldnick
Sent: Friday, October 11, 2013 2:46 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] WARNING: Netflow Hardware assisted NAT not supported on 65xx on the same interface even with Sup2T

> Hi all,
>
> I leave it here JFTR, to prevent someone else from making the same error as I did with NAT, NetFlow and Sup2T (just as Matthew Huff did before me with Sup720).
>
> According to Cisco, because of CSCud36118, enabling NAT (ip nat outside) and Flexible NetFlow (ip flow monitor MonitorFlow input) on the same interface forces NAT traffic to be software switched even with Sup2T. Although TAC states that this is a software limitation, I've been told that there is no plan to support this feature combination in hardware.
>
> HTH
Re: [c-nsp] WARNING: Netflow Hardware assisted NAT not supported on 65xx on the same interface even with Sup2T
On 11/10/13 14:11, Matthew Huff wrote:

> FYI,
>
> At least Cisco went back and added caveats to the documentation about this limitation. Since I had combed through all the documentation beforehand, had the caveat been there, it is likely we would have purchased a different set of hardware.

Have they pulled that great Cisco trick of updating the docs but not updating the last edited timestamp, fooling you into thinking it's always been there?
Re: [c-nsp] WARNING: Netflow Hardware assisted NAT not supported on 65xx on the same interface even with Sup2T
No idea. I didn't check at the time. Since the document is updated regularly, I doubt they needed any subterfuge. The last modified date is now July 30th, 2013. It's in "Configuring NetFlow and NDE" in the Cisco 7600 Series Router Software Configuration Guide, Cisco IOS Release 15S documentation.

This is what was added:

    Note: NDE and NAT configuration on the same interface is not supported. NDE requires flows to age out periodically for it to export its statistics. NAT installs hardware shortcuts that do not age. Hence, NDE for NAT'd flows does not work correctly.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, October 11, 2013 11:24 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WARNING: Netflow Hardware assisted NAT not supported on 65xx on the same interface even with Sup2T

> Have they pulled that great Cisco trick of updating the docs but not updating the last edited timestamp, fooling you into thinking it's always been there?
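The unsupported combination this thread warns about (oldnick's post on CSCud36118, and the doc note quoted above: NAT and NDE/NetFlow on the same interface) is easy to catch before deployment with a config review. The following is an added example, not code from the thread or from Cisco: a small Python checker over a constructed IOS-style running-config that flags any interface carrying both an "ip nat inside/outside" role and a NetFlow command (Flexible NetFlow "ip flow monitor", or classic "ip flow ingress/egress" / "ip route-cache flow"). Interface names, addresses and the monitor name are made up.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the thread). GigabitEthernet1/1
# combines NAT with Flexible NetFlow on one interface, the combination the
# thread reports as forcing NAT traffic into software switching.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 ip flow monitor MonitorFlow input
!
interface Vlan100
 ip address 198.51.100.1 255.255.255.0
 ip nat inside
!
interface Vlan200
 ip address 203.0.113.1 255.255.255.0
 ip flow ingress
!
"""

NAT_RE = re.compile(r"^ip nat (inside|outside)\b")
FLOW_RE = re.compile(
    r"^ip (flow monitor \S+ (input|output)|flow (ingress|egress)|route-cache flow)\b"
)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface' stanza under its name."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith("!"):
            current = None  # a bare '!' terminates the stanza in IOS output
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas


def find_nat_netflow_conflicts(config: str) -> Dict[str, List[str]]:
    """Return {interface: offending lines} where NAT and NetFlow coexist."""
    hits: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        nat = [l for l in lines if NAT_RE.match(l)]
        flow = [l for l in lines if FLOW_RE.match(l)]
        if nat and flow:
            hits[name] = nat + flow
    return hits


if __name__ == "__main__":
    for name, lines in find_nat_netflow_conflicts(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(lines)}")
```

Feed it the output of "show running-config" instead of SAMPLE_CONFIG to audit a real box; interfaces with only one of the two features are deliberately not reported.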
Re: [c-nsp] ASR1001 QoS on port-channel sub-interfaces
FYI - I have had two TAC cases open on this issue, January this year and July 2012. The latest from TAC is:

    Currently, our engineering is working on aggregate port-channel QoS. We don't have an exact release at this time, but we can say that support will be no sooner than XE3.11, and may be later.

From: chris.gi...@gosford.nsw.gov.au
To: cisco-nsp@puck.nether.net
Date: Fri, 11 Oct 2013 13:46:05 +0000
Subject: [c-nsp] ASR1001 QoS on port-channel sub-interfaces

> Hi all,
>
> We have recently purchased an ASR1001 and seem to be hitting some limitations regarding QOS on sub-interfaces on port channels.
>
> I can police on a per-subscriber basis fine, handing down the policies from our radius server. I would also like to police the aggregate on the sub-interface that happens to be on a port-channel. When attempting to apply the service-policy to the sub-interface, it seems to apply fine; however, when verifying the policy-map on the interface, I can see that it is in suspended mode and not applying.
>
> When I attempt the suggested work-around of lacp fast-switchover with lacp max-bundle 1 on the port-channel, the sub-interface policy is able to apply successfully. However, we straight away lose half our performance to standby.
>
> In order to attempt to resolve this, I have upgraded to version asr1001-universalk9.03.10.00a.S.153-3.S0a-ext.bin. This did not resolve it.
>
> This blog post by another network engineer sums up the issue perfectly; it was over a year ago, so I'm hoping the issue got some traction in Cisco.
> http://thenetworksbroken.blogspot.com.au/2012/09/cisco-asr-1001-queuing-on-pppoe.html
>
> Any assistance would be greatly appreciated.
>
> Kind Regards,
>
> Chris Gibbs
> Network and Security Engineer | Information Management Technology
> Gosford City Council
[c-nsp] Fwd: RTP permission and related attacks/threats
Hi Guys,

I have to permit RTP traffic from the internal network to other organizations (under different management) on gateway devices (routers, switches). I am curious to know if there are known attacks/threats when the UDP range 16384-32767 is permitted. The RTP source/destination can be a desk phone or a PC with a softphone. If yes, then can we configure the gateway routers/switches to protect against these attacks? We have Cisco 7200, 6500, 3550, 3560, 3750 switches as gateway devices.

One more quick question: are there only two ways (NBAR and ACL with UDP range) on routers/switches to identify/match RTP traffic? I know firewalls provide features like inspect, ALG etc. to dynamically identify RTP ports by inspecting the control traffic.

Your input will be highly appreciated.

Regards