Re: [c-nsp] IOS XR filter route from OSPF?

2023-11-30 Thread Aaron via cisco-nsp
Are you running BFD on the link as well?

On Thu, Nov 30, 2023 at 8:33 AM Drew Weaver via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:

> Can you point me towards a hint on how you implement import/export filters
> in OSPF on IOS XR?
>
> Are you referring to 'distribute lists'?
>
> Another thing that is a bit quirky from my standpoint is why when the
> remote router gets knocked offline BFD on the OSPF process doesn't kill the
> route immediately.
>
> It seems like it takes 15-20 seconds for the route to be removed entirely
> from OSPF from when the transport goes down.
>
> Thanks,
> -Drew
>
>
>
>
> -Original Message-
> From: cisco-nsp  On Behalf Of Mark
> Tinka via cisco-nsp
> Sent: Tuesday, November 28, 2023 10:34 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] IOS XR filter route from OSPF?
>
>
>
> On 11/28/23 17:02, Nick Hilliard via cisco-nsp wrote:
>
> >
> > prefix filtering is a defining feature of a policy routing protocol.
> > OSPF is a link-state protocol, and doesn't support the concept of
> > having different visibility of prefixes inside the same area.  If you
> > want that with OSPF, you'll need to divide your network into different
> > areas, which is messy. Probably better off using bgp for this.
>
> Filtering in link state routing protocols is a bit of a misnomer,
> technically speaking... but, you can use import/export filters on routers
> with OSPF and IS-IS.
>
> It would not necessarily limit the LSA/LSP flooding scope, but you end up
> with the desired outcome (all manner of caveats apply).
>
> All that said, the usefulness of an IGP is in its homogeneous view of the
> network from and by all participating nodes. Bad things can happen when one
> partitions IGP's, especially in an unintended way. As you say, BGP is
> better for this kind of thing, as typically, IGP's should carry
> infrastructure prefixes, and you don't really want to filter those as they
> provide basic router-to-router connectivity.
>
> Mark.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Internet border router recommendations and experiences

2023-02-24 Thread Aaron Gould via cisco-nsp

https://apps.juniper.net/home/port-checker/index.html

nice website to check port mix capabilities.

-Aaron

On 2/22/2023 5:06 PM, Thomas Scott via cisco-nsp wrote:

Yes - 400 Gbps throughput total If I recall correctly.


The MX204 has four rate-selectable ports that can be configured as
100-Gigabit Ethernet ports or 40-Gigabit Ethernet ports, or each port can
be configured as four 10-Gigabit Ethernet ports (by using a breakout
cable). The MX204 also has eight 10-Gigabit Ethernet ports. The four
rate-selectable ports support QSFP28 and QSFP+ transceivers, whereas the
eight 10-Gigabit Ethernet ports support SFP+ transceivers

https://www.juniper.net/documentation/us/en/hardware/mx204/topics/concept/mx204-description.html

Best Regards,
-Thomas Scott


On Wed, Feb 22, 2023 at 5:19 PM Eric Louie via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:


Oh geez, I just realized I left a zero off the interface - we need 100G
interfaces both upstream (x1) and downstream (x2)
That probably changes the product choices a little bit.
Anyone with 100G Internet feeds want to let me know what you're using for
a border router?  I saw one reply for Arista already.
Does the MX204 have 100GE interfaces and throughput?
-e-

Eric Louie


 On Wednesday, February 22, 2023 at 12:43:52 PM PST, Mark Tinka
 wrote:



  On 2/22/23 20:29, Eric Louie wrote:


Mark, thanks.  We were quoted a MX304 for the Internet edge from
Juniper.  How has your experience been with it?  are you 10G upstream and
downstream?  Any IPS on the 10G connection?

  The MX304 is not worth the money, for as long as the MX204 exists.




   We tried an NCS-5501 and it was a disaster, in a word.  The 10G
interface, uRPF, source-based blackholing, and routing table depth with
Cisco is a limiting factor in their product line.

  Broadcom-based systems should always be looked at with one eye open,
i.e., test test test before you commit. This applies to any vendor, not
just Cisco.

  Mark.


--
-Aaron



Re: [c-nsp] How can one escalate within Cisco TAC?

2023-02-08 Thread Aaron via cisco-nsp
i think the problem is they let the good ones go.

On Wednesday, February 8, 2023, Mark Tinka via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:

>
>
> On 2/8/23 10:23, Saku Ytti via cisco-nsp wrote:
>
>> Working would be much more pleasurable if half the
>> world's white collar workers wouldn't be unemployed plat card holders
>> and cruising without output, while looking down on people doing 3 jobs
>> and not qualifying for a mortgage.
>>
>
> Sadly, as folk move up in career, title, status and income, they tend to
> become less useful on a real, practical, rubber-meets-the-road level.
> Which, in all fairness, I would be okay with if they had a team that made
> them look good. But in most cases, they don't even have that, or if they
> do, find a proper way to muck that up as well.
>
> It's a general issue - not to pick only on Cisco.
>
> Mark.


Re: [c-nsp] Large prefix lists/sets on IOS-XR

2022-12-08 Thread Aaron via cisco-nsp
netconf?

On Thu, Dec 8, 2022 at 6:03 PM Sander Steffann via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:

> Hi,
>
> What is the best/most efficient/most convenient way to push large prefix
> lists or sets to an XR router for BGP prefix filtering? Pushing thousands
> of lines through the CLI seems foolish, I tried using the load command but
> it seems horribly slow. What am I missing? :)
>
> Cheers!
> Sander
>
> ---
> for every complex problem, there’s a solution that is simple, neat, and
> wrong


Re: [c-nsp] NTP network design considerations

2022-10-14 Thread Aaron via cisco-nsp
You can set up a Raspberry Pi as a server and do GPS. Not sure on the
scalability (how many devices it can handle) of that but it does work.
I would do at least 3 in different servers/locations, then have my routers
slave off them and peer with each other.
It is internal and is cheap.
There are a few sources on the internet that I trust for time. It depends
on your level of comfort.

Aaron

On Fri, Oct 14, 2022 at 2:43 PM harbor235 via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:

> I hear what you're saying but NTP is an active attack vector, I don't trust
> outside resources implicitly and traffic segmentation is a prudent measure
> especially if you are getting internet time. Now if you have your own
> stratum1 then I understand your point more.
>
>
> Mike
>
> On Fri, Oct 14, 2022 at 10:45 AM Gert Doering  wrote:
>
> > Hi,
> >
> > On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> > > How are you integrating NTP into your infrastructures? Is it part of your
> > > management network(s)?
> >
> > NTP servers (appliances from Meinberg and regular FreeBSD servers,
> > basically)
> > are just sitting "on the Internet" and our machines sync to them, and
> > monitor their relative times (= so if one is misbehaving, NTP will
> > do the right thing on its own, and monitoring will tell us so we can
> > fix it).
> >
> > The machines protect themselves by local iptables rules for SSH/https,
> > and in-band by NTP access rules ("serve time to everyone, serve larger
> > responses only to management systems, do not believe anyone").
> >
> > I've never understood this obsession on filtering things that are intended
> > to be put out in the wild.
> >
> > gert
> >
> > --
> > "If was one thing all people took for granted, was conviction that if you
> >  feed honest figures into a computer, honest figures come out. Never doubted
> >  it myself till I met a computer with a sense of humor."
> >  Robert A. Heinlein, The Moon is a Harsh Mistress
> >
> > Gert Doering - Munich, Germany
> > g...@greenie.muc.de
> >
>
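
The NTP access rules Gert Doering describes in the quoted message ("serve time to everyone, serve larger responses only to management systems, do not believe anyone") can be checked against an ntpd configuration. The Python audit below is an added example, not from the thread: the mapping of that policy to ntpd `restrict` flags, the two sample configurations and the 192.0.2.0/24 management network are assumptions.

```python
"""Audit ntpd 'restrict' lines against the access policy quoted above."""
import ipaddress

# Assumed mapping of the quoted policy to ntpd restrict flags (not from the thread):
#   noquery          -> no ntpq/ntpdc (mode 6/7) answers, i.e. no "larger responses"
#   nomodify, nopeer -> "do not believe anyone": no runtime reconfiguration,
#                       no unsolicited associations
#   notrap           -> no trap service for arbitrary hosts
REQUIRED_DEFAULT = {"noquery", "nomodify", "nopeer", "notrap"}
BLOCKS_TIME = {"ignore", "noserve"}  # would break "serve time to everyone"

# Constructed sample: control queries are answered for any source address.
WEAK = """\
driftfile /var/db/ntp.drift
server 192.0.2.10 iburst
restrict default nomodify
restrict 198.51.100.0 mask 255.255.255.0
"""

# Constructed sample: time for everyone, queries only from 192.0.2.0/24.
HARDENED = """\
driftfile /var/db/ntp.drift
server 192.0.2.10 iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
"""


def parse_restrict(conf_text):
    """Return [(target, flags)]; target is 'default' or an ipaddress network."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        # Drop the optional address-family selector.
        tokens = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not tokens:
            continue
        addr, rest = tokens[0], tokens[1:]
        if rest[:1] == ["mask"] and len(rest) >= 2:
            addr, rest = f"{addr}/{rest[1]}", rest[2:]
        if addr == "default":
            target = "default"
        else:
            try:
                target = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # hostname, 'source', or a mask form ipaddress cannot parse
        rules.append((target, set(rest)))
    return rules


def audit(conf_text, mgmt_nets):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    rules = parse_restrict(conf_text)
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]

    defaults = [flags for target, flags in rules if target == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: every source gets full service")
    for flags in defaults:
        missing = REQUIRED_DEFAULT - flags
        if missing:
            findings.append("restrict default is missing: " + ", ".join(sorted(missing)))
        blocked = BLOCKS_TIME & flags
        if blocked:
            findings.append("restrict default stops time service: " + ", ".join(sorted(blocked)))

    # Any more specific entry that still answers queries must sit inside a
    # management network (loopback is always allowed).
    for target, flags in rules:
        if target == "default" or flags & {"noquery", "ignore"}:
            continue
        if target.is_loopback:
            continue
        inside = any(target.version == m.version and target.subnet_of(m) for m in mgmt)
        if not inside:
            findings.append(f"{target} may send queries but is outside the management networks")
    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(conf, ["192.0.2.0/24"]) or "ok")
```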


Re: [c-nsp] Link down affecting BGP peer

2022-05-05 Thread Aaron
Are the sessions that bounced hashed to use the failed/turned off link?


On Thu, May 5, 2022 at 12:07 PM Hank Nussbacher  wrote:

> I have 4 individual links defined as part of a Bundle-ether (IOS-XR
> 5.3.3 on ASR9010):
>
> interface TenGigE0/2/0/1
>   bundle id 2 mode active
>   flow-control bidirectional
>   carrier-delay up 100 down 4000
> ! They are all part of a bundle...
> interface Bundle-Ether2
>   mtu 9192
>   bundle minimum-active links 2
>
> When I shut off just 1 of these 4 links - the bundle stays up yet
> certain BGP sessions flap for about 5 seconds - different peers
> depending on which of the 4 links gets turned down.
>
> My BGP config:
> router bgp 378
>   rpki server x.139.197.151
>    transport tcp port 8282
>    refresh-time 600
>   !
>   bgp log neighbor changes detail
>   address-family ipv4 unicast
>    bgp dampening 5 750 3000 10
>    bgp attribute-download
>   !
>   neighbor x.x.125.1
>    remote-as 5
>    address-family ipv4 unicast
>     send-community-ebgp
>     soft-reconfiguration inbound
>
> What could be causing the bgp peer to flap even though the LAG stays up?
>
> Thanks,
> Hank
>
>


Re: [c-nsp] IOS-XR Vs. NTP in a duel to the death.

2021-11-02 Thread Aaron
I typically use 3 external as servers and then have the core peer with
themselves. I don't think that will help in this case but it does seem like
something is borked.


On Tue, Nov 2, 2021 at 8:42 AM Lukas Tribus  wrote:

> I don't think you will get anywhere without actually capturing the
> entire NTP traffic between the host and the NTP server and analyzing
> it.
>
> Lukas


Re: [c-nsp] vs isis delay propagation of loopback interfec

2020-12-15 Thread Aaron
+1 overload bit.

On Tue, Dec 15, 2020 at 1:58 PM Saku Ytti  wrote:

> Hey,
>
> > Can someone help me out here? I'm trying to find a way to delay the
> > propagation of a loopback interface in isis.
> >
> > The problem is the border node in sd-access, which uses the loopback
> > interface for Lisp, and as soon the fabric sees the interface it sends
> > traffic to the address.
> >
> > But at this time bgp might not be ready out of the fabric.
>
> I assume this means you have multiple options in iBGP and you are
> redirecting it too early. Perhaps:
>
> set-overload-bit on-startup wait-for-bgp
>
> Or perhaps have another loopback for services which is iBGP only carried.
>
> --
>   ++ytti


Re: [c-nsp] ASR920 Break Into ROMMON

2020-12-04 Thread Aaron
great news.

On Friday, December 4, 2020, Scott Miller  wrote:

> This worked!  I pulled the SD card, slotted into a linux laptop, renamed
> the "good" ios file to the "bad" name, slotted the SD card back into the
> 920 and booted it up.  Came up like a champ.  Then, corrected my mistake
> and of course ... removed "no service password-recovery" so that doesn't
> bite me again.
>
> Thanks to all who offered suggestions.  Many thanks.
>
> On Fri, Dec 4, 2020 at 5:18 AM Cassidy B. Larson wrote:
>
> > I believe the bootflash is an SD card inside, you could pop it out and see
> > if you can modify it on another asr920 or device, renaming the new filename
> > to the one it's looking for.  Long shot, but who knows, might work?
> >
> > On Thu, Dec 3, 2020 at 5:24 PM Scott Miller  wrote:
> >
> >> Ya I tried that too, it still tries to find the wrong ios file and starts
> >> its loop again.  This one might be a brick.
> >>
> >> On Thu, Dec 3, 2020 at 5:15 PM Aaron  wrote:
> >>
> >> > Try this
> >> >
> >> > https://packetlife.net/blog/2010/oct/11/recovering-no-service-password-recovery-service/
> >> >
> >> > On Thursday, December 3, 2020, Aaron  wrote:
> >> >
> >> >> Looks like you need to talk to TAC. The password recovery being disabled
> >> >> is not your friend.
> >> >>
> >> >> https://community.cisco.com/t5/routing/asr-920-boot-fail/td-p/3834996

Re: [c-nsp] ASR920 Break Into ROMMON

2020-12-03 Thread Aaron
Try this

https://packetlife.net/blog/2010/oct/11/recovering-no-service-password-recovery-service/


On Thursday, December 3, 2020, Aaron  wrote:

> Looks like you need to talk to TAC. The password recovery being disabled
> is not your friend.
>
> https://community.cisco.com/t5/routing/asr-920-boot-fail/td-p/3834996

Re: [c-nsp] ASR920 Break Into ROMMON

2020-12-03 Thread Aaron
Looks like you need to talk to TAC. The password recovery being disabled is
not your friend.

https://community.cisco.com/t5/routing/asr-920-boot-fail/td-p/3834996


On Thursday, December 3, 2020, Scott Miller  wrote:

> The output didn't seem to format well, let's try it again:
>
> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 2015 by cisco Systems, Inc.
> Compiled Wed 01-Jul-15 03:53 by sdcunha
> Starting Initialization of FMAN0
> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
> Silicon Rev Major:Minor [1:1]
> Initializing the pci..
> IOFPGA version[17082912]
> Boot ROM0
> Last reset cause: BootFromUpgradeRegFail
> UEA platform with 1572863 Kbytes of main memory
>
> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>
> .Break detected: (0x1)
> Do you want to reset the router to the factory default
> configuration and proceed [y/n] ?y
>
> Router rebooting with factory default configuration
>
> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 2015 by cisco Systems, Inc.
> Compiled Wed 01-Jul-15 03:53 by sdcunha
> Starting Initialization of FMAN0
> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
> Silicon Rev Major:Minor [1:1]
> Initializing the pci..
> IOFPGA version[17082912]
> Boot ROM0
> Last reset cause: BootFromUpgradeRegFail
> UEA platform with 1572863 Kbytes of main memory
>
> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>
> .Resetting upgrade counter from failed upgrade
> Directory asr920-universalk9_npe.16.06.05a.SPA.bin not found
> Unable to locate asr920-universalk9_npe.16.06.05a.SPA.bin directory
> Unable to load asr920-universalk9_npe.16.06.05a.SPA.bin
> boot: error executing "boot bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin"
> autoboot: boot failed, restarting...
>
> On Thu, Dec 3, 2020 at 4:32 PM Scott Miller  wrote:
>
> > I have an ASR-920-12SZ-IM, which I inadvertently entered the wrong boot
> > command in the config, saved the config and rebooted.  Now it's stuck in a
> > boot loop.  I've tried breaking the boot, it asks if I want to reset to
> > factory default, and I enter "y", it reboots but still tries to find that
> > same bad ios file I entered in the initial configuration which was supposed
> > to have been wiped when it went to factory default.  I can't for the life
> > of me figure out how to get into ROMMON on this box.  Each time I break the
> > boot, it just goes back to the same question, asking if I want to factory
> > default.
> >
> > Here's what it's doing:
> >
> >  The boot file  bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin is
> > invalid and does not exist.  The correct file which is on the box
> > is  bootflash:asr920igp-universalk9_npe.16.06.05a.SPA.bin
> >
> > Anyone know how to break into ROMMON to blow out this config?  I've been
> > at it for a couple hours, nothing I've found googling seems to work.
> >
> > Thanks.
> >

Re: [c-nsp] AAA on IOS-XR (NCS540)

2020-12-03 Thread Aaron
This isn't a typo is it?

aaa authentication login default group TACACS line!

should it be
aaa authentication login default group TACACS line   <<< no !

On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol  wrote:

> No, all I have is:
>
> control-plane
>  management-plane
>   inband
>    interface TenGigE0/0/0/27
>     allow all
>    !
>    interface TenGigE0/0/0/23.1550
>     allow all
>    !
>    interface TenGigE0/0/0/25.1550
>     allow all
>    !
>   !
>
> What exactly does this do? I mean, I have an inkling, but I wouldn’t
> expect TACACS to work at all if I was missing a config to allow it to
> respond to the router.
>
> From: Scott Miller 
> Date: Thursday, December 3, 2020 at 1:52 PM
> To: Eric Van Tol 
> Cc: "cisco-nsp@puck.nether.net" 
> Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)
>
>
> Do you have the control-plane set up?
>
> tacacs source-interface Loopback100 vrf default
> tacacs-server host 11.11.11.11 port 49
>  key 7 
> !
> tacacs-server host 22.22.22.22 port 49
>  key 7 
> !
>
> aaa accounting exec default start-stop group acs-tacacs
> aaa accounting system default start-stop group acs-tacacs
> aaa accounting commands default start-stop group acs-tacacs
> aaa group server tacacs+ acs-tacacs
>  server 11.11.11.11
>  server 22.22.22.22
> !
> aaa authorization exec default group acs-tacacs local
> aaa authorization commands default group acs-tacacs none
> aaa authentication login default group acs-tacacs local
>
> line console
>  exec-timeout 10 0
> !
> line default
>  password 7 
>  exec-timeout 30 0
>  session-timeout 30
>  transport input ssh
> !
> vty-pool default 0 20
>
> control-plane
>  management-plane
>   inband
>    interface all
>     allow all peer
>      address ipv4 11.12.12.12
>      address ipv4 11.13.13.13
>      address ipv4 11.14.14.14
>
>
>
> On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol wrote:
> Hi all,
> I’m going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I’m running XR 7.1.1. Here’s the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
>  key 7 **
>  single-connection
> !
> tacacs-server host 192.168.46.126 port 49
>  key 7 **
>  timeout 3
>  single-connection
> !
> username admin
>  group root-lr
>  group cisco-support
>  secret 10  $secretpass
> !
> aaa group server tacacs+ TACACS
>  server 192.168.45.126
>  server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line!
> !
> line console
>  password 7 **
>  authorization exec CONSOLE
>  login authentication CONSOLE
> !
> line default
>  password 7 **
>  timeout login response 30
>  authorization exec default
>  login authentication default
>  exec-timeout 0 0
>  access-class ingress access-protect
>  session-timeout 120
>  transport input ssh
> !
>
> I’ve tried different permutations of the line console config and can’t get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt
>


Re: [c-nsp] ASR9k RSP440

2020-11-12 Thread Aaron
6.6.x should work too.  After that I think everything else is the 64bit.

What is everyone's opinion of the 64bit XR?

On Thu, Nov 12, 2020 at 4:37 PM  wrote:

> Never ends :)
>
> -Aaron
>
>


Re: [c-nsp] Sanity check OSPF/BGP

2020-10-08 Thread Aaron
You didn't specify the platform or code version it is running. Would help
with platform specifics


On Thu, Oct 8, 2020 at 11:47 AM  wrote:

> I wonder if bgp neighboring isn't timing out quickly enough for your
> satisfaction and holding routes for a few minutes
>
>
> -Original Message-
> From: cisco-nsp  On Behalf Of Drew
> Weaver
> Sent: Thursday, October 8, 2020 8:01 AM
> To: 'cisco-nsp@puck.nether.net' 
> Subject: [c-nsp] Sanity check OSPF/BGP
>
> Hello,
>
> I have two sets of core routers due to a transition period from one set to
> the other.
>
> I have noticed that when there is a connectivity disruption between the two
> sets of core routers and one upstream peering/edge router:
>
> Oct  7 12:01:14 EDT: %OSPF-5-ADJCHG: Process 1, Nbr  on
> TenGigabitEthernet2/1 from FULL to DOWN, Neighbor Down: BFD node down
>
> 
>
> Oct  7 12:03:29 EDT: %BGP-5-ADJCHANGE: neighbor  Down BGP
> Notification sent
>
> What I expect to happen is:
>
>   The route to the peering edge router's loopback interface is
> withdrawn when OSPF/OSPFv3 closes.
>   The core router will close the BGP session when the route to
> the dead peering edge router is withdrawn and will begin using one of the 5
> other copies of the same route that it has.
>
> Things I have implemented to avoid this:
>
>   The peering edge router and the core routers peer with IP
> addresses that are only learnable via OSPF and aren't available in any
> other
> protocol. [It's not part of our IP space]
>
> I guess I just need a sanity check regarding whether my assumption that it
> shouldn't be null routing traffic for 2+ minutes if one of our peering edge
> routers gets hit by a meteor is correct since we have 5 peering edge
> routers.
>
> Thanks in advance friends,
> -Drew
>
>
>


Re: [c-nsp] EOBC0/0 ifInErrors

2020-09-30 Thread Aaron
you could deduce if it is a line card or by adding 1 line card at a time.

On Wednesday, September 30, 2020, Nick Hilliard  wrote:

> Aaron wrote on 30/09/2020 20:11:
>
>> He is suggesting reseating all cards. Starting with the Supervisor.
>>
>
> correct. power down the box, carefully reseat all cards, power up, see if
> that fixes it.
>
> If it doesn't fix it, then open a TAC case.  If the unit isn't under
> support, then you have a problem because this type of error could be one of
> the cards, or the sup, or the backplane and it's really hard to tell which
> without swapping units out.  If you can check out the EOBC on the line
> cards using remote login, that might give useful information, maybe.
>
> Nick
>


Re: [c-nsp] EOBC0/0 ifInErrors

2020-09-30 Thread Aaron
You may need to ask TAC. Unfortunately I do not know.
He is suggesting reseating all cards. Starting with the Supervisor.


On Wed, Sep 30, 2020 at 10:14 AM Eugene Grosbein  wrote:

> 30.09.2020 19:03, Nick Hilliard wrote:
>
> > Eugene Grosbein wrote on 30/09/2020 05:14:
> >> Yesterday I've created mrtg graph for the counter and it shows steady
> rate in a range of 16-32 per second.
> >
> > I'd say that is sup + line card reseating territory.
>
> What does it mean?
>
>


Re: [c-nsp] EOBC0/0 ifInErrors

2020-09-29 Thread Aaron
sharp increase recently (weekly, daily, hourly).  I'd be more concerned
with daily and hourly (or less).
How frequently do you see them and what is the amount?

On Tue, Sep 29, 2020 at 9:41 AM Eugene Grosbein  wrote:

> 29.09.2020 18:56, Nick Hilliard wrote:
>
> > Eugene Grosbein wrote on 29/09/2020 10:08:
> >> Walking SNMP ifTable for Cisco 7606/RSP720-3C-GE I've found that virtual
> >> interface EOBC0/0 (Ethernet out-of-band channel) has increasing counter
> IF-MIB::ifInErrors.
> >> No visible problems with the box, though.
> >>
> >> Should I worry about this ifInErrors growth?
> >
> > possibly. If the errors are significant, you should try reseating the
> rsp720 and possibly some of the cards to see if that helps.
>
> Define "significant" :-) This router has uptime over 1 year.
>


Re: [c-nsp] Mass-renaming interfaces

2020-09-28 Thread Aaron
Unfortunately no.

On Mon, Sep 28, 2020 at 8:50 AM Eugene Grosbein  wrote:

> 28.09.2020 17:12, James Bensley wrote:
>
> > On Mon, 28 Sep 2020 at 07:35, Eugene Grosbein 
> wrote:
> >> One of my 7201 routers has four GigabitEthernet interfaces but uses
> only two,
> >> one for IP uplink and another as client-sided downlink with multiple
> >> sub-interfaces named like GigabitEthernet0/1.10 (encapsulation dot1Q).
> >>
> >> It needs reconfiguration to use 2x1G port-channels. I already did such
> reconfiguration
> >> for same 7201 router with small number of sub-interfaces and know this
> is doable
> >> changing sub-interfaces from GigabitEthernet0/1.N to Port-channel1.N
> >>
> >> This time the router has about 800 sub-interfaces. I can do some
> scripting
> >> to prepare incremental configuration removing/re-creating
> sub-interfaces,
> >> but I presume high CPU load for router while reconfiguring, long
> procedure time
> >> and notable service degradation or even interruption.
> >>
> >> Is there same another, more lightweight way to mass-rename
> sub-interfaces
> >> while switching from single parent interface to Port-channel?
> >
> > Hi Eugene,
> >
> > If you don't want to do this over a series of incremental changes then
> > you can make one "big bang" change by taking a copy of the running
> > configuration, making all the changes to that, and uploading it to the
> > router as a replacement start-up config file, then just reboot the
> > router to apply the config in one action. However, this approach is
> > risky, you need to test that new full configuration file (confirm that
> > the change only relate to the interface renaming, and that there are
> > no mistakes, typos, wrong VLAN numbers etc.), which is quite tricky.
> >
> > If you've ever wanted a pet project to get you into some network
> > automation and programming stuff this sounds like an ideal project to
> > me. You can definitely do this with Python tools like NAPALM and
> > Nornir. Then you can automate the changes and automate the testing of
> > the changes, and the rollback if required, in either multiple stages
> > or as one giant change; whatever suits your circumstances best.
>
> I've already written my script using AWK, it took a moderate amount of time
> to write and debug; it resulted in less than 50 lines. For each
> sub-interface
> it removes all "ip route" commands referring to it (if any) then removes
> the interface,
> then adds it back with new name, then re-adds removed routes changing
> interface name.
>
> It's quick-n-dirty but works and is fine for one-time job.
>
> My question was if IOS has some better way to rename sub-interfaces I
> could be unaware of.
>
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
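
The remove-and-recreate procedure described in the quoted message above (drop the static routes that reference a sub-interface, delete it, recreate it under the Port-channel, restore the routes), as an added Python example. It is not the AWK script mentioned in the thread; the sample configuration, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of an IOS running-config (documentation address ranges).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 description customer-a
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.0.2.5 255.255.255.252
!
interface GigabitEthernet0/10.5
 encapsulation dot1Q 5
!
ip route 198.51.100.0 255.255.255.0 GigabitEthernet0/1.10 192.0.2.2
ip route 203.0.113.0 255.255.255.0 192.0.2.6
ip route 203.0.113.128 255.255.255.128 GigabitEthernet0/10.5
"""


def parse_subinterfaces(config, parent):
    """Return {unit: [body lines]} for every sub-interface of `parent`.

    The header is matched exactly, so GigabitEthernet0/10.5 is not mistaken
    for a sub-interface of GigabitEthernet0/1.
    """
    header = re.compile(r"^interface %s\.(\d+)\s*$" % re.escape(parent))
    subifs, current = {}, None
    for line in config.splitlines():
        m = header.match(line)
        if m:
            current = subifs.setdefault(int(m.group(1)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line)      # indented line belongs to the open block
        else:
            current = None            # any other line closes the block
    return subifs


def routes_via(config, ifname):
    """Static routes whose exit interface is exactly `ifname` (token match)."""
    return [line for line in config.splitlines()
            if line.startswith("ip route ") and ifname in line.split()]


def build_migration(config, old_parent, new_parent):
    """Emit the incremental configuration, one sub-interface at a time."""
    out = []
    for unit, body in sorted(parse_subinterfaces(config, old_parent).items()):
        old, new = f"{old_parent}.{unit}", f"{new_parent}.{unit}"
        routes = routes_via(config, old)
        out += [f"no {r}" for r in routes]        # 1. remove dependent routes
        out.append(f"no interface {old}")         # 2. remove old sub-interface
        out.append(f"interface {new}")            # 3. recreate under new parent
        out += body                               #    same body, same order
        out.append("exit")
        out += [" ".join(new if tok == old else tok for tok in r.split())
                for r in routes]                  # 4. restore routes, renamed
    return out


if __name__ == "__main__":
    print("\n".join(build_migration(SAMPLE_CONFIG,
                                    "GigabitEthernet0/1", "Port-channel1")))
```

Diffing the generated lines against the running configuration before pasting them is a cheap check that only the interface names changed.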


Re: [c-nsp] Help Cisco IOS XR 9001

2020-09-23 Thread Aaron
CPP is the other issue.
ex
control-plane
 management-plane
  inband
   interface hundred-gige0/1/1
   allow SSH
   allow blah


On Wed, Sep 23, 2020 at 12:51 PM Ted Pelas Johansson 
wrote:

> Regarding isis, it looks like you have MTU mismatch since you configured
> 1600 byte on both platforms.
>
> IOS/XE doesn't count the Ethernet header (1600) while XR/JunOS does (1614).
>
> You also need to add the interface under `mpls ldp`.
>
> Sent from my Phone
>
> > On 23 Sep 2020, at 17:25, Olivier CALVANO  wrote:
> >
> > Hello,
> >
> > I am asking you for a little help, I just got an ASR9001 router and I am
> a
> > little confused with the IOS XR completely different from my ASR1001.
> >
> > 1- First problem, ISIS seems not to work
> >
> > on my ASR1001X I have:
> > interface TenGigabitEthernet7/1
> > mtu 1600
> > ip address 192.168.1.1 255.255.255.252
> > ip router isis
> > mpls label protocol ldp
> > mpls ip
> >
> > router isis
> > net 49.0001...0450.00
> > is-type level-2-only
> > metric-style wide
> > redistribute connected
> > !
> > address-family ipv6
> >  multi-topology
> >  redistribute connected
> >  redistribute static
> > exit-address-family
> >
> > connected on this port, I have the ASR9001 with in conf:
> >
> > interface TenGigE0/0/2/0
> > mtu 1600
> > ipv4 address 192.168.1.2 255.255.255.252
> >
> > router isis WanCmp
> > is-type level-2-only
> > net 49.0001...0452.00
> > address-family ipv6 unicast
> > !
> > interface TenGigE0/0/2/0
> >  address-family ipv4 unicast
> >  !
> > !
> > !
> >
> >
> > but when i put sh isis topo
> > Wed Sep 23 07:45:50.378 UTC
> >
> > IS-IS phibee paths to IPv4 Unicast (Level-2) routers
> > System Id   Metric  Next-HopInterface   SNPA
> > ASR9001  --
> >
> > Anyone have a idea of the problems ?
> >
> >
> > 2- SSH/Telnet access to the router
> >
> > currently I have to connect the ASR9001 router via the MgmtEth0 / RSP0 /
> > CPU0 / 0 port to access it.
> >
> > Unable to go through the wan classic TenGigE0 / 0/2/0 interface
> >
> > in my configuration, i have:
> >
> > telnet vrf default ipv4 server max-servers 10
> >
> > line console
> > exec-timeout 1440 0
> > escape-character 0x5a
> > session-limit 10
> > disconnect-character 0x59
> > session-timeout 100
> > transport input telnet ssh
> > transport output telnet ssh
> > transport preferred none
> > !
> > line default
> > exec-timeout 1440 0
> > access-class ingress admin-nets
> > transport input all
> > transport output telnet ssh
> > transport preferred none
> >
> > vty-pool default 0 5 line-template default
> > control-plane
> > management-plane
> >  out-of-band
> >   interface TenGigE0/0/2/0
> >allow SSH peer
> > address ipv4 192.168.0.0/21
> >!
> >allow Telnet peer
> > address ipv4 192.168.0.0/21
> >!
> >
> >
> > ssh server v2
> > ssh server vrf default
> > ssh server vrf Mgmt-intf
> > end
> >
> >
> > if i want connect on wan interface, i have all time a connexion refused
> >
> >
> >
> >
> >
> > thanks for your help
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
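
The `control-plane` / `management-plane` stanza discussed in this message decides which interfaces accept SSH and Telnet, so it is worth checking mechanically. The following is an added Python example, not code from the thread: it parses a constructed, properly indented IOS XR fragment modelled on the quoted configuration and reports what each interface allows. The rule that only interfaces named `MgmtEth...` belong under `out-of-band` is an assumption of this example, as are the function names and the second interface.

```python
import ipaddress

# Constructed IOS XR fragment modelled on the configuration quoted above.
SAMPLE_CONFIG = """\
hostname lab-asr9001
!
control-plane
 management-plane
  out-of-band
   interface TenGigE0/0/2/0
    allow SSH peer
     address ipv4 192.168.0.0/21
    !
    allow Telnet peer
     address ipv4 192.168.0.0/21
    !
   !
  !
  inband
   interface TenGigE0/0/2/1
    allow SSH
   !
  !
 !
!
ssh server v2
"""


def parse_mpp(config):
    """Return one dict per 'allow' rule found in the management-plane stanza."""
    rules, in_cp = [], False
    plane = iface = rule = None
    for raw in config.splitlines():
        if not in_cp:
            in_cp = raw.rstrip() == "control-plane"
            continue
        if raw and not raw[0].isspace():
            break                      # first unindented line closes the stanza
        words = raw.split()
        if words in (["inband"], ["out-of-band"]):
            plane, iface, rule = words[0], None, None
        elif words[:1] == ["interface"] and plane and len(words) > 1:
            iface, rule = words[1], None
        elif words[:1] == ["allow"] and iface and len(words) > 1:
            rule = {"plane": plane, "interface": iface,
                    "protocol": words[1].lower(), "peers": []}
            rules.append(rule)
        elif words[:1] == ["address"] and rule and len(words) > 2:
            # 'address ipv4 <host or prefix>' narrows the rule to these peers
            rule["peers"].append(ipaddress.ip_network(words[2], strict=False))
    return rules


def audit(rules, mgmt_prefix="MgmtEth"):
    """Flag rules a reviewer would question. mgmt_prefix is an assumption."""
    findings = []
    for r in rules:
        where = f"{r['plane']} {r['interface']} allow {r['protocol']}"
        if r["plane"] == "out-of-band" and not r["interface"].startswith(mgmt_prefix):
            findings.append((where, "non-management interface under out-of-band"))
        if r["protocol"] in ("telnet", "all"):
            findings.append((where, "cleartext or catch-all protocol allowed"))
        if not r["peers"]:
            findings.append((where, "no peer address restriction"))
    return findings


if __name__ == "__main__":
    for where, why in audit(parse_mpp(SAMPLE_CONFIG)):
        print(f"{where}: {why}")
```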


Re: [c-nsp] Question about 9410R interface naming

2020-09-11 Thread Aaron
i am doing some automation on that platform and just realized that week



On Thursday, September 10, 2020, Nick Cutting  wrote:

> Nexus has it right - everything is "E"
>
>
> From: cisco-nsp  On Behalf Of
> aar...@gvtc.com
> Sent: Thursday, September 10, 2020 5:58 PM
> To: 'Nick Hilliard' 
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Question about 9410R interface naming
>
> This message originates from outside of your organisation.
>
> Juniper was good with port id's until the MX204 :)
>
> Now XE doesn't always mean 10 gig
>
> set interfaces xe-0/1/4 gigether-options speed 1g
>
> agould@dallas-204-1> show interfaces xe-0/1/4 | grep speed
> Link-level type: Flexible-Ethernet, MTU: 9216, MRU: 9224, LAN-PHY mode,
> Speed: 10Gbps, BPDU Error: None,
> Speed Configuration: 1G
>
> -aaron
>
>


Re: [c-nsp] Question about 9410R interface naming

2020-09-10 Thread Childs, Aaron
Good Morning Drew,

They are TenGigabitethernet Interfaces:

Port        Name    Status      Vlan    Duplex  Speed   Type
Te10/0/44           connected   xxx     a-full  a-1000  100/1000/2.5G/5G/10GBaseTX

Have a good day,
Aaron

Aaron Childs   Director
Infrastructure Services 
Information Technology Services
Wilson Hall - 577 Western Ave. Westfield MA 01086
P  413.572.5527   F 413.572.5615
aa...@westfield.ma.edu


-Original Message-
From: cisco-nsp  On Behalf Of Drew Weaver
Sent: Thursday, September 10, 2020 11:03 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Question about 9410R interface naming

Caution External Email: This email originated outside of WSU. Do not click 
links, open attachments, or respond if it appears to be suspicious.

Hi,

I have a quirky question about the 9410's Interface naming/numbering.

These switches appear to support 1G 2.5G, 5G and 10G interfaces.

Do the names of the interfaces change depending on the speed?

Is it ethernet1/1/1 no matter what? Or does it change to GigabitEthernet1/1/1 
or TenGigabitEthernet1/1/1 depending on how it's configured?

If anyone knows I would appreciate it.

Thanks,
-Drew



Re: [c-nsp] Core - distrubution

2020-09-09 Thread Aaron
use ipv6

On Wednesday, September 9, 2020, harbor235  wrote:

> How are you IP'ng your connector networks between core and distribution?
> Public space or private? I do not like the potential overlap with
> management networks and I cannot DNS mike connector networks making my
> traceroutes look pretty.
>
> I also like loopbacks publicly routable as well? Some organizations use
> RFC1918 netblocks for connector networks and loopbacks, is it just
> preference or am I missing other reasons not to use 1918?
>
> Mike


Re: [c-nsp] Upgrading NXOS

2020-09-02 Thread Aaron
good luck

On Wednesday, September 2, 2020, Drew Weaver  wrote:

> Nevermind, I think I found it.
>
> There is a tiny tmp partition called /nxos/tmp that is full.
>
> Thanks anyway,
> -Drew
>
>
> -Original Message-
> From: cisco-nsp  On Behalf Of Drew
> Weaver
> Sent: Wednesday, September 2, 2020 1:58 PM
> To: 'Aaron' 
> Cc: 'cisco-nsp@puck.nether.net' 
> Subject: Re: [c-nsp] Upgrading NXOS
>
> Howdy and thanks for replying.
>
> So the switch is running 7.0(3)I1(3)
> According to docs:
>
> Upgrading from Cisco NX-OS Release 7.0(3)1(2), Release 7.0(3)I1(3), or
> Release 7.0(3)I1(3a), requires installing a patch for Cisco Nexus 9500
> platform switches only. For more information on the upgrade patch, see
> Patch Upgrade Instructions.
>
> So I tried to install the two patches that are needed to upgrade
> 7.0(3)I1(3) which are:
>
> CSCuy16604
> CSCuy16606
>
> NXLAB# install activate n9000-dk9.7.0.3.I1.3.CSCuy16604.bin
> Install operation 26 failed because there was no space left on device
>
> I have no idea which device it is saying has no space.
>
> NXLAB# dir | i free
> 229980663808 bytes free
>
> NXLAB# dir volatile: | i free
>   629145600 bytes free
>
> Any clue?
>
> From: Aaron 
> Sent: Wednesday, September 2, 2020 11:37 AM
> To: Drew Weaver 
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Upgrading NXOS
>
> Check to see if you have to upgrade to an intermediate version first.
> There was an issue that would brick the switch if you tried to go straight
> to the latest version.
>
> On Wed, Sep 2, 2020 at 8:54 AM Drew Weaver <drew.wea...@thenap.com> wrote:
> Hello,
>
> Current version: 7.0(3)I1(3)
>
> Upgrading a 9508:
>
> Checked for errata and it said something about bios upgrades failing due
> to the bootrom monitoring so I set this:
>
> diagnostic monitor interval module 1 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 2 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 3 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 1 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 2 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 3 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 27 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 28 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 27 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 28 test SecondaryBootROM hour 23 min 59 second 59
>
> Issue this command:
>
> install all nxos nxos.7.0.3.I4.8z.bin
>
> goes through the process and gets to BIOS update part:
>
> Module 1: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [] 100% -- SUCCESS
>
> Module 2: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [#   ]   0% -- FAIL.
> Return code 0x4071000C (BIOS erase failed).
> CAUTION: The BIOS/loader/bootrom of above module may be in corrupted
> state. Please try programming it again and DO NOT reboot without
> programming it successfully, otherwise you have to manually take out the
> flash from the card and program it in a BIOS programming station.
>
> Resetting boot variables. Please wait.
>
> Install has failed. Return code 0x40930015 (Pre-upgrade of a module
> failed).
> Please identify the cause of the failure, and try 'install all' again.
>
> I've tried it a few times and it always fails.
>
> Any way to manually try to update the bios outside of the install all
> process or am I doing this incorrectly to begin with?
>
> I have read some instructions that say you just set the new .bin file as
> the boot parameter and reboot it and it magically takes care of everything.
> Then the other instructions I read say don't do that in case the bios
> upgrade fails while it's rebooting.
>
> Thanks if anyone has run into this before. May just scrap this thing.


Re: [c-nsp] Upgrading NXOS

2020-09-02 Thread Aaron
Check to see if you have to upgrade to an intermediate version first. There
was an issue that would brick the switch if you tried to go straight to the
latest version.

On Wed, Sep 2, 2020 at 8:54 AM Drew Weaver  wrote:

> Hello,
>
> Current version: 7.0(3)I1(3)
>
> Upgrading a 9508:
>
> Checked for errata and it said something about bios upgrades failing due
> to the bootrom monitoring so I set this:
>
> diagnostic monitor interval module 1 test PrimaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 2 test PrimaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 3 test PrimaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 1 test SecondaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 2 test SecondaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 3 test SecondaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 27 test PrimaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 28 test PrimaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 27 test SecondaryBootROM hour 23 min 59
> second 59
> diagnostic monitor interval module 28 test SecondaryBootROM hour 23 min 59
> second 59
>
> Issue this command:
>
> install all nxos nxos.7.0.3.I4.8z.bin
>
> goes through the process and gets to BIOS update part:
>
> Module 1: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [] 100% -- SUCCESS
>
> Module 2: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [#   ]   0% -- FAIL.
> Return code 0x4071000C (BIOS erase failed).
> CAUTION: The BIOS/loader/bootrom of above module may be in corrupted
> state. Please try programming it again and DO NOT reboot without
> programming it successfully, otherwise you have to manually take out the
> flash from the card and program it in a BIOS programming station.
>
> Resetting boot variables. Please wait.
>
> Install has failed. Return code 0x40930015 (Pre-upgrade of a module
> failed).
> Please identify the cause of the failure, and try 'install all' again.
>
> I've tried it a few times and it always fails.
>
> Any way to manually try to update the bios outside of the install all
> process or am I doing this incorrectly to begin with?
>
> I have read some instructions that say you just set the new .bin file as
> the boot parameter and reboot it and it magically takes care of everything.
> Then the other instructions I read say don't do that in case the bios
> upgrade fails while it's rebooting.
>
> Thanks if anyone has run into this before. May just scrap this thing.


[c-nsp] GLC-T on 9500-32C - 17.x IOS-XE

2020-08-14 Thread Aaron DuShey
Having an issue where GLC-T's aren't working on 17.x trains on 9500-32C. They 
show as recognized under a 'sh int status', and the remote device will link, 
but the 9k side has no link. Tried hard-coding but still no joy. They do work 
on 16.12 without any special configuration. It is showing it as compatible in 
the (of questionable reliability) optics compatibility matrix [1]. We are using 
FS QSFP adapters which work fine with 10/1G fiber based optics.

We've opened a case with TAC, but am curious if any of you have flavors of 
GLC-T's that are working on 17.x code or any related feedback.
Thanks in advance,
Aaron

1. https://tmgmatrix.cisco.com/?npid=193


Re: [c-nsp] BGP Maximum Prefix limit on Edge routers

2020-08-11 Thread Aaron
Absolutely. Make sure to add enough overhead, 25%, so you do not keep
getting warning messages in the logs.
These are the defaults for XR

To prevent a peer from flooding BGP with advertisements, a limit is
placed on the number of prefixes that are accepted from a peer for
each supported address family. The default limits can be overridden
through configuration of the maximum-prefix limit command for the peer
for the appropriate address family. The following default limits are
used if the user does not configure the maximum number of prefixes for
the address family:

IPv4 Unicast: 1048576
IPv4 Labeled-unicast: 131072
IPv4 Tunnel: 1048576
IPv6 Unicast: 524288
IPv6 Labeled-unicast: 131072
IPv4 Multicast: 131072
IPv6 Multicast: 131072
IPv4 MVPN: 2097152
VPNv4 Unicast: 2097152
IPv4 MDT: 131072
VPNv6 Unicast: 1048576
L2VPN EVPN: 2097152


On Tue, Aug 11, 2020 at 9:20 AM Curtis Piehler  wrote:

> Yes this is a common practice to follow for extra security measures.  In
> the off chance a provider starts flooding your network with more than what
> is required it will safeguard your network.  You can set a slightly higher
> warning threshold.  Usually more prevalent in MPLS environments as there
> are more memory constraints on carrying Internet routes in multiple VRFs
> could be detrimental to memory.  Unlikely it would happen but always need
> to think of better ways to safeguard your network.  For as long as humans
> are in existence there will always be room for error.
>
> On Tue, Aug 11, 2020, 9:09 AM Yham  wrote:
>
> > Hello Gentlemen,
> >
> > I wanted to ask if this is common practice to apply Maximum prefix limit
> on
> > BGP neighborship with Internet providers from where you are getting the
> > entire routing table. I know its consider a best practice but want to
> know
> > if its also common.
> > If yes, what would be the max limit of routes? Google search tells me
> that
> > the size of the routing table today is approx 800K prefixes
> >
> > Thanks


Re: [c-nsp] Rehosting a perpetual CSR1000V license

2020-07-21 Thread Aaron
I'm gonna hate when Flash is EOL. We have servers that use that GUI thing.
I agree, I hate it too.
I don't want to throw out a decent server just because flash no longer
works. I hope Adobe don't have a programmed kill switch.

On Tue, Jul 21, 2020 at 1:21 PM Mark Tinka  wrote:

>
>
> On 21/Jul/20 18:54, joe mcguckin wrote:
> > We don’t buy anything that can’t be managed with a serial connection.
> That means no fancy web based guis.
>
> iLO on servers is pretty reliable. It has helped us out plenty times.
>
>
> >  Licensing is in the same category… A piece of equipment has to do
> something extraordinary before we’d consider purchasing it, if it
> implements some sort of license key scheme.  We’ve purchased Juniper M
> series routers in the past and were extremely happy with them (Hey! They
> actually did what Juniper said they would do without 2 or 3 rounds of
> hardware upgrades), but I was initially put off because there are license
> keys embedded in the base software. Then I realized that when the keys
> expired in 10 years, the boxes would be in the landfill by that time...
>
> Well, pretty much everything shipping these days either has or can be
> deployed by license.
>
> It is the key way for vendors to implement the same silicon across a
> myriad of platforms, without "losing" money.
>
> Mark.
>


Re: [c-nsp] Rehosting a perpetual CSR1000V license

2020-07-21 Thread Aaron
ethernet console should be on the list.

On Tue, Jul 21, 2020 at 1:01 PM joe mcguckin  wrote:

> We don’t buy anything that can’t be managed with a serial connection. That
> means no fancy web based guis. Licensing is in the same category… A piece
> of equipment has to do something extraordinary before we’d consider
> purchasing it, if it implements some sort of license key scheme.  We’ve
> purchased Juniper M series routers in the past and were extremely happy
> with them (Hey! They actually did what Juniper said they would do without 2
> or 3 rounds of hardware upgrades), but I was initially put off because
> there are license keys embedded in the base software. Then I realized that
> when the keys expired in 10 years, the boxes would be in the landfill by
> that time...
>
> Joe
>
>
> Joe McGuckin
> ViaNet Communications
>
> j...@via.net
> 650-207-0372 cell
> 650-213-1302 office
> 650-969-2124 fax
>
>
>
> > On Jul 21, 2020, at 8:44 AM, Mark Tinka  wrote:
> >
> >
> >
> > On 21/Jul/20 17:34, Seth Mattinen wrote:
> >
> >>
> >>
> >> Someone jumped in and sent me an updated license. As far as why it
> >> can't be done online, I'm not sure. I haven't tried to rehost anything
> >> in a while.
> >
> > The joy of when things just work :-).
> >
> > We had to because we had some boxes fail in that period. Fair point, the
> > servers had been nearly 7 years old, so can't blame them.
> >
> > Nonetheless, glad you're back up and running.
> >
> > Mark.


Re: [c-nsp] TE FRR vs PATH OPTION PROTECTION

2020-06-12 Thread Aaron
I've done FRR with success.

On Fri, Jun 12, 2020 at 8:20 AM emmanuel manoni 
wrote:

> Hi experts,
>
> I'm trying to deploy MPLS TE tunnel protection method with as minimal
> switchover time as possible, which one between TE FRR and Path Option
> should I choose and why? If I deploy both of them, what are pros and cons if
> there are any?
>
> Thanks in advance
>
> Regards,
> Emmanuel


Re: [c-nsp] IOS-XR IS-IS authentication

2020-06-03 Thread Aaron
I believe the OP was about interop between cisco and juniper using
key-chains.

On Wed, Jun 3, 2020 at 1:56 AM Phil Bedard  wrote:

> There shouldn't be an issue using keychains for these functions, I have XR
> and XE devices running IS-IS between each other with keychains on both
> without an issue.
>
> One thing to always watch out for is inadvertent spaces after you type in
> a clear text password.
>
> Thanks,
> Phil
>
> On 5/28/20, 3:44 AM, "cisco-nsp on behalf of Mark Tinka" <
> cisco-nsp-boun...@puck.nether.net on behalf of mark.ti...@seacom.mu>
> wrote:
>
>
>
> On 27/May/20 21:08, Eric Van Tol wrote:
> > Unless I get suggestions otherwise, I suppose I'll just not use
> keys, which seems prohibitive, particularly if a password needs changing at
> some point. The 'lsp-password' without a key chain seems to work just fine.
> :-/
>
> In IOS and IOS XE, we use key chains.
>
> In IOS XR, we use "lsp-password hmac-md5" at the "router isis" level,
> and "hello-password hmac-md5" at the "router isis 1 interface" level.
>
> Mark.


Re: [c-nsp] ASR9001 BGP scaling and memory shortage

2020-05-20 Thread Aaron
eXR is Linux based 64 bit vs classic XR which is the 32 bit qnx kernel.
Some releases have both

On Wednesday, May 20, 2020, Drew Weaver  wrote:

> Slightly unrelated to this thread but also sort of related.
>
> Did anyone else notice that this file appears in the ASR9001 IOS XR file
> list now?
>
> asr9k-9000v-nV-x64-1.0.0.0-r702.x86_64.rpm
>
> I was under the impression that ASR 9001 couldn't run x86_64 software and
> also... why is it an RPM rather than a tar?
>
>
>
> -Original Message-
> From: cisco-nsp  On Behalf Of Alexandr
> Gurbo
> Sent: Wednesday, May 20, 2020 3:32 AM
> To: Vladimir Troitskiy 
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASR9001 BGP scaling and memory shortage
>
>
> All in GRT, 3 full tables, 2 big IX, couple private peers. No MPLS, only
> routing.
>
> On Wed, 20 May 2020 11:44:05 +0500
> Vladimir Troitskiy  wrote:
>
> > Hello Alexandr,
> >
> > Thank you for your input! We are using IOS XR 5.3.4 and 6.1.4 - no
> > significant difference in memory consumption between them.
> > How many peers/routes do you have on this box? Are those peers
> > configured in a GRT or in a VRF?
> >
> > Wed, 20 May 2020 at 11:17, Alexandr Gurbo :
> >
> > > Hello Vladimir,
> > >
> > > What version IOS XR are you using?
> > > We don't have problems with FIB inconsistency. IOS XR 6.6.3.
> > >
> > > #show processes memory detail location 0/RSP0/CPU0
> > > Wed May 20 09:09:23.240 MSK
> > > JID    Text   Data   Stack  Dynamic  Dyn-Limit  Shm-Tot  Phy-Tot  Process
> > > -----  -----  -----  -----  -------  ---------  -------  -------  -------
> > > 1087   1M     10M    624K   818M     1658M      218M     829M     bgp
> > >
> > > #show memory summary location 0/0/CPU0
> > > Wed May 20 09:10:34.206 MSK
> > > node:  node0_0_CPU0
> > > --
> > > Physical Memory: 8192M total
> > >  Application Memory : 7985M (4258M available)
> > >  Image: 78M (bootram: 78M)
> > >  Reserved: 128M, IOMem: 0, flashfsys: 0  Total shared window: 495M
> > >
> > > --
> > > Alexandr Gurbo 
> > >
> > --
> > Best regards,
> > Vladimir Troitsky
>
>
> --
> Alexandr Gurbo 


Re: [c-nsp] RSVP-TE (MPLS-TE) and LDP question

2020-05-11 Thread Aaron Gould
Thanks James for the confirmation as that's precisely what I'm seeing.
Would be nice to see a link to a cisco document or someone out there online
that speaks to this 

-Aaron

-Original Message-
From: James Jun [mailto:ja...@towardex.com] 
Sent: Monday, May 11, 2020 3:26 PM
To: Aaron Gould
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RSVP-TE (MPLS-TE) and LDP question

On Mon, May 11, 2020 at 01:02:23PM -0500, Aaron Gould wrote:
> Seems that when I try to use RSVP in place of LDP for label distribution, I
> cannot completely remove mpls ldp configs from IOS XR, but I can from IOS XE

It's an implementation 'bug' on IOS XR.

If you have L3VPN type service (also affects labeled-ucast, including 6PE),
you *must*
have 'mpls ldp' and router-id configured at minimum, even if you are not
using any LDP
adjacency whatsoever.  I believe ldp process needs to run to allocate labels
for l3vpn,
even if you do not use LDP transport.

So, just leave 'mpls ldp' and router-id configured below it.  As long as you
don't 
have LDP adjacencies defined, and there are no LDP tunnels configured, you
won't have
any LDP in use.

P routers are not affected, as they do not need to allocate labels for VPN
services.


James



[c-nsp] RSVP-TE (MPLS-TE) and LDP question

2020-05-11 Thread Aaron Gould
Seems that when I try to use RSVP in place of LDP for label distribution, I
cannot completely remove mpls ldp configs from IOS XR, but I can from IOS XE

On an RSVP-TE Tunnel headend, I have...

IOS XR (XRv9000)

mpls ldp
router-id 10.0.0.11

...and if I remove that with "no mpls ldp" I lose connectivity to the MPLS
L3VPN that is also on that PE

But... in IOS XE (csr1000v) I have...

mpls ldp router-id lo0 force

...and if I remove that with "no mpls ldp router-id Loopback0" (and also
remove "mpls ip" from the pe---p uplink) I am still good to the MPLS L3VPN
that is also on that PE

I don't understand what is going on with this minimal ldp config in IOS XR
that causes L3VPN to no longer work after I remove that small config shown
above.

As a side note, I can remove that ldp config from XR p core nodes... Just not
XR pe nodes

...furthermore, I think since I have that ldp config in my PE's, I have LFIB
"Unlabelled" entries in my PE, I guess since I have no LDP config in the
transit P nodes.  But in XE since I can remove that ldp config I no longer
have Unlabelled lfib entries and a nice clean lfib with only the L3vpn
aggregate label

-Aaron



[c-nsp] virtual routers - L2-type vpn's

2020-05-08 Thread Aaron Gould
Using csr1000v in EVE-NG, yesterday I was able to do mp2mp vpls (rfc4761 bgp
ad, bgp sig) using (3) csr1000v routers and it all worked, control plane
*and* data plane, all CE's behind the csr1000v pe's could ping each other.
(i test rfc4762 bgp ad, ldp sig, but only with 2 csr1000v and it worked... i
may go back and add in a third csr1000v later).

but, my question and problem was...  XRv would not pass traffic in those vpls
tests.  control plane would work, configs would commit, and neighbor
pseudowires would even go UP and establish to the other pe's (csr1000v's)
BUT, i got nasty traceback errors on XRv and data plane would not pass
traffic.

Has anyone been successful in getting VPLS to work in XRv ?

What about EVPN in XRv?  ...does EVPN/MPLS forwarding work in XRv?

Traceback errors I got on XRv following the commit of the VPLS config...

RP/0/RP0/CPU0:May  7 22:03:47.917 : fib_mgr[224]: %MGBL-DPC-2-SW_ERR :
Failed to configure l2vpn_ldi (Invalid DPA id 17)  : fib_mgr : (PID=4352) :
-Traceback= 7f60faf970ca 7f60fafb5582 7f6105a1a270 7f6105a27740 7f6105a28a70
7f61186492f5 7f6118486919 7f6118484064 7f61244fcec8 7f61244fefe9 5ebe3a
5f9054 5fb5d8 605062 6fe214 538d69

RP/0/RP0/CPU0:May  7 22:03:47.917 : fib_mgr[224]:
%ROUTING-FIB-3-PLATF_UPD_FAIL : FIB platform update failed:
Obj=DATA_TYPE_LOADINFO[ptr=0x114a949f8,refc=0x1,flags=0x80c441]
Action=MODIFY Proto=ipv4. Cerr='dpc_rm_svr' detected the 'warning' condition
'Internal invalid parameter found.'  : fib_mgr : (PID=4352) :  -Traceback=
7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000
68a9fc 68adf8 43c59a 7f61229daa21 7f61229ebb6e 42376e

RP/0/RP0/CPU0:May  7 22:03:47.918 : fib_mgr[224]: %ROUTING-FIB-3-PD_FAIL :
FIB platform error: fib_ldi_platform_update 2077: PD action MODIFY failed
for passed_ldi 0x114a949f8 type DATA_TYPE_LOADINFO flags 0x80c441. Shared
LDI 0x114a949f8 num_slots 1 num_buckets 1 depth 2 ldi type 1 ldi protocol
mpls flags 0x80c441  : 0x4b88b400 'dpc_rm_svr' detected the 'warning'
condition 'Internal invalid parameter found.'   : fib_mgr : (PID=4352) :
-Traceback= 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc
68adf8 43c59a 7f6122(TRUNCATED)

-Aaron



Re: [c-nsp] Cisco ONS15454 MSPP controller upgrades

2020-04-18 Thread Aaron
have you looked at the ncs software/docs

On Saturday, April 18, 2020, Curtis Piehler  wrote:

> Is there any good documentation online of upgrading the software on the
> ONS15454 platform?  (MSPP, not MSTP).  I know this platform is way end of
> life but unfortunately optical MUX's will just run until they are decom'd
> usually.  The current MSPPs are managed via a CTC over a ring topology.
>
> Thanks


Re: [c-nsp] [External] SDx open standard?

2020-03-26 Thread Aaron Gould
Yeah, while certifying for mef-cecp, you gain an appreciation for their
purpose in that space at least.  (they do have other certifications).  Lots
of focus on functions and standards that exist at UNI's, ENNI's, services
in between, etc.

MEF has 3 scopes of certifications...
-Services - you as a SP can actually work with MEF (IOMETRIX) and get your
network actually stamped and certified by MEF
-Gear - vendors submit their equipment to MEF for testing (possibly onsite
at vendor location) for proving out standard MEF-type service (ELINE, ELAN,
ETREE, EACCESS, etc) and gain MEF stamp of approval
-Professional - like MEF-CECP, etc, people can get career certifications

I recall they started with MEF, then MEF 2.0, now MEF 3.0

https://www.mef.net/certification/mef-certification-programs


-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
adamv0...@netconsultings.com
Sent: Thursday, March 26, 2020 12:00 PM
To: sth...@nethelp.no; t...@pelican.org
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External] SDx open standard?



> sth...@nethelp.no
> Sent: Thursday, March 26, 2020 3:42 PM
> 
> >>> I spent 10 min browsing MEF web site and still do not know what "MEF"
> >>> stands for ... Looks to me like yet one more  commercial entity to
> >>> drain a little bit of cash out of the vendors while perhaps help
> >>> with marketing and sales a bit.
> >>
> >> Metro Ethernet Forum. They've been around for a while.
> >>
> >
> > In fairness, that term is almost entirely absent from the web site, as
> > far as I can see.
> >
> > Is it an expansion that's been deliberately dropped in the face of
> > expanding to work on SDN, NDV, et al beyond their original Metro Ethernet
> > scope?  And now MEF is just MEF?
> 
> No idea. But it sure *sounds* like rather significant scope creep.
> 
How I view MEF is in their role of facilitator/mediator for inter-operator
standards. 
Their original work on Metro Ethernet standards and network certification
was very helpful for the industry (certainly some ~8 years back when ME was
blooming and everyone was jumping the bandwagon).
Now with the hype around SDN NFV and automation of service provisioning they
seem like a natural choice of existing body for mediating
inter-operator/provider standards (work on LSO...) they have stellar
materials on NFV and SDN I recommend everyone to read in order to fill in
the gaps and unite our dictionary (same like for the ME dictionary)
And recently they are doing similar thing for SD-WAN...

adam



Re: [c-nsp] [External] SDx open standard?

2020-03-26 Thread Aaron Gould
Perhaps that, and also, I think they may be substituting that term "mef" for
"ce" more recently.  perhaps to imply that its capabilities are now
beyond the "metro" and extend into "carrier" space and beyond.  Trying to
make some educated guesses/recollections.

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
t...@pelican.org
Sent: Thursday, March 26, 2020 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External] SDx open standard?

On Thursday, 26 March, 2020 15:15, sth...@nethelp.no said:

>> I spent 10 min browsing MEF web site and still do not know what "MEF"
>> stands for ... Looks to me like yet one more  commercial entity to drain a
>> little bit of cash out of the vendors while perhaps help with marketing and
>> sales a bit.
> 
> Metro Ethernet Forum. They've been around for a while.
> 

In fairness, that term is almost entirely absent from the web site, as far
as I can see.

Is it an expansion that's been deliberately dropped in the face of expanding
to work on SDN, NDV, et al beyond their original Metro Ethernet scope?  And
now MEF is just MEF?

Regards,
Tim.



Re: [c-nsp] [External Email] Re: big uptime - what you got ?

2020-02-10 Thread Aaron
I'm sure there is a 2511 somewhere that beats all of these.

On Mon, Feb 10, 2020 at 2:35 PM  wrote:

> >> cisco LS1010 (R4600) processor with 65536K bytes of memory.
> >
> > It was just matter of time until someone shows up with LS1010 :)
> >
> > (Un)fortunately our LS1010s are long gone but the uptimes were 12+
> > years on many of them.
>
> Darn, I had done my best to try to forget everything related to the
> number 53 :-)
>
> But yeah, we had LS1010 too, at a previous employer.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: [c-nsp] [External Email] Re: big uptime - what you got ?

2020-02-10 Thread Aaron Gould
Oh my gosh a friggin lightstream 1010 up almost 17 years!  That's about as
long as atm has been dead.  Lol

You gotta tell me for reals if you still have cells going through that box ?

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex
D.
Sent: Monday, February 10, 2020 1:15 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External Email] Re: big uptime - what you got ?

Cisco Internetwork Operating System Software
IOS (tm) LS1010 WA4-5 Software (LS1010-WPK2-M), Version 12.1(12c)EY,
EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 02-Aug-02 09:13 by eaarmas
Image text-base: 0x60010958, data-base: 0x60F9A000

ROM: System Bootstrap, Version 11.2(1.4.WA3.0) [integ 1.4.WA3.0],
RELEASE SOFTWARE
ROM: LS1010 WA4-5 Software (LS1010-WPK2-M), Version 12.1(12c)EY, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)

atm-03 uptime is 16 years, 43 weeks, 3 days, 8 hours, 34 minutes
System returned to ROM by power-on
System restarted at 12:11:39 MEZ Wed Apr 16 2003
System image file is "bootflash:ls1010-wpk2-mz.121-12c.EY.bin"

cisco LS1010 (R4600) processor with 65536K bytes of memory.



Re: [c-nsp] big uptime - what you got ?

2020-02-10 Thread Aaron Gould
Ha, wow, Sascha holds first place !

...uptime is 14 years, 48 weeks, 4 days, 22 hours, 18 minutes

My gosh, up since 2005 !

-Aaron





Re: [c-nsp] big uptime - what you got ?

2020-02-10 Thread Aaron Gould
Non-believers I say, non-believers, lol

Jk, thanks, hey could be a bug, doubt it though

-Aaron




Re: [c-nsp] big uptime - what you got ?

2020-02-10 Thread Aaron Gould
What, and have to reset that uptime counter, never!  Lol

Dude it's bridging eth frames just fine, why would i

-Aaron




[c-nsp] big uptime - what you got ?

2020-02-10 Thread Aaron Gould
Holy cow!  Beat that

dsw2-4503#sh ver | in uptime
dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes

dsw2-4503#sh ver | in IOS
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M),
Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)

-Aaron



[c-nsp] question with adj-rib-out and policy engine order and show commands

2020-02-09 Thread Aaron Gould
Question with adj-rib-out and policy engines.  I've looked at bassam halabi's
explanation in inet routing archs, googles, etc, etc.

Is "show ip bgp neighbor 1.2.3.2 advertised-routes" PRE-outbound-policy or
POST-outbound-policy?

someone please explain why I see r1 "show ip bgp neighbor 1.2.3.2
advertised-routes" showing metric 2, but I see on r2 that it rcv's it changed
as planned to metric 17.

My question is really just about why I see metric 2 on advertise-route route
of r1, when I know it's getting set to metric 17.  Why don't I see what the
policy is changing it to on the sending router, r1 ?

I tried to only include pertinent info to keep this short and to the point.

*** R1... Sending an advertisement...

r1#sh ip bgp neighbors 1.2.3.2 advertised-routes | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.2.1/32      10.0.1.1                 2         32768 ?

r1#sh run | sec router bgp
router bgp 123
...
neighbor 1.2.3.2 route-map my-routemap-xmit out

route-map my-routemap-xmit, permit, sequence 10
ip address prefix-lists: my-prefixlist-out
  Set clauses:
metric 17

r1#sh ip prefix-list
   seq 1 permit 10.0.2.1/32

*** R2... Receiving that advertisement correctly as altered Metric 17

r2#sh ip bgp neighbors 1.2.3.1 routes | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.2.1/32      1.2.3.1                 17             0 123 ?

Total number of prefixes 1
r2#
r2#sh ip ro bgp
 10.0.0.0/32 is subnetted, 1 subnets
B   10.0.2.1 [20/17] via 1.2.3.1, 09:40:38

-Aaron



Re: [c-nsp] show isis neighbors - system id shown

2020-02-02 Thread Aaron Gould
Thanks y'all

-Aaron




[c-nsp] show isis neighbors - system id shown

2020-02-02 Thread Aaron Gould
funny, for a moment there it actually displayed the sys id of r1 instead of
the word "r1"

is there a reason why ?

r2#sh isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
..             L1   Fa0/0       1.2.3.1         UP    23       r2.01
..             L2   Fa0/0       1.2.3.1         UP    24       r2.01

r2#sh isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    27       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    28       r2.01

r2#sh isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    23       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    24       r2.01

r2#sh isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    22       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    23       r2.01

r2#sh isis neighbors

System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    21       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    22       r2.01

r2#

-Aaron



Re: [c-nsp] Central Services Topology - Design question

2020-01-13 Thread Aaron Gould
Ah, and don't forget "additive" as it was crucial in not removing an rt, but
rather, adding another rt to the already present rt.

A nice way of having multiple extended community attributes (rt's) to be able
to match on.

-Aaron




Re: [c-nsp] Central Services Topology - Design question

2020-01-13 Thread Aaron Gould
When I started sharing some routes from one vrf to another vrf during my
deployment of cgnat, I came to understand that a vrf in my mind seemed to be
less about the name you give it, and more about the RT's you import and
export to accomplish the desired routing.

Further to that point, one day I typo'd a vrf name, and was stunned to
realize that everything was still working!  ...came to realize that the vrf
name doesn't matter, since mp-ibgp doesn't advertise anything of the
name... simply the rd, rt stuff matters.

To Saku's point, if you have local and separate vrf's, I'm pretty sure I had
to use an auto-export command in juniper to allow that local route sharing.

-Aaron



Re: [c-nsp] new ASR9901 ios update problem

2019-10-29 Thread Aaron Gould
Btw, good job, and thanks Jürgen for the informative and detailed
instruction on XR upgrade.

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Aaron Gould
Sent: Tuesday, October 29, 2019 10:23 AM
To: c...@marenda.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] new ASR9901 ios update problem

You just gave me another reason to like Juniper   :|

-Aaron




Re: [c-nsp] new ASR9901 ios update problem

2019-10-29 Thread Aaron Gould
You just gave me another reason to like Juniper   :|

-Aaron




Re: [c-nsp] new ASR9901 ios update problem

2019-10-23 Thread Aaron Gould
It got jumbled ... I'll try again...


admin install add disk1:asr9k-mgbl-px.pie-4.3.4
disk1:asr9k-mpls-px.pie-4.3.4 disk1:asr9k-mini-px.pie-4.3.4
disk1:asr9k-fpd-px.pie-4.3.4 synchronous

admin install activate disk0:asr9k-mgbl-px-4.3.4 disk0:asr9k-mpls-px-4.3.4
disk0:asr9k-mini-px-4.3.4 disk0:asr9k-fpd-px-4.3.4 synchronous

(after reboot occurs)

admin install commit





Re: [c-nsp] new ASR9901 ios update problem

2019-10-23 Thread Aaron Gould
Unsure about ASR9901 running 6.5.2... but I just now upgraded ASR9006 from
4.1.2 to 4.3.4

The process is pretty much...

admin install add ...
admin install activate ...
admin install commit

...that's pretty much it in simplest terms... (I'll say I don't fully
understand all the caveats and nuances with bridge smu's, time expiry issue,
bug fix smu packages, bundle all pie's into a tar ball, etc,etc)...

But in its simplest form, that's it.

admin install add disk1:asr9k-mgbl-px.pie-4.3.4
disk1:asr9k-mpls-px.pie-4.3.4 disk1:asr9k-mini-px.pie-4.3.4
disk1:asr9k-fpd-px.pie-4.3.4 synchronous
admin install activate disk0:asr9k-mgbl-px-4.3.4 disk0:asr9k-mpls-px-4.3.4
disk0:asr9k-mini-px-4.3.4 disk0:asr9k-fpd-px-4.3.4 synchronous
(after reboot occurs)
admin install commit

You may have other pies you require, just add them into the list above.
I had issues with tftp, so I simply ftp'd the files into disk1 and executed
install from that location.
I had issues with a clock and also fpd, simply set the clock to something
like 2009 and add that fpd pie.  That's what I did, worked.


- Aaron





Re: [c-nsp] ASR1002-X + SPA-1X10GE-L-V2 (10gb)

2019-09-05 Thread Aaron
clean the fiber.

On Thursday, September 5, 2019, Sheremet Roman  wrote:

> Hi,
>
> Yep, we changed the card to a brand new one and updated our IOS, now it
> looks best now:
>
> ASR1002#sh platform | in 10G
>  0/3       SPA-1X10GE-L-V2     ok                    1w0d
>
> But we have one more problem, media errors:
>
> ASR1002# sh int TenGigabitEthernet 0/3/0 | in err
>
>  227 input errors, 181 CRC, 46 frame, 0 overrun, 0 ignored
>  362103129 packets output, 194841004589 bytes, 0 underruns
>  0 output errors, 0 collisions, 5 interface resets
>  0 babbles, 0 late collision, 0 deferred
>
> And the amount is growing. Fiber is good, we reuse the same fiber which we
> used with the 1G link, we just moved it to 10G.
>
> Any idea how to debug this ? Or possible we need some settings for 10G
> links?  (I use 10G first time). Maybe something like as frame size, or
> MTU, etc
>
>
>
> > Hi,
>
> > We have Cisco ASR1002-X
> > Cisco IOS Software, IOS-XE Software
>
>
>
>
>
>
> --
> Best regards,
>  Sheremet  mailto:ro...@kharkov.org.ua
>


Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl

2019-08-26 Thread Aaron
And to not reset the configuration back... How is that for security

On Mon, Aug 26, 2019 at 9:21 AM Brian Turnbow  wrote:

> The dualrate script is for changing from 1G to 10G  and vice versa.
> So asr920 needs a vty access to run the script in telnet and since there
> is not one available it removes ssh
> Nice workaround!
>
> More info here
>
> https://www.cisco.com/c/en/us/td/docs/routers/asr920/b_Chassis_Guide_asr920/console-port.html
>
>
>
>
> Brian
>
> > -Original Message-
> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> > Jared Mauch
> > Sent: Monday, 26 August 2019 15:10
> > To: Aaron
> > Cc: Gert Doering; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
> >
> > I’ll say this in public (now) - Changing the security posture on the VTYs
> > is a great reason to not use this product at the moment.  I’ve seen many
> > people not monitor their devices for these types of changes, and this is
> > a great case to study.
> >
> > Time for some retraining of people.
> >
> > - Jared
> >
> > > On Aug 26, 2019, at 9:07 AM, Aaron  wrote:
> > >
> > > Any unexpected config change should be an automatic tac case.
> > > Totally unexpected. Reminds me of the days when swapping a flash card
> > > on a gsr could crash it.
> > > This is a new one .
> > >
> > > On Monday, August 26, 2019, Gert Doering  wrote:
> > >
> > >> Hi,
> > >>
> > >> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
> > >>
> > >> We have an ASR920 that grew an unexpected config change upon
> > >> insertion of a DAC cable into port ten0/0/12, and "unexpected config
> > >> change" always triggers an investigation here (who, why, what).  One
> > >> part of it was somewhat related
> > >>
> > >> interface TenGigabitEthernet0/0/12
> > >>  description ...
> > >>  no ip address
> > >> + negotiation auto
> > >>  service instance 200 ethernet
> > >>
> > >> ... but the other part was more interesting
> > >>
> > >> line vty 0 4
> > >>  access-class 9 in
> > >> - exec-timeout 240 0
> > >>  ipv6 access-class VTY-v6 in
> > >> - transport input telnet ssh
> > >> + transport preferred none
> > >> + transport input none
> > >> + transport output none
> > >>  escape-character 3
> > >>
> > >> "uh, what?".  So we investigated and found a few log messages about
> > >> that script...
> > >>
> > > >> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED:  F0: iomd:
> > > >> transceiver module inserted in TenGigabitEthernet0/0/12
> > > >> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE:
> > > >> TenGigabitEthernet0/0/12: MODE_1G
> > > >> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by  on
> > > >> vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by  on
> > > >> vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by  on
> > > >> vty0 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED:  F0: iomd:  Transceiver
> > > >> module removed from TenGigabitEthernet0/0/12
> > > >> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
> > > >> %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
> > > >> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
> > > >> %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was
> > > >> granted to user ; Trace file: , /harddisk/tracelogs/system_
> > > >> shell_R0-0.2264_0.20190820134619.bin
> > > >> Aug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl:
> > > >> DUAL_RATE_CHANGE Re-configuration of interface
> > > >> TenGigabitEthernet0/0/12 to start re-configuring
> > > >> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by  on
> > > >> vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > > >> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is
> > > >> Modified
> > >>
> > >>
> > >> ... and 441 (!!) lines in the tacacs command accounting log, wh
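
Jared's point about devices not being monitored for this kind of change, as an added example (not code from the thread or from Cisco): a Python check that flags configuration events attributed to an EEM script or to an empty user name, system-shell log entries, and diff lines that touch access settings under a "line" stanza. The sample input is rejoined from the log lines and config diff quoted above; the function names and the list of sensitive commands are assumptions.

```python
import re

# Constructed sample: log lines rejoined from the wrapped copies quoted in the thread.
SAMPLE_SYSLOG = """\
Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED:  F0: iomd:  transceiver module inserted in TenGigabitEthernet0/0/12
Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE: TenGigabitEthernet0/0/12: MODE_1G
Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1 (EEM:Mandatory.dualrate_eem.tcl)
Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1 (EEM:Mandatory.dualrate_eem.tcl)
Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
"""

# Constructed sample: the two config hunks from the thread, first column is the diff marker.
SAMPLE_DIFF = """\
 interface TenGigabitEthernet0/0/12
  description ...
  no ip address
+ negotiation auto
  service instance 200 ethernet
 line vty 0 4
  access-class 9 in
- exec-timeout 240 0
  ipv6 access-class VTY-v6 in
- transport input telnet ssh
+ transport preferred none
+ transport input none
+ transport output none
  escape-character 3
"""

STAMP = re.compile(r"^(\w{3} +\d+ [\d:]+)")
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (.*?) on (\S+)(?: \(([^)]*)\))?")
SHELL = re.compile(r"%SYSTEM-3-SYSTEM_SHELL_LOG: (.*)")
# Assumption: commands under a "line" stanza that change who can log in and how.
SENSITIVE = re.compile(
    r"^(no )?(transport|exec-timeout|access-class|ipv6 access-class|login|password)\b")


def scan_syslog(text):
    """Return (timestamp, kind, detail) for config changes made without a
    named user or by an EEM policy, and for any system-shell log entry."""
    findings = []
    for line in text.splitlines():
        m = STAMP.match(line)
        when = m.group(1) if m else "?"
        m = CONFIG_I.search(line)
        if m:
            user, vty, source = m.group(1).strip(), m.group(2), m.group(3) or ""
            if source.startswith("EEM:") or not user:
                findings.append((when, "config-by-script",
                                 f"{source or 'no user'} on {vty}"))
            continue
        m = SHELL.search(line)
        if m:
            findings.append((when, "system-shell", m.group(1).strip()))
    return findings


def scan_config_diff(text):
    """Return (stanza, marker, command) for added or removed access-related
    commands inside a 'line ...' stanza of a config diff."""
    findings, stanza = [], ""
    for line in text.splitlines():
        if not line:
            continue
        marker, body = line[0], line[1:]
        if body and not body[0].isspace():
            stanza = body.strip()      # unindented command opens a new stanza
            continue
        command = body.strip()
        if marker in "+-" and stanza.startswith("line ") and SENSITIVE.match(command):
            findings.append((stanza, marker, command))
    return findings


def vty_locked_out(diff_findings):
    """True when the diff leaves 'transport input none' on a line stanza."""
    return any(marker == "+" and command == "transport input none"
               for _, marker, command in diff_findings)


if __name__ == "__main__":
    for finding in scan_syslog(SAMPLE_SYSLOG):
        print("LOG ", finding)
    diff_findings = scan_config_diff(SAMPLE_DIFF)
    for finding in diff_findings:
        print("DIFF", finding)
    print("vty locked out:", vty_locked_out(diff_findings))
```

The interface hunk is not reported because "negotiation auto" sits outside a "line" stanza; only the five changed lines under "line vty 0 4" are.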

Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl

2019-08-26 Thread Aaron
Any unexpected config change should be an automatic tac case.
Totally unexpected. Reminds me of the days when swapping a flash card on a
gsr could crash it.
This is a new one .

On Monday, August 26, 2019, Gert Doering  wrote:

> Hi,
>
> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
>
> We have an ASR920 that grew an unexpected config change upon insertion
> of a DAC cable into port ten0/0/12, and "unexpected config change" always
> triggers an investigation here (who, why, what).  One part of it was
> somewhat related
>
>  interface TenGigabitEthernet0/0/12
>   description ...
>   no ip address
> + negotiation auto
>   service instance 200 ethernet
>
> ... but the other part was more interesting
>
>  line vty 0 4
>   access-class 9 in
> - exec-timeout 240 0
>   ipv6 access-class VTY-v6 in
> - transport input telnet ssh
> + transport preferred none
> + transport input none
> + transport output none
>   escape-character 3
>
> "uh, what?".  So we investigated and found a few log messages about that
> script...
>
> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED:  F0: iomd:  transceiver
> module inserted in TenGigabitEthernet0/0/12
> 
> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE:
> TenGigabitEthernet0/0/12: MODE_1G
> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
> (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
> (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty0
> (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED:  F0: iomd:  Transceiver
> module removed from TenGigabitEthernet0/0/12
> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
> %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM:  F0: Aug 20 13:46:20
> %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted
> to user ; Trace file: , /harddisk/tracelogs/system_
> shell_R0-0.2264_0.20190820134619.bin
> Aug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl:
> DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to
> start re-configuring
> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by  on vty1
> (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
>
>
> ... and 441 (!!) lines in the tacacs command accounting log, which
> mostly looked like "it replayed the whole config, line by line"...
> until it hit the vty section, which then got messed up...
>
> Aug 20 13:47:08 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2166 timezone=CEST service=shell
> start_time=1566301628 priv-lvl=15 cmd=configure terminal
> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2167 timezone=CEST service=shell
> start_time=1566301629 priv-lvl=15 cmd=line vty 0 4
> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2168 timezone=CEST service=shell
> start_time=1566301629 priv-lvl=15 cmd=no login authentication
> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2169 timezone=CEST service=shell
> start_time=1566301629 priv-lvl=15 cmd=no authorization exec
> Aug 20 13:47:09 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2170 timezone=CEST service=shell
> start_time=1566301629 priv-lvl=15 cmd=no authorization commands 15
>
> Aug 20 13:47:10 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2171 timezone=CEST service=shell
> start_time=1566301630 priv-lvl=15 cmd=no transport preferred
> ...
> Aug 20 13:47:10 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2174 timezone=CEST service=shell
> start_time=1566301630 priv-lvl=15 cmd=no exec-timeout
> Aug 20 13:47:11 router unknown tty3 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2175 timezone=CEST service=shell
> start_time=1566301631 priv-lvl=1 cmd=no length
> Aug 20 13:47:11 router unknown tty2 EEM:Mandatory.dualrate_eem.tcl
> stop task_id=2177 timezone=CEST service=shell
> start_time=1566301631 priv-lvl=15 cmd=write memory
>
>
> shall I state that I find this a somewhat surprising behaviour?
>
> Haven't opened a TAC case yet (no time) but hopefully someone here
> has seen this before and found some more useful results.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
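
The triage described in the quoted message (working out which vty and AAA commands the EEM script pushed, from the TACACS+ command accounting log) can be automated. The following is an added example, not code from the original posts or from Cisco; it assumes tab-separated tac_plus-style records with a trailing `<cr>` on each command, and the sample records are constructed after the ones quoted above.

```python
"""Flag vty/AAA changes pushed by on-box EEM scripts, from TACACS+ command accounting."""
import re
from collections import Counter
from dataclasses import dataclass

SCRIPT_PREFIX = "EEM:"  # originator value seen in the quoted accounting records
MODE_ENTER = re.compile(r"^(line|interface|router)\s", re.I)
MODE_LEAVE = {"end", "exit", "configure terminal"}
# Commands that change who can reach, or is authorised on, a terminal line.
SENSITIVE_LINE_CMD = re.compile(
    r"^(no login authentication"
    r"|no authorization (exec|commands)\b"
    r"|no exec-timeout"
    r"|no (ipv6 )?access-class"
    r"|(no )?transport input\b)",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    nas: str
    port: str
    script: str
    task_id: str
    context: str
    cmd: str


def parse_record(line):
    """Split one accounting record; return None for lines that do not fit.

    Assumed layout (tab-separated): timestamp, NAS, user, port, originator,
    record type, then attribute=value pairs.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    timestamp, nas, user, port, origin, rectype = fields[:6]
    attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    cmd = attrs.get("cmd", "").replace("<cr>", "").strip()
    if rectype != "stop" or not cmd:
        return None
    return {"timestamp": timestamp, "nas": nas, "user": user, "port": port,
            "origin": origin, "task_id": attrs.get("task_id", ""), "cmd": cmd}


def script_line_changes(text):
    """Return a Finding for each sensitive line-mode command issued by a script."""
    context = {}  # (nas, port) -> config sub-mode that session is currently in
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["nas"], rec["port"])
        cmd = rec["cmd"]
        if cmd.lower() in MODE_LEAVE:
            context[key] = None
            continue
        if MODE_ENTER.match(cmd):
            context[key] = cmd
            continue
        mode = context.get(key) or ""
        if (rec["origin"].startswith(SCRIPT_PREFIX)
                and mode.lower().startswith("line ")
                and SENSITIVE_LINE_CMD.match(cmd)):
            findings.append(Finding(rec["timestamp"], rec["nas"], rec["port"],
                                    rec["origin"], rec["task_id"], mode, cmd))
    return findings


def commands_by_script(text):
    """Count accounted commands per script originator (spots whole-config replays)."""
    records = (parse_record(line) for line in text.splitlines())
    return Counter(r["origin"] for r in records
                   if r and r["origin"].startswith(SCRIPT_PREFIX))


def _rec(ts, user, port, origin, task_id, cmd):
    """Build one constructed record in the assumed tab-separated layout."""
    return "\t".join([ts, "router", user, port, origin, "stop", f"task_id={task_id}",
                      "timezone=CEST", "service=shell", "priv-lvl=15", f"cmd={cmd} <cr>"])


EEM = "EEM:Mandatory.dualrate_eem.tcl"
# Constructed sample modelled on the quoted records. The operator session
# (admin1 from 192.0.2.10) and task ids 2100, 2101, 3001-3003 are invented.
SAMPLE = "\n".join([
    _rec("Aug 20 13:47:08", "unknown", "tty3", EEM, 2166, "configure terminal"),
    _rec("Aug 20 13:47:08", "unknown", "tty3", EEM, 2100, "interface TenGigabitEthernet0/0/12"),
    _rec("Aug 20 13:47:08", "unknown", "tty3", EEM, 2101, "negotiation auto"),
    _rec("Aug 20 13:47:09", "unknown", "tty3", EEM, 2167, "line vty 0 4"),
    _rec("Aug 20 13:47:09", "unknown", "tty3", EEM, 2168, "no login authentication"),
    _rec("Aug 20 13:47:09", "unknown", "tty3", EEM, 2169, "no authorization exec"),
    _rec("Aug 20 13:47:09", "unknown", "tty3", EEM, 2170, "no authorization commands 15"),
    _rec("Aug 20 13:47:10", "unknown", "tty3", EEM, 2171, "no transport preferred"),
    _rec("Aug 20 13:47:10", "unknown", "tty3", EEM, 2174, "no exec-timeout"),
    _rec("Aug 20 13:47:11", "unknown", "tty2", EEM, 2177, "write memory"),
    _rec("Aug 20 15:02:00", "admin1", "tty5", "192.0.2.10", 3001, "configure terminal"),
    _rec("Aug 20 15:02:05", "admin1", "tty5", "192.0.2.10", 3002, "line vty 0 4"),
    _rec("Aug 20 15:02:09", "admin1", "tty5", "192.0.2.10", 3003, "transport input ssh"),
])

if __name__ == "__main__":
    for f in script_line_changes(SAMPLE):
        print(f"{f.timestamp} {f.nas} {f.script} task_id={f.task_id} [{f.context}] {f.cmd}")
    print(dict(commands_by_script(SAMPLE)))
```

The operator's `transport input ssh` is not reported because its originator is a remote address rather than a script name; only script-originated changes made inside a `line` sub-mode are flagged.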

Re: [c-nsp] Inter-VRF with NAT

2019-08-19 Thread Aaron Gould
We have lots of zyxel's and manage all them with their public address.  Why 
don't you just do that? 

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Sunday, August 18, 2019 3:14 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Inter-VRF with NAT


> Hi Mike,
>
> I'm not sure I've understood your network topology to be honest. Are you 
> saying that you have Cisco devices with a single WAN link that doesn't 
> support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs 
> over different VLANs, e.g. internet in global routing table over VLAN 10, 
> management VRF over VLAN 20 etc? And you basically want multiple VRFs between 
> the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your 
> management traffic or need layer 2 connectivity to every CPE?

My cpe devices are typically zyxel. On the wan interface of these
devices, we usually have one service which is customer internet access
(pppoe or dhcp), and then another service which is mapped at either a
different vlan or a different vci/vpl, which is for management (and it's
always dhcp). So, from the perspective of the device, it only has one
routing table - the global table - and the 'default route' will normally
be the internet service gateway.  A common short-sightedness in these is
that they can't do policy routing, and they can't have a separate
routing table where management network traffic uses a gateway different
than the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber.
So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20
would be management traffic. I would like to have vlan 20 in a separate
vrf, and I would like to be able to assign it an ip address
(172.16.1.1), and I want to hand out addresses to the cpe in the range
of 172.16.1.x. But, because the CPE are braindead, I need to arrange
things so management access to the cpe all appear to come from
172.16.1.1. That way, the devices won't need to consult the routing
table for a gateway and will instead simply arp for the  172.16.1.1 as
it's on the same l3 network segment. This is the only way to deal with
devices that don't know the correct gateway back. The only way I know
how to accomplish this is with nat, unless there was some other socks
type proxy on my asr1000 I don't know about.


Mike-




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] netconf-yang feature candidate-datastore

2019-08-05 Thread Aaron
The XML requirement doesn't sound odd since this is netconf/yang we are
talking about.

On Mon, Aug 5, 2019 at 11:42 AM Saku Ytti  wrote:

> Hey Adam,
>
> On Mon, 5 Aug 2019 at 17:08,  wrote:
>
> > Was just wondering why I can't configure "netconf-yang feature
> > candidate-datastore"  on csr1k?
>
> Unsure what your problem is, but enable netconf-yang first, then try
> candidate. I've used the CSR1k candidate storage with python and
> kotlin library and was able to move from config A to config B with
> very trivial config.  One problem is that it will only accept XML
> config, not native IOS format, which is kinda dumb, as obviously the
> system is capable of doing native => xml => native.
>
> --
>   ++ytti


Re: [c-nsp] ASR1002-X + SPA-1X10GE-L-V2 (10gb)

2019-07-26 Thread Aaron
has this card worked in a different chassis?
i suspect a bad card


On Thursday, July 25, 2019, Andrew K.  wrote:

> I have this same issue with this same behavior. A reboot was also required
> to get it to detect.  The kicker is we have one of these cards in the
> chassis working already. TAC told me to RMA the SPA.
>
> We are sending a second SPA-1X10GE-L-V2 that was tested in an ASR1002 (not
> an X, all we had to test).
>
> #sh ver
> Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M),
> Version 15.2(4)S7, RELEASE SOFTWARE (fc4)
>
> IOS XE Version: 03.07.07.S
>
> #sh plat
> Chassis type: ASR1002-X
>
> Slot      Type                State                 Insert time (ago)
> --------- ------------------- --------------------- -----------------
> 0         ASR1002-X           ok                    7w1d
>  0/0      6XGE-BUILT-IN       ok                    7w1d
>  0/1      SPA-1X10GE-L-V2     out of service        2w0d
>  0/2      SPA-1X10GE-L-V2     ok                    7w1d
> R0        ASR1002-X           ok, active            7w1d
> F0        ASR1002-X           ok, active            7w1d
> P0        ASR1002-PWR-AC      ok                    7w1d
> P1        ASR1002-PWR-AC      ok                    7w1d
>
> Slot      CPLD Version        Firmware Version
> --------- ------------------- ---------------------------------------
> 0         12042303            15.2(4r)S1
> R0        12042303            15.2(4r)S1
> F0        12042303            15.2(4r)S1
>
>
> #sh hw-module subslot all oir
> Module        Model                Operational Status
> ------------- -------------------- ------------------------
> subslot 0/0   6XGE-BUILT-IN        ok
> subslot 0/1   SPA-1X10GE-L-V2      out of service(failed too many times)
> subslot 0/2   SPA-1X10GE-L-V2      ok
>
>
>
> On 7/25/2019 8:49 AM, Sheremet Roman wrote:
>
>> Hi,
>>
>> We have Cisco ASR1002-X
>> Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M),
>> Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
>> IOS XE Version: 03.09.01.S
>>
>> and 10g module SPA-1X10GE-L-V2
>>
>> So, module won't work, anyone use same? OIR not detect this module
>> automatically but after reload module not works also...
>>
>>
>> Please look my details:
>>
>> Border-ASR1002#sh hw-module subslot all oir
>> Module        Model                Operational Status
>> ------------- -------------------- ------------------------
>> subslot 0/0   6XGE-BUILT-IN        ok
>> subslot 0/1   SPA-1X10GE-L-V2      out of service(failed too many times)
>> subslot 0/2   SPA-8X1GE-V2         ok
>>
>> Border-ASR1002#sh platform hardware slot 0 spa status
>> Bay  SPA Type             State      PST   POK   SOK   PENB  RST   DENB  HSS
>> ----------------------------------------------------------------------------
>> 0    6XGE-BUILT-IN        Online     0     1     1     1     1     0     1
>> 1    SPA-1XTENGE-XFP-V2   Offline    0     0     0     0     0     1     0
>> 2    SPA-8X1GE-V2         Online     0     1     1     1     1     0     1
>> 3    Empty                Detection  1     0     0     0     0     1     0
>>
>> Border-ASR1002#sh hw-module all fpd
>>
>> ==== ====================== ====== =============================================
>>                             H/W    Field Programmable   Current   Min. Required
>> Slot Card Type              Ver.   Device: "ID-Name"    Version   Version
>> ==== ====================== ====== ================== =========== ==============
>>  0/0 6XGE-BUILT-IN          1.0    1-2KP HSPA BULLSEY 2.34        2.34
>> ---- ---------------------- ------ ------------------ ----------- --------------
>>  0/1 SPA-1X10...            1.2    1-10GE I/O FPGA    1.9         1.9
>> ---- ---------------------- ------ ------------------ ----------- --------------
>>  0/2 SPA-8X1GE-V2           1.0    1-GE I/O FPGA      1.10        1.10
>> ==== ====================== ====== =============================================
>>
>> Border-ASR1002#sh platform
>> Chassis type: ASR1002-X
>>
>> Slot      Type                State                 Insert time (ago)
>> --------- ------------------- --------------------- -----------------
>> 0         ASR1002-X           ok                    04:21:49
>>  0/0      6XGE-BUILT-IN       ok                    04:20:55
>>  0/1      SPA-1X10GE-L-V2     out of service        04:19:44
>>  0/2      SPA-8X1GE-V2        ok                    04:20:54
>> R0        ASR1002-X           ok, active            04:21:49
>> F0        ASR1002-X           ok, active            04:21:49
>> P0        ASR1002-PWR-AC      ok                    04:21:20
>> P1        ASR1002-PWR-AC      ok                    04:21:19
>>
>>
>> Logs:
>>
>> Jul 25 08:06:36.160: %SPA_OIR-3-HW_INIT_TIMEOUT: subslot 0/1
>> Jul 25 08:06:41.160: %SPA_OIR-3-RECOVERY_RELOAD: subslot 0/1: Attempting
>> recovery by reloading SPA
>> Jul 25 08:06:41.161: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1X10GE-L-V2)
>> offline in subslot 0/1
>> Jul 25 08:06:41.161: %IOSXE_RP_ALARM-6-INFO: CLEAR CRITICAL SPA subslot
>> 0/1 Failed
>> Jul 25 08:06:41.161: %IOSXE_RP_ALARM-6-INFO: ASSERT MAJOR SPA 

Re: [c-nsp] ASR 920 Replacement

2019-06-27 Thread Aaron Gould
Why are we worried about XR boot times ?

RP/0/RSP0/CPU0:g-9k#sh ver | in "uptime|IOS"
Thu Jun 27 14:20:49.013 CDT
Cisco IOS XR Software, Version 4.1.2[Default]
g-9k uptime is 5 years, 14 weeks, 3 days, 12 hours, 10 minutes

RP/0/RSP0/CPU0:c-9k#sh ver | in "uptime|IOS"
Thu Jun 27 14:20:55.287 CDT
Cisco IOS XR Software, Version 4.1.2[Default]
c-9k uptime is 5 years, 21 weeks, 4 days, 44 minutes

-Aaron




Re: [c-nsp] XRv (eve-ng)

2019-06-05 Thread Aaron Gould
XRv9k

 

-aaron



Re: [c-nsp] XRv (eve-ng)

2019-06-05 Thread Aaron
Is that XRv or XRv9K?
XRv was great as it didn't require as many resources.

On Wed, Jun 5, 2019 at 10:28 AM Aaron Gould  wrote:

> Have you all been able to use EVE-NG ?  My gosh, what an awesome emulator.
>
>
>
> I have eve-ng running…
>
>
>
> XRv
>
> vMX
>
> vQFX
>
>
>
> (this might end up being a much larger topic)  BTW, Why does Juniper do
> what appears to be such a better job with CP/FP (control plane/forwarding
> plane) separation ?  I’m speaking about XR and Junos and also how clean
> Junos vMX seems to be done as I work with it in EVE-NG when compared to XRv.
>
>
>
> XRv is still one node.
>
>
>
> vMX is 2 nodes… VCP and VFP.
>
>
>
> Also, in XRv I can’t add martini-type access pw’s into an l2vpn nor can I
> add routing on a BVI….. but, conversely I can do all those things in vMX
>
>
>
> As nice as XR(v) is, it still seems to be playing catch-up to (v)MX.  Is
> this true in your mind ?
>
>
>
> Stepping away from the eve-ng emulator for a moment, over the years of
> working with XR I was so pleased with how it improved upon classic IOS….
> But then I began working with Junos a few years ago, and wow, it seemed to
> take routing os to a whole other level than XR did… again, this could be in
> my head, but curious what others think, IF, you have actually done enough
> work on both platforms to know enough to speak to it.
>
>
>
> -Aaron
>
>
>
>
>


Re: [c-nsp] XRv (eve-ng)

2019-06-05 Thread Aaron Gould
Have you all been able to use EVE-NG ?  My gosh, what an awesome emulator.

 

I have eve-ng running…

 

XRv

vMX

vQFX

 

(this might end up being a much larger topic)  BTW, Why does Juniper do what 
appears to be such a better job with CP/FP (control plane/forwarding plane) 
separation ?  I’m speaking about XR and Junos and also how clean Junos vMX 
seems to be done as I work with it in EVE-NG when compared to XRv.

 

XRv is still one node.

 

vMX is 2 nodes… VCP and VFP.

 

Also, in XRv I can’t add martini-type access pw’s into an l2vpn nor can I add 
routing on a BVI….. but, conversely I can do all those things in vMX

 

As nice as XR(v) is, it still seems to be playing catch-up to (v)MX.  Is this 
true in your mind ?

 

Stepping away from the eve-ng emulator for a moment, over the years of working 
with XR I was so pleased with how it improved upon classic IOS…. But then I 
began working with Junos a few years ago, and wow, it seemed to take routing os 
to a whole other level than XR did… again, this could be in my head, but 
curious what others think, IF, you have actually done enough work on both 
platforms to know enough to speak to it.

 

-Aaron

 

 



Re: [c-nsp] A9K-VSM-500

2019-05-08 Thread Aaron Gould
my personal notes from testing vsm-500 from a few years ago...

*** my testing showed good with pings, BUT TERRIBLE and NON-existent web 
surfing until changing MTU of vnics from 1514 to 9216

interface TenGigE0/3/1/0
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/1
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/2
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/3
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/4
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/5
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/6
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/7
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/8
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/9
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/10
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/11
 description vsm
 mtu 9216

--

also i have a document but i can't find it online anywhere... it's titled 
"ASR9K CGv6 on VSM troubleshooting guide"

there is a section subtitled..."3. VSM packet flow troubleshooting"

NOTE 1 : Be aware about CSCuo63064 which explains the packet drops for packets 
which are supposed to be fragmented on VSM

Symptom: Packets requiring fragmentation are silently dropped with 
DROP_FRM_FRM_ERR_XAUI9 error count 

Conditions: Observed with NAT44 on VSM with packet sizes above 1514 bytes.

Workaround: Increase the interface MTU on the VSM physical interfaces to match 
the ingress interface 

More Info: For better NAT44 performance, Cisco recommends keeping the default 
physical interface MTU 

This one is targeted to be fixed in 5.2.2 XR release

NOTE 2: Be aware about default MTU for ServiceApp interfaces

in 5.1.3 and 5.2.0: MTU is 1514 (not configurable) in 5.2.2: ServiceApp 
interface will be set by default to Jumbo frame size (not configurable)

CSCuo63064

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo63064 

-Aaron



Re: [c-nsp] Cisco IOS ping utility reports lower RTT than possible

2019-05-03 Thread Aaron
The initial is most likely due to arp. Depending how long it is between
runs, the arp cache may clear.

On Fri, May 3, 2019 at 10:57 AM Octavio Alvarez 
wrote:

> On 5/3/19 5:14 AM, Martin T wrote:
> > Hi Octavio,
> >
> > instead of a two-card laptop I used the available ports in server
> > named "svr", but in principle I built the setup you described:
> >
> > CISCO1921[Gi0/0] <-> [eno1]test-br[eno2] <-> [eno3]svr
>
> I intended to have an independent measurement tool (including an
> independent clock) but that should be good enough too, as it's highly
> unlikely that you have serious clock drifting issues.
>
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
>
> > As seen above, minimum measurement was 8ms and average was 9ms.
>
> I don't know how far (in ms) is the router from the server but max=12ms
> also looks way off.
>
> > Cisco IOS ping command inserts the timestamp into the payload of the
> > ICMP "echo request" message and at least it seems to increment it, i.e
> > that part seems to be fine.
>
> Does it? If you are referring to the -ttt output then that is done by
> tcpdump.
>
> Good experiment. Sorry to say that I don't know why the measurements are
> so inaccurate. I know the Cisco ISR 1912 is a very low-end device but I
> don't know if so enough to get into this level of inaccuracy.
>
> Octavio.


[c-nsp] ME3600 - ping drop seen

2019-04-24 Thread Aaron Gould
I have an ME3600 running 15.4(3)S3. and I saw a systematic drop on pings,
making me think there was some sort of built-in control plane protection.

 

(pinging the ME3600 from a remote device)

!!!.!.!!!.!!!.!!!.!!!.

!!!.!!!.!!!.!!!.!!!.

 

I downgraded it to 15.2(4)S5 and no longer see the drops.

 

(pinging the ME3600 from a remote device)

!!

!!

!!

 

Is there somewhere I could've seen these drops in a counter somewhere?  Or a
way to enable/disable that behavior?

 

-Aaron



Re: [c-nsp] IS-IS as PE-CE protocol

2019-03-21 Thread Aaron Gould
The only place I run bgp on pe-ce is for internet uplinks… (junos)

I use a few options to make it work…
- peer-as 123
- local-as 456
- local-as private
- local-as no-prepend-global-as

That works for me.

 

-Aaron

 

From: Nathan Lannine [mailto:nathan.lann...@gmail.com] 
Sent: Thursday, March 21, 2019 8:11 AM
To: Aaron Gould
Cc: Michael Hallgren; Mark Tinka; Cisco-nsp
Subject: Re: [c-nsp] IS-IS as PE-CE protocol

 

On Thu, Mar 21, 2019 at 9:02 AM Aaron Gould  wrote:

Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is natural 
and automatic true ?

-Aaron

 

As an implementer of MPLS/L3VPN in the enterprise, this is very interesting to 
me because I am all IGP internally.  I sort of assumed that in the provider 
space that L3VPNs would be accomplished the same way, with an IGP as PE-CE 
protocol for L3VPN, but here we are.  So, in the case of BGP as PE-CE protocol 
and a small client AS, do you all in the provider space require multiple 
private ASNs per VPN?  I mean (blatant free training request here) how does 
this get handled by the VPN customer?

 

Just navel gazing here, but I am wondering if there would be any benefit to me 
running BGP as my own PE-CE protocol.

 

Thank you,

Nathan 



Re: [c-nsp] IS-IS as PE-CE protocol

2019-03-21 Thread Aaron Gould
Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is natural 
and automatic true ?

-Aaron




Re: [c-nsp] UDP/0 ACL IOSXR issue?

2019-02-08 Thread Aaron Gould
Unsure about xr and be-specific acl treatment... however I do recall
BVI-related acl's having issues either in or out... don't recall, been a
while...

...in my newer juniper platform, I'm blocking the heck out of udp/0... geez,
there's a lot of volumetric attacks coming on that port... and 389 and
53 and 123

- Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Bryan Holloway
Sent: Friday, February 8, 2019 1:38 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] UDP/0 ACL IOSXR issue?

Anyone aware of any issues with filtering destination UDP/0 at ingress 
points on IOS XR?

We're running 5.3.4 SP8 and have telemetries to help us RTBH when the 
need arises.

UDP/0 is a well-known vector for this sort of attack. However, what I'm 
seeing is that packets seem to be getting past our ACLs even though we 
are explicitly denying them.

"hardware counters" seem to corroborate that we're getting matches.

... and yet we're still seeing the traffic beyond the ingress.

Curious if anyone else has seen this.

Our egress-facing interface is a BE, if it matters ...




Re: [c-nsp] segment routing/evpn on ASR920

2019-01-30 Thread Aaron Gould
Ummm, that too.  LOL

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
James Bensley
Sent: Wednesday, January 30, 2019 9:05 AM
To: Tom Ammon; Cisco-nsp List
Subject: Re: [c-nsp] segment routing/evpn on ASR920

On Wed, 30 Jan 2019 at 02:36, Tom Ammon  wrote:
>
> Has anybody tried running segment routing on ASR920? If so, did you run in
> to any caveats? What about EVPN over segment routing on that platform? The
> SR configuration guide for this platform lists segment routing, but
doesn't
> call out EVPN specifically - it only lists VPLS and L2VPN.
>
> Tom

Hi Tom,

Last I spoke to the ASR920 BU (Q4 last year) EVPN was still a roadmap
feature and SR was only just being released so I assume it's bug
central at this point in time.

Cheers,
James.


Re: [c-nsp] segment routing/evpn on ASR920

2019-01-30 Thread Aaron Gould
I read that SR/SPRING is an alternative to LDP or RSVP... seems that
SR/SPRING is a label distribution protocol.  Meaning, in my mind, it's a way
to learn labels...mpls labels I guess.  If so, would we refer to EVPN as
EVPN-SR?  If so, would it follow that a non-sr network, one that has
employed ldp for label learning, with evpn, would be referred to as EVPN-LDP
?  I'm not thinking so.

Further, I recall reading that EVPN is Control Plane, and has a few
different options for Fwd'ing plane...

EVPN-VXLAN
EVPN-PBB
EVPN-MPLS
...perhaps others...

Tom, I wonder if we/you should look for ASR920 docs/support for EVPN-MPLS in
your desire to see if EVPN will work over SR?

I could be way off.  

-Aaron




Re: [c-nsp] ASR 99xx IOS-XR images are all EoL/EoS?

2018-12-20 Thread Aaron
we are running 6.4.2 in classic xr. no confidence with 64 bit at the
moment. need to see testing results from cisco first

On Thursday, December 20, 2018, Charles Spurgeon <
c.spurg...@austin.utexas.edu> wrote:

> * Tom Hill  [2018-12-19 20:19:09 +]:
>
> > On 19/12/2018 19:59, Charles Spurgeon wrote:
> > > Does anyone have info on what is going on? What are people running on
> > > their ASR 99xx platforms?
> >
> > It matters deeply which 99xx, and what supervisor(s) you have in it.
> >
> >  9904 uses the same RSPs as 9006/9010.
> >  9906 and 9910 use a different RSP, with expandable 'S' capacity.
> >  9912 and 9922 use an RP, with the 'S' function entirely removed.
> >
> > A recent BRKARC-2003 (from Cisco Live!) will have more details.
> >
> > In this instance I suspect the 9904 is witnessing a push from Cisco to
> > move their customers towards 3rd generation supervisors and above;
> > that's RSP-880[-RL] and newer in the 9904's case. This will be because
> > those generations support the 64-bit variant of IOS-XR.
> >
>
> Thanks. Our 9904s have RSP880s and a 8X100GE-TR line card in each, so
> we're good for a 64-bit conversion.
>
> Meanwhile, our support channel dug up the info that a 6.5.2 EMR
> release is planned for Jan/Feb 2019.
>
> They also provided a link to an ASR software guidance doc at:
> https://community.cisco.com/t5/service-providers-documents/ios-xr-release-
> strategy-and-deployment-recommendation/ta-p/3165422
>
> Given this info we plan to upgrade from 5.3.4 to 6.4.2 to get onto
> supported code and then we'll use the 6.5 release to convert to 64-bit
> operation during our summer maintenance in 2019.
>
> -Charles
>
>


Re: [c-nsp] Ipv6 address plan

2018-10-11 Thread Aaron
 Check out the white paper on terastream

On Thursday, October 11, 2018, harbor235  wrote:

> Gents,
>
> I have a green field IPv6 infrastructure that I am standing up, I plan on
> allocating unique IPv6 net block ranges for infrastructure nets
> (loopbacks/routerid, pt-to-pts), service delivery allocations (customer
> services), North of the security boundary layer, south of security boundary
> layer etc .
>
> Any other best practices learned from your IPv6 deployments that would
> assist on my deployment?
>
>
> Mike


Re: [c-nsp] Telemetry real life use cases

2018-08-06 Thread Aaron Gould
What are you all using for a telemetry collector ?

-Aaron




Re: [c-nsp] CMs security

2018-07-29 Thread Aaron Gould
My cable modem mgmt and mta (voice) ip's are on different subnet than CPE. 
And we have an ACL on the CMTS to not allow customer ip's to communicate with 
those cm ip's

Aaron

> On Jul 29, 2018, at 5:38 PM, ring...@mail.com wrote:
> 
> Hi all,
> 
> Wondering what do you guys prefer as best practice to block connectivity like 
> ping, http and everything else between CMs (docsis plant)?
> 
> How do you do and manage it?
> 
> ton


Re: [c-nsp] XRv (eve-ng)

2018-07-27 Thread Aaron Gould
Just to circle back with all of you... my problem with not being able to
login to XRv was just a terminal emulator issue. Windows Telnet window was
messing up the root account creation at the beginning when XR boots up and i
guess adding a special character and messing it up. On the eve-ng community
chat, a guy named Rusty was able to figure it out by just having me use a
different terminal ... putty and mtputty work fine...

 NO root-system username is configured. Need to
configure root-system username. Configuration lock is
held by another agent. Please wait. [.OK]

--- Administrative User Dialog ---

Enter root-system username: RP/0/RP0/CPU0:Jul 27 15:59:25.628 :
smartlicserver[373]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications
failure with Cisco licensing cloud: Communications init failure

% Entry must not be null.

Enter root-system username: xrv
Enter secret:
Use the 'configure' command to modify this configuration.
User Access Verification

Username: xrv
Password:


RP/0/RP0/CPU0:ios#

I'm in now !!

-Aaron



Re: [c-nsp] XRv (eve-ng)

2018-07-26 Thread Aaron Gould
Anyone seen this issue before and know how to fix ?

same problem even with XRv Full asr9000 version 6.3.2 i can't login ,
for some reason it thinks i'm an "unknown" user or something like that.
please note that it does not ask me for a password... as soon as i type the
username, it comes back and says "Failed authentication attempt by user
'' from 'console'..."

so i see this with xrv versions...

5.1.1
5.3.0
6.3.2

- Aaron

Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): XR control plane: 5120MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): XR packet memory: 128MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Centralized LC: 9216MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Data plane core assignment: 2-3
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Control plane core assignment: 0-1



#
#
#  Welcome to the Cisco IOS XRv9k platform
#
#
#
#Please wait for Cisco IOS XR to start.
#
#
#
#Copyright (c) 2014-2017 by Cisco Systems, Inc.
#
#
#



Cisco IOS XR console will start on the 1st serial port
Cisco IOS XR aux console will start on the 2nd serial port
Cisco Calvados console   will start on the 3rd serial port
Cisco Calvados aux   will start on the 4th serial port
Telnet escape character is '^Q'.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^Q'.
init: Unable to create device: /dev/kmsg
mount: can't find /dev in /etc/fstab
mkdir: cannot create directory '/run': File exists
bootlogd: ioctl(/dev/pts/2, TIOCCONS): Device or resource busy
Running postinst /etc/rpm-postinsts/100-dnsmasq...
update-rc.d: /etc/init.d/run-postinsts exists during rc.d purge (continuing)
 Removing any system startup links for run-postinsts ...
  /etc/rcS.d/S99run-postinsts
Configuring network interfaces... done.
Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
  generating ssh RSA key...
  generating ssh ECDSA key...
  generating ssh DSA key...
  generating ssh ED25519 key...
sshd start/running, process 2150
Starting rpcbind daemon...done.
Starting random number generator daemonUnable to open file: /dev/tpm0
can't open any entropy source
Maybe RNG device modules are not loaded

.
Starting system log daemon...0
tftpd-hpa disabled in /etc/default/tftpd-hpa
Starting internet superserver: xinetd.
Libvirt not initialized for container instance
Starting crond: OK
SIOCSIFTXQLEN: No such device
SIOCSIFTXQLEN: No such device


ios con0/RP0/CPU0 is now available
.
0/RP0/ADMIN0:Jul 26 13:44:19.747 : wd_memmon[3051]:
%INFRA-WD_MEMMON-4-MEM_WARN :  Memory usage %: 80, Total memory: 1048576kb,
Free memory: 219200kb, State: MINOR, Minor Threshold %: 80


 NO root-system username is configured. Need to
configure root-system username. 

 --- Administrative User Dialog ---


  Enter root-system username: admin

  Enter secret:


  % Entry must not be null.
  Enter secret:
  % Entry must not be null.
  Enter secret:
  % Entry must not be null.
  Enter secret:
  Enter secret again:
  % Entry must not be null.

Use the 'configure' command to modify this configuration.
User Access Verification

Username:
Username: admin
Password: RP/0/RP0/CPU0:Jul 26 13:46:02.536 : exec[66886]:
%SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on
 'con0_RP0_CPU0'

User Access Verification

Username: root
Password: RP/0/RP0/CPU0:Jul 26 13:46:05.708 : exec[66886]:
%SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on
 'con0_RP0_CPU0'

User Access Verification

Username: cisco
Password: RP/0/RP0/CPU0:Jul 26 13:46:09.619 : exec[66886]:
%SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on
 'con0_RP0_CPU0'

RP/0/RP0/CPU0:Jul 26 13:46:10.120 : exec[66886]: %MGBL-exec-3-LOGIN_AUTHEN :
Login Authentication failed. Exiting...

% Authentication failed
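
Both captures in this thread show the router logging an empty user name even though a name was typed at the prompt. As an added example (not part of the original posts; the function names, the `<unknown>` placeholder and the constructed samples are assumptions), this Python script reassembles the wrapped AUTHEN_FAILED records from a saved console capture and flags attempts where the logged name does not carry the typed one, a cue to check the console input path, as the fix in the thread turned out to be, before suspecting the password.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the console captures in this thread: records
# wrapped by the mail client, and both spellings of the LOGIN mnemonic.
SAMPLE_CAPTURE = """\
User Access Verification

Username:
Username: admin
Password: RP/0/RP0/CPU0:Jul 26 13:46:02.536 : exec[66886]:
%SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on
 'con0_RP0_CPU0'

Username: root
Password: RP/0/RP0/CPU0:Jul 26 13:46:05.708 : exec[66886]:
%SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on
 'con0_RP0_CPU0'

Username: rusty
Password:
RP/0/0/CPU0:Jul 25 12:23:44.338 : exec[65692]:
%SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on 'con0_0_CPU
0'
"""

# Constructed contrast case (assumed record shape): the router logs the same
# name that was typed, i.e. an ordinary rejected credential.
CONTRAST_CAPTURE = """\
Username: xrv
Password:
RP/0/RP0/CPU0:Jul 27 16:05:10.101 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user 'xrv' from 'console' on 'con0_RP0_CPU0'
"""

# Names that mean "the router recorded no usable user name". The archived log
# shows empty quotes; treating "<unknown>" the same way is an assumption.
NO_NAME = {"", "<unknown>"}

# One token per match: a login prompt with whatever was typed after it, or an
# AUTHEN_FAILED record. \s+ lets a record span mail-wrapped lines.
TOKEN = re.compile(
    r"^[ \t]*Username:[ \t]*(?P<typed>\S*)[ \t]*$"
    r"|(?P<node>[\w/]+):(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d+)"
    r"\s*:\s*exec\[\d+\]:\s*(?i:%SECURITY-LOGIN-4-AUTHEN_FAILED)\s*:\s*"
    r"Failed\s+authentication\s+attempt\s+by\s+user\s+'(?P<user>[^']*)'\s+"
    r"from\s+'(?P<src>[^']*)'\s+on\s+'(?P<line>[^']*)'",
    re.MULTILINE,
)


@dataclass
class FailedLogin:
    timestamp: str
    node: str
    typed: str       # last value seen after a "Username:" prompt
    logged: str      # user name the router wrote into the syslog record
    line: str        # console/vty line, with wrap whitespace removed
    name_lost: bool  # a name was typed but the record carries none


def failed_logins(capture):
    """Return the AUTHEN_FAILED events of a console capture, in order."""
    events, typed = [], ""
    for m in TOKEN.finditer(capture.replace("\r", "")):
        if m.group("ts") is None:            # prompt token
            typed = m.group("typed")
            continue
        logged = m.group("user")
        events.append(FailedLogin(
            timestamp=" ".join(m.group("ts").split()),
            node=m.group("node"),
            typed=typed,
            logged=logged,
            line=re.sub(r"\s+", "", m.group("line")),
            name_lost=bool(typed) and logged in NO_NAME,
        ))
        typed = ""                           # next attempt needs a new prompt
    return events


def suspect_input_path(events):
    """True when every failed attempt lost the typed user name."""
    return bool(events) and all(e.name_lost for e in events)


if __name__ == "__main__":
    for e in failed_logins(SAMPLE_CAPTURE):
        print(e.timestamp, e.line, repr(e.typed), "->", repr(e.logged), e.name_lost)
    print("check console input path:", suspect_input_path(failed_logins(SAMPLE_CAPTURE)))
```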





[c-nsp] XRv (eve-ng)

2018-07-25 Thread Aaron Gould
Any idea why this is happening?  I can boot XRv just fine (5.3.0) but I get
a few errors and can't log in with default username (admin) and no password..
I get some SAM errors and nvram errors.. then logging in with admin, no
password, or an account that it *forces* me to create, but are failed

 

-Aaron

 

..

Section:idt offset:0x006c
base:fed185bc
Section:pgdir offset:0x0070
Page Directory d000: PAE

System page at phys:00017000 user:fed15000 kern:fed17000
Starting next program at vfe0419f8
Unable to access "/dev/ser1" (2)
Restricted Rights Legend

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS XR Software for the Cisco XR IOSXRv, Version 5.3.0
Copyright (c) 2015 by Cisco Systems, Inc.
Jul 25 12:19:04.167: Install Setup: Booting with committed software

SAM detects CA certificate(Code Signing Server Certificate
Authority,O=Cisco,C=US) has expired. The validity period is Oct 17, 2000
01:46:24 UTC - Oct 17, 2015 01:51:47 UTC.
Continue at risk? (Y/N) [Default: N w/in 10]: RP/0/0/CPU0:Jul 25 12:19:23.786 :
sam_server[352]: %SECURITY-SAM-3-ERROR_2_PARAM : Failed setting I_BIT on
backup file, /disk0/sam_certdb
RP/0/0/CPU0:Jul 25 12:19:38.085 : sam_server[352]: %SECURITY-SAM-4-WARNING :
Failed to initialize nvram digest
RP/0/0/CPU0:Jul 25 12:20:24.202 : cfgmgr-rp[152]: %MGBL-CONFIG-3-STARTUP :
Configuration Manager could not find any admin configuration to apply from
'/disk0:/config/admin/admin.cfg'.


ios con0/0/CPU0 is now available

 

 NO root-system username is configured. Need to
configure root-system username. 

--- Administrative User Dialog ---

Enter root-system username: admin

Username "admin" is locked, please choose another.

Enter root-system username:

% Entry must not be null.

Enter root-system username: rusty
Enter secret:
% Entry must not be null.
Enter secret:
Enter secret again:
% Entry must not be null.

Use the 'admin' mode 'configure' command to modify this configuration.

Please login with any configured user/password, or cisco/cisco

User Access Verification

Username:
Username: rusty
Password:
RP/0/0/CPU0:Jul 25 12:23:44.338 : exec[65692]:
%SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on 'con0_0_CPU
0'

User Access Verification

Username:

User Access Verification

Username:
Username: admin
Password:
RP/0/0/CPU0:Jul 25 12:23:48.008 : exec[65692]:
%SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user
'' from 'console' on 'con0_0_CPU
0'

% Authentication failed
RP/0/0/CPU0:Jul 25 12:23:48.528 : exec[65692]: %MGBL-exec-3-LOGIN_AUTHEN :
Login Authentication failed. Exiting..

 

 



Re: [c-nsp] OSPF+BGP and MPLS Q's

2018-07-19 Thread Aaron Gould
I was waiting for that, lol

Sort of a long story, as everyone knows, networks usually have a story to tell 
in order to understand why they are the way they are. If many of us sat back 
and designed a new network from the ground up, it would be pretty for a day or 
two, and then eventually grow into something else. If you leave the company 
and a new guy comes in, he would probably say, "what idiot designed this 
network" :/

Then when he left the company, someone else would come in and say the same 
thing about him, lol

Originally I did have a backbone area 0 and a very small MPLS network with core 
IGP area 1, ...well, area 1 continued to grow, and area 0 was eventually 
decommissioned, and now area 1 remains :)

I guess I could work through maintenance windows and convert everything to 
area 0, but I don't feel motivated to do so

Works fine

Aaron

> On Jul 19, 2018, at 5:34 PM, Nick Cutting  wrote:
> 
> Quick question as I am clueless on large SP networks (I'm a MSP guy not an 
> ISP guy )- why not area 0.0.0.0 ?
> 
> 
> -Original Message-
> From: cisco-nsp  On Behalf Of Aaron Gould
> Sent: Thursday, July 19, 2018 6:08 PM
> To: ring...@mail.com
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF+BGP and MPLS Q's
> 
> If you think your network is going to continue to grow, dual route reflector 
> cluster is a huge must have in my mind. I love how you can add address 
> families to one neighbor and let it bounce while the other neighbor stays up 
> with all your routes still there
> 
> I have run a 100 node single area OSPF (area 0.0.0.1) MPLS/LDP network for 
> several years. I believe in simplicity and only as much complexity as is 
> required for the job
> 
> 
> Aaron
> 
>> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
>> 
>> Hi all,
>> 
>> I have some practical design questions.
>> 
>> 1. Is there a better way of doing the HA than having adjacencies to the 
>> router (can be 3 hops away) over two different VLANs and different OSPF cost 
>> over trunk links with BFD enabled? 
>> 2. Do you find less practical a MPLS network on a multi-area design vs a 
>> single-area design?
>> 4. At what point would you introduce RouteReflectors in the network 
>> (e.g. when 5, 10, 20 IBGP connections?)
>> 
>> Can come up with some more in the meantime ;)
>> 
>> Thanks!
>> Ton


Re: [c-nsp] OSPF+BGP and MPLS Q's

2018-07-19 Thread Aaron Gould
If you think your network is going to continue to grow, dual route reflector 
cluster is a huge must have in my mind. I love how you can add address families 
to one neighbor and let it bounce while the other neighbor stays up with all 
your routes still there

I have run a 100 node single area OSPF (area 0.0.0.1) MPLS/LDP network for 
several years. I believe in simplicity and only as much complexity as is required 
for the job


Aaron

> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
> 
> Hi all,
> 
> I have some practical design questions.
> 
> 1. Is there a better way of doing the HA than having adjacencies to the 
> router (can be 3 hops away) over two different VLANs and different OSPF cost 
> over trunk links with BFD enabled? 
> 2. Do you find less practical a MPLS network on a multi-area design vs a 
> single-area design?
> 4. At what point would you introduce RouteReflectors in the network (e.g. 
> when 5, 10, 20 IBGP connections?)
> 
> Can come up with some more in the meantime ;)
> 
> Thanks!
> Ton


Re: [c-nsp] EVPN Book/paper recommendation

2018-07-13 Thread Aaron Gould
Maybe something here

https://forums.juniper.net/t5/Tech-Cafe-Ask-the-Author-MPLS-in/EVPN-advantage-over-L2VPN-VPLS/td-p/291810

http://shop.oreilly.com/product/0636920033905.do

https://www.safaribooksonline.com/library/view/mpls-in-the/9781491905449/ch08.html

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Tails Pipes
Sent: Friday, July 13, 2018 7:02 PM
To: Kasper Adel
Cc: Cisco-nsp
Subject: Re: [c-nsp] EVPN Book/paper recommendation

Hi

This is about using EVPN for IXPs, a bit closer.

https://www.trex.fi/2017/Ralf-Korschner-VXLAN-EVPN-in-a-Nuttshell.pdf

Ciao
Rich



On Fri, Jul 13, 2018 at 4:55 PM, Kasper Adel  wrote:

> good stuff here, maybe not on the L2VPN part.
>
> https://www.reddit.com/r/networking/comments/8ubqmc/evpn_is_confusing/?st=JIYNSFZA=ba954c8b
>
>
>
>
> On Fri, Jul 13, 2018 at 4:42 PM, Sami Joseph 
> wrote:
>
> > Heya
> >
> > I'm looking for book/paper recommendation on EVPN, specially for use-cases
> > in Carrier Ethernet deployments, replacing IETF L2VPN implementation and
> > deployments?
> >
> > I found this book by Ivan Pepen., but it doesn't cover that.
> > https://blog.ipspace.net/2018/06/book-evpn-in-data-center.html
> >
> > THX
> > Sam


Re: [c-nsp] NAT logging ASR1k

2018-07-09 Thread Aaron Gould
You wanna see the juniper configs for your ASR1006?

Not sure why we didn't use netflow.  I guess because syslog worked and that's 
where the docs led me

Aaron

> On Jul 9, 2018, at 2:52 AM, Ring Bit  wrote:
> 
> Hi Aaron,
> 
> Could you post the nat configs? 
> 
> Why not use Netflow? 
> 
> Thanks.
> T.
> 
>> Sent: Sunday, July 08, 2018 at 10:14 PM
>> From: "Aaron Gould" 
>> To: ring...@mail.com
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] NAT logging ASR1k
>> 
>> Bulk logging and port block allocation (PBA)?  
>> 
>> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-bpa.html
>> 
>> I do PBA in groups of 100 ports on my CGNAT deployment (juniper) and use 
>> syslog to log.  Using port block allocation caused the syslogging to slow 
>> down significantly 
>> 
>> Aaron
>> 
>>> On Jul 8, 2018, at 10:12 AM, ring...@mail.com wrote:
>>> 
>>> Hi everybody,
>>> 
>>> Have an ASR 1006 doing NAT translations, it is having  around 300k+ and 
>>> wanted to ask for a recommendation about logging those NAT translations. 
>>> 
>>> Tried it with a collector via Netflow v9 with the export command "ip nat 
>>> log translations flow-export v9 udp destination"  command the CPU spiked to 
>>> 100%. 
>>> 
>>> Is there a recommendation as a workaround or have alternative solution 
>>> which is easy on resources to those massive NAT translations?
>>> 
>>> Thanks,
>>> T.


Re: [c-nsp] NAT logging ASR1k

2018-07-08 Thread Aaron Gould
Bulk logging and port block allocation (PBA)?  

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-bpa.html

I do PBA in groups of 100 ports on my CGNAT deployment (juniper) and use syslog 
to log.  Using port block allocation caused the syslogging to slow down 
significantly 

Aaron

> On Jul 8, 2018, at 10:12 AM, ring...@mail.com wrote:
> 
> Hi everybody,
> 
> Have an ASR 1006 doing NAT translations, it is having  around 300k+ and 
> wanted to ask for a recommendation about logging those NAT translations. 
> 
> Tried it with a collector via Netflow v9 with the export command "ip nat log 
> translations flow-export v9 udp destination"  command the CPU spiked to 100%. 
> 
> Is there a recommendation as a workaround or have alternative solution which 
> is easy on resources to those massive NAT translations?
> 
> Thanks,
> T.


Re: [c-nsp] XR on GNS3

2018-05-31 Thread Aaron Gould
I used XRv in GNS3. I think I used both 5.1.1 and 5.3.0 ... I recall getting
some good use out of it.

I'm not a systems guy, so climbing the learning curve and asking for help
from the communities online was what I had to do in order to figure out how
to get it to show up inside the GNS3 app (used virtual box, and recall ova,
vmdk, qemu, etc, etc)  then it was useable and working.  I also did
Juniper Olive/vMX.

A couple things

I don't think I ever got the Layer 2 forwarding to work.  L3 routing worked
and packets would flow... but L2 bridging and MPLS Layer 2 type things I
don't think I ever got to properly flow.

I also would have to bounce interfaces using a batch file anytime I
restarted gns3 or even if I added a new instance of XRv... so because of
that, I would never reboot my windows vm that it was all contained inside
and tried not to close gns3 app

-Aaron




Re: [c-nsp] line con 0 as terminal server on Cat6500?

2018-05-18 Thread Aaron Gould
I've actually taken out a little 2600 just to act as a 1-port terminal server 
for this exact purpose 

(maybe you can even use an old 2500) 

Aaron

> On May 18, 2018, at 6:00 AM, Aaron Gould <aar...@gvtc.com> wrote:
> 
> I'm not sure if you can use a console port for connecting to another router's 
> console port , but you can use the auxiliary (aux) port to do that.  I've 
> done it many times
> 
> Aaron
> 
>> On May 18, 2018, at 1:55 AM, Patrick M. Hausen <hau...@punkt.de> wrote:
>> 
>> Hi all,
>> 
>> last weekend one switch in our VSS pair failed. Redundancy/VSS
>> did work and we kept our connectivity besides a couple of hosts
>> that only have a single uplink and were connected to that particular
>> chassis.
>> 
>> When I came to the data centre I found the failed chassis in rommon.
>> A simple "boot" command restored everything to working order.
>> 
>> Now to spare me that drive in case that happens again - is it possible
>> to use the console port of a working Catalyst 6500 to act as a terminal
>> server for the other one? We have quite a lot of spare rollover cables ;-)
>> 
>> I found these instructions but I think I'm missing something:
>> https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html
>> 
>> ip host other 2000 1.2.3.4
>> 
>> Core2#telnet 1.2.3.4 2000
>> Trying 1.2.3.4, 2000 ... 
>> % Connection refused by remote host
>> 
>> I used the real IP address of loopback0, of course.
>> 
>> 
>> Side note/question: any idea what could cause a Cat6500 VS-S720-10G
>> to fail, reset (I can understand *that*) and then not boot into IOS and stay
>> in rommon?
>> 
>> Standby BOOT variable = 
>> sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
>> Standby Configuration register is 0x2102 
>> 
>> Core2#dir slavesup-bootdisk:
>> ...
>> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
>> 
>> 
>> Thanks!
>> Patrick
>> -- 
>> punkt.de GmbH       Internet - Dienstleistungen - Beratung
>> Kaiserallee 13a     Tel.: 0721 9109-0 Fax: -100
>> 76133 Karlsruhe     i...@punkt.de       http://punkt.de
>> AG Mannheim 108285  Gf: Juergen Egeling
>> 


Re: [c-nsp] line con 0 as terminal server on Cat6500?

2018-05-18 Thread Aaron Gould
I'm not sure if you can use a console port for connecting to another router's 
console port , but you can use the auxiliary (aux) port to do that.  I've done 
it many times

Aaron

> On May 18, 2018, at 1:55 AM, Patrick M. Hausen <hau...@punkt.de> wrote:
> 
> Hi all,
> 
> last weekend one switch in our VSS pair failed. Redundancy/VSS
> did work and we kept our connectivity besides a couple of hosts
> that only have a single uplink and were connected to that particular
> chassis.
> 
> When I came to the data centre I found the failed chassis in rommon.
> A simple "boot" command restored everything to working order.
> 
> Now to spare me that drive in case that happens again - is it possible
> to use the console port of a working Catalyst 6500 to act as a terminal
> server for the other one? We have quite a lot of spare rollover cables ;-)
> 
> I found these instructions but I think I'm missing something:
> https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html
> 
> ip host other 2000 1.2.3.4
> 
> Core2#telnet 1.2.3.4 2000
> Trying 1.2.3.4, 2000 ... 
> % Connection refused by remote host
> 
> I used the real IP address of loopback0, of course.
> 
> 
> Side note/question: any idea what could cause a Cat6500 VS-S720-10G
> to fail, reset (I can understand *that*) and then not boot into IOS and stay
> in rommon?
> 
> Standby BOOT variable = 
> sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
> Standby Configuration register is 0x2102 
> 
> Core2#dir slavesup-bootdisk:
> ...
> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
> 
> 
> Thanks!
> Patrick
> -- 
> punkt.de GmbH       Internet - Dienstleistungen - Beratung
> Kaiserallee 13a     Tel.: 0721 9109-0 Fax: -100
> 76133 Karlsruhe     i...@punkt.de       http://punkt.de
> AG Mannheim 108285  Gf: Juergen Egeling
> 


Re: [c-nsp] Multicast in VRF

2018-03-21 Thread Aaron Gould
I wonder if it gets pruned right after the first packet... maybe you have to 
do some igmp config for the underlying vlan804 receiver segment's L2 interfaces

I'm guessing as it's been a while since I did much with mcast

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan 
Gregor
Sent: Monday, March 19, 2018 2:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Multicast in VRF

Hi guys,

I am stumped by a multicast issue on one of my 6500 switches running 
s72033-adventerprisek9-mz.151-2.SY11.bin code. Actually it is two 6500s in VSS, 
but it should not matter, correct me if I am wrong.

The topology is fairly simple, a source is connected to one VLAN on 6500, then 
the receiver is on another VLAN on the same 6500. Both VLANs are in the same 
VRF. Both VLANs are configured for PIM Sparse mode. 
Multicast routing is enabled for the VRF. Relevant config:
vrf definition TEST
  rd 65000:803
  !
  address-family ipv4
  exit-address-family
!
ip multicast-routing
ip multicast-routing vrf TEST
!
ip pim vrf TEST rp-address 10.0.0.1
!
interface Vlan803
  description SOURCE
  vrf forwarding TEST
  ip address 10.0.0.1 255.255.255.0
  ip pim sparse-mode
  arp timeout 300
!
interface Vlan804
  description RECEIVER
  vrf forwarding TEST
  ip address 192.168.2.1 255.255.255.0
  ip pim sparse-mode
  load-interval 30
  arp timeout 300

I see multicast routing entries in the mroute table for the VRF increasing:
sh ip mroute vrf TEST
...
Outgoing interface flags: H - Hardware switched, A - Assert winner
  Timers: Uptime/Expires
  Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.2.196), 00:24:57/stopped, RP 10.0.0.1, flags: SJC
   Incoming interface: Null, RPF nbr 0.0.0.0
   Outgoing interface list:
 Vlan804, Forward/Sparse, 00:24:57/00:02:40

(10.0.0.11, 239.192.2.196), 00:24:57/00:02:57, flags: T
   Incoming interface: Vlan803, RPF nbr 0.0.0.0, RPF-MFD
   Outgoing interface list:
 Vlan804, Forward/Sparse, 00:24:57/00:02:40, H

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1503, Packets received: 1503
   RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
   Source: 10.0.0.11/32, Forwarding: 1503/1/84/0, Other: 1503/0/0

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1510, Packets received: 1510
   RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
   Source: 10.0.0.11/32, Forwarding: 1510/1/84/0, Other: 1510/0/0

I am testing it by running ping on the source "ping -t 64 239.192.2.196". I see 
packets leaving the source as verified by tcpdump. 
However packets are not making it to the receiver as verified by tcpdump.

Funny thing is that when I clear the mroute table on the switch by issuing 
"clear ip mroute vrf TEST *" I receive EXACTLY ONE ping packet on the receiver, 
then again nothing:
20:17:02.576050 IP 10.0.0.11 > 239.192.2.196: ICMP echo request, id 11724, seq 625, length 64

Any pointers would be greatly appreciated.

Best regards,

Jan Gregor





Re: [c-nsp] Nexus 3048 airflow configuration

2018-03-16 Thread Aaron
bow and afr

On Thursday, March 15, 2018, Carsten Bormann  wrote:

> On Mar 15, 2018, at 20:48, Garrett Skjelstad 
> wrote:
> >
> > port-side
>
> What do you call the other side?  Starboard?
>
> (SCNR.)
>
> Grüße, Carsten
>

Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-02-05 Thread Aaron Gould
Thanks y’all, to be clear, are you saying “…VPLS. Segment Routing…”  you view 
those as fad technologies ?  …or the opposite?

Yeah, I remember working for the US Navy in San Diego in 1999 and sitting in a 
class taught by a vendor-provided SE, FORE Systems.  The class was about, yep 
you guessed it with the mention of the vendor (FORE)…class was on ATM… LANE…. 
Etc.  You may recall that in the late 90’s, early 2000’s, ATM was going to save 
the world.  At one point in the class, the instructor paused and made a 
seemingly prophetic statement… he said, all this ATM stuff is new and great and 
all that, but he then erased the board and said this will all be superseded by 
this technology in the next several years… and he wrote 4 letters on the 
board…. M-P-L-S…. then we all stared at him and didn’t know what he was talking 
about, because ATM was new and awesome and we were completely taken up in the 
latest 20 million dollar US Navy atm-to-the-desktop project…. And also , we had 
no idea what he was talking about with mpls…. Then he erased those 4 letters 
and went back to talking about LECS, LES, BUS, LEC operations in LANE ELAN’s….  
LOL….

 

-Aaron

 


Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-02-01 Thread Aaron Gould
As my teenage son would say. "bet" !

-Aaron

--

Heck yeah, pair of cheapest asr920 at each end and PWs between the DCs and 
you're done.

adam



Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-02-01 Thread Aaron Gould
So I think (I could be wrong as I'm not a server guy) that all this L2
network emulation is because of server virtualization and moving vm's or
vmotion or something like that, and that they need to be in same ip subnet
(aka bcast domain) correct ?

*if* that's true, and *if* all this layer 2 networking madness is because of
that point stated above, I would think that someone (vendors/standards
bodies/companies) would/should be working really hard to make that server
stuff work in different bcast domains (different subnets)...so we wouldn't
have to do all that L2 stuff

-Aaron




Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-01-30 Thread Aaron Gould
Ha, thanks Justin, I just read the answer to my question I just posted...
OTV is cisco proprietary.  Is OTV gaining steam in the industry as a
potential ietf standard ?

Interesting things you mention about assigning asics, and linecard
dependencies...

-Aaron




Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-01-30 Thread Aaron Gould
Thanks, so is OTV cisco proprietary ? 

-Aaron 




Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-01-30 Thread Aaron Gould
Thanks

"With regards to the load-sharing in L2
 -problem is you'll never get IP like load-sharing in L2 since Ethernet is
fundamentally flawed in this regard as it just can't associate same mac
address with two ports."

I thought with bgp-mac-routes in evpn, you could engineer traffic with same
knobs used in bgp-ip-routes. ?

I thought with evpn, you could have active-active multi-homed forwarding
across 2 ports, 2 CE's. ?

-Aaron 
  




Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue

2018-01-29 Thread Aaron Gould
I'm just trying to learn about OTV as I haven't heard much about it...  is
OTV an IETF standard ?

Also, I wonder why I would use one of these (EVPN, VX-LAN, OTV) over the
other ?  let me know if those 3 don't belong in the same comparison family.


I just watched a cisco video and see that the OTV AED (authoritative edge
device is only one, so I guess multi-active-active forwarders which EVPN
brags about can't be done in OTV ?)

Also, I see OTV is gre encaped, and I hear that vxlan is udp encaped, and
evpn, I forget, but I think is just eompls, so I guess vxlan or otv can be
done over non-mpls clouds ?...maybe these are things that would push
me/others in one direction or the other when choosing a l2-emulation
mechanism for DC or whatever we need it for.

- Aaron




Re: [c-nsp] ip vrf autoclassify source - loss of connectivity to hosts

2018-01-25 Thread Aaron Gould
What is this syntax ?  Is this an IOS command ?  "Cisco-AVpair =
"ip:vrf-id=VRF1"

- Aaron




Re: [c-nsp] me3600 ospf %100 cpu blowup

2018-01-15 Thread Aaron Gould
ospf neighbors won't come up either with different mtu's

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark
Tinka
Sent: Monday, January 15, 2018 8:00 AM
To: Aaron
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] me3600 ospf %100 cpu blowup



On 14/Jan/18 17:36, Aaron wrote:

> Size of the ospf table

Been a long while since I ran OSPF in production - but I know IS-IS tests
the MTU as adjacencies are built, and won't work unless PDU's are sent
unfragmented across the wire.

Mark.


Re: [c-nsp] me3600 ospf %100 cpu blowup

2018-01-15 Thread Aaron Gould
I had something similar happen to me a couple months ago, and posted it
here...

[c-nsp] ospf database size - affects that underlying transport mtu might
have

https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg65794.html


- Aaron




Re: [c-nsp] me3600 ospf %100 cpu blowup

2018-01-14 Thread Aaron
Size of the ospf table

On Sunday, January 14, 2018, Mark Tinka  wrote:

>
>
> On 13/Jan/18 18:33, adamv0...@netconsultings.com wrote:
>
> > Hmm could it be that you hit the mtu limit of your links (which is not 9216
> > but just 9000)?
>
> That would make sense - but if it's been working all this time, what
> changed?
>
> Is your transport network dark or leased?
>
> Mark.
>


Re: [c-nsp] ip vrf autoclassify source - loss of connectivity to hosts

2018-01-12 Thread Aaron Gould
This "ip vrf autoclassify source" feature looks to be a very nice auto-pbr
solution for allowing multiple vrf's on one interface!

I'd like to know if anyone has used it, particularly in the cable modem
world...on Cisco uBR7246VXR, uBR10k, cbr8 

-Aaron




Re: [c-nsp] me3600 ospf %100 cpu blowup

2018-01-12 Thread Aaron Gould
I'll take a stab at it...

Show log... (prior to reboot, so you may need to look at syslog...)

If you see NILE ASIC errors of some sort, I recall TAC telling me there isn't a 
fix and reboot is required.  :|

I recall the nile asic thing being l2vpn related so I dunno about the ospf 
thing

-Aaron



