Re: [c-nsp] IOS XR filter route from OSPF?
Are you running BFD on the link as well?

On Thu, Nov 30, 2023 at 8:33 AM Drew Weaver via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

> Can you point me towards a hint on how you implement import/export filters
> in OSPF on IOS XR?
>
> Are you referring to 'distribute lists'?
>
> Another thing that is a bit quirky from my standpoint is why when the
> remote router gets knocked offline BFD on the OSPF process doesn't kill the
> route immediately.
>
> It seems like it takes 15-20 seconds for the route to be removed entirely
> from OSPF from when the transport goes down.
>
> Thanks,
> -Drew
>
> -----Original Message-----
> From: cisco-nsp On Behalf Of Mark Tinka via cisco-nsp
> Sent: Tuesday, November 28, 2023 10:34 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] IOS XR filter route from OSPF?
>
> On 11/28/23 17:02, Nick Hilliard via cisco-nsp wrote:
>
> > prefix filtering is a defining feature of a policy routing protocol.
> > OSPF is a link-state protocol, and doesn't support the concept of
> > having different visibility of prefixes inside the same area. If you
> > want that with OSPF, you'll need to divide your network into different
> > areas, which is messy. Probably better off using bgp for this.
>
> Filtering in link state routing protocols is a bit of a misnomer,
> technically speaking... but, you can use import/export filters on routers
> with OSPF and IS-IS.
>
> It would not necessarily limit the LSA/LSP flooding scope, but you end up
> with the desired outcome (all manner of caveats apply).
>
> All that said, the usefulness of an IGP is in its homogeneous view of the
> network from and by all participating nodes. Bad things can happen when one
> partitions IGPs, especially in an unintended way. As you say, BGP is
> better for this kind of thing, as typically, IGPs should carry
> infrastructure prefixes, and you don't really want to filter those as they
> provide basic router-to-router connectivity.
>
> Mark.
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Internet border router recommendations and experiences
https://apps.juniper.net/home/port-checker/index.html nice website to check port mix capabilities.

-Aaron

On 2/22/2023 5:06 PM, Thomas Scott via cisco-nsp wrote:

Yes - 400 Gbps throughput total, if I recall correctly.

The MX204 has four rate-selectable ports that can be configured as 100-Gigabit Ethernet ports or 40-Gigabit Ethernet ports, or each port can be configured as four 10-Gigabit Ethernet ports (by using a breakout cable). The MX204 also has eight 10-Gigabit Ethernet ports. The four rate-selectable ports support QSFP28 and QSFP+ transceivers, whereas the eight 10-Gigabit Ethernet ports support SFP+ transceivers.

https://www.juniper.net/documentation/us/en/hardware/mx204/topics/concept/mx204-description.html

Best Regards,
-Thomas Scott

On Wed, Feb 22, 2023 at 5:19 PM Eric Louie via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

Oh geez, I just realized I left a zero off the interface - we need 100G interfaces both upstream (x1) and downstream (x2). That probably changes the product choices a little bit.

Anyone with 100G Internet feeds want to let me know what you're using for a border router? I saw one reply for Arista already.

Does the MX204 have 100GE interfaces and throughput?

-e-
Eric Louie

On Wednesday, February 22, 2023 at 12:43:52 PM PST, Mark Tinka wrote:

On 2/22/23 20:29, Eric Louie wrote:

Mark, thanks. We were quoted a MX304 for the Internet edge from Juniper. How has your experience been with it? are you 10G upstream and downstream? Any IPS on the 10G connection?

The MX304 is not worth the money, for as long as the MX204 exists.

We tried an NCS-5501 and it was a disaster, in a word. The 10G interface, uRPF, source-based blackholing, and routing table depth with Cisco is a limiting factor in their product line.

Broadcom-based systems should always be looked at with one eye open, i.e., test test test before you commit. This applies to any vendor, not just Cisco.

Mark.

Re: [c-nsp] How can one escalate within Cisco TAC?
I think the problem is they let the good ones go.

On Wednesday, February 8, 2023, Mark Tinka via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

> On 2/8/23 10:23, Saku Ytti via cisco-nsp wrote:
>
>> Working would be much more pleasurable if half the
>> world's white collar workers wouldn't be unemployed plat card holders
>> and cruising without output, while looking down on people doing 3 jobs
>> and not qualifying for a mortgage.
>
> Sadly, as folk move up in career, title, status and income, they tend to
> become less useful on a real, practical, rubber-meets-the-road level.
> Which, in all fairness, I would be okay with if they had a team that made
> them look good. But in most cases, they don't even have that, or if they
> do, find a proper way to muck that up as well.
>
> It's a general issue - not to pick only on Cisco.
>
> Mark.

Re: [c-nsp] Large prefix lists/sets on IOS-XR
netconf?

On Thu, Dec 8, 2022 at 6:03 PM Sander Steffann via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

> Hi,
>
> What is the best/most efficient/most convenient way to push large prefix
> lists or sets to an XR router for BGP prefix filtering? Pushing thousands
> of lines through the CLI seems foolish, I tried using the load command but
> it seems horribly slow. What am I missing? :)
>
> Cheers!
> Sander

Re: [c-nsp] NTP network design considerations
You can set up a Raspberry Pi as a server and do GPS. Not sure on the scalability (how many devices it can handle) of that but it does work. I would do at least 3 in different servers/locations, then have my routers slave off them and peer with each other. It is internal and is cheap. There are a few sources on the internet that I trust for time. It depends on your level of comfort.

Aaron

On Fri, Oct 14, 2022 at 2:43 PM harbor235 via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

> I hear what you're saying but NTP is an active attack vector, I don't trust
> outside resources implicitly and traffic segmentation is a prudent measure
> especially if you are getting internet time. Now if you have your own
> stratum1 then I understand your point more.
>
> Mike
>
> On Fri, Oct 14, 2022 at 10:45 AM Gert Doering wrote:
>
> > Hi,
> >
> > On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> > > How are you integrating NTP into your infrastructures? Is it part of your
> > > management network(s)?
> >
> > NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
> > are just sitting "on the Internet" and our machines sync to them, and
> > monitor their relative times (= so if one is misbehaving, NTP will
> > do the right thing on its own, and monitoring will tell us so we can
> > fix it).
> >
> > The machines protect themselves by local iptables rules for SSH/https,
> > and in-band by NTP access rules ("serve time to everyone, serve larger
> > responses only to management systems, do not believe anyone").
> >
> > I've never understood this obsession on filtering things that are intended
> > to be put out in the wild.
> >
> > gert
> >
> > Gert Doering - Munich, Germany

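The access policy Gert describes in the quoted message (serve time to everyone, answer the larger query responses only for management systems, accept nothing from clients), checked against a configuration, as an added example that is not from the thread. It assumes the reference ntpd `restrict` syntax, reads "do not believe anyone" as `nomodify` plus `nopeer`, and uses constructed configs in which 192.0.2.0/24 stands in for the management network.

```python
# Flags from ntpd's "restrict" command (reference ntpd syntax is assumed here;
# the thread does not show the actual server configuration).
SERVE_BLOCKERS = {"ignore", "noserve"}   # either one stops time service
TRUST_FLAGS = {"nomodify", "nopeer"}     # this example's reading of "do not believe anyone"

# Constructed sample configurations.
WEAK = """\
restrict default nomodify notrap
restrict 127.0.0.1
"""

HARDENED = """\
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer   # management
"""


def parse_restrict(conf):
    """Return one dict per 'restrict' line: family, addr, mask, flags."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        family = words.pop(0) if words[0] in ("-4", "-6") else None
        if not words:
            continue
        addr = words.pop(0)
        mask = None
        if len(words) >= 2 and words[0] == "mask":
            mask, words = words[1], words[2:]
        entries.append({"family": family, "addr": addr,
                        "mask": mask, "flags": set(words)})
    return entries


def audit(conf):
    """Check the default restrict entries against the three-part policy."""
    defaults = [e for e in parse_restrict(conf) if e["addr"] == "default"]
    findings = []
    if not defaults:
        findings.append("no 'restrict default': unknown hosts get unrestricted access")
    for e in defaults:
        tag = "restrict %sdefault" % (e["family"] + " " if e["family"] else "")
        if e["flags"] & SERVE_BLOCKERS:
            findings.append(tag + ": time is not served to everyone")
        if "ignore" in e["flags"]:
            continue  # everything is dropped, the remaining checks do not apply
        if "noquery" not in e["flags"]:
            findings.append(tag + ": ntpq/ntpdc queries are answered for any source")
        missing = sorted(TRUST_FLAGS - e["flags"])
        if missing:
            findings.append(tag + ": missing " + ", ".join(missing))
    return findings


def query_sources(conf):
    """Addresses still allowed to send ntpq/ntpdc queries (should be management only)."""
    return [e["addr"] for e in parse_restrict(conf)
            if e["addr"] != "default" and not e["flags"] & {"noquery", "ignore"}]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf), query_sources(conf))
```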
Re: [c-nsp] Link down affecting BGP peer
Are the sessions that bounced hashed to use the failed/turned off link?

On Thu, May 5, 2022 at 12:07 PM Hank Nussbacher wrote:

> I have 4 individual links defined as part of a Bundle-ether (IOS-XR
> 5.3.3 on ASR9010):
>
> interface TenGigE0/2/0/1
>  bundle id 2 mode active
>  flow-control bidirectional
>  carrier-delay up 100 down 4000
> ! They are all part of a bundle...
> interface Bundle-Ether2
>  mtu 9192
>  bundle minimum-active links 2
>
> When I shut off just 1 of these 4 links - the bundle stays up yet
> certain BGP sessions flap for about 5 seconds - different peers
> depending on which of the 4 links gets turned down.
>
> My BGP config:
> router bgp 378
>  rpki server x.139.197.151
>   transport tcp port 8282
>   refresh-time 600
>  !
>  bgp log neighbor changes detail
>  address-family ipv4 unicast
>   bgp dampening 5 750 3000 10
>   bgp attribute-download
>  !
>  neighbor x.x.125.1
>   remote-as 5
>   address-family ipv4 unicast
>    send-community-ebgp
>    soft-reconfiguration inbound
>
> What could be causing the bgp peer to flap even though the LAG stays up?
>
> Thanks,
> Hank

Re: [c-nsp] IOS-XR Vs. NTP in a duel to the death.
I typically use 3 external as servers and then have the core peer with themselves. I don't think that will help in this case but it does seem like something is borked.

On Tue, Nov 2, 2021 at 8:42 AM Lukas Tribus wrote:

> I don't think you will get anywhere without actually capturing the
> entire NTP traffic between the host and the NTP server and analyzing
> it.
>
> Lukas

Re: [c-nsp] vs isis delay propagation of loopback interfec
+1 overload bit.

On Tue, Dec 15, 2020 at 1:58 PM Saku Ytti wrote:

> Hey,
>
> > Can someone help me out here? I'm trying to find a way to delay the
> > propagation of a loopback interface in isis.
> >
> > The problem is the border node in sd-access, which uses the loopback
> > interface for Lisp, and as soon the fabric sees the interface it sends
> > traffic to the address.
> >
> > But at this time bgp might not be ready out of the fabric.
>
> I assume this means you have multiple options in iBGP and you are
> redirecting it too early. Perhaps:
>
> set-overload-bit on-startup wait-for-bgp
>
> Or perhaps have another loopback for services which is iBGP only carried.
>
> --
> ++ytti

Re: [c-nsp] ASR920 Break Into ROMMON
Great news.

On Friday, December 4, 2020, Scott Miller wrote:

> This worked! I pulled the SD card, slotted into a linux laptop, renamed
> the "good" ios file to the "bad" name, slotted the SD card back into the
> 920 and booted it up. Came up like a champ. Then, corrected my mistake
> and of course ... removed "no service password-recovery" so that doesn't
> bite me again.
>
> Thanks to all who offered suggestions. Many thanks.
>
> On Fri, Dec 4, 2020 at 5:18 AM Cassidy B. Larson wrote:
>
> > I believe the bootflash is an SD card inside, you could pop it out and see
> > if you can modify it on another asr920 or device, renaming the new filename
> > to the one it's looking for. Long shot, but who knows, might work?
> >
> > On Thu, Dec 3, 2020 at 5:24 PM Scott Miller wrote:
> >
> >> Ya I tried that too, it still tries to find the wrong ios file and starts
> >> its loop again. This one might be a brick.
> >>
> >> On Thu, Dec 3, 2020 at 5:15 PM Aaron wrote:
> >>
> >> > Try this
> >> >
> >> > https://packetlife.net/blog/2010/oct/11/recovering-no-service-password-recovery-service/
> >> >
> >> > On Thursday, December 3, 2020, Aaron wrote:
> >> >
> >> >> Looks like you need to talk to TAC. The password recovery being disabled
> >> >> is not your friend.
> >> >>
> >> >> https://community.cisco.com/t5/routing/asr-920-boot-fail/td-p/3834996
> >> >>
> >> >> On Thursday, December 3, 2020, Scott Miller wrote:
> >> >>
> >> >>> The output didn't seem to format well, let's try it again:
> >> >>>
> >> >>> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
> >> >>> Technical Support: http://www.cisco.com/techsupport
> >> >>> Copyright (c) 2015 by cisco Systems, Inc.
> >> >>> Compiled Wed 01-Jul-15 03:53 by sdcunha
> >> >>> Starting Initialization of FMAN0
> >> >>> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
> >> >>> Silicon Rev Major:Minor [1:1]
> >> >>> Initializing the pci..
> >> >>> IOFPGA version[17082912]
> >> >>> Boot ROM0
> >> >>> Last reset cause: BootFromUpgradeRegFail
> >> >>> UEA platform with 1572863 Kbytes of main memory
> >> >>>
> >> >>> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
> >> >>>
> >> >>> .Break detected: (0x1)
> >> >>> Do you want to reset the router to the factory default
> >> >>> configuration and proceed [y/n] ?y
> >> >>>
> >> >>> Router rebooting with factory default configuration
> >> >>>
> >> >>> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
> >> >>> Technical Support: http://www.cisco.com/techsupport
> >> >>> Copyright (c) 2015 by cisco Systems, Inc.
> >> >>> Compiled Wed 01-Jul-15 03:53 by sdcunha
> >> >>> Starting Initialization of FMAN0
> >> >>> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
> >> >>> Silicon Rev Major:Minor [1:1]
> >> >>> Initializing the pci..
> >> >>> IOFPGA version[17082912]
> >> >>> Boot ROM0
> >> >>> Last reset cause: BootFromUpgradeRegFail
> >> >>> UEA platform with 1572863 Kbytes of main memory
> >> >>>
> >> >>> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
> >> >>>
> >> >>> .Resetting upgrade counter from failed upgrade
> >> >>> Directory asr920-universalk9_npe.16.06.05a.SPA.bin not found
> >> >>> Unable to locate asr920-universalk9_npe.16.06.05a.SPA.bin directory
> >> >>> Unable to load asr920-universalk9_npe.16.06.05a.SPA.bin
> >> >>> boot: error executing "boot bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin"
> >> >>> autoboot: boot failed, restarting...
> >> >>>
> >> >>> On Thu, Dec 3, 2020 at 4:32 PM Scott Miller wrote:
> >> >>>
> >> >>> > I have an ASR-920-12SZ-IM, which I inadvertently entered the wrong boot

Re: [c-nsp] ASR920 Break Into ROMMON
Try this

https://packetlife.net/blog/2010/oct/11/recovering-no-service-password-recovery-service/

On Thursday, December 3, 2020, Aaron wrote:

> Looks like you need to talk to TAC. The password recovery being disabled
> is not your friend.
>
> https://community.cisco.com/t5/routing/asr-920-boot-fail/td-p/3834996
>
> On Thursday, December 3, 2020, Scott Miller wrote:
>
>> The output didn't seem to format well, let's try it again:
>>
>> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 2015 by cisco Systems, Inc.
>> Compiled Wed 01-Jul-15 03:53 by sdcunha
>> Starting Initialization of FMAN0
>> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
>> Silicon Rev Major:Minor [1:1]
>> Initializing the pci..
>> IOFPGA version[17082912]
>> Boot ROM0
>> Last reset cause: BootFromUpgradeRegFail
>> UEA platform with 1572863 Kbytes of main memory
>>
>> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>>
>> .Break detected: (0x1)
>> Do you want to reset the router to the factory default
>> configuration and proceed [y/n] ?y
>>
>> Router rebooting with factory default configuration
>>
>> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 2015 by cisco Systems, Inc.
>> Compiled Wed 01-Jul-15 03:53 by sdcunha
>> Starting Initialization of FMAN0
>> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
>> Silicon Rev Major:Minor [1:1]
>> Initializing the pci..
>> IOFPGA version[17082912]
>> Boot ROM0
>> Last reset cause: BootFromUpgradeRegFail
>> UEA platform with 1572863 Kbytes of main memory
>>
>> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>>
>> .Resetting upgrade counter from failed upgrade
>> Directory asr920-universalk9_npe.16.06.05a.SPA.bin not found
>> Unable to locate asr920-universalk9_npe.16.06.05a.SPA.bin directory
>> Unable to load asr920-universalk9_npe.16.06.05a.SPA.bin
>> boot: error executing "boot bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin"
>> autoboot: boot failed, restarting...
>>
>> On Thu, Dec 3, 2020 at 4:32 PM Scott Miller wrote:
>>
>> > I have an ASR-920-12SZ-IM, which I inadvertently entered the wrong boot
>> > command in the config, saved the config and rebooted. Now it's stuck in a
>> > boot loop. I've tried breaking the boot, it asks if I want to reset to
>> > factory default, and I enter "y", it reboots but still tries to find that
>> > same bad ios file I entered in the initial configuration which was supposed
>> > to have been wiped when it went to factory default. I can't for the life
>> > of me figure out how to get into ROMMON on this box. Each time I break the
>> > boot, it just goes back to the same question, asking if I want to factory
>> > default.
>> >
>> > Here's what it's doing:
>> >
>> > System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1) Technical
>> > Support: http://www.cisco.com/techsupport Copyright (c) 2015 by cisco
>> > Systems, Inc. Compiled Wed 01-Jul-15 03:53 by sdcunha Starting
>> > Initialization of FMAN0 Loading ucode for FMAN0, size: 31424, ver:
>> > 106.04.14 Silicon Rev Major:Minor [1:1] Initializing the pci.. IOFPGA
>> > version[17082912] Boot ROM0 Last reset cause: BootFromUpgradeRegFail UEA
>> > platform with 1572863 Kbytes of main memory PASSWORD RECOVERY FUNCTIONALITY
>> > IS DISABLED .Break detected: (0x1) Do you want to reset the router to
>> > the factory default configuration and proceed [y/n] ?y Router rebooting
>> > with factory default configuration System Bootstrap, Version 15.5(3r)S2,
>> > RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport
>> > Copyright (c) 2015 by cisco Systems, Inc. Compiled Wed 01-Jul-15 03:53 by
>> > sdcunha Starting Initialization of FMAN0 Loading ucode for FMAN0, size:
>> > 31424, ver: 106.04.14 Silicon Rev Major:Minor [1:1] Initializing the pci..
>> > IOFPGA version[17082912] Boot ROM0 Last reset cause: BootFromUpgradeRegFail
>> > UEA platform with 1572863 Kbytes of main memory PASSWORD RECOVERY
>> > FUNCTIONALITY IS DISABLED .Resetting upgrade counter from failed
>> > upgrade Directory asr920-universalk9_npe.16.06.05a.SPA.bin not found Unable
>> > to locate asr920-unive

Re: [c-nsp] ASR920 Break Into ROMMON
Looks like you need to talk to TAC. The password recovery being disabled is not your friend.

https://community.cisco.com/t5/routing/asr-920-boot-fail/td-p/3834996

On Thursday, December 3, 2020, Scott Miller wrote:

> The output didn't seem to format well, let's try it again:
>
> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 2015 by cisco Systems, Inc.
> Compiled Wed 01-Jul-15 03:53 by sdcunha
> Starting Initialization of FMAN0
> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
> Silicon Rev Major:Minor [1:1]
> Initializing the pci..
> IOFPGA version[17082912]
> Boot ROM0
> Last reset cause: BootFromUpgradeRegFail
> UEA platform with 1572863 Kbytes of main memory
>
> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>
> .Break detected: (0x1)
> Do you want to reset the router to the factory default
> configuration and proceed [y/n] ?y
>
> Router rebooting with factory default configuration
>
> System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 2015 by cisco Systems, Inc.
> Compiled Wed 01-Jul-15 03:53 by sdcunha
> Starting Initialization of FMAN0
> Loading ucode for FMAN0, size: 31424, ver: 106.04.14
> Silicon Rev Major:Minor [1:1]
> Initializing the pci..
> IOFPGA version[17082912]
> Boot ROM0
> Last reset cause: BootFromUpgradeRegFail
> UEA platform with 1572863 Kbytes of main memory
>
> PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
>
> .Resetting upgrade counter from failed upgrade
> Directory asr920-universalk9_npe.16.06.05a.SPA.bin not found
> Unable to locate asr920-universalk9_npe.16.06.05a.SPA.bin directory
> Unable to load asr920-universalk9_npe.16.06.05a.SPA.bin
> boot: error executing "boot bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin"
> autoboot: boot failed, restarting...
>
> On Thu, Dec 3, 2020 at 4:32 PM Scott Miller wrote:
>
> > I have an ASR-920-12SZ-IM, which I inadvertently entered the wrong boot
> > command in the config, saved the config and rebooted. Now it's stuck in a
> > boot loop. I've tried breaking the boot, it asks if I want to reset to
> > factory default, and I enter "y", it reboots but still tries to find that
> > same bad ios file I entered in the initial configuration which was supposed
> > to have been wiped when it went to factory default. I can't for the life
> > of me figure out how to get into ROMMON on this box. Each time I break the
> > boot, it just goes back to the same question, asking if I want to factory
> > default.
> >
> > Here's what it's doing:
> >
> > System Bootstrap, Version 15.5(3r)S2, RELEASE SOFTWARE (fc1) Technical
> > Support: http://www.cisco.com/techsupport Copyright (c) 2015 by cisco
> > Systems, Inc. Compiled Wed 01-Jul-15 03:53 by sdcunha Starting
> > Initialization of FMAN0 Loading ucode for FMAN0, size: 31424, ver:
> > 106.04.14 Silicon Rev Major:Minor [1:1] Initializing the pci.. IOFPGA
> > version[17082912] Boot ROM0 Last reset cause: BootFromUpgradeRegFail UEA
> > platform with 1572863 Kbytes of main memory PASSWORD RECOVERY FUNCTIONALITY
> > IS DISABLED .Break detected: (0x1) Do you want to reset the router to
> > the factory default configuration and proceed [y/n] ?y Router rebooting
> > with factory default configuration System Bootstrap, Version 15.5(3r)S2,
> > RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport
> > Copyright (c) 2015 by cisco Systems, Inc. Compiled Wed 01-Jul-15 03:53 by
> > sdcunha Starting Initialization of FMAN0 Loading ucode for FMAN0, size:
> > 31424, ver: 106.04.14 Silicon Rev Major:Minor [1:1] Initializing the pci..
> > IOFPGA version[17082912] Boot ROM0 Last reset cause: BootFromUpgradeRegFail
> > UEA platform with 1572863 Kbytes of main memory PASSWORD RECOVERY
> > FUNCTIONALITY IS DISABLED .Resetting upgrade counter from failed
> > upgrade Directory asr920-universalk9_npe.16.06.05a.SPA.bin not found Unable
> > to locate asr920-universalk9_npe.16.06.05a.SPA.bin directory Unable to load
> > asr920-universalk9_npe.16.06.05a.SPA.bin boot: error executing "boot
> > bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin" autoboot: boot failed,
> > restarting...
> >
> > The boot file bootflash:asr920-universalk9_npe.16.06.05a.SPA.bin is
> > invalid and does not exist. The correct file which is on the box
> > is bootflash:asr920igp-universalk9_npe.16.06.05a.SPA.bin
> >
> > Anyone know how to break into ROMMON to blow out this config? I've been
> > at it for a couple hours, nothing I've found googling seems to work.
> >
> > Thanks.

Re: [c-nsp] AAA on IOS-XR (NCS540)
This isn't a typo is it?

aaa authentication login default group TACACS line!

should it be

aaa authentication login default group TACACS line <<< no !

On Thu, Dec 3, 2020 at 2:13 PM Eric Van Tol wrote:

> No, all I have is:
>
> control-plane
>  management-plane
>   inband
>    interface TenGigE0/0/0/27
>     allow all
>    !
>    interface TenGigE0/0/0/23.1550
>     allow all
>    !
>    interface TenGigE0/0/0/25.1550
>     allow all
>    !
>   !
>
> What exactly does this do? I mean, I have an inkling, but I wouldn’t
> expect TACACS to work at all if I was missing a config to allow it to
> respond to the router.
>
> From: Scott Miller
> Date: Thursday, December 3, 2020 at 1:52 PM
> To: Eric Van Tol
> Cc: "cisco-nsp@puck.nether.net"
> Subject: Re: [c-nsp] AAA on IOS-XR (NCS540)
>
> Do you have the control-plane set up?
>
> tacacs source-interface Loopback100 vrf default
> tacacs-server host 11.11.11.11 port 49
>  key 7
> !
> tacacs-server host 22.22.22.22 port 49
>  key 7
> !
>
> aaa accounting exec default start-stop group acs-tacacs
> aaa accounting system default start-stop group acs-tacacs
> aaa accounting commands default start-stop group acs-tacacs
> aaa group server tacacs+ acs-tacacs
>  server 11.11.11.11
>  server 22.22.22.22
> !
> aaa authorization exec default group acs-tacacs local
> aaa authorization commands default group acs-tacacs none
> aaa authentication login default group acs-tacacs local
>
> line console
>  exec-timeout 10 0
> !
> line default
>  password 7
>  exec-timeout 30 0
>  session-timeout 30
>  transport input ssh
> !
> vty-pool default 0 20
>
> control-plane
>  management-plane
>   inband
>    interface all
>     allow all peer
>      address ipv4 11.12.12.12
>      address ipv4 11.13.13.13
>      address ipv4 11.14.14.14
>
> On Thu, Dec 3, 2020 at 11:33 AM Eric Van Tol wrote:
>
> Hi all,
> I’m going nuts here trying to get my AAA set up on an NCS. The goal is to
> authenticate against TACACS on VTY lines but either use the local user
> database or line/enable for console access and I cannot get it right.
> Sometimes my VTY authentication fails the first time and it requires you to
> put in your password a second time, even though the TACACS servers are
> definitely available. I cannot get console access to work properly at all.
> I’m running XR 7.1.1. Here’s the aaa portion of the config:
>
> tacacs source-interface Loopback1 vrf default
> tacacs-server host 192.168.45.126 port 49
>  key 7 **
>  single-connection
> !
> tacacs-server host 192.168.46.126 port 49
>  key 7 **
>  timeout 3
>  single-connection
> !
> username admin
>  group root-lr
>  group cisco-support
>  secret 10 $secretpass
> !
> aaa group server tacacs+ TACACS
>  server 192.168.45.126
>  server 192.168.46.126
> !
> aaa authorization exec CONSOLE local
> aaa authorization exec default group TACACS local
> aaa authentication login CONSOLE local line
> aaa authentication login default group TACACS line!
> !
> line console
>  password 7 **
>  authorization exec CONSOLE
>  login authentication CONSOLE
> !
> line default
>  password 7 **
>  timeout login response 30
>  authorization exec default
>  login authentication default
>  exec-timeout 0 0
>  access-class ingress access-protect
>  session-timeout 120
>  transport input ssh
> !
>
> I’ve tried different permutations of the line console config and can’t get
> the right combination. Can someone point me in the right direction here?
>
> Thanks in advance,
> evt

Re: [c-nsp] ASR9k RSP440
6.6.x should work too. After that I think everything else is the 64bit. What is everyone's opinion of the 64bit XR?

On Thu, Nov 12, 2020 at 4:37 PM wrote:

> Never ends :)
>
> -Aaron

Re: [c-nsp] Sanity check OSPF/BGP
You didn't specify the platform or code version it is running. Would help with platform specifics.

On Thu, Oct 8, 2020 at 11:47 AM wrote:

> I wonder if bgp neighboring isn't timing out quickly enough for your
> satisfaction and holding routes for a few minutes
>
> -----Original Message-----
> From: cisco-nsp On Behalf Of Drew Weaver
> Sent: Thursday, October 8, 2020 8:01 AM
> To: 'cisco-nsp@puck.nether.net'
> Subject: [c-nsp] Sanity check OSPF/BGP
>
> Hello,
>
> I have two sets of core routers due to a transition period from one set to
> the other.
>
> I have noticed that when there is a connectivity disruption between the two
> sets of core routers and one upstream peering/edge router:
>
> Oct 7 12:01:14 EDT: %OSPF-5-ADJCHG: Process 1, Nbr on TenGigabitEthernet2/1 from FULL to DOWN, Neighbor Down: BFD node down
>
> Oct 7 12:03:29 EDT: %BGP-5-ADJCHANGE: neighbor Down BGP Notification sent
>
> What I expect to happen is:
>
> The route to the peering edge router's loopback interface is
> withdrawn when OSPF/OSPFv3 closes.
> The core router will close the BGP session when the route to
> the dead peering edge router is withdrawn and will begin using one of the 5
> other copies of the same route that it has.
>
> Things I have implemented to avoid this:
>
> The peering edge router and the core routers peer with IP
> addresses that are only learnable via OSPF and aren't available in any other
> protocol. [It's not part of our IP space]
>
> I guess I just need a sanity check regarding whether my assumption that it
> shouldn't be null routing traffic for 2+ minutes if one of our peering edge
> routers gets hit by a meteor is correct since we have 5 peering edge
> routers.
>
> Thanks in advance friends,
> -Drew

Re: [c-nsp] EOBC0/0 ifInErrors
you could deduce if it is a line card or by adding 1 line card at a time.

On Wednesday, September 30, 2020, Nick Hilliard wrote:
> Aaron wrote on 30/09/2020 20:11:
>
>> He is suggesting reseating all cards. Starting with the Supervisor.
>>
>
> correct. power down the box, carefully reseat all cards, power up, see if
> that fixes it.
>
> If it doesn't fix it, then open a TAC case. If the unit isn't under
> support, then you have a problem because this type of error could be one of
> the cards, or the sup, or the backplane and it's really hard to tell which
> without swapping units out. If you can check out the EOBC on the line
> cards using remote login, that might give useful information, maybe.
>
> Nick
Re: [c-nsp] EOBC0/0 ifInErrors
You may need to ask TAC. Unfortunately I do not know. He is suggesting reseating all cards. Starting with the Supervisor.

On Wed, Sep 30, 2020 at 10:14 AM Eugene Grosbein wrote:
> 30.09.2020 19:03, Nick Hilliard wrote:
>
> > Eugene Grosbein wrote on 30/09/2020 05:14:
> >> Yesterday I've created mrtg graph for the counter and it shows steady rate in a range of 16-32 per second.
> >
> > I'd say that is sup + line card reseating territory.
>
> What does it mean?
Re: [c-nsp] EOBC0/0 ifInErrors
sharp increase recently (weekly, daily, hourly). I'd be more concerned with daily and hourly (or less). How frequently do you see them and what is the amount?

On Tue, Sep 29, 2020 at 9:41 AM Eugene Grosbein wrote:
> 29.09.2020 18:56, Nick Hilliard wrote:
>
> > Eugene Grosbein wrote on 29/09/2020 10:08:
> >> Walking SNMP ifTable for Cisco 7606/RSP720-3C-GE I've found that virtual
> >> interface EOBC0/0 (Ethernet out-of-band channel) has increasing counter IF-MIB::ifInErrors.
> >> No visible problems with the box, though.
> >>
> >> Should I worry about this ifInErrors growth?
> >
> > possibly. If the errors are significant, you should try reseating the
> > rsp720 and possibly some of the cards to see if that helps.
>
> Define "significant" :-) This router has uptime over 1 year.
Re: [c-nsp] Mass-renaming interfaces
Unfortunately no.

On Mon, Sep 28, 2020 at 8:50 AM Eugene Grosbein wrote:
> 28.09.2020 17:12, James Bensley wrote:
>
> > On Mon, 28 Sep 2020 at 07:35, Eugene Grosbein wrote:
> >> One of my 7201 routers has four GigabitEthernet interfaces but uses only two,
> >> one for IP uplink and another as client-sided downlink with multiple
> >> sub-interfaces named like GigabitEthernet0/1.10 (encapsulation dot1Q).
> >>
> >> It needs reconfiguration to use 2x1G port-channels. I already did such reconfiguration
> >> for same 7201 router with small number of sub-interfaces and know this is doable
> >> changing sub-interfaces from GigabitEthernet0/1.N to Port-channel1.N
> >>
> >> This time the router has about 800 sub-interfaces. I can do some scripting
> >> to prepare incremental configuration removing/re-creating sub-interfaces,
> >> but I presume high CPU load for router while reconfiguring, long procedure time
> >> and notable service degradation or even interruption.
> >>
> >> Is there some other, more lightweight way to mass-rename sub-interfaces
> >> while switching from single parent interface to Port-channel?
> >
> > Hi Eugene,
> >
> > If you don't want to do this over a series of incremental changes then
> > you can make one "big bang" change by taking a copy of the running
> > configuration, making all the changes to that, and uploading it to the
> > router as a replacement start-up config file, then just reboot the
> > router to apply the config in one action. However, this approach is
> > risky, you need to test that new full configuration file (confirm that
> > the changes only relate to the interface renaming, and that there are
> > no mistakes, typos, wrong VLAN numbers etc.), which is quite tricky.
> >
> > If you've ever wanted a pet project to get you into some network
> > automation and programming stuff this sounds like an ideal project to
> > me. You can definitely do this with Python tools like NAPALM and
> > Nornir. Then you can automate the changes and automate the testing of
> > the changes, and the rollback if required, in either multiple stages
> > or as one giant change; whatever suits your circumstances best.
>
> I've already written my script using AWK, it took moderate amount of time
> to write and debug; it resulted in less than 50 lines. For each sub-interface
> it removes all "ip route" commands referring to it (if any) then removes the interface,
> then adds it back with new name, then re-adds removed routes changing
> interface name.
>
> It's quick-n-dirty but works and is fine for one-time job.
>
> My question was if IOS has some better way to rename sub-interfaces I
> could be unaware of.
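The incremental change described in the thread above (drop the routes that name a sub-interface, remove it, re-create it under the new parent, re-add the routes), together with the "changes only relate to the renaming" check, as an added Python example. It is not the AWK script from the thread, which was not posted; the sample configuration, its addresses and the function names are constructed for illustration, and it assumes Port-channel1 already exists on the router.

```python
import re

OLD_PARENT = "GigabitEthernet0/1"  # parent named in the thread
NEW_PARENT = "Port-channel1"       # target named in the thread

# Constructed sample running-config; all addresses are documentation ranges.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 description customer-a
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 192.0.2.5 255.255.255.252
!
ip route 203.0.113.0 255.255.255.128 GigabitEthernet0/1.10 192.0.2.2
ip route 203.0.113.128 255.255.255.128 GigabitEthernet0/1.100 192.0.2.6
ip route 0.0.0.0 0.0.0.0 198.51.100.2
"""


def _token(name_pattern):
    # Whole-word match, so GigabitEthernet0/1.10 never matches inside ...0/1.100.
    return re.compile(r"(?<!\S)(%s)(?!\S)" % name_pattern)


def parse(config, parent):
    """Return ({subif: [body lines]}, {subif: [static routes that name it]})."""
    head = re.compile(r"^interface (%s\.\d+)$" % re.escape(parent))
    token = _token(re.escape(parent) + r"\.\d+")
    subifs, routes, current = {}, {}, None
    for line in config.splitlines():
        m = head.match(line)
        if m:
            current = m.group(1)
            subifs[current] = []
        elif current and line.startswith(" "):
            subifs[current].append(line)
        else:
            current = None
            t = token.search(line) if line.startswith("ip route ") else None
            if t:
                routes.setdefault(t.group(1), []).append(line)
    return subifs, routes


def build_change(config, old=OLD_PARENT, new=NEW_PARENT):
    """Emit the incremental change in the order described in the thread."""
    subifs, routes = parse(config, old)
    orphans = sorted(set(routes) - set(subifs))
    if orphans:
        raise ValueError("routes name undefined sub-interfaces: %s" % orphans)
    out = []
    for name, body in subifs.items():
        new_name = new + name[len(old):]
        mine = routes.get(name, [])
        out += ["no " + r for r in mine]                    # 1. drop its routes
        out.append("no interface " + name)                  # 2. remove it
        out += ["interface " + new_name] + body + ["exit"]  # 3. re-create it
        swap = _token(re.escape(name))
        out += [swap.sub(lambda _m: new_name, r) for r in mine]  # 4. re-add routes
    return out


def check(config, change, old=OLD_PARENT, new=NEW_PARENT):
    """True if the change only renames: same bodies, same route count, no old name."""
    subifs, routes = parse(config, old)
    kept = [line for line in change if not line.startswith("no ")]
    new_subifs, new_routes = parse("\n".join(kept), new)
    renamed = {new + k[len(old):]: v for k, v in subifs.items()}
    count = lambda d: sum(len(v) for v in d.values())
    leftovers = [line for line in kept if old + "." in line]
    return renamed == new_subifs and count(routes) == count(new_routes) and not leftovers


if __name__ == "__main__":
    change = build_change(SAMPLE_CONFIG)
    print("\n".join(change))
    print("rename-only check:", check(SAMPLE_CONFIG, change))
```

Running `check` on the generated lines before they are pasted into the router catches a dropped route or a sub-interface body that changed during the rewrite.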
Re: [c-nsp] Help Cisco IOS XR 9001
CPP is the other issue. ex

control-plane
 management-plane
  inband
   interface hundred-gige0/1/1
    allow SSH
    allow blah

On Wed, Sep 23, 2020 at 12:51 PM Ted Pelas Johansson wrote:
> Regarding isis, it looks like you have MTU mismatch since you configured
> 1600 byte on both platforms.
>
> IOS/XE doesn't count the Ethernet header (1600) while XR/JunOS does (1614).
>
> You also need to add the interface under `mpls ldp`.
>
> Sent from my Phone
>
> > On 23 Sep 2020, at 17:25, Olivier CALVANO wrote:
> >
> > Hello,
> >
> > I am asking you for a little help, I just got an ASR9001 router and I am a
> > little confused with the IOS XR completely different from my ASR1001.
> >
> > 1- First problem, ISIS seems not to work
> >
> > on my ASR1001X I have:
> > interface TenGigabitEthernet7/1
> >  mtu 1600
> >  ip address 192.168.1.1 255.255.255.252
> >  ip router isis
> >  mpls label protocol ldp
> >  mpls ip
> >
> > router isis
> >  net 49.0001...0450.00
> >  is-type level-2-only
> >  metric-style wide
> >  redistribute connected
> >  !
> >  address-family ipv6
> >   multi-topology
> >   redistribute connected
> >   redistribute static
> >  exit-address-family
> >
> > connected on this port, I have the ASR9001 with in conf:
> >
> > interface TenGigE0/0/2/0
> >  mtu 1600
> >  ipv4 address 192.168.1.2 255.255.255.252
> >
> > router isis WanCmp
> >  is-type level-2-only
> >  net 49.0001...0452.00
> >  address-family ipv6 unicast
> >  !
> >  interface TenGigE0/0/2/0
> >   address-family ipv4 unicast
> >   !
> >  !
> > !
> >
> > but when i put sh isis topo
> > Wed Sep 23 07:45:50.378 UTC
> >
> > IS-IS phibee paths to IPv4 Unicast (Level-2) routers
> > System Id Metric Next-HopInterface SNPA
> > ASR9001 --
> >
> > Anyone have a idea of the problems ?
> >
> > 2- SSH/Telnet access to the router
> >
> > currently I have to connect the ASR9001 router via the MgmtEth0/RSP0/CPU0/0
> > port to access it.
> >
> > Unable to go through the wan classic TenGigE0/0/2/0 interface
> >
> > in my configuration, i have:
> >
> > telnet vrf default ipv4 server max-servers 10
> >
> > line console
> >  exec-timeout 1440 0
> >  escape-character 0x5a
> >  session-limit 10
> >  disconnect-character 0x59
> >  session-timeout 100
> >  transport input telnet ssh
> >  transport output telnet ssh
> >  transport preferred none
> > !
> > line default
> >  exec-timeout 1440 0
> >  access-class ingress admin-nets
> >  transport input all
> >  transport output telnet ssh
> >  transport preferred none
> >
> > vty-pool default 0 5 line-template default
> > control-plane
> >  management-plane
> >   out-of-band
> >    interface TenGigE0/0/2/0
> >     allow SSH peer
> >      address ipv4 192.168.0.0/21
> >     !
> >     allow Telnet peer
> >      address ipv4 192.168.0.0/21
> >     !
> >
> > ssh server v2
> > ssh server vrf default
> > ssh server vrf Mgmt-intf
> > end
> >
> > if i want connect on wan interface, i have all time a connection refused
> >
> > thanks for your help
Re: [c-nsp] Question about 9410R interface naming
i am doing some automation on that platform and just realized that week

On Thursday, September 10, 2020, Nick Cutting wrote:
> Nexus has it right - everything is "E"
>
> From: cisco-nsp On Behalf Of aar...@gvtc.com
> Sent: Thursday, September 10, 2020 5:58 PM
> To: 'Nick Hilliard'
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Question about 9410R interface naming
>
> Juniper was good with port id's until the MX204 :)
>
> Now XE doesn't always mean 10 gig
>
> set interfaces xe-0/1/4 gigether-options speed 1g
>
> agould@dallas-204-1> show interfaces xe-0/1/4 | grep speed
> Link-level type: Flexible-Ethernet, MTU: 9216, MRU: 9224, LAN-PHY mode, Speed: 10Gbps, BPDU Error: None,
> Speed Configuration: 1G
>
> -aaron
Re: [c-nsp] Question about 9410R interface naming
Good Morning Drew,

They are TenGigabitethernet Interfaces:

Port       Name  Status     Vlan  Duplex  Speed   Type
Te10/0/44        connected  xxx   a-full  a-1000  100/1000/2.5G/5G/10GBaseTX

Have a good day,
Aaron

Aaron Childs
Director Infrastructure Services
Information Technology Services
Wilson Hall - 577 Western Ave. Westfield MA 01086
P 413.572.5527 F 413.572.5615
aa...@westfield.ma.edu

-Original Message-
From: cisco-nsp On Behalf Of Drew Weaver
Sent: Thursday, September 10, 2020 11:03 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Question about 9410R interface naming

Hi,

I have a quirky question about the 9410's Interface naming/numbering.

These switches appear to support 1G 2.5G, 5G and 10G interfaces.

Do the names of the interfaces change depending on the speed?

Is it ethernet1/1/1 no matter what? Or does it change to GigabitEthernet1/1/1 or TenGigabitEthernet1/1/1 depending on how it's configured?

If anyone knows I would appreciate it.

Thanks,
-Drew
Re: [c-nsp] Core - distrubution
use ipv6

On Wednesday, September 9, 2020, harbor235 wrote:
> How are you IP'ng your connector networks between core and distribution?
> Public space or private? I do not like the potential overlap with
> management networks and I cannot DNS mike connector networks making my
> traceroutes look pretty.
>
> I also like loopbacks publicly routable as well? Some organizations use
> RFC1918 netblocks for connector networks and loopbacks, is it just
> preference or am I missing other reasons not to use 1918?
>
> Mike
Re: [c-nsp] Upgrading NXOS
good luck

On Wednesday, September 2, 2020, Drew Weaver wrote:
> Nevermind, I think I found it.
>
> There is a tiny tmp partition called /nxos/tmp that is full.
>
> Thanks anyway,
> -Drew
>
> -Original Message-
> From: cisco-nsp On Behalf Of Drew Weaver
> Sent: Wednesday, September 2, 2020 1:58 PM
> To: 'Aaron'
> Cc: 'cisco-nsp@puck.nether.net'
> Subject: Re: [c-nsp] Upgrading NXOS
>
> Howdy and thanks for replying.
>
> So the switch is running 7.0(3)I1(3)
> According to docs:
>
> Upgrading from Cisco NX-OS Release 7.0(3)1(2), Release 7.0(3)I1(3), or
> Release 7.0(3)I1(3a), requires installing a patch for Cisco Nexus 9500
> platform switches only. For more information on the upgrade patch, see
> Patch Upgrade Instructions.
>
> So I tried to install the two patches that are needed to upgrade
> 7.0(3)I1(3) which are:
>
> CSCuy16604
> CSCuy16606
>
> NXLAB# install activate n9000-dk9.7.0.3.I1.3.CSCuy16604.bin
> Install operation 26 failed because there was no space left on device
>
> I have no idea which device it is saying has no space.
>
> NXLAB# dir | i free
> 229980663808 bytes free
>
> NXLAB# dir volatile: | i free
> 629145600 bytes free
>
> Any clue?
>
> From: Aaron
> Sent: Wednesday, September 2, 2020 11:37 AM
> To: Drew Weaver
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Upgrading NXOS
>
> Check to see if you have to upgrade to an intermediate version first.
> There was an issue that would brick the switch if you tried to go straight
> to the latest version.
>
> On Wed, Sep 2, 2020 at 8:54 AM Drew Weaver wrote:
> Hello,
>
> Current version: 7.0(3)I1(3)
>
> Upgrading a 9508:
>
> Checked for errata and it said something about bios upgrades failing due
> to the bootrom monitoring so I set this:
>
> diagnostic monitor interval module 1 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 2 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 3 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 1 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 2 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 3 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 27 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 28 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 27 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 28 test SecondaryBootROM hour 23 min 59 second 59
>
> Issue this command:
>
> install all nxos nxos.7.0.3.I4.8z.bin
>
> goes through the process and gets to BIOS update part:
>
> Module 1: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [] 100% -- SUCCESS
>
> Module 2: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [# ] 0% -- FAIL.
> Return code 0x4071000C (BIOS erase failed).
> CAUTION: The BIOS/loader/bootrom of above module may be in corrupted
> state. Please try programming it again and DO NOT reboot without
> programming it successfully, otherwise you have to manually take out the
> flash from the card and program it in a BIOS programming station.
>
> Resetting boot variables. Please wait.
>
> Install has failed. Return code 0x40930015 (Pre-upgrade of a module
> failed).
> Please identify the cause of the failure, and try 'install all' again.
>
> I've tried it a few times and it always fails.
>
> Any way to manually try to update the bios outside of the install all
> process or am I doing this incorrectly to begin with?
>
> I have read some instructions that say you just set the new .bin file as
> the boot parameter and reboot it and it magically takes care of everything.
> Then the other instructions I read says don't do that in case the bios
> upgrade fails while it's rebooting.
>
> Thanks if anyone has run into this before. May just scrap this thing.
Re: [c-nsp] Upgrading NXOS
Check to see if you have to upgrade to an intermediate version first. There was an issue that would brick the switch if you tried to go straight to the latest version.

On Wed, Sep 2, 2020 at 8:54 AM Drew Weaver wrote:
> Hello,
>
> Current version: 7.0(3)I1(3)
>
> Upgrading a 9508:
>
> Checked for errata and it said something about bios upgrades failing due
> to the bootrom monitoring so I set this:
>
> diagnostic monitor interval module 1 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 2 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 3 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 1 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 2 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 3 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 27 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 28 test PrimaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 27 test SecondaryBootROM hour 23 min 59 second 59
> diagnostic monitor interval module 28 test SecondaryBootROM hour 23 min 59 second 59
>
> Issue this command:
>
> install all nxos nxos.7.0.3.I4.8z.bin
>
> goes through the process and gets to BIOS update part:
>
> Module 1: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [] 100% -- SUCCESS
>
> Module 2: Refreshing compact flash and upgrading bios/loader/bootrom.
> Warning: please do not remove or power off the module at this time.
> [# ] 0% -- FAIL.
> Return code 0x4071000C (BIOS erase failed).
> CAUTION: The BIOS/loader/bootrom of above module may be in corrupted
> state. Please try programming it again and DO NOT reboot without
> programming it successfully, otherwise you have to manually take out the
> flash from the card and program it in a BIOS programming station.
>
> Resetting boot variables. Please wait.
>
> Install has failed. Return code 0x40930015 (Pre-upgrade of a module
> failed).
> Please identify the cause of the failure, and try 'install all' again.
>
> I've tried it a few times and it always fails.
>
> Any way to manually try to update the bios outside of the install all
> process or am I doing this incorrectly to begin with?
>
> I have read some instructions that say you just set the new .bin file as
> the boot parameter and reboot it and it magically takes care of everything.
> Then the other instructions I read says don't do that in case the bios
> upgrade fails while it's rebooting.
>
> Thanks if anyone has run into this before. May just scrap this thing.
[c-nsp] GLC-T on 9500-32C - 17.x IOS-XE
Having an issue where GLC-T's aren't working on 17.x trains on 9500-32C. They show as recognized under a 'sh int status', and the remote device will link, but the 9k side has no link. Tried hard-coding but still no joy. They do work on 16.12 without any special configuration. It is showing it as compatible in the (of questionable reliability) optics compatibility matrix [1]. We are using FS QSFP adapters which work fine with 10/1G fiber based optics.

We've opened a case with TAC, but am curious if any of you have flavors of GLC-T's that are working on 17.x code or any related feedback.

Thanks in advance,
Aaron

1. https://tmgmatrix.cisco.com/?npid=193
Re: [c-nsp] BGP Maximum Prefix limit on Edge routers
Absolutely. Make sure to add enough overhead, 25%, so you do not keep getting warning messages in the logs. These are the defaults for XR

To prevent a peer from flooding BGP with advertisements, a limit is placed on the number of prefixes that are accepted from a peer for each supported address family. The default limits can be overridden through configuration of the maximum-prefix limit command for the peer for the appropriate address family. The following default limits are used if the user does not configure the maximum number of prefixes for the address family:

IPv4 Unicast: 1048576
IPv4 Labeled-unicast: 131072
IPv4 Tunnel: 1048576
IPv6 Unicast: 524288
IPv6 Labeled-unicast: 131072
IPv4 Multicast: 131072
IPv6 Multicast: 131072
IPv4 MVPN: 2097152
VPNv4 Unicast: 2097152
IPv4 MDT: 131072
VPNv6 Unicast: 1048576
L2VPN EVPN: 2097152

On Tue, Aug 11, 2020 at 9:20 AM Curtis Piehler wrote:
> Yes this is a common practice to follow for extra security measures. In
> the off chance a provider starts flooding your network with more than what
> is required it will safe guard your network. You can set a slightly higher
> warning threshold. Usually more prevalent in MPLS environments as there
> are more memory constraints on carrying Internet routes in multiple VRFs
> could be detrimental to memory. Unlikely it would happen but always need
> to think of better ways to safe guard your network. For as long as humans
> are in existence there will always be room for error.
>
> On Tue, Aug 11, 2020, 9:09 AM Yham wrote:
>
> > Hello Gentlemen,
> >
> > I wanted to ask if this is common practice to apply Maximum prefix limit on
> > BGP neighborship with Internet providers from where you are getting the
> > entire routing table. I know it's considered a best practice but want to know
> > if it's also common.
> > If yes, what would be the max limit of routes? Google search tells me that
> > the size of the routing table today is approx 800K prefixes
> >
> > Thanks
Re: [c-nsp] Rehosting a perpetual CSR1000V license
I'm gonna hate when Flash is EOL. We have servers that use that GUI thing. I agree, I hate it too. I don't want to throw out a decent server just because flash no longer works. I hope Adobe don't have a programmed kill switch.

On Tue, Jul 21, 2020 at 1:21 PM Mark Tinka wrote:
>
> On 21/Jul/20 18:54, joe mcguckin wrote:
> > We don’t buy anything that can’t be managed with a serial connection.
> > That means no fancy web based guis.
>
> iLO on servers is pretty reliable. It has helped us out plenty times.
>
> > Licensing is in the same category… A piece of equipment has to do
> > something extraordinary before we’d consider purchasing it, if it
> > implements some sort of license key scheme. We’ve purchased Juniper M
> > series routers in the past and were extremely happy with them (Hey! They
> > actually did what Juniper said they would do without 2 or 3 rounds of
> > hardware upgrades), but I was initially put off because there are license
> > keys embedded in the base software. Then I realized that when the keys
> > expired in 10 years, the boxes would be in the landfill by that time...
>
> Well, pretty much everything shipping these days either has or can be
> deployed by license.
>
> It is the key way for vendors to implement the same silicon across a
> myriad of platforms, without "losing" money.
>
> Mark.
Re: [c-nsp] Rehosting a perpetual CSR1000V license
ethernet console should be on the list.

On Tue, Jul 21, 2020 at 1:01 PM joe mcguckin wrote:
> We don’t buy anything that can’t be managed with a serial connection. That
> means no fancy web based guis. Licensing is in the same category… A piece
> of equipment has to do something extraordinary before we’d consider
> purchasing it, if it implements some sort of license key scheme. We’ve
> purchased Juniper M series routers in the past and were extremely happy
> with them (Hey! They actually did what Juniper said they would do without 2
> or 3 rounds of hardware upgrades), but I was initially put off because
> there are license keys embedded in the base software. Then I realized that
> when the keys expired in 10 years, the boxes would be in the landfill by
> that time...
>
> Joe
>
> Joe McGuckin
> ViaNet Communications
>
> j...@via.net
> 650-207-0372 cell
> 650-213-1302 office
> 650-969-2124 fax
>
> > On Jul 21, 2020, at 8:44 AM, Mark Tinka wrote:
> >
> > On 21/Jul/20 17:34, Seth Mattinen wrote:
> >
> >> Someone jumped in and sent me an updated license. As far as why it
> >> can't be done online, I'm not sure. I haven't tried to rehost anything
> >> in a while.
> >
> > The joy of when things just work :-).
> >
> > We had to because we had some boxes fail in that period. Fair point, the
> > servers had been nearly 7 years old, so can't blame them.
> >
> > Nonetheless, glad you're back up and running.
> >
> > Mark.
Re: [c-nsp] TE FRR vs PATH OPTION PROTECTION
I've done FRR with success.

On Fri, Jun 12, 2020 at 8:20 AM emmanuel manoni wrote:
> Hi experts,
>
> I'm trying to deploy MPLS TE tunnel protection method with as minimal
> switchover time as possible, which one between TE FRR and Path Option
> should I choose and why? If I deploy both of them, what are pros and cons if
> there are any?
>
> Thanks in advance
>
> Regards,
> Emmanuel
Re: [c-nsp] IOS-XR IS-IS authentication
I believe the OP was about interop between cisco and juniper using key-chains.

On Wed, Jun 3, 2020 at 1:56 AM Phil Bedard wrote:
> There shouldn't be an issue using keychains for these functions, I have XR
> and XE devices running IS-IS between each other with keychains on both
> without an issue.
>
> One thing to always watch out for is inadvertent spaces after you type in
> a clear text password.
>
> Thanks,
> Phil
>
> On 5/28/20, 3:44 AM, "cisco-nsp on behalf of Mark Tinka" <cisco-nsp-boun...@puck.nether.net on behalf of mark.ti...@seacom.mu> wrote:
>
> On 27/May/20 21:08, Eric Van Tol wrote:
> > Unless I get suggestions otherwise, I suppose I'll just not use
> > keys, which seems prohibitive, particularly if a password needs changing at
> > some point. The 'lsp-password' without a key chain seems to work just fine.
> > :-/
>
> In IOS and IOS XE, we use key chains.
>
> In IOS XR, we use "lsp-password hmac-md5" at the "router isis" level,
> and "hello-password hmac-md5" at the "router isis 1 interface" level.
>
> Mark.
Re: [c-nsp] ASR9001 BGP scaling and memory shortage
eXR is Linux based 64 bit vs classic XR which is the 32 bit qnx kernel. Some releases have both

On Wednesday, May 20, 2020, Drew Weaver wrote:
> Slightly unrelated to this thread but also sort of related.
>
> Did anyone else notice that this file appears in the ASR9001 IOS XR file
> list now?
>
> asr9k-9000v-nV-x64-1.0.0.0-r702.x86_64.rpm
>
> I was under the impression that ASR 9001 couldn't run x86_64 software and
> also... why is it an RPM rather than a tar?
>
> -Original Message-
> From: cisco-nsp On Behalf Of Alexandr Gurbo
> Sent: Wednesday, May 20, 2020 3:32 AM
> To: Vladimir Troitskiy
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASR9001 BGP scaling and memory shortage
>
> All in GRT, 3 full tables, 2 big IX, couple private peers. No MPLS, only
> routing.
>
> On Wed, 20 May 2020 11:44:05 +0500
> Vladimir Troitskiy wrote:
>
> > Hello Alexandr,
> >
> > Thank you for your input! We are using IOS XR 5.3.4 and 6.1.4 - no
> > significant difference in memory consumption between them.
> > How many peers/routes do you have on this box? Are those peers
> > configured in a GRT or in a VRF?
> >
> > On Wed, 20 May 2020 at 11:17, Alexandr Gurbo wrote:
> >
> > > Hello Vladimir,
> > >
> > > What version IOS XR are you using?
> > > We don't have problems with FIB inconsistency. IOS XR 6.6.3.
> > >
> > > #show processes memory detail location 0/RSP0/CPU0
> > > Wed May 20 09:09:23.240 MSK
> > > JID   Text  Data  Stack  Dynamic  Dyn-Limit  Shm-Tot  Phy-Tot  Process
> > > 1087  1M    10M   624K   818M     1658M      218M     829M     bgp
> > >
> > > #show memory summary location 0/0/CPU0
> > > Wed May 20 09:10:34.206 MSK
> > > node: node0_0_CPU0
> > > Physical Memory: 8192M total
> > > Application Memory : 7985M (4258M available)
> > > Image: 78M (bootram: 78M)
> > > Reserved: 128M, IOMem: 0, flashfsys: 0
> > > Total shared window: 495M
> > >
> > > --
> > > Alexandr Gurbo
> >
> > --
> > Best regards,
> > Vladimir Troitsky
>
> --
> Alexandr Gurbo
Re: [c-nsp] RSVP-TE (MPLS-TE) and LDP question
Thanks James for the confirmation as that's precisely what I'm seeing.

Would be nice to see a link to a cisco document or someone out there online that speaks to this

-Aaron

-Original Message-
From: James Jun [mailto:ja...@towardex.com]
Sent: Monday, May 11, 2020 3:26 PM
To: Aaron Gould
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RSVP-TE (MPLS-TE) and LDP question

On Mon, May 11, 2020 at 01:02:23PM -0500, Aaron Gould wrote:
> Seems that when I try to use RSVP in place of LDP for label distribution, I cannot completely remove mpls ldp configs from IOS XR, but I can from IOS XE

It's an implementation 'bug' on IOS XR. If you have L3VPN type service (also affects labeled-ucast, including 6PE), you *must* have 'mpls ldp' and router-id configured at minimum, even if you are not using any LDP adjacency whatsoever.

I believe ldp process needs to run to allocate labels for l3vpn, even if you do not use LDP transport. So, just leave 'mpls ldp' and router-id configured below it. As long as you don't have LDP adjacencies defined, and there are no LDP tunnels configured, you won't have any LDP in use.

P routers are not affected, as they do not need to allocate labels for VPN services.

James
[c-nsp] RSVP-TE (MPLS-TE) and LDP question
Seems that when I try to use RSVP in place of LDP for label distribution, I cannot completely remove mpls ldp configs from IOS XR, but I can from IOS XE

On an RSVP-TE Tunnel headend, I have ...

IOS XR (XRv9000)

mpls ldp router-id 10.0.0.11

...and if I remove that with "no mpls ldp" I lose connectivity to the MPLS L3VPN that is also on that PE

But...in IOS XE (csr1000v) I have...

mpls ldp router-id lo0 force

...and if I remove that with "no mpls ldp router-id Loopback0" (and also remove "mpls ip" from the pe---p uplink) I am still good to the MPLS L3VPN that is also on that PE

I don't understand what is going on with this minimal ldp config in IOS XR that causes L3VPN to no longer work after I remove that small config shown above.

As a side note, I can remove that ldp config from XR p core nodes.. Just not XR pe nodes

...furthermore, I think since I have that ldp config in my PE's, I have LFIB "Unlabelled" entries in my PE, I guess since I have no LDP config in the transit P nodes. But in XE since I can remove that ldp config I no longer have Unlabelled lfib entries and a nice clean lfib with only the L3vpn aggregate label

-Aaron
[c-nsp] virtual routers - L2-type vpn's
Using csr1000v in EVE-NG, yesterday I was able to do mp2mp vpls (rfc4761 bgp ad, bgp sig) using (3) csr1000v routers and it all worked, control plane *and* data plane, all CE's behind the csr1000v pe's could ping each other. (i tested rfc4762 bgp ad, ldp sig, but only with 2 csr1000v and it worked... i may go back and add in a third csr1000v later).

but, my question and problem was. XRv would not pass traffic in those vpls tests. control plane would work, configs would commit, and neighbor pseudowires would even go UP and establish to the other pe's (csr1000v's) BUT, i got nasty traceback errors on XRv and data plane would not pass traffic.

Has anyone been successful in getting VPLS to work in XRv ?

What about EVPN in XRv? ...does EVPN/MPLS forwarding work in XRv?

Traceback errors I got on XRv following the commit of the VPLS config..

RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %MGBL-DPC-2-SW_ERR : Failed to configure l2vpn_ldi (Invalid DPA id 17) : fib_mgr : (PID=4352) : -Traceback= 7f60faf970ca 7f60fafb5582 7f6105a1a270 7f6105a27740 7f6105a28a70 7f61186492f5 7f6118486919 7f6118484064 7f61244fcec8 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69

RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %ROUTING-FIB-3-PLATF_UPD_FAIL : FIB platform update failed: Obj=DATA_TYPE_LOADINFO[ptr=0x114a949f8,refc=0x1,flags=0x80c441] Action=MODIFY Proto=ipv4. Cerr='dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc 68adf8 43c59a 7f61229daa21 7f61229ebb6e 42376e

RP/0/RP0/CPU0:May 7 22:03:47.918 : fib_mgr[224]: %ROUTING-FIB-3-PD_FAIL : FIB platform error: fib_ldi_platform_update 2077: PD action MODIFY failed for passed_ldi 0x114a949f8 type DATA_TYPE_LOADINFO flags 0x80c441. Shared LDI 0x114a949f8 num_slots 1 num_buckets 1 depth 2 ldi type 1 ldi protocol mpls flags 0x80c441 : 0x4b88b400 'dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a 9fc 68adf8 43c59a 7f6122(TRUNCATED)

-Aaron
Re: [c-nsp] Cisco ONS15454 MSPP controller upgrades
have you looked at the ncs software/docs

On Saturday, April 18, 2020, Curtis Piehler wrote:
> Is there any good documentation online of upgrading the software on the ONS15454 platform? (MSPP, not MSTP). I know this platform is way end of life but unfortunately optical MUX's will just run until they are decom'd usually. The current MSPPs are managed via a CTC over a ring topology.
>
> Thanks
Re: [c-nsp] [External] SDx open standard?
Yeah, while certifying for mef-cecp, you gain an appreciation for their purpose in that space at least. (they do have other certifications). Lots of focus on functions and standards that exist at UNI's, ENNI's, services in between, etc.

MEF has 3 scopes of certifications...

-Services - you as a SP can actually work with MEF (IOMETRIX) and get your network actually stamped and certified by MEF
-Gear - vendors submit their equipment to MEF for testing (possibly onsite at vendor location) for proving out standard MEF-type service (ELINE, ELAN, ETREE, EACCESS, etc) and gain MEF stamp of approval
-Professional - like MEF-CECP, etc, people can get career certifications

I recall they started with MEF, then MEF 2.0, now MEF 3.0

https://www.mef.net/certification/mef-certification-programs

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of adamv0...@netconsultings.com
Sent: Thursday, March 26, 2020 12:00 PM
To: sth...@nethelp.no; t...@pelican.org
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External] SDx open standard?

> sth...@nethelp.no
> Sent: Thursday, March 26, 2020 3:42 PM
>
> >>> I spent 10 min browsing MEF web site and still do not know what "MEF" stands for ... Looks to me like yet one more commercial entity to drain a little bit of cash out of the vendors while perhaps help with marketing and sales a bit.
> >>
> >> Metro Ethernet Forum. They've been around for a while.
> >>
> >
> > In fairness, that term is almost entirely absent from the web site, as far as I can see.
> >
> > Is it an expansion that's been deliberately dropped in the face of expanding to work on SDN, NDV, et al beyond their original Metro Ethernet scope? And now MEF is just MEF?
>
> No idea. But it sure *sounds* like rather significant scope creep.
>

How I view MEF is in their role of facilitator/mediator for inter-operator standards.
Their original work on Metro Ethernet standards and network certification was very helpful for the industry (certainly some ~8 years back when ME was blooming and everyone was jumping the bandwagon).
Now with the hype around SDN NFV and automation of service provisioning they seem like a natural choice of existing body for mediating inter-operator/provider standards (work on LSO...) they have stellar materials on NFV and SDN I recommend everyone to read in order to fill in the gaps and unite our dictionary (same like for the ME dictionary)
And recently they are doing similar thing for SD-WAN...

adam
Re: [c-nsp] [External] SDx open standard?
Perhaps that, and also, I think they may be substituting that term "mef" for "ce" more recently. perhaps to imply that its capabilities are now beyond the "metro" and extend into "carrier" space and beyond. Trying to make some educated guesses/recollections.

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of t...@pelican.org
Sent: Thursday, March 26, 2020 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External] SDx open standard?

On Thursday, 26 March, 2020 15:15, sth...@nethelp.no said:

>> I spent 10 min browsing MEF web site and still do not know what "MEF" stands for ... Looks to me like yet one more commercial entity to drain a little bit of cash out of the vendors while perhaps help with marketing and sales a bit.
>
> Metro Ethernet Forum. They've been around for a while.
>

In fairness, that term is almost entirely absent from the web site, as far as I can see.

Is it an expansion that's been deliberately dropped in the face of expanding to work on SDN, NDV, et al beyond their original Metro Ethernet scope? And now MEF is just MEF?

Regards,
Tim.
Re: [c-nsp] [External Email] Re: big uptime - what you got ?
I'm sure there is a 2511 somewhere that beats all of these.

On Mon, Feb 10, 2020 at 2:35 PM wrote:
> >> cisco LS1010 (R4600) processor with 65536K bytes of memory.
> >
> > It was just matter of time until someone shows up with LS1010 :)
> >
> > (Un)fortunately our LS1010s are long gone but the uptimes were 12+ years on many of them.
>
> Darn, I had done my best to try to forget everything related to the number 53 :-)
>
> But yeah, we had LS1010 too, at a previous employer.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] [External Email] Re: big uptime - what you got ?
Oh my gosh a friggin lightstream 1010 up almost 17 years! That's about as long as atm has been dead. Lol

You gotta tell me for reals if you still have cells going through that box ?

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex D.
Sent: Monday, February 10, 2020 1:15 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External Email] Re: big uptime - what you got ?

Cisco Internetwork Operating System Software
IOS (tm) LS1010 WA4-5 Software (LS1010-WPK2-M), Version 12.1(12c)EY, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 02-Aug-02 09:13 by eaarmas
Image text-base: 0x60010958, data-base: 0x60F9A000

ROM: System Bootstrap, Version 11.2(1.4.WA3.0) [integ 1.4.WA3.0], RELEASE SOFTWARE
ROM: LS1010 WA4-5 Software (LS1010-WPK2-M), Version 12.1(12c)EY, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

atm-03 uptime is 16 years, 43 weeks, 3 days, 8 hours, 34 minutes
System returned to ROM by power-on
System restarted at 12:11:39 MEZ Wed Apr 16 2003
System image file is "bootflash:ls1010-wpk2-mz.121-12c.EY.bin"

cisco LS1010 (R4600) processor with 65536K bytes of memory.
Re: [c-nsp] big uptime - what you got ?
Ha, wow, Sascha holds first place !

...uptime is 14 years, 48 weeks, 4 days, 22 hours, 18 minutes

My gosh, up since 2005 !

-Aaron
Re: [c-nsp] big uptime - what you got ?
Non-believers I say, non-believers, lol

Jk, thanks, hey could be a bug, doubt it though

-Aaron
Re: [c-nsp] big uptime - what you got ?
What, and have to reset that uptime counter, never! Lol

Dude it's bridging eth frames just fine, why would i

-Aaron
[c-nsp] big uptime - what you got ?
Holy cow! Beat that

dsw2-4503#sh ver | in uptime
dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes
dsw2-4503#sh ver | in IOS
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)

-Aaron
[c-nsp] question with adj-rib-out and policy engine order and show commands
Question with adj-rib-out and policy engines. I've looked at bassam halabi's explanation in inet routing archs, googles, etc, etc.

Is "show ip bgp neighbor 1.2.3.2 advertised-routes" PRE-outbound-policy or POST-outbound-policy?

someone please explain why I see r1 "show ip bgp neighbor 1.2.3.2 advertised-routes" showing metric 2, but I see on r2 that it rcv's it change as planned to metric 17.

My question is really just about why I see metric 2 on advertise-route route of r1, when I know it's getting set to metric 17. Why don't I see what the policy is changing it to on the sending router, r1 ?

I tried to only include pertinent info to keep this short and to the point.

*** R1. Sending an advertisement..

r1#sh ip bgp neighbors 1.2.3.2 advertised-routes | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.2.1/32      10.0.1.1                 2         32768 ?

r1#sh run | sec router bgp
router bgp 123
 ...
 neighbor 1.2.3.2 route-map my-routemap-xmit out

route-map my-routemap-xmit, permit, sequence 10
  ip address prefix-lists: my-prefixlist-out
  Set clauses:
    metric 17

r1#sh ip prefix-list
   seq 1 permit 10.0.2.1/32

*** R2... Receiving that advertisement correctly as altered Metric 17

r2#sh ip bgp neighbors 1.2.3.1 routes | be Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.2.1/32      1.2.3.1                 17             0 123 ?

Total number of prefixes 1
r2#
r2#sh ip ro bgp
     10.0.0.0/32 is subnetted, 1 subnets
B       10.0.2.1 [20/17] via 1.2.3.1, 09:40:38

-Aaron
Re: [c-nsp] show isis neighbors - system id shown
Thanks y'all

-Aaron
[c-nsp] show isis neighbors - system id shown
funny, for a moment there it actually displayed the sys id of r1 instead of the word "r1"

is there a reason why ?

r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
..             L1   Fa0/0       1.2.3.1         UP    23       r2.01
..             L2   Fa0/0       1.2.3.1         UP    24       r2.01
r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    27       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    28       r2.01
r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    23       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    24       r2.01
r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    22       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    23       r2.01
r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    21       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    22       r2.01
r2#

-Aaron
Re: [c-nsp] Central Services Topology - Design question
Ah, and don't forget "additive" as it was crucial in not removing an rt, but rather, adding another rt to the already present rt. A nice way of having multiple extended community attributes (rt's) to be able to match on.

-Aaron
Re: [c-nsp] Central Services Topology - Design question
When I started sharing some routes from one vrf to another vrf during my deployment of cgnat, I came to understand that a vrf in my mind seemed to be less about the name you give it, and more about the RT's you import and export to accomplish the desired routing.

Further to that point, one day I typo'd a vrf name, and was stunned to realize that everything was still working! ...came to realize that the vrf name doesn't matter, since mp-ibgp doesn't advertise anything of the name... simply the rd, rt stuff matters.

To Saku's point, if you have local and separate vrf's, I'm pretty sure I had to use an auto-export command in juniper to allow that local route sharing.

-Aaron
Re: [c-nsp] new ASR9901 ios update problem
Btw, good job, and thanks Jürgen for the informative and detailed instruction on XR upgrade.

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron Gould
Sent: Tuesday, October 29, 2019 10:23 AM
To: c...@marenda.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] new ASR9901 ios update problem

You just gave me another reason to like Juniper :|

-Aaron
Re: [c-nsp] new ASR9901 ios update problem
You just gave me another reason to like Juniper :|

-Aaron
Re: [c-nsp] new ASR9901 ios update problem
It got jumbled ... I'll try again...

admin install add disk1:asr9k-mgbl-px.pie-4.3.4 disk1:asr9k-mpls-px.pie-4.3.4 disk1:asr9k-mini-px.pie-4.3.4 disk1:asr9k-fpd-px.pie-4.3.4 synchronous

admin install activate disk0:asr9k-mgbl-px-4.3.4 disk0:asr9k-mpls-px-4.3.4 disk0:asr9k-mini-px-4.3.4 disk0:asr9k-fpd-px-4.3.4 synchronous

(after reboot occurs)

admin install commit
Re: [c-nsp] new ASR9901 ios update problem
Unsure about ASR9901 running 6.5.2... but I just now upgraded ASR9006 from 4.1.2 to 4.3.4

The process is pretty much...

admin install add ...
admin install activate ...
admin install commit

...that's pretty much it in simplest terms... (I'll say I don't fully understand all the caveats and nuances with bridge smu's, time expiry issue, bug fix smu packages, bundle all pie's into a tar ball, etc,etc)... But in its simplest form, that's it.

admin install add disk1:asr9k-mgbl-px.pie-4.3.4 disk1:asr9k-mpls-px.pie-4.3.4 disk1:asr9k-mini-px.pie-4.3.4 disk1:asr9k-fpd-px.pie-4.3.4 synchronous

admin install activate disk0:asr9k-mgbl-px-4.3.4 disk0:asr9k-mpls-px-4.3.4 disk0:asr9k-mini-px-4.3.4 disk0:asr9k-fpd-px-4.3.4 synchronous

(after reboot occurs)

admin install commit

You may have other pies you require, just add those into the list above.

I had issues with tftp, so I simply ftp the files into disk1 and executed install from that location

I had issues with a clock and also fpd, simply set the clock to something like 2009 and add that fpd pie. That's what I did, worked.

- Aaron
Re: [c-nsp] ASR1002-X + SPA-1X10GE-L-V2 (10gb)
clean the fiber.

On Thursday, September 5, 2019, Sheremet Roman wrote:
> Hi,
>
> Yep we change card to brand new and update our IOS, now looks best now:
>
> ASR1002#sh platform | in 10G
>  0/3      SPA-1X10GE-L-V2     ok                    1w0d
>
> But we have one more problem, media errors:
>
> ASR1002# sh int TenGigabitEthernet 0/3/0 | in err
>
>      227 input errors, 181 CRC, 46 frame, 0 overrun, 0 ignored
>      362103129 packets output, 194841004589 bytes, 0 underruns
>      0 output errors, 0 collisions, 5 interface resets
>      0 babbles, 0 late collision, 0 deferred
>
> And amount growing up
>
> Fiber is good, we reuse same fiber which we use with 1G link, we just move it to 10G.
>
> Any idea how to debug this ? Or possible we need some settings for 10G links? (I use 10G first time). Maybe something like as frame size, or MTU, etc
>
> > Hi,
>
> > We have Cisco ASR1002-X
> > Cisco IOS Software, IOS-XE Software
>
> --
> Best regards,
> Sheremet mailto:ro...@kharkov.org.ua
Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
And to not reset the configuration back... How is that for security

On Mon, Aug 26, 2019 at 9:21 AM Brian Turnbow wrote:
> The dualrate script is for changing from 1G to 10G and vice versa.
> So asr920 needs a vty access to run the script in telnet and since there is not one available it removes ssh
> Nice workaround!
>
> More info here
>
> https://www.cisco.com/c/en/us/td/docs/routers/asr920/b_Chassis_Guide_asr920/console-port.html
>
> Brian
>
> > -Original Message-
> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jared Mauch
> > Sent: Monday, August 26, 2019 15:10
> > To: Aaron
> > Cc: Gert Doering; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
> >
> > I’ll say this in public (now) - Changing the security posture on the VTYs is a great reason to not use this product at the moment. I’ve seen many people not monitor their devices for these types of changes, and this is a great case to study.
> >
> > Time for some retraining of people.
> >
> > - Jared
> >
> > > On Aug 26, 2019, at 9:07 AM, Aaron wrote:
> > >
> > > Any unexpected config change should be an automatic tac case.
> > > Totally unexpected. Reminds me of the days when swapping a flash card on a gsr could crash it.
> > > This is a new one .
> > >
> > > On Monday, August 26, 2019, Gert Doering wrote:
> > >
> > >> Hi,
> > >>
> > >> does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is?
> > >>
> > >> We have an ASR920 that grew an unexpected config change upon insertion of a DAC cable into port ten0/0/12, and "unexpected config change" always triggers an investigation here (who, why, what). One part of it was somewhat related
> > >>
> > >> interface TenGigabitEthernet0/0/12
> > >>  description ...
> > >>  no ip address
> > >> + negotiation auto
> > >>  service instance 200 ethernet
> > >>
> > >> ... but the other part was more interesting
> > >>
> > >> line vty 0 4
> > >>  access-class 9 in
> > >> - exec-timeout 240 0
> > >>  ipv6 access-class VTY-v6 in
> > >> - transport input telnet ssh
> > >> + transport preferred none
> > >> + transport input none
> > >> + transport output none
> > >>  escape-character 3
> > >>
> > >> "uh, what?". So we investigated and found a few log messages about that script...
> > >>
> > >> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED: F0: iomd: transceiver module inserted in TenGigabitEthernet0/0/12
> > >> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE: TenGigabitEthernet0/0/12: MODE_1G
> > >> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > >> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > >> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:Mandatory.dualrate_eem.tcl)
> > >> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED: F0: iomd: Transceiver module removed from TenGigabitEthernet0/0/12
> > >> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
> > >> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted to user ; Trace file: , /harddisk/tracelogs/system_shell_R0-0.2264_0.20190820134619.bin
> > >> ug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl: DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to start re-configuring
> > >> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> > >> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
> > >>
> > >> ... and 441 (!!) lines in the tacacs command accounting log, wh
Re: [c-nsp] ASR920 and EEM:Mandatory.dualrate_eem.tcl
Any unexpected config change should be an automatic tac case. Totally unexpected. Reminds me of the days when swapping a flash card on a gsr could crash it. This is a new one . On Monday, August 26, 2019, Gert Doering wrote: > Hi, > > does anyone know what "EEM:Mandatory.dualrate_eem.tcl" is? > > We have an ASR920 that grew an unexpected config change upon insertion > of a DAC cable into port ten0/0/12, and "unexpected config change" always > triggers an investigation here (who, why, what). One part of it was > somewhat related > > interface TenGigabitEthernet0/0/12 > description ... > no ip address > + negotiation auto > service instance 200 ethernet > > ... but the other part was more interesting > > line vty 0 4 > access-class 9 in > - exec-timeout 240 0 > ipv6 access-class VTY-v6 in > - transport input telnet ssh > + transport preferred none > + transport input none > + transport output none > escape-character 3 > > "uh, what?". So we investigated and found a few log messages about that > script... 
>
> Aug 20 13:45:30 CEST: %TRANSCEIVER-6-INSERTED: F0: iomd: transceiver module inserted in TenGigabitEthernet0/0/12
>
> Aug 20 13:45:45 CEST: %IOSXE_SPA-6-DUAL_RATE_CHANGE: TenGigabitEthernet0/0/12: MODE_1G
> Aug 20 13:45:47 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:14 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:15 CEST: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:17 CEST: %TRANSCEIVER-6-REMOVED: F0: iomd: Transceiver module removed from TenGigabitEthernet0/0/12
> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: Shell started: vty 1
> Aug 20 13:46:20 CEST: %IOSXE-5-PLATFORM: F0: Aug 20 13:46:20 %SYSTEM-3-SYSTEM_SHELL_LOG: 2019/08/20 13:46:19 : Shell access was granted to user ; Trace file: , /harddisk/tracelogs/system_shell_R0-0.2264_0.20190820134619.bin
> Aug 20 13:46:26 CEST: %HA_EM-6-LOG: Mandatory.dualrate_eem.tcl: DUAL_RATE_CHANGE Re-configuration of interface TenGigabitEthernet0/0/12 to start re-configuring
> Aug 20 13:46:28 CEST: %SYS-5-CONFIG_I: Configured from console by on vty1 (EEM:Mandatory.dualrate_eem.tcl)
> Aug 20 13:46:39 CEST: %SYS-5-CONFIG_C: Running-config file is Modified
>
>
> ... and 441 (!!) lines in the tacacs command accounting log, which
> mostly looked like "it replayed the whole config, line by line"...
> until it hit the vty section, which then got messed up...
>
> Aug 20 13:47:08 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2166timezone=CEST service=shell start_time=1566301628priv-lvl=15 cmd=configure terminal
> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2167timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=line vty 0 4
> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2168timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=no login authentication
> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2169timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=no authorization exec
> Aug 20 13:47:09 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2170timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=no authorization commands 15
>
> Aug 20 13:47:10 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2171timezone=CEST service=shell start_time=1566301630priv-lvl=15 cmd=no transport preferred
> ...
> Aug 20 13:47:10 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2174timezone=CEST service=shell start_time=1566301630priv-lvl=15 cmd=no exec-timeout
> Aug 20 13:47:11 router unknown tty3EEM:Mandatory.dualrate_eem.tcl stoptask_id=2175timezone=CEST service=shell start_time=1566301631priv-lvl=1 cmd=no length
> Aug 20 13:47:11 router unknown tty2EEM:Mandatory.dualrate_eem.tcl stoptask_id=2177timezone=CEST service=shell start_time=1566301631priv-lvl=15 cmd=write memory
>
>
> shall I state that I find this a somewhat surprising behaviour?
>
> Haven't opened a TAC case yet (no time) but hopefully someone here
> has seen this before and found some more useful results.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
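The accounting records quoted in the message above show an EEM policy removing AAA settings from the vty lines. As an added example (not part of the original thread and not Cisco or tac_plus code), this Python detector parses records in the run-together form shown there, as well as tab-separated ones, and flags line-mode commands that drop login authentication, authorization or the idle timeout. The field order (NAS, user, port, origin, record type) and the rule list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Accounting records as quoted in the message above, one record per line.
# Field boundaries are run together as they appear there; the "..." gap
# (task ids 2172-2173) is not shown in the thread and is left out here too.
_P = "router unknown tty3EEM:Mandatory.dualrate_eem.tcl stop"
SAMPLE_LOG = f"""\
Aug 20 13:47:08 {_P}task_id=2166timezone=CEST service=shell start_time=1566301628priv-lvl=15 cmd=configure terminal
Aug 20 13:47:09 {_P}task_id=2167timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=line vty 0 4
Aug 20 13:47:09 {_P}task_id=2168timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=no login authentication
Aug 20 13:47:09 {_P}task_id=2169timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=no authorization exec
Aug 20 13:47:09 {_P}task_id=2170timezone=CEST service=shell start_time=1566301629priv-lvl=15 cmd=no authorization commands 15
Aug 20 13:47:10 {_P}task_id=2171timezone=CEST service=shell start_time=1566301630priv-lvl=15 cmd=no transport preferred
Aug 20 13:47:10 {_P}task_id=2174timezone=CEST service=shell start_time=1566301630priv-lvl=15 cmd=no exec-timeout
Aug 20 13:47:11 {_P}task_id=2175timezone=CEST service=shell start_time=1566301631priv-lvl=1 cmd=no length
Aug 20 13:47:11 router unknown tty2EEM:Mandatory.dualrate_eem.tcl stoptask_id=2177timezone=CEST service=shell start_time=1566301631priv-lvl=15 cmd=write memory
"""

# Assumed field order: timestamp, NAS, user, port, origin, record type, then
# attribute=value pairs. "\s*" tolerates separators lost in the archive.
HEAD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<nas>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<port>(?:tty|vty|con|aux)\d+)\s*(?P<origin>\S*?)\s*"
    r"(?P<type>start|stop|update)\s*(?=task_id=)"
)

# Assumed rule list: line-mode commands that weaken access control.
RULES = [
    (re.compile(r"^no login authentication\b"), "login method list removed"),
    (re.compile(r"^no authorization exec\b"), "exec authorization removed"),
    (re.compile(r"^no authorization commands \d+\b"), "command authorization removed"),
    (re.compile(r"^no exec-timeout\b"), "idle timeout disabled"),
]
LINE_MODE = re.compile(r"^line\s+((?:vty|con|console|aux)\b.*)$")
LEAVES_MODE = re.compile(r"^(?:end|exit|configure terminal|write memory)\b")


@dataclass
class Finding:
    timestamp: str
    nas: str
    user: str
    origin: str            # remote address, or "EEM:<policy>" for scripts
    task_id: Optional[int]
    line: Optional[str]    # line context the command ran in, if seen
    command: str
    reason: str


def parse_record(raw: str) -> Optional[dict]:
    """Return the fields of one accounting record, or None if unparseable."""
    head = HEAD.match(raw)
    cmd = re.search(r"cmd=(.*)$", raw)
    if not head or not cmd:
        return None
    task = re.search(r"task_id=(\d+)", raw)
    rec = head.groupdict()
    rec["task_id"] = int(task.group(1)) if task else None
    # tac_plus usually appends " <cr>" to the command; drop it if present.
    rec["cmd"] = re.sub(r"\s*<cr>\s*$", "", cmd.group(1)).strip()
    return rec


def detect(log_text: str) -> List[Finding]:
    """Flag AAA-weakening line commands, tracking 'line ...' context per session."""
    context = {}   # (nas, port) -> current "line ..." context
    findings = []
    for raw in log_text.splitlines():
        rec = parse_record(raw)
        if rec is None:
            continue
        key, cmd = (rec["nas"], rec["port"]), rec["cmd"]
        mode = LINE_MODE.match(cmd)
        if mode:
            context[key] = mode.group(1)
            continue
        if LEAVES_MODE.match(cmd):
            context.pop(key, None)
            continue
        for pattern, reason in RULES:
            if pattern.match(cmd):
                findings.append(Finding(rec["ts"], rec["nas"], rec["user"],
                                        rec["origin"], rec["task_id"],
                                        context.get(key), cmd, reason))
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.nas} line {f.line}: '{f.command}' "
              f"({f.reason}) by {f.origin or f.user}, task {f.task_id}")
```

Alerting on any finding whose origin starts with `EEM:` separates script-driven changes like the one in this thread from operator sessions.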
Re: [c-nsp] Inter-VRF with NAT
We have lots of zyxel's and manage all them with their public address. Why don't you just do that?

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Sunday, August 18, 2019 3:14 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Inter-VRF with NAT

> Hi Mike,
>
> I'm not sure I've understood your network topology to be honest. Are you
> saying that you have Cisco devices with a single WAN link that doesn't
> support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs
> over different VLANs, e.g. internet in global routing table over VLAN 10,
> management VRF over VLAN 20 etc? And you basically want multiple VRFs between
> the CPE and its gateway (BNG/LNS/PE) so that you don't have to NAT your
> management traffic or need layer 2 connectivity to every CPE?

My cpe devices are typically zyxel. On the wan interface of these devices, we usually have one service which is customer internet access (pppoe or dhcp), and then another service which is mapped at either a different vlan or a different vci/vpl, which is for management (and it's always dhcp). So, from the perspective of the device, it only has one routing table - the global table - and the 'default route' will normally be the internet service gateway. A common short-sightedness in these is that they can't do policy routing, and they can't have a separate routing table where management network traffic uses a gateway different than the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber. So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20 would be management traffic. I would like to have vlan 20 in a separate vrf, and I would like to be able to assign it an ip address (172.16.1.1), and I want to hand out addresses to the cpe in the range of 172.16.1.x. But, because the CPE are braindead, I need to arrange things so management access to the cpe all appear to come from 172.16.1.1. That way, the devices won't need to consult the routing table for a gateway and will instead simply arp for the 172.16.1.1 as it's on the same l3 network segment. This is the only way to deal with devices that don't know the correct gateway back. The only way I know how to accomplish this is with nat, unless there was some other socks type proxy on my asr1000 I don't know about.

Mike-

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] netconf-yang feature candidate-datastore
The XML requirement doesn't sound odd since this is netconf/yang we are talking about.

On Mon, Aug 5, 2019 at 11:42 AM Saku Ytti wrote:

> Hey Adam,
>
> On Mon, 5 Aug 2019 at 17:08, wrote:
>
> > Was just wondering why I can't configure "netconf-yang feature
> > candidate-datastore" on csr1k?
>
> Unsure what your problem is, but enable netconf-yang first, then try
> candidate. I've used the CSR1k candidate storage with python and
> kotlin library and was able to move from config A to config B with
> very trivial config. One problem is that it will only accept XML
> config, not native IOS format, which is kinda dumb, as obviously the
> system is capable of doing native => xml => native.
>
> --
> ++ytti
Re: [c-nsp] ASR1002-X + SPA-1X10GE-L-V2 (10gb)
has this card worked in a different chassis? i suspect a bad card

On Thursday, July 25, 2019, Andrew K. wrote:

> I have this same issue with this same behavior. A reboot was also required
> to get it to detect. The kicker is we have one of these cards in the
> chassis working already. TAC told me to RMA the SPA.
>
> We are sending a second SPA-1X10GE-L-V2 that was tested in an ASR1002 (not
> an X, all we had to test).
>
> #sh ver
> Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M),
> Version 15.2(4)S7, RELEASE SOFTWARE (fc4)
>
> IOS XE Version: 03.07.07.S
>
> #sh plat
> Chassis type: ASR1002-X
>
> Slot      Type                State                 Insert time (ago)
> --------- ------------------- --------------------- -----------------
> 0         ASR1002-X           ok                    7w1d
>  0/0      6XGE-BUILT-IN       ok                    7w1d
>  0/1      SPA-1X10GE-L-V2     out of service        2w0d
>  0/2      SPA-1X10GE-L-V2     ok                    7w1d
> R0        ASR1002-X           ok, active            7w1d
> F0        ASR1002-X           ok, active            7w1d
> P0        ASR1002-PWR-AC      ok                    7w1d
> P1        ASR1002-PWR-AC      ok                    7w1d
>
> Slot      CPLD Version        Firmware Version
> --------- ------------------- ----------------
> 0         12042303            15.2(4r)S1
> R0        12042303            15.2(4r)S1
> F0        12042303            15.2(4r)S1
>
>
> #sh hw-module subslot all oir
> Module        Model                Operational Status
> ------------- -------------------- ------------------------
> subslot 0/0   6XGE-BUILT-IN        ok
> subslot 0/1   SPA-1X10GE-L-V2      out of service(failed too many times)
> subslot 0/2   SPA-1X10GE-L-V2      ok
>
>
>
> On 7/25/2019 8:49 AM, Sheremet Roman wrote:
>
>> Hi,
>>
>> We have Cisco ASR1002-X
>> Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M),
>> Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
>> IOS XE Version: 03.09.01.S
>>
>> and 10g module SPA-1X10GE-L-V2
>>
>> So, module wont work, anyone use same? OIR not detect this module
>> automatically but after reload module not works also...
>>
>>
>> Please look my details:
>>
>> Border-ASR1002#sh hw-module subslot all oir
>> Module        Model                Operational Status
>> ------------- -------------------- ------------------------
>> subslot 0/0   6XGE-BUILT-IN        ok
>> subslot 0/1   SPA-1X10GE-L-V2      out of service(failed too many times)
>> subslot 0/2   SPA-8X1GE-V2         ok
>>
>> Border-ASR1002#sh platform hardware slot 0 spa status
>> Bay  SPA Type             State      PST  POK  SOK  PENB  RST  DENB  HSS
>> ---  -------------------  ---------  ---  ---  ---  ----  ---  ----  ---
>> 0    6XGE-BUILT-IN        Online     0    1    1    1     1    0     1
>> 1    SPA-1XTENGE-XFP-V2   Offline    0    0    0    0     0    1     0
>> 2    SPA-8X1GE-V2         Online     0    1    1    1     1    0     1
>> 3    Empty                Detection  1    0    0    0     0    1     0
>>
>> Border-ASR1002#sh hw-module all fpd
>>
>> ==== ================ ====== ======================== ========= ==============
>>                       H/W    Field Programmable       Current   Min. Required
>> Slot Card Type        Ver.   Device: "ID-Name"        Version   Version
>> ==== ================ ====== ======================== ========= ==============
>> 0/0  6XGE-BUILT-IN    1.0    1-2KP HSPA BULLSEY       2.34      2.34
>> ---- ---------------- ------ ------------------------ --------- --------------
>> 0/1  SPA-1X10...      1.2    1-10GE I/O FPGA          1.9       1.9
>> ---- ---------------- ------ ------------------------ --------- --------------
>> 0/2  SPA-8X1GE-V2     1.0    1-GE I/O FPGA            1.10      1.10
>> ==== ================ ====== ======================== ========= ==============
>>
>> Border-ASR1002#sh platform
>> Chassis type: ASR1002-X
>>
>> Slot      Type                State                 Insert time (ago)
>> --------- ------------------- --------------------- -----------------
>> 0         ASR1002-X           ok                    04:21:49
>>  0/0      6XGE-BUILT-IN       ok                    04:20:55
>>  0/1      SPA-1X10GE-L-V2     out of service        04:19:44
>>  0/2      SPA-8X1GE-V2        ok                    04:20:54
>> R0        ASR1002-X           ok, active            04:21:49
>> F0        ASR1002-X           ok, active            04:21:49
>> P0        ASR1002-PWR-AC      ok                    04:21:20
>> P1        ASR1002-PWR-AC      ok                    04:21:19
>>
>>
>> Logs:
>>
>> Jul 25 08:06:36.160: %SPA_OIR-3-HW_INIT_TIMEOUT: subslot 0/1
>> Jul 25 08:06:41.160: %SPA_OIR-3-RECOVERY_RELOAD: subslot 0/1: Attempting recovery by reloading SPA
>> Jul 25 08:06:41.161: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1X10GE-L-V2) offline in subslot 0/1
>> Jul 25 08:06:41.161: %IOSXE_RP_ALARM-6-INFO: CLEAR CRITICAL SPA subslot 0/1 Failed
>> Jul 25 08:06:41.161: %IOSXE_RP_ALARM-6-INFO: ASSERT MAJOR SPA
Re: [c-nsp] ASR 920 Replacement
Why are we worried about XR boot times ?

RP/0/RSP0/CPU0:g-9k#sh ver | in "uptime|IOS"
Thu Jun 27 14:20:49.013 CDT
Cisco IOS XR Software, Version 4.1.2[Default]
g-9k uptime is 5 years, 14 weeks, 3 days, 12 hours, 10 minutes

RP/0/RSP0/CPU0:c-9k#sh ver | in "uptime|IOS"
Thu Jun 27 14:20:55.287 CDT
Cisco IOS XR Software, Version 4.1.2[Default]
c-9k uptime is 5 years, 21 weeks, 4 days, 44 minutes

-Aaron
Re: [c-nsp] XRv (eve-ng)
XRv9k

-aaron
Re: [c-nsp] XRv (eve-ng)
Is that XRv or XRv9K? XRv was great as it didn't require as many resources.

On Wed, Jun 5, 2019 at 10:28 AM Aaron Gould wrote:

> Have you all been able to use EVE-NG ? My gosh, what an awesome emulator.
>
> I have eve-ng running…
>
> XRv
> vMX
> vQFX
>
> (this might end up being a much larger topic) BTW, Why does Juniper do
> what appears to be such a better job with CP/FP (control plane/forwarding
> plane) separation ? I’m speaking about XR and Junos and also how clean
> Junos vMX seems to be done as I work with it in EVE-NG when compared to XRv.
>
> XRv is still one node.
>
> vMX is 2 nodes… VCP and VFP.
>
> Also, in XRv I can’t add martini-type access pw’s into an l2vpn nor can I
> add routing on a BVI….. but, conversely I can do all those things in vMX
>
> As nice as XR(v) is, it still seems to be playing catch-up to (v)MX. Is
> this true in your mind ?
>
> Stepping away from the eve-ng emulator for a moment, over the years of
> working with XR I was so pleased with how it improved upon classic IOS….
> But then I began working with Junos a few years ago, and wow, it seemed to
> take routing os to a whole other level than XR did… again, this could be in
> my head, but curious what others think, IF, you have actually done enough
> work on both platforms to know enough to speak to it.
>
> -Aaron
Re: [c-nsp] XRv (eve-ng)
Have you all been able to use EVE-NG ? My gosh, what an awesome emulator.

I have eve-ng running…

XRv
vMX
vQFX

(this might end up being a much larger topic) BTW, Why does Juniper do what appears to be such a better job with CP/FP (control plane/forwarding plane) separation ? I’m speaking about XR and Junos and also how clean Junos vMX seems to be done as I work with it in EVE-NG when compared to XRv.

XRv is still one node.

vMX is 2 nodes… VCP and VFP.

Also, in XRv I can’t add martini-type access pw’s into an l2vpn nor can I add routing on a BVI….. but, conversely I can do all those things in vMX

As nice as XR(v) is, it still seems to be playing catch-up to (v)MX. Is this true in your mind ?

Stepping away from the eve-ng emulator for a moment, over the years of working with XR I was so pleased with how it improved upon classic IOS…. But then I began working with Junos a few years ago, and wow, it seemed to take routing os to a whole other level than XR did… again, this could be in my head, but curious what others think, IF, you have actually done enough work on both platforms to know enough to speak to it.

-Aaron
Re: [c-nsp] A9K-VSM-500
my personal notes from testing vsm-500 from a few years ago...

*** my testing showed good with pings, BUT TERRIBLE and NON-existent web surfing until changing MTU of vnics from 1514 to 9216

interface TenGigE0/3/1/0
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/1
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/2
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/3
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/4
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/5
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/6
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/7
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/8
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/9
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/10
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/11
 description vsm
 mtu 9216

--

also i have a document but i can't find it online anywhere... it's titled "ASR9K CGv6 on VSM troubleshooting guide"

there is a section subtitled..."3. VSM packet flow troubleshooting"

NOTE 1 : Be aware about CSCuo63064 which explain the packet drops for packet which supposed to be fragmented on VSM

Symptom: Packets requiring fragmentation are silently dropped with DROP_FRM_FRM_ERR_XAUI9 error count
Conditions: Observed with NAT44 on VSM with packet sizes above 1514 bytes.
Workaround: Increase the interface MTU on the VSM physical interfaces to match the ingress interface
More Info: For better NAT44 performance, Cisco recommends keeping the default physical interface MTU

This one is targeted to be fixed in 5.2.2 XR release

NOTE 2: Be aware about default MTU for ServiceApp interfaces

in 5.1.3 and 5.2.0: MTU is 1514 (not configurable)
in 5.2.2: ServiceApp interface will be set by default to Jumbo frame size (not configurable)

CSCuo63064 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo63064

-Aaron
Re: [c-nsp] Cisco IOS ping utility reports lower RTT than possible
The initial is most likely due to arp. Depending how long it is between runs, the arp cache may clear.

On Fri, May 3, 2019 at 10:57 AM Octavio Alvarez wrote:

> On 5/3/19 5:14 AM, Martin T wrote:
> > Hi Octavio,
> >
> > instead of a two-card laptop I used the available ports in server
> > named "svr", but in principle I built the setup you described:
> >
> > CISCO1921[Gi0/0] <-> [eno1]test-br[eno2] <-> [eno3]svr
>
> I intended to have an independent measurement tool (including an
> independent clock) but that should be good enough too, as it's highly
> unlikely that you have serious clock drifting issues.
>
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
>
> > As seen above, minimum measurement was 8ms and average was 9ms.
>
> I don't know how far (in ms) is the router from the server but max=12ms
> also looks way off.
>
> > Cisco IOS ping command inserts the timestamp into the payload of the
> > ICMP "echo request" message and at least it seems to increment it, i.e
> > that part seems to be fine.
>
> Does it? If you are referring to the -ttt output then that is done by
> tcpdump.
>
> Good experiment. Sorry to say that I don't know why the measurements are
> so inaccurate. I know the Cisco ISR 1912 is a very low-end device but I
> don't know if so enough to get into this level of inaccuracy.
>
> Octavio.
[c-nsp] ME3600 - ping drop seen
I have an ME3600 running 15.4(3)S3. and I saw a systematic drop on pings, making me think there was some sort of built-in control plane protection.

(pinging the ME3600 from a remote device)

!!!.!.!!!.!!!.!!!.!!!.
!!!.!!!.!!!.!!!.!!!.

I downgraded it to 15.2(4)S5 and no longer see the drops.

(pinging the ME3600 from a remote device)

!!
!!
!!

Is there somewhere I could've seen these drops in a counter somewhere? Or a way to enable/disable that behavior?

-Aaron
Re: [c-nsp] IS-IS as PE-CE protocol
The only place I run bgp on pe-ce is for internet uplinks… (junos) I use a few options to make it work…

- peer-as 123
- local-as 456
- local-as private
- local-as no-prepend-global-as

That works for me.

-Aaron

From: Nathan Lannine [mailto:nathan.lann...@gmail.com]
Sent: Thursday, March 21, 2019 8:11 AM
To: Aaron Gould
Cc: Michael Hallgren; Mark Tinka; Cisco-nsp
Subject: Re: [c-nsp] IS-IS as PE-CE protocol

On Thu, Mar 21, 2019 at 9:02 AM Aaron Gould wrote:

Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is natural and automatic true ?

-Aaron

As an implementer of MPLS/L3VPN in the enterprise, this is very interesting to me because I am all IGP internally. I sort of assumed that in the provider space that L3VPNs would be accomplished the same way, with an IGP as PE-CE protocol for L3VPN, but here we are.

So, in the case of BGP as PE-CE protocol and a small client AS, do you all in the provider space require multiple private ASNs per VPN? I mean (blatant free training request here) how does this get handled by the VPN customer? Just navel gazing here, but I am wondering if there would be any benefit to me running BGP as my own PE-CE protocol.

Thank you,
Nathan
Re: [c-nsp] IS-IS as PE-CE protocol
Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is natural and automatic true ?

-Aaron
Re: [c-nsp] UDP/0 ACL IOSXR issue?
Unsure about xr and be-specific acl treatment... however I do recall BVI-related acl's having issues either in or out... don't recall, been a while...

...in my newer juniper platform, I'm blocking the heck out of udp/0... geez, there's a lot of volumetric attacks coming on that port.and 389 and 53 and 123

- Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bryan Holloway
Sent: Friday, February 8, 2019 1:38 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] UDP/0 ACL IOSXR issue?

Anyone aware of any issues with filtering destination UDP/0 at ingress points on IOS XR?

We're running 5.3.4 SP8 and have telemetries to help us RTBH when the need arises. UDP/0 is a well-known vector for this sort of attack.

However, what I'm seeing is that packets seem to be getting past our ACLs even though we are explicitly denying them. "hardware counters" seem to corroborate that we're getting matches.

... and yet we're still seeing the traffic beyond the ingress.

Curious if anyone else has seen this.

Our egress-facing interface is a BE, if it matters ...
Re: [c-nsp] segment routing/evpn on ASR920
Ummm, that too. LOL

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Bensley
Sent: Wednesday, January 30, 2019 9:05 AM
To: Tom Ammon; Cisco-nsp List
Subject: Re: [c-nsp] segment routing/evpn on ASR920

On Wed, 30 Jan 2019 at 02:36, Tom Ammon wrote:
>
> Has anybody tried running segment routing on ASR920? If so, did you run in
> to any caveats? What about EVPN over segment routing on that platform? The
> SR configuration guide for this platform lists segment routing, but doesn't
> call out EVPN specifically - it only lists VPLS and L2VPN.
>
> Tom

Hi Tom,

Last I spoke to the ASR920 BU (Q4 last year) EVPN was still a roadmap feature and SR was only just being released so I assume it's bug central at this point in time.

Cheers,
James.
Re: [c-nsp] segment routing/evpn on ASR920
I read that SR/SPRING is an alternative to LDP or RSVP... seems that SR/SPRING is a label distribution protocol. Meaning, in my mind, it's a way to learn labels...mpls labels I guess.

If so, would we refer to EVPN as EVPN-SR? If so, would it follow that a non-sr network, one that has employed ldp for label learning, with evpn, would be referred to as EVPN-LDP ? I'm not thinking so.

Further, I recall reading that EVPN is Control Plane, and has a few different options for Fwd'ing plane...

EVPN-VXLAN
EVPN-PBB
EVPN-MPLS
...perhaps others...

Tom, I wonder if we/you should look for ASR920 docs/support for EVPN-MPLS in your desire to see if EVPN will work over SR?

I could be way off.

-Aaron
Re: [c-nsp] ASR 99xx IOS-XR images are all EoL/EoS?
we are running 6.4.2 in classic xr. no confidence with 64 bit at the moment. need to see testing results from cisco first

On Thursday, December 20, 2018, Charles Spurgeon < c.spurg...@austin.utexas.edu> wrote:

> * Tom Hill [2018-12-19 20:19:09 +]:
>
> > On 19/12/2018 19:59, Charles Spurgeon wrote:
> > > Does anyone have info on what is going on? What are people running on
> > > their ASR 99xx platforms?
> >
> > It matters deeply which 99xx, and what supervisor(s) you have in it.
> >
> > 9904 uses the same RSPs as 9006/9010.
> > 9906 and 9910 use a different RSP, with expandable 'S' capacity.
> > 9912 and 9922 use an RP, with the 'S' function entirely removed.
> >
> > A recent BRKARC-2003 (from Cisco Live!) will have more details.
> >
> > In this instance I suspect the 9904 is witnessing a push from Cisco to
> > move their customers towards 3rd generation supervisors and above;
> > that's RSP-880[-RL] and newer in the 9904's case. This will be because
> > those generations support the 64-bit variant of IOS-XR.
> >
>
> Thanks. Our 9904s have RSP880s and a 8X100GE-TR line card in each, so
> we're good for a 64-bit conversion.
>
> Meanwhile, our support channel dug up the info that a 6.5.2 EMR
> release is planned for Jan/Feb 2019.
>
> They also provided a link to an ASR software guidance doc at:
> https://community.cisco.com/t5/service-providers-documents/ios-xr-release-strategy-and-deployment-recommendation/ta-p/3165422
>
> Given this info we plan to upgrade from 5.3.4 to 6.4.2 to get onto
> supported code and then we'll use the 6.5 release to convert to 64-bit
> operation during our summer maintenance in 2019.
>
> -Charles
Re: [c-nsp] Ipv6 address plan
Check out the white paper on terastream

On Thursday, October 11, 2018, harbor235 wrote:

> Gents,
>
> I have a green field IPv6 infrastructure that I am standing up, I plan on
> allocating unique IPv6 net block ranges for infrastructure nets
> (loopbacks/routerid, pt-to-pts), service delivery allocations (customer
> services), North of the security boundary layer, south of security boundary
> layer etc .
>
> Any other best practices learned from your IPv6 deployments that would
> assist on my deployment?
>
>
> Mike
Re: [c-nsp] Telemetry real life use cases
What are you all using for a telemetry collector ?

-Aaron
Re: [c-nsp] CMs security
My cable modem mgmt and mta (voice) ip's are on different subnet than CPE. And we have an ACL on the CMTS to not allow customer ip's to communicate with those cm ip's

Aaron

> On Jul 29, 2018, at 5:38 PM, ring...@mail.com wrote:
>
> Hi all,
>
> Wondering what do you guys prefer as best practice to block connectivity like
> ping, http and everything else between CMs (docsis plant)?
>
> How do you do and manage it?
>
> ton
Re: [c-nsp] XRv (eve-ng)
Just to circle back with all of you my problem with not being able to login to XRv was just a terminal emulator issue. Windows Telnet window was messing up the root account creation at the beginning when XR boots up and i guess adding a special character and messing it up.

On the eve-ng community chat, a guy named Rusty was able to figure it out by just having me use a different terminal ... putty and mtputty work fine...

NO root-system username is configured. Need to configure root-system username.
Configuration lock is held by another agent. Please wait. [.OK]

--- Administrative User Dialog ---

Enter root-system username:
RP/0/RP0/CPU0:Jul 27 15:59:25.628 : smartlicserver[373]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications failure with Cisco licensing cloud: Communications init failure
% Entry must not be null.

Enter root-system username: xrv
Enter secret:
Use the 'configure' command to modify this configuration.

User Access Verification

Username: xrv
Password:

RP/0/RP0/CPU0:ios#

I'm in now !!

-Aaron
Re: [c-nsp] XRv (eve-ng)
Anyone seen this issue before and know how to fix ?

same problem even with XRv Full asr9000 version 6.3.2

i can't login , for some reason it thinks i'm an "unknown" user or something like that. please note that it does not ask me for a password... as soon as i type the username, it comes back and says "Failed authentication attempt by user '' from 'console'..."

so i see this with xrv versions...
5.1.1
5.3.0
6.3.2

- Aaron

Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): XR control plane: 5120MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): XR packet memory: 128MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Centralized LC: 9216MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Data plane core assignment: 2-3
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Control plane core assignment: 0-1

# Welcome to the Cisco IOS XRv9k platform
# Please wait for Cisco IOS XR to start.
# Copyright (c) 2014-2017 by Cisco Systems, Inc.

Cisco IOS XR console will start on the 1st serial port
Cisco IOS XR aux console will start on the 2nd serial port
Cisco Calvados console will start on the 3rd serial port
Cisco Calvados aux will start on the 4th serial port

Telnet escape character is '^Q'.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^Q'.
init: Unable to create device: /dev/kmsg
mount: can't find /dev in /etc/fstab
mkdir: cannot create directory '/run': File exists
bootlogd: ioctl(/dev/pts/2, TIOCCONS): Device or resource busy
Running postinst /etc/rpm-postinsts/100-dnsmasq...
update-rc.d: /etc/init.d/run-postinsts exists during rc.d purge (continuing)
Removing any system startup links for run-postinsts ...
/etc/rcS.d/S99run-postinsts
Configuring network interfaces... done.
Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
generating ssh RSA key...
generating ssh ECDSA key...
generating ssh DSA key...
generating ssh ED25519 key...
sshd start/running, process 2150
Starting rpcbind daemon...done.
Starting random number generator daemonUnable to open file: /dev/tpm0
can't open any entropy source
Maybe RNG device modules are not loaded
.
Starting system log daemon...0
tftpd-hpa disabled in /etc/default/tftpd-hpa
Starting internet superserver: xinetd.
Libvirt not initialized for container instance
Starting crond: OK
SIOCSIFTXQLEN: No such device
SIOCSIFTXQLEN: No such device

ios con0/RP0/CPU0 is now available

.
0/RP0/ADMIN0:Jul 26 13:44:19.747 : wd_memmon[3051]: %INFRA-WD_MEMMON-4-MEM_WARN : Memory usage %: 80, Total memory: 1048576kb, Free memory: 219200kb, State: MINOR, Minor Threshold %: 80

NO root-system username is configured. Need to configure root-system username.

--- Administrative User Dialog ---

Enter root-system username: admin
Enter secret:
% Entry must not be null.
Enter secret:
% Entry must not be null.
Enter secret:
% Entry must not be null.
Enter secret:
Enter secret again:
% Entry must not be null.
Use the 'configure' command to modify this configuration.

User Access Verification

Username:
Username: admin
Password:
RP/0/RP0/CPU0:Jul 26 13:46:02.536 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_RP0_CPU0'

User Access Verification

Username: root
Password:
RP/0/RP0/CPU0:Jul 26 13:46:05.708 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_RP0_CPU0'

User Access Verification

Username: cisco
Password:
RP/0/RP0/CPU0:Jul 26 13:46:09.619 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_RP0_CPU0'
RP/0/RP0/CPU0:Jul 26 13:46:10.120 : exec[66886]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting...
% Authentication failed
[c-nsp] XRv (eve-ng)
Any idea why this is happening? I can boot XRv just fine (5.3.0) but i get a few errors and can't login with default username (admin) and no password.. i get some SAM errors and nvram errors.. then logging in with admin, no password, or an account that it *forces* me to create, but are failed

-Aaron

..
Section:idt offset:0x006c base:fed185bc
Section:pgdir offset:0x0070
Page Directory d000: PAE
System page at phys:00017000 user:fed15000 kern:fed17000
Starting next program at vfe0419f8
Unable to access "/dev/ser1" (2)

Restricted Rights Legend

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS XR Software for the Cisco XR IOSXRv, Version 5.3.0
Copyright (c) 2015 by Cisco Systems, Inc.
Jul 25 12:19:04.167: Install Setup: Booting with committed software
SAM detects CA certificate(Code Signing Server Certificate Authority,O=Cisco,C=US) has expired. The validity period is Oct 17, 2000 01:46:24 UTC - Oct 17, 2015 01:51:47 UTC. Continue at risk? (Y/N) [Default: N w/in 10]:
RP/0/0/CPU0:Jul 25 12:19:23.786 : sam_server[352]: %SECURITY-SAM-3-ERROR_2_PARAM : Failed setting I_BIT on backup file, /disk0/sam_certdb
RP/0/0/CPU0:Jul 25 12:19:38.085 : sam_server[352]: %SECURITY-SAM-4-WARNING : Failed to initialize nvram digest
RP/0/0/CPU0:Jul 25 12:20:24.202 : cfgmgr-rp[152]: %MGBL-CONFIG-3-STARTUP : Configuration Manager could not find any admin configuration to apply from '/disk0:/config/admin/admin.cfg'.

ios con0/0/CPU0 is now available

NO root-system username is configured. Need to configure root-system username.

--- Administrative User Dialog ---

Enter root-system username: admin
Username "admin" is locked, please choose another.
Enter root-system username:
% Entry must not be null.
Enter root-system username: rusty
Enter secret:
% Entry must not be null.
Enter secret:
Enter secret again:
% Entry must not be null.
Use the 'admin' mode 'configure' command to modify this configuration.
Please login with any configured user/password, or cisco/cisco

User Access Verification

Username:
Username: rusty
Password:
RP/0/0/CPU0:Jul 25 12:23:44.338 : exec[65692]: %SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_0_CPU0'

User Access Verification

Username:

User Access Verification

Username:
Username: admin
Password:
RP/0/0/CPU0:Jul 25 12:23:48.008 : exec[65692]: %SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_0_CPU0'
% Authentication failed
RP/0/0/CPU0:Jul 25 12:23:48.528 : exec[65692]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting..
Re: [c-nsp] OSPF+BGP and MPLS Q's
I was waiting for that, lol

Sort of a long story, as everyone knows, networks usually have a story to tell in order to understand why they are the way they are

If many of us sat back and designed a new network from the ground up, it would be pretty for a day or two, and then eventually grow into something else

If you leave the company and a new guy comes in, he would probably say, "what idiot designed this network" :/

Then when he left the company, someone else would come in and say the same thing about him, lol

originally I did have a backbone area 0 and a very small MPLS network with core IGP area 1, ...well, area 1 continued to grow, and area 0 was eventually decommissioned, and now area 1 remains :)

I guess I could work through maintenance windows and convert everything to area 0, but I don't feel motivated to do so

Works fine

Aaron

> On Jul 19, 2018, at 5:34 PM, Nick Cutting wrote:
>
> Quick question as I am clueless on large SP networks (I'm a MSP guy not an
> ISP guy )- why not area 0.0.0.0 ?
>
>
> -Original Message-
> From: cisco-nsp On Behalf Of Aaron Gould
> Sent: Thursday, July 19, 2018 6:08 PM
> To: ring...@mail.com
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF+BGP and MPLS Q's
>
> This message originates from outside of your organisation.
>
> If you think your network is going to continue to grow, dual route reflector
> cluster is a huge must have in my mind, I love how you can add address
> families to one neighbor and let it bounce while the other neighbor stays up
> with all your routes still there
>
> I have run a 100 node single area OSPF (area 0.0.0.1) MPLS/LDP network for
> several years, I believe simplicity and only as much complexity as is
> required for the job
>
>
> Aaron
>
>> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
>>
>> Hi all,
>>
>> I have some practical design questions.
>>
>> 1. Is there a better way of doing the HA than having adjacencies to the
>> router (can be 3 hops away) over two different VLANs and different OSPF cost
>> over trunk links with BFD enabled?
>> 2. Do you find less practical a MPLS network on a multi-area design vs a
>> single-area design?
>> 4. At what point would you introduce RouteReflectors in the network
>> (e.g. when 5, 10, 20 IBGP connections?)
>>
>> Can come up with some more in the meantime ;)
>>
>> Thanks!
>> Ton
Re: [c-nsp] OSPF+BGP and MPLS Q's
If you think your network is going to continue to grow, dual route reflector cluster is a huge must have in my mind, I love how you can add address families to one neighbor and let it bounce while the other neighbor stays up with all your routes still there

I have run a 100 node single area OSPF (area 0.0.0.1) MPLS/LDP network for several years, I believe simplicity and only as much complexity as is required for the job

Aaron

> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
>
> Hi all,
>
> I have some practical design questions.
>
> 1. Is there a better way of doing the HA than having adjacencies to the
> router (can be 3 hops away) over two different VLANs and different OSPF cost
> over trunk links with BFD enabled?
> 2. Do you find less practical a MPLS network on a multi-area design vs a
> single-area design?
> 4. At what point would you introduce RouteReflectors in the network (e.g.
> when 5, 10, 20 IBGP connections?)
>
> Can come up with some more in the meantime ;)
>
> Thanks!
> Ton
Re: [c-nsp] EVPN Book/paper recommendation
Maybe something here

https://forums.juniper.net/t5/Tech-Cafe-Ask-the-Author-MPLS-in/EVPN-advantage-over-L2VPN-VPLS/td-p/291810

http://shop.oreilly.com/product/0636920033905.do

https://www.safaribooksonline.com/library/view/mpls-in-the/9781491905449/ch08.html

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tails Pipes
Sent: Friday, July 13, 2018 7:02 PM
To: Kasper Adel
Cc: Cisco-nsp
Subject: Re: [c-nsp] EVPN Book/paper recommendation

Hi

This is about using EVPN for IXPs, a bit closer.

https://www.trex.fi/2017/Ralf-Korschner-VXLAN-EVPN-in-a-Nuttshell.pdf

Ciao
Rich

On Fri, Jul 13, 2018 at 4:55 PM, Kasper Adel wrote:

> good stuff here, maybe not on the L2VPN part.
>
> https://www.reddit.com/r/networking/comments/8ubqmc/evpn_is_confusing/?st=
> JIYNSFZA=ba954c8b
>
>
>
>
> On Fri, Jul 13, 2018 at 4:42 PM, Sami Joseph
> wrote:
>
> > Heya
> >
> > I'm looking for book/paper recommendation on EVPN, specially for
> use-cases
> > in Carrier Ethernet deployments, replacing IETF L2VPN implementation and
> > deployments?
> >
> > I found this book by Ivan Pepen., but it doesnt cover that.
> > https://blog.ipspace.net/2018/06/book-evpn-in-data-center.html
> >
> > THX
> > Sam
Re: [c-nsp] NAT logging ASR1k
You wanna see the juniper configs for your ASR1006?

Not sure why we didn't use netflow. I guess because syslog worked and that's where the docs led me

Aaron

> On Jul 9, 2018, at 2:52 AM, Ring Bit wrote:
>
> Hi Aaron,
>
> Could you post the nat configs?
>
> Why not use Netflow?
>
> Thanks.
> T.
>
>> Sent: Sunday, July 08, 2018 at 10:14 PM
>> From: "Aaron Gould"
>> To: ring...@mail.com
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] NAT logging ASR1k
>>
>> Bulk logging and port block allocation (PBA)?
>>
>> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-bpa.html
>>
>> I do PBA in groups of 100 ports on my CGNAT deployment (juniper) and use
>> syslog to log. Using port block allocation caused the syslogging to slow
>> down significantly
>>
>> Aaron
>>
>>> On Jul 8, 2018, at 10:12 AM, ring...@mail.com wrote:
>>>
>>> Hi everybody,
>>>
>>> Have an ASR 1006 doing NAT translations, it is having around 300k+ and
>>> wanted to ask for a recommendation about logging those NAT translations.
>>>
>>> Tried it with a collector via Netflow v9 with the export command "ip nat
>>> log translations flow-export v9 udp destination" command the CPU spiked to
>>> 100%.
>>>
>>> Is there a recommendation as a workaround or have alternative solution
>>> which is easy on resources to those massive NAT translations?
>>>
>>> Thanks,
>>> T.
Re: [c-nsp] NAT logging ASR1k
Bulk logging and port block allocation (PBA)?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-bpa.html

I do PBA in groups of 100 ports on my CGNAT deployment (juniper) and use syslog to log. Using port block allocation caused the syslogging to slow down significantly

Aaron

> On Jul 8, 2018, at 10:12 AM, ring...@mail.com wrote:
>
> Hi everybody,
>
> Have an ASR 1006 doing NAT translations, it is having around 300k+ and
> wanted to ask for a recommendation about logging those NAT translations.
>
> Tried it with a collector via Netflow v9 with the export command "ip nat log
> translations flow-export v9 udp destination" command the CPU spiked to 100%.
>
> Is there a recommendation as a workaround or have alternative solution which
> is easy on resources to those massive NAT translations?
>
> Thanks,
> T.
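How block-level NAT logs are consumed afterwards, as an added example that is not part of the thread and is not Juniper or Cisco code: with port block allocation one record covers a whole block of ports, so answering "who had public address X, port Y, at time T" means matching the port to a block and the time to that block's lease. The block size of 100 follows the post; the record layout, addresses and names are constructed for illustration and are not a vendor syslog format.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

BLOCK_SIZE = 100  # ports per block, as in the post

# Constructed block log: time, event, subscriber address, public address, ports.
# 100.64.0.0/10 is shared CGN space, 203.0.113.0/24 is a documentation range.
BLOCK_LOG = """\
2018-07-08T10:00:00 ALLOC 100.64.0.10 203.0.113.5 1024-1123
2018-07-08T10:05:00 ALLOC 100.64.0.11 203.0.113.5 1124-1223
2018-07-08T10:45:00 RELEASE 100.64.0.10 203.0.113.5 1024-1123
2018-07-08T11:30:00 ALLOC 100.64.0.12 203.0.113.5 1024-1123
"""


@dataclass
class Lease:
    subscriber: str
    public_ip: str
    first_port: int
    last_port: int
    start: datetime
    end: Optional[datetime] = None  # None means the block is still held


def load_leases(log):
    """Pair ALLOC and RELEASE records into leases, rejecting inconsistent logs."""
    leases, held = [], {}
    for line in log.splitlines():
        stamp, event, subscriber, public_ip, ports = line.split()
        first, last = (int(p) for p in ports.split("-"))
        if last - first + 1 != BLOCK_SIZE:
            raise ValueError(f"unexpected block size in: {line}")
        when = datetime.fromisoformat(stamp)
        key = (public_ip, first)
        if event == "ALLOC":
            if key in held:
                raise ValueError(f"block allocated twice without release: {line}")
            held[key] = Lease(subscriber, public_ip, first, last, when)
            leases.append(held[key])
        elif event == "RELEASE":
            lease = held.pop(key, None)
            if lease is None or lease.subscriber != subscriber:
                raise ValueError(f"release without matching allocation: {line}")
            lease.end = when
        else:
            raise ValueError(f"unknown event in: {line}")
    return leases


def attribute(leases, public_ip, port, when):
    """Return the subscriber that held public_ip:port at `when`, or None."""
    hits = [
        lease.subscriber
        for lease in leases
        if lease.public_ip == public_ip
        and lease.first_port <= port <= lease.last_port
        and lease.start <= when
        and (lease.end is None or when < lease.end)
    ]
    if len(hits) > 1:
        raise ValueError("overlapping leases for one block")
    return hits[0] if hits else None


if __name__ == "__main__":
    leases = load_leases(BLOCK_LOG)
    # Same public address and port, two different subscribers an hour and a half apart.
    print(attribute(leases, "203.0.113.5", 1100, datetime(2018, 7, 8, 10, 30)))
    print(attribute(leases, "203.0.113.5", 1100, datetime(2018, 7, 8, 12, 0)))
```

Because a block is reused after release, a query without an accurate timestamp cannot be answered from these records.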
Re: [c-nsp] XR on GNS3
I used XRv in GNS3

I think I used both 5.1.1 and 5.3.0 ... I recall getting some good use out of it. I'm not a systems guy, so climbing the learning curve and asking for help from the communities online was what I had to do in order to figure out how to get it show up inside the GNS3 app (used virtual box, and recall ova, vmdk, qemu, etc, etc) then it was useable and working. I also did Juniper Olive/vMX.

A couple things

I don't think I ever got the Layer 2 forwarding to work. L3 routing worked and packets would flow... but L2 bridging and MPLS Layer 2 type things I don't think I ever got to properly flow.

I also would have to bounce interfaces using a batch file anytime I restarted gns3 or even if I added a new instance of XRv... so because of that, I would never reboot my windows vm that it was all contained inside and tried not to close gns3 app

-Aaron
Re: [c-nsp] line con 0 as terminal server on Cat6500?
I've actually taken out a little 2600 just to act as a 1-port terminal server for this exact purpose (maybe you can even use an old 2500)

Aaron

> On May 18, 2018, at 6:00 AM, Aaron Gould <aar...@gvtc.com> wrote:
>
> I'm not sure if you can use a console port for connecting to another router's
> console port, but you can use the auxiliary (aux) port to do that. I've
> done it many times
>
> Aaron
>
>> On May 18, 2018, at 1:55 AM, Patrick M. Hausen <hau...@punkt.de> wrote:
>>
>> Hi all,
>>
>> last weekend one switch in our VSS pair failed. Redundancy/VSS
>> did work and we kept our connectivity besides a couple of hosts
>> that only have a single uplink and were connected to that particular
>> chassis.
>>
>> When I came to the data centre I found the failed chassis in rommon.
>> A simple "boot" command restored everything to working order.
>>
>> Now to spare me that drive in case that happens again - is it possible
>> to use the console port of a working Catalyst 6500 to act as a terminal
>> server for the other one? We have quite a lot of spare rollover cables ;-)
>>
>> I found these instructions but I think I'm missing something:
>> https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html
>>
>> ip host other 2000 1.2.3.4
>>
>> Core2#telnet 1.2.3.4 2000
>> Trying 1.2.3.4, 2000 ...
>> % Connection refused by remote host
>>
>> I used the real IP address of loopback0, of course.
>>
>>
>> Side note/question: any idea what could cause a Cat6500 VS-S720-10G
>> to fail, reset (I can understand *that*) and then not boot into IOS and stay
>> in rommon?
>>
>> Standby BOOT variable =
>> sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
>> Standby Configuration register is 0x2102
>>
>> Core2#dir slavesup-bootdisk:
>> ...
>> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
>>
>>
>> Thanks!
>> Patrick
>> --
>> punkt.de GmbH      Internet - Dienstleistungen - Beratung
>> Kaiserallee 13a    Tel.: 0721 9109-0 Fax: -100
>> 76133 Karlsruhe    i...@punkt.de    http://punkt.de
>> AG Mannheim 108285 Gf: Juergen Egeling
Re: [c-nsp] line con 0 as terminal server on Cat6500?
I'm not sure if you can use a console port for connecting to another router's console port, but you can use the auxiliary (aux) port to do that. I've done it many times

Aaron

> On May 18, 2018, at 1:55 AM, Patrick M. Hausen <hau...@punkt.de> wrote:
>
> Hi all,
>
> last weekend one switch in our VSS pair failed. Redundancy/VSS
> did work and we kept our connectivity besides a couple of hosts
> that only have a single uplink and were connected to that particular
> chassis.
>
> When I came to the data centre I found the failed chassis in rommon.
> A simple "boot" command restored everything to working order.
>
> Now to spare me that drive in case that happens again - is it possible
> to use the console port of a working Catalyst 6500 to act as a terminal
> server for the other one? We have quite a lot of spare rollover cables ;-)
>
> I found these instructions but I think I'm missing something:
> https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html
>
> ip host other 2000 1.2.3.4
>
> Core2#telnet 1.2.3.4 2000
> Trying 1.2.3.4, 2000 ...
> % Connection refused by remote host
>
> I used the real IP address of loopback0, of course.
>
>
> Side note/question: any idea what could cause a Cat6500 VS-S720-10G
> to fail, reset (I can understand *that*) and then not boot into IOS and stay
> in rommon?
>
> Standby BOOT variable =
> sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
> Standby Configuration register is 0x2102
>
> Core2#dir slavesup-bootdisk:
> ...
> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
>
>
> Thanks!
> Patrick
> --
> punkt.de GmbH      Internet - Dienstleistungen - Beratung
> Kaiserallee 13a    Tel.: 0721 9109-0 Fax: -100
> 76133 Karlsruhe    i...@punkt.de    http://punkt.de
> AG Mannheim 108285 Gf: Juergen Egeling
Re: [c-nsp] Multicast in VRF
I wonder if it gets pruned right after the first packet

maybe you have to do some igmp config for the underlying vlan804 receiver segment's L2 interfaces

I'm guessing as it's been a while since I did much with mcast

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan Gregor
Sent: Monday, March 19, 2018 2:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Multicast in VRF

Hi guys,

I am stumped by a multicast issue on one of my 6500 switches running s72033-adventerprisek9-mz.151-2.SY11.bin code. Actually it is two 6500s in VSS, but it should not matter, correct me if I am wrong.

The topology is fairly simple, a source is connected to one VLAN on 6500, then the receiver is on another VLAN on the same 6500. Both VLANs are in the same VRF. Both VLANs are configured for PIM Sparse mode. Multicast routing is enabled for the VRF.

Relevant config:

vrf definition TEST
 rd 65000:803
 !
 address-family ipv4
 exit-address-family
!
ip multicast-routing
ip multicast-routing vrf TEST
!
ip pim vrf TEST rp-address 10.0.0.1
!
interface Vlan803
 description SOURCE
 vrf forwarding TEST
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-mode
 arp timeout 300
!
interface Vlan804
 description RECEIVER
 vrf forwarding TEST
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-mode
 load-interval 30
 arp timeout 300

I see multicast routing entries in the mroute table for the VRF increasing:

sh ip mroute vrf TEST
...
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.2.196), 00:24:57/stopped, RP 10.0.0.1, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan804, Forward/Sparse, 00:24:57/00:02:40

(10.0.0.11, 239.192.2.196), 00:24:57/00:02:57, flags: T
  Incoming interface: Vlan803, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Vlan804, Forward/Sparse, 00:24:57/00:02:40, H

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1503, Packets received: 1503
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.0.0.11/32, Forwarding: 1503/1/84/0, Other: 1503/0/0

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1510, Packets received: 1510
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.0.0.11/32, Forwarding: 1510/1/84/0, Other: 1510/0/0

I am testing it by running ping on the source "ping -t 64 239.192.2.196". I see packets leaving the source as verified by tcpdump. However packets are not making it to the receiver as verified by tcpdump.

Funny thing is that when I clear the mroute table on the switch by issuing "clear ip mroute vrf TEST *" I receive EXACTLY ONE ping packet on the receiver, then again nothing:

20:17:02.576050 IP 10.0.0.11 > 239.192.2.196: ICMP echo request, id 11724, seq 625, length 64

Any pointers would be greatly appreciated.

Best regards,

Jan Gregor
Re: [c-nsp] Nexus 3048 airflow configuration
bow and aft

On Thursday, March 15, 2018, Carsten Bormann wrote:

> On Mar 15, 2018, at 20:48, Garrett Skjelstad
> wrote:
> >
> > port-side
>
> What do you call the other side? Starboard?
>
> (SCNR.)
>
> Regards, Carsten
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Thanks y’all, to be clear, are you saying “…VPLS. Segment Routing…” you view those as fad technologies ? …or the opposite?

Yeah, I remember working for the US Navy in San Diego in 1999 and sitting in a class taught by a vendor-provided SE, FORE Systems. The class was about, yep you guessed it with the mention of the vendor (FORE)…class was on ATM… LANE…. Etc. You may recall that in the late 90’s, early 2000’s, ATM was going to save the world.

At one point in the class, the instructor paused and made a seemingly prophetic statement… he said, all this ATM stuff is new and great and all that, but he then erased the board and said this will all be superseded by this technology in the next several years… and he wrote 4 letters on the board…. M-P-L-S…. then we all stared at him and didn’t know what he was talking about, because ATM was new and awesome and we were completely taken up in the latest 20 million dollar US Navy atm-to-the-desktop project…. And also, we had no idea what he was talking about with mpls…. Then he erased those 4 letters and went back to talking about LECS, LES, BUS, LEC operations in LANE ELAN’s…. K

LOL….

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
As my teenage son would say. "bet" !

-Aaron

--

Heck yeah, pair of cheapest asr920 at each end and PWs between the DCs and you're done.

adam
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
So I think (I could be wrong as I'm not a server guy) that all this L2 network emulation is because of server virtualization and moving vm's or vmotion or something like that, and that they need to be in same ip subnet (aka bcast domain) correct ?

*if* that's true, and *if* all this layer 2 networking madness is because of that point stated above, I would think that someone (vendors/standards bodies/companies) would/should be working really hard to make that server stuff work in different bcast domains (different subnets)...so we wouldn't have to do all that L2 stuff

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Ha, thanks Justin, I just read the answer to my question I just posted... OTV is cisco proprietary.

Is OTV gaining steam in the industry as a potential ietf standard ?

Interesting things you mention about assigning asics, and linecard dependencies...

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Thanks, so is OTV cisco proprietary ?

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Thanks

"With regards to the load-sharing in L2 -problem is you'll never get IP like load-sharing in L2 since Ethernet is fundamentally flawed in this regard as it just can't associate same mac address with two ports."

I thought with bgp-mac-routes in evpn, you could engineer traffic with same knobs used in bgp-ip-routes. ?

I thought with evpn, you could have active-active multi-homed forwarding across 2 ports, 2 CE's. ?

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
I'm just trying to learn about OTV as I haven't heard much about it... is OTV an IETF standard ?

Also, I wonder why I would use one of these (EVPN, VX-LAN, OTV) over the other ? let me know if those 3 don't belong in the same comparison family.

I just watched a cisco video and see that the OTV AED (authoritative edge device is only one, so I guess multi-active-active forwarders which EVPN brags about can't be done in OTV ?)

Also, I see OTV is gre encaped, and I hear that vxlan is udp encaped, and evpn, I forget, but I think is just eompls, so I guess vxlan or otv can be done over non-mpls clouds ?...maybe these are things that would push me/others in one direction or the other when choosing a l2-emulation mechanism for DC or whatever we need it for.

- Aaron
Re: [c-nsp] ip vrf autoclassify source - loss of connectivity to hosts
What is this syntax ? Is this an IOS command ?

"Cisco-AVpair = "ip:vrf-id=VRF1"

- Aaron
Re: [c-nsp] me3600 ospf %100 cpu blowup
ospf neighbors won't come up either with different mtu's

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Monday, January 15, 2018 8:00 AM
To: Aaron
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] me3600 ospf %100 cpu blowup

On 14/Jan/18 17:36, Aaron wrote:

> Size of the ospf table

Been a long while since I ran OSPF in production - but I know IS-IS tests the MTU as adjacencies are built, and won't work unless PDU's are sent unfragmented across the wire.

Mark.
Re: [c-nsp] me3600 ospf %100 cpu blowup
I had something similar happen to me a couple months ago, and posted it here...

[c-nsp] ospf database size - affects that underlying transport mtu might have

https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg65794.html

- Aaron
Re: [c-nsp] me3600 ospf %100 cpu blowup
Size of the ospf table

On Sunday, January 14, 2018, Mark Tinka wrote:

>
>
> On 13/Jan/18 18:33, adamv0...@netconsultings.com wrote:
>
> > Hmm could it be that you hit the mtu limit of your links (which is not
> 9216
> > but just 9000)?
>
> That would make sense - but if it's been working all this time, what
> changed?
>
> Is your transport network dark or leased?
>
> Mark.
Re: [c-nsp] ip vrf autoclassify source - loss of connectivity to hosts
This "ip vrf autoclassify source" feature looks to be a very nice auto-pbr solution for allowing multiple vrf's on one interface!

I'd like to know if anyone has used it, particularly in the cable modem world...on Cisco uBR7246VXR, uBR10k, cbr8

-Aaron
Re: [c-nsp] me3600 ospf %100 cpu blowup
I'll take a stab at it...

Show log... (prior to reboot, so you may need to look at syslog...)

If you see NILE ASIC errors of some sort, I recall TAC telling me there isn't a fix and reboot is required. :|

I recall the nile asic thing being l2vpn related so I dunno about the ospf thing

-Aaron