Re: [c-nsp] Internet border router recommendations and experiences
https://apps.juniper.net/home/port-checker/index.html nice website to check port mix capabilities.

-Aaron

On 2/22/2023 5:06 PM, Thomas Scott via cisco-nsp wrote:
> Yes - 400 Gbps throughput total If I recall correctly.
>
> The MX204 has four rate-selectable ports that can be configured as 100-Gigabit Ethernet ports or 40-Gigabit Ethernet ports, or each port can be configured as four 10-Gigabit Ethernet ports (by using a breakout cable). The MX204 also has eight 10-Gigabit Ethernet ports. The four rate-selectable ports support QSFP28 and QSFP+ transceivers, whereas the eight 10-Gigabit Ethernet ports support SFP+ transceivers
> https://www.juniper.net/documentation/us/en/hardware/mx204/topics/concept/mx204-description.html
>
> Best Regards,
> -Thomas Scott
>
> On Wed, Feb 22, 2023 at 5:19 PM Eric Louie via cisco-nsp <cisco-nsp@puck.nether.net> wrote:
>> Oh geez, I just realized I left a zero off the interface - we need 100G interfaces both upstream (x1) and downstream (x2). That probably changes the product choices a little bit.
>>
>> Anyone with 100G Internet feeds want to let me know what you're using for a border router? I saw one reply for Arista already. Does the MX204 have 100GE interfaces and throughput?
>>
>> -e-
>> Eric Louie
>> 619-743-5375 Cell/text
>> Stay in this moment, it's the only one you really have
>> Take the time to be compassionate today
>>
>> On Wednesday, February 22, 2023 at 12:43:52 PM PST, Mark Tinka wrote:
>>> On 2/22/23 20:29, Eric Louie wrote:
>>>> Mark, thanks. We were quoted a MX304 for the Internet edge from Juniper. How has your experience been with it? are you 10G upstream and downstream? Any IPS on the 10G connection?
>>>
>>> The MX304 is not worth the money, for as long as the MX204 exists.
>>>
>>> We tried an NCS-5501 and it was a disaster, in a word. The 10G interface, uRPF, source-based blackholing, and routing table depth with Cisco is a limiting factor in their product line.
>>>
>>> Broadcom-based systems should always be looked at with one eye open, i.e., test test test before you commit.
>>>
>>> This applies to any vendor, not just Cisco.
>>>
>>> Mark.

--
-Aaron

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] RSVP-TE (MPLS-TE) and LDP question
Thanks James for the confirmation as that's precisely what I'm seeing. Would be nice to see a link to a cisco document or someone out there online that speaks to this

-Aaron

-----Original Message-----
From: James Jun [mailto:ja...@towardex.com]
Sent: Monday, May 11, 2020 3:26 PM
To: Aaron Gould
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RSVP-TE (MPLS-TE) and LDP question

On Mon, May 11, 2020 at 01:02:23PM -0500, Aaron Gould wrote:
> Seems that when I try to use RSVP in place of LDP for label distribution, I
> cannot completely remove mpls ldp configs from IOS XR, but I can from IOS XE

It's an implementation 'bug' on IOS XR. If you have L3VPN type service (also affects labeled-ucast, including 6PE), you *must* have 'mpls ldp' and router-id configured at minimum, even if you are not using any LDP adjacency whatsoever. I believe ldp process needs to run to allocate labels for l3vpn, even if you do not use LDP transport.

So, just leave 'mpls ldp' and router-id configured below it. As long as you don't have LDP adjacencies defined, and there are no LDP tunnels configured, you won't have any LDP in use.

P routers are not affected, as they do not need to allocate labels for VPN services.

James
[c-nsp] RSVP-TE (MPLS-TE) and LDP question
Seems that when I try to use RSVP in place of LDP for label distribution, I cannot completely remove mpls ldp configs from IOS XR, but I can from IOS XE

On an RSVP-TE Tunnel headend, I have...

IOS XR (XRv9000)

  mpls ldp
   router-id 10.0.0.11

...and if I remove that with "no mpls ldp" I lose connectivity to the MPLS L3VPN that is also on that PE

But...in IOS XE (csr1000v) I have...

  mpls ldp router-id lo0 force

...and if I remove that with "no mpls ldp router-id Loopback0" (and also remove "mpls ip" from the pe---p uplink) I am still good to the MPLS L3VPN that is also on that PE

I don't understand what is going on with this minimal ldp config in IOS XR that causes L3VPN to no longer work after I remove that small config shown above.

As a side note, I can remove that ldp config from XR p core nodes... Just not XR pe nodes

...furthermore, I think since I have that ldp config in my PE's, I have LFIB "Unlabelled" entries in my PE, I guess since I have no LDP config in the transit P nodes. But in XE since I can remove that ldp config I no longer have Unlabelled lfib entries and a nice clean lfib with only the L3vpn aggregate label

-Aaron
[c-nsp] virtual routers - L2-type vpn's
Using csr1000v in EVE-NG, yesterday I was able to do mp2mp vpls (rfc4761 bgp ad, bgp sig) using (3) csr1000v routers and it all worked, control plane *and* data plane, all CE's behind the csr1000v pe's could ping each other. (i tested rfc4762 bgp ad, ldp sig, but only with 2 csr1000v and it worked... i may go back and add in a third csr1000v later).

but, my question and problem was... XRv would not pass traffic in those vpls tests. control plane would work, configs would commit, and neighbor pseudowires would even go UP and establish to the other pe's (csr1000v's) BUT, i got nasty traceback errors on XRv and data plane would not pass traffic.

Has anyone been successful in getting VPLS to work in XRv ?

What about EVPN in XRv? ...does EVPN/MPLS forwarding work in XRv?

Traceback errors I got on XRv following the commit of the VPLS config...

RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %MGBL-DPC-2-SW_ERR : Failed to configure l2vpn_ldi (Invalid DPA id 17) : fib_mgr : (PID=4352) : -Traceback= 7f60faf970ca 7f60fafb5582 7f6105a1a270 7f6105a27740 7f6105a28a70 7f61186492f5 7f6118486919 7f6118484064 7f61244fcec8 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69

RP/0/RP0/CPU0:May 7 22:03:47.917 : fib_mgr[224]: %ROUTING-FIB-3-PLATF_UPD_FAIL : FIB platform update failed: Obj=DATA_TYPE_LOADINFO[ptr=0x114a949f8,refc=0x1,flags=0x80c441] Action=MODIFY Proto=ipv4. Cerr='dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 7f61244fefe9 5ebe3a 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a9fc 68adf8 43c59a 7f61229daa21 7f61229ebb6e 42376e

RP/0/RP0/CPU0:May 7 22:03:47.918 : fib_mgr[224]: %ROUTING-FIB-3-PD_FAIL : FIB platform error: fib_ldi_platform_update 2077: PD action MODIFY failed for passed_ldi 0x114a949f8 type DATA_TYPE_LOADINFO flags 0x80c441.
Shared LDI 0x114a949f8 num_slots 1 num_buckets 1 depth 2 ldi type 1 ldi protocol mpls flags 0x80c441 : 0x4b88b400 'dpc_rm_svr' detected the 'warning' condition 'Internal invalid parameter found.' : fib_mgr : (PID=4352) : -Traceback= 5f9054 5fb5d8 605062 6fe214 538d69 565efc 567d65 688000 68a 9fc 68adf8 43c59a 7f6122(TRUNCATED)

-Aaron
Re: [c-nsp] [External] SDx open standard?
Yeah, while certifying for mef-cecp, you gain an appreciation for their purpose in that space at least. (they do have other certifications). Lots of focus on functions and standards that exist at UNI's, ENNI's, services in between, etc.

MEF has 3 scopes of certifications...

-Services - you as a SP can actually work with MEF (IOMETRIX) and get your network actually stamped and certified by MEF
-Gear - vendors submit their equipment to MEF for testing (possibly onsite at vendor location) for proving out standard MEF-type service (ELINE, ELAN, ETREE, EACCESS, etc) and gain MEF stamp of approval
-Professional - like MEF-CECP, etc, people can get career certifications

I recall they started with MEF, then MEF 2.0, now MEF 3.0

https://www.mef.net/certification/mef-certification-programs

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of adamv0...@netconsultings.com
Sent: Thursday, March 26, 2020 12:00 PM
To: sth...@nethelp.no; t...@pelican.org
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External] SDx open standard?

> sth...@nethelp.no
> Sent: Thursday, March 26, 2020 3:42 PM
>
> >>> I spent 10 min browsing MEF web site and still do not know what "MEF"
> >>> stands for ... Looks to me like yet one more commercial entity to
> >>> drain a little bit of cash out of the vendors while perhaps help
> >>> with marketing and sales a bit.
> >>
> >> Metro Ethernet Forum. They've been around for a while.
> >>
> >
> > In fairness, that term is almost entirely absent from the web site, as far as I can see.
> >
> > Is it an expansion that's been deliberately dropped in the face of expanding to work on SDN, NDV, et al beyond their original Metro Ethernet scope? And now MEF is just MEF?
>
> No idea. But it sure *sounds* like rather significant scope creep.
>

How I view MEF is in their role of facilitator/mediator for inter-operator standards.

Their original work on Metro Ethernet standards and network certification was very helpful for the industry (certainly some ~8 years back when ME was blooming and everyone was jumping the bandwagon).

Now with the hype around SDN NFV and automation of service provisioning they seem like a natural choice of existing body for mediating inter-operator/provider standards (work on LSO...)

they have stellar materials on NFV and SDN I recommend everyone to read in order to fill in the gaps and unite our dictionary (same like for the ME dictionary)

And recently they are doing similar thing for SD-WAN...

adam
Re: [c-nsp] [External] SDx open standard?
Perhaps that, and also, I think they may be substituting that term "mef" for "ce" more recently. perhaps to imply that its capabilities are now beyond the "metro" and extend into "carrier" space and beyond. Trying to make some educated guesses/recollections.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of t...@pelican.org
Sent: Thursday, March 26, 2020 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External] SDx open standard?

On Thursday, 26 March, 2020 15:15, sth...@nethelp.no said:

>> I spent 10 min browsing MEF web site and still do not know what "MEF"
>> stands for ... Looks to me like yet one more commercial entity to drain a
>> little bit of cash out of the vendors while perhaps help with marketing and
>> sales a bit.
>
> Metro Ethernet Forum. They've been around for a while.
>

In fairness, that term is almost entirely absent from the web site, as far as I can see.

Is it an expansion that's been deliberately dropped in the face of expanding to work on SDN, NDV, et al beyond their original Metro Ethernet scope? And now MEF is just MEF?

Regards,
Tim.
Re: [c-nsp] [External Email] Re: big uptime - what you got ?
Oh my gosh a friggin lightstream 1010 up almost 17 years! That's about as long as atm has been dead. Lol

You gotta tell me for reals if you still have cells going through that box ?

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alex D.
Sent: Monday, February 10, 2020 1:15 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External Email] Re: big uptime - what you got ?

Cisco Internetwork Operating System Software
IOS (tm) LS1010 WA4-5 Software (LS1010-WPK2-M), Version 12.1(12c)EY, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 02-Aug-02 09:13 by eaarmas
Image text-base: 0x60010958, data-base: 0x60F9A000

ROM: System Bootstrap, Version 11.2(1.4.WA3.0) [integ 1.4.WA3.0], RELEASE SOFTWARE
ROM: LS1010 WA4-5 Software (LS1010-WPK2-M), Version 12.1(12c)EY, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

atm-03 uptime is 16 years, 43 weeks, 3 days, 8 hours, 34 minutes
System returned to ROM by power-on
System restarted at 12:11:39 MEZ Wed Apr 16 2003
System image file is "bootflash:ls1010-wpk2-mz.121-12c.EY.bin"

cisco LS1010 (R4600) processor with 65536K bytes of memory.
Re: [c-nsp] big uptime - what you got ?
Ha, wow, Sascha holds first place !

...uptime is 14 years, 48 weeks, 4 days, 22 hours, 18 minutes

My gosh, up since 2005 !

-Aaron
Re: [c-nsp] big uptime - what you got ?
Non-believers I say, non-believers, lol Jk, thanks, hey could be a bug, doubt it though -Aaron
Re: [c-nsp] big uptime - what you got ?
What, and have to reset that uptime counter, never! Lol Dude it's bridging eth frames just fine, why would i -Aaron
[c-nsp] big uptime - what you got ?
Holy cow! Beat that

dsw2-4503#sh ver | in uptime
dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes

dsw2-4503#sh ver | in IOS
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)

-Aaron
[c-nsp] question with adj-rib-out and policy engine order and show commands
Question with adj-rib-out and policy engines. I've looked at bassam halabi's explanation in inet routing archs, googles, etc, etc.

Is "show ip bgp neighbor 1.2.3.2 advertised-routes" PRE-outbound-policy or POST-outbound-policy?

someone please explain why I see r1 "show ip bgp neighbor 1.2.3.2 advertised-routes" showing metric 2, but I see on r2 that it rcv's it changed as planned to metric 17. My question is really just about why I see metric 2 on advertised-routes of r1, when I know it's getting set to metric 17. Why don't I see what the policy is changing it to on the sending router, r1 ?

I tried to only include pertinent info to keep this short and to the point.

*** R1. Sending an advertisement...

r1#sh ip bgp neighbors 1.2.3.2 advertised-routes | be Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.2.1/32      10.0.1.1                 2         32768 ?

r1#sh run | sec router bgp
router bgp 123
 ...
 neighbor 1.2.3.2 route-map my-routemap-xmit out

route-map my-routemap-xmit, permit, sequence 10
  ip address prefix-lists: my-prefixlist-out
  Set clauses:
    metric 17

r1#sh ip prefix-list
   seq 1 permit 10.0.2.1/32

*** R2... Receiving that advertisement correctly as altered Metric 17

r2#sh ip bgp neighbors 1.2.3.1 routes | be Network
     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.0.2.1/32      1.2.3.1                 17             0 123 ?

Total number of prefixes 1
r2#
r2#sh ip ro bgp
      10.0.0.0/32 is subnetted, 1 subnets
B        10.0.2.1 [20/17] via 1.2.3.1, 09:40:38

-Aaron
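A small model of what the post observes, added here as an illustration (it is not Cisco code and does not reproduce IOS internals). It encodes one assumption: `advertised-routes` lists the prefixes that survive the outbound filter, but prints each with the attributes of the local BGP table, so the outbound route-map's `set metric 17` only becomes visible on the receiving router. The local table, route-map and prefix-list below are constructed to mirror r1 and r2 in the post; a second prefix is included to show the implicit deny at the end of the route-map.

```python
"""Toy model of an IOS outbound route-map at the BGP Adj-RIB-Out.

Assumption (not verified against any IOS release): 'show ip bgp neighbors X
advertised-routes' shows pre-policy attributes for the prefixes that pass
the outbound route-map; the 'set' clauses are only seen by the peer.
"""
from dataclasses import dataclass, replace as dc_replace
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    metric: int
    as_path: Tuple[int, ...] = ()
    origin: str = "?"            # incomplete origin: the prefix is redistributed


@dataclass(frozen=True)
class RouteMapEntry:
    action: str                  # "permit" or "deny"
    prefix_list: List[str]       # IOS-style "permit a.b.c.d/len" entries
    set_metric: Optional[int] = None


def prefix_list_permits(prefix_list: List[str], prefix: str) -> bool:
    """First matching entry wins, implicit deny at the end; exact-length
    matches only (no ge/le) to keep the illustration short."""
    for entry in prefix_list:
        action, network = entry.split()
        if ip_network(network) == ip_network(prefix):
            return action == "permit"
    return False


def apply_route_map(route_map: List[RouteMapEntry], route: BgpRoute) -> Optional[BgpRoute]:
    """Return the route as modified by the route-map, or None if dropped."""
    for entry in route_map:
        if not prefix_list_permits(entry.prefix_list, route.prefix):
            continue
        if entry.action == "deny":
            return None
        if entry.set_metric is not None:
            route = dc_replace(route, metric=entry.set_metric)
        return route
    return None                  # implicit deny at the end of every route-map


def advertise(local_table, route_map, local_as):
    """Return (what advertised-routes would display, what the peer receives)."""
    displayed, on_the_wire = [], []
    for route in local_table:
        out = apply_route_map(route_map, route)
        if out is None:
            continue                         # filtered: shown nowhere
        displayed.append(route)              # pre-policy attributes (the assumption)
        on_the_wire.append(dc_replace(out, as_path=(local_as,) + out.as_path))
    return displayed, on_the_wire


# Constructed to mirror the post: r1 in AS 123 redistributes 10.0.2.1/32 with
# metric 2 and sets metric 17 towards neighbour 1.2.3.2.  10.0.3.0/24 is a
# second local prefix that the prefix-list does not permit.
R1_TABLE = [BgpRoute("10.0.2.1/32", "10.0.1.1", metric=2),
            BgpRoute("10.0.3.0/24", "10.0.1.1", metric=5)]
MY_ROUTEMAP_XMIT = [RouteMapEntry("permit", ["permit 10.0.2.1/32"], set_metric=17)]


def r1_and_r2_view():
    """(r1 advertised-routes view, r2 received view) as plain tuples."""
    displayed, sent = advertise(R1_TABLE, MY_ROUTEMAP_XMIT, local_as=123)
    return ([(r.prefix, r.metric) for r in displayed],
            [(r.prefix, r.metric, r.as_path) for r in sent])


if __name__ == "__main__":
    print(r1_and_r2_view())
```

The cheap way to confirm the assumption on a real box is the receiving side, exactly as the post did: compare the metric in `show ip bgp neighbors <peer> routes` on r2 with what r1 displays; if they differ only by the route-map's set clause, the display is pre-policy.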
Re: [c-nsp] show isis neighbors - system id shown
Thanks y'all -Aaron
[c-nsp] show isis neighbors - system id shown
funny, for a moment there it actually displayed the sys id of r1 instead of the word "r1"

is there a reason why ?

r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
..             L1   Fa0/0       1.2.3.1         UP    23       r2.01
..             L2   Fa0/0       1.2.3.1         UP    24       r2.01

r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    27       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    28       r2.01

r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    23       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    24       r2.01

r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    22       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    23       r2.01

r2#sh isis neighbors
System Id      Type Interface   IP Address      State Holdtime Circuit Id
r1             L1   Fa0/0       1.2.3.1         UP    21       r2.01
r1             L2   Fa0/0       1.2.3.1         UP    22       r2.01
r2#

-Aaron
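A parser for the `show isis neighbors` table above that flags neighbours still shown by raw System Id, added as an example (not from the thread). The assumption it rests on: IOS prints the 12-hex-digit system ID until it has learned the neighbour's dynamic hostname (RFC 5301, TLV 137) from that router's LSP, which is why the column flips from a dotted ID to "r1" shortly after the adjacency comes up. The sample output is constructed; the dotted ID in it stands in for the one the post's paste lost.

```python
"""Parse 'show isis neighbors' and report neighbours whose hostname has
not been resolved yet (assumption: a raw dotted System Id means the
dynamic-hostname TLV from that neighbour has not been received).
"""
import re
from typing import Dict, List, Tuple

SYSID_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")

# Constructed sample, same column layout as the post.
SAMPLE = """\
System Id      Type Interface   IP Address      State Holdtime Circuit Id
1921.6800.1001 L1   Fa0/0       1.2.3.1         UP    23       r2.01
1921.6800.1001 L2   Fa0/0       1.2.3.1         UP    24       r2.01
r1             L1   Fa0/0       1.2.3.1         UP    27       r2.01
"""


def parse_isis_neighbors(text: str) -> List[Dict[str, object]]:
    """Return one dict per neighbour row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "System":
            continue
        sysid, level, intf, ip, state, hold, circuit = parts
        rows.append({
            "system_id": sysid, "level": level, "interface": intf,
            "ip": ip, "state": state, "holdtime": int(hold),
            "circuit_id": circuit,
            # True once the neighbour is displayed by hostname rather than ID
            "hostname_resolved": SYSID_RE.match(sysid) is None,
        })
    return rows


def unresolved_neighbors(text: str) -> List[Tuple[str, str]]:
    """(system_id, level) for every row still shown by raw System Id."""
    return [(r["system_id"], r["level"]) for r in parse_isis_neighbors(text)
            if not r["hostname_resolved"]]


if __name__ == "__main__":
    for row in parse_isis_neighbors(SAMPLE):
        print(row)
    print("unresolved:", unresolved_neighbors(SAMPLE))
```

Run repeatedly (or fed from a log of periodic `show isis neighbors` captures), a persistent unresolved entry is worth a look: it points at a neighbour whose LSP never arrives or that does not originate a hostname TLV, rather than the transient state the post saw.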
Re: [c-nsp] Central Services Topology - Design question
Ah, and don't forget "additive" as it was crucial in not removing an rt, but rather, adding another rt to the already present rt. A nice way of having multiple extended community attributes (rt's) to be able to match on.

-Aaron
Re: [c-nsp] Central Services Topology - Design question
When I started sharing some routes from one vrf to another vrf during my deployment of cgnat, I came to understand that a vrf in my mind seemed to be less about the name you give it, and more about the RT's you import and export to accomplish the desired routing. Further to that point, one day I typo'd a vrf name, and was stunned to realize that everything was still working! ...came to realize that the vrf name doesn't matter, since mp-ibgp doesn't advertise anything of the name... simply the rd, rt stuff matters.

To Saku's point, if you have local and separate vrf's, I'm pretty sure I had to use an auto-export command in juniper to allow that local route sharing.

-Aaron
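A toy model of VPNv4 export and import by route target, added to illustrate this post and the "additive" remark in the previous one (it is not vendor code). Two things it shows: MP-BGP carries RD, prefix and extended communities but never the VRF name, so a mistyped name on one PE changes nothing as long as RD and RTs line up; and an export map's `set extcommunity rt ... additive` appends a target, whereas the non-additive form replaces the VRF's export list, which silently drops the route from the hub. All VRF names, RDs and RTs are constructed.

```python
"""Toy model of VRF route-target export/import (not vendor code).

Assumptions: a route is imported when any of its RTs is in the VRF import
list; an export map with 'additive' appends RTs to the configured export
list, without it the set clause replaces the list.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class VpnRoute:
    rd: str                     # route distinguisher, keeps overlapping prefixes apart
    prefix: str
    route_targets: FrozenSet[str]


@dataclass
class Vrf:
    name: str                   # locally significant only; never sent in MP-BGP
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    local_prefixes: List[str] = field(default_factory=list)
    table: Dict[str, VpnRoute] = field(default_factory=dict)


def export_routes(vrf: Vrf, set_rts: Optional[Iterable[str]] = None,
                  additive: bool = False) -> List[VpnRoute]:
    """Build the VPNv4 routes a PE would originate for this VRF.  set_rts
    models an export map's 'set extcommunity rt'; additive decides whether
    it appends to or replaces the VRF's export list."""
    rts = set(vrf.export_rts)
    if set_rts is not None:
        rts = (rts | set(set_rts)) if additive else set(set_rts)
    return [VpnRoute(vrf.rd, p, frozenset(rts)) for p in vrf.local_prefixes]


def import_routes(vrf: Vrf, vpn_routes: Iterable[VpnRoute]) -> List[str]:
    """Install every route sharing at least one RT with the import list;
    return the prefixes now in the VRF table."""
    for route in vpn_routes:
        if route.route_targets & vrf.import_rts:
            vrf.table[route.prefix] = route
    return sorted(vrf.table)


def central_services(additive: bool):
    """Customer VRF exports to a hub and, through an export map, also to a
    CGNAT service VRF.  Returns (hub prefixes, cgnat prefixes)."""
    cust = Vrf("CUST-A", "65000:1", {"65000:100"}, {"65000:1"}, ["192.0.2.0/24"])
    hub = Vrf("HUB", "65000:100", {"65000:100"}, {"65000:100"})
    # Spelled differently on the receiving PE: only RD and RTs take part.
    cgnat = Vrf("cgnat-typod", "65000:900", {"65000:900"}, {"65000:900"})
    exported = export_routes(cust, set_rts={"65000:900"}, additive=additive)
    return import_routes(hub, exported), import_routes(cgnat, exported)


if __name__ == "__main__":
    print("additive:", central_services(True))
    print("replace: ", central_services(False))
```

The non-additive run is the failure mode worth remembering: the CGNAT VRF still sees the route, so the service looks fine, while the hub quietly loses it.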
Re: [c-nsp] new ASR9901 ios update problem
Btw, good job, and thanks Jürgen for the informative and detailed instruction on XR upgrade.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron Gould
Sent: Tuesday, October 29, 2019 10:23 AM
To: c...@marenda.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] new ASR9901 ios update problem

You just gave me another reason to like Juniper :|

-Aaron
Re: [c-nsp] new ASR9901 ios update problem
You just gave me another reason to like Juniper :| -Aaron
Re: [c-nsp] new ASR9901 ios update problem
It got jumbled ... I'll try again...

admin install add disk1:asr9k-mgbl-px.pie-4.3.4 disk1:asr9k-mpls-px.pie-4.3.4 disk1:asr9k-mini-px.pie-4.3.4 disk1:asr9k-fpd-px.pie-4.3.4 synchronous

admin install activate disk0:asr9k-mgbl-px-4.3.4 disk0:asr9k-mpls-px-4.3.4 disk0:asr9k-mini-px-4.3.4 disk0:asr9k-fpd-px-4.3.4 synchronous

(after reboot occurs)

admin install commit
Re: [c-nsp] new ASR9901 ios update problem
Unsure about ASR9901 running 6.5.2... but I just now upgraded ASR9006 from 4.1.2 to 4.3.4

The process is pretty much...

admin install add ...
admin install activate ...
admin install commit

...that's pretty much it in simplest terms... (I'll say I don't fully understand all the caveats and nuances with bridge smu's, time expiry issue, bug fix smu packages, bundle all pie's into a tar ball, etc,etc)... But in its simplest form, that's it.

admin install add disk1:asr9k-mgbl-px.pie-4.3.4 disk1:asr9k-mpls-px.pie-4.3.4 disk1:asr9k-mini-px.pie-4.3.4 disk1:asr9k-fpd-px.pie-4.3.4 synchronous

admin install activate disk0:asr9k-mgbl-px-4.3.4 disk0:asr9k-mpls-px-4.3.4 disk0:asr9k-mini-px-4.3.4 disk0:asr9k-fpd-px-4.3.4 synchronous

(after reboot occurs)

admin install commit

You may have other pies you require, just add them into the list above.

I had issues with tftp, so I simply ftp'd the files into disk1 and executed install from that location

I had issues with a clock and also fpd, simply set the clock to something like 2009 and add that fpd pie. That's what I did, worked.

- Aaron
Re: [c-nsp] Inter-VRF with NAT
We have lots of zyxel's and manage all of them with their public address. Why don't you just do that?

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Sunday, August 18, 2019 3:14 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Inter-VRF with NAT

> Hi Mike,
>
> I'm not sure I've understood your network topology to be honest. Are you
> saying that you have Cisco devices with a single WAN link that doesn't
> support logical separation such as VLANs, e.g. ADSL [1] to run multiple VRFs
> over different VLANs, e.g. internet in global routing table over VLAN 10,
> management VRF over VLAN 20 etc? And you basically want multiple VRFs between
> the CPE and it's gateway (BNG/LNS/PE) so that you don't have to NAT your
> management traffic or need layer 2 connectivity to every CPE?

My cpe devices are typically zyxel. On the wan interface of these devices, we usually have one service which is customer internet access (pppoe or dhcp), and then another service which is mapped at either a different vlan or a different vci/vpl, which is for management (and it's always dhcp). So, from the perspective of the device, it only has one routing table - the global table - and the 'default route' will normally be the internet service gateway. A common short-sightedness in these is that they can't do policy routing, and they can't have a separate routing table where management network traffic uses a gateway different than the internet service gateway.

The broadband aggregation router will have layer 2 to the subscriber. So, vlan 10 would service pppoe/dhcp to the internet, while vlan 20 would be management traffic. I would like to have vlan 20 in a separate vrf, and I would like to be able to assign it an ip address (172.16.1.1), and I want to hand out addresses to the cpe in the range of 172.16.1.x. But, because the CPE are braindead, I need to arrange things so management access to the cpe all appear to come from 172.16.1.1. That way, the devices won't need to consult the routing table for a gateway and will instead simply arp for the 172.16.1.1 as it's on the same l3 network segment. This is the only way to deal with devices that don't know the correct gateway back.

The only way I know how to accomplish this is with nat, unless there was some other socks type proxy on my asr1000 I don't know about.

Mike-
Re: [c-nsp] ASR 920 Replacement
Why are we worried about XR boot times ?

RP/0/RSP0/CPU0:g-9k#sh ver | in "uptime|IOS"
Thu Jun 27 14:20:49.013 CDT
Cisco IOS XR Software, Version 4.1.2[Default]
g-9k uptime is 5 years, 14 weeks, 3 days, 12 hours, 10 minutes

RP/0/RSP0/CPU0:c-9k#sh ver | in "uptime|IOS"
Thu Jun 27 14:20:55.287 CDT
Cisco IOS XR Software, Version 4.1.2[Default]
c-9k uptime is 5 years, 21 weeks, 4 days, 44 minutes

-Aaron
Re: [c-nsp] XRv (eve-ng)
XRv9k -aaron
Re: [c-nsp] XRv (eve-ng)
Have you all been able to use EVE-NG ? My gosh, what an awesome emulator.

I have eve-ng running...
XRv
vMX
vQFX

(this might end up being a much larger topic) BTW, Why does Juniper do what appears to be such a better job with CP/FP (control plane/forwarding plane) separation ? I'm speaking about XR and Junos and also how clean Junos vMX seems to be done as I work with it in EVE-NG when compared to XRv. XRv is still one node. vMX is 2 nodes... VCP and VFP.

Also, in XRv I can't add martini-type access pw's into an l2vpn nor can I add routing on a BVI..... but, conversely I can do all those things in vMX

As nice as XR(v) is, it still seems to be playing catch-up to (v)MX. Is this true in your mind ?

Stepping away from the eve-ng emulator for a moment, over the years of working with XR I was so pleased with how it improved upon classic IOS.... But then I began working with Junos a few years ago, and wow, it seemed to take routing os to a whole other level than XR did... again, this could be in my head, but curious what others think, IF, you have actually done enough work on both platforms to know enough to speak to it.

-Aaron
Re: [c-nsp] A9K-VSM-500
my personal notes from testing vsm-500 from a few years ago...

***

my testing showed good with pings, BUT TERRIBLE and NON-existent web surfing until changing MTU of vnics from 1514 to 9216

interface TenGigE0/3/1/0
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/1
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/2
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/3
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/4
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/5
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/6
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/7
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/8
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/9
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/10
 description vsm
 mtu 9216
!
interface TenGigE0/3/1/11
 description vsm
 mtu 9216

--

also i have a document but i can't find it online anywhere... it's titled "ASR9K CGv6 on VSM troubleshooting guide"

there is a section subtitled..."3. VSM packet flow troubleshooting"

NOTE 1 : Be aware about CSCuo63064 which explains the packet drops for packets which are supposed to be fragmented on VSM
Symptom: Packets requiring fragmentation are silently dropped with DROP_FRM_FRM_ERR_XAUI9 error count
Conditions: Observed with NAT44 on VSM with packet sizes above 1514 bytes.
Workaround: Increase the interface MTU on the VSM physical interfaces to match the ingress interface
More Info: For better NAT44 performance, Cisco recommends keeping the default physical interface MTU
This one is targeted to be fixed in 5.2.2 XR release

NOTE 2: Be aware about default MTU for ServiceApp interfaces
in 5.1.3 and 5.2.0: MTU is 1514 (not configurable)
in 5.2.2: ServiceApp interface will be set by default to Jumbo frame size (not configurable)

CSCuo63064
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo63064

-Aaron
[c-nsp] ME3600 - ping drop seen
I have an ME3600 running 15.4(3)S3, and I saw a systematic drop on pings, making me think there was some sort of built-in control plane protection.

(pinging the ME3600 from a remote device)
!!!.!.!!!.!!!.!!!.!!!.
!!!.!!!.!!!.!!!.!!!.

I downgraded it to 15.2(4)S5 and no longer see the drops.

(pinging the ME3600 from a remote device)
!!
!!
!!

Is there somewhere I could've seen these drops in a counter somewhere? Or a way to enable/disable that behavior?

-Aaron
Re: [c-nsp] IS-IS as PE-CE protocol
The only place I run bgp on pe-ce is for internet uplinks... (junos)

I use a few options to make it work...

- peer-as 123
- local-as 456
- local-as private
- local-as no-prepend-global-as

That works for me.

-Aaron

From: Nathan Lannine [mailto:nathan.lann...@gmail.com]
Sent: Thursday, March 21, 2019 8:11 AM
To: Aaron Gould
Cc: Michael Hallgren; Mark Tinka; Cisco-nsp
Subject: Re: [c-nsp] IS-IS as PE-CE protocol

On Thu, Mar 21, 2019 at 9:02 AM Aaron Gould wrote:
> Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is natural and automatic true ?
>
> -Aaron

As an implementer of MPLS/L3VPN in the enterprise, this is very interesting to me because I am all IGP internally. I sort of assumed that in the provider space that L3VPNs would be accomplished the same way, with an IGP as PE-CE protocol for L3VPN, but here we are.

So, in the case of BGP as PE-CE protocol and a small client AS, do you all in the provider space require multiple private ASNs per VPN? I mean (blatant free training request here) how does this get handled by the VPN customer? Just navel gazing here, but I am wondering if there would be any benefit to me running BGP as my own PE-CE protocol.

Thank you,
Nathan
Re: [c-nsp] IS-IS as PE-CE protocol
Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is natural and automatic true ? -Aaron
Re: [c-nsp] UDP/0 ACL IOSXR issue?
Unsure about xr and be-specific acl treatment... however I do recall BVI-related acl's having issues either in or out... don't recall, been a while...

...in my newer juniper platform, I'm blocking the heck out of udp/0... geez, there's a lot of volumetric attacks coming on that port... and 389 and 53 and 123

- Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bryan Holloway
Sent: Friday, February 8, 2019 1:38 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] UDP/0 ACL IOSXR issue?

Anyone aware of any issues with filtering destination UDP/0 at ingress points on IOS XR?

We're running 5.3.4 SP8 and have telemetries to help us RTBH when the need arises. UDP/0 is a well-known vector for this sort of attack.

However, what I'm seeing is that packets seem to be getting past our ACLs even though we are explicitly denying them. "hardware counters" seem to corroborate that we're getting matches.

... and yet we're still seeing the traffic beyond the ingress.

Curious if anyone else has seen this. Our egress-facing interface is a BE, if it matters ...
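A toy ACL evaluator for the "matches, yet traffic still gets through" symptom in Bryan's post, added here as an illustration (not Cisco code, and not a model of any particular IOS XR release). It encodes, as an assumption about the platform, the fragment rule Cisco documents for classic IOS ACLs: an entry carrying Layer 4 information cannot be checked against a non-initial fragment (there is no UDP header in it), so such a fragment is passed by a `permit` entry and falls through a `deny` entry to the next line. Flow telemetry commonly reports those non-initial fragments as port 0, so a `deny udp any any eq 0` line can show hardware matches on the initial fragments while the remaining fragments of each datagram still get through; an entry with the `fragments` keyword is what catches them. The two ACLs and the packets are constructed.

```python
"""Toy evaluator for Cisco-style ACLs with IP fragments (added example).

Assumed rule (Cisco's documented classic-IOS behaviour, taken here as
applying to the platform in the thread): an ACE with Layer 4 information
permits a non-initial fragment if it is a 'permit' and is skipped if it is
a 'deny'; an L3-only ACE applies to every fragment; an ACE with the
'fragments' keyword matches only non-initial fragments.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "udp", "tcp", "icmp", ...
    dport: Optional[int]            # None when the packet carries no L4 header
    noninitial_fragment: bool = False


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # "any" or a CIDR
    dst: str
    dport: Optional[int] = None     # models "eq <port>"
    fragments: bool = False         # models the 'fragments' keyword


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def ace_result(ace: Ace, pkt: Packet) -> Optional[str]:
    """Action this entry yields for the packet, or None to fall through."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return None
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return None
    if ace.fragments:                       # only non-initial fragments match
        return ace.action if pkt.noninitial_fragment else None
    if ace.dport is None:                   # L3-only entry: applies to all fragments
        return ace.action
    if pkt.noninitial_fragment:             # L4 entry vs. non-initial fragment
        return "permit" if ace.action == "permit" else None
    return ace.action if pkt.dport == ace.dport else None


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        result = ace_result(ace, pkt)
        if result is not None:
            return result
    return "deny"                           # implicit deny at the end


# The ingress filter as the thread describes it, then a corrected version.
ACL_WEAK = [Ace("deny", "udp", "any", "any", dport=0),
            Ace("permit", "ip", "any", "any")]
ACL_FIXED = [Ace("deny", "udp", "any", "any", fragments=True),
             Ace("deny", "udp", "any", "any", dport=0),
             Ace("permit", "ip", "any", "any")]

# Constructed traffic: an initial UDP/0 packet, a non-initial fragment that
# follows it, and an ordinary DNS reply that must keep working.
UDP0_INITIAL = Packet("198.51.100.7", "203.0.113.10", "udp", dport=0)
UDP0_FRAGMENT = Packet("198.51.100.7", "203.0.113.10", "udp", dport=None,
                       noninitial_fragment=True)
DNS_REPLY = Packet("192.0.2.53", "203.0.113.10", "udp", dport=53)


def summary(acl: List[Ace]) -> Dict[str, str]:
    """Verdict per sample packet for one ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in
            [("udp0_initial", UDP0_INITIAL), ("udp0_fragment", UDP0_FRAGMENT),
             ("dns_reply", DNS_REPLY)]}


if __name__ == "__main__":
    print("weak :", summary(ACL_WEAK))
    print("fixed:", summary(ACL_FIXED))
```

The `fragments` line is a trade-off rather than a free fix: it drops every non-initial UDP fragment, including those of legitimate large DNS/EDNS answers and other fragmented UDP, so the hardware counters on that entry are worth watching for a while before it stays in the ingress filter.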
Re: [c-nsp] segment routing/evpn on ASR920
Ummm, that too. LOL

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James Bensley
Sent: Wednesday, January 30, 2019 9:05 AM
To: Tom Ammon; Cisco-nsp List
Subject: Re: [c-nsp] segment routing/evpn on ASR920

On Wed, 30 Jan 2019 at 02:36, Tom Ammon wrote:
>
> Has anybody tried running segment routing on ASR920? If so, did you run in to any caveats? What about EVPN over segment routing on that platform? The SR configuration guide for this platform lists segment routing, but doesn't call out EVPN specifically - it only lists VPLS and L2VPN.
>
> Tom

Hi Tom,

Last I spoke to the ASR920 BU (Q4 last year) EVPN was still a roadmap feature and SR was only just being released so I assume it's bug central at this point in time.

Cheers,
James.
Re: [c-nsp] segment routing/evpn on ASR920
I read that SR/SPRING is an alternative to LDP or RSVP... seems that SR/SPRING is a label distribution protocol. Meaning, in my mind, it's a way to learn labels... MPLS labels I guess.

If so, would we refer to EVPN as EVPN-SR? If so, would it follow that a non-SR network, one that has employed LDP for label learning, with EVPN, would be referred to as EVPN-LDP? I'm not thinking so.

Further, I recall reading that EVPN is control plane, and has a few different options for fwd'ing plane...

EVPN-VXLAN
EVPN-PBB
EVPN-MPLS
...perhaps others...

Tom, I wonder if we/you should look for ASR920 docs/support for EVPN-MPLS in your desire to see if EVPN will work over SR? I could be way off.

-Aaron
Re: [c-nsp] Telemetry real life use cases
What are you all using for a telemetry collector?

-Aaron
Re: [c-nsp] CMs security
My cable modem mgmt and MTA (voice) IPs are on a different subnet than CPE. And we have an ACL on the CMTS to not allow customer IPs to communicate with those CM IPs.

Aaron

> On Jul 29, 2018, at 5:38 PM, ring...@mail.com wrote:
>
> Hi all,
>
> Wondering what do you guys prefer as best practice to block connectivity like ping, http and everything else between CMs (docsis plant)?
>
> How do you do and manage it?
>
> ton
Re: [c-nsp] XRv (eve-ng)
Just to circle back with all of you, my problem with not being able to login to XRv was just a terminal emulator issue. The Windows Telnet window was messing up the root account creation at the beginning when XR boots up, I guess adding a special character and messing it up. On the eve-ng community chat, a guy named Rusty was able to figure it out by just having me use a different terminal... putty and mtputty work fine...

NO root-system username is configured. Need to configure root-system username.
Configuration lock is held by another agent. Please wait.
[.OK]

--- Administrative User Dialog ---

Enter root-system username:
RP/0/RP0/CPU0:Jul 27 15:59:25.628 : smartlicserver[373]: %LICENSE-SMART_LIC-3-COMM_FAILED : Communications failure with Cisco licensing cloud: Communications init failure
% Entry must not be null.
Enter root-system username: xrv
Enter secret:

Use the 'configure' command to modify this configuration.

User Access Verification

Username: xrv
Password:

RP/0/RP0/CPU0:ios#

I'm in now!!

-Aaron
Re: [c-nsp] XRv (eve-ng)
Anyone seen this issue before and know how to fix? Same problem even with XRv Full asr9000 version 6.3.2. I can't login; for some reason it thinks I'm an "unknown" user or something like that. Please note that it does not ask me for a password... as soon as I type the username, it comes back and says "Failed authentication attempt by user '' from 'console'..."

So I see this with XRv versions...

5.1.1
5.3.0
6.3.2

- Aaron

Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): XR control plane: 5120MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): XR packet memory: 128MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Centralized LC: 9216MB RAM
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Data plane core assignment: 2-3
Thu Jul 26 13:35:26 UTC 2018 (/proc/self/fd/9): Control plane core assignment: 0-1

Welcome to the Cisco IOS XRv9k platform
Please wait for Cisco IOS XR to start.
Copyright (c) 2014-2017 by Cisco Systems, Inc.

Cisco IOS XR console will start on the 1st serial port
Cisco IOS XR aux console will start on the 2nd serial port
Cisco Calvados console will start on the 3rd serial port
Cisco Calvados aux will start on the 4th serial port
Telnet escape character is '^Q'.
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^Q'.
init: Unable to create device: /dev/kmsg
mount: can't find /dev in /etc/fstab
mkdir: cannot create directory '/run': File exists
bootlogd: ioctl(/dev/pts/2, TIOCCONS): Device or resource busy
Running postinst /etc/rpm-postinsts/100-dnsmasq...
update-rc.d: /etc/init.d/run-postinsts exists during rc.d purge (continuing)
 Removing any system startup links for run-postinsts ...
  /etc/rcS.d/S99run-postinsts
Configuring network interfaces... done.
Starting system message bus: dbus.
Starting OpenBSD Secure Shell server: sshd
  generating ssh RSA key...
  generating ssh ECDSA key...
  generating ssh DSA key...
  generating ssh ED25519 key...
sshd start/running, process 2150
Starting rpcbind daemon...done.
Starting random number generator daemonUnable to open file: /dev/tpm0
can't open any entropy source
Maybe RNG device modules are not loaded.
Starting system log daemon...0
tftpd-hpa disabled in /etc/default/tftpd-hpa
Starting internet superserver: xinetd.
Libvirt not initialized for container instance
Starting crond: OK
SIOCSIFTXQLEN: No such device
SIOCSIFTXQLEN: No such device

ios con0/RP0/CPU0 is now available.

0/RP0/ADMIN0:Jul 26 13:44:19.747 : wd_memmon[3051]: %INFRA-WD_MEMMON-4-MEM_WARN : Memory usage %: 80, Total memory: 1048576kb, Free memory: 219200kb, State: MINOR, Minor Threshold %: 80

NO root-system username is configured. Need to configure root-system username.

--- Administrative User Dialog ---

Enter root-system username: admin
Enter secret:
% Entry must not be null.
Enter secret:
% Entry must not be null.
Enter secret:
% Entry must not be null.
Enter secret:
Enter secret again:
% Entry must not be null.

Use the 'configure' command to modify this configuration.

User Access Verification

Username:
Username: admin
Password:

RP/0/RP0/CPU0:Jul 26 13:46:02.536 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_RP0_CPU0'

User Access Verification

Username: root
Password:

RP/0/RP0/CPU0:Jul 26 13:46:05.708 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_RP0_CPU0'

User Access Verification

Username: cisco
Password:

RP/0/RP0/CPU0:Jul 26 13:46:09.619 : exec[66886]: %SECURITY-LOGIN-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_RP0_CPU0'
RP/0/RP0/CPU0:Jul 26 13:46:10.120 : exec[66886]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting...

% Authentication failed
[c-nsp] XRv (eve-ng)
Any idea why this is happening? I can boot XRv just fine (5.3.0) but I get a few errors and can't login with the default username (admin) and no password... I get some SAM errors and nvram errors... then logging in with admin, no password, or an account that it *forces* me to create, but they all fail.

-Aaron

..
Section:idt offset:0x006c base:fed185bc
Section:pgdir offset:0x0070
Page Directory d000: PAE
System page at phys:00017000 user:fed15000 kern:fed17000
Starting next program at vfe0419f8
Unable to access "/dev/ser1" (2)

Restricted Rights Legend

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS XR Software for the Cisco XR IOSXRv, Version 5.3.0
Copyright (c) 2015 by Cisco Systems, Inc.

Jul 25 12:19:04.167: Install Setup: Booting with committed software

SAM detects CA certificate(Code Signing Server Certificate Authority,O=Cisco,C=US) has expired. The validity period is Oct 17, 2000 01:46:24 UTC - Oct 17, 2015 01:51:47 UTC.
Continue at risk? (Y/N) [Default: N w/in 10]:
RP/0/0/CPU0:Jul 25 12:19:23.786 : sam_server[352]: %SECURITY-SAM-3-ERROR_2_PARAM : Failed setting I_ BIT on backup file, /disk0/sam_certdb
RP/0/0/CPU0:Jul 25 12:19:38.085 : sam_server[352]: %SECURITY-SAM-4-WARNING : Failed to initialize nvram digest
RP/0/0/CPU0:Jul 25 12:20:24.202 : cfgmgr-rp[152]: %MGBL-CONFIG-3-STARTUP : Configuration Manager could not find any admin configuration to apply from '/disk0:/config/admin/admin.cfg'.

ios con0/0/CPU0 is now available

NO root-system username is configured. Need to configure root-system username.

--- Administrative User Dialog ---

Enter root-system username: admin
Username "admin" is locked, please choose another.
Enter root-system username:
% Entry must not be null.
Enter root-system username: rusty
Enter secret:
% Entry must not be null.
Enter secret:
Enter secret again:
% Entry must not be null.

Use the 'admin' mode 'configure' command to modify this configuration.

Please login with any configured user/password, or cisco/cisco

User Access Verification

Username:
Username: rusty
Password:

RP/0/0/CPU0:Jul 25 12:23:44.338 : exec[65692]: %SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_0_CPU0'

User Access Verification

Username:

User Access Verification

Username:
Username: admin
Password:

RP/0/0/CPU0:Jul 25 12:23:48.008 : exec[65692]: %SECURITY-login-4-AUTHEN_FAILED : Failed authentication attempt by user '' from 'console' on 'con0_0_CPU0'

% Authentication failed
RP/0/0/CPU0:Jul 25 12:23:48.528 : exec[65692]: %MGBL-exec-3-LOGIN_AUTHEN : Login Authentication failed. Exiting..
Re: [c-nsp] OSPF+BGP and MPLS Q's
I was waiting for that, lol

Sort of a long story, as everyone knows, networks usually have a story to tell in order to understand why they are the way they are. If many of us sat back and designed a new network from the ground up, it would be pretty for a day or two, and then eventually grow into something else. If you leave the company and a new guy comes in, he would probably say, "what idiot designed this network" :/ Then when he left the company, someone else would come in and say the same thing about him, lol

Originally I did have a backbone area 0 and a very small MPLS network with core IGP area 1... well, area 1 continued to grow, and area 0 was eventually decommissioned, and now area 1 remains :) I guess I could work through maintenance windows and convert everything to area 0, but I don't feel motivated to do so. Works fine.

Aaron

> On Jul 19, 2018, at 5:34 PM, Nick Cutting wrote:
>
> Quick question as I am clueless on large SP networks (I'm a MSP guy not an ISP guy) - why not area 0.0.0.0?
>
>
> -----Original Message-----
> From: cisco-nsp On Behalf Of Aaron Gould
> Sent: Thursday, July 19, 2018 6:08 PM
> To: ring...@mail.com
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF+BGP and MPLS Q's
>
> If you think your network is going to continue to grow, a dual route reflector cluster is a huge must have in my mind, I love how you can add address families to one neighbor and let it bounce while the other neighbor stays up with all your routes still there
>
> I have run a 100 node single area OSPF (area 0.0.0.1) MPLS/LDP network for several years, I believe in simplicity and only as much complexity as is required for the job
>
>
> Aaron
>
>> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
>>
>> Hi all,
>>
>> I have some practical design questions.
>>
>> 1. Is there a better way of doing the HA than having adjacencies to the router (can be 3 hops away) over two different VLANs and different OSPF cost over trunk links with BFD enabled?
>> 2. Do you find less practical a MPLS network on a multi-area design vs a single-area design?
>> 4. At what point would you introduce RouteReflectors in the network (e.g. when 5, 10, 20 IBGP connections?)
>>
>> Can come up with some more in the meantime ;)
>>
>> Thanks!
>> Ton
Re: [c-nsp] OSPF+BGP and MPLS Q's
If you think your network is going to continue to grow, a dual route reflector cluster is a huge must have in my mind, I love how you can add address families to one neighbor and let it bounce while the other neighbor stays up with all your routes still there

I have run a 100 node single area OSPF (area 0.0.0.1) MPLS/LDP network for several years, I believe in simplicity and only as much complexity as is required for the job

Aaron

> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
>
> Hi all,
>
> I have some practical design questions.
>
> 1. Is there a better way of doing the HA than having adjacencies to the router (can be 3 hops away) over two different VLANs and different OSPF cost over trunk links with BFD enabled?
> 2. Do you find less practical a MPLS network on a multi-area design vs a single-area design?
> 4. At what point would you introduce RouteReflectors in the network (e.g. when 5, 10, 20 IBGP connections?)
>
> Can come up with some more in the meantime ;)
>
> Thanks!
> Ton
Re: [c-nsp] EVPN Book/paper recommendation
Maybe something here

https://forums.juniper.net/t5/Tech-Cafe-Ask-the-Author-MPLS-in/EVPN-advantage-over-L2VPN-VPLS/td-p/291810
http://shop.oreilly.com/product/0636920033905.do
https://www.safaribooksonline.com/library/view/mpls-in-the/9781491905449/ch08.html

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tails Pipes
Sent: Friday, July 13, 2018 7:02 PM
To: Kasper Adel
Cc: Cisco-nsp
Subject: Re: [c-nsp] EVPN Book/paper recommendation

Hi

This is about using EVPN for IXPs, a bit closer.

https://www.trex.fi/2017/Ralf-Korschner-VXLAN-EVPN-in-a-Nuttshell.pdf

Ciao
Rich

On Fri, Jul 13, 2018 at 4:55 PM, Kasper Adel wrote:
> good stuff here, maybe not on the L2VPN part.
>
> https://www.reddit.com/r/networking/comments/8ubqmc/evpn_is_confusing/?st=JIYNSFZA=ba954c8b
>
>
> On Fri, Jul 13, 2018 at 4:42 PM, Sami Joseph wrote:
>
>> Heya
>>
>> I'm looking for book/paper recommendation on EVPN, specially for use-cases in Carrier Ethernet deployments, replacing IETF L2VPN implementation and deployments?
>>
>> I found this book by Ivan Pepen., but it doesn't cover that.
>> https://blog.ipspace.net/2018/06/book-evpn-in-data-center.html
>>
>> THX
>> Sam
Re: [c-nsp] NAT logging ASR1k
You wanna see the Juniper configs for your ASR1006? Not sure why we didn't use netflow. I guess because syslog worked and that's where the docs led me

Aaron

> On Jul 9, 2018, at 2:52 AM, Ring Bit wrote:
>
> Hi Aaron,
>
> Could you post the nat configs?
>
> Why not use Netflow?
>
> Thanks.
> T.
>
>> Sent: Sunday, July 08, 2018 at 10:14 PM
>> From: "Aaron Gould"
>> To: ring...@mail.com
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] NAT logging ASR1k
>>
>> Bulk logging and port block allocation (PBA)?
>>
>> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-bpa.html
>>
>> I do PBA in groups of 100 ports on my CGNAT deployment (juniper) and use syslog to log. Using port block allocation caused the syslogging to slow down significantly
>>
>> Aaron
>>
>>> On Jul 8, 2018, at 10:12 AM, ring...@mail.com wrote:
>>>
>>> Hi everybody,
>>>
>>> Have an ASR 1006 doing NAT translations, it is having around 300k+ and wanted to ask for a recommendation about logging those NAT translations.
>>>
>>> Tried it with a collector via Netflow v9 with the export command "ip nat log translations flow-export v9 udp destination" command the CPU spiked to 100%.
>>>
>>> Is there a recommendation as a workaround or have alternative solution which is easy on resources to those massive NAT translations?
>>>
>>> Thanks,
>>> T.
Re: [c-nsp] NAT logging ASR1k
Bulk logging and port block allocation (PBA)?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-bpa.html

I do PBA in groups of 100 ports on my CGNAT deployment (juniper) and use syslog to log. Using port block allocation caused the syslogging to slow down significantly

Aaron

> On Jul 8, 2018, at 10:12 AM, ring...@mail.com wrote:
>
> Hi everybody,
>
> Have an ASR 1006 doing NAT translations, it is having around 300k+ and wanted to ask for a recommendation about logging those NAT translations.
>
> Tried it with a collector via Netflow v9 with the export command "ip nat log translations flow-export v9 udp destination" command the CPU spiked to 100%.
>
> Is there a recommendation as a workaround or have alternative solution which is easy on resources to those massive NAT translations?
>
> Thanks,
> T.
Re: [c-nsp] XR on GNS3
I used XRv in GNS3. I think I used both 5.1.1 and 5.3.0... I recall getting some good use out of it. I'm not a systems guy, so climbing the learning curve and asking for help from the communities online was what I had to do in order to figure out how to get it to show up inside the GNS3 app (used VirtualBox, and recall ova, vmdk, qemu, etc, etc); then it was useable and working. I also did Juniper Olive/vMX.

A couple of things: I don't think I ever got the Layer 2 forwarding to work. L3 routing worked and packets would flow... but L2 bridging and MPLS Layer 2 type things I don't think I ever got to properly flow. I also would have to bounce interfaces using a batch file anytime I restarted GNS3 or even if I added a new instance of XRv... so because of that, I would never reboot my Windows VM that it was all contained inside and tried not to close the GNS3 app.

-Aaron
Re: [c-nsp] line con 0 as terminal server on Cat6500?
I've actually taken out a little 2600 just to act as a 1-port terminal server for this exact purpose (maybe you can even use an old 2500)

Aaron

> On May 18, 2018, at 6:00 AM, Aaron Gould <aar...@gvtc.com> wrote:
>
> I'm not sure if you can use a console port for connecting to another router's console port, but you can use the auxiliary (aux) port to do that. I've done it many times
>
> Aaron
>
>> On May 18, 2018, at 1:55 AM, Patrick M. Hausen <hau...@punkt.de> wrote:
>>
>> Hi all,
>>
>> last weekend one switch in our VSS pair failed. Redundancy/VSS did work and we kept our connectivity besides a couple of hosts that only have a single uplink and were connected to that particular chassis.
>>
>> When I came to the data centre I found the failed chassis in rommon. A simple "boot" command restored everything to working order.
>>
>> Now to spare me that drive in case that happens again - is it possible to use the console port of a working Catalyst 6500 to act as a terminal server for the other one? We have quite a lot of spare rollover cables ;-)
>>
>> I found these instructions but I think I'm missing something:
>> https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html
>>
>> ip host other 2000 1.2.3.4
>>
>> Core2#telnet 1.2.3.4 2000
>> Trying 1.2.3.4, 2000 ...
>> % Connection refused by remote host
>>
>> I used the real IP address of loopback0, of course.
>>
>>
>> Side note/question: any idea what could cause a Cat6500 VS-S720-10G to fail, reset (I can understand *that*) and then not boot into IOS and stay in rommon?
>>
>> Standby BOOT variable = sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
>> Standby Configuration register is 0x2102
>>
>> Core2#dir slavesup-bootdisk:
>> ...
>> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
>>
>>
>> Thanks!
>> Patrick
>> --
>> punkt.de GmbH        Internet - Services - Consulting
>> Kaiserallee 13a      Tel.: 0721 9109-0 Fax: -100
>> 76133 Karlsruhe      i...@punkt.de   http://punkt.de
>> AG Mannheim 108285   Managing Director: Juergen Egeling
Re: [c-nsp] line con 0 as terminal server on Cat6500?
I'm not sure if you can use a console port for connecting to another router's console port, but you can use the auxiliary (aux) port to do that. I've done it many times

Aaron

> On May 18, 2018, at 1:55 AM, Patrick M. Hausen wrote:
>
> Hi all,
>
> last weekend one switch in our VSS pair failed. Redundancy/VSS did work and we kept our connectivity besides a couple of hosts that only have a single uplink and were connected to that particular chassis.
>
> When I came to the data centre I found the failed chassis in rommon. A simple "boot" command restored everything to working order.
>
> Now to spare me that drive in case that happens again - is it possible to use the console port of a working Catalyst 6500 to act as a terminal server for the other one? We have quite a lot of spare rollover cables ;-)
>
> I found these instructions but I think I'm missing something:
> https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html
>
> ip host other 2000 1.2.3.4
>
> Core2#telnet 1.2.3.4 2000
> Trying 1.2.3.4, 2000 ...
> % Connection refused by remote host
>
> I used the real IP address of loopback0, of course.
>
>
> Side note/question: any idea what could cause a Cat6500 VS-S720-10G to fail, reset (I can understand *that*) and then not boot into IOS and stay in rommon?
>
> Standby BOOT variable = sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
> Standby Configuration register is 0x2102
>
> Core2#dir slavesup-bootdisk:
> ...
> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
>
>
> Thanks!
> Patrick
> --
> punkt.de GmbH        Internet - Services - Consulting
> Kaiserallee 13a      Tel.: 0721 9109-0 Fax: -100
> 76133 Karlsruhe      i...@punkt.de   http://punkt.de
> AG Mannheim 108285   Managing Director: Juergen Egeling
Re: [c-nsp] Multicast in VRF
I wonder if it gets pruned right after the first packet. Maybe you have to do some IGMP config for the underlying Vlan804 receiver segment's L2 interfaces. I'm guessing, as it's been a while since I did much with mcast.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan Gregor
Sent: Monday, March 19, 2018 2:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Multicast in VRF

Hi guys,

I am stumped by a multicast issue on one of my 6500 switches running s72033-adventerprisek9-mz.151-2.SY11.bin code. Actually it is two 6500s in VSS, but it should not matter, correct me if I am wrong.

The topology is fairly simple, a source is connected to one VLAN on 6500, then the receiver is on another VLAN on the same 6500. Both VLANs are in the same VRF. Both VLANs are configured for PIM Sparse mode. Multicast routing is enabled for the VRF.

Relevant config:

vrf definition TEST
 rd 65000:803
 !
 address-family ipv4
 exit-address-family
!
ip multicast-routing
ip multicast-routing vrf TEST
!
ip pim vrf TEST rp-address 10.0.0.1
!
interface Vlan803
 description SOURCE
 vrf forwarding TEST
 ip address 10.0.0.1 255.255.255.0
 ip pim sparse-mode
 arp timeout 300
!
interface Vlan804
 description RECEIVER
 vrf forwarding TEST
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-mode
 load-interval 30
 arp timeout 300

I see multicast routing entries in the mroute table for the VRF increasing:

sh ip mroute vrf TEST
...
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.2.196), 00:24:57/stopped, RP 10.0.0.1, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan804, Forward/Sparse, 00:24:57/00:02:40

(10.0.0.11, 239.192.2.196), 00:24:57/00:02:57, flags: T
  Incoming interface: Vlan803, RPF nbr 0.0.0.0, RPF-MFD
  Outgoing interface list:
    Vlan804, Forward/Sparse, 00:24:57/00:02:40, H

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1503, Packets received: 1503
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.0.0.11/32, Forwarding: 1503/1/84/0, Other: 1503/0/0

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1510, Packets received: 1510
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.0.0.11/32, Forwarding: 1510/1/84/0, Other: 1510/0/0

I am testing it by running ping on the source "ping -t 64 239.192.2.196". I see packets leaving the source as verified by tcpdump. However packets are not making it to the receiver as verified by tcpdump. Funny thing is that when I clear the mroute table on the switch by issuing "clear ip mroute vrf TEST *" I receive EXACTLY ONE ping packet on the receiver, then again nothing:

20:17:02.576050 IP 10.0.0.11 > 239.192.2.196: ICMP echo request, id 11724, seq 625, length 64

Any pointers would be greatly appreciated.

Best regards,
Jan Gregor
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Thanks y'all, to be clear, are you saying "...VPLS. Segment Routing..." you view those as fad technologies? ...or the opposite?

Yeah, I remember working for the US Navy in San Diego in 1999 and sitting in a class taught by a vendor-provided SE, FORE Systems. The class was about, yep you guessed it with the mention of the vendor (FORE)... class was on ATM... LANE... etc. You may recall that in the late 90's, early 2000's, ATM was going to save the world. At one point in the class, the instructor paused and made a seemingly prophetic statement... he said, all this ATM stuff is new and great and all that, but he then erased the board and said this will all be superseded by this technology in the next several years... and he wrote 4 letters on the board... M-P-L-S... then we all stared at him and didn't know what he was talking about, because ATM was new and awesome and we were completely taken up in the latest 20 million dollar US Navy ATM-to-the-desktop project... And also, we had no idea what he was talking about with MPLS... Then he erased those 4 letters and went back to talking about LECS, LES, BUS, LEC operations in LANE ELANs... K LOL...

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
As my teenage son would say, "bet"!

-Aaron

--

Heck yeah, pair of cheapest ASR920 at each end and PWs between the DCs and you're done.

adam
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
So I think (I could be wrong as I'm not a server guy) that all this L2 network emulation is because of server virtualization and moving VMs or vMotion or something like that, and that they need to be in the same IP subnet (aka bcast domain), correct?

*if* that's true, and *if* all this layer 2 networking madness is because of that point stated above, I would think that someone (vendors/standards bodies/companies) would/should be working really hard to make that server stuff work in different bcast domains (different subnets)... so we wouldn't have to do all that L2 stuff

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Ha, thanks Justin, I just read the answer to my question I just posted... OTV is Cisco proprietary. Is OTV gaining steam in the industry as a potential IETF standard?

Interesting things you mention about assigning ASICs, and linecard dependencies...

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Thanks, so is OTV Cisco proprietary?

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
Thanks.

"With regards to the load-sharing in L2 - problem is you'll never get IP like load-sharing in L2 since Ethernet is fundamentally flawed in this regard as it just can't associate same mac address with two ports."

I thought with BGP MAC routes in EVPN, you could engineer traffic with the same knobs used in BGP IP routes?

I thought with EVPN, you could have active-active multi-homed forwarding across 2 ports, 2 CEs?

-Aaron
Re: [c-nsp] Multihomed OTV on CSR Lab - Mac Address Issue
I'm just trying to learn about OTV as I haven't heard much about it... is OTV an IETF standard?

Also, I wonder why I would use one of these (EVPN, VXLAN, OTV) over the other? Let me know if those 3 don't belong in the same comparison family.

I just watched a Cisco video and see that the OTV AED (authoritative edge device) is only one, so I guess the multiple active-active forwarders which EVPN brags about can't be done in OTV?

Also, I see OTV is GRE encapsulated, and I hear that VXLAN is UDP encapsulated, and EVPN, I forget, but I think is just EoMPLS, so I guess VXLAN or OTV can be done over non-MPLS clouds?... maybe these are things that would push me/others in one direction or the other when choosing an L2-emulation mechanism for DC or whatever we need it for.

- Aaron
Re: [c-nsp] ip vrf autoclassify source - loss of connectivity to hosts
What is this syntax? Is this an IOS command?

Cisco-AVpair = "ip:vrf-id=VRF1"

- Aaron
Re: [c-nsp] me3600 ospf %100 cpu blowup
OSPF neighbors won't come up either with different MTUs.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Monday, January 15, 2018 8:00 AM
To: Aaron
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] me3600 ospf %100 cpu blowup

On 14/Jan/18 17:36, Aaron wrote:
> Size of the ospf table

Been a long while since I ran OSPF in production - but I know IS-IS tests the MTU as adjacencies are built, and won't work unless PDUs are sent unfragmented across the wire.

Mark.
Re: [c-nsp] me3600 ospf %100 cpu blowup
I had something similar happen to me a couple months ago, and posted it here...

[c-nsp] ospf database size - affects that underlying transport mtu might have
https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg65794.html

- Aaron
Re: [c-nsp] ip vrf autoclassify source - loss of connectivity to hosts
This "ip vrf autoclassify source" feature looks to be a very nice auto-PBR solution for allowing multiple VRFs on one interface! I'd like to know if anyone has used it, particularly in the cable modem world... on Cisco uBR7246VXR, uBR10k, cbr8.

-Aaron
Re: [c-nsp] me3600 ospf %100 cpu blowup
I'll take a stab at it... Show log... (prior to reboot, so you may need to look at syslog...)

If you see NILE ASIC errors of some sort, I recall TAC telling me there isn't a fix and a reboot is required. :|

I recall the NILE ASIC thing being L2VPN related, so I dunno about the OSPF thing.

-Aaron
[c-nsp] ip vrf autoclassify source - loss of connectivity to hosts
On occasion I'm seeing loss of connectivity to test hosts that are part of a subnet belonging to a vrf autoclassify subnet. Below I show the interface and the vrf autoclassify commands. 10.145.255.0/24 is source-classified into vrf "three".

A couple times over the last few weeks I've seen loss of connectivity to a host. I looked closer today and saw 2 hosts with this problem, and noticed that the cef vrf three entries for those 2 broken hosts were missing from the cef vrf three table.

What might be causing this? Has anyone had a problem like this at all, or more particularly with using the vrf autoclassify feature?

I tried to recreate the problem by simply deleting the cef entry. This causes loss of connectivity to the host, but 10-25 seconds later the entry is back in the cef vrf table and connectivity is good again. However, during the time of the actual observed problem, connectivity was only restored when I removed the dhcp config from the host and reapplied it, which I'm guessing generated enough traffic, or a certain traffic type, to cause the cef table to repopulate, and connectivity was good again.

interface Bundle1
 vrf forwarding one
 ip vrf autoclassify source
 ip dhcp relay information trusted
 ip address 111.222.111.225 255.255.255.248 secondary
 ip address 10.13.254.1 255.255.255.0 secondary
 ip address 10.255.2.1 255.255.255.0 secondary
 ip address 10.145.255.1 255.255.255.0 secondary vrf three
 .

cmts0.test#sh ip cef vrf three | in 10.145.
10.145.254.1/32      receive          Loopback100
10.145.255.0/24      attached         Bundle1
10.145.255.0/32      receive          Bundle1
10.145.255.1/32      receive          Bundle1
10.145.255.2/32      attached         Bundle1
10.145.255.220/32    attached         Bundle1
10.145.255.255/32    receive          Bundle1

cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2
cmts0.test#cle arp vrf three 10.145.255.2

cmts0.test#sh ip cef vrf three | in 10.145.
10.145.254.1/32      receive          Loopback100
10.145.255.0/24      attached         Bundle1
10.145.255.0/32      receive          Bundle1
10.145.255.1/32      receive          Bundle1
10.145.255.220/32    attached         Bundle1
10.145.255.255/32    receive          Bundle1

(about 10-25 seconds later, 10.145.244.2 is back in the cef table and is once again pingable)

cmts0.test#sh ip cef vrf three | in 10.145.
10.145.254.1/32      receive          Loopback100
10.145.255.0/24      attached         Bundle1
10.145.255.0/32      receive          Bundle1
10.145.255.1/32      receive          Bundle1
10.145.255.2/32      attached         Bundle1
10.145.255.220/32    attached         Bundle1
10.145.255.255/32    receive          Bundle1

- Aaron
Re: [c-nsp] Cisco Supply Chain issues in Amsterdam?
We had a supply chain issue a while back with Cisco; we use more Juniper gear now. :| ...options are good.

- Aaron
Re: [c-nsp] Cisco 3750G backplane throughput
But while I'm thinking about it... What in the heck are you doing using a 3750 for uplink to provider!! LOL (Just kidding, I couldn't resist)

- Aaron
Re: [c-nsp] ospf database size - affects that underlying transport mtu might have
Cisco TAC didn't want to do ignore-mtu because I think they said there was something else further in the neighborship process that must have a sufficient transport MTU to work... so we had to shrink the endpoint MTUs where the neighbors were located (my Cisco ASR901 at the cell tower site, and my Cisco ASR9006 at my core... everything in the middle was 3 different 3rd parties transporting my 901 and 9k via layer 2).

-Aaron
[c-nsp] ospf database size - affects that underlying transport mtu might have
This is a *single area* OSPF environment that has been stable for years... but now suddenly is having issues with new OSPF neighbor adjacencies, which are riding a 3rd party transport network.

Anyone ever experienced anything strange with underlying transport network MTU possibly causing OSPF neighbor adjacency to be broken? I'm asking if the underlying 3rd party transport layer 2 network has a smaller MTU than the endpoint OSPF IP interfaces have, could this cause those OSPF neighbors to not fully establish?

...and I'm also asking this if the single OSPF area has grown large enough to cause some sort of initial database packet to be larger than the underlying 3rd party MTU is providing.

-Aaron
Re: [c-nsp] cisco ip nat question
You may be able to accomplish it with proxy ARP and not have to NAT. I recall proxy ARP will allow hosts to ARP for everything, and the router will ARP-reply to any and all ARPs on the subnet with its own MAC address.

-Aaron
Re: [c-nsp] Juniper MX240 & MX480
The thing that caused me to evaluate replacing my ASR9k 15-node network was when Cisco told me that if I replaced my RSP-4G routing engine with the newest one, all my 1st gen Trident linecards would stop working. :| So since I had to fork-lift everything, I thought it was time to re-eval what is out there. We needed CGNAT also. We decided to go with MX960s with MS-MPCs in them, and MPC-7E linecards with QSFP28 interfaces for building a 100 gig MPLS core. I liked the Juniper CGNAT better than the Cisco ASR9000 VSM-500.

- Aaron
Re: [c-nsp] Juniper MX240 & MX480
Dang, MX204 has possible (4) 100 gig interfaces... 1RU! (I heard something about Juniper Summit or Vale a while back... maybe that's these 150 and 204)
https://www.juniper.net/us/en/products-services/routing/mx-series/compare?p=MX204

Someone is already using them, guessing a Facebook FNA caching site...
http://new.commverge.com/Announcements/tabid/83/EntryId/176/CommVerge-Hong-Kong-deploys-Juniper-MX-204-Routing-Switch-in-Facebook-Hong-Kong-Site.aspx

I read something about MPLSoUDP, VXLAN, EVPN, SR-MPLS and SRv6... seems like it does newer stuff.

Yeah, this is the wrong list... hey, y'all started it, lol

-Aaron
Re: [c-nsp] config example xconnent between ASR9K and 6500
Please send this output...

show run l2vpn bridge group BG_MST_VALLE bridge-domain BD_MST-VALLE-VLAN-70

- Aaron
Re: [c-nsp] config example xconnent between ASR9K and 6500
On the ASR9k, send the error during commit and then also the "show configuration failed" output.

That looks like a manual LDP-based VPLS config. Are you trying to do manual LDP VPLS on a 6500?

-Aaron
Re: [c-nsp] config example xconnent between ASR9K and 6500
What is Smart Edge?

-Aaron
Re: [c-nsp] config example xconnent between ASR9K and 6500
Oh ok, I think I see what you mean. So if you configure a PW with a static label, then does that mean you have to handle the PW on the next hop device or otherwise statically map the LSP at every hop along the way?

I've always done end to end dynamic PWs... so I'm very familiar with MTU drama, soft (control plane) and hard (forwarding plane).

-Aaron
Re: [c-nsp] config example xconnent between ASR9K and 6500
Thanks Curtis. Are you saying that MTUs only matter if you force a static MPLS label?

-Aaron
Re: [c-nsp] config example xconnent between ASR9K and 6500
I put the MTU show commands below, because we all know how much MTU is a gotcha in MPLS L2VPNs...

** 9k...

interface Loopback0
 ipv4 address 10.101.0.15 255.255.255.255

interface TenGigE0/0/0/1.103 l2transport
 description eline - company-a
 encapsulation dot1q 2995
 rewrite ingress tag pop 1 symmetric
 mtu 1518
 l2protocol cpsv tunnel

l2vpn
 xconnect group eline
  p2p company-a
   interface TenGigE0/0/0/1.103
   neighbor ipv4 10.101.44.2 pw-id 2995

verify

sh l2v xcon group eline xc-name company-a
sh l2v xcon group eline xc-name company-a detail
sh l2v xcon group eline xc-name company-a detail | in MTU

** Sorry I don't have a 6500, but if a 6500 is like an IOS-based ME3600 then

interface Loopback0
 ip address 10.101.44.2 255.255.255.255

interface GigabitEthernet0/5
 description eline - company-a
 switchport trunk allowed vlan none
 switchport mode trunk
 load-interval 30
 service instance 1 ethernet
  encapsulation default
  l2protocol tunnel
  xconnect 10.101.0.15 2995 encapsulation mpls
   mtu 1500

verify...

sh xcon int g0/5
sh mpls l2 vc interface g0/5
sh mpls l2 vc interface g0/5 detail
sh mpls l2 vc interface g0/5 detail | in MTU

- Aaron Gould
Re: [c-nsp] ISIS/BFD Monitoring
Kiwi syslogd or maybe Splunk

-Aaron
Re: [c-nsp] OSPF equal cost load balancing
In my MPLS cloud I usually would LAG dual GigEs together to feed my PE boxes with more bandwidth. Worked well for me.

-Aaron
Re: [c-nsp] OSPF equal cost load balancing
I just read this. I wonder if it applies.
https://www.cisco.com/en/US/products/hw/modules/ps2033/prod_technical_reference09186a00800afeb7.html

How CEF load balancing works

"... If the destination is on a remote network reachable via a next hop router, the entry in the route cache is consisting of the destination network. If parallel paths exist this does not provide load balancing, as only one path would be used. ..."

-Aaron
Re: [c-nsp] OSPF equal cost load balancing
Are you doing a 2-port etherchannel between the 920 and 3600? Asking since you seem to be asking a question about etherchannel load balancing and hashing...

...or...

Are you doing 2 separate layer 3 subnets between the 920 and 3600? Asking since your subject heading implies so (OSPF equal cost LB).

...you might be confusing/mixing 2 different subjects and how-tos in the same explanation.

I think you mentioned the 920 is network side and the 3600 is closer to the customer... if so, please go to the 920 and show a customer route on the 3600 that you wish would load balance, please... sanitize your output to protect the innocent...

show ip route a.b.c.d
show ip arp (of next hop)
If it goes via L2: show mac-address-table address ..

-Aaron
Re: [c-nsp] cisco 3850 eigrp - sending goodbye - can't ping any 224.0.0.10
Thanks Nick. To begin with, please keep in mind this was fine for a year or more, until last night when they replaced a 3750 with a 3850.

They have 6840's, 6509's, 3750's, and 3850's... they are all EIGRP neighbors, fully meshed.

I'm the SP. I provide this customer an MPLS VPLS RFC 4762 (BGP AD w/ LDP sig). (I have a mix of Cisco ME3600's and Juniper ACX5048's providing that VPLS ELAN.) All those Cisco devices mentioned above are the customer edge. On all those CE's is an untagged L3 interface. All those CE interfaces EIGRP neighbor with all others.

I tried on 2 other CE devices and COULD ping 224.0.0.10 and get responses from all other CE's. BUT, on that one 3850 24-port, when I pinged 224.0.0.10, it died immediately with "." one failure, and that's it. Strange.

Yes, I did do a static EIGRP neighbor between the 3850 48-port and the 3850 24-port and the neighbor stayed stable for over 3 minutes (previously, the goodbye EIGRP teardown was happening every 80 seconds).

I don't have access at the moment; it's the customer's gear and they allow me remote access only when they need my help. I told them to take my findings and call the Cisco TAC.

-Aaron
[c-nsp] cisco 3850 eigrp - sending goodbye - can't ping any 224.0.0.10
I was just working with a customer that has a 3850 24-port that continually sends a goodbye TLV every 80 seconds. He also has a 3850 48-port that works fine.

The 3850 24-port can NOT ping 224.0.0.10 at all. The 3850 48-port can ping 224.0.0.10 and gets responses from all the EIGRP neighbors on the VLAN.

Router eigrp 1 configs are the same.

- Aaron Gould
Re: [c-nsp] nfSen / nfDump
netflow

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

On 03/08/17 22:53, Aaron Gould wrote:
> I do 1/512 sample rate on my asr9k's and usually multiply numbers
> gathered in nfsen by 512 to normalize

sflow? Or netflow?
Re: [c-nsp] nfSen / nfDump
We run Nfsen 1.3.6

- Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick Cutting
Sent: Tuesday, August 1, 2017 4:00 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] nfSen / nfDump

Slightly off topic, however related to the solarwinds talks of last week.

Just wondering what versions of nfSen and nfdump you fine people are running - and on what operating system, e.g. debian / red hat etc.

I understand Nfsen has not been updated since 2011 - is this a problem - or is it just that rocksteady?

How comprehensive is the sFlow support - this is one reason we are moving away from solarwinds. (and we got rid of all our CatOS gear - solarwinds was great at CatOS!)

Any input greatly appreciated

Nick Cutting
Re: [c-nsp] nfSen / nfDump
I do 1/512 sample rate on my asr9k's and usually multiply numbers gathered in nfsen by 512 to normalize.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Patrick Cole
Sent: Tuesday, August 1, 2017 6:17 PM
To: Nick Cutting
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

Nick,

Nfsen/nfdump is pretty rock solid. I've been running it for many years without too many dramas. I use a combination of sflow / netflow within our network. The only issue I have is it seems to incorrectly show packet rate for sflow but is fine with netflow (due to the 1 in 1024 sample rate with sflow more than likely - there may be a fix, I haven't spent a lot of time on it).

PC

Tue, Aug 01, 2017 at 08:59:54PM +, Nick Cutting wrote:
> Slightly off topic, however related to the solarwinds talks of last week.
>
> Just wondering what versions of nfSen and nfdump you fine people are running - and on what operating system, e.g. debian / red hat etc.
>
> I understand Nfsen has not been updated since 2011 - is this a problem - or is it just that rocksteady?
>
> How comprehensive is the sFlow support - this is one reason we are
> moving away from solarwinds. (and we got rid of all our CatOS gear -
> solarwinds was great at CatOS!)
>
> Any input greatly appreciated
>
> Nick Cutting

--
Patrick Cole
Senior Network Specialist
World Without Wires
PO Box 869, Palm Beach, QLD, 4221
Ph: 0410 626 630
Re: [c-nsp] Basic IP to Port finding question on Cisco 3850
Yes

3750#sh ip arp 10.101.15.21
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.101.15.21           147  001c.5779.d841  ARPA   Vlan4000

-Aaron
Re: [c-nsp] Nexus 7707 as Internet Edge Router?
Please let me know what y'all mean by this comment regarding *policing on LAGs*. I'm thinking about doing this and would like to know what you mean by that.

-Aaron Gould

"We have refused to use the ASR9000 as an edge router because of how Cisco implement policing on LAG's, in general. However, we use them quite extensively as border and peering routers."
Re: [c-nsp] Basic IP to Port finding question on Cisco 3850
Are you talking about like this?

3750#sh ip arp vlan 4000
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.101.15.1            171  4055.3970.f265  ARPA   Vlan4000
Internet  10.101.15.7            171  0cd5.02c0.cd4c  ARPA   Vlan4000
Internet  10.101.15.16             -  0013.8039.eac1  ARPA   Vlan4000
Internet  10.101.15.21           185  001c.5779.d841  ARPA   Vlan4000

3750#sh mac address-table dynamic | in 4055.3970.f265
4000    4055.3970.f265    DYNAMIC     Gi1/0/26

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, July 26, 2017 11:16 AM
To: cisco-nsp
Subject: [c-nsp] Basic IP to Port finding question on Cisco 3850

I think this is a basic question but Googling has not helped me much, so I'm hopeful someone can shed the clue light on me a bit. I'm trying to find the specific port an IP address is attached to on a 3850 in L3 mode with SVI interfaces. So for example if I do a show arp a.b.c.d I'll get the MAC and the SVI attached. If I do a show VLAN ID X I see the port members but there are many, let's say 10 or more per VLAN. Is there an easy way to detect which port either the IP is received on or the MAC address that is displayed in the show arp? Everything I'm doing seems to show the SVI that's in play but not the specific gig port that the device is attached to and mapped to the VLAN as a member. This seems like the sort of thing that would be easy to figure out but I'm stumped.

Any pointers would be most appreciated.

Thanks and sorry for such a rudimentary question.

Scott
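Scott's question (which access port sits behind an IP that only shows an SVI) comes down to joining the two tables Aaron posted. The following is an added example, not from any list member or from Cisco: it parses "show ip arp" and "show mac address-table" output in the 3750/3850 format shown above and walks the IP -> MAC -> port chain, flagging the cases where the chain breaks (the switch's own SVI address, or a MAC already aged out of the table). The sample tables are the ones posted in this thread, re-aligned into columns.

```python
"""IP -> MAC -> switch port lookup from Cisco IOS CLI output.

Added example (not from the original thread). It joins 'show ip arp' with
'show mac address-table' in the 3750/3850 format posted above. The sample
tables below are those posted in the thread, re-aligned into columns.
"""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Rows from the thread's 'sh ip arp vlan 4000' output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.101.15.1            171  4055.3970.f265  ARPA   Vlan4000
Internet  10.101.15.7            171  0cd5.02c0.cd4c  ARPA   Vlan4000
Internet  10.101.15.16             -  0013.8039.eac1  ARPA   Vlan4000
Internet  10.101.15.21           185  001c.5779.d841  ARPA   Vlan4000
"""

# Row from the thread's 'sh mac address-table dynamic | in 4055.3970.f265'.
SAMPLE_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
4000    4055.3970.f265    DYNAMIC     Gi1/0/26
"""


class ArpEntry(NamedTuple):
    mac: str
    age: Optional[int]   # None when Age is '-': the address belongs to this switch
    interface: str       # e.g. 'Vlan4000'


ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<kind>\S+)\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def parse_arp(text: str) -> Dict[str, ArpEntry]:
    """Return {ip: ArpEntry}; header and non-matching lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            age = None if m["age"] == "-" else int(m["age"])
            entries[m["ip"]] = ArpEntry(m["mac"].lower(), age, m["intf"])
    return entries


def parse_mac_table(text: str) -> Dict[Tuple[int, str], str]:
    """Return {(vlan, mac): port}. MAC entries are VLAN-scoped, so key on both."""
    table: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[(int(m["vlan"]), m["mac"].lower())] = m["port"]
    return table


def find_port(ip: str, arp: Dict[str, ArpEntry],
              mac_table: Dict[Tuple[int, str], str]) -> Tuple[str, Optional[str]]:
    """Resolve an IP to (status, value).

    'port'          value = access port learned for the host's MAC
    'local'         value = the SVI; the IP is this switch's own address
    'routed'        value = a routed (non-SVI) interface; no MAC lookup applies
    'mac-aged-out'  MAC aging (IOS default 300 s) is far shorter than ARP aging
                    (default 4 h), so a quiet host can be in ARP but not in the
                    MAC table; send it some traffic and re-run the lookup
    'no-arp'        the switch holds no ARP entry for that IP at all
    """
    entry = arp.get(ip)
    if entry is None:
        return ("no-arp", None)
    if entry.age is None:
        return ("local", entry.interface)
    m = re.fullmatch(r"Vlan(\d+)", entry.interface)
    if m is None:
        return ("routed", entry.interface)
    port = mac_table.get((int(m.group(1)), entry.mac))
    if port is None:
        return ("mac-aged-out", None)
    return ("port", port)


if __name__ == "__main__":
    arp, macs = parse_arp(SAMPLE_ARP), parse_mac_table(SAMPLE_MAC)
    for host in ("10.101.15.1", "10.101.15.16", "10.101.15.21", "10.101.15.99"):
        print(host, *find_port(host, arp, macs))
```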
Re: [c-nsp] ASR9k LC fib programming problem
Very interesting (concerning). I had a stuck ACL entry the other day on an ASR9006... Blocking outbound traffic in an IPv4 ACL on an interface... removed the /24 I was blocking, still couldn't pass traffic to it... Removed the outbound ACL completely from the interface... commit... reapplied the outbound ACL to the interface... commit. Fixed. Yeah, seemed like a stuck entry somewhere.

I hope you find your stuck routing issue.

-Aaron Gould
Re: [c-nsp] ASR9K - 6PE packets punted to RP
Thanks James... they mention it's the changing of the v6 next-hop from recursive to non-recursive or vice versa that causes an issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo20651

I see 6VPE is also mentioned as possibly affected. Seems like I'm not completely safe since I run 6VPE :|

-Aaron
Re: [c-nsp] ASR9K - 6PE packets punted to RP
I've tested and am running in some places dual-stacked over MPLS L3VPN (6*V*PE)... I haven't seen any problems with 6VPE via my ASR9k's as of yet... just thought I'd let you know in case you could go with 6VPE rather than 6PE and avoid your issues. Just a thought. Sorry I don't have info about 6PE and punting issues.

-Aaron
Re: [c-nsp] STM-1 over MPLS using ASR920
This it?
http://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/mpls/mp-basic-xe-3s-asr920-book/mp-basic-xe-3s-asr920-book_chapter_0111.html#GUID-BF893529-A91C-499C-AE8F-7B13A4AA9A3F

- Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lukas Tribus
Sent: Tuesday, July 11, 2017 10:10 AM
To: George Giannousopoulos; cisco-nsp
Subject: Re: [c-nsp] STM-1 over MPLS using ASR920

Hello Georg,

> Has anyone ever tried to transport transparently STM-1 over MPLS using
> ASR920?
> Can you share your experiences and any issues you have possibly faced?
>
> Consider the following topology
>
> SDH #1 <=> ASR920 #1 <==MPLS==> ASR920 #2 <=> SDH #2
>
> ASR920 supports the A900-IMA4OS which could be one solution.
> It also supports the TSoP Smart SFP

Wondering the same exact thing, did you come to any conclusion about this?

Thanks,
Lukas
[c-nsp] timers on ipv6 routes in IOS
Something I've always liked is seeing the timer on a route, but I'm not seeing this in IPv6 on IOS. IOS XR has timers though. Anyone know an easy way to see the update timer on a v6 route in IOS? ...this is an ME3600 running IOS 15.2(4)S5.

eng-lab-3600-1#sh ip ro vrf one
...
B*    0.0.0.0/0 [200/0] via 10.101.0.2, 1d22h
      10.0.0.0/8 is variably subnetted, 177 subnets, 12 masks
B        10.10.0.0/16 [200/0] via 10.101.4.103, 1d22h
B        10.12.0.0/16 [200/0] via 10.101.8.100, 1d22h
B        10.13.0.0/21 [200/0] via 10.101.4.103, 1d22h
B        10.13.12.0/22 [200/0] via 10.101.8.100, 1d22h
B        10.13.254.0/24 [200/0] via 10.101.12.100, 1d22h
B        10.15.0.0/16 [200/0] via 10.101.4.103, 1d22h
B        10.16.0.0/21 [200/0] via 10.101.16.101, 1d22h
B        10.16.8.0/21 [200/0] via 10.101.16.101, 1d22h
B        10.16.16.0/21 [200/0] via 10.101.16.101, 1d22h
B        10.16.24.0/21 [200/0] via 10.101.16.102, 1d22h
B        10.16.32.0/21 [200/0] via 10.101.16.102, 1d22h
B        10.16.40.0/21 [200/0] via 10.101.16.102, 1d22h
B        10.16.48.0/21 [200/0] via 10.101.8.100, 1d22h
B        10.21.0.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.21.32.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.21.64.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.22.0.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.22.32.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.22.64.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.23.0.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.23.32.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.23.64.0/19 [200/0] via 10.101.0.1, 1d22h
B        10.24.0.0/19 [200/0] via 10.101.0.8, 1d22h
B        10.24.32.0/19 [200/0] via 10.101.0.8, 1d22h

eng-lab-3600-1#sh ipv6 ro vrf one
...
B   ::/0 [200/0]
     via 10.101.0.2%default, indirectly connected
B   1234:1234::/32 [200/0]
     via 10.101.0.7%default, indirectly connected
     via 10.101.0.5%default, indirectly connected
     via 10.101.0.2%default, indirectly connected
B   1234:1234:0:5::/64 [200/0]
     via 10.101.0.254%default, indirectly connected
B   1234:1234:0:50::/64 [200/0]
     via 10.101.0.5%default, indirectly connected
B   1234:1234:0:90::/64 [200/0]
     via 10.101.0.9%default, indirectly connected
B   1234:1234:0:91::/64 [200/0]
     via 10.101.0.9%default, indirectly connected
B   1234:1234:0:92::/64 [200/0]
     via 10.101.0.9%default, indirectly connected
B   2605:6000:0:8::F:8000/127 [200/0]
     via 10.101.0.5%default, indirectly connected
L   FF00::/8 [0/0]
     via Null0, receive

XR shows timers for v6 routes.

RP/0/RSP0/CPU0:9k#sh route vrf one ipv6 unicast
Thu Jun 22 10:27:26.793 CDT
B*   ::/0 [20/41] via fe80::aad0:e5ff:fede:c295, 2d04h, TenGigE0/1/0/1
B    1234:1234::/32 [200/0] via ::, 14w2d, Null0
B    1234:1234:0:5::/64 [200/0] via :::10.101.0.254 (nexthop in vrf default), 8w1d
C    1234:1234:0:50::/64 is directly connected, 12w0d, BVI4
L    1234:1234:0:50::1/128 is directly connected, 12w0d, BVI4
B    1234:1234:0:90::/64 [200/0] via :::10.101.0.9 (nexthop in vrf default), 13w1d
B    1234:1234:0:91::/64 [200/0] via :::10.101.0.9 (nexthop in vrf default), 00:08:09
B    1234:1234:0:92::/64 [200/0] via :::10.101.0.9 (nexthop in vrf default), 00:09:49
C    2468:2468:0:8::f:8000/127 is directly connected, 2y42w, TenGigE0/1/0/1
L    2468:2468:0:8::f:8001/128 is directly connected, 2y42w, TenGigE0/1/0/1
RP/0/RSP0/CPU0:stlr-9k#

-Aaron Gould
Re: [c-nsp] Matching EXP bits in ME3600
You might be able to "show ip access-list EF-CLASS-ACL" and see which line is taking hits.

Also, would be curious to see what this shows also...

sh policy-map interface g0/24

-Aaron
Re: [c-nsp] ASR9010 problem - CRC ERROR - DATA PATH FAILED
ASR9010 - 4.1.2 - RSP-4G

I think this has happened before, about a year or so ago. Maybe has happened 3 times... but strangely, about a year apart in occurrence. I have XR TAC researching previous cases I've created regarding this asr9010 and issues like this to find out if I have in fact created multiple cases about this same problem; I'm pretty sure I have.

- Aaron

Details

RP/0/RSP0/CPU0:blcn-9k#sh ver | in Chassis
Mon Jun 5 07:00:18.129 CDT
ASR-9010 DC Chassis

RP/0/RSP0/CPU0:blcn-9k#show platform
Mon Jun 5 06:58:03.807 CDT
Node            Type                      State            Config State
-----------------------------------------------------------------------------
0/RSP0/CPU0     A9K-RSP-4G(Active)        IOS XR RUN       PWR,NSHUT,MON
0/RSP1/CPU0     A9K-RSP-4G(Standby)       IOS XR RUN       PWR,NSHUT,MON
0/0/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON
0/1/CPU0        A9K-2T20GE-L              IOS XR RUN       PWR,NSHUT,MON
0/2/CPU0        A9K-4T-L                  IOS XR RUN       PWR,NSHUT,MON
0/3/CPU0        A9K-8T-L                  IOS XR RUN       PWR,NSHUT,MON

RP/0/RSP0/CPU0:blcn-9k#show install committed summary
Mon Jun 5 06:58:51.716 CDT
Committed Packages:
  disk0:asr9k-p-4.1.2.CSCtx74305-1.0.0
  disk0:asr9k-mini-p-4.1.2
  disk0:asr9k-doc-p-4.1.2
  disk0:asr9k-k9sec-p-4.1.2
  disk0:asr9k-mpls-p-4.1.2
  disk0:asr9k-mgbl-p-4.1.2
  disk0:asr9k-mcast-p-4.1.2
[c-nsp] ASR9010 problem - CRC ERROR - DATA PATH FAILED
Any idea why this happened? Serious problems... Rebooted module, problems stopped.

RP/0/RSP0/CPU0:blcn-9k#sh log | in "FABRIC|reset"
Sat Jun 3 18:28:12.835 CDT
LC/0/0/CPU0:Jun 3 16:11:12.936 : pfm_node_lc[267]: %FABRIC-FIA-1-SUSTAINED_CRC_ERR : Set|fia_lc[151622]|Crossbar Interface(0x1013000)|Fabric interface ASIC-0 has sustained CRC errors
RP/0/RSP1/CPU0:Jun 3 16:13:47.759 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Set|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)
RP/0/RSP0/CPU0:Jun 3 16:14:07.963 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Set|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)

RP/0/RSP0/CPU0:blcn-9k#hw-module location 0/0/CPU0 reload
Sat Jun 3 18:00:44.542 CDT
WARNING: This will take the requested node out of service.
Do you wish to continue?[confirm(y/n)]y

sh log | in "FABRIC|reset"
...
RP/0/RSP0/CPU0:Jun 3 18:00:49.706 : shelfmgr[362]: %PLATFORM-SHELFMGR-6-USER_RESET : Node 0/0/CPU0 is reset due to user reload request
RP/0/RSP1/CPU0:Jun 3 18:00:58.565 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Clear|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)
RP/0/RSP0/CPU0:Jun 3 18:01:18.847 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Clear|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)

- Aaron
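Added example, not from the thread: a Python replay of IOS XR PFM Set/Clear alarm lines of the kind quoted above. It pairs each Clear with the Set raised by the same node for the same condition, so whatever is still raised after a reload (here the FIA CRC alarm on the line card, which has no Clear in the excerpt) stands out for follow-up. The sample log is constructed from the lines in the post; the error-or-worse threshold is an arbitrary choice.

```python
import re
from typing import Dict, Tuple

# IOS XR syslog line: <node>:<timestamp> : <process>[pid]: %FACILITY-SUB-SEV-MNEMONIC : <body>
_LINE = re.compile(
    r"^(?P<node>[A-Z]+/\S+?):(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+) : "
    r"(?P<proc>\S+): %(?P<msg>[A-Z0-9_-]+) : (?P<body>.*)$")

def severity(msg: str) -> int:
    """Numeric field of FACILITY-SUBFACILITY-SEVERITY-MNEMONIC (0 emerg .. 7 debug)."""
    for part in msg.split("-"):
        if part.isdigit():
            return int(part)
    raise ValueError(f"no severity field in {msg!r}")

def open_alarms(log: str) -> Dict[Tuple[str, str, str], str]:
    """Replay PFM Set/Clear pairs; return alarms still raised -> timestamp of the Set.

    The key is (node, message id, alarm detail), so a Clear only retires the
    Set raised by the same node for the same condition."""
    active: Dict[Tuple[str, str, str], str] = {}
    for line in log.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # prompts, command echo, bare timestamps
        state, _, detail = m["body"].partition("|")
        if state not in ("Set", "Clear"):
            continue  # plain events such as USER_RESET carry no alarm state
        key = (m["node"], m["msg"], detail)
        if state == "Set":
            active.setdefault(key, m["ts"])  # keep the first Set time on repeats
        else:
            active.pop(key, None)
    return active

def unresolved_at_or_above(log: str, max_sev: int = 3) -> Dict[Tuple[str, str, str], str]:
    """Alarms that never cleared and are at least as severe as max_sev (3 = error)."""
    return {k: ts for k, ts in open_alarms(log).items() if severity(k[1]) <= max_sev}

# Constructed from the syslog excerpt above (before and after the LC reload).
SAMPLE_LOG = """\
LC/0/0/CPU0:Jun 3 16:11:12.936 : pfm_node_lc[267]: %FABRIC-FIA-1-SUSTAINED_CRC_ERR : Set|fia_lc[151622]|Crossbar Interface(0x1013000)|Fabric interface ASIC-0 has sustained CRC errors
RP/0/RSP1/CPU0:Jun 3 16:13:47.759 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Set|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)
RP/0/RSP0/CPU0:Jun 3 16:14:07.963 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Set|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)
RP/0/RSP0/CPU0:Jun 3 18:00:49.706 : shelfmgr[362]: %PLATFORM-SHELFMGR-6-USER_RESET : Node 0/0/CPU0 is reset due to user reload request
RP/0/RSP1/CPU0:Jun 3 18:00:58.565 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Clear|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)
RP/0/RSP0/CPU0:Jun 3 18:01:18.847 : pfm_node_rp[327]: %PLATFORM-DIAGS-3-PUNT_FABRIC_DATA_PATH_FAILED : Clear|online_diag_rsp[233590]|System Punt/Fabric/data Path Test(0x204)|failure threshold is 3, (slot, NP) failed: (0, 0) (0, 1)
"""
```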
Re: [c-nsp] RSP failover vs Chassis failover for switch/router clusters
I really like my data center Juniper EX4550's. I'm using these as Virtual Chassis using a vcm/vcp 128 gig card and 10' cable to make possible the virtual chassis. They have been solid performers for me for a few years. I'm not using them for mpls. I understand they don't do mpls l2vpn's. I recall testing mpls l3vpn's successfully in my eval period, but most folks want/need l2vpn in the dc. I create a bunch of lag (ae) interfaces up and down towards servers and core network... at the core network mpls pe ingress I do my mpls l2vpn tricks.

{master:1}
root@stlr-dcvc-4550> show chassis routing-engine | grep "uptime|model"
Model                      EX4550-32F
Uptime                     1441 days, 17 hours, 54 minutes, 48 seconds
Model                      EX4550-32F
Uptime                     1441 days, 18 hours, 15 minutes, 40 seconds

- Aaron
Re: [c-nsp] Cisco ASR vs Juniper
...i re-read some of your criteria... ummm, so I use MX104's and ACX5048's with MP-iBGP for just learning my internal core routes, not big table for world routes... so for what I use those boxes for, they are nice.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron Gould
Sent: Wednesday, May 24, 2017 9:36 AM
To: 'Mark Tinka' <mark.ti...@seacom.mu>; 'Mark Mason' <mma...@jackhenry.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ASR vs Juniper

About the MX104 and ACX5000

I have ~7,000 dsl customers being nat'd behind /24 of address space on a pair of MX104's... they run nicely on two mpls l3vpn's... nat inside vrf (ri) and nat outside vrf (ri)

I have deployed (~30) ACX5048's as mpls p's and pe's and they are running well. I have hit a bug with VPLS that requires a vpls routing-instance bounce to revive, but JTAC just told me the PR is hitting D20 software and fixed in D25... still need to test that. But all in all, I like the ACX5048's.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, May 24, 2017 2:16 AM
To: Mark Mason <mma...@jackhenry.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ASR vs Juniper

On 5/9/17 7:29 PM, Mark Mason wrote:
> Alright crowd...Ready the rifles and prepare for battle...Cisco ASR or Juniper. Cost, operability, chassis lifespan new vs. old, memory requirements, etc. So many details. Feel free to take the post anywhere you'd like. I'm really liking the new ASR1000 family of routers.

But we did the month since December last year, and any way we cut it, the MX480 works out cheaper.

Stay away from the MX104 or ACX5000.

Mark.
Re: [c-nsp] Cisco ASR vs Juniper
About the MX104 and ACX5000

I have ~7,000 dsl customers being nat'd behind /24 of address space on a pair of MX104's... they run nicely on two mpls l3vpn's... nat inside vrf (ri) and nat outside vrf (ri)

I have deployed (~30) ACX5048's as mpls p's and pe's and they are running well. I have hit a bug with VPLS that requires a vpls routing-instance bounce to revive, but JTAC just told me the PR is hitting D20 software and fixed in D25... still need to test that. But all in all, I like the ACX5048's.

-Aaron

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, May 24, 2017 2:16 AM
To: Mark Mason; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ASR vs Juniper

On 5/9/17 7:29 PM, Mark Mason wrote:
> Alright crowd...Ready the rifles and prepare for battle...Cisco ASR or Juniper. Cost, operability, chassis lifespan new vs. old, memory requirements, etc. So many details. Feel free to take the post anywhere you'd like. I'm really liking the new ASR1000 family of routers.

But we did the month since December last year, and any way we cut it, the MX480 works out cheaper.

Stay away from the MX104 or ACX5000.

Mark.
Re: [c-nsp] Cisco ASR vs Juniper
Hi James,

I haven't done much with QoS on the ACX5048 yet. When I do, I don't think we will be doing as much as you described with the ME3600. I hardly did any QoS with my ME3600's... occasional policer or shaper on efp here and there.

-Aaron
Re: [c-nsp] Cisco ASR vs Juniper
A few things come to mind...

I enjoy my Cisco ASR9000 network running for ~5 years now... it's solid.

I also like what I've seen recently in the Juniper ACX5048 (48/72 - 10 gig ports, or (6) 40 gig ports), which replaced lots of my older Cisco ME3600 boxes (only two 10 gig ports).

I run MPLS L3VPN for my ISP customers. Interestingly Juniper will automatically redistribute static routes and connected networks into MPLS L3VPN. Cisco requires a redistribute command.

Cisco is able to combine multiple vlan tags from same physical port into the same bridge-domain. I haven't found a way to accomplish this in Juniper ACX5048, but I understand this is doable in Juniper MX platform.

I'm also liking what I'm seeing with my dual node CGNat boundary of Juniper MX104's. During testing, the MS-MIC-16G CGNat capability of Juniper seemed nicer than the VSM-500 ASR9000 option. There was a /27 public scope limitation on Cisco. Not so on Juniper... you can add public-pool /32's if you so desire. Also, changing public pool crashed Cisco. Also, showing nat translations and viewing the outside public addresses of internet hosts wasn't nice in IOS XR; you had to hunt and ask for specifics. Junos shows it easily.

In planning/discussing upgrading our existing ASR9000 ring to 100 gig, we found that we needed to upgrade to higher CPU... I think RSP440. But I recall that a short life on the RSP440 meant that we were being guided to go with the RSP880... but I think the RSP880 would cause all my trident linecards to no longer be useable. So we figured with that much impact we might as well look at other vendor options too.

With that said, I'm planning a (5) node 100 gig "super"core and have been considering both the Cisco ASR9908 and Juniper MX960. They both seem like solid options.

I've learned/tested a Juniper feature which is, the nicely contained logical systems (lsys) feature of turning up pretty isolated and separate router functions. I understand this capability is only available on Cisco GSR/CRS sized platforms but Juniper has it on many of its boxes... testing it on MX104 now.

- Aaron
Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?
NCS code? Going off what I know of the NCS5x00, it runs IOS XR 6.x. So I guess that would be different from the 920, since I recall it ran XE.

-Aaron
Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?
Maybe it's to generate more sales... Like the Reese's peanut butter cup was good, but wait til you try the Reese's peanut butter egg. ... LOL

-Aaron
Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?
Perhaps similar to what juniper does with the following...

juniper acx5048
https://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/acx-series/acx5000/

juniper qfx5100
https://www.juniper.net/techpubs/en_US/release-independent/junos/information-products/pathway-pages/hardware/qfx-series/qfx5100.html

-Aaron
Re: [c-nsp] Broadband Aggregation/Termination
Thanks Andrew, yes we have logs (dhcp/cgnat) for subpoena/law enforcement stuff.

We use hsrp for first hop redundancy... and I think v6 RA's have first-hop redundancy built-in... however for faster failover times, I may opt for v6-hsrp... we'll see..

- Aaron