Re: [c-nsp] IP SLA Scalability

2010-10-21 Thread Ben Steele
On Thu, Oct 21, 2010 at 4:52 PM, Mikael Abrahamsson swm...@swm.pp.se wrote:

 On Thu, 21 Oct 2010, Ben Steele wrote:

  Has anyone run a rather large amount of SLA probes from a router who can
 comment on the CPU performance characteristics of how it scaled for your
 particular platform?


 You should really contact your account team to get a comment from them.
 I've spoken to the product manager for IP SLA and I was quite surprised by
 some comments I got regarding the functionality and the thinking/handling of
 it within Cisco.

Yes, good advice, and I plan to talk to an SE about it soon, but nothing
quite like hearing people's real-world experiences with it, like yourself :)



  Specifically looking to see if it's feasible to expect a router to be able
 to go upwards of 500+ simultaneous monitors (looking at a total of about
 10-15k pps of udp-jitter probes in total).


 I'd say Cisco doesn't have a product that has been designed to scale this
 far and is supposed to work for prolonged sustained testing like I guess you
 want to do. They consider 300 seconds of 50pps testing extremely long and
 if a single high-jitter packet occurs in that long test, the opinion seems
 to be that fixes for that are on a best-effort work priority. It's not
 something they really test on all platforms and all code.


Not entirely sure what you mean here, the udp-jitter probe has a
computational delay timestamp put into it by the responder to account for
any CPU delays in the processing; however, how well that works in a
generally non-pre-emptive environment like IOS with a high number of
monitors is yet to be seen (well, by me anyway).




  Before anyone says that I should look at another vendor/solution, this is
 already being done in the background. I am purely after what a Cisco router
 can offer in this regard; I've never come across more than about 20 SLA
 probes on a router before so am interested to hear the results.


 If you're doing this in an MPLS VPN scenario, you might want to make sure
 you test your code so it has timestamping for arrival time for packets even
 if they are labeled. I ran into this on a 7301 5 years ago; it took 14 months
 for that TAC case to complete with the answer that timestamping wasn't done
 in labeled packets and as a result, any CPU spike would cause jitter in the
 measurements. Converting the router to IP only (putting it behind an MPLS PE
 router) solved the problem.


Not MPLS VPN, but end-to-end LSP tunnel so still label switched either way;
I would have expected the IP SLA process to only be exposed to the IP layer
before/after necessary imposition/disposition had occurred.

Appreciate your feedback.

Ben



 --
 Mikael Abrahamsson    email: swm...@swm.pp.se

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
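To make the numbers in the thread above concrete, here is an added example configuration (written for this page, not taken from Ben's or Mikael's routers) of one udp-jitter operation plus the group schedule that spreads 500 of them across their period. The addresses 192.0.2.x, port 16384, the operation numbers 101-600 and the packet counts are assumptions chosen to match the 10-15k pps figure being discussed.

```ios
! Added example, not config from the thread. Addresses, ports, operation
! numbers and packet counts are assumed placeholders.
!
! --- probe target ---
! The responder stamps its own receive and transmit times into the reply,
! which is the "computational delay" that lets the source subtract responder
! processing time from the jitter/RTT figures.
ip sla responder
!
! --- probe source ---
! One operation: 600 packets at a 20 ms interval = 50 pps for 12 s, repeated
! every 60 s, i.e. roughly 10 pps averaged over the schedule period.
! tos 184 = DSCP EF so the probe rides in the same class as the voice it
! is meant to measure.
ip sla 101
 udp-jitter 192.0.2.10 16384 source-ip 192.0.2.1 num-packets 600 interval 20
 tos 184
 frequency 60
!
! (operations 102 through 600 defined the same way, each towards its target)
!
! A per-operation "ip sla schedule 101 life forever start-time now" would
! start everything at once: 500 x 50 pps = 25,000 pps for the first 12 s of
! every minute. A group schedule with a schedule-period equal to the
! frequency spreads the 500 start times evenly across the 60 s, so the
! router sees ~5,000 pps sustained instead of a 25,000 pps burst.
ip sla group schedule 1 101-600 schedule-period 60 frequency 60 life forever start-time now
```

After scheduling, `show ip sla statistics` gives per-operation jitter and RTT, and watching `show processes cpu` while the group ramps up is the direct way to answer the CPU-scaling question for a given platform. On releases older than 12.4(4)T the top-level keyword is `ip sla monitor` rather than `ip sla`.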


[c-nsp] IP SLA Scalability

2010-10-20 Thread Ben Steele
Hi,

Has anyone run a rather large amount of SLA probes from a router who can
comment on the CPU performance characteristics of how it scaled for your
particular platform?

Specifically looking to see if it's feasible to expect a router to be able to
go upwards of 500+ simultaneous monitors (looking at a total of about 10-15k
pps of udp-jitter probes in total).

Also any thoughts on the best platform for the task? The 7201/ASR1002-F seem
like a possible good fit and I would like to aim for something in its category
- price on the lowerish side of the scale, rack space used minimal, large
CPU, MPLS-TE capable, can accept SFP optics. Ultimately the cheapest box for
the task is what I'm after; those devices may be overkill and if I can
get away with a 3800 ISR or less then even better.

Before anyone says that I should look at another vendor/solution, this is
already being done in the background. I am purely after what a Cisco router
can offer in this regard; I've never come across more than about 20 SLA
probes on a router before so am interested to hear the results.

Cheers,

Ben


Re: [c-nsp] REP support on 7600

2010-09-12 Thread Ben Steele
I didn't see any mention of IPv6 on the current data sheet either.

2010/9/12 Łukasz Bromirski luk...@bromirski.net

 On 2010-09-12 13:00, Mark Tinka wrote:
  On Saturday, September 11, 2010 04:21:55 pm Saku Ytti wrote:
 
  They have full blown MPLS support, LSR, LER, L2 and L3
  MPLS VPN.  But make sure everything you need is there,
  as it won't be feature complete at FCS.
 
  And all ports support MPLS; not like the fractured 3750ME.

 Right, because all ports on ME3600/3800 are connected to the same
 new silicon, driving the features/performance.

 As for the full blown MPLS support - ME3600 will not have VPLS,
 even after FCS. But there's EVC (like on the 7600 ES/ASR 9000), HQoS,
 and a ton of new things that are coming down from higher-end platforms.

 --
 Everything will be okay in the end.  | Łukasz Bromirski
  If it's not okay, it's not the end. |  http://lukasz.bromirski.net


Re: [c-nsp] ASIC to switch port mapping

2010-09-10 Thread Ben Steele
sh platform port-asic should list your ASICs.

Port groupings are almost always in groups, so you can work out what ports
belong to a common ASIC by dividing the number of ports you have by the
number of ASICs listed; keep in mind you will probably have a dedicated
ASIC for the 2 10G uplinks.



On Fri, Sep 10, 2010 at 6:50 PM, Vincent Aniello vincent.anie...@pipelinefinancial.com wrote:

 This is on a 3650E switch.

 Thanks.

 --Vincent

 -Original Message-
 From: Nick Hilliard [mailto:n...@foobar.org]
 Sent: Friday, September 10, 2010 1:31 PM
 To: Vincent Aniello
 Cc: Heath Jones; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] ASIC to switch port mapping

 On 10/09/2010 18:18, Vincent Aniello wrote:
  I am trying to solve output drops on switch ports on which bandwidth
  utilization does not seem to exceed the port speed.  Seems like the
  drops are due to the buffers filling up and dropping frames.  I am under
  the impression that each ASIC has its own buffer and if the buffer
  fills on a particular ASIC all ports that share that ASIC will also drop
  frames.  If I know the switch interfaces associated with each ASIC I can
  redistribute the connections on the switch to better balance the load.

 What sort of card are you using?

 Nick





Re: [c-nsp] QoS on ingress

2010-09-10 Thread Ben Steele
There isn't much you can do here if your provider isn't willing to play
ball.

What I would suggest is policing your ingress for all but your VoIP traffic
to about 10% less than your maximum throughput; assuming the majority of
your user traffic is TCP this should give you enough overhead for a VoIP
stream or two depending on your codec.

The last thing you want to do is try and run the T1 to capacity as you are
at the peril of your provider's egress policy, whether that be policing,
shaping or just tail drop; either one you don't want for your VoIP traffic.

On Fri, Sep 10, 2010 at 7:44 PM, Jay Nakamura zeusda...@gmail.com wrote:

 I can't seem to figure out what to do with my situation, wondering if
 anyone had encountered this.

 Situation :
 Router : 1841 IOS 12.4T or 15.0M
 Internet T1, two eth Interfaces
 There is VoIP traffic (SIP & RTP) and general internet traffic

 VoIP provider does not tag SIP/RTP with any kind of QoS in IP header.
 (DSCP/IPP)  Internet provider can do QoS based on IPP but since VoIP
 traffic is not marked, it's not useful.

 Problem to solve : how to not drop ingress VoIP traffic when
 internet traffic is high as much as possible without capping the
 non-VoIP traffic to less than T1 bandwidth.

 Caveat : I understand that since it's not getting policed at the
 egress from the provider, any solution is not going to be perfect

 I can't limit the traffic on the Eth interface egress because traffic
 can go to either eth interface.

 Any thoughts?
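As an added illustration of the approach Ben suggests above (example configuration written for this page, not config from either poster's router): everything except the provider's VoIP is policed on ingress to about 10% below the T1 payload rate, and the VoIP itself is identified by source address because the provider does not mark it. The 198.51.100.0/24 provider range, the RTP port range, Serial0/0/0 for the T1 WIC and the burst sizing are assumptions.

```ios
! Added example, not config from the thread. The provider range, port range,
! interface name and burst size are assumed placeholders.
!
! The VoIP provider sets no DSCP/IPP, so classify by where the SIP and RTP
! come from instead. Adjust the port range to what the provider actually uses.
ip access-list extended VOIP-FROM-PROVIDER
 permit udp 198.51.100.0 0.0.0.255 any eq 5060
 permit udp 198.51.100.0 0.0.0.255 any range 16384 32767
!
class-map match-all VOIP-IN
 match access-group name VOIP-FROM-PROVIDER
!
! T1 payload rate is 1536 kbps; 10% below that is ~1382 kbps.
! Bc is sized as CIR * 1.5 s / 8 (the usual TCP-friendly policer burst),
! so a single flow's window is not chopped into tiny pieces.
policy-map T1-INGRESS
 class VOIP-IN
  ! never policed; marking it EF lets anything downstream prioritise it,
  ! which the provider's unmarked packets would not otherwise allow
  set dscp ef
 class class-default
  police cir 1382000 bc 259125 conform-action transmit exceed-action drop
!
interface Serial0/0/0
 description T1 to Internet provider
 service-policy input T1-INGRESS
```

`show policy-map interface Serial0/0/0 input` shows the conform and exceed counters per class. The caveat Ben gives is visible in the design: the policer drops packets that have already crossed the T1, so the link is only kept below capacity because the remote TCP senders back off on the loss; a non-TCP bulk stream will still fill the provider's egress queue and nothing on this side can prevent it.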


Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Ben Steele
Out of curiosity, can you tell me what led you to wanting 2FA for these
devices, and how the traditional ACL/TACACS method failed your requirements?

Of course anyone who has implemented it is free to chime in; I'm just generally
interested in people's security concerns around this and how you feel it
mitigates whatever risks you were associating with it. Also curious if it
affected the way you handle OOB access as well.

Ben

On Thu, Aug 26, 2010 at 6:06 AM, Mark Tech techcon...@yahoo.com wrote:

 Hi
 I am looking for a 2FA solution in order to connect to Cisco devices. I
 would like to use either RADIUS or TACACS as the AAA part, however I'd like
 to know whether/how I could interconnect this to a 2nd auth such as a
 token-based RSA SecurID platform.

 I'd appreciate any input if this is possible at all?

 Regards

 Mark






Re: [c-nsp] CCIE LAB EXAM

2010-08-01 Thread Ben Steele
nsp isn't an alias for groupstudy. I'm sure it has been said countless times
before, but please don't use these lists for study partners/selling gear/"how
do I ping?" type questions; keep it on topic with valuable questions that
people in this industry actually care about.

Ben

On Mon, Aug 2, 2010 at 1:31 PM, Prakash Kalsaria kalsaria.prak...@gmail.com wrote:

 Hi everyone, I am going for the CCIE SP lab exam;
 any suggestion or any candidate, please contact me.

 Regards,
 Prakash Kalsaria
 http://prakashkalsaria.wordpress.com


Re: [c-nsp] QoS Options for PPPoE over Ethernet

2010-07-21 Thread Ben Steele
Use RADIUS to send an avpair of the bandwidth of the session back to the
router, then have a service-policy applied to your virtual-template (or you
can send the service-policy back through RADIUS too if you need to
differentiate them between sessions) with a parent shaper that shapes
bandwidth percent 100 or whatever you like (it will be the bandwidth returned
via RADIUS that it references) and then your child QoS policy below that;
you then have per-session QoS based on the bandwidth of that unique session.

Ben

On Wed, Jul 21, 2010 at 9:02 AM, Dave Weis djw...@internetsolver.com wrote:


 I'm not finding a lot of good options to do QoS for PPPoE over Ethernet (as
 opposed to ATM) subscribers. We have varying speeds for the subscribers
 ranging from 256k to 40m so I can't use a hard coded amount to reserve for
 voice. In addition, some customers have a single port ATA and some will have
 6-10 lines on an IAD.

 The setup has a single VLAN per DSLAM as a subinterface on a gig-E port in
 a 7200 VXR. Some of the newer equipment will obey 802.1p but the majority of
 our equipment does not.

 The authentication comes out of freeradius and the approximate downstream
 rate of each subscriber is recorded in the same table as the
 username/password so if I had to make static definitions for each speed tier
 I could do that.

 I don't need to do anything elaborate other than move any traffic to or
 from a specific subnet to the front of the queue.

 Thanks for any help
 Dave



 --
 Dave Weis
 515-224-9229
 djw...@internetsolver.com
 http://www.internetsolver.com/
 Please check out our Complete Support Service
 http://www.internetsolver.com/completesupport/


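The mechanism Ben describes above, as an added example written for this page (not config from Dave's 7200 or from Ben): RADIUS returns the subscriber's speed tier as an interface `bandwidth`, and a parent shaper at `percent 100` then sizes itself per session while one child policy moves the voice subnet to the front of the queue. The subscriber name and secret, the `lcp:interface-config` avpair form, the 192.0.2.0/24 voice subnet, Virtual-Template1 and the percentages are assumptions.

```ios
! Added example, not config from the thread. Names, addresses, the avpair
! form and the percentages are assumed placeholders.
!
! --- FreeRADIUS "users" entry (shown here as comments; it is not IOS) ---
! lcp:interface-config applies an interface command to the session's
! Virtual-Access interface. The 2048 comes from the speed-tier column that
! already sits next to the username/password.
!
!   sub01   Cleartext-Password := "secret"
!           Service-Type = Framed-User,
!           Framed-Protocol = PPP,
!           Cisco-AVPair = "lcp:interface-config=bandwidth 2048"
!
! --- IOS side ---
! The subnet whose traffic, in both directions, goes to the front of the queue.
ip access-list extended VOICE-SUBNET
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip any 192.0.2.0 0.0.0.255
!
class-map match-any VOICE
 match access-group name VOICE-SUBNET
!
! Child policy: strict priority for the voice subnet (capped at 30% of
! whatever the parent shaper's rate is), fair queueing for everything else.
policy-map PPPOE-CHILD
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
! Parent policy: shape to 100% of the interface bandwidth. Because that
! bandwidth is set per session from RADIUS, this one policy becomes a
! 256 kbps shaper for one subscriber and a 40 Mbps shaper for another.
policy-map PPPOE-PARENT
 class class-default
  shape average percent 100
  service-policy PPPOE-CHILD
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap pap
 service-policy output PPPOE-PARENT
```

`show policy-map interface Virtual-Access<n>` on a live session shows the shaper rate that was derived from the returned bandwidth and the priority-class counters. One trade-off to test before rolling out: an `lcp:interface-config` attribute makes IOS build a full Virtual-Access interface for that session rather than the lighter-weight sub-interface form, which costs session setup time on a busy 7200.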


Re: [c-nsp] BGP Community Problem (I think)

2009-11-17 Thread Ben Steele
As Hobbs mentioned, do a "sh ip bgp neighbor [your bgp peer]" and look for
the prefix activity part, which will tell you about prefixes that didn't get
sent to that peer for various reasons.

Have you looked at the communities attached to the prefixes you have learnt
from your other peer that you aren't advertising? Do they have either
no-advertise/no-export/local-as etc. on them? Is the peer you're receiving the
feed from iBGP or eBGP? And is the peer you're sending them to iBGP or eBGP?


On Wed, Nov 18, 2009 at 5:40 PM, Skeeve Stevens ske...@eintellego.net wrote:

 But, the router isn't even sending them to the next router... between
 tagging them and re-sending them, they just aren't there so I would
 assume the neighbour they are being sent to is nothing to do with it?

 ...Skeeve

 --
 Skeeve Stevens, CEO/Technical Director
 eintellego Pty Ltd - The Networking Specialists
 ske...@eintellego.net / www.eintellego.net
 Phone: 1300 753 383, Fax: (+612) 8572 9954
 Cell +61 (0)414 753 383 / skype://skeeve
 www.linkedin.com/in/skeeve ; facebook.com/eintellego
 --
 NOC, NOC, who's there?


 
  Not sure off-hand, but you can do show ip bgp neighbor and far down in the
  output you will see a section showing stats about why prefixes were dropped
  (route-map, dist-list, etc). What does it say?


Re: [c-nsp] DHCP_PD / IPv6

2009-11-07 Thread Ben Steele
The fix is to "clear ipv6 dhcp client Dialer123".

I use event manager to do this automagically for me like so:

event manager applet monitor_ipv6_dhcp
 event syslog pattern "DIALER-6-BIND"
 action 1.0 cli command "clear ipv6 dhcp client Dialer1"

This reacts to an event in the log of DIALER-6-BIND, which for me is my
Dialer re-establishing its PPP session; do a "clear int d123" and check your
logs to verify this for you.


You can view the results of event manager by:

router#sh event manager history events
No.  Time of Event              Event Type   Name
1    Sat Nov 7 11:12:56 2009    syslog       applet: monitor_ipv6_dhcp

and of course a "sh ipv6 dhcp interface d123" will show you your new lease
as well.


Cheers,


Ben

On Sat, Nov 7, 2009 at 7:03 AM, vikas hazrati vikas.hazr...@googlemail.com wrote:

 Hello all

 I have been trying to test DHCP-PD functionality for ADSL / PPPoE users.
 Using basic cisco-site examples I was able to assign an IPv6 prefix to the
 CPE. The problem I am facing is the following:

 When the PPPoE session is torn down, the corresponding Virtual-Access
 interface (and ipv6 routes) are deleted from the NAS as expected, but in the
 CPE the DHCP client remains up. So when the PPPoE session is re-established
 no new routes are installed in the NAS routing table for the DHCP delegated
 prefixes, so no traffic can be forwarded to the customer subnet.

 The question is how can I make sure that in a DHCP-PD environment, the DHCP
 client of the CPE is reinitialized when the PPPoE session used for internet
 connectivity is re-established.

 The config used on the CPE side is really simple

 interface Dialer 123
  encapsulation ppp
  dialer pool 123
  ipv6 address autoconfig default
  ipv6 enable
  ipv6 dhcp client pd DHCP_PD
  ppp pap sent-username  password 0 


 Any help is welcomed


Re: [c-nsp] do i *need* DFCs on the 6500?

2009-09-03 Thread Ben Steele
On Thu, Sep 3, 2009 at 7:35 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 Ben Steele wrote:

 Unless you are hitting a CAM limit on any of your resources on your SUP (very
 possible if you are exporting netflow) OR you are congesting the crossbar
 fabric (sh fabric util), which is pretty unlikely when you are talking a 24G
 linecard on a 40G fabric connection, then you probably won't see any
 difference putting a DFC on a 6724.


 That depends completely on what other cards are on the box, what their
 offered forwarding load is, and whether they have DFCs.


Hence asking him to check these values, or at least implying from
that sentence that he should :)





 Remember these chassis are a hardware-only based forwarding solution, so all
 you're doing with a DFC is moving CAM/ASIC resources off the sup, so in
 regards to your specific questions unless you have filled all your QoS
 queues on the sup you are going to see nothing more on the DFC; also the sup
 does (from memory) up to 100-200m pps in ipv6, I don't believe for a moment


 No. The PFC3 does 30Mpps IPv4 (and 15Mpps IPv6 I think). A DFC3 does 48Mpps
 IPv4 (and 24Mpps IPv6).


 http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml

 A fully-populated and fully-DFCed 6509 does 400Mpps IPv4 or 200Mpps IPv6
 (well, actually 192Mpps - 24x8 linecards). In this configuration, the PFC
 does very little.


Ok my bad, my memory was for the full chassis not the individual PFC, should
read docco next time before posting! I'm still quite certain our OP isn't
doing 15Mpps of IPv6; if he is then he must be the IPv6 hub of the world.



 It's worth noting that a 6724 doing 64-bytes packets on all ports offers
 ~47Mpps forwarding load - well in excess of the PFC capacity. A chassis full
 of 6724s without DFCs at 10% load with 64-bytes packets also exceeds the PFC
 capacity.

 Obviously these are worst-case numbers but illustrative of the problems you
 can get yourself into if you don't capacity plan well.


I think it's safe to say our OP is nowhere near these limits or he would
definitely know about it; in fact I doubt anyone in the world has hit 47Mpps
on any 6500 linecard (in a real-world situation, no labs), please if someone
has feel free to let me know about it.

But yes capacity planning is very important.



 It's worth noting that some linecards have different (i.e. more flexible)
 rx & tx queueing methods with a DFC versus the CFC.


True, but keep in mind the OP already has some DFC-enabled linecards so I
would assume he is familiar with what QoS he can and can't schedule on the
CFC vs DFC; his particular comment related to performance and offloading of
QoS - not features. The same goes for different line cards in general
though, like the 4 and 8 port 10Gb line cards: totally different buffering
capabilities, you need to choose your line card wisely; our OP already has
his in place.


 There's also the bus-stall issues, which go away (supposedly) with a DFC
 installed since they're not connected to the bus.


Interesting.. I'll take your word for that, can't say I've seen much in the
way of bus stalls when working with them (at least in recent times) except
the standard OIR one. I'll assume this is an actual performance-impacting
stall you are referring to; does this apply even if the chassis is in
compact mode?




  you are even remotely close to this, and the global ipv6 routing table is
 nowhere near the CAM limit for that either, by the way is your SUP an XL?
 Do the DFCs on the 10Gs match the sup or have they fallen back to the
 lowest common configuration?


 I'm not sure why you mention CAM limits, but it's worth noting that DFCs do
 not help with FIB CAM at all, since they hold a copy of the PFC FIB.


Yeah my ipv6 FIB CAM statement was pretty irrelevant and was more me typing
and then realising I'm not sure if we are even talking XL or not here; wasn't
the greatest sentence.



 Personally we get DFCs on everything since we're using plain -3B (or -3C
 not) rather than XL, and the cost of the DFC is a pretty minimal percentage
 of the linecard for the future-proofing.


No doubt it's better to have a DFC than not have a DFC, but some companies
are tight with money and justifying just a few thousand for something you
don't *really* need can be hard. While a non-XL upgrade might seem trivial, I
think you'll find that upgrading a 6724 from stock to a 3CXL DFC is around the
price of the actual line card itself; that said, neither of us know what PFC
the OP is running :)



 We've also seen software bugs manifest on CFC cards in the past; this
 implies to me that Cisco prefer DFC chassis. Similarly some of the new
 linecards e.g. 6708/6716 are DFC-only. I suspect that will be the case going
 forward.


Well from a performance point of view it makes sense, but it all equals $$
and companies are being stingier than ever with the GFC in everyone's head.

I still get the feeling the OP doesn't need the DFC, generally you

Re: [c-nsp] do i *need* DFCs on the 6500?

2009-09-02 Thread Ben Steele
Unless you are hitting a CAM limit on any of your resources on your SUP (very
possible if you are exporting netflow) OR you are congesting the crossbar
fabric (sh fabric util), which is pretty unlikely when you are talking a 24G
linecard on a 40G fabric connection, then you probably won't see any
difference putting a DFC on a 6724.

Remember these chassis are a hardware-only based forwarding solution, so all
you're doing with a DFC is moving CAM/ASIC resources off the sup, so in
regards to your specific questions unless you have filled all your QoS
queues on the sup you are going to see nothing more on the DFC; also the sup
does (from memory) up to 100-200m pps in ipv6, I don't believe for a moment
you are even remotely close to this, and the global ipv6 routing table is
nowhere near the CAM limit for that either. By the way, is your SUP an XL? Do
the DFCs on the 10Gs match the sup or have they fallen back to the lowest
common configuration?

"...or could it be that DFC's are only really useful to a particular
deployment and I just *think* i need them? ;-)" - I think you might be on the
money here.

If you give us the current utilization of your CAM resources (from the sup)
and the 6724 linecard throughput and what its functions
are (netflow/qos/mac/acls etc.) then we can tell you for sure.

Ben


On Wed, Sep 2, 2009 at 9:16 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 hi,

 okay, from the background of "I know what the DFC is and how it
 operates" etc... I know I want them - however, I need to justify
 the upgrade/part cost to sort out a couple of 6500s.  In some of
 our 6500s, the 10G blades have DFCs already...but several 6724s don't
 (they just have CFC). ...as I said, I want them, but need to get
 some management/funding buy-in - and they don't want the 'what it
 does' information - they want some hard and fast facts that Cisco don't
 seem to want to tell me. So, the question is

 1) is there any way of showing the sup720 strain/utilisation...particularly
 is there a way of showing DFC usage on the blades where we have them?

 2) it offloads IPv6 and QoS - we're into both of those (and more so over the
 next year) - any particular insights into QoS performance/issues without
 DFC? Any throughput figures for IPv6?

 (I know that with CFC we're limited to the backplane (32mpps?) and we get ~
 48mpps per blade with DFC)

 ...or could it be that DFCs are only really useful to a particular
 deployment and I just *think* I need them?  ;-)

 alan


Re: [c-nsp] dampening for VPNv4

2009-09-01 Thread Ben Steele
Are you referring to a BGP session between your PE and a CE or the MP-BGP
session between your PEs?
Either way I don't think aggressive dampening is a good idea; it is just a
band-aid for the real underlying problem: you have instability inside your
VRF's IGP. This may be due to link flapping, poor summarization,
mis-configuration etc.

You need to address the issue of why you are seeing an unusual amount of
updates. I've set up MPLS VPNs with 100+ CEs in a single domain with no
excessive BGP update problem - unless there was an actual fault in the VRF
IGP which was causing the BGP updates.

Ben

On Tue, Sep 1, 2009 at 3:41 PM, Ved Labs vedl...@gmail.com wrote:

 Hi Team ,

  Any comments on this?

 Thanks,
 Ved.

 On Sat, Aug 29, 2009 at 5:05 PM, Ved Labs vedl...@gmail.com wrote:

  I would like to know the pros and cons for enabling dampening for VPNv4.

  I can see a lot of vpnv4 routes flapping and causing the CPU to shoot up.
 
  Thanks,
  Ved.
 


Re: [c-nsp] OSPF fast convergence on Sup32/SXI

2009-08-30 Thread Ben Steele
You can try OSPF fast hellos, but the general consensus is to not use them,
purely because there is no pseudo pre-emption for them (unlike BFD), so if you
have a busy router, or even a router with bursty busyness, aka SNMP polling,
you can draw false positives into your fast hellos.

Having said that, something like a 2 sec hello with a 6 sec dead timer has
worked well for me before; you could try cutting that down to 1 and 3
respectively. It's probably just a matter of test and tweak and see what
works for you.

If you can work a solution that incorporates BFD you will be better off in
the long run (as your router certainly won't get less busy as time goes on)
if the ultimate goal is fast convergence with 5 exclamation marks :)

Ben

On Sun, Aug 30, 2009 at 12:45 AM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 for a new project, I have been tasked to build a network that does
 "IGP fast convergence as fast as possible!!!" (with 5 exclamation marks).

 Due to other reasons (... of course this needs to be FAST and cost
 NOTHING...), the routers will be 6504+Sup32s, planned IOS is SXH3a or
 SXI2.

 BFD won't be possible, as routing will be done on SVIs (thanks, Cisco)

 [*maybe* I can do this on port-channel dot1q subinterfaces, but I'm not
 yet sure how this will work out - can MUX-UNI be used to mix routed
 subinterfaces and switched VLANs?  I've only used it to mix MPLS subfs
 and switched VLANs].

 Now I'm looking for experience and recommendations about tweaking OSPF
 - how far have you (successfully) reduced OSPF hello timers?   Any other
 success or horror stories about IGP fast convergence on Sup32?


 ... and yes, I'm aware that I won't be able to do sub-500ms on this
 platform.  I'm not aiming for this :-) - something like < 3s would
 be perfect, < 10s would make $them grumble, but eventually accept it...

 gert
 --
 USENET is *not* the non-clickable part of WWW!
 http://www.muc.de/~gert/
 Gert Doering - Munich, Germany
 g...@greenie.muc.de
 fax: +49-89-35655025
 g...@net.informatik.tu-muenchen.de

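The two timer options Ben contrasts above, as an added example written for this page (not config from Gert's 6504 or from Ben): shortened ordinary hellos on a routed SVI, the sub-second fast-hello form shown commented out with its failure mode, and the SPF/LSA throttle timers that also bound convergence once a neighbour is declared down. Vlan100, the addresses, the process ID and the throttle values are assumptions.

```ios
! Added example, not config from the thread. Interface, addresses, process
! ID and the throttle values are assumed placeholders.
!
! Option A: ordinary hellos, shortened. 2 s hello / 6 s dead is the
! combination Ben reports as having worked; 1 s / 3 s is the next step down.
! Hello and dead intervals must match on both ends of the link or the
! adjacency will never form, so change them in lock-step.
interface Vlan100
 description p2p routed link to core-2
 ip address 192.0.2.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 2
 ip ospf dead-interval 6
!
! Option B: fast hellos (sub-second). "minimal hello-multiplier 4" sends
! four hellos per second with a 1 s dead interval. Hellos are generated and
! received by the OSPF process itself, with nothing like BFD's scheduling
! priority, so a router busy with a heavy SNMP poll can miss them and tear
! down a healthy adjacency. That is the false-positive risk Ben describes.
! Shown disabled; enable in place of Option A's two timer lines only after
! testing under realistic CPU load.
! interface Vlan100
!  ip ospf dead-interval minimal hello-multiplier 4
!
! Whichever hello timing is used, the time from "neighbour down" to a new
! forwarding table is bounded by SPF and LSA throttling. Values are in ms:
! initial delay, hold, maximum hold. These are an assumed starting point.
router ospf 1
 router-id 192.0.2.1
 timers throttle spf 50 200 5000
 timers throttle lsa all 10 100 5000
 timers lsa arrival 80
 network 192.0.2.0 0.0.0.3 area 0
```

`show ip ospf interface Vlan100` confirms the timers in effect and `show ip ospf neighbor` shows the dead-time counting down; watching the neighbour table during a `show processes cpu` spike is the practical test for whether the chosen interval is too aggressive for the box.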


Re: [c-nsp] Too dumb for SLB on ASR1Ks?

2009-04-03 Thread Ben Steele
What part exactly doesn't work? Just the load balancing? Do you have IP
connectivity OK to your real servers? How is that virtual IP being sent to
the box? It's not listed anywhere in your configuration how 10.10.237.x
gets to the box.

On Sat, Apr 4, 2009 at 2:01 AM, Elmar K. Bins e...@4ever.de wrote:

 Maybe someone can point me to a document that helps me through - or
 Rodney cuts in and tells me it's a bug ;)

 I have the following pretty simple (stripped down) configuration
 which does work on a 7201 and does not work on the ASR1000...

 (Yes, on the ASR the interface has 0/0/0 instead of 0/0 *g*)

 7201 image is 12.4(4)XD10 IPBase

 ASR1K image is a derivative of 12.2(33)XNB (experimental version with a
 bugfix)
 Tests with standard 12.2(33)XNB1 failed as well.
 Feature set is AdvancedEnterpriseK9 on the ASR.
 If there's a hint that work has been done on SLB in newer
 releases, I'm willing to try that...

 Any idea very much appreciated here - I'm pretty much stuck
 and am not sure whether I'm looking at my stupidity or a bug.

 Yours,
Elmar.


 

 ip slb serverfarm FARM-DNS
  real 10.10.236.12
  inservice
 !
 ip slb vserver VS-DNS
  virtual 10.10.237.53 udp 53
  serverfarm FARM-DNS
  sticky 5
  idle 5
  delay 1
  inservice
 !
 ip slb vserver VS-DNS-TCP
  virtual 10.10.237.53 tcp dns
  serverfarm FARM-DNS
  sticky 10
  idle 10
  inservice
 !
 interface GigabitEthernet0/0
  no ip address
  load-interval 30
  duplex auto
  speed auto
  media-type sfp
  negotiation auto
 !
 interface GigabitEthernet0/0.701
  encapsulation dot1Q 701
  ip address 10.10.235.1 255.255.255.0
 !
 interface GigabitEthernet0/0.702
  encapsulation dot1Q 702
  ip address 10.10.236.1 255.255.255.0

 


Re: [c-nsp] SXI1 is out

2009-04-02 Thread Ben Steele
In fear of prosecution from section 70 of the CRIMES ACT 1914 I will simply
say it is the successor to SXI, the SX series is an IOS available for the
6500 Platform.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/product_bulletin_c25-503086.html

Ben

On Thu, Apr 2, 2009 at 1:27 PM, Wilkinson, Alex 
alex.wilkin...@dsto.defence.gov.au wrote:


On Wed, Apr 01, 2009 at 05:50:01PM +0300, Tassos Chatzithomaoglou wrote:

...but release notes haven't been updated yet.
I'm having a maintenance window tomorrow and I was planning to upgrade
 3 6500s from SXF9 to SXI, but since SXI1 came out, I'm thinking of
 moving directly to it. Anyone know what is fixed from SXI to SXI1?

 What is SXI1 ?

  -aW

 IMPORTANT: This email remains the property of the Australian Defence
 Organisation and is subject to the jurisdiction of section 70 of the CRIMES
 ACT 1914.  If you have received this email in error, you are requested to
 contact the sender and delete the email.





Re: [c-nsp] 10GE card for 7609

2009-03-31 Thread Ben Steele
Yes, you can use the WS-670x in the 7600 with an RSP; I have a couple of
chassis with this at the moment. Granted, they are the 6704 (one with DFC)
10GEs, but I can't see a 6708 not working either...

7600#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SERIAL
  2     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SERIAL
  3    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SERIAL
  5     2 Route Switch Processor 720 (Active)    RSP720-3CXL-GE     SERIAL

On Wed, Apr 1, 2009 at 2:54 AM, Geoffrey Pendery ge...@pendery.net wrote:

 The stuff we've been reading (look at Supervisor Engines Supported
 on the data sheets for Cisco Catalyst 6500 Series 10 Gigabit Ethernet
 Interface Modules, or browse the line cards for the 7600, or go into
 Configurator tool) claims that the RSP 720 won't support the X6704 or
 X6708 10 Gig LAN cards, only the SIP/SPA/ES WAN type cards.

 I don't mean to kick off a big 6500 vs 7600 storm again, but does
 anyone know if this is incorrect?
 Can we buy a new 7609-S chassis, put a new RSP 720 in it, put 7600 IOS
 on that Sup, then plug in a WS-X6708-10G-3C and have it work?


 -Geoff


 On Mon, Mar 30, 2009 at 4:41 AM, Mark Tech techcon...@yahoo.com wrote:
 
  Hi
  I have a prospect for a 10G upstream customer and Upstream ISP
 connections. I would need to connect these into our 7609s running RSP
 720-3CXL's, at the moment I have found that the WS-X6704-10GE card may be
 suitable.
 
  My technical requirements are:
  10Gbps line rate
  IPv4
  Able to handle full Internet routing table
  Potentially IPv6 and MPLS in the future
 
  With the WS-X6704-10GE, there seems to be several options that are
 available with it i.e.
 
  Memory Option:
  MEM-XCEF720-256M
  Catalyst 6500 256MB DDR, xCEF720 (67xx interface, DFC3A)
  MEM-XCEF720-512M
  Cat 6500 512MB DDR, xCEF720 (67xx interface, DFC3A/DFC3B)
  MEM-XCEF720-1GB
  Catalyst 6500 1GB DDR, xCEF720 (67xx interface, DFC3BXL)
 
  
  Distributed Forwarding Card Option
 
  WS-F6700-CFC
  Catalyst 6500 Central Fwd Card for WS-X67xx modules
  WS-F6700-DFC3B
  Catalyst 6500 Dist Fwd Card, 256K Routes for WS-X67xx
  WS-F6700-DFC3A
  Catalyst 6500 Dist Fwd Card for WS-X67xx modules
  WS-F6700-DFC3BXL
  Catalyst 6500 Dist Fwd Card- 3BXL, for WS-X67xx
  WS-F6700-DFC3C
  Catalyst 6500 Dist Fwd Card for WS-X67xx modules
  WS-F6700-DFC3CXL
  Catalyst 6500 Dist Fwd Card- 3CXL, for WS-X67xx
 
  I assume that I would need MEM-XCEF720-1GB and WS-F6700-DFC3CXL?
 
  Regards
 
  Mark
 
 
 
 
 



Re: [c-nsp] 10GE card for 7609

2009-03-31 Thread Ben Steele
1GB on the DFC, 256MB definitely wouldn't cut it for us.

On Wed, Apr 1, 2009 at 11:30 AM, Jon Wolberg j...@defenderhosting.comwrote:

 How much RAM do you have in your 6704?  I have some too running in a RSP
 without issues and just got a new one.  It refused to push the FIB to the
 DFC and blew up due to low memory.  Our vendor only put a 256MB stick of RAM
 in this card when they usually have 1GB.

 Other than that, I haven't had any issues.


 Jon Wolberg
 Operations Manager
 PowerVPS / Defender Hosting
 Defender Technologies Group, LLC.





Re: [c-nsp] Multichassis Multilink PPP

2009-03-25 Thread Ben Steele
Do you control both ends of the link(s)? Any reason you can't just run L3
without PPP on the links with a routing protocol for redundancy and use
CEF's load sharing abilities?

I'd avoid the overhead and processing requirements of MMP if you can.


On Thu, Mar 26, 2009 at 12:21 AM, James Edmondson biged7...@gmail.comwrote:

 Question for the pros.

 Need advice on having multiple (2 right now and separate carriers, 6 in the
 future) T1's spread across two 7606 routers acting as one logical pipe.

 7606 \
       |--- (WAN) --- Router
 7606 /

 Looking for redundancy of T1 circuits across two physical routers. Is MCMMP
 the answer, GLBP, or HSRP with multilink?

 Your suggestions are welcome.  Thank you in advance.
 --
 James



Re: [c-nsp] vpn configuration

2009-03-25 Thread Ben Steele
DMVPN with GRE is your friend
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

On Thu, Mar 26, 2009 at 10:54 AM, Dan Letkeman danletke...@gmail.comwrote:

 Hello,

 I have the need to create a VPN between two routers.  R2 is behind R1
 which is doing NAT, and R3 has an interface with a public IP.  R3 has
 to initiate the VPN connection because it has a dynamic public IP.  I
 also need to be able to run OSPF across the VPN and monitor the VPN
 traffic.

 What would be the best way to do this? Does anyone have any
 configuration examples?

 Thanks
 Dan.




Re: [c-nsp] VPDN Multihop

2009-02-16 Thread Ben Steele
Try it with vpdn authen-before-forward
Ben

On Tue, Feb 17, 2009 at 3:22 PM, Kurt Bales kwba...@kwbales.net wrote:

 Hi All,

 There is probably an obvious answer to this, but I am failing to make
 it work the way I want so I'm asking the resident experts.

 We are a wholesale ISP taking DSL tails as L2TP from carriers.

 We have an LNS which is currently setup to switch these sessions to
 downstream channel partners based on match against the domain/REALM.

 For one of the realms on which we receive L2TP sessions, we would like
 to select a destination (either locally terminated or
 switched-to-channel-partner) on a per-account basis. These currently
 are switched to us on a per-account basis by our upstream provider
 doing per-account authentication and A/V pairs to forward the
 sessions. Their A/V pairs are setting a tunnel-id for these.


 Our thought was to leverage the multihop-hostname command under a
 request-dialin configured VPDN-group.

 The documentation on CCO seems to imply that it can be used to match
 against a VPDN tunnel-id, but we could not get that to work.

 multihop-hostname

 To enable a tunnel switch to initiate a tunnel based on the hostname
 or tunnel ID associated with an ingress tunnel, use the
 multihop-hostname command in VPDN request-dialin subgroup
 configuration mode. To disable this option, use the no form of this
 command.

 We tried configuring up a vpdn-group with a multihop
 hostname/initiate-to/local name/l2tp tunnel password, surely that
 would be enough to correctly match and therefore switch the session
 across to the downstream LNS?

 Unfortunately we could not get it to work; the error coming back was
 complaining that it could not assign a virtual-template to the
 session, which would seem to imply an attempt to terminate the session
 locally:

 Feb 17 12:14:18: SSS MGR [uid:606]: Handling Policy Service Authorize action (1 pending sessions)
 Feb 17 12:14:18: SSS PM [uid:606][6858A474]: RM/VPDN disabled: RM/VPDN author not needed
 Feb 17 12:14:18: SSS PM [uid:606][6858A474]: AAA author needed for registered user
 Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
 Feb 17 12:14:18: SSS MGR [uid:606]: Handling Need More Keys action
 Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
 Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
 Feb 17 12:14:18: VPDN uid:606 VPDN/AAA: accounting stop sent
 Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Destroying app session
 Feb 17 12:14:18: L2TUN APP: uid:606handle/665997Stopping service selection
 Feb 17 12:14:18: L2X SSS [uid:606]: Disc sent to SSS
 Feb 17 12:14:18: L2TP _:06839:70B5:
 Feb 17 12:14:18: L2TP _:06839:70B5: Shutting down session
 Feb 17 12:14:18: L2TP _:06839:70B5:   Result Code
 Feb 17 12:14:18: L2TP _:06839:70B5: Call disconnected, refer to error msg (2)
 Feb 17 12:14:18: L2TP _:06839:70B5:   Error Code
 Feb 17 12:14:18: L2TP _:06839:70B5: Insufficient resources (4)
 Feb 17 12:14:18: L2TP _:06839:70B5:   Vendor Error
 Feb 17 12:14:18: L2TP _:06839:70B5: None (0)
 Feb 17 12:14:18: L2TP _:06839:70B5:   Optional Message
 Feb 17 12:14:18: L2TP _:06839:70B5: No virtual-template specified
 Feb 17 12:14:18: L2TP _:06839:70B5:



 vpdn enable
 vpdn multihop
 vpdn aaa attribute nas-port vpdn-nas
 vpdn redirect
 vpdn logging
 vpdn logging local
 vpdn logging tunnel-drop
 vpdn history failure table-size 50
 vpdn session-limit 2048
 vpdn search-order multihop-hostname domain
 vpdn domain-delimiter @ suffix
 vpdn domain-delimiter / prefix
 !
 vpdn-group customer3
  request-dialin
   protocol l2tp
   multihop hostname <tunnel-name>
  initiate-to ip <downstream LNS IP> priority 1
  local name <my hostname>
  l2tp tunnel password 0 mumble
 !




 Any thoughts/suggestions?


 Regards,

 Kurt Bales

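As an added example (not Kurt's or Ben's code), the following Python script pulls the L2TP teardown fields out of debug output like the capture above, so the Result Code / Error Code / Optional Message that say why the LNS dropped a session can be read off per session handle instead of by eye. The sample lines are reconstructed from the capture in the thread, and the plain-language readings in explain() are my wording, not IOS text.

```python
import re

# Reconstructed from the debug capture in the thread (one event per line);
# the uid and session handle are the ones quoted there.
SAMPLE_DEBUG = """\
Feb 17 12:14:18: SSS MGR [uid:606]: Got reply Need More Keys from PM
Feb 17 12:14:18: VPDN uid:606 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 62/VPDN No Resources
Feb 17 12:14:18: VPDN uid:606 vpdn shutdown session, result=2, error=5, vendor_err=0
Feb 17 12:14:18: L2TP _:06839:70B5: Shutting down session
Feb 17 12:14:18: L2TP _:06839:70B5:   Result Code
Feb 17 12:14:18: L2TP _:06839:70B5: Call disconnected, refer to error msg (2)
Feb 17 12:14:18: L2TP _:06839:70B5:   Error Code
Feb 17 12:14:18: L2TP _:06839:70B5: Insufficient resources (4)
Feb 17 12:14:18: L2TP _:06839:70B5:   Vendor Error
Feb 17 12:14:18: L2TP _:06839:70B5: None (0)
Feb 17 12:14:18: L2TP _:06839:70B5:   Optional Message
Feb 17 12:14:18: L2TP _:06839:70B5: No virtual-template specified
"""

L2TP_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): L2TP "
    r"(?P<sess>_:[0-9A-Fa-f]+:[0-9A-Fa-f]+):(?P<body>.*)$")
VPDN_SHUTDOWN = re.compile(
    r"VPDN uid:(?P<uid>\d+) vpdn shutdown session, result=(?P<result>\d+), "
    r"error=(?P<error>\d+), vendor_err=(?P<vendor>\d+)")
CODED_VALUE = re.compile(r"^(?P<text>.+?)\s*\((?P<code>\d+)\)$")

# Label line -> field name. In this debug format the value always follows
# on the next line carrying the same session handle.
FIELDS = {
    "Result Code": "result",
    "Error Code": "error",
    "Vendor Error": "vendor",
    "Optional Message": "message",
}


def parse_l2tp_teardowns(text):
    """Return {session_handle: {field: value}} for every L2TP session whose
    result block appears in the debug text. Coded fields become
    (text, code) tuples; the optional message is kept as a string."""
    sessions = {}
    pending = {}  # session handle -> field whose value line is expected next
    for line in text.splitlines():
        m = L2TP_LINE.match(line)
        if not m:
            continue
        sess, body = m.group("sess"), m.group("body").strip()
        rec = sessions.setdefault(sess, {})
        if body in FIELDS:
            pending[sess] = FIELDS[body]
            continue
        field = pending.pop(sess, None)
        if field is None:
            continue  # chatter such as "Shutting down session" or blank lines
        coded = CODED_VALUE.match(body)
        if field != "message" and coded:
            rec[field] = (coded.group("text"), int(coded.group("code")))
        else:
            rec[field] = body
    return sessions


def parse_vpdn_shutdowns(text):
    """Return {uid: (result, error, vendor_err)} from the VPDN-layer lines."""
    out = {}
    for m in VPDN_SHUTDOWN.finditer(text):
        out[int(m.group("uid"))] = tuple(
            int(m.group(k)) for k in ("result", "error", "vendor"))
    return out


def explain(rec):
    """Plain-language reading of one teardown record (wording is mine)."""
    message = rec.get("message", "")
    error_code = rec.get("error", ("", None))[1]
    if "virtual-template" in message.lower():
        return ("LNS tried to terminate the session locally (no virtual-template); "
                "it was not switched to a downstream tunnel")
    if error_code == 4:
        return "LNS reported insufficient resources: " + message
    return "session torn down: " + (message or "no optional message")


if __name__ == "__main__":
    for sess, rec in parse_l2tp_teardowns(SAMPLE_DEBUG).items():
        print(sess, rec, "->", explain(rec))
    print(parse_vpdn_shutdowns(SAMPLE_DEBUG))
```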


Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

2009-02-15 Thread Ben Steele
For those interested, I put the SFMs in last night without a hitch; in
fact it didn't even drop a packet (1s ping intervals). It just did the usual
OIR Bus pause and one packet went up to 1600ms, then everything went back to
normal except packets were now using the new crossbar fabric (no reboot
required), very smooth.
Running 12.2(18)SXF4

Before:

router#sh fab swi
Global switching mode is Flow through
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards

Module Slot  Switching Mode
     1       Bus
     3       Bus
     5       Bus

After:

router#sh fab swi
Global switching mode is Compact
dCEF mode is not enforced for system to operate
Fabric module is not required for system to operate
Modules are allowed to operate in bus mode
Truncated mode is not allowed unless threshold is met
Threshold for truncated mode operation is 2 SFM-capable cards

Module Slot  Switching Mode
     1       dCEF
     3       Crossbar
     5       Crossbar
     6       No Interfaces

router#sh fab util

 slot  channel  Ingress %  Egress %
    1        0          0         0
    3        0          5         1
    5        0          1         5


Ben




Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

2009-02-15 Thread Ben Steele
Woops meant to reply all in case someone else wants to chime in.

On Mon, Feb 16, 2009 at 4:59 PM, Ben Steele illcrit...@gmail.com wrote:

 You could do this with variance in EIGRP: just add variance 2 into the
 EIGRP config and it will load balance on a 2:1 ratio. If your links are
 equally matched in terms of latency you can look at enabling per-packet load
 sharing on the 2 egress interfaces to get an even more granular
 distribution; this can wreak some havoc with unequal paths and out of
 sequence packets though, however if equally similar in characteristics then
 performance is usually very good.
 Ben


 On Mon, Feb 16, 2009 at 4:01 PM, Andy Saykao 
 andy.say...@staff.netspace.net.au wrote:

  Is it possible to aggregate and then load balance unequal ethernet
 circuits like so:

 I have two ethernet circuits on my Cisco router. Both have equal costs to
 the next hop.

 Ethernet Circuit #1 - 200M
 Ethernet Circuit #2 - 100M

 Can I aggregate both ethernet circuits so that the total amount of
 bandwidth available to the next hop is 300M?
 Can I then load balance it so both circuits are equally utilized?

 For example...

 * If I have 150M of traffic flowing to the next hop then the router
 would spread the load across both links like so:

 100M through Ethernet Circuit #1.
 50M through Ethernet Circuit #2.

 * The formula to use for this would be something like:

 Utilization / Total Bandwidth = percentage of utilization required per
 link
 150/300 = 0.5

 0.5 x bandwidth of Ethernet #1 = 0.5 x 200 = 100M
 0.5 x bandwidth of Ethernet #2 = 0.5 x 100 = 50M

 * If there was a total of 250M of traffic flowing to the next hop, and
 applying the formula above, the router would work out that the load
 distributed across both ethernet links would be:

 166M through Ethernet Circuit #1.
 84M through Ethernet Circuit #2.

 Any ideas???

 Thanks.

 Andy







Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

2009-02-15 Thread Ben Steele
So are these links your WAN links to your provider you are referring to? If
so are you running BGP over them or just a static default?

On Mon, Feb 16, 2009 at 5:09 PM, Andy Saykao 
andy.say...@staff.netspace.net.au wrote:

  Hi Ben,

 When I googled around, there were many discussions about using the
 variance command with EIGRP, but we don't run EIGRP internally as our IGP.

 This is a typical setup where we need to upgrade some of our links, so we
 might upgrade 50M on the second leg and end up with a situation where the
 first leg is 100M and the second leg is 150M. As you may know, some providers
 aren't so flexible, so you can't just upgrade 25M on each leg because they
 increment by 50M per leg only. Hence my question whether it is possible to
 load balance across unequal ethernet circuits without buying additional
 bandwidth for both circuits.

 Thanks.

 Andy









Re: [c-nsp] Load Balancing of Unequal Ethernet Bandwidth

2009-02-15 Thread Ben Steele
Alternatively if you are using BGP, have a look at BGP Link Bandwidth
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftbgplb.html

On Mon, Feb 16, 2009 at 5:32 PM, Tony td_mi...@yahoo.com wrote:


 Hi Andy,

 What do you run as IGP then so that we can help you out ?

 If static routes, then you can do it by having multiple routes that
 are to the same destination.

 eg. on 2x serial links you might have:

 serial1 = 200Mbps (10.1.1.1/30)
 serial2 = 100Mbps (10.1.1.5/3)

 You would then add static routes like this:
  ip route x y serial1
  ip route x y 10.1.1.2
  ip route x y serial2

 This way when you do show ip route x you would see something like:

 * directly connected via serial1
  Route metric is 0, traffic share count is 1
 * directly connected via serial2
  Route metric is 0, traffic share count is 1
 *  10.1.1.2
  Route metric is 0, traffic share count is 1

 Your router would then divide the traffic into three with one third going
 to each of the destinations configured. The fact that two of those
 destinations are the same link means that two thirds will go down your
 200Mbps link and one third down your 100Mbps link.

 This is fairly basic and doesn't scale very well, but will work.


 regards,
 Tony.








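To put Andy's proportional-split formula (from the first post in this thread) and Tony's duplicate-static-route trick side by side, here is an added Python example that is not from any of the posters: it computes what each link carries under both schemes, works out how many equal-cost route entries the static-route approach needs for a given bandwidth ratio, and flags links that would be oversubscribed. The link names and offered loads are constructed for the example.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Constructed link set matching the thread: two Ethernet circuits to the same
# next hop, bandwidths in Mbps.
LINKS = {"eth1": 200, "eth2": 100}


def proportional_split(load_mbps, links):
    """Andy's formula: each link carries load * (its bandwidth / total bandwidth).

    Returns exact Fractions, so the 250M case comes out as 500/3 and 250/3
    rather than the rounded 166M / 84M quoted in the thread.
    """
    total = sum(links.values())
    return {name: Fraction(load_mbps * bw, total) for name, bw in links.items()}


def static_route_share_counts(links):
    """Tony's trick: install the same static route several times (once via the
    interface, once via the next-hop address, ...) so that equal-cost load
    sharing gives each link a number of 'traffic share count' entries that is
    proportional to its bandwidth. Reducing the bandwidths by their GCD gives
    the smallest set of entries that reproduces the ratio. IOS caps the number
    of parallel paths per prefix (platform dependent), so large ratios may not fit.
    """
    g = reduce(gcd, links.values())
    return {name: bw // g for name, bw in links.items()}


def static_route_split(load_mbps, links):
    """Average per-link load under the static-route scheme. Per-destination
    CEF hashing only approaches this ratio on average over many flows."""
    counts = static_route_share_counts(links)
    total = sum(counts.values())
    return {name: Fraction(load_mbps * c, total) for name, c in counts.items()}


def oversubscribed(split, links):
    """Names of links whose computed share exceeds their own capacity."""
    return sorted(name for name, mbps in split.items() if mbps > links[name])


def plan(load_mbps, links):
    """Summarise both schemes for one offered load (values in Mbps)."""
    prop = proportional_split(load_mbps, links)
    stat = static_route_split(load_mbps, links)
    return {
        "proportional": {k: float(v) for k, v in prop.items()},
        "static_route_entries": static_route_share_counts(links),
        "static_route": {k: float(v) for k, v in stat.items()},
        "oversubscribed": oversubscribed(prop, links),
    }


if __name__ == "__main__":
    for load in (150, 250, 320):
        print(load, plan(load, LINKS))
    # Andy's upgrade case: a 100M and a 150M leg need a 2:3 ratio, i.e. five
    # route entries for the static-route scheme.
    print(plan(200, {"leg1": 100, "leg2": 150}))
```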


Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

2009-02-09 Thread Ben Steele
Thanks for all the replies. Personally I'm thinking it will be a few second
hiccup like you often get with OIR, then on its way again, but the fact I'm
changing how the underlying switch fabric works with this makes it more
interesting... I've scheduled an outage for this Sunday evening so I will
let you all know how it goes.
Cheers

Ben

On Mon, Feb 9, 2009 at 7:37 PM, Peter Rathlev pe...@rathlev.dk wrote:

 On Mon, 2009-02-09 at 10:26 +1030, Ben Steele wrote:
  I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2
  obviously), can't seem to find any info on Cisco as to the consequences this
  may have to traffic flowing through the Bus at the time (ie dropped packet
  rates),

 Just to chime in with more non-certain knowledge: When doing OIR the box
 does a bus stall AFAIK. This happens between when the pins start
 connecting and when all pins are connected.

 If this were to not cause any lost packets, the modules would have to
 buffer while the bus stall is in effect and retransmit whatever was on
 the wire when it happened. I don't think they do.

 Regards,
 Peter




[c-nsp] WS-6500-SFM insertion into production box, much of an impact?

2009-02-08 Thread Ben Steele
Howdy,
I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2
obviously). I can't seem to find any info on Cisco as to the consequences this
may have to traffic flowing through the Bus at the time (ie dropped packet
rates), and I want to know if the modules go from using Bus only backplane
to crossbar as soon as the module initiates or whether a reload would
actually be required for this.

Cheers

Ben


Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

2009-02-08 Thread Ben Steele
Thank you for cutting and pasting the information from Cisco that I've already
read :)
Seriously though, that doesn't answer my question.

On Mon, Feb 9, 2009 at 10:49 AM, Masood Ahmad Shah mas...@nexlinx.net.pkwrote:

 Yea it is hot-swappable. You must install the Switch Fabric Module in
 either slot 5 or slot 6 of the Catalyst 6506 switch. For redundancy, you can
 install a standby Switch Fabric Module. The module first installed functions
 as the primary module. When you install two Switch Fabric Modules at the
 same time, the module in slot 5 acts as the primary module, and the module
 in slot 6 acts as the backup. If you reset the module in slot 5, the module
 in slot 6 becomes the primary module.


 Regards,
 Masood
 Blog: http://weblogs.com.pk/jahil/


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ben Steele
 Sent: Monday, February 09, 2009 4:57 AM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] WS-6500-SFM insertion into production box, much of an
 impact?

 Howdy,
 I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2
 obviously), can't seem to find any info on Cisco as to the consequences this
 may have to traffic flowing through the Bus at the time (ie dropped packet
 rates), and I want to know if the modules go from using Bus only backplane
 to crossbar as soon as the module initiates or whether a reload would
 actually be required for this.

 Cheers

 Ben


Re: [c-nsp] WS-6500-SFM insertion into production box, much of an impact?

2009-02-08 Thread Ben Steele
Thanks Rubens, I'm aware of the line card requirements to operate in full
compact mode. The question I'm really interested in is: during the insertion
of the module, are there any dropped packets while the cards move from a Bus
switching mode to compact switching?

On Mon, Feb 9, 2009 at 12:06 PM, Rubens Kuhl rube...@gmail.com wrote:

 Remember that full SFM usage requires all modules to be
 fabric-enabled. If there are any line cards that aren't fabric
 enabled, all traffic will still go thru the bus, doesn't matter if it
 is an OIR or from power-up.

 Your question is if this OIR stands for Online Insertion and Removal
 or for Online Insertion and Reboot... although I don't know the
 answer, what I saw over the years is that even if it doesn't require a
 reboot, you will want to do one, because any issues you have after
 that will make you wonder whether it's due to OIR or not, so you
 will end up rebooting anyway.

 So, reboot while you have a planned window to do so, not when you are
 under pressure.


 Rubens


 On Sun, Feb 8, 2009 at 9:56 PM, Ben Steele illcrit...@gmail.com wrote:
  Howdy,
  I'm looking for some info on the insertion of a SFM into a live 6500 (Sup2
  obviously), can't seem to find any info on Cisco as to the consequences this
  may have to traffic flowing through the Bus at the time (ie dropped packet
  rates), and I want to know if the modules go from using Bus only backplane
  to crossbar as soon as the module initiates or whether a reload would
  actually be required for this.
 
  Cheers
 
  Ben


Re: [c-nsp] Virtual Routers

2008-11-17 Thread Ben Steele
Actually I just realised after I sent this that you will need to PBR the
last hop in the 6500 before the inside host too if you haven't brought it
into a vrf, otherwise the initial route will take hold and loop you back into
the FWSM again.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Steele
Sent: Monday, 17 November 2008 9:39 PM
To: 'Holemans Wim'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Virtual Routers

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host -> 6500 VLAN 1 -> FWSM -> 6500 VLAN 2 (PBR set ip next-hop IPS)
-> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables
(in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by
simply not including it in the IPS PBR acl.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with
different routing tables? I've read about VRF-Lite but it is always
mentioned in a VPN environment with remote and central devices. I need
to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and
back into the same 6500. Maybe PBR would do the trick but I'm still
looking for some good and clear info on virtual routing in a LAN
environment (if existing).

 

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen



Re: [c-nsp] Virtual Routers

2008-11-17 Thread Ben Steele
You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host -> 6500 VLAN 1 -> FWSM -> 6500 VLAN 2 (PBR set ip next-hop IPS)
-> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables
(in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by
simply not including it in the IPS PBR acl.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with
different routing tables? I've read about VRF-Lite but it is always
mentioned in a VPN environment with remote and central devices. I need
to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and
back into the same 6500. Maybe PBR would do the trick but I'm still
looking for some good and clear info on virtual routing in a LAN
environment (if existing).

 

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen



Re: [c-nsp] SXI out

2008-11-13 Thread Ben Steele
You'll have to beat all the girls off with your linecards with a t-shirt
that cool!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hank Nussbacher
Sent: Friday, 14 November 2008 5:34 AM
To: Jared Mauch; Tim Durack
Cc: cisco-nsp@puck.nether.net; Jared Mauch
Subject: Re: [c-nsp] SXI out

At 12:46 PM 13-11-08 -0500, Jared Mauch wrote:

 If people want to, I can set up a wiki where you can post
test cases, results, configurations, feature data, etc..

 Would that be of value?

I can't wait for the black T-shirt:

I have SXI - do you?

-Hank


 - Jared

--
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: [c-nsp] Upgrading edge router

2008-11-11 Thread Ben Steele
I'd try and go the ASR1002 option, it shouldn't be too far off your 35k
budget without SmartNet, although I'd recommend maintenance on the software
as you will want access to TAC for bugs; also, if you can, option in the HA
feature so you can get ISSU.

With 5Gb of throughput, dual PSU and 4Gb (SFP) int's out of the box with room
for expansion it's good bang for buck. The ASR is really aimed as the next
generation 7200 swiss army knife, being a software based feature platform
rather than a hardware one (ie 7600/6500); it's a welcome new product and you
should see good life out of it. It has some limitations in its current form,
the only one that may concern you with your list that I can think of is lack
of AToM MPLS support, but that is due out in an upcoming software release.

Put the quagga to rest! :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Affan Basalamah
Sent: Tuesday, 11 November 2008 9:19 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Upgrading edge router

Hi all,

I am a network admin at a university that has a UNIX PC that functions as
core router and firewall to accommodate:
- 2 x 45 Mb link to research education network (REN)
- 100Mb link to local exchange point
- 10Mb link to Internet
Currently we accept partial routes from Internet, and aggregated with
REN prefixes, we have at least 30k prefixes.

We would like to upgrade our router to accommodate:
- new STM-1 link (physical connector is not STM1 port, but it is
converted to Gigeth by our telco)
- at least 4 1000BaseT ports
- firewall feature (packet filter and inspection) would be nice
- IPv6 multicast and MPLS feature
- can keep up the load at least for 5 years
- budget around $35k

I have done some research, and our choice could come to:
- Cisco 7603 with Sup32. I think this is the cheapest solution with 8
port gigabit ethernet, but I don't know whether it could handle the
load. I also see it has integrated packet inspection with PISA
daughterboard, but I don't have any experience with that. The
supervisor is a bit old compared to ASR1000.
- Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet
inspection, but I don't know whether it can suit the budget.
- Juniper M7i with 2 x 1Gbps SFP port. It has a better OS (but I haven't
compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit
ports, and a separate AS module can cost you too much. I don't know
whether it suits the budget.
- Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had
experience with this box, but the specs look promising, and maybe it
suits the budget.

I would like your suggestion about my plan above, perhaps I can come
out with a better plan.

Thank you,
Regards,

-affan


Re: [c-nsp] Upgrading edge router

2008-11-11 Thread Ben Steele
Without looking at the article (don't have time right now), flexible packet
matching and firewalling are definitely 2 different things. I'd say packet
matching is referring more to something like NBAR with some additional
features; remember it only says packet matching (not blocking). The latter is
the full stateful firewall feature set, so if you aren't wanting it to do
proper firewalling then you want that one.

As for licenses this one is a little weird: basically adv enterprise is
cheaper than adv ip even though it has all the features of adv ip. It seems to
be purely based on ppl not wanting features they will never use available on
an image and Cisco making them pay more for that feature; my advice is buy
the cheaper adv enterprise, it will do IPv6.



-Original Message-
From: Affan Basalamah [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 11 November 2008 10:25 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Upgrading edge router

Thank you for your prompt response,
I would like to know a thing about ASR1000 software components:

- It says on the ASR1000 software ordering guide
(http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html)
that there is a FPM (flexible packet matching) service license and a
Firewall service license. I would like to know the difference between the
two licenses, since the latter costs double the former.
- What version of IOS-XE is integrated in the ASR1000 bundle? Is it IP
Base or Advanced IP Services? I would like to run IPv6 on the
router, so the router will need Advanced IP Services IOS.

Regards,

-affan

On Tue, Nov 11, 2008 at 6:08 PM, Ben Steele [EMAIL PROTECTED]
wrote:
 I'd try and go the ASR1002 option, it shouldn't be too far off your 35k
 budget without SmartNet, although I'd recommend maintenance on the software
 as you will want access to TAC for bugs; also, if you can, option in the HA
 feature so you can get ISSU.

 With 5Gb of throughput, dual PSU and 4Gb (SFP) int's out of the box with room
 for expansion it's good bang for buck. The ASR is really aimed as the next
 generation 7200 swiss army knife, being a software based feature platform
 rather than a hardware one (ie 7600/6500); it's a welcome new product and you
 should see good life out of it. It has some limitations in its current form,
 the only one that may concern you with your list that I can think of is lack
 of AToM MPLS support, but that is due out in an upcoming software release.

 Put the quagga to rest! :)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Affan Basalamah
 Sent: Tuesday, 11 November 2008 9:19 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Upgrading edge router

 Hi all,

 I am a network admin at a university that has a UNIX PC that functions as
 core router and firewall to accommodate:
 - 2 x 45 Mb link to research education network (REN)
 - 100Mb link to local exchange point
 - 10Mb link to Internet
 Currently we accept partial routes from Internet, and aggregated with
 REN prefixes, we have at least 30k prefixes.

 We would like to upgrade our router to accommodate:
 - new STM-1 link (physical connector is not STM1 port, but it is
 converted to Gigeth by our telco)
 - at least 4 1000BaseT ports
 - firewall feature (packet filter and inspection) would be nice
 - IPv6 multicast and MPLS feature
 - can keep up the load at least for 5 years
 - budget around $35k

 I have done some research, and our choice could come to:
 - Cisco 7603 with Sup32. I think this is the cheapest solution with 8
 port gigabit ethernet, but I don't know whether it could handle the
 load. I also see it has integrated packet inspection with PISA
 daughterboard, but I don't have any experience with that. The
 supervisor is a bit old compared to ASR1000.
 - Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet
 inspection, but I don't know whether it can suit the budget.
 - Juniper M7i with 2 x 1Gbps SFP port. It has a better OS (but I haven't
 compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit
 ports, and a separate AS module can cost you too much. I don't know
 whether it suits the budget.
 - Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had
 experience with this box, but the specs look promising, and maybe it
 suits the budget.

 I would like your suggestion about my plan above, perhaps I can come
 out with a better plan.

 Thank you,
 Regards,

 -affan

Re: [c-nsp] vrf-lite question

2008-11-10 Thread Ben Steele
Use an export map on the GW to only export the routes for GW and not the
other custs.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wayne Lee
Sent: Tuesday, 11 November 2008 10:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] vrf-lite question

Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.

I have 4 routers and 3 vrf's (cust1, cust2 and GW) configured on R0


R1---R0---R2
      |
      |
      |
      R4

cust1 and cust2 import from GW and GW imports from cust1 and cust2.

The problem I'm having is that cust1 can reach cust2 via GW and
vice-versa. I'm using OSPF and BGP to redistribute but I do not know
how to stop the customer VRF's from seeing each other, they do need
internet access via GW which will be performing NAT and allow inbound
ipsec connections to the different VRF's (R4 will be a Netscreen
firewall in the data-centre)

ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200

interface FastEthernet1/0
 description link to R1
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 description link to R2
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
 duplex half
!
interface FastEthernet3/0
 description link to R3
 ip address 172.16.254.1 255.255.255.252
 duplex half
!
interface FastEthernet4/0
 description juniper gateway to internet
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
 duplex half
!
router ospf 11 vrf cust1
 log-adjacency-changes
 capability vrf-lite
 network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
 log-adjacency-changes
 capability vrf-lite
 network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface FastEthernet3/0
 network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
 log-adjacency-changes
 capability vrf-lite
 network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
 no synchronization
 bgp router-id 10.10.254.254
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf juniperGW
 redistribute ospf 10
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust2
 redistribute ospf 12
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust1
 redistribute ospf 11
 no auto-summary
 no synchronization
 exit-address-family
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in
each VRF and the Netscreen will provide internet access and VPN to
other sites where we do not terminate the ADSL

Thanks for your time


Wayne
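The reply's fix is an export map on the GW VRF. As an added example (not from the thread, and not Cisco code), the script below parses the route-target statements of the vrf-lite configuration posted above, builds the import/export relationships between the VRFs, and reports customer VRF pairs that can reach each other through a hub VRF that has no `export map` limiting what it re-advertises. The transitive rule is a heuristic that encodes what the poster observed (cust1 and cust2 seeing each other via GW); the `GW-ONLY` map name is an assumption for the example.

```python
"""Audit IOS 'ip vrf' stanzas for route leakage between customer VRFs.

Added example, not from the thread. The transitive rule is a heuristic: a
hub VRF without an 'export map' is assumed to re-advertise everything in
its table, which is the behaviour the poster observed.
"""
import re

# Constructed from the configuration in the original post.
SAMPLE_CONFIG = """\
ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200
!
"""

# Same hub VRF with the export map the reply recommends (map name assumed).
FIXED_GW = SAMPLE_CONFIG.replace(
    " route-target import 172.16.2.1:200\n!",
    " route-target import 172.16.2.1:200\n export map GW-ONLY\n!")


def parse_vrfs(config):
    """Return {vrf: {'import': set, 'export': set, 'export_map': name|None}}."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if line.startswith("!"):
            current = None
            continue
        m = re.match(r"^ip vrf (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set(), "export_map": None}
            continue
        if current is None:
            continue
        m = re.match(r"^\s+route-target (import|export|both) (\S+)", line)
        if m:
            kind, rt = m.groups()
            if kind != "export":
                vrfs[current]["import"].add(rt)
            if kind != "import":
                vrfs[current]["export"].add(rt)
            continue
        m = re.match(r"^\s+export map (\S+)", line)
        if m:
            vrfs[current]["export_map"] = m.group(1)
    return vrfs


def direct_imports(vrfs):
    """Set of (importer, exporter) pairs whose route-targets overlap."""
    return {(a, b) for a in vrfs for b in vrfs
            if a != b and vrfs[a]["import"] & vrfs[b]["export"]}


def hub_leaks(vrfs, hub):
    """Customer pairs able to see each other's routes through an unfiltered hub."""
    if vrfs[hub]["export_map"]:
        return set()                                   # hub filters its exports
    direct = direct_imports(vrfs)
    feeders = {b for (a, b) in direct if a == hub}     # hub imports from b
    consumers = {a for (a, b) in direct if b == hub}   # a imports from hub
    return {(dst, src) for src in feeders for dst in consumers
            if src != dst and (dst, src) not in direct}


def audit(config, hub="juniperGW"):
    """Sorted list of (victim, source) pairs that leak through the hub."""
    return sorted(hub_leaks(parse_vrfs(config), hub))


if __name__ == "__main__":
    print("as posted:", audit(SAMPLE_CONFIG))     # cust1 and cust2 leak via GW
    print("with export map:", audit(FIXED_GW))    # nothing reported
```

The route-map referenced by `export map GW-ONLY` is not parsed here; the audit only checks that the hub restricts what it exports at all, which is the point of the reply. Run it against a real config dump and it will flag any hub-style VRF that is missing that restriction.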


Re: [c-nsp] FWSM Access-control lists

2008-11-10 Thread Ben Steele
If you just add all your line numbers the same it will automatically bump
the one it's replacing up one.

Ie say your permit ip any any is at line 4; if you just insert all your
rules as line 4 you will find they bump each other up all the way to
whatever line number you get to, with the original line 4 statement at the
very end.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hitesh Vinzoda
Sent: Tuesday, 11 November 2008 4:54 PM
To: Cisco Mailing list
Subject: [c-nsp] FWSM Access-control lists

Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24)
and all of them are sitting behind FWSM. Current ACL applied is permit ip
any any.

Now we have got the details of one server communicating on some ports for
that we are going to apply the ACL. I came to know about the line numbers in
ACE but for me it's not working.

Say e.g. my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

now any other traffic for this particular server will be denied

access-list test line 500 extended permit ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the sh access-list command it
shows the line numbers for 500 and 501 as 4 & 5 respectively, i.e. anything
added later is appended.

I want to have ip any any at line 15000 which will be removed once all ACEs for
each server are in place.

FWSM is running 3.2

Any ideas about getting lines 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda
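The line-number behaviour described above, as an added example (not from the thread and not FWSM code): a small model of how the `line N` argument is applied, which shows why the poster's `line 500` landed on line 4 and how the reply's trick keeps the catch-all entry at the end. It also shows the caveat a practitioner hits in practice: inserting everything at the same line reverses the order, so the rules have to be fed last-to-first. The ACEs are constructed for the example.

```python
"""Model of FWSM/ASA 'access-list NAME line N' insertion semantics.

Added example, not from the thread: it models the behaviour described in
the reply (same line number bumps the current occupant down) and the
observation in the question (a line past the end is simply appended).
"""


class AccessList:
    """Ordered ACEs with 1-based line numbers, as 'show access-list' prints them."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, ace, line=None):
        """Insert at 'line'; a line beyond the end (or no line) appends.

        Returns the line the ACE actually landed on.
        """
        if line is None or line > len(self.entries) + 1:
            # No gaps are reserved: 'line 500' on a 3-entry list becomes line 4.
            line = len(self.entries) + 1
        if line < 1:
            raise ValueError("line numbers start at 1")
        self.entries.insert(line - 1, ace)   # existing entry at that line shifts down
        return line

    def line_of(self, ace):
        return self.entries.index(ace) + 1

    def show(self):
        """Render like 'show access-list': one numbered line per ACE."""
        return [f"access-list {self.name} line {i} extended {ace}"
                for i, ace in enumerate(self.entries, 1)]


# Constructed ACEs for one server, in the order they should be evaluated.
SERVER_RULES = [
    "permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq www",
    "permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq smtp",
    "permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq 445",
    "deny ip any host 172.16.2.20",
]
CATCH_ALL = "permit ip any any"


def posters_attempt():
    """Reproduce the question: 'line 500'/'line 501' are appended as 4 and 5."""
    acl = AccessList("test")
    for ace in SERVER_RULES[:3]:
        acl.add(ace)
    landed_500 = acl.add(SERVER_RULES[3], line=500)
    landed_501 = acl.add(CATCH_ALL, line=501)
    return acl, landed_500, landed_501


def reply_trick():
    """Start with the catch-all at line 1 and insert every rule at line 1.

    Each insert bumps the previous occupant down one, so the catch-all keeps
    sliding to the end without being re-added. Because the newest insert
    always wins line 1, the rules are fed in reverse to end up in order.
    """
    acl = AccessList("test")
    acl.add(CATCH_ALL)
    for ace in reversed(SERVER_RULES):
        acl.add(ace, line=1)
    return acl


if __name__ == "__main__":
    acl, l500, l501 = posters_attempt()
    print("line 500 landed on", l500, "and line 501 on", l501)
    print("\n".join(reply_trick().show()))
```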


Re: [c-nsp] Layer-2 backup

2008-11-03 Thread Ben Steele
Check out rapid spanning-tree (802.1w)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ambedkar 
Sent: Tuesday, 4 November 2008 3:16 PM
To: cisco_nsp
Subject: [c-nsp] Layer-2 backup

  
Hi, I want to implement layer-2 backup with minimum delay with Cisco
2950 switches.
I have seen flexlinks, but this is for the Cisco 3500 series and above.

Please help me in this regard.
Thanks in advance.
Bye.


Re: [c-nsp] Monitoring tools for MPLS VPN customers

2008-10-31 Thread Ben Steele
You definitely want a Management vrf that you leak into all your customer
vrf's, from this you can use something like nagios or whatever your tool of
choice is to alert to downed nodes, just remember not to overlap your CPE IP
addressing even though they are in separate vrf's.

As far as voip monitoring goes you can use ip sla on your routers to monitor
jitter/loss/delay etc..

Check out:

http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017531d.html

and

http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd801752ec.html

For ideas on what ip sla can do for you, there are plenty of configuration
examples around to look at too.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Saykao
Sent: Friday, 31 October 2008 4:25 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Monitoring tools for MPLS VPN customers

Hi All,
 
We have some MPLS VPN customers waiting to come on board and have asked
us about what sort of monitoring we can provide for all their sites. By
monitoring I can only guess that the customer is asking us to identify
when a VPN site goes down. Other desirable features might be to
implement some SLA to monitor latency and round trip time for those
customers who rely heavily on VoIP. Ideally, the IT person for the
organization should be doing most of this monitoring, but Management
have asked me to investigate what sort of monitoring we can provide to
the customer to help bring them on board.

We are currently using Cisco's MPLS Diagnostics Expert but this doesn't
seem to have any proactive monitoring tool via its SLA feature. We
could set up a management station within a management VRF and run some
monitoring software on it, which is another option.

Just curious to know what software Service Providers are using to
proactively monitor their VPN customers.
 
Thanks.
 
Andy

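The reply points at ip sla udp-jitter for the VoIP side of the monitoring question. As an added example (not from the thread, and not Cisco's IP SLA implementation), the script below shows the arithmetic behind the figures such an operation reports: per-probe RTT, loss from missing sequence numbers, and positive/negative jitter as the change in RTT between consecutive answered probes. It works on round-trip times only (the real operation also uses responder timestamps for per-direction values); the probe batch and the alert thresholds are constructed.

```python
"""RTT, loss and jitter from a batch of UDP probe timestamps.

Added example, not from the thread or from Cisco: a simplified, RTT-only
model of what an ip sla udp-jitter operation summarises. Probe data and
thresholds are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class Probe:
    seq: int
    sent_ms: float
    received_ms: Optional[float]   # None when the reply never came back


def rtt_ms(p: Probe) -> float:
    return p.received_ms - p.sent_ms


def jitter_metrics(probes: List[Probe], expected: int) -> dict:
    """Summarise a probe batch the way an SLA monitor would.

    Jitter is the RTT change between consecutive answered probes: positive
    when RTT grows, negative when it shrinks. Loss is counted against the
    number of probes sent ('expected'), not the number that came back.
    """
    answered = sorted((p for p in probes if p.received_ms is not None),
                      key=lambda p: p.seq)
    rtts = [rtt_ms(p) for p in answered]
    pos = [b - a for a, b in zip(rtts, rtts[1:]) if b > a]
    neg = [a - b for a, b in zip(rtts, rtts[1:]) if b < a]
    lost = expected - len(answered)
    return {
        "sent": expected,
        "lost": lost,
        "loss_pct": round(100.0 * lost / expected, 1),
        "rtt_min_ms": min(rtts),
        "rtt_avg_ms": round(mean(rtts), 2),
        "rtt_max_ms": max(rtts),
        "jitter_pos_avg_ms": round(mean(pos), 2) if pos else 0.0,
        "jitter_neg_avg_ms": round(mean(neg), 2) if neg else 0.0,
        "jitter_max_ms": max(pos + neg) if pos or neg else 0.0,
    }


def breaches(metrics: dict, max_loss_pct=1.0, max_jitter_ms=30.0, max_rtt_ms=150.0):
    """Names of the thresholds a voice-class SLA would alert on (limits assumed)."""
    hits = []
    if metrics["loss_pct"] > max_loss_pct:
        hits.append("loss")
    if metrics["jitter_max_ms"] > max_jitter_ms:
        hits.append("jitter")
    if metrics["rtt_max_ms"] > max_rtt_ms:
        hits.append("rtt")
    return hits


# Constructed batch of 10 probes sent 20 ms apart; seq 7 is lost and seq 8
# comes back late, as a congested CE-to-CE path might produce.
SAMPLE_BATCH = [
    Probe(1, 0.0, 42.0),
    Probe(2, 20.0, 61.0),
    Probe(3, 40.0, 83.0),
    Probe(4, 60.0, 101.0),
    Probe(5, 80.0, 124.0),
    Probe(6, 100.0, 140.0),
    Probe(7, 120.0, None),
    Probe(8, 140.0, 215.0),
    Probe(9, 160.0, 203.0),
    Probe(10, 180.0, 222.0),
]

if __name__ == "__main__":
    m = jitter_metrics(SAMPLE_BATCH, expected=10)
    print(m)
    print("alerts:", breaches(m))
```

Feeding the per-batch summary into whatever tool runs in the management VRF (the reply mentions nagios) gives the proactive alerting the question asks about; the thresholds are the part to agree with the customer.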


Re: [c-nsp] 10G 6704 and 6708

2008-10-30 Thread Ben Steele
Am currently using quite a few 6704's, some with DFC (at 3CXL spec), some
without.

Nothing fancy really going on, they just work; have some using CX4 and some
using long range fibre, of course we are on XENPAKs rather than X2's with
the 6704.

The only issue I've had is a netflow bug when exporting from the DFC's
(CSCsq14299) but that got fixed in SRB4.

Haven't actually had one hit 10Gb yet so can't say how well they handle
congestion or really high traffic flows but certainly 5Gbs is no problem.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of vince anton
Sent: Friday, 31 October 2008 3:54 PM
To: cisco-nsp
Subject: [c-nsp] 10G 6704 and 6708

Hi,

I'm looking at 10G cards for 7600 with SUP720-3BXL (running SXF) and wanted
an opinion from the list.

I've seen posts in archives and Cisco datasheets and I'm aware of the
differences between the 6704 and 6708 (6708 comes with 3CXL, deeper buffers,
etc...). The port density on the 6708 (though not at line rate) is
attractive.

No fancy features or requirements here, just plain old LAN switching.

Anyone care to share experiences with these cards in production?



Thanks,

anton


Re: [c-nsp] OSPF fast hellos

2008-10-29 Thread Ben Steele
Because I couldn't see BFD support for 3750's; the best they can do is UDLD,
otherwise that would be my preferred method.

Are you advising against fast hellos? Have you seen many issues with people
using them?

-Original Message-
From: Rodney Dunn [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 29 October 2008 11:41 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF fast hellos

Why don't you use BFD instead. It's designed with something called
pseudo preemption from an OS scheduler perspective that helps
reduce false positives and the fact that BFD frames are handled
under interrupt and not process scheduled for rx/tx.

Rodney

On Wed, Oct 29, 2008 at 04:09:45PM +1030, Ben Steele wrote:
 Anyone currently using this in a fairly demanding environment? Ie 5-10Gbs+
 Campus/DC model.

 Curious as to whether you've had any/many false dead peers with such a short
 interval, subsecond dead peer detection does sound very tempting though.

 Cheers

 Ben



[c-nsp] OSPF fast hellos

2008-10-28 Thread Ben Steele
Anyone currently using this in a fairly demanding environment? Ie 5-10Gbs+
Campus/DC model.

Curious as to whether you've had any/many false dead peers with such a short
interval, subsecond dead peer detection does sound very tempting though.

Cheers

Ben




Re: [c-nsp] OSPF over PPPoATM

2008-10-26 Thread Ben Steele
What does an ospf debug show on the 2800 side? I've had issues before with DSL
ospf and mismatched network types due to the point-to-multipoint type of
relationship you get with an LNS/client; does putting a /30 on the link make
any difference? I think the debug is going to be the one that tells the story,
if you don't even see hellos then you probably have something blocking it in
between.

Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniele Orlandi
Sent: Sunday, 26 October 2008 3:37 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF over PPPoATM

On Monday 20 October 2008 15:43:03 Marko Milivojevic wrote:

 Before I accuse intermediate DSLAM filtering them, could you post
 relevant interface and OSPF process configurations from both routers,
 please?

Marko,

Would it be possible for a DSLAM to implement filtering on the AAL5 
encapsulated traffic? It would have to decapsulate and interpret UDP/IP 
packets to do it. Did you experience anything similar?

I would point my finger at an IOS bug, however I tried several completely 
different IOSes on both the termination and DSL box with no change.

Anyway, this is the relevant configuration:

7200 PPP terminator:
--

interface ATM2/0
 no ip address
 load-interval 30
 atm sonet stm-1
 atm pppatm passive
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 
 range PPPOA-10 pvc 10/100 10/250
  ubr 1000
  dbs enable
  oam-range manage
  encapsulation aal5mux ppp Virtual-Template1
  create on-demand

interface Virtual-Template1
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip ospf message-digest-key 1 md5 7 
 ip ospf network point-to-point
 peer default ip address pool adsl
 ppp authentication pap callin adsl
 ppp authorization adsl
 ppp accounting adsl

router ospf 9026
 log-adjacency-changes  
 area 0 authentication message-digest   
 summary-address 62.212.6.0 255.255.255.0   
 summary-address 62.212.4.0 255.255.255.0   
 redistribute connected subnets 
 redistribute static subnets
 network 62.212.0.0 0.0.31.255 area 0  

-

gw-dsl#sh ip ospf interface Vi2.21
Virtual-Access2.21 is up, line protocol is up
  Internet Address 0.0.0.0/0, Area 0
  Process ID 9026, Router ID 62.212.3.248, Network Type POINT_TO_POINT, Cost: 
100
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
  Index 33/33, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
Youngest key id is 1



2800 DSL Box:
--
interface ATM0/1/0   
 no ip address   
 no atm ilmi-keepalive   
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp Virtual-Template1

interface Virtual-Template1
 ip address negotiated
 ip ospf message-digest-key 1 md5 7 xxx
 ipv6 enable
 ppp pap sent-username uli.adsl password 7 xxx

router ospf 9026
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected subnets
 redistribute static metric 200 subnets
 network 62.212.0.0 0.0.31.255 area 0

-

gw-milano#sh ip ospf interface Vi1.1
Virtual-Access1.1 is up, line protocol is up
  Internet Address 62.212.6.189/32, Area 0
  Process ID 9026, Router ID 62.212.3.243, Network Type POINT_TO_POINT, Cost: 
284
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 5/5, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
Youngest key id is 1

Bye,

-- 
  Daniele Orlandi   つづく

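Added example, not code from the thread or from Cisco: a small Python checker that parses the two "sh ip ospf interface" captures Daniele posted and reports the things a reader compares by eye when a point-to-point adjacency is stuck. The sample text is reconstructed from the two captures above with the archive's line wrap on "Cost:" undone; the field names and the checks are mine. It confirms that area, network type, timers and MD5 authentication already agree on both ends (so a parameter mismatch can be ruled out) and flags only what the captures actually show: the 7200 side reporting no address (0.0.0.0/0) on its unnumbered virtual-access, one neighbour seen there but none adjacent, and the asymmetric neighbour count, meaning hellos are reaching one side only.

```python
import re

# Constructed sample input: the two captures from the thread, re-joined where
# the archive wrapped "Cost:" onto a new line.
GW_DSL = """\
Virtual-Access2.21 is up, line protocol is up
  Internet Address 0.0.0.0/0, Area 0
  Process ID 9026, Router ID 62.212.3.248, Network Type POINT_TO_POINT, Cost: 100
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:00
  Index 33/33, flood queue length 0
  Neighbor Count is 1, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
"""

GW_MILANO = """\
Virtual-Access1.1 is up, line protocol is up
  Internet Address 62.212.6.189/32, Area 0
  Process ID 9026, Router ID 62.212.3.243, Network Type POINT_TO_POINT, Cost: 284
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 5/5, flood queue length 0
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1
"""

# One regex per field we care about; group 1 is the value.
PATTERNS = {
    "address": r"Internet Address (\S+), Area",
    "area": r", Area (\S+)",
    "router_id": r"Router ID (\S+),",
    "network_type": r"Network Type (\S+),",
    "hello": r"Hello (\d+),",
    "dead": r"Dead (\d+),",
    "neighbors": r"Neighbor Count is (\d+),",
    "adjacent": r"Adjacent neighbor count is (\d+)",
}


def parse_ospf_interface(text):
    """Pull the adjacency-relevant fields out of 'show ip ospf interface' text."""
    fields = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field {name!r} not found in output")
        value = m.group(1)
        fields[name] = int(value) if value.isdigit() else value
    fields["auth"] = "md5" if "Message digest authentication enabled" in text else "none"
    return fields


def compare_sides(a, b, labels=("A", "B")):
    """List the reasons two ends of a point-to-point link may not form an adjacency."""
    issues = []
    # These must agree or the other side's hello is rejected before any state is built.
    for key in ("area", "network_type", "hello", "dead", "auth"):
        if a[key] != b[key]:
            issues.append(f"{key} mismatch: {a[key]} vs {b[key]}")
    if a["router_id"] == b["router_id"]:
        issues.append(f"duplicate router ID {a['router_id']}")
    for label, side in zip(labels, (a, b)):
        if side["address"].startswith("0.0.0.0"):
            issues.append(f"{label}: no IP address on the interface (0.0.0.0/0), check the unnumbered source")
        if side["neighbors"] > side["adjacent"]:
            issues.append(f"{label}: hellos arriving from {side['neighbors']} neighbour(s) "
                          f"but {side['adjacent']} adjacent, adjacency stuck after hello")
    if a["neighbors"] != b["neighbors"]:
        issues.append("asymmetric neighbour counts: hellos flow in one direction only")
    return issues


if __name__ == "__main__":
    dsl = parse_ospf_interface(GW_DSL)
    milano = parse_ospf_interface(GW_MILANO)
    for issue in compare_sides(dsl, milano, ("gw-dsl", "gw-milano")):
        print("-", issue)
```

A "mismatch" entry means hellos are being rejected outright; matching parameters with a one-sided neighbour count is the pattern in this thread, and points at hellos not getting through in one direction, which is exactly the "something blocking it in between" that Ben suggests debugging on the 2800.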


Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

2008-10-25 Thread Ben Steele
You can use EEM to run commands on other routers, it's not the best at doing
remote telnet/ssh but it can do it to some extent, it's the interactive stuff
that seemed to really kill it last time I tried but a simple command would
work, it may be better for that now.

So essentially you would create your app on R1 based on the event of BGP
peer going down, then the action would be to open a session to R0 and change
that route-map for your communities and execute a clear ip bgp x.x.x.x out,
whether you can do all of that via EEM remotely I'm not sure, on the same
router would be no problem.

You could just write an expect script if you have a unix host somewhere
there for management and have the EEM trigger that if it's easier, I could
even write you the expect script if you want, it's pretty simple.

Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Sunday, 26 October 2008 3:25 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

In this particular setup the router R0 wouldn't be peering with ATT's
router, it would get the default route from R1 which is my other router, so
I would not get the neighbor down alert.

(ISP Cogent)(ISP ATT)
 |  |
  RO --- R1

Is there a way to use event manager to track a default route with
communities set on it or default route with next hop to monitor as an event
and take action based on that?
 
Thank you,



From: Ben Steele [mailto:[EMAIL PROTECTED]
Sent: Fri 10/24/2008 8:55 PM
To: 'Ben Steele'; Kacprzynski, Tomasz; [EMAIL PROTECTED];
cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BGP Multihomed Selective/Conditional Advertisement



Ah my apologies I should have read your original email, your problem is a
little trickier than that.

After having read your original one though I believe you could probably do
this with an event manager task used to watch logging for bgp neighbour
failure; you could trigger it to modify your export community and do a clear
ip bgp x.x.x.x out

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Steele
Sent: Saturday, 25 October 2008 10:44 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

If it's purely just for failover (ie you don't want to get billed for
traffic down your failover link while your active is up) then why not just
send the community:

174:70 70 Set customer route local preference to 70 

This will make them use ATT's path until the ATT link goes down.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 25 October 2008 9:48 AM
To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement


Arie,
Thank you for your response. In my situation, where everything is normal, I
am actually sending their specific communities for them not to advertise my
route to their peers. My only problem is how to change that automatically
when my default route from ATT goes away (ATT circuit does down and I'm in a
failover situation)?

Thank you,



-Original Message-
From: Arie Vayner (avayner) [mailto:[EMAIL PROTECTED]
Sent: Fri 10/24/2008 6:03 PM
To: Kacprzynski, Tomasz; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

Tom,

Instead of not advertising a certain prefix, there is another alternative
using BGP communities which are recognized by your upstream providers.

Take a look for what Cogent supports for example (better ask them for the
official list...):
http://www.onesc.net/communities/as174/

You could play with the local pref communities or the no-export ones

Its not the full answer, but just another idea... Let me know if you are
still stuck...

Arie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, October 24, 2008 23:07 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP Multihomed Selective/Conditional Advertisement


I have been trying to figure out how to do this and maybe someone will be
able to help me out.

I have two ISP connections ISP ATT and ISP Cogent.

(ISP Cogent)(ISP ATT)
 |   |
  RO --- R1


ATT would be used for primarily internet and access to our webservers.

Cogent would be primarily used to access Cogent's network that use VPN for
incoming connections only. I do not want to have other networks besides
Cogent's network using this path to access our webserver.

I would like to have each other act as a backup for one another. For
instance if ATT fails I want everyone on the internet use Cogent to access
me. If Cogent fails I want everyone on the internet

Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

2008-10-24 Thread Ben Steele
If it's purely just for failover (ie you don't want to get billed for
traffic down your failover link while your active is up) then why not just
send the community:

174:70 70 Set customer route local preference to 70  

This will make them use ATT's path until the ATT link goes down.

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 25 October 2008 9:48 AM
To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement


Arie,
Thank you for your response. In my situation, where everything is normal, I
am actually sending their specific communities for them not to advertise my
route to their peers. My only problem is how to change that automatically
when my default route from ATT goes away (ATT circuit does down and I'm in a
failover situation)?

Thank you,



-Original Message-
From: Arie Vayner (avayner) [mailto:[EMAIL PROTECTED]
Sent: Fri 10/24/2008 6:03 PM
To: Kacprzynski, Tomasz; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BGP Multihomed Selective/Conditional Advertisement
 
Tom,

Instead of not advertising a certain prefix, there is another alternative
using BGP communities which are recognized by your upstream providers.

Take a look for what Cogent supports for example (better ask them for the
official list...):
http://www.onesc.net/communities/as174/

You could play with the local pref communities or the no-export ones

Its not the full answer, but just another idea... Let me know if you are
still stuck...

Arie 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, October 24, 2008 23:07 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

 
I have been trying to figure out how to do this and maybe someone will be
able to help me out.

I have two ISP connections ISP ATT and ISP Cogent.

(ISP Cogent)(ISP ATT)
 |   |
  RO --- R1


ATT would be used for primarily internet and access to our webservers.

Cogent would be primarily used to access Cogent's network that use VPN for
incoming connections only. I do not want to have other networks besides
Cogent's network using this path to access our webserver.

I would like to have each other act as a backup for one another. For
instance if ATT fails I want everyone on the internet use Cogent to access
me. If Cogent fails I want everyone on the internet and the VPN connections
on Cogent's network to use ATT.

So basically what I was thinking to setup is to accept a default route from
ATT and Cogent. Lower the local preference of Cogent and that way I would
accomplish using ATT as primary internet access.

The tricky part is with Cogent and using them to only access their local
networks. Looking through communities I found out Cogent's communities that
would not export my route to their peers and keep it internal within their
AS. This works fine but the problem now is how do I failover if ATT fails?
How do I automatically change my not-export community I'm sending to Cogent
to start advertising the route to its peers?

I looked at conditional advertisement, I was able to basically send the
route map with not-export communities to Cogent if the default route from
ATT is present. The problem with this is that once the default route
disappears it doesn't advertise anything to Cogent, none of my routes are
advertised to Cogent.

I'm not sure if I could do this sort of a double condition such as

if ATT's default route is present send out to Cogent a route map with
prefixes to not-export my routes; if ATT's default route is not present send
to Cogent a route map without any communities on my routes

Basically I'm trying to figure out how I can have multihoming, but with the
constraints that I want 1 ISP to be used for internet and the other to only
access their AS, but still have the capability to automatically failover in
case one of the circuits dies.

Thank you for any input or help.


Tom Kacprzynski
Network Engineer



Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

2008-10-24 Thread Ben Steele
Ah my apologies I should have read your original email, your problem is a
little trickier than that.

After having read your original one though I believe you could probably do
this with an event manager task used to watch logging for bgp neighbour
failure; you could trigger it to modify your export community and do a clear
ip bgp x.x.x.x out

Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Steele
Sent: Saturday, 25 October 2008 10:44 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] BGP Multihomed Selective/Conditional Advertisement

If it's purely just for failover (ie you don't want to get billed for
traffic down your failover link while your active is up) then why not just
send the community:

174:70 70 Set customer route local preference to 70  

This will make them use ATT's path until the ATT link goes down.

Ben

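Added example, not code from the thread or from Cisco: the decision logic behind the EEM/expect approach Ben describes, written in Python as it would run on the management host he mentions. It consumes R1's syslog lines, reacts only to state changes of the ATT session, and returns the IOS command sequence for R0: rewrite the Cogent-facing route-map and run clear ip bgp x.x.x.x out. The route-map name TO-COGENT, the peer addresses (RFC 5737 documentation prefixes) and the log lines are all constructed; Tom never posted the Cogent community he uses, so COGENT_KEEP_INTERNAL is a placeholder to be replaced with the value from Cogent's published list.

```python
import re

# IOS reports a BGP session change with a line such as
#   %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
# The addresses used below are documentation prefixes and the log lines fed in
# by the demo are constructed, not taken from the thread.
ADJCHANGE = re.compile(r"%BGP-5-ADJCHANGE: neighbor (\S+) (Up|Down)\b")


class CogentExportPolicy:
    """Watches R1's log for the ATT session and decides what R0 sends Cogent.

    ROUTE_MAP and COGENT_KEEP_INTERNAL are assumptions: the thread names neither
    the route-map nor the Cogent community Tom uses, so the community is a
    placeholder to be replaced with the value from Cogent's published list.
    """

    ROUTE_MAP = "TO-COGENT"
    COGENT_KEEP_INTERNAL = "174:PLACEHOLDER"   # placeholder, not a real community

    def __init__(self, att_peer, cogent_peer):
        self.att_peer = att_peer        # R1's ATT neighbour address
        self.cogent_peer = cogent_peer  # R0's Cogent neighbour address
        self.att_up = True              # assume the primary is healthy at start

    def handle_log_line(self, line):
        """Return the IOS commands R0 needs, or [] when nothing changes."""
        m = ADJCHANGE.search(line)
        if m is None or m.group(1) != self.att_peer:
            return []                   # unrelated message or a different peer
        now_up = m.group(2) == "Up"
        if now_up == self.att_up:
            return []                   # repeated event: stay idempotent
        self.att_up = now_up
        return self.commands_for_state()

    def commands_for_state(self):
        """Route-map rewrite plus an outbound soft reset towards Cogent."""
        if self.att_up:
            # Normal operation: tag our routes so Cogent keeps them inside AS174
            set_line = f" set community {self.COGENT_KEEP_INTERNAL}"
        else:
            # ATT is down: drop the tag so Cogent exports us to its peers
            set_line = " no set community"
        return [
            "configure terminal",
            f"route-map {self.ROUTE_MAP} permit 10",
            set_line,
            "end",
            f"clear ip bgp {self.cogent_peer} out",
        ]


if __name__ == "__main__":
    policy = CogentExportPolicy("192.0.2.1", "198.51.100.1")
    for line in (
        "Oct 24 23:07:01: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
        "Oct 24 23:07:02: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
        "Oct 24 23:12:40: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up",
    ):
        for cmd in policy.handle_log_line(line):
            print(cmd)
```

Delivering the commands to R0 is the expect/SSH part Ben offers to write and is left to the caller; whatever does it holds write credentials for a border router, so it belongs on a management host with that access tightly restricted. A flapping ATT session would also toggle the export policy on every transition, so a production version should add a hold-down before acting on Up.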

[c-nsp] Cisco CDS (content delivery system)

2008-10-21 Thread Ben Steele
Anyone had much experience with one? We are looking at deploying one on a
national level and while it sounds great and seems to do what we are after
I'm curious as to anyone's real world experience with one.

Cheers

Ben




[c-nsp] Explanation on mls aging timer affects

2008-10-14 Thread Ben Steele
Hi All,

Recently I changed some mls aging timers to a fairly aggressive (low)
setting to fix a TCAM threshold issue we were hitting which was breaking
netflow creation/export.

I understand the different timers and how they affect the length of time a
flow will stay in TCAM but I'm curious as to the possible negative side
effects caused by having low timers with netflow (or anything else for that
matter)?

Would it just result in more flows being generated?

This is what I'm currently running:

mls aging fast time 5 threshold 32
mls aging long 300
mls aging normal 60

TCAM utilization is sitting nice at around 10-20% with these values, default
had it hitting upwards of 90%+

Cheers

Ben




[c-nsp] netflow issues on WS-F6700-DFC3CXL - 7600

2008-10-01 Thread Ben Steele
I have already lodged a TAC for this (actually on my second TAC for same
issue) but I thought I'd throw it out here to see if anyone else has seen this
as it has me perplexed at the moment.

Problem: Netflow collector stops receiving flows from DFC on 7609-S but
continues to receive flows from RSP, identical router with same hardware and
code has no problems exporting netflow via DFC and RSP, all is well on that
chassis.

Have tried software upgrade from SRB2 to SRB3, problem still existed, moved
10Gb int onto non DFC line card to let RSP process netflow and it was no
problems, pump out netflow all day long, move onto DFC and you get netflow
for about 7-10 hours (well it was done at very early hours each time and
then would die as the traffic built up in the morning) then it stops
exporting flows for the DFC only.

Weird thing is a sh mls netflow ip mod 1 (module where dfc is) is full of
flows, and the table-contention info is showing it as creating netflows and
not having failures, TCAM utilization is nice and low at around 7-10%, I did
change mls aging timers to get this but that had no effect on netflow, it
was more because I was hitting TCAM limits on the RSP.

When the DFC failed exporting again this morning (around 10am) after I
powered down the line card and brought it back up at 1am I checked the pps
going out the dedicated netflow collector interface, I then turned off ip
flow ingress on the DFC interface and didn't see a change in that interface
output which is leading me to believe that it is indeed not making it out of
the router despite the router thinking all is well.

So as mentioned software upgrade has occurred, also an entire new line card
was sent out via RMA from TAC (WS-X6704-10GE + DFC) and replaced and we
still have the same problem, yet I don't have the problem on an exact same
model and basically same config sitting next to it.

Idprom shows the hardware revision to be different on the DFC's between the
2 chassis but the new RMA card was a different revision again and still have
the same issue so...?

Any ideas? :)

Cheers

Ben




Re: [c-nsp] Maximizing Router capabilities

2008-09-28 Thread Ben Steele
The whole Enterprise being cheaper than base is still a bit confusing to me
having just put an order in for a couple of ASR1002's, can anyone explain to
me why you would buy base when enterprise is cheaper and by default the 1002
is filled to 4GB RAM?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Asbjorn Hojmark -
Lists
Sent: Monday, 29 September 2008 7:01 AM
To: 'Gert Doering'
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Maximizing Router capabilities

 Except on ASR1000, where the full-blown Advanced Enterprise
 image (positioned for Enterprise users) is 10kUSD list, vs.
 the stripped-down Advanced IP image (positioned for Service
 Providers) is 15kUSD.

 Well, and for the AdvEnt image, you need more RAM and FLASH, 
 which amounts to 7kUSD, no?

There's nothing wrong with buying AES but actually running AIS,
not even by 'Cisco law'.

-A



Re: [c-nsp] Output drops on PPP multilink int

2008-09-28 Thread Ben Steele
As a test try putting some fair-queuing on your multilink interface and see
if the problem lessens/goes away, play with the values until you find your
sweet spot.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Church, Charles
Sent: Monday, 29 September 2008 11:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Output drops on PPP multilink int

Anyone,
 
Seeing lots of output drops on ppp multilink interfaces across our
network, all multiple T1s, on 2600s through 3800 routers.  The
underlying T1 serial ints don't have many drops (maybe 0.1% of those
found on the multilink int worst case).  Any idea what would cause drops
on the interface?  There is no QOS or anything like that on the mu2 int,
just an inbound ACL.  Google search didn't really turn up anything too
useful.  CPU and memory on the routers look pretty good.  T1s seem
pretty clean, the couple routers I watched closely didn't have any T1
errors during the time frames when drops were occurring.  All are
running recent 12.3 or 12.4 mainline releases.  Utilization on the
multilink interface was low (under 25%), at least according to the 30
second load interval.
 
Thanks,
 
Chuck


Re: [c-nsp] separation of transit, peerings and this-AS traffic (long)

2008-09-14 Thread Ben Steele
MED isn't going to solve this problem.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christian Koch
Sent: Monday, 15 September 2008 9:01 AM
To: Tomas Hlavacek
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] separation of transit, peerings and this-AS traffic
(long)

use meds

On Sun, Sep 14, 2008 at 5:48 PM, Tomas Hlavacek
[EMAIL PROTECTED] wrote:
 Greetings!

 I am thinking about a scenario, which is maybe quite common, but I do not
 know how to make that work.

 Say that an AS1 is receiving full BGP table from multiple upstreams, for
 example AS100 and AS200. AS1 has a customer, say AS2. There is one
Ethernet
 physical connection between border routers of AS1 and AS2. AS2 is paying
to
 AS1 for upstream and receives full BGP feed. AS1 has another customer AS3,
 paying for upstream also. Besides that AS1 and AS2 has a peering via some
 IX. AS2 is stub, so it is announcing only prefixes with as-path ^2$. AS1
is
 announcing ^1$ and ^1 3$ prefixes to its peers in the IX. AS1 prefers
 paths via IX by local-preference.

 The point is how to make packets traveling from upstreams of AS1 to AS2
not
 to take path via IX, but via direct Ethernet connection while traffic
 originating in AS1 and traffic from AS3 traveling through AS1 take path via
 IX?

 I have two ideas:

 1) policy based routing, bind some route-map to AS1's upstream-facing
 interfaces and set ip next-hop or set interface... But it does not scale
 well of course.

 2) put transit neighbors (upstream and customers also) into vrf, for
 example:

 ip vrf transit
 rd 1:100
 export map EXPORT_ALL
 import map IMPORT_ALL
 !
 router bgp 1
 network 1.1.1.0 mask 255.255.255.0
 neighbor 2.2.2.1 remote-as 2
 neighbor 2.2.2.1 route-map SET_IX_LOCPREF in
 neighbor 2.2.2.1 filter-list 1
 !
 address-family ipv4 vrf transit
  neighbor 1.1.0.1 remote-as 100
  neighbor 1.1.0.1 route-map SET_TRANSIT_LOCPREF in
  neighbor 1.1.0.1 description UPSTREAM1
  neighbor 1.1.0.2 remote-as 200
  neighbor 1.1.0.2 route-map SET_TRANSIT_LOCPREF in
  neighbor 1.1.0.2 description UPSTREAM2
  neighbor 2.2.2.2 remote-as 2
  neighbor 2.2.2.2 route-map SET_TRANSIT_LOCPREF in
  neighbor 2.2.2.2 description CUSTOMER AS2
  neighbor 3.3.3.1 remote-as 3
  neighbor 3.3.3.1 route-map SET_TRANSIT_LOCPREF in
  neighbor 3.3.3.1 description CUSTOMER AS3
 !
 !
 route-map SET_IX_LOCPREF permit 10
 set local-preference 200
 !
 route-map SET_TRANSIT_LOCPREF permit 10
 set local-preference 100
 !
 route-map EXPORT_ALL permit 10
 !
 route-map IMPORT_ALL permit 10
 !

 I spent a few hours in the lab experimenting with this configuration. I am using
 old Cisco 1600, so there is possibility that issues I had could come from
 some bug in this EoL platform... For reference, I used IOS (tm) 1600
 Software (C1600-SY-M), Version 12.2(37) RELEASE SOFTWARE (fc1) for
 experiments. Problems:

 1) routes in vrf transit are learned into the vrf routing table and are
 announced in both directions from AS100 to AS2 and AS3 and vice-versa, as
 expected. But routes from vrf transit are not exported into global routing
 table nor imported from global into vrf. I tried everything (I put some
 prefix- or access-list to match ip address clause in IMPORT_ALL and
 EXPORT_ALL maps,...), but nothing appeared in the global table. It should
be
 some misconfiguration over there but I do not see that. Any help would be
 appreciated.

 2) Let's assume that the import and export works, so I have all transit
 routes in my global table and route 1.1.1.0/24 inside vrf transit (this is
a
 route originated in AS2). Those routes are therefore in fact duplicated...
 Is there any mechanism or chance to overcome that? Something like default
 route in global table pointing into transit VRF and triggering one extra
 routing decision inside VRF? Or is the duplication somehow optimized and
it
 won't be any problem even for full BGP table? (Of course I mean full table
on
 real routers... 7200 or 7600.)

 Is there any best-practice or common approach to that? Maybe something
 completely different which I am not aware of?

 Tomas

 --
 Tomáš Hlaváček [EMAIL PROTECTED]



Re: [c-nsp] 6500 netflow export and the switch cpu

2008-09-11 Thread Ben Steele
It looks like the fix was to enable flow-sampling.

Out of curiosity what are you using your netflow for? I'm asking because
sampling obviously isn't ideal when you are trying to get completely
accurate data for accounting.

I am interested in hearing people's opinion on their methods of accounting
when data hits well beyond the TCAM limit(and you're already on DFC's) and
you are in an all Ethernet switched world (ie not broadband ppp radius
accounting), do you try and distribute the netflow onto multiple boxes
closer to the edge or do you opt for another method?

There is the easy option of byte counting switchports via snmp, but if
people are wanting statistics of who's been where(possible legal reasons) or
where the majority of traffic is coming from then that is not enough, maybe
a mix of sampled netflow and switchport byte counting?

It feels a shame using DFC's for a margin of their capacity purely because
you need the TCAM space to produce netflow.

Ben





[c-nsp] WebVPN via RADIUS - how to identify by group?

2008-09-05 Thread Ben Steele
Howdy all,

Anyone know if it's possible to get an ASA to spit out the group name in an
av-pair via radius when authenticating a user? (in this case webvpn).

The issue I'm having is multiple clients on the one ASA authenticating via
IAS/AD and the possibility of overlapping usernames between clients (groups),
I need another identifier from the ASA to auth them against other than
user/pass, ie group would be perfect.

Any ideas?

Cheers

Ben




Re: [c-nsp] WebVPN via RADIUS - how to identify by group?

2008-09-05 Thread Ben Steele
Problem with the group selection method is via a debug radius I don't see it
send any attribute about the group to RADIUS (I did try this way at first)
and therefore I can't get RADIUS to match on a group as well as user/pass,
the [EMAIL PROTECTED] might be an option, have you tried this before by sending
back a group attribute to the ASA from RADIUS and it actually acknowledging
it and putting the WEBVPN user into that group?

Cheers

Ben

-Original Message-
From: LaPorte, David [mailto:[EMAIL PROTECTED] 
Sent: Friday, 5 September 2008 9:54 PM
To: Ben Steele
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group?

You could pass the group as a realm to the RADIUS server by having the
users log in as [EMAIL PROTECTED]  The RADIUS server could authenticate them
and return a Class=OU=GROUP; attribute to map them properly.

You could also provide a group list to the user:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit
easier, but it has its place.

hope that helps,
Dave


-- 
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
---
Email: [EMAIL PROTECTED]
  PGP: 0x4DC3E508
   4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508




Re: [c-nsp] Recommended 2800 ISR

2008-09-04 Thread Ben Steele
If you don't plan on expanding that 20-30Mbit too much in the future even
2801 will handle that fairly comfortably, the main killer in your list is
the IOS firewall, the rest would have been cef switched, I've done between
20-30Mbit on a 2801 with all the below running with no issues before, 2811
would definitely handle it ok.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Letkeman
Sent: Friday, 5 September 2008 9:38 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Recommended 2800 ISR

I was wondering if anyone has recommendations for a 2800 series router
for a 20-30mbit internet connection.  I would like to run a firewall
IOS and, nat and basic ACL's.  Would a 2811 be an appropriate choice?

Thanks,
Dan.


Re: [c-nsp] Recommended 2800 ISR

2008-09-04 Thread Ben Steele
Those figures aren't a real world typical example, they are based on
small(64byte) packet sizes x pps the router can do, if you increase the byte
size to above 1000 you can see those numbers quickly explode to a more
realistic figure. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Letkeman
Sent: Friday, 5 September 2008 11:32 AM
To: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Recommended 2800 ISR

I have read that document before, do those numbers (2811 - 61.44Mbps
CEF Fast switching) mean that it can process that bandwidth with
nothing else running on the router?

On Thu, Sep 4, 2008 at 7:43 PM, GIULIANO (UOL) [EMAIL PROTECTED]
wrote:
 Dan,

 Yes. It is a good choice.

 Take a look:


http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf


 Its an initial guide for router performance.

 Att,

 Giuliano




Re: [c-nsp] c7604 starter kit

2008-09-04 Thread Ben Steele
I'm pretty sure it is scheduled for release in an upcoming update, I know
there was lots of hmmm's when I saw the list of current unsupported
technologies during our company's presentation, but I seem to recall most of
them set for release in the future, I mean it would be ridiculous to never
support mpls-te on the ASR.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka
Sent: Friday, 5 September 2008 11:45 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] c7604 starter kit

On Friday 05 September 2008 01:09:28 Saku Ytti wrote:

 L3 VPN yes, TE not sure.

According to FN, MPLS-TE is unsupported. Quite surprising, actually...

Mark.



Re: [c-nsp] QoS on an Ethernet Sub-interface

2008-08-29 Thread Ben Steele
Justin, the shape average is what you are wanting to shape the whole
subinterface to in bps, ie if you wanted to shape it to 1Mb then you would
have shape average 1024000, sometimes a nicer way to do it is just say
shape average percent 100 which will reference the bandwidth statement on
the interface instead.

You are correct in your second statement that shaping average at 1Mb would
result in 350Kb for a class with 35%

Cheers

Ben



Overall I think that would work though I'm sure it needs some tweaking. 
  My holdup is the shape average value.  I'm trying to understand what 
it is that I'm shaping with that command.  Should the shape value be the 
max I'm allowing for the VoIP classes referenced by the policy map, the 
max for the link, or some other value that I'm not thinking of?  If it 
is the voip classes will that affect my percentage commands in the child 
classes?  ie, if the shaping was set at 1Mbps would the 35% in the child 
come out at 350k?

Thanks
  Justin






Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-29 Thread Ben Steele
An easier solution if you really need to go down that path is to allow all
down the vpn (no split tunnel) and have static persistent routes on the
client, setup a script or something.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Looney
Sent: Friday, 29 August 2008 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with
exceptions

 So that would be
 
 ip access-list extended DefaultrouteWithoutListedNetsTunnel
  deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
  permit ip any 10.2.60.0 0.0.0.255

 But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you
need to list each local network specifically in the access list so it won't
match. <obvious>That will be tricky.</obvious>

B.


Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

2008-08-29 Thread Ben Steele
By default it will disable local lan access but that can be enabled easily
and so can routes to other lans, anything with a more specific prefix than a
default route will take precedence over the vpn client.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Haber
Sent: Friday, 29 August 2008 8:30 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with
exceptions

On Fri, Aug 29, 2008 at 04:50:49PM +0930, Ben Steele wrote:
 An easier solution if you really need to go down that path is to allow all
 down the vpn (no split tunnel) and have static persistent routes on the
 client, setup a script or something.

Since the client keeps its routing table including the route for the
local network, I guess that the VPN Client interferes with the routing
in some way.

Greetings
Marc

-- 

-
Marc Haber | I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190


Re: [c-nsp] LLQ + MLPPPoE - ?

2008-08-27 Thread Ben Steele
That example is using a virtual-template, not a dialer, there used to be an
issue some time ago where if you didn't run MLPPP on your dialer your
QoS(CBWFQ) wouldn't work properly as it required an MLP Bundle to attach to,
a work around for this was using virtual-template and ATM int for QoS.

If you are using MLPPP as it appears you are by your config, then all that's
needed in your ATM is to specify the correct service class (ie cbr/ubr/vbr)
and speed, the tx-ring-limit will make sure you don't buffer up any packets
in the ATM interface then all your magic should be done on the dialer with
your service-policy.

Make sure you set the bandwidth appropriately (ie subtract 15% for atm cell
tax overhead) and you should see it all come to life through your MLP
Bundle.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Thursday, 28 August 2008 12:13 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] LLQ + MLPPPoE - ?

Remove the service policy from your ATM int's and just leave it on your
Dialer, then do a sh users and you should see an interface listed as the
MLP Bundle, this is the one you want to be watching, if for example it is
Vi4 then do a sh policy-map int vi4

I was following the advice at
http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094ad2.shtml
which states:

When you use a combination of Class-based Marking or Class-based
Policing and Class-based Queuing, the order of operations is this:

1. The service-policy command configured on the Virtual-Template
   interface marks or polices the packets.
2. The service-policy command on the ATM PVC queues the packets.


Is this not correct? 




David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



Re: [c-nsp] LLQ + MLPPPoE - ?

2008-08-27 Thread Ben Steele
I would say it sounds like one interface is performing differently to the
other(performance wise) but if it works fine when using the multilink
interface that doesn't make as much sense, do you notice any drops or errors
of any sort on the atm int's when you have the dialer configuration up? Also
check the output of a sh dsl int atmx for each one to see if you are
erroring there or syncing at different speeds or have a low noise margin on
one etc..

 

Out of curiosity did you set that ip mtu 1492 on your dialer when you were
testing? As you would've been fragmenting otherwise trying to push 1500 byte
over a 1500 byte link with pppoe

 

Can you show me your exact config (minus passwords) that you are using when
you are testing this including the output of a sh dsl int atmx for each
int.

 

Another thought might be worth trying the new 12.4.20T IOS given it's QoS
overhaul with HQF and the improved latency results shown by someone in an
earlier thread.

 

From: David Freedman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 28 August 2008 10:12 AM
To: Ben Steele; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] LLQ + MLPPPoE - ?

 

 

Yes, it seems to be working when applied to the dialer (i.e , the class is
seeing traffic matched
and queued into the correct queue) but when the bundle contains more than
one member, the latency and jitter increases when there is congestion, which
leads me to think that either:

1. The queuing has stopped working
or
2. This is a side effect of having more than one member in the bundle in
this configuration.

We've taken all the usual precautions (i.e disabling LFI and permitting link
re-ordering on the bundle) but the quality still degrades under load when we
add another member.

Interestingly, when we create a multilink virtual interface (int mu1) and do
straight unauthenticated mlpppoa with the same LLQ policy, it works great.




David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net





Re: [c-nsp] LLQ + MLPPPoE - ?

2008-08-27 Thread Ben Steele
I believe in the setup we are testing with we have a 1500 mtu either end
so the pppoe overhead shouldn't be an issue, but will double check.



Dialer will default to interface mtu of 1500 bytes unless you specify
something else.

The config we are using is in the original post
(https://puck.nether.net/pipermail/cisco-nsp/2008-August/053632.html)

That doesn't have any of the previous recommendations I've made in it.


This I will try, just out of interest, do you have such a setup in
production?
if so , what version are you using on the CPE?



Haven't really played with the QoS on 12.4.20T much yet, but if you look
back for the post with the subject [Improved queuing in 12.4(20)T?] from Per
Carlson you can ask him what he was using :)

Let us all know if 12.4.20T does magic for you.

Ben





[c-nsp] RS CCIE Lab wait times - Sydney

2008-08-26 Thread Ben Steele
Does anyone have any idea on the current wait times for the Lab? I'm about
to sit the written in a couple of weeks and someone mentioned to me the
current wait is around a year and a half?? Is there a specific wait for each
stream or is that in general, only interested in Sydney Lab dates, a year
and a half seems pretty steep, I'm hoping it's not right, although I have
heard of time frames like that for the Security Lab in Europe.

 

Cheers

 

Ben

 



Re: [c-nsp] LLQ + MLPPPoE - ?

2008-08-26 Thread Ben Steele
Remove the service policy from your ATM int's and just leave it on your
Dialer, then do a sh users and you should see an interface listed as the
MLP Bundle, this is the one you want to be watching, if for example it is
Vi4 then do a sh policy-map int vi4

Also given you are running pppoe, you should be setting your MTU correctly
(ip mtu 1492, if it's a 1500 byte path) and an ip tcp-adjust mss 1452
wouldn't do any harm either.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Freedman
Sent: Tuesday, 26 August 2008 11:20 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] LLQ + MLPPPoE - ?

Have a scenario whereby I've an LLQ policy applied to a CE router doing
MLPPPoE with following
configuration:

!
class-map match-any REALTIME
 match ip dscp ef 
class-map match-any CRITICAL-DATA
 match ip dscp cs6 
!
!
policy-map LLQ
 class REALTIME
  priority percent 35
 class CRITICAL-DATA
  bandwidth percent 40
  random-detect dscp-based
 class class-default
  fair-queue
  random-detect dscp-based  
!
!
interface ATM0/0/0.132 point-to-point
 pvc 1/32 
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
 !  
!
interface ATM0/1/0.132 point-to-point
 pvc 1/32 
  vbr-nrt 2304 2304
  tx-ring-limit 3
  encapsulation aal5snap
  service-policy output LLQ
  pppoe-client dial-pool-number 1
 ! 
interface Dialer0
 bandwidth 4608
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xx
 ppp chap password yy
 ppp ipcp route default
 ppp link reorders
 ppp multilink
 ppp multilink fragment disable
 max-reserved-bandwidth 100
 service-policy output LLQ
end   


So, the LLQ policy is only required to be applied to the VC and not the
dialer, since I'm only
queuing , but it is applied to both here.

The ATM interface did indeed move to WFQ:

#show queueing int atm0/0/0.132
  Interface ATM0/0/0.132 VC 1/32 
  Queueing strategy: weighted fair
  Output queue: 0/512/64/0 (size/max total/threshold/drops)
 Conversations  0/6/128 (active/max active/max total)
 Reserved Conversations 1/1 (allocated/max allocated)
 Available Bandwidth 1 kilobits/sec

But, the output of show policy-map int a0/0/0.132 does not show anything
being pushed into the PQ at all

#show policy-map int a0/0/0.132 | in Class-map|matched|default
Class-map: REALTIME (match-any)
(pkts matched/bytes matched) 0/0
Class-map: CRITICAL-DATA (match-any)
(pkts matched/bytes matched) 0/0
default   0/0   0/0  0/0   20  40  1/10
Class-map: class-default (match-any)
default 268/19832   0/0  0/0   20  40  1/10
#show policy-map int a0/1/0.132 | in Class-map|matched|default
Class-map: REALTIME (match-any)
(pkts matched/bytes matched) 0/0
Class-map: CRITICAL-DATA (match-any)
(pkts matched/bytes matched) 0/0
default   0/0   0/0  0/0   20  40  1/10
Class-map: class-default (match-any)
default 270/19980   0/0  0/0   20  40  1/10

( I do see class matches, omitted here, but they do not appear to be queued)


What is actually observed, is that the LLQ appears to work well until more
than one member
joins the bundle, then the latency + jitter becomes variable, but I'm not
sure that it is even working at all since the queue counters do not
increment, I could just be seeing the results of the WFQ.

From the PE side, ppp multilink fragment disable and ppp link reorders
are applied via RADIUS but I do not really believe they are having an effect
since I'm still seeing re-order counters.
(vtemplate clone applies the attributes, but assume they are being ignored)


CE is 12.4(15)T7 and PE is 12.4(19)

Am assuming that I'm doing this correctly as there should be no need for a
shaper (not that it is accepted anyway) since we can create ATM backpressure
from the ATM interfaces when I reduce the TX ring size.

Any suggestions appreciated.

Regards,
 


David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-25 Thread Ben Steele
Apologies but both my emails yesterday were via a webmail client that kept
deleting special characters, including \'s

I did get this to work by \'ing a   rather than \'ing %

So the string that worked for me was: .*select\ .* to achieve filtering of
select%20 in a url.

On a side note I still had to log a TAC as I have an unusual issue where if
a ? is in the url before the match it will let the url slip through,
however if it is after the match it will still catch it.

Ie www.bla.com/test?=select%20.asp will make it through,
www.bla.com/test=select%20bla?.asp will get caught.

And on top of that there is reaaallly poor use of regexp memory when
using a prefixed wildcard on your regex .*, it causes regexp memory to
fill up with only 5 regex's and the 6th one will blow the 1MB regexp over
the limit and start blocking everything, not ideal behaviour!

Cheers

Ben

-Original Message-
From: Lincoln Dale [mailto:[EMAIL PROTECTED] 
Sent: Monday, 25 August 2008 5:23 PM
To: [EMAIL PROTECTED]
Cc: Christian Koch; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %

[EMAIL PROTECTED] wrote:
  FWIW I did manage to get this to match by telling it to match an
 ASCII space instead ie .*selectx20.* however this is more of a hack
 for my original request so I will still chase up with TAC. 
   

i haven't looked at the ACE source code / firmware, but it may well be 
that it does a first-pass of converting %(something) to a non-encoded 
value first (in this case, a space), because otherwise it would be trivial 
for a hacker to bypass said filter(s).

you could see if regex .*select\s.* works too.


cheers,

lincoln.




[c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread ben . steele
 

Hi, 

Has anyone had any issues with filtering anything with a % sign in
the url when trying to match for url filtering. 

Example: 

class-map type http inspect match-any SQL_FILTER
   2 match url [EMAIL PROTECTED]
   3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.* 

The first string will match no problem, but the second one won't,
I've tried all different methods of matching the % sign like 'ing it,
putting it in [] etc. in theory the above should just work with
something like http://www.bla.com/SELECT%20test.html as it does
with EXEC@ but it doesn't, anyone got any ideas or had similar issues,
just want to check here before I raise a TAC. 

Cheers 

Ben




Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread ben . steele
 

Yes I have, I did mention that in my first post but this stupid
webmail client removed it and just put 'ing instead of 'ing :) 

FWIW I did manage to get this to match by telling it to match an
ASCII space instead ie .*selectx20.* however this is more of a hack
for my original request so I will still chase up with TAC. 

Cheers
 On Mon 25/08/08 12:32 PM , Christian Koch [EMAIL PROTECTED]
sent:
  have you tried adding \ in front of the % character? 


Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoffload balancing/failover setup

2008-08-19 Thread Ben Steele

omg terrible formatting, apologies everyone! damn webmail client...

- Original Message - 
From: [EMAIL PROTECTED]

To: cisco-nsp@puck.nether.net; Scott Lambert [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2008 1:25 PM
Subject: Re: [c-nsp] Need some guidance for T1 / wireless ethernet 
handoffload balancing/failover setup





Hi Scott,
Try this:
Seeing as you are working statics over your wireless cloud to
simplify things a little setup a GRE tunnel from your 7200 over the
wireless to the 1841 (don’t forget to subtract 24 bytes off the MTU,
ie if it's a 1500 path put ip mtu 1476 in the tunnel interface and
also add keepalives so it will actually go down if it is down), and I
assume your T1 is point to point from the other 1841 to the 7200.
Now assuming this is going to be a redundant configuration as well
as load-balanced you need to have a subnet that can float between the
2 links that your customer can NAT against (which by the way will
happen on the ASA they got sold), there are 2 ways you can achieve
this, 1 is by using ip sla to monitor the next hop of each of the
customer links from your 7200 with statics, the other is private BGP,
you sure as hell don't want to start running an IGP to your
customers(unless it's MPLS VPN).
Lets say you assign your customer 1.0.0.0/27 as their usable
floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE
tunnel(wireless) is 2.0.0.5/30 at your end.
Setup ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their
own rtr group of course, say 1 and 2 respectively).
Ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
Ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2
Hope that makes sense, essentially traffic will only route to your
customer if your 7200 can ping their respective 1841, the other
private BGP option I am going to assume you are already familiar with
being in an ISP.
Now for the customer to you.
AFAIK the ASA cannot load balance it can only forward out 1
interface at a time.
So what you need to do is put the ASA and the 2 1841 interfaces into
a switch so they can all see each other at layer2, now setup hsrp on
your 1841 interfaces for redundant gateways lets say you use
1.0.0.1(t1),1.0.0.2(wireless),1.0.0.3(hsrp), now the next part is a
little trickier, I am going to assume your T1 is your primary link for
this example but you can switch it around if you want.
On your T1 1841 add a static route for the wireless /30 to go via
the LAN interface of the Wireless 1841(ip route 2.0.0.4
255.255.255.252 1.0.0.2, you should now be able to ping the ISP end of
the wireless link from your T1 1841, you want to setup ip sla to
monitor the ISP end of the wireless link from your T1 router(ie the T1
router is monitoring 2.0.0.5) and you also want to monitor its end of
the T1 link aswell 2.0.0.1
What this does is let your primary gateway know that it has a
complete and valid path for both gateways for redundancy.
Now you add 2 static routes with tracking on your primary 1841
Ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
Ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2
Your wireless 1841 need only have the 1 gateway via its wireless
tunnel as it should only ever fall over to that router if there is a
serious problem on the primary side so you don't want it routing back
that way anyway, however make sure you enable pre-empt so it fails
back to the primary once it is back up.
You can optimise this a little further with the global command ip
cef load-sharing algorithm include-ports destination source or if
you're game you can even do per-packet load sharing however I wouldn't
recommend it as your 2 paths are going to have different
characteristics, I'd probably just try the method I listed first.
As mentioned previously the ASA config will just be straightforward,
NAT/PAT against some pool in 1.0.0.0/27 with a default route to
1.0.0.3(hsrp), nothing more to it, the 1841's will do all the
redundancy and load balancing.
Hope at least some of that made sense, if you need clarification on
anything let me know.
Cheers
Ben
On Tue 19/08/08 9:06 AM , Scott Lambert [EMAIL PROTECTED] sent:
 I have a customer who went directly to cisco to ask about how to load
balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
ASA and 1841s. Apparently, the customer didn't even mention that the
two connections were to the same ISP, me. The customer just ordered the
equipment and said "Make it work".
The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
network.
Cisco sales tech guy said:
 What we discussed was the ASA having a default route to the virtual
 IP address of the routers and they would be running either VRRP or
 GLBP (whatever they decided they wanted to do) going out to the
 service provider. Then the routers would simply have a default route
 going out to the service provider to hit the 'Net.
The network design is 

Re: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

2008-08-18 Thread ben . steele

Hi Scott,
Try this:
Seeing as you are working statics over your wireless cloud, to
simplify things a little set up a GRE tunnel from your 7200 over the
wireless to the 1841 (don't forget to subtract 24 bytes off the MTU,
ie if it's a 1500 path put ip mtu 1476 in the tunnel interface, and
also add keepalives so it will actually go down if it is down), and I
assume your T1 is point to point from the other 1841 to the 7200.
Now, assuming this is going to be a redundant configuration as well
as load-balanced, you need to have a subnet that can float between the
2 links that your customer can NAT against (which by the way will
happen on the ASA they got sold). There are 2 ways you can achieve
this: 1 is by using ip sla to monitor the next hop of each of the
customer links from your 7200 with statics, the other is private BGP.
You sure as hell don't want to start running an IGP to your
customers (unless it's MPLS VPN).
Let's say you assign your customer 1.0.0.0/27 as their usable
floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE
tunnel (wireless) is 2.0.0.5/30 at your end.
Set up ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their
own rtr group of course, say 1 and 2 respectively).
ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1
ip route 1.0.0.0 255.255.255.224 2.0.0.6 track 2
Hope that makes sense; essentially traffic will only route to your
customer if your 7200 can ping their respective 1841. The other
private BGP option I am going to assume you are already familiar with,
being in an ISP.
Now for the customer to you.
AFAIK the ASA cannot load balance, it can only forward out 1
interface at a time.
So what you need to do is put the ASA and the 2 1841 interfaces into
a switch so they can all see each other at layer 2. Now set up hsrp on
your 1841 interfaces for redundant gateways; let's say you use
1.0.0.1 (t1), 1.0.0.2 (wireless), 1.0.0.3 (hsrp). Now the next part is a
little trickier; I am going to assume your T1 is your primary link for
this example but you can switch it around if you want.
On your T1 1841 add a static route for the wireless /30 to go via
the LAN interface of the wireless 1841 (ip route 2.0.0.4
255.255.255.252 1.0.0.2). You should now be able to ping the ISP end of
the wireless link from your T1 1841. You want to set up ip sla to
monitor the ISP end of the wireless link from your T1 router (ie the T1
router is monitoring 2.0.0.5) and you also want to monitor its end of
the T1 link as well, 2.0.0.1.
What this does is let your primary gateway know that it has a
complete and valid path for both gateways for redundancy.
Now you add 2 static routes with tracking on your primary 1841:
ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 1.0.0.2 track 2
Your wireless 1841 need only have the 1 gateway via its wireless
tunnel, as it should only ever fall over to that router if there is a
serious problem on the primary side, so you don't want it routing back
that way anyway; however make sure you enable pre-empt so it fails
back to the primary once it is back up.
You can optimise this a little further with the global command ip
cef load-sharing algorithm include-ports destination source, or if
you're game you can even do per-packet load sharing; however I wouldn't
recommend it as your 2 paths are going to have different
characteristics. I'd probably just try the method I listed first.
As mentioned previously the ASA config will just be straightforward,
NAT/PAT against some pool in 1.0.0.0/27 with a default route to
1.0.0.3 (hsrp), nothing more to it; the 1841s will do all the
redundancy and load balancing.
Hope at least some of that made sense, if you need clarification on
anything let me know.
Cheers
Ben
 On Tue 19/08/08 9:06 AM , Scott Lambert [EMAIL PROTECTED] sent:
  I have a customer who went directly to cisco to ask about how to load
  balance two WAN connections to their Cisco PIX 515E. Cisco sold them an
  ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
  ASA and 1841s. Apparently, the customer didn't even mention that the
  two connections were to the same ISP, me. The customer just ordered the
  equipment and said "Make it work".
  The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
  network.
  Cisco sales tech guy said:
   What we discussed was the ASA having a default route to the virtual
   IP address of the routers and they would be running either VRRP or
   GLBP (whatever they decided they wanted to do) going out to the
   service provider. Then the routers would simply have a default route
   going out to the service provider to hit the 'Net.
  The network design is supposed to be something like:

          Cisco 7204VXR NPE G1 (ISP)
             |                |
            T1      Wireless network cloud
             |                |
        Cisco 1841        Cisco 1841

Re: [c-nsp] ip cef load sharing

2008-08-16 Thread Ben Steele
Dan, the reason you're having issues is not MTU related, it's NAT related: 
because you have 3 ADSL lines each doing NAT against a different outside IP, 
when you turn on per-packet load sharing you end up with flows to the same 
destination having different source IP addresses.


Your only option is per-destination load balancing (ie the default); one way 
you can tweak this a little without breaking too much is to change the 
standard algorithm to include ports.


Try adding ip cef load-sharing algorithm include-ports destination into 
your global config once you've removed your per-packet load sharing and see 
how you go.


You are never going to get perfect load balancing in your scenario, but if 
you have enough hosts on your LAN it should be sufficient enough. One way 
you can do per-packet is if you get another IP routed down all 3 adsl lines 
and put it on a loopback and NAT everything against that.


Ben

- Original Message - 
From: Dan Letkeman [EMAIL PROTECTED]

To: Rodney Dunn [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Sent: Saturday, August 16, 2008 3:29 AM
Subject: Re: [c-nsp] ip cef load sharing



Still seem to have the same problem even with this:

interface FastEthernet0/0
ip address 10.1.10.1 255.255.255.0
ip tcp adjust-mss 1300
duplex auto
speed auto


interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip load-sharing per-packet
duplex auto
speed auto

Dan.

On Fri, Aug 15, 2008 at 12:49 PM, Rodney Dunn [EMAIL PROTECTED] wrote:

On Fri, Aug 15, 2008 at 12:35:01PM -0500, Dan Letkeman wrote:

ip load-sharing per-packet

I tried adding this to F0/1 and the trace route works now(it randomly
picks either line), but there seems to be issues with maybe the MTU?
If I try to browse websites i get page errors and some of the pictures
and pages don't load.


Yep...try configuring ip tcp adjust-mss 1300 or so on the
ingress interface from the LAN.



Any ideas?

Thanks,
Dan.

On Fri, Aug 15, 2008 at 12:12 PM, Rodney Dunn [EMAIL PROTECTED] wrote:
 Try ip load-sharing per-packet on both egress interfaces.

 On Fri, Aug 15, 2008 at 12:00:46PM -0500, Dan Letkeman wrote:
 Hello,

 I have a 2621 router running 12.3(26) and I would like to setup load
 sharing to multiple adsl lines.  When I do a traceroute on the router
 it randomly picks a dsl line and seems to work fine.  But when I do
 traceroute tests from a workstation it always seems to take the same
 adsl line.  Is there something else I need to add to the 
 configuration

 to make it pick random lines, or is there a timeout of some sorts
 before it will select the next ip route

 Here is my config:

 !
 interface FastEthernet0/0
  ip address 10.1.10.1 255.255.255.0
  duplex auto
  speed auto
 !
 interface FastEthernet0/1
  ip address 192.168.10.1 255.255.255.0
  duplex auto
  speed auto
 !
 ip http server
 ip classless
 ip route 0.0.0.0 0.0.0.0 192.168.10.10
 ip route 0.0.0.0 0.0.0.0 192.168.10.11
 !

 The two adsl modem/routers I have are 192.168.10.10, and 
 192.168.10.11


 Thanks,
 Dan.
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/







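Ben's fix applied to the config Dan posted, as an added example that is not Dan's or Ben's own config: the per-packet line comes off FastEthernet0/1 and the global CEF hash is changed to include ports. The third modem at 192.168.10.12 is an assumption to match the 3 lines Ben refers to.

```cisco
! Dan's 2621, remediated as Ben suggests (example config, not from the thread)
ip cef
! Hash on destination address plus layer 4 ports: different flows from one
! LAN host can land on different modems, but every packet of a single flow
! keeps the same modem and therefore the same NATed source address.
ip cef load-sharing algorithm include-ports destination
!
interface FastEthernet0/0
 ip address 10.1.10.1 255.255.255.0
 ip tcp adjust-mss 1300
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ! per-packet removed: it is what spread one flow over several NAT addresses
 no ip load-sharing per-packet
 duplex auto
 speed auto
!
! One equal-cost default per ADSL modem/router (third modem assumed)
ip route 0.0.0.0 0.0.0.0 192.168.10.10
ip route 0.0.0.0 0.0.0.0 192.168.10.11
ip route 0.0.0.0 0.0.0.0 192.168.10.12
```

To see where a given pair hashes, use show ip cef exact-route with a LAN source and an outside destination; two sessions from the same workstation to the same site may still land on different modems (that is the point of including ports), but a single session will always report the same next hop, which is what the modem-side NAT needs.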


Re: [c-nsp] Filtering telnet without ACL

2008-08-01 Thread Ben Steele
I like the answer from Iassen, while it does leave some question as to where 
the source packet comes from, as he has assumed local broadcast segment. I 
guess you could add to your answer: should the packet be from beyond a layer 3 
boundary then the 2 hosts can be requested to mark traffic (or even a 
different router along the path mark it) to match in your class map on this 
router; that way you still avoid ACLs but meet the question requirements. That 
is a stupid way of doing it though, as it's not very secure should someone 
learn the magic tos bit to use to get telnet access :)



- Original Message - 
From: Iassen Anadoliev [EMAIL PROTECTED]

To: Joost greene [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Saturday, August 02, 2008 12:08 AM
Subject: Re: [c-nsp] Filtering telnet without ACL




On Fri, August 1, 2008 4:14 pm, Joost greene wrote:

Hello,

Someone challenged me with a question on how I can filter telnet access to
one router from all hosts except two of them WITHOUT using access-lists or
access-line under the VTY? Any ideas?

Regards,
Joost



Well if we assume that this is an ethernet network and the hosts are
within our broadcast domain I think you can use MQC = NBAR something like:

class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
 exit

class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac xxx.xxx.xxx
 match source-address mac yyy.yyy.yyy
 exit

class-map DENY_TELNET
 match protocol telnet
 exit

policy-map IN_FE0/0
 class PERMIT_TELNET
  bandwidth remaining percent 100
 class DENY_TELNET
  drop

int fastether0/0
 service-policy input IN_FE0/0

--
WWell by
Iassen Anadoliev







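Iassen's approach written out in full, next to the control the puzzle rules out. This is an added example, not Iassen's or Ben's config: the MAC and host addresses are placeholders, and the permitted class carries no queuing action because a bandwidth command is not accepted in an input policy (classification alone is enough to let the class through).

```cisco
! Puzzle answer: NBAR classifies telnet, a nested class-map whitelists two
! source MACs, and any other telnet is dropped at ingress.
! Source-MAC matching only identifies hosts on this router's own LAN segment,
! which is the gap Ben points out. MAC addresses below are placeholders.
class-map match-any PERMIT_TELNET_HOSTS
 match source-address mac 0000.0c01.0001
 match source-address mac 0000.0c01.0002
!
class-map match-all PERMIT_TELNET
 match protocol telnet
 match class-map PERMIT_TELNET_HOSTS
!
class-map match-all DENY_TELNET
 match protocol telnet
!
policy-map TELNET-FILTER-IN
 class PERMIT_TELNET
  ! no action: matched traffic passes and is counted
 class DENY_TELNET
  drop
!
interface FastEthernet0/0
 service-policy input TELNET-FILTER-IN

! The standard control the puzzle forbids, and what to deploy for real:
! restrict the VTYs to the two management hosts and take telnet off the
! table altogether. Host addresses are placeholders.
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 permit host 192.0.2.11
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

show policy-map interface FastEthernet0/0 input shows the match counters per class; a telnet attempt from a third host should increment DENY_TELNET and its drop counter. The second half is the answer to the question as it would be asked in production: neither MAC addresses nor a ToS marking are hard for someone on the path to reproduce, which is exactly the weakness Ben's reply names.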


Re: [c-nsp] combining multiple dsl lines

2008-07-23 Thread Ben Steele
If you really want to use route-maps to force your traffic down a certain 
interface, at least use it with verify-availability in case your hop goes down 
so you have a backup path; no point forcing traffic down a dsl line that 
has died.


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html


- Original Message - 
From: Dan Letkeman [EMAIL PROTECTED]

To: Ben Steele [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Sent: Thursday, July 24, 2008 7:42 AM
Subject: Re: [c-nsp] combining multiple dsl lines



The adsl connections are PPPoE and they do not support multilink.  I
am using nat on the router as well.

I guess I will stick with route-maps for now as I know how to
configure it and it works well in this configuration.

Thanks for the info!
Dan.

On Tue, Jul 22, 2008 at 11:18 PM, Ben Steele
[EMAIL PROTECTED] wrote:

Depends a lot on the adsl connections, are they ppp? Does the remote end
support multilink? If so then multilink ppp is a good option providing all 4
lines are the same characteristics.

Otherwise other options are cef load balancing; what type will depend on
whether you are using NAT or not, as you want to make sure the packet flow
takes the right path. Load balancing using the source/dest port algorithm
works quite well though; probably wouldn't recommend per packet over adsl.

The route-map way is ok but wouldn't utilise the links as well as cef load
balancing or ppp multilink could.

Another option worth throwing in is the use of ip sla on your routes so as
to remove them from the equation should one link go down; can also be done
with the route-map using verify-availability on the next-hop option.

Ben

On 23/07/2008, at 1:39 PM, Dan Letkeman wrote:


I have a customer that is wanting to combine 4 adsl connections through
one router.  In the past I have set up systems where I have taken
groups of IPs from the internal network and have route-mapped them to
different adsl connections.  Is there a way to combine the dsl
connections or is using route-maps still the better way to go?

Thanks,
Dan.









Re: [c-nsp] combining multiple dsl lines

2008-07-23 Thread Ben Steele
You're still going to need something on the CPE side to detect a failed 
route unless you plan on running a routing protocol to your customers. I 
won't bother going into the Linux side of things seeing as this is a Cisco 
list, but in my experience per-packet is only good if the lines are really 
well matched or you don't plan on running any/much real-time traffic over 
it, ie voip. Unfortunately, with the nature of dsl and its vulnerability to 
weather and various other nasties in your last mile copper run, things just 
have too many variables for me to consider it a reliable implementation for 
someone planning to use it with per-packet and real time traffic where out 
of order packets can become a problem.


Good to hear you are having success with it though.



We have used cef per packet with great success on PPPoA DSL links here
in the UK, we use radius to add/remove the extra routes when a
connection bounces. The CPE is a linux box which is not running any
NAT. Works for us


Wayne





Re: [c-nsp] combining multiple dsl lines

2008-07-22 Thread Ben Steele
Depends a lot on the adsl connections, are they ppp? Does the remote
end support multilink? If so then multilink ppp is a good option
providing all 4 lines are the same characteristics.


Otherwise other options are cef load balancing; what type will depend
on whether you are using NAT or not, as you want to make sure the
packet flow takes the right path. Load balancing using the source/dest
port algorithm works quite well though; probably wouldn't recommend
per packet over adsl.


The route-map way is ok but wouldn't utilise the links as well as cef
load balancing or ppp multilink could.


Another option worth throwing in is the use of ip sla on your routes
so as to remove them from the equation should one link go down; can
also be done with the route-map using verify-availability on the
next-hop option.


Ben

On 23/07/2008, at 1:39 PM, Dan Letkeman wrote:


I have a customer that is wanting to combine 4 adsl connections through
one router.  In the past I have set up systems where I have taken
groups of IPs from the internal network and have route-mapped them to
different adsl connections.  Is there a way to combine the dsl
connections or is using route-maps still the better way to go?

Thanks,
Dan.




Re: [c-nsp] QoS for VoIP to specific proxy

2008-07-21 Thread Ben Steele

Hi Nick,

You want something like this:

class-map match-all VoIP-Control
 match protocol sip
 match access-group 101

class-map match-all VoIP-Data
 match dscp ef/match precedence 5/match protocol rtp **
 match access-group 101

access-list 101 permit ip any host 202.x.VOIP.PROXY

policy-map QOS-OUT
 class VoIP-Control
  bandwidth 60
 class VoIP-Data
  priority percent 50
 class class-default
  fair-queue 2048

then apply the policy-map to your interface like so: service-policy output 
QOS-OUT


Make sure you have a bandwidth statement set on your interface, bandwidth x 
where x is in kilobits.


The value in the classes under the policy-map, bandwidth 60, is saying 
guarantee this much bandwidth in kilobits to this particular class.


The value in the classes under the policy-map, priority percent 50, is 
saying give 50 percent of the bandwidth you specified in your bandwidth 
statement on your interface as LLQ (low latency queuing) to this class. You 
want to use priority for your real time traffic (ie the rtp stream); bandwidth 
is fine for the normal control traffic and other traffic, ie www etc., if you 
were wanting to prioritise that.


You would modify these bandwidth and priority values to your needs based on 
the number of simultaneous calls you plan to offer.


** pick one that best suits you; if your voip equipment is marking a tos bit 
then great, otherwise match protocol rtp should work unless you are on an 
old IOS.


You can't QoS inbound so to speak; best you can do is police traffic. I 
suggest you not worry about this for now, as for VoIP to be effective the QoS 
has to be bi-directional so the other end should be matching you as well.


Ben
- Original Message - 
From: Nick Voth [EMAIL PROTECTED]

To: cisco-nsp@puck.nether.net
Sent: Tuesday, July 22, 2008 5:39 AM
Subject: [c-nsp] QoS for VoIP to specific proxy



Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked
through the archives and the Cisco site, but I'm still confused about what I
need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP
traffic to and from a specific VoIP proxy.

Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an
idea of how I can accomplish this? Remember, I just basically need priority
queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

-Customer's CPE config
interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname x
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
--





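Ben's policy fitted to the 1841 config Nick posted, as an added example that is not Nick's or Ben's own config. <VOIP-PROXY> stands for the 209.120.xxx.xxx address in Nick's post, match protocol rtp is the option taken from Ben's "pick one", and the 1536 kbps bandwidth (a full T1) and the 768 kbps priority figure derived from it are assumptions.

```cisco
! Classification: SIP signalling and RTP media going to the proxy.
! <VOIP-PROXY> is a placeholder for the proxy address.
access-list 101 permit ip any host <VOIP-PROXY>
!
class-map match-all VoIP-Control
 match protocol sip
 match access-group 101
class-map match-all VoIP-Data
 match protocol rtp
 match access-group 101
!
! LLQ for media, a guaranteed share for signalling, fair queuing for the rest.
! All values are in kbps: IOS does not accept kbps and percent figures mixed
! in one policy-map, and 768 is 50% of the 1536 kbps assumed below.
policy-map QOS-OUT
 class VoIP-Data
  priority 768
 class VoIP-Control
  bandwidth 60
 class class-default
  fair-queue 2048
!
! The PPP session rides the frame-relay DLCI, so the policy goes on the
! virtual template the PPP virtual-access interface is cloned from.
interface Virtual-Template1
 bandwidth 1536
 service-policy output QOS-OUT
```

show policy-map interface on the cloned virtual-access interface (show interfaces virtual-access lists it) gives per-class packet counts and drops; the priority class should only show drops when media genuinely exceeds 768 kbps, which is the signal to revisit the figure against the number of simultaneous calls.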



Re: [c-nsp] Cisco MMPPP

2008-07-16 Thread Ben Steele
I'm talking strictly between your LNS and your CPE here. If you find
your MMPPP is giving poor performance due to physical differences
between the 2 sessions (ie speed and latency), then try doing
something a little more creative like multihopping both ppp sessions
onto the one router and using (as you mentioned) cef per-destination
load sharing over the 2 unique ppp sessions, or alternatively let a
routing protocol handle the work and advertise part of your subnet out
one link and part out the other with redundancy, or even GRE tunnels
etc etc.. there are quite a few ways you can achieve the desired
outcome; this is of course only if your mmppp fails.


Cheers

Ben

On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:


Thanks Ben,
however what do you mean by better off load balancing with a
routing protocol and/or cef? Is it disabling the load balancing?
As I know this feature is enabled by default on routing protocols as long
as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the
customer?

regards.
Edi



- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

the LAC is pretty irrelevant, you need to configure MMPPP capabilities
on your LNS's, which means an sgbp group on your LNS's for the
multichassis and ppp multilink under your virtual template for the
MPPP side of things.

I noticed your topology is using 2 separate wireless services to
provide the bundle, one word of warning is if the bundles are out of
sync (speed and latency wise) you will see very poor performance and
you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:

 Dear ciscoers,
 Let's say we have a scenario to bring up multiple ppp for our
 customer to increase bandwidth to the internet.
 At the moment we only have access to the LNS, is it possible to have
 MMPPP for our customer, or is there something to do with the LAC?
 any reference?
 here is the layout:
 regards
 Igun


 u /-3.5g service---PPP---LAC---LNS1--|
 s/|
 ___internet
 e\|
 r \-cdma service--PPP---LAC---LNS2--|











Re: [c-nsp] Cisco MMPPP

2008-07-16 Thread Ben Steele
Yes it's possible to have say windows do multilink ppp through 2  
separate network devices, never tried it though so not sure how  
reliable their implementation of it is.


Ben

On 16/07/2008, at 5:12 PM, Edi Guntoro wrote:



Thanks Ben,
I understand now. Coz previously, regarding the user I thought this  
is a single user with PC/notebook/windows dialing using two  
different wireless services... is it possible?

regards




- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 2:21:27 PM
Subject: Re: [c-nsp] Cisco MMPPP

i'm talking strictly between your LNS and your CPE here, if you find  
your MMPPP is giving poor performance due to physical differences  
between the 2 sessions (ie speed and latency), then try doing  
something a little more creative like multihopping both ppp sessions  
onto the one router and using (as you mentioned) cef per-destination  
load sharing over the 2 unique ppp sessions, or alternatively let a  
routing protocol handle the work and advertise part of your subnet  
out one link and part out the other with redundancy, or even GRE  
tunnels etc etc.. there are quite a few ways you can achieve the  
desired outcome, this is of course only if your mmppp fails.


Cheers

Ben

On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:


Thanks Ben,
however what do you mean by better off load balancing with a  
routing protocol and/or cef? is it disabling the load balancing?  
as I know this feature is enabled by default on routing protocols as  
long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the  
customer?

regards.
Edi



- Original Message 
From: Ben Steele [EMAIL PROTECTED]
To: Edi Guntoro [EMAIL PROTECTED]
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

the LAC is pretty irrelevant, you need to configure MMPPP  
capabilities

on your LNS's, which means an sgbp group on your LNS's for the
multichassis and ppp multilink under your virtual template for the
MPPP side of things.

I noticed your topology is using 2 separate wireless services to
provide the bundle, one word of warning is if the bundles are out of
sync (speed and latency wise) you will see very poor performance and
you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:

 Dear ciscoers,
 Let's say we have a scenario to bring up multiple ppp for our
 customer to increase bandwidth to the internet.
 At the moment we only have access to the LNS, is it possible to  
have

 MMPPP for our customer, or is there something to do with the LAC?
 any reference?
 here is the layout:
 regards
 Igun


 u /-3.5g service---PPP---LAC---LNS1--|
 s/|
 ___internet
 e\|
 r \-cdma service--PPP---LAC---LNS2--|















Re: [c-nsp] NAT and hairpin's

2008-07-16 Thread Ben Steele

This is where dns doctoring on the asa/pix really comes in handy!

Split dns is usually the way to go but I had another thought, can you  
put the public 203 address as an alias on the server and then set up a  
policy route-map on your lan interface to match packets with a  
destination of your server and port, say something like "permit tcp  
LAN host 203.1.2.3 eq 80", then put a "set ip next-hop SERVER LAN IP".



On 17/07/2008, at 2:46 PM, Geyer, Nick wrote:


Hi Everyone,



Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows;

Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g;

203.1.2.3 - ROUTER - 192.168.1.0/24 (203.1.2.3 being the public IP on
the outside interface)

I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NAT's setup
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the inside interface (and the static NAT only works for requests from
the outside interface).



I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.



Cheers,



Nick Geyer.





Re: [c-nsp] Cisco MMPPP

2008-07-15 Thread Ben Steele
the LAC is pretty irrelevant, you need to configure MMPPP capabilities  
on your LNS's, which means an sgbp group on your LNS's for the  
multichassis and ppp multilink under your virtual template for the  
MPPP side of things.


I noticed your topology is using 2 separate wireless services to  
provide the bundle, one word of warning is if the bundles are out of  
sync (speed and latency wise) you will see very poor performance and  
you are better off load balancing with a routing protocol and/or cef.


Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:


Dear ciscoers,
Let's say we have a scenario to bring up multiple ppp for our  
customer to increase bandwidth to the internet.
At the moment we only have access to the LNS, is it possible to have  
MMPPP for our customer, or is there something to do with the LAC?

any reference?
here is the layout:
regards
Igun


u /-3.5g service---PPP---LAC---LNS1--|
s/ | 
___internet

e\ |
r \-cdma service--PPP---LAC---LNS2--|








Re: [c-nsp] OSPFv3 down every 34 minutes

2008-04-13 Thread Ben Steele
Does a sh standby 1 show any hsrp state changes? might also be worth  
setting up an ip sla probe to your neighbor for the 34 minutes to  
probe every second and just see if it fails at all when you lose your  
OSPF neighbor, that way you can discard OSPF from the problem and look  
into what is causing your dataflow issue.

Ben

On 13/04/2008, at 11:10 PM, Eric Van Tol wrote:

 Hi Brad,
 Thanks for the response.  I saw those drops, but they don't come  
 close to the amount of times this is occurring.  This happens  
 literally, every 34 minutes (okay, 33 minutes and some seconds :-) ):

 Apr 13 06:13:03 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 06:13:03 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 06:13:07 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 06:46:52 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 06:46:53 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 06:46:57 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 07:20:35 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 07:20:36 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 07:20:40 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 07:53:48 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 07:53:49 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 07:53:52 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 08:27:36 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 08:27:37 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 08:27:42 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 09:01:31 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 09:01:31 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
 Apr 13 09:01:35 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on  
 Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits

 The interfaces all show the same info:

  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output  
 drops: 0

 On the Vlan2 interface, I show one more drop since I sent the  
 original message on Friday:

  Input queue: 0/75/17/17 (size/max/drops/flushes); Total output  
 drops: 0

 I'm baffled at this point.  I'll likely be moving to IS-IS soon, but  
 this is one of those problems that really makes you wonder.

 
 From: Brad Henshaw [EMAIL PROTECTED]
 Sent: Sunday, April 13, 2008 9:13 AM
 To: Eric Van Tol; cisco-nsp@puck.nether.net
 Subject: RE: [c-nsp] OSPFv3 down every 34 minutes

 Eric Van Tol wrote:

 In any case, the question now is, what would cause so many
 neighbors to retransmit and why on only one router?

 Packet loss or congestion on the physical links/interfaces
 connecting to this router?

 Not sure why it'd be every 34 minutes though. If it were every
 /30/ minutes, the OSPF refresh would be a real suspect.
 I notice input drops are shown for int vl2. Check these for
 the relevant physical interface(s) also.

 ~Brad

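Editor's added example, not code from the thread: before setting up the IP SLA probe Ben suggests, it is worth measuring the flap period from the syslog itself, because the probe has to run for at least one full cycle to prove or disprove a dataflow problem. The parser below reads the %OSPFv3-5-ADJCHG lines Eric posted (copied in as sample input, re-joined where his mail client wrapped them), keeps the FULL to DOWN transitions per neighbour, and reports neighbours whose drops recur at a near-constant interval. Two assumptions are mine: IOS syslog carries no year, so 2008 is taken from the post date, and the 5% tolerance is a choice, not something from the thread.

```python
# Added example (editor's code, not from the cisco-nsp thread).
# Measures how regularly each OSPFv3 neighbour drops, from %OSPFv3-5-ADJCHG
# syslog lines, so an IP SLA probe can be sized to cover a whole cycle.
import re
from datetime import datetime
from statistics import mean

ADJCHG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+: "
    r"%OSPFv3-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>\S+) on (?P<intf>\S+) "
    r"from (?P<old>\w+) to (?P<new>\w+), (?P<reason>.+)$"
)


def parse_down_events(log: str, year: int = 2008) -> dict:
    """neighbour -> sorted timestamps of transitions to DOWN.
    IOS syslog has no year; 2008 is assumed from the post date."""
    events: dict = {}
    for line in log.splitlines():
        m = ADJCHG.match(line)
        if not m or m["new"] != "DOWN":
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.setdefault(m["nbr"], []).append(ts)
    return {nbr: sorted(ts) for nbr, ts in events.items()}


def down_intervals(events: dict) -> dict:
    """neighbour -> seconds between consecutive DOWN events."""
    return {nbr: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for nbr, ts in events.items()}


def periodic_flaps(log: str, min_events: int = 4, tolerance: float = 0.05) -> dict:
    """neighbour -> period in seconds, for neighbours with at least min_events
    drops whose gaps all lie within +/- tolerance of their mean."""
    result = {}
    for nbr, gaps in down_intervals(parse_down_events(log)).items():
        if len(gaps) + 1 < min_events:
            continue
        period = mean(gaps)
        if all(abs(g - period) <= tolerance * period for g in gaps):
            result[nbr] = round(period)
    return result


# Lines copied from Eric's post, re-joined where the mail client wrapped them.
LOG = """\
Apr 13 06:13:03 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 06:13:03 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 06:13:07 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 06:46:52 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 06:46:53 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 06:46:57 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 07:20:35 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 07:20:36 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 07:20:40 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 07:53:48 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 07:53:49 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 07:53:52 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 08:27:36 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 08:27:37 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 08:27:42 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 09:01:31 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.10 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 09:01:31 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.11 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
Apr 13 09:01:35 EDT: %OSPFv3-5-ADJCHG: Process 600, Nbr x.x.x.9 on Vlan2 from FULL to DOWN, Neighbor Down: Too many retransmits
"""

if __name__ == "__main__":
    for nbr, period in sorted(periodic_flaps(LOG).items()):
        print(f"{nbr}: adjacency drops every ~{period / 60:.1f} min")
```

On Eric's lines all three neighbours come out at roughly 2020 seconds, which is the "every 34 minutes" he describes and is not a multiple of the 30 minute LSA refresh Brad mentions. An SLA probe run for that one cycle that shows loss at the same instant the adjacencies fall over points at the data path rather than at OSPFv3, which is the separation Ben is after.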


Re: [c-nsp] Cisco PIX snmp filter

2008-04-09 Thread Ben Steele
On a PIX, no; version 7 snmp-map will let you filter by version  
only. You may be able to do what you are after on an ASA with an  
SSM-AIP module, but I haven't ever looked or tried.

Ben

On 09/04/2008, at 10:22 PM, Bagosi Rómeó wrote:

 Hello Experts!



 Can the Cisco PIX v6 or v7 filter the SNMP request going through the  
 firewall for a specific OID only?



 Thank you,

 BR






Re: [c-nsp] Tunneling through NAT

2008-04-08 Thread Ben Steele
If it's a 1:1 NAT, ie a true NAT'd IP and not PAT, then GRE will work;  
the NAT problem with GRE is when you are running PAT, as you can't  
forward that protocol by itself on a Cisco via PAT, which is where  
IPSEC is often used instead.

Having said all that I would highly recommend you run your GRE  
encapsulated in IPSEC anyway seeing as you are doing this over the  
Internet, unless you are not concerned about the privacy of your data.

Ben

On 08/04/2008, at 4:25 PM, TT wrote:

 Hello all,

 It seems all the material on the subject of tunneling through NAT I
 can find don't have two IOS boxes with the NAT between them, so now
 I'm asking for guidance on this.

 As said, I've got two IOS routers. The first one (let's call it R1) is
 in the internet, with public IP's and all. The other one, R2, is
 behind a 1:1 NAT, so one public IP mapped statically to a single RFC
 1918 address. Now what I need, is to route the IP subnet behind R2 to
 the internet via R1. That subnet has public IP's, so there's no need
 for NAT or anything like that. Apparently I'll need some kind of a
 tunnel between the routers, perhaps IPSec, and then static routes over
 that. GRE would be nice as there's no need for encryption, but if I
 remember correctly, it doesn't have NAT-traversal capabilities.

 The problem with example material is that all I can find assumes both
 ends of the tunnel have public IP's and no NAT between them. Naturally
 if this scenario has been discussed before, any pointers to example
 configs etc will be appreciated.

 Yours,
 Tero



Re: [c-nsp] ASR performance

2008-04-07 Thread Ben Steele
ISG and SBC both have embedded support on the ASR, look forward to  
seeing some test results :)

Ben

On 08/04/2008, at 9:23 AM, Brad Gould wrote:

 As a p.s. to this post - does anyone know if the ASR has ISG on the
 roadmap?  I've found zero mention of ISG with regards to the ASR (which
 does limit its use in DSL aggregation).

 Brad


 MKS wrote:
 Hi list

 I was wondering if somebody has had the chance to play with the new
 ASR? From the introduction of ESP it's supposed to terminate 8000
 subscribers on ESP5 and 16000 on ESP10, (32000 on ESP20)?

 Has somebody had the chance to actually test PPPoE termination
 performance on this box? e.g. number_of_subscribers vs. throughput vs.
 load?

 Thanks in advance
 MKS





 http://www.cisco.com/en/US/prod/collateral/routers/ps9343/qa_c67-449980.html
 Q. Where are the 5- and 10-Gbps ESPs positioned in a service
 provider's broadband network?
 A. The Cisco ASR 1000 Series Router serves as a broadband aggregation
 router that terminates 8,000 to 16,000 subscriber sessions; supports
 features such as Cisco Session Border Controller (SBC) for voice over
 IP (VoIP), video Telepresence services, and hardware-assisted Firewall
 for security; and requires Gigabit Ethernet or 10 Gigabit Ethernet
 uplink capability.

 The Cisco ASR 1000 Series Router is ideally suited for deployment as a
 Point-to-Point Termination and Aggregation (PTA) device, L2TP Access
 Concentrator (LAC), or L2TP Network Server (LNS).

 -- 
 Brad Gould, Network Engineer
 Internode
 Level 5, 150 Grenfell Street, Adelaide 5000
 P: 08 8228 2999  F: 08 8235 6999
 [EMAIL PROTECTED]; http://www.internode.on.net/



Re: [c-nsp] SIP VoIP Config

2008-04-07 Thread Ben Steele
If you haven't already, try posting this in the cisco-voip mailing  
list, they are very active, [EMAIL PROTECTED]

Ben

On 08/04/2008, at 6:38 AM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Hi There,


 Trying to make calls from a POTS to VoIP in the SIP setup in the attachment; calls
 from POTS are not being forwarded to the VoIP port.

 Can any one help





 Pedro Wiliamo Matusse
 Telecomunicações de Moçambique (TDM)
 DSI
 Tel. +258 21 482820
 Cell. +258 82 3080780
 Fax: +258 21 487812
 config HJ3825 07 04 2008 23 00h.TXT



Re: [c-nsp] Limits of VRF-lite

2008-04-07 Thread Ben Steele
The Sup720 is good for 1024 vrf's, the limitation is in the number of  
routes it can hold, which will vary on memory.

On 08/04/2008, at 12:21 PM, Colin McNamara wrote:

 I have configured 31 vrf's on 6500's (sup720's) with no problem before.
 The 26 vrf limitation may be specific to other hardware though.


 -- 
 Colin McNamara
 (858)208-8105
 CCIE #18233,RHCE,GCIH
 http://www.colinmcnamara.com
 http://www.linkedin.com/in/colinmcnamara

 The difficult we do immediately, the impossible just takes a little longer



 Gary Roberton wrote:
 Thanks.

 Is there a matrix available anywhere showing limitations ?

 On Mon, Apr 7, 2008 at 12:56 PM, Eugene Vedistchev [EMAIL PROTECTED] 
 
 wrote:


 This is for 3750ME. 1 vrf per port, 24 FE and 2 Enhanced GE.

 Eugene Vedistchev

 Gary Roberton wrote:

 Hi

 I am sure I have read somewhere that there is a limit of 26 VRFs per
 router when configuring VRF-lite (multi-VRF).  Has anyone else seen this?

 Regards

 Gary











Re: [c-nsp] changing from ospf to eigrp

2008-04-04 Thread Ben Steele
What you are doing is known as ships in the night routing where you  
run multiple protocols that are unaware of each other, I would go  
ahead and deploy your EIGRP config while keeping your OSPF running and  
as someone else has mentioned the default admin distance for EIGRP is  
90 which will take precedence over your 110 OSPF, bear in mind if you  
use redistributed routes in EIGRP they will show up as admin distance  
of 170 though.

Either way just go from router to router deploying your EIGRP and then  
when you're happy you've done all your devices go and check your route  
tables to see what OSPF routes are still showing up and then determine  
why, and if they are needed, as EIGRP obviously isn't seeing them (at  
least from a non redistributed PoV).

OSPF will pick up your slack while you deploy this in the above  
method, the only real danger I see is if you a) miss a router or b)  
fail to check the route tables for remaining OSPF routes after full  
EIGRP migration before turning OSPF off.

Ben

On 05/04/2008, at 12:30 PM, Whisper wrote:

 So long as the OSPF network remains intact until the EIGRP network is up and
 running, OSPF should effectively operate as a backup route in the cases
 where EIGRP has no route, correct?

 It'd be like running a floating static route, except you're using a dynamic
 routing protocol, wouldn't it?

 On Sat, Apr 5, 2008 at 10:52 AM, Jeremy Stretch [EMAIL PROTECTED] 
 
 wrote:

 Can I run both at the same time?

 If you do, you may want to consider tweaking the administrative
 distances until EIGRP has been fully implemented across the network.
 Remember, by default EIGRP has an AD of 90 (internal) and OSPF of 110,
 so EIGRP-learned routes will be preferred. This has the potential to
 cause problems if EIGRP is misconfigured or only partially enabled
 during migration.

 stretch
 http://www.packetlife.net/

 Dan Letkeman wrote:
 Hello,

 I would like to change our layer 3 switches from ospf to eigrp.  Is
 there a way I can accomplish this on a live system without causing
 problems?  Can I run both at the same time?

 Thanks,
 Dan.





Re: [c-nsp] changing from ospf to eigrp

2008-04-04 Thread Ben Steele
Actually just to correct myself before anyone else decides to, I think  
ships in the night refers to using a different network protocol as well  
as a different routing protocol working independently of each other,  
ie ipv6 with OSPF and ipv4 with EIGRP, either way you get my drift :)

On 05/04/2008, at 1:39 PM, Ben Steele wrote:

 What you are doing is known as ships in the night routing where you
 run multiple protocols that are unaware of each other, I would go
 ahead and deploy your EIGRP config while keeping your OSPF running and
 as someone else has mentioned the default admin distance for EIGRP is
 90 which will take precedence over your 110 OSPF, bear in mind if you
 use redistributed routes in EIGRP they will show up as admin distance
 of 170 though.

 Either way just go from router to router deploying your EIGRP and then
 when you're happy you've done all your devices go and check your route
 tables to see what OSPF routes are still showing up and then determine
 why, and if they are needed, as EIGRP obviously isn't seeing them (at
 least from a non redistributed PoV).

 OSPF will pick up your slack while you deploy this in the above
 method, the only real danger I see is if you a) miss a router or b)
 fail to check the route tables for remaining OSPF routes after full
 EIGRP migration before turning OSPF off.

 Ben

 On 05/04/2008, at 12:30 PM, Whisper wrote:

 So long as the OSPF network remains intact until the EIGRP network is up and
 running, OSPF should effectively operate as a backup route in the cases
 where EIGRP has no route, correct?

 It'd be like running a floating static route, except you're using a dynamic
 routing protocol, wouldn't it?

 On Sat, Apr 5, 2008 at 10:52 AM, Jeremy Stretch [EMAIL PROTECTED]

 wrote:

 Can I run both at the same time?

 If you do, you may want to consider tweaking the administrative
 distances until EIGRP has been fully implemented across the network.
 Remember, by default EIGRP has an AD of 90 (internal) and OSPF of 110,
 so EIGRP-learned routes will be preferred. This has the potential to
 cause problems if EIGRP is misconfigured or only partially enabled
 during migration.

 stretch
 http://www.packetlife.net/

 Dan Letkeman wrote:
 Hello,

 I would like to change our layer 3 switches from ospf to eigrp.  Is
 there a way I can accomplish this on a live system without causing
 problems?  Can I run both at the same time?

 Thanks,
 Dan.






Re: [c-nsp] EasyVPN IOS-ASA55xx

2008-04-01 Thread Ben Steele
Maybe it would be easier if you just pasted your config in rather than  
have us keep guessing, but I can add to the guess list.. :)

do you have nat-control turned on? if so have you got your nat 0  
statement setup for the IPSEC traffic?

Ben

On 01/04/2008, at 8:08 PM, William wrote:

 Hi Peter,

 I went ahead and enabled it in the end, it stopped the error messages
 (denies) coming up in the logs but my data still isn't passing through.
 I'm still a bit lost as to what's causing my issue, do you think it
 could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the
 logs show PHASE 1&2 completed without any problems. :(

 Regards,


 On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
 On Tue, 2008-04-01 at 09:05 +0100, William wrote:
 The command same-security-traffic permit intra-interface is not in the
 config but am I likely to break anything if I use it?


 Well, you're likely to break the security that is there from the
 beginning, without this command. You could compare it to local proxy
 arp. It will not stop any traffic flows that already work, just allow
 some more ones.

 Reference for the command:

 http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
 http://tinyurl.com/2ateua

 Regards,

 Peter






Re: [c-nsp] EasyVPN IOS-ASA55xx

2008-04-01 Thread Ben Steele
So do you have the route for 22.22.22.0/24 to go via the outside? is  
it caught by the default route or is there something else in place?  
hence why I asked for output of sh route

On 01/04/2008, at 9:31 PM, William wrote:

 Network behind the 800 is 22.22.22.0/24

 W

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 Ok just to save me any confusion here, is the network behind the 800
 11.11.11.0/24 or 22.22.22.0/24?

 Either way you need to have your network behind the 800 being routed
 to the outside interface via your outside gateway as thats where the
 crypto terminates, if the network behind the 800 happens to be
 11.11.11.0/24 then your split tunnel is the wrong way around also, if
 it's 22.22.22.0/24 then try adding route outside 22.22.22.0
 255.255.255.0 OUTSIDE GATEWAY 1


 Ben


 On 01/04/2008, at 9:16 PM, William wrote:

 Hi Ben,

 The VPN is establishing, show crypto isakmp sa displays it, the logs
 on the ASA show P1&2 and I'm able to communicate only if I originate
 the connection from the 800 series router.

 Routing seems fine from the box also, there are no routes on the ASA
 for destinations it reaches via VPN.

 Routing to the net on my core network:

 S11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside


 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 I thought I saw earlier a mention of the traffic hair-pinning, yet
 your crypto map is bound to the outside interface.

 Is the IPSEC tunnel being established on the outside or the inside
 interface? can you sh the output of a sh route also.



 On 01/04/2008, at 9:00 PM, William wrote:

 Can't paste the whole thing, but here are the bits:

 access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

 access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 access-list inside_access_in extended permit icmp any any

 access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

 nat (inside) 0 access-list inside_nat0_outbound
 access-group inside_access_in in interface inside

 group-policy 800vpn internal
 group-policy 800vpn attributes
 password-storage enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable



 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 crypto dynamic-map outside_dyn_map 20 set pfs
 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 40 set pfs
 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 60 set pfs
 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 80 set pfs
 crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 100 set pfs
 crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
 crypto dynamic-map outside_dyn_map 120 set pfs
 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5


 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
 crypto map outside_map interface outside

 crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


 tunnel-group Uname type ipsec-ra
 tunnel-group Uname general-attributes
 default-group-policy 800vpn
 tunnel-group Uname ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 Maybe it would be easier if you just pasted your config in rather than
 have us keep guessing, but I can add to the guess list.. :)

 do you have nat-control turned on? if so have you got your nat 0
 statement setup for the IPSEC traffic?


 Ben


 On 01/04/2008, at 8:08 PM, William wrote:

 Hi Peter,

 I went ahead and enabled it in the end, it stopped the error messages
 (denies) coming up in the logs but my data still isn't passing through.
 I'm still a bit lost as to what's causing my issue, do you think it
 could be to do with my ISAKMP/IPSEC settings? I'm not so sure because the
 logs show PHASE 1&2 completed without any problems. :(

 Regards,


 On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
 On Tue, 2008-04-01 at 09:05 +0100, William wrote:
 The command same-security-traffic permit intra-interface is not in the
 config but am I likely to break anything if I use it?
 
 
 Well, you're likely to break the security that is there from the
 beginning, without this command. You could compare it to local proxy
 arp. It will not stop any traffic flows that already work, just allow
 some more ones.

 Reference for the command:

 http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
 http://tinyurl.com/2ateua

 Regards,

 Peter

Re: [c-nsp] EasyVPN IOS-ASA55xx

2008-04-01 Thread Ben Steele
I thought I saw earlier a mention of the traffic hair-pinning, yet
your crypto map is bound to the outside interface.

Is the IPSEC tunnel being established on the outside or the inside
interface? Can you show the output of a sh route also?


On 01/04/2008, at 9:00 PM, William wrote:

 Can't paste the whole thing, but here are the bits:

 access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 
 access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 access-list inside_access_in extended permit icmp any any
 
 access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

 nat (inside) 0 access-list inside_nat0_outbound
 access-group inside_access_in in interface inside

 group-policy 800vpn internal
 group-policy 800vpn attributes
 password-storage enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable



 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 crypto dynamic-map outside_dyn_map 20 set pfs
 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 40 set pfs
 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 60 set pfs
 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 80 set pfs
 crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 100 set pfs
 crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
 crypto dynamic-map outside_dyn_map 120 set pfs
 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5


 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
 crypto map outside_map interface outside

 crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


 tunnel-group Uname type ipsec-ra
 tunnel-group Uname general-attributes
 default-group-policy 800vpn
 tunnel-group Uname ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 Maybe it would be easier if you just pasted your config in rather than
 us keep guessing, but I can add to the guess list.. :)
 
 Do you have nat-control turned on? If so, have you got your nat 0
 statement set up for the IPSEC traffic?


 Ben


 On 01/04/2008, at 8:08 PM, William wrote:

 Hi Peter,

 I went ahead and enabled it in the end, it stopped the error messages
 (denys) coming up in the logs but my data still isn't passing through.
 I'm still a bit lost as to what's causing my issue, do you think it
 could be to do with my ISAKMP/IPSEC settings? I'm not so sure because
 the logs show PHASE12 completed without any problems. :(

 Regards,


 On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
 On Tue, 2008-04-01 at 09:05 +0100, William wrote:
 The command same-security-traffic permit intra-interface is not in the
 config but am I likely to break anything if I use it?
 
 
 Well, you're likely to break the security that is there from the
 beginning, without this command. You could compare it to local proxy
 arp. It will not stop any traffic flows that already work, just allow
 some more ones.

 Reference for the command:

 http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
 http://tinyurl.com/2ateua

 Regards,

 Peter




 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/





Re: [c-nsp] EasyVPN IOS-ASA55xx

2008-04-01 Thread Ben Steele
Ok just to save me any confusion here, is the network behind the 800
11.11.11.0/24 or 22.22.22.0/24?

Either way you need to have your network behind the 800 being routed
to the outside interface via your outside gateway, as that's where the
crypto terminates. If the network behind the 800 happens to be
11.11.11.0/24 then your split tunnel is the wrong way around also; if
it's 22.22.22.0/24 then try adding:

route outside 22.22.22.0 255.255.255.0 OUTSIDE GATEWAY 1

Ben

On 01/04/2008, at 9:16 PM, William wrote:

 Hi Ben,

 The VPN is establishing, show crypto isakmp sa displays it, the logs
 on the ASA show P12 and I'm able to communicate only if I originate
 the connection from the 800 series router.

 Routing seems fine from the box also, there are no routes on the ASA
 for destinations it reaches via VPN.

 Routing to the net on my core network:

 S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside


 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 I thought I saw earlier a mention of the traffic hair-pinning, yet
 your crypto map is bound to the outside interface.
 
 Is the IPSEC tunnel being established on the outside or the inside
 interface? Can you show the output of a sh route also?



 On 01/04/2008, at 9:00 PM, William wrote:

 Can't paste the whole thing, but here are the bits:

 access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 
 access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 access-list inside_access_in extended permit icmp any any
 
 access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

 nat (inside) 0 access-list inside_nat0_outbound
 access-group inside_access_in in interface inside

 group-policy 800vpn internal
 group-policy 800vpn attributes
 password-storage enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable



 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 crypto dynamic-map outside_dyn_map 20 set pfs
 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 40 set pfs
 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 60 set pfs
 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 80 set pfs
 crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 100 set pfs
 crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
 crypto dynamic-map outside_dyn_map 120 set pfs
 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5


 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
 crypto map outside_map interface outside

 crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


 tunnel-group Uname type ipsec-ra
 tunnel-group Uname general-attributes
 default-group-policy 800vpn
 tunnel-group Uname ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 Maybe it would be easier if you just pasted your config in rather than
 us keep guessing, but I can add to the guess list.. :)
 
 Do you have nat-control turned on? If so, have you got your nat 0
 statement set up for the IPSEC traffic?


 Ben


 On 01/04/2008, at 8:08 PM, William wrote:

 Hi Peter,

 I went ahead and enabled it in the end, it stopped the error messages
 (denys) coming up in the logs but my data still isn't passing through.
 I'm still a bit lost as to what's causing my issue, do you think it
 could be to do with my ISAKMP/IPSEC settings? I'm not so sure because
 the logs show PHASE12 completed without any problems. :(

 Regards,


 On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
 On Tue, 2008-04-01 at 09:05 +0100, William wrote:
 The command same-security-traffic permit intra-interface is not in the
 config but am I likely to break anything if I use it?
 
 
 Well, you're likely to break the security that is there from the
 beginning, without this command. You could compare it to local proxy
 arp. It will not stop any traffic flows that already work, just allow
 some more ones.

 Reference for the command:

 http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
 http://tinyurl.com/2ateua

 Regards,

 Peter










Re: [c-nsp] EasyVPN IOS-ASA55xx

2008-04-01 Thread Ben Steele
Hmm

 %ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 dst inside:22.22.22.2 (type 8, code 0)

Seems to contradict that. Any chance of getting more of the config?
Just change the passwords and IPs.

Also reply off list, I think this one has congested it enough :)


On 01/04/2008, at 9:43 PM, William wrote:

 Hi Ben,

 There is a default route to go via the outside, sorry about the confusion.

 Regards,

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 So do you have the route for 22.22.22.0/24 to go via the outside? Is
 it caught by the default route or is there something else in place?
 Hence why I asked for output of sh route.


 On 01/04/2008, at 9:31 PM, William wrote:

 Network behind the 800 is 22.22.22.0/24

 W

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 Ok just to save me any confusion here, is the network behind the 800
 11.11.11.0/24 or 22.22.22.0/24?
 
 Either way you need to have your network behind the 800 being routed
 to the outside interface via your outside gateway, as that's where the
 crypto terminates. If the network behind the 800 happens to be
 11.11.11.0/24 then your split tunnel is the wrong way around also; if
 it's 22.22.22.0/24 then try adding:
 
 route outside 22.22.22.0 255.255.255.0 OUTSIDE GATEWAY 1


 Ben


 On 01/04/2008, at 9:16 PM, William wrote:

 Hi Ben,

 The VPN is establishing, show crypto isakmp sa displays it, the logs
 on the ASA show P12 and I'm able to communicate only if I originate
 the connection from the 800 series router.
 
 Routing seems fine from the box also, there are no routes on the ASA
 for destinations it reaches via VPN.
 
 Routing to the net on my core network:
 
 S 11.11.11.0 255.255.255.0 [1/0] via 192.168.0.254, inside


 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 I thought I saw earlier a mention of the traffic hair-pinning, yet
 your crypto map is bound to the outside interface.
 
 Is the IPSEC tunnel being established on the outside or the inside
 interface? Can you show the output of a sh route also?



 On 01/04/2008, at 9:00 PM, William wrote:

 Can't paste the whole thing, but here are the bits:

 access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 
 access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
 access-list inside_access_in extended permit icmp any any
 
 access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

 nat (inside) 0 access-list inside_nat0_outbound
 access-group inside_access_in in interface inside

 group-policy 800vpn internal
 group-policy 800vpn attributes
 password-storage enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 nem enable



 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
 crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 crypto dynamic-map outside_dyn_map 20 set pfs
 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 40 set pfs
 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 60 set pfs
 crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 80 set pfs
 crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
 crypto dynamic-map outside_dyn_map 100 set pfs
 crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
 crypto dynamic-map outside_dyn_map 120 set pfs
 crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
 
 
 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
 crypto map outside_map interface outside

 crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


 tunnel-group Uname type ipsec-ra
 tunnel-group Uname general-attributes
 default-group-policy 800vpn
 tunnel-group Uname ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

 On 01/04/2008, Ben Steele [EMAIL PROTECTED] wrote:
 Maybe it would be easier if you just pasted your config in rather than
 us keep guessing, but I can add to the guess list.. :)
 
 Do you have nat-control turned on? If so, have you got your nat 0
 statement set up for the IPSEC traffic?


 Ben


 On 01/04/2008, at 8:08 PM, William wrote:

 Hi Peter,

 I went ahead and enabled it in the end, it stopped the error messages
 (denys) coming up in the logs but my data still isn't passing through.
 I'm still a bit lost as to what's causing my issue, do you think it
 could be to do with my ISAKMP/IPSEC settings? I'm not so sure because
 the logs show PHASE12 completed without any problems. :(

 Regards,


 On 01/04/2008, Peter Rathlev [EMAIL PROTECTED] wrote:
 On Tue, 2008-04-01 at 09:05 +0100, William wrote:
 The command same-security
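
The checks Ben walks William through in this thread can be scripted: does the network behind the 800 route out of the interface the crypto map is bound to, is the split-tunnel list written with the ASA-side network as source (Ben's "wrong way around" point), does the nat 0 list cover the same pair, and what does a 106014 deny with src and dst both on inside say. The Python below is an added example, not code from the thread or from Cisco. It reads a config reconstructed from the fragments William posted (same names and networks); the two route lines, the constructed bad-route variant, the function names and the 203.0.113.1 gateway are my assumptions, and the deny line is the one Ben quoted.

```python
import ipaddress
import re

# Config reconstructed from the fragments William posted (same names and
# networks). The two "route" lines are constructed for this example; the
# thread only says a default route via outside exists.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy 800vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
crypto map outside_map interface outside
route inside 11.11.11.0 255.255.255.0 192.168.0.254 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

# Constructed variant with the mistake Ben's deny line points at: the
# network behind the 800 is routed to inside instead of outside.
ASA_CONFIG_BAD_ROUTE = ASA_CONFIG + "route inside 22.22.22.0 255.255.255.0 192.168.0.254 1\n"

# The syslog line Ben quoted, as it appears in the thread.
DENY_LOG = ("%ASA-3-106014: Deny inbound icmp src inside:11.11.11.1 "
            "dst inside:22.22.22.2 (type 8, code 0)")

ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
DENY_RE = re.compile(r"106014: Deny inbound icmp src (\w+):(\S+) dst (\w+):(\S+)")


def parse_config(text):
    """Collect the ACLs, static routes and the three names the checks need."""
    acls, routes = {}, []
    names = {"crypto_if": None, "split_acl": None, "nat0_acl": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{src}/{smask}"),
                                              ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := ROUTE_RE.match(line):
            ifname, net, mask, gw = m.groups()
            routes.append((ifname, ipaddress.ip_network(f"{net}/{mask}"), gw))
        elif m := CRYPTO_IF_RE.match(line):
            names["crypto_if"] = m.group(1)
        elif m := SPLIT_RE.match(line):
            names["split_acl"] = m.group(1)
        elif m := NAT0_RE.match(line):
            names["nat0_acl"] = m.group(1)
    return acls, routes, names


def egress_interface(routes, address):
    """Longest-prefix match over the static routes, the way 'show route' resolves a destination."""
    addr = ipaddress.ip_address(address)
    best = None
    for ifname, net, _gw in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return best[0] if best else None


def acl_covers(entries, src_net, dst_net):
    """True if an ACE has exactly src_net -> dst_net; direction matters for both lists."""
    return any(s == src_net and d == dst_net for s, d in entries)


def check_easyvpn(config_text, asa_side, remote_side):
    """Answer Ben's three questions: nat 0, split-tunnel direction, routing of the remote net."""
    local, remote = ipaddress.ip_network(asa_side), ipaddress.ip_network(remote_side)
    acls, routes, names = parse_config(config_text)
    probe = next(remote.hosts())  # any host in the remote network will do for the lookup
    return {
        # nat 0 must exempt ASA-side -> remote traffic from translation
        "nat0_ok": acl_covers(acls.get(names["nat0_acl"], []), local, remote),
        # the split-tunnel list is written from the ASA side: source = network behind the ASA
        "split_tunnel_ok": acl_covers(acls.get(names["split_acl"], []), local, remote),
        # the remote network must leave through the interface the crypto map is bound to
        "remote_via_crypto_if": egress_interface(routes, probe) == names["crypto_if"],
    }


def diagnose_deny(log_line, remote_side):
    """Read a 106014 deny and say what it implies for the tunnel, or None if unrelated."""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    src_if, _src, dst_if, dst = m.groups()
    if src_if == dst_if and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_side):
        return (f"{dst} resolved to interface '{dst_if}', the one the packet arrived on; it never "
                f"reaches the interface the crypto map is bound to (check 'show route' for {remote_side})")
    return None


if __name__ == "__main__":
    print(check_easyvpn(ASA_CONFIG, "11.11.11.0/24", "22.22.22.0/24"))
    print(check_easyvpn(ASA_CONFIG_BAD_ROUTE, "11.11.11.0/24", "22.22.22.0/24"))
    print(diagnose_deny(DENY_LOG, "22.22.22.0/24"))
```

Run against the reconstructed config every check passes, which is why the deny line matters: a packet from 11.11.11.1 whose destination 22.22.22.2 resolves back to inside is the ASA telling you the remote network is not being sent to the outside interface at all, exactly what the bad-route variant reproduces.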

Re: [c-nsp] mlppp performance

2008-03-31 Thread Ben Steele
One bit of advice I can offer on this is to make sure all 4 lines are
exactly the same speed; shape them if you have to. Mismatched speeds
on mlppp can result in sub-optimal performance for the entire bundle.

Ben

On 01/04/2008, at 4:13 AM, Adam Greene wrote:

 Hi,

 I'm bonding (4) aDSL lines at a customer location and am only seeing
 about 66 - 75% of the performance I was expecting. Is this normal? I
 wonder if an IOS upgrade will help things.
 
 I actually have two customer locations experiencing the same issue.
 The client routers are 2811's with 512MB RAM running IOS 12.3(8)T6.
 They are plain vanilla configs, running at ~2% CPU with lots of
 memory to spare. The head end is a 7205 / NPE200 w/ 128MB RAM and
 IOS 12.3(15b), terminating about 100 ATM aDSL lines. CPU is at about
 14% and memory utilization is low.

 The head end reports:

 Multilink3,
  Bundle up for 11:29:07, 1/255 load
  Receive buffer limit 48768 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
5 lost fragments, 1046793 reordered
0/0 discarded fragments/bytes, 0 lost received
0x30FA03 received sequence, 0x4C98A7 sent sequence
  Member links: 4 active, 1 inactive (max not set, min not set)
Vi7, since 11:29:07
Vi8, since 11:29:05
Vi4, since 11:28:59
Vi9, since 11:27:50
Vt3 (inactive)

 Customer end:

 Multilink1,
  Endpoint discriminator is xxx
  Bundle up for 11:28:50, 7/255 load
  Receive buffer limit 48768 bytes, frag timeout 1000 ms
0/0 fragments/bytes in reassembly list
137 lost fragments, 1453838 reordered
86/57363 discarded fragments/bytes, 0 lost received
0x4C7B86 received sequence, 0x30F120 sent sequence
  Member links: 4 active, 1 inactive (max not set, min not set)
Vi4, since 11:28:48
PPPoATM link, ATM PVC 0/35 on ATM0/3/0
Packets in ATM PVC Holdq: 0 , Particles in ATM PVC Tx Ring: 0
Vi5, since 11:28:42
PPPoATM link, ATM PVC 0/35 on ATM0/0/0
Packets in ATM PVC Holdq: 0 , Particles in ATM PVC Tx Ring: 0
Vi6, since 11:27:33
PPPoATM link, ATM PVC 0/35 on ATM0/2/0
Packets in ATM PVC Holdq: 0 , Particles in ATM PVC Tx Ring: 0
Vi3, since 11:28:50
PPPoATM link, ATM PVC 0/35 on ATM0/1/0
Packets in ATM PVC Holdq: 0 , Particles in ATM PVC Tx Ring: 0
Vt1 (inactive)

 Thanks for any insight.
 Adam

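Ben's point about mismatched member speeds is visible in the counters Adam pasted: at both ends the reordered count is a large fraction of the fragments received, and the customer end is also discarding fragments. The Python below is an added example, not code from the thread; it parses constructed copies of the two show ppp multilink blocks above and turns the raw counters into ratios so the two ends can be compared. Treating the received sequence value as a fragment count since bundle-up (that is, assuming the 24-bit sequence has not wrapped) and the 5% warning threshold are my assumptions, not anything stated in the thread.

```python
import re

# Constructed copies of the two 'show ppp multilink' blocks Adam posted.
HEAD_END = """\
Multilink3,
  Bundle up for 11:29:07, 1/255 load
  Receive buffer limit 48768 bytes, frag timeout 1000 ms
    0/0 fragments/bytes in reassembly list
    5 lost fragments, 1046793 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x30FA03 received sequence, 0x4C98A7 sent sequence
  Member links: 4 active, 1 inactive (max not set, min not set)
    Vi7, since 11:29:07
    Vi8, since 11:29:05
    Vi4, since 11:28:59
    Vi9, since 11:27:50
    Vt3 (inactive)
"""

CUSTOMER_END = """\
Multilink1,
  Endpoint discriminator is xxx
  Bundle up for 11:28:50, 7/255 load
  Receive buffer limit 48768 bytes, frag timeout 1000 ms
    0/0 fragments/bytes in reassembly list
    137 lost fragments, 1453838 reordered
    86/57363 discarded fragments/bytes, 0 lost received
    0x4C7B86 received sequence, 0x30F120 sent sequence
  Member links: 4 active, 1 inactive (max not set, min not set)
    Vi4, since 11:28:48
      PPPoATM link, ATM PVC 0/35 on ATM0/3/0
    Vi5, since 11:28:42
      PPPoATM link, ATM PVC 0/35 on ATM0/0/0
    Vi6, since 11:27:33
      PPPoATM link, ATM PVC 0/35 on ATM0/2/0
    Vi3, since 11:28:50
      PPPoATM link, ATM PVC 0/35 on ATM0/1/0
    Vt1 (inactive)
"""


def parse_multilink(text):
    """Pull the bundle counters and member links out of 'show ppp multilink' output."""
    s = {}
    s["bundle"] = re.search(r"^(Multilink\d+),", text, re.M).group(1)
    m = re.search(r"(\d+) lost fragments, (\d+) reordered", text)
    s["lost"], s["reordered"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"(\d+)/(\d+) discarded fragments/bytes, (\d+) lost received", text)
    s["discarded_frags"], s["discarded_bytes"], s["lost_received"] = (int(x) for x in m.groups())
    m = re.search(r"0x([0-9A-Fa-f]+) received sequence, 0x([0-9A-Fa-f]+) sent sequence", text)
    s["rx_seq"], s["tx_seq"] = int(m.group(1), 16), int(m.group(2), 16)
    s["members"] = re.findall(r"^\s+(Vi\d+), since", text, re.M)
    s["inactive"] = re.findall(r"^\s+(\S+) \(inactive\)", text, re.M)
    return s


def bundle_health(stats, reorder_warn=0.05):
    """Express the counters as ratios of fragments received.

    Assumption (mine, not from the thread): 'received sequence' is treated
    as the number of fragments received since bundle-up, i.e. the 24-bit
    sequence counter has not wrapped. The 5% threshold is also mine.
    """
    received = stats["rx_seq"] or 1
    reorder_ratio = stats["reordered"] / received
    loss_ratio = stats["lost"] / received
    return {
        "bundle": stats["bundle"],
        "active_links": len(stats["members"]),
        "reorder_ratio": reorder_ratio,
        "loss_ratio": loss_ratio,
        "discarded_bytes": stats["discarded_bytes"],
        # reordering far above the threshold is what unequal member speeds look like
        "reorder_high": reorder_ratio > reorder_warn,
    }


def compare_ends(head_text, customer_text):
    """Health of both ends of the bundle, head end first."""
    return bundle_health(parse_multilink(head_text)), bundle_health(parse_multilink(customer_text))


if __name__ == "__main__":
    for side in compare_ends(HEAD_END, CUSTOMER_END):
        print(f"{side['bundle']}: {side['active_links']} links, "
              f"{side['reorder_ratio']:.1%} reordered, {side['loss_ratio']:.4%} lost, "
              f"high={side['reorder_high']}")
```

On Adam's numbers roughly a third of the fragments arriving at the head end and 29% at the customer end are reordered, with almost no loss; that pattern (heavy reordering, little loss) is the one to look for before blaming the IOS release, and it is what the speed mismatch Ben describes produces, because the receiver has to hold fragments from the fast links until the slow one catches up.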


Re: [c-nsp] specifying next-hop via interface while still getting cefswitched

2008-03-27 Thread Ben Steele
Ah that's the ticket, thanks oli.

On 27/03/2008, at 5:20 PM, Oliver Boehmer (oboehmer) wrote:

 Ben Steele  wrote on Thursday, March 27, 2008 6:41 AM:

 I seem to recall there was a command that allowed a router to still
 cef switch packets when the next hop was an interface rather than an
 ip address, i.e. an ADSL client dialer interface with ip route 0.0.0.0
 0.0.0.0 d0
 
 Am I dreaming or was there a command which still allowed this to be
 cef switched, as by default that is unsupported via cef? Platform is
 877 advip.
 
 Which release are you using? This problem was fixed in the code via
 CSCsb44912.

   oli




Re: [c-nsp] QoS problems on ATM pvc - IOS bug?

2008-03-26 Thread Ben Steele
Before applying the policy under your pvc, specify the bandwidth in
your ATM subint and make sure it's within the reserved range, otherwise
use max-reserved-bandwidth x to accommodate it. I feel your pain, as
I've experienced the whole "apply the policy, it takes it, then when you
go to view it it's gone" thing on the 7200's with ATM subint's. I found
the give and take for me was due to it trying to reserve more than the
default amount of bandwidth (75%); it just wouldn't error when applying
the policy.

Also it doesn't like LLQ using the percent command (slightly annoying but
dealt with it via multiple policies).

Ben

On 27/03/2008, at 3:04 AM, neal rauhauser wrote:

  This one is a real head scratcher for me. I've got two 7206s, both
 running c7200-p-mz.123-22.bin, both with identical PAs. One is in
 production, the other is a hot spare. I got frustrated enough with
 trying to get QoS set up that I pulled this config line for line from
 an example on CCO:

 class-map match-all VoIP-Control
  match ip precedence 3
 class-map match-all Video
  match ip precedence 4
 policy-map WAN
  class VoIP-Control
   bandwidth 64
  class Video
   bandwidth 2000
  class class-default
   fair-queue

 And I'm applying it here:

 !test box PVC - this one works fine
 interface ATM2/0.666 point-to-point
 description Irritated Customer, LLC
 ip address 192.168.209.253 255.255.255.252
 pvc 5/54
  protocol ip 192.168.209.254
  broadcast
  encapsulation aal5snap
  service-policy output WAN

 !production box - will have nothing to do with a policy being placed on the PVC
 interface ATM2/0.98004 point-to-point
 description Irritated Customer, LLC
 ip address 192.168.209.253 255.255.255.252
 pvc 5/54
  protocol ip 192.168.209.254
  broadcast
  encapsulation aal5snap
 !many attempts to get the service policy right here, ain't put on an appearance yet

  I've wrestled with this one quite a bit and even went so far as
 getting a maintenance window and rebooting the darned thing - someone
 else had been fooling with QoS stuff before they called me in and I
 was starting to think maybe they'd managed to aggravate some seldom
 touched bits of the MQC.


  The production machine has 32 subinterfaces which correspond to frame
 T1 endpoints on the far side. There are 600+ DSL PPPoA sessions
 terminating on this machine as well. The processor runs at a consistent
 32%, there are only a few hundred routes via OSPF. The engine is an
 NPE400 with 512 meg. The machine has been in production for quite some
 time and is stable and trustworthy. There is no Smartnet on it.


  So ... anyone have any ideas here?




 -- 
 mailto:[EMAIL PROTECTED] //
 GoogleTalk: [EMAIL PROTECTED]
 IM: nealrauhauser

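The silent failure Ben describes can be checked before the policy is attached: add up what the policy-map reserves and compare it with max-reserved-bandwidth (75% by default) of the bandwidth configured on the ATM subinterface. The Python below is an added example, not code from the thread or from Cisco. It parses a constructed copy of Neal's policy-map plus a constructed percent-based variant (the LLQ percent form Ben mentions); the PVC bandwidth values it is run against (2500 and 3000 kbps) are assumptions, since the thread does not give the PVC rate, and the function names are mine.

```python
import math
import re

# Constructed copy of the policy-map Neal posted (his copy of the CCO example).
POLICY_MAP = """\
policy-map WAN
 class VoIP-Control
  bandwidth 64
 class Video
  bandwidth 2000
 class class-default
  fair-queue
"""

# Constructed variant using percentages, the LLQ-percent form Ben mentions.
POLICY_MAP_PERCENT = """\
policy-map WAN-PCT
 class VoIP-Control
  priority percent 30
 class Video
  bandwidth percent 40
 class class-default
  fair-queue
"""

DEFAULT_MAX_RESERVED_PCT = 75  # IOS default for max-reserved-bandwidth

RESERVE_RE = re.compile(r"^(bandwidth|priority)( percent)? (\d+)$")


def parse_reservations(policy_text):
    """Map each class to (keyword, value, is_percent) for bandwidth/priority statements.

    'bandwidth remaining percent' is deliberately not matched: it shares the
    unreserved remainder rather than reserving bandwidth.
    """
    reservations, current = {}, None
    for raw in policy_text.splitlines():
        line = raw.strip()
        if m := re.match(r"^class (\S+)$", line):
            current = m.group(1)
        elif (m := RESERVE_RE.match(line)) and current:
            reservations[current] = (m.group(1), int(m.group(3)), m.group(2) is not None)
    return reservations


def reserved_kbps(reservations, interface_kbps):
    """Total kbps the policy will try to reserve on a link of interface_kbps."""
    return sum(interface_kbps * value / 100 if pct else value
               for _kw, value, pct in reservations.values())


def check_policy_fits(policy_text, interface_kbps, max_reserved_pct=DEFAULT_MAX_RESERVED_PCT):
    """The check IOS performs when the policy is attached, made visible.

    interface_kbps is the 'bandwidth' configured on the ATM subinterface;
    None means it was never set, which is the first thing Ben says to fix.
    """
    if interface_kbps is None:
        return {"ok": False,
                "reason": "set 'bandwidth' on the ATM subinterface before attaching the policy"}
    total = reserved_kbps(parse_reservations(policy_text), interface_kbps)
    allowed = interface_kbps * max_reserved_pct / 100
    return {
        "ok": total <= allowed,
        "reserved_kbps": total,
        "allowed_kbps": allowed,
        # smallest max-reserved-bandwidth value that would let this policy attach
        "min_max_reserved_pct": math.ceil(total * 100 / interface_kbps),
    }


if __name__ == "__main__":
    print(check_policy_fits(POLICY_MAP, None))
    print(check_policy_fits(POLICY_MAP, 2500))       # 2064 > 1875: taken, then not there
    print(check_policy_fits(POLICY_MAP, 2500, 83))   # 2064 <= 2075: fits
    print(check_policy_fits(POLICY_MAP_PERCENT, 2500))
```

With an assumed 2500 kbps subinterface the policy reserves 2064 kbps against an allowed 1875, which is the case that attaches without an error and is then missing from the config; either raise max-reserved-bandwidth to 83 on that subinterface or trim the class reservations, which is the fix Ben describes.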


Re: [c-nsp] System MTU on trunks for Q in Q

2008-03-26 Thread Ben Steele
1504 is the system MTU you want; however, I'd find a higher common
value between your switches in case you choose to run MPLS down the
track, or anything else that is going to add to your frame size.

Ben

On 27/03/2008, at 9:31 AM, Dan Armstrong wrote:

 I've been bashing my head against the wall all day for a definitive
 answer on this:

 On a Cisco switch that supports QinQ (3550, 3750, ME3400, 3560 etc)


 What is the _minimum_ value I need to set the system MTU to, to do
 QinQ?  1504?  1522?  1526?  1546?

 I can't seem to find one concise answer...


 Thanks!!









