Re: [c-nsp] blackholed traffic on ether-channel

2016-04-07 Thread Holemans Wim
Just bought several C6880-X to replace some 6500 with Sup32. They will have a 
lot of LACP channels...
Tried to search for the bug numbers mentioned below, the first one came back as 
not cisco inside only, the second one comes with an information page with the 
title :
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy25743
C6880-X-LE: Contiguous 4 10G ports goes down and cannot be brought up

As a solution the page points to 3 new software releases :
Known Fixed Releases:   (3)
15.2(1)SY1.118
15.3(1)IE101.312
15.4(1)IA1.22
Of these 3 releases none is available for download ? There is even no 15.3 
or 15.4 train available in the download software page...
Anyone has an idea where I can find a software release in which this problem is 
fixed so I can install this before activating these switches on our network ?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron DuShey
Sent: Wednesday 6 April 2016 20:40
To: selamat pagi 
CC: cisco-nsp 
Subject: Re: [c-nsp] blackholed traffic on ether-channel

Sorry for the earlier misfire.

On Wed, Apr 6, 2016 at 10:55 AM, selamat pagi  wrote:

> Setup:
> 4 port LACP channel, C6880 <->  Nexus 7k
>
> Recently we had the issue that most (not all) traffic was black-holed 
> on a C6880.
> No interface counters, nor the port-channel status, nor an NMS pointed 
> to any abnormal behavior.
>
> Finally, the problem was resolved by shutting down a specific  
> interface on C6880.
> It seems that one defect port affected the function of the entire 
> port-channel !!
>

FWIW We recently ran into a somewhat similar port-channel issue on 6880 
15.2(1)SY1a. BU told us symptoms were possibly related to CSCuw08272/CSCuy25743.
That issue is slated to be fixed in 15.2(1)SY2.
-Aaron
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] nexus 5548 versus C4900M

2012-11-21 Thread Holemans Wim
We have a service cluster built around a C4900M : it concentrates a mix of 10G 
(intercampus) connections and 1G connections (some backup lines and central 
services such as DNS, VPN servers,...)
This works fine but to be able to connect all these, I had to add the 20 port 
10/100/1000 UTP card and the extra 8x 10G card (with X2 convertor to provide 
for fiber SFPs). At the time that seemed a good and reasonably priced solution. 
This C4900M only does L2 traffic for the moment but will do some minor static 
(500Mb) IPv4 L3 routing in the near future.

Now I have to create a new, similar  service cluster. The first idea was to 
copy the setup but as we are also looking at Nexus for our datacenter, I 
noticed the Nexus 5548UP. This gives you out-of-the-box 32 1G/10G ports and 
costs (based on the prices I have seen) 25% less than the above C4900M 
configuration.
Anyone has a reason why we should stick to the C4900M (or maybe similar C4500 
solution) and not put a Nexus in place, apart from the obvious differences 
between IOS and NXOS for management ?
I think, when adding the L3 card to the Nexus, the 25% price difference will 
disappear but are there any limits you see (arp table, mac address table size, 
buffering, IPv6 support..) that would take the Nexus out of the picture ?

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp



[c-nsp] nexus material and coloured CWDM 10G SFP+

2011-09-09 Thread Holemans Wim
Recently we started using CWDM coloured 10G SFP+ interfaces (smartoptics) on 
our campus network (in 4900M with OneX convertors). This works just fine 
although Cisco probably will tell us that is not supported...
I'm wondering if someone already did the same thing on nexus 5xxx switches, 
especially 5010 and 5548. We are planning to build a new backbone between 
different datacenters based on nexus material (5010 in 2 remote datacenters, 
5548 in the central datacenter). We could use the transponders of our CWDM 
vendor and use local SR SFP+ interfaces but these transponders cost about 3x 
times more than coloured SFP+ interfaces (and these don't come cheap). Using 
coloured SFP+ interfaces moves control/monitoring of the fiber losses  to the 
end device but we can live with that.
Second question : can you read out fiber losses on a nexus ? (cfr show int 
transc in IOS)

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp



[c-nsp] changing buffer size on 4900M - discards

2011-07-27 Thread Holemans Wim
We are seeing discards on a newly installed 4900M, probably coming from the 
fact that most input to the C4900M is coming from routers connected to it on 
10G lines and is going out on a 2G etherchannel, although the total load on the 
2G channel is just about 250-300 Mb/s. The 2G connection goes to an IPS that 
will be replaced before the end of the year but until then I have to find a way 
around the discards.
Based on the fact that the 4900M is normally mentioned as a switch with a good 
buffer capacity (compared to 37xx switches, see also the threads of the beginning 
of this week), I wonder if there is a way to change buffer size on the gigabit 
interfaces so that there will be less discards ? Anyone has a reference to a 
good document on buffer tuning (on 4900M) ? I know the 'buffers' command exists 
but for the moment I'm still trying to find out what buffers I should change 
(and into which values) to get rid of these discards.

Greetings,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp



[c-nsp] 3750E cluster replacement

2011-07-26 Thread Holemans Wim
We have a network based on a VSS with 20G channels to 3750E-24 clusters 
top-of-rack.
We are seeing  a lot of discards on the cluster which connects to our NetApp 
SANs. I suspect this is because of the small buffers in the 3750E switches and 
the growth of our traffic to the SAN, especially iSCSI traffic.
I'm considering replacing this cluster with something else, but I'm not sure 
what to put there. I read that 4900M have larger buffer and this would offer 
the needed mix of 1G and 10G ports but you can't cluster these switches and given 
the importance of the connected devices, this is not really an option.
Buffering on nexus 55xx seems also better and there you have the vPC 
possibility. Do you consider this the way to go or has anyone else a suggestion 
for a (clustered) device to replace this 3750E cluster ?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp



Re: [c-nsp] 3750E cluster replacement

2011-07-26 Thread Holemans Wim
We use clusters to protect us from hardware failures ; all servers and SAN are 
dual connected to both switches.
We have plans to install nexus in another server room, we could install 5500s 
in both and use them as interconnect (replacing the interconnects now made with 
3750E).

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp

From: chandler.bass...@gmail.com [mailto:chandler.bass...@gmail.com] On Behalf 
Of Chandler Bassett
Sent: Tuesday 26 July 2011 13:14
To: Holemans Wim
Cc: cisco-nsp
Subject: Re: [c-nsp] 3750E cluster replacement

Why's it important you maintain a cluster?

You're absolutely correct, 3750's are weak ToR switches.  I would go with the 
5500 if you find yourself looking toward a wider nexus deployment in the next 
18-36 months.
On Tue, Jul 26, 2011 at 7:03 AM, Holemans Wim 
wim.holem...@ua.ac.be wrote:
We have a network based on a VSS with 20G channels to 3750E-24 clusters 
top-of-rack.
We are seeing  a lot of discards on the cluster which connects to our NetApp 
SANs. I suspect this is because of the small buffers in the 3750E switches and 
the growth of our traffic to the SAN, especially iSCSI traffic.
I'm considering replacing this cluster with something else, but I'm not sure 
what to put there. I read that 4900M have larger buffer and this would offer 
the needed mix of 1G and 10G ports but you can't cluster these switches and given 
the importance of the connected devices, this is not really an option.
Buffering on nexus 55xx seems also better and there you have the vPC 
possibility. Do you consider this the way to go or has anyone else a suggestion 
for a (clustered) device to replace this 3750E cluster ?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp




Re: [c-nsp] 3750E cluster replacement

2011-07-26 Thread Holemans Wim
We do run LACP on most of our server and NAS connections. We also need these 
2G channels towards our SAN to accommodate the accumulated iSCSI traffic 
coming from different servers. 3750E also have only one power supply, so we 
cluster them and use port-channels to protect against hw/power failures. Even 
when replacing the 3750E with nexus 55xx (if needed combined with FEX) we 
intend to double them and have portchannels on both.
 

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Martin Barry
Sent: Tuesday 26 July 2011 14:12
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750E cluster replacement

$quoted_author = Holemans Wim ;

> We use clusters to protect us from hardware failures ; all servers and SAN
> are dual connected to both switches.

You don't need the clustering if you run active-backup. It's only LACP that
requires a stack or virtual chassis.

cheers
Marty



Re: [c-nsp] OT: Console cables on new platforms

2011-06-28 Thread Holemans Wim
Nothing comes free with Cisco (unless this changed since we got our latest copy 
of the GPL in February) :

CAB-CONSOLE-USB=    Console Cable 6 ft with USB Type A and mini-B   30,00$
CAB-CONSOLE-RJ45    Console Cable 6ft with RJ45 and DB9F            30,00$
CAB-CONSOLE-USB     Console Cable 6 ft with USB Type A and mini-B   30,00$

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Network Services University of Antwerp


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim Franklin
Sent: Tuesday 28 June 2011 13:02
To: cisco-nsp
Subject: Re: [c-nsp] OT: Console cables on new platforms

> So you basically need add another part-number(which on btw?) to your
> order and this cost you 0$.

CAB-CONSOLE-RJ45 (RJ45 - DB9F)
CAB-CONSOLE-USB

Also CAB-AUX-RJ45 (RJ45-DB25M) if you want to hook up a modem.

Regards,
Tim.



[c-nsp] cpu spike every minute

2011-01-11 Thread Holemans Wim
We are seeing a cpu spike (and corresponding icmp response latency) every minute 
on one of our 65XX.
It is a 6506-E with Sup32-8G running IOS version ipbasek9-vz.122-18.SXF6.
I checked all our mgmt processes (snmp requests, arp table copies,...) but found 
nothing that could lead to this behavior.
Normal icmp response times (seen from our mgmt station) are a couple msec but 
every minute this rises to 1000 ms and more.

We also see a spike in cpu usage at the same time and I tried to determine what 
process uses all this cpu and got the following result :
Normal : cpu around 11%
ldus220#sh proc cpu | excl 0.0
CPU utilization for five seconds: 11%; one minute: 13%; five minutes: 14%
  PID    5Sec   1Min   5Min  Process
    1    0.1%   2.7%   3.7%  kernel
12312    7.6%   7.0%   7.4%  ios-base
12329    1.8%   1.6%   1.2%  tcp.proc
12330    0.6%   0.5%   0.5%  udp.proc
12331    0.1%   0.2%   0.2%  iprouting.iosproc
12332    0.1%   0.1%   0.1%  cdp2.iosproc

Hit : cpu above 40%, caused by kernel process
ldus220#sh proc cpu | excl 0.0
CPU utilization for five seconds: 46%; one minute: 16%; five minutes: 14%
  PID    5Sec   1Min   5Min  Process
    1   35.6%   6.3%   4.5%  kernel
12312    7.1%   7.1%   7.4%  ios-base
12329    1.0%   1.5%   1.2%  tcp.proc
12330    0.3%   0.5%   0.5%  udp.proc
12331    0.1%   0.2%   0.2%  iprouting.iosproc
12332    0.1%   0.1%   0.1%  cdp2.iosproc

Using cpu detail, I can see it is process id 17 that is hit but I don't have a 
clue what this process does. How can I find what this process does and if it is 
internal kernel housekeeping that is causing this or an external cause ?
ldus220#sh proc cpu detail | excl 0.0
CPU utilization for five seconds: 46%; one minute: 21%; five minutes: 18%
PID/TID    5Sec    1Min    5Min  Process         Prio  STATE    CPU
    1     33.9%    5.7%    4.3%  kernel                          26d20h
      1   54.2%   79.5%   81.6%  [idle thread]      0  Ready    1355d
     17   33.9%    5.7%    4.2%                    10  Running  6d07h
12312      7.3%    9.8%    9.1%  ios-base                        106d

Any info or pointer to info would be appreciated.

Wim Holemans
Network Services
University of Antwerp

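An added example (not from the post) that does the comparison above mechanically: it parses two 'show proc cpu' snapshots in the format quoted in the post and ranks processes by their 5-second increase, so the process behind a once-a-minute spike stands out. The sample snapshots are constructed from the values in the post with the columns re-aligned.

```python
"""Attribute a periodic IOS CPU spike to a process by diffing two 'show proc cpu'
snapshots (added example, not from the original post)."""
import re

# Sample output constructed from the two snapshots quoted in the post (columns
# re-aligned); a real run would capture these over SSH every few seconds.
BASELINE = """\
CPU utilization for five seconds: 11%; one minute: 13%; five minutes: 14%
  PID    5Sec   1Min   5Min  Process
    1    0.1%   2.7%   3.7%  kernel
12312    7.6%   7.0%   7.4%  ios-base
12329    1.8%   1.6%   1.2%  tcp.proc
12330    0.6%   0.5%   0.5%  udp.proc
12331    0.1%   0.2%   0.2%  iprouting.iosproc
12332    0.1%   0.1%   0.1%  cdp2.iosproc
"""
SPIKE = """\
CPU utilization for five seconds: 46%; one minute: 16%; five minutes: 14%
  PID    5Sec   1Min   5Min  Process
    1   35.6%   6.3%   4.5%  kernel
12312    7.1%   7.1%   7.4%  ios-base
12329    1.0%   1.5%   1.2%  tcp.proc
12330    0.3%   0.5%   0.5%  udp.proc
12331    0.1%   0.2%   0.2%  iprouting.iosproc
12332    0.1%   0.1%   0.1%  cdp2.iosproc
"""

TOTAL_RE = re.compile(r"CPU utilization for five seconds: (\d+)%")
ROW_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S.*?)\s*$")


def parse_proc_cpu(text):
    """Return (total_5sec, {(pid, name): 5sec_percent}) from 'show proc cpu' output.

    Only the 5-second column is used: the 1- and 5-minute averages smooth a
    once-a-minute spike away, which is exactly why it is hard to see in them."""
    total = None
    procs = {}
    for line in text.splitlines():
        m = TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            # Key on PID + name so two processes with the same name stay distinct.
            procs[(int(m.group(1)), m.group(5))] = float(m.group(2))
    return total, procs


def attribute_spike(baseline, spike):
    """Rank processes by their 5-second CPU change between two parsed snapshots.

    Returns (ranked, unaccounted): ranked is a list of (process_name, delta)
    sorted by descending delta; unaccounted is the part of the total increase
    not explained by the listed rows (rows hidden by '| excl 0.0', rounding)."""
    base_total, base = baseline
    spike_total, hot = spike
    deltas = {}
    for key in set(base) | set(hot):
        deltas[key] = round(hot.get(key, 0.0) - base.get(key, 0.0), 1)
    ranked = sorted(((name, d) for (_pid, name), d in deltas.items()),
                    key=lambda item: item[1], reverse=True)
    explained = sum(deltas.values())
    unaccounted = round((spike_total - base_total) - explained, 1)
    return ranked, unaccounted


if __name__ == "__main__":
    ranked, rest = attribute_spike(parse_proc_cpu(BASELINE), parse_proc_cpu(SPIKE))
    for name, delta in ranked[:3]:
        print(f"{name:20s} {delta:+6.1f}%")
    print(f"unaccounted: {rest:+.1f}%")
```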


[c-nsp] 10G for 6506-E with Sup32-8Gb or replace with 4900M

2010-12-23 Thread Holemans Wim
We have 3 campuses, each with a 6506-E/Sup720-10G as 'master router' and 
a 6506-E/Sup32-8Gbit as backup router, in a HSRP config. In each router we also 
have GBIC boards to connect the different buildings. These Sup32 routers also 
act as  L2 concentrator for part of each campus.

Now we are thinking about connecting both routers to each other on each campus 
with a 10G connection. As the Sup32 don't have a 10G yet, we have multiple 
options to do so.
We can add a 10G board to the chassis, replace the supervisor with a Sup720 or 
replace the whole router with a 4900M.
If I take a look at list prices, I get 28000$ for Sup720, 2$ for 6704 (but 
these are XENPAKs), 37500$ for 6708 and 22000$ for 4900M (base + 10/100/1000 
card, dual power).
We have  65XX as routers because we had FWSM boards in them  but these are not 
used anymore.
Based on the price, it seems we best opt to replace the 6506-E/Sup32 with the 
4900M option (there is also a difference in maintenance cost). With TwinGig 
converters this offers us a good combination of 10G and 1G SFP ports. For 
7500$ we can add a second 8 port X2 board that gives us extra 10G/SFP-ports if 
needed.

Has anyone had bad/good experience with using a 4900M as router, given the 
following environment :

- Router acts as backup router, so in 99.xxx% of the time it only has 
  to forward L2 traffic
- Only static routes, no active routing protocol.
- 40 vlans, 40 SVI's with ACLs on it
- No IPv6 for the moment, but according to the specs, the 4900M should 
  handle IPv6 in hardware just fine.
- No QoS yet, but we are planning to implement that in 2011


I know we lose the netflow capability if the primary router fails, but we can 
live with that.

All comments are welcome.

Wim Holemans
Network Services
University of Antwerp
Belgium



Re: [c-nsp] Strange problem with Cat6500 freeze

2010-12-14 Thread Holemans Wim
Not exactly the same but we had an 'automatic' reboot on a Sup720 and Sup32 
during a broadcast storm after upgrading to SXI4a. Before the upgrade the 
machine kept running (unresponsive but running) until the cause of the 
broadcast storm was removed.
Something seems to have changed in SXI4a 

Wim Holemans
  

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jens S Andersen
Sent: Monday 13 December 2010 19:49
To: Robert Hass
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Strange problem with Cat6500 freeze

Hi

We have the exact same problem with 2 6503E/Sup32 routers after upgrading to 
SXI4a.
We downgraded to SXI3, and the problem went away.
Maybe it's a SXI4a 'feature'.

-Jens


Hi

I have a network where the core devices are Cisco Catalyst 6506-E with
Sup32/PFC3B. Last month we had the problem two times. One time the first 6500
'froze' and the second time the second 6500 'froze'. Freeze means the machine was
powered up, an alarm was present (diode on supervisor), the console wasn't
responding at all, the frozen 6500 created a lot of loops on all VLANs inside the
network (%SW_MATM-4-MACFLAP_NOTIF: Host .. in vlan XX is
flapping between port XX and port XX), all ports connected to the 'frozen' 6500
were UP, LACP for PortChannels went down. A hard reboot (power off + power on)
helped both times. There wasn't any crashdump in
flash/bootflash/sup-bootdisk/disk. Most of the problem was caused by the loop created
by the frozen 6500 - as the whole network was overloaded. How could I prevent this
issue in future ? Maybe storm-control for broadcasts ? Did anybody
encounter a similar problem with 6500 ? After investigation, both freezes were
probably caused by random disabling/enabling of NetFlow ('ip flow ingress') on a few
SVIs.

Some facts more about both 6500 configurations:
- Both running 12.2(33)SXI4a IOS. Upgrade was done 1 month ago.
- Before, the machines were running 12.2(33)SXH4 and a similar problem never occurred
- eBGP (230k prefixes), 3-4 full table BGP peers + iBGP (20 peers rr-clients)
- IS-IS
- A little MLS QOS (policing) - 1-2 service-policies on SVIs
- Control Plane Policing implemented
- Sometimes netflow v5 exporting from SVI
- Load around 40% (show catalyst6000) + 1.5Mpps (sh platf hardw capa pfc)
- Dual PSs
- Only ports GE on Sup-32 heavy used
- WS-X6408A-GBIC linecards but used only 1-2 ports with a little load
(~50-200Mb)
- ~300 VLANs
- ~50 SVIs

Robert


Jens S Andersen Email:  j...@adm.aau.dk
Aalborg University  Telf:   9940 9464
Selma Lagerlöfs Vej 300, 4.2.59 Fax:9940 7593
9220 Aalborg
Denmark



[c-nsp] 6506-E module provisioning

2010-06-17 Thread Holemans Wim
I've been searching the cisco website for this but didn't find an answer. We 
have a new 6506-E to replace an old one, and I'll have to move some modules 
between them as we don't have spare ones. Is there a way to 'provision' these 
modules in the config of the new router so I can just copy the old config to 
the new one and won't have to add the config for these modules after the cards 
have been switched ? The modules will move to the same slot in the new router.

Greetings,

Wim Holemans
Network Services

University of Antwerp




Re: [c-nsp] 3750-E + CVR-X2-SFP10G + SFP-10G-SR = disappearing media

2010-05-11 Thread Holemans Wim
We have a similar setup but with X2 interfaces, so no X2 to SFP+ converters and 
that works just fine. Have you checked the transceiver parameters ?
Maybe they are not within limit causing a shutdown of the interface ? 
(temperature, input power, output power). The first batch of (non-cisco) X2 
transceivers we got, all gave wrong information about thresholds and the like. After 
replacing them, everything was fine.
sh int te1/0/1 transc detail
should give you this info. We are running version 122-50.SE2.

Wim Holemans
Network/Security Manager
University of Antwerp

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew White (MAWHI)
Sent: Tuesday 11 May 2010 0:03
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 3750-E + CVR-X2-SFP10G + SFP-10G-SR = disappearing media

Greetings,

I have an open TAC case about this but I figured I'd ask here as well.

I recently installed 10 3750-Es in 5 2-member stacks. Each stack has 2 uplinks 
to a 6509-VSS. I'm using X2 to SFP+ converters and 10G SFP+ modules on both 
ends of the links between the stacks and the VSS. In each stack I'm using 
interface Ten1/0/1 and Ten2/0/1. There is currently no real traffic on any of 
the links. The plan is to do a forklift upgrade of our existing production 
network and I've set the 3750/VSS up in a test environment. With the exception 
of two hosts talking iperf to each other, the network is quiet.

The problem I'm seeing is this: after about 6 to 8 hours a 10G interface on the 
3750 side will go down. Saying 'show int Ten2/0/1' will show the media type as 
Not Present:

Full-duplex, 10Gb/s, link type is auto, media type is Not Present

as opposed to:

Full-duplex, 10Gb/s, link type is auto, media type is SFP-10GBase-SR

I am seeing this behavior on three individual switches and in each case it is 
ten2/0/1 that fails. I've replaced the X2 converter, the SFP+ module and moved 
the converter to Ten2/0/2 but the symptoms persist. I RMA'd one of the switches 
and just installed the replacement, hopefully this will solve the problem.

I also checked software compatibility and the switches are running 
(C3750E-UNIVERSALK9-M), Version 12.2(53)SE2

Has anyone seen this before?

-mtw



[c-nsp] best ios version for VSS

2010-01-27 Thread Holemans Wim
We have a VSS running, L2 only for the moment. We plan to enable L3
(static routing only for the moment) next week (along with a FWSM board
in each chassis).

We are running version s72033-advipservicesk9_wan-mz.122-33.SXI1.bin for
the moment (I know this version has too many features for what we need
for the moment)

The problems we had with this version until now :

- One of the supervisors rebooted spontaneously leaving no
  traces on why it restarted
- ISSU (I don't remember what the version was we started the
  upgrade) didn't work, so I had to boot both chassis manually, giving a
  much higher downtime than expected
- The activation of the first FWSM (inserted with power down
  for that specific module, followed by power up of the module), caused a
  crash and reboot of the supervisor of the chassis in which the FWSM was
  inserted.

So anyone has comments on to which version we eventually should upgrade
to before going to L3 ? (downtime will have a much larger impact from
that moment on).

I found on the cisco website there is a version 12.2.33-SXH6(ED) and a
version 12.2.33-SXI3(ED) available.

 

Greetings,

 

Wim Holemans

Network Services

University of Antwerp



Re: [c-nsp] FWSM logging problem

2009-12-17 Thread Holemans Wim
To answer all questions about versions etc.
We are running 3.1(4), not the latest I know, but people here are
'allergic' to network downtime and with semester exams coming up, I
won't be able to upgrade before February. 
I removed the log option from the rule which should have given me 106023
messages in my logs but they don't show up ; the ACE is being hit
however :

access-list Internet-out line 24 extended deny ip any host x.x.x.x
(hitcnt=13) 0x6e051e8c

As far as I can tell, there is no queue problem :
Logging Queue length limit : 1024 msg(s), 30947037 msg(s)
discarded.
Current 502 msg on queue, 512 msgs most on queue
I raised the limit to 1024 yesterday and the number of discards stayed
the same since then.

There doesn't seem to be a caching problem either :
fwcdep/fwcdep1# sh access-list | incl cache
access-list cached ACL log flows: total 5, denied 3 (deny-flow-max 4096)

I'll have to live with this until I can upgrade.

Wim


-Original Message-
From: Andrew Yourtchenko [mailto:ayour...@cisco.com] 
Sent: Wednesday 16 December 2009 19:35
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem

On Wed, 16 Dec 2009, Holemans Wim wrote:

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
> on our FWSM and wanted to see whoever on campus is trying to access
> this address (Botnet CC).
>
> I added the following line in the ACL (even raised priority), you can
> see that the rules triggers when I tried to telnet the address :
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
> log critical interval 30 (hitcnt=9) 0x6e051e8c
>
> There is however no corresponding syslog message on our syslog server or
> in the buffered logs on the FWSM.

Any chances you'd have %FWSM-1-106101: Number of cached deny-flows for 
ACL log has reached limit  somewhere ?

Check on show access-list output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, the further 
logs are suppressed (AFAIK, with the logic being, that since the whole 
idea behind the log is to decrease the amount of logging messages, if 
we get a lot of hits, we are probably already under stress, so would not
want to stress further by downgrading the logs to sending them
per-packet).

If you have a lot of ACEs that are marked with log keyword, this might
be what you see. Decreasing the interval should help to keep the # of
logs under max.


> These are our logging settings : already raised queue size, some
> messages moved to another log level so they don't get sent to our syslog
> server. ACL log messages are normally of ID 106100 level debugging, I
> can find several of them on the syslog server but not for the specific
> ACE.

For the specific ACE, you can remove the log keyword. Bit
counter-intuitive as this might seem, it would not stop the logging for 
the denied sessions - just the messages will be different
(firewall-style):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 
8, code 0) by access-group foo [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> 
inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit.

So I think it should precisely fit what you are looking for.

cheers,
andrew


[c-nsp] FWSM logging problem

2009-12-16 Thread Holemans Wim
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
on our FWSM and wanted to see whoever on campus is trying to access
this address (Botnet CC).

I added the following line in the ACL (even raised priority), you can
see that the rules triggers when I tried to telnet the address :

access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
log critical interval 30 (hitcnt=9) 0x6e051e8c

 

There is however no corresponding syslog message on our syslog server or
in the buffered logs on the FWSM.

These are our logging settings : already raised queue size, some
messages moved to another log level so they don't get sent to our syslog
server. ACL log messages are normally of ID 106100 level debugging, I
can find several of them on the syslog server but not for the specific
ACE. 

 

 

logging enable
logging timestamp
logging emblem
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging queue 1024
logging host DA-rt x.x.x.x
logging message 305010 level debugging
logging message 305009 level debugging
logging message 302015 level debugging
logging message 302014 level debugging
logging message 302013 level debugging
logging message 302016 level debugging
logging message 302021 level debugging


Anyone has a clue on how to get all syslog messages for the ACE's that
have a log part ?

 

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 

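An added example, not from the thread or from Cisco, covering the two message formats Andrew contrasts in his reply (106100 aggregated per cached flow with a hit-cnt, 106023 one message per packet) and the deny-flow cache he describes: it parses constructed sample syslog lines for the Internet-out ACL and models how a full cache leaves new flows unlogged. Message layouts follow the examples quoted in the thread; addresses, ports and hash values are made up.

```python
"""Parse FWSM ACL-deny syslog (106100 vs 106023) and model the deny-flow cache.
Added example; not code from the original posts or from Cisco."""
import re
from collections import Counter

# Constructed sample lines following the two message formats quoted in the thread.
# Addresses and hash values are made up; 'Internet-out' is the ACL name from the post.
SAMPLE_LOG = """\
%FWSM-6-106100: access-list Internet-out denied tcp inside/10.0.5.17(40112) -> outside/198.51.100.7(6667) hit-cnt 1 (first hit) [0x6e051e8c, 0x0]
%FWSM-6-106100: access-list Internet-out denied tcp inside/10.0.5.17(40112) -> outside/198.51.100.7(6667) hit-cnt 12 (30-second interval) [0x6e051e8c, 0x0]
%FWSM-4-106023: Deny tcp src inside:10.0.9.42/51234 dst outside:198.51.100.7/6667 by access-group Internet-out [0x6e051e8c, 0x0]
%FWSM-4-106023: Deny tcp src inside:10.0.9.42/51235 dst outside:198.51.100.7/6667 by access-group Internet-out [0x6e051e8c, 0x0]
%FWSM-4-106023: Deny icmp src inside:10.0.3.8 dst outside:198.51.100.7 (type 8, code 0) by access-group Internet-out [0x6e051e8c, 0x0]
%FWSM-4-106023: Deny tcp src outside:192.0.2.5/4444 dst inside:10.0.1.1/22 by access-group Internet-in [0x1a2b3c4d, 0x0]
%FWSM-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.5.17/55000 (10.0.5.17/55000)
"""

# 106100: emitted by ACEs carrying the 'log' keyword, aggregated per cached flow
# ('first hit', then one line per interval carrying hit-cnt for that interval).
RE_106100 = re.compile(
    r"%FWSM-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?P<window>[^)]*)\)"
)
# 106023: emitted for denies by ACEs without 'log', one message per packet.
RE_106023 = re.compile(
    r"%FWSM-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \([^)]*\))? by access-group (?P<acl>\S+)"
)


def summarize_denies(log_text, acl):
    """Count denied hits for one ACL across both message types.

    A 106100 line contributes its hit-cnt (it summarises one flow over an
    interval); a 106023 line is a single packet and contributes one hit."""
    messages = Counter()
    hits_by_source = Counter()
    for line in log_text.splitlines():
        m = RE_106100.search(line)
        if m:
            if m["acl"] == acl and m["action"] == "denied":
                messages["106100"] += 1
                hits_by_source[m["src"]] += int(m["hits"])
            continue
        m = RE_106023.search(line)
        if m and m["acl"] == acl:
            messages["106023"] += 1
            hits_by_source[m["src"]] += 1
    return {"messages": dict(messages), "hits_by_source": dict(hits_by_source)}


def model_log_cache(denied_packets, deny_flow_max):
    """Simplified model of the 'cached ACL log flows' behaviour explained in the thread.

    denied_packets: flow keys (e.g. (src, dst) tuples) hitting a logged ACE, in
    arrival order. Each new flow takes a cache slot and yields one 'first hit'
    106100; later packets of a cached flow only raise its counter. Once
    deny_flow_max flows are cached, new flows produce no 106100 at all (the
    condition 106101 warns about), so their hits silently go unlogged.
    Returns (first_hit_messages, hits_per_cached_flow, suppressed_new_flows)."""
    cache = {}
    first_hits = 0
    suppressed = 0
    for flow in denied_packets:
        if flow in cache:
            cache[flow] += 1
        elif len(cache) < deny_flow_max:
            cache[flow] = 1
            first_hits += 1
        else:
            suppressed += 1
    return first_hits, cache, suppressed


if __name__ == "__main__":
    print(summarize_denies(SAMPLE_LOG, "Internet-out"))
    flows = [("10.0.5.17", "198.51.100.7")] * 3 + [(f"10.0.7.{i}", "198.51.100.7") for i in range(5)]
    print(model_log_cache(flows, deny_flow_max=4))
```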


Re: [c-nsp] 3750G vs. Nexus for a SAN

2009-11-12 Thread Holemans Wim
What version of IOS does it run ? Base version or lite version ? 

Wim Holemans
Network Services
University of Antwerp


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim McBurnett
Sent: Friday 13 November 2009 5:17
To: Asbjorn Hojmark - Lists; Brian Landers
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

It is on the price list. $5300..
I have one in production and one on order for a customer..
Nice switch...


Jim

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Asbjorn Hojmark
- Lists
Sent: Monday, November 09, 2009 9:31 AM
To: Brian Landers
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750G vs. Nexus for a SAN

On Mon, 9 Nov 2009 09:05:34 -0500, you wrote:

> [Cat 2350G] Doesn't appear to be in the pricing tool yet, though?

Every order goes on NPH and needs to go through the BU for approval.
Pricing is 'known, but not public'.

-A


[c-nsp] STP and RSTP interaction

2009-09-24 Thread Holemans Wim
Until now we used standard STP in our network with changed diameter
parameters (diameters of 10,11,..)

We plan to migrate to RSTP and as far as I can tell from reading about it,
this should be no problem if we start changing from the outside into the
core.

I now have to add a new part to our network and in this part I already
enabled RSTP. I'm still hesitating to couple both networks as I don't
have an idea how the RSTP part will interfere with the diameter of the
existing network. If I'm right the 'coupling' interface of the new
network will work in STP mode and the rest of the new network in RSTP.
How does do I count this new network when calculating the new diameter ?
Just as 1 switch ? Or do I count the full topology ? Anyone has done
this before and can comment on this ? Other suggestions, experiences
with the migration from STP to RSTP that may help ?

 

Greeting,  

 

Wim Holemans

Network Services University of  Antwerp

 



[c-nsp] 2801 as console server

2009-09-16 Thread Holemans Wim
I've been looking through the Cisco doc but didn't find what I was
looking for, therefore this question :

 

I transformed a 2801 router which we used as a dialin server to a
console server. The config seems to work, I can do a 

telnet xxx 2018  to get access to serial port 0/1/1, also ssh -l
user:portnumber works. But I still have 2 problems :

-The escape character doesn't work when using ssh, also e.g.
defining CTRL-Z as disconnect character doesn't work. The only way to
stop the connection is by killing it at the ssh client side. Is there
another way to stop the ssh connection, just like the telnet escape
character ?

-Is there a way to access the async line from within the router
itself ? So just a telnet/ssh to the router and then something like
'connect line XXX' ? The connect command on the router seems to be an
equivalent of telnet for outgoing tcp sessions and I don't see another
command that could do this.

 

I'm running c2801-ipbasek9-mz.124-25a on the router.

Thanks,

 

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



Re: [c-nsp] ASA 5505 stops servicing inbound connections

2009-08-11 Thread Holemans Wim
Look in the log files for the following error :
160Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; 
possible out-of-memory condition

This kills our ASAs (running version 8) on a regular basis (once a month), 
reload is the only way to resolve this. We have a case open for this, but 
without any good response from cisco yet.

Wim Holemans
Network Services
University of Antwerp


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday 11 August 2009 22:07
To: Tillinger, Steve
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger,
Stevesteve.tillin...@sourcemedia.com wrote:
 Have you tried sh local ?   That should tell you if you're hitting the
 10 user limit.


Detected interface 'outside' as the Internet interface. Host limit
applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10

Interface dmz: 2 active, 2 maximum active, 0 denied

The connections that get dropped are hitting the outside interface.
Also, the firewall is non-responsive to remote login via SSH or ASDM
when this happens.

M


Re: [c-nsp] VSS out-of-band mgmt

2009-07-14 Thread Holemans Wim
Just implemented it based on an example I received yesterday ; we don't
deploy tacacs, so no problem there. Syslog doesn't work anymore for the
moment but I haven't checked yet whether it is vrf aware. 

Thanks to everyone who answered my question. When I have tried out the syslog
config, I'll share the result on this list.

Wim Holemans


-Original Message-
From: Alasdair McWilliam [mailto:alasda...@gmail.com] 
Sent: Tuesday 14 July 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf.  
So far everything that needs a source interface seems to work,  
although I've not actually configured syslog yet, TACACS is now vrf  
aware. You have to define a specific AAA server group. Eg:

tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
   server 1.1.1.1
   ip vrf forwarding mgmt-vrf
!

aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server  
command before you add it to the group otherwise it throws an error.


Al


On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

 Yes, a management VRF will do exactly what you want :-)

 Perhaps things have improved, but at one time for the 6500
 platform certain functions could only be performed in the
 native(? is that the right word) context, and you needed
 to place all the rest of your traffic/interfaces in a VRF
 leaving the native context for management (sort of the
 reverse of your proposal, instead have an Internet VRF
 for everything except for management).

 Have the latest IOS versions eliminated those challenges
 on the 6500?

 Gary



Re: [c-nsp] VSS out-of-band mgmt

2009-07-14 Thread Holemans Wim
Tried syslog vrf awareness and yes :
logging host 143.169.x.y vrf management
did the trick.

We are running 122-33.SXI1 on this VSS cluster.

Wim Holemans


-Original Message-
From: Alasdair McWilliam [mailto:alasda...@gmail.com] 
Sent: Tuesday 14 July 2009 19:33
To: Buhrmaster, Gary
Cc: Holemans Wim; Cisco NSP
Subject: Re: [c-nsp] VSS out-of-band mgmt

We have VSS deployed and its management interface is on a mgmt-vrf.  
So far everything that needs a source interface seems to work,  
although I've not actually configured syslog yet, TACACS is now vrf  
aware. You have to define a specific AAA server group. Eg:

tacacs-server host 1.1.1.1 key myacskey
tacacs-server directed-broadcast
ip tacacs source-interface VlanXYZ

Then:

aaa group server tacacs+ ACS-GROUP-NAME
   server 1.1.1.1
   ip vrf forwarding mgmt-vrf
!

aaa authentication login default group ACS-GROUP-NAME local-case

I will note that you have to define each server with the tacacs-server  
command before you add it to the group otherwise it throws an error.


Al


On 13 Jul 2009, at 18:47, Buhrmaster, Gary wrote:

 Yes, a management VRF will do exactly what you want :-)

 Perhaps things have improved, but at one time for the 6500
 platform certain functions could only be performed in the
 native(? is that the right word) context, and you needed
 to place all the rest of your traffic/interfaces in a VRF
 leaving the native context for management (sort of the
 reverse of your proposal, instead have an Internet VRF
 for everything except for management).

 Have the latest IOS versions eliminated those challenges
 on the 6500?

 Gary



[c-nsp] VSS out-of-band mgmt

2009-07-13 Thread Holemans Wim
I have a VSS router that I want to do some out-of-band mgmt with. Is
this possible with VRF-lite ? I would like to build a channel with the
UTP ports on the sup720, give the VSS an address on this trunk but keep
this interface out of the standard routing table. Can this be done with
VRF-lite ? Or is there another way to do out-of-band mgmt of a VSS
cluster? 

 

Greetings,

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



[c-nsp] network simulator

2009-05-18 Thread Holemans Wim
I'm looking for a (free) network simulator that allows me to simulate a
small network (20 switches) with different vlans on it. I want to test
different scenarios : what happens if this switch goes down or that
link goes down, how do the packets flow in each scenario for the
different vlans...

 

Does anyone have a good reference to such a product ? Free would be nice but
is no absolute condition.

 

Thanks,

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



Re: [c-nsp] network simulator

2009-05-18 Thread Holemans Wim
Just found out through Google, will give it a try tomorrow.

 

Thanks,

 

Wim Holemans

 

 



From: Michal Prazenka [mailto:michal.praze...@gtsce.com] 
Sent: Monday 18 May 2009 19:35
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] network simulator

 

Have you tried GNS3?

Michal

Holemans Wim wrote:

I'm looking for a (free) network simulator that allows me to simulate a
small network (20 switches) with different vlans on it. I want to test
different scenarios : what happens if this switch goes down or that
link goes down, how do the packets flow in each scenario for the
different vlans...
 
 
 
Does anyone have a good reference to such a product ? Free would be nice but
is no absolute condition.
 
 
 
Thanks,
 
 
 
Wim Holemans
 
Netwerkdienst Universiteit Antwerpen
 
 
 


[c-nsp] VSS upgrade problems

2009-02-04 Thread Holemans Wim
I'm testing a VSS solution for our campus network, most things seem to
work as expected. I ran however into problems when testing the eFSU
upgrade procedure. 

The system came with ip base 12.33SXH4 on, I created the cluster with
this version without problem (although the notes state that you should
use at least ip services). I upgraded the system the traditional way to
ip base 12.33 SXI without problem. Then I decided to test the eFSU
upgrade procedure (available from 12.33SXI) which should give no
downtime at all (if all your connections are trunks to both chassis). I
tried to upgrade from ip base 12.33SXI to ip services 12.33SXI. This
however failed and kept my standby chassis continuously booting until I
removed the VSS connection between both (I forgot to activate the issu
rollback timer...)

 

These are the messages I got :

1)  On the master :

 

01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant
configuration: Active SP has (1048576/8192K) memory, Standby has
(1048576/65536K).

01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant
configuration: Active RP has (1048576/8192K) memory, Standby has
(1048576/65536K).

01:01:48: %PFREDUN-SW2_SP-6-ACTIVE: Standby initializing for RPR mode

01:01:50: %ISSU-SW2_SP-4-FSM_INCOMP: Version of local ISSU client ISSU
ifs client(110) in session 327962 is incompatible with remote side.

01:01:50: %RFS-SW2_SP-3-START_NEGO_SESSION: RFS nego (327962:262609) to
[issu:rfs:Secondary RFS Server Port:0x305] failed:
[ISSU_RC_NEGO_ERROR]

01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS
RF(520) notification timeout

01:02:22: %VSLP-SW2_SP-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Disabled by Peer
Reload Request

01:02:22: %VSLP-SW2_SP-2-VSL_DOWN:   Last VSL interface Te2/5/4 went
down

 

01:02:22: %VSLP-SW2_SP-2-VSL_DOWN:   All VSL links went down while
switch is in ACTIVE role

 

01:02:23: %PFREDUN-SW2_SP-6-ACTIVE: Standby processor removed or
reloaded, changing to Simplex mode

01:02:23: %RF-SW2_SP-3-NOTIF_TMO: Notification timer Expired for RF
Client: RFS RF(520)

01:02:24: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: Proxy request to
reload peer

 

2)  On the slave :

 

 

*Feb  3 10:48:12.695: %ISSU-SW1_SPSTBY-3-FSM_MISMATCH_MTU: ISSU nego
failed for client ISSU ifs client(110) entity_id 113 session 65694 due
to mismatch of mtu size 36  72.

-Traceback= 40252F70 4025350C 40969458 417A050C 417A0578 40966980
40966BE0 40966FD8 409A8FFC 4042FD60 40447984 4088E6C0 4088E6AC

*Feb  3 10:48:12.735: %ISSU-SW1_SPSTBY-4-FSM_INCOMP: Version of local
ISSU client ISSU ifs client(110) in session 65694 is incompatible with
remote side.

*Feb  3 10:48:12.735: %RFS-SW1_SPSTBY-3-START_NEGO_SESSION: RFS nego
(65694:65693) to [issu:rfs:65536:0x1] failed: [ISSU_RC_NEGO_ERROR]

*Feb  3 10:48:43.551: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested - From
Active Switch (Reload peer unit).

*Feb  3 10:48:45.071: %VSLP-SW1_SPSTBY-3-VSLP_LMP_FAIL_REASON:  5/4 :
Link down

*Feb  3 10:48:45.071: %VSLP-SW1_SPSTBY-2-VSL_DOWN:   Last VSL interface
5/4  went down

 

*Feb  3 10:48:45.075: %VSLP-SW1_SPSTBY-2-VSL_DOWN:   All VSL links went
down while switch is in Standby role

 

*Feb  3 10:48:45.083: %SATVS_IBC-SW1_SPSTBY-5-VSL_DOWN_SCP_DROP: VSL
inactive - dropping cached SCP packet: (SA/DA:0x4/0x4,
SSAP/DSAP:0x2/0x1, OP/SEQ:0x1E/0x13, SIG/INFO:0x1/0x501,
eSA:.0500.)

 

*Feb  3 10:48:46.127: %SYS-SW1_SPSTBY-5-RELOAD: Reload requested by
Delayed Reload. Reload Reason: Admin requested reload of the Standby
during ISSU.

*Feb  3 10:48:46.127: %OIR-SW1_SPSTBY-6-CONSOLE: Changing console
ownership to switch processor

 

 

Two things are strange : the message about the
PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH because these are 2 identical
supervisor boards, secondly the mtu mismatch error. I tried to find some
info about the MTU error but neither the Cisco website nor Google
gave any info about these errors.

 

Does anyone have an idea or just a pointer to more technical detail ?
There is not that much documentation on the Cisco website about VSS...

 

Any help would be appreciated,

 

Greetings,

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 

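The ASA "fiber scheduler" message quoted earlier on this page and the PFREDUN/ISSU/VSL messages quoted in this post all share the Cisco syslog header format %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC. The following Python triage routine is an added example, not code from the posts or from Cisco: it parses that header and flags the messages worth alerting on. The sample log lines are constructed from the ones quoted on this page, and the watch-list of mnemonics is an assumption about what a site would choose to page on.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco IOS/ASA message header: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
#   %ASA-0-716528: ...                      facility ASA, severity 0, mnemonic 716528
#   %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: ... subfacility SW2_SP, severity 4
# The hyphen is not part of any name, so the optional subfacility group can
# only ever swallow a token that is followed by "-<digit>-<mnemonic>:".
CISCO_MSG = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)"
    r"(?:-(?P<sub>[A-Za-z0-9_]+))?"
    r"-(?P<sev>[0-7])"
    r"-(?P<mnem>[A-Za-z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass
class CiscoMessage:
    facility: str
    subfacility: Optional[str]
    severity: int          # 0 = emergency ... 7 = debug
    mnemonic: str
    text: str


def parse_cisco_syslog(line: str) -> Optional[CiscoMessage]:
    """Parse one log line; return None for lines without a %FAC-SEV-MNEMONIC
    header, such as the '-Traceback=' continuation lines in this post."""
    m = CISCO_MSG.search(line)
    if not m:
        return None
    return CiscoMessage(m["fac"], m["sub"], int(m["sev"]), m["mnem"], m["text"].strip())


# Assumption: a site-specific watch-list of (facility, mnemonic) pairs taken
# from the messages quoted on this page; these alert regardless of severity.
WATCHLIST = {
    ("ASA", "716528"),                # fiber scheduler error / possible out-of-memory
    ("PFREDUN", "PHYSMEM_MISMATCH"),  # asymmetric supervisor memory reported
    ("ISSU", "FSM_INCOMP"),           # ISSU client version incompatible with peer
    ("ISSU", "FSM_MISMATCH_MTU"),     # ISSU negotiation failed on MTU mismatch
}
ALERT_MAX_SEVERITY = 2  # emergency, alert and critical always alert


def triage(lines: Iterable[str]) -> List[CiscoMessage]:
    """Return the parsed messages that should raise an alert, in input order."""
    alerts: List[CiscoMessage] = []
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg is None:
            continue
        if msg.severity <= ALERT_MAX_SEVERITY or (msg.facility, msg.mnemonic) in WATCHLIST:
            alerts.append(msg)
    return alerts


# Constructed sample, modelled on the lines quoted in this page's posts.
SAMPLE_LOG = [
    "<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; "
    "possible out-of-memory condition",
    "01:01:47: %PFREDUN-SW2_SP-4-PHYSMEM_MISMATCH: Asymmetrical redundant "
    "configuration: Active SP has (1048576/8192K) memory, Standby has (1048576/65536K).",
    "01:01:48: %PFREDUN-SW2_SP-6-ACTIVE: Standby initializing for RPR mode",
    "01:01:50: %ISSU-SW2_SP-4-FSM_INCOMP: Version of local ISSU client ISSU ifs "
    "client(110) in session 327962 is incompatible with remote side.",
    "01:02:21: %RF-SW2_SP-5-RF_RELOAD: Peer reload. Reason: RF Client RFS RF(520) "
    "notification timeout",
    "01:02:22: %VSLP-SW2_SP-2-VSL_DOWN:   All VSL links went down while switch is in ACTIVE role",
    "-Traceback= 40252F70 4025350C 40969458",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"sev {a.severity} {a.facility}-{a.mnemonic}: {a.text}")
```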


Re: [c-nsp] upgrading stack of 3750E's

2009-01-27 Thread Holemans Wim
(I'm the one who posted the original question).
Just tested it again with a second stack of 3750E's ; this gave the same
result :
Upgrading from 12.2.2(35) to 12.2.(46) and reload of the second switch gave
a Version Mismatch which left the second switch hanging. Only a reload of
the master restored full functionality.
After that, I replaced the ip base image with the one with encryption
(k9 version), however same version number 12.2(46). This went as
described below, the second one came back online and became a member of
the stack again without problem, allowing reload of the first one.
 
So my conclusion is that the possibility to upgrade a stack without
losing full connectivity is different for each upgrade and you can't
tell in advance if it will result in a version mismatch or not. 

Feel free to comment if you have different experiences.

Wim Holemans

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday 26 January 2009 19:38
To: Tony Varriale
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] upgrading stack of 3750E's

On Mon, 2009-01-26 at 08:45 -0600, Tony Varriale wrote:
 This is how I normally do it.
 
 1) archive software to first switch /overwrite (from TFTP) without
reload.
 2) archive software to second switch /overwrite without reload.
 3) reload slot 1
 4) wait until switch 1 is operational and you are happy
 5) reload slot 2

Will this work? Wouldn't Stackwise see the two switches as incompatible?
We've started using pairs of 3750E with a CX4 link between them and just
plain rapid PVST+. Then we have some guarantees as to how the system
functions during upgrades.

Regards,
Peter




[c-nsp] upgrading stack of 3750E's

2009-01-26 Thread Holemans Wim
We are testing the following setup :

65XX-VSS - etherchannel - 3750E stack (2 switches) - teaming enabled
servers

 

This should give maximal uptime, overriding defects on the router or
3750E switches. We intend to use these switches in L2 mode only,
managing them via the mgmt fa0 interface.

 

I'm now looking into the upgrading procedure for the stack, but I can't
seem to find a way to do an upgrade in which at least one of the 3750E's
stays operational, thus minimizing downtime. As far as I can tell
from the doc, there is no way to upgrade e.g. the master switch, have it
reload (keeping the second switch operational), and after the master
becomes operational, (auto-)upgrade the second switch. Am I missing
something or is this scenario really not possible ?

 

Another scenario would be removing the switch from the stack (after
bringing down all ports first via console), changing the ip address of
the switch, bringing the mgmt port back online, doing the upgrade, bringing
the power down, reconnecting it to the stack and powering it up again.
Given the fact that the stack cables are rather fragile, this doesn't
seem the right way to do it, unless it is possible to shut down the stack
ports by a CLI command ?

 

Any suggestions, pointers to alternative upgrade procedures, ...

 

Thanks,

 

Wim Holemans

 

Network Services University of Antwerp

Netwerkdienst Universiteit Antwerpen

 



[c-nsp] Virtual Routers

2008-11-17 Thread Holemans Wim
Is there a way to divide a 6500 into multiple 'Virtual Routers' with
different routing tables ? I've read about VRF-Lite but it is always
mentioned in a VPN environment with remote and central devices. I need
to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and
back into the same 6500. Maybe PBR would do the trick but I'm still
looking for some good and clear info on virtual routing in a LAN
environment (if existing).

 

Thanks,

 

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



Re: [c-nsp] Catalyst 3750 stacks with many members

2008-11-17 Thread Holemans Wim
Got some personal mails all in support of the stacking, saw only
negative mails on the list, interesting...
The price difference between 2x 3750 and a 6504 is not so small and a 6504
with one supervisor is still a single point of failure where a cluster
of 2 switches would give me redundancy.

Thanks everyone for the answers, still not sure what we are going to do.

Wim Holemans

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Tinka
Sent: Monday 17 November 2008 2:10
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote:

 As a result of that we do not put stacks any more. If we need more 
 ports we simply join them using ethernet cables (and etherchannels) 
 and manage independently of each other.

It has always been my personal opinion that inter-switch trunking or
migrating to a small, single-chassis, multi-line-card based platform
(e.g., 6504-E) would offer far less headache than Stacking, and keep
things simple.

Given the feedback from folk on this thread so far, I think we did well
to avoid stacks.

Mark.


Re: [c-nsp] Catalyst 3750 stacks with many members

2008-11-16 Thread Holemans Wim
Could you/someone elaborate on 'failure of one part is a failure of the
stack' ?

I thought Cisco just pushed this construction to get more
redundancy/uptime in the network ?

We were planning to replace some single switches with a lot of dual-line
channels with a cluster of 2 of these 36xx or 37xx switches so we could
split the channels over 2 switches and still have a connection when one of
the switches failed. Reading the recent negative comments on switch
stacking I start wondering if this is a wise decision...

Wim Holemans
Network Services
University of Antwerp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of jamie rishaw
Sent: Friday 14 November 2008 20:55
To: Dale Shaw
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

Yeah..

  Replace them. With Chassis(es).

  Stacks are just a bad idea.

  Failure of one part of the stack is a failure of the stack.

  A 65xx serves just as well, better even; cheaper, more reliably, and
with
less BS..

  I'm in the middle of tossing (however many letters are, inclusive,
between
a and s) stacks, moving to 65xx chassis(es) with 10/100 //  triplespeed
blades... moving to paired '09's.  Cue the happy singing birds and obama
'yes we chassis' glory in 3.. 2.. 1..

-j

On Fri, Nov 14, 2008 at 12:19 PM, Dale Shaw
[EMAIL PROTECTED][EMAIL PROTECTED]
 wrote:

 Hi all,

 We have a few large (6 member) cat3750 stacks in our environment,
 most in L2 edge/access roles, and most providing PoE to cisco IP

phones.




-- 
..!google!arpa.com!j


[c-nsp] rtr responder on 6500

2008-10-20 Thread Holemans Wim
We are setting up a testbed for IP SLA monitoring and I wanted to
include our core 6500 switches in the test. For 2 of them this went
without problem, on two others this doesn't work : I get the following
error (after turning on debug) :

RTR unable to set SO_STRICT_ADDR_BIND option

 

I searched the Cisco website and also did a Google search but this
didn't give any results. Does anyone have an idea of what is going wrong here ?

Both non-working routers have a SUP32, the working ones a SUP2
supervisor.

Router1 s3223_rp-IPBASEK9-VM   Version 12.2(18)SXF6
WS-SUP32-GE-3B  : rtr responder not working

Router2 s222_rp-IPSERVICESK9-M Version 12.2(18)SXF6
WS-X6K-SUP2-2GE : rtr responder working

Router3 s3223_rp-IPBASEK9-VM   Version 12.2(18)SXF6
WS-SUP32-GE-3B  : rtr responder not working

Router4 s222_rp-IPSERVICESK9-M Version 12.2(18)SXF6
WS-X6K-SUP2-2GE : rtr responder working

 

Is it possible I need the ipservices version to do this ? Does anyone have a clue
what the error means ? The rtr responder command is accepted in all
versions.

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



[c-nsp] FWSM convertion

2008-10-01 Thread Holemans Wim
Does anyone have a good reference on the steps to take to convert a standalone
FWSM to the primary of a FAILOVER FWSM pair ? Current FWSM is running
3.2.8 and has 2 transparent contexts. Are there any steps that will
influence the current running FWSM (take it down or so) ?

 

Thanks,

 

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



[c-nsp] FWSM failover transparent mode

2008-09-05 Thread Holemans Wim
Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
month. Now we are thinking about buying a second FWSM to do failover in
order to limit downtime and facilitate upgrades : most of our servers
are connected to the 6513 carrying this FWSM.

We use the 2 standard virtual contexts of the FWSM, both in transparent
mode, 8 bridged vlans on one, 2 bridged vlans on the second.

 

In the release notes of 3.1.11 I however read under Open Caveats 

CSCm73157 : Failover is not working in transparent mode... 

 

Does anyone have experience with FWSM failover in transparent mode ? Does this
really not work ?

Does it work under 3.2 or 4.0 ?

 

Any info would be appreciated before we invest more than 15K Euros...

 

Wim Holemans

Netwerkdienst Universiteit Antwerpen

 



Re: [c-nsp] FWSM failover transparent mode

2008-09-05 Thread Holemans Wim
48 port 10/100/1000mb EtherModule  WS-X6148-GE-TX

Bought them without knowing about the 8-port 1 Gig limit ;
we plan to replace this construction next year with a VSS solution, type
of 65XX not yet chosen.

Wim Holemans

-Original Message-
From: Eric Cables [mailto:[EMAIL PROTECTED] 
Sent: Friday 5 September 2008 18:59
To: Holemans Wim
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server
connectivity in your 6513?  We deployed some 6513s as SF switches long
ago (bad decision), and are now swapping them out with the 6509-E
chassis due to the need for additional performance (6748s in all
slots).

--
Eric Cables



On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim [EMAIL PROTECTED]
wrote:
 Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
 month. Now we are thinking about buying a second FWSM to do failover in
 order to limit downtime and facilitate upgrades : most of our servers
 are connected to the 6513 carrying this FWSM.

 We use the 2 standard virtual contexts of the FWSM, both in transparent
 mode, 8 bridged vlans on one, 2 bridged vlans on the second.



 In the release notes of 3.1.11 I however read under Open Caveats

 CSCm73157 : Failover is not working in transparent mode...



 Does anyone have experience with FWSM failover in transparent mode ? Does
 this really not work ?

 Does it work under 3.2 or 4.0 ?



 Any info would be appreciated before we invest more than 15K Euros...



 Wim Holemans

 Netwerkdienst Universiteit Antwerpen





Re: [c-nsp] 6509 ACE/FWSM Modules??????????

2008-07-31 Thread Holemans Wim
Can someone clarify the PAGP problem ? I had a discussion with someone
of Cisco for a new design in one of our datarooms and we had chosen a
VSS solution with dual 3750E stacks and 20Gig uplinks in each rack to
the VSS chassis for maximum redundancy. According to our Cisco contact,
this was a working solution. If however it is impossible to make
channels between a 3750E cluster and both switches in a VSS, the
complete design has to be redone...

Wim Holemans
Network Services 
University of Antwerp



-Original Message-
From: Mike Louis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2008 6:19 PM
To: Teller, Robert; Tony Varriale; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 6509 ACE/FWSM Modules??

Last time I checked the 3750 did not support the pagp extensions for
vss. You would get an stp loop if you tried. Has this support changed?



[c-nsp] Cisco vulnerabilities

2008-05-12 Thread Holemans Wim
I got this via Qualys but haven't seen it on this list (hope I didn't
miss it). So to be sure :

 

The following vulnerabilities were added to the Vulnerability
KnowledgeBase of the QualysGuard Web service between May 05, 2008 and
May 11, 2008.

 

QID    Sev.  Title

...

43134  P 3  Cisco IOS OSPF, MPLS VPN, and Supervisor 32, ...
(CVE-2008-0537)

43135  P 3  Cisco IOS Multicast Virtual Private Network (...
(CVE-2008-1156)

 

 

Legend:

V: Vulnerability

P: Potential Vulnerability

 

 

To view the Vulnerability KnowledgeBase, use the following URL:

 

https://qualysguard.qualys.de/fo/tools/kbase.php

 

 



[c-nsp] Port down 6500 warning via syslog

2008-04-29 Thread Holemans Wim
I know I have seen this before, but I can't find the article.
On most cisco IOS switches, you get syslog messages if a port goes down
or up. On a 6500 this is not the case.
But I remember seeing an article in which a way was shown how to enable
this feature on 65XX IOS.
Does anyone have a pointer to this article or a short description on how to
enable port down/up syslog messages ?

Thanks,


Wim Holemans
Netwerkdienst Universiteit Antwerpen 


Re: [c-nsp] Port down 6500 warning via syslog

2008-04-29 Thread Holemans Wim
Thanks for all who answered to my question.

The command is :
logging event link-status default

Wim Holemans

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Holemans Wim
Sent: Tuesday 29 April 2008 10:38
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Port down 6500 warning via syslog

I know I have seen this before, but I can't find the article.
On most cisco IOS switches, you get syslog messages if a port goes down
or up. On a 6500 this is not the case.
But I remember seeing an article in which a way was shown how to enable
this feature on 65XX IOS.
Does anyone have a pointer to this article or a short description on how to
enable port down/up syslog messages ?

Thanks,


Wim Holemans
Netwerkdienst Universiteit Antwerpen


[c-nsp] etherchannel problems

2007-11-19 Thread Holemans Wim
We just got bitten by a serious etherchannel problem : we have a 2 gig
etherchannel link between 2 campuses.
Someone on the other end misconfigured an interface (typed 6/1 instead
of 1/6) and had overwritten the allowed vlans on one of the interfaces.
As a result of this, the interface was thrown out of the bundle (at that
side only) BUT the interface stayed UP. On the other campus, both
interfaces stayed in the bundle with very big problems as a result : the 6500 at
that side considered both lines as valid and distributed the packets
over both interfaces, sending half of the traffic into 'space'. 

If the interface had gone down as a result of the unbundling, there
would have been no problem. We only use static channel settings, so no
etherchannel negotiation between switches. Can this be solved with
dynamic etherchannel bundling ? Or does someone have another solution for this
problem ?

Wim Holemans
Networkservices University of Antwerp


[c-nsp] Max performance 6148(A--GE-TX boards

2007-10-25 Thread Holemans Wim
We have a bunch of 65XX with 6148-GE-TX or 6148A-GE-TX boards to connect
a large number of servers and different etherchannels between them.
When I checked the release notes for 12.2SX, I found the following lines:

...
WS-X6148A-GE-TX
*Number of ports: 48
Number of port groups: 6
Port ranges per port group: 1-8, 9-16, 17-24, 25-32, 33-40, 41-48 *The
aggregate bandwidth of each port group is 1 Gbps.

WS-X6148-GE-TX
*Number of ports: 48
Number of port groups: 2
Port ranges per port group: 1-24, 25-48
Note WS-X6148-GE-TX, WS-X6148V-GE-TX, and WS-X6148-GE-45AF do not
support these features:
*More than 1 Gbps of traffic per EtherChannel 
...

Can anyone comment on this ? Does this mean we can get a max of 6 Gig
throughput on a 6148A card and max 2 Gbit on a 6148 ? Or do these
numbers only apply to etherchannels ? I don't seem to find the right
performance figures for these cards.

Thanks for your comments,

Wim Holemans
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
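Both of the last two posts are about etherchannel members that look fine individually but break the bundle as a whole: a member whose allowed-VLAN list was overwritten while the port stayed up (the static-mode problem in the earlier post), and members that sit in the same port group of a 6148A-GE-TX or 6148-GE-TX card and so share that group's aggregate bandwidth. The following is an added example, not code from either post or from Cisco: a Python audit that parses a constructed IOS config fragment, groups the members of each channel-group, and reports three conditions per channel: allowed-VLAN lists that differ between members, `mode on` (static) bundling with no LACP/PAgP negotiation to catch the peer's unbundling, and members that share a port group. The port-group sizes are taken from the release-note excerpt quoted above (8 ports per group on the 6148A, 24 on the 6148); the config fragment, interface names and channel-group numbers are constructed.

```python
import re
from collections import defaultdict

# Port-group layout from the 12.2SX release-note excerpt quoted in the post:
# WS-X6148A-GE-TX has six groups of 8 ports, WS-X6148-GE-TX two groups of 24.
PORT_GROUP_SIZE = {"WS-X6148A-GE-TX": 8, "WS-X6148-GE-TX": 24}

# Constructed config fragment (not from a real device). Channel 1 is the
# static bundle where one member's allowed-VLAN list was overwritten;
# channel 2 is an LACP bundle whose members sit in different 8-port groups.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/5
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode on
!
interface GigabitEthernet1/6
 switchport trunk allowed vlan 10,20
 channel-group 1 mode on
!
interface GigabitEthernet1/9
 switchport trunk allowed vlan 10,20,30
 channel-group 2 mode active
!
interface GigabitEthernet1/17
 switchport trunk allowed vlan 10,20,30
 channel-group 2 mode active
!
"""


def parse_interfaces(config):
    """Map interface name -> the settings this audit cares about."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.strip() == "!":          # end of an interface stanza
            cur = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"vlans": None, "group": None, "mode": None}
            continue
        if cur is None:
            continue
        m = re.match(r"\s+switchport trunk allowed vlan (\S+)", line)
        if m:
            ifaces[cur]["vlans"] = m.group(1)
        m = re.match(r"\s+channel-group (\d+) mode (\S+)", line)
        if m:
            ifaces[cur]["group"] = int(m.group(1))
            ifaces[cur]["mode"] = m.group(2)
    return ifaces


def channel_members(ifaces):
    """channel-group number -> sorted list of member interface names."""
    groups = defaultdict(list)
    for name, cfg in ifaces.items():
        if cfg["group"] is not None:
            groups[cfg["group"]].append(name)
    return {g: sorted(m) for g, m in groups.items()}


def port_group(ifname, card):
    """Zero-based port group of 'GigabitEthernet1/17' on the given card type."""
    port = int(ifname.rsplit("/", 1)[1])
    return (port - 1) // PORT_GROUP_SIZE[card]


def audit_channels(config, card):
    """Return channel-group -> list of issue tags (empty list means clean)."""
    ifaces = parse_interfaces(config)
    findings = {}
    for group, members in channel_members(ifaces).items():
        issues = []
        if len({ifaces[m]["vlans"] for m in members}) > 1:
            issues.append("vlan-mismatch")        # members no longer carry the same VLANs
        if "on" in {ifaces[m]["mode"] for m in members}:
            issues.append("static-mode")          # peer can unbundle without this side noticing
        pgs = [port_group(m, card) for m in members]
        if len(set(pgs)) < len(pgs):
            issues.append("shared-port-group")    # members compete for one group's bandwidth
        findings[group] = issues
    return findings


if __name__ == "__main__":
    for card in PORT_GROUP_SIZE:
        print(card, audit_channels(SAMPLE_CONFIG, card))
```

Running it against both card types shows why the card matters: channel 2's members (ports 9 and 17) land in separate 8-port groups on a 6148A but in the same 24-port group on a 6148, while channel 1 is flagged on every count regardless of card.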


[c-nsp] Temp sensors on 6500 48 10/100/1000 module

2007-07-18 Thread Holemans Wim
Can anyone tell me where the temp sensors on a WS-X6148-GE-TX board are
physically located ?

This is part of the env info :

  module 2 outlet temperature: 27C
  module 2 inlet temperature: 24C
  module 2 device-1 temperature: 25C
  module 2 device-2 temperature: 27C
  module 3 outlet temperature: 27C
  module 3 inlet temperature: 25C
  module 3 device-1 temperature: 25C
  module 3 device-2 temperature: 30C
  module 4 outlet temperature: 27C
  module 4 inlet temperature: 25C
  module 4 device-1 temperature: 25C
  module 4 device-2 temperature: 28C

Modules 2-4 are the same modules and all temps seem to be within limits,
but module 3 device-2 temp is rather high compared to the other
temperatures. Can anyone tell me where this sensor is physically located
on the board? Front? Back? Left? Right?

I also have a question about the fans : there is a command to show the
fan status but what is the output if one of the fans fails ? 
Does it signal single fan failure or only full-fan failure ?

Greetings,

Wim Holemans
Network Services
University of Antwerp
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
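The post above spots the odd reading by eye (module 3 device-2 at 30C against 27C and 28C on identical modules). That comparison is easy to automate, and doing so catches a sensor drifting before it reaches the platform's own alarm limit. The following is an added example, not code from the post or from Cisco: a Python parser for the `module N <sensor> temperature: NNC` lines quoted in the post, which groups readings by sensor type across like modules, compares each against the median of its peers, and flags any reading that sits `delta` degrees or more above that median. The sensor lines are copied from the post as sample input; the 2-degree delta and the 40C absolute limit are assumed values for the example, not Cisco thresholds.

```python
import re
from collections import defaultdict
from statistics import median

# Sensor lines copied from the post above, used as sample input.
ENV_OUTPUT = """\
  module 2 outlet temperature: 27C
  module 2 inlet temperature: 24C
  module 2 device-1 temperature: 25C
  module 2 device-2 temperature: 27C
  module 3 outlet temperature: 27C
  module 3 inlet temperature: 25C
  module 3 device-1 temperature: 25C
  module 3 device-2 temperature: 30C
  module 4 outlet temperature: 27C
  module 4 inlet temperature: 25C
  module 4 device-1 temperature: 25C
  module 4 device-2 temperature: 28C
"""

SENSOR_RE = re.compile(r"module (\d+) (\S+) temperature: (\d+)C")


def parse_env(text):
    """Return {(module, sensor): celsius} for every sensor line found."""
    readings = {}
    for line in text.splitlines():
        m = SENSOR_RE.search(line)
        if m:
            readings[(int(m.group(1)), m.group(2))] = int(m.group(3))
    return readings


def peer_outliers(readings, delta=2):
    """Readings at least `delta` C above the median of the same sensor on
    the other modules. Returns [(module, sensor, temp, median)]; sensors
    present on fewer than three modules are skipped (no meaningful peers)."""
    by_sensor = defaultdict(dict)
    for (mod, sensor), temp in readings.items():
        by_sensor[sensor][mod] = temp
    flagged = []
    for sensor, per_mod in by_sensor.items():
        if len(per_mod) < 3:
            continue
        med = median(per_mod.values())
        for mod, temp in sorted(per_mod.items()):
            if temp - med >= delta:
                flagged.append((mod, sensor, temp, med))
    return flagged


def over_limit(readings, limit=40):
    """Readings at or above an absolute limit (assumed value, not a Cisco figure)."""
    return sorted((mod, sensor, t) for (mod, sensor), t in readings.items() if t >= limit)


if __name__ == "__main__":
    r = parse_env(ENV_OUTPUT)
    print("peer outliers:", peer_outliers(r))
    print("over limit:", over_limit(r))
```

The peer comparison is the part that adds value over a plain threshold: a chassis full of identical line cards gives you a built-in baseline per sensor position, so a single board running warmer than its siblings stands out even when every reading is still individually "within limits".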