Re: [c-nsp] Question about 9410R interface naming

2020-09-10 Thread Nick Cutting
Nexus has it right - everything is "E"


From: cisco-nsp  On Behalf Of aar...@gvtc.com
Sent: Thursday, September 10, 2020 5:58 PM
To: 'Nick Hilliard' 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Question about 9410R interface naming

This message originates from outside of your organisation.

Juniper was good with port id's until the MX204 :)

Now XE doesn't always mean 10 gig

set interfaces xe-0/1/4 gigether-options speed 1g

agould@dallas-204-1> show interfaces xe-0/1/4 | grep speed
Link-level type: Flexible-Ethernet, MTU: 9216, MRU: 9224, LAN-PHY mode, Speed: 10Gbps, BPDU Error: None,
Speed Configuration: 1G

-aaron


___
cisco-nsp mailing list 
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at 
http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] cli auto-complete on configured names

2020-09-02 Thread Nick Cutting
There is a little bit of this on NXOS now - just a bit more each release, like 
tabbing out man-made prefix lists

From: cisco-nsp  On Behalf Of aar...@gvtc.com
Sent: Wednesday, September 2, 2020 5:44 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cli auto-complete on configured names


RP/0/0/CPU0:r22#sh mpls traffic-eng tunnels name ?
r22--->r20 Tunnel name (if contains space, enclose name with " ")
r20--->r22 Tunnel name (if contains space, enclose name with " ")
r25_t101 Tunnel name (if contains space, enclose name with " ")
WORD Tunnel name (if contains space, enclose name with " ")

RP/0/0/CPU0:r22#sh mpls traffic-eng tunnels name r22--->r20


Beautiful. Whoever coded this must've spent some time working with Juniper on Junos.

I rarely ever see IOS/XE/XR have an auto-complete (tab key) on configured names of items.

Thanks!

Aaron
aar...@gvtc.com



Re: [c-nsp] [External Email] Re: big uptime - what you got ?

2020-02-10 Thread Nick Cutting
Nice, my VSS is only-

sh ver
Cisco IOS Software, s2t54 Software (s2t54-ADVIPSERVICESK9-M), Version 15.2(1)SY1a, RELEASE SOFTWARE (fc6)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 29-Sep-15 15:57 by prod_rel_team

ROM: System Bootstrap, Version 12.2(50r)SYS3, RELEASE SOFTWARE (fc1)

CSW-01 uptime is 4 years, 47 weeks, 2 hours, 9 minutes
Switch mode  : Virtual Switch
Virtual switch domain number : 100
Local switch number  : 1
Local switch operational role: Virtual Switch Active
Peer switch number   : 2
Peer switch operational role : Virtual Switch Standby

but in my opinion, VSS can take a bigger punch than a stack


From: cisco-nsp  On Behalf Of Alan D Wang
Sent: Monday, February 10, 2020 1:58 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] [External Email] Re: big uptime - what you got ?


I see your switch stack entry and raise you my 4500x VSS entry
ens-dist#sh ver | i IOS-XE
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software
(cat4500e-UNIVERSALK9-M), Version 03.04.05.SG RELEASE SOFTWARE (fc1)
Cisco IOS-XE software, Copyright (c) 2005-2010, 2012 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE

ens-dist uptime is 6 years, 2 weeks, 5 days, 22 hours, 52 minutes



On Mon, Feb 10, 2020 at 1:35 PM Nick Cutting  wrote:

> My switch-stack entry:
>
> DSW-01#sh ver
> Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2010 by Cisco Systems, Inc.
> Compiled Wed 21-Apr-10 05:11 by prod_rel_team
> Image text-base: 0x3000, data-base: 0x0240
>
> ROM: Bootstrap program is C3750E boot loader
> BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE1, RELEASE SOFTWARE (fc1)
>
> DSW-01 uptime is 3 years, 27 weeks, 3 days, 17 hours, 12 minutes
> System returned to ROM by power-on
> System restarted at 04:10:28 bst Tue Aug 2 2016
> System image file is "flash:/c3750e-universalk9-mz.122-53.SE2/c3750e-universalk9-mz.122-53.SE2.bin"
>
> Switch Ports Model              SW Version    SW Image
> ------ ----- -----              ----------    --------
> *    1 54    WS-C3750X-48       12.2(53)SE2   C3750E-UNIVERSALK9-M
>      2 54    WS-C3750X-48       12.2(53)SE2   C3750E-UNIVERSALK9-M
>
> From: cisco-nsp  On Behalf Of Nick Cutting
> Sent: Monday, February 10, 2020 1:27 PM
> To: Aaron Gould ; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] big uptime - what you got ?
> Subject: Re: [c-nsp] big uptime - what you got ?
>
>
> Interested to see longest uptime on a switchstack. Cannot imagine it being
> more than 4 years.
> Stack disease always comes at you before long.
>
> From: cisco-nsp  On Behalf Of Aaron Gould
> Sent: Monday, February 10, 2020 10:35 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] big uptime - what you got ?
> Subject: [c-nsp] big uptime - what you got ?
>
>
> Holy cow! Beat that
>
>
>
> dsw2-4503#sh ver | in uptime
>
> dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes
>
>
>
> dsw2-4503#sh ver | in IOS
>
> Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M),
> Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)
>
>
>
> -Aaron
>

Re: [c-nsp] big uptime - what you got ?

2020-02-10 Thread Nick Cutting
My switch-stack entry:

DSW-01#sh ver
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(53)SE2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 21-Apr-10 05:11 by prod_rel_team
Image text-base: 0x3000, data-base: 0x0240

ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE1, RELEASE SOFTWARE (fc1)

DSW-01 uptime is 3 years, 27 weeks, 3 days, 17 hours, 12 minutes
System returned to ROM by power-on
System restarted at 04:10:28 bst Tue Aug 2 2016
System image file is "flash:/c3750e-universalk9-mz.122-53.SE2/c3750e-universalk9-mz.122-53.SE2.bin"

Switch Ports Model              SW Version    SW Image
------ ----- -----              ----------    --------
*    1 54    WS-C3750X-48       12.2(53)SE2   C3750E-UNIVERSALK9-M
     2 54    WS-C3750X-48       12.2(53)SE2   C3750E-UNIVERSALK9-M

From: cisco-nsp  On Behalf Of Nick Cutting
Sent: Monday, February 10, 2020 1:27 PM
To: Aaron Gould ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] big uptime - what you got ?


Interested to see longest uptime on a switchstack. Cannot imagine it being more than 4 years.
Stack disease always comes at you before long.

From: cisco-nsp  On Behalf Of Aaron Gould
Sent: Monday, February 10, 2020 10:35 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] big uptime - what you got ?
Subject: [c-nsp] big uptime - what you got ?


Holy cow! Beat that



dsw2-4503#sh ver | in uptime

dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes



dsw2-4503#sh ver | in IOS

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M),
Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)



-Aaron



Re: [c-nsp] big uptime - what you got ?

2020-02-10 Thread Nick Cutting
Interested to see longest uptime on a switchstack. Cannot imagine it being more than 4 years.
Stack disease always comes at you before long.

From: cisco-nsp  On Behalf Of Aaron Gould
Sent: Monday, February 10, 2020 10:35 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] big uptime - what you got ?


Holy cow! Beat that



dsw2-4503#sh ver | in uptime

dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes



dsw2-4503#sh ver | in IOS

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M),
Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)



-Aaron



Re: [c-nsp] 10/25 interface behavior

2020-01-30 Thread Nick Cutting
Or the way nexus does it - E for everything, best of all.

From: cisco-nsp  On Behalf Of Gehring Kai
Sent: Thursday, January 30, 2020 6:41 AM
To: Tom Hill ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10/25 interface behavior


At least on the Catalyst 9000 series it looks like they switched to always 
using the highest bandwidth that would potentially be available on that 
interface... just checked on a 9200L and a 9500-16X: The interface name is 
always TenGigabitEthernet, even if you use 1Gbit SFPs in them.

Much better imho, different interface names with different transceivers is just 
such a pain..




Re: [c-nsp] 3800 layer 2 Switch

2019-11-11 Thread Nick Cutting
No, but you might need to use the "force" and/or the "new" command. I got stuck on my first upgrade between these versions for hours before finding some obscure message board post about the force command.

Something like this:

Switch# software install file flash:cat3k_caa-universalk9.16.06.01.SPA.bin new force
Preparing install operation...

I've upgraded many stacks from 3.6 or 3.7 to 16.x.x code.

From: cisco-nsp  On Behalf Of Harry Hambi - Atos
Sent: Monday, November 11, 2019 10:06 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 3800 layer 2 Switch


Hi All, have some 3800 running 03.07.04E code, want to upgrade to 16.06.05. 
Seems like a big jump, do I need to upgrade to some intermediate code first?


Thanks
Broadcast Networks
BBC Operations
Harry Hambi BEng(Hons) MIET Rsgb



Re: [c-nsp] Can ASR920 handle ip vrf forwarding X combined with tunnel vrf Y on a tunnel interface?

2019-08-20 Thread Nick Cutting
Are the tunnel source and destination IP addresses in vrf TEST, with routes? Like an F-VRF.
If this operates like an ASR/ISR4k, then you can put the tunnel IP in whatever table you choose.

-Original Message-
From: cisco-nsp  On Behalf Of Peter Olsson
Sent: Tuesday, August 20, 2019 3:47 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Can ASR920 handle ip vrf forwarding X combined with tunnel vrf Y on a tunnel interface?


Hello!

I have this configuration on a tunnel interface in an ASR920:

interface Tunnel0
 ip address 192.168.154.2 255.255.255.0
 keepalive 10 3
 tunnel source 10.50.3.2
 tunnel destination 10.50.3.1

Works fine, the tunnel between the ASR920 and the other router is connected.

Then I add both vrf lines with the same vrf, like this:

interface Tunnel0
 ip address 192.168.154.2 255.255.255.0
 ip vrf forwarding TEST
 keepalive 10 3
 tunnel source 10.50.3.2
 tunnel destination 10.50.3.1
 tunnel vrf TEST

And add vrf TEST to the 10.50.3.2 interface:
interface BDI653
 ip vrf forwarding TEST
 ip address 10.50.3.2 255.255.255.0

This also works fine, the tunnel is connected.

But what we want to do is this:

interface Tunnel0
 ip address 192.168.154.2 255.255.255.0
 ip vrf forwarding OTHER_VRF
 keepalive 10 3
 tunnel source 10.50.3.2
 tunnel destination 10.50.3.1
 tunnel vrf TEST

This configuration doesn't work.
What happens is that the tunnel in the ASR920 is up/line up, but the tunnel in 
the other router is up/line down.
Both tunnels increase their packets input and packets output, probably because 
of keepalive, but there is no connection.
Strange that the other routers both counters are increasing even though the 
tunnel in that router has line down?
Maybe the traffic flows, but something is missing for activation?

It doesn't help if I remove either of the vrf lines, that also fails in the 
same way.

I don't know if network sniff could show something interesting, I will try that 
tomorrow when I'm at site.

But does anyone know if our wanted configuration is possible in ASR920?

The ASR920 is an ASR-920-24SZ-IM running asr920-universalk9_npe.16.12.01.SPA.bin

debug tunnel and debug tunnel events doesn't help, they look about the same to 
me in either configuration.

This is debug output with both vrf lines removed from the tunnel:
*Aug 20 11:42:46.245: Tunnel0: GRE/IP (PS) to decaps 10.50.3.1->10.50.3.2 (tbl=0,"default" len=48 ttl=254)
*Aug 20 11:42:46.245: Tunnel0: Pak Decapsulated on BDI653, ptype 0x800, nw start 0x784BD67E, mac start 0x784BD658, datagram size 24 link type 0x7
*Aug 20 11:42:46.245: Tunnel0: GRE decapsulated IP packet (linktype=7, len=24)
*Aug 20 11:42:46.245: Tunnel0: GRE decapsulated IP packet (linktype=7, len=24)
*Aug 20 11:42:52.614: Tunnel0: GRE/IP (PS) to decaps 10.50.3.1->10.50.3.2 (tbl=0,"default" len=68 ttl=254)
*Aug 20 11:42:52.614: Tunnel0: Pak Decapsulated on BDI653, ptype 0x800, nw start 0x784C90BE, mac start 0x784C9098, datagram size 44 link type 0x7
*Aug 20 11:42:52.614: Tunnel0: GRE decapsulated IP packet (linktype=7, len=44)
*Aug 20 11:42:52.614: Tunnel0: GRE decapsulated IP packet (linktype=7, len=44)
*Aug 20 11:42:52.615: Tunnel0: GRE/IP encapsulated 10.50.3.2->10.50.3.1 (linktype=7, len=64)

This is debug output with "tunnel vrf TEST" in the tunnel:
*Aug 20 11:48:36.957: Tunnel0: GRE/IP (PS) to decaps 10.50.3.1->10.50.3.2 (tbl=6,"TEST" len=48 ttl=254)
*Aug 20 11:48:36.957: Tunnel0: Pak Decapsulated on BDI653, ptype 0x800, nw start 0x784927B2, mac start 0x7849278C, datagram size 24 link type 0x7
*Aug 20 11:48:36.957: Tunnel0: GRE decapsulated IP packet (linktype=7, len=24)
*Aug 20 11:48:36.957: Tunnel0: GRE decapsulated IP packet (linktype=7, len=24)
*Aug 20 11:48:44.084: Tunnel0: GRE/IP encapsulated 10.50.3.2->10.50.3.1 (linktype=7, len=48)
*Aug 20 11:48:44.087: Tunnel0: GRE/IP (PS) to decaps 10.50.3.1->10.50.3.2 (tbl=6,"TEST" len=24 ttl=252)
*Aug 20 11:48:46.955: Tunnel0: GRE/IP (PS) to decaps 10.50.3.1->10.50.3.2 (tbl=6,"TEST" len=48 ttl=254)
*Aug 20 11:48:46.955: Tunnel0: Pak Decapsulated on BDI653, ptype 0x800, nw start 0x784A908E, mac start 0x784A9068, datagram size 24 link type 0x7
*Aug 20 11:48:46.956: Tunnel0: GRE decapsulated IP packet (linktype=7, len=24)
*Aug 20 11:48:46.956: Tunnel0: GRE decapsulated IP packet (linktype=7, len=24)

Thanks!

--
Peter Olsson
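Cisco's GRE keepalive is what makes both counters move on a tunnel whose far end is line-down: the sender wraps an inner IP/GRE packet that is already addressed peer->local inside the outer GRE to the peer; the peer strips the outer header and ordinary forwarding carries the inner packet back, where it is counted as a keepalive reply (GRE protocol type 0, no payload). That is 20+4 bytes inner and 48 bytes outer, the same sizes as the `len=48` decaps carrying 24-byte datagrams in Peter's debug. The model below is an added example, not code from the thread or from IOS-XE; the `rib` tables are assumed, and which table the ASR920 really consults to route the reflected packet (the tunnel vrf or the interface's ip vrf forwarding) is left as an explicit parameter rather than asserted.

```python
import struct
import ipaddress

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800        # GRE protocol type for an IPv4 payload (the debug's ptype 0x800)
GRE_PROTO_KEEPALIVE = 0x0000   # Cisco keepalives use protocol type 0 in the inner GRE header


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header carrying GRE, with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, IPPROTO_GRE, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encap(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Outer IPv4 + 4-byte GRE header (RFC 2784, no C/K/S options) + payload."""
    return ipv4_header(src, dst, 4 + len(payload), ttl) + struct.pack("!HH", 0, proto) + payload


def gre_decap(packet: bytes):
    """Validate outer IPv4 + GRE and return (src, dst, gre_proto, payload)."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    # optional fields: C (checksum) 0x8000, K (key) 0x2000, S (sequence) 0x1000
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return src, dst, proto, packet[ihl + gre_len:total_len]


def build_keepalive(local: str, peer: str) -> bytes:
    """Sender side. The inner packet is pre-addressed peer->local so that once the peer
    strips the outer GRE, plain forwarding returns it: 20+4 inner, 20+4+24 = 48 outer."""
    inner = gre_encap(peer, local, GRE_PROTO_KEEPALIVE, b"")
    return gre_encap(local, peer, GRE_PROTO_IPV4, inner)


def route_lookup(rib: dict, dst: str):
    """Longest-prefix match in one table; rib maps prefix -> egress interface (assumed shape)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, egress in rib.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def peer_reflects_keepalive(packet: bytes, rib: dict):
    """Peer side: decapsulate, then forward the inner packet by its destination using `rib`.
    Returns (egress_interface_or_None, inner_packet). Which table a platform consults here
    (tunnel vrf vs. the interface's ip vrf forwarding) is what to verify on the box."""
    _, _, proto, inner = gre_decap(packet)
    if proto != GRE_PROTO_IPV4:
        raise ValueError("keepalive carrier must be GRE/IPv4")
    inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
    return route_lookup(rib, inner_dst), inner


def is_keepalive_reply(packet: bytes, local: str) -> bool:
    """Originator side: a bare IPv4+GRE packet to us with protocol type 0 and no payload."""
    _, dst, proto, payload = gre_decap(packet)
    return dst == local and proto == GRE_PROTO_KEEPALIVE and payload == b""
```

If the table the peer uses for the inner lookup has no route back to the originator's tunnel source, the reflected packet is dropped after decapsulation, so the peer's input counter rises while the originator never sees a reply; that is the split to look for with the debug output before suspecting the tunnel itself.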


Re: [c-nsp] OSPF flapping between Nexus 7000 and ASR 1001x

2019-07-09 Thread Nick Cutting
Is that a dark fiber P2P or an ISP provided "L2 over L3 P2P"?
If it's the latter like an eLine link - could they be re-routing traffic on 
their underlay where the mtu changes maybe?

-Original Message-
From: cisco-nsp  On Behalf Of Richard Mikisa
Sent: Tuesday, July 9, 2019 11:58 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OSPF flapping between Nexus 7000 and ASR 1001x


Hi All,

I am running OSPF across a point to point link between a Nexus 7000 and an 
ASR1000x.

The OSPF works fine but every couple of hours, it breaks and neighbor state 
goes into EXCHANGE and remains there for another 40 minutes or so. It then goes 
into full, OSPF comes up and all is well for another couple of hours or so and 
then the cycle starts again. All the time, IP connectivity between the two 
point to point IPs is up.

Configuration as below..

ASR1001x#sh run int g0/0/1
interface GigabitEthernet0/0/1
 description ** MPLS London -  SO031732 **
 mtu 9216
 ip address 10.32.250.17 255.255.255.252
 ip ospf network point-to-point
 ip ospf mtu-ignore
 negotiation auto
 cdp enable
end

ASR1000x#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
40.1.1.1          0   EXCHANGE/  -    00:00:33    10.32.250.18    GigabitEthernet0/0/1
10.32.8.253       1   FULL/DR         00:00:32    10.32.250.1     GigabitEthernet0/0/0


On the Nexus
N7K1-LON-AGG# sh run int vlan 3960

interface Vlan3960
  no shutdown
  mtu 9216
  ip address 10.32.250.18/30
  ip ospf cost 1
  ip ospf network point-to-point
  no ip ospf passive-interface
  ip ospf mtu-ignore
  ip router ospf 100 area 0.0.0.32

N7K1-LON-AGG# sh ip ospf neighbors 10.32.250.2
 OSPF Process ID 100 VRF default
 Total number of neighbors: 15
 Neighbor ID     Pri State            Up Time  Address         Interface
 10.32.250.2       1 EXCHANGE/ -      00:05:06 10.32.250.17    Vlan3960
N7K1-LON-AGG#

And the logs on the ASR

Jul  9 14:33:00.682: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from FULL to DOWN, Neighbor Down: Too many retransmissions
Jul  9 14:34:00.683: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from DOWN to DOWN, Neighbor Down: Ignore timer expired
Jul  9 14:34:46.962: %CLNS-5-ADJCHANGE: ISIS (Overlay1): Adjacency to N7K1-LON-OTV (Overlay1) Down, hold time expired
Jul  9 14:39:56.543: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from EXCHANGE to DOWN, Neighbor Down: Interface down or detached
Jul  9 14:55:20.865: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from EXCHANGE to DOWN, Neighbor Down: Interface down or detached
.Jul  9 15:06:25.955: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from EXCHANGE to DOWN, Neighbor Down: Too many retransmissions
.Jul  9 15:07:25.955: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from DOWN to DOWN, Neighbor Down: Ignore timer expired
.Jul  9 15:37:57.514: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from LOADING to FULL, Loading Done
.Jul  9 15:38:03.296: %CLNS-5-ADJCHANGE: ISIS (Overlay1): Adjacency to 8478.AC22.FEC3 (Overlay1) Up, new adjacency
.Jul  9 15:42:25.399: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: richard.mikisa] [Source: 10.0.1.2] [localport: 22] at 15:42:25 UTC Tue Jul 9 2019


Can someone advise on where to look?
--
cheers
Richard
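An added example (not from the thread) that turns Richard's syslog lines into a timeline: it parses the %OSPF-5-ADJCHG messages, pairs each departure from FULL with the next return, and singles out "Too many retransmissions", which IOS logs when it has given up retransmitting unacknowledged DBD/LSR/LSU packets and then ignores the neighbour until the ignore timer expires (60 s later in these lines). Hellos were still arriving, so the link was up but the database exchange never completed, which is the pattern Nick's MTU question is aimed at. The log lines are Richard's, with the wrapping repaired; only the year is assumed, since IOS timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Richard's syslog lines (wrapping repaired). A leading "." is what IOS prints when its
# clock is not authoritative; the regex tolerates it. The ISIS line is ignored on purpose.
SAMPLE_LOG = """\
Jul  9 14:33:00.682: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from FULL to DOWN, Neighbor Down: Too many retransmissions
Jul  9 14:34:00.683: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from DOWN to DOWN, Neighbor Down: Ignore timer expired
Jul  9 14:34:46.962: %CLNS-5-ADJCHANGE: ISIS (Overlay1): Adjacency to N7K1-LON-OTV (Overlay1) Down, hold time expired
Jul  9 14:39:56.543: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from EXCHANGE to DOWN, Neighbor Down: Interface down or detached
Jul  9 14:55:20.865: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from EXCHANGE to DOWN, Neighbor Down: Interface down or detached
.Jul  9 15:06:25.955: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from EXCHANGE to DOWN, Neighbor Down: Too many retransmissions
.Jul  9 15:07:25.955: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from DOWN to DOWN, Neighbor Down: Ignore timer expired
.Jul  9 15:37:57.514: %OSPF-5-ADJCHG: Process 100, Nbr 40.1.1.1 on GigabitEthernet0/0/1 from LOADING to FULL, Loading Done
"""

ADJCHG_RE = re.compile(
    r"^\.?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): %OSPF-5-ADJCHG: "
    r"Process (?P<proc>\d+), Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) "
    r"from (?P<old>[A-Z]+) to (?P<new>[A-Z]+), (?P<reason>.+)$"
)


def parse_adjchg(text: str, year: int = 2019):
    """One dict per %OSPF-5-ADJCHG line: timestamp, neighbour, old/new state, bare reason."""
    events = []
    for line in text.splitlines():
        m = ADJCHG_RE.match(line)
        if not m:
            continue
        ts_text = re.sub(r"\s+", " ", m["ts"])          # "Jul  9" -> "Jul 9"
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S.%f")
        reason = m["reason"]
        if reason.startswith("Neighbor Down: "):
            reason = reason[len("Neighbor Down: "):]
        events.append({"ts": ts, "process": int(m["proc"]), "neighbor": m["nbr"],
                       "interface": m["intf"], "old": m["old"], "new": m["new"],
                       "reason": reason})
    return events


def outages(events):
    """Pair each departure from FULL with the next return to FULL; seconds spent out of FULL."""
    result, start = [], None
    for e in events:
        if start is None and e["old"] == "FULL" and e["new"] != "FULL":
            start = e
        elif start is not None and e["new"] == "FULL":
            result.append({"down": start["ts"], "up": e["ts"],
                           "seconds": (e["ts"] - start["ts"]).total_seconds(),
                           "first_reason": start["reason"]})
            start = None
    return result


def reason_counts(events) -> Counter:
    return Counter(e["reason"] for e in events)


def retransmission_drops(events):
    """Events where the router gave up retransmitting unacknowledged DBD/LSR/LSU packets.
    Unlike 'Dead timer expired', these mean the peer was reachable but the exchange never
    finished: chase path MTU, filtering or control-plane policing, not link state."""
    return [e for e in events if e["reason"] == "Too many retransmissions"]
```

Run over the lines above it reports one outage of about 65 minutes (14:33:00 to 15:37:57), opened by a retransmission give-up, followed by repeated EXCHANGE to DOWN transitions before the adjacency finally loads; that matches the 40-minute EXCHANGE hang Richard describes.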


Re: [c-nsp] ASR 920 Replacement

2019-06-27 Thread Nick Cutting
Don't forget the PhD in rocket surgery required for smartnet

-Original Message-
From: cisco-nsp  On Behalf Of Gert Doering
Sent: Thursday, June 27, 2019 12:05 PM
To: Łukasz Bromirski 
Cc: Gert Doering ; Cisco-nsp (cisco-nsp@puck.nether.net) 
Subject: Re: [c-nsp] ASR 920 Replacement


Hi,

On Thu, Jun 27, 2019 at 06:02:15PM +0200, Łukasz Bromirski wrote:
> > The table on software licensing looks like the usual Cisco 
> > nightmare, just more of it.
> 
> Oh c'mon, what would happen if we'd nail down *both* product and 
> licensing? Hell would freeze ;)

*sigh*.  Well said.

(And, if you get the list price / discount thingie in order, *and* fix the web site, then you might just squash the competition out there... :-) )

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de



Re: [c-nsp] Nexus 3548 No Traffic on a Port

2019-06-18 Thread Nick Cutting
What is the port?

There is a certain port on that code that stops passing traffic like 17 or 
something

-Original Message-
From: cisco-nsp  On Behalf Of Mike Hammett
Sent: Tuesday, June 18, 2019 3:01 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 3548 No Traffic on a Port


Have any of you seen this behavior with Nexus 3500s or any Nexus? The port just stops transmitting after some unknown time. It receives, but no transmit. This appears to migrate to other ports after a while. A reboot fixes it for a month or so. It's running Cisco NX-OS 7.0(3)I7(3). 




-
Mike Hammett
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 



Re: [c-nsp] Migrating a LACP bond on Catalyst to a vPC on Nexus

2019-05-02 Thread Nick Cutting
Just run a trunk between the two with all the VLANs you need while you are 
migrating.  
It will not be hitless when moving the port-channels, as the LACP ID's will not 
match between the 3850 and the VPC member switches.  
Be conscious of your gateways, and check spanning tree is forwarding on all the 
correct vlans on  uplinks/downlinks.

Set up your VPC domain first, with a bunch of test bonded links before the migration. VPC will allow each nexus to send the same LACP ID so that the downstream device thinks it's the same switch.
Then add the VLANs to be migrated.

VPC - you should spend some serious time investigating, as there are a lot more 
scenarios that will stop forwarding traffic than a simple LACP aggregation.

-Original Message-
From: cisco-nsp  On Behalf Of Giles Coochey
Sent: Wednesday, May 1, 2019 4:53 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Migrating a LACP bond on Catalyst to a vPC on Nexus


Hi All,

Working for a client, they have a need to migrate a LACP bond from a Catalyst 
3850 stack to a vPC bond on a Nexus pair (93180 TOR type)

There is an existing trunk bond between the Catalyst 3850s and the Nexus so the 
Layer-2 is present across these and VLANs in the bond are the same on both 
switches. The endpoints on the bonds are hosts, and configured for LACP 
(channel-group x mode active), 2 ports per channel.

What advice is there to migrate hosts on the 3850 stack to the Nexus, can it be 
performed in a hitless manner?

Many Thanks!

Giles



Re: [c-nsp] Cisco Nexus 9K tcam carving question

2019-04-05 Thread Nick Cutting
And - yes that message is super confusing. Given that it is a 40g interface I'm 
guessing Gen1, so you cannot use netflow.


This is from a live 9300-EX(GEN2):

SPAN not running, with 8 ports running SFLOW.

sh run all | in "tcam region s"
hardware access-list tcam region span 0
hardware access-list tcam region svi 0
hardware access-list tcam region sflow 0
hardware access-list tcam region span 512
hardware access-list tcam region span-sflow 0

Here is the same output on a 9300 (GEN 1)
This device is not running Sflow - and Is running SPAN
sh run all | in "tcam region s"

hardware access-list tcam region span 256
hardware access-list tcam region svi 0
hardware access-list tcam region sFlow Northstar 0
hardware access-list tcam region span 0


-Original Message-
From: cisco-nsp  On Behalf Of Nick Cutting
Sent: Friday, April 5, 2019 3:25 PM
To: Satish Patel ; Cisco Network Service Providers 

Subject: Re: [c-nsp] Cisco Nexus 9K tcam carving question


Are you using a span session?

If so - then you cannot run SFLOW at the same time.

Is this a GEN1 or GEN2 9300? EX or FX?

-Original Message-
From: cisco-nsp  On Behalf Of Satish Patel
Sent: Friday, April 5, 2019 3:15 PM
To: Cisco Network Service Providers 
Subject: [c-nsp] Cisco Nexus 9K tcam carving question


Folks,

I want to enable sFlow on Cisco nexus 9300 switch on 40G interface
(GEM) module. but getting following error.

(config)# sflow data-source interface e2/5
In order to enable sFlow sampling on North star front panel port(Ethernet2/5), please either carve both span and sflow tcam regions with non-zero sizes using the commands
'hardware access-list tcam region span '
'hardware access-list tcam region sflow '
or remove both span and sflow tcam regions and carve a span-sflow tcam region with a non-zero size using the commands


When I am doing the following, I get an error that means I don't have space in my TCAM table, so what is the best approach here?

(config)# hardware access-list tcam region sflow 256
ERROR: Aggregate TCAM region configuration exceeded the available Ingress TCAM 
slices. Please re-configure.


Re: [c-nsp] Cisco Nexus 9K tcam carving question

2019-04-05 Thread Nick Cutting
Are you using a span session?

If so - then you cannot run SFLOW at the same time.

Is this a GEN1 or GEN2 9300? EX or FX?

-Original Message-
From: cisco-nsp  On Behalf Of Satish Patel
Sent: Friday, April 5, 2019 3:15 PM
To: Cisco Network Service Providers 
Subject: [c-nsp] Cisco Nexus 9K tcam carving question


Folks,

I want to enable sFlow on Cisco nexus 9300 switch on 40G interface
(GEM) module. but getting following error.

(config)# sflow data-source interface e2/5
In order to enable sFlow sampling on North star front panel port(Ethernet2/5), please either carve both span and sflow tcam regions with non-zero sizes using the commands
'hardware access-list tcam region span '
'hardware access-list tcam region sflow '
or remove both span and sflow tcam regions and carve a span-sflow tcam region with a non-zero size using the commands


When I am doing the following, I get an error that means I don't have space in my TCAM table, so what is the best approach here?

(config)# hardware access-list tcam region sflow 256
ERROR: Aggregate TCAM region configuration exceeded the available Ingress TCAM 
slices. Please re-configure.


Re: [c-nsp] IS-IS as PE-CE protocol

2019-03-21 Thread Nick Cutting
But I think the discussion is not about the CE-PE IGP relationship that gets put into an L3VPN and then tunneled via MPLS, but about connecting the CE to his internal IS-IS (possibly not in a VRF) that is used to connect his BGP loopbacks in his SP network?

I may have the wrong end of the stick

-Original Message-
From: cisco-nsp  On Behalf Of Nathan Lannine
Sent: Thursday, March 21, 2019 9:11 AM
To: Aaron Gould 
Cc: Cisco-nsp 
Subject: Re: [c-nsp] IS-IS as PE-CE protocol


On Thu, Mar 21, 2019 at 9:02 AM Aaron Gould  wrote:

> Which reminds me... I recall if pe-ce is bgp, then redis into l3vpn is 
> natural and automatic true ?
>
> -Aaron
>
>
As an implementer of MPLS/L3VPN in the enterprise, this is very interesting to 
me because I am all IGP internally.  I sort of assumed that in the provider 
space that L3VPNs would be accomplished the same way, with an IGP as PE-CE 
protocol for L3VPN, but here we are.  So, in the case of BGP as PE-CE protocol 
and a small client AS, do you all in the provider space require multiple 
private ASNs per VPN?  I mean (blatant free training request here) how does 
this get handled by the VPN customer?

Just navel gazing here, but I am wondering if there would be any benefit to me 
running BGP as my own PE-CE protocol.

Thank you,
Nathan
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Nexus 9300 sflow performance

2019-03-20 Thread Nick Cutting
We use the below, and I measured the reported traffic a few times, sending 
exactly 1g / 10g files between a known source and destination; it was pretty 
accurate.
You must use routed ports, SVI’s require netflow – which is not an option for 
you.

feature sflow
sflow counter-poll-interval 30
sflow collector-ip 10.x.x.x vrf default source 10.x.x.x.x
sflow collector-port 6344 (match the NFSEN listening port)
sflow agent-ip x.x.x.x (this switch’s loopback match the source/vrf above)
sflow data-source interface Ethernet1/51
sflow data-source interface Ethernet1/52

It's bi-directional, so we only do north-facing ports in leaf/spine.

then the matching entry on NFSEN’s conf file is:

%sources = (
    'HOSTNAME' => { 'port' => '6344', 'IP' => '10.x.x.x', 'col' => '#ff', 'type' => 'sflow' },
);
From: Satish Patel 
Sent: Wednesday, March 20, 2019 1:23 PM
To: Tim Stevenson (tstevens) 
Cc: Nick Cutting ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 9300 sflow performance

Thanks Tim,

Here is the output of show hardware rate-limiter. (I believe it's 40k)

This is my first time dealing with SFLOW. Can you share some configuration
parameters I should use as best practice? That would be great.
What is 1-in-N sample actually?

I am planning to use the mgmt0 interface for SFLOW and it's 1G so I assume
it will handle all the flow. Do you see any concern there?


# show hardware rate-limiter

Units for Config: packets per second
Allowed, Dropped & Total: aggregated since last clear counters


Module: 1
R-L Class          Config      Allowed        Dropped     Total
+------------------+-----------+--------------+-----------+--------------+
L3 glean           100         0              0           0
L3 mcast loc-grp   3000        0              0           0
access-list-log    100         0              0           0
bfd                1           0              0           0
exception          50          0              0           0
fex                3000        0              0           0
span               50          0              0           0
dpss               6400        0              0           0
sflow              4           25134089890    0           25134089890

On Wed, Mar 20, 2019 at 12:07 PM Tim Stevenson (tstevens) wrote:
>
> Yes, this is 1st gen. The SFLOW/SPAN restriction should not apply there.
>
> Re: 60Gbps/24Mpps and SFLOW, SFLOW does not do aggregation of stats for flows 
> in the switch like netflow does - it's just 1-in-n packet sampling. As such, 
> the value of "n" should be high enough that both the switch & the collector 
> are not overburdened. Note that we will rate limit SFLOW copies to the CPU so 
> that's the first 'bottleneck'. If you end up tail-dropping samples, the 
> statistical validity of your sampled set goes out the window, so you want to 
> ensure that 1-in-n is a number that does not hit that rate limiter.
>
> I don't have a 1st gen switch handy to see what the defaults are for that 
> value. It should show up in 'sh hardware rate-limiter'. In 9300-EX with 9.2.2 
> it's 40Kpps.
>
> Beyond that, you also want to make sure the collector is able to consume 
> everything coming from all sflow enabled switches without dropping, for the 
> same reason mentioned above.
>
> Hope that helps,
> Tim
>
>
> -Original Message-
> From: Satish Patel
> Sent: Wednesday, March 20, 2019 8:40 AM
> To: Nick Cutting
> Cc: Tim Stevenson (tstevens); cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Nexus 9300 sflow performance
>
> We have cisco Nexus9000 C9396PX
>
> 60 Gbs is data traffic, and 24Mpps (packets per second), not sure how
> to convert it into flows. Could you please share your sflow
> configuration if you don't mind?
>
> I had nfsen in past with 8CPU / 4GB memory but it was damn slow :(
> but it could be me.. i will set up again and see if it worth it or
> not.
>
> On Wed, Mar 20, 2019 at 11:34 AM Nick Cutting wrote:
> >
> > Good point. We waited for the second Gen
> >
> > Regarding 60 Gbs, isn't that the data traffic, not the flows or sampled 
> > flow levels?
> >
> > Our NFSEN box is CentOS
> >
> > 4 vCPU and 4 GB RAM
> >
> > Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per 
> > sec.
> >
> > -Original Message-
> > From: Tim Stevenson (tstevens)
> > Sent: Wednesday, March 20, 2019 11:20 AM
> > To: Nick Cutting; Satish Patel; cisco-nsp@puck.nether.net
> > Subject: RE: [c-nsp] Nexus 9300 sflow performance
> >
> > Make sure you distinguish between N9300 (1st generation) and 
> > N9300-EX/FX/FX2 (2nd gen
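The 1-in-n sampling Tim describes is what a collector has to undo: every sampled frame stands for n frames on the wire, and the sampling rate travels inside each flow sample. As an added example (not the post's configuration and not NFSEN's code), here is a small Python sFlow v5 encoder and decoder: it builds a constructed two-sample datagram, parses the flow samples and their raw-packet-header records, pulls the IPv4 endpoints out of the sampled headers, and scales frame lengths by the sampling rate the way a collector does when it reports traffic. The agent address, interface indexes, endpoint addresses and the 4096 sampling rate are all made up; counter samples and the expanded sample formats are skipped by length rather than decoded.

```python
"""sFlow v5 encoder/decoder for the collector side (added example, not the
post's configuration or NFSEN's code). Agent address, interface indexes,
endpoints, sampling rate and the datagram bytes are all constructed here;
only flow samples carrying raw-packet-header records are decoded."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

SFLOW_VERSION = 5
FLOW_SAMPLE = 1          # sample_data format: enterprise 0, format 1
RAW_PACKET_HEADER = 1    # flow_data format:   enterprise 0, format 1
PROTO_ETHERNET = 1


@dataclass
class FlowSample:
    sampling_rate: int   # the 1-in-N the agent applied to this sample
    input_if: int
    output_if: int
    frame_length: int    # original frame size on the wire, not the bytes kept
    src_ip: str
    dst_ip: str


def _ipv4_frame(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed Ethernet II + IPv4 + UDP header standing in for sampled bytes."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", 53, 4242, 8 + payload_len, 0)
    return eth + ip + udp


def build_datagram(agent_ip: str, seq: int, uptime_ms: int, samples: list) -> bytes:
    """Encode (rate, input_if, output_if, frame_length, header_bytes) tuples
    as one sFlow v5 datagram with one raw-header record per flow sample."""
    out = struct.pack("!II4sIIII", SFLOW_VERSION, 1, IPv4Address(agent_ip).packed,
                      0, seq, uptime_ms, len(samples))
    for n, (rate, in_if, out_if, frame_len, hdr) in enumerate(samples):
        pad = (-len(hdr)) % 4                      # XDR pads opaque data to 4 bytes
        rec = struct.pack("!IIII", PROTO_ETHERNET, frame_len, 0, len(hdr)) + hdr + b"\0" * pad
        rec = struct.pack("!II", RAW_PACKET_HEADER, len(rec)) + rec
        # sequence, source_id (ifIndex), rate, sample_pool, drops, input, output, n_records
        body = struct.pack("!IIIIIIII", n, in_if, rate, rate * (n + 1), 0, in_if, out_if, 1) + rec
        out += struct.pack("!II", FLOW_SAMPLE, len(body)) + body
    return out


def _ipv4_endpoints(frame: bytes):
    """src/dst of an untagged IPv4 frame, (None, None) for anything else."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    return None, None


def _parse_flow_sample(body: bytes) -> list:
    _seq, _src, rate, _pool, _drops, in_if, out_if, nrec = struct.unpack_from("!IIIIIIII", body, 0)
    off, found = 32, []
    for _ in range(nrec):
        fmt, length = struct.unpack_from("!II", body, off)
        off += 8
        if fmt == RAW_PACKET_HEADER:
            proto, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", body, off)
            hdr = body[off + 16:off + 16 + hdr_len]
            src, dst = _ipv4_endpoints(hdr) if proto == PROTO_ETHERNET else (None, None)
            found.append(FlowSample(rate, in_if, out_if, frame_len, src, dst))
        off += length                              # other record formats: skip by length
    return found


def parse_datagram(data: bytes):
    """Return (agent_ip, sequence, [FlowSample, ...]) from one UDP payload."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled here")
    agent = str(IPv4Address(data[8:12]))
    _sub_agent, seq, _uptime, nsamples = struct.unpack_from("!IIII", data, 12)
    off, samples = 28, []
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", data, off)
        off += 8
        if fmt == FLOW_SAMPLE:
            samples.extend(_parse_flow_sample(data[off:off + length]))
        off += length                              # counter/expanded samples: skip by length
    return agent, seq, samples


def estimate_bytes(samples: list) -> int:
    """Scale each sampled frame by its 1-in-N rate: the figure a collector
    reports, and what the post above compared against known transfers."""
    return sum(s.frame_length * s.sampling_rate for s in samples)


# Constructed datagram: two 1-in-4096 samples from an agent at 10.0.0.1.
SAMPLE_DATAGRAM = build_datagram("10.0.0.1", seq=1, uptime_ms=5000, samples=[
    (4096, 51, 52, 1514, _ipv4_frame("192.0.2.10", "198.51.100.20")),
    (4096, 52, 51, 64, _ipv4_frame("198.51.100.20", "192.0.2.10")),
])

if __name__ == "__main__":
    agent, seq, flows = parse_datagram(SAMPLE_DATAGRAM)
    print(agent, seq, *flows, f"estimated bytes: {estimate_bytes(flows)}", sep="\n")
```

The rate limiter in the output above fits the same arithmetic: samples reach the collector only while pps / n stays under the CPU limit, so once the sampling rate parsed from real datagrams multiplied by the limiter value is below the interface's packet rate, samples are being tail-dropped and the scaled estimate is no longer statistically meaningful, which is Tim's point.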

Re: [c-nsp] Nexus 9300 sflow performance

2019-03-20 Thread Nick Cutting
Good point.  We waited for the second Gen

Regarding 60 Gbs, isn't that the data traffic, not the flows or sampled 
flow levels?

Our NFSEN box is CentOS

4 vCPU and 4 GB RAM

Collecting flows from maybe only 30 devices, about 20Gbs and 3k flows per sec.

-Original Message-
From: Tim Stevenson (tstevens)  
Sent: Wednesday, March 20, 2019 11:20 AM
To: Nick Cutting ; Satish Patel ; 
cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Nexus 9300 sflow performance

Make sure you distinguish between N9300 (1st generation) and N9300-EX/FX/FX2 
(2nd generation). The SFLOW + SPAN limitation applies only to the latter. It's 
also on the latter that Netflow is supported, which can run concurrently with 
SPAN sessions.

Tim

-Original Message-
From: cisco-nsp  On Behalf Of Nick Cutting
Sent: Wednesday, March 20, 2019 6:19 AM
To: Satish Patel ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 9300 sflow performance

We use sflow on 9300's, no performance hit - but you cannot use span sessions 
at the same time.

Newer code revisions support netflow, without the SPAN session limitation, 
although we have not tried netflow on the 9300 yet.

For a collector we use NFSEN - open source, with quite a big install base, and it 
seems to handle a lot of flows.

It supports sflow and netflow as we have a mix; just make sure you add the 
sflow option at build time as it's a bit funky old Linux to add it after.



-Original Message-
From: cisco-nsp  On Behalf Of Satish Patel
Sent: Wednesday, March 20, 2019 8:21 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 9300 sflow performance

Folks,

I have an L3 Nexus 9300 switch which is running 60Gbps traffic on the ISP interface so 
I'm planning to run sflow on that specific interface to get flows.

Is it going to create any performance issues on the switch?

Can I run sflow on a Layer 3 LACP interface?

Can anyone suggest a free open source sflow collector?

Sent from my iPhone
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] DFZ on Nexus 9300EX/FX

2019-03-15 Thread Nick Cutting
Newer versions of NXOS for these platforms support "internet peering mode"

Up to 1,000,000 routes.

Is anyone using this hardware / routing template and taking in the full table?

Table 3. LPM Routing Modes for Cisco Nexus 9300-EX Series Switches
LPM Routing Mode: internet peering mode
CLI Command: system routing template-internet-peering


Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Console connections

2019-01-31 Thread Nick Cutting
We use lots of opengear.
Expensive - but awesome

I did just roll out a cisco 4431 with 3 octal cables for a client though, but 
opengear has way more features and supports 2 people at once on the lines etc

-Original Message-
From: cisco-nsp  On Behalf Of Robert Raszuk
Sent: Thursday, January 31, 2019 4:28 PM
To: Cisco NSPs 
Subject: [c-nsp] Console connections

Hello,

What would you all recommend these days for min 8-12 port rack-mounted terminal 
servers to talk to various vendors' router and switch console ports?

For years I used cisco 2511 but now it is history .. so what's the best cisco 
or not cisco successor for it?

It would be awesome if it would also have a few KVM switch ports for video 
to get them over IP, but this is just "nice to have" - primarily I need to get 10 
async terminal servers.

Any proven in action hints ?

Many thx,
Robert.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Connect "normal" Service instance to Vlan on Switch module

2018-11-19 Thread Nick Cutting
Thank you - I didn't even notice that. The command completed.

It still doesn't populate the mac address table for Vlan901, I don't think this 
can be done without a physical cable.

-Original Message-
From: cisco-nsp  On Behalf Of Aaron1
Sent: Friday, November 16, 2018 5:20 PM
To: Nick Cutting 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Connect "normal" Service instance to Vlan on Switch module

Ambiguous because dot1 could be dot1ad or dot1q?

Aaron

> On Nov 16, 2018, at 3:14 PM, Nick Cutting  wrote:
> 
> I am not sure if this is possible.
> 
> I have an ISR (IOS XE, 16.8)
> 
> And I have a working service instance bridging the two WAN ports
> 
> interface GigabitEthernet0/0/0
>  no ip address
>  negotiation auto
>  service instance 901 ethernet
>   encapsulation untagged
>   bridge-domain 901
> 
> interface GigabitEthernet0/0/0
>  no ip address
>  negotiation auto
>  service instance 901 ethernet
>   encapsulation untagged
>   bridge-domain 901
> 
> I want to connect these two WAN ports to the switching module / WLAN 
> module, which has a switchport config, not a routed port config
> 
> interface Wlan-GigabitEthernet0/1/4
>  switchport trunk native vlan 600
>  switchport trunk allowed vlan 600,692,901
>  switchport mode trunk
> 
> or:
> 
> interface GigabitEthernet0/1/1
>  switchport access vlan 901
>  switchport mode access
>  spanning-tree portfast
> 
> I cannot seem to connect the L3 BDI 901, or use a traditional SVI to 
> "tap into" the L2 vlan 901
> 
> I was hoping to use:
> 
> interface GigabitEthernet0/0/0
>  service instance 901 ethernet
>   encapsulation untagged
>   rewrite ingress tag push dot1 901
> 
> but the command will not complete, even though it question marks to a 
> 
> 
> % Ambiguous command:  "rewrite ingress tag push dot1 901 "
> ROUTER(config-if-srv)#rewrite ingress tag push dot1 901 ?
>
> 
> 
> Anyone else have any ideas?
> 
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Connect "normal" Service instance to Vlan on Switch module

2018-11-16 Thread Nick Cutting
I am not sure if this is possible.

I have an ISR (IOS XE, 16.8)

And I have a working service instance bridging the two WAN ports

interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 service instance 901 ethernet
  encapsulation untagged
  bridge-domain 901

interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 service instance 901 ethernet
  encapsulation untagged
  bridge-domain 901

I want to connect these two WAN ports to the switching module / WLAN module
Which has a switchport config, not a routed port config

interface Wlan-GigabitEthernet0/1/4
 switchport trunk native vlan 600
 switchport trunk allowed vlan 600,692,901
 switchport mode trunk

or:

interface GigabitEthernet0/1/1
 switchport access vlan 901
 switchport mode access
 spanning-tree portfast

I cannot seem to connect the L3 BDI 901, or use a traditional SVI to "tap into" 
the L2 vlan 901

I was hoping to use:

interface GigabitEthernet0/0/0
 service instance 901 ethernet
  encapsulation untagged
  rewrite ingress tag push dot1 901

but the command will not complete, even though it question marks to a 

% Ambiguous command:  "rewrite ingress tag push dot1 901 "
ROUTER(config-if-srv)#rewrite ingress tag push dot1 901 ?



Anyone else have any ideas?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Has there been a Cisco network device with GE management port while other ports are FE or lower?

2018-10-24 Thread Nick Cutting
Hmm I seem to remember on some older version of the CSR code (cloud services 
router) they had a G0 interface.

Also - the only other place you might see it is on a 8xx series router.

-Original Message-
From: cisco-nsp  On Behalf Of Martin T
Sent: Wednesday, October 24, 2018 12:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Has there been a Cisco network device with GE management port 
while other ports are FE or lower?

Hi,

I need to know if GigabitEthernet0 (returned by SNMP ifDescr)/Gi0 (returned by 
ifName) is a Management Ethernet interface or not. My assumption is that Cisco 
has never made a network device where Management Ethernet is a 1GigE port 
while non-management port(s) are Ethernet or Fast Ethernet ports. In other 
words, if a device has any other Gi ports besides GigabitEthernet0, then 
GigabitEthernet0 is always a Management Ethernet port?


thanks,
Martin
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] What causes mac table relearning?

2018-10-22 Thread Nick Cutting
If it is a trunk to a server - enable "portfast trunk" so it is unaffected by 
TCN's.

When you say you do not run spanning tree - what do you mean by that? 

You disabled it for certain VLAN's or the whole switch?

-Original Message-
From: cisco-nsp  On Behalf Of Garrett 
Skjelstad
Sent: Monday, October 22, 2018 12:56 PM
To: Mike 
Cc: cisco-nsp NSP 
Subject: Re: [c-nsp] What causes mac table relearning?

Yes, TCN is where I would start, MST is famous for this as well.

On Wed, Oct 17, 2018, 14:32 Mike wrote:

> Hi,
>
>
>  I have a network consisting of 3560g switches and I do not run 
> spanning tree in this network. I have noticed a symptom when a vlan 
> trunk interface goes down/up,  all mac addresses in the vlans carried 
> by that trunk also seem to be cleared at the same time. Im not just 
> talking the mac addresses on the port itself; rather, across the other 
> switches themselves , even for mac addresses that have no connection 
> to the port itself they just happen to be in one of the vlans. If I 
> have missed something fundamental I'd love to know but I am not aware 
> of any lan switching rules that would require this behavior.
>
>
> Mike-
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Idiot checking LC compatibility across different 7600 chassis.

2018-09-28 Thread Nick Cutting
The 6148's are so bad - I think they share 1g of bandwidth per 8 ports. I saw 
a client dropping TB's a day with these linecards.

-Original Message-
From: cisco-nsp  On Behalf Of Tom Hill
Sent: Friday, September 28, 2018 10:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Idiot checking LC compatibility across different 7600 
chassis.

On 28/09/18 14:57, Jason Lixfeld wrote:
> To that end, I’ve got a bunch of WS-X6148A-GE-45AF cards and a pair of 
> SUP720-3BXLs in a 7606 chassis (PID: CISCO7606) and it works fine despite the 
> WS-X6148A-GE-45AF data sheet making no reference to 7600 support, only 6500 
> support.
> 
> I need to forklift the 7606 for a 7613 (which is already equipped with a FAN2 
> and a pair of PWR-6000-DC PSUs).
> 
> Should all just work, ya?

Most likely, yes. Though the 6148s are 'classic bus' cards, which do not use 
the chassis fabric. They're hideous and slow down the whole router, due to 
taking up bandwidth on the classic bus that is also used for lookup signalling 
between CFCs and the supervisor (no use of classic bus cards, and the use of 
DFCs, is required to overcome those limitations).

If you're intending to add more, please add 6548s as a minimum. Better yet, 
please put all of your 7600 gear into the sea and use more power-efficient 
devices. :)

Regards,

--
Tom
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] VLAN 1 troubles?

2018-08-28 Thread Nick Cutting
Sorry my 12.2 code is:

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE, 
RELEASE SOFTWARE (fc2)
I pasted in the bootloader earlier

-Original Message-
From: cisco-nsp  On Behalf Of Nick Cutting
Sent: Tuesday, August 28, 2018 9:07 AM
To: John Osmon ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VLAN 1 troubles?

Well the big change that I seemed to care about was they added local routes to 
the route table, the /32 of configured interfaces.
I can't say I've ever seen anything different with the way tagged and untagged 
traffic was treated.
We have a VMware lab environment on 3560G's, running both 12.2 and 15.x - but 
as others said we avoid vlan1, not for "best practice, or security" but because 
of voodoo on the vlan, weirdness.

BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(44)SE5, RELEASE 
SOFTWARE (fc1)
C    10.180.6.6/31 is directly connected, GigabitEthernet0/21

vs.

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(2)SE4, 
RELEASE SOFTWARE (fc1)
C    10.180.6.0/31 is directly connected, GigabitEthernet0/21
L    10.180.6.1/32 is directly connected, GigabitEthernet0/21

It is more likely you ran into a bug on 12.2 that allowed you to pass tagged 
traffic on Vlan1 than a problem with 15.x.
If you change the native Vlan on the port to another vlan - does it then pass 
traffic tagged on vlan1?

Compare the output of show int gi0/15 switchport on both versions. The command 
should be exactly the same between versions.

Nick

-Original Message-
From: cisco-nsp  On Behalf Of John Osmon
Sent: Sunday, August 26, 2018 12:48 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VLAN 1 troubles?

I've got a 3560 switch in a lab situation that I'm looking for insight on.

I have a virtualization host hung off of a trunking port.  VMs on this platform 
are able to communicate over any VLAN if I'm running a 12.2 image.

As soon as I change to a 15.0 image, packets for VLAN1 no longer pass the 
switch port -- but all other VLANs do.  This is true whether the packets are 
explicitly tagged as VLAN 1, or if I leave them "native."

I have means to work around the issue, but it's bugging me...

Is there some esoteric change between IOS 12 and IOS 15?
Is there something I've been doing wrong for years with IOS switches?
Am I hitting a bug?
Do I just need to get rid of this test switch and get something more modern for 
a lab switch?


Switch details:
 model: WS-C3560G-24TS
 working image: c3560-advipservicesk9-mz.122-25.SEE2.bin
 failing image: c3560-ipservicesk9-mz.150-2.SE10.bin
 port config:
   interface GigabitEthernet0/15
    switchport trunk encapsulation dot1q
    switchport mode trunk


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] VTI support in ASA multiple contexts

2018-08-13 Thread Nick Cutting
Any plans to support this in the future? Maybe with the mighty mystical 10.0 
ASA code release.

We are getting more and more requests for this, (AZURE / AWS) to connect back 
to our datacenter - of which we have hundreds of contexts.

When the client has already built a VPN-gateway in route-mode on the Azure 
side, AND they are using the "basic SKU" - RouteBased -> policy based is not 
possible, as you cannot add the trafficSelector, nor can you add a second 
VPN-Gateway running in policy-based mode.

Guidelines for Virtual Tunnel Interfaces (9.9)
Context Mode

Supported in single mode only.

Regards,
Nick Cutting

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] 10Gb for VSAN

2018-07-25 Thread Nick Cutting
Nexus 93xx are also suitable for this task. We have tested VSAN on these.
They talk about buffers in the VSAN Docs?

-Original Message-
From: cisco-nsp  On Behalf Of Tom Hill
Sent: Tuesday, July 24, 2018 8:20 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 10Gb for VSAN

On 24/07/18 23:02, Michael Malitsky wrote:
> I have a Cat 4506 (Sup7L-E) serving a medium-sized business.  We are 
> looking to overhaul the server side and add VSAN on 4-5 hosts, for 
> which we'll need a handful (8-10) 10Gb ports.  I see the only option 
> for the 4506 chassis is the 4712-SFP module, and the combination seems 
> underwhelming, even before I look up the pricing. As I understand it, 
> the TOR option from Cisco would be a Nexus, which seems overkill for 
> the application?

There are suitably-reliable 20-port Nexus 5010s you can pick-up for peanuts. I 
don't believe you can still get support, but maybe you can get the latest 
software via PSIRT.

Lots of noise made and power utilised with those, so someone with more money 
would obviously punt you towards the [actually white-box] N3k line for Cisco 
hardware that does the same thing "in support".

Certainly, that Cat 4500 wasn't made for it with a 48Gbit/sec backplane.
Amazingly, the Cat 4500-X seems to have better density, as well as being from 
the same gen of supervisor.


> For those who have invented this wheel already, please share the 
> wisdom. For now, I am seriously considering putting in a 10Gb Ubiquity 
> switch...

If that's all you need to do this 'VSAN' thing, then why not. See-also:

 Cisco 3650/3850
 Cisco 4500-X
 Extreme X620/X670/X690
 Various Quantas, EdgeCores, Mellanox, ad infinitum.
 Netgear? lol

Have fun!

--
Tom
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] ASA VTI tunnel OSPF Support

2018-07-20 Thread Nick Cutting
Cisco peoples,

Any plans to implement VTI OSPF support?
Or is this a limitation because of ASA Multicast support.

I ask because ASA multiple contexts share a single BGP process, but not OSPF 
processes.


Thank you
Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] OSPF+BGP and MPLS Q's

2018-07-19 Thread Nick Cutting
Quick question as I am clueless on large SP networks (I'm an MSP guy, not an ISP 
guy) - why not area 0.0.0.0?


-Original Message-
From: cisco-nsp  On Behalf Of Aaron Gould
Sent: Thursday, July 19, 2018 6:08 PM
To: ring...@mail.com
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF+BGP and MPLS Q's

If you think your network is going to continue to grow, a dual route reflector 
cluster is a huge must have in my mind. I love how you can add address families 
to one neighbor and let it bounce while the other neighbor stays up with all 
your routes still there.

I have run a 100-node single-area OSPF (area 0.0.0.1) MPLS/LDP network for 
several years; I believe in simplicity and only as much complexity as is required 
for the job.


Aaron

> On Jul 19, 2018, at 2:32 PM, ring...@mail.com wrote:
> 
> Hi all,
> 
> I have some practical design questions.
> 
> 1. Is there a better way of doing the HA than having adjacencies to the 
> router (can be 3 hops away) over two different VLANs and different OSPF cost 
> over trunk links with BFD enabled? 
> 2. Do you find less practical a MPLS network on a multi-area design vs a 
> single-area design?
> 4. At what point would you introduce RouteReflectors in the network 
> (e.g. when 5, 10, 20 IBGP connections?)
> 
> Can come up with some more in the meantime ;)
> 
> Thanks!
> Ton
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Leaked Video or Not (Linux and Cisco for internal Sales folks)

2018-06-22 Thread Nick Cutting
I like Cisco - feels good when I type commands into the CLI. 

 I have faith in my fingers

Having too strong an opinion is bad for your internal chill zone, do not be 
mean to Cisco man, not on this list!


-Original Message-
From: cisco-nsp  On Behalf Of Tails Pipes
Sent: Friday, June 22, 2018 10:21 AM
To: Sami Joseph 
Cc: cisco-nsp NSP 
Subject: Re: [c-nsp] Leaked Video or Not (Linux and Cisco for internal Sales 
folks)

Copied from smart people :


Welcome to the world of coopetition. Microsoft has SQL Server running on Linux. 
They also sell Windows Server licenses. Some customers want one or the other, 
so they give them what they want. Other customers want a solution, and they can 
get it.


I think enough customers (not all of them, but an increasing number) have said 
that open is where it's at. Cisco has been preparing but holding to its 
proprietary line to capture as much revenue as possible before they are forced 
to change. At the same time, they have to turn around the ship and change their 
products.


It's not easy changing a big, fat company after 20 years of doing the same thing 
over and over while making huge profits for little effort.


That's the problem they are engaging with. Nearly everyone is doing better, 
faster, easier, more reliable networking than Cisco. Most often, at a cheaper 
price too. It's taking time for customers to make the switch but it's a slow and 
steady migration.


Cisco knows this at least. And the moves to subscription licenses are an 
attempt to extract more money from fewer customers. I think they have chosen to 
move up market, charge more and walk away from the customers who are willing to 
go whitebox/disagg/unbundled/open/DIY. They can't win so they won't compete. 
It's an obvious strategy.


That means bigger enterprise customers who don't care how much money they spend 
will pay extra.

https://www.reddit.com/r/networking/comments/8r0afq/is_
their_any_truth_to_the_trend_of_putting/



On Fri, Jun 22, 2018 at 7:06 AM, Sami Joseph  wrote:

> Packets will be pushed in Linux when Broadcom releases SDKs, Mellanox 
> already did... I guess
>
> https://netdevconf.org/0x12/session.html?building-a-
> better-nos-with-linux-and-switchdev
>
> Description
>
> Whitebox switches, disaggregation, and open networking are all the 
> rage today. While the choice in white box switches and "open" 
> networking operating systems (NOS) has proliferated in recent years, 
> switching ASICs are still predominantly programmed using SDKs and 
> those SDKs are primarily driven by userspace controllers. The 
> adherence to SDKs imposes a design constraint that has a huge impact 
> on the architecture of a NOS, its choices for user APIs (how the 
> switch is configured, debugged and
> monitored) and the performance of the control plane.
>
> Over the past few years a lot of effort has been put into a new 
> approach for Linux - i.e., switchdev and related in-kernel APIs. The 
> result allows for a simpler, cleaner NOS that fully leverages the 
> Linux kernel with the ASIC managed like any other hardware in the 
> system -- by a driver running in the kernel. However, adoption of 
> switchdev by ASIC vendors has been lacking, with only one ASIC vendor 
> at this point writing a driver that works with switchdev.
>
> This talk discusses typical software architectures for network 
> operating systems and introduces a path for transitioning SDK based 
> solutions to the switchdev model.
>
>
> On Fri, Jun 22, 2018 at 7:00 AM, Tails Pipes 
> wrote:
>
>> Mojatau, Big Switch, Cumulus, Arista and even Juniper are trying to 
>> move networking to a better place, but not Cisco. They do contribute 
>> to it, there is XDP, eBPF, Quagga, VRFs in Linux... etc. < do you want 
>> to deny those? Just because you have a CCIE and you are comfortable 
>> being a Cisco network guy, well you don't live alone in the world, 
>> others also need to be able to run networks without having to work on 
>> it for 10 years.
>>
>> What do you mean that no one is pushing packets in Linux? Isn't that 
>> the point of all the Linux networking? Are you saying that the 
>> vendors mentioned are closing their work? Can you give an educated 
>> opinion who exactly is not allowing packets to be pushed in Linux? 
>> Is it Linus Torvalds and the NetDev folks or is it the community of 
>> people like you that are so comfortable in their own skin that they 
>> don't allow innovation to take course.
>>
>> Linux and BSD are both operating systems that are well documented and 
>> many people can understand and work with but if you are so 
>> comfortable with IOS variants, that doesn't mean that every one 
>> iscan i operate networks without having years of experience and 
>> implicitly forced support by Cisco, I am sick of having to learn all 
>> the Cisco specific terms to all sorts of different boxes and 
>> technologies, all their tools and super expensive AS 

Re: [c-nsp] DHCP server

2018-06-17 Thread Nick Cutting
I agree with Mark - why not do this on a server?

-Original Message-
From: cisco-nsp  On Behalf Of james list
Sent: Saturday, June 16, 2018 8:24 AM
To: c...@marenda.net
Cc: cisco-nsp NSP 
Subject: Re: [c-nsp] DHCP server

Just one but hundreds of dhcp scopes.

Cheers

Il Sab 16 Giu 2018, 10:55  ha scritto:

> How many physical interfaces/ports?
>
> A c891f could be sufficient...
>
> Jürgen.
> -Original Message-
> Dear experts,
> a customer of mine has an old C7200 acting as DHCP server and wants to 
> replace it with an IOS device in order to port configuration 1:1.
>
> He asked for a solution which is not so expensive, I'm thinking to 
> ASR1k or CAT9k, do you have any other suggestion ?
>
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] DHCP server

2018-06-15 Thread Nick Cutting
ISR-44k is much cheaper than ASR 1k for forwarding in hardware

But DHCP server is all done on CPU - so you could get away with a much cheaper 
software router like an ISR43xx
Do you mean the Catalyst 9300 series?

-Original Message-
From: cisco-nsp  On Behalf Of james list
Sent: Friday, June 15, 2018 1:19 PM
To: cisco-nsp NSP 
Subject: [c-nsp] DHCP server

Dear experts,
a customer of mine has an old C7200 acting as DHCP server and wants to replace 
it with an IOS device in order to port configuration 1:1.

He asked for a solution which is not so expensive, I'm thinking to ASR1k or 
CAT9k, do you have any other suggestion ?

Thanks for any advice

Cheers,
James
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Looking for PoE switch with low depth, preferred stackable

2018-06-07 Thread Nick Cutting
Does it need routing protocols?

If not, the new fanless 2960-L series (the white ones) seem to be quite a bit 
thinner.
The 48 port is 11.5 inches. The 24 port is 10.45 inches

NickC
-Original Message-
From: cisco-nsp  On Behalf Of chiel
Sent: Thursday, June 7, 2018 7:39 AM
To: 'NSP - Cisco' 
Subject: [c-nsp] Looking for PoE switch with low depth, preferred stackable

Hello,

I'm looking for a Cisco Poe switch that has a low depth profile. This because 
of a small patch cabinet that I need to deal with. Replacing the cabinet is not 
possible.

Normally we're using Cisco 3750 switches. We like them because of price, gig 
options and are stackable. But these, and the 2960 series, have a depth of 37cm 
/ 14 inch.

Anybody knows of a low depth switch?

Chiel
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Back on this list? How? cisco-nsp balancing on portchan (4500X->ASR1006)

2018-05-19 Thread Nick Cutting
https://puck.nether.net/mailman/listinfo/cisco-nsp

-Original Message-
From: cisco-nsp  On Behalf Of Alisha Valente
Sent: Saturday, May 19, 2018 12:11 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Back on this list? How? cisco-nsp balancing on portchan 
(4500X->ASR1006)


How do I continue to receive these emails, or is there a website/forum for me 
to check into?

Thank you,

Alisha valente



From: cisco-nsp  on behalf of CiscoNSP List 

Sent: Sunday, June 4, 2017 3:06 AM
To: "Rolf Hanßen"
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)

Hi mate - 4500X(Primary) it is egress usage on both ports, 4500X(Secondary), it 
is the opposite (ingress)... I only tried mac balancing for testing... lol, it 
seems to get the best balance. Can't use ip/port... on src/dst ip, or src/dst 
port. 4500X only does layer 2 (trunking vlans up to ASR1000, which does L3 
(dot1q subints on portchan)... an old legacy setup from many years ago, that 
is going to be retired asap


Thanks



From: "Rolf Hanßen" 
Sent: Sunday, 4 June 2017 12:49 AM
To: CiscoNSP List
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Load balancing on portchan (4500X->ASR1006)

Hello,

I read your mail twice and still don't know which direction is affected (4500X 
to ASR or ASR to 4500X or both).
Please be aware that the balancing hash method only affects outbound traffic, 
so changing the method on the 4500X only affects traffic towards the ASR.
Using mac addresses for balancing is a bad idea. Years ago we had the great idea 
to connect several servers with dual nic to a router with a 2 port channel 
switching between.
MAC on the router was always the same, MACs on the servers were all even 
because we used the same port on all servers.
Result: no balancing at all.

Is the switch able to use IP / Port for all frames or do you have packets it 
maybe does not understand (like MPLS Packets)?

kind regards
Rolf

> Hi Everyone - Have a 4 port etherchan between ASR1006/4500X(In VSS) - 
> Tried virtually all the load-balancing options on the 4500X, but port "1"
> in the portchan group always gets majority of traffic share.
>
>
> Links are:
>
> ASR1006   4500X (2)
> 0/0/3     1/1/4
> 1/0/0     1/1/16
> 1/0/3     2/1/4
> 2/0/0     2/1/16
>
>
> src/dst ip - I get both ports on "primary" 4500X being primarily used
> (1/1/4 getting the most)
>
> src/dst mac - I get a bit of a better load spread, but 2/1/4 gets very 
> little traffic, and again 1/1/4 gets the most
>
> src/dst port - 1/1/4 gets the most, 2/1/16 gets a lot more (ingress), 
> 2/1/4, very little
>
>
> The portchan peak usage is 2 to 2.5Gb/sec, but would do more, as it is 
> being limited by the load-balancing... i.e. 1/1/4 will max out at 
> 1G/sec (We have a very bursty traffic... SP - So mix of 
> Inet/L3VPN/backup/replication etc)
>
>
> If anyone has some suggestions on how to achieve a better (more even) 
> traffic spread, it would be greatly appreciated... Migrating to 10Gb 
> is what we plan to do, but am interested in anyone's comments on why 
> 1/1/4 is used so heavily regardless of the load-balancing algorithm 
> used (Assuming it is because it is the "first" port... spanning tree 
> probably preferring this port?)... the ASR1006 only has 2 
> load-balancing options flow-based or vlan-manual.. lol and I don't 
> have any interest in setting up manual vlan load-balancing 😉)
>
>
> Thanks
>
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

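
Rolf's explanation of why mac balancing failed (the router MAC never changes and the server MACs all shared their low-order bits, so the hash has nothing to spread) and his point that the hash only decides the egress member on the sending side can both be checked with a small simulation. This is an added example, not code from the thread or from any vendor; the hash is a simplified XOR-of-low-order-bits model with eight buckets, not the real 4500X or ASR1000 algorithm, and the flows, MAC addresses, IPs and ports are constructed.

```python
"""Simulate which port-channel member a flow lands on under different hash inputs.

Added example, not from the cisco-nsp thread. The hash is a simplified model:
XOR the low three bits of each selected field, giving one of 8 buckets, then
map buckets onto the member links. Real ASIC hashes differ in detail, but any
hash shares the property Rolf describes: fields that do not vary between flows
cannot spread them. Member selection is decided by the sending device, so the
method configured on the 4500X only shapes traffic towards the ASR.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: int    # 48-bit MAC as an integer
    dst_mac: int
    src_ip: int     # 32-bit IPv4 as an integer
    dst_ip: int
    src_port: int
    dst_port: int


# The field pairs behind the usual 'port-channel load-balance' keywords.
HASH_FIELDS = {
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-dst-ip": ("src_ip", "dst_ip"),
    "src-dst-port": ("src_port", "dst_port"),
}


def select_link(flow: Flow, method: str, n_links: int) -> int:
    """Return the member link index (0..n_links-1) chosen for one flow."""
    bucket = 0
    for field in HASH_FIELDS[method]:
        bucket ^= getattr(flow, field) & 0x7   # only the low three bits matter
    return bucket % n_links


def distribution(flows, method: str, n_links: int = 4) -> list:
    """Count how many flows land on each member link."""
    counts = Counter(select_link(f, method, n_links) for f in flows)
    return [counts.get(i, 0) for i in range(n_links)]


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


# Constructed scenario matching Rolf's story: eight dual-NIC servers all using
# port 1 of their NIC, so every server MAC is even, all talking to one router
# MAC. IPs and ports vary per server as they normally would.
ROUTER_MAC = 0x020000000001            # locally administered, constructed
SERVER_FLOWS = [
    Flow(src_mac=0x02000000A000 + 2 * i,   # even MACs: ...A000, A002, ..., A00E
         dst_mac=ROUTER_MAC,
         src_ip=ip_int(f"10.1.1.{i + 1}"),
         dst_ip=ip_int("192.168.2.1"),
         src_port=40001 + i,
         dst_port=443)
    for i in range(8)
]


def simulate(method: str) -> list:
    """Distribution of the constructed server flows over a 4-member bundle."""
    return distribution(SERVER_FLOWS, method)


if __name__ == "__main__":
    for method in HASH_FIELDS:
        print(f"{method:13s} -> flows per member link {simulate(method)}")
```

With these inputs the MAC-based hash uses only two of the four members while the IP- and port-based hashes spread the eight flows evenly; the same model also explains why changing the method on one side of the bundle leaves the other direction untouched.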

Re: [c-nsp] Cisco Nexus 93240YC-FX2 Switch

2018-05-17 Thread Nick Cutting
One more question - I see the FX series supports up to 1.7 million routes, but 
is slightly slower at pure pps forwarding.
Are these positioned as more of a "router" than the EX series?


-Original Message-
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Nick Cutting
Sent: Wednesday, May 16, 2018 9:53 PM
To: Jeremy Bresley <b...@brezworks.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Nexus 93240YC-FX2 Switch

Thank you.  This is good news.

Hoping it is similarly priced to the 9396PX

-Original Message-
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Jeremy Bresley
Sent: Monday, May 14, 2018 6:55 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Nexus 93240YC-FX2 Switch

On 5/14/2018 09:22, Nick Cutting wrote:
> This is an interesting looking switch.
>
> There does not seem to be any specific documentation outside of the hardware 
> install and the generic nexus guide.
> I imagine there will be a little show on these and its buddies at cisco live.
>
> Does anyone know if, like its generation 1 brother the Nexus 9396PX Switch, 
> it supports 1Gig Copper SFP?
> We did a few rollouts of that switch last year, and it did work with GLC-T's.
>
> This would be a great core switch for a small data center deployment - 
> but 1 gig north border devices would often be copper. (ASA etc)
>

According to the 1G Transceiver Compatibility Matrix, yes it supports 1G in 
NX-OS mode.  GLC-SX-MM, GLC-T (1G only), GLC-TE (1G only), SFP-GE-T, GLC-LH-SM, 
GLC-ZX-SMD, GLC-SX-MMD, GLC-LH-SMD, and GLC-EX-SMD.

https://www.cisco.com/c/en/us/td/docs/interfaces_modules/transceiver_modules/compatibility/matrix/GE_Tx_Matrix.html#_Toc513557472

(Disclaimer, I work for Cisco as an SE, but this is a public resource I give 
out to customers which is maintained by BU folks, so can be taken as official 
confirmation of support.)

Jeremy

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco Nexus 93240YC-FX2 Switch

2018-05-16 Thread Nick Cutting
Thank you.  This is good news.

Hoping it is similarly priced to the 9396PX

-Original Message-
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Jeremy Bresley
Sent: Monday, May 14, 2018 6:55 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Nexus 93240YC-FX2 Switch

On 5/14/2018 09:22, Nick Cutting wrote:
> This is an interesting looking switch.
>
> There does not seem to be any specific documentation outside of the hardware 
> install and the generic nexus guide.
> I imagine there will be a little show on these and its buddies at cisco live.
>
> Does anyone know if, like its generation 1 brother the Nexus 9396PX Switch, 
> it supports 1Gig Copper SFP?
> We did a few rollouts of that switch last year, and it did work with GLC-T's.
>
> This would be a great core switch for a small data center deployment - 
> but 1 gig north border devices would often be copper. (ASA etc)
>

According to the 1G Transceiver Compatibility Matrix, yes it supports 1G in 
NX-OS mode.  GLC-SX-MM, GLC-T (1G only), GLC-TE (1G only), SFP-GE-T, GLC-LH-SM, 
GLC-ZX-SMD, GLC-SX-MMD, GLC-LH-SMD, and GLC-EX-SMD.

https://www.cisco.com/c/en/us/td/docs/interfaces_modules/transceiver_modules/compatibility/matrix/GE_Tx_Matrix.html#_Toc513557472

(Disclaimer, I work for Cisco as an SE, but this is a public resource I give 
out to customers which is maintained by BU folks, so can be taken as official 
confirmation of support.)

Jeremy

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Cisco Nexus 93240YC-FX2 Switch

2018-05-14 Thread Nick Cutting
This is an interesting looking switch.

There does not seem to be any specific documentation outside of the hardware 
install and the generic nexus guide. 
I imagine there will be a little show on these and its buddies at cisco live.

Does anyone know if, like its generation 1 brother the Nexus 9396PX Switch, 
it supports 1Gig Copper SFP?
We did a few rollouts of that switch last year, and it did work with GLC-T's.

This would be a great core switch for a small data center deployment - but 1 
gig north border devices would often be copper. (ASA etc)

Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Nick Cutting
This license should be fine; the SEC-K9 was a requirement for 29xx, 39xx and 
4xxx - but 28xx and 38xx just needed the right IOS.

As others have said - you should debug, while sourcing pings from the 
interesting source traffic.
Maybe open IP on the ACL to the peer address while you are troubleshooting this 
to make sure it is an IPsec issue, not an ACL issue.

-Original Message-
From: cisco-nsp  On Behalf Of Scott Miller
Sent: Tuesday, May 1, 2018 2:40 PM
To: Randy 
Cc: cisco-nsp 
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"

show license
Index 1 Feature: ios-ips-update







On Tue, May 1, 2018 at 11:57 AM, Randy  wrote:

> outside-in access-lists allow proto 50, udp 500 and udp 4500 if applicable?
>
>
>
>
> 
> From: Emille Blanc 
> To: Scott Miller 
> Cc: cisco-nsp 
> Sent: Tuesday, May 1, 2018 10:51 AM
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
>
>
> Forgive the obvious question;
> Are your 3800's licensed for IPSEC, and or the grace period hasn't 
> been exhausted if not?
> They require the SECK9 license.
>
> I'd maybe specify the local source-address in your crypto maps. 
> Otherwise, nothing stands out as erroneous to me.
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
> Of Scott Miller
> Sent: Tuesday, May 01, 2018 10:28 AM
> To: Alex K.
> Cc: cisco-nsp
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Both sides show the same.
> cpe-rpa-kal-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst src state  conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> cpe-rpa-kal-gw-01#
>
>
> wtc-mar-gw-01#   show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst src state  conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> wtc-mar-gw-01#
>
>
>
> Debug of RPA side shows this when crypto map VPNMAP removed and added 
> back to gi0/0:
>
> *May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 
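
Randy's checklist (ESP, udp/500 and udp/4500 allowed inbound from the peer) and Nick's troubleshooting tip (temporarily permit IP from the peer address to rule the ACL out) can be turned into a quick check against the ACL text before anyone starts on crypto debugs. The script below is an added example, not the thread's 3825 configuration or any Cisco tool: it evaluates a small subset of IOS extended-ACL syntax with IOS first-match semantics and the implicit deny, and the ACL, peer and local addresses are constructed from documentation ranges.

```python
"""Check whether an outside-interface ingress ACL admits an IPsec peer.

Added example, not from the cisco-nsp thread. Supported ACE shape:
  permit|deny <proto> <src> [eq N] <dst> [eq N] [log]
where an address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Other
ACE forms (ranges, established, object-groups) are out of scope here.
"""
import ipaddress
import re

# (protocol keyword, destination port) the peer must be able to reach:
# ISAKMP, NAT-T and ESP (IP protocol 50).
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None)]

ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*?)\s*$")


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (IPv4Network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":           # same as 'host'; ip_network would read it as /0
        return ipaddress.ip_network(addr + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) after the slash for contiguous masks
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def _skip_port(tokens, i):
    """Return (port or None, next index) for an optional 'eq N' operator."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Return ACEs as (action, proto, src_net, dst_net, dst_port), in order."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                      # header, remark, blank: not an ACE
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        _, i = _skip_port(tokens, i)      # source port operator is ignored here
        dst, i = _parse_addr(tokens, i)
        dst_port, i = _skip_port(tokens, i)
        entries.append((action, proto, src, dst, dst_port))
    return entries


def first_match(entries, proto, port, peer, local):
    """IOS semantics: first matching ACE wins, otherwise implicit deny."""
    for action, e_proto, src, dst, e_port in entries:
        if e_proto not in (proto, "ip"):
            continue
        if peer not in src or local not in dst:
            continue
        if e_port is not None and e_port != port:
            continue
        return action
    return "deny"


def check_ipsec_peer(acl_text, peer_ip, local_ip):
    """Map each required protocol/port to the action the ACL takes for it."""
    entries = parse_acl(acl_text)
    peer, local = ipaddress.ip_address(peer_ip), ipaddress.ip_address(local_ip)
    return {f"{p}/{port}" if port else p: first_match(entries, p, port, peer, local)
            for p, port in REQUIRED}


# Constructed ACL: NAT-T was left out, which goes unnoticed until a NAT device
# shows up in the path, after which the tunnel never comes up.
SAMPLE_ACL = """\
ip access-list extended OUTSIDE-IN
 remark constructed example: peer 203.0.113.2, our outside 198.51.100.1
 permit udp host 203.0.113.2 host 198.51.100.1 eq 500
 permit esp host 203.0.113.2 host 198.51.100.1
 deny   ip any any log
"""

if __name__ == "__main__":
    for name, action in check_ipsec_peer(SAMPLE_ACL, "203.0.113.2", "198.51.100.1").items():
        print(f"{name:9s} {action}")
```

Prepending Nick's temporary `permit ip host <peer> any` line makes every required entry come back as `permit`, which is exactly the test he describes: if the tunnel still fails with that line in place, the ACL is not the problem.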

Re: [c-nsp] MACSec Stages

2018-04-17 Thread Nick Cutting
I agree - I spent weeks with TAC cases open etc. and Cisco has no idea how this 
works either.

I gave up and built a L3 routed VPN.

I am waiting for the How-to article by Jeremy Stretch!

-Original Message-
From: cisco-nsp  On Behalf Of Alex K.
Sent: Tuesday, April 17, 2018 4:13 AM
To: Alan Buxey 
Cc: cisco-nsp 
Subject: Re: [c-nsp] MACSec Stages

Hello Alan and thank you for answering.

That's the point - all one can find by searching the standard ID, is a bunch of 
unrelated documents, some from IEEE, some from independent sources
- none display any coherent picture whatsoever.

Not to mention none provide any overview of the protocol. Just some not 
connected points.

Such a lack of documentation by all major vendors (a white paper stating MACSEC 
is an encryption protocol doesn't count as documentation) hits the hardest 
when it comes to troubleshooting. No explanation for debugs, no known steps for 
endpoints to pass through; you're pretty much on your own trying to figure out 
what's going on.

Alex.

On Tue, 10 Apr 2018 at 16:06, Alan Buxey wrote:

> 802.1AE
>
> Look that up for how it works
>
> alan
>
> On Wed, 4 Apr 2018, 00:32 Alex K.,  wrote:
>
>> Hello everyone,
>>
>> After a few implementations of MACSec, I began wondering: is there 
>> complete documentation of that technology out there?
>>
>> For example, I have quite some experience with L2TP. Now, SCCRP may 
>> sound like a bad language to some, but as we all know, it's an 
>> important step in tunnel setup. The internet is literally brimming 
>> with information about L2TP. As for MACSec, maybe it's only me - but 
>> I'm having a hard time finding information on MACSec internal 
>> workings (beyond packet formats), especially when it comes to protocol 
>> stages and related Cisco debugs.
>>
>> All I was able to find this far, are some really general sketches of 
>> MACSec exchanges and seemingly unrelated debug commands.
>>
>> Am I missing something? Any help, such as linking to proper 
>> documentation, successful and unsuccessful debug outputs and such, on 
>> and off-list, will be gladly appreciated.
>>
>>
>> Thank you,
>> Alex.
>> ___
>> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Open Networking Switches feedback

2018-03-26 Thread Nick Cutting
I am also interested in hearing about success or horror stories relating to 
this.
We have so many complex connections between clients and public clouds and old 
/ new datacenters, with MacGyver solutions and spaghetti everywhere - I 
sometimes think I need those 271.5 features in my top of rack switches just so 
I am ready for the next ridiculous client request.

All the marketecture around the whitebox switches is a bunch of linux guys 
living a perfect world with a very simple network.
It might work for a single enterprise network, but not in the dirty cloudy 
world I have to live in.  We have a lot of grumpy old network engineers and not 
enough developers.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sami 
Joseph
Sent: Monday, March 26, 2018 12:31 AM
To: Cisco-nsp 
Subject: [c-nsp] Open Networking Switches feedback

Hello,

Has anyone here tried Big Switch, Pica8, Cumulus or any of those open 
networking products? I'd appreciate feedback from someone that actually used 
them.

Thanks
Sam
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Multicast in VRF

2018-03-21 Thread Nick Cutting
Like Aaron said - sounds like it is switching from receiver -> RP to receiver -> 
source tree, it usually does after one packet.
Where is the RP if you are using sparse mode? 10.0.0.1 - did you have the config 
for that?
Are you testing from a host on the source VLAN or just from the 6500?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron 
Gould
Sent: Wednesday, March 21, 2018 2:42 PM
To: 'Jan Gregor' ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Multicast in VRF

I wonder if it gets pruned right after the first packet... maybe you have to 
do some igmp config for the underlying vlan804 receiver segment's L2 interfaces

I'm guessing as it's been a while since I did much with mcast

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jan 
Gregor
Sent: Monday, March 19, 2018 2:23 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Multicast in VRF

Hi guys,

I am stumped by a multicast issue on one of my 6500 switches running 
s72033-adventerprisek9-mz.151-2.SY11.bin code. Actually it is two 6500s in VSS, 
but it should not matter, correct me if I am wrong.

The topology is fairly simple, a source is connected to one VLAN on 6500, then 
the receiver is on another VLAN on the same 6500. Both VLANs are in the same 
VRF. Both VLANs are configured for PIM Sparse mode. 
Multicast routing is enabled for the VRF. Relevant config:
vrf definition TEST
  rd 65000:803
  !
  address-family ipv4
  exit-address-family
!
ip multicast-routing
ip multicast-routing vrf TEST
!
ip pim vrf TEST rp-address 10.0.0.1
!
interface Vlan803
  description SOURCE
  vrf forwarding TEST
  ip address 10.0.0.1 255.255.255.0
  ip pim sparse-mode
  arp timeout 300
!
interface Vlan804
  description RECEIVER
  vrf forwarding TEST
  ip address 192.168.2.1 255.255.255.0
  ip pim sparse-mode
  load-interval 30
  arp timeout 300

I see multicast routing entries in the mroute table for the VRF increasing:
sh ip mroute vrf TEST
...
Outgoing interface flags: H - Hardware switched, A - Assert winner
  Timers: Uptime/Expires
  Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.2.196), 00:24:57/stopped, RP 10.0.0.1, flags: SJC
   Incoming interface: Null, RPF nbr 0.0.0.0
   Outgoing interface list:
 Vlan804, Forward/Sparse, 00:24:57/00:02:40

(10.0.0.11, 239.192.2.196), 00:24:57/00:02:57, flags: T
   Incoming interface: Vlan803, RPF nbr 0.0.0.0, RPF-MFD
   Outgoing interface list:
 Vlan804, Forward/Sparse, 00:24:57/00:02:40, H

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1503, Packets received: 1503
   RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
   Source: 10.0.0.11/32, Forwarding: 1503/1/84/0, Other: 1503/0/0

sh ip mroute vrf TEST count
IP Multicast Statistics
2 routes using 1102 bytes of memory
1 groups, 1.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.192.2.196, Source count: 1, Packets forwarded: 1510, Packets received: 1510
   RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
   Source: 10.0.0.11/32, Forwarding: 1510/1/84/0, Other: 1510/0/0

I am testing it by running ping on the source "ping -t 64 239.192.2.196". I see 
packets leaving the source as verified by tcpdump. 
However packets are not making it to the receiver as verified by tcpdump.

Funny thing is that when I clear the mroute table on the switch by issuing 
"clear ip mroute vrf TEST *" I receive EXACTLY ONE ping packet on the receiver, 
then again nothing:
20:17:02.576050 IP 10.0.0.11 > 239.192.2.196: ICMP echo request, id 11724, seq 
625, length 64

Any pointers would be greatly appreciated.

Best regards,

Jan Gregor



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] many 2960-X rebooting today

2018-03-16 Thread Nick Cutting
I'm reasonably certain it was exploited - the last MSG is related to the bug.

"Stack for process SMI IBC server process running low"


-Original Message-
From: Brandon Applegate [mailto:bran...@burn.net] 
Sent: Friday, March 16, 2018 2:28 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp mailing list <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] many 2960-X rebooting today

> On Mar 16, 2018, at 2:08 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
> 
> Thanks we have disabled this now - It is in our new build script, these were 
> rolled out a few months ago.
> 
> I guess there is no way of seeing if this exploit was executed, perhaps in 
> the crashdump somewhere?

I’m struggling to remember.  I want to say you will see a %SYS-5-CONFIG - 
Configured from XXX by YYY message.

The questions become:

-   Are you syslogging out to a server that would have caught this ?
-   Is there any IP in there of where it was originated from ?
- If so - other than an abuse report to the respective ISP and blocking 
the IP - what can be done ?

I guess the other thing I’d add - is if there’s any weak crypto (type 7, or 
even a weak type 5 etc.) passwords or keys in your config, you might want to 
change these.  In other words, assume they have a copy of your config and act 
accordingly.

PS: This is all assuming it was an exploit like this in the first place.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."

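Brandon's questions above (is the %SYS-5-CONFIG event on a syslog server, and which address did it come from?) together with the SMI IBC stack-low message Nick cites can be turned into a quick offline audit of exported syslog. This is an added example, not code from the thread or from Cisco; the syslog line layout, the hostnames, users and addresses, and the %SYS-3-STACKLOW mnemonic in the sample lines are constructed for the example, and the management allowlist is an assumed input.

```python
"""Audit exported IOS syslog for the two indicators discussed in the thread:
config-change events (%SYS-5-CONFIG_I) from addresses outside the management
allowlist, and the 'Stack for process SMI IBC server process running low'
message.  Sample lines below are constructed, not taken from a real device."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample export (RFC 5737 documentation addresses, placeholder
# hostnames/users).  203.0.113.10 is the "allowed" management station.
SAMPLE_SYSLOG = """\
Mar 16 13:02:11 sw-edge-01 1234: Mar 16 13:02:10.998: %SYS-5-CONFIG_I: Configured from console by nick on vty0 (203.0.113.10)
Mar 16 13:40:52 sw-edge-01 1235: Mar 16 13:40:51.771: %SYS-5-CONFIG_I: Configured from console by vty1 (198.51.100.77)
Mar 16 13:41:03 sw-edge-01 1236: Mar 16 13:41:02.140: %SYS-3-STACKLOW: Stack for process SMI IBC server process running low, 0/6000
Mar 16 13:41:09 sw-edge-01 1237: Mar 16 13:41:08.002: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
Mar 16 14:05:30 sw-edge-02 887: Mar 16 14:05:29.511: %SYS-5-CONFIG_I: Configured from console by nick on vty0 (203.0.113.10)
Mar 16 14:06:02 sw-edge-02 888: Mar 16 14:06:01.330: %SYS-5-CONFIG_I: Configured from tftp://198.51.100.77/sw-edge-02.cfg by console
"""

# "Mon DD HH:MM:SS host <rest>" as a typical syslog collector writes it.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)
# "Configured from <src> by <who>[ on vtyN] [(<ip>)]"; <ip> is only present
# for remote (vty) sessions, which is exactly what we want to check.
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?P<by>.+?)"
    r"(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?\s*$"
)
SMI_STACKLOW = "Stack for process SMI IBC server process running low"


@dataclass(frozen=True)
class Finding:
    host: str
    timestamp: str
    severity: str  # "high" or "medium"
    reason: str
    line: str


def _allowed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def audit_syslog(text, allowed_mgmt_cidrs):
    """Return Findings for every line that matches one of the indicators."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_mgmt_cidrs]
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SYSLOG_PREFIX.match(line)
        if not m:
            continue  # not a syslog line we understand; skip rather than guess
        host, ts, rest = m["host"], m["ts"], m["rest"]
        if SMI_STACKLOW in rest:
            findings.append(Finding(host, ts, "high",
                                    "Smart Install client (SMI IBC) stack-low message", line))
            continue
        c = CONFIG_RE.search(rest)
        if not c:
            continue
        ip = c["ip"]
        if ip is not None and not _allowed(ip, nets):
            findings.append(Finding(host, ts, "high",
                                    f"config change by '{c['by']}' from non-allowlisted {ip}", line))
        elif c["src"] != "console":
            # e.g. "Configured from tftp://..." : configuration pulled over the network
            findings.append(Finding(host, ts, "medium",
                                    f"config loaded from {c['src']}", line))
    return findings


def hosts_of_concern(findings):
    """Hosts with at least one high-severity finding, sorted."""
    return sorted({f.host for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in audit_syslog(SAMPLE_SYSLOG, ["203.0.113.0/24"]):
        print(f"{f.severity:6} {f.host:12} {f.timestamp}  {f.reason}")
    print("hosts of concern:", hosts_of_concern(audit_syslog(SAMPLE_SYSLOG, ["203.0.113.0/24"])))
```

Run it against a real export with the addresses your SSH ACLs actually permit; a config event from anywhere else, or the SMI message, is what to chase in the crash timeline.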

Re: [c-nsp] many 2960-X rebooting today

2018-03-16 Thread Nick Cutting
Thanks we have disabled this now - It is in our new build script, these were 
rolled out a few months ago.

I guess there is no way of seeing if this exploit was executed, perhaps in the 
crashdump somewhere?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Brandon 
Applegate
Sent: Friday, March 16, 2018 1:19 PM
To: cisco-nsp mailing list <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] many 2960-X rebooting today

> On Mar 16, 2018, at 12:49 PM, Nick Cutting <ncutt...@edgetg.com> wrote:
> 
> Anyone seen a number of internet facing 2960-X switches restart today?
> 
> We have had 3 different clients, 6 different switches all reboot today.
> 
> No uptime in common, no code version in common.
> 
> One of them has WS-C2960X-24TS-L - Version 15.2(2)E6
> 
> The only thing they do have in common is that they have internet IP addresses 
> for MGT - with SSH allowed, locked down to certain public IP's.
> 
> Just wondering if this may be the execution of an exploit by a baddie.
> 
> Nick

I haven’t - but the first thing that popped into my head was:

https://github.com/Sab0tag3d/SIET

You might want to scan/nmap your switches.  I know some folks that got hit with 
this last year.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."


[c-nsp] many 2960-X rebooting today

2018-03-16 Thread Nick Cutting
Anyone seen a number of internet facing 2960-X switches restart today?

We have had 3 different clients, 6 different switches all reboot today.

No uptime in common, no code version in common.

One of them has WS-C2960X-24TS-L - Version 15.2(2)E6 

The only thing they do have in common is that they have internet IP addresses 
for MGT - with SSH allowed, locked down to certain public IP's.

Just wondering if this may be the execution of an exploit by a baddie.

Nick


Re: [c-nsp] spanning-tree for local switching on ASR920

2018-03-15 Thread Nick Cutting
Thank you

In the output of show spanning tree - is the port with the untagged service 
instance forwarding on vlan 4093?
Unless something changed from 16.6 -> 16.7 I imagine that it is only forwarding 
and processing BPDU's on vlans 2 and 10.

If a bridging loop came in on VLAN 4093, because BPDUs were not processed on 
this VLAN, it may be bad.

Nick
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Peter 
Rathlev
Sent: Thursday, March 15, 2018 7:06 AM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] spanning-tree for local switching on ASR920

For what it's worth I have working Rapid PVST+ on ASR 920 IOS 16.7.1 with the 
following configuration:

spanning-tree mode rapid-pvst
spanning-tree vlan 2,10,2302 priority 24576
!
interface TenGigabitEthernet0/0/25
 description => Towards HP 5700FF
 mtu 9216
 no ip address
 load-interval 30
 service instance 1 ethernet
  encapsulation untagged
  l2protocol peer cdp stp lldp
  bridge-domain 4093
 !
 service instance trunk 25 ethernet
  encapsulation dot1q 2,10
  rewrite ingress tag pop 1 symmetric
  bridge-domain from-encapsulation
 !
!
interface TenGigabitEthernet0/0/26
 description => Towards neighbor ASR 920
 mtu 9216
 no ip address
 service instance 1 ethernet
  encapsulation untagged
  l2protocol peer cdp stp lldp
  bridge-domain 4094
 !
 service instance trunk 26 ethernet
  encapsulation dot1q 2,10,2302
  rewrite ingress tag pop 1 symmetric
  bridge-domain from-encapsulation
 !
!

This is of course not directly related to your question about untagged ports. I 
don't have a setup where I can test that right now. But at least the ASR 920 
seems to support RPVST fine in IOS 16.7.

--
Peter



Re: [c-nsp] spanning-tree for local switching on ASR920

2018-03-13 Thread Nick Cutting
Well, in some of the earlier guides (16.5 and below) it is explicitly stated 
that MST is only supported on EVC tagged ports:

"Untagged EVCs do not participate in MST loop detection"

16.6 and 16.7 Documentation, doesn't mention this restriction.

So I guess to run STP with the client facing ports - the EVC ports need to be 
trunks, OR normal dot1q service instances - they need to tag their traffic. 
(this works and RSTP works in 16.6 as others have stated)

Trying to do it under a normal EVC fails when I try and pop the tag towards 
the client.

ASR920(config-if-srv)#rewrite ingress tag pop 1
ASR920(config-if-srv)#rewrite egress tag pop 1 
Warning: Egress filtering rule fails due to encap set on SrvInst 900 (Gi0/0/0)

OR:
rewrite ingress tag pop 1 symmetric
rewrite egress tag pop 1
 Rewrite egress is not allowed with symmetric option on ServInst 1(Gi0/0/1)

If the encapsulation is set to untagged, or default, it is immediately removed 
as a candidate for STP.
If the encapsulation is set to dot1q all - Watch out! It sets up a spanning 
tree instance all the way to the box limit (128 VLans)

This does work, with a tagged client frame and lets you run STP:

interface GigabitEthernet0/0/1
 no ip address
 media-type rj45
 negotiation auto
 cdp enable
 spanning-tree portfast
 spanning-tree link-type point-to-point
 service instance 1 ethernet
  encapsulation dot1q 900
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp stp
  bridge-domain 900


So I just don't think this is possible with an untagged frame on the client 
side - unless anyone else has any ideas?




-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick 
Cutting
Sent: Monday, March 12, 2018 5:07 PM
To: Mark Tinka <mark.ti...@seacom.mu>; Gert Doering <g...@greenie.muc.de>; 
cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] spanning-tree for local switching on ASR920

I actually just got this kind of working, but had to use MST.
Cisco IOS XE Software, Version 03.18.00.SP.156-2.SP-ext

I'm going to introduce an L2 loop if I can.


This is the primary Internet Facing ASR920, and the southbound switching 
configuration, and the client gateway BDI.

interface TenGigabitEthernet0/0/15
 description Trunk to ASR-920-02
 no ip address
 cdp enable
 service instance trunk 1 ethernet
  encapsulation dot1q 900,901
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp stp
  bridge-domain from-encapsulation
  
interface GigabitEthernet0/0/0
 description to downstream client Firewall
 no ip address
 negotiation auto
 service instance 900 ethernet
  encapsulation untagged
  bridge-domain 900

interface BDI900
 ip address xx.xx.xx.2 255.255.255.0
 standby 1 ip xx.xx.xx.1
 standby 1 priority 105

I can ping across the service instance trunk between the BDI's - but I cannot 
get normal STP to start an instance.

sh spanning-tree
No spanning tree instance exists.

What is strange is that only mst is listed as a supported mode.
#spanning-tree mode ?
  mst  Multiple spanning tree mode

Once changing to MST - my instance works !

(config)#spanning-tree mode mst
#sh spanning-tree 

MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    0
             Address     00be.7515.7dbd
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    0      (priority 0 sys-id-ext 0)
             Address     00be.7515.7dbd
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te0/0/15            Desg FWD 2000      128.22   P2p

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark 
Tinka
Sent: Monday, March 12, 2018 5:04 PM
To: Nick Cutting <ncutt...@edgetg.com>; Gert Doering <g...@greenie.muc.de>; 
cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] spanning-tree for local switching on ASR920

On 12/Mar/18 22:21, Nick Cutting wrote:

> Sorry to drag this one up - Gert did you ever get a working config for this?
>
> I plan on using a pair of 920's with a layer 2 broadcast domain on the 12 
> gigabit Ethernet ports, and using the 10g ports to connect to separate 
> carriers, but also use 1 10g port to carry the HSRP for the /24 customer 
> address space.
> The 1 gig ports will all need to be in the customer's /24 that they will 
> advertise to the independent carriers, I would like to run STP in case of a 
> cabling error, but the routers are entirely owned by them, in their data 
> center, and only to be used for ipv4 BGP internet services and a default 
> route from each carrier.
>
> Usually we set this up with a pair of routers and 2 switches - i

Re: [c-nsp] spanning-tree for local switching on ASR920

2018-03-12 Thread Nick Cutting
I actually just got this kind of working, but had to use MST.
Cisco IOS XE Software, Version 03.18.00.SP.156-2.SP-ext

I'm going to introduce an L2 loop if I can.


This is the primary Internet Facing ASR920, and the southbound switching 
configuration, and the client gateway BDI.

interface TenGigabitEthernet0/0/15
 description Trunk to ASR-920-02
 no ip address
 cdp enable
 service instance trunk 1 ethernet
  encapsulation dot1q 900,901
  rewrite ingress tag pop 1 symmetric
  l2protocol peer cdp stp
  bridge-domain from-encapsulation
  
interface GigabitEthernet0/0/0
 description to downstream client Firewall
 no ip address
 negotiation auto
 service instance 900 ethernet
 encapsulation untagged
 bridge-domain 900

interface BDI900
 ip address xx.xx.xx.2 255.255.255.0
 standby 1 ip xx.xx.xx.1
 standby 1 priority 105

I can ping across the service instance trunk between the BDI's - but I cannot 
get normal STP to start an instance.

sh spanning-tree 
No spanning tree instance exists.

What is strange is that only mst is listed as a supported mode.
#spanning-tree mode ?
  mst  Multiple spanning tree mode

Once changing to MST - my instance works !

(config)#spanning-tree mode mst 
#sh spanning-tree 

MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    0
             Address     00be.7515.7dbd
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    0      (priority 0 sys-id-ext 0)
             Address     00be.7515.7dbd
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te0/0/15            Desg FWD 2000      128.22   P2p

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark 
Tinka
Sent: Monday, March 12, 2018 5:04 PM
To: Nick Cutting <ncutt...@edgetg.com>; Gert Doering <g...@greenie.muc.de>; 
cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] spanning-tree for local switching on ASR920

On 12/Mar/18 22:21, Nick Cutting wrote:

> Sorry to drag this one up - Gert did you ever get a working config for this?
>
> I plan on using a pair of 920's with a layer 2 broadcast domain on the 12 
> gigabit Ethernet ports, and using the 10g ports to connect to separate 
> carriers, but also use 1 10g port to carry the HSRP for the /24 customer 
> address space.
> The 1 gig ports will all need to be in the customer's /24 that they will 
> advertise to the independent carriers, I would like to run STP in case of a 
> cabling error, but the routers are entirely owned by them, in their data 
> center, and only to be used for ipv4 BGP internet services and a default 
> route from each carrier.
>
> Usually we set this up with a pair of routers and 2 switches - in this 
> case I need to do it all on an ASR-920-12SZ-IM (cheap 10g router) Is this 
> possible?

The ASR920 has not generally supported STP.

I think since 16.6(1), PVST+/RPVST+ is now supported.

I'd be naturally inclined to use BD's to solve this, but you should test this 
with the relevant code and let us know if it works.

Mark.


Re: [c-nsp] spanning-tree for local switching on ASR920

2018-03-12 Thread Nick Cutting
Sorry to drag this one up - Gert did you ever get a working config for this?

I plan on using a pair of 920's with a layer 2 broadcast domain on the 12 
gigabit Ethernet ports, and using the 10g ports to connect to separate 
carriers, but also use 1 10g port to carry the HSRP for the /24 customer 
address space.
The 1 gig ports will all need to be in the customer's /24 that they will 
advertise to the independent carriers, I would like to run STP in case of a 
cabling error, but the routers are entirely owned by them, in their data 
center, and only to be used for ipv4 BGP internet services and a default route 
from each carrier.

Usually we set this up with a pair of routers and 2 switches - in this case I 
need to do it all on an ASR-920-12SZ-IM (cheap 10g router)
Is this possible?

Nick

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert 
Doering
Sent: Thursday, October 19, 2017 2:46 AM
To: Peter Rathlev 
Cc: Gert Doering ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] spanning-tree for local switching on ASR920

Hi,

On Thu, Oct 19, 2017 at 06:05:47AM +0200, Peter Rathlev wrote:
> On Wed, 2017-10-18 at 15:39 +0200, Gert Doering wrote:
> > I have an ASR920 that is supposed to have gi0/0/10 and gi0/0/11 in 
> > the same bridge group, with a routed IP:
> > 
> > interface GigabitEthernet0/0/10
> >  no ip address
> >  media-type auto-select
> >  negotiation auto
> >  cdp enable
> >  service instance 10 ethernet
> >   encapsulation untagged
> >   l2protocol peer stp
> >   bridge-domain 10
> >  !
> 
> We don't use STP on ASR920, but my guess is that you need "bridge- 
> domain from-encapsulation" in the service instance configuration.

So where would untagged packets land, then?  "tag 10 -> bridge 10" I could 
understand, but this is just plain untagged...

> https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/gui
> de/lanswitch/lanswitch-xe-3s-asr920-book/lanswitch-xe-3s-asr920-book_c
> hapter_0101.html#task_130
> 
> Then configure STP for VLAN "10". It doesn't seem like there is any 
> way to map to an arbitrary PVST instance, VLAN ID and bridge domain ID 
> has to match.

I need to test this :-) - though it feels... weird.

gert


--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] SSH through ASA to switch inside

2018-03-06 Thread Nick Cutting
A quick note -  I didn't understand your original question 

The NAT method as others mentioned also works, but I prefer using the VPN for 
the management. 

What I meant by my statement was that this is the only way to have traffic 
cross firewall interfaces that is destined to the firewall, not through the 
firewall (for which the NAT method would have worked, as it is not destined TO 
the firewall).
I thought you were trying to manage the ASA on the inside, through the outside 
interface.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Tuesday, March 6, 2018 3:38 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SSH through ASA to switch inside

Just to update, I went the VPN route, worked great.  Thank you all.

On Fri, Mar 2, 2018 at 10:54 PM, Nick Cutting <ncutt...@edgetg.com> wrote:

> This only works through a VPN, and only with "management access inside"
> enabled on the inside interface.
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
> Of Scott Miller
> Sent: Saturday, March 3, 2018 12:47 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] SSH through ASA to switch inside
>
> Good day all, not sure if this is the right list for a question such 
> as this, but my google searching has hit a dead end.
>
> What I'm trying to accomplish is ssh from the outside world, through an 
> ASA, to a switch for remote access to the switch for maintenance and 
> such
>
> SSH is enabled on the switch, and that works fine independently while 
> inside.
> SSH is enabled on the ASA, locked down to a few source IP's, and that 
> works fine independently.
>
> What I have configured on the ASA is:
>
> Outside interface =  outside
> Inside interface =  OWNER-INSIDE
>
> !
> interface GigabitEthernet1/1
>  nameif outside
>  security-level 0
>  ip address xx.xx.xx.xx 255.255.255.252
> !
> interface GigabitEthernet1/2
>  description INSIDE OWNER UNRESTRICTED ACCESS
>  nameif OWNER-INSIDE
>  security-level 100
>  ip address 10.255.255.253 255.255.255.248
> !
>
> object network SW1
>  host 10.255.255.252
> object network SW2
>  host 10.255.255.251
> object network SW3
>  host 10.255.255.250
>
> object-group network SSH_CLIENTS
>  network-object object SW1
>  network-object object SW2
>  network-object object SW3
>
> object network SW1
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
> object network SW2
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
> object network SW3
>  nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
>
> access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
> access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
> access-list ACL_Outside_to_Inside extended deny ip any any
>
> access-group ACL_Outside_to_Inside in interface outside
>
> access-list inside_access_out extended permit ip any any
>
> When I use the ASDM Packet Tracer to test, using the settings, it 
> shows the packet traversing successfully.  however, when I ssh to IP 
> port 22001, it times out.
>
> Hit counters on the access-list do not increase (they did once, but not 
> sure where that was in my "testing"):
> access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
>   access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85
>
> Hit counters on the nat policies do not increase.
> 1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
> translate_hits = 0, untranslate_hits = 0
> 2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
> translate_hits = 0, untranslate_hits = 0
> 3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
> translate_hits = 0, untranslate_hits = 0
>
> Might be a bit over my head, trying to config the ASA for a new customer.
>
> Any ideas as to what I might be doing wrong?  or need the entire config?
>
> Thanks,
> Scott
> ___
> cisco-nsp mailing list 

Re: [c-nsp] ASr-920 CONSOLE USB - USB

2018-03-05 Thread Nick Cutting
Thanks ! I have the newest driver to try tomorrow.

I have not tried windows on the 12SZ yet

From: George Giannousopoulos [mailto:ggian...@gmail.com]
Sent: Monday, March 5, 2018 2:40 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASr-920 CONSOLE USB - USB

Hi,

We also had some issues lately with the ASR900 family..

The ASR920-24SZ was working ok with the included USB cable, both on Windows and 
Linux
The ASR903 refused to work with Linux-USB, but was working ok with Linux-RJ45, 
Windows-RJ45 and Windows-USB
The ASR920-12SZ refused to work with Linux-USB, but was working ok Windows-USB

It seems the Windows driver Cisco provides makes some difference..
Did you try to download the latest driver BTW?

--
George

On Mon, Mar 5, 2018 at 7:44 PM, Nick Cutting 
<ncutt...@edgetg.com<mailto:ncutt...@edgetg.com>> wrote:
I cannot for the life of me get the USB - USB console port to work on the 12 
port ASR920
It is running 3.18 - I see this because I can see text at boot time, but it 
will not let me type anything at all.

The lead time at the moment on the EIA/232 converter is 75 days.  This is what 
I used to configure my 4 port 920 and it worked fine.
I no longer have access to the converter.

Here is the strange thing - The USBA - USBA works on the ASR920 with 4 ports 
running 3.18.1, but not on the 12 port one?
I am using the exact same terminal emulation settings on the non-working 12 
port 920.


I've tried Linux / Windows / macOS and all the stop bits, flow control etc.

Anyone got any secret tips for me - or I'll have to get my old converter sent 
out from Chicago.

Thanks!

Nick



Re: [c-nsp] ASr-920 CONSOLE USB - USB

2018-03-05 Thread Nick Cutting
Fair enough!

Yes I understand the difference between the USB-A port and the EIA USB port.
I also would copy what I did physically and logically on the working one, to 
the non-working one.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim 
Cooper
Sent: Monday, March 5, 2018 2:30 PM
To: cisco-nsp (cisco-nsp@puck.nether.net) <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] ASr-920 CONSOLE USB - USB

> On 5 Mar 2018, at 19:20, Nick Cutting <ncutt...@edgetg.com> wrote:
> 
> I don’t think it cares what end is plugged in.
> But I left it plugged in to my laptop when I moved it from , to 920-4 
> (working) to the 920-12 not working so that shouldn’t matter.
> 
> It only shows up once it is connected to the router, as a USBModem 
> device in unix style systems

At the risk of being ‘that guy’, you have it in the correct USB port? The A-A 
goes in a different port than the USB-RJ45 adaptor. IIRC it goes in the one on 
the right hand side of the device, and the USB-RJ45 on the USB port on the left 
hand side.

Even if you know this already, which is quite possible if moving the cable from 
a working device, I am sure this will benefit someone who hasn’t experienced 
this fun fact yet!

Re: [c-nsp] ASr-920 CONSOLE USB - USB

2018-03-05 Thread Nick Cutting
I don’t think it cares what end is plugged in.
But I left it plugged in to my laptop when I moved it from , to 920-4 (working) 
to the 920-12 not working so that shouldn’t matter.

It only shows up once it is connected to the router, as a USBModem device in 
unix style systems

From: Chris Marget [mailto:ch...@marget.com]
Sent: Monday, March 5, 2018 1:54 PM
To: Nick Cutting <ncutt...@edgetg.com>
Subject: Re: [c-nsp] ASr-920 CONSOLE USB - USB

Hi Nick,

I can't help, but never having seen one, I'm curious to hear more about the 
cable...

Does the cable care which end goes to the router vs. the PC?

What vendor / product IDs does it report to the PC?

Does the vendor/product ID show up when *only* the PC end is connected, or does 
it require the router before it comes to life?

Thanks.

/chris

On Mon, Mar 5, 2018 at 12:44 PM, Nick Cutting 
<ncutt...@edgetg.com<mailto:ncutt...@edgetg.com>> wrote:
I cannot for the life of me get the USB - USB console port to work on the 12 
port ASR920
It is running 3.18 - I see this because I can see text at boot time, but it 
will not let me type anything at all.

The lead time at the moment on the EIA/232 converter is 75 days.  This is what 
I used to configure my 4 port 920 and it worked fine.
I no longer have access to the converter.

Here is the strange thing - The USBA - USBA works on the ASR920 with 4 ports 
running 3.18.1, but not on the 12 port one?
I am using the exact same terminal emulation settings on the non-working 12 
port 920.


I've tried Linux / Windows / macOS and all the stop bits, flow control etc.

Anyone got any secret tips for me - or I'll have to get my old converter sent 
out from Chicago.

Thanks!

Nick


[c-nsp] ASr-920 CONSOLE USB - USB

2018-03-05 Thread Nick Cutting
I cannot for the life of me get the USB - USB console port to work on the 12 
port ASR920
It is running 3.18 - I see this because I can see text at boot time, but it 
will not let me type anything at all.

The lead time at the moment on the EIA/232 converter is 75 days.  This is what 
I used to configure my 4 port 920 and it worked fine.
I no longer have access to the converter.

Here is the strange thing - The USBA - USBA works on the ASR920 with 4 ports 
running 3.18.1, but not on the 12 port one?
I am using the exact same terminal emulation settings on the non-working 12 
port 920.


I've tried Linux / Windows / macOS and all the stop bits, flow control etc.

Anyone got any secret tips for me - or I'll have to get my old converter sent 
out from Chicago.

Thanks!

Nick



Re: [c-nsp] SSH through ASA to switch inside

2018-03-02 Thread Nick Cutting
This only works through a VPN, and only with "management access inside" enabled 
on the inside interface.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Saturday, March 3, 2018 12:47 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] SSH through ASA to switch inside

Good day all, not sure if this is the right list for a question such as this, 
but my google searching has hit a dead end.

What I'm trying to accomplish is ssh from the outside world, through an ASA, to a 
switch for remote access to the switch for maintenance and such.

SSH is enabled on the switch, and that works fine independently while inside.
SSH is enabled on the ASA, locked down to a few source IP's, and that works 
fine independently.

What I have configured on the ASA is:

Outside interface =  outside
Inside interface =  OWNER-INSIDE

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet1/2
 description INSIDE OWNER UNRESTRICTED ACCESS
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!

object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250

object-group network SSH_CLIENTS
 network-object object SW1
 network-object object SW2
 network-object object SW3

object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003

access-list ACL_Outside_to_Inside remark SSH Connections to specific network objects
access-list ACL_Outside_to_Inside extended permit tcp any object-group SSH_CLIENTS eq ssh
access-list ACL_Outside_to_Inside extended deny ip any any

access-group ACL_Outside_to_Inside in interface outside

access-list inside_access_out extended permit ip any any

When I use the ASDM Packet Tracer to test, using the settings, it shows the 
packet traversing successfully.  however, when I ssh to IP port 22001, it times 
out.

Hit counters on the access-list do not increase (they did once, but not sure 
where that was in my "testing"):
access-list ACL_Outside_to_Inside line 2 extended permit tcp any object-group SSH_CLIENTS eq ssh (hitcnt=3) 0xa4d89883
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.252 eq ssh (hitcnt=3) 0xf72fc547
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.251 eq ssh (hitcnt=0) 0x4dd3ba5f
  access-list ACL_Outside_to_Inside line 2 extended permit tcp any host 10.255.255.250 eq ssh (hitcnt=0) 0x30601a85

Hit counters on the nat policies do not increase.
1 (outside) to (OWNER-INSIDE) source static SW3 interface  service tcp ssh 22003
translate_hits = 0, untranslate_hits = 0
2 (outside) to (OWNER-INSIDE) source static SW2 interface  service tcp ssh 22002
translate_hits = 0, untranslate_hits = 0
3 (outside) to (OWNER-INSIDE) source static SW1 interface  service tcp ssh 22001
translate_hits = 0, untranslate_hits = 0

Might be a bit over my head; I'm trying to configure the ASA for a new customer.

Any ideas as to what I might be doing wrong? Or do you need the entire config?

Thanks,
Scott
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
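One thing worth checking in the config above: in ASA object NAT, the first name in `nat (real_ifc,mapped_ifc)` is the interface the object's real address lives behind, and 10.255.255.250-252 are in the OWNER-INSIDE subnet (10.255.255.248/29), yet the posted lines name outside first. The Python below is an added example, not something from the thread or from Cisco: it parses the interface and object-NAT lines, works out which connected subnet each object's host belongs to, and flags any static NAT whose real interface does not match. The outside address 192.0.2.1 stands in for the masked one in the post, and CONFIG_CORRECTED is the same config with the interface pair reversed (a hypothetical fix for illustration, not one the list confirmed).

```python
import ipaddress
import re

# Constructed sample: the interface and object-NAT lines from the post, with the
# masked outside address replaced by the documentation address 192.0.2.1/30.
CONFIG_AS_POSTED = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/2
 nameif OWNER-INSIDE
 security-level 100
 ip address 10.255.255.253 255.255.255.248
!
object network SW1
 host 10.255.255.252
object network SW2
 host 10.255.255.251
object network SW3
 host 10.255.255.250
object network SW1
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22001
object network SW2
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22002
object network SW3
 nat (outside,OWNER-INSIDE) static interface service tcp ssh 22003
"""

# Hypothetical fix: the same config with the pair written (real_ifc,mapped_ifc).
CONFIG_CORRECTED = CONFIG_AS_POSTED.replace(
    "nat (outside,OWNER-INSIDE)", "nat (OWNER-INSIDE,outside)")

_IFACE_RE = re.compile(r"^interface (\S+)")
_NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
_IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
_OBJECT_RE = re.compile(r"^object network (\S+)")
_HOST_RE = re.compile(r"^\s+host (\S+)")
_NAT_RE = re.compile(
    r"^\s+nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?")


def parse_config(text):
    """Return (interfaces, objects): nameif -> IPv4Interface, and
    object name -> {"host": str | None, "nat": [dict, ...]}."""
    interfaces, objects = {}, {}
    nameif = None   # nameif of the interface block being read
    obj = None      # object dict being read (re-entering an object merges)
    for line in text.splitlines():
        if _IFACE_RE.match(line):
            nameif, obj = None, None
        elif m := _OBJECT_RE.match(line):
            obj = objects.setdefault(m.group(1), {"host": None, "nat": []})
        elif m := _NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif nameif and (m := _IPADDR_RE.match(line)):
            interfaces[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif obj is not None and (m := _HOST_RE.match(line)):
            obj["host"] = m.group(1)
        elif obj is not None and (m := _NAT_RE.match(line)):
            obj["nat"].append({
                "real_ifc": m.group(1), "mapped_ifc": m.group(2),
                "mapped": m.group(3), "proto": m.group(4),
                "real_port": m.group(5), "mapped_port": m.group(6),
            })
    return interfaces, objects


def interface_for_host(interfaces, host):
    """nameif of the connected subnet containing host, or None if none does."""
    addr = ipaddress.ip_address(host)
    for nameif, ifc in interfaces.items():
        if addr in ifc.network:
            return nameif
    return None


def check_object_nat(text):
    """One finding per object-NAT line; ok is True when the interface named
    first in nat (real_ifc,mapped_ifc) is the one the real host sits behind."""
    interfaces, objects = parse_config(text)
    findings = []
    for name, o in objects.items():
        expected = interface_for_host(interfaces, o["host"]) if o["host"] else None
        for nat in o["nat"]:
            findings.append({
                "object": name, "host": o["host"],
                "real_ifc": nat["real_ifc"], "mapped_ifc": nat["mapped_ifc"],
                "mapped_port": nat["mapped_port"],
                "expected_real_ifc": expected,
                "ok": expected is not None and expected == nat["real_ifc"],
            })
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("corrected", CONFIG_CORRECTED)):
        for f in check_object_nat(cfg):
            verdict = "ok" if f["ok"] else f"real interface should be {f['expected_real_ifc']}"
            print(f"{label}: {f['object']} {f['host']} "
                  f"nat ({f['real_ifc']},{f['mapped_ifc']}) port {f['mapped_port']}: {verdict}")
```

The on-box equivalent is a `packet-tracer input outside tcp <src-ip> <src-port> <outside-interface-ip> 22001` run from the outside interface; a trace that enters on a different interface will not exercise the inbound untranslate, which is consistent with the zero `untranslate_hits` shown above.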



Re: [c-nsp] highly available ipsec vpn

2018-02-08 Thread Nick Cutting
What devices? ISR / ASR ? 
static VTI tunnels or DMVPN?

Try not to mix HSRP and routing - HSRP is just for gateways. If you need two 
tunnels you will need a routing protocol.

Send us the design you need to accomplish 

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
harbor235
Sent: Thursday, February 8, 2018 5:34 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] highly available ipsec vpn

I am looking to implement a highly available IPSEC route based VPN.
Traditionally I would bring up multiple tunnels with multiple BGP peers in a 
dual router setup.

The IPSEC HSRP design appears to be the flavor of the day; failover times appear to 
be lengthy compared to failover times via BGP. Is anyone using the HSRP HA 
setup? Are your experiences good or bad? Has the BGP route based IPSEC VPN 
design fallen from grace?


Mike


Re: [c-nsp] Core layer device n7004 vs n9396px

2018-02-01 Thread Nick Cutting
I have used both of these as campus cores before (years apart), simple setups.  
I believe the 9396PX is far cheaper for the speeds you get. Just remember what 
is missing, such as OTV / VDC.  Done many Nexus 9k deployments in the last 
year, no complaints. 

All the BGP I have done on the 9k has been IPv4 for leaf / spine.  I still use 
routers on the WAN side when taking in the full tables.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Satish 
Patel
Sent: Thursday, February 1, 2018 10:44 AM
To: Garrett Skjelstad 
Cc: cisco-nsp NSP 
Subject: Re: [c-nsp] Core layer device n7004 vs n9396px

The reason we are planning to terminate the ISP link on a Nexus switch is that we 
have a very flat setup: we don't have any MPLS or any complex scenario, all our 
data is north-south, and for the last few years we have been using ISP links on 
switches, but this time we are planning to get bigger switches.

As you mentioned, the N9300 is not good for BGP, but we have a very, very simple 
BGP setup; we don't plan to do any kind of complex routing, it's going to be a 
default route.

All I want to know is which switch I should use in the core, N7004 or N9396PX, if 
I need to pick one of them?


On Wed, Jan 17, 2018 at 4:37 PM, Garrett Skjelstad  
wrote:
> +1 to your comment about not using ACI-designed switches with NX-OS. I too
> was burned by this during a migratory period.
>
> On Jan 16, 2018 15:59, "Igor Sukhomlinov"  wrote:
>
> +1 to question about routing.
> Terminating uplinks from an ISP on a switch is generally not the best 
> approach. Not that it will not do the job - just you will lose a fair 
> bit of flexibility for your internet uplink/s.
> The best option imo is to go with ASR9k/NCS5k/NCS5500 series. If 
> you're actually planning to add flexibility for your Internet 
> connection, e.g. add extra uplinks, either of these platforms will do the job 
> easily.
>
> I had experience 2 years ago with Nexus9300 terminating some BGP and 
> would not recommend it. Too many limitations and inconsistencies. This 
> is a leaf switch tailored for ACI deployments.
>
> Rgds,
> Igor
>
> On Wed, Jan 17, 2018 at 9:00 AM, Gustav Ulander < 
> gustav.ulan...@telecomputing.se> wrote:
>
>> How much routing are you going to do?
>> Nexus platform is still a switch so it really depends on what 
>> features you need and not just the number of 10Gbit ports.
>> NCS 5k platform could also be a contender perhaps?
>>
>> //Gustav
>>
>> -Original Message-
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Satish 
>> Patel
>> Sent: 16 January 2018 14:44
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] Core layer device n7004 vs n9396px
>>
>>
>> We are planning to get a 40gbps (4x10G) bonded link from an ISP and I’m 
>> looking for any good device to terminate it on.
>>
>> Should I use n7004 or n9396px for core?
>>
>> We have very basic network no MPLS, no cloud etc. all I need good 
>> performance and reliable hardware.
>>
>> Let’s say after a couple of years I get a new 40gbps link on the same hardware; 
>> in that case, how will I set the default gw for the two ISP uplinks? Should I 
>> use VDC or VRF for that scenario?
>>
>>
>> Sent from my iPhone

Re: [c-nsp] Cisco ISR 4331

2018-01-31 Thread Nick Cutting
Speed or features?

These devices have feature parity with the previous generations of ISR. 2900 / 
2800 etc


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Harry 
Hambi - Atos
Sent: Wednesday, January 31, 2018 8:34 AM
To: 'cisco-nsp@puck.nether.net' 
Subject: [c-nsp] Cisco ISR 4331

Hi All,
I would like to find details on the multicast support capabilities of the ISR 
4331s, as we need to enable multicast on these routers and need to have 
confidence that we understand their capabilities, so that we don’t cause an 
unplanned outage.  I have had limited success in finding performance data on 
the internet. Any help appreciated.


Rgds
Harry

Harry Hambi BEng(Hons)  MIET  Rsgb

http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal 
views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on 
it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

-

Re: [c-nsp] Upgrading from 3.0.6 to Denali-16.3.5b

2018-01-18 Thread Nick Cutting
Big dog MPLS, multiprotocol BGP etc., but the fancy stuff is missing

Nick Cutting

> On Jan 18, 2018, at 5:13 PM, Radu-Adrian FEURDEAN 
> <cisco-...@radu-adrian.feurdean.net> wrote:
> 
> Hi,
> 
>> On Wed, Jan 17, 2018, at 22:55, Nick Cutting wrote:
>> 
>> Denali is where they added MPLS, which is a major overhaul in this "slow 
>> part of the upgrade" - the ASIC programming
> 
> Is that MPLS like "Label Switching" (in which case it looks like a big WOW on 
> Cat3K) or MPLS like "VRF-Lite" ?


Re: [c-nsp] Upgrading from 3.0.6 to Denali-16.3.5b

2018-01-18 Thread Nick Cutting
Like Tristan - we have not made the Jump to Denali yet either.
Most of our 3850's and 3850 stacks are on client sites that do not need the 
MPLS functionality. 

I have also not used the rollback command switch at upgrade time.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tristan 
Gulyas
Sent: Thursday, January 18, 2018 8:44 AM
To: Christina Klam 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Upgrading from 3.0.6 to Denali-16.3.5b

Hi,

On 3850 multigigabit switches (12X48U, 24XS or 24XU), I'm seeing around 20 
minutes from reboot to restoration of service, even on stacks.  I seem to 
recall the 24U models run quicker as they have less ASIC resources for 
programming.  This seems fairly consistent.  Are you using TFTP/SCP to transfer 
files? I've found that some transfers go at a glacial speed (at the point where 
they will time out occasionally); Cisco's recommendation to copy to local flash 
first improves the situation, but makes this a three step process (copy, 
reboot, clean).

We upgraded a test/QAT model last week that caused every switch in that layer 2 
domain (~30 building distribution stacks) to learn EVERY MAC address on the 
network, which exceeded the 3750X MAC address table limits...

Downgrading the code made the issue disappear. 

We're still on a 3.7.x engineering release and targeting 16.3.5b for 
improvements in stacking stability and auto-upgrade features we specifically 
requested.

Cheers,
Tristan

> On 18 Jan 2018, at 7:59 am, Christina Klam  wrote:
> 
> All,
> 
> This is the second Cat3850 that I have tried to upgrade to Denali-16.3.5b.  
> Both take hours to go from expanding the files to finishing.  I am on hour 
> two for the second switch.  Except for interface status messages about my 
> management port (Gig 0/0), there is nothing going over the console.  I am 
> just assuming that the upgrading is indeed happening.  When I did the first 
> switch, it took hours as well, so I will be patient.  But I am not happy.
> 
> Fortunately, I have the luxury that these two switches were/are not in 
> production at the time of their upgrades.  However, I will not have the 
> luxury for the other 3850s.
> 
> What is your experience with upgrading to Denali or Everest?   This is beyond 
> ridiculous.  
> 
> Regards,
> Christina


Re: [c-nsp] Upgrading from 3.0.6 to Denali-16.3.5b

2018-01-17 Thread Nick Cutting
What did you upgrade from? It is the microcode (asic programming) that takes 
the longest time.
I have never waited longer than 45 minutes - but that is on 3.x -> 3.x

Denali is where they added MPLS, which is a major overhaul in this "slow part 
of the upgrade" - the ASIC programming

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
Christina Klam
Sent: Wednesday, January 17, 2018 3:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Upgrading from 3.0.6 to Denali-16.3.5b

All,

This is the second Cat3850 that I have tried to upgrade to Denali-16.3.5b.  
Both take hours to go from expanding the files to finishing.  I am on hour two 
for the second switch.  Except for interface status messages about my 
management port (Gig 0/0), there is nothing going over the console.  I am just 
assuming that the upgrading is indeed happening.  When I did the first switch, 
it took hours as well, so I will be patient.  But I am not happy.

Fortunately, I have the luxury that these two switches were/are not in 
production at the time of their upgrades.  However, I will not have the luxury 
for the other 3850s.

What is your experience with upgrading to Denali or Everest?   This is beyond 
ridiculous.  

Regards,
Christina


Re: [c-nsp] RAM for 4431 with full BGP table?

2017-12-28 Thread Nick Cutting
I would also like to know the answer to this.

I always get scared and buy 16 gig if I'm taking in the full routing table. 
(4431/4451/4351 so far)

 I'm sure I could get away with 8. Not sure about 4, would love to know

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adam 
Greene
Sent: Thursday, December 28, 2017 10:30 AM
To: 'Cisco-nsp List' 
Subject: [c-nsp] RAM for 4431 with full BGP table?

Hi all,

I am trying to figure out if a 4431 can accommodate a full BGP routing table 
with its default 4GB RAM or if it needs 8GB.

Our current benchmark is a 2921 router with 2.5GB RAM:

Cisco CISCO2921/K9 (revision 1.0) with 2506752K/114688K bytes of memory

With a full routing table, it is only using about 839MB of RAM:

ROUTER#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   3D52CDE0  2350969276   839257740  1511711536  1237731724  643241260
      I/O        900   117440512    18382712    99057800    98987952   98649340

(By the way, I would not recommend running a 2921 with a full BGP routing table 
since the CPU starts to buckle when throughput also approaches 100M, in my 
experience).

By default, the 4431 comes with 2 GB for the data-plane and 4 GB for the 
control-plane. I would think this would be sufficient for a full BGP table, but 
the opinions I've seen out there appear to be conflicting. For example:

https://supportforums.cisco.com/t5/wan-routing-and-switching/maximum-bgp-table-size-in-isr-4551-4331-with-standard-data-plane/td-p/2816329

Cisco itself states
(https://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/white-paper-c11-734550.html#_Toc424889858) 
that "All Cisco 4000 platforms support a full Internet routing table (500,000
prefixes) @ 8-GB DRAM."

It's sounding to me like 8GB would be advisable.

Wondering if anyone out there has real-world experience to share.

BTW, in our case, we have limited ACLs and no NAT, but do have about 80 QoS 
policies also consuming resources (though I think that would impact CPU more 
than RAM).

Thanks,

Adam




Re: [c-nsp] ASR920 Opinions

2017-12-20 Thread Nick Cutting
Netflow - 

Requires an extra license
Only works at 1gig
So we did not bother.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason 
Lixfeld
Sent: Tuesday, December 19, 2017 1:31 PM
To: Cisco-nsp 
Subject: [c-nsp] ASR920 Opinions

Hey all,

With the ME3600 EOL, we’re looking to start deploying ASR920s.  These boxes 
would run 100% L3 on the core facing sides (at 10 or 20Gbps), and aside from 
the odd corner case, 100% L3 on the customer facing side.

Some of the more major features they’d run would be:
ISIS
LDP
BFD
BGP-VPNv4
BGP-VPNv6 (6VPE)
BGP Selective Route Download
IPv6*
ACL (ingress and egress)*
Per-VRF label mode
EoMPLS
FAT-PW
VRF aware DHCP Relay w/option 82 stamping (device, port (EFP?), VLAN)
VRF aware DHCP Server

Corner cases would include BGP signalled VPLS w/BGP-AD, and l2protocol support 
for peer/forward/tunnel primarily on CDP and STP-type frames, as required.

*ME3600s cannot support simultaneous configuration of egress ACLs and IPv6.  
I’ve heard that the ASR920 resources are carved up differently, where this is 
no longer a problem.

My understanding is that the ASR920 behaves more like an ASR1000 than an ME3600 
in terms of how L2 is implemented (ie: no more global vlan table, vlan 
database, etc. and all EFP/bridge-domain based).  Also, I understand that these 
boxes have Netflow to some degree, but a cursory look at the documentation 
seems to suggest that you need to set the SDM profile to video (which affects 
the device scale as it reconfigures the TCAM) if you want to enable Netflow?

I know this isn't the first time a “what are your experiences with these boxes 
like?” thread has made the rounds, but I wanted to throw it out again to see 
how much has changed since the last time it circulated.  So, while we wait for 
some of these guys for the lab, I’m looking for some feedback on what to expect 
from these boxes in terms of reliability (hardware and software), feature 
limitations/gotchas, a good, reliable code version, and anything else someone 
might want to share about these guys, good, bad or indifferent.

Thanks again, in advance.

Re: [c-nsp] Cisco 3750G backplane throughput

2017-12-15 Thread Nick Cutting
Nice work – The generation 1 and 2 3560 and 3750’s had 2/4 ASICS.

I was wrong earlier, (switch replaced on me!) the E and the X have 1 per 24 
ports.

I did dig one up – and got the same results as below

Each SFP is on ONE of the ASICs shared by the copper ports.

From: ckn...@savage.za.org [mailto:ckn...@savage.za.org] On Behalf Of Chris 
Knipe
Sent: Friday, December 15, 2017 7:38 AM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp (cisco-nsp@puck.nether.net) <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Cisco 3750G backplane throughput

3750G-48-TS:

Switch   Ports  Model  SW Version  SW Image
--   -  -  --  --
*1   52 WS-C3750G-48TS 12.2(40)SE  C3750-ADVIPSERVICESK


# sh platform pm platform-block

interface  gid  gpn  lpn  asic  hw-i  flags  sp  dp  bundle  vlan  mvid  mac  so_di  i_vlan
-------------------------------------------------------------------------------------------
Gi1/0/1      1    1    1     6     3  U       2   2  no         0     0    0  61441       0
Gi1/0/2      2    2    2     6     0  D       0   0  no         0     0    0  61442       0
Gi1/0/3      3    3    3     6     1  D       0   0  no         0     0    0  61443       0
Gi1/0/4      4    4    4     6     2  U       3   2  no         0     0    0  61444       0
Gi1/0/5      5    5    5     5     2  D       0   0  no         0     0    0  61445       0
Gi1/0/6      6    6    6     5     3  D       0   0  no         0     0    0  61446       0
Gi1/0/7      7    7    7     5     0  D       0   0  no         0     0    0  61447       0
Gi1/0/8      8    8    8     5     1  D       0   0  no         0     0    0  61448       0
Gi1/0/9      9    9    9     8     3  D       0   0  no         0     0    0  61449       0
Gi1/0/10    10   10   10     8     0  D       0   0  no         0     0    0  61450       0
Gi1/0/11    11   11   11     8     1  D       0   0  no         0     0    0  61451       0
Gi1/0/12    12   12   12     8     2  D       0   0  no         0     0    0  61452       0
Gi1/0/13    13   13   13     7     2  D       0   0  no         0     0    0  61453       0
Gi1/0/14    14   14   14     7     3  D       0   0  no         0     0    0  61454       0
Gi1/0/15    15   15   15     7     0  D       0   0  no         0     0    0  61455       0
Gi1/0/16    16   16   16     7     1  D       0   0  no         0     0    0  61456       0
Gi1/0/17    17   17   17     4     3  D       0   0  no         0     0    0  61457       0
Gi1/0/18    18   18   18     4     0  D       0   0  no         0     0    0  61458       0
Gi1/0/19    19   19   19     4     1  D       0   0  no         0     0    0  61459       0
Gi1/0/20    20   20   20     4     2  D       0   0  no         0     0    0  61460       0
Gi1/0/21    21   21   21     3     2  D       0   0  no         0     0    0  61461       0
Gi1/0/22    22   22   22     3     3  D       0   0  no         0     0    0  61462       0
Gi1/0/23    23   23   23     3     0  D       0   0  no         0     0    0  61463       0
Gi1/0/24    24   24   24     3     1  D       0   0  no         0     0    0  61464       0
Gi1/0/25    25   25   25    10     3  D       0   0  no         0     0    0  61465       0
Gi1/0/26    26   26   26    10     0  U       2   2  no         0     0    0  61466       0
Gi1/0/27    27   27   27    10     1  D       0   0  no         0     0    0  61467       0
Gi1/0/28    28   28   28    10     2  U       3   2  no         0     0    0  61468       0
Gi1/0/29    29   29   29     9     2  D       0   0  no         0     0    0  61469       0
Gi1/0/30    30   30   30     9     3  D       0   0  no         0     0    0  61470       0
Gi1/0/31    31   31   31     9     0  U       2   2  no         0     0    0  61471       0
Gi1/0/32    32   32   32     9     1  D       0   0  no         0     0    0  61472       0
Gi1/0/33    33   33   33     2     3  U       3   2  no         0     0    0  61473       0
Gi1/0/34    34   34   34     2     0  D       0   0  no         0     0    0  61474       0
Gi1/0/35    35   35   35     2     1  D       0   0  no         0     0    0  61475       0
Gi1/0/36    36   36   36     2     2  U       3   2  no         0     0    0  61476       0
Gi1/0/37    37   37   37     1     2  U       2   2  no         0     0    0  61477       0
Gi1/0/38    38   38   38     1     3  U       3   2  no         0     0    0  61478       0
Gi1/0/39    39   39   39     1     0  U       3   2  no         0     0    0  61479       0
Gi1/0/40    40   40   40     1     1  U       3   2  no         0     0    0  61480       0
Gi1/0/41    41   41   41    12     3  U       1   1  no         0     0    0  61481       0
Gi1/0/42    42   42   42    12     0  U       2   2  no         0     0    0  61482       0
Gi1/0/43    43   43   43    12     1  D       0   0  no         0     0    0  61483       0
Gi1/0/44    44   44   44    12     2  D       0   0  no         0     0    0  61484       0
Gi1/0/45    45   45   45    11     2  D       3   2  no         0     0    0  61485       0
Gi1/0/46    46   46   46    11     3  D       0   0  no         0     0    0  61486       0
Gi1/0/47    47   47   47    11     0  D       3   2  no         0     0    0  61487       0
Gi1/0/48    48   48   48    11     1  U       3   2  no         0     0    0  61488       0
Gi1/0/49    49   49   49     0     3  D       0   0  no         0     0    0  61489       0
Gi1/0/50    50   50   50     0     2  D       0   0  no         0     0    0  61490       0
Gi1/0/51    51   51   51     0     1  D       0   0  no         0     0    0  61491       0
Gi1/0/52    52   52   52     0     0  U       3   2  no         0     0    0  61492       0



On Fri, Dec 15, 2017 at 2:33 PM, Nick Cutting 
<ncutt...@edgetg.c

Re: [c-nsp] Cisco 3750G backplane throughput

2017-12-15 Thread Nick Cutting
I just realized that switch output I pasted was a 2960X - the 3560G was swapped 
out by a colleague on Tuesday night !
It was a 3650G 48TS on Monday.

The command should still work for you though

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick 
Cutting
Sent: Friday, December 15, 2017 7:29 AM
To: Bryan Holloway <br...@shout.net>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 3750G backplane throughput

Use this command:

sh platform pm platform-block

Should be one ASIC per 24 ports, so a TS should have 1 ASIC for the normal 
ports and one for the SFPs.
On my 48-port TS, the SFPs are shared across the two normal ASICs (48 copper 
ports).

I just removed my lab 3560g-24TS so I can't be 100 percent sure on the ASIC 
distribution.  I think it had 1 ASIC for the 24 copper and one for the SFPs.

How is your LAG traffic distribution?  You need many different flows to get 
much out of a LAG.
It is harder to get bandwidth out of the LAG than to be output-dropped by the 
ASIC; what I mean is one port in the LAG may hit line rate before the others 
are even using 50 percent of bandwidth.

*1 52 WS-C2960X-48LPS-L 15.2(2)E6
sh platform pm platform-block
interface gid gpn lpn asic
--
Gi1/0/1   1   1   1   0   
Gi1/0/2   2   2   2   0   
Gi1/0/3   3   3   3   0   
Gi1/0/4   4   4   4   0   
Gi1/0/5   5   5   5   0   
Gi1/0/6   6   6   6   0   
Gi1/0/7   7   7   7   0   
Gi1/0/8   8   8   8   0   
Gi1/0/9   9   9   9   0   
Gi1/0/10  10  10  10  0   
Gi1/0/11  11  11  11  0   
Gi1/0/12  12  12  12  0   
Gi1/0/13  13  13  13  0   
Gi1/0/14  14  14  14  0   
Gi1/0/15  15  15  15  0   
Gi1/0/16  16  16  16  0   
Gi1/0/17  17  17  17  0   
Gi1/0/18  18  18  18  0   
Gi1/0/19  19  19  19  0   
Gi1/0/20  20  20  20  0   
Gi1/0/21  21  21  21  0   
Gi1/0/22  22  22  22  0   
Gi1/0/23  23  23  23  0   
Gi1/0/24  24  24  24  0   
Gi1/0/25  25  25  25  1   
Gi1/0/26  26  26  26  1   
Gi1/0/27  27  27  27  1   
Gi1/0/28  28  28  28  1   
Gi1/0/29  29  29  29  1   
Gi1/0/30  30  30  30  1   
Gi1/0/31  31  31  31  1   
Gi1/0/32  32  32  32  1   
Gi1/0/33  33  33  33  1   
Gi1/0/34  34  34  34  1   
Gi1/0/35  35  35  35  1   
Gi1/0/36  36  36  36  1   
Gi1/0/37  37  37  37  1   
Gi1/0/38  38  38  38  1   
Gi1/0/39  39  39  39  1   
Gi1/0/40  40  40  40  1   
Gi1/0/41  41  41  41  1   
Gi1/0/42  42  42  42  1   
Gi1/0/43  43  43  43  1   
Gi1/0/44  44  44  44  1   
Gi1/0/45  45  464 45  1   
Gi1/0/46  46  465 46  1   
Gi1/0/47  47  457 47  1   
Gi1/0/48  48  456 48  1   
Gi1/0/49  49  49  49  0   
Gi1/0/50  50  50  50  0   
Gi1/0/51  51  51  51  1   
Gi1/0/52  52  52  52  1   

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bryan 
Holloway
Sent: Thursday, December 14, 2017 7:55 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 3750G backplane throughput

Hello community,

I'm curious if someone is in the know or can point me to a document that 
describes how the backplane is carved up on a 3750G. I.e., ports per ASIC, 
etc., if applicable. I've dug around the Cisco docs to no avail.

I'm particularly interested to know how the four-port SFP section is handled 
on, for example, a WS-C3750G-24TS. Does it have its own ASIC for all four SFP 
ports? Or is that also carved up amongst other ports? If one were to LAG all 
four SFP ports together, should one expect to be able to reach a full 4 Gbps 
(assuming no taxation from other switch ports?)

We're running into an odd issue where we're unable to achieve more than
2 Gbps of bandwidth, but I have a hard time believing this is a switch 
limitation.

Any input would be most appreciated, thanks!

- bryan


Re: [c-nsp] Cisco 3750G backplane throughput

2017-12-15 Thread Nick Cutting
Use this command:

sh platform pm platform-block

Should be one ASIC per 24 ports, so a TS should have 1 ASIC for the normal 
ports and one for the SFPs.
On my 48-port TS, the SFPs are shared across the two normal ASICs (48 copper 
ports).

I just removed my lab 3560g-24TS so I can't be 100 percent sure on the ASIC 
distribution.  I think it had 1 ASIC for the 24 copper and one for the SFPs.

How is your LAG traffic distribution?  You need many different flows to get 
much out of a LAG.
It is harder to get bandwidth out of the LAG than to be output-dropped by the 
ASIC; what I mean is one port in the LAG may hit line rate before the others 
are even using 50 percent of bandwidth.

*1 52 WS-C2960X-48LPS-L 15.2(2)E6
sh platform pm platform-block
interface gid gpn lpn asic
--
Gi1/0/1   1   1   1   0   
Gi1/0/2   2   2   2   0   
Gi1/0/3   3   3   3   0   
Gi1/0/4   4   4   4   0   
Gi1/0/5   5   5   5   0   
Gi1/0/6   6   6   6   0   
Gi1/0/7   7   7   7   0   
Gi1/0/8   8   8   8   0   
Gi1/0/9   9   9   9   0   
Gi1/0/10  10  10  10  0   
Gi1/0/11  11  11  11  0   
Gi1/0/12  12  12  12  0   
Gi1/0/13  13  13  13  0   
Gi1/0/14  14  14  14  0   
Gi1/0/15  15  15  15  0   
Gi1/0/16  16  16  16  0   
Gi1/0/17  17  17  17  0   
Gi1/0/18  18  18  18  0   
Gi1/0/19  19  19  19  0   
Gi1/0/20  20  20  20  0   
Gi1/0/21  21  21  21  0   
Gi1/0/22  22  22  22  0   
Gi1/0/23  23  23  23  0   
Gi1/0/24  24  24  24  0   
Gi1/0/25  25  25  25  1   
Gi1/0/26  26  26  26  1   
Gi1/0/27  27  27  27  1   
Gi1/0/28  28  28  28  1   
Gi1/0/29  29  29  29  1   
Gi1/0/30  30  30  30  1   
Gi1/0/31  31  31  31  1   
Gi1/0/32  32  32  32  1   
Gi1/0/33  33  33  33  1   
Gi1/0/34  34  34  34  1   
Gi1/0/35  35  35  35  1   
Gi1/0/36  36  36  36  1   
Gi1/0/37  37  37  37  1   
Gi1/0/38  38  38  38  1   
Gi1/0/39  39  39  39  1   
Gi1/0/40  40  40  40  1   
Gi1/0/41  41  41  41  1   
Gi1/0/42  42  42  42  1   
Gi1/0/43  43  43  43  1   
Gi1/0/44  44  44  44  1   
Gi1/0/45  45  464 45  1   
Gi1/0/46  46  465 46  1   
Gi1/0/47  47  457 47  1   
Gi1/0/48  48  456 48  1   
Gi1/0/49  49  49  49  0   
Gi1/0/50  50  50  50  0   
Gi1/0/51  51  51  51  1   
Gi1/0/52  52  52  52  1   

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Bryan 
Holloway
Sent: Thursday, December 14, 2017 7:55 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco 3750G backplane throughput

Hello community,

I'm curious if someone is in the know or can point me to a document that 
describes how the backplane is carved up on a 3750G. I.e., ports per ASIC, 
etc., if applicable. I've dug around the Cisco docs to no avail.

I'm particularly interested to know how the four-port SFP section is handled 
on, for example, a WS-C3750G-24TS. Does it have its own ASIC for all four SFP 
ports? Or is that also carved up amongst other ports? If one were to LAG all 
four SFP ports together, should one expect to be able to reach a full 4 Gbps 
(assuming no taxation from other switch ports?)

We're running into an odd issue where we're unable to achieve more than
2 Gbps of bandwidth, but I have a hard time believing this is a switch 
limitation.

Any input would be most appreciated, thanks!

- bryan
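To read the `sh platform pm platform-block` output above without scanning 52 rows by eye, here is an added Python example (mine, not from the thread or from Cisco). It parses the interface and asic columns, groups ports per ASIC, and reports how the members of a proposed LAG, such as the four SFP ports asked about, are spread across ASICs. The regex reads the five-column 2960X format and the first five columns of the wider 3750G format posted in the thread. SAMPLE_OUTPUT is a constructed, trimmed copy of the 2960X rows above.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the 2960X output in the thread (ports 1-4,
# 25-26, 45-48 and the four SFP ports 49-52), column widths as printed by IOS.
SAMPLE_OUTPUT = """\
interface gid gpn lpn asic
--
Gi1/0/1   1   1   1   0
Gi1/0/2   2   2   2   0
Gi1/0/3   3   3   3   0
Gi1/0/4   4   4   4   0
Gi1/0/25  25  25  25  1
Gi1/0/26  26  26  26  1
Gi1/0/45  45  464 45  1
Gi1/0/46  46  465 46  1
Gi1/0/47  47  457 47  1
Gi1/0/48  48  456 48  1
Gi1/0/49  49  49  49  0
Gi1/0/50  50  50  50  0
Gi1/0/51  51  51  51  1
Gi1/0/52  52  52  52  1
"""

# interface, gid, gpn, lpn, asic: the 3750G output in the thread starts with the
# same five columns, so the header and separator lines are the only ones skipped.
_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_platform_block(text):
    """Return {interface: asic} from 'show platform pm platform-block' output."""
    mapping = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            mapping[m.group(1)] = int(m.group(5))
    return mapping


def ports_per_asic(mapping):
    """Group interfaces by ASIC, keeping the order the switch listed them in."""
    groups = defaultdict(list)
    for ifc, asic in mapping.items():
        groups[asic].append(ifc)
    return dict(sorted(groups.items()))


def lag_asic_spread(mapping, members):
    """Return {asic: [members]} for a proposed LAG; an unknown port raises KeyError."""
    spread = defaultdict(list)
    for ifc in members:
        spread[mapping[ifc]].append(ifc)
    return dict(sorted(spread.items()))


def lag_report(mapping, members):
    """Human-readable summary of lag_asic_spread()."""
    spread = lag_asic_spread(mapping, members)
    lines = [f"{len(members)} members across {len(spread)} ASIC(s):"]
    for asic, ports in spread.items():
        lines.append(f"  asic {asic}: {', '.join(ports)}")
    return "\n".join(lines)


if __name__ == "__main__":
    ports = parse_platform_block(SAMPLE_OUTPUT)
    for asic, ifcs in ports_per_asic(ports).items():
        print(f"asic {asic}: {len(ifcs)} ports")
    print(lag_report(ports, ["Gi1/0/49", "Gi1/0/50", "Gi1/0/51", "Gi1/0/52"]))
```

Run against a full capture, the per-ASIC grouping answers the original question directly (which copper ports a given SFP shares an ASIC with), and the LAG report shows whether a bundle's members all land on one ASIC or are split, which is the first thing to know before blaming the switch for a 2 Gbps ceiling.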


Re: [c-nsp] multiple GRE on the same gear

2017-12-01 Thread Nick Cutting
I am 99 percent certain this does not happen on anything but the 6500; it is 
something to do with the hardware forwarding not being able to handle an extra 
field to index something.

One of Ivan Pepelnjak's webinars talked more about it (the 6500 having the 
issue) - and he mentioned ISR / ASR did not have the issue.

Sorry I could not provide more detail.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james 
list
Sent: Monday, November 27, 2017 11:45 AM
To: cisco-nsp NSP 
Subject: [c-nsp] multiple GRE on the same gear

This message originates from outside of your organisation.

Dear experts,
the bug CSCdy72539 states that on a Cisco 6500 with SUP720, if multiple GRE 
interfaces are created using the same source address, traffic is switched in 
CPU instead of hardware; it seems the issue is solved with SUP2T.
The question: can the ASR1001X suffer from the same issue?
I'm not able to find any info on the web.

Can anyone help ?

Cheers
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Inter-area Summarization problem on Nexus 9508

2017-11-16 Thread Nick Cutting
What code are you running? On my N9k it accepts both:

Software
  BIOS: version 07.61
  NXOS: version 7.0(3)I6(2)
  BIOS compile time:  04/06/2017
  NXOS image file is: bootflash:///nxos.7.0.3.I6.2.bin
  NXOS compile time:  10/17/2017 19:00:00 [10/17/2017 21:48:10]

SW-01(config)# router ospf CH-L02
SW-01(config-router)#   vrf ClientA
SW-01(config-router-vrf)# area 1 stub no-summary 
SW-01(config-router-vrf)# area 1 range 10.203.165.80/28
SW-01(config-router-vrf)#

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
t...@pelican.org
Sent: Thursday, November 16, 2017 9:43 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Inter-area Summarization problem on Nexus 9508

This message originates from outside of your organisation.

On Thursday, 16 November, 2017 13:24, "Brian Turnbow"  said:

>>  Anyone know what is wrong with the below range ?
>>
> 
> Yep, host bits are set
> You need to put in the network
> 
>> router ospf 386
>>   vrf AAA
>> area 0.0.0.1 stub no-summary
>>
>> NX9KB9002(config-router-vrf)# area 1 range 10.203.165.80/28
>> Invalid range, host bits are set

10.203.165.80 is a valid network address for a /28, but doesn't "area range" 
take an address and dotted-quad netmask rather than a CIDR prefix?  So:

area 1 range 10.203.165.80 255.255.255.240

Regards,
Tim.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
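The "host bits are set" rejection discussed in this thread is easy to catch before a config hits the box. The following is an added Python example, not code from the thread or from Cisco: it parses the argument of `area <id> range` in either CIDR form or the address-plus-dotted-quad-mask form Tim suggests, clears the host bits, and flags lines where the address as written is not the network address. The sample config is constructed, modelled on the snippet quoted above; which of the two syntaxes a given NX-OS release accepts is not something this check decides.

```python
import ipaddress


def check_area_range(arg):
    """Parse the argument of 'area <id> range <arg>'.

    Accepts CIDR ('10.203.165.80/28') or address plus dotted-quad mask
    ('10.203.165.80 255.255.255.240'). Returns the network with host bits
    cleared, its 'address mask' rendering, and whether the address as given
    had host bits set (the condition the switch in the thread rejects).
    """
    parts = arg.split()
    if len(parts) == 2:
        # ip_interface accepts a dotted-quad mask after the slash
        iface = ipaddress.ip_interface(f"{parts[0]}/{parts[1]}")
    elif len(parts) == 1:
        iface = ipaddress.ip_interface(parts[0])
    else:
        raise ValueError(f"unrecognised range argument: {arg!r}")
    net = iface.network  # network containing the address, host bits cleared
    return {
        "network": str(net),
        "address_mask": f"{net.network_address} {net.netmask}",
        "host_bits_set": iface.ip != net.network_address,
    }


def lint_area_ranges(config_lines):
    """Return (line, corrected network) for every range whose host bits are set."""
    findings = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "area" or tokens[2] != "range":
            continue
        # CIDR form is one token; 'address mask' form is two tokens.
        arg = tokens[3] if "/" in tokens[3] else " ".join(tokens[3:5])
        info = check_area_range(arg)
        if info["host_bits_set"]:
            findings.append((line.strip(), info["network"]))
    return findings


# Constructed config for this example, modelled on the snippet in the thread;
# only the second range line has host bits set.
SAMPLE_CONFIG = [
    "router ospf 386",
    "  vrf AAA",
    "    area 0.0.0.1 stub no-summary",
    "    area 1 range 10.203.165.80/28",
    "    area 1 range 10.203.165.85/28",
    "    area 1 range 10.203.165.80 255.255.255.240",
]

if __name__ == "__main__":
    for bad_line, fixed in lint_area_ranges(SAMPLE_CONFIG):
        print(f"host bits set: {bad_line!r} -> use {fixed}")
```

Run as a script it reports the `.85/28` line and the `.80/28` network it should have been; the same function can be pointed at a `show running-config` dump before a change window.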


Re: [c-nsp] cisco ip nat question

2017-11-09 Thread Nick Cutting
There is more to it.

What is the model and code version of the router? - we need these to help you 
with the configuration.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mike
Sent: Thursday, November 9, 2017 6:50 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco ip nat question

This message originated outside of your organisation.

Hi,


     I have a bunch of dumb devices that don't know how to deal with a default 
gateway. They all live in a subnet 172.16.144.0/20.

     A router lives here @ 172.16.144.1, and my device management station lives 
on another network, say 10.0.1.0/24.

     What I think I want, is for packets going from my management station to 
the dumb devices to be source ip natted so that they appear to come from the 
router itself 172.16.144.1, so that any devices on the
172.16.144.0/20 network that can't understand default gateway, can at least 
respond since the source address they will see will be the router itself and 
within their same subnet.

     How would this be accomplished? Is it as simple as putting 'ip nat inside' 
on the interface facing the dumb devices? Or is there more to it?

Mike-
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

2017-10-31 Thread Nick Cutting
Well, a bunch of vendors now sell optics that do not require the secret command 
on IOS to ignore the non cisco coding.

  I guess buy a few – the 10g SR’s are about $16 -

However, we got burned in 2015 when a client with non cisco parts using the 
“service unsupported-transceiver” would NOT be supported by TAC.

If you can get a third party optic to work without the command – are they 
supported by TAC?  It is a grey area for sure.


From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Tuesday, October 31, 2017 9:24 AM
To: Nick Cutting <ncutt...@edgetg.com>; Doug McIntyre <mer...@geeks.org>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

This message originated from outside your organization.


Thanks Nick - So they sell competing optics? i.e. they have a "cisco-avago" 
SFP-10G-AOC and a "cisco" SFP-10G-AOC? The cisco-avago being cheap, and 
cisco being 000's? (They couldn't (wouldn't) be doing this?) - lol, no one in 
their right mind would purchase the "cisco" optics ever again?



Cheers

________
From: Nick Cutting <ncutt...@edgetg.com<mailto:ncutt...@edgetg.com>>
Sent: Wednesday, 1 November 2017 12:12 AM
To: CiscoNSP List; Doug McIntyre
Cc: cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
Subject: RE: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

No, they still rip you off big time.
Just got quoted on a 10g SFP+ singlemode SFP for roughly 70 times more 
expensive than the equivalent component in fiberstore.
I gave the client the option for both -

$40

$2,847.76

And they went with the genuine cisco part, because of our scary disclaimer 
about TAC.

Imagine they needed 10 of these - that’s $400 vs 28,.

Do you chaps just keep a couple of "genuine parts" lying around to quickly 
shove in if you need TAC assistance for a bug?

No one in their right mind can be buying a lot of "genuine" optics in 2017?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Tuesday, October 31, 2017 8:52 AM
To: Doug McIntyre <mer...@geeks.org<mailto:mer...@geeks.org>>
Cc: cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

This Message originated outside your organization.

Thanks - Yes, I realize Cisco don't manufacture their own optics (they use 
Finisar etc.), but all "genuine" Cisco optics I've seen previously have never had 
the manufacturer's name in bold writing on the optic? (Haven't purchased genuine 
Cisco optics for a long time - probably the reason why.)


They still sell "cisco" only branded optics for 10 times the price of others?  
Or do they now sell (only) these cheaper co-branded ones to compete?

Thanks


From: Doug McIntyre <mer...@geeks.org<mailto:mer...@geeks.org>>
Sent: Tuesday, 31 October 2017 11:38 PM
To: CiscoNSP List
Cc: cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

On Tue, Oct 31, 2017 at 11:05:10AM +, CiscoNSP List wrote:
> Are the cisco-avago, cisco-finisar "genuine" Cisco optics? i.e TAC
> will provide support if you are using them? Ours were purchased
> through a Cisco disty (As a Cisco part)We are hitting multiple
> issues with them (10G Optic will not initialize in ASR920, 100G give
> no light/power readings in NCS5500)

Cisco OEMs optics from everybody under the sun. If you can show that you bought 
them as Cisco parts, then TAC should be fine dealing with them.
They do use Avago/Finisar parts frequently, and they are labelled as you see 
them.

All hardware is finicky dealing with optics at some point in time. They may 
need to send you another "brand" to deal with your hardware, or they are bad.
TAC should be fine talking to you about it.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

2017-10-31 Thread Nick Cutting
No, they still rip you off big time.  
Just got quoted on a 10g SFP+ singlemode SFP for roughly 70 times more 
expensive than the equivalent component in fiberstore.
I gave the client the option for both - 

$40

$2,847.76

And they went with the genuine cisco part, because of our scary disclaimer 
about TAC.

Imagine they needed 10 of these - that’s $400 vs 28,. 

Do you chaps just keep a couple of "genuine parts" lying around to quickly 
shove in if you need TAC assistance for a bug?

No one in their right mind can be buying a lot of "genuine" optics in 2017?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Tuesday, October 31, 2017 8:52 AM
To: Doug McIntyre 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

This Message originated outside your organization.

Thanks - Yes, I realize Cisco don't manufacture their own optics (they use 
Finisar etc.), but all "genuine" Cisco optics I've seen previously have never had 
the manufacturer's name in bold writing on the optic? (Haven't purchased genuine 
Cisco optics for a long time - probably the reason why.)


They still sell "cisco" only branded optics for 10 times the price of others?  
Or do they now sell (only) these cheaper co-branded ones to compete?

Thanks


From: Doug McIntyre 
Sent: Tuesday, 31 October 2017 11:38 PM
To: CiscoNSP List
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CISCO-AVAGO CISCO-FINISAR etc SFPs

On Tue, Oct 31, 2017 at 11:05:10AM +, CiscoNSP List wrote:
> Are the cisco-avago, cisco-finisar "genuine" Cisco optics? i.e TAC 
> will provide support if you are using them? Ours were purchased 
> through a Cisco disty (As a Cisco part)We are hitting multiple 
> issues with them (10G Optic will not initialize in ASR920, 100G give 
> no light/power readings in NCS5500)

Cisco OEMs optics from everybody under the sun. If you can show that you bought 
them as Cisco parts, then TAC should be fine dealing with them.
They do use Avago/Finisar parts frequently, and they are labelled as you see 
them.

All hardware is finicky dealing with optics at some point in time. They may 
need to send you another "brand" to deal with your hardware, or they are bad.
TAC should be fine talking to you about it.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco Catalyst 9300

2017-10-18 Thread Nick Cutting
Given that these are running 16.5 (Everest) and it is very new - is anyone 
running these in production yet?
I feel the 3850/3650 will be EOL in the next year or so - and these are 
reasonably priced.

I think if these are production ready we could begin to buy these for our 
clients and be more competitive rather than quoting our standard 3850 for a 
client office spec

Nick C

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] nfSen / nfDump

2017-08-29 Thread Nick Cutting
Thank you for your help.

The main SFlow collection point(s) are 36 port 100g nexus 9236c, so I think it 
is based on different chipsets – ASE2

I can see the sampling rate with the show run all command, I was using the 
default of 4096.
I tried various values – but the traffic is always almost exactly double what I 
get when using snmp statistics.

So unless we have a way to disable sFlow in both directions – I will need to 
divide by 2 for non-netflow sources.
Now I just need a big linux fella to rebuild the kernel and stick the /2 into 
the sfcapd daemon

From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Monday, August 28, 2017 5:26 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

This message originated from outside your organization

Nick Cutting wrote:
> I didn’t seem to be able to use that command on a Nexus 9200 - the
> guide for the shell seems for the 9500 and the 3k?

N9K access instructions here:

> https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_0101.html#concept_F5C3B0413B80410FBBDCC79F81BF086F<https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_0101.html#concept_F5C3B0413B80410FBBDCC79F81BF086F>

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Cutting
Thank you for your reply.

Yes, I have a very similar config to yours below.

Looks like I'll need to tell the noc to halve their findings.
I didn’t seem to be able to use that command on a Nexus 9200 - the guide for 
the shell seems for the 9500 and the 3k?

Thank you

-Original Message-
From: Nick Hilliard [mailto:n...@foobar.org] 
Sent: Monday, August 28, 2017 5:13 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

This message originated from outside your organization

Nick Cutting wrote:
> Doesn't look like sflow daemon supports the -s sampling tag.
> 
> %sources = (
>     'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow', 'optarg' => ' -s -1000 ' },
> );

yes, that's correct.  The sflow sampling rate is specified in each sflow 
packet, so there is no need to specify it on the collector - it's automatically 
detected on a per-packet basis.

This is a working config on a small site (albeit a different sflow agent 
platform, but that won't make any difference):

> %sources = (
>     'rtr01' => { 'port' => '2055', 'col' => '#ff', 'type' => 'sflow' },
>     'rtr02' => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'sflow' },
> );

nfsen will then start up sfcapd instead of nfcapd.

Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Cutting
This was an example I took from the nfsen forums - it is a negative value.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin 
M. Streiner
Sent: Monday, August 28, 2017 3:32 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

Wouldn't the syntax be "-s 1000", rather than "-s -1000"?

jms

On Mon, 28 Aug 2017, Nick Cutting wrote:

> So as usual -  my netflow routers are coming up with the correct size data in 
> nfsen, but sFlow is about 2.5 times as much traffic.
>
> Does anyone have a cisco sflow config that works with nfsen - sampling rate 
> etc?
>
> sflow sampling-rate 4096 <-- this is 512?
> sflow max-sampled-size 128
> sflow counter-poll-interval 30
> sflow  max-datagram-size 1400
> sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx
> sflow collector-port 6343
> sflow agent-ip xx.xx.xx.xx
> no sflow extended switch
>
> Then in nfsen - here:
>
> Doesn't look like sflow daemon supports the -s sampling tag.
>
> %sources = (
>     'myRouter' => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow', 'optarg' => ' -s -1000 ' },
> );
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
> Of Aaron Gould
> Sent: Sunday, August 6, 2017 1:46 AM
> To: 'Phil Mayers' <p.may...@imperial.ac.uk>; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] nfSen / nfDump
>
> netflow
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
> Of Phil Mayers
> Sent: Friday, August 4, 2017 3:08 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] nfSen / nfDump
>
> On 03/08/17 22:53, Aaron Gould wrote:
>> I do 1/512 sample rate on my asr9k's and usually multiple numbers 
>> gathered in nfsen by 512 to normalize
>
> sflow? Or netflow?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Cutting
So as usual -  my netflow routers are coming up with the correct size data in 
nfsen, but sFlow is about 2.5 times as much traffic.

Does anyone have a cisco sflow config that works with nfsen - sampling rate etc?

sflow sampling-rate 4096 <-- this is 512?
sflow max-sampled-size 128
sflow counter-poll-interval 30
sflow  max-datagram-size 1400
sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx
sflow collector-port 6343
sflow agent-ip xx.xx.xx.xx
no sflow extended switch

Then in nfsen - here:

Doesn't look like sflow daemon supports the -s sampling tag.

%sources = (
'myRouter'  => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow', 
'optarg' => ' -s -1000 '},
);

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron 
Gould
Sent: Sunday, August 6, 2017 1:46 AM
To: 'Phil Mayers' ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

netflow

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil 
Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

On 03/08/17 22:53, Aaron Gould wrote:
> I do 1/512 sample rate on my asr9k's and usually multiple numbers 
> gathered in nfsen by 512 to normalize

sflow? Or netflow?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
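Two things from this thread can be shown in a few lines: how a collector scales sampled frames back up using the rate carried in each sFlow sample (so no `-s` is needed for `sflow` sources), and why Nick's totals in the 29 August message come out at almost exactly twice the SNMP counters when the agent samples on both ingress and egress. The following is an added Python example, not code from the thread, nfsen or Cisco. The sample records are constructed; a real sFlow flow sample carries the sampler's data source plus input/output ifindex rather than an explicit direction, so the `sampling_point` field here is a simplification of where the agent took the sample.

```python
from collections import defaultdict

# Constructed sFlow flow-sample records: (ifindex, sampling_point, rate, frame_bytes).
# 'sampling_point' is a simplification for this example: "in" means the agent
# sampled the frame on ingress to that interface, "out" on egress from it.
# The rate (1-in-4096, the default mentioned in the thread) travels in every
# real sFlow sample, which is why the collector needs no -s option for sflow.


def make_samples(ifindex, sampling_point, rate, frame_bytes, count):
    """Build `count` identical constructed sample records."""
    return [(ifindex, sampling_point, rate, frame_bytes)] * count


SAMPLES = (
    make_samples(1, "in", 4096, 1500, 10)     # bulk flow arriving on Eth1/1 ...
    + make_samples(2, "out", 4096, 1500, 10)  # ... the same frames leaving via Eth1/2
    + make_samples(2, "in", 4096, 64, 4)      # ACKs arriving on Eth1/2 ...
    + make_samples(1, "out", 4096, 64, 4)     # ... and leaving via Eth1/1
)

# Constructed reference counters for the same period, as if read via SNMP
# ifInOctets: the true ingress volume per interface.
SNMP_IN_OCTETS = {1: 10 * 1500 * 4096, 2: 4 * 64 * 4096}


def scaled_bytes(samples, sampling_points=("in", "out")):
    """Estimate bytes per interface: each sampled frame stands for `rate` frames."""
    totals = defaultdict(int)
    for ifindex, point, rate, frame_bytes in samples:
        if point in sampling_points:
            totals[ifindex] += rate * frame_bytes
    return dict(totals)


def total_estimate(samples, sampling_points=("in", "out")):
    """Total estimated bytes across all interfaces for the chosen sampling points."""
    return sum(scaled_bytes(samples, sampling_points).values())


def ratio_to_reference(samples, reference, sampling_points=("in", "out")):
    """How far an estimate is from the SNMP reference (1.0 means they agree)."""
    return total_estimate(samples, sampling_points) / sum(reference.values())


if __name__ == "__main__":
    print("all samples  :", total_estimate(SAMPLES), "bytes,",
          f"{ratio_to_reference(SAMPLES, SNMP_IN_OCTETS):.2f}x SNMP")
    print("ingress only :", total_estimate(SAMPLES, ("in",)), "bytes,",
          f"{ratio_to_reference(SAMPLES, SNMP_IN_OCTETS, ('in',)):.2f}x SNMP")
```

Every frame that transits the switch is counted once on its ingress interface and once on its egress interface, so summing all samples gives 2.0x the SNMP ingress counters while counting only one sampling point gives 1.0x; that is the factor of two Nick ends up dividing by, and filtering on sampling point in the collector is the cleaner alternative to patching sfcapd.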


Re: [c-nsp] cisco 3850 eigrp - sending goodbye - can't ping any 224.0.0.10

2017-08-24 Thread Nick Cutting
Ahh sounds like one of many bugs in the early release of the 3850 series.  Do 
you know what code they are on?

-Original Message-
From: Aaron Gould [mailto:aar...@gvtc.com] 
Sent: Thursday, August 24, 2017 8:37 PM
To: Nick Cutting <ncutt...@edgetg.com>; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] cisco 3850 eigrp - sending goodbye - can't ping any 
224.0.0.10

This message originated from outside your organization

Thanks Nick, to begin with please keep in mind, this was fine for a year or 
more, until last night when they replaced a 3750, with a 3850.

They have 6840's, 6509's, 3750's, and 3850's... they are all eigrp neighbors 
fully meshed.

I'm the SP.  I provide this customer a mpls vpls rfc4762 (bgp ad w/ldp sig).
(I have a mix of cisco me3600's and juniper acx5048's providing that vpls
elan) All those cisco devices mentioned above are the customer edge.

On all those ce's is an untagged L3 interface.  All those ce interfaces eigrp 
neighbor with all others.

I tried on 2 other ce devices and COULD ping 224.0.0.10 and get responses from 
all other ce's.

BUT, on that one 3850-24 port, when I pinged 224.0.0.10, it died immediately 
with "." one failure, and that's it.  Strange.

Yes, I did do a static eigrp neighbor between the 3850-48port and the 
3850-24port and the neighbor stayed stable for over 3 minutes (previously, the 
goodbye eigrp teardown was happening every 80 seconds)

I don't have access at the moment, it's the customer gear and they allow me 
remote access only when they need my help.  I told them to take my findings and 
call the cisco tac

-Aaron


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] cisco 3850 eigrp - sending goodbye - can't ping any 224.0.0.10

2017-08-24 Thread Nick Cutting
What is the type of link between the devices - does it support multicast?

What happens if you use the neighbor command to force unicast?

Please provide configurations and run "sh eigrp plugins" on both to check 
versions.

Also check "sh ip eigrp events"

And then turn on debugs
debug ip eigrp neighbor

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron 
Gould
Sent: Thursday, August 24, 2017 11:48 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] cisco 3850 eigrp - sending goodbye - can't ping any 224.0.0.10

I was just working with a customer that has a 3850 - 24 port that continually 
sends goodbye tlv every 80 seconds

 

He also has a 3850 48 port that works fine

 

The 3850 24 port can NOT ping 224.0.0.10 at all

The 3850 48 port can ping 224.0.0.10 and gets responses from all the eigrp 
neighbors on the vlan

 

Router eigrp 1 configs are same

 

- Aaron Gould

 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] RSPAN and IP phones

2017-08-18 Thread Nick Cutting
So it is a combination of SPAN and RSPAN 
because of the local RSPAN as a source on "same switch destination back to diff 
session not see traffic issue"  I have seen this on 3560 / 3850 / 6500.


SWITCH 1
monitor session 1 source interface Gi1/0/1 - 24 
monitor session 1 destination Gi1/0/48
monitor session 2 source remote vlan 880 
monitor session 2 destination interface Gi1/0/XX (can't use same port)
 
SWITCH 2
 
monitor session 1 source interface Gi1/0/1 - 6 
monitor session 1 destination remote vlan 880


This will work - but you need two destination ports.
The only way I can think of to do it with one destination port and RSPAN is to 
use a third switch as the destination.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick 
Cutting
Sent: Friday, August 18, 2017 4:05 PM
To: Steven Pfister <spfis...@dps.k12.oh.us>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] RSPAN and IP phones

It has been a while since I have done this - but I have battled this exact 
setup a few times.

I seem to remember that the local switch needs to have a physical span 
destination, i.e not the rspan vlan - needs to be a port, and only the remote 
switch needs the rspan destination.
The second monitor session picks up the RSPAN as the source and then the port 
as the destination, but on the first switch.

Traffic that is captured on the source and dumped into the rspan vlan, cannot 
be seen on the SAME switch for some reason was the limitation I think. 

 I hope that made some kind of sense.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven 
Pfister
Sent: Friday, August 18, 2017 2:56 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] RSPAN and IP phones

I've got a setup at one of our sites where I've got several IP phones and a 
SPAN session copying traffic to them to a port on the same switch which is a 
call recorder. This works fine.
 
We've recently added a second switch to this location which also serves IP 
phones. I'm trying to change from SPAN to RSPAN. For some reason, I either get 
no calls recorded, or the calls are nothing but silence.
 
I've got vlan 880 configured as a remote-span vlan, and I'm just
doing:
 
monitor session 1 source interface Gi1/0/1 - 24
monitor session 1 destination remote vlan 880
monitor session 2 source remote vlan 880
monitor session 2 destination interface Gi1/0/48
 
on the first switch, and 
 
monitor session 1 source interface Gi1/0/1 - 6
monitor session 1 destination remote vlan 880
 
vlan 880 is configured as a remote span vlan on both switches and the vlan is 
allowed on the trunks going to the switches.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] RSPAN and IP phones

2017-08-18 Thread Nick Cutting
It has been a while since I have done this - but I have battled this exact 
setup a few times.

I seem to remember that the local switch needs to have a physical span 
destination, i.e not the rspan vlan - needs to be a port, and only the remote 
switch needs the rspan destination.
The second monitor session picks up the RSPAN as the source and then the port 
as the destination, but on the first switch.

Traffic that is captured on the source and dumped into the rspan vlan, cannot 
be seen on the SAME switch for some reason was the limitation I think. 

 I hope that made some kind of sense.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Steven 
Pfister
Sent: Friday, August 18, 2017 2:56 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] RSPAN and IP phones

I've got a setup at one of our sites where I've got several IP phones and a 
SPAN session copying traffic to them to a port on the same switch which is a 
call recorder. This works fine.
 
We've recently added a second switch to this location which also serves IP 
phones. I'm trying to change from SPAN to RSPAN. For some reason, I either get 
no calls recorded, or the calls are nothing but silence.
 
I've got vlan 880 configured as a remote-span vlan, and I'm just
doing:
 
monitor session 1 source interface Gi1/0/1 - 24
monitor session 1 destination remote vlan 880
monitor session 2 source remote vlan 880
monitor session 2 destination interface Gi1/0/48
 
on the first switch, and 
 
monitor session 1 source interface Gi1/0/1 - 6
monitor session 1 destination remote vlan 880
 
vlan 880 is configured as a remote span vlan on both switches and the vlan is 
allowed on the trunks going to the switches.



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] nfSen / nfDump

2017-08-01 Thread Nick Cutting
Slightly off topic, however related to the solarwinds talks of last week.

Just wondering what versions of nfSen and nfdump you fine people are running - 
and on what operating system, e.g debian / red hat etc.

I understand Nfsen has not been updated since 2011 - is this a problem - or is 
it just that rocksteady?

How comprehensive is the sFlow support - this is one reason we are moving away 
from solarwinds. (And we got rid of all our CatOS gear - solarwinds was great 
at CatOS!)

Any input greatly appreciated

Nick Cutting
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Nexus 7707 as Internet Edge Router?

2017-07-28 Thread Nick Cutting
Coming from the MSP (managed service provider)  world where I am - EIGRP is 
great - I can summarize anywhere - and our cheap clients will only ever buy IP 
base licensed 3xxx switches.  

Even though they are on the 42nd floor of a 10 million dollar office with a 
giant  leather rhinoceros...

 So my choices are, if I want to summarize, multi area OSPF limited to 200 
routes or EIGRP which is simple and clean.



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick 
Hilliard
Sent: Friday, July 28, 2017 5:39 AM
To: Gert Doering 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 7707 as Internet Edge Router?

Gert Doering wrote:
> And then, what features it gets - the first list on cisco.com was 
> amazingly thin on details, but one of the interesting bits was "no 
> support for EIGRP", which I find highly astonishing - you have a 
> vendor that has a nice customer-lock-in feature, purely control-plane 
> (so, no need to do hardware-specific coding), and they... forget to enable it?

But no-one in the SP world uses EIGRP anyway so this is a moot point, right?

Right??

Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Physical Network TAP devices

2017-07-17 Thread Nick Cutting
Good afternoon,

We have a use case now to capture traffic at one of our egress points, and we 
need to use network taps.  We need at least 2 sources and two destinations, in 
a pair of devices. - Copper 1 gig at this point.  Is anyone using Copper/ Fiber 
Taps at 10g?

Can I please get some feedback on some of the brands of taps that you fine 
people use?

We were looking at gigamon, but I have not used TAPs in a very long time.  We 
have a need to move to a physical device because of limitations in the hardware 
in where we need to capture the traffic.  

Any feedback is greatly appreciated.



Thank you,
Nick Cutting 




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] GRE tunnels on 9k

2017-06-26 Thread Nick Cutting
It works all the time now on the Nexus 93108-EX – I think we just disabled 
"feature tunnel" then re-enabled it.

I was testing with an ISR on the same links with no issues.

What I am missing is Traceroute hops from the tunnel interfaces.  This is for 
both UDP and ICMP traceroutes.
Both the ICMP TTL messages and the port unreachable messages are enabled 
everywhere in the transit path – as well as under the tunnel interfaces.

Any ideas?

Simple tunnel:

interface Tunnel172
  ip address 10.17.0.1/30
  ip unreachables
  ip ospf network point-to-point
  no ip ospf passive-interface
  ip router ospf 200 area 0.0.0.0
  tunnel source xx.xx.xx.xx
  tunnel destination xx.xx.xx.xx
  mtu 9000
  bandwidth 10
  no shutdown

From: Arie Vayner [mailto:ar...@vayner.net]
Sent: Monday, June 26, 2017 10:42 AM
To: Nick Cutting <ncutt...@edgetg.com>; cisco-nsp (cisco-nsp@puck.nether.net) 
<cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] GRE tunnels on 9k


Can you try and define what was different during the 10% of the tests that 
worked?
When it doesn't work, what exactly doesn't work?
Maybe share a few config examples and how you test if it works or doesn't 
work...

On Tue, Jun 20, 2017, 06:27 Nick Cutting 
<ncutt...@edgetg.com<mailto:ncutt...@edgetg.com>> wrote:
Sorry - I mean nexus 9k, rather than ASR9000
And the ASR920 tunnels were ASR - ASR, not ASR -> nexus

-Original Message-
From: cisco-nsp 
[mailto:cisco-nsp-boun...@puck.nether.net<mailto:cisco-nsp-boun...@puck.nether.net>]
 On Behalf Of Nick Cutting
Sent: Tuesday, June 20, 2017 9:25 AM
To: cisco-nsp (cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>) 
<cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>>
Subject: [c-nsp] GRE tunnels on 9k

Good morning,

I am having some really crazy results when testing GRE tunnels on nexus 9k's.

They seem to work about 10 percent of the time.
I am going a little mad thinking about where the stars and planets were when 
these tunnels worked.

This is with the source and destination in the global table, and testing the 
tunnel IP, both in a VRF and in the global table.
This has been tested using both loopbacks as a source, and the outgoing 
interfaces.  Although I want to use loopbacks as we are using L3 multi-path.
I have searched the bug database and I don't see anything strange. Going to hit up 
TAC.  Tunnels over the same links terminated on an ASR920 work fine.

Has anyone had any good / bad experiences with tunnels on the 9k?

Thank you,
nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Embedded Packet Capture on ASR-920

2017-06-23 Thread Nick Cutting
That is the exact config I used also, from the same webpage 

I tried both CEF and process - although the traffic I wanted to see was through 
the router and not to the router.  I didn't even see a single packet.
I ended up spanning the traffic from the switch.

The ASR1k supports the "easy style" one-line embedded capture also, and it just 
works.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James 
Bensley
Sent: Friday, June 23, 2017 10:10 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Embedded Packet Capture on ASR-920

On 21 Jun 2017 22:55, "Nick Cutting" <ncutt...@edgetg.com> wrote:

Has anyone used this?
I have used it on other IOS-XE routers 44xx/3xxx with no issues.

My captures are empty on the ASR-920


Code running is:

03.18.01.SP.156-2.SP1-ext

Any experiences greatly welcomed.

Nick


Hi Nick,

What traffic are you trying to capture? I got this working as per these notes 
(I had done something similar on ASR1000s but it turns out the syntax is 
slightly different on the ASR920):
https://null.53bits.co.uk/index.php?page=embedded-packet-capture-epc

However that was a while ago. If I recall correctly, I had PPPoE traffic 
tagged in a specific VLAN that I wanted to inspect and this wasn't showing up 
in the traffic capture, so I ended up having to SPAN the port on the 
neighbouring device. So I think it's not perfect and I'm not even sure it's 
supported. I didn't bother with TAC as the SPAN worked fine and I haven't 
needed it since.

Cheers,
James.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] Embedded Packet Capture on ASR-920

2017-06-21 Thread Nick Cutting
Has anyone used this?
I have used it on other IOS-XE routers 44xx/3xxx with no issues.

My captures are empty on the ASR-920


Code running is:

03.18.01.SP.156-2.SP1-ext

Any experiences greatly welcomed.

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] GRE tunnels on 9k

2017-06-20 Thread Nick Cutting
Sorry - I mean nexus 9k, rather than ASR9000
And the ASR920 tunnels were ASR - ASR, not ASR -> nexus

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick 
Cutting
Sent: Tuesday, June 20, 2017 9:25 AM
To: cisco-nsp (cisco-nsp@puck.nether.net) <cisco-nsp@puck.nether.net>
Subject: [c-nsp] GRE tunnels on 9k

Good morning,

I am having some really crazy results when testing GRE tunnels on nexus 9k's.

They seem to work about 10 percent of the time.
I am going a little mad thinking about where the stars and planets were when 
these tunnels worked.

This is with the source and destination in the global table, and testing the 
tunnel IP, both in a VRF and in the global table.
This has been tested using both loopbacks as a source, and the outgoing 
interfaces.  Although I want to use loopbacks as we are using L3 multi-path.
I have searched the bug database and I don't see anything strange. Going to hit up 
TAC.  Tunnels over the same links terminated on an ASR920 work fine.

Has anyone had any good / bad experiences with tunnels on the 9k?

Thank you,
nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] GRE tunnels on 9k

2017-06-20 Thread Nick Cutting
Good morning,

I am having some really crazy results when testing GRE tunnels on nexus 9k's.

They seem to work about 10 percent of the time.
I am going a little mad thinking about where the stars and planets were when 
these tunnels worked.

This is with the source and destination in the global table, and testing the 
tunnel IP, both in a VRF and in the global table.
This has been tested using both loopbacks as a source, and the outgoing 
interfaces.  Although I want to use loopbacks as we are using L3 multi-path.
I have searched the bug database and I don't see anything strange. Going to hit up 
TAC.  Tunnels over the same links terminated on an ASR920 work fine.

Has anyone had any good / bad experiences with tunnels on the 9k?

Thank you,
nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Migrating multi 1Gb port-chan member ints to 10G .....possible withot having to create a new portchan?

2017-06-12 Thread Nick Cutting
I think this is possible, but with a little bit of downtime when you change the 
new links from 1000 to ten gig.
You should be able to lab this up with 1000Mbit and 100Mbit on an old switch, 
nothing laying around?

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Monday, June 12, 2017 1:37 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Migrating multi 1Gb port-chan member ints to 10G .possible 
withot having to create a new portchan?

Hi Everyone,


I've researched this, and the info I've read is not entirely definitive (I don't 
have an opportunity to test the migration in a lab, unfortunately).


We have an existing portchan on an ASR1006 with 4 x 1Gb ports. Egress from the 
ASR1006 on the member ports is very balanced, but unfortunately, ingress, we 
are always seeing 2 links basically maxing out (the other end of the portchan is a 
4500x VSS stack, with the "primary" switch being the one with the 2 over-active 
ports). We've resigned ourselves to the fact that we will need to go 10G to fix the 
"issue". Now the problem is that the existing portchan has 100's of 
subinterfaces, so we don't want to have to create a "new" portchan with the 2 x 
10G links and migrate all the subinterfaces. From what I've read, the member 
interfaces of the etherchan need to be of the same "Speed + Duplex"; some go 
even further and say the same "physical" type (i.e. 1Gb SM -> 1Gb SM), but I 
have also read where people have added a 10G int to an existing portchan (that 
only has 1Gb members), and it "worked". Can anyone please confirm if this is 
possible? i.e. set the 10G interfaces to 1000/Full, then add them to 
the existing portchan, delete the "old" 1Gb member ints, then change the 10Gb 
interfaces to auto? I really hope there is some way that this can be achieved 
without having to migrate all the subints to a new portchan. Any 
suggestions/experiences are greatly appreciated.


Cheers
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] ASR-920 10g License question

2017-06-06 Thread Nick Cutting
I have 4 x 10g ports on one of our ASR-920-4SZ-A's

I am using 2 of them, but want to use the other 2.
Does the 10g license do all 4 - or pairs of two ports?

Index 5 Feature: 10GEupgradelicense
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: 1/1/0  (Active/In-use/Violation)
License Priority: Medium
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Intelligent Bandwidth Management

2017-06-05 Thread Nick Cutting
I would also like to know these things.  

My boss is constantly talking about some kind of magical SD-WAN and how we need 
it.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark 
Mason
Sent: Friday, June 2, 2017 2:46 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Intelligent Bandwidth Management

#bump

From: Mark Mason
Sent: Thursday, June 1, 2017 9:27 AM
To: cisco-nsp@puck.nether.net
Subject: Intelligent Bandwidth Management

APIC-EM, Noction, FatPipe Networks, LiveAction, Cisco OER (legacy), Cisco PfR, 
advanced BGP parameters, home grown DevOps Open Source network probes to a 
collector (thinking CloudFlare Salt NAPALM automation examples I've seen), etc.?

What is the industry using for identification of latency increases, ISP 
congestion, ISP congestion one transit removed, etc.?

Quite some time ago OER->to initial PFRv1 I deployed with success but it had 
massive change logs and zero GUI with a failed Cisco Fluke Networks graphical 
representation. Also lacked some maintenance mode knobs and additional tweaks I 
needed. Time has come back around to make the internet edge more intelligent 
again!

Mark Mason

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] 10g Copper Transceivers for SFP+

2017-05-26 Thread Nick Cutting
I brought this up in 2015 - and they were new to market then.
I got a couple of greedy replies from transceiver vendors, but nothing from the 
wise old network wizards.

The GLC-10G-T - which seems to fool the switch into thinking it is SR , so yes 
I agree with the naysayers it sounds like a bad idea from the get go.

Is anyone using them, or has been using them? 

Reason being it would be a great way to uplink our old switches with SFP+ 
modules to our 10g copper Nexus borders, without using a breakout cable on the 
100g ports.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?

2017-04-25 Thread Nick Cutting
Haha Gert your comments are the best.

Probably so that a sales guy in a room crafting an expensive solution can use 
the NCS branding for more of the design he/she is proposing.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert 
Doering
Sent: Tuesday, April 25, 2017 2:46 AM
To: Ted Johansson 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?

Hi,

On Tue, Apr 25, 2017 at 06:07:11AM +, Ted Johansson wrote:
> The ASR900 series will not be replaced by NCS4200, both series will co-exist.

Sounds like the BUs suddenly remembered how much the customers appreciated the 
6500/7600 split, and wanted to re-enact that great success again.

Oh, wait.

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] STP and PVST..

2017-04-20 Thread Nick Cutting
On cisco switches - the next spanning tree instance after you hit the limit, is 
NOT created.

I worked at a place that had cisco HP blade 3120's that had a hard limit of 128 
instances, and we had 180 vlans.
50 or so of the vlans were NOT running spanning tree - but were blocked 
upstream on the 6500 - which has a limit of 1800 instances per chassis which is 
multiplied out by the line cards.
We got close to that limit, but did not hit it, so the loops were avoided.

If I can remember - the last vlans to be created did not run the STP instances 
- but after a reboot, it went up in order.



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert 
Doering
Sent: Thursday, April 20, 2017 10:19 AM
To: Scott Granados 
Cc: Sebastian Wiesinger ; cisco-nsp 

Subject: Re: [c-nsp] STP and PVST..

Hi,

On Thu, Apr 20, 2017 at 12:10:21PM +, Scott Granados wrote:
> Oh boy, I've seen that 253 VLAN thing bite a big customer in the 
> back side.  You add number 254 and whammo!

What exactly happens then?  (We currently only use juniper at the edge, where 
no single switch has more than ~40-50 VLANs, so the risk has been small :-) )

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
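The check implied by the reply above (a VLAN created past the per-switch instance limit simply runs without spanning tree, so a loop in it is not blocked), as an added example that is not code from the thread: it parses the text of `show vlan brief` and `show spanning-tree summary` as Catalyst IOS prints them and reports active VLANs that have no STP instance, plus the headroom left before the limit. The two sample outputs are constructed, and the limit (the 128-instance figure from the 3120 example) is an assumed parameter, not detected from the platform.

```python
"""Spot active VLANs that have no spanning-tree instance on a Cisco IOS switch.

Added example for this thread (not code from the original mail). It parses the
text of `show vlan brief` and `show spanning-tree summary` as Catalyst IOS prints
them; the two sample outputs below are constructed, and the per-switch instance
limit (128 in the thread's 3120 example) is passed in rather than detected.
"""
import re

# Constructed sample of `show vlan brief`: VLAN 30 is active with a port but
# will turn out to have no STP instance.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   USERS                            active    Gi1/0/3
20   SERVERS                          active    Gi1/0/4
30   MGMT                             active    Gi1/0/5
40   STORAGE                          act/lshut Gi1/0/6
1002 fddi-default                     act/unsup
"""

# Constructed sample of `show spanning-tree summary`: only three instances.
SHOW_STP_SUMMARY = """\
Switch is in rapid-pvst mode
Root bridge for: VLAN0001, VLAN0010
Extended system ID                      is enabled
Portfast Default                        is disabled

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          2          2
VLAN0010                     0         0        0          1          1
VLAN0020                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      0         0        0          4          4
"""

# A data row of `show vlan brief`: VLAN id, name, status. The header and the
# dashed separator do not start with digits, so they never match.
VLAN_ROW = re.compile(r"^(\d+)\s+\S+\s+(\S+)", re.MULTILINE)
# A per-instance row of `show spanning-tree summary`, e.g. "VLAN0010 ...".
# The "3 vlans" total row and the "Root bridge for:" line do not match.
STP_ROW = re.compile(r"^VLAN(\d{4})\s", re.MULTILINE)


def active_vlans(vlan_brief):
    """VLAN ids whose status is exactly 'active', skipping the reserved 1002-1005 range."""
    return {int(vid) for vid, status in VLAN_ROW.findall(vlan_brief)
            if status == "active" and not 1002 <= int(vid) <= 1005}


def stp_instances(stp_summary):
    """VLAN ids that have a running spanning-tree instance."""
    return {int(vid) for vid in STP_ROW.findall(stp_summary)}


def vlans_without_stp(vlan_brief, stp_summary):
    """Active VLANs that STP is not protecting: a loop in one of these is not blocked here."""
    return sorted(active_vlans(vlan_brief) - stp_instances(stp_summary))


def instance_headroom(stp_summary, limit):
    """Instances still available before the platform limit; <= 0 means new VLANs get none."""
    return limit - len(stp_instances(stp_summary))


if __name__ == "__main__":
    missing = vlans_without_stp(SHOW_VLAN_BRIEF, SHOW_STP_SUMMARY)
    print("active VLANs with no STP instance:", missing)
    print("instances left before the limit:", instance_headroom(SHOW_STP_SUMMARY, 128))
```

On a real switch, feed the two functions the captured output of the two show commands (from a terminal log or whatever automation you already use); the `Name` column of `show spanning-tree summary` always prints instances as zero-padded `VLANxxxx`, which is what the second pattern relies on. A non-empty list from `vlans_without_stp` on a switch that is at or near its limit is the condition the reply describes.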


Re: [c-nsp] STP and PVST..

2017-04-19 Thread Nick Cutting
Once you get all devices to agree on the root bridge for RPVST+ (make sure 
vlan1 is allowed on the inter-vendor trunks), 

for fast failover you will also need the downstream ports 
(servers / ESX hosts etc.) to be running portfast / portfast trunk. This stops 
them from re-converging when there is an upstream failure (which should be 
sub-second failover for R(PV)STP).

What is the other vendor and model number? 
Rapid should work for almost every vendor except those old HP 5900s, for which you 
must use MST.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Catalin 
Dominte
Sent: Wednesday, April 19, 2017 7:21 AM
To: Nicolas KARP ; Ambedkar 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] STP and PVST..

Yes, until you realise that Cisco MSTP does not talk to Juniper MSTP for some 
odd reason! :)


*Catalin Dominte | Senior Network Consultant*


On 19 April 2017 at 08:25:21, Nicolas KARP (li...@karp.fr) wrote:

Hello Ambedkar,

Are you able to use MSTP ? That's the standard between Cisco and Non Cisco 
switches :
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html

Best Regards,

Nick



2017-04-19 5:53 GMT+02:00 Ambedkar :

> Namaskaram,
> I am having a problem of inter-operability of Cisco switches and Non-Cisco
> switches.
>
> The configuration as follows
>
> Cisco Switches:
> PVST and RPVST (Proprietary protocols)
>
> Non-Cisco Switches:
> STP and RSTP (Open Standard)
>
> In STP/RSTP, both the Cisco and Non-Cisco switches are becoming Root 
> bridges, and when failover has to take place, the time to converge is more.
> I guess BPDU packets are not exchanged properly.
>
> Any help how to resolve this issue..
>
> Thanks
> P Ambedkar
> ___
> cisco-nsp mailing list cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] C3850 and NAT

2017-02-08 Thread Nick Cutting
I am 99 percent sure it is not supported, or if it is will be sent to the CPU.

Look at nexus 3k or 9k for a $12000 line rate NAT switch.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james 
list
Sent: Wednesday, February 8, 2017 4:17 PM
To: cisco-nsp NSP 
Subject: [c-nsp] C3850 and NAT

Dear experts,
I'm wondering if anybody can give detailed or experienced info about NAT 
support on c3850.

I'm not able to find any info on the feature set, and on the web it is not so clear... 
I'm looking for the cheapest switch, in respect to 6500 or 68xx, able to support NAT 
(not a router).

Thank you in advance

Cheers
James
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] OTV on ASR1001-x

2017-01-30 Thread Nick Cutting
Are there any throughput documents for OTV enabled ASR1k's ?

In the design guide it only talks about not worrying about fragmentation for 
traffic under 1Gbs.

I am specifically wondering about OTV throughput on a 10 gig Link.  For maybe 
1400 byte packets.

Is anyone using this technology on a 10 gig connection?

Any field stories greatly appreciated.

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Nexus 93108TC-EX Breakout Support

2017-01-26 Thread Nick Cutting
This is the second generation 10 gig copper leaf switch with 100 gig uplinks.
The first generation did not support 40 gig x 10 SFP+ breakouts on the uplinks.

I believe this Generation 2 version does - (you can run the 100's at 40, and 
the 40's should support breakouts)

I have looked at the switch documentation - which points to the 9k breakout 
document - which DOES not include the generation 2 EX switches.
So I cannot find any doc that says it is supported - including the cisco live 
PDF's.

Any insight would be greatly appreciated.

Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

