Re: [c-nsp] Nexus 7k Upgrade Path

2018-02-22 Thread Pavel Skovajsa
Definitely not a stupid question. While the double ISSU would work we
generally would not do it for big jumps like that.

The problem is that the whole procedure tended to be buggy so we are too
afraid. Not speaking about crazy bugs we ran into half year later because
"triggered by previous issu upgrade" and we needed to reload anyway.

So - our recommendation for jumps like this - load the system and kickstart
files and reload the box. Ideally power cycle - there were fw bugs that
needed hard reboot to fix...

-pavel



On 23 Feb 2018 at 7:34, "Justin M. Streiner" <strei...@cluebyfour.org> wrote:

On Fri, 23 Feb 2018, Bradley Ordner wrote:

> We have a Nexus 7K with two SUP2Es. We need to get to software version
> 8.1(2). It says that you can't double hop to a software version without an
> outage. Although I have found the following -
> ISSU from 7.2(0)D1(1) to 7.3(1)D1(1) then to 8.1(2).
> We currently are on 7.2(0)D1(1) according to the doco I should be able to
> upgrade as each version can ISSU to the next?
> Has anyone performed this before?
> I have posted this on Cisco Support Community, with no response so either
> it is a stupid question or no one has done it before.
>

I haven't had to do a double-hop upgrade in a while, but my past experience
with ISSUs on the Nexus 7K has been mixed. Sometimes the 7K ecosystem
benefits from a full reboot.  Also, keep in mind that if any of the EPLDs
on your linecards need to be upgraded, the affected linecards will have to
take some amount of outage.  How much of an impact such an outage would
have depends entirely on your network design.

jms

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] BGP not advertising supernet to RR's

2017-12-01 Thread Pavel Skovajsa
It's strange, you can try some other methods of creating the summary - maybe
via "aggregate" way.

Also instead of redist static you can also try "network" command.

-pavel

On 3 Oct 2017 at 9:20 AM, wrote:

> Just a stab in the dark,
> Aren't you learning that /20 from RRs and your node thinks that path
> offered by RRs is the best path?
> In that case the node would not advertise this route to RRs.
>
> adam
>
> netconsultings.com
> ::carrier-class solutions for the telecommunications industry::
>
>

Re: [c-nsp] Tabo Topic? Third party Maintenance

2017-02-06 Thread Pavel Skovajsa
Turns out this information is "kinda" hidden in various pdfs see for
example Cisco TAC time presentations or cisco live about "what does sw
version X bring over version Y to the table"


-pavel

On 27 Jan 2017 at 11:24, "James Bensley" wrote:

On 24 January 2017 at 17:54, Lee  wrote:
> On 1/24/17, James Bensley  wrote:
>> Also a month or two after our bug scrub was completed the new major
>> milestone/stable versions of code for the devices we had tested was
>> released (our scrub was finished when "X" was the stable recommend
>> version) so we said to our AS engineer "now that X+1 is out, and you
>> recommended X, do you think we should go for X" and they obviously
>> said "yes".
>
> Interesting..  I'd get an offer for a bug scrub on the new version.

Sorry that was a typo, should have been "X+1":

so we said to our AS engineer "now that X+1 is out, and you
recommended X, do you think we should go for X+1" and they obviously
said "yes".

So I'm implying here the bug scrub was a waste of time.

>> If you have the resources then I'm not such a fan of this service.
>
> On the other hand, when Cisco does a bug scrub they see _all_ the
> bugs, not just the publicly visible ones.  There's been a couple of
> times I've gone back & forth with our AS engineer about the details of
> some bug that had no public description & a time or two when he
> suggested we hold off on an upgrade until after the psirt
> announcement.

So something that Cisco don't do which is very annoying is show all
their bugs and bug stats. I have clicked on a bug countless times that
affects us on cisco.com and then I get the page "this is an internal
bug, how did you hear about this?" and I have to ask TAC to tell me
about the bug. They should also be releasing bug stats: how many
people filed bugs for feature X with firmware Y on device Z. What is
the bug fix rate for X, Y and X etc. Is the rate of bug reports for
new-ish-platform P starting to decrease now? Has the fix rate for
old-ish-platform O tailed off now?

Cheers,
James.

Re: [c-nsp] FabricPath on Nexus Switches

2017-01-23 Thread Pavel Skovajsa
One interesting thing we ran into with FabricPath couple years ago is that
you have to forget about the notion of "set of special vlans just for this
switch" . In other words your list of vlans needs to be consistent and
always the same in whole FabricPath. This is due to the fact that by
default there is only one multidestination tree for broadcasts.

One of the beautiful side effects of this is that if misconfigured it WILL
work just fine, until the next power failure when you failover into a
multidestination tree that has one vlan missing. Good luck troubleshooting
that

For the rest of suggestions read Cisco FabricPath Best Practices Whitepaper

-pavel


2017-01-23 11:41 GMT+01:00 Nikolai Nespor :

> Neither supports FabricPath. EVPN+VXLAN is only supported on the 9300.
>
> Regards,
>
> Nikolai
> --
> I manage them. I count them and count them again.
> That is not easy. But I am a serious man.
> \
>  ---> Antoine de Saint-Exupery, "Der kleine Prinz"
>
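
An added example, not part of the thread or of any Cisco tooling: a consistency check for the point made above that every switch in a FabricPath domain must carry the same VLAN list. The switch names and VLAN lists are constructed, and it assumes you have already collected each switch's FabricPath-mode VLAN list as a range string.

```python
# Added example: VLAN-list consistency check for one FabricPath domain.
# Switch names and VLAN lists below are constructed sample data.

def expand_vlans(spec):
    """Expand a VLAN list such as '10,20,30-35' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN item {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def compress_vlans(vlans):
    """Render a set of VLAN ids back into compact 'a,b-c' form."""
    runs = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v          # extend the current consecutive run
        else:
            runs.append([v, v])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def vlan_drift(domain):
    """Return {switch: missing VLANs} for every switch that lacks a VLAN
    carried anywhere else in the domain. An empty dict means consistent."""
    expanded = {sw: expand_vlans(spec) for sw, spec in domain.items()}
    everything = set().union(*expanded.values())
    return {
        sw: compress_vlans(everything - have)
        for sw, have in sorted(expanded.items())
        if everything - have
    }


# Constructed domain: leaf1 lost VLAN 35, leaf2 has a "special" VLAN 40.
DOMAIN = {
    "spine1": "10,20,30-35",
    "spine2": "10,20,30-35",
    "leaf1": "10,20,30-34",
    "leaf2": "10,20,30-35,40",
}

if __name__ == "__main__":
    for switch, missing in vlan_drift(DOMAIN).items():
        print(f"{switch}: missing VLANs {missing}")
```

Run it before a change window and after every VLAN change, since the mismatch only shows up once traffic moves to a tree that lacks the VLAN.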

Re: [c-nsp] ASR Firmware 15.5(3)S4a

2016-10-26 Thread Pavel Skovajsa
I also noticed that going through the proxies makes things worse - weird,
have to sniff it one day. Btw ever since the ftp access to cisco ios file
went away, what are you doing to get the ios image files in "mass" way?

The only thing I figured out is to use Firefox cliget plug-in for the Cisco
portal, which generates nice curl cli commands that I can then use to
download all those files directly from the internal FTP server. Still, I
have to do it one by one.

-pavel

On Wed, Oct 26, 2016 at 8:15 PM, Nick Cutting <ncutt...@edgetg.com> wrote:

> This happens to me on chrome - but not firefox
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Mark Tinka
> Sent: Wednesday, October 26, 2016 9:22 AM
> To: Pavel Skovajsa <pavel.skova...@gmail.com>; Harry Hambi - Atos <
> harry.ha...@bbc.co.uk>
> Cc: cisco-nsp NSP <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] ASR Firmware 15.5(3)S4a
>
>
>
> On 26/Oct/16 12:42, Pavel Skovajsa wrote:
>
> > On a similar topic of the software download portal. Does it happen to
> > you that when you navigate those software download selections nothing
> > happens after you click on them?
> > It drives me mad sometimes as it comes and goes.
>
> It takes a while, but it loads, eventually.
>
> Mark.


Re: [c-nsp] ASR Firmware 15.5(3)S4a

2016-10-26 Thread Pavel Skovajsa
On a similar topic of the software download portal. Does it happen to you
that when you navigate those software download selections nothing happens
after you click on them?
It drives me mad sometimes as it comes and goes.

-pavel

On 26 Oct 2016 at 11:30, "Harry Hambi - Atos" wrote:

> Hi Ted,
> Manage to find eventually, thanks for your help.
>
>
> Rgds
> Harry
>
> Harry Hambi BEng(Hons)  MIET  Rsgb
>
>
> -Original Message-
> From: Ted Johansson [mailto:ted.johans...@tele2.com]
> Sent: 26 October 2016 10:13
> To: Harry Hambi - Atos
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASR Firmware 15.5(3)S4a
>
> Hi Harry,
>
> Go to software.cisco.com
> Software Download
> Find: ASR 1001-X
> IOS XE Software
>
> And you should be able to select your requested software there.
>
> Best Regards
> Ted
>
> Sent from my Phone
>
> > On 26 Oct 2016, at 11:09, Harry Hambi - Atos wrote:
> >
> > Thanks Ted,
> > The hardware platforms are 1001 & 1001-X
> > 1002 & 1002-X. I find the Cisco site time consuming to get to where you
> > want.
> >
> >
> > Rgds
> > Harry
> >
> > Harry Hambi BEng(Hons)  MIET  Rsgb
> >
> > -Original Message-
> > From: Ted Johansson [mailto:ted.johans...@tele2.com]
> > Sent: 26 October 2016 10:02
> > To: Harry Hambi - Atos
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASR Firmware 15.5(3)S4a
> >
> > Hi Harry,
> >
> > You will need to look at that specific device that you wish to download
> > the software for since it's different images for different platforms and
> > models.
> >
> > Best Regards
> > Ted
> >
> > Sent from my Phone
> >
> >> On 26 Oct 2016, at 10:50, Harry Hambi - Atos wrote:
> >>
> >> Hi All,
> >> Looking to download above firmware for ASR, the nearest I can find is
> >> iosxe-remote-mgmt03.16.04a S 155.3.S4a-ext.ova. This don't look right, any
> >> ideas appreciated.
> >>
> >>
> >> Rgds
> >> Harry
> >>
> >> Harry Hambi BEng(Hons)  MIET  Rsgb
> >>

Re: [c-nsp] huge amount of mcast traffic

2016-10-17 Thread Pavel Skovajsa
James,
So all your customers are on 6708?

One thing you can try is check the internal architecture of the 6708 cards
especially the egress replication asic. Probably also depends on which ports
you have the customers connected...

-pavel

On 13 Oct 2016 at 18:44, "Matthew Huff" wrote:

> A sustained 6Gps on a 10GB pipe is hard to do already, but with
> multicast…. Typically that large of multicast is broken up into different
> multicast addresses can be split on multiple lines. The burst nature of the
> feed is going to be an issue. Will it work, yes. Will it work well, I doubt
> it.
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
>
> From: james list [mailto:jameslis...@gmail.com]
> Sent: Thursday, October 13, 2016 12:34 PM
> To: Matthew Huff 
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] huge amount of mcast traffic
>
> well we'll connect to 10 Gbs interface a traffic up to 6 Gbs, not on 6748
> 1 Gbs blades... no other issue you see ?
>
> 2016-10-13 18:31 GMT+02:00 Matthew Huff  >>:
> The 6748 blades are going to be an issue with buffer overruns. Whether
> this will be a minor or major issue depends on the application that uses
> the multicast data.
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
>
> From: james list [mailto:jameslis...@gmail.com jameslis...@gmail.com>]
> Sent: Thursday, October 13, 2016 12:25 PM
> To: Matthew Huff >
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] huge amount of mcast traffic
>
>
> Hi
>
> I’m not able to find the multicast replication mode on ASR..
>
> On core routers:
>
> C6807 has  Supervisor Engine 2T 10GE and IOS 15.1(2)SY4
>
> xxx>sh module
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   1   20  DCEF2T 4 port 40GE / 16 port 10GE      WS-X6904-40G       xx
>   2   20  DCEF2T 4 port 40GE / 16 port 10GE      WS-X6904-40G       xx
>   3    5  Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G       xx
>   5   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6848-GE-TX     xx
>
> Mod  Sub-Module                  Model              Serial       Hw     Status
> ---- --------------------------- ------------------ ----------- ------- -------
>   1  Distributed Forwarding Card WS-F6K-DFC4-E      xxx          1.2    Ok
>   2  Distributed Forwarding Card WS-F6K-DFC4-E      xxx          1.2    Ok
>   3  Policy Feature Card 4       VS-F6K-PFC4        xxx          3.0    Ok
>   3  CPU Daughterboard           VS-F6K-MSFC5       xxx          3.0    Ok
>   5  Distributed Forwarding Card WS-F6K-DFC4-A      xxx          1.4    Ok
>
> xxx#sh platform multicast routing replication
>
> Current mode of replication is Egress
> Configured mode of replication is Egress
>
> Switch  Slot    Multicast replication capability
>  1       1      Egress
>  1       2      Egress
>  1       3      Egress
>  1       5      Egress
>  2       1      Egress
>  2       2      Egress
>  2       3      Egress
>  2       5      Egress
>  4       1      Ingress
>  3       1      Ingress
>  5       1      Ingress
>
> C6500 has Supervisor Engine 720 10GE and IOS 12.2(33)SXI5
>
> xxx>sh module
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   1   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     xxx
>   2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE      xxx
>   3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     xxx
>   4   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP       xxx
>   5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        xxx
>
> Mod  Sub-Module                  Model              Serial       Hw     Status
> ---- --------------------------- ------------------ ----------- ------- -------
>   1  Distributed Forwarding Card WS-F6700-DFC3C     xxx          1.6    Ok
>   2  Distributed Forwarding Card WS-F6700-DFC3C     xxx          1.8    Ok
>   3  Distributed Forwarding Card WS-F6700-DFC3C     xxx          1.6    Ok
>   4  Centralized Forwarding Card WS-F6700-CFC       xxx          4.2

Re: [c-nsp] Adventures while upgrading a dual sup-8 WS-C4510R+E

2016-10-17 Thread Pavel Skovajsa
Not that i recognize the error but with the early sup8s i learned to
always upgrade the rommon first. Also upgrade using REAL power cycle not
a reload.

I know - sounds like nonsense, unfortunately backed by number of TAC
cases...

-pavel

On Tuesday, 11 October 2016, Sebastian Beutel <
sebastian.beu...@rus.uni-stuttgart.de> wrote:

> Dear List,
>
> i don't want to hold back the experience i made today while trying to
> upgrade a 4510 shelf. Clearly the jump from 03.03.02 to 03.06.05 was too
> far. What i didn't expected was this message that showed up on the console
> of the second sup when the new ios booted there:
>
> ---
>
> [ASCII-art banner]
>
> The following environment variable(s) are set.  Setting these
> environment variables may cause the system to behave unpredictably.
> "DontShipDisableThermalShutdown"
> Use 'clear platform environment variable unsupported' to clear these
> variables.
>
> ---
>
> Never heard of such a thing. And I definitely don't want my chassis to melt
> should our air condition refuse to work some day. So when i finally finished
> the update i tried the suggested command and guess what:
>
> ---
>
> dno19-y1-s1#clear platform environment variable unsupported
> No unsupported environment variables found
>
> ---
>
> Even though i like beautiful ascii art and also variable names that start
> with "DontShip" i feel slightly scared having such a thing running on our
> production Switches. Has anyone ever seen something like that and knows how
> that is to be appraised?
>
> Best,
>Sebastian.
>


Re: [c-nsp] Cisco Advisor Tools

2016-10-07 Thread Pavel Skovajsa
Ziad,

there is really no need for advisor tools since it is very simple. Cisco is
selling only two metallic looking boxes with holes in them - something
called a "router" and some other thing called a "switch". The difference is
mainly just in color - "router" is black, and "switch" is silver.
Just ask your customer which one of these two they want and order them from
Cisco. Do not forget to add at least 200% margin on top for your value-add
service.

-pavel

On Wed, Oct 5, 2016 at 9:00 AM, zaid via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:

>
> -- Forwarded message --
> From: zaid 
> To: "cisco-nsp@puck.nether.net" 
> Cc:
> Date: Wed, 5 Oct 2016 06:57:19 + (UTC)
> Subject: Cisco Advisor Tools
> Hello
>
> I'm new Cisco partner and looking for tools that can advice me Cisco
> products, or any tools that can I put my technical spec then recommend me
> product ID ?
> Appreciate your support.
> Regards
>


Re: [c-nsp] Cat6500 VLAN cannot be assigned to a routed port sub-if?

2016-09-19 Thread Pavel Skovajsa
It's a switch!
-pavel

On Mon, Sep 19, 2016 at 11:39 AM, Anders Löwinger  wrote:

> On 2016-09-19 10:19, Gert Doering wrote:
>
>> Things like that makes one wonder if Sup2T is intentionally trying to
>> kill the platform...  "too late, too limited, too stupid design decisions"
>> (like, the new netflow implementation "with MAC addresses").
>>
>
> Sup2t has support in HW for using same VLAN-id on different L3 interfaces.
> Cisco has no SW to support it :(
>
>
> /Anders
>
>

Re: [c-nsp] ip device tracking on IOS-XE

2016-08-09 Thread Pavel Skovajsa
In case it helps: TAC engineer advised us that a global command "no nmsp
enable" disables the IPDT on all the Cisco switches.

-pavel

On Tue, Aug 9, 2016 at 6:50 PM, Sebastian Beutel <
sebastian.beu...@rus.uni-stuttgart.de> wrote:

> Hi Antoine,
>
> On Tue, Aug 09, 2016 at 09:24:55AM +0200, Antoine Monnier wrote:
> > try this under every interface:
> >  nmsp attachment suppress
> > (yeah I know... does not seem related in anyway to IP device tracking but
> > it does turn it off for us)
> >
> Even after reading the sparse documentation i can't figure out what this
> does. May i ask where did you get the suggestion to this?
>
> >
> > or better, upgrade to a more recent release? it seems 3.6.2aE has it
> > disabled by default (Cat 3850)
> >
> On the particular switch i had 03.07.03E running. Because 03.06.05E is
> currently the suggested release i rolled back to this version and what
> happened? A "no ip device tracking" in global config mode seems to succeed
> but actually does nothing at all: A "sho ip device tracking" makes clear,
> that it's still running.
>
> Best,
>Sebastian.
>
> > On Mon, Aug 8, 2016 at 7:28 PM, Sebastian Beutel <
> > sebastian.beu...@rus.uni-stuttgart.de> wrote:
> >
> > > Dear list,
> > >
> > > we ran into trouble with the ip device tracking feature that seems to
> > > be enabled by default on devices running ios-xe. There's already a
> > > trouble shooting guide:
> > >
> > > http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/8021x/116529-problemsolution-product-00.html
> > >
> > > As ip device tracking is disabled by default on most of our devices
> > > anyway (those running ios) my first idea was to just disable it globally.
> > > But even though command line completion and online help knows about
> > > "no ip device tracking " and a global line "ip device tracking" shows up
> > > in sho run all, i get an error message saying: "IP device tracking is
> > > disabled at the interface level by removing the relevant configs".
> > >
> > > Next thing is, that no "relevant config" appears in "sho run all" on an
> > > interface level. There are only global lines. And if i try to do a
> > > "no ip device tracking" on a single interface i get the exact same error
> > > message.
> > >
> > > But it gets wilder: If i use one of the suggestions of the above link
> > > and type a "ip device tracking probe delay 10" on just a single
> > > interface, the command goes through without an error. The result is,
> > > that again no corresponding configuration shows up on the interface but
> > > the global line is now changed and a "show ip device tracking all"
> > > reveals:
> > >
> > > Global IP Device Tracking Probe Delay Interval = 10
> > >
> > > Any ideas how that makes sense? How to disable device tracking globally?
> > > For what use device tracking could be beneficial anyway?
> > >
> > > Best,
> > >Sebastian.
> > >
>
> --
> Dipl.-Ing. Sebastian Beutel          tel: +49-711-685-64538
> Rechenzentrum Universitaet Stuttgart http://www.rus.uni-stuttgart.de/nks
> Netze und Kommunikationssysteme      Allmandring 30A, D-70550 Stuttgart


Re: [c-nsp] 40G options for 6807

2016-07-13 Thread Pavel Skovajsa
Supposedly there will be new 40G, 10G and 100G modules in the coming
months. See Sales Connect.

-pavel

On Wed, Jul 13, 2016 at 2:29 PM, Nick Cutting  wrote:

> Any new 40g modules coming out/been released for the 6807?
>
> Or still just
>
> WS-X6904-40G-2T
>
> Where is the love for this golden chassis monster


Re: [c-nsp] Cisco and microbursts

2016-05-19 Thread Pavel Skovajsa
Maybe they are just trying to uncover the fact that for example old 2621
router has slow clock on its ASIC (in this case mips cpu) but it actually
is capable of having multiple of  FastEthernet interfaces. They do not work
really great, but possible :)

If you speed up that 'asic' things are suddenly great! Who would have
thought? So easy...

-pavel
On 18 May 2016 at 19:05, "Saku Ytti" wrote:

> On 18 May 2016 at 19:44, Adam Vitkovsky wrote:
>
> > I'm not that familiar with these small ASICs -or actually FPGAs (as a
> > crossover between ASIC and NPU).
> > But since in FPGAs not everything is programmed in HW (I'm guessing),
> > wouldn't the execution time be partly dependent on what features are
> > enabled? So then higher clock-rate would mean that you can execute more
> > instructions per given Tc. That is to be able to do more advanced stuff
> > while sustaining the nominal pps rate?
> > Just thinking out loud.
>
> If I understood you right, you're saying 'maybe we were lookup
> starved, ended up buffering due to waiting for lookup engine'.
>
> But that is not microburst, microburst is egress interface being
> congested, lookup engine being congested is just box being
> oversubscribed with traffic.
>
>
> What Cisco is trying to explain on the PDF is that somehow to handle
> microburst, you need less memory, when you make clock rate higher,
> which is completely non-sensical (unless it's the clock of the egress
> interfaces, unfortunately there is only 100ppm room for creativity).
>
> Essentially they removed memory and now are trying to make it look
> like it's not a problem. I don't think they are trying to lie, I think
> their testing just tested completely wrong things. I'm pretty sure
> they were pacing packets, instead of bursting. Which of course means
> you never need buffers to hit egress rate.
>
> --
>   ++ytti

Re: [c-nsp] IOS XE Denali release date

2016-03-31 Thread Pavel Skovajsa
sorry, nothing for ASR and N1k - yet.

-pavel

On Thu, Mar 31, 2016 at 5:26 PM, Pavel Skovajsa <pavel.skova...@gmail.com>
wrote:

> It has been available for a 2 months now for download, for example for
> Catalyst 3650/3850 you can download the 16.1.2 image -
> cat3k_caa-universalk9.16.01.02.SPA.bin
>
> The upgrade procedure is little complicated, I suggest you read here:
>
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-1/release_notes/ol-16-1-3650.html
>
> -pavel
>
> On Thu, Mar 31, 2016 at 10:03 AM, Robert Hass <robh...@gmail.com> wrote:
>
>> Hi
>> I'm looking for some dates regarding IOS XE release called 'Denali' for
>> ASR
>> 1K and CSR 1000V platforms. Cisco show on presentations March 2016, but
>> tomorrow we will have 1st of April.
>> Is it delayed ?
>>
>> Rob


Re: [c-nsp] IOS XE Denali release date

2016-03-31 Thread Pavel Skovajsa
It has been available for a 2 months now for download, for example for
Catalyst 3650/3850 you can download the 16.1.2 image -
cat3k_caa-universalk9.16.01.02.SPA.bin

The upgrade procedure is little complicated, I suggest you read here:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-1/release_notes/ol-16-1-3650.html

-pavel

On Thu, Mar 31, 2016 at 10:03 AM, Robert Hass  wrote:

> Hi
> I'm looking for some dates regarding IOS XE release called 'Denali' for ASR
> 1K and CSR 1000V platforms. Cisco show on presentations March 2016, but
> tomorrow we will have 1st of April.
> Is it delayed ?
>
> Rob


Re: [c-nsp] TX low alarm warning

2016-02-15 Thread Pavel Skovajsa
For some reason especially on 4500X 3.7 code we have also seen this message
on ports which are left no shut, and they have an SFP in it. It was
seriously polluting our logs so we wrote this:

logging discriminator LOGFILTER mnemonics drops SFF8472-5-THRESHOLD_VIOLATION
logging host x.y.z.w discriminator LOGFILTER
logging host x.y.z.q discriminator LOGFILTER
logging console discriminator LOGFILTER

-pavel

On Mon, Feb 15, 2016 at 1:33 PM, Jim Glassford  wrote:

> Hi,
>
> The few I've had were fiber strand related, a poorly seated or dirty patch
> cord connection.
>
> best!
> jim
>
>
> On 2/15/2016 6:43 AM, Harry Hambi - Atos wrote:
>
>> Hi all,
>> Getting the following error Jan 27 04:06:25.811 GMT:
>> %SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power low alarm; Operating value:
>> -40.0 dBm, Threshold value: -12.2 dBm. Does this point to a fibre or gbic
>> error?. Any suggestions appreciated. Other end of link not alarming.
>>
>>
>> Rgds
>> Harry
>>
>> Harry Hambi BEng(Hons)  MIET  Rsgb
>>
>
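
An added example, not code from the thread: a collector-side filter for the SFF8472 threshold message discussed above that suppresses it only for ports listed as idle and counts what it drops, so an alarm on an in-use port still reaches the log. The names `triage` and `IDLE_PORTS` are hypothetical; the first sample line is the message quoted in the thread and the others are constructed.

```python
# Added example: suppress %SFF8472-5-THRESHOLD_VIOLATION only for ports that
# are known to be idle, and keep a count of everything that was suppressed.
import re
from collections import Counter

# Cisco IOS syslog body: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)"
)
# Short interface name at the start of the message text, e.g. "Te4/1:"
IFACE_RE = re.compile(r"^(?P<iface>[A-Za-z]+\d+(?:/\d+)*):")


def parse(line):
    """Split one syslog line into facility, severity, mnemonic, text, iface."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    i = IFACE_RE.match(rec["text"])
    rec["iface"] = i.group("iface") if i else None
    return rec


def triage(lines, idle_ports,
           facility="SFF8472", mnemonic="THRESHOLD_VIOLATION"):
    """Return (kept_lines, suppressed_counts_per_interface)."""
    kept, suppressed = [], Counter()
    for line in lines:
        rec = parse(line)
        if (rec and rec["facility"] == facility
                and rec["mnemonic"] == mnemonic
                and rec["iface"] in idle_ports):
            suppressed[rec["iface"]] += 1   # dropped, but still accounted for
        else:
            kept.append(line)               # unparsed lines are never dropped
    return kept, dict(suppressed)


# Assumption: Te1/7 is a no-shut port with an SFP inserted and no link.
IDLE_PORTS = {"Te1/7"}

SAMPLE = [
    # Quoted in the thread:
    "Jan 27 04:06:25.811 GMT: %SFF8472-5-THRESHOLD_VIOLATION: Te4/1: Tx power "
    "low alarm; Operating value: -40.0 dBm, Threshold value: -12.2 dBm.",
    # Constructed:
    "Jan 27 04:06:26.102 GMT: %SFF8472-5-THRESHOLD_VIOLATION: Te1/7: Tx power "
    "low alarm; Operating value: -40.0 dBm, Threshold value: -12.2 dBm.",
    "Jan 27 04:07:01.000 GMT: %LINK-3-UPDOWN: Interface TenGigabitEthernet4/1, "
    "changed state to down",
    "Jan 27 04:16:26.102 GMT: %SFF8472-5-THRESHOLD_VIOLATION: Te1/7: Tx power "
    "low alarm; Operating value: -40.0 dBm, Threshold value: -12.2 dBm.",
]

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE, IDLE_PORTS)
    print("\n".join(kept))
    print("suppressed:", suppressed)
```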


Re: [c-nsp] Cisco iWAN Solution

2015-05-02 Thread Pavel Skovajsa
Hello Ranjith,

The IWAN solution is relatively new, so you will not find a lot of people
with experience with it.

I do not have any practical experience running an IWAN network, but I spent
quite some time looking at the IWAN architecture and design. My opinion is
that on one side the IWAN solution lowers the cost of branch site circuits,
but significantly increases the technical and operational complexity of the
WAN CE routers. This is a perfect move from Cisco since just by principle
their routers with more complexity inside can be more expensive. Hence the
solution moves the cost around from circuits (non cisco business) to
routers (cisco business) and strengthens Cisco's position.

Obviously this depends on your definition of what is complex and what is
not complex. You can argue that various IWAN single pane of glass
mgmt tools make this solution less complex by presenting a nice clean
GUI, but all those tools do is hide complexity for the casual user. All I know
is that IWAN is not a simple feature that you turn on and forget about -
it completely changes how routing works.

Also there are interesting operational issues that are probably much harder
to fix in IWAN world. For example the customer calls you and tells you that
yesterday at 9:35AM their application did not work in SiteA. How would you
know which path the traffic took? It is dynamic, so how would you
troubleshoot?

Now to your questions:
> How good is the PFR feature for load balancing effectively among multiple
> internet links
PFR is traditionally excellent in this, without configuration it actually
loadbalances almost precisely 50/50.

> How good is the Cisco WAAS and akamai connect for the WAN acceleration
As good as any WAAS box or proxy solution:)

> all the traffic from remote site should make use of the local internet
> links to reach the proxy server on cloud Although various cisco documents
> states PFR will work for Direct internet access
If I understand correctly what you are asking is whether PFR works for
Direct Internet Access. No, it does not, my understanding is that PFR only
works inside the DMVPN cloud inside the Enterprise. The reason is simple -
PFR not only changes the forward path, but also the return path, hence you
need full control of both sides.

My 2 cents, comments or corrections welcome, I would be interested in
others opinion and experience as well,

-pavel skovajsa






On Sat, May 2, 2015 at 6:34 PM, Ranjith R ranjithrn...@gmail.com wrote:

 ​Hi .

 Can anyone please provide inputs on the Cisco iWAN solution .

 Thanks,
 Ranjith​

 On Fri, May 1, 2015 at 12:11 AM, Ranjith R ranjithrn...@gmail.com wrote:

  Hello Folks ,
 
  We are in the process of evaluating Cisco iWAN solution , would like to
  gather opinions about the solution with the below requirement
 
  How good is the PFR feature for load balancing effectively among multiple
  internet links
 
  How good is the Cisco WAAS and akamai connect for the WAN acceleration
 
  We have a cloud based proxy solution and all the traffic from remote site
  should make use of the local internet links to reach the proxy server on
  cloud Although various cisco documents states PFR will work for Direct
  internet access , there has been contradictory information on the same .
 
  Could you guys share your valuable inputs if any ?
 
 
  Thanks in Advance ,
 
  Regards,
  Ranjith
 
 

Re: [c-nsp] WLC5700 and Unparalleled scalable wireless solution

2014-09-29 Thread Pavel Skovajsa
Well,

I guess they are just trying to say 2 things:
- one 5760-1000 will support 1000 aps, and maybe you can (maybe) peer 72 of
them into one big managed mobility domain
- due to MA/MC split, majority of the traffic does not hairpin through the
5760

You can find much more technical details by searching for the Converged
Access on Cisco Live pages.

Cheers,
-pavel skovajsa

On Mon, Sep 29, 2014 at 9:39 AM, Matti Saarinen mjsaa...@cc.helsinki.fi
wrote:


 Hello,

 I just noticed that Cisco has a new wireless LAN controller namely 5700.
 Its documentation tells that the system will support up to 72,000 APs
 when using Unparalleled scalable wireless solution. I tried looking
 for information of this Unparalleled scalable wireless solution but I
 was not able to find any. I would like to know what that so called solution
 actually is. How many controller boxes does it require, how expensive
 are the licences etc? If anyone here could tell me where I could find
 more information it would be very very nice. I would like to avoid a
 meeting with Cisco sales people and their 100s of powerpoint slides.

 Cheers,

 Matti



Re: [c-nsp] TAC hits a new record level of aggravation...

2014-02-01 Thread Pavel Skovajsa
Resurrecting this thread,

Are any of you having issues uploading file attachments to TAC cases using
the http java page? Somehow nobody in our org can upload anything - we have
latest Firefox, latest Java from Sun, still after clicking the Submit
button in the file upload window nothing happens.

Regards,
-pavel skovajsa


On Thu, Nov 7, 2013 at 12:13 PM, Antonio Soares amsoa...@netcabo.pt wrote:

 Another tool that is a nightmare. The new bug search tool: it hangs my IE 9,
 my FF 25, ...

 This is what FF tells me:

 A script on this page may be busy, or it may have stopped responding. You
 can stop the script now, or you can continue to see if the script will
 complete.

 Script:
 https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624;


 Java, JavaScript, etc, why do we need that ?


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
 Justin M. Streiner
 Sent: Sunday, 3 November 2013 14:35
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] TAC hits a new record level of aggravation...

 On Sun, 3 Nov 2013, Jeff Kell wrote:

  Customer support died a decade ago.

 For the front-end stuff, sure.

 To be fair, and to give credit where credit is due, I have dealt with some
 TAC engineers who have been incredibly helpful, professional, and
 responsive.  For the things I generally reach out to TAC for, it seems like
 the level of response I've gotten recently has improved a bit from, say,
 two years ago.

 jms


Re: [c-nsp] switching of monitored traffic

2013-09-28 Thread Pavel Skovajsa
It will switch it as any other incoming traffic.
-pavel

On Saturday, September 28, 2013, Ben Hammadi, Kayssar (NSN - TN/Tunis)
wrote:

 Dears,

 We are monitoring traffic from Switch A to Switch B with monitor
 session  , Switch B receive now all traffic handled by Switch A .
 Does Switch B treat this traffic as normal traffic and continue to
 switch it according to configured Vlans or it has a way to know that it
 come from a monitor session not from a regular switching ?

 Br.

 BEN HAMMADI Kayssar

 NOKIA SIEMENS NETWORKS
 Lead Engineer -BroadBand Connectivity
 JNCIE-M (#471), JNCIE-SP (#1147), CCIP
 Mobile : +216 29 349 952  /  +216 98 349 952
 FIX  : +216 71 108 173
 Skype : kayssar ben hammadi
 kayssar.ben_hamm...@nsn.com





Re: [c-nsp] ME3400E - Shaping vlans?

2013-09-26 Thread Pavel Skovajsa
Per Vlan Egress Shaping and Per vlan Ingress policing is definitely
possible but not straightforward to configure since there are many
limitations. For example you can't have a match vlan in output policy-map
and you need to match against DSCP. For example:

class-map match-any Video
 match ip dscp af41
 match ip dscp cs4
class-map match-any Voice
 match ip dscp ef
 match ip dscp cs5
class-map match-any Mng
 match ip dscp af21
 match ip dscp cs2

policy-map 33Mps
 class Voice
  shape average 1024000
  queue-limit 150
 class Video
  shape average 2000
  queue-limit 150
 class Mng
  shape average 1024000
  queue-limit 150
 class class-default
  shape average 
  queue-limit 272

So you would need an input policy map that allows match vlan and set dscp
on that one. There are many more combinations that work, and many that
don't (priority,bandwidth,shape).

The best is to study the QoS guidelines for this platform. below are some
resources for ME3400:
http://www.cisco.com/web/DK/assets/docs/sp_me3400_IPTV.pdf
http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_50_se/configuration/guide/ME3400eCG.pdf

Regards,
Pavel


On Thu, Sep 26, 2013 at 3:36 AM, Jeff Kell jeff-k...@utc.edu wrote:

 On 9/25/2013 9:32 PM, CiscoNSP List wrote:
  Hi,
 
  Is it possible to shape vlans on the ME3400E? (i.e. Multiple vlans on a
 trunk port, shaping them at different speeds)?

 And to hop someone else's thread...  isn't there some simple way of
 prioritizing a vlan over the others via CoS?  It's certainly in the
 dot1q protocol but haven't seen any practical examples/applications...

 Jeff



Re: [c-nsp] ME-3400EG - Shaping

2013-05-11 Thread Pavel Skovajsa
Hello,

see https://puck.nether.net/pipermail/cisco-nsp/2010-March/069379.html

-pavel


On Fri, May 10, 2013 at 1:09 AM, John Elliot johnellio...@hotmail.com wrote:

 Hi,

 I've read that the older version of the ME3400 (The non E) had limited
 granularity with shaping - Can anyone please confirm if the E version can
 do shaping on a per-port/per-vlan level (And at what granularity)?

 Thanks.


Re: [c-nsp] Stability of NX-OS with FCoE/10GB

2013-01-28 Thread Pavel Skovajsa
We are running something very very similar (8x2232 FEX) per pair of 5596UP
and so far they are doing fine. Just for fun, you might want to upgrade to
N1(3):

  kickstart image file is: bootflash:///n5000-uk9-kickstart.5.2.1.N1.3.bin
  kickstart compile time:  12/4/2012 1:00:00 [12/04/2012 09:53:21]
  system image file is:bootflash:///n5000-uk9.5.2.1.N1.3.bin
  system compile time: 12/4/2012 1:00:00 [12/04/2012 11:40:13]

-pavel

On Sun, Jan 27, 2013 at 8:53 PM, Deny IP Any Any denyipany...@gmail.com wrote:

 I have a pair of 5596UPs with 6 2K FEXes; I'm doing converged 10GB/FCoE to
 a dozen big Dell VMWare boxes, and native FC to a SAN.

 I'm experiencing frequent crashes, which TAC diagnoses as known-issues and
 promises a fix will come in a future release (notice my once-every-6-months
 crash got upgraded to a 'once-every-2-months-crash).  Is anybody running a
 setup similar to mine that could comment on what I can do to increase the
 stability of this unit, or am just living too close to the bleeding edge to
 expect stability?


 5596UP# show system reset-reason
 - reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
 1) At 407317 usecs after Sat Jan 19 00:03:59 2013
 Reason: Reset triggered due to HA policy of Reset
 Service: port-profile hap reset
 Version: 5.2(1)N1(2a)

 2) At 104796 usecs after Thu Nov 15 04:53:25 2012
 Reason: Reset due to upgrade
 Service:
 Version: 5.0(3)N2(2)

 3) At 410380 usecs after Fri Sep 28 19:03:46 2012
 Reason: Reset triggered due to HA policy of Reset
 Service: fcpc hap reset
 Version: 5.0(3)N2(2)

 4) At 951524 usecs after Fri Mar 30 00:12:39 2012
 Reason: Reset triggered due to HA policy of Reset
 Service: fcpc hap reset
 Version: 5.0(3)N2(2)


 --
 deny ip any any (4393649193 matches)


Re: [c-nsp] New Cisco ME3400 IOS?

2012-04-19 Thread Pavel Skovajsa
The new 12.2(58)EX is out there, can somebody please share experience with
it?
Also would be great if someone can shed some light on what is actually
considered an 'Enhanced QoS buffer management' since from the release notes
http://www.cisco.com/en/US/docs/switches/metro/me3400e/software/release/12.2_58_ex/release/notes/ol24334.html
it seems like the queue size has magically gone up:

Option to configure the queue size threshold in percentage terms. You can
now specify different queue sizes in absolute (number of packets) or
percentage terms for different classes of traffic in the same queue. The
upper limit of the number of packets you can specify when configuring a
queue limit is increased from 544 to 4272.

Is there a DOC describing how these queue size thresholds actually work on
ME3400?

-pavel

On Fri, Mar 23, 2012 at 11:36 AM, Aled Morris al...@qix.co.uk wrote:

 On 23 March 2012 07:59, Tassos Chatzithomaoglou ach...@forthnetgroup.gr
 wrote:

  Can you please provide more details about Enhanced QoS buffer
 management?
 
 
 Sometimes this is marketing speak for now works (more) like the
 documentation claims it always did i.e. fixed without admitting that the
 code was broken before.

 Aled


Re: [c-nsp] Trunking Private VLANs on 6509

2012-03-04 Thread Pavel Skovajsa
Hi,

indeed there is no option for 'Private Vlan Trunk' on a 6500 nowadays. Some
time ago this was possible with CatOS but somehow the support for this did
not get into Native IOS. The only real 'solution' is to use some loopback
cables that 'translate' the incoming dot1q tag. Obviously you would need
twice as many ports as there are vlans for this, so I would not call
it a solution.

Alternatively if you have the possibility to configure private vlans on the
other switches, you can simply trunk the private vlans using a normal
'switchport mode trunk' on 6500 and allowing both primary and secondary
over the trunk.

Hope it helps.
-pavel



On Fri, Mar 2, 2012 at 1:21 AM, Justin Krejci jkre...@usinternet.com wrote:

 I am trying to trunk private vlans from a Cisco 6509 to some other
 switches. There does not appear to be a way to do this but it works
 great on a Cisco 4948. Does the 6509 not support doing this or is there
 something else needed to make this work?

 Here is some sample config.

 
 Cisco 4948
 

 vlan 850
  private-vlan isolated
 vlan 851
  private-vlan primary
  private-vlan association 850

 interface GigabitEthernet1/34
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 850,900,910,911
  switchport private-vlan trunk allowed vlan 850,900,910,911
  switchport private-vlan association trunk 851 850
  switchport private-vlan association trunk 901 900
  switchport private-vlan association trunk 909 910
  switchport private-vlan association trunk 912 911
  switchport private-vlan association trunk 853 852
  switchport mode private-vlan trunk

 interface Vlan851
  ip address x.x.x.1 255.255.255.0
  private-vlan mapping 850



 
 Cisco 6509
 Sup720-3BXL
 WS-X6748-GE-TX or WS-X6548-GE-TX
 IOS Version 12.2(33)SXI6 Advanced Enterprise
 

 vlan 850
  private-vlan isolated
 vlan 851
  private-vlan primary
  private-vlan association 850

 interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 (everything after this point errors out because trunk is not an option
 for any of these)
 switchport private-vlan trunk allowed vlan 850,900,910,911
 switchport private-vlan association trunk 851 850
 switchport private-vlan association trunk 901 900
 switchport private-vlan association trunk 909 910
 switchport private-vlan association trunk 912 911
 switchport private-vlan association trunk 853 852
 switchport mode private-vlan trunk





Re: [c-nsp] VPLS/Layer2 Egress Policing

2011-10-27 Thread Pavel Skovajsa
This is by design since the WS-6748 cards are for LAN environment. You
would need to use either a SPA module, or better the ES cards:
http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-49152.html

-pavel

On Tue, Oct 25, 2011 at 10:14 AM, ar ar_...@yahoo.com wrote:
 Hi Guys.

 I am searching for a good docs for Layer2 or VPLS Egress Policing (PE-to-CE). 
 Any one knows how to do this? I'm using 7600 with WS-6748 line card. Egress 
 policing facing is not allowed.


 thanks


Re: [c-nsp] PVLAN Promiscuous Trunk on 6500

2011-09-09 Thread Pavel Skovajsa
AFAIK this was only on CatOS for 6500 so not much useful right now.

The private host feature  applies vlan tag to the ingress traffic of the
access port (not trunk), the private trunk does ingress traffic tag swap of
multiple vlans coming in via trunk. So, if you have lot of free ports you
might be able to cable-loop 2 ports per each vlan and use private host
feature to swap the tags. Not saying I would do this

-pavel

On Fri, Sep 9, 2011 at 3:10 PM, Persio Pucci per...@gmail.com wrote:

 Hi,

 can anybody confirm if PVLAN Promiscuous Trunk Port is supported on
 the 6500 platform? I know it is supported on the 4500, and that it is
 NOT supported on the 3750, but I had the impression it was supported
 on the 6500, but it does not accept the command switchport mode
 private-vlan trunk promiscuous.

 Also, if it does not support, would I be able to use Private Host instead?

 Regards,

 Persio


Re: [c-nsp] PBR on traffic originating from the router

2011-07-28 Thread Pavel Skovajsa
Hello Jay,

you can apply a route-map that would do PBR on the traffic generated by
the router like this:

route-map LocalPolicy permit 10
 match ip address PingISP_A
 set interface Serial0/0/0

ip local policy route-map LocalPolicy

Seems like your scenario perfectly matches the one described by Ivan on
http://www.nil.com/ipcorner/RedundantMultiHoming/

-pavel

On Thu, Jul 28, 2011 at 8:29 AM, Jay Nakamura zeusda...@gmail.com wrote:

 Let's say a router is setup with connection to ISP 1 and ISP 2, which
 are both non-BGP connection and traffic coming in from ISP 1 can't go
 out ISP 2 and visa versa.   Default route is set on ISP 1, with IP
 SLA, failover to ISP 2.

 I can configure NAT so it will NAT on the correct IP for each egress
 connection.  This is not the issue.

 Is there a way, for example, a ping to the router coming into ISP2 can
 be sent back out ISP2 when ISP2 is not the default route?  Normal PBR
 applied to ingress traffic on the interface so I wasn't sure what
 could be done with traffic originating on the router.

 Thanks!


[c-nsp] ME3400 12.2(58)SE1 input CIR bug?

2011-05-16 Thread Pavel Skovajsa
Hello,

After upgrading to 12.2(58)SE1 on a ME3400 seems like all the input CIR with
BC configured like this stopped working:
policy-map CIR_4096
 class class-default
police cir 4096000 bc 256000
  conform-action transmit
  exceed-action drop

When trying to apply the following to an interface it produces this:
switch(config)#int fa0/1
switch(config-if)#service-policy input CIR_4096
extended burst (be) cannot be configured for this interface
Configuration failed!
switch(config-if)#

Interestingly enough this worked fine on anything before 12.2(58)SE1. Does
somebody know whether this is a bug or a newly discovered hw limitation
that is never going to be fixed?

BTW it works fine when I remove the BC from the policy map, but I do not
want to reconfigure a ton of switches:
policy-map CIR_4096
 class class-default
police cir 4096000
  conform-action transmit
  exceed-action drop

-pavel skovajsa


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Pavel Skovajsa
In order to make use of this design the downstream switches (where you
connect the customer devices), would need to understand private-vlans in
order to join the primary (downstream) and secondary (upstream) traffic. For
that to work you would need to allow also the primary vlan on the Te1/1
trunk. You would not really need the private-vlan trunk feature, you can
transport them on a normal trunk port (and join them on the access switch).

The private-vlan trunk feature is useful in a scenario where one port
(Te1/x) belongs to one customer and you are handing over multiple secondary
vlans over that port. This does not seem to be your case. BTW I believe it is
supported on latest CatOS...:)

-pavel skovajsa

On Tue, Apr 19, 2011 at 3:38 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 All,

 We've got a pair of Cisco 6500/sup720 serving as our datacentre collapsed
 routing/distribution.

 Servers are attached to downstream Foundry/Brocade devices, and possibly
 other dumb/cheap devices in future.

 Can I use private VLANs in this case to isolate customers and avoid burning
 5 IPs (network, broadcast, HSRP master, slave  vip) per-customer? I do
 *not* want to stop customers talking to each other at layer3 - just get some
 degree of isolation (including the sticky arp).

 I think I can't, because 12.2(33)SXI seems to lack switchport mode
 private-vlan trunk. Is this correct?

 What I want to do is:

 vlan 600
  name customer-1
  private-vlan community
 vlan 601
  name customer-2
  private-vlan community
 vlan 60
  name all-customers
  private-vlan primary
  private-vlan assoc 600,601

 int Te1/1
  switchport mode trunk
  switchport trunk allowed vlan 600,601

 int Vl60
  ip address ...
  private-vlan mapping ... 600,601
  ip local-proxy-arp


 Cheers,
 Phil
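
The rule stated in this reply and in the 6509 trunking thread above (a normal trunk towards a PVLAN-aware switch has to allow the primary VLAN together with its secondaries) can be checked mechanically. The following is an added example, not code from the thread: it audits the configuration Phil posted, with the SVI lines left out, and its function names are hypothetical.

```python
import re


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '600,601' or '101-102' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(config):
    """Return (domains, trunks) from IOS-style configuration text.

    domains: {primary_vlan: set of associated secondary VLANs}
    trunks:  {interface: allowed VLAN set, or None when no allowed list is set}
    """
    domains, modes, allowed = {}, {}, {}
    section, name = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"vlan\s+(\d+)$", line)
        if m:
            section, name = "vlan", int(m.group(1))
            continue
        m = re.match(r"int(?:erface)?\s+(\S+)$", line)   # accepts 'int Te1/1' too
        if m:
            section, name = "if", m.group(1)
            continue
        if section == "vlan":
            if line == "private-vlan primary":
                domains.setdefault(name, set())
            m = re.match(r"private-vlan\s+assoc(?:iation)?\s+(.+)$", line)
            if m:
                domains.setdefault(name, set()).update(parse_vlan_list(m.group(1)))
        elif section == "if":
            if line == "switchport mode trunk":
                modes[name] = "trunk"
            m = re.match(r"switchport trunk allowed vlan\s+([\d,\- ]+)$", line)
            if m:
                allowed[name] = parse_vlan_list(m.group(1))
    trunks = {ifname: allowed.get(ifname) for ifname in modes}
    return domains, trunks


def audit_trunks(config):
    """List (interface, primary, missing_vlans) for trunks carrying part of a PVLAN domain."""
    domains, trunks = parse_config(config)
    findings = []
    for ifname, vlans in sorted(trunks.items()):
        if vlans is None:                 # no allowed list: every VLAN is carried
            continue
        for primary, secondaries in sorted(domains.items()):
            domain = {primary} | secondaries
            carried = domain & vlans
            if carried and carried != domain:
                findings.append((ifname, primary, sorted(domain - vlans)))
    return findings


# Configuration as posted in the thread (SVI omitted).
THREAD_CONFIG = """
vlan 600
 name customer-1
 private-vlan community
vlan 601
 name customer-2
 private-vlan community
vlan 60
 name all-customers
 private-vlan primary
 private-vlan assoc 600,601

int Te1/1
 switchport mode trunk
 switchport trunk allowed vlan 600,601
"""

# Constructed variant with the primary VLAN added to the trunk.
FIXED_CONFIG = THREAD_CONFIG.replace("allowed vlan 600,601", "allowed vlan 60,600,601")

if __name__ == "__main__":
    for ifname, primary, missing in audit_trunks(THREAD_CONFIG):
        print(f"{ifname}: PVLAN domain of primary {primary} is missing VLANs {missing}")
```

The check only applies when the downstream switch understands private VLANs; a trunk with no allowed list is treated as carrying every VLAN and is not reported.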


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Pavel Skovajsa
On Tue, Apr 19, 2011 at 4:38 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 19/04/11 15:09, Pavel Skovajsa wrote:

 In order to make use of this design the downstream switches (where you
 connect the customer devices), would need to understand private-vlans in


 Well, they don't understand private vlans.


  order to join the primary (downstream) and secondary (upstream) traffic.
 For that to work you would need to allow also the primary vlan on the
 Te1/1 trunk. You would not really need the private-vlan trunk feature,
 you can transport them on a normal trunk port (and join them on the
 access switch).





 The private-vlan trunk feature is useful in a scenario where one port
 (Te1/x) belongs to one customer and you are handing over multiple
 secondary vlans over that port. This seems like is not your case. BTW I
 believe it is supported on latest CatOS...:)


 Really? Because the IOS docs for Cat4500 imply that it is used when the
 downstream switch does not support private vlans:


 http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/pvlans.html#wp1181903

 Yes, you are right, the isolated private-vlan trunk would help in this case
as well. Try to look into the latest CatOS 8, I vaguely remember seeing this
feature there.

Otherwise it seems like the option you are left with is either do a SVI per
customer or doing the loopback cable trick (described above by shilling) on
the edge devices.

-pavel


Re: [c-nsp] Multiple VRFs over site-to-site VPN? Possible?

2011-02-03 Thread Pavel Skovajsa
I have seen a similar idea,  using MPLS inside DMVPN - see Ivan's blog
http://blog.ioshints.info/2011/02/end-to-end-qos-marking-in-mplsvpn-over.html

But you would need ISR for this, DMVPN (and MPLS) is not possible on ASA.

-pavel

On Wed, Feb 2, 2011 at 12:20 AM, Jeff Kell jeff-k...@utc.edu wrote:

 Ran across a new requirement where we would like to extend our campus
 standard multi-VRF
 routed building out to a remote site over the public Internet.

 Absent the ideal MPLS or multiple-vlan Metro-E, can you do this
 site-to-site over a pair
 of ASAs?

 Ideally it would be something along the lines of:

 VRF A vlan 123--
 VRF B vlan 456--(terminating on --- Site ASA  Campus ASA 
 Campus PE (VRF A/B/C)
 VRF C vlan 789--  3560/3750 CE)

 Perhaps in simpler terms, bringing the 3 VRF vlans across the wire onto
 similar VRF
 vlans on the campus side.

 On-campus we just run a dot1Q trunk with a vlan for each VRF from CE to PE.

 Can you trunk them into the ASA and do separate tunnels over the public IP
 endpoints,
 dropping them on separate vlans on the other end?

 Without meshing the routing / crossing the streams with respect to the
 VRFs?

 Jeff



Re: [c-nsp] Cisco 7401 - Buy/Get a specific IOS ?

2011-01-30 Thread Pavel Skovajsa
Seems like the images you are looking for are not on the Download Area since
the box is EOL and nobody actually cares. They have been EOL'd long time so
you cannot officially buy a service contract for them. Your only official
path is trying to ask your cisco account rep.

This document details the 12.2S release, there are more rebuilts going from
12.2(14) which was the first release up to 12.2(30).
http://www.ciscosystemsverified.biz/en/US/docs/ios/12_2s/release/notes/122Srn.pdf

-pavel


On Sat, Jan 29, 2011 at 6:28 AM, Stephane MAGAND stmagconsult...@gmail.com wrote:

 Hi

 i am search a specific version of IOS for Cisco 7401:
 12.2(14)Sxx

 (xx= 1 to 16)


 sample file name:
 12.2(14)S16 ENTERPRISE  c7400-js-mz.122-14.S16.bin
 12.2(14)S16 SERVICE PROVIDERc7400-p-mz.122-14.S16.bin


 I don't have cisco contract on this equipment, anyone know the procedure
 for buy/get this ios ?

 thanks
 Stephane


Re: [c-nsp] PVLAN Question

2011-01-12 Thread Pavel Skovajsa
Actually there is a feature for this - switchport private-vlan trunk , but
as far as I know it is only working on the C4500-ME sup

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/pvlans.html

I am waiting and waiting for this to be available on ME3400...and still
nothing

-pavel

On Wed, Jan 12, 2011 at 2:32 AM, schilling schilling2...@gmail.com wrote:

 promisc port has to be access port. So you need a loopback cable on
 your access switch with two vlan numbers for your primary vlan. For
 example vlan 140 and vlan 141, then your link to distribution will
 still be vlan 140, 252 trunk, but one end of loopback cable would be
 access vlan 140, the other end of the loopback cable will be access
 vlan 141. You can then set vlan 141 to be your primary vlan, and the
 end with access vlan 141 to be promisc port. So you have to use a
 loopback cable and two ports. Foundry/Brocade is the same way too.

 Schilling

 On Tue, Jan 11, 2011 at 7:57 PM, Sam Evans wintr...@gmail.com wrote:
  All,
 
  I am trying to do a PVLAN implementation on one switch in a distribution
 /
  access switch environment.  Ideally, I'd like to just be able to use the
  'isolated' command but we have a few devices that will need to talk to
 port
  neighbors, so the PVLAN community would work well.
 
  My challenge here is that the uplink port on the access switch is an
 802.1q
  trunk to the distribution.  In reading the documentation and not really
  fully understanding pvlans, if I set the uplink port to a promisc port I
  lose connectivity to the distribution switch.
 
  My config looks something like this (access switch):
 
  vlan 101
   private-vlan isolated
  !
  vlan 102
   private-vlan community
  !
  vlan 140
   private-vlan primary
   private-vlan association 101-102
  !
  vlan 252
   name mgmt-net
 
  interface Vlan252
   ip address 10.0.0.200 255.255.255.0
   no ip route-cache
   no ip mroute-cache
 
  interface GigabitEthernet0/4
   description Uplink to distribution switch
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 140,252
   switchport mode trunk
   no logging event link-status
   no snmp trap link-status
   spanning-tree guard loop
  !
 
  Configuration for distribution switch:
 
  interface GigabitEthernet0/9
   description Trunk port to PVLAN switch
   switchport trunk allowed vlan 140,252
   switchport mode trunk
   spanning-tree guard loop
 
  In the normal environment, vlan 140 works fine and servers can talk back to
  the gateway (just that they can also talk to each other on the access
  switch).
 
  Any suggestions?

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
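
The two layouts discussed in this thread, checked side by side; this is an added example, not code from any poster. `POSTED` is the access-switch configuration from the original question trimmed to its PVLAN lines; `WORKAROUND` is constructed from the loopback-cable description, and its port numbers (Gi0/10 as the vlan 140 end, Gi0/11 as the promiscuous end) are assumptions.

```python
# Access-switch config from the original post, trimmed to the PVLAN-relevant lines.
POSTED = """\
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 140
 private-vlan primary
 private-vlan association 101-102
interface GigabitEthernet0/4
 switchport trunk allowed vlan 140,252
 switchport mode trunk
"""

# Constructed from the loopback-cable description; port numbers are assumptions.
WORKAROUND = """\
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 141
 private-vlan primary
 private-vlan association 101-102
interface GigabitEthernet0/4
 switchport trunk allowed vlan 140,252
 switchport mode trunk
interface GigabitEthernet0/10
 switchport access vlan 140
 switchport mode access
interface GigabitEthernet0/11
 switchport private-vlan mapping 141 101-102
 switchport mode private-vlan promiscuous
"""


def expand(spec):
    """Turn an IOS VLAN list such as '101-102,140' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse(config):
    """Collect the PVLAN-related settings of every vlan and interface stanza."""
    vlans, ports, stanza = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new stanza
            kind, _, name = line.partition(" ")
            if kind == "vlan" and name.isdigit():
                stanza = vlans.setdefault(int(name), {"type": None, "assoc": set()})
            elif kind == "interface":
                stanza = ports.setdefault(
                    name, {"mode": None, "allowed": set(), "mapping": {}})
            else:
                stanza = None
        elif stanza is not None:
            words = line.split()
            if words[:2] == ["private-vlan", "association"] and len(words) == 3:
                stanza["assoc"] = expand(words[2])
            elif words[0] == "private-vlan" and len(words) == 2:
                stanza["type"] = words[1]
            elif words[:2] == ["switchport", "mode"]:
                stanza["mode"] = " ".join(words[2:])
            elif words[:4] == ["switchport", "trunk", "allowed", "vlan"] and len(words) == 5:
                stanza["allowed"] = expand(words[4])
            elif words[:3] == ["switchport", "private-vlan", "mapping"] and len(words) == 5:
                stanza["mapping"][int(words[3])] = expand(words[4])
    return vlans, ports


def audit(config):
    """Return findings for primary VLANs whose host ports have no way out."""
    vlans, ports = parse(config)
    findings = []
    for vid, vlan in sorted(vlans.items()):
        if vlan["type"] != "primary":
            continue
        promisc = [name for name, port in ports.items()
                   if port["mode"] == "private-vlan promiscuous" and vid in port["mapping"]]
        if not promisc:
            findings.append(f"vlan {vid}: primary for {sorted(vlan['assoc'])} "
                            "but no promiscuous port maps it")
        for name, port in ports.items():
            missing = vlan["assoc"] - port["allowed"]
            if port["mode"] == "trunk" and vid in port["allowed"] and missing:
                # Host ports send toward the gateway in their secondary VLAN.
                findings.append(f"{name}: trunk carries primary vlan {vid} "
                                f"without secondary vlans {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for label, config in (("posted", POSTED), ("workaround", WORKAROUND)):
        print(label, audit(config) or "no findings")
```
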


Re: [c-nsp] 10G for 6506-E with Sup32-8Gb or replace with 4900M

2010-12-23 Thread Pavel Skovajsa
It is very interesting that a 2:1 8 port 10G X2 card is $37500 for
C6509 and $7500 for 4900M (+ has the ability to use Twingig). So I
would say if you don't need the extension capacity of C6506-E go for
something smaller like 4900M.
Also if you will only need 2x10G in the future you also might explore
the SP BU -  ME 3800X-24FS seems like exactly what you need right now.

-pavel



On Thu, Dec 23, 2010 at 3:32 PM, Gert Doering g...@greenie.muc.de wrote:
 Hi,

 On Thu, Dec 23, 2010 at 02:05:25PM +, Holemans Wim wrote:
 Now we are thinking about connecting both routers to each other on each 
 campus with a 10G connection. As the Sup32 don't have a 10G yet, we have 
 multiple options to do so.
 We can add a 10G board to the chassis, replace the supervisor with a Sup720 
 or replace the whole router with a 4900M.

 JFTR: you can *not* add a 10G board to the chassis.  The Sup32 has no
 fabric, and the 10G boards are fabric-only (67xx).

 You could do Sup720-10G or Sup32-10G, though.  Or Sup720 + 6704/6708.

 If you only need 2 or 4 10G ports, and can live with the slow CPU and
 limited routing table, Sup32-10G sounds like the best plan forward.

 gert
 --
 USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
 Gert Doering - Munich, Germany                             g...@greenie.muc.de
 fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de



Re: [c-nsp] FTTH access switch

2010-12-03 Thread Pavel Skovajsa
I second this, very elegant solution.

Currently the only issue we have with PVLANs is that they cannot be
handed over as a dot1q trunk on our access layer - something like
switchport mode private-vlan trunk does not exist.

-pavel

On Fri, Dec 3, 2010 at 8:01 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:
 On Thu, 2 Dec 2010, Dan Armstrong wrote:

 ... And while we're on the topic of ftth, are people tunneling from the cpe
 to an lns, or statically allocating a vlan per customer?

 Neither.

 What you do is L2 isolation (and have L3 device to local-proxy-arp) or have
 the L2 switches do L2.5 filtering based on DHCP snooping.

 For instance:

 http://www.cisco.com/en/US/tech/tk389/tk814/tk841/tsd_technology_support_sub-protocol_home.html
 http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

 This also means you don't need a CPE, the customer can hook up their PC
 directly to the media converter (or in the ETTH+CAT6 case, directly to the
 CAT6 cable).

 This has been done for 10 years in some markets. Remember people, every time
 you say LNS or BRAS when you basically just need decent L3 switch (because
 you don't need to tunnel), god kills a kitten.

 --
 Mikael Abrahamsson    email: swm...@swm.pp.se


Re: [c-nsp] FTTH access switch

2010-12-02 Thread Pavel Skovajsa
Hello,

Cisco is pretty expensive on one side, but they somehow know what they
are doing, compared to other cheap switch vendors.
By talking to your cisco account rep you can find that you can get a
nice discount when ordering large quantities of switches, which can
sometimes get you to prices somehow comparable to the cheap switches.
For the SFPs, the cisco branded ones are exactly the same as the ones
that you could get for 1/20th of the price. Try to get ones with
DOM support.

Traditionally the Metro line of switches from cisco ME3400, ME3400-E,
ME3750 and newer ME3600X and ME3800X are meant for the access
deployment.

Hope it helps,
-pavel

On Thu, Dec 2, 2010 at 9:41 PM, Pavel Dimow paveldi...@gmail.com wrote:
 Hello,

 I would like to know what you guys are using as FTTH access switches?
 I guess Juniper and Cisco are a bit pricey considering per port cost,
 so many ISPs are using cheap switches with
 lots of (cheap again) optical sfp.
 Any recommendations for ftth access sw? I think that we can also use
 Juniper or Cisco if I have enough arguments to use those, for a small
 deployment and speeds no more than 100Mbits internet per customer and
 maybe iptv.


 Thank you.


Re: [c-nsp] Cisco ASR 9K Vs 7600

2010-12-01 Thread Pavel Skovajsa
On a lighter note,
Not sure why you want to approach the problem logically and from
technology viewpoint, the people you are going to speak to are not
going to understand your argumentation anyway :)

I suggest you use some slides from this link I found on google
(http://www.slideshare.net/CiscoSP360/virtual-viral-visual-cisco-asr-9000-launch-strategy).

-pavel


2010/12/1 Andris Zariņš andris.zar...@smn.lv:
 Hi folks,

 Would You consider an ASR 9K as a reasonable (money and tech-wise) upgrade to 
 Cat7600? I understand that ASR9K scales way better than c7600, and there 
 should be lots of other reasons why ASR9K would be more appropriate for SP 
 core network... but I just can not gather enough arguments to initiate an 
 upgrade project so far. Box will be used as SP backbone router, MPLS-P 
 functionality, aggregating lots of 10G feeds of data/voice/video (yes, VidMon 
 should help here)

 I'm wondering if I'm the only one who's got into the same situation or maybe 
 its a popular challenge these days? If anybody has faced such choice at some 
 point - it would be great if You could share your pros/cons and if its not a 
 secret - your conclusion as well - is ASR9K worth a shot and if yes/no - why?


 Cheers,
 Andris


[c-nsp] Software Download Enhancements

2010-11-15 Thread Pavel Skovajsa
Hello all,
I have just received notification below.

-pavel


Get Ready for Software Download Enhancements on Cisco Website

To improve your experience with Cisco and protect your investment in
Cisco Products, we’re pleased to announce the improvement of Software
download entitlement controls effective December 13, 2010.

In preparation for this change, we ask partners and customers to
complete the following actions before December 13, 2010.

- Verify all applicable Cisco Products are covered under Cisco Service
  contracts, and that you have a valid license for Cisco Software.
- Verify your Services contracts are accurate and make necessary
  corrections – serial numbers, part ID’s and locations must be accurate
  on each Services contract.
- Associate all Services contracts to applicable Cisco.com user ID’s
- Verify all Cisco.com user IDs for your company are valid and properly
  assigned to individuals in your company.

Starting December 13, 2010, software downloads on Cisco.com will be
verified against Products registered on your Services contract.
Attempts to download Software for Products not registered on your
Services contract will not be permitted.

In an effort to minimize entitlement issues, we encourage partners and
customers to directly manage Services contract associations to
Cisco.com user ID’s via the Service Access Management Tool (SAMT).
This tool enables administrators to manage which individuals are
allowed to request Service from Cisco (e.g. technical support/TAC,
hardware replacement/RMA).

Cisco.com users can use the Cisco.com Profile Manager to view which
Services contracts are associated to their profiles.

For additional information, please contact your Cisco account team or partner.


Re: [c-nsp] Unexplainable packet loss

2010-09-19 Thread Pavel Skovajsa
On Sun, Sep 19, 2010 at 2:36 AM, ML m...@kenweb.org wrote:
  On 9/18/2010 6:28 AM, Heath Jones wrote:

 Hi
 Firstly, when you say packet loss, what are you referring to? Is it just
 the icmp traffic, or are customers reporting faults with non icmp traffic
 or...?
 Is the 'internet gateway' the 7609 pictured on the diagram?
 Its pretty unlikely, but worth checking that there are no duplicate mac
 addresses on the network. A duplicate (of 7609 on mdf side) could cause
 these symptoms.
 You could swap out the RAD with your own device for testing..
 I don't think that standard icmp tests will identify the problem though.
 If what the engineer said is true, then you really need to be pushing some
 traffic down to see it. (load related issue)
 'Another engineer tells me that when our customers traffic is removed from
 the picture the packet loss goes away'
 The first thing though - what is the packet loss?

 The customer is reporting a problem. They have an outside IT service that
 monitors a firewall/VPN solution for them.
 We never went into detail about what kind of packetloss they are seeing
 since the problem appears to be on our side/our upstream.

 Yes the 'internet gateway' is the 7609.  The 7609 is the device with the L3
 interface we use as a default route.
 ICMP packetloss anywhere from 1-5% when a set of 1000 pings are sent from
 MDF to 7609 L3 interface.

What happens when they stop pinging your 7609 and start pinging their
own device (on the other side) of the link? It can easily happen that
somebody else is pinging the 7609 too, resulting in some CPU MLS
rate-limiter (show mls rate-limit, show mls rate-limit usage) kicking
into action, dropping your ICMP reply packets.

-pavel



Re: [c-nsp] ASIC to switch port mapping

2010-09-13 Thread Pavel Skovajsa
Interestingly enough, yesterday James Ventre posted a note where he
found at least some minimal info about the 2960/3560/3750 buffer
amount:
http://networking.ventrefamily.com/2010/09/3560ge-and-3750ge-buffers.html

Also, I have to say I have exactly the same experience as Gert - IPTV
streaming box connected via 1Gbps, generating about 65Mbps, that no
Cisco Enterprise level switch (aka 2960/3560/3750 or even ME3400)
was able to forward to a 100Mbps port without output drops. When we
sniffed it we found that in a given discrete period of 1 second, the
streaming box is absolutely idle for the first 900 ms, and then
quickly pushes 80Megs in the last 100 ms.

My guess is that due to the functionality of the MPEG box, it needs to
gather some uncompressed picture frames first, and only after that it
is able to produce the MPEG output... which makes it hurry too much :)

-pavel

On Mon, Sep 13, 2010 at 12:55 PM, Gert Doering g...@greenie.muc.de wrote:
 Hi,

 On Mon, Sep 13, 2010 at 11:06:48AM +0100, Nick Hilliard wrote:
 On 13/09/2010 10:44, Gert Doering wrote:
 (spreading out the packets), while most other streaming software creates
 somewhat massive wirespeed bursts, and then waits some milliseconds, and
 then generates a new wirespeed burst.

 ew, that is pretty horrible :-(

 Trade-off between server load (send out as many packets as can be
 stuffed into the hardware in one go) and network load (smooth out
 stuff, but have more context switches, interrupts, ... etc. in the
 server).

 Now if I had more time :-) it might be worth investigating the (Linux)
 streaming server software used, whether it can be changed to invest a bit
 more CPU to better smooth out the packets...  OTOH, the kernel might
 just wreck this, and smear it all together again.  (*Now* we really get
 even more off-topic for c-nsp than usual)

 gert
 --
 USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
 Gert Doering - Munich, Germany                             g...@greenie.muc.de
 fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de



Re: [c-nsp] full duplex mismatch speed - dynamips

2010-08-19 Thread Pavel Skovajsa
Hello,

Actually it looks like a dynamips/IOS bug in the emulation of
GT96100-FE - see http://7200emu.hacki.at/viewtopic.php?t=4484 or
alternatively this one
http://7200emu.hacki.at/viewtopic.php?t=121&postdays=0&postorder=asc&start=30

On the other side Gert is correct this is more a cosmetic issue, as
there is no signalling emulation in dynamips, the L1 frames are
simply moved between the router instances through UDP tunnels and fed
directly to the interface driver of the destination driver on L1.

Therefore - having duplex or even speed mismatch is totally irrelevant
on dynamips as these issues only affect signalling...Also (as a
corollary) there is no auto-speed negotiation when connecting 10Mb/s
card to a 100Mb/s card

-pavel



On Wed, Aug 18, 2010 at 11:03 AM, Gert Doering g...@greenie.muc.de wrote:
 Hi,

 On Wed, Aug 18, 2010 at 10:44:37AM +0200, Andreas Sikkema wrote:
 Since Dynamips is an emulator (and from the looks of it, quite an old one)
 it could also be a bug in the emulator itself. Or even a bug in the IOS
 version you're using, or a combination of both.

 The bug in dynamips would be that it works even though there is a
 perceived duplex mismatch (I'd assume that it doesn't even try to
 implement half-duplex mode on FE).

 Just telling both sides to configure the interface to duplex full
 should be enough to silence the IOSes involved.

 gert
 --
 USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
 Gert Doering - Munich, Germany                             g...@greenie.muc.de
 fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de



Re: [c-nsp] H323 and ASA (over my head...)

2010-08-15 Thread Pavel Skovajsa
Another alternative,
as a quick fix you can try to turn off H.323 inspection and see
whether it solved the issue. Welcome to the world of L7

-pavel

On Sat, Aug 14, 2010 at 11:58 PM, Pete Lumbis alum...@gmail.com wrote:
 This could be anything from a non-standard H.323 stack to a bug in ASA code.


 Closed by inspection is when the h.323 inspection engine that is responsible
 for opening the high ports that are negotiated in the h.323 setup as well as
 NATing any addresses inside the h.323 packet closes the connection it is
 monitoring. Normally if an inspection engine closes down any part of a flow
 it will tear down any child flows (that is, flows opened by or opened for
 some setup type message).

 It's hard to tell exactly what caused the tear down, but I'd suggest you run
 the latest version of code for your ASA train (a number of voice/video
 related bugs have been fixed over the years). For more information I believe
 there is a debug h323 command. I'd also suggest doing inside and outside
 captures on a circular buffer to try and see what is the last packet to make
 it through and if there is something fishy about it.

 Finally you can always call TAC they are pretty good about identifying why
 things like this happens, but you will probably need to be able to recreate
 the problem somehow so they can collect data.

 Hope this helps.

 -Pete

 On Sat, Aug 14, 2010 at 3:36 PM, Jeff Kell jeff-k...@utc.edu wrote:

  I have had several intermittent reports over time from one of our
 distance learning customers concerning network issues during some of
 their classes (appears to be just one classroom, with one particular
 peer location, but I'm still looking to point the finger).
 I'm way over my head with H.323 (do well to spell it)... other than
 setting it up with default inspection.

 The classroom is setup on static NAT, and has a permit ip any any
 policy on it with the peer addresses, as do our other codecs.

 The call was done outbound, and the ASA associated setup appears to
 have succeeded:

 Original setup 323:
  Aug 14 08:01:47 ASA %ASA-6-302013: Built outbound TCP connection
  100295465 for outside:remote-site/1720 (remote-site/1720) to
  legacy:inside-codec/ (EX-inside-codec/)

 And associated:
  Aug 14 08:01:51 %ASA-6-302003: Built H245 connection for faddr
  inside-codec laddr remote-site/11014
  Aug 14 08:01:51 %ASA-6-302003: Built H245 connection for faddr
  inside-codec laddr remote-site/11014
  Aug 14 08:01:52 %ASA-6-302004: Pre-allocate H323 UDP backconnection
  for faddr remote-site to laddr inside-codec/2326
  Aug 14 08:01:52 %ASA-6-302004: Pre-allocate H323 UDP backconnection
  for faddr remote-site to laddr inside-codec/2327
  Aug 14 08:01:53 %ASA-6-302004: Pre-allocate H323 UDP backconnection
  for faddr remote-site to laddr inside-codec/2328
  Aug 14 08:01:53 %ASA-6-302004: Pre-allocate H323 UDP backconnection
  for faddr remote-site to laddr inside-codec/2329
  Aug 14 08:01:53 %ASA-6-302004: Pre-allocate H323 UDP backconnection
  for faddr remote-site to laddr inside-codec/2330
  Aug 14 08:01:53 %ASA-6-302004: Pre-allocate H323 UDP backconnection
  for faddr remote-site to laddr inside-codec/2331

  Aug 14 08:01:52 %ASA-6-302013: Built outbound TCP connection 100295645
  for outside:remote-site/11014 (remote-site/11014) to
  legacy:inside-codec/5556 (EX-inside-codec/5556)

 But about an hour into the call, there was this odd sequence of events
 (particularly the closed by inspection bit):

  Aug 14 09:02:36 %ASA-6-302014: Teardown TCP connection 100295645 for
  outside:remote-site/11014 to legacy:inside-codec/5556 duration 1:00:45
  bytes 6223 Flow closed by inspection
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295706 for
  outside:remote-site/2445 to legacy:inside-codec/2331 duration 1:00:40
  bytes 94208
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295703 for
  outside:remote-site/2444 to legacy:inside-codec/2330 duration 1:00:44
  bytes 402
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295695 for
  outside:remote-site/2441 to legacy:inside-codec/2329 duration 1:00:42
  bytes 68
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295693 for
  outside:remote-site/2440 to legacy:inside-codec/2336 duration 1:00:44
  bytes 158138102
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295692 for
  outside:remote-site/2440 to legacy:inside-codec/2328 duration 1:00:44
  bytes 198963714
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295688 for
  outside:remote-site/2439 to legacy:inside-codec/2327 duration 1:00:41
  bytes 112048
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295686 for
  outside:remote-site/2438 to legacy:inside-codec/2334 duration 1:00:44
  bytes 30243540
  Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295685 for
  outside:remote-site/2438 to legacy:inside-codec/2326 duration 1:00:44
  bytes 31335820
  Aug 14 09:02:36 %ASA-6-302015: Built inbound UDP 
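
One way to triage logs like the ones quoted above, as an added example that is not from any poster in this thread: it finds TCP teardowns whose reason is "Flow closed by inspection" and lists the UDP flows between the same two hosts that were torn down with them. The first five sample lines are rejoined from the wrapped excerpt; the last two are constructed for contrast, and the year is an assumption because the syslog timestamps carry none.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# First five lines: rejoined from the wrapped excerpt in the thread.
# Last two lines: constructed, to show flows that must not be reported.
SAMPLE_LOG = """\
Aug 14 08:01:52 %ASA-6-302013: Built outbound TCP connection 100295645 for outside:remote-site/11014 (remote-site/11014) to legacy:inside-codec/5556 (EX-inside-codec/5556)
Aug 14 09:02:36 %ASA-6-302014: Teardown TCP connection 100295645 for outside:remote-site/11014 to legacy:inside-codec/5556 duration 1:00:45 bytes 6223 Flow closed by inspection
Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295706 for outside:remote-site/2445 to legacy:inside-codec/2331 duration 1:00:40 bytes 94208
Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295693 for outside:remote-site/2440 to legacy:inside-codec/2336 duration 1:00:44 bytes 158138102
Aug 14 09:02:36 %ASA-6-302016: Teardown UDP connection 100295692 for outside:remote-site/2440 to legacy:inside-codec/2328 duration 1:00:44 bytes 198963714
Aug 14 09:05:10 %ASA-6-302016: Teardown UDP connection 100299999 for outside:other-host/53 to legacy:inside-dns/40000 duration 0:02:01 bytes 120
Aug 14 09:10:00 %ASA-6-302014: Teardown TCP connection 100300123 for outside:remote-site/1720 to legacy:inside-codec/5560 duration 0:00:05 bytes 900 TCP FINs
"""

# Matches 302014 (TCP) and 302016 (UDP) teardown messages, with or without
# a device hostname between the timestamp and the %ASA tag.
TEARDOWN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?%ASA-6-30201[46]: "
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"[^:\s]+:(?P<outside>[^/\s]+)/\d+ to [^:\s]+:(?P<inside>[^/\s]+)/\d+ "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


@dataclass
class Flow:
    ended: datetime
    proto: str
    conn: str
    hosts: tuple          # (outside host, inside host)
    duration: timedelta
    nbytes: int
    reason: str

    @property
    def started(self):
        return self.ended - self.duration


def parse_teardowns(log_text, year=2010):
    """Return a Flow for every teardown line; other message types are skipped."""
    flows = []
    for line in log_text.splitlines():
        m = TEARDOWN.match(line.strip())
        if not m:
            continue
        hours, minutes, seconds = (int(x) for x in m["dur"].split(":"))
        flows.append(Flow(
            ended=datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            proto=m["proto"],
            conn=m["conn"],
            hosts=(m["outside"], m["inside"]),
            duration=timedelta(hours=hours, minutes=minutes, seconds=seconds),
            nbytes=int(m["bytes"]),
            reason=m["reason"] or "",
        ))
    return flows


def find_inspection_teardowns(log_text, window_s=2, year=2010):
    """Pair each inspection-closed TCP flow with the UDP flows that fell with it."""
    flows = parse_teardowns(log_text, year)
    findings = []
    for ctrl in flows:
        if ctrl.proto != "TCP" or "closed by inspection" not in ctrl.reason.lower():
            continue
        children = [
            f for f in flows
            if f.proto == "UDP"
            and f.hosts == ctrl.hosts                                 # same peer pair
            and abs((f.ended - ctrl.ended).total_seconds()) <= window_s
            and f.started >= ctrl.started                             # opened after the control flow
        ]
        findings.append((ctrl, children))
    return findings


if __name__ == "__main__":
    for ctrl, children in find_inspection_teardowns(SAMPLE_LOG):
        print(f"conn {ctrl.conn} {ctrl.hosts} closed by inspection after {ctrl.duration}")
        for child in sorted(children, key=lambda f: f.nbytes, reverse=True):
            print(f"  UDP conn {child.conn} up {child.duration}, {child.nbytes} bytes")
```
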

Re: [c-nsp] CAT6509 module position in chassis

2010-08-11 Thread Pavel Skovajsa
We ran into one issue when the 10G 6708 module in slot 1 of C6509-E
was shutting down due to high temperature. The Cisco suggestion was to
put it into a free slot somewhere in the middle between the Sup
(module 5) and module 1 as it supposedly has a better air flow. We
replugged it into slot3 which magically solved the issue.

I created these C6509-E rules for myself:
- if possible always make at least one slot free space between modules
for better air flow
- put the higher throughput cards having  60 degrees Celsius (like
6708) more in the middle part
- in case of issues the air flow is left to right so try to find out
whether there is nothing blocking/circulating the air flow

-pavel

 On Wed, Aug 11, 2010 at 4:03 PM, Pavel Dimow paveldi...@gmail.com wrote:
 Hi,

 is there any recommended/best practices for module placement in
 CAT6509 chassis?  For example, FWSM in slot 3, ACE in slot 2 etc etc..


Re: [c-nsp] routing between VRF and global

2010-07-16 Thread Pavel Skovajsa
Hello Jeff,
Yes, sounds strange, but everybody does this.
From my experience it seems like the only purpose to split the network into
VRFs is to subsequently join these VRF due to various business requirements
:)

I learned most of the stuff from the MPLS Architectures Volume 2 book. Their
solution is to inject the routes into MP-BGP and import them in your VRF
config. If you search the archives you may be able to find some examples as
well.

-pavel skovajsa

On Fri, Jul 16, 2010 at 3:17 PM, Jeff Bacon ba...@walleyesoftware.com wrote:

 I have a mesh of 6500s connected via various gig fiber links. The 6500s
 have multiple VRFs defined, but of course most things interesting live
 in the global zone.

 I want a host on a VRF on a 6500 to be able to connect to another
 destination that is reachable through the global zone. Most likely it
 will be on the same 6500, but ideally it would be the same one way or
 the other.

 Basically, how do you leak routes between VRF and global? Between VRF
 and VRF I get. VRFglobal, not so clear; MPLS fundamentals provides a
 couple of examples but it's aimed more at a how to connect VRF to
 internet so you have one static global route entry... ick.

 I can see the possible solution of creating a GRE tunnel within the
 switch itself, with one end in the VRF and the other end in the global
 and using tun vrf to get them to link, but this seems just a shade
 ugly (though it also happens to provide a nice fixed point in space for
 applying ACLs, etc.)

 Or of course there's the hairpin solution. I might be able to live
 with that, probably better than the GRE answer... but that doesn't mean
 I have to like it, does it? :)

 Thanks,
 -bacon



Re: [c-nsp] Speed problem and router seems to sluggish

2010-06-27 Thread Pavel Skovajsa
Hi Rudi,
Just to expand on Gert's answer.

Your guess is correct - it has everything to do with the fact you have a
DFC3B in a 3BXL system. The moment you installed this card and booted up the
box it failed back to common denominator of the size of the TCAM - nonXL
system. If you have a lot of prefixes - you have full TCAMs - rate limiter
towards RP - CPU switched traffic = low throughput.
In order to fix this, probably the easiest way is to upgrade your DFC on the
10G modules with WS-F6700-DFC3BXL.

One thing that is weird is that you did not notice this in the logs, as
usually when this happens the switch logs interesting messages about TCAM
overflow over and over.

There is a lot of info about the XL vs. non-XL in the C6500 architecture
document over here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

-pavel

On Sun, Jun 27, 2010 at 7:52 PM, Gert Doering g...@greenie.muc.de wrote:

 Hi,

 On Mon, Jun 28, 2010 at 12:41:46AM +0700, Rudy Setiawan wrote:
  Would the low TCAM of 239k (due to DFC3B daughter card) have something to do
  with this weird traffic?

 If your router is carrying full Internet routing tables (330k), most
 definitely.

 gert
 --
 USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
 Gert Doering - Munich, Germany                             g...@greenie.muc.de
 fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Speed problem and router seems to sluggish

2010-06-26 Thread Pavel Skovajsa
My initial thought is that the old WS-X6704-10GE card is about 6/7 years
old, has ridiculously low buffers and generally is a pain to work with. On
the other side it should definitively do more than 150Mbps - so it is
probably something else.

One clue what might be wrong is the fact that Catalyst 6500 starts
responding slowly - this is a hardware platform, so the amount of traffic
forwarded (whether it is 150 Mbps, or 200 Gbps) should not make a difference
in the way the MSFC responds. Therefore I would suspect that you have
probably something punted to the CPU which causes high CPU and low bandwidth
due to the CPU busy forwarding traffic in software instead of hardware.

Try doing show proc cpu history, show proc cpu sorted, during the peak
150Mbps load and after.

-pavel

On Fri, Jun 25, 2010 at 11:34 PM, Rudy Setiawan r...@rudal.com wrote:

 Hi all,

 I need some light on this problem that I'm having.

 We implemented 2 new routers with the following devices/modules:

 core2::
 Mod Ports Card Type                              Model              Serial No.
 --- ----- -------------------------------------- ------------------ -----------
   2     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
   3     8 8 port 1000mb ethernet                 WS-X6408-GBIC
   4     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC
   5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B
   7     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC
   8     8 8 port 1000mb ethernet                 WS-X6408-GBIC
   9    48 48 port 10/100 mb RJ45                 WS-X6348-RJ-45

 Mod  Sub-Module                  Model              Serial       Hw     Status
 ---- --------------------------- ------------------ ----------- ------- -------
   2  Distributed Forwarding Card WS-F6700-DFC3B     SAL1222S11H  4.6    Ok
   5  Policy Feature Card 3       WS-F6K-PFC3B       SAL1012GLH0  2.2    Ok
   5  MSFC3 Daughterboard         WS-SUP720          SAL1012GG2H  2.4    Ok


 border2::
 border2#sh mod
 Mod Ports Card Type                              Model              Serial No.
 --- ----- -------------------------------------- ------------------ -----------
   2     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
   3     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC
   4     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC
   5     2 Supervisor Engine 720 (Active)         WS-SUP720-3BXL

 Mod  Sub-Module                  Model              Serial       Hw     Status
 ---- --------------------------- ------------------ ----------- ------- -------
   2  Distributed Forwarding Card WS-F6700-DFC3B     SAL10489CQ0  4.4    Ok
   5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAD111706XS  1.8    Ok
   5  MSFC3 Daughterboard         WS-SUP720          SAD111608DE  2.6    Ok


 Border2 interface Te2/1 is connected to an Internet Provider (Using
 XENPAK-10GB-ER)
 Border2 interface Te2/2 is connected to Core2 interface Te2/1 (Using
 XENPAK-10GB-LX4)

 In Core2, we have a customer who is connected via a Port-Channel (interface
 Gi 3/7 and Gi 3/8) who is usually pulling 1.2Gbps inbound of traffic from
 the Internet.
 This customer is having an issue where it can not pull more than 150Mbps
 inbound. But from our existing network (2Gbps uplinks), he can pull 1.2 Gbps
 of inbound no problem.

 The two networks have the same Internet Provider.

 There are no QOS enabled on both border2 or core2::
 border2#sh mls qos
  QoS is disabled globally
 border2#

 Routing Protocol: BGP on the provider peer.
 Border2 and Core2: OSPF a simple one both have redistribute static and
 connected

 Then we tried to move the port-channel for the customer to border2, the
 router seems to respond very slowly to keyboard input (due to high traffic
 of 150Mbps) but after shutting down the port-channel, the keyboard input
 seems fine (no more sluggish). Network seems good.

 Please let me know what I did wrong. If you need additional info, please let
 me know.

 Thank you

 Regards,
 Rudy


Re: [c-nsp] Transfer speed issues on 3560G

2010-06-25 Thread Pavel Skovajsa
Check whether you are not running into high CPU issues due to IRQ, due to
wrong SDM profile used. See
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00801e7bb9.shtml

-pavel

On Fri, Jun 25, 2010 at 5:52 PM, Brandon Ewing nicot...@warningg.com wrote:

 Thanks to all the replies, on and off list.

 There is no QoS configured on the switch currently.  mls qos isn't in the
 config.  Adding srr-queue bandwidth commands to the ports did not improve
 the situation.

 The servers in question are not on the same vLAN, we're routing between
 SVIs.  I also tested with UDP, and got the same results as before.

 If anyone has any additional ideas as to what to check, it would be
 appreciated.

 --
 Brandon Ewing (nicot...@warningg.com)




Re: [c-nsp] mst over etherchannel + QoS

2010-06-16 Thread Pavel Skovajsa
Hello Ivan,

no currently it is not possible to simulate (proper term is actually
emulate) anything else above PVST+, as the only switch oriented card
in dynamips is NM-16ESW - which only supports PVST+.

Due to the proprietary hardware used in switches, I don't think you
will find any other emulator that does this (not speaking about the
fact that AFAIK there is no other cisco emulator than dynamips).

-pavel


On Wed, Jun 16, 2010 at 2:44 PM, Ivan Šimko ivan.si...@gmail.com wrote:
 Hi all

 I'd like to ask You if it is possible to simulate a network in GNS for etherchannel
 with mst and QoS. If not, please can You recommend any simulator for it?

 Thanks a lot

 Ivan

Re: [c-nsp] mst over etherchannel + QoS

2010-06-16 Thread Pavel Skovajsa
BTW, this morning Jeremy released new version of GNS3 0.7.2:

Here is a list of the changes in this version:
* Lot of small fixes (relative paths, link removal, .net loading,
  Ethernet switch connection to a Cloud etc.)
* Qemuwrapper: random MAC address for devices
* NPE-G2 option for c7200 routers (need a specific and
  uncompressed IOS image and C7200-IO-2FE, C7200-IO-GE-E, PA-2FE-TX and
  PA-GE are unlikely to work)
* Simulated switches: daisy chaining support
* Improved directory selection for new projects
* New translations: Bulgarian, Italian and Ukrainian
* Frame Relay capture option for all serial links
* Dialog to display an Ethernet switch MAC address table

See - http://www.gns3.net/content/gns3-072

-pavel

On Wed, Jun 16, 2010 at 3:35 PM, Pavel Skovajsa
pavel.skova...@gmail.com wrote:
 Hello Ivan,

 no currently it is not possible to simulate (proper term is actually
 emulate) anything else above PVST+, as the only switch oriented card
 in dynamips is NM-16ESW - which only supports PVST+.

 Due to the proprietary hardware used in switches, I don't think you
 will find any other emulator that does this (not speaking about the
 fact that AFAIK there is no other cisco emulator than dynamips).

 -pavel


 On Wed, Jun 16, 2010 at 2:44 PM, Ivan Šimko ivan.si...@gmail.com wrote:
 Hi all

 I'd like to ask You if it is possible to simulate a network in GNS for etherchannel
 with mst and QoS. If not, please can You recommend any simulator for it?

 Thanks a lot

 Ivan

Re: [c-nsp] ME3400 Output Drops

2010-05-14 Thread Pavel Skovajsa
Hello,

All I can say is that this is normal in case of rapid traffic like
video flow. FE ports of ME3400 with default configuration have output
queue limited to 48 packets. It's not enough for burstable traffic,
especially when the uplink of your ME3400 runs at 1Gb/s. If you don't
need any QoS, just attach a service-policy like:

policy-map max-queue
 class class-default
  queue-limit 544

If you need QoS the best way is to change the default queue size for
the classes on which you expect to have the largest bandwidth.

Also not sure what is the effect of using bandwidth CBWFQ in Egress
QoS on ME3400, I only use shape/policy which IMHO is better suited for
switching hardware. There are too many limitations on these boxes, you
can very easily run into one, so designing proper policy-maps is tough
engineering. Make sure you read the ME3400 QoS config guide:
http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_50_se/configuration/guide/swqos.html

There were various discussions about this before - see
http://www.gossamer-threads.com/lists/cisco/nsp/80758 for example.

-pavel

On Fri, May 14, 2010 at 5:43 AM, Rin rint...@gmail.com wrote:
 Hi group,



 We are facing output drops problem on interface f0/2 of ME3400. Our topology
 as below:

 Metro---(G0/1)ME3400(f0/2)---CPE-STB--TV

                                                            |PC



 We try to watch a HD movie on TV and download file on PC at the same time.
 The download rate is at 50Mbps, movie data transfer rate at 10Mbps. Due to
 the output drop, the HD movie quality is not good. The output below shows
 the drop:

 C3400# sho int f0/2
 FastEthernet0/2 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0026.52a8.4a04 (bia 0026.52a8.4a04)
  Description: DUCMINH-modem-test
  MTU 1998 bytes, BW 10 Kbit, DLY 100 usec,
     reliability 255/255, txload 119/255, rxload 75/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is 100BaseLX-FE SFP
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of show interface counters 00:02:25
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5034
  Queueing strategy: fifo
  Output queue: 0/4096 (size/max)
  5 minute input rate 29711000 bits/sec, 3500 packets/sec
  5 minute output rate 46934000 bits/sec, 5307 packets/sec
     881702 packets input, 941885538 bytes, 0 no buffer
     Received 8 broadcasts (8 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 8 multicast, 0 pause input
     0 input packets with dribble condition detected
     1164876 packets output, 1238627577 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out



 I try to apply egress QoS on interface f0/2 that reserve 23% bandwidth for
 HD movie traffic (COS=4), the HD movie quality is good but there is still
 packet drop for download traffic. Check below output:

 C3400#sho policy-map int f0/2
  FastEthernet0/2

  Service-policy output: EGRESS_QOS

    Class-map: COS45 (match-any)
      237435 packets
      Match: cos  4  5
        Bandwidth percent 23 (2300 bps)
      Output Queue:
        Max queue-limit default threshold: 160
        Tail Packets Drop: 0

    Class-map: class-default (match-any)
      972306 packets
      Match: any
        Output Queue:
          Max queue-limit default threshold: 160
          Tail Packets Drop: 5266
        Bandwidth percent 77 (7700 bps)
      Output Queue:
        Max queue-limit default threshold: 160
        Tail Packets Drop: 5266



 I try to change the queue size for default class to maximum value 544. The
 output drops reduce but there's still drop.

 C3400(config)#do sho policy-map int f0/2
  FastEthernet0/2

  Service-policy output: EGRESS_QOS

    Class-map: COS45 (match-any)
      219146 packets
      Match: cos  4  5
        Bandwidth percent 23 (2300 bps)
      Output Queue:
        Max queue-limit default threshold: 160
        Tail Packets Drop: 0

    Class-map: class-default (match-any)
      882062 packets
      Match: any
          Tail Packets Drop: 181
        Bandwidth percent 77 (7700 bps)
      Queue Limit
        queue-limit 544 (packets)
      Output Queue:
        Max queue-limit default threshold: 544
        Tail Packets Drop: 181



 My question is why ME3400 drop packet even the data rate is much less than
 the interface capability (60Mbps/100Mbps). Anyone has other solution for
 this issue?

 Below is the show version output

 C3400#sho ver

 Cisco IOS 
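
The effect discussed in this thread (a shallow egress queue on a 100 Mb/s port fed from a 1 Gb/s uplink tail-dropping bursty traffic at about 60 Mb/s average load), as an added simulation that is not part of the original messages. It assumes a single tail-drop FIFO, 1500-byte packets, and bursts of 200 or 700 packets arriving back-to-back at uplink speed (constructed values); the queue limits 48, 160 and 544 are the ones quoted in the thread.

```python
"""Tail-drop FIFO model: 100 Mb/s egress port fed in bursts from a 1 Gb/s uplink."""
from collections import deque
from dataclasses import dataclass

PKT_BYTES = 1500            # assumption: every packet is a full-size frame
NS = 1_000_000_000          # nanoseconds per second (integer time avoids float drift)


def tx_time_ns(nbytes: int, rate_bps: int) -> int:
    """Serialization time of nbytes at rate_bps, in integer nanoseconds."""
    return nbytes * 8 * NS // rate_bps


@dataclass
class Result:
    queue_limit: int
    offered: int            # packets that arrived at the egress port
    dropped: int            # packets tail-dropped because the queue was full
    peak_depth: int         # deepest occupancy seen (queued + on the wire)
    offered_mbps: float     # long-term average offered load


def simulate(queue_limit, burst_pkts=200, bursts=50, avg_bps=60_000_000,
             ingress_bps=1_000_000_000, egress_bps=100_000_000) -> Result:
    """Feed periodic line-rate bursts into a FIFO limited to queue_limit packets."""
    arrive_gap = tx_time_ns(PKT_BYTES, ingress_bps)        # spacing inside a burst
    service = tx_time_ns(PKT_BYTES, egress_bps)            # egress time per packet
    period = tx_time_ns(PKT_BYTES * burst_pkts, avg_bps)   # keeps the average at avg_bps

    in_system = deque()     # departure times of packets not yet fully transmitted
    last_departure = 0
    dropped = peak = 0

    for b in range(bursts):
        for k in range(burst_pkts):
            now = b * period + k * arrive_gap
            # Packets whose transmission has finished no longer occupy the queue.
            while in_system and in_system[0] <= now:
                in_system.popleft()
            if len(in_system) >= queue_limit:
                dropped += 1                               # tail drop
                continue
            last_departure = max(now, last_departure) + service
            in_system.append(last_departure)
            peak = max(peak, len(in_system))

    offered = bursts * burst_pkts
    mbps = offered * PKT_BYTES * 8 * 1000 / (bursts * period)  # bits per ns -> Mb/s
    return Result(queue_limit, offered, dropped, peak, mbps)


def report(limits=(48, 160, 544), burst_sizes=(200, 700)):
    """Return (burst, limit, dropped, offered, peak) for each combination."""
    rows = []
    for burst in burst_sizes:
        for limit in limits:
            r = simulate(limit, burst_pkts=burst)
            rows.append((burst, limit, r.dropped, r.offered, r.peak_depth))
    return rows


if __name__ == "__main__":
    print("burst  limit  dropped/offered  peak")
    for burst, limit, dropped, offered, peak in report():
        print(f"{burst:5d}  {limit:5d}  {dropped:7d}/{offered:<7d}  {peak:4d}")
```

In this model the port never exceeds 60% average utilisation, yet 200-packet bursts overflow limits of 48 and 160, and 700-packet bursts still overflow 544, which is consistent with the reduced but non-zero drop counter in the second `show policy-map` output.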

Re: [c-nsp] Lead time abating?

2010-05-09 Thread Pavel Skovajsa
Hello Jason,

That is actually quite good. Depending on the model my experience is
100 and more days on C4500 or C6500, and 60 days on other stuff. There
has been discussion about this recently, see:

http://markmail.org/search/?q=Cisco+out+of+stock#query:Cisco%20out%20of%20stock+page:1+mid:ad32mqr34zbazbze+state:results

-pavel

On Fri, May 7, 2010 at 10:33 PM, Jason Gurtz jasongu...@npumail.com wrote:
 We recently placed an order for an ASA 5520.  Vendor reports lead time of
 3 weeks.

 Seems good :)

 ~JasonG




Re: [c-nsp] Purely Academic: Router swap and EIGRP doesn't work

2010-05-07 Thread Pavel Skovajsa
strange things happen all the time. Same IOS version as the one on
3662? Maybe a bug on that version that affects only 3620, which would
be strange as 3620 and 3662 have same vendor of RISC processor, just
different clocking.

Basically, from the programmer's viewpoint reinserting the network
statement causes a logical restart of some EIGRP subroutines on
specific interfaces (those that are matching the network statement),
in other words, the router forgets totally about the presence of EIGRP
on them and then learns them from scratch again.
Generally speaking logic dictates that something must have changed,
that changed the EIGRP behavior on this interface. The problem is
that it does not have to be a config change, it can be any state
change ranging from:
1) The interfaces (or int drivers) were originally not up while the
network statement was parsed
.
.
.
100) Bad position of Jupiter and Venus

-pavel

On Fri, May 7, 2010 at 1:08 AM, Rick Kunkel kun...@w-link.net wrote:
 Ran in to an issue yesterday and today and got it resolved, but I'm
 wondering the why...

 We had a 3662 configured with EIGRP and everything working fine.  We wanted
 to put in a 3620 for a few days to use the 3662 in our lab, so we
 identically configured it (with a few interface references changed), and
 mounted it in the rack.  When ready, we quickly moved the WAN and LAN cables
 to the newer 3620.

 But stuff didn't work.  The router could access anywhere through its
 default route.  Its upstream EIGRP neighbor was listed.  But equipment on
 the LAN side couldn't access the WAN side. I logged into the upstream
 router, and saw the same neighbor relationship.  However, the topology was
 missing.  The upstream wasn't hearing the routes from the 3620.

 We'd spent quite a bit of time getting to this point, but now that I knew
 that, I went into the 3620, removed a network statement and put it back, and
 -- voila! -- that block routed now.  I did the same for the rest, and all
 was fixed.

 My question is, what causes this?  The neighbor relationship was working,
 but the upstream didn't see the routes from the 3620.  Did it have to do
 with changing the cables quickly?  I'd chalk it up to a one-time fluke, but
 we did it over and over yesterday, and it never worked.  Furthermore,
 whenever we switched it BACK to the 3662 that we were trying to pull out, it
 worked instantly

 Purely academic at this point...

 Thanks,

 Rick


Re: [c-nsp] 6500 line card mounted cable management bars (??)

2010-04-20 Thread Pavel Skovajsa
Maybe a picture will help.
There is a Cisco original cabling management for C6509E-V chassis,
that can be ordered as WS-C6509-V-E-CM.

-pavel

On Tue, Apr 20, 2010 at 9:01 PM, Brandon Applegate bran...@burn.net wrote:
 We have some of these in the data center.  They fit the screws on the Cat
 6500 line cards, and they slide on.  So they a) can be installed/removed
 without taking line card out and b) do NOT go in front of the dreaded fan
 card.  They are very simple, and flat, and have a row of slits for velcro /
 tie downs.

 The funny thing, and my question, is that we don't know where we got them
 from :)  Anyone know where these come from ?  I tried several google
 searches and looked around on cisco.com.  The bar does have a Foxconn stamp.

 Thanks in advance for any info.

 --
 Brandon Applegate - CCIE 10273
 PGP Key fingerprint:
 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
 SH1-0151.  This is the serial number, of our orbital gun.



Re: [c-nsp] 6500s SXI and EoMPLS

2010-03-17 Thread Pavel Skovajsa
Correct,

the WS-X67xx are LAN based cards, and are not supposed to be used in
SP environment. There are cards especially targeted for that -
especially ES40/ES20+ with their EVC stuff. Of course they only work
on C7600, and of course they are expensive as hell.

For more info see [1]

-pavel skovajsa

[1] 
http://markmail.org/message/otbacj6qrpmxzndj#query:cisco%20ES40+page:1+mid:gdg6e4vca27whplb+state:results

On Wed, Mar 17, 2010 at 3:00 PM, Michael Robson
michael.rob...@manchester.ac.uk wrote:

 On 10 Mar 2010, at 18:56, Arie Vayner (avayner) wrote:

 Michael,

 For QOS:
 http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mplsqos.html

 For TE (and MPLS in general) check:
 http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/pfc3mpls.html


 These documents mention no reference to TE for EoMPLS: is it safe to assume
 therefore that the 650 doesn't support TE for EoMPLS?

 Am I also correct in saying that, since outgoing policies are not supported on
 6500s for LAN-based cards, there is no real way to give shape or restrict
 EoMPLS pseudowire bandwidths by EXP/TC field?


 Thanks,


 Michael.
 --


Re: [c-nsp] WS-F6K-PFC3CXL= Cisco Catalyst 6500 Series Supervisor Engine 720 PFC-3CXL on Sup720-3B

2010-03-08 Thread Pavel Skovajsa
Yep it is, see 
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.pdf
page 44,

or
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Config_Notes/78_16220.html

-pavel



On Mon, Mar 8, 2010 at 8:12 PM, Tim Durack tdur...@gmail.com wrote:
 Anyone know if:

 WS-F6K-PFC3CXL=, Cisco Catalyst 6500 Series Supervisor Engine 720 PFC-3CXL

 Is a supported upgrade on a regular Sup720-3B?

 --
 Tim:


Re: [c-nsp] Tunnel*** temporarily disabled due to recursive routing

2010-03-03 Thread Pavel Skovajsa
Hello Vijay,

Hope you are doing great!

My name is Pavel and I will be assisting you with your Service Dequest
999666999. I am sending this e-mail as an initial point of contact and
so that you can contact me if you need to.

Problem Description

As I have understood it till now, the issue is that you have issues
with too much logging into your network system.

I would like to tell you that the command you configured is used for
tunneling purposes in your routing tables. Here is the actual meaning
and purpose of the same:

Tunneling tunnels the packets into a tunnel.

Now, for the issue that you are experiencing, there can be
inconsistency between what you are seeing and what is actually
happening in reality - hence the tunnel logging issue.


To help isolate the issue, send me details of the following:

1. Please provide me with the output of “show beep session”.
2. Please provide me with the output of show idb bits
3. Please provide me with the output of show arap console 0
4. Please let me know the purpose for enabling this command.

Action Plan:

 1. *You* will gather various random information and *I* will try to
understand the issue
 2. Research and provide information.
 3. Goto 1 until fixed.

Don't hesitate to contact me anytime for any issue and concern, but
only if non-relevant to this matter. I have read/accepted your service
dequest and would like to retain ownership to avoid any delays in
resolving your issue. If you do not respond within 3 days I will
simply close your case due to your ignorance.

-pavel skovajsa
Senior Junior Troubleshooting Architect/Manager

p.s. alternatively you can ignore everything above and take a look at
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml

On Tue, Mar 2, 2010 at 7:53 AM, vijay gore vijaygor...@gmail.com wrote:
 Dear Tem,

 provide the solution, line protocol frequently up  Down,


 *Mar  1 06:18:16.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet6, changed state to down
 *Mar  1 06:18:16.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet5, changed state to down
 *Mar  1 06:18:16.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet4, changed state to down
 *Mar  1 06:18:16.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet3, changed state to down
 *Mar  1 06:18:16.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet2, changed state to down
 *Mar  1 06:18:24.119: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 Tunnel***, changed state to up
 *Mar  2 05:17:21.210: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet0, changed state to down
 *Mar  2 05:17:23.634: %TUN-5-RECURDOWN: Tunnel*** temporarily disabled due
 to recursive routing
 *Mar  2 05:17:24.634: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 Tunnel***, changed state to down
 *Mar  2 05:17:31.210: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 FastEthernet0, changed state to up
 *Mar  2 05:18:24.634: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 Tunnel***, changed state to upCMD:


Re: [c-nsp] 6500 SVI Question

2010-02-23 Thread Pavel Skovajsa
Hi Paul,

All virtual interfaces have bandwidth that has nothing to do with
real number of bytes per second that can flow through the link. For
example:

- all SVI interfaces have by default bandwidth of: MTU 1500 bytes, BW
100 Kbit, DLY 10 usec, even though the real interfaces behind
are 10/half. One way to explain this is that 10 years ago, in the
time of hybrid Catalysts, the switching part of Catalyst (SP) was
autonomous and consisted of real interfaces, and the routing MSFC part
(RP) consisted of only SVIs.

- all tunnel interfaces have default bandwidth of 8000kb, which is
a tricky way of saying to the routing protocol not to prefer the
route over the tunnel and use it only as last resort

Also, all serial interfaces have default bandwidth of 1024kb, even though
they might be fractional T1's or anything else.

-pavel skovajsa

On Tue, Feb 23, 2010 at 2:30 AM, Paul Stewart p...@paulstewart.org wrote:
 Thanks Tim whew! ;)

 Actually, I was misreading the bandwidth statement itself  - missed a zero
 earlier so thought you could only set it to 1 Gig, now I realized you can
 set it up to 10GE.  Updated it to 2Gig and everything good now..

 Much appreciated,

 Paul


 -Original Message-
 From: Tim Stevenson [mailto:tstev...@cisco.com]
 Sent: February-22-10 8:12 PM
 To: Paul Stewart; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] 6500 SVI Question

 Hi Paul,

 The bandwidth does not affect the throughput etc and doesn't take
 into account the underlying L2 interfaces bandwidth. It is strictly for
 use by the routing protocols to determine metrics (and can be
 modified using the bandwidth interface command). Also you can
 change the reference b/w using ospf auto-cost reference-bandwidth
 under the router ospf process.

 Hope that helps,
 Tim


 At 04:56 PM 2/22/2010, Paul Stewart mumbled:

Hi there...



Typically when we require higher bandwidth, we upgrade the interface to
something larger ... recently though we were faced with having to do 2XGE on
a LAG until our new 10GE ports arrive.  The SVI interface shows a bandwidth
of 1 Gig even though there are two physical GigE interfaces connected to
it will there be any issues doing more than a Gig on this SVI interface?
This is the first time amazingly that I've run across this ;)



The card where the two GigE's come into is a 6148A-GE-TX and the ports are
at opposite ends of the physical card...



Thanks, appreciate it as always...



Paul











 Tim Stevenson, tstev...@cisco.com
 Routing  Switching CCIE #5561
 Technical Marketing Engineer, Cisco Nexus 7000
 Cisco - http://www.cisco.com
 IP Phone: 408-526-6759
 
 The contents of this message may be *Cisco Confidential*
 and are intended for the specified recipients only.




Re: [c-nsp] ISSU on SXF - SXI

2010-02-11 Thread Pavel Skovajsa
Hello Randy,

as far as I am aware the ISSU works only for SXI train onward. See
http://www.cisco.com/web/DK/assets/docs/presentations/12233sxi_0109.pdf

-pavel

On Thu, Feb 11, 2010 at 5:15 PM, Randy McAnally r...@fast-serv.com wrote:
 Anyone successfull with ISSU (SSO mode) with SXF - SXI on a 6500 w/dual
 sup720-3bxl?

 --
 Randy




Re: [c-nsp] QoS for MetroEthernet

2010-01-31 Thread Pavel Skovajsa
Hi Omar,

No you definitely should not take any special considerations for Metro
link - you are the end customer the service is transparent to you - it
moves packets back and forth.

Therefore it is hard to tell what is the actual problem. It is easy to
troubleshoot though - sniff it:
a) sniff the SQL activity with Serial link
b) sniff the SQL activity with Metro link
c) compare and find out what types of packets do not get on the other side.

There could be number of things that can go wrong - like service
provider maximum MTU, certain TOS values being dropped etc. etc.

-pavel

p.s. For sniffing we usually use Wireshark.



On Sun, Jan 31, 2010 at 5:31 PM, omar parihuana
omar.parihu...@gmail.com wrote:
 Hello,

 I'm facing a strange problem I think that is a QoS configuration, I've tried
 some conf without success. The situation is as follows:

 Actually I have a 1Mbps Serial link between two remote branchs and one
 application in particular: a SQL client/server application that works fine.
 (there are other apps but is not relevant now). We've contracted a
 MetroEthernet Link at 1Mbps between the same branchs (in order to replace
 the current serial link) In each site I put a router after migrate the SQL
 app didn't work (it got stuck for a long time). Therefore I decided to raise a
 GRE tunnel between both sites, applied QoS conf, adjust the tcp mss without
 success, all working well (additional apps and voice traffic) but SQL app
 didn't work.  I don't know what's happenning with this app, but if you have
 faced the same problem, or I need take special considerations for
 MetroEthernet Link please your comments will be appreciated.

 I paste my conf:

 !
 !
 policy-map child13
  class VOIP-TRAFFIC
   priority 200
  class DATA-IMPORTANT
   bandwidth percent 60
  class class-default
   fair-queue
 policy-map tunnel13
  class class-default
   shape average 1024000
   service-policy child13
 !
 !
 !
 interface Tunnel13
  bandwidth 1000
  ip address 10.1.13.1 255.255.255.0
  ip tcp adjust-mss 1440
  load-interval 30
  qos pre-classify
  tunnel source 172.21.1.17
  tunnel destination 172.21.1.19
  service-policy output tunnel13
 !
 interface FastEthernet0/0
  description LAN interface
  ip address 172.16.96.6 255.255.252.0
  no ip unreachables
  no ip proxy-arp
  load-interval 30
  speed 100
  full-duplex
 !
 interface FastEthernet0/1
  description MAN interface
  bandwidth 3000
  ip address 172.21.1.17 255.255.255.248
  no ip proxy-arp
  load-interval 30
  speed 100
  full-duplex


 --
 Omar E.P.T
 -
 Certified Networking Professionals make better Connections!


Re: [c-nsp] 10GE WAN options for 7606 for market data / micro-bursting

2010-01-30 Thread Pavel Skovajsa
The WS-X6704-10GE has:
- Xenpacks
- only 16MB buffers per port compared to 200MB on WS-X6708
- is about 5 years old. I remember this was the first 10G card we used
in 6500 back in 2005/6
- traditionally targeted for LAN and DC segment with simple/none QoS
- hence the QoS implementation is simple based on WRR - see
http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698
- needs a DFC card for ingress 8q8t - see
http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698

Therefore a much better alternative is WS-X6708 or even WS-X6716.
However bear in mind that these are also LAN cards therefore might
not suit your QoS needs. For general QoS architecture on C6500 see
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5269.html.

Cisco quickly found out that you cannot do much sophisticated stuff
with cards above and came with ES product line for service provider
segment - which is the ES20 and newer ES+
(http://www.cisco.com/en/US/docs/solutions/Enterprise/Video/tpqoscampus.html#wp1072698).

Hope it helps,
-Pavel


On Fri, Jan 29, 2010 at 11:04 PM, Phil Bedard phil...@gmail.com wrote:
 The ES20 cards have 512MB, the SIP-600 has 256MB, but I think they both say 
 100ms unidirectional buffering...  Is there a chance of congesting the egress 
 interfaces where you would need the larger buffers?  They all support LLQ for 
 priority traffic.

 Phil


 On Jan 29, 2010, at 12:22 PM, Matthew Huff wrote:

 We are planning on moving a large portion of our data center to a colo 
 facility at an financial exchange. We will be using redundant 10-GE 
 connections from our existing pair of 7604 to a new pair of 7606 with 
 Sup720-3B. We won't be doing MPLS/VPN, etc... Just normal L3 routing 
 including PIM sparse mode multicast. Since a significant amount of the 
 traffic will be market data, the line rate will be very bursty including 
 micro-bursts. We will be setting up a series of LLQ queues with Modular QoS 
 CLI and are interested in H-QOS, so I have some questions regarding which 
 10GB interface.

 The choices are:

 1) WS-X6704-10GE. The standard linecard. TX queue of 1p7q8t. 16MB per port 
 buffer
 2) 7600-ES20-10G3C. TX queue ??? (configurable ???), buffer size ???
 3) 7600-SIP-600 with SPA-10X1GE. TX queue ???, buffer size ???

 The SIP and ES20 may be overkill, maybe not. We aren't doing MPLS or VRF, or 
 QinQ or any other tunneling, but we need the most flexible, best 10GB WAN 
 interface that can help us deal with bursting/QOS.

 Any experiences, suggestions, warnings...?

 
 Matthew Huff       | One Manhattanville Rd
 OTA Management LLC | Purchase, NY 10577
 http://www.ox.com  | Phone: 914-460-4039
 aim: matthewbhuff  | Fax:   914-460-4139





Re: [c-nsp] 7600 Rate Limiting Output

2010-01-30 Thread Pavel Skovajsa
Hi,

It looks like you are trying to configure this on the WS-X67xy cards,
which are basically the LAN/DC cards taken from 6500. These cards have
very limited QoS capabilities as they are targeted for LAN/DC
segment, not for service provider. Hence you cannot expect MUCH.

If you need sophisticated QoS you should buy ES20 or ES+
(http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-549419.html).

To give you some hope, many people have fallen into this trap (me
for example, there are much much more things the WS-X67xy cards cannot
do), and it is simply due to not reading the documentation before
buying. There is a nice explanation of the 6500/7600 hardware based
QoS on http://www.networkworld.com/community/node/43764

-pavel







On Thu, Jan 28, 2010 at 11:10 PM, Kevin Warwashana kev...@telnetww.com wrote:
 Anyone have a suggestion/comment?

 Thanks,
 Kevin


 -Original Message-
 From: cisco-nsp-boun...@puck.nether.net
 [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Kevin Warwashana
 Sent: Saturday, January 23, 2010 10:47 PM
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] 7600 Rate Limiting Output

 I was curious what is the best way to limit bandwidth in/out with policy
 maps.  I can apply this inbound on a subinterface:



 policy-map 26MB-INPUT
  class class-default
   police rate 2600 bps
     conform-action transmit
     exceed-action drop

 but the below won't apply in the outbound direction:

 policy-map 26MB-OUTPUT
  class class-default
   police rate 2600 bps
     conform-action transmit
     exceed-action drop

 Gives me:

 int gig4/0/0.8
 service-policy output 26MB-OUTPUT
 Police and strict priority must be configured together for egress QOS.
 Invalid feature combination for the class class-default
 Configuration failed



 Any help would be appreciated!  I miss the rate-limiting command from 7200
 routers :).



 Kevin



Re: [c-nsp] 7600 Rate Limiting Output

2010-01-30 Thread Pavel Skovajsa
well, that kind of makes my earlier post not relevant.

Anyway, noticed that you are trying to police egress. I don't know
about SIP-600 but normally this is not possible - you need to SHAPE.
So change police to shape.

-pavel

On Sat, Jan 30, 2010 at 7:29 PM, Kevin Warwashana kev...@telnetww.com wrote:
 Actually I am using a SIP-600 with a SPA-5X1GE.

 Kevin


 -Original Message-
 From: Pavel Skovajsa [mailto:pavel.skova...@gmail.com]
 Sent: Saturday, January 30, 2010 1:08 PM
 To: Kevin Warwashana
 Cc: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] 7600 Rate Limiting Output

 Hi,

 It looks like you are trying to configure this on the WS-X67xy cards,
 which are basically the LAN/DC cards taken from 6500. These cards have
 very limited QoS capabilities as they are targeted for LAN/DC
 segment, not for service provider. Hence you cannot expect MUCH.

 If you need sophisticated QoS you should buy ES20 or ES+
 (http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-549419.html).

 To give you some hope, many people have fallen into this trap (me
 for example, there are much much more things the WS-X67xy cards cannot
 do), and it is simply due to not reading the documentation before
 buying. There is a nice explanation of the 6500/7600 hardware based
 QoS on http://www.networkworld.com/community/node/43764

 -pavel

Re: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

2010-01-26 Thread Pavel Skovajsa
Hi Sven,

I had not exactly the same but similar issues but with 7606 - see
http://www.mail-archive.com/cisco-nsp@puck.nether.net/msg26651.html. I
learned from TAC that the issue was with the fact that I used it in
combination with VRFs and the traffic got incorrectly punted into 7606
MSFC CPU where there are hardware rate limiters (show mls rate-limit).

Anyway, try upgrading the 6509; I am sure some old SXD code has a number
of bugs around this.

-pavel


On Tue, Jan 26, 2010 at 2:06 PM, Sven 'Darkman' Michels s...@darkman.de wrote:
 Hi Pavel, rest,

 sorry for coming back on the topic. I had now the time to play with the setup
 a bit more and run into a problem: pvlans are not working well.

 The config:
 having a core router 6509 with a port channel on two gigE Ports (Gi3/13 and 15)
 configured as follows:
 interface Port-channel1
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 330-349
  switchport mode trunk
  no ip address
  flowcontrol receive on
  flowcontrol send on
 end

 both ports have the following config:
 interface GigabitEthernet3/13
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 330-349
  switchport mode trunk
  no ip address
  flowcontrol receive on
  flowcontrol send on
  no cdp enable
  channel-group 1 mode on

 The PVLAN is 334,335:
 interface Vlan334
  ip address xx.xx.xx.1 255.255.255.0
  ip verify unicast source reachable-via rx
  no ip redirects
  ip sticky-arp ignore
  no ip proxy-arp
  no ip mroute-cache
  private-vlan mapping 335
 end

 VLan config:
 vlan 334
  name ISOLATOR-FOR-335
  private-vlan primary
  private-vlan association 335
 end

 vlan 335
  name ISOLATED-BY-334
  private-vlan isolated
 end

 VLAN335 has no interface, of course.

 Po1 is connected to a 3560G switch, Ports 49 and 50 configured as Po1 on the
 Switch:

 interface Port-channel1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 330-336
  switchport mode trunk
  ip arp inspection trust
  ip dhcp snooping trust
 end

 interface GigabitEthernet0/49
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 330-336
  switchport mode trunk
  ip arp inspection trust
  udld port
  channel-group 1 mode on
  ip dhcp snooping trust
 end

 (same for 50).

 and the vlan config:
 vlan 334
  name transport-335
  private-vlan primary
  private-vlan association 335
 end

 vlan 335
  name lan
  private-vlan isolated
 end

 And the lan port:
 interface GigabitEthernet0/41
  switchport private-vlan host-association 334 335
  switchport mode private-vlan host
  switchport nonegotiate
  speed auto 10 100
  no cdp enable
  spanning-tree bpduguard enable
  ip dhcp snooping limit rate 10
 end

 its just a small device connected to check if ping works fine so far.

 Now the problem: ping from 6509:

 c6509#ping ip xx.xx.xx.13 repeat 5

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
 ..!.!
 Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms
 c6509#ping ip xx.xx.xx.13 repeat 5

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to xx.xx.xx.13, timeout is 2 seconds:
 !
 Success rate is 20 percent (1/5), round-trip min/avg/max = 1/1/1 ms

 This is far away from being good :(

 The interesting thing: I have vlan336 on the same setup as normal vlan,
 where a small dmz is located. This one works perfectly: no loss, ping
 is okay... So it seems to be a problem related to the pvlan itself, not
 to the setup, right?
 I also shut one port for the channel to see if that helps, but no luck :(

 I've no more ideas, beside removing the Portchannel and try again, which would
 be sad...

 Thanks and regards,
 Sven



Re: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

2010-01-26 Thread Pavel Skovajsa
On Tue, Jan 26, 2010 at 3:15 PM, Sven 'Darkman' Michels s...@darkman.de wrote:
 Hi Pavel,

 Pavel Skovajsa wrote:
 Hi Sven,

 I had not exactly the same but similar issues but with 7606 - see
 http://www.mail-archive.com/cisco-nsp@puck.nether.net/msg26651.html. I
 learned from TAC that the issue was with the fact that I used it in
 combination with VRFs and the traffic got incorrectly punted into 7606
 MSFC CPU where there are hardware rate limiters (show mls rate-limit).

 But since i don't use VRFs, this might be something similar?

 i checked the rate limit, but i'm not familiar with the output... maybe you
 can see something:
 #show mls rate-limit
  Sharing Codes: S - static, D - dynamic
  Codes dynamic sharing: H - owner (head) of the group, g - guest of the group

   Rate Limiter Type       Status     Packets/s   Burst  Sharing
  ---------------------   ----------   ---------   -----   -----------
         MCAST NON RPF   Off                  -       -     -
        MCAST DFLT ADJ   On              10     100  Not sharing
      MCAST DIRECT CON   Off                  -       -     -
        ACL BRIDGED IN   Off                  -       -     -
       ACL BRIDGED OUT   Off                  -       -     -
           IP FEATURES   Off                  -       -     -
          ACL VACL LOG   On                2000       1  Not sharing
           CEF RECEIVE   Off                  -       -     -
             CEF GLEAN   Off                  -       -     -
      MCAST PARTIAL SC   On              10     100  Not sharing
        IP RPF FAILURE   On                 100      10  Group:0 S
           TTL FAILURE   Off                  -       -     -
  ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
  ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
         ICMP REDIRECT   Off                  -       -     -
           MTU FAILURE   Off                  -       -     -
       MCAST IP OPTION   Off                  -       -     -
       UCAST IP OPTION   Off                  -       -     -
           LAYER_2 PDU   Off                  -       -     -
            LAYER_2 PT   Off                  -       -     -
       LAYER_2 PORTSEC   Off                  -       -     -
             IP ERRORS   On                 100      10  Group:0 S
           CAPTURE PKT   Off                  -       -     -
            MCAST IGMP   Off                  -       -     -
  MCAST IPv6 DIRECT CON   Off                  -       -     -
  MCAST IPv6 ROUTE CNTL   Off                  -       -     -
  MCAST IPv6 *G M BRIDG   Off                  -       -     -
  MCAST IPv6 SG BRIDGE   Off                  -       -     -
  MCAST IPv6 DFLT DROP   Off                  -       -     -
  MCAST IPv6 SECOND. DR   Off                  -       -     -
  MCAST IPv6 *G BRIDGE   Off                  -       -     -
        MCAST IPv6 MLD   Off                  -       -     -
  IP ADMIS. ON L2 PORT   Off                  -       -     -


Actually the correct command is 'show mls rate-limit usage'.
The easiest way to find out whether this is something connected to CPU
punt is to configure 'no mls rate-limit unicast ip icmp unreachable
no-route', however this may have some impact on a production device, if
you have any situation where traffic matches the no-route situation in
hardware, gets punted to the CPU and overwhelms it.

As another idea you can try to localize the issue to the 6509 only
simply by taking a free port on 6509 and testing PVLAN end-user port
on that one.



 Anyway, try upgrading the 6509 I am sure some old SXD code has number
 of bugs around this.

 By upgrading you mean a newer software release, i hope? ;)

Exactly
also forgot to mention that for PVLANs to work you need to use
golden RJ45 connectors :) ... joking

-pavel


 Thanks again!

 Regards,
 Sven
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
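
The `show mls rate-limit` table quoted in this thread can be read mechanically. The following is an added example, not part of the original messages: it parses rows copied from that output and reports which limiters are enabled, which punt reasons have no hardware limiter, and which rows sit in the same sharing group as the ICMP no-route limiter discussed above. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Rows taken from the `show mls rate-limit` output quoted in the thread above
# (a subset of the table, values as printed there).
SAMPLE_OUTPUT = """\
   Rate Limiter Type       Status     Packets/s   Burst  Sharing
         MCAST NON RPF   Off                  -       -     -
        MCAST DFLT ADJ   On              10     100  Not sharing
          ACL VACL LOG   On                2000       1  Not sharing
           CEF RECEIVE   Off                  -       -     -
             CEF GLEAN   Off                  -       -     -
        IP RPF FAILURE   On                 100      10  Group:0 S
 ICMP UNREAC. NO-ROUTE   On                 100      10  Group:0 S
 ICMP UNREAC. ACL-DROP   On                 100      10  Group:0 S
         ICMP REDIRECT   Off                  -       -     -
           TTL FAILURE   Off                  -       -     -
             IP ERRORS   On                 100      10  Group:0 S
"""

# name (may contain spaces), On/Off, packets/s, burst, sharing column
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s+(?P<status>On|Off)\s+(?P<pps>\d+|-)\s+"
    r"(?P<burst>\d+|-)\s+(?P<sharing>\S.*?)\s*$"
)


def parse_rate_limiters(text):
    """Return one dict per limiter row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        group = re.match(r"Group:(\d+)", m["sharing"])
        rows.append({
            "name": m["name"],
            "enabled": m["status"] == "On",
            "pps": int(m["pps"]) if m["pps"] != "-" else None,
            "burst": int(m["burst"]) if m["burst"] != "-" else None,
            "group": int(group.group(1)) if group else None,
        })
    return rows


def summarize(rows):
    """Split limiters into enabled / disabled and collect sharing groups."""
    groups = defaultdict(list)
    for r in rows:
        if r["group"] is not None:
            groups[r["group"]].append(r["name"])
    return {
        "enabled": {r["name"]: r["pps"] for r in rows if r["enabled"]},
        "disabled": [r["name"] for r in rows if not r["enabled"]],
        "shared": dict(groups),
    }


def shares_group_with(rows, name):
    """Other limiters in the same sharing group as `name` (empty if none)."""
    target = next((r for r in rows if r["name"] == name), None)
    if target is None or target["group"] is None:
        return []
    return [r["name"] for r in rows
            if r["group"] == target["group"] and r["name"] != name]


if __name__ == "__main__":
    rows = parse_rate_limiters(SAMPLE_OUTPUT)
    info = summarize(rows)
    print("enabled (packets/s):", info["enabled"])
    print("no hardware limiter configured:", info["disabled"])
    print("same group as ICMP UNREAC. NO-ROUTE:",
          shares_group_with(rows, "ICMP UNREAC. NO-ROUTE"))
```

Rows in one sharing group are worth reviewing together before disabling any single limiter on a production device.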


Re: [c-nsp] OSPF Campus Design : Excessive SPF Runs

2010-01-15 Thread Pavel Skovajsa
Hi Jason,

see below

-pavel skovajsa

On Fri, Jan 15, 2010 at 4:57 AM, Jason LeBlanc jasonlebl...@gmail.com wrote:
 Hello,

 We currently have Layer 3 Routed Access configured at all of our Metro Campus 
 locations.  There are a few obvious deviations from the best practice design 
 guides.   The current setup is:

 Core (backbone) -- Datacenter Distribution (ABR) -- | (fiber connect) | --
 Building Distribution (ASBR) -- Access (OSPF enabled access switch)
 The Cisco best practice is:

 Core --        Distribution --        Access
 (backbone)      (ABR)                   (OSPF enabled access switch)


The best practices are exactly what it says - best practices - in real
practice everybody finds hard to actually achieve that, due to
geopolitical/other reasons. In other words the following implication
is NOT true:  not following best practices - bad design - network
melts

 We are running NSSA with no-summary and the range command on the Datacenter 
 Distribution routers.  Each floor has 2 access switches (w/ OSPF running) 
 which each have a link back to the Building Distribution router.  Vlans on 
 each box on each floor are mutually exclusive.

 Symptoms:
 Lots of SPF re-calculations, NTP failing from Datacenter Distro - Building 
 Distro, and users reporting loss of their shared drives.

 router-a#sh ip ospf stat
  Area 0.0.0.0: SPF algorithm executed 7865 times
  Area 192.8.208.0: SPF algorithm executed 386 times
  Area 192.70.0.0: SPF algorithm executed 563 times
  Area 192.100.0.0: SPF algorithm executed 93076 times

Well, that last area 192.100.0.0 seems to be the culprit - what about
troubleshooting it for a while, instead of redesigning whole network?
Use commands like the above 'show ip ospf stat' and look for Seq# and LSA
Age to find the flapping LSA. Also stuff like 'debug ip ospf monitor'
and 'show ip ospf database database-sum' will help you.




 Questions:
 Should we be advertising (passively or non-passively) L3 Vlans into OSPF?

Passively. Why would somebody do that in non-passive way and have
myriads of neighbors per each vlan?

 Should we be doing Totally NSSA's instead of NSSA's?

Totally stubby (or totally not-so-stubby if you need ASBR) should be
default design, only configure no-summary if you have specific reason.
Also I don't understand the need for ASBR in your NSSA - but you
probably have a reason for that.

 If not is there a way to get the DR in NSSA to advertise a single route
 back as default route?
 Should we be sending each campus distribution router directly to the Core so 
 that its the 3 hops?

As written above, if you have the funding to do this it will certainly
make your network design nicer, but I don't see how doing this would
actually massively decrement your SPF runs.

 Do you suggest tuning the OSPF dead interval to achieve subsecond convergence?

Scale and speed are contradictory goals. Fast reaction to changes in
network topology, tends to end up in a network that never converges
and is unstable.



 Any help advise is greatly appreciated!

 Regards,

 //LeBlanc


Re: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

2010-01-14 Thread Pavel Skovajsa
Hi,

Glad it helped.

by suboptimal I meant the fact it is possible (simply by sending to
..) to flood the traffic from one isolated access switch
port through distribution layer, into the rest of the switching fabric
infra simply due to the fact that all uplink/downlink ports are
switchport mode trunks. Obviously the traffic does not get into the
end-user ports, but still the trunk are utilized - hence the
functionality is little different than the expected pseudowire
functionality.

One would expect to have some kind of feature configured on the
distribution layer that would not forward the traffic to the rest of
the switching fabric, just to the uplink port into the core layer -
this is probably what the private-vlan trunk is trying to do.

-pavel skovajsa

On Wed, Jan 13, 2010 at 8:41 PM, Sven 'Darkman' Michels s...@darkman.de wrote:
 Hello Pavel,

 first of all, thanks for your fast response!

 Pavel Skovajsa wrote:
 If I understood you correctly you can get around these limitations by
 using the PVLAN feature on the end-user ports only and not on the
 internal switch-to-switch links. On those links you can use normal
 trunk ports and spread the PVLAN to your 6509 and terminate it on L3
 VLAN int.

 Ah, okay, i thought i need the private-vlan trunk mode, and when i enabled
 it, it just crashed my port channel (as in removed the port from it, which
 was not what i wanted..).


 On your distribution (6509) you configure:

 interface Vlan10
  ! this is important as PVLAN VLAN interface gets sticky arp by default
  ! (for some unknown reason)
  ip sticky-arp ignore
  no ip proxy-arp
  private-vlan mapping 100

 and normal trunk port towards the switch fabric:
 interface GigabitEthernet6/1
  switchport mode trunk

 Ah okay, then i'll try that one, i just limited the vlans a bit, of course ;)


 Yes this is probably suboptimal to what you would like to accomplish
 however the end effect is that the end-user ports cannot communicate
 with each other - which is probably what you want.

 Why is that suboptimal? From what you described and what i understood, it
 works like i want: having a etherchannel to my core and protected ports on
 my edge. If the SVI is reachable from my edge, and other hosts are not, then
 i have what i want. But maybe i missed something...?


 Another alternative is the private-vlan trunk feature which is
 described over here
 http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
 - the trouble is that AFAIK currently it works only on C4500.

 That was what i thought i need, its available on the 3560 but it killed the
 etherchannel... and pvlan documentation says you cannot enable pvlans on
 an etherchannel, which is right as if you enable any of the pvlan commands
 on a etherchannel port, it gets removed from the etherchannel... but it seems
 that normal trunks just work for that - great ;)

 So, from what i know now, it should work like i want... just need to test if
 it works with more than one switches etc. but at the moment it think it will
 do so far.

 Thanks again for your help :)

 Regards,
 Sven


Re: [c-nsp] PVLAN and trunks (for redundancy and more bandwidth), any idea?

2010-01-13 Thread Pavel Skovajsa
Hello Sven,

If I understood you correctly you can get around these limitations by
using the PVLAN feature on the end-user ports only and not on the
internal switch-to-switch links. On those links you can use normal
trunk ports and spread the PVLAN to your 6509 and terminate it on L3
VLAN int.

Access layer example for end-user port somewhere in the deeps of the
switched fabric:
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100

Access layer trunk port:
interface GigabitEthernet0/1
 switchport mode trunk

On your distribution (6509) you configure:

interface Vlan10
 ! this is important as PVLAN VLAN interface gets sticky arp by default
 ! (for some unknown reason)
 ip sticky-arp ignore
 no ip proxy-arp
 private-vlan mapping 100

and normal trunk port towards the switch fabric:
interface GigabitEthernet6/1
 switchport mode trunk

Yes this is probably suboptimal to what you would like to accomplish
however the end effect is that the end-user ports cannot communicate
with each other - which is probably what you want.

Another alternative is the private-vlan trunk feature which is
described over here
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html#wp1166138
- the trouble is that AFAIK currently it works only on C4500.

-pavel skovajsa

On Wed, Jan 13, 2010 at 7:03 AM, Sven 'Darkman' Michels s...@darkman.de wrote:
 Hi there,

 i'd like to use the pvlan feature from Cisco for two networks. I already read
 a lot of documentation on the pvlan feature on Cisco's page and many other blog
 posts etc. and already know, that it seems not to be possible to use the pvlan
 feature with etherchannel/port groups on any device. Apart from no information
 *why* this is not possible, i have no idea, how to complete the following setup:

 I'd like to have my PVLAN connected to my core network in a kind of redundancy
 and more bandwidth. The PVLAN has GBIT enabled devices, the uplink to the core
 should be more than one GBIT (to ensure that no single device is able to fill
 the uplink, but also able to use max of available bandwidth). Sadly, a TGigE
 Uplink is not yet possible. As switches we have 3560G and the core is currently
 a 6509. At least the redundancy is important, so i could try it with
 backup-interface on the 6509, but this would limit the pvlan to 1GigE, which is
 not exactly what i want.
 Another problem is, that i currently plan to deploy two isolated pvlans on the
 3560 switches, which should be no problem if i use two different primary vlans
 (a primary may only carry one isolated pvlan at a time), but it seems to be not
 possible to use one uplink/trunk port for two different isolated pvlan setups?
 If that's true, i would need at least four ports (two for each isolated pvlan)
 just to get the redundancy and would not have any uplink 1GigE...

 Did i miss anything? is there a way to get the redundancy and the bandwidth?
 may i use two isolated pvlans on the same uplink? Is there some way to use
 something like etherchannel with pvlans? Or is there a way to change the setup
 in a way i would get pvlan + more bandwidth + redundancy without all of these
 problems or limitations? ;)

 Thanks and regards,
 Sven

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
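
The design described in this thread (PVLAN host mode on end-user ports, ordinary trunks between switches, and an SVI on the primary VLAN with a `private-vlan mapping`) can be checked offline against a saved configuration. The audit below is an added example, not code from the original messages: the sample config is constructed, the function names are hypothetical, and two rules are assumptions drawn from the thread's own configs, namely that a trunk in the path allows both VLANs of a pair and that the SVI carries `no ip proxy-arp`.

```python
import re

# Constructed sample, modelled on the VLAN 10 / VLAN 100 example in the thread.
# Fa0/2, Gi0/1 and Vlan10 carry deliberate mistakes for the audit to find.
SAMPLE_CONFIG = """\
vlan 10
 private-vlan primary
 private-vlan association 100
vlan 100
 private-vlan isolated
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
interface FastEthernet0/2
 switchport private-vlan host-association 10 100
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 1-20
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,90-110
interface Vlan10
 private-vlan mapping 100
"""


def parse_stanzas(text):
    """Split an IOS-style config into {header line: [indented sub-commands]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line and line not in ("!", "end"):
            if raw[0] != " ":
                current = stanzas.setdefault(line, [])
            elif current is not None:
                current.append(line)
    return stanzas


def expand_vlans(spec):
    """Expand a VLAN list such as '10,90-110' into a set of integers."""
    vlans = set()
    for part in filter(None, (spec or "").split(",")):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def first_arg(cmds, pattern):
    """Group 1 of the first sub-command that fully matches `pattern`, else None."""
    matches = (re.fullmatch(pattern, cmd) for cmd in cmds)
    return next((m.group(1) for m in matches if m), None)


def audit_pvlan(text):
    """Return a list of PVLAN consistency findings for the config in `text`."""
    stanzas = parse_stanzas(text)
    ports = {h.split(None, 1)[1]: c for h, c in stanzas.items()
             if h.startswith("interface ")}
    vlan_type, assoc = {}, {}
    for header, cmds in stanzas.items():
        m = re.fullmatch(r"vlan (\d+)", header)
        if m:
            vid = int(m.group(1))
            vlan_type[vid] = first_arg(cmds, r"private-vlan (primary|isolated|community)")
            assoc[vid] = expand_vlans(first_arg(cmds, r"private-vlan association ([\d,-]+)"))
    findings, pairs = [], set()
    # Pass 1: host ports, and the primary/secondary pair each one references.
    for name, cmds in ports.items():
        m = re.search(r"^switchport private-vlan host-association (\d+) (\d+)$",
                      "\n".join(cmds), re.M)
        if not m:
            continue
        pri, sec = int(m.group(1)), int(m.group(2))
        pairs.add((pri, sec))
        if "switchport mode private-vlan host" not in cmds:
            findings.append(f"{name}: host-association set but port is not in host mode")
        if (vlan_type.get(pri) != "primary" or sec not in assoc.get(pri, set())
                or vlan_type.get(sec) not in ("isolated", "community")):
            findings.append(f"{name}: VLANs {pri}/{sec} are not a defined PVLAN pair")
    # Pass 2: a trunk must carry both VLANs of a pair; the SVI must map the secondary.
    for name, cmds in ports.items():
        allowed = first_arg(cmds, r"switchport trunk allowed vlan ([\d,-]+)")
        if "switchport mode trunk" in cmds and allowed:
            for pri, sec in sorted(pairs):
                missing = {pri, sec} - expand_vlans(allowed)
                if len(missing) == 1:
                    findings.append(f"{name}: trunk does not allow VLAN {missing.pop()}")
        svi = re.fullmatch(r"Vlan(\d+)", name)
        secondaries = {s for p, s in pairs if svi and p == int(svi.group(1))}
        if secondaries:
            mapped = expand_vlans(first_arg(cmds, r"private-vlan mapping ([\d,-]+)"))
            for sec in sorted(secondaries - mapped):
                findings.append(f"{name}: no 'private-vlan mapping' for VLAN {sec}")
            if "no ip proxy-arp" not in cmds:
                findings.append(f"{name}: proxy ARP is not disabled on the PVLAN SVI")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_pvlan(SAMPLE_CONFIG)))
```

A trunk that allows neither VLAN of a pair is treated as outside the PVLAN domain and is not reported.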


Re: [c-nsp] Unicast flooding?

2010-01-13 Thread Pavel Skovajsa
Hello Frank,

Does not sound really healthy - if you have gathered good evidence
this is a good candidate for TAC. Anyway - you should probably upgrade
to something other than SRB4 as TAC will tell you probably the same
thing

-pavel skovajsa

On Wed, Jan 13, 2010 at 7:02 AM, Frank Bulk frnk...@iname.com wrote:
 We've been seeing some strange behavior on our 7609-S running 12.2(33r)SRB4.
 We have a VLAN (with four /24s) configured on three ports across two
 10/100/1000 blades facing some FTTH transport equipment.

 Customers hanging off the FTTH equipment on the third port are complaining
 that several times per day they lose internet access.  We've been able to
 correlate their complaints with failed ping attempts from our workstations
 and the 7609-S to their public IPs.  What's interesting is that it's not all
 the traffic, and of the 4 IPs we are tracking, two of which are on separate
 /24s, the outages happen within the same /24.  At the same time, while using
 Wireshark, I can see one of the Cisco interfaces sending out 1 to 2 Mbps of
 traffic that should be going to one of the other two Ethernet interfaces.
 This is happening about a dozen times per day for 4 to 6 minutes at a time.


 While the event is occurring I have verified the ARP and CAM entry.  The CAM
 entry is associated with one of the first two Ethernet interfaces, not the
 third.  I can clear the ARP and CAM entry from the CLI and they are
 re-learned with the same information, yet the traffic continues to egress
 the wrong Ethernet port.

 I've set the ARP timeout to 4 minutes so that it's less than the CAM table's
 default configuration of 5 minutes, but there was no improvement.  One more
 observation -- the errant port is the root of the bridge.

 Any ideas why the 7609 would be sending traffic out an Ethernet port to a
 device that the CAM table says is on a different Ethernet port?

 Frank


 interface Vlan10
  description FTTH network
  ip dhcp relay information trusted
  ip dhcp relay information option-insert none
  ip dhcp relay information policy-action keep
  ip address 67.22.a.1 255.255.255.0 secondary
  ip address 67.22.b.1 255.255.255.0 secondary
  ip address 67.22.c.1 255.255.255.0 secondary
  ip address 67.22.d.1 255.255.255.0
  ip helper-address e.f.g.h
  no ip redirects
  arp timeout 300
 end

 interface GigabitEthernet1/29 (and 3/39 and 3/45)
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10
  switchport mode trunk
  switchport nonegotiate
  load-interval 30
  spanning-tree portfast trunk
 end



Re: [c-nsp] Data Center switch replacement

2009-12-18 Thread Pavel Skovajsa
I second that,
as a rule of thumb in all migrations in production environments it is always
much better to go with the step-by-step approach (if possible), and don't do
the tempting big bang implementation.

Yes it is true this will be more costly - more cabling, more rack space,
more management around it, more man hour work... more spreadsheets - but it is
quite easy to build a business case around it, as some servers just NEED to
be up and you cannot risk too much.

Also in case you have tight change process it provides an easy way to
explain to management that the backout procedure is straightforward - replug
the server NIC to the previous port.

While doing migrations of servers it is always better to have a
server/application personnel checking each server as some
applications/OS/drivers might not like the replugging (especially when in
the middle of something) and might decide to crash/kill/destroy... for
example we had experience with teaming NIC drivers that decided to shut the
whole Team as soon as something happened to one of the NICs - and found
this out only during the replugging.
Also - nobody is perfect, especially in the inter-tower field where the
server people think that the network guys are responsible for their NIC
settings, so we usually find misconfigured NICs - no teaming setup,
incorrect teaming modes etc. etc. - so going with step-by-step is always
better.

Hope it helps,
-pavel skovajsa

On Fri, Dec 18, 2009 at 3:42 AM, Randy McAnally r...@fast-serv.com wrote:


  How about you individually move each connection over to the secondary
  switch one at a time.  This should only be a 30 second downtime
  window per port, I'd think?  Once you've migrated everybody off of
  the primary switch, pull it, upgrade it and then move everybody back
  one-by-one?  This would minimize everybody's downtime and I think
  would go over better with your clients.  Plus, you can drag out the
  upgrade over time rather than an all or none scenario.

 Agreed.  What if something goes wrong or takes longer than expected --
 wouldn't you like to know by the time you've moved the first cable and not
 after the original switch is completely offline and de-racked?


Re: [c-nsp] 6509 OIR logging for transceivers

2009-12-15 Thread Pavel Skovajsa
Hi Brian,

I have never seen any event (OIR or any other kind) generated when
plugging/unplugging the SFPs on any Cisco switches. The way I check this is
with usual 'show int status' or simply 'show int x/y' after making the
physical change.

Of course if the interface is up, then you will get normal
LINEPROTO-5-UPDOWN and LINK-3-UPDOWN message provided you have the 'logging
event link-status' command under interface config. This is specific to 6500
though, all other switch models log LINK UP/DOWN by default.

-pavel skovajsa

On Tue, Dec 15, 2009 at 3:00 AM, Brian Spade bitkr...@gmail.com wrote:

 Hi,

 I am doing some testing and can't seem to get the Catalyst 6509 to log an
 insertion or removal of a SFP.  Is this supported?  I have 'logging buffered
 2' configured but don't get a log when I insert/remove an SFP on a
 SUP-720-3B.

 Thanks,
 /bs


Re: [c-nsp] 7200 for BGP

2009-12-15 Thread Pavel Skovajsa
hi R.

The G2 will certainly handle it, but I would look into the reason for having
75%, that sounds really bad.

For the G1 and NPE400, I'd say you definitely need more memory - 512 MB or
1G to be fine.

This is what Cisco says:
The amount of memory required to store BGP routes depends on many factors,
such as the router, the number of alternate paths available, route
dampening, community, the number of maximum paths configured, BGP
attributes, and VPN configurations. Without knowledge of these parameters it
is difficult to calculate the amount of memory required to store a certain
number of BGP routes. Cisco typically recommends a minimum of 512 MB of RAM
in the router to store a complete global BGP routing table from one BGP
peer. However, it is important to understand ways to reduce memory
consumption and achieve optimal routing without the need to receive the
complete Internet routing table.

See this document for the details about the memory consumption -
http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a0080094a83.shtml

The rule of thumb is 1k of prefixes = 1M of RAM, but this is too generic and
little conservative.




On Tue, Dec 15, 2009 at 1:19 PM, RAZAFINDRATSIFA Rivo Tahina 
r.tah...@moov.mg wrote:

 Hi all,

 I use the 3 7200 to connect to upstreams

 Cisco 7206VXR (NPE-G1) processor (revision B) with 229376K/32768K bytes of
 memory.

 Max CPU usage:28%

 Cisco 7204VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of
 memory.
 Max CPU usage: 75%

 Cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K bytes of
 memory.
 Max CPU usage: 45%

 BGP is used with upstreams but I don't receive full BGP table.

 Do these boxes have enough resources to handle the full BGP table?

 Regards.


Re: [c-nsp] Cisco 4948-10GE

2009-12-07 Thread Pavel Skovajsa
Hi Renelson,

Do a show log after shutting/unshutting the ports; it will most probably tell
you the reason. The usual reasons are UDLD, Loopguard, BPDUguard, Etherchannel
misconfig etc. etc.

When the port is already disabled you can see the reason why it got into
that state using the command 'show errdisable recovery'.


-pavel

On Mon, Dec 7, 2009 at 4:30 PM, Renelson Panosky panocisc...@gmail.com wrote:

 I am trying to configure these trunk ports between two Cisco 4948-10GE; the
 ports would not come up. Here is an example of the error I got on one of the
 ports.


 Take a look at port gi1/11 on each switch and tell me what you think this error
 means:



 On switch 1 it said not connect but on switch 2 it said (err-disabled)



 Switch_1#sho int gi1/11
 GigabitEthernet1/11 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet Port, address is 0027.0df3.0c8a (bia 0027.0df3.0c8a)
  MTU 9198 bytes, BW 100 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 4d00h, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1 packets input, 64 bytes, 0 no buffer
 Received 1 broadcasts (1 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 1 packets output, 64 bytes, 0 underruns
 0 output errors, 0 collisions, 2 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out





 Switch_2#sho int gi1/11
 GigabitEthernet1/11 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet Port, address is 0027.0db3.67ca (bia 0027.0db3.67ca)
  MTU 9198 bytes, BW 100 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 4d00h, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no buffer
 Received 0 broadcasts (0 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 0 packets output, 0 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out



 I tried shut and no shut on the interface





 Please help


Re: [c-nsp] [j-nsp] Network Liberation Movement???

2009-11-27 Thread Pavel Skovajsa
In my opinion HP bought 3com in order to get its market share in China and
Asia, I doubt they will dump their product lines of the Provision ASIC
switches.


The acquisition of 3Com will dramatically expand HP’s Ethernet switching
offerings, add routing solutions and significantly strengthen the company’s
position in China – one of the world’s fastest-growing markets – via the H3C
offerings. In addition, the combination will add a large and talented
research and development team in China that will drive the acceleration of
innovations to HP’s networking solutions.



-pavel skovajsa

On Wed, Nov 25, 2009 at 10:07 PM, ch...@lavin-llc.com wrote:

 Snippet:

 The university I worked at as a student did a
  whole campus replacement of Cisco for ProCurve.
 
  ~Seth

 I'm involved in an 'alternative switch vendor' discussion and lab testing.
 ProCurve and Juniper switches are in our lab and undergoing some poking
 and prodding.

 I am not at all familiar with HP ProCurve. The recent announcement
 concerns me. What happens if during the overlap analysis HP dumps some of
 their product line? Did we lose time making an effort to learn new
 products, configurations and vendor-suggested best practices? Knowing
 almost everyone's shop runs too thin and too fast, losing ground to
 incorporate something that may no longer be sold seems like a possible
 mistake in judgement and a blow to morale.

 -chris



Re: [c-nsp] Secondary VLAN deployment on Metro ETTH

2009-11-25 Thread Pavel Skovajsa
Hello,

Probably I have no luck with the proper audience for the questions below;
whatever the case, I have begun to test the Private VLAN deployment, and ran
into a strange packet drop issue.

The test topology is simple:  C7606 Gi1/22 -fiber- Gi0/1
ME3400-24TS-A - Fa0/3 client PC

The PVLAN is simple enough to post.

7606 running 12.2(33)SRC4:

vlan 14
 name test
 private-vlan primary
 private-vlan association 140

vlan 140
 name test_secondary
 private-vlan isolated

interface Vlan14
 description test
 ip vrf forwarding ext
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 private-vlan mapping 140

interface GigabitEthernet1/22
 description To_testing_ME3400-24-TS
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-61,63-4094
 switchport mode trunk
 switchport nonegotiate
 logging event link-status
 load-interval 30
 no snmp trap link-status


ME3400-24-TS-A running 12.2(52)SE:

vlan 14
 name test
 private-vlan primary
 private-vlan association 140

vlan 140
 name test_secondary
 private-vlan isolated

interface GigabitEthernet0/1
 port-type nni
 switchport mode trunk
 ip dhcp snooping trust

interface FastEthernet0/3
 description test_secondary_vlan
 switchport private-vlan host-association 14 140
 switchport mode private-vlan host
 load-interval 30
 storm-control broadcast level pps 30
 storm-control multicast level pps 30
 ip dhcp snooping limit rate 100


Before the PVLAN is configured I have nice connectivity from the 7606 to the
client PC:
7606#ping vrf ext 1.1.1.2 repeat 1000 size 1400

Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!
!!
!!
!!
!!
!!
!!
!!
!!
!!
!!
!!
!!
!!

Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/12 ms

However the moment I configure PVLAN (see above) I get this:
7606#ping vrf ext 1.1.1.2 repeat 1000 size 1400

Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....!
.!....
!.!....!!!
!.!....!!!
!.!...!..!
!!!.!...!.
!.!....!!!
!.!.!.!.!.
!.!.!.!.!.
....!.
..!.!.!.!.
....!.
!!....!.!!
!!..!....!
!!!.
Success rate is 92 percent (926/1000), round-trip min/avg/max = 1/2/28 ms

Which is a very interesting output (besides nice ASCII art) because the
packet drop is regular - 12 pings work, 13th does not, 12 pings work, 13th
does not... Thinking about it now, maybe it has something to do with the
number 13 :)

-pavel skovajsa
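
To check whether loss like that in the message above is periodic rather than random, the ping result string can be analysed mechanically. This is an added example, not part of the original post; the two sample strings are constructed, and the 0.8 threshold is an assumption.

```python
"""Detect periodic loss in the result string of an IOS ping."""
from collections import Counter


def parse_marks(output):
    """Keep only '!' (reply) and '.' (timeout); drop newlines and other text."""
    return [c for c in output if c in "!."]


def loss_positions(output):
    """1-based sequence numbers of the probes that timed out."""
    return [seq for seq, c in enumerate(parse_marks(output), 1) if c == "."]


def loss_period(output, min_share=0.8):
    """Return the dominant gap between consecutive losses, or None.

    A gap counts as "the period" only if it accounts for at least
    min_share of all gaps; fewer than three gaps is too little evidence.
    """
    pos = loss_positions(output)
    gaps = [b - a for a, b in zip(pos, pos[1:])]
    if len(gaps) < 3:
        return None
    gap, hits = Counter(gaps).most_common(1)[0]
    return gap if hits / len(gaps) >= min_share else None


def summarize(output):
    """Counts plus the detected loss period for one ping run."""
    marks = parse_marks(output)
    sent, lost = len(marks), marks.count(".")
    return {
        "sent": sent,
        "received": sent - lost,
        "success_pct": (sent - lost) * 100 // sent if sent else 0,
        "period": loss_period(output),
    }


def from_gaps(gaps):
    """Build a mark string in which each loss follows gap-1 replies."""
    return "".join("!" * (g - 1) + "." for g in gaps)


def wrap70(marks):
    """Wrap like the CLI does, 70 marks per line."""
    return "\n".join(marks[i:i + 70] for i in range(0, len(marks), 70))


# Constructed sample: every 13th probe of 1000 is lost.
REGULAR = wrap70(from_gaps([13] * 76) + "!" * 12)
# Constructed sample: losses at irregular intervals.
IRREGULAR = wrap70(from_gaps([3, 17, 5, 40, 9, 21, 2, 33]) + "!" * 20)

if __name__ == "__main__":
    print(summarize(REGULAR))
    print(summarize(IRREGULAR))
```

A fixed period points at something deterministic in the forwarding path rather than congestion or a marginal link, which narrows where to look next.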

On Mon, Nov 23, 2009 at 3:47 PM, Pavel Skovajsa pavel.skova...@gmail.com
wrote:
 Hi all,

 I am planning to implement Secondary VLANs feature on a Metro ETTH
 based on ME3400+76k. I have read various docs about it; the best I found
 is on
http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/

 I have a couple of questions/scenarios I want to double-check with you:
 1. Anybody using VTPv3 to disseminate the PVLAN info?
 2. What if there are 3rd party switches in the environment placed
 randomly between the ME3400?

 Here is my train of thought:
- From the explanations in the various docs I understood that the
 MAC address table for *downstream traffic* is stored

Re: [c-nsp] Secondary VLAN deployment on Metro ETTH

2009-11-25 Thread Pavel Skovajsa
Hi,

Yes, that is right: UNI ports can't talk to each other, but only within one
ME3400 switch. If you have more switches and want exactly the same
switchport protected functionality on all of them, one solution is to
implement PVLANs.

See
http://www.rfc-editor.org/internet-drafts/draft-sanjib-private-vlan-10.txt for
example.

In my opinion this is a nice feature, but its implementation details are too
hidden from the engineer (similar to CBWFQ for example), so you can only
trust that it works and don't have too many options for troubleshooting.

We are forced to separate the end customers on our Metro ISP network due to
an incident where one customer decided it is a good idea to start flooding
nonsense into our L2 segment. PVLAN sounded like a nice solution, but given
the issues below I am open to suggestions on how to separate customers on L2.

-pavel

On Wed, Nov 25, 2009 at 11:43 AM, Asbjorn Hojmark - Lists li...@hojmark.org
 wrote:

 On Wed, 25 Nov 2009 11:09:12 +0100, you wrote:

  Probably I do not have luck for proper audience for the questions below,
  whatever the case I have began to test the Private VLAN deployment, and
 ran
  into strange packet drop issue.
 
  The test topology is simple:  C7606 Gi1/22 -fiber- Gi0/1
  ME3400-24TS-A - Fa0/3 client PC

 Why do you want to run PVLAN on the 3400? UNI ports already can't talk
 to each other.

 -A



Re: [c-nsp] is a DWDM SFP a DWDM SFP?

2009-11-25 Thread Pavel Skovajsa
+1 - there is a part of Cisco called Transceiver Module Group that should
take care of this.

Also there is a great matrix for which module goes where on:
http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.pdf

-pavel skovajsa

On Wed, Nov 25, 2009 at 11:07 AM, Nick Hilliard n...@inex.ie wrote:

 On 25/11/2009 03:53, Justin Shore wrote:

 rant
 I REALLY wish all Cisco BUs would pick a set of optics and make them
 universal across ALL Cisco product lines. This crap of some products
 supporting only GLC- or some only support SFP- or some only supporting
 ONS- optics is a damn joke. Yes I know that ONSs use optics with DOM
 support but now so are most other things too. Create an internal
 standards group, define what's needed, create 1 set of optics and make
 all BUs use those optics!
 /rant


 +1

 Nick



Re: [c-nsp] delay eBGP sessions on startup?

2009-11-23 Thread Pavel Skovajsa
Hi all,

The situation is due to the fact that the upstream solution
architecture is not symmetric + the fact that BGP is not designed for
millisecond convergence.

Hence, here are my silly ideas in the order they appear in memory:

1. One of the solutions would be to make the architecture symmetric -
make Upstream 1 --- ISP-Router 1 send 200k routes between
themselves.

2. Try to get the situation as symmetric as possible with
Advanced Complicated BGP tweaking
   a. As default MTU for BGP session is 536, use ip tcp
path-mtu-discovery on neighbors or neighbor x.x.x.x transport
path-mtu-discovery. This should get the 200k on the other side
faster.
   b. Bind the advertising of the big  200.1.0.0/16 to RTR tracker
that tracks the availability of certain route
   c. BGP scanner tweaking
   d. etc. etc. see Networkers presentations:
BRKIPM-3005 - Advances in BGP
BRKIPM-3004 - IOS-XR IGP, BGP and PIM Convergence

3. Shutdown the BGP with Upstream_1 in startup, and unshut it manually. :))
4. Shutdown the BGP with Upstream_1 in startup, and unshut it
automatically with clever EEM. :))

In my opinion asking Cisco for a knob is a last resort, should be used
only when all the ideas fail.

-pavel skovajsa

On Mon, Nov 23, 2009 at 10:30 AM,  mas...@nexlinx.net.pk wrote:
 probably Cisco needs a knob very similar to vendor Juniper out-delay. you
 can delay the time between when BGP and the routing table exchange route
 information.

 http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing/html/bgp-config58.html#1016387

 Regards,
 Masood

 On Mon, Nov 23, 2009 at 09:10:25AM +0100, Gert Doering wrote:
   bgp update-delay n

 the bgp update-delay command is used to tune the maximum time the
 software will wait after the first neighbor is established until it
 starts calculating best paths and sending out advertisements.

 Now, what does maximum time mean?  Will it wait, or will it not?

 The documentation that I found claims that the default value is 120,
 which would certainly not agree with the observed behaviour.  OTOH,
 Marco claims that he has seen 0 as a default...

 The docs make it look like more of a graceful-restart specific timer,
 not like advertisement-interval (intentionally delaying the propagation
 of new updates to try and consolidate them) or the on-startup delay
 behaviors available in the IGPs.

 http://www.cisco.com/en/US/products/ps6550/products_white_paper09186a008016317c.shtml

 The bgp update-delay n command may be entered on the Cisco NSF-capable
 router. The update-delay specifies the time interval- after the first
 peer has reconnected during which the restarting router expects to
 receive all BGP updates and the EOR marker from all of its configured
 peers. The default value of n is 120 seconds, and n is always measured
 in seconds. If the restarting router has a large number of peers, each
 with a large number of updates to be sent, this value may need to be
 increased from its default value.

 --
 Richard A Steenbergen r...@e-gerbil.net       http://www.e-gerbil.net/ras
 GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: [c-nsp] difference between WS-F6700-DFC3BXL and WS-F6700-DFC3CXL

2009-11-23 Thread Pavel Skovajsa
Hi Ilya,

Not sure where your pricing came from but this is in GPL:
RSP720-3CXL-GE=    Cisco 7600 Route Switch Processor 720Gbps fabric, PFC3CXL, GE    B    $40,000

WS-F6700-DFC3BXL   Catalyst 6500 Dist Fwd Card- 3BXL, for WS-X67xx    B    $15,000
vs.
WS-F6700-DFC3CXL   Catalyst 6500 Dist Fwd Card- 3CXL, for WS-X67xx    B    $15,000

For the information about the difference between the DFC cards read this:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
and this:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns224/ns668/net_qanda0900aecd80534905.html

Hope it helps

-pavel skovajsa

On Mon, Nov 23, 2009 at 2:55 AM, Mark Tinka mti...@globaltransit.net wrote:
 On Monday 23 November 2009 08:34:32 am Ilya Balashov wrote:

 I'm looking for upgrade my 7606 filled with X6704-GE and
  X6748-SFP (all with CFC right now) My first phase will
  be swap SUP720-3BXL for RSP720-3CXL. but i'm in doubt
  about second phase!
 i can't find any information about WS-F6700-DFC3BXL vs
  WS-F6700-DFC3CXL, but price is different in 2-2.5 times!

 Odd - we upgraded from the DFC-3BXL to the DFC-3CXL for the
 same price.

 In terms of differences, search the archives for details on
 this, it has been discussed a few times. Bottom line, one of
 the key differences, in terms of features, is that the -3CXL
 supports several more MAC addresses. Apart from that, not so
 much difference.

 Note, though, that the -3CXL benefits only kick in when you
 have a -3CXL supervisor module. If you have a -3BXL
 supervisor module, the -3CXL DFC benefits will not be
 enjoyed.

 Advice, go with the -3CXL anyway.

 Cheers,

 Mark.



Re: [c-nsp] Ethernet autonegotiation issue between Cat3560 and Cat2960

2009-11-23 Thread Pavel Skovajsa
Hi,

I would approach this the indirect way - try shuffling the switches
around to see which combinations work and which do not. This is the
universal engineer approach :)

-pavel skovajsa

On Sun, Nov 22, 2009 at 11:17 PM, Daniele Orlandi dani...@orlandi.com wrote:
 On Sunday 22 November 2009 18:28:07 Nick Hilliard wrote:

 If you disable autonegotiation, you will need to use a GE cross-over cable,

 I don't think so, because with GE there are no RX and TX pairs to be crossed
 as all four pairs are both for transmission and reception.

 --
  Daniele Vihai Orlandi
  Bieco Illuminista #184213


[c-nsp] Secondary VLAN deployment on Metro ETTH

2009-11-23 Thread Pavel Skovajsa
Hi all,

I am planning to implement Secondary VLANs feature on a Metro ETTH
based on ME3400+76k. I have read various docs about it; the best I found
is on http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/

I have a couple of questions/scenarios I want to double-check with you:
1. Anybody using VTPv3 to disseminate the PVLAN info?
2. What if there are 3rd party switches in the environment placed
randomly between the ME3400?

Here is my train of thought:
- From the explanations in the various docs I understood that the
MAC address table for *downstream traffic* is stored in primary VLAN
table
- The reverse upstream traffic is stored in secondary VLAN MAC table
- hence it follows (not written anywhere) that in order to
properly switch the traffic and not flood it, the PVLAN implementation
must do lookups in JOINED primary+secondary mac address table.

Now the problem might lie in having 3rd party switches placed
*between* ME3400 - they have no idea about the PVLANs hence forward it
according to their VLAN tables - which are NOT joined - hence
the traffic is flooded on them.


-pavel skovajsa
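
The train of thought in the post above, worked through as a small simulation (an added example, not part of the original post and not any vendor's implementation). It assumes, as the post does, that upstream frames cross the trunk tagged with the isolated VLAN and downstream frames with the primary VLAN; the MAC addresses and port names are constructed.

```python
"""Toy model of MAC learning on a transit switch carrying a PVLAN pair."""
from dataclasses import dataclass, field

PRIMARY, ISOLATED = 14, 140            # VLAN IDs used in this thread
ROUTER_MAC = "00:00:5e:00:53:01"       # constructed sample addresses
HOST_MAC = "00:00:5e:00:53:02"
UPLINK, DOWNLINK = "to-7606", "to-me3400"   # hypothetical port names


@dataclass
class Switch:
    """Transit switch with one MAC table per VLAN.

    pvlan_pairs maps a secondary VLAN to its primary. Left empty, the
    switch is PVLAN-unaware and its per-VLAN tables are unrelated.
    """
    pvlan_pairs: dict = field(default_factory=dict)
    tables: dict = field(default_factory=dict)      # vlan -> {mac: port}

    def _associated(self, vlan):
        """VLANs whose tables receive entries learned in `vlan`."""
        group = {vlan}
        for secondary, primary in self.pvlan_pairs.items():
            if vlan in (secondary, primary):
                group |= {secondary, primary}
        return group

    def forward(self, vlan, src, dst, in_port):
        """Learn src, then return ('unicast', port) or ('flood', None)."""
        for v in self._associated(vlan):
            self.tables.setdefault(v, {})[src] = in_port
        out = self.tables.get(vlan, {}).get(dst)
        return ("unicast", out) if out else ("flood", None)


def run_conversation(switch, rounds=3):
    """Alternate host->router (isolated tag) and router->host (primary tag)."""
    results = []
    for _ in range(rounds):
        results.append(switch.forward(ISOLATED, HOST_MAC, ROUTER_MAC, DOWNLINK))
        results.append(switch.forward(PRIMARY, ROUTER_MAC, HOST_MAC, UPLINK))
    return results


def flood_count(results):
    """Number of frames the switch had to flood."""
    return sum(1 for kind, _ in results if kind == "flood")


if __name__ == "__main__":
    unaware = run_conversation(Switch())
    aware = run_conversation(Switch(pvlan_pairs={ISOLATED: PRIMARY}))
    print("PVLAN-unaware switch floods", flood_count(unaware), "of", len(unaware))
    print("PVLAN-aware switch floods  ", flood_count(aware), "of", len(aware))
```

On the unaware switch the destination is always looked up in a table that never learned it, so every frame in both directions is flooded to all ports carrying that VLAN; the aware switch floods only the very first frame.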


[c-nsp] Cisco 3400 port shaping message limitation

2009-10-07 Thread Pavel Skovajsa
Hello all,

I was in the middle of the configuration of ME-3400-24TS-A
(12.2(50)SE1) for port-shaping and ran into an interesting message:

censw(config-if)#!
censw(config-if)#!
censw(config-if)#interface FastEthernet0/12
censw(config-if)#service-policy output UNI-out-internet-1024kbps
censw(config-if)#service-policy input UNI-in-internet-1024kbps
censw(config-if)#!
censw(config-if)#!
censw(config-if)#interface FastEthernet0/22
censw(config-if)#service-policy output UNI-out-internet-1024kbps
censw(config-if)#service-policy input UNI-in-internet-1024kbps
censw(config-if)#!
censw(config-if)#!
censw(config-if)#interface FastEthernet0/5
censw(config-if)#service-policy output UNI-out-internet-1024kbps
QoS: Configuration failed.  The configured rate 1024000 bps is not
achievable in hw within 1% of configuration.
Closest value(s) are: 111 bps, 100 bps
censw(config-if)#service-policy input UNI-in-internet-1024kbps
censw(config-if)#
censw(config-if)#service-policy output UNI-out-internet-1024kbps
QoS: Configuration failed.  The configured rate 1024000 bps is not
achievable in hw within 1% of configuration.
Closest value(s) are: 111 bps, 100 bps
censw(config-if)#service-policy output UNI-out-internet-1024kbps
QoS: Configuration failed.  The configured rate 1024000 bps is not
achievable in hw within 1% of configuration.
Closest value(s) are: 111 bps, 100 bps


The configuration of the policy-map is straightforward:
policy-map UNI-out-internet-1024kbps
 class class-default
  shape average 1024000
  queue-limit 272

The setting of the queue-limit is configured according to the
recommendation over here:
http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_52_se/configuration/guide/swqos.html#wp1497063

After a little experimenting I figured out that when I change the
policy-map to this:
policy-map UNI-out-internet-1024kbps
 class class-default
  shape average 100
  queue-limit 272

It starts to work fine. The question still remains, what does this
error message actually mean, and why did it get triggered when I applied
the policy to the 3rd interface in a row?

Can somebody shed some light into this?

Regards,
Pavel Skovajsa


Re: [c-nsp] OT: Network documentation tool

2009-07-18 Thread Pavel Skovajsa
Hi,

I believe the way the networks you manage are documented is one of the
main factors of the quality of everyday delivery. The reason for that
is that the network is supported/operated by different people than
actually built it, at least on the early levels of support.

The corollary is that as network-builder you need to perform a
knowledge transfer to the support organization, therefore you need to
provide some kind of meaningful documentation. After that all you need
to do is to find an efficient way for the support organization to
orientate in the vast amount of documented information, to be able to
find the necessary info in timely fashion.

Having said this, it is obvious that no documenting system that allows
free unstructured placement of information is the correct answer.
Therefore I believe that no free unstructured documenting system
like Sharepoint, Wiki or CIFS is ideal for this job.

The need is for a strict structured documenting system that holds the
information about the entities on your network and their relationship.
The nature of network information that we want to document is indeed
structured therefore easily modeled by traditional decomposition
techniques. To give you an example:

1. basic entity is a device that has number of attributes - name, IP,
serial number, location etc.
2. devices have number of interfaces, each with attributes like name,
technology, speed etc. Interfaces link devices together and can be
monitored or not via our monitoring system.
3. devices belong to sites, which have subnets, visual maps, real post
addresses and people contacts
4. sites are connected by WAN links (on device interfaces) into
regions that have management contacts etc.

etc. etc.

This information can then be used for more than documentation
purposes, for example billing, reporting etc. etc. whatever you think
about - for example devices can be linked with CVSView output from
RANCID.

No, I do not know any open-source system that would have all of this,
that is why most big companies usually find some budget in order to
get something like above written from scratch.


-Pavel
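
The entity list in the message above, written out as a relational schema with two lookups a support engineer would run against it. This is an added example, not a tool or schema from the thread; all table and column names are assumptions and every row is constructed sample data.

```python
"""Structured network inventory following the entity list in the post."""
import sqlite3

SCHEMA = """
CREATE TABLE region (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
    mgmt_contact TEXT NOT NULL);
CREATE TABLE site (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, postal_address TEXT,
    contact TEXT NOT NULL, region_id INTEGER NOT NULL REFERENCES region(id));
CREATE TABLE subnet (
    id INTEGER PRIMARY KEY, cidr TEXT NOT NULL UNIQUE,
    site_id INTEGER NOT NULL REFERENCES site(id));
CREATE TABLE device (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, mgmt_ip TEXT NOT NULL,
    serial TEXT, site_id INTEGER NOT NULL REFERENCES site(id));
CREATE TABLE interface (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, technology TEXT,
    speed_mbps INTEGER, monitored INTEGER NOT NULL DEFAULT 0,
    device_id INTEGER NOT NULL REFERENCES device(id),
    UNIQUE (device_id, name));
CREATE TABLE link (
    id INTEGER PRIMARY KEY,
    kind TEXT NOT NULL CHECK (kind IN ('LAN', 'WAN')),
    a_if INTEGER NOT NULL REFERENCES interface(id),
    b_if INTEGER NOT NULL REFERENCES interface(id));
"""


def build_sample_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # reject rows pointing nowhere
    db.executescript(SCHEMA)
    db.execute("INSERT INTO region VALUES (1, 'EMEA', 'emea-noc@example.net')")
    db.executemany("INSERT INTO site VALUES (?, ?, ?, ?, ?)", [
        (1, "PRG1", "1 Example Street", "prg1-onsite@example.net", 1),
        (2, "JNB1", "2 Example Road", "jnb1-onsite@example.net", 1)])
    db.executemany("INSERT INTO device VALUES (?, ?, ?, ?, ?)", [
        (1, "prg1-core1", "192.0.2.1", "SN-CONSTRUCTED-1", 1),
        (2, "jnb1-core1", "192.0.2.2", "SN-CONSTRUCTED-2", 2)])
    # columns: id, name, technology, speed_mbps, monitored, device_id
    db.executemany("INSERT INTO interface VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Gi1/1", "GE", 1000, 1, 1),
        (2, "Gi1/1", "GE", 1000, 0, 2),
        (3, "Gi1/2", "GE", 1000, 0, 1)])
    db.execute("INSERT INTO link VALUES (1, 'WAN', 1, 2)")
    db.commit()
    return db


def who_to_call(db, device_name):
    """(site, on-site contact, regional management contact) for a device."""
    return db.execute(
        "SELECT s.name, s.contact, r.mgmt_contact FROM device d "
        "JOIN site s ON s.id = d.site_id "
        "JOIN region r ON r.id = s.region_id "
        "WHERE d.name = ?", (device_name,)).fetchone()


def unmonitored_wan_interfaces(db):
    """(device, interface) pairs that terminate a WAN link but are not monitored."""
    return db.execute(
        "SELECT d.name, i.name FROM link l "
        "JOIN interface i ON i.id IN (l.a_if, l.b_if) "
        "JOIN device d ON d.id = i.device_id "
        "WHERE l.kind = 'WAN' AND i.monitored = 0 "
        "ORDER BY d.name, i.name").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(who_to_call(db, "jnb1-core1"))
    print(unmonitored_wan_interfaces(db))
```

The second query is the kind of question a free-form wiki cannot answer: it finds a WAN endpoint nobody is watching by joining links, interfaces and devices.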



On Sat, Jul 18, 2009 at 6:18 PM, a.l.m.bu...@lboro.ac.uk wrote:
 Hi,

 I'm looking for the perfect documentation tool for network

 the obvious answer is the one that works for you and
 your organisation. you say you've got a CIFS share right
 now - but, used correctly, that might be the best way.
 certainly easy to backup ;-)

 we used some basic WIKI - qwikiwiki and then moved onto Drupal
 which is currently in place. whilst good at providing content
 it still suffers the curse of any written stuff (elec or print)
 and that is that the network can quite easily make the docs look
 outdated - I would be very careful about what gets documented
 and detailed - something like configs are (or should be!) already
 being stored in usually a much better way - eg RANCID or another
 RCS/SVN repository.  when things go wrong you dont want
 to be digging through docs and a changelog system to try to map what
 is and what was - you want to query your configs for anything
 changed in the last eg 3 hours - thats what a proper config
 store can tell you.  the docs should be higher level like
 how the system is architectured...why you have what options
 on VLANs and links etc.  thats my $0.01

 (we also try to self-document as much as we can in places -
 eg config files for DHCP and DNS can be very verbose...likewise
 ACLs on routers/switches - use those remark commands! :-)

 alan


[c-nsp] Dot1x stuck in guest-vlan

2009-06-02 Thread Pavel Skovajsa
Hello all,

I am struggling with the way the Guest Vlan is handled in dot1x.
All the port states work just fine, except during workstation boot-up
the switch does not receive dot1x packets from workstation dot1x
client hence forcing the port to fall into Guest Vlan, as below:

=
C3560#sh authentication sessions interface fa0/38
Interface:  FastEthernet0/38
  MAC Address:  Unknown
   IP Address:  Unknown
User-Name:  UNRESPONSIVE
   Status:  Authz Success
   Domain:  DATA
   Oper host mode:  multi-host
 Oper control dir:  both
Authorized By:  Guest Vlan
  Vlan Policy:  330
  Session timeout:  N/A
 Idle timeout:  N/A
Common Session ID:  0A821A5C3727DE21D3A1
  Acct Session ID:  0x45A8
   Handle:  0x63000727

Runnable methods list:
   Method   State
   dot1xFailed over
==

Once PC and its dot1x client or supplicant is up and running the port
status does not change as I would expect - to production Vlan.
The only remedy here is to shut / no shut the port.

port config:

interface FastEthernet0/38
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 500
 priority-queue out
 authentication event fail action authorize vlan 330
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 330
 ! ^ it works without this command for compliant users, however
 ! non-compliant guest machines would not be allowed any network
 ! connectivity at all
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer restart 20
 authentication timer reauthenticate 20
 authentication timer inactivity 120
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout server-timeout 100
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 10
 spanning-tree portfast
end
===

Many thanks for any hints,

Pavel Skovajsa


[c-nsp] Simple Application performance assesment tool

2009-05-26 Thread Pavel Skovajsa
Hello all,

Does somebody know of a good application performance assesment tool
that would help me understand what is the current bandwidth per given
application, something similar to simple Netflow collector but
preferably end-user capture based that can be installed on end-user
machine.
I have spent some time searching for something like this and always
ran into 'rocket-science appliances' that do lots of stuff more than
that. I just need simple evaluation of what/where/how fast/how much.

Regards,
Pavel


[c-nsp] DHCP server suited for option 82

2009-04-27 Thread Pavel Skovajsa
Hello all,

I am trying to setup linux dhcpd ISC server to act according to
certain circuit-id values in the Option 82, and I find the whole
configuration very poorly documented, and quite complex. This is quite
surprising to me that for such a market pushy technology as IPoE there
are no 'easily' configurable DHCP servers.

Maybe I am looking wrong direction, can somebody tell me what DHCP
server are you using if you need to hand out specific IPs for specific
switch ports?

Thanks,
Pavel Skovajsa


[c-nsp] Twingig part of 3560E delivery?

2009-01-26 Thread Pavel Skovajsa
Hello all,

does somebody know whether the CVR-X2-SFP are part of the delivery of
3650E say Cisco Catalyst 3560E-48TD or should I order them separately?

Regards,
Pavel Skovajsa


Re: [c-nsp] Twingig part of 3560E delivery?

2009-01-26 Thread Pavel Skovajsa
Uff,

so if I didn't *order* FREE CVR-X2-SFP-2, CVR-X2-SFP-1 Cisco won't
deliver it as part of 3560E, right?
Really bad.

Pavel

On Mon, Jan 26, 2009 at 1:05 PM, Marek Tyban m...@vol.cz wrote:

 Hi Pavel,

 when we first purchased 3560E one of Cisco partner here recommended us to
 order TwinGig separately, even if it's for free. Configuration Tool offers
 three options CVR-X2-SFP-2, CVR-X2-SFP-1 or CVR-X2-SFP-NONE.

 Regards,
 Marek


 On Mon, 26 Jan 2009, Pavel Skovajsa wrote:

 Hello all,

 does somebody know whether the CVR-X2-SFP are part of the delivery of
 3650E say Cisco Catalyst 3560E-48TD or should I order them separately?

 Regards,
 Pavel Skovajsa


[c-nsp] What to do with old Cisco kit

2009-01-14 Thread Pavel Skovajsa
Hello all,

Can you please recommend a process by which one should properly
dispose of old Cisco kit, preferably by selling to refurbishing vendors
etc. South Africa or EMEA preferred.

Regards,
Pavel Skovajsa


[c-nsp] SM SFP over MM cable

2008-11-26 Thread Pavel Skovajsa
Hello,

I have heard stories that normal LX single mode SFP works fine over
any MM fiber. Is that true? Does it have any distance limitation? Is
there any doc I can read so that I understand what are the various
possibilities to mix/match various SM/MM SFPs etc.

Regards,
Pavel Skovajsa


Re: [c-nsp] To VSS or not to VSS

2008-11-23 Thread Pavel Skovajsa
Hi Eric,

We use it as core and distribution switches in our campus, have
about 5 VSS pairs, and so far it runs very fine and stable, have not
had any issues with it.

But we have a fairly easy setup, no blades (FWSM, ACE) in the box, which
makes things simple.


Best Regards,
Pavel Skovajsa

On Sat, Nov 22, 2008 at 9:13 PM, Thomas Dupas [EMAIL PROTECTED] wrote:
 Hi Eric,

 The FWSM (or any service module) wasn't supported in a VSS setup until SXI.
 And I don't think that many people made the step yet to SXI on a production 
 VSS system, but you never know.

 Overall I have had fairly good results with VSS in terms of throughput and 
 stability, they were mostly used as distribution switches in the campus or 
 bookshelf switches in the DC. The biggest flaw so far is the downtime when 
 performing an upgrade, you fall back from SSO to RPR due to the IOS 
 mismatches, and that means around 5 minutes downtime on failover. Same as you 
 would have with supervisor redundancy in a single chassis.
 They now have an eFSU (semi-ISSU?) in the SXI release, which should improve
 upgrade procedures (RPR+ instead of RPR), but it's not really ISSU according
 to the specs. But I certainly want to try that (but then I need a next 
 release to upgrade to :-))

 Best Regards,

 Thomas Dupas


 On 22/11/08 21:01, Eric Cables [EMAIL PROTECTED] wrote:

 I'm working on a design which includes 2 pairs of 6509s w/ VS-S720-10G
 (one in each chassis).  The VSS capable supervisor engines were chosen
 mainly for the 10G interfaces, but the more VSS documentation I read
 the more it seems like a great solution for added
 redundancy/bandwidth, while reducing complexity.  As far as modules,
 all will be 6748s or 6724s, and the only service modules in the mix
 will be a pair of FWSMs in one of the VSS pairs.

 Can anyone provide any feedback on your VSS experiences?  How have the
 FWSMs played with VSS?  Any design considerations I should be aware
 of?

 Thanks,

 -- Eric Cables


[c-nsp] VSS SRND

2008-11-17 Thread Pavel Skovajsa
Hello all,

does anybody have a clue when the VSS Block SRND is going to be
published on Design Zone? The Enterprise Campus 3.0 Architecture
(http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html)
states that:


Most campus environments will gain the greatest advantages of a
virtual switch in the distribution layer. For details on the design of
the virtual switching distribution block see the upcoming virtual
switch distribution block design, http://www.cisco.com/go/srnd.


This has been there for almost 6 months now, and still no VSS SRND.

Thanks,
Pavel Skovajsa


Re: [c-nsp] Slave Supervisor for Sup 720 10G Crashing on 6500's

2008-11-06 Thread Pavel Skovajsa
I will at least give it a try and upgrade to SXH3a or wait a couple of
weeks for SXH4. SXH2 is really buggy.

pavel

On Thu, Nov 6, 2008 at 6:11 PM, Richard Chew [EMAIL PROTECTED] wrote:
 Hi All,

  We have recently deployed 17, 6500's on campus, and about two months in we
 have already had 5 supervisors fail for no apparent reason.  When we call
 TAC they just RMA us a new Sup, but I suspect (cannot prove) that something
 else is causing this problem.  At first I thought it was SXH2, but we have
 recently seen the problem on SXH3, so any help would be appreciated.
  Thanks.

 BTW :

 Nov  5 14:38:55.405 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:39:55.437 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:40:55.533 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:41:55.633 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD
 Nov  5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6
 TestSPRPInbandPing consecutive failure count:10
 Nov  5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec):
 SP=8% RP=3% Traffic=0%
 netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4,
 fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10]
 Nov  5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6
 TestSPRPInbandPing consecutive failure count:10
 Nov  5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec):
 SP=8% RP=3% Traffic=0%
 netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4,
 fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10]
 Nov  5 14:42:55.765 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD
 Nov  5 14:43:55.837 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:44:55.925 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:45:55.965 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6
 TestSPRPInbandPing consecutive failure count:20
 Nov  5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec):
 SP=2% RP=0% Traffic=0%
 netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4,
 fail=20], 3[IPv4, fail=20], 4[IPv6, fail=20]
 Nov  5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6
 TestSPRPInbandPing consecutive failure count:20
 Nov  5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec):
 SP=14% RP=0% Traffic=0%
 netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4,
 fail=20], 3[IPv4, fail=20], 4[IPv6, fai=20]
 Nov  5 14:46:56.077 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC
 #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
 Nov  5 14:47:03.241 PST: %PFREDUN-SP-6-ACTIVE: Standby supervisor removed or
 reloaded, changing to Simplex mode
 Nov  5 14:47:03.261 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being
 power-cycled (RF request)
 Nov  5 14:47:13.470 PST: %LINK-3-UPDOWN: Interface GigabitEthernet6/1,
 changed state to down
 Nov  5 14:47:13.470 PST: %OSPF-5-ADJCHG: Process 5739, Nbr 128.114.0.4 on
 GigabitEthernet6/1 from FULL to DOWN, Neighbor Down: Interface down or
 detached
 Nov  5 14:47:13.494 PST: %PIM-5-NBRCHG: neighbor 128.114.1.157 DOWN on
 interface GigabitEthernet6/1 non DR
 Nov  5 14:47:13.494 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface
 GigabitEthernet6/1, changed state to down
 Nov  5 14:47:13.606 PST: %SNMP-5-MODULETRAP: Module 6 [Down] Trap
 Nov  5 14:47:13.461 PST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet6/1,
 changed state to down
 Nov  5 14:47:13.593 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being
 power-cycled (Slot disabled)
 Nov  5 14:47:13.597 PST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface
 GigabitEthernet6/1, changed state to down



Re: [c-nsp] Cisco 2851 bug ?

2008-07-15 Thread Pavel Skovajsa
Hi,
An IP Input spike is usually caused by abnormal 'IP input' traffic that
gets punted into the RP from CEF for whatever reason.
A very common cause is a broadcast storm. You can see what packet
is holding the CPU with 'show buffers input interface fa0/1'. However,
you need to do this command during a real spike...

Pavel

On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert
[EMAIL PROTECTED] wrote:
 Is anyone aware of a bug or configuration that could cause a sudden
 spike in IP input?

 uptime is 26 weeks, 3 days, 10 hours, 54 minutes
 System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
 System restarted at 01:41:34 PST Tue Jan 8 2008
 System image file is flash:c2800nm-ipbasek9-mz.124-17a.bin
 Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.

 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input

 Seattle-WAN   01:00:26 PM Friday Jul 11 2008 DST


 [CPU history graphs, garbled in the archive: CPU% per second (last 60 seconds); CPU% per minute (last 60 minutes); CPU% per hour (last 72 hours). Legend: * = maximum CPU%, # = average CPU%]




Re: [c-nsp] giant packets troubleshooting

2008-07-15 Thread Pavel Skovajsa
Just to be aware, there has been a cosmetic bug on many Cisco
platforms two years ago that classified all dot1q trunked frames as
giants. The way to verify this is by looking whether you don't see
giants on all trunk ports.

Pavel

On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis [EMAIL PROTECTED] wrote:
 Hello all

 I have some interfaces on my networks (gigabit / ethernet) which report a 
 huge amount of giant packets. What is the cause of giant packets?  Is their 
 any methodology or any good document which details the way to troubleshoot 
 giant packets?

 All responses will be appreciated.
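The check described in the reply above (do giants show up on every dot1q trunk port, or only on some ports?) can be scripted against collected CLI output. This is an added example, not part of the original thread; the two output samples, port names and counter values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `show interfaces` output, trimmed to the lines used here.
SHOW_INTERFACES = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
     0 runts, 48211 giants, 0 throttles
GigabitEthernet0/2 is up, line protocol is up (connected)
     0 runts, 0 giants, 0 throttles
GigabitEthernet0/3 is up, line protocol is up (connected)
     0 runts, 9932 giants, 0 throttles
GigabitEthernet0/4 is up, line protocol is up (connected)
     0 runts, 17 giants, 0 throttles
"""

# Constructed sample of the first table of `show interfaces trunk`.
SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/3       on               802.1q         trunking      1
"""

# The trunk table abbreviates names; expand them to match `show interfaces`.
ABBREV = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}


def parse_giants(text):
    """Return {interface: giants counter} from `show interfaces` text."""
    giants, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+) is .*line protocol is", line)
        if header:
            current = header.group(1)
            continue
        counter = re.search(r"(\d+) giants", line)
        if counter and current:
            giants[current] = int(counter.group(1))
    return giants


def parse_trunks(text):
    """Return the set of full interface names currently in trunking state."""
    trunks = set()
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]{2})(\d\S*)\s+\S+\s+\S+\s+trunking\b", line)
        if m and m.group(1) in ABBREV:
            trunks.add(ABBREV[m.group(1)] + m.group(2))
    return trunks


def classify(giants, trunks):
    """Split ports with giants into trunk and non-trunk groups."""
    trunk_hits = sorted(p for p in trunks if giants.get(p, 0) > 0)
    other_hits = sorted(p for p, n in giants.items() if n > 0 and p not in trunks)
    return {
        # Giants on every trunk matches the counting pattern from the reply.
        "all_trunks_affected": bool(trunks) and len(trunk_hits) == len(trunks),
        "trunk_ports_with_giants": trunk_hits,
        # Giants on non-trunk ports are not explained by tagged frames.
        "non_trunk_ports_with_giants": other_hits,
    }


if __name__ == "__main__":
    print(classify(parse_giants(SHOW_INTERFACES), parse_trunks(SHOW_TRUNK)))
```

In the constructed sample both trunks carry giants, which fits the cosmetic-counter pattern, while the access port GigabitEthernet0/4 still needs a separate look.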


[c-nsp] C6509-E air flow

2008-07-08 Thread Pavel Skovajsa
Hello,
we have a C6509-E with interesting temperature issue. The EARL chip on
module 1 detects temperature over 65C and the whole module shuts down.
We have swapped the chassis, fan, module and sup and still have the
same issue. The interesting part is when we moved the card in module 1
into module 2 - no temperature issue.
From this I deduce that we have some kind of air flow issues, as
module 1 has worse air flow than module 2. Does somebody have some
nice doc that describes the C6509-E air flow? Or maybe a recommendation
about the room air conditioning, or air flow in the room.

Thanks,
Pavel


[c-nsp] ASA or FRSW in transparent mode over qinq

2008-07-08 Thread Pavel Skovajsa
Hello,
does anybody know whether ASA or FWSW is able to firewall qinq packets
in transparent mode? Does anybody have some configs of this?
In short we are a service provider who wants to offer firewall
protection to various customer qinq tunnels.

Pavel


Re: [c-nsp] Switch cluster with 2950 and 3750 stack

2008-07-07 Thread Pavel Skovajsa
Hi,
no this is not possible. Etherchannel is always one logical device to
another logical device.

For example two 2950 to each other.
Or stack of 3750 to one 2950
or stack of 3750 to stack of 3750
or the newest edge bleeding etherchannel setup (google up MEC) is: VSS
1440 (2x650x) to 2950

pavel



On Mon, Jul 7, 2008 at 11:16 AM, luismi [EMAIL PROTECTED] wrote:
 Hi all,

 I need to redesign a small network here.
 It is working with now with just a 2950 but I would like to improve the
 availability.

 I have some dudes that they will be probably answered in some place in
 Internet but I didn't find that place yet.

 The actual scenario is:
 1 x 2950 connected to a 3750 stack

 The future scenario I would like to have is:
 2 x 2950 connected to a 3750 stack

 Well, the reason to use 2950 is that we have several 2950 switches here
 and there is no reason to make a new investment since they are enough for
 our requirements, their load is also quite small.

 I would like to do a cluster with the 2950 switches probably using some
 GigaStack Gbics.

 The question is...
 As soon as I create the cluster in the 2950 switches, is it possible to
 create a port-channel (one port from one 2950 and one port from the
 other 2950) against a port-channel at the 3750 stack side?

 I hope someone in this list can answer that.

 Thanks in advance.



Re: [c-nsp] RANCID Spiking CPUs

2008-06-10 Thread Pavel Skovajsa
Hey,
The reason why show run consumes high cpu is that it polls all IOS
modules/components to get their configs.
I remember there is a command on newest IOS that uses some ram to
cache show run output and speed the show run output process, but I
cannot remember the exact command.

Pavel

On Tue, Jun 10, 2008 at 9:36 AM, Saku Ytti [EMAIL PROTECTED] wrote:
 On (2008-06-09 15:56 -0400), Nick Davey wrote:

 Hey Nick,

 I've deployed rancid on a fairly large metro network, and am seeing some
 pretty high CPU averages. When RANCID runs the CPU's on a large number of
 our boxes spike to about 95% for several seconds. Although they have never
 hit 100%, or caused any issues (dropped OSPF hello's, stp bpdu's) I'm
 concerned that this could happen under the right combination of events this
 could result is dropped OSPF neighbor adjacency's or other badness.

  As other already pointed out, you shouldn't worry there is (sucky)
 scheduler in IOS that'll make sure that your OSPF/STP etc. keeps rocking
 while doing lower priority stuff, such as what rancid does.
  However, if you're running software platform (you prolly aren't, if
 you have STP) some commands do compete with CEF, such as 'show run'
 (but not 'show conf' and 'dir'.). And if you have accurate enough
 monitoring, you can observe slightly increased jitter/latency
 for few packets transiting eg. VXR when 'show run' or 'dir'
 is issued.

 --
  ++ytti


Re: [c-nsp] RANCID Spiking CPUs

2008-06-10 Thread Pavel Skovajsa
found it:
see 
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/config_cache.html

On Tue, Jun 10, 2008 at 1:15 PM, Pavel Skovajsa
[EMAIL PROTECTED] wrote:
 Hey,
 The reason why show run consumes high cpu is that it polls all IOS
 modules/components to get their configs.
 I remember there is a command on newest IOS that uses some ram to
 cache show run output and speed the show run output process, but I
 cannot remember the exact command.

 Pavel

 On Tue, Jun 10, 2008 at 9:36 AM, Saku Ytti [EMAIL PROTECTED] wrote:
 On (2008-06-09 15:56 -0400), Nick Davey wrote:

 Hey Nick,

 I've deployed rancid on a fairly large metro network, and am seeing some
 pretty high CPU averages. When RANCID runs the CPU's on a large number of
 our boxes spike to about 95% for several seconds. Although they have never
 hit 100%, or caused any issues (dropped OSPF hello's, stp bpdu's) I'm
 concerned that this could happen under the right combination of events this
 could result is dropped OSPF neighbor adjacency's or other badness.

  As other already pointed out, you shouldn't worry there is (sucky)
 scheduler in IOS that'll make sure that your OSPF/STP etc. keeps rocking
 while doing lower priority stuff, such as what rancid does.
  However, if you're running software platform (you prolly aren't, if
 you have STP) some commands do compete with CEF, such as 'show run'
 (but not 'show conf' and 'dir'.). And if you have accurate enough
 monitoring, you can observe slightly increased jitter/latency
 for few packets transiting eg. VXR when 'show run' or 'dir'
 is issued.

 --
  ++ytti

