Re: [c-nsp] ASR 1000 series replacement
hey,

> We have a somewhat unusual scenario with thousands of CPE devices each using cellular interface and gre tunnel to connect to hub router, currently ASR 1001x. The hub router deploys NHRP map multicast with GRE tunnels and bgp session to each cpe device, each tunnel different customer vrf connected to mpls core network. There are hundreds of GRE tunnels.

Not really so unusual in SP environment.

> What would be logical replacement for hub router considering expansion and redundancy. We tried a pair of stacked Cisco 9500, and it performed worse than expected.

cat8500 family (non-L models). Forget the stupid naming, this is actually next-gen QFP and should be called asr1k+

> One solution we have is another router with same addressing scheme, and to rely on routing to migrate tunnels to this new router in the event of failure of original hub.

Anycast works and this is what we did for exactly the scenario you described earlier. But we found that we'd like it to be more hitless so we are now deploying dual tunnels from every CPE to C8500-12X headends.

-- tarko
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)
hey,

> "ztp initiate dataport"

We were discussing iPXE and not normal ZTP. iPXE is only possible via OOB management port and allows software install via DHCP options, normal ZTP will work inband but does not allow software install via DHCP options.

-- tarko
Re: [c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)
hey,

> With XR7 the idea was to mimic how things are done with Linux repos by having a specific RPM repo for the routers and the patches which is managed similar to Linux and that’s how all software is packaged now.

I'd argue you'd want your devices to be cattle and not pets. When doing upgrades you want all your devices end up in same state and GISO provides that. When doing investigation you don't have to go and compare specific RPM versions that someone might have installed etc.

-- tarko
Re: [c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)
hey,

> You can, at least in later versions use install replace with http, at least with GISO. You also do not need the apply command, and you can include “commit” in the replace command so it’s not required after the device reboots.

Not sure all those improvements have been delivered for NCS540 for example. But that's not the point.

The problem is, when doing deployment, you need to work with whatever software is on the devices from factory. You might have hundreds of devices in stock with XR 7.2 so you have to work with that. Unfortunately XR ZTP doesn't allow for automatic GISO upgrades either (before anyone mentions, yes it's possible with iPXE via OOB management but that's unusable on the field).

Some other vendors allow sending device config *and* software images in the ZTP process so you don't have to automate that part yourself, only the upgrades that follow and these you can then baseline from whatever version you are deploying.

ZTP is such a low hanging fruit and vendors constantly get it wrong (little details matter). Sure, they deliver fixes and improvements but this may be after you already have thousand devices delivered that don't behave.

-- tarko
Re: [c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)
hey,

> My long-term solution to this problem is to install with iPXE. That lets you do it via HTTP and without all the nonsense :)

Unfortunately this is only possible via OOB ethernet management port. So this cannot be used for thousands of devices on the field where you only have inband management.

-- tarko
[c-nsp] NCS IOS-XR rant (was:Re: Internet border router recommendations and experiences)
hey,

> XR for a number of years now has had the concept of a “golden ISO”. It’s a single image either built by Cisco or customers can build their own that include the base software and the SMUs in a single image. You just issue a single “install replace myiso.iso” and that’s it.

Well, not so in practice.

You can't issue install from http:// or any other remote URL.

You have to sit around and issue "install apply" after "install replace" is finished. Replace is async so you have to sit around and poll the process.

After reboot you have to reconnect to device and issue "install commit".

In some cases direct upgrades from version X to Y fail so you have to go through this whole process twice (X to Z to Y) that takes around 2 hours on NCS540. In some other X to Y cases there is not sufficient disk space to complete "install replace".

We personally have automated the whole install process via netconf and can work around the quirks relevant for our platforms and versions. Many people can't do that or can't justify the expense (when they have small number of devices).

Some other issues have been solved by Cisco in latest releases, I believe install replace can now be sync operation, maybe not on NCS540 but on larger platforms (IOS-XR consistency between platforms is an issue itself).

So I totally get what Mark and Gert are saying. IOS-XR is currently worst NOS operational experience from all large NOSes out there.

-- tarko
Re: [c-nsp] NCS-5501 - EVPN L2VPN BVI mac-address weirdness
hey,

> But I've already had to dump Nokia because they say they won't support a chip-restricted feature which Juniper claim they will.

Which feature? Vendors, including Nokia, have worked around BCM limitations before by playing tricks like recirculating packet twice (disabling some of the frontplate) for e-tree, some multicast stuff, packet mirroring, OAM loopback etc.

-- tarko
Re: [c-nsp] [External Email] Re: big uptime - what you got ?
hey,

> cisco LS1010 (R4600) processor with 65536K bytes of memory.

It was just matter of time until someone shows up with LS1010 :) (Un)fortunately our LS1010s are long gone but the uptimes were 12+ years on many of them.

-- tarko
Re: [c-nsp] MPLS via SVI on Sup720-PFC3b
hey,

If you don't want to spend any money on this, loop the related vlan with external cable to physical port? Not pretty but you can get it done with zero cost if you have two ports to spare.

-- tarko
Re: [c-nsp] asr9k dhcp relay + ipv4 verify unicast
hey,

> interface BVI60004
>  ipv4 address 10.4.5.1 255.255.255.0
>  ipv4 verify unicast source reachable-via rx allow-self-ping

Is this actual config or simplified? If simplified, is there VRRP/HSRP involved?

If there is, it can be explained by DHCP return packet hitting other router (because it's sent to GIADDR but you only announce your connected prefix). Other router then fails to send packet to original router via connected interface because from other router's POV it fails RPF (saddr: dhcp-server, daddr: giaddr).

-- tarko
Re: [c-nsp] Media converters - experiences?
hey,

> If you have the right amount of scale to command a good discount, the Cisco ME1200 is a nice little NID that can do all of this and more.

Do you have actual experience with the ME1200? Documentation is scarce and from the little documentation it doesn't look like IOS device.

-- tarko
Re: [c-nsp] NCS5K?
hey, Anyone eyeing up the NCS5K range? I could do a lot of damage with a pair of NCS 5011 and 5001 "linecards". Chassis-free core? Probably not the intended use case. Check out this recent Nanog thread: http://www.gossamer-threads.com/lists/nanog/users/186918?do=post_view_threaded LSR core - yes, full table IP core - no. See PTX1000 if you are interested in similar box with 2M FIB. Very appealing boxes nevertheless.

-- tarko
Re: [c-nsp] Trunked VLANs over FTTC VDSL2
hey,

> Anyone out there trunking multiple VLANs to a Cisco CPE over FTTC, in a similar position?

I'm actually testing this as we speak. Not with BT but it doesn't really matter.

See below for the config that should theoretically work, in reality it does not. The packets are correctly double tagged in LAN>VDSL direction but in VDSL>LAN direction packets are lost after they reach Vlan100 interface (by looking at packet counters). This is probably because Vlan100 interface is not really expecting packets with dot1Q ethertype.

I haven't opened the case with Cisco yet but I don't have high hopes. Having dot1q-tunnel on this platform is most likely mistake.

Do you know any other devices/vendors that could theoretically do this? I only know about RAD ETX-2i at this point.

interface Ethernet0
 mtu 1600
 no ip address
!
interface Ethernet0.100
 encapsulation dot1Q 100
 bridge-group 1
!
interface FastEthernet0
 switchport access vlan 100
 switchport mode dot1q-tunnel
 no ip address
!
interface Vlan100
 mtu 1600
 no ip address
 bridge-group 1
!
bridge 1 protocol ieee
!

-- tarko
Re: [c-nsp] Trunked VLANs over FTTC VDSL2
hey,

> It is disappointing that Cisco do not seem to have implemented q-in-q support on the Ethernet0 interface, on the 887 or 897.

At least the commands for specifying second dot1q are missing so it's very clear the functionality is not there.

-- tarko
Re: [c-nsp] Cache DNS servers
hey,

> Any suggestions?

Unbound works great. You also need to do proper testing and tuning for your environment.

-- tarko
Re: [c-nsp] Cisco IOS SLB performance under Supervisor 2T
hey, Right now it’s either F5 or Citrix for large-scale load balancing. Or our beloved L3/L4 which you mentioned in previous post. Intelligent Traffic Director (ITD) was just released on nexus platforms. Might be worth it to check it out.

-- tarko
Re: [c-nsp] dai / dhcp snooping bug
hey,

> Another idea would be to see if I could configure the dhcp server to just ignore unicast requests (easier than putting ACL's on the switches).

You can configure ACL on the server as well (read: iptables or so). All relayed packets will use router interface IP as source address (at least cisco relay does that, some other platforms use egress interface IP but it's usually configurable). This way you can permit your actual interface IPs and deny rest thus blocking unicast renewals directly from DHCP clients.

It's not ideal, as you have to keep list of /32s or so in the ACL but at least you can keep the ACL in few places and not distribute it to all network devices.

-- tarko
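An added example, not part of the original post: a sketch of the server-side ACL described above, generating the `iptables` rules from a list of relay source addresses and checking which DHCP packets they would pass. The addresses are constructed documentation-range values, the function names are hypothetical, and it assumes the DHCP daemon receives on an ordinary UDP socket so that netfilter `INPUT` rules apply to it.

```python
import ipaddress

DHCP_SERVER_PORT = 67  # UDP port the DHCP server listens on


def parse_relays(relay_addrs):
    """Validate and de-duplicate relay source addresses (one /32 each)."""
    relays = {ipaddress.IPv4Address(a) for a in relay_addrs}
    if not relays:
        # An empty permit list would leave only the final DROP rule.
        raise ValueError("empty relay list would drop every DHCP request")
    return sorted(relays)


def build_rules(relay_addrs, chain="INPUT"):
    """Permit UDP/67 from each relay address, then drop everything else."""
    rules = [
        f"iptables -A {chain} -p udp --dport {DHCP_SERVER_PORT} -s {r}/32 -j ACCEPT"
        for r in parse_relays(relay_addrs)
    ]
    rules.append(f"iptables -A {chain} -p udp --dport {DHCP_SERVER_PORT} -j DROP")
    return rules


def verdict(src_ip, relay_addrs):
    """What the rule set above does with a DHCP packet from src_ip."""
    allowed = parse_relays(relay_addrs)
    return "ACCEPT" if ipaddress.IPv4Address(src_ip) in allowed else "DROP"


# Constructed sample data: relay interface addresses (one listed twice on purpose).
RELAYS = ["192.0.2.1", "192.0.2.65", "192.0.2.1"]

# Constructed sample packets: (source IP, what the packet is).
SAMPLE_PACKETS = [
    ("192.0.2.1", "relayed request, sourced from the relay's interface address"),
    ("192.0.2.77", "unicast renewal sent directly by a client"),
    ("198.51.100.9", "relay sourcing from an egress interface that is not listed"),
]


def evaluate(packets=SAMPLE_PACKETS, relays=RELAYS):
    """Return (source, verdict, note) for each sample packet."""
    return [(src, verdict(src, relays), note) for src, note in packets]


if __name__ == "__main__":
    print("\n".join(build_rules(RELAYS)))
    for src, action, note in evaluate():
        print(f"{action:6} {src:15} {note}")
```

The third sample packet shows the maintenance cost the post mentions: a relay that sources from a different interface is dropped until its address is added to the list.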
Re: [c-nsp] vs ip device tracking on cisco3850
hey,

> I have been troubleshooting a similar problem with IP device tracking on a CAT4500 with SUP8. IDT was enabled by default and there was really no way to properly disable it.

AFAIR it was possible to disable it per interface, and that's not really a solution. There was no global no ip device tracking knob. It was indeed fixed later by code upgrade.

-- tarko
Re: [c-nsp] DHCP relay still forwarding to old helper even if it's removed or changed
hey,

> I tried to change the helper address, but after making the change, the box was still routing broadcasts to the old helper.

Are you 100% sure it's actually relayed traffic and not DHCP client that remembers DHCP server address and unicasts the request?

-- tarko
Re: [c-nsp] Configure 802.1Q on HWIC-4SHDSL-E
hey,

> As a background: there's carriers that require you to tag the traffic on the carrier side. Stupid idea? dunno. Breaking all sort of CPEs? betcha!

He requested config for EFM (bonding). EFM and VDSL2 both have ethernet encapsulation and use vlan tags instead ATM PVCs. Stupid? Don't think so.

-- tarko
Re: [c-nsp] replace Huawei HG863 GPON terminal with Cisco gear
hey,

> This is not so true no more, there are multiple ISP's rolling out 3Play services with automatic remote provisioning of devices so you can't connect your CPE easily.

Sure, but it's not DSL protocol related. If you choose to, you can always block BYOCPE.

-- tarko
Re: [c-nsp] replace Huawei HG863 GPON terminal with Cisco gear
hey,

> so even once Huawei releases its GPON ONT in SFP form-factor which is compatible with their GPON OLT in OMCI protocol wise, it won't help as long as service profile in OLT operated by ISP is not updated?

Correct. As I already wrote, GPON is not like, for example, DSL, where you can easily bring your own CPE.

-- tarko
Re: [c-nsp] replace Huawei HG863 GPON terminal with Cisco gear
hey,

> All those messages seem to be driven by OLT. I guess that those requests/instructions from OLT to ONT are defined in service profile in OLT?

Correct.

-- tarko
Re: [c-nsp] replace Huawei HG863 GPON terminal with Cisco gear
hey,

> So I guess this Huawei GPON ONT in SFP form-factor will be something like RAD MIRICi-155(http://www.radproductsonline.com/support/cs11c01/radcnt/mediaserver/18805_MIRICI-155.pdf) which supports management over web-interface(or maybe even CLI is available)

SFP form-factor is SFP :)

> one could change the serial-number of this ONT? Is the 16

Why do you insist changing this? If you have compatible ONT just let ISP change the serial in their end (*).

> hex characters some sort of industry-standard or is this vendor-specific as well?

To my best knowledge, it's standard.

(*) In real life, it's not that easy. ONT is provisioned using service profiles that are defined in OLT. Profile defines things like number of expected ethernet ports in ONT, number of POTS ports, IP/routing capabilities, vlan mappings from GEM to ONT ports etc. When you have mismatch between profile and real life (ie. you replace 4-port ONT with SFP that says 1 ethernet port in its capabilities in OMCI), ONT will not be provisioned.

(G)PON is not like DSL, don't expect to bring your own ONT.

-- tarko
Re: [c-nsp] replace Huawei HG863 GPON terminal with Cisco gear
hey,

> In summary, is it even technically possible to replace ONT installed by my ISP with a Cisco gear?

I'd say no. Problem lies in missing OMCI interoperability between vendors. Every vendor is using proprietary extensions to OMCI, I've tried mixing vendors and some ONTs get further in bootup process than others. So it's not only authentication you have to worry about, but OMCI as well.

PS! Huawei will soon have GPON ONT in SFP form-factor available, that would solve the interoperability issue and would allow you to use it in any SFP compliant device.

-- tarko
Re: [c-nsp] wisdom of switchport block ...
hey,

> I am looking at tightening up my subscriber access network and, if I understand the documentation correctly, 'switchport block unicast' will prevent a cisco switch (3560g in this case) from flooding unicast frames out any port so configured, unless the destination mac address was learned from that port.

Blocking unknown unicast is very typical for access networks using service-vlans (or N:1, whatever you like to call it). MAC aging and DHCP lease timers will have to be tuned accordingly, make sure DHCP aging. This way DHCP renewals will keep active addresses in the MAC table.

-- tarko
Re: [c-nsp] wisdom of switchport block ...
hey, Let's not forget STP topology change notifications (TCNs) because they'll cause the MAC address entries to age out in forward-delay (15 sec) or even immediately with Rapid-STP. TCN will also screw up IGMP snooping and will cause multicast flooding for N * general-query-timeout. As a best practice, run all customer facing ports with portfast and BPDU guard.

-- tarko
Re: [c-nsp] Transparent WAN Encryption
hey,

> If you are using a private MPLS (I.e. Not over Internet) have Cisco CE routers consider GETVPN.

There is no reason why you can't use GETVPN inside L3VPN. This is exactly one use case for GETVPN and many people are using it successfully.

If you don't trust your provider at all, encrypting in CPE doesn't fly and you need separate routers. It's still good protection against traffic interception by 3rd party.

-- tarko
Re: [c-nsp] DHCPv6
hey,

> *Please* keep is DHCPv6 or RA the loonie camp? *off* cisco-nsp.

While it's not correct place for political discussions, it's good to see this in vendor specific lists where people deal with actual networks and actual deployments.

This, in my mind, is another example why default route in DHCPv6 should happen - people expect it to be there. Same for extended options in RA.

-- tarko
Re: [c-nsp] 6PE FIB usage on 6500/7600
hey,

> I'll keep everything native, and will continue to carry BGPv6 in my core until I can safely remove it a la BGPv4 with an IPv6-signaled MPLS.

What about QOS? MPLS EXP is a great way to carry QOS markings without overriding TOS/DSCP/TC sent, seen and used by customers.

-- tarko
Re: [c-nsp] MPLS down to the CPE
hey,

> We kept them in the IS-IS level (i.e., L2-only), as Inter-Area MPLS-TE is not supported without resorting to deploying expanded loose hops for RSVP-TE sessions (p2p and p2mp).

FYI, starting from R11, ALU supports automatic ABR selection for inter-area RSVP LSPs. You don't need to manually specify loose hops any more.

-- tarko
Re: [c-nsp] TDMOP solution
hey,

> Does this warning extend to MiTOP[0].

Yes it does, they run the same software. But as MiTOP is for single E1, you curse and configure it once and then forget so I'd say management issues are not that important for it.

I pointed it out because it's really annoying on bigger boxes where you might make a mistake while configuring new service and then would need to reboot whole box to restore management which will also disturb all existing services.

-- tarko
Re: [c-nsp] TDMOP solution
hey,

> I did some research and came across a non-Cisco product RAD Data Communications GMUX-2000 which can supposedly perform the TDMOP functions but I have never worked with their gear before so have no previous experience w/ this company and their product.

Stay away from RAD - horrible software quality. Pressing back button in web interface (because CLI is even more horrible) at the wrong time locks up whole management and is resolvable only by box reboot, just as an example. They also don't have full TDMoMPLS implementation for most devices, only static labels.

> Also I am curious if anyone has any recommendations from the Cisco side (as that is where my experience lies). I would think an MPLS enabled core would be prerequisite in order to tunnel TDM traffic across an IP infrastructure with appropriate translation devices.

From Cisco ASR901/903 but I suggest you to consider Alcatel 7705 SAR (which we are using very successfully). Technically MPLS is not needed, there is also pure IP or GRE encapsulation available for some vendors but YMMV regarding interop, MPLS is really the safest way.

-- tarko
Re: [c-nsp] Basic understanding of 6PE and 6VPE
hey,

> If the intermediary routers are ipv6 capable don't omit placing an ipv6 address on interfaces. 6pe should only be a stopgap until the devices can do native.

Doesn't make any sense before we have IPv6 MPLS implementation. We MPLS switch all IPv4 packets (QOS based on EXP, so we don't have to reset DSCP, being one of the reasons), for example.

-- tarko
Re: [c-nsp] Cisco 3750
hey,

> 1000 for 3750 series.

Plus *,G and S,G will be counted separate, so in reality it's 500 PIM ASM routes.

-- tarko
Re: [c-nsp] Preventing host with lower ip to become IGMP querier
hey,

> Forgot to say, it's Cisco 3560.

What you are looking for is called multicast router guard

http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html

I've pushed cisco to make it available on platforms smaller than 6500 but no success so far. Their general reasoning is that if you deal with insecure endpoints, use MVR.

-- tarko
Re: [c-nsp] Shared vs Independent VLAN learning with Q-in-Q
hey,

> All Catalyst switches have per-VLAN FIBs, if that's what you're asking. Aren't all switches like that these days?

With QinQ you need to look at inner vlan as well. I don't think any cisco switch can do it. And yes, it's actually a problem, consider 2 different inner vlans with vrrp routers on two sites connected by QinQ. You'll get constant vrrp mac flapping between endpoints.

If it's only 2 endpoints you could always turn off mac learning completely.

-- tarko
Re: [c-nsp] IPTV Switch Recommendation
hey,

> We have a customer that does lots of IPTV - they have a new deployment currently going into an MDU (condos). They have asked for a recommended switch that is IPTV friendly - I'm presuming they mean multicast aware etc.

I have been down this road - don't waste your time with cheaper vendors, you will end up replacing the gear anyway.

> Which Cisco switches would be recommended to handoff approximately 20 Cat5 drops fed by fiber coming in?

2960 does fine job. You now get all the security features that were available on 3750 only, on 2960 too. ME2400 used to be an alternative but it always looked like a box made for one customer and it's EOS now anyway.

-- tarko
Re: [c-nsp] 6500 Netflow
hey,

> This is not how per interface works. Flows are only created in the netflow table for interfaces it is enabled on.

this is good news. what about egress netflow? it's configurable today but it only gets software switched packets. is this something that's doable or is there just no hardware support?

-- tarko
Re: [c-nsp] Logging remote access logins
hey,

> Is there an easy way to log remote access login attempts on the cisco kit? I see there is a way to enable configuration change logs but I don't see an option to log accepted logins / failed logins etc.

login (on-failure|on-success) log

with recent enough (12.2S, 12.4T) software

-- tarko
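An added example, not part of the original post: once `login on-failure log` and `login on-success log` are configured, the resulting syslog messages can be reviewed for repeated failures and for a success that follows them from the same source. The log lines below are constructed, the `%SEC_LOGIN` message layout they follow is an assumption about what these commands emit, and the function names and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Matches the login messages and captures the bracketed field section.
MSG_RE = re.compile(r"%SEC_LOGIN-\d-(LOGIN_FAILED|LOGIN_SUCCESS):(.*)$")
# Matches one "[key: value]" field; the value may be empty or contain colons.
FIELD_RE = re.compile(r"\[([^:\]]+):\s*([^\]]*)\]")

# Constructed sample syslog lines (assumed message format).
SAMPLE_LOG = [
    "Mar  4 10:23:01 rtr1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:23:01 UTC Tue Mar 4 2008",
    "Mar  4 10:23:05 rtr1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:23:05 UTC Tue Mar 4 2008",
    "Mar  4 10:23:06 rtr1 103: %SYS-5-CONFIG_I: Configured from console by noc on vty0 (192.0.2.10)",
    "Mar  4 10:23:08 rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: noc] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 10:23:08 UTC Tue Mar 4 2008",
    "Mar  4 10:23:09 rtr1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:23:09 UTC Tue Mar 4 2008",
    "Mar  4 10:23:15 rtr1 106: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 192.0.2.10] [localport: 22] at 10:23:15 UTC Tue Mar 4 2008",
    "Mar  4 10:23:20 rtr1 107: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 203.0.113.7] [localport: 22] at 10:23:20 UTC Tue Mar 4 2008",
]


def parse_line(line):
    """Return a dict for a login message, or None for any other log line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "event": m.group(1),
        "user": fields.get("user", ""),
        "source": fields.get("source", ""),
        "reason": fields.get("reason", ""),
    }


def summarize(lines, threshold=3):
    """Flag sources reaching `threshold` consecutive failures, and any
    success from a source that had already reached that threshold."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["source"]
        if ev["event"] == "LOGIN_FAILED":
            failures[src] += 1
            if failures[src] == threshold:
                findings.append(("repeated-failures", src, ev["user"]))
        else:
            if failures[src] >= threshold:
                findings.append(("success-after-failures", src, ev["user"]))
            failures[src] = 0  # a success resets the streak for that source
    return findings


if __name__ == "__main__":
    for kind, src, user in summarize(SAMPLE_LOG):
        print(f"{kind:24} source={src} user={user}")
```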
Re: [c-nsp] L2TPv3 for simple static ethernet xconnect on small platform
hey,

> Is someone on this list using L2TPv3 in a simple, static setup, plain ethernet Xconnect, running on c1841?

I have one 1812 7200 and it works just fine

-- tarko
Re: [c-nsp] RSP720 WS-X6704-10GE
hey,

> Do these cards work together?

RSP720 + WS-X6704-10GE works fine

-- tarko
Re: [c-nsp] Equal cost load balancing between geographically dispersed sites
hey,

> At each distribution switch (dist1 and dist2), I need to be able to load balance traffic out to the WAN. At this stage I'm only concerned with outbound (LAN to WAN) load balancing. This is the only key requirement - effective use of both (expensive) WAN links is my goal.

Assuming you use 2 DMVPN tunnels today (main and backup set with igp metrics), you could split it up to 4 tunnels and tune metrics so half (or whatever % you need) of the wan offices use wan1 as primary, another half wan2.

If you tune backup metrics high enough, the primary paths will always be preferred, no matter how long the path through the network is - unless there is an outage.

-- tarko
Re: [c-nsp] Crypto and CEF
hey,

> Can anyone verify a SRB image?

#sh ver | i ^Cisco
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRB1, RELEASE SOFTWARE (fc3)
#sh ip int gi2/1 | i Proxy ARP
  Proxy ARP is enabled
  Local Proxy ARP is disabled
#sh run int gi2/1 | i arp
#

-- tarko
Re: [c-nsp] BGP and HSRP
hey,

> We get a new location with 2 internet upstreams and I'd like to run HSRP for fail-over. There is a bit of a strange topology though... My carriers gave me 2x2 /30 for two BGP sessions so I can run on both routers a full table BGP session to each of them. The problem(?) is that behind those two routers, there is one router who wants to announce some iBGP stuff to them. If I run HSRP on the LAN side, is it possible to make a peering to the virtual HSRP IP? How would BGP handle this or wouldn't this work at all?

Don't peer with HSRP virtual address. Just use loopbacks and make 2 iBGP sessions from the 3rd router into first two.

-- tarko