Re: [c-nsp] [j-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
hi

I'd like to test with LACP slow, then can see if physical interface still flaps...

Thanks for your support

On Sun, 11 Feb 2024 at 18:02 Saku Ytti wrote:

> On Sun, 11 Feb 2024 at 17:52, james list wrote:
>
> > - why physical interface flaps in DC1 if it is related to lacp ?
>
> 16:39:35.813 Juniper reports LACP timeout (so problem started at
> 16:39:32, (was traffic passing at 32, 33, 34 seconds?))
> 16:39:36.xxx Cisco reports interface down, long after problem has
> already started
>
> Why Cisco reports physical interface down, I'm not sure. But clearly
> the problem was already happening before interface down, and first log
> entry is LACP timeout, which occurs 3s after the problem starts.
> Perhaps Juniper asserts for some reason RFI? Perhaps Cisco resets the
> physical interface once removed from LACP?
>
> > - why the same setup in DC2 does not report issues ?
>
> If this is LACP related software issue, could be difference not
> identified. You need to gather more information, like how does ping
> look throughout this event, particularly before syslog entries. And if
> ping still works up-until syslog, you almost certainly have software
> issue with LACP inject at Cisco, or more likely LACP punt at Juniper.
>
> --
> ++ytti

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] [j-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
Hi

I have a couple of points to ask related to your idea:

- why does the physical interface flap in DC1 if it is related to lacp ?
- why does the same setup in DC2 not report issues ?

NEXUS01# sh logging | in Initia | last 15
2024 Jan 17 22:37:49 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 18 23:54:25 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 19 00:58:13 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 19 07:15:04 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 22 16:03:13 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 25 21:32:29 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 26 18:41:12 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 28 05:07:20 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 29 04:06:52 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Jan 30 03:09:44 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 5 18:13:20 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 6 02:17:25 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 6 22:00:24 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 9 09:29:36 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 9 16:39:36 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)

On Sun, 11 Feb 2024 at 14:36 Saku Ytti wrote:

> On Sun, 11 Feb 2024 at 15:24, james list wrote:
>
> > While on Juniper when the issue happens I always see:
> >
> > show log messages | last 440 | match LACPD_TIMEOUT
> > Jan 25 21:32:27.948 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
> > Feb 9 16:39:35.813 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
>
> Ok so problem always starts by Juniper seeing 3 seconds without LACP
> PDU, i.e. missing 3 consecutive LACP PDU. It would be good to ping
> while this problem is happening, to see if ping stops at 3s before the
> syslog lines, or at the same time as syslog lines.
> If ping stops 3s before, it's link problem from cisco to juniper.
> If ping stops at syslog time (my guess), it's software problem.
>
> There is unfortunately lot of bug surface here, both on inject and on
> punt path. You could be hitting PR1541056 on the Juniper end. You
> could test for this by removing distributed LACP handling with 'set
> routing-options ppm no-delegate-processing'
> You could also do packet capture for LACP on both ends, to try to see
> if LACP was sent by Cisco and received by capture, but not by system.
>
> --
> ++ytti
Re: [c-nsp] [j-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
On Cisco I see physical goes down (initializing), what does that mean?

While on Juniper when the issue happens I always see:

show log messages | last 440 | match LACPD_TIMEOUT
Jan 25 21:32:27.948 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Jan 26 18:41:12.514 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Jan 28 05:07:20.283 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Jan 29 04:06:51.768 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Jan 30 03:09:43.923 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 5 18:13:20.158 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 6 02:17:23.703 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 6 22:00:23.758 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 9 09:29:35.728 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 9 16:39:35.813 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT

On Sun, 11 Feb 2024 at 14:10 Saku Ytti wrote:

> Hey James,
>
> You shared this off-list, I think it's sufficiently material to share.
>
> 2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel101 is down (No operational members)
> 2024 Feb 9 16:39:36 NEXUS1 %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel101: Ethernet1/44 is down
> Feb 9 16:39:35.813 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
> Feb 9 16:39:35.813 2024 MX1 lacpd[31632]: LACP_INTF_DOWN: ae49: Interface marked down due to lacp timeout on member et-0/1/5
>
> We can't know the order of events here, due to no subsecond precision
> enabled on Cisco end.
>
> But if failure would start from interface down, it would take 3 seconds
> for Juniper to realise LACP failure. However we can see that it
> happens in less than 1s, so we can determine the interface was not
> down first, the first problem was Juniper not receiving 3 consecutive
> LACP PDUs, 1s apart, prior to noticing any type of interface state
> related problems.
>
> Is this always the order of events? Does it always happen with Juniper
> noticing problems receiving LACP PDU first?
>
> On Sun, 11 Feb 2024 at 14:55, james list via juniper-nsp wrote:
> >
> > Hi
> >
> > 1) cable has been replaced with a brand new one, they said that to check an
> > MPO 100 Gbs cable is not that easy
> >
> > 3) no errors reported on both sides
> >
> > 2) here the output of cisco and juniper
> >
> > NEXUS1# sh interface eth1/44 transceiver details
> > Ethernet1/44
> >     transceiver is present
> >     type is QSFP-100G-SR4
> >     name is CISCO-INNOLIGHT
> >     part number is TR-FC85S-NC3
> >     revision is 2C
> >     serial number is INL27050TVT
> >     nominal bitrate is 25500 MBit/sec
> >     Link length supported for 50/125um OM3 fiber is 70 m
> >     cisco id is 17
> >     cisco extended id number is 220
> >     cisco part number is 10-3142-03
> >     cisco product id is QSFP-100G-SR4-S
> >     cisco version id is V03
> >
> > Lane Number:1 Network Lane
> >     SFP Detail Diagnostics Information (internal calibration)
> >                    Current              Alarms                  Warnings
> >                    Measurement     High        Low         High        Low
> >     Temperature    30.51 C         75.00 C     -5.00 C     70.00 C     0.00 C
> >     Voltage        3.28 V          3.63 V      2.97 V      3.46 V      3.13 V
> >     Current        6.40 mA         12.45 mA    3.25 mA     12.45 mA    3.25 mA
> >     Tx Power       0.98 dBm        5.39 dBm    -12.44 dBm  2.39 dBm    -8.41 dBm
> >     Rx Power       -1.60 dBm       5.39 dBm    -14.31 dBm  2.39 dBm    -10.31 dBm
> >     Transmit Fault Count = 0
> >
> >     Note: ++ high-alarm;
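A way to check Saku's ordering argument mechanically over the two syslog layouts quoted in this thread, as an added example that is not part of the original posts: it parses Junos LACPD_TIMEOUT lines and NX-OS IF_DOWN_INITIALIZING lines (the sample lines below are constructed from the ones quoted above), pairs each Juniper timeout with the nearest Cisco interface-down event, and tests whether a link-down-first explanation is even possible given the 3-missed-PDU fast-rate timeout and the whole-second resolution of the Cisco timestamps. The regexes, the window, and the result field names are the example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the lines quoted in this thread (not a live capture).
JUNIPER_LOG = """\
Jan 25 21:32:27.948 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 9 16:39:35.813 2024 MX1 lacpd[31632]: LACPD_TIMEOUT: et-0/1/5: lacp current while timer expired current Receive State: CURRENT
Feb 9 16:39:35.813 2024 MX1 lacpd[31632]: LACP_INTF_DOWN: ae49: Interface marked down due to lacp timeout on member et-0/1/5
"""
CISCO_LOG = """\
2024 Jan 25 21:32:29 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 9 16:39:36 NEXUS01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 9 16:39:39 NEXUS01 %ETH_PORT_CHANNEL-5-PORT_UP: port-channel101: Ethernet1/44 is up
"""

# Regexes are this example's own; they match the two syslog layouts quoted in the thread.
JUNOS_TIMEOUT = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d+ \d{4}) \S+ lacpd\[\d+\]: LACPD_TIMEOUT: (\S+):")
NXOS_IF_DOWN = re.compile(
    r"^(\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ %ETHPORT-5-IF_DOWN_INITIALIZING: Interface (\S+) is down")

PDU_INTERVAL = timedelta(seconds=1)       # LACP fast rate: a PDU is expected every second
MISSED_PDUS = 3                           # fast-rate current-while timer expires after 3 missed PDUs
CISCO_RESOLUTION = timedelta(seconds=1)   # Nexus timestamps here carry no subsecond part


def parse_juniper_timeouts(text):
    """(timestamp, member interface) for every LACPD_TIMEOUT line."""
    events = []
    for line in text.splitlines():
        m = JUNOS_TIMEOUT.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f %Y"), m.group(2)))
    return events


def parse_cisco_downs(text):
    """(timestamp, interface) for every IF_DOWN_INITIALIZING line; timestamp is truncated to the second."""
    events = []
    for line in text.splitlines():
        m = NXOS_IF_DOWN.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S"), m.group(2)))
    return events


def correlate(juniper_text, cisco_text, window=timedelta(seconds=10)):
    """Pair each Juniper LACP timeout with the nearest Cisco interface-down and test the ordering.

    A fast-rate timeout means the last PDU arrived about MISSED_PDUS seconds earlier, so the
    loss started at timeout - 3 s. If the physical link had gone down first, Juniper could not
    have timed out before cisco_down + 3 s; because the Cisco clock is truncated to whole
    seconds, the earliest the Cisco event can have happened is the logged second itself.
    """
    downs = parse_cisco_downs(cisco_text)
    results = []
    for j_ts, member in parse_juniper_timeouts(juniper_text):
        loss_start = j_ts - MISSED_PDUS * PDU_INTERVAL
        nearest = min(downs, key=lambda d: abs(d[0] - j_ts), default=None)
        if nearest is None or abs(nearest[0] - j_ts) > window:
            results.append({"member": member, "juniper_timeout": j_ts, "loss_start": loss_start,
                            "cisco_down": None, "link_down_first_possible": None})
            continue
        c_ts = nearest[0]
        results.append({
            "member": member,
            "juniper_timeout": j_ts,
            "loss_start": loss_start,
            "cisco_down": c_ts,
            "cisco_down_latest": c_ts + CISCO_RESOLUTION,   # true instant lies in [c_ts, c_ts + 1 s)
            "juniper_logged_first": j_ts < c_ts,
            "link_down_first_possible": c_ts + MISSED_PDUS * PDU_INTERVAL <= j_ts,
        })
    return results


if __name__ == "__main__":
    for r in correlate(JUNIPER_LOG, CISCO_LOG):
        print(r)
```

For the Feb 9 pair the Juniper timeout at 16:39:35.813 precedes even the earliest possible Cisco instant (16:39:36.000), and a link-down-first sequence would have required the Cisco event at or before 16:39:32.813, so that hypothesis is ruled out for every pair in the sample; what the code cannot do is resolve sub-second ordering on the Cisco side, which is exactly why a ping or a capture alongside the logs was asked for.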
Re: [c-nsp] [j-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
Hi

1) cable has been replaced with a brand new one, they said that to check an MPO 100 Gbs cable is not that easy

3) no errors reported on both sides

2) here the output of cisco and juniper

NEXUS1# sh interface eth1/44 transceiver details
Ethernet1/44
    transceiver is present
    type is QSFP-100G-SR4
    name is CISCO-INNOLIGHT
    part number is TR-FC85S-NC3
    revision is 2C
    serial number is INL27050TVT
    nominal bitrate is 25500 MBit/sec
    Link length supported for 50/125um OM3 fiber is 70 m
    cisco id is 17
    cisco extended id number is 220
    cisco part number is 10-3142-03
    cisco product id is QSFP-100G-SR4-S
    cisco version id is V03

Lane Number:1 Network Lane
    SFP Detail Diagnostics Information (internal calibration)
                   Current              Alarms                  Warnings
                   Measurement     High        Low         High        Low
    Temperature    30.51 C         75.00 C     -5.00 C     70.00 C     0.00 C
    Voltage        3.28 V          3.63 V      2.97 V      3.46 V      3.13 V
    Current        6.40 mA         12.45 mA    3.25 mA     12.45 mA    3.25 mA
    Tx Power       0.98 dBm        5.39 dBm    -12.44 dBm  2.39 dBm    -8.41 dBm
    Rx Power       -1.60 dBm       5.39 dBm    -14.31 dBm  2.39 dBm    -10.31 dBm
    Transmit Fault Count = 0

    Note: ++ high-alarm; + high-warning; -- low-alarm; - low-warning

Lane Number:2 Network Lane
    SFP Detail Diagnostics Information (internal calibration)
                   Current              Alarms                  Warnings
                   Measurement     High        Low         High        Low
    Temperature    30.51 C         75.00 C     -5.00 C     70.00 C     0.00 C
    Voltage        3.28 V          3.63 V      2.97 V      3.46 V      3.13 V
    Current        6.40 mA         12.45 mA    3.25 mA     12.45 mA    3.25 mA
    Tx Power       0.62 dBm        5.39 dBm    -12.44 dBm  2.39 dBm    -8.41 dBm
    Rx Power       -1.18 dBm       5.39 dBm    -14.31 dBm  2.39 dBm    -10.31 dBm
    Transmit Fault Count = 0

    Note: ++ high-alarm; + high-warning; -- low-alarm; - low-warning

Lane Number:3 Network Lane
    SFP Detail Diagnostics Information (internal calibration)
                   Current              Alarms                  Warnings
                   Measurement     High        Low         High        Low
    Temperature    30.51 C         75.00 C     -5.00 C     70.00 C     0.00 C
    Voltage        3.28 V          3.63 V      2.97 V      3.46 V      3.13 V
    Current        6.40 mA         12.45 mA    3.25 mA     12.45 mA    3.25 mA
    Tx Power       0.87 dBm        5.39 dBm    -12.44 dBm  2.39 dBm    -8.41 dBm
    Rx Power       0.01 dBm        5.39 dBm    -14.31 dBm  2.39 dBm    -10.31 dBm
    Transmit Fault Count = 0

    Note: ++ high-alarm; + high-warning; -- low-alarm; - low-warning

Lane Number:4 Network Lane
    SFP Detail Diagnostics Information (internal calibration)
                   Current              Alarms                  Warnings
                   Measurement     High        Low         High        Low
    Temperature    30.51 C         75.00 C     -5.00 C     70.00 C     0.00 C
    Voltage        3.28 V          3.63 V      2.97 V      3.46 V      3.13 V
    Current        6.40 mA         12.45 mA    3.25 mA     12.45 mA    3.25 mA
    Tx Power       0.67 dBm        5.39 dBm    -12.44 dBm  2.39 dBm    -8.41 dBm
    Rx Power       0.11 dBm        5.39 dBm    -14.31 dBm  2.39 dBm    -10.31 dBm
    Transmit Fault Count = 0

    Note: ++ high-alarm; + high-warning; -- low-alarm; - low-warning

MX1> show interfaces diagnostics optics et-1/0/5
Physical interface: et-1/0/5
    Module temperature                        :  38 degrees C / 100 degrees F
    Module voltage                            :  3.2740 V
    Module temperature high alarm             :  Off
    Module temperature low alarm              :  Off
    Module temperature high warning           :  Off
    Module temperature low warning            :  Off
    Module voltage high alarm
Re: [c-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
un int port-channel 101
interface port-channel101
  description <[To MX1|Et-0/1/5]>
  mtu 9216
  no ip redirects

NEXUS01# sh run int port-channel 101.2303
interface port-channel101.2303
  description <[To MX1|Et-0/1/5]>
  mtu 9216
  encapsulation dot1q 2303
  vrf member SIA
  bfd ipv4 interval 250 min_rx 250 multiplier 3
  no ip redirects
  ip address 172.16.6.18/30
  no shutdown

JUNIPER

MX1> show configuration interfaces ae49
description "link to NEXUS01";
flexible-vlan-tagging;
mtu 9192;
encapsulation flexible-ethernet-services;
aggregated-ether-options {
    lacp {
        active;
        periodic fast;
    }
}
unit 2303 {
    vlan-id 2303;
    family inet {
        mtu 1500;
        address 172.16.6.17/30;
    }
}

LACP counters:

CISCO

NEXUS01# sh lacp counters
NOTE: Clear lacp counters to get accurate statistics
--
                    LACPDUs              Markers/Resp LACPDUs
Port               Sent      Recv       Recv   Sent   Pkts Err
--
port-channel101
Ethernet1/44       6123011   6118981    0      0      0

NEXUS1# sh lacp interface eth1/44
Interface Ethernet1/44 is up
  Channel group is 101 port channel is Po101
  PDUs sent: 6123014
  PDUs rcvd: 6118984
  Markers sent: 0
  Markers rcvd: 0
  Marker response sent: 0
  Marker response rcvd: 0
  Unknown packets rcvd: 0
  Illegal packets rcvd: 0
Lag Id: [ [(7f, c4-9-b7-64-30-38, 32, 7f, 18), (8000, b0-8b-cf-83-49-5b, 64, 8000, 1ad)] ]
Operational as aggregated link since Fri Feb 9 16:39:39 2024

Local Port: Eth1/44   MAC Address= b0-8b-cf-83-49-5b
  System Identifier=0x8000,  Port Identifier=0x8000,0x1ad
  Operational key=100
  LACP_Activity=active
  LACP_Timeout=Short Timeout (1s)
  Synchronization=IN_SYNC
  Collecting=true
  Distributing=true
  Partner information refresh timeout=Short Timeout (3s)
Actor Admin State=63
Actor Oper State=63
Neighbor: 0x18
  MAC Address= c4-9-b7-64-30-38
  System Identifier=0x7f,  Port Identifier=0x7f,0x18
  Operational key=50
  LACP_Activity=active
  LACP_Timeout=short Timeout (1s)
  Synchronization=IN_SYNC
  Collecting=true
  Distributing=true
Partner Admin State=63
Partner Oper State=63
Aggregate or Individual(True=1)= 1

JUNIPER

MX1> show lacp interfaces ae49 extensive
Aggregated interface: ae49
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      et-0/1/5       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      et-0/1/5     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      et-0/1/5                  Current   Fast periodic Collecting distributing
    LACP info:        Role     System             System       Port    Port    Port
                               priority       identifier     priority  number    key
      et-0/1/5       Actor        127  c4:09:b7:64:30:38        127      24     50
      et-0/1/5     Partner      32768  b0:8b:cf:83:49:5b      32768     429    100

On Sun, 11 Feb 2024 at 13:07 Gert Doering wrote:

> HI,
>
> On Sun, Feb 11, 2024 at 12:50:32PM +0100, james list wrote:
> > 2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN:
> > Interface port-channel101 is down (No operational members)
>
> So there is no *BGP* problem here, but a lower layer issue.
>
> Let me repeat that part about "error counters on the interface"...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                                        Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
Re: [c-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
DC technicians state cables are the same in both DCs and direct, no patch panel

Cheers

On Sun, 11 Feb 2024 at 11:20 nivalMcNd d wrote:

> Can it be DC1 is connecting links over an intermediary patch panel and you
> face fibre disturbance? That may be eliminated if your interfaces on DC1
> links do not go down
>
> On Sun, Feb 11, 2024, 21:16 Igor Sukhomlinov via cisco-nsp <
> cisco-nsp@puck.nether.net> wrote:
>
>> Hi James,
>>
>> Do you happen to run the same software on all nexuses and all MXes?
>> Do the DC1 and DC2 bgp session exchange the same amount of routing updates
>> across the links?
>>
>>
>> On Sun, Feb 11, 2024, 21:09 james list via cisco-nsp <
>> cisco-nsp@puck.nether.net> wrote:
>>
>> > Dear experts
>> > we have a couple of BGP peers over a 100 Gbs interconnection between
>> > Juniper (MX10003) and Cisco (Nexus N9K-C9364C) in two different datacenters
>> > like this:
>> >
>> > DC1
>> > MX1 -- bgp -- NEXUS1
>> > MX2 -- bgp -- NEXUS2
>> >
>> > DC2
>> > MX3 -- bgp -- NEXUS3
>> > MX4 -- bgp -- NEXUS4
>> >
>> > The issue we see is that sporadically (ie every 1 to 3 days) we notice BGP
>> > flaps only in DC1 on both interconnections (not at the same time), there is
>> > still no traffic since once noticed the flaps we have blocked deploy on
>> > production.
>> >
>> > We've already changed SFP (we moved the ones from DC2 to DC1 and vice versa)
>> > and cables on both the interconnection at DC1 without any solution.
>> >
>> > SFP we use in both DCs:
>> >
>> > Juniper - QSFP-100G-SR4-T2
>> > Cisco - QSFP-100G-SR4
>> >
>> > over MPO cable OM4.
>> >
>> > Distance is DC1 70 mt and DC2 80 mt, hence it is less where we see the issue.
>> >
>> > Any idea or suggestion what to check or to do ?
>> >
>> > Thanks in advance
>> > Cheers
>> > James
Re: [c-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
yes same version

currently no traffic exchange is in place, just BGP peer setup no traffic

On Sun, 11 Feb 2024 at 11:16 Igor Sukhomlinov < dvalinsw...@gmail.com> wrote:

> Hi James,
>
> Do you happen to run the same software on all nexuses and all MXes?
> Do the DC1 and DC2 bgp session exchange the same amount of routing updates
> across the links?
>
>
> On Sun, Feb 11, 2024, 21:09 james list via cisco-nsp <
> cisco-nsp@puck.nether.net> wrote:
>
>> Dear experts
>> we have a couple of BGP peers over a 100 Gbs interconnection between
>> Juniper (MX10003) and Cisco (Nexus N9K-C9364C) in two different datacenters
>> like this:
>>
>> DC1
>> MX1 -- bgp -- NEXUS1
>> MX2 -- bgp -- NEXUS2
>>
>> DC2
>> MX3 -- bgp -- NEXUS3
>> MX4 -- bgp -- NEXUS4
>>
>> The issue we see is that sporadically (ie every 1 to 3 days) we notice BGP
>> flaps only in DC1 on both interconnections (not at the same time), there is
>> still no traffic since once noticed the flaps we have blocked deploy on
>> production.
>>
>> We've already changed SFP (we moved the ones from DC2 to DC1 and vice versa)
>> and cables on both the interconnection at DC1 without any solution.
>>
>> SFP we use in both DCs:
>>
>> Juniper - QSFP-100G-SR4-T2
>> Cisco - QSFP-100G-SR4
>>
>> over MPO cable OM4.
>>
>> Distance is DC1 70 mt and DC2 80 mt, hence it is less where we see the issue.
>>
>> Any idea or suggestion what to check or to do ?
>>
>> Thanks in advance
>> Cheers
>> James
Re: [c-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
Hi

One thing I omitted to say is that BGP is over a LACP with currently just one interface 100 Gbs.

I see that the issue is triggered on Cisco when eth interface seems to go in Initializing state:

2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel101 is down (No operational members)
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DOWN_PARENT_DOWN: Interface port-channel101.2303 is down (Parent interface is down)
2024 Feb 9 16:39:36 NEXUS1 %BGP-5-ADJCHANGE: bgp- [xxx] (xxx) neighbor 172.16.6.17 Down - sent: other configuration change
2024 Feb 9 16:39:36 NEXUS1 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel101: first operational port changed from Ethernet1/44 to none
2024 Feb 9 16:39:36 NEXUS1 %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel101: Ethernet1/44 is down
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_BANDWIDTH_CHANGE: Interface port-channel101,bandwidth changed to 10 Kbit
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/44 is down (Initializing)
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN: Interface port-channel101 is down (No operational members)
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-SPEED: Interface port-channel101, operational speed changed to 100 Gbps
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_DUPLEX: Interface port-channel101, operational duplex mode changed to Full
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_RX_FLOW_CONTROL: Interface port-channel101, operational Receive Flow Control state changed to off
2024 Feb 9 16:39:36 NEXUS1 %ETHPORT-5-IF_TX_FLOW_CONTROL: Interface port-channel101, operational Transmit Flow Control state changed to off
2024 Feb 9 16:39:39 NEXUS1 %ETH_PORT_CHANNEL-5-PORT_UP: port-channel101: Ethernet1/44 is up
2024 Feb 9 16:39:39 NEXUS1 %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel101: first operational port changed from none to Ethernet1/44
2024 Feb 9 16:39:39 NEXUS1 %ETHPORT-5-IF_BANDWIDTH_CHANGE: Interface port-channel101,bandwidth changed to 1 Kbit
2024 Feb 9 16:39:39 NEXUS1 %ETHPORT-5-IF_UP: Interface Ethernet1/44 is up in Layer3
2024 Feb 9 16:39:39 NEXUS1 %ETHPORT-5-IF_UP: Interface port-channel101 is up in Layer3
2024 Feb 9 16:39:39 NEXUS1 %ETHPORT-5-IF_UP: Interface port-channel101.2303 is up in Layer3
2024 Feb 9 16:39:43 NEXUS1 %BGP-5-ADJCHANGE: bgp- [xxx] (xxx) neighbor 172.16.6.17 Up

Cheers
James

On Sun, 11 Feb 2024 at 11:12 Gert Doering wrote:

> Hi,
>
> On Sun, Feb 11, 2024 at 11:08:29AM +0100, james list via cisco-nsp wrote:
> > we notice BGP flaps
>
> Any particular error message? BGP flaps can happen due to many different
> reasons, and usually $C is fairly good at logging the reason.
>
> Any interface errors, packet errors, ping packets lost?
>
> "BGP flaps" *can* be related to lower layer issues (so: interface counters,
> error counters, extended pings) or to something unrelated, like "MaxPfx
> exceeded"...
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                                        Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
[c-nsp] Strange issue on 100 Gbs interconnection Juniper - Cisco
Dear experts

we have a couple of BGP peers over a 100 Gbs interconnection between Juniper (MX10003) and Cisco (Nexus N9K-C9364C) in two different datacenters like this:

DC1
MX1 -- bgp -- NEXUS1
MX2 -- bgp -- NEXUS2

DC2
MX3 -- bgp -- NEXUS3
MX4 -- bgp -- NEXUS4

The issue we see is that sporadically (ie every 1 to 3 days) we notice BGP flaps only in DC1 on both interconnections (not at the same time), there is still no traffic since once noticed the flaps we have blocked deploy on production.

We've already changed SFP (we moved the ones from DC2 to DC1 and vice versa) and cables on both the interconnection at DC1 without any solution.

SFP we use in both DCs:

Juniper - QSFP-100G-SR4-T2
Cisco - QSFP-100G-SR4

over MPO cable OM4.

Distance is DC1 70 mt and DC2 80 mt, hence it is less where we see the issue.

Any idea or suggestion what to check or to do ?

Thanks in advance
Cheers
James
Re: [c-nsp] Port-channel not working Juniper vs Cisco
, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3
Jun 11 12:18:20.621 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 585, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3.0
Jun 11 12:18:25.221 2023 mib2d[9005]: SNMP_TRAP_LINK_DOWN: ifIndex 745, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/2/3
Jun 11 12:18:26.621 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 745, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3
Jun 11 12:18:26.621 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 585, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3.0
Jun 11 12:18:31.221 2023 mib2d[9005]: SNMP_TRAP_LINK_DOWN: ifIndex 745, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/2/3
Jun 11 12:18:32.621 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 745, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3
Jun 11 12:18:32.621 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 585, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3.0
Jun 11 12:18:36.721 2023 mib2d[9005]: SNMP_TRAP_LINK_DOWN: ifIndex 745, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/2/3
Jun 11 12:18:37.721 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 745, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3
Jun 11 12:18:37.721 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 585, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3.0
Jun 11 12:18:42.221 2023 mib2d[9005]: SNMP_TRAP_LINK_DOWN: ifIndex 745, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/2/3
Jun 11 12:18:42.721 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 745, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3
Jun 11 12:18:42.721 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 585, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3.0
Jun 11 12:18:47.721 2023 mib2d[9005]: SNMP_TRAP_LINK_DOWN: ifIndex 745, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/2/3
Jun 11 12:18:48.721 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 745, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3
Jun 11 12:18:48.721 2023 mib2d[9005]: SNMP_TRAP_LINK_UP: ifIndex 585, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/2/3.0
Jun 11 12:18:53.221 2023 mib2d[9005]: SNMP_TRAP_LINK_DOWN: ifIndex 745, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/2/3

CISCO

#sh int eth1/41 transceiver calibrations
Ethernet1/41
    transceiver is present
    type is 1000base-SX
    name is CISCO-FINISAR
    part number is FTLF8519P2BCL-CS
    revision is
    serial number is FNS11150LN8
    nominal bitrate is 1300 MBit/sec
    cisco id is 3
    cisco extended id number is 4
    cisco part number is 30-1301-02
    SFP is internally calibrated

# sh int eth1/41
Ethernet1/41 is down (Link not connected)
admin state is up, Dedicated Interface
  Belongs to Po41
  Hardware: 100/1000/1/25000 Ethernet, address: 502f.a8ea.bbb0 (bia 502f.a8ea.bbb0)
  Description: <[To EX4400]>
  MTU 1500 bytes, BW 2500 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  Port mode is trunk
  auto-duplex, auto-speed, media type is 1G
  Beacon is turned off
  Auto-Negotiation is turned on  FEC mode is Auto
  Input flow-control is off, output flow-control is off
  Auto-mdix is turned off
  Rate mode is dedicated
  Switchport monitor is off
  EtherType is 0x8100
  EEE (efficient-ethernet) : n/a
  Last link flapped never
  Last clearing of "show interface" counters 3d20h
  0 interface resets
  Load-Interval #1: 30 seconds
    30 seconds input rate 0 bits/sec, 0 packets/sec
    30 seconds output rate 0 bits/sec, 0 packets/sec
    input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
  Load-Interval #2: 5 minute (300 seconds)
    300 seconds input rate 0 bits/sec, 0 packets/sec
    300 seconds output rate 0 bits/sec, 0 packets/sec
    input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
  RX
    0 unicast packets  0 multicast packets  0 broadcast packets
    0 input packets  0 bytes
    0 jumbo packets  0 storm suppression bytes
    0 runts  0 giants  0 CRC  0 no buffer
    0 input error  0 short frame  0 overrun   0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard
    0 Rx pause
  TX
    0 unicast packets  0 multicast packets  0 broadcast packets
    0 output packets  0 bytes
    0 jumbo packets
    0 output error  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble  0 output discard
    0 Tx pause

On Sun, 11 Jun 2023 at 09:59 Saku Ytti wrote:

> You've changed JNPR from 30s to 1s, but not CSCO. I'm not sure if this
> is the only problem, as insufficient data is shown about the state and
> LACP PDUs.
>
> I believe the command is 'lacp rate fast' or 'lacp period short', to
> reduce risk of operators getting bored, In your case, the former.
>
> On Sun, 11 Jun 2023 at 10:38, james list via cisco-nsp wrote:
> >
> > Dear expert
[c-nsp] Port-channel not working Juniper vs Cisco
Dear expert

we've an issue in setting up a port-channel between a Juniper EX4400 and a Cisco Nexus N9K-C93180YC-EX over an SX 1 Gbs link.

We've implemented the following configuration but on Juniper side the interface is flapping while on Cisco side it remains down.

Light levels seem ok.

Has anyone ever experienced the same ? Any suggestions ?

Thanks in advance for any hint

Kind regards
James

JUNIPER

> show configuration interfaces ae10 | display set
set interfaces ae10 description "to Cisco leaf"
set interfaces ae10 aggregated-ether-options lacp active
set interfaces ae10 aggregated-ether-options lacp periodic fast
set interfaces ae10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae10 unit 0 family ethernet-switching vlan members 301

> show configuration interfaces ge-0/2/3 | display set
set interfaces ge-0/2/3 description "to Cisco leaf"
set interfaces ge-0/2/3 ether-options 802.3ad ae10

> show vlans VLAN_301
Routing instance        VLAN name             Tag          Interfaces
default-switch          VLAN_301              301          ae10.0

CISCO

interface Ethernet1/41
  description <[To EX4400]>
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 301
  channel-group 41 mode active
  no shutdown

interface port-channel41
  description <[To EX4400]>
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 301

# sh vlan id 301
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
301  P2P_xxx                          active    Po1, Po41, Eth1/1, Eth1/41

VLAN Type  Vlan-mode
---- ----- ----------
301  enet  CE

Remote SPAN VLAN
Disabled

Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
Re: [c-nsp] TCP MSS CLAMPING issue
hi

> It's "the Internet". Pointing at clients as being "non compliant" is
> not going to fix your server's operation - otherwise, all this fiddling
> with TCP/MSS would not even be necessary in the first place.

> (Another option would be, of course, to fix your network :-) - so 1500
> byte packets can get through, and no need to reduce the client's MSS)

I guess that nowadays almost all the companies (with a name) rely upon antiDDOS systems using GRE hence I'm wondering why you say we need to fix something on our side.

If there are RFC (=law) I'd expect those are followed, otherwise you cannot complain, am I wrong ?

James

On Sun, 23 Jan 2022 at 18:37 Gert Doering wrote:

> Hi,
>
> On Sun, Jan 23, 2022 at 06:31:40PM +0100, james list wrote:
> > thanks for the feedback.
> >
> > Firewall vendor reports this:
> >
> > " When SYN Cookies is activated, the firewall does not honor the TCP options that the server
> > sends because it does not know these values at the time that it proxies the
> > SYN/ACK. Therefore, values such as the TCP server's window size and MSS
> > values cannot be negotiated during the TCP handshake and the firewall will
> > use its own default values. In the scenario where the MSS of the path to
> > the server is smaller than the firewall's default MSS value, the packet
> > will need to be fragmented. "
>
> It does not have to know what the server would send to always put in an
> MSS option of its own... (but of course the vendor would tell you
> "this is not our fault").
>
> > Here we see the client seems not RFC compliant, since in RFC6691 (
> > https://datatracker.ietf.org/doc/html/rfc6691#appendix-A) is written:
> >
> > "If an MSS option is not received at connection setup, TCP MUST assume a
> > default send MSS of 536 (576-40) [TCP:4]."
> >
> > As recap:
> >
> > 1) during no attack client send MSS 1460 with DF=1, server respond through
> > MSS 1436 (due to GRE), client uses 1436, connection is established
> > correctly with TLS exchange
> > 2) during attack client send MSS 1460 with DF = 1, server (=firewall in
> > this phase due to syn-challenge) respond without MSS, client uses 1460, TLS
> > exchange is broken
> >
> > From my point of view, since RFC6691 state "MUST use 536", the customer is
> > not compliant.
>
> It's "the Internet". Pointing at clients as being "non compliant" is
> not going to fix your server's operation - otherwise, all this fiddling
> with TCP/MSS would not even be necessary in the first place.
>
> (Another option would be, of course, to fix your network :-) - so 1500
> byte packets can get through, and no need to reduce the client's MSS)
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                                        Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
Re: [c-nsp] TCP MSS CLAMPING issue
Hi Gert

thanks for the feedback.

Firewall vendor reports this:

" When SYN Cookies is activated, the firewall does not honor the TCP options that the server sends because it does not know these values at the time that it proxies the SYN/ACK. Therefore, values such as the TCP server’s window size and MSS values cannot be negotiated during the TCP handshake and the firewall will use its own default values. In the scenario where the MSS of the path to the server is smaller than the firewall’s default MSS value, the packet will need to be fragmented. "

Here we see the client seems not RFC compliant, since in RFC6691 (https://datatracker.ietf.org/doc/html/rfc6691#appendix-A) is written:

"If an MSS option is not received at connection setup, TCP MUST assume a default send MSS of 536 (576-40) [TCP:4]."

As recap:

1) during no attack client send MSS 1460 with DF=1, server respond through MSS 1436 (due to GRE), client uses 1436, connection is established correctly with TLS exchange
2) during attack client send MSS 1460 with DF = 1, server (=firewall in this phase due to syn-challenge) respond without MSS, client uses 1460, TLS exchange is broken

From my point of view, since RFC6691 state "MUST use 536", the customer is not compliant.

What do you think ?

Cheers

On Sun, 23 Jan 2022 at 17:40 Gert Doering wrote:
> Hi,
>
> On Sun, Jan 23, 2022 at 05:10:42PM +0100, james list wrote:
> > I suspect the current Cisco implementation does not change MSS because the
> > syn-ack does not contain the MSS option.
>
> If there is no MSS option, nothing can be adjusted - one would need extra
> code to *add* such an option, which is more complex than "change one
> number and adjust the checksum".
>
> So, get your firewall vendor to fix their SYN-ACK-spoofing code.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany                             g...@greenie.muc.de
[c-nsp] TCP MSS CLAMPING issue
Dear experts,

I have tcp adjust-mss configured on an internet link with an ISP like following:

interface GigabitEthernet0/0/0
 description internet WAN link
 ip address x.x.x.x 255.255.255.252
 ip tcp adjust-mss 1436

During DDOS attacks our firewall starts SYN challenge (acting as a proxy) and I see, sniffing traffic over the WAN link, that MSS is not adjusted accordingly from the router.

I suspect the current Cisco implementation does not change MSS because the syn-ack does not contain the MSS option.

Questions:

1) do you know if this is the correct behavior ? I do not find anything official (ASR1k IOS 16.3.7) on www.cisco.com... in case please share the URL
2) any suggestion if there is a way to set the MSS on ASR1k when not received in the syn-ack from the server...

The impact is that then the client does not reduce the segment and at the end the issue comes once the certificate is being exchanged in the TLS session...

Thanks in advance
Cheers
James
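The whole thread turns on two TCP facts: a SYN/ACK that carries no MSS option leaves the peer with the RFC 6691 default of 536, and an MSS clamp such as `ip tcp adjust-mss 1436` can only lower an option that is already there (it edits one 16-bit word and patches the checksum, as Gert describes). The script below is an added example, not code from any poster or from Cisco: it parses the option list of a constructed SYN/ACK header (documentation-range addresses, standard kind 2 / length 4 MSS option), reports the MSS the client will actually use, and performs the clamp with an RFC 1624 incremental checksum update, verifying the result against a full recomputation. A SYN-cookie style SYN/ACK with no options is returned untouched, which is exactly the case the poster saw on the wire.

```python
"""Added example (not from the thread): TCP MSS option inspection and clamping.
Sample headers are constructed, not captured."""
import struct
import ipaddress

RFC6691_DEFAULT_MSS = 536            # 576 - 40: assumed when no MSS option arrives
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2


def parse_tcp_options(tcp_hdr: bytes):
    """Return [(kind, byte_offset, value_bytes)] for every option in the TCP header."""
    data_offset = (tcp_hdr[12] >> 4) * 4          # header length including options
    opts, i = [], 20
    while i < data_offset:
        kind = tcp_hdr[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = tcp_hdr[i + 1] if i + 1 < data_offset else 0
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option at offset %d" % i)
        opts.append((kind, i, bytes(tcp_hdr[i + 2:i + length])))
        i += length
    return opts


def effective_mss(tcp_hdr: bytes) -> int:
    """MSS the receiving peer must use: the advertised value, else the RFC 6691 default."""
    for kind, _, value in parse_tcp_options(tcp_hdr):
        if kind == TCP_OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return RFC6691_DEFAULT_MSS


def _ones_sum(buf: bytes, start: int, end: int) -> int:
    """One's-complement sum of the aligned 16-bit words covering buf[start:end]."""
    start -= start % 2
    end += end % 2
    total = sum((buf[i] << 8) | buf[i + 1] for i in range(start, end, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    seg = bytearray(segment)
    seg[16:18] = b"\x00\x00"
    if len(seg) % 2:
        seg.append(0)
    return ~_ones_sum(pseudo + bytes(seg), 0, len(pseudo) + len(seg)) & 0xFFFF


def clamp_mss(tcp_hdr: bytes, max_mss: int):
    """Lower an existing MSS option to max_mss and patch the checksum in place.
    Returns (header, rewritten). With no MSS option present there is nothing to edit,
    so the header comes back unchanged: the SYN-cookie case from the thread."""
    hdr = bytearray(tcp_hdr)
    for kind, off, value in parse_tcp_options(tcp_hdr):
        if kind != TCP_OPT_MSS or len(value) != 2:
            continue
        old = struct.unpack("!H", value)[0]
        if old <= max_mss:
            return bytes(hdr), False
        old_sum = _ones_sum(tcp_hdr, off + 2, off + 4)
        hdr[off + 2:off + 4] = struct.pack("!H", max_mss)
        new_sum = _ones_sum(hdr, off + 2, off + 4)
        # RFC 1624: HC' = ~(~HC + ~m + m') in one's-complement arithmetic
        old_csum = struct.unpack("!H", tcp_hdr[16:18])[0]
        hc = (~old_csum & 0xFFFF) + (~old_sum & 0xFFFF) + new_sum
        while hc >> 16:
            hc = (hc & 0xFFFF) + (hc >> 16)
        hdr[16:18] = struct.pack("!H", ~hc & 0xFFFF)
        return bytes(hdr), True
    return bytes(hdr), False


def build_synack(src_ip: str, dst_ip: str, options: bytes) -> bytes:
    """Constructed SYN/ACK (flags 0x12) carrying the given option bytes, checksum filled in."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 4-byte boundary
    data_offset = (20 + len(options)) // 4
    hdr = bytearray(struct.pack("!HHIIBBHHH", 443, 40000, 1000, 2001,
                                data_offset << 4, 0x12, 65535, 0, 0) + options)
    hdr[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(hdr)))
    return bytes(hdr)


# Constructed sample addresses (documentation ranges), not from the thread.
SRC, DST = "203.0.113.10", "198.51.100.20"
# Real server SYN/ACK: MSS 1460 (kind 2, len 4, value 0x05b4) followed by two NOPs.
SYNACK_WITH_MSS = build_synack(SRC, DST, b"\x02\x04\x05\xb4\x01\x01")
# SYN-cookie proxy SYN/ACK: no options at all.
SYNACK_NO_MSS = build_synack(SRC, DST, b"")


def demo():
    """(client MSS before clamp, after clamp, clamp+checksum ok, MSS with no option, clamped?)"""
    clamped, changed = clamp_mss(SYNACK_WITH_MSS, 1436)
    csum_ok = struct.unpack("!H", clamped[16:18])[0] == tcp_checksum(SRC, DST, clamped)
    untouched, changed2 = clamp_mss(SYNACK_NO_MSS, 1436)
    return (effective_mss(SYNACK_WITH_MSS), effective_mss(clamped), csum_ok and changed,
            effective_mss(untouched), changed2)
```

`demo()` returns `(1460, 1436, True, 536, False)`: the clamp works on the real SYN/ACK, and the option-less SYN/ACK is left alone. Note that `effective_mss` reports 536 for it, which is what the client should assume per RFC 6691; whether a given client stack really falls back to 536 or keeps sending 1460-byte segments is the behaviour the poster observed breaking the TLS exchange, and inserting a fresh option would mean growing the header rather than patching one word.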
Re: [c-nsp] policer on ASR1001X
Hi

just tested and police rate x pps is only applicable to control plane

Cheers

On Wed, 8 Sep 2021 at 15:51 Lukasz Bromirski <luk...@bromirski.net> wrote:
> Saku is always on point ;)
>
> > On 8 Sep 2021, at 15:31, Saku Ytti wrote:
> >
> > On Wed, 8 Sept 2021 at 16:30, Lukasz Bromirski wrote:
> >
> >>> 3) is there any mode to limit pps and not only bandwidth
> >>
> >> I no longer remember this from top of my mind, but there’s bunch of
> >> good QoS/HQoS presentations about ASR 1000 in particular on ciscolive.com
> >> that you can use as reference.
> >
> > police rate x pps
>
> Just checked this on 17.x based release (3k = 3000 for this example):
>
> rtr-edge(config-pmap-c)#police rate 3k ?
>   account         Overhead Accounting
>   bps             Treat 'rate' value in bits-per-second
>   burst           Specify 'burst' parameter
>   conform-action  action when rate is less than conform burst
>   cps             Treat 'rate' value in cells-per-second
>   peak-rate       Specify peak rate or PCR for single-level ATM 4.0 policer policies
>   pps             Treat 'rate' value in packets-per-second
>
> --
> ./
Re: [c-nsp] policer on ASR1001X
Thanks

I would try to apply both Bps OR pps if possible

Cheers

On Wed, 8 Sep 2021, 15:51 Lukasz Bromirski wrote:
> Saku is always on point ;)
>
> > On 8 Sep 2021, at 15:31, Saku Ytti wrote:
> >
> > On Wed, 8 Sept 2021 at 16:30, Lukasz Bromirski wrote:
> >
> >>> 3) is there any mode to limit pps and not only bandwidth
> >>
> >> I no longer remember this from top of my mind, but there’s bunch of
> >> good QoS/HQoS presentations about ASR 1000 in particular on ciscolive.com
> >> that you can use as reference.
> >
> > police rate x pps
>
> Just checked this on 17.x based release (3k = 3000 for this example):
>
> rtr-edge(config-pmap-c)#police rate 3k ?
>   account         Overhead Accounting
>   bps             Treat 'rate' value in bits-per-second
>   burst           Specify 'burst' parameter
>   conform-action  action when rate is less than conform burst
>   cps             Treat 'rate' value in cells-per-second
>   peak-rate       Specify peak rate or PCR for single-level ATM 4.0 policer policies
>   pps             Treat 'rate' value in packets-per-second
>
> --
> ./
[c-nsp] policer on ASR1001X
Dear experts,

I'd like to rate limit some ingress traffic coming from an untrusted source to 10Mbs.
I've an ASR1001X (16.3.7) and this is the config I'd place:

*****
ip access-list extended ACL_10_203_231_129
 permit ip any host 10.203.231.129

class-map match-all CM_LIMIT_INGRESS
 match access-group name ACL_10_203_231_129

policy-map PM_LIMIT_INGRESS
 class CM_LIMIT_INGRESS
  police 1000 500 500 conform-action transmit exceed-action drop violate-action drop
 class class-default

The PM is attached to tunnel interface:

TUNNEL0
 service-policy input PM_LIMIT_INGRESS
*****

Can you please confirm:

1) I'll not drop/limit other traffic
2) ASR1001X applies rate limit in hardware and not in software (in order to avoid CPU overload)
3) is there any mode to limit pps and not only bandwidth

Thanks in advance
Cheers
James
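The thread asks what a `police <rate> <burst> <extended burst>` line admits and whether a pps policer exists. On IOS the first argument is the committed rate in bits per second and the two bursts are in bytes, and the conform/exceed/violate split follows a single-rate three-colour marker (RFC 2697: two buckets, the excess bucket filled by overflow from the committed one). The simulator below is an added example, not Cisco's implementation nor code from the thread: it models that marker exactly (Fraction arithmetic, microsecond timestamps) in both byte/bps and packet/pps mode and runs it over a constructed trace, so a policer triple can be sanity-checked offline before it is applied to production traffic. The trace and rates are constructed; the 10 Mbit/s and 500 pps policers are illustrative values, not the poster's.

```python
"""Added example (not the thread's code): RFC 2697 srTCM policer simulation."""
from fractions import Fraction


class SrTcmPolicer:
    """Single-rate three-colour policer (RFC 2697 srTCM, colour-blind).
    cir: committed rate, bits/s in byte mode or packets/s when pps=True (integer).
    cbs/ebs: committed and excess burst in bytes (packets in pps mode);
    ebs=0 removes the 'exceed' band, so everything over cbs is 'violate'."""

    def __init__(self, cir: int, cbs: int, ebs: int, pps: bool = False):
        self.pps, self.cbs, self.ebs = pps, cbs, ebs
        self.per_sec = Fraction(cir) if pps else Fraction(cir, 8)   # tokens per second
        self.tc, self.te = Fraction(cbs), Fraction(ebs)              # buckets start full
        self.last_us = 0

    def _refill(self, now_us: int) -> None:
        """Credit CIR * elapsed tokens: committed bucket first, overflow to excess bucket."""
        tokens = self.per_sec * Fraction(max(0, now_us - self.last_us), 1_000_000)
        self.last_us = now_us
        room = self.cbs - self.tc
        self.tc += min(tokens, room)
        self.te = min(Fraction(self.ebs), self.te + max(Fraction(0), tokens - room))

    def police(self, now_us: int, length: int) -> str:
        """Colour one packet of `length` bytes arriving at `now_us` (microseconds)."""
        self._refill(now_us)
        cost = 1 if self.pps else length
        if self.tc >= cost:
            self.tc -= cost
            return "conform"
        if self.te >= cost:
            self.te -= cost
            return "exceed"
        return "violate"


def run_trace(policer: SrTcmPolicer, trace):
    """Apply the policer to [(timestamp_us, bytes), ...] and count each colour."""
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for ts, size in trace:
        counts[policer.police(ts, size)] += 1
    return counts


def constructed_trace(packets: int, size: int, interval_us: int):
    """Constant-size packets at a fixed interval, starting at t=0 (constructed data)."""
    return [(i * interval_us, size) for i in range(packets)]


def demo():
    # 1500-byte packets every 1 ms: 12 Mbit/s offered for 100 ms.
    trace = constructed_trace(100, 1500, 1000)
    # 10 Mbit/s CIR with a 15000-byte Bc and no Be (illustrative 10 Mbps cap).
    cap_10m = run_trace(SrTcmPolicer(cir=10_000_000, cbs=15000, ebs=0), trace)
    # The thread's 'police 1000 500 500': 1000 bit/s with 500-byte bursts, same trace.
    tiny = run_trace(SrTcmPolicer(cir=1000, cbs=500, ebs=500), trace)
    # pps mode: 500 pps with a 10-packet burst against a 1000 pps stream.
    pps = run_trace(SrTcmPolicer(cir=500, cbs=10, ebs=0, pps=True), trace)
    return cap_10m, tiny, pps
```

`demo()` returns `({'conform': 92, 'exceed': 0, 'violate': 8}, {'conform': 0, 'exceed': 0, 'violate': 100}, {'conform': 59, 'exceed': 0, 'violate': 41})`. The middle result is the useful one when reading the configuration in the post: with a 500-byte Bc no 1500-byte packet ever fits the committed bucket, and with a 500-byte Be none fits the excess bucket either, so every packet is a violate regardless of the rate. Burst sizes have to cover at least one MTU-sized packet for a byte policer to pass anything.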
Re: [c-nsp] strange issue
Hi

I've to ask for the VM routing table and then I will share.
VM gateway is load balancer.

Cheers
James

On Thu, 29 Jul 2021 at 18:17 Ryan Rawdon wrote:
>
> > On Jul 29, 2021, at 11:55 AM, james list wrote:
> >
> > Internet - Firewall – Lan - Load balancer – Lan – hypervisor- VM
> >
> > It happens sometime that the VM do not respond anymore to Load balancer for
> > external ip addresses until on the Load balancer it is set to source NAT
> > (SNAT) the internet traffic and then SNAT it’s removed.
> >
>
> Can you share the routing table of the VM in question? Specifically/most
> importantly - Is the load balancer being used as the VM’s default gateway,
> or does the VM use the firewall as its default gateway? In the latter
> case, I would expect the load balancer to SNAT traffic or act as a full
> layer 7 proxy where a new TCP connection is established from the load
> balancer to the upstream servers.
>
> With a misconfiguration or misaligned design intention here, I could see
> the intended behavior depending on ARP or firewall/connection state
> tracking behavior in the devices.
>
> > Something like an action that solicit the VM to refresh the arp.
> >
> > While health check from Loadbalancer to VM in the same LAN subnet never
> > stops to work.
> >
> > Does anybody ever encountered the same problem on VM environments ?
>
> In the absence of evidence otherwise, I suspect your issue is not
> VM-specific. Do you have examples of physical hosts in the same LAN that
> do not exhibit this problem? If so, has the routing table (default gateway
> and possibly other persistent static routes) been compared?
>
> > Any idea ?
> >
> > Thanks in advance
> >
> > James
[c-nsp] strange issue
Dear experts

My customer has the following very simple infrastructure:

Internet - Firewall – Lan - Load balancer – Lan – hypervisor- VM

It happens sometime that the VM do not respond anymore to Load balancer for external ip addresses until on the Load balancer it is set to source NAT (SNAT) the internet traffic and then SNAT it’s removed.

Something like an action that solicit the VM to refresh the arp.

While health check from Loadbalancer to VM in the same LAN subnet never stops to work.

Does anybody ever encountered the same problem on VM environments ?

Any idea ?

Thanks in advance
James
[c-nsp] netflow not having stats
Dear experts

I've a netflow configured on ASR1001X which is sending indeed udp packets to the collector but not displaying anything in the statistics, any idea why ?

Config:

flow exporter EXP_LOGS
 destination 10.101.11.119
 source Port-channel5.99   (this is the ip address used to send netflow packets)
 transport udp 2055
 export-protocol netflow-v5

flow monitor MON_LOGS
 exporter EXP_LOGS
 record netflow ipv4 original-output

interface Port-channel5.7   (this is the interface where Netflow works)
 ip flow monitor MON_LOGS sampler SAMPLER_1 output

sampler SAMPLER_1
 mode random 1 out-of 1024

Here the statistics at zero, but indeed traffic is arriving to the Netflow collector:

Flow Exporter EXP_LOGS:
  Packet send statistics (last cleared 2d16h ago):
    Successfully sent:         0                     (0 bytes)

  Client send statistics:
    Client: Flow Monitor MON_LOG
      Records added:           0
      Bytes added:             0

Thanks in advance for any hint.

Cheers
James
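When the exporter's own counters disagree with what the collector sees, the quickest check is to decode what actually arrives on UDP 2055. The script below is an added example, not code from the thread or from Cisco: a minimal NetFlow v5 decoder using the standard 24-byte header and 48-byte record layout, with two checks a collector operator wants: scaling sampled counters back up (the `mode random 1 out-of 1024` sampler in the configuration means each exported flow stands for roughly 1024 times its packets and bytes) and detecting lost export datagrams from the header's flow sequence number. The packets are constructed in the script with `build_v5_packet()` using documentation-range addresses; nothing here was captured from an ASR1001X.

```python
"""Added example (not from the thread): decode NetFlow v5 export datagrams,
rescale sampled counters and spot gaps in the exporter's flow sequence."""
import struct
import ipaddress
from collections import namedtuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes

Header = namedtuple("Header", "version count sys_uptime unix_secs unix_nsecs flow_sequence "
                              "engine_type engine_id sampling_mode sampling_interval")
Record = namedtuple("Record", "src dst nexthop input output packets octets first last "
                              "sport dport tcp_flags proto tos src_as dst_as src_mask dst_mask")


def parse_v5_packet(data: bytes):
    """Decode one NetFlow v5 datagram into (Header, [Record, ...])."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, samp = V5_HEADER.unpack_from(data, 0)
    if ver != 5:
        raise ValueError("not NetFlow v5 (version %d)" % ver)
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    # The 16-bit sampling field packs a 2-bit mode and a 14-bit interval.
    hdr = Header(ver, count, uptime, secs, nsecs, seq, etype, eid, samp >> 14, samp & 0x3FFF)
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(Record(
            str(ipaddress.IPv4Address(f[0])), str(ipaddress.IPv4Address(f[1])),
            str(ipaddress.IPv4Address(f[2])), f[3], f[4], f[5], f[6], f[7], f[8],
            f[9], f[10], f[12], f[13], f[14], f[15], f[16], f[17], f[18]))   # f[11], f[19] are padding
    return hdr, records


def build_v5_packet(flow_sequence: int, records, sampling_interval=0, sampling_mode=0) -> bytes:
    """Construct an export datagram from Record tuples (test data, not a real export)."""
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r.src).packed, ipaddress.IPv4Address(r.dst).packed,
        ipaddress.IPv4Address(r.nexthop).packed, r.input, r.output, r.packets, r.octets,
        r.first, r.last, r.sport, r.dport, 0, r.tcp_flags, r.proto, r.tos,
        r.src_as, r.dst_as, r.src_mask, r.dst_mask, 0) for r in records)
    samp = (sampling_mode << 14) | (sampling_interval & 0x3FFF)
    return V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, flow_sequence, 0, 0, samp) + body


def scaled_totals(records, sampling_interval: int):
    """Packets and octets the sampled flows stand for: '1 out-of N' sampling means x N."""
    n = max(1, sampling_interval)
    return (sum(r.packets for r in records) * n, sum(r.octets for r in records) * n)


def sequence_gap(prev_header: Header, header: Header) -> int:
    """Flows missing between two consecutive datagrams from one engine (0 means none lost)."""
    expected = prev_header.flow_sequence + prev_header.count
    return header.flow_sequence - expected


def demo():
    # Constructed flows with documentation-range addresses.
    web = Record("192.0.2.10", "198.51.100.7", "203.0.113.1", 7, 99, 10, 15000, 1000, 2000,
                 51515, 443, 0x18, 6, 0, 65000, 65001, 24, 24)
    dns = web._replace(dst="198.51.100.8", dport=53, proto=17, packets=4, octets=600, tcp_flags=0)
    p1 = build_v5_packet(0, [web, dns], sampling_interval=1024, sampling_mode=1)
    p2 = build_v5_packet(5, [dns], sampling_interval=1024, sampling_mode=1)   # 3 flows lost in between
    h1, r1 = parse_v5_packet(p1)
    h2, _ = parse_v5_packet(p2)
    return {"count": h1.count, "sampling": (h1.sampling_mode, h1.sampling_interval),
            "dst": r1[0].dst, "scaled": scaled_totals(r1, h1.sampling_interval),
            "gap": sequence_gap(h1, h2)}
```

`demo()` returns `{'count': 2, 'sampling': (1, 1024), 'dst': '198.51.100.7', 'scaled': (14336, 15974400), 'gap': 3}`. Bound `parse_v5_packet` to a UDP socket on the collector port and a non-zero `sequence_gap` between consecutive datagrams tells you the exporter is sending more than the collector receives, which separates an exporter-side accounting problem (the zero counters in the post) from loss on the path.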
[c-nsp] Integrate different DC technology over VXLAN
Dear experts,

do you have any suggestion where I can find useful information over www in order to provide DC interconnection of my two merging customers, where one is running MPLS/VPLS with Juniper technology and the other one EVPN/VXLAN with Cisco ?

The customer would like to explore the possibility to use VXLAN to extend L2...

Also any recommendation/hint/experience that can be shared is appreciated.

Thanks in advance for your help
Cheers
James
[c-nsp] Micro-segmentation
Dear all,

Many times my security team requires to have in place layer2 segregation in order to create DMZs on the firewall as a security measure to prevent lateral movement in case of different vlan management, or to respect standards (PCI, NIST, etc).

The result is in having hundreds or thousands of vlans even if in each vlan there are very few systems (3 or 4 servers, etc).

My question is: how did you manage the issue in case you faced it? Private vlans?

Keep in mind we need to have a non stop environment and hence any possible way forward must forecast it.

Cheers
James
Re: [c-nsp] C6800 Sup2T buffering ?
Thanks ytti

indeed we've PFC4 here:

Mod Sub-Module                  Model              Serial       Hw     Status
--- --------------------------- ------------------ ------------ ------ -------
  1 Distributed Forwarding Card WS-F6K-DFC4-E      SAL          1.2    Ok
  2 Distributed Forwarding Card WS-F6K-DFC4-E      SALxxx       1.2    Ok
  3 Policy Feature Card 4       VS-F6K-PFC4        SALxxx       3.0    Ok
  3 CPU Daughterboard           VS-F6K-MSFC5       SALxxx       3.0    Ok
  5 Distributed Forwarding Card WS-F6K-DFC4-A      SALxxx       1.4    Ok

yes it's a long trip, the path is around 1k km

Cheers

On Thu, 21 May 2020 at 06:41 Saku Ytti wrote:
> On Wed, 20 May 2020 at 23:45, james list wrote:
>
> Hey,
>
> > Dear experts
> > my customer have some multicast flows which are detected sometime with
> > peaks/latency.
>
> > They report 10-15 ms average latency and sometimes they detect 500-600 ms.
>
> I wouldn't put it past measuring error. Is 10-15ms expected? I.e. this
> is like 1000km?
>
> However based on just information available, perhaps flows timeout
> periodically and hit the control-plane. I think SUP2T like PFC3 before
> it punts all mcast, then programs flow in HW, then subsequently
> hardware format it. If so, perhaps you can tune with multicast flow
> timers.
>
> > - what I can use to try to decode pcap taken on Arista switch to check if
> > the latency is really obtained checking protocol market timestamp ?
>
> Several samples, coffee and time.
>
> --
> ++ytti
[c-nsp] C6800 Sup2T buffering ?
Dear experts

my customer has some multicast flows which are detected sometimes with peaks/latency.

They measure this latency based on the protocol financial feed timestamp, which I'm not able to decode (I guess they use stuff like Corvil).

The path from the market datafeed source to the customer is:

Financial market --1Gb -- C6807 VSS SUP2T -- 10 G port-channel WAN -- C6807 VSS SUP2T -- 1 Gbs -- Arista 7150S --1 Gbs -- customer

They report 10-15 ms average latency and sometimes they detect 500-600 ms.

Following the path I do not find anything telling me there are spikes (I have no drops) and also the customer states no packet loss is detected, but we suspect buffering/queuing somewhere on C6807 or Arista 7150S.

Since Arista 7150S is low latency I suspect Cisco.

Some questions:
- what do you suggest to check here ? buffers ? qos ? other...
- what can I use to try to decode a pcap taken on the Arista switch to check if the latency is really obtained checking the protocol market timestamp ?

Thanks in advance for any hint or help.

Cheers
James
[c-nsp] Internet monitoring in case of general issues
Many times we recognize issues on the internet, customers asking why additional delays are experienced, why it takes so long to access services, why "this afternoon is slow", we notice fresh bgp updates, etc etc...

Everybody should know the internet is cheap but unreliable, customers many times would like to save money with an ipsec vpn but then ask for penalties if the service is not reachable, there is ddos opportunity etc etc

The question: once you notice issues on the internet and your upstreams are fine, what instrument or service or commands or web site do you use to try to find out where the problem is and who is experiencing the problem (ie a tier1 carrier)?

Cheers
James
Re: [c-nsp] ASR1001X additional EBGP peer
Mark, Saku,

Thanks for your help.

If you see the output provided we run one ebgp (full routing) and then we have three ibgp (full routing). We need to add one ebgp due to the high bandwidth needed and since we want to use ibgp only in case of wan faults.

Can I run bgp multipath only on ebgp sessions? We decided to add a link with the same carrier and we are aware we will not reach 50/50 balancing.

What about RAM memory? Don't you see any issue?

Cheers

On Sun, 8 Mar 2020, 08:48 james list wrote:
> Dear all
> I'd like to have your recommendation.
>
> Our customer runs on ASR1001X an EBGP peering (full routing) with one ISP
> and some internal IBGP peering (full routing) with other sites of the
> customer.
>
> ASR1001xxx#sh ip bgp summary
> BGP router identifier 185.x.xxx, local AS number 12111
> BGP table version is 165259260, main routing table version 165259260
> 791972 network entries using 196409056 bytes of memory
> 2581993 path entries using 330495104 bytes of memory
> 458319/118958 BGP path/bestpath attribute entries using 120996216 bytes of memory
> 233298 BGP AS-PATH entries using 11620238 bytes of memory
> 84 BGP community entries using 2704 bytes of memory
> 0 BGP route-map cache entries using 0 bytes of memory
> 0 BGP filter-list cache entries using 0 bytes of memory
> BGP using 659523318 total bytes of memory
> BGP activity 5705457/4913485 prefixes, 122354684/119772691 paths, scan interval 60 secs
>
> Neighbor        V    AS     MsgRcvd  MsgSent   TblVer    InQ OutQ Up/Down  State/PfxRcd
> 80.14.x.14           32x    2702998  53942     165259167 0   0    1w4d     791619
> 185.71.x.1      4    121xx  28908450 37253524  165259260 0   0    31w0d    756795
> 185.71.x.2      4    121xx  36083442 31272759  165259260 0   0    26w0d    276292
> 185.71.x.3      4    121xx  28549167 37251270  165259260 0   0    31w0d    757279
>
> We'd like to add a new EBGP peering on the same router (with full routing
> received from a second carrier) in order to load balance traffic (mainly in
> output).
> The question is: do you see any issue in terms of
> performance/memory/what else in adding a new EBGP peering ?
> Which is the best way to try to load balance in output ?
>
> From output following I am not sure if going to upgrade the RAM or not...
>
> Thanks in advance for your help!
> Cheers
> James
>
>
> ASR1001xxx#sh ver
> Cisco IOS XE Software, Version 16.03.07
> Cisco IOS Software [Denali], ASR1000 Software
> (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7, RELEASE SOFTWARE (fc4)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2018 by Cisco Systems, Inc.
> Compiled Sat 04-Aug-18 00:51 by mcpre
>
>
> Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
> All rights reserved. Certain components of Cisco IOS-XE software are
> licensed under the GNU General Public License ("GPL") Version 2.0. The
> software code licensed under GPL Version 2.0 is free software that comes
> with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
> GPL code under the terms of GPL Version 2.0. For more details, see the
> documentation or "License Notice" file accompanying the IOS-XE software,
> or the applicable URL provided on the flyer accompanying the IOS-XE
> software.
>
>
> ROM: IOS-XE ROMMON
>
> ASR1001xxx uptime is 31 weeks, 47 minutes
> Uptime for this control processor is 31 weeks, 49 minutes
> System returned to ROM by reload at 08:25:36 CET Sun Aug 4 2019
> System restarted at 08:29:12 CET Sun Aug 4 2019
> System image file is "bootflash:asr1001x-universalk9.16.03.07.SPA.bin"
> Last reload reason: Reload Command
>
>
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found
> at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to
> exp...@cisco.com.
>
> License Type: Permanent
> License Level: ipbase
> Next reload license Level: ipbase
>
> cisco ASR1001-X (1NG) processor (revision 1NG) with 3728595K/6147K bytes
> of memory.
> Processor board ID FXSrr
> 6 Giga
[c-nsp] ASR1001X additional EBGP peer
Dear all

I'd like to have your recommendation.

Our customer runs on ASR1001X an EBGP peering (full routing) with one ISP and some internal IBGP peering (full routing) with other sites of the customer.

ASR1001xxx#sh ip bgp summary
BGP router identifier 185.x.xxx, local AS number 12111
BGP table version is 165259260, main routing table version 165259260
791972 network entries using 196409056 bytes of memory
2581993 path entries using 330495104 bytes of memory
458319/118958 BGP path/bestpath attribute entries using 120996216 bytes of memory
233298 BGP AS-PATH entries using 11620238 bytes of memory
84 BGP community entries using 2704 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 659523318 total bytes of memory
BGP activity 5705457/4913485 prefixes, 122354684/119772691 paths, scan interval 60 secs

Neighbor        V    AS     MsgRcvd  MsgSent   TblVer    InQ OutQ Up/Down  State/PfxRcd
80.14.x.14           32x    2702998  53942     165259167 0   0    1w4d     791619
185.71.x.1      4    121xx  28908450 37253524  165259260 0   0    31w0d    756795
185.71.x.2      4    121xx  36083442 31272759  165259260 0   0    26w0d    276292
185.71.x.3      4    121xx  28549167 37251270  165259260 0   0    31w0d    757279

We'd like to add a new EBGP peering on the same router (with full routing received from a second carrier) in order to load balance traffic (mainly in output).
The question is: do you see any issue in terms of performance/memory/what else in adding a new EBGP peering ?
Which is the best way to try to load balance in output ?

From output following I am not sure if going to upgrade the RAM or not...

Thanks in advance for your help!
Cheers
James

ASR1001xxx#sh ver
Cisco IOS XE Software, Version 16.03.07
Cisco IOS Software [Denali], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.3.7, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sat 04-Aug-18 00:51 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

ASR1001xxx uptime is 31 weeks, 47 minutes
Uptime for this control processor is 31 weeks, 49 minutes
System returned to ROM by reload at 08:25:36 CET Sun Aug 4 2019
System restarted at 08:29:12 CET Sun Aug 4 2019
System image file is "bootflash:asr1001x-universalk9.16.03.07.SPA.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
exp...@cisco.com.

License Type: Permanent
License Level: ipbase
Next reload license Level: ipbase

cisco ASR1001-X (1NG) processor (revision 1NG) with 3728595K/6147K bytes of memory.
Processor board ID FXSrr
6 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
6594559K bytes of eUSB flash at bootflash:.
0K bytes of  at harddisk:.
0K bytes of  at webui:.

Configuration register is 0x2102

ASR1001xxx#sh cef fib
792336 allocated IPv4 entries, 0 failed allocations
1 allocated IPv6 entry, 0 failed allocations

ASR1001xxx#show platform software status control-processor brief
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   0.19   0.17   0.14

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  8058752  5470576 (68%)  2588176 (32%)   6986084 (87%)

CPU Utilization
 Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
  RP0    0   1.10   2.50   0.00  96.20   0.00   0.20   0.00
         1   1.20   0.90   0.00  97.90   0.00   0.00   0.00
         2   0.50   0.50   0.00  99.00   0.00   0.00   0.00
         3   0.49   0.79   0.00  98.70   0.00   0.00   0.00
         4   0.89
Re: [c-nsp] [j-nsp] Traffic delayed
it's unicast, we're checking it.

Thanks

On Tue, 2 Oct 2018 at 23:54 NK NSP wrote:
> What kind of traffic is delayed? Unicast or multicast? Usually Mac tables
> have Mac timeouts driven by traffic and flooding may occur on timeouts. You
> can check if any ARPs are expiring and needed to be refreshed every 30 mins
> interval. For multicast, check if any prune or joins are happening around
> the time. Any IGMP joins or prunes around the same time.
>
> On Tue, Oct 2, 2018 at 9:38 AM james list wrote:
>
>> Dear experts
>>
>> I’ve a strange issue.
>>
>> Our customer replaced two L2/3 switches (C6500) where a pure L2 and L3
>> (hsrp) environment was set-up with a couple of new MX9k running the same L2
>> and L3 services but those two MX are running MPLS/VPLS to transport L3/L2
>> frames. Access switches are QFX5k connected to MX MPLS PE.
>>
>> Now the main issue: the customer every almost 30 minutes (sometimes 28
>> sometimes 33 minutes sometimes 30) detect some frames received with a delay
>> of 3-600 milliseconds. The customer is a trading venue..
>>
>> It seems like something slow down the forwarding processing, now I know
>> Juniper separate forwarding and control, but I was thinking to OSPF LSA
>> refresh or something like that since the frequency is around 30 minutes..
>>
>> Can anybody help me in sorting out which can be the main point here ?
>>
>> Thanks in advance
>>
>> Cheers,
>>
>> James
>> ___
>> juniper-nsp mailing list juniper-...@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
Re: [c-nsp] [j-nsp] Traffic delayed
Can you elaborate? Why just every 30 minutes the issue?

On Tue, 2 Oct 2018, 20:34 Tom Beecher wrote:
> You have switches with completely different buffer depths than you used
> to. You prob want to look into that.
>
> On Tue, Oct 2, 2018 at 9:39 AM james list wrote:
>
>> Dear experts
>>
>> I’ve a strange issue.
>>
>> Our customer replaced two L2/3 switches (C6500) where a pure L2 and L3
>> (hsrp) environment was set-up with a couple of new MX9k running the same L2
>> and L3 services but those two MX are running MPLS/VPLS to transport L3/L2
>> frames. Access switches are QFX5k connected to MX MPLS PE.
>>
>> Now the main issue: the customer every almost 30 minutes (sometimes 28
>> sometimes 33 minutes sometimes 30) detect some frames received with a delay
>> of 3-600 milliseconds. The customer is a trading venue..
>>
>> It seems like something slow down the forwarding processing, now I know
>> Juniper separate forwarding and control, but I was thinking to OSPF LSA
>> refresh or something like that since the frequency is around 30 minutes..
>>
>> Can anybody help me in sorting out which can be the main point here ?
>>
>> Thanks in advance
>>
>> Cheers,
>>
>> James
[c-nsp] Traffic delayed
Dear experts

I’ve a strange issue.

Our customer replaced two L2/3 switches (C6500), where a pure L2 and L3 (hsrp) environment was set up, with a couple of new MX9k running the same L2 and L3 services, but those two MX are running MPLS/VPLS to transport L3/L2 frames. Access switches are QFX5k connected to MX MPLS PE.

Now the main issue: the customer almost every 30 minutes (sometimes 28, sometimes 33 minutes, sometimes 30) detects some frames received with a delay of 3-600 milliseconds. The customer is a trading venue..

It seems like something slows down the forwarding processing; now I know Juniper separates forwarding and control, but I was thinking of OSPF LSA refresh or something like that since the frequency is around 30 minutes..

Can anybody help me in sorting out which can be the main point here ?

Thanks in advance

Cheers,
James
Re: [c-nsp] [j-nsp] Strange issue
Thanks Saku/Lukas

Investigation still ongoing, I will let you know if something is found.

Cheers

On Tue, 11 Sep 2018, 00:20 Saku Ytti wrote:
> Oh I think I misunderstood OP. Yes, sounds like larger packets were
> impacted smaller were not.
>
> On Tue, 11 Sep 2018 at 01:16, Saku Ytti wrote:
> >
> > On Tue, 11 Sep 2018 at 00:21, Lukas Tribus wrote:
> >
> > > > We experienced a strange issue in reaching the remote devices (servers) and
> > > > performing bulk snmp walk, instead direct object query was working fine.
> > >
> > > Sounds like a temporary MTU problem to me ...
> >
> > Please elaborate. Bulk walk does bulk get 'OID X and next Y OIDs'.
> > Specific get is 'OID X'. So what OP is proposing sounds like smaller
> > UDP datagrams didn't pass, but larger did. My doge coins would be on
> > edge policer limiting small UDP packets.
> >
> > --
> > ++ytti
>
> --
> ++ytti
[c-nsp] Strange issue
Dear experts, I'm wondering if you can provide any hints/help on this problem. We experienced a strange issue in reaching the remote devices (servers) and performing bulk SNMP walks, while direct object queries were working fine. After an entire night of issues (22:00 to 06:00), the problem disappeared by itself... During this problem we also experienced other issues, but we were not able to find the root cause, nor any issue on our firewall. We asked the carrier (which also has a firewall in the middle, since it provides services) but it seems it didn't detect any issue either. I think the carrier had some problem but I'm not able to prove it. Have you ever seen this kind of issue? What can it be related to? Thanks in advance for any suggestion. Cheers James
Re: [c-nsp] DHCP server
Just one, but hundreds of DHCP scopes. Cheers On Sat 16 Jun 2018, 10:55, wrote: > How many physical interfaces/ports? > > A c891f could be sufficient... > > Jürgen. > -----Original Message----- > Dear experts, > a customer of mine has an old C7200 acting as DHCP server and wants to > replace it with an IOS device in order to port the configuration 1:1. > > He asked for a solution which is not so expensive, I'm thinking of ASR1k or > CAT9k, do you have any other suggestion ? >
Re: [c-nsp] DHCP server
Hi Nick, yes I was thinking of the Cat9300. Good point on the ISR44x, is that IOS or IOS-XE? Thanks Cheers On Fri 15 Jun 2018, 22:13 Nick Cutting wrote: > ISR-44k is much cheaper than ASR 1k for forwarding in hardware > > But DHCP server is all done on CPU - so you could get away with a much > cheaper software router like a ISR43xx > Do you mean the Catalyst 9300 series? > > -----Original Message----- > From: cisco-nsp On Behalf Of james > list > Sent: Friday, June 15, 2018 1:19 PM > To: cisco-nsp NSP > Subject: [c-nsp] DHCP server > > Dear experts, > a customer of mine has an old C7200 acting as DHCP server and wants to > replace it with an IOS device in order to port the configuration 1:1. > > He asked for a solution which is not so expensive, I'm thinking of ASR1k > or CAT9k, do you have any other suggestion ? > > Thanks for any advice > > Cheers, > James
[c-nsp] DHCP server
Dear experts, a customer of mine has an old C7200 acting as DHCP server and wants to replace it with an IOS device in order to port the configuration 1:1. He asked for a solution which is not so expensive; I'm thinking of ASR1k or CAT9k, do you have any other suggestion? Thanks for any advice Cheers, James
[c-nsp] C4500x VSS convergence
Dear experts, I have a strange behaviour to share. I am testing ISSU and failover of a couple of 4500X configured in VSS. Basically what I see is that during the failover the active supervisor (or switch) takes more than 100 seconds to forward IP packets, making routing convergence very slow. SSO and NSF are enabled, and if I connect via console to the switch that becomes active it seems that the IP routing table appears only after 100 seconds. Has anyone experienced the same issue? Thanks Cheers James
[c-nsp] IOS ip-base to advanced-ip-services upgrade
Dear experts, I am wondering if anybody is clear on the process to upgrade an ASR1001X from ip base to advanced ip services. I need to enable BFD on BGP and it seems that an upgrade is needed. I'd like to know if it's right-to-use or we need to buy a new license. Thanks for a feedback Cheers James
[c-nsp] macsec
Dear experts, I’m trying to get MACsec working between a Cisco 3850 and a Juniper EX4300 without success. Here is the config:

Cisco 3850
key chain test macsec
 key 123ABC
  cryptographic-algorithm aes-128-cmac
!
interface TenGigabitEthernet1/0/21
 switchport access vlan 10
 switchport mode access
 cts manual
  policy static sgt 4
  sap pmk 00123ABC mode-list gcm-encrypt
end

EX4300
set security macsec connectivity-association test1 security-mode static-cak
set security macsec connectivity-association test1 mka key-server-priority 0
set security macsec connectivity-association test1 replay-protect replay-window-size 5
set security macsec connectivity-association test1 pre-shared-key ckn 123ABC
set security macsec connectivity-association test1 pre-shared-key cak "$9$-mVb2oAUHkP4oz11Cu0"
set security macsec interfaces ge-0/0/21 connectivity-association test1

It remains UP on the Juniper side and “not connected” on the Cisco side; if MACsec is removed everything is UP. Has anyone already tried this and can provide any hint/example config? Thanks in advance, cheers, James
Re: [c-nsp] Huge SP CPU usage spikes 100%
: 140160704868 @ 9682 pps
Total packets L3 Switched : 34932368706 @ 1232 pps
Total Packets Bridged : 656016702
Total Packets FIB Switched: 34932368705
Total Packets ACL Routed : 0
Total Packets Netflow Switched: 1
Total Mcast Packets Switched/Routed : 484819408
Total ip packets with TOS changed : 2
Total ip packets with COS changed : 2
Total non ip packets COS changed : 0
Total packets dropped by ACL : 0
Total packets dropped by Policing : 0
Total packets exceeding CIR : 0
Total packets exceeding PIR : 0
Errors
MAC/IP length inconsistencies : 0
Short IP packets received : 0
IP header checksum errors : 0
TTL failures : 31737163
MTU failures : 0

Statistics for Earl in Module 3
L2 Forwarding Engine
Total packets Switched: 16262339592
L3 Forwarding Engine
Total packets Processed : 6051808557 @ 283 pps
Total packets L3 Switched : 3336113840 @ 133 pps
Total Packets Bridged : 18844001
Total Packets FIB Switched: 3336113839
Total Packets ACL Routed : 0
Total Packets Netflow Switched: 1
Total Mcast Packets Switched/Routed : 2696745262
Total ip packets with TOS changed : 2
Total ip packets with COS changed : 2
Total non ip packets COS changed : 0
Total packets dropped by ACL : 0
Total packets dropped by Policing : 0
Total packets exceeding CIR : 0
Total packets exceeding PIR : 0
Errors
MAC/IP length inconsistencies : 0
Short IP packets received : 0
IP header checksum errors : 0
TTL failures : 0
MTU failures : 0

Statistics for Earl in Module 5
L2 Forwarding Engine
Total packets Switched: 2610069540467
L3 Forwarding Engine
Total packets Processed : 1142797974401 @ 30466 pps
Total packets L3 Switched : 508644771724 @ 18373 pps
Total Packets Bridged : 17347786423
Total Packets FIB Switched: 508644771723
Total Packets ACL Routed : 0
Total Packets Netflow Switched: 1
Total Mcast Packets Switched/Routed : 181041389292
Total ip packets with TOS changed : 2
Total ip packets with COS changed : 2
Total non ip packets COS changed : 0
Total packets dropped by ACL : 2276418
Total packets
dropped by Policing : 0
Total packets exceeding CIR : 0
Total packets exceeding PIR : 0
Errors
MAC/IP length inconsistencies : 1881
Short IP packets received : 0
IP header checksum errors : 0
TTL failures : 8688776
MTU failures : 0
Total packets L3 Processed by all Modules: 1710516850594 @ 57716 pps

2018-03-02 11:22 GMT+01:00 James Bensley <jwbens...@gmail.com>:
> On 1 March 2018 at 09:53, james list <jameslis...@gmail.com> wrote:
> > xxx#show ibc
> > Interface information:
> > 5 minute rx rate 944000 bits/sec, 793 packets/sec
> > 5 minute tx rate 25000 bits/sec, 37 packets/sec
> ...
> > 2467023087 Packets out of 554699386 CEF Switched, 0 Packets out of 0 Tag CEF Switched
> > 3916625157 Packets Fast Switched
> ...
> > Potential/Actual paks copied to process level 228808364/225833216 (2975148 dropped, 265 spd drops)
> ...
> > MISTRAL ERROR COUNTERS
> ...
> > 2974883 total packets dropped on throttled interfaces (2954630 low, 16704 medium, 3549 high)
> >
> >> On 1 March 2018 at 08:29, james list <jameslis...@gmail.com> wrote:
> >> > Dear experts,
> >> > has anybody experienced a 100% SP CPU usage on C6500-Sup720 (12.2(33)SXI5) with a lot of interrupts ?
> >> > The main process is Heartbeat.
> >> >
> >> > Cisco TAC is struggling in having an idea to sorting out the issue, they are working since 3 days on it..
> >> >
> >> > STP is stable, no mac moving, no real issue found… maybe somebody experienced the same due to something in particular?
>
> I've compared to a similar box I have, it has less control-plane traffic than yours it would seem. You have a decent amount of dropped packets which I guess to be expected if you have sustained 100% SP CPU utilisation.
>
> Do you have a lot of spanning-tree instances, HSRP/VRRP, multicast (various other control-plane stuff) running on
Re: [c-nsp] Huge SP CPU usage spikes 100%
ing entries = 0x200
tx_head = 400 tx_tail = 400
outputs = 23315837396 tx_cumbytes = 1742852038156
hw outputs = 0 hw tx_cumbytes = 0
tx rate (bits/sec) = 93000 tx rate (packets/sec) = 156
tx_retry_error = 72 tx_retry_count = 6325477
tx_process_stopped = 17 tx total drops = 0

Mistral Registers
soft_reset_cfg = 0x04 dma_buffer_size_reg = 0x00
int_mask_hi = 0x7E int_mask_lo = 0xE7001A58
rxdscp_cnt = 512 txdscp_cnt = 0
rxwork_dscp = 0xF2C0 txwork_dscp = 0x600
mistral_eobc_ds = 0x509CD908 mistral_dma_register = 0x3000
mistral_glbl_reg = 0x1002

Misc. Global Registers:
global_cfg = 0x20 mis_init_sts = 0xF
dimm_parm_cfg_hi = 0x0576 dimm_parm_cfg_lo = 0x42040F5A
tm_init_size_cfg = 0x8000
xxx#

2018-03-01 10:02 GMT+01:00 James Bensley <jwbens...@gmail.com>:
> On 1 March 2018 at 08:29, james list <jameslis...@gmail.com> wrote:
> > Dear experts,
> > has anybody experienced a 100% SP CPU usage on C6500-Sup720 (12.2(33)SXI5) with a lot of interrupts ?
> > The main process is Heartbeat.
> >
> > Cisco TAC is struggling in having an idea to sorting out the issue, they are working since 3 days on it..
> >
> > STP is stable, no mac moving, no real issue found… maybe somebody experienced the same due to something in particular?
> >
> > Thanks for any hints.
> >
> > Cheers,
> > James
> >
> > xxx#remote command switch show process cpu sorted
> >
> > CPU utilization for five seconds: 91%/83%; one minute: 96%; five minutes: 97%
>
> When you say a lot of interrupts, what do you get from:
>
> show platform netint
> remote command switch show platform hardware earl status
> show ibc
> show eobc
>
> I don't know what that Heartbeat process is for, e.g. between SP and RP, or SP and DFCs, or SP and line cards etc. In terms of fixing the issue, perhaps reboot the RSP or line card? That obviously doesn't give you a root cause though :)
>
> It seems like the process is stuck in a loop if you are saying that forwarding is working without issue.
> You could run a NetDR capture to see if that is control-plane traffic and maybe where it's coming from or going to: https://null.53bits.co.uk/index.php?page=netdr-captures
>
> Cheers,
> James.
Re: [c-nsp] Huge SP CPU usage spikes 100%
Hi, the mentioned commands are not present:

xxx#show platform ?
  acl Display CWAN ACL commands
  bridge Distributed/Hardware-based bridging information
  buffers Show buffer allocation
  cfm Show CFM Commands
  eeprom Show CPU eeprom
  etherchannel Platform EtherChannel information
  fault Show fault data
  hardware Show platform hardware information
  internal-vlan Show internal vlan
  netint Show platform net interrupt information
  redundancy Display bias and CWAN platform redundancy
  software Show platform software information
  stats Display CWAN statistics
  supervisor Show supervisor info
  tech-support Show system information for Tech-Support
  tlb Show processor TLB registers
  vfi Display CWAN VFI commands
  vlans Display hidden VLAN to WAN interface mapping

2018-03-01 9:41 GMT+01:00 Saku Ytti <s...@ytti.fi>:
> Hey,
>
> Anything in punts?
>
> show plat cap buffer asic pinnacle slot 5 port 4 direction out priority lo
> show plat cap buffer collect for 5
> show plat cap buffer data filt
> show plat cap buffer data sample
>
> Replace 'slot 5' with your port SUP port number.
>
> On 1 March 2018 at 10:29, james list <jameslis...@gmail.com> wrote:
> > Dear experts,
> > has anybody experienced a 100% SP CPU usage on C6500-Sup720 (12.2(33)SXI5) with a lot of interrupts ?
> > The main process is Heartbeat.
> >
> > Cisco TAC is struggling in having an idea to sorting out the issue, they are working since 3 days on it..
> >
> > STP is stable, no mac moving, no real issue found… maybe somebody experienced the same due to something in particular?
> >
> > Thanks for any hints.
> >
> > Cheers,
> > James
> >
> > xxx#remote command switch show process cpu sorted
> >
> > CPU utilization for five seconds: 91%/83%; one minute: 96%; five minutes: 97%
> > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > 10212118224 387324287 31 100.00% 38.16% 32.07% 0 Heartbeat Proces
> > 258 4104910748 127607878 32168 2.23% 2.01% 2.03% 0 Vlan Statistics
> > 117 7497040242279235756 0 1.19% 0.60% 0.56% 0 DiagCard2/-1
> > 114 9372052522290556905 0 1.11% 1.05% 1.06% 0 slcp process
> > 500 384748832 761210720505 0.47% 0.49% 0.47% 0 DiagCard3/-1
> > 3 8458075601628030520519 0.47% 0.45% 0.46% 0 DiagCard1/-1
> > 124 540996344 628393475860 0.39% 0.40% 0.39% 0 DiagCard4/-1
> > 75 6645542122968378193 0 0.31% 0.20% 0.19% 0 SCP Download Lis
> >
> > xxx#remote command switch show proc cpu his
> >
> > [CPU% per second (last 60 seconds) and CPU% per minute histograms, garbled in the archive]
[c-nsp] Huge SP CPU usage spikes 100%
Dear experts, has anybody experienced 100% SP CPU usage on a C6500-Sup720 (12.2(33)SXI5) with a lot of interrupts? The main process is Heartbeat. Cisco TAC is struggling to get an idea for sorting out the issue; they have been working on it for 3 days. STP is stable, no MAC moving, no real issue found… maybe somebody experienced the same due to something in particular? Thanks for any hints. Cheers, James

xxx#remote command switch show process cpu sorted

CPU utilization for five seconds: 91%/83%; one minute: 96%; five minutes: 97%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
10212118224 387324287 31 100.00% 38.16% 32.07% 0 Heartbeat Proces
258 4104910748 127607878 32168 2.23% 2.01% 2.03% 0 Vlan Statistics
117 7497040242279235756 0 1.19% 0.60% 0.56% 0 DiagCard2/-1
114 9372052522290556905 0 1.11% 1.05% 1.06% 0 slcp process
500 384748832 761210720505 0.47% 0.49% 0.47% 0 DiagCard3/-1
3 8458075601628030520519 0.47% 0.45% 0.46% 0 DiagCard1/-1
124 540996344 628393475860 0.39% 0.40% 0.39% 0 DiagCard4/-1
75 6645542122968378193 0 0.31% 0.20% 0.19% 0 SCP Download Lis

xxx#remote command switch show proc cpu his

[CPU% per second (last 60 seconds), CPU% per minute (last 60 minutes) and CPU% per hour (last 72 hours) histograms, garbled in the archive; * = maximum CPU%, # = average CPU%]
[c-nsp] Meltdown and Spectre
Dear all, for the CVEs related to Meltdown and Spectre, I'm wondering what you are doing or going to do on your networking gear. I'm struggling to understand something from the vendors, but I'd like to hear from people on the pitch. Cheers James
[c-nsp] Cisco Supply Chain issues in Amsterdam?
I can only confirm we are delayed by two weeks now and still have not got a delivery date from Cisco. Big issues with end-of-year invoicing. Cheers James
[c-nsp] Traceroute not working as expected
Dear experts, I've the following strange issue. In the same broadcast domain (10.1.0.0/24) I have four devices:
1) carrier router .1
2) firewallA .2
3) firewallB .3
4) firewallC .4
The carrier router has a default route to .2 (firewall A). 2-3-4) have gateway .1.
If I do a traceroute to a WAN location 10.2.0.1 from 3) I get: 10.1.0.1, then WAN MPLS.
If I do a traceroute to a WAN location 10.2.0.1 from 4) I get: 10.1.0.2, 10.1.0.1, then WAN carrier MPLS.
What can cause the issue only for firewallC? I guess this is why I cannot establish an IPsec VPN from remote to firewallC. Thanks in advance Cheers
[c-nsp] multiple GRE on the same gear
Dear experts, the bug CSCdy72539 states that on a Cisco 6500 with SUP720, if multiple GRE interfaces are created using the same source address, traffic is switched in CPU instead of hardware; it seems the issue is solved with SUP2T. The question: can the ASR1001X suffer from the same issue? I’m not able to find any info on the web. Can anyone help? Cheers James
[c-nsp] PTP: what kind of monitoring is requested by MIFID 2 ?
Dear experts, has anybody already approached the PTP monitoring required by MiFID II?

--- Article 4 of RTS 25 states:
Compliance with the maximum divergence requirements
Operators of trading venues and their members or participants shall establish a system of traceability to UTC. They shall be able to demonstrate traceability to UTC by documenting the system design, functioning and specifications. They shall be able to identify the exact point at which a timestamp is applied and demonstrate that the point within the system where the timestamp is applied remains consistent. Reviews of the compliance with this Regulation of the traceability system shall be conducted at least once a year.
---

My question is: what is required to be monitored from a MiFID II perspective? What do you suggest putting in place? Any idea/shared experience is appreciated! Cheers, James
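As an added example that is not part of the thread: RTS 25 asks the venue to demonstrate traceability to UTC and to be able to show, at review time, that the maximum divergence was respected. One concrete input to that evidence is a continuous record of the offset between each timestamping host's clock and the PTP grandmaster. The Python below parses ptp4l (linuxptp) "master offset" log lines, checks every sample against a divergence budget, and summarises a window the way a yearly review would want it (worst offset, number of violations, lock losses, when the first violation happened). The log lines are constructed for the example; the 100 microsecond budget is my assumption (the RTS 25 figure for HFT members and venues with sub-millisecond gateway-to-gateway latency, with 1 millisecond applying to the other categories), so confirm the row that applies to you before relying on it.

```python
"""Check ptp4l clock-offset samples against a MiFID II RTS 25 divergence budget.

Added example, not from the mailing-list thread. Input is the linuxptp ptp4l log
format; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: 100 microseconds, the RTS 25 figure for HFT members and venues with
# sub-millisecond gateway-to-gateway latency (1 ms applies to the other categories).
# Confirm the applicable row of the RTS 25 tables before relying on this value.
MAX_DIVERGENCE_NS = 100_000

# ptp4l log line, e.g.:
#   ptp4l[4122.104]: master offset        -17 s2 freq  -21012 path delay      1184
# offset and path delay are in nanoseconds; sN is the servo state (s2 = locked).
PTP4L_RE = re.compile(
    r"ptp4l\[(?P<uptime>\d+\.\d+)\]: master offset\s+(?P<offset>-?\d+)\s+"
    r"s(?P<state>\d)\s+freq\s+(?P<freq>-?\d+)\s+path delay\s+(?P<delay>-?\d+)"
)


@dataclass
class Sample:
    uptime: float
    offset_ns: int
    servo_state: int
    path_delay_ns: int

    @property
    def locked(self) -> bool:
        return self.servo_state == 2

    def compliant(self, budget_ns: int = MAX_DIVERGENCE_NS) -> bool:
        # An unlocked servo means the offset figure is not trustworthy, so it counts
        # as a violation even when the number itself is small.
        return self.locked and abs(self.offset_ns) <= budget_ns


def parse_ptp4l(lines):
    """Extract offset samples; lines that are not offset reports are skipped."""
    samples = []
    for line in lines:
        m = PTP4L_RE.search(line)
        if m:
            samples.append(Sample(float(m["uptime"]), int(m["offset"]),
                                  int(m["state"]), int(m["delay"])))
    return samples


def assess(samples, budget_ns: int = MAX_DIVERGENCE_NS) -> dict:
    """Summarise a monitoring window: worst offset, violations, lock losses."""
    violations = [s for s in samples if not s.compliant(budget_ns)]
    return {
        "samples": len(samples),
        "max_abs_offset_ns": max((abs(s.offset_ns) for s in samples), default=0),
        "violations": len(violations),
        "unlocked_samples": sum(1 for s in samples if not s.locked),
        "first_violation_uptime": violations[0].uptime if violations else None,
        # An empty window is not evidence of compliance.
        "compliant": bool(samples) and not violations,
    }


# Constructed sample log: two good samples, one 145 us excursion, one lock loss,
# and one unrelated port-state line that the parser must ignore.
SAMPLE_LOG = [
    "ptp4l[4122.104]: master offset        -17 s2 freq  -21012 path delay      1184",
    "ptp4l[4123.104]: master offset         23 s2 freq  -20990 path delay      1186",
    "ptp4l[4124.104]: master offset     145000 s2 freq  -18000 path delay      1190",
    "ptp4l[4125.104]: master offset      -3100 s0 freq  -21000 path delay      1180",
    "ptp4l[4126.104]: port 1: SLAVE to UNCALIBRATED on SYNCHRONIZATION_FAULT",
]


def run_sample() -> dict:
    return assess(parse_ptp4l(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In practice the lines come from the ptp4l journal on each timestamping host; keeping the per-sample records (not only the summary) is what lets you show, a year later, exactly when the clock was outside budget and for how long.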
Re: [c-nsp] mac filter on switch
I tried the port-security feature with a fake MAC address to see what happens; the port went "not connect" and I'm not able to recover it. Could it be that the connected device went into the same status? It's an old server... Any idea is appreciated. Cheers James 2017-05-23 17:01 GMT+02:00 Peter Rathlev <pe...@rathlev.dk>: > On Tue, 2017-05-23 at 15:22 +0200, james list wrote: > > I’ve a customer switch C3750 (12.2(35)), is there a way to permit on > > a specific port only a group of mac address which could generate > > traffic towards the switch ? > > > > I’ve tried mac acl but I do not get the expected result. > > MAC ACL only filters non-IP traffic, if I recall correctly. > > Maybe "switchport port-security" with static addresses will do what you > want? > > -- > Peter
Re: [c-nsp] mac filter on switch
Hi, it seems fine; do you have an idea if it's possible to use a mask for the MAC? Something like: mac access-list extended secure-mac permit 40aa.zz00. .00ff. any It seems I have to list all the MAC addresses and it is not possible to use a mask. Cheers 2017-05-23 17:01 GMT+02:00 Peter Rathlev <pe...@rathlev.dk>: > On Tue, 2017-05-23 at 15:22 +0200, james list wrote: > > I’ve a customer switch C3750 (12.2(35)), is there a way to permit on > > a specific port only a group of mac address which could generate > > traffic towards the switch ? > > > > I’ve tried mac acl but I do not get the expected result. > > MAC ACL only filters non-IP traffic, if I recall correctly. > > Maybe "switchport port-security" with static addresses will do what you > want? > > -- > Peter
[c-nsp] mac filter on switch
Dear experts, I’ve a customer switch C3750 (12.2(35)); is there a way to permit on a specific port only a group of MAC addresses which could generate traffic towards the switch? I’ve tried a MAC ACL but I do not get the expected result. Any idea, example or www reference is appreciated. Thanks in advance Cheers James
Re: [c-nsp] traffic stuck firewall assymetry
Hi Ted, you are correct, the firewall nodes form a cluster (active/passive) and C6500A and B have a port-channel in between in both sites. There are no VRFs in the network. By the way, I still do not understand if you have experienced something similar and why this could cause RDP getting stuck/frozen. Kind regards James On 29 Mar 2017 22:58, "Ted Johansson" <ted.johans...@tele2.com> wrote: I guess both firewall clusters at both sites have links in between the nodes, e.g. Firewall A<->Firewall B, as well as C6500A<->C6500B. If you do have some route leaking between VRFs, that could cause issues as well if the traffic is flowing asymmetrically. Best Regards Ted -----Original Message----- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james list Sent: 29 March 2017 17:31 To: cisco-nsp NSP <cisco-nsp@puck.nether.net>; Juniper List <juniper-...@puck.nether.net> Subject: [c-nsp] traffic stuck firewall assymetry Hi experts, I’ve a couple of active-passive firewall clusters (both with two members, A and B) in two different locations connected with two different WAN links (WAN-A and WAN-B). One cluster in site A has firewall member-A as active and the router/switch (C6500, not in VSS) with WAN link A as HSRP active, and the opposite has firewall member-B as active and the router/switch with WAN link A as HSRP active. Everything works properly but sometimes the virtual machine (behind the firewall) gets frozen. Here is a draft of the design:
VDI - Firewall-A (Active) – C6500A (active HSRP) --– WAN link –-- C6500A (active HSRP) – Firewall-A (passive) - VDI
|| ||
VDI - Firewall-B (passive) – C6500B (secondary HSRP) --– WAN link –-- C6500B (secondary HSRP) – Firewall-B (Active) - VDI
Can the asymmetry in site B be the cause? I suspect yes, but I cannot figure out why. Any hint or experience is appreciated.
Cheers James
[c-nsp] traffic stuck firewall assymetry
Hi experts, I’ve a couple of active-passive firewall clusters (both with two members, A and B) in two different locations connected with two different WAN links (WAN-A and WAN-B). One cluster in site A has firewall member-A as active and the router/switch (C6500, not in VSS) with WAN link A as HSRP active, and the opposite has firewall member-B as active and the router/switch with WAN link A as HSRP active. Everything works properly but sometimes the virtual machine (behind the firewall) gets frozen. Here is a draft of the design:
VDI - Firewall-A (Active) – C6500A (active HSRP) --– WAN link –-- C6500A (active HSRP) – Firewall-A (passive) - VDI
|| ||
VDI - Firewall-B (passive) – C6500B (secondary HSRP) --– WAN link –-- C6500B (secondary HSRP) – Firewall-B (Active) - VDI
Can the asymmetry in site B be the cause? I suspect yes, but I cannot figure out why. Any hint or experience is appreciated. Cheers James
[c-nsp] PVST+ with arista box
Dear experts, I'm looking for hands-on experience in interconnecting a huge Cisco network (>400 VLANs) running PVST+ with some Arista boxes, which by default use MST but in theory could interact with Cisco proprietary PVST+. Despite the Arista document which confirms the interop, has anybody ever done something similar? If yes, any outcome? Thanks in advance Cheers James
[c-nsp] How to protect the firewall
Hi experts, I've a customer which experienced big trouble since one of the server system engineers in the company assigned to a test server the same IP address as the firewall cluster. They do not have networking resources and took time to understand the issue. My question: is there a way to protect the firewall IP addressing from other machines in the LAN which could send gratuitous ARP with these addresses? The IP addressing is static, no DHCP assignment on the servers. Any idea/help is appreciated. Cheers James
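As an added example that is not part of the thread: on the switch side, the usual answer is to stop trusting ARP from access ports (on Catalyst switches, Dynamic ARP Inspection with an ARP ACL that pins the firewall addresses to their MACs) or, failing that, static ARP entries on the hosts that matter. The Python below shows the detection side of the same idea, so that the next duplicate-IP incident is noticed in minutes rather than after a long hunt. It builds a few ARP frames as constructed test data, parses them, and raises an alert for any frame whose sender IP is a protected firewall address but whose MAC is not the firewall's, whose Ethernet source and ARP sender MAC disagree, or whose IP-to-MAC binding has changed since it was first learned. The addresses, MACs, alert names and the ArpGuard class are all hypothetical; in production the frames would come from a raw socket or a mirror port.

```python
"""Flag ARP frames that claim a protected (firewall) IP address from the wrong MAC.

Added example, not from the mailing-list thread. Frames, addresses and MACs below
are constructed test data.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(sender_mac, sender_ip, target_ip, opcode=ARP_REQUEST,
              target_mac="00:00:00:00:00:00", eth_src=None) -> bytes:
    """Ethernet II + ARP (RFC 826) frame; eth_src defaults to the ARP sender MAC."""
    eth = mac_bytes(BROADCAST) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # hw=Ethernet, proto=IPv4, 6, 4, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return {
        "eth_src": mac_str(frame[6:12]),
        "opcode": opcode,
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_ip": ip_str(tpa),
        "gratuitous": spa == tpa,   # sender announcing its own address
    }


class ArpGuard:
    """Static IP->MAC bindings for protected addresses, learned bindings for the rest."""

    def __init__(self, protected: dict):
        self.protected = {ip: mac.lower() for ip, mac in protected.items()}
        self.learned = {}
        self.alerts = []

    def inspect(self, frame: bytes):
        p = parse_arp(frame)
        if p is None:
            return None
        ip, mac = p["sender_ip"], p["sender_mac"]
        alert = None
        if p["eth_src"] != mac:                       # L2 source forged or relayed
            alert = ("L2_SRC_MISMATCH", ip, mac)
        elif ip in self.protected:                    # firewall address: must match static MAC
            if mac != self.protected[ip]:
                alert = ("PROTECTED_IP_CLAIMED", ip, mac)
        elif ip in self.learned and self.learned[ip] != mac:
            alert = ("BINDING_CHANGED", ip, mac)
        else:
            self.learned[ip] = mac
        if alert:
            self.alerts.append(alert)
        return alert


# Hypothetical firewall cluster VIP and its virtual MAC.
FIREWALL_VIP = "192.0.2.1"
FIREWALL_MAC = "00:00:5e:00:01:01"

# Constructed traffic: a legitimate gratuitous ARP from the firewall after a failover,
# a normal request from a host, the test server announcing the firewall's address,
# and the host's address reappearing from a different MAC.
SAMPLE_FRAMES = [
    build_arp(FIREWALL_MAC, FIREWALL_VIP, FIREWALL_VIP, ARP_REPLY),
    build_arp("00:11:22:33:44:55", "192.0.2.10", FIREWALL_VIP),
    build_arp("de:ad:be:ef:00:01", FIREWALL_VIP, FIREWALL_VIP, ARP_REPLY),
    build_arp("66:77:88:99:aa:bb", "192.0.2.10", FIREWALL_VIP),
]


def run_sample() -> list:
    guard = ArpGuard({FIREWALL_VIP: FIREWALL_MAC})
    for frame in SAMPLE_FRAMES:
        guard.inspect(frame)
    return guard.alerts


if __name__ == "__main__":
    for kind, ip, mac in run_sample():
        print(f"{kind}: {ip} claimed by {mac}")
```

The legitimate firewall gratuitous ARP (first frame) produces no alert because its MAC matches the static binding, which is the property you want during a cluster failover; only the test server's claim and the changed host binding are reported.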
Re: [c-nsp] C3850 and NAT
Hi Nick, what about support of PIM sparse mode, BGP and BFD as well on the Nexus at 12 k$? Cheers On 08 Feb 2017 22:50, "Nick Cutting" <ncutt...@edgetg.com> wrote: I am 99 percent sure it is not supported, or if it is will be sent to the CPU. Look at nexus 3k or 9k for a $12000 line rate NAT switch. -----Original Message----- From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james list Sent: Wednesday, February 8, 2017 4:17 PM To: cisco-nsp NSP <cisco-nsp@puck.nether.net> Subject: [c-nsp] C3850 and NAT Dear experts, I'm wondering if anybody can give detailed or experienced info about NAT support on the C3850. I'm not able to find any info on the feature set, and on the web it is not so clear... I'm looking for a cheaper switch, compared to 6500 or 68xx, able to support NAT (not a router). Thank you in advance Cheers James
[c-nsp] C3850 and NAT
Dear experts, I'm wondering if anybody can give detailed or experienced info about NAT support on the C3850. I'm not able to find any info on the feature set, and on the web it is not so clear... I'm looking for a cheaper switch, compared to 6500 or 68xx, able to support NAT (not a router). Thank you in advance Cheers James
[c-nsp] looking to find the best cisco device
Dear experts, I’m having a look at a scenario in order to find the best matching (and cheapest) device. I need at least 3 x 10 Gbps interfaces (one ingress and 2 in an egress port-channel) and support for functionalities such as:
- BGP
- Mcast PIM
- Mcast proxy register
- NAT
- 10 Gbps throughput line rate
I’m looking at a 1001-X but it seems to support only 2 x 10 Gbps interfaces, and the 1001-HX is too expensive. I was looking at different solutions (i.e. 3850) but not all the functionalities are supported (i.e. NAT). Any other idea you can suggest to me? Cheers James
Re: [c-nsp] huge amount of mcast traffic
Hi Pavel, obviously not; as you see from the previous email the market is connected to an ASR, then there is a C6807, and the only customer currently requesting this huge mcast feed is connected to a C6500 with a WAN link... I've attached my hw configuration; given my Cisco knowledge it shouldn't be an issue, but I was asking for hints... Matt has pretty much confirmed it should work, but he is not sure about the overall quality, if I get it right; if you have another view please let me know. Cheers James

2016-10-17 13:02 GMT+02:00 Pavel Skovajsa <pavel.skova...@gmail.com>:
> James,
> So all your customers are on 6708?
>
> One thing you can try is to check the internal architecture of the 6708 cards, especially the egress replication asic. Probably also depends on which ports you have the customers connected...
>
> -pavel
>
> On 13.10.2016 18:44, "Matthew Huff" <mh...@ox.com> wrote:
>
>> A sustained 6Gps on a 10GB pipe is hard to do already, but with multicast…. Typically that large of multicast is broken up into different multicast addresses can be split on multiple lines. The burst nature of the feed is going to be an issue. Will it work, yes. Will it work well, I doubt it.
>>
>> Matthew Huff | 1 Manhattanville Rd
>> Director of Operations | Purchase, NY 10577
>> OTA Management LLC | Phone: 914-460-4039
>> aim: matthewbhuff | Fax: 914-694-5669
>>
>> From: james list [mailto:jameslis...@gmail.com]
>> Sent: Thursday, October 13, 2016 12:34 PM
>> To: Matthew Huff <mh...@ox.com>
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] huge amount of mcast traffic
>>
>> well we'll connect to a 10 Gbs interface a traffic up to 6 Gbs, not on 6748 1 Gbs blades... no other issue you see ?
>>
>> 2016-10-13 18:31 GMT+02:00 Matthew Huff <mh...@ox.com>:
>> The 6748 blades are going to be an issue with buffer overruns. Whether this will be a minor or major issue depends on the application that uses the multicast data.
>>
>> Matthew Huff | 1 Manhattanville Rd
>> Director of Operations | Purchase, NY 10577
>> OTA Management LLC | Phone: 914-460-4039
>> aim: matthewbhuff | Fax: 914-694-5669
>>
>> From: james list [mailto:jameslis...@gmail.com]
>> Sent: Thursday, October 13, 2016 12:25 PM
>> To: Matthew Huff <mh...@ox.com>
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] huge amount of mcast traffic
>>
>> Hi
>>
>> I’m not able to find the multicast replication mode on ASR..
>>
>> On core routers:
>>
>> C6807 has Supervisor Engine 2T 10GE and IOS 15.1(2)SY4
>>
>> xxx>sh module
>> Mod Ports Card Type Model Serial No.
>> --- ----- -------------------------------------- ---------------- -----------
>> 1 20 DCEF2T 4 port 40GE / 16 port 10GE WS-X6904-40G xx
>> 2 20 DCEF2T 4 port 40GE / 16 port 10GE WS-X6904-40G xx
>> 3 5 Supervisor Engine 2T 10GE w/ CTS (Acti VS-SUP2T-10G xx
>> 5 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6848-GE-TX xx
>>
>> Mod Sub-Module Model Serial Hw Status
>> --- --------------------------- ------------------ ----------- ------- -------
>> 1 Distributed Forwarding Card WS-F6K-DFC4-E xxx 1.2 Ok
>> 2 Distributed Forwarding Card WS-F6K-DFC4-E xxx 1.2 Ok
>> 3 Policy Feature Card 4 VS-F6K-PFC4 xxx 3.0 Ok
>> 3 CPU Daughterboard VS-F6K-MSFC5 xxx 3.0 Ok
>> 5 Distributed Forwarding Card WS-F6K-DFC4-A xxx 1.4 Ok
>>
>> xxx#sh platform multicast routing replication
>>
>> Current mode of replication is Egress
>> Configured mode of replication is Egress
>>
>> Switch Slot Multicast replication capability
>> 1 1 Egress
>> 1 2 Egress
>> 1
Re: [c-nsp] huge amount of mcast traffic
well, we'll connect traffic up to 6 Gbps to a 10 Gbps interface, not to the 6748 1 Gbps blades... no other issue you see?

2016-10-13 18:31 GMT+02:00 Matthew Huff <mh...@ox.com>:
> The 6748 blades are going to be an issue with buffer overruns. Whether
> this will be a minor or major issue depends on the application that uses
> the multicast data.
>
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations | Purchase, NY 10577
> OTA Management LLC | Phone: 914-460-4039
> aim: matthewbhuff | Fax: 914-694-5669
>
> From: james list [mailto:jameslis...@gmail.com]
> Sent: Thursday, October 13, 2016 12:25 PM
> To: Matthew Huff <mh...@ox.com>
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] huge amount of mcast traffic
>
> Hi
>
> I'm not able to find the multicast replication mode on the ASR..
>
> On core routers:
>
> C6807 has Supervisor Engine 2T 10GE and IOS 15.1(2)SY4
>
> xxx>sh module
> Mod Ports Card Type                              Model           Serial No.
> --- ----- -------------------------------------- --------------- ----------
>   1    20 DCEF2T 4 port 40GE / 16 port 10GE       WS-X6904-40G    xx
>   2    20 DCEF2T 4 port 40GE / 16 port 10GE       WS-X6904-40G    xx
>   3     5 Supervisor Engine 2T 10GE w/ CTS (Acti  VS-SUP2T-10G    xx
>   5    48 CEF720 48 port 10/100/1000mb Ethernet   WS-X6848-GE-TX  xx
>
> Mod Sub-Module                  Model           Serial Hw  Status
> --- --------------------------- --------------- ------ --- ------
>   1 Distributed Forwarding Card WS-F6K-DFC4-E   xxx    1.2 Ok
>   2 Distributed Forwarding Card WS-F6K-DFC4-E   xxx    1.2 Ok
>   3 Policy Feature Card 4       VS-F6K-PFC4     xxx    3.0 Ok
>   3 CPU Daughterboard           VS-F6K-MSFC5    xxx    3.0 Ok
>   5 Distributed Forwarding Card WS-F6K-DFC4-A   xxx    1.4 Ok
>
> xxx#sh platform multicast routing replication
>
> Current mode of replication is Egress
> Configured mode of replication is Egress
>
> Switch Slot Multicast replication capability
>      1    1 Egress
>      1    2 Egress
>      1    3 Egress
>      1    5 Egress
>      2    1 Egress
>      2    2 Egress
>      2    3 Egress
>      2    5 Egress
>      4    1 Ingress
>      3    1 Ingress
>      5    1 Ingress
>
> C6500 has Supervisor Engine 720 10GE and IOS 12.2(33)SXI5
>
> xxx>sh module
> Mod Ports Card Type                              Model           Serial No.
> --- ----- -------------------------------------- --------------- ----------
>   1    48 CEF720 48 port 10/100/1000mb Ethernet   WS-X6748-GE-TX  xxx
>   2     8 CEF720 8 port 10GE with DFC             WS-X6708-10GE   xxx
>   3    48 CEF720 48 port 10/100/1000mb Ethernet   WS-X6748-GE-TX  xxx
>   4    48 CEF720 48 port 1000mb SFP               WS-X6748-SFP    xxx
>   5     5 Supervisor Engine 720 10GE (Active)     VS-S720-10G     xxx
>
> Mod Sub-Module                  Model           Serial Hw  Status
> --- --------------------------- --------------- ------ --- ------
>   1 Distributed Forwarding Card WS-F6700-DFC3C  xxx    1.6 Ok
>   2 Distributed Forwarding Card WS-F6700-DFC3C  xxx    1.8 Ok
>   3 Distributed Forwarding Card WS-F6700-DFC3C  xxx    1.6 Ok
>   4 Centralized Forwarding Card WS-F6700-CFC    xxx    4.2 Ok
>   5 Policy Feature Card 3       VS-F6K-PFC3C    xxx    1.1 Ok
>   5 MSFC3 Daughterboard         VS-F6K-MSFC3    xxx    1.0 Ok
>
> xxx>show mls ip multicast capability
>
> Current mode of replication is Egress
> Configured replication mode is Auto
>
> Slot Multicast replication capability
>    1
Re: [c-nsp] huge amount of mcast traffic
Hi

I'm not able to find the multicast replication mode on the ASR..

On core routers:

C6807 has Supervisor Engine 2T 10GE and IOS 15.1(2)SY4

xxx>sh module
Mod Ports Card Type                              Model           Serial No.
--- ----- -------------------------------------- --------------- ----------
  1    20 DCEF2T 4 port 40GE / 16 port 10GE       WS-X6904-40G    xx
  2    20 DCEF2T 4 port 40GE / 16 port 10GE       WS-X6904-40G    xx
  3     5 Supervisor Engine 2T 10GE w/ CTS (Acti  VS-SUP2T-10G    xx
  5    48 CEF720 48 port 10/100/1000mb Ethernet   WS-X6848-GE-TX  xx

Mod Sub-Module                  Model           Serial Hw  Status
--- --------------------------- --------------- ------ --- ------
  1 Distributed Forwarding Card WS-F6K-DFC4-E   xxx    1.2 Ok
  2 Distributed Forwarding Card WS-F6K-DFC4-E   xxx    1.2 Ok
  3 Policy Feature Card 4       VS-F6K-PFC4     xxx    3.0 Ok
  3 CPU Daughterboard           VS-F6K-MSFC5    xxx    3.0 Ok
  5 Distributed Forwarding Card WS-F6K-DFC4-A   xxx    1.4 Ok

xxx#sh platform multicast routing replication

Current mode of replication is Egress
Configured mode of replication is Egress

Switch Slot Multicast replication capability
     1    1 Egress
     1    2 Egress
     1    3 Egress
     1    5 Egress
     2    1 Egress
     2    2 Egress
     2    3 Egress
     2    5 Egress
     4    1 Ingress
     3    1 Ingress
     5    1 Ingress

C6500 has Supervisor Engine 720 10GE and IOS 12.2(33)SXI5

xxx>sh module
Mod Ports Card Type                              Model           Serial No.
--- ----- -------------------------------------- --------------- ----------
  1    48 CEF720 48 port 10/100/1000mb Ethernet   WS-X6748-GE-TX  xxx
  2     8 CEF720 8 port 10GE with DFC             WS-X6708-10GE   xxx
  3    48 CEF720 48 port 10/100/1000mb Ethernet   WS-X6748-GE-TX  xxx
  4    48 CEF720 48 port 1000mb SFP               WS-X6748-SFP    xxx
  5     5 Supervisor Engine 720 10GE (Active)     VS-S720-10G     xxx

Mod Sub-Module                  Model           Serial Hw  Status
--- --------------------------- --------------- ------ --- ------
  1 Distributed Forwarding Card WS-F6700-DFC3C  xxx    1.6 Ok
  2 Distributed Forwarding Card WS-F6700-DFC3C  xxx    1.8 Ok
  3 Distributed Forwarding Card WS-F6700-DFC3C  xxx    1.6 Ok
  4 Centralized Forwarding Card WS-F6700-CFC    xxx    4.2 Ok
  5 Policy Feature Card 3       VS-F6K-PFC3C    xxx    1.1 Ok
  5 MSFC3 Daughterboard         VS-F6K-MSFC3    xxx    1.0 Ok

xxx>show mls ip multicast capability

Current mode of replication is Egress
Configured replication mode is Auto

Slot Multicast replication capability
   1 Egress
   2 Egress
   3 Egress
   4 Egress
   5 Egress

Cheers

2016-10-13 17:59 GMT+02:00 Matthew Huff <mh...@ox.com>:
> Even with fabric-enabled blades in the c6500, you are going to get massive
> output buffer overflows. Market data has very uneven traffic patterns
> causing microburst effects. What sup-engines/blades are on the boxes? What
> type of multicast replication is being used (ingress/egress)? QoS policies
> typically make matters worse. What type of interfaces are on the 6500?
>
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations | Purchase, NY 10577
> OTA Management LLC | Phone: 914-460-4039
> aim: matthewbhuff | Fax: 914-694-5669
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james list
> Sent: Thursday, October 13, 2016 10:45 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] huge amount of mcast traffic
>
> > Dear experts,
> >
> > I've a multicast financial market connected to my infrastructure; I've been
> > informed that a new multicast data flow could reach up to 6 Gbps, so a huge
> > amount of traffic needs to be replicated.
> >
> > The market is connected to an ASR 1001, then to a C6807-XL, and customers are
> > connected to a C6500.
> >
> > The ASR1001 is running 15.3(3)S1 and currently has a license for 2.5 Gbps (to be
> > upgraded)
> >
> > C6807 has Supervisor Engine 2T 10GE and IOS 15.1(2)SY4
> >
> > C6500 has Supervisor Engine 720 10GE and IOS 12.2
[c-nsp] huge amount of mcast traffic
Dear experts,

I've a multicast financial market connected to my infrastructure; I've been informed that a new multicast data flow could reach up to 6 Gbps, so a huge amount of traffic needs to be replicated.

The market is connected to an ASR 1001, then to a C6807-XL, and customers are connected to a C6500.

The ASR1001 is running 15.3(3)S1 and currently has a license for 2.5 Gbps (to be upgraded)

C6807 has Supervisor Engine 2T 10GE and IOS 15.1(2)SY4

C6500 has Supervisor Engine 720 10GE and IOS 12.2(33)SXI5

I'd like to understand, from your experience, whether the mentioned infrastructure could suffer in performance, throughput or otherwise when having to replicate the mentioned amount of traffic.

Thanks in advance for any feedback

Cheers
James
Re: [c-nsp] strange vlan 1 output
Does it cause interface flapping?

On 07/Oct/2016 21:02, "Nick Cutting" <ncutt...@edgetg.com> wrote:
> You could add switchport nonnegotiate to force it to trunk. Kill the DTP.
> But usually it is not needed.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james list
> Sent: Friday, October 7, 2016 1:44 PM
> To: Pete Templin <peteli...@templin.org>
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] strange vlan 1 output
>
> There is a firewall on the other side...
>
> Thanks all for the hints!
>
> On 07/Oct/2016 19:41, "Pete Templin" <peteli...@templin.org> wrote:
>
> > DTP faulted on the port in question, causing it to not trunk even
> > though the mode is trunk.
> >
> > Any chance the adjacent device is a 4948? I've seen that platform do
> > this a lot, where the 4948 participates in DTP enough for the other
> > side to drop to access but the 4948 forgets to match it.
> >
> > On 10/7/2016 9:17 AM, james list wrote:
> >
> >> Hi experts,
> >>
> >> an issue on my c6500 sup720 12.2(33)SXI5.
> >>
> >> I have two ports with equal trunk configuration:
> >>
> >> xxx#sh run int g8/45
> >> interface GigabitEthernet8/45
> >>  switchport
> >>  switchport trunk encapsulation dot1q
> >>  switchport trunk allowed vlan 269
> >>  switchport mode trunk
> >>  logging event link-status
> >>  logging event trunk-status
> >>  load-interval 30
> >>  spanning-tree portfast edge trunk
> >>
> >> xxx#sh run int g9/27
> >> interface GigabitEthernet9/27
> >>  switchport
> >>  switchport trunk encapsulation dot1q
> >>  switchport trunk allowed vlan 48
> >>  switchport mode trunk
> >>  logging event link-status
> >>  logging event trunk-status
> >>  load-interval 30
> >>  udld port
> >>  spanning-tree portfast edge trunk
> >>
> >> Do you see any reason why, using "show interface status", I see vlan 1
> >> associated to g9/27 instead of trunk, as for example on interface g8/45?
> >>
> >> xxx#sh interface status
> >> Port    Name   Status     Vlan   Duplex Speed Type
> >> Gi8/45         connected  trunk  full   1000  1000BaseT
> >> Gi9/27         connected  1      full   1000  1000BaseT
> >>
> >> I see as well that the native vlan is not associated to gi9/27
> >>
> >> xxx#sh interfaces trunk
> >>
> >> Port    Mode  Encapsulation  Status    Native vlan
> >> Te1/1   on    802.1q         trunking  1
> >> Te1/2   on    802.1q         trunking  1
> >> Te1/3   on    802.1q         trunking  1
> >> Te1/4   on    802.1q         trunking  1
> >> Te2/1   on    802.1q         trunking  1
> >> Te2/2   on    802.1q         trunking  1
> >> Te2/3   on    802.1q         trunking  1
> >> Te3/4   on    802.1q         trunking  1
> >> Te3/6   on    802.1q         trunking  1
> >> Te3/7   on    802.1q         trunking  1
> >> Te3/8   on    802.1q         trunking  1
> >> Te7/1   on    802.1q         trunking  1
> >> Te7/3   on    802.1q         trunking  1
> >> Te7/9   on    802.1q         trunking  1
> >> Te7/13  on    802.1q         trunking  1
Re: [c-nsp] strange vlan 1 output
There is a firewall on the other side...

Thanks all for the hints!

On 07/Oct/2016 19:41, "Pete Templin" <peteli...@templin.org> wrote:
> DTP faulted on the port in question, causing it to not trunk even though
> the mode is trunk.
>
> Any chance the adjacent device is a 4948? I've seen that platform do this
> a lot, where the 4948 participates in DTP enough for the other side to drop
> to access but the 4948 forgets to match it.
>
> On 10/7/2016 9:17 AM, james list wrote:
>
>> Hi experts,
>>
>> an issue on my c6500 sup720 12.2(33)SXI5.
>>
>> I have two ports with equal trunk configuration:
>>
>> xxx#sh run int g8/45
>> interface GigabitEthernet8/45
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan 269
>>  switchport mode trunk
>>  logging event link-status
>>  logging event trunk-status
>>  load-interval 30
>>  spanning-tree portfast edge trunk
>>
>> xxx#sh run int g9/27
>> interface GigabitEthernet9/27
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan 48
>>  switchport mode trunk
>>  logging event link-status
>>  logging event trunk-status
>>  load-interval 30
>>  udld port
>>  spanning-tree portfast edge trunk
>>
>> Do you see any reason why, using "show interface status", I see vlan 1
>> associated to g9/27 instead of trunk, as for example on interface g8/45?
>>
>> xxx#sh interface status
>> Port    Name   Status     Vlan   Duplex Speed Type
>> Gi8/45         connected  trunk  full   1000  1000BaseT
>> Gi9/27         connected  1      full   1000  1000BaseT
>>
>> I see as well that the native vlan is not associated to gi9/27
>>
>> xxx#sh interfaces trunk
>>
>> Port    Mode  Encapsulation  Status    Native vlan
>> Te1/1   on    802.1q         trunking  1
>> Te1/2   on    802.1q         trunking  1
>> Te1/3   on    802.1q         trunking  1
>> Te1/4   on    802.1q         trunking  1
>> Te2/1   on    802.1q         trunking  1
>> Te2/2   on    802.1q         trunking  1
>> Te2/3   on    802.1q         trunking  1
>> Te3/4   on    802.1q         trunking  1
>> Te3/6   on    802.1q         trunking  1
>> Te3/7   on    802.1q         trunking  1
>> Te3/8   on    802.1q         trunking  1
>> Te7/1   on    802.1q         trunking  1
>> Te7/3   on    802.1q         trunking  1
>> Te7/9   on    802.1q         trunking  1
>> Te7/13  on    802.1q         trunking  1
>> Te7/14  on    802.1q         trunking  1
>> Gi8/3   on    802.1q         trunking  1
>> Gi8/9   on    802.1q         trunking  1
>> Gi8/13  on    802.1q         trunking  1
>> Gi8/29  on    802.1q         trunking  1
>> Gi8/30  on    802.1q         trunking  1
>> Gi8/43  on    802.1q         trunking  1
>> Gi8/44  on    802.1q         trunking  1
>> Gi8/45  on    802.1q         trunking  1
>> Gi9/8   on    802.1q         trunking  1
>> Gi9/9   on    802.1q         trunking  1
>> Gi9/17  on    802.1q         trunking  1
>> Gi9/18  on    802.1q         trunking  1
>> Gi9/20  on    802.1q         trunking  1
>> Gi9/21  on    802.1q         trunking  1
Re: [c-nsp] strange vlan 1 output
xxx#sh int gigabitEthernet 8/45 switchport
Name: Gi8/45
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: 269
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

xxx#sh int gigabitEthernet 9/27 switchport
Name: Gi9/27
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Operational Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: 48
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

2016-10-07 18:20 GMT+02:00 Nick Cutting <ncutt...@edgetg.com>:
> This is the perfect time to run
>
> sh int g8/45 switchport
> sh int g9/27 switchport
>
> to get configured values vs. negotiated ones
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james list
> Sent: Friday, October 7, 2016 12:18 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] strange vlan 1 output
>
> Hi experts,
>
> an issue on my c6500 sup720 12.2(33)SXI5.
>
> I have two ports with equal trunk configuration:
>
> xxx#sh run int g8/45
> interface GigabitEthernet8/45
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 269
>  switchport mode trunk
>  logging event link-status
>  logging event trunk-status
>  load-interval 30
>  spanning-tree portfast edge trunk
>
> xxx#sh run int g9/27
> interface GigabitEthernet9/27
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 48
>  switchport mode trunk
>  logging event link-status
>  logging event trunk-status
>  load-interval 30
>  udld port
>  spanning-tree portfast edge trunk
>
> Do you see any reason why, using "show interface status", I see vlan 1
> associated to g9/27 instead of trunk, as for example on interface g8/45?
>
> xxx#sh interface status
> Port    Name   Status     Vlan   Duplex Speed Type
> Gi8/45         connected  trunk  full   1000  1000BaseT
> Gi9/27         connected  1      full   1000  1000BaseT
>
> I see as well that the native vlan is not associated to gi9/27
>
> xxx#sh interfaces trunk
>
> Port    Mode  Encapsulation  Status    Native vlan
> Te1/1   on    802.1q         trunking  1
> Te1/2   on    802.1q         trunking  1
> Te1/3   on    802.1q         trunking  1
> Te1/4   on    802.1q         trunking  1
> Te2/1   on    802.1q         trunking  1
> Te2/2   on    802.1q         trunking  1
> Te2/3   on    802.1q         trunking  1
> Te3/4   on    802.1q         trunking  1
> Te3/6   on    802.1q         trunking  1
> Te3/7   on    802.1q         trunking  1
> Te3/8   on    802.1q         trunking  1
> Te7/1   on    802.1q         trunking  1
> Te7/3   on    802.1q         trunking  1
> Te7/9   on    802.1q         trunking  1
> Te7/13  on    802.1q         trunking  1
> Te7/14  on    802.1q         trunking  1
> Gi8/3   on    802.1q         trunking  1
> Gi8/9   on    802.1q         trunking  1
> Gi8/13  on    802.1q         trunking
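The two "show interfaces switchport" outputs above are the whole diagnosis: both ports are administratively "trunk" with "Negotiation of Trunking: On", but Gi9/27 operationally fell back to "static access" because the DTP exchange with the peer (a firewall here) never completed. The script below is an added example, not something from the thread or Cisco: it parses that output format, flags ports whose operational mode does not match the configured trunk mode, and separately flags every port still running DTP, since a port that negotiates will also form a trunk with any device that speaks DTP at it, which is why "switchport nonnegotiate" is the usual fix on ports facing firewalls and servers. The sample text is a constructed, abbreviated copy of the two blocks shown in the message.

```python
# Added example: audit "show interfaces switchport" output for trunks that failed
# to negotiate and for ports that still run DTP. Not part of the original post.

# Constructed sample, abbreviated from the two blocks quoted in the message above.
SAMPLE_SWITCHPORT_OUTPUT = """\
Name: Gi8/45
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 269

Name: Gi9/27
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 48
"""


def parse_switchport(text: str) -> dict:
    """Split the output into one {field: value} dict per 'Name:' block."""
    ports: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only; values may contain colons
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports


def audit(ports: dict) -> dict:
    """Return {port: [issue, ...]} for the conditions worth acting on."""
    findings: dict = {}
    for name, attrs in ports.items():
        issues = []
        admin = attrs.get("Administrative Mode", "")
        oper = attrs.get("Operational Mode", "")
        if admin == "trunk" and oper != "trunk":
            issues.append(
                f"configured as trunk but operating as '{oper}': "
                "DTP negotiation with the peer did not complete"
            )
        if attrs.get("Negotiation of Trunking", "").lower() == "on":
            issues.append(
                "DTP is enabled: trunk state depends on the peer and any DTP speaker can "
                "negotiate a trunk; add 'switchport nonnegotiate' to pin it"
            )
        if attrs.get("Trunking Native Mode VLAN", "").startswith("1 "):
            issues.append("native VLAN is 1; use a dedicated unused native VLAN on trunks")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_switchport(SAMPLE_SWITCHPORT_OUTPUT)).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run it against the full output of "show interfaces switchport" pasted into a file; the first finding is the one that explains the "1" in "show interface status", the other two are the hardening points that apply to Gi8/45 as well even though it happens to be trunking today.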
[c-nsp] strange vlan 1 output
Hi experts,

an issue on my c6500 sup720 12.2(33)SXI5.

I have two ports with equal trunk configuration:

xxx#sh run int g8/45
interface GigabitEthernet8/45
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 269
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 load-interval 30
 spanning-tree portfast edge trunk

xxx#sh run int g9/27
interface GigabitEthernet9/27
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 48
 switchport mode trunk
 logging event link-status
 logging event trunk-status
 load-interval 30
 udld port
 spanning-tree portfast edge trunk

Do you see any reason why, using "show interface status", I see vlan 1 associated to g9/27 instead of trunk, as for example on interface g8/45?

xxx#sh interface status
Port    Name   Status     Vlan   Duplex Speed Type
Gi8/45         connected  trunk  full   1000  1000BaseT
Gi9/27         connected  1      full   1000  1000BaseT

I see as well that the native vlan is not associated to gi9/27

xxx#sh interfaces trunk

Port    Mode  Encapsulation  Status    Native vlan
Te1/1   on    802.1q         trunking  1
Te1/2   on    802.1q         trunking  1
Te1/3   on    802.1q         trunking  1
Te1/4   on    802.1q         trunking  1
Te2/1   on    802.1q         trunking  1
Te2/2   on    802.1q         trunking  1
Te2/3   on    802.1q         trunking  1
Te3/4   on    802.1q         trunking  1
Te3/6   on    802.1q         trunking  1
Te3/7   on    802.1q         trunking  1
Te3/8   on    802.1q         trunking  1
Te7/1   on    802.1q         trunking  1
Te7/3   on    802.1q         trunking  1
Te7/9   on    802.1q         trunking  1
Te7/13  on    802.1q         trunking  1
Te7/14  on    802.1q         trunking  1
Gi8/3   on    802.1q         trunking  1
Gi8/9   on    802.1q         trunking  1
Gi8/13  on    802.1q         trunking  1
Gi8/29  on    802.1q         trunking  1
Gi8/30  on    802.1q         trunking  1
Gi8/43  on    802.1q         trunking  1
Gi8/44  on    802.1q         trunking  1
Gi8/45  on    802.1q         trunking  1
Gi9/8   on    802.1q         trunking  1
Gi9/9   on    802.1q         trunking  1
Gi9/17  on    802.1q         trunking  1
Gi9/18  on    802.1q         trunking  1
Gi9/20  on    802.1q         trunking  1
Gi9/21  on    802.1q         trunking  1
Gi9/29  on    802.1q         trunking  1
Gi9/30  on    802.1q         trunking  1
Gi9/33  on    802.1q         trunking  1
Gi9/35  on    802.1q         trunking  1
Gi9/40  on    802.1q         trunking  1
Gi9/43  on    802.1q         trunking  1
Gi9/45  on    802.1q         trunking  1
Gi9/46  on    802.1q         trunking  1

Thanks in advance for any feedback.

Cheers
James
[c-nsp] C6500 dual supervisor redundancy to break
Hi experts,

on my running C6500 in one of the PoPs I've configured redundancy with dual Sup-2T. Now I'm going to add a new C6500 and want to remove one Sup from the running C6500 and insert it in the new one.

The questions:

1) do you suggest keeping redundancy enabled also with one Sup in the currently running switch? There is no plan to have redundancy again on this one.
2) if I want to remove redundancy, do I just have to eject the supervisor and remove the redundancy configuration?
3) when removing the redundancy config, do I have to expect traffic loss?
4) or is it better to leave it configured in recovery mode?

I'm not able to find this case on cisco.com; I find only how to add redundancy but not how to break redundancy :-)

Thanks in advance for any hint.

Cheers
James
[c-nsp] PTP design
Hi experts!

More than a vendor-related question, I'm wondering whether to discuss or get hints regarding the upcoming MiFID II PTP requirement (max divergence from UTC of 1 microsecond), whose implementation will be required from Jan 2018.

I'd like to set up in my DC two fully redundant PTP sources; for this reason I'm planning to use two different antennas, coax runs and suppliers, but here are the first doubts:

- What is the best design to provide redundancy?
- Do I have to use multicast or unicast (like NTP)?
- Is there any scalability issue?
- If I use multicast, which multicast groups are used by the PTP vendors? Is there any IETF-assigned group?
- Do I have to dedicate a single VLAN that the servers have to connect to in order to get the multicast packets?

I've many doubts and maybe we can share some common ideas if anybody else is going to set up the service...

Thanks in advance for any feedback

Regards
James
Re: [c-nsp] Issue with port-channel hashing
Hi Matt,

where can I find the exact algorithm for the load-balancing decision?

I see two hosts on the same subnet (storage replication) are using the same link.

I read that the command "port-channel load-balance src-dst-mixed-ip-port" could cause from seconds to minutes of traffic loss... I cannot try it :-(

Cheers

2016-07-23 0:53 GMT+02:00 Mack McBride <mack.mcbr...@viawest.com>:
> With some traffic patterns there isn't much you can do.
> If there are very few source and destination addresses then you may not be able to
> distribute the traffic. Especially for long-lived flows.
>
> Try 'port-channel load-balance src-dst-mixed-ip-port' if you are on code
> that supports it.
> Also ensure you have 'port-channel load-balance per-module'.
> You already found the adaptive knob.
> Adaptive is more difficult to troubleshoot when there are issues.
>
> You may also want to set 'mls ip cef load-sharing full'.
>
> Mack McBride | Senior Network Architect | ViaWest, Inc.
> O: 720.891.2502 | C: 303.720.2711 | mack.mcbr...@viawest.com | www.viawest.com
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of james list
> Sent: Friday, July 22, 2016 1:45 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Issue with port-channel hashing
>
> Dear experts,
>
> I need help.
>
> On my C6500 sup720 (12.2(33)SXI5) I've a port-channel of 4 x 1 Gbps, with 1 Gbps
> full and hashing fixed.
>
> On the port-channel I'm trunking a few L2 VLANs and on top of one of
> those I've L3 (with OSPF).
>
> Since hashing is fixed, all the traffic that the 6500 ASIC has decided to send
> on that link is experiencing problems.
>
> My questions:
>
> 1) Which is the faster and safer way to detect the "guilty" (src/dst ip)? I see accounting seems not to be working
>
> 2) What if I changed hashing from fixed to adaptive? Any detail on that? I'm not able to find how it works in detail on cisco.com
>
> Any help is appreciated,
>
> Cheers
>
> James
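Mack's point (few source/destination pairs cannot be spread however good the hash is) and James's observation (two storage hosts always land on the same member) are the same thing seen from two sides: with "src-dst-ip" every session between one host pair has the same hash input, so it can only ever map to one bucket. The model below is an added example, not the thread's nor Cisco's code: the Catalyst 6500's real hash function is undocumented, so this uses a deliberately simple stand-in (XOR of the low three bits of each field) that keeps the shape that matters, an 8-bucket result dealt across the member links, which is also why a 3-link bundle splits 3:3:2. The hosts, ports and the round-robin bucket-to-link mapping are all constructed for the illustration.

```python
# Added example (not from the thread): toy model of port-channel hashing showing why
# src-dst-ip pins one host pair to a single member while src-dst-mixed-ip-port spreads
# that pair's sessions. The hash here is a stand-in, NOT the 6500's real algorithm.
import ipaddress
from collections import Counter

BUCKETS = 8  # the 6500 resolves each frame to one of 8 hash buckets


def _low_bits(value: int) -> int:
    """Keep the low log2(BUCKETS) bits of a field (3 bits for 8 buckets)."""
    return value & (BUCKETS - 1)


def hash_bucket(src: str, dst: str, sport: int, dport: int, policy: str) -> int:
    """Toy hash: XOR the low bits of every field the load-balance policy includes."""
    bucket = _low_bits(int(ipaddress.ip_address(src))) ^ _low_bits(int(ipaddress.ip_address(dst)))
    if policy == "src-dst-mixed-ip-port":
        bucket ^= _low_bits(sport) ^ _low_bits(dport)
    elif policy != "src-dst-ip":
        raise ValueError(f"unsupported policy {policy!r}")
    return bucket


def member_for_bucket(bucket: int, n_members: int) -> int:
    """Illustrative mapping: buckets are dealt round-robin to the member links."""
    return bucket % n_members


def distribution(flows, policy: str, n_members: int = 4) -> dict:
    """Count how many of the given flows each member link carries under a policy."""
    counts: Counter = Counter()
    for src, dst, sport, dport in flows:
        link = member_for_bucket(hash_bucket(src, dst, sport, dport, policy), n_members)
        counts[link] += 1
    return dict(counts)


# Constructed input: six iSCSI sessions between the same two storage hosts over a 4 x 1G bundle.
REPLICATION_FLOWS = [("10.0.0.10", "10.0.0.20", 50000 + i, 3260) for i in range(1, 7)]

if __name__ == "__main__":
    for policy in ("src-dst-ip", "src-dst-mixed-ip-port"):
        print(f"{policy:24s} -> flows per member link: {distribution(REPLICATION_FLOWS, policy)}")
```

Under "src-dst-ip" all six sessions share one bucket and therefore one link, whatever hash is in use, because the input never changes; including the L4 ports gives the hash six different inputs to work with. Note the limit Mack mentions still holds: a single long-lived session is one hash input under any policy and cannot be split.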
Re: [c-nsp] Issue with port-channel hashing
Unfortunately that is not so adaptive as to understand that a link is full and change for the other sessions... :-(

2016-07-22 13:18 GMT+02:00 James Ventre <network...@ventrefamily.com>:
>
> On Fri, Jul 22, 2016 at 3:45 AM, james list <jameslis...@gmail.com> wrote:
>
>> 2) What if I changed hashing from fixed to adaptive? Any detail
>> on that? I'm not able to find how it works in detail on cisco.com
>>
>
> Whenever a port is added or removed from a fixed bundle, there's a brief
> moment of packet loss because the hash result buckets are being
> (re)assigned to the member ASICs. Adaptive bundles don't disrupt
> existing/working members.
[c-nsp] Issue with port-channel hashing
Dear experts,

I need help.

On my C6500 sup720 (12.2(33)SXI5) I've a port-channel of 4 x 1 Gbps, with 1 Gbps full and hashing fixed.

On the port-channel I'm trunking a few L2 VLANs and on top of one of those I've L3 (with OSPF).

Since hashing is fixed, all the traffic that the 6500 ASIC has decided to send on that link is experiencing problems.

My questions:

1) Which is the faster and safer way to detect the "guilty" (src/dst ip)? I see accounting seems not to be working

2) What if I changed hashing from fixed to adaptive? Any detail on that? I'm not able to find how it works in detail on cisco.com

Any help is appreciated,

Cheers
James
Re: [c-nsp] c6500 process memory
Correct, it's a SUP720. My idea is to offload the BGP prefixes received from my upstream; in this way I expect the BGP process should release some memory, right?

Cheers
James

2016-07-01 0:47 GMT+02:00 Paul <p...@globo.tech>:
> I assume it's a sup720, there's nothing you can do. Make sure you stay on
> the old code train SXI or SXJ and that's about it.
>
> Eventually it will run out of ram before it runs out of tcam space (bad
> design on their part i guess)
>
> Cisco could work around this by implementing compression or offloading
> some more processes to the SP but I doubt they have interest in reviving
> the old platform.
>
> 70% is nothing really, I wouldn't worry about it until it's over 95%
>
> On 6/30/2016 12:18 PM, james list wrote:
>
>> Dear experts,
>> just to ask if there is any guidance or best practice about process memory
>> utilization; currently on my C6500 I'm at 70% usage and would like to know
>> if I need to be alerted or not...
>>
>> I use this box for the full routing table (the BGP process is the highest memory
>> user)...
>>
>> Kind regards
>> James
>
> --
> GloboTech Communications
> Phone: 1-514-907-0050 x 215
> Toll Free: 1-(888)-GTCOMM1
> Fax: 1-(514)-907-0750
> p...@gtcomm.net
> http://www.gtcomm.net
[c-nsp] c6500 process memory
Dear experts,
just to ask if there is any guidance or best practice about process memory utilization; currently on my C6500 I'm at 70% usage and would like to know if I need to be alerted or not...

I use this box for the full routing table (the BGP process is the highest memory user)...

Kind regards
James
[c-nsp] VTP doubt
Hi

I've two 6500s (6500-A and 6500-B) in production as VTP servers; the access switches are 3750s or 4500s as VTP clients.

Today if I add a vlan manually on one of the two VTP servers (i.e. on 6500-A) it's propagated to the other server (6500-B) and to the clients.

The question is: do I have to add it manually on both VTP servers, or is just one enough to keep redundancy?

If VTP server 6500-A breaks down for any reason, does 6500-B still know the vlan that was added before only on 6500-A and continue to propagate it to the clients?

Cheers
James
Re: [c-nsp] udld fail ?
yes, in general I see your points; I was wondering if there could be a reasonable reason for the mentioned behaviour

2016-05-31 16:33 GMT+02:00 Nick Hilliard <n...@foobar.org>:
> james list wrote:
> > Apparently the Cisco gear has disabled one out of the two ten-gig
> > interfaces after some flapping of the other one, due to UDLD, which is
> > currently configured as neither aggressive nor bidirectional (not supported by the
> > Juniper gear).
> >
> > Between the two gears LACP fast is running.
> >
> > I kindly ask for any feedback if it's something already experienced by
> > somebody.
>
> udld is proprietary and non-interoperable technology. One vendor's
> implementation will not work with another's. Sometimes, a vendor's
> implementation will not interoperate with other equipment from the same
> vendor. You need to disable udld on the c6500.
>
> Nick
[c-nsp] udld fail ?
dear experts

I've a Cisco 6500 (12.2(33)) connected to a Juniper EX4200 with a 2 x 10Gb port-channel.

Apparently the Cisco gear has disabled one out of the two ten-gig interfaces after some flapping of the other one, due to UDLD, which is currently configured as neither aggressive nor bidirectional (not supported by the Juniper gear).

Between the two gears LACP fast is running.

I kindly ask for any feedback if it's something already experienced by somebody.

Cheers
James
[c-nsp] BGP query
Dear experts

I've a BGP question.

I've a router peering with a customer of mine, plain EBGP no MPLS, see the following chain as example:

myroutera --ebgp-- myrouterB --ebgp-- myrouterC --ebgp-- mycustomerA --ebgp-- mycustomer_BGP_worldwide_network

Between myrouterX I use EBGP with private AS, now I've mycustomerA router that in its BGP path is injecting to me a private AS already present in my network and I'm getting routes discarded for that at the end of the chain.

I tried to use:
- remove_private_as on myrouterC towards my network in egress, but it seems that it's able to remove only if there are private AS in the path and at the first non-private one it stops removing;
- as_override, but it works only under a vrf environment and it's not the case

I'm wondering if you see another solution, I'm thinking of a route-map that "match" as-path or network and then a "set" of AS path in the egress session among myrouterC and myrouterB, but I do not see it very scalable and manageable...

Any idea if I'm correct or other solutions you see ?

Cheers
James
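The mechanics behind the discarded routes, as an added example that is not part of the post above: a small Python model of the eBGP chain in which each hop prepends its ASN, each receiver applies the normal AS-path loop check, and myrouterC optionally applies a "remove private AS" egress knob. The AS numbers are assumptions chosen for the demo (myrouterA/B/C = 65001/65002/65003 from the private range, mycustomerA = 64496 and the customer's worldwide network = 64497 from the documentation range), and the origin route is a constructed input that already carries private AS 65002, the one myrouterB uses. The "leading only" mode reproduces the behaviour the post observed; the "strip all" mode models the stricter variant some implementations offer (on newer Cisco software the `all` form of `remove-private-as`).

```python
# Added example (not from the mailing-list post): AS-path handling on the
# eBGP chain from the post, showing why a private AS leaked by the customer
# makes myrouterB discard the route and why stripping only leading private
# ASes on myrouterC does not help.
#
# AS numbers are assumptions for the demo: myrouterA=65001, myrouterB=65002,
# myrouterC=65003 (private range); mycustomerA=64496 and the customer's
# worldwide network=64497 (documentation range).
from dataclasses import dataclass
from typing import List, Tuple

PRIVATE_ASNS = range(64512, 65535)  # 16-bit private ASN block (RFC 6996)


def is_private(asn: int) -> bool:
    return asn in PRIVATE_ASNS


def remove_private_as(path: List[int], strip_all: bool = False) -> List[int]:
    """Model of the egress 'remove private AS' knob.

    strip_all=False: drop private ASNs only from the front of the path and
    stop at the first public ASN, which is the behaviour the post reports.
    strip_all=True: drop every private ASN wherever it sits, the stricter
    variant offered by some implementations.
    """
    if strip_all:
        return [asn for asn in path if not is_private(asn)]
    out = list(path)
    while out and is_private(out[0]):
        out.pop(0)
    return out


@dataclass
class Router:
    name: str
    asn: int
    strip_private: bool = False  # apply remove_private_as on egress
    strip_all: bool = False


def advertise(sender: Router, path: List[int]) -> List[int]:
    """eBGP egress: prepend own ASN, then apply the sender's egress policy."""
    new_path = [sender.asn] + path
    if sender.strip_private:
        new_path = remove_private_as(new_path, sender.strip_all)
    return new_path


def accepts(receiver: Router, path: List[int]) -> bool:
    """eBGP ingress loop check: a path containing our own ASN is discarded."""
    return receiver.asn not in path


Hop = Tuple[str, str, Tuple[int, ...], bool]


def walk_chain(chain: List[Router], origin_path: List[int]) -> Tuple[bool, List[Hop]]:
    """Push a route hop by hop from chain[0] towards chain[-1].

    Returns (reached_the_end, log); each log entry records sender, receiver,
    the AS path as sent, and whether the receiver accepted it.
    """
    path = origin_path
    log: List[Hop] = []
    for sender, receiver in zip(chain, chain[1:]):
        path = advertise(sender, path)
        ok = accepts(receiver, path)
        log.append((sender.name, receiver.name, tuple(path), ok))
        if not ok:
            return False, log
    return True, log


def scenario(strip_private: bool, strip_all: bool = False) -> Tuple[bool, List[Hop]]:
    """The chain from the post, with the removal knob applied on myrouterC.

    Constructed input: the customer's worldwide network originates the route
    with private AS 65002 (the ASN myrouterB uses) already in the path.
    """
    chain = [
        Router("mycustomer_worldwide", 64497),
        Router("mycustomerA", 64496),
        Router("myrouterC", 65003, strip_private=strip_private, strip_all=strip_all),
        Router("myrouterB", 65002),
        Router("myrouterA", 65001),
    ]
    return walk_chain(chain, origin_path=[65002])


if __name__ == "__main__":
    for label, args in (("no removal", (False,)),
                        ("remove leading private", (True,)),
                        ("remove all private", (True, True))):
        reached, log = scenario(*args)
        print(f"{label}: reached myrouterA={reached}")
        for sender, receiver, path, ok in log:
            print(f"  {sender} -> {receiver}: {list(path)} {'accepted' if ok else 'DISCARDED'}")
```

Running it shows the route stopping at myrouterB in the first two cases (65002 is still in the path after the leading-only strip) and reaching myrouterA only when every private ASN is removed. The loop check that discards the route is a safety mechanism, so removing a private ASN from the middle of the path also removes the signal that the customer is leaking an ASN that collides with yours; the cleaner fix is at the source, with the customer filtering that private AS before it reaches myrouterC.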
Re: [c-nsp] LAN + Security solution hint
Hi Gert

Despite all the technical details I really appreciated, I have to thank you for the feedback.

Unfortunately it's a tender and I can not so much deal with questions or re-think the requirements...

Regarding the firewall I need stateful feature, nat, Policy, ipsec.. quite standard despite load balancing and what else. Throughput I'd say 2 Gbs, not a problem that in my view.

I've seen fortinet could apply (it does firewall and tries to load balance) and maybe f5 (that is currently doing load balancing and trying to do firewall)...

Thanks again
James

On 03/Feb/2016 19:58, "Gert Doering" <g...@greenie.muc.de> wrote:
> Hi,
>
> On Wed, Feb 03, 2016 at 07:34:16PM +0100, james list wrote:
> > I'd use cisco 3850/3750 in stack but i m not sure this is the right choice.
>
> The problem is that what you're asking for is nearly impossible, so
> coming up with a "this will work with gear x, that will need y" is quite
> a bit of hard work...
>
> The number of ports are easily fulfilled e.g. with an 6880x chassis
> (scaling up to 80x10GE ports), or an 6840x scaled-down 6880, but neither
> will give you 10G on Copper - just fiber, or twinax direct attach.
>
> There's 40x10GE copper on a number of Nexus 3xxx or 9xxx 1RU models,
> so there might do or not, but these are more "access" type switches,
> so, single supervisor, no "non-stop switching/routing" - if it's dead,
> it's dead...
>
> The NCS5001 that we discussed these days is brand new and has all the
> bandwidth that you'd ever need - but if its control plane fails (single
> supervisor engine), it's dead. Again.
>
> So you might re-think the requirements for resiliency - if you attach
> every machine to two of these boxes, and use fiber, I'd go for 2x 6840x
> (possibly in a VSS config, or active/passive channels).
>
> Now, for the firewall - what throughput? Which features (besides
> "load balancing" which isn't something firewalls usually do...)?
>
> Very complex requirements, price range from expensive to unbelievable,
> and even then might not sing and dance well enough.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //  www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
[c-nsp] LAN + Security solution hint
Dear experts,

I'd like to have a hint if possible...

For a project I've to provide a LAN solution to my customer with a mix of 1 Gbs copper and 10 Gbs copper ports (let's say 20 x 1 Gbs and 30 x 10 Gbs ports) plus a firewalling solution supporting features like server load balancing and reverse-proxy.

On the LAN solution I need also to provide the highest level of redundancy/resiliency, jumbo frames, L2/L3 non-stop switching/routing, ISSU, scalability both horizontal and vertical.

Could you please help me to identify the best suggested solution with Cisco technology ?

Thanks in advance..

Cheers
James
Re: [c-nsp] LAN + Security solution hint
well indeed I've asked for a network expert's suggestion, not for my father's suggestion...

Thank you for helping so much Pete :-)

2016-02-03 17:48 GMT+01:00 Pete Templin <peteli...@templin.org>:
> Years ago, my uncle was sailing to the Bahamas, and was navigating using
> "dead reckoning" (triangulation using reference points on land, etc.). He
> radioed a cargo ship to request his position. They politely declined, for
> liability reasons, but offered to confirm or deny his guess.
>
> Let's play the same game here: how about you start doing your homework,
> and come up with your best guess, and we'll confirm/deny whether you're on
> the right track.
>
> On 2/3/2016 7:38 AM, james list wrote:
>> I'd like to have a hint if possible...
>>
>> For a project I've to provide a LAN solution to my customer with a mix of
>> 1 Gbs copper and 10 Gbs copper ports (let's say 20 x 1 Gbs and 30 x 10 Gbs
>> ports) plus a firewalling solution supporting features like server load
>> balancing and reverse-proxy.
>>
>> On the LAN solution I need also to provide the highest level of
>> redundancy/resiliency, jumbo frames, L2/L3 non-stop switching/routing,
>> ISSU, scalability both horizontal and vertical.
>>
>> Could you please help me to identify the best suggested solution with
>> Cisco technology ?
Re: [c-nsp] LAN + Security solution hint
Share your bank account and as soon as the deal is got, I will send money... :-)

Despite joking I'm not so familiar with cisco gears and this is why I was asking for hints and not proposing anything..

I'd use cisco 3850/3750 in stack but I'm not sure this is the right choice. I'd choose something similar to juniper virtual chassis if available with cisco..

For firewall I guess that Asa can not provide what requested but I've no real experience...

Anyway forget my request if not polite.

Cheers and take it easy

On 03/Feb/2016 18:49, "Gert Doering" <g...@greenie.muc.de> wrote:
> Hi,
>
> On Wed, Feb 03, 2016 at 06:25:29PM +0100, james list wrote:
> > well indeed I've asked for network expert suggestion, not for my father
> > suggestion...
>
> Where can I send my invoice?
>
> You get paid for your customer to do this design, so if you want us to
> do the work, we'd like to get paid as well...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //  www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
Re: [c-nsp] L2 over L3 scenario
Thanks guys

2015-10-23 10:37 GMT+02:00 james list <jameslis...@gmail.com>:
> Dear experts,
>
> a customer of mine is looking for a solution to stretch L2 point2point
> links over its L3 flat infrastructure, basically it has some L3 6500
> switches making its WAN networks and as routing protocol is using eBGP over
> the wan links (no IGP at all... argh...).
>
> On top of the requested L2 p2p link, a customer of my customer has to
> setup/manage transparently BGP session + unicast + multicast traffic among
> its DC and its CEs.
>
> Basically I've identified L2TPv3 as possible target architecture including
> additional devices as edge of the L3 infrastructure.
>
> Which are current Cisco device supporting L2TPv3 ?
>
> I'd like to share experience, receive suggestions if any, alternatives if
> any, recommendations, scalability numbers if any, etc.
>
> Thanks in advance
>
> Cheers
> James
[c-nsp] L2 over L3 scenario
Dear experts,

a customer of mine is looking for a solution to stretch L2 point2point links over its L3 flat infrastructure, basically it has some L3 6500 switches making its WAN networks and as routing protocol is using eBGP over the wan links (no IGP at all... argh...).

On top of the requested L2 p2p link, a customer of my customer has to setup/manage transparently BGP session + unicast + multicast traffic among its DC and its CEs.

Basically I've identified L2TPv3 as possible target architecture including additional devices as edge of the L3 infrastructure.

Which are the current Cisco devices supporting L2TPv3 ?

I'd like to share experience, receive suggestions if any, alternatives if any, recommendations, scalability numbers if any, etc.

Thanks in advance

Cheers
James
Re: [c-nsp] bgp scalability C7600
Hi Gert

Good info. From the customer requirements and pricing point of view the idea is to replace it with a Nexus.

Regards

On 06/feb/2015 19:45 Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Fri, Feb 06, 2015 at 03:16:26PM +0100, james list wrote:
> > do anybody have numbers in terms of BGP sessions scalability on C7600 SUP-720 ?
>
> not that great... Ours at DE-CIX has a handful of iBGP sessions and about
> 150 eBGP sessions to IXP participants, and if that interface flaps, it will
> hiccup for about *1 hour* until everything is stable again.
>
> Effectively it depends on
> - number of sessions
> - number of prefixes on each session (10 each or 50.000)
> - how complicated your inbound and outbound policy is (our policy is
>   slightly too complicated, with as-path matches which are not exactly
>   performance efficient)
> - whether peers can be grouped into update-groups (= same export policy)
> - keepalive timers your peers have configured (the main issue is CPU busy -
>   keepalives not answered in time - session bouncing - more CPU busy, which
>   is made worse by short keepalive timers)
>
> We're not deploying Sup720s for anything with lots of BGP anymore, and the
> box in question will be replaced with an ASR9001 any day now, which is just
> laughing its NPUs off on that BGP load... (BGP convergence in 30 seconds.
> done. anything more interesting to do? Any slow peer I could nuke with
> outgoing updates sent over too fast for it?).
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //  www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
[c-nsp] bgp scalability C7600
Gents,

does anybody have numbers in terms of BGP sessions scalability on C7600 SUP-720 ?

greetings