Re: [c-nsp] Best Practice for ISP (Rebooting the switch)
On Tue, 17 Apr 2007, Affandi Indraji wrote:

> I would like to know, is there any white paper or some written evidence
> saying that half yearly/yearly/whatever it is maintenance is good for the
> health of the equipment?

If a network device is stable, not leaking memory or other resources, doesn't have any relevant security bugs that I can't get around with some combination of ACLs and disabling something, and it has all of the features I need, then I see no need to reboot it just for the sake of rebooting it. Customers like uptime :)

If one or more of the conditions above isn't met, a reboot may be necessary, but they tend not to be on regular intervals.

jms

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PPS
Don't forget to divide by two as well. Packet in = packet out (mostly). Or just count all of the input packets.

Hank Nussbacher wrote:
> At 07:11 PM 16-04-07 -0700, Shaun R. wrote:
>
>> How can I figure out how many pps a 3750G is processing at a given time?
>
> Use a script to parse and add:
> "sho int | incl packets/"
>
> -Hank
>
>> ~Shaun
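The script Hank suggests, written out as an added example (not code from the thread). It sums the per-interface rate lines that "sho int | incl packets/" leaves behind and reports both estimates the replies describe: the input side alone, and the input+output total halved. The sample output is constructed in the IOS "show interfaces" layout; interface names and rates are made up.

```python
"""Estimate switch-wide packets/sec from the rate lines that
'show interfaces | include packets/' leaves behind.

Added example, not code from the thread: the sample output is constructed
in the IOS 'show interfaces' layout with made-up interface names and rates,
and the two estimates are the ones the replies describe (sum the input side
only, or sum both sides and halve)."""
import re
import sys

# One rate line per direction per interface, e.g.
#   5 minute input rate 1532000 bits/sec, 1650 packets/sec
RATE_RE = re.compile(
    r"(?P<window>\d+) minute (?P<dir>input|output) rate "
    r"(?P<bps>\d+) bits/sec, (?P<pps>\d+) packets/sec"
)

# Constructed sample: three interfaces, one of them down.  A real
# '| include packets/' would drop the "is up" header lines; they are kept
# here only to show the parser ignores anything that is not a rate line.
SAMPLE = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  5 minute input rate 1532000 bits/sec, 1650 packets/sec
  5 minute output rate 864000 bits/sec, 1200 packets/sec
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  5 minute input rate 864000 bits/sec, 1200 packets/sec
  5 minute output rate 1532000 bits/sec, 1700 packets/sec
GigabitEthernet1/0/24 is down, line protocol is down (notconnect)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
"""


def sum_rates(text):
    """Sum pps and bps per direction across every rate line in the output."""
    totals = {"input": {"pps": 0, "bps": 0}, "output": {"pps": 0, "bps": 0}}
    for m in RATE_RE.finditer(text):
        totals[m["dir"]]["pps"] += int(m["pps"])
        totals[m["dir"]]["bps"] += int(m["bps"])
    return totals


def estimate_pps(text):
    """Two estimates of what the box is forwarding.

    Every forwarded packet is counted once on its ingress port and once on
    its egress port, so adding input and output together double-counts;
    either count input alone or halve the grand total.  The two differ when
    traffic is dropped, replicated (broadcast/multicast) or locally
    generated, which is why both are returned."""
    t = sum_rates(text)
    in_pps, out_pps = t["input"]["pps"], t["output"]["pps"]
    return {
        "input_pps": in_pps,
        "output_pps": out_pps,
        "half_sum_pps": (in_pps + out_pps) / 2,
    }


if __name__ == "__main__":
    # Feed captured 'show interfaces' text on stdin, or run on the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(estimate_pps(text))
```

The rate lines are averages over the interface load interval (five minutes by default on IOS), so a short burst is smoothed away; the per-interface `load-interval` command shortens that window if a faster-reacting number is wanted. Sampling "show interfaces" twice and differencing the absolute "packets input" counters gives an exact figure for the interval between the two captures.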
Re: [c-nsp] PPS
At 07:11 PM 16-04-07 -0700, Shaun R. wrote:
> How can I figure out how many pps a 3750G is processing at a given time?

Use a script to parse and add:
"sho int | incl packets/"

-Hank

> ~Shaun
Re: [c-nsp] Best Practice for ISP (Rebooting the switch)
On Apr 16, 2007, at 6:46 PM, Affandi Indraji wrote:

> I would like to know, is there any white paper or some written evidence
> saying that half yearly/yearly/whatever it is maintenance is good for the
> health of the equipment?

Unless there're indications of memory fragmentation, there should be no need to reboot equipment outside of normal maintenance activities which require a reboot, such as upgrading software images.

---
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

Words that come from a machine have no soul.

-- Duong Van Ngo
[c-nsp] PPS
How can I figure out how many pps a 3750G is processing at a given time?

~Shaun
[c-nsp] Best Practice for ISP (Rebooting the switch)
Hi All,

I would like to know, is there any white paper or some written evidence saying that half yearly/yearly/whatever it is maintenance is good for the health of the equipment?

Regards,
Affandi
Re: [c-nsp] Cisco load balancers with SSL offload
We use the CSS extensively (almost 1,000 deployed) and while we have some minor issues from time to time, they are pretty reliable, feature rich, support SSL, and are very cost competitive (especially if you are trying to compare to an F5).

We've also tested the ACE, and have several in production. It's going to be a definite upgrade from the CSS when some of the little kinks are worked out. We are currently using their 6500 module, and have the actual appliance that is going to be released in testing. There are some nice features that are coming on them.

--
Tom Sands
Chief Network Engineer
Rackspace Managed Hosting
--

R.L. Nevot wrote:
> IMHO, I'm not a big fan of cisco in this kind of questions.
> You may take a look for F5 networks (6400) or maybe Juniper DX
>
> I have bad experiences with CSSs and CSMs, but not tested ACEs
>
> Regards.
>
> On 4/16/07, Gert Doering <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> thanks a lot to all who answered.
>>
>> Indeed, there is lots of different variants to choose from...
>>
>> (I assume that both the CSM and the ACE can do SSL "out of the box", and
>> you just need to have the right license, that is, "don't buy extra
>> daughter cards"?)
>>
>> To answer a few of your questions:
>>
>> On Mon, Apr 16, 2007 at 10:00:00AM -0500, James Slepicka wrote:
>>> We're doing SSL termination on CSS11503s (available on the 11501S-C and
>>> above). The 11503 is modular and price can vary greatly based on
>>> config, so I won't toss out any numbers.
>>>
>>> After a few tweaks to solve poor performance issues (ssl-queue-delay, in
>>> particular), I've been pretty happy with them. I'm curious to know,
>>> aside from the fact that it's an aging platform, why you're not.
>>
>> Well, the customer setups that we maintain for them are only using older
>> models, like the CSS11150 - which *is* an old box.
>>
>> My main gripes with it are:
>>
>> - not very powerful (read: they are maxing out the box's CPU at below
>> 70-80 Mbit/s)
>>
>> - no SSL offloading (Cisco used to sell a separate box for that)
>>
>> - no useful way to figure out what the box is doing - like "*why* is
>> your CPU at 100%? How many sessions/seconds? bits/sec? ..."
>>
>> - convoluted way to get outgoing NAT to work
>>
>>> p.s. -- Though I have limited experience with them, I'd recommend
>>> staying away from the Radware boxes. We, and the Radware tech we had
>>> installing them, ran into tons of problems.
>>
>> Haven't considered those :-) - but thanks for the warnings.
>>
>> (Regarding Citrix Netscalers: they *have* some icky corners, but most
>> of their behaviour is fairly well documented, and what I love most is
>> their tracing capabilities - like "monitor *this* interface for *x*
>> seconds and then give me a pcap file with the packets in it")
>>
>> On Mon, Apr 16, 2007 at 04:53:34PM +0100, Phil Mayers wrote:
>>> If you can talk about it, I'd be *very* interested to hear about the
>>> Foundry problems - though I know you said don't ask!
>>
>> Our main problems with those (*different* customer) is that you can't
>> do useful SSL offloading for multiple different domains without ending
>> up with a very convoluted configuration both on the Foundries and on
>> the server.
>>
>> That is: the customer has www..de, .at, .ch, .nl, ... and you
>> have a different certificate + IP address for it. So far, no problem, but
>> when trying to define backend servers (services) to balance the requests
>> *to*, you can't use the same port number on the HTTP server.
>>
>> So you end up balancing .de to port 80, .at to port 1080, .ch to port
>> 2080, ... on the backend machines - which makes "add a new TLD" a real
>> nightmare (*and* you need to have health checks on every single port,
>> otherwise there is no way to make the box stop balancing .at to a given
>> backend server even when it already noticed that port 80 = .de is dead).
>>
>> The second issue we have is that cookie based persistence doesn't seem
>> to work for SSL sessions (we received a configuration fragment for that
>> from foundry last week, but it means "rewrite all our config", so we
>> couldn't test that one yet).
>>
>> gert
>>
>> --
>> USENET is *not* the non-clickable part of WWW!
>>                                                  //www.muc.de/~gert/
>> Gert Doering - Munich, Germany                   [EMAIL PROTECTED]
>> fax: +49-89-35655025                             [EMAIL PROTECTED]
Re: [c-nsp] Cisco 1811 DNS Server overload
Can you please tell me if there is a specific reason/bug for this? The router was running 12.4(6)Tyy and was still doing this, before I upgraded it to 12.4(11)Txx to try to fix it.

...Skeeve

-----Original Message-----
From: John Kougoulos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 17 April 2007 2:19 AM
To: [EMAIL PROTECTED]
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] Cisco 1811 DNS Server overload

also if you are using 12.4(11)Txx, consider moving back to 12.4(6)Tyy.

Skeeve Stevens wrote:
> I have an 1811 temporarily doing NAT for about 200 clients and at the moment
> and while it generally is working ok, the DNS facility of the router is
> freaking out.
>
> Some show logging:
>
> *Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more
> than (2000)msecs (13/0),process = DNS Server.
> -Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC
> 0x800D7ACC 0x800DB410
> *Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more
> than (2000)msecs (30/0),process = DNS Server.
> -Traceback= 0x822F21DC 0x8099C78C 0x80AB6508 0x80AB7ACC 0x800D7ACC
> 0x800DB410
>
> And yesterday it crashed:
>
> Router uptime is 1 day, 2 hours, 42 minutes
> System returned to ROM by error - an Illegal Opcode exception, PC 0x83B1A8E4
> at 20:17:29 AEST Sun Apr 15 2007
>
> I would like to actually stop the 1811 caching DNS queries but I can't
> figure out how to. I would just prefer it relay every request or some other
> solutions perhaps that could be suggested here. This would at least keep the
> router up and running.
>
> Any help would be muchly appreciated.
>
> .Skeeve
>
> ___
> Skeeve Stevens, RHCE   Email: [EMAIL PROTECTED]
> Website: www.skeeve.org - Telephone: (0414) 753 383
> skype://skeeve
> Address: P.O Box 1035, Epping, NSW, 1710, Australia
>
> eIntellego - [EMAIL PROTECTED] - www.eintellego.net
> ___
> I'm a groove licked love child king of the verse
> Si vis pacem, para bellum
Re: [c-nsp] Cisco 1811 DNS Server overload
Dns spoofing is not on. Just in case I 'ip dns spoofing' and clear host *

And it is still filling up with host entries.

...Skeeve

-----Original Message-----
From: Brian Turnbow [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 April 2007 11:53 PM
To: [EMAIL PROTECTED]; Cisco-nsp
Subject: RE: [c-nsp] Cisco 1811 DNS Server overload

Do you have dns spoofing on ? If so turn it off. That is what causes "dns proxy"

You can disable dns lookups completely with no ip domain lookup

Brian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Skeeve Stevens
Sent: Monday, 16 April 2007 15.07
To: 'Cisco-nsp'
Subject: [c-nsp] Cisco 1811 DNS Server overload

I have an 1811 temporarily doing NAT for about 200 clients and at the moment and while it generally is working ok, the DNS facility of the router is freaking out.

Some show logging:

*Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (13/0),process = DNS Server.
-Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC 0x800D7ACC 0x800DB410
*Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (30/0),process = DNS Server.
-Traceback= 0x822F21DC 0x8099C78C 0x80AB6508 0x80AB7ACC 0x800D7ACC 0x800DB410

And yesterday it crashed:

Router uptime is 1 day, 2 hours, 42 minutes
System returned to ROM by error - an Illegal Opcode exception, PC 0x83B1A8E4 at 20:17:29 AEST Sun Apr 15 2007

I would like to actually stop the 1811 caching DNS queries but I can't figure out how to. I would just prefer it relay every request or some other solutions perhaps that could be suggested here. This would at least keep the router up and running.

Any help would be muchly appreciated.

.Skeeve

___
Skeeve Stevens, RHCE   Email: [EMAIL PROTECTED]
Website: www.skeeve.org - Telephone: (0414) 753 383
skype://skeeve
Address: P.O Box 1035, Epping, NSW, 1710, Australia

eIntellego - [EMAIL PROTECTED] - www.eintellego.net
___
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
Re: [c-nsp] ASA AIP - Signature updates from Cisco?
Yes, this is the case, last I checked.. Cisco IPS sucks

Websense (not an IPS , I know) updates every 5 min during the day.

Chris Serafin
Security Engineer
[EMAIL PROTECTED]

Garry wrote:
> After some browsing through the ASA documents, trying to find
> information on the automatic signature update, I came across this remark:
>
> "The sensor cannot automatically download service pack and signature
> updates from Cisco.com. You must download the service pack and signature
> updates from Cisco.com to your FTP or SCP server, and then configure the
> sensor to download them from the FTP or SCP server."
>
> Is this true, or outdated? If it is true, why? I do understand there may
> be concerns as to the security of the content of the data, but those
> could be easily taken care of by MD5/PGP signatures. It pretty much
> sucks having to do manual downloads of signatures in order to have the
> ASA/AIP download it from the server and install it...
>
> Or is the signature .pkg available somewhere under a "hidden path" on
> ftp.cisco.com?
>
> Tnx, -garry
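Garry's remark that the integrity of staged update files "could be easily taken care of by MD5/PGP signatures" is the part of this exchange that can be shown in code. The following is an added example, not something from the thread or from Cisco: it checks every file in a staging directory (the FTP/SCP server the sensor is later pointed at) against a digest manifest before the sensor is told to fetch from it. The manifest layout ("<hex digest>  <filename>", as sha256sum prints it), the file names and the file contents are all constructed for the demonstration.

```python
"""Verify a staged signature/service-pack bundle against a digest manifest
before a sensor is pointed at the staging server.

Added example, not from the thread or from Cisco.  The manifest format
("<hex digest>  <filename>", the layout sha256sum emits), the package names
and their contents are constructed for illustration."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Digests the verifier accepts.  MD5 is deliberately absent: two different
# files with the same MD5 can be manufactured, so it no longer proves that
# the staged copy is the one that was published.
ACCEPTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hex digest of a file, read in chunks so large packages don't need RAM."""
    h = ACCEPTED[algo]()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Return {filename: hexdigest} from 'digest  filename' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name or not all(c in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.strip()] = digest.lower()
    return entries


def verify_bundle(staging_dir, manifest_text, algo="sha256"):
    """Check every file the manifest names; return (ok, list_of_problems).

    A missing file is reported as loudly as a mismatch: a sensor told to
    fetch it would otherwise fail later, outside the maintenance window."""
    staging = Path(staging_dir)
    problems = []
    for name, expected in parse_manifest(manifest_text).items():
        target = staging / name
        if not target.is_file():
            problems.append(f"{name}: missing from staging area")
            continue
        actual = file_digest(target, algo)
        # Constant-time compare, so where a digest differs isn't timing-visible.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{name}: digest mismatch")
    return (not problems, problems)


def demo():
    """Constructed staging area: one good file, one altered, one not staged."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "sig-update.pkg"        # placeholder name
        good.write_bytes(b"signature update payload v1\n")
        bad = Path(d) / "service-pack.pkg"       # placeholder name
        bad.write_bytes(b"service pack payload\n")
        published = hashlib.sha256(b"service pack payload ORIGINAL\n").hexdigest()
        manifest = "\n".join([
            f"{file_digest(good)}  {good.name}",
            f"{published}  {bad.name}",
            f"{'0' * 64}  not-staged.pkg",
        ])
        clean = verify_bundle(d, f"{file_digest(good)}  {good.name}\n")
        tampered = verify_bundle(d, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, (ok, problems) in demo().items():
        print(label, "OK" if ok else "REJECT", problems)
```

A digest manifest only proves that the staged copy matches whatever the manifest describes; it says nothing about who published it unless the manifest itself arrived over a trusted path or carries a signature that is checked first. That is the PGP half of Garry's remark, and it is the half that matters when the staging server is reachable by more than the person who populated it.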
[c-nsp] PAgP or LACP timers
Hi all,

I have a scenario in which there are two 3750 switches for the IBM blade center. I'd like to implement etherchannel between the switches so that 8 GE ports will pass through 8 of the blade servers, while each blade is acting as a bridge. So far so good.

Each of the blades is running an application, that when fails it also disrupts the bridging capabilities of the server, therefore not allowing frames from one side to the other.

Now, the thing is that whenever a blade server is inserted in the chassis the ports on the switches become up, so in order to control whether a port is a member of a channel-group I must deploy PAgP or LACP. However, the inherent timers of the protocols are somewhat slow, 30 seconds between keepalives, which is too long in order to detect a failure.

My question is divided into two:

1. Is it possible to somehow change the timers of PAgP or LACP? (we found an "lacp rate fast" command only on 6500).

2. Do you have a different suggestion for the above requirements?

Many thanks,

--
Ran.
Re: [c-nsp] Cisco load balancers with SSL offload
Hi,

On Mon, Apr 16, 2007 at 08:01:47PM +0200, Marcin Mazurek wrote:
>> (I assume that both the CSM and the ACE can do SSL "out of the box", and
>> you just need to have the right license, that is, "don't buy extra
>> daughter cards"?)
>
> CSM doesn't support SSL offload, ACE does. With CSM You may use SSL
> offload module, separate blade for cat6.

Ah. Important information, thanks.

> I would skip CSM as ACE is next generation product (contexts, TCP
> offload, active-active also per context, many more).

Given that ACE also seems to be a good deal less money, this is good advice :-)

> You may want to take a look at F5 and Juniper products, a nice feature is
> the rules with which You can check Your traffic in L7 without significant
> performance decrease.

Customer is explicitly asking for Cisco...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                   [EMAIL PROTECTED]
fax: +49-89-35655025                             [EMAIL PROTECTED]
Re: [c-nsp] Cisco load balancers with SSL offload
Hi,

On Mon, Apr 16, 2007 at 08:40:17PM +0200, R.L. Nevot wrote:
> I have bad experiences with CSSs and CSMs, [..]

Could you elaborate on this? I'm always willing to learn more on the drawbacks of given products.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                   [EMAIL PROTECTED]
fax: +49-89-35655025                             [EMAIL PROTECTED]
Re: [c-nsp] Layer 3 Switch Requirement and Advice
On Mon, 16 Apr 2007, Richard J. Sears wrote:

> I am looking for a good Cisco L3 switch that can handle 3 iBGP sessions
> and OSPF (two of the iBGP sessions to 7206VXR routers doing eBGP with a
> backbone and pulling full tables). Not sure which of the lower end L3
> switches would be able to carry enough ram for the tables and was
> looking for anyone actually running something like this:

There is no lower end L3 switch in the Cisco lineup that can actually forward packets using a full Internet BGP table. The current only lower end one is the Cisco 6500 Sup32 and that will run out of table space as the internet table grows beyond its 239k route FIB capability, which will happen probably around 2008Q1-2.

If you want to be sure you can use it for a while you need the Sup720-3BXL, and that can not really be called "lower end L3 switch" in my book.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
[c-nsp] Layer 3 Switch Requirement and Advice
I am looking for a good Cisco L3 switch that can handle 3 iBGP sessions and OSPF (two of the iBGP sessions to 7206VXR routers doing eBGP with a backbone and pulling full tables). Not sure which of the lower end L3 switches would be able to carry enough ram for the tables and was looking for anyone actually running something like this:

The idea would be:

[ASCII topology diagram in the original, garbled in this copy: ISP A connects by eBGP to RTR1 and ISP B by eBGP to RTR2; RTR1 and RTR2 each connect to both SW1 and SW2, and SW1 and SW2 connect to each other, as listed below.]

RTR1 and RTR2 interconnected and running OSPF between them
RTR1 and SW1 Connected and running iBGP
RTR1 and SW2 Connected and running iBGP
RTR2 and SW1 Connected and running iBGP
RTR2 and SW2 Connected and running iBGP
SW1 and SW2 Connected and running OSPF/iBGP

Other downstream switches from SW1 and SW2 exist.

Thanks !!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Richard J. Sears
CCNP/CCDP/F5SE
Re: [c-nsp] Cisco load balancers with SSL offload
Gert Doering ([EMAIL PROTECTED]) wrote:
> Hi,
>
> thanks a lot to all who answered.
>
> Indeed, there is lots of different variants to choose from...
>
> (I assume that both the CSM and the ACE can do SSL "out of the box", and
> you just need to have the right license, that is, "don't buy extra
> daughter cards"?)

CSM doesn't support SSL offload, ACE does. With CSM You may use SSL offload module, separate blade for cat6.

I would skip CSM as ACE is next generation product (contexts, TCP offload, active-active also per context, many more).

You may want to take a look at F5 and Juniper products, a nice feature is the rules with which You can check Your traffic in L7 without significant performance decrease.

br

--
Marcin Mazurek
http://www.netsync.pl/ - - nic-hdl: MM3380-RIPE
GnuPG 6687 E661 98B0 AEE6 DA8B 7F48 AEE4 776F 5688 DC89
Re: [c-nsp] 7201
[EMAIL PROTECTED] (Juan Angel Menendez) wrote:
> Another interesting thing is how they called it .. 7201,
> which has higher processor than 7301.
>
> 7201 > 7301 ?
>
> Confusing marketing names.

Not confusing for those who remember (or have) 7401s.

Elmi.

--
"Limping is not a defect of a comparison, but should be regarded as an essential property of comparisons." (Marius Fränzel in desd)
--[ ELMI-RIPE ]---
Re: [c-nsp] Cisco load balancers with SSL offload
IMHO, I'm not a big fan of cisco in this kind of questions.
You may take a look for F5 networks (6400) or maybe Juniper DX

I have bad experiences with CSSs and CSMs, but not tested ACEs

Regards.

On 4/16/07, Gert Doering <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> thanks a lot to all who answered.
>
> Indeed, there is lots of different variants to choose from...
>
> (I assume that both the CSM and the ACE can do SSL "out of the box", and
> you just need to have the right license, that is, "don't buy extra
> daughter cards"?)
>
> To answer a few of your questions:
>
> On Mon, Apr 16, 2007 at 10:00:00AM -0500, James Slepicka wrote:
>> We're doing SSL termination on CSS11503s (available on the 11501S-C and
>> above). The 11503 is modular and price can vary greatly based on
>> config, so I won't toss out any numbers.
>>
>> After a few tweaks to solve poor performance issues (ssl-queue-delay, in
>> particular), I've been pretty happy with them. I'm curious to know,
>> aside from the fact that it's an aging platform, why you're not.
>
> Well, the customer setups that we maintain for them are only using older
> models, like the CSS11150 - which *is* an old box.
>
> My main gripes with it are:
>
> - not very powerful (read: they are maxing out the box's CPU at below
> 70-80 Mbit/s)
>
> - no SSL offloading (Cisco used to sell a separate box for that)
>
> - no useful way to figure out what the box is doing - like "*why* is
> your CPU at 100%? How many sessions/seconds? bits/sec? ..."
>
> - convoluted way to get outgoing NAT to work
>
>> p.s. -- Though I have limited experience with them, I'd recommend
>> staying away from the Radware boxes. We, and the Radware tech we had
>> installing them, ran into tons of problems.
>
> Haven't considered those :-) - but thanks for the warnings.
>
> (Regarding Citrix Netscalers: they *have* some icky corners, but most
> of their behaviour is fairly well documented, and what I love most is
> their tracing capabilities - like "monitor *this* interface for *x*
> seconds and then give me a pcap file with the packets in it")
>
> On Mon, Apr 16, 2007 at 04:53:34PM +0100, Phil Mayers wrote:
>> If you can talk about it, I'd be *very* interested to hear about the
>> Foundry problems - though I know you said don't ask!
>
> Our main problems with those (*different* customer) is that you can't
> do useful SSL offloading for multiple different domains without ending
> up with a very convoluted configuration both on the Foundries and on
> the server.
>
> That is: the customer has www..de, .at, .ch, .nl, ... and you
> have a different certificate + IP address for it. So far, no problem, but
> when trying to define backend servers (services) to balance the requests
> *to*, you can't use the same port number on the HTTP server.
>
> So you end up balancing .de to port 80, .at to port 1080, .ch to port
> 2080, ... on the backend machines - which makes "add a new TLD" a real
> nightmare (*and* you need to have health checks on every single port,
> otherwise there is no way to make the box stop balancing .at to a given
> backend server even when it already noticed that port 80 = .de is dead).
>
> The second issue we have is that cookie based persistence doesn't seem
> to work for SSL sessions (we received a configuration fragment for that
> from foundry last week, but it means "rewrite all our config", so we
> couldn't test that one yet).
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>                                                  //www.muc.de/~gert/
> Gert Doering - Munich, Germany                   [EMAIL PROTECTED]
> fax: +49-89-35655025                             [EMAIL PROTECTED]
Re: [c-nsp] 7201
Interesting, the 7201 has 4 GE cards + 1 FE management and the NPE-G2 has 3 GE cards + 1 FE Management. Looks like they both push the same pps though.

Another interesting thing is how they called it .. 7201, which has higher processor than 7301.

7201 > 7301 ?

Confusing marketing names.

Regards
Juan

At 11:31 16/04/2007, Christophe Fillot wrote:
> bill hulley wrote:
>
>> Just noticed various tech documents for the 7201 appear
>> on www.cisco.com, no product info or data sheets yet.
>>
>> I assume this is the NPE-G2 refresh of the 7301, with a few
>> interface tweaks and (at last) dual hot-swap PSUs.
>
> The "sh ver" on
> http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guide_chapter09186a00807f8e73.html
> shows a MPC7448 CPU at 1.6 Ghz, this is the same as NPE-G2. Moreover the
> "sh interfaces" output shows a Marvell MV64460 system controller, still
> as the NPE-G2. This tends to confirm your hypothesis.
>
>> Anyone had any info of when we'll be able to buy these new
>> boxes?
>>
>> -- bill.
Re: [c-nsp] Cisco load balancers with SSL offload
Hi,

thanks a lot to all who answered.

Indeed, there is lots of different variants to choose from...

(I assume that both the CSM and the ACE can do SSL "out of the box", and you just need to have the right license, that is, "don't buy extra daughter cards"?)

To answer a few of your questions:

On Mon, Apr 16, 2007 at 10:00:00AM -0500, James Slepicka wrote:
> We're doing SSL termination on CSS11503s (available on the 11501S-C and
> above). The 11503 is modular and price can vary greatly based on
> config, so I won't toss out any numbers.
>
> After a few tweaks to solve poor performance issues (ssl-queue-delay, in
> particular), I've been pretty happy with them. I'm curious to know,
> aside from the fact that it's an aging platform, why you're not.

Well, the customer setups that we maintain for them are only using older models, like the CSS11150 - which *is* an old box.

My main gripes with it are:

- not very powerful (read: they are maxing out the box's CPU at below 70-80 Mbit/s)

- no SSL offloading (Cisco used to sell a separate box for that)

- no useful way to figure out what the box is doing - like "*why* is your CPU at 100%? How many sessions/seconds? bits/sec? ..."

- convoluted way to get outgoing NAT to work

> p.s. -- Though I have limited experience with them, I'd recommend
> staying away from the Radware boxes. We, and the Radware tech we had
> installing them, ran into tons of problems.

Haven't considered those :-) - but thanks for the warnings.

(Regarding Citrix Netscalers: they *have* some icky corners, but most of their behaviour is fairly well documented, and what I love most is their tracing capabilities - like "monitor *this* interface for *x* seconds and then give me a pcap file with the packets in it")

On Mon, Apr 16, 2007 at 04:53:34PM +0100, Phil Mayers wrote:
> If you can talk about it, I'd be *very* interested to hear about the
> Foundry problems - though I know you said don't ask!

Our main problems with those (*different* customer) is that you can't do useful SSL offloading for multiple different domains without ending up with a very convoluted configuration both on the Foundries and on the server.

That is: the customer has www..de, .at, .ch, .nl, ... and you have a different certificate + IP address for it. So far, no problem, but when trying to define backend servers (services) to balance the requests *to*, you can't use the same port number on the HTTP server.

So you end up balancing .de to port 80, .at to port 1080, .ch to port 2080, ... on the backend machines - which makes "add a new TLD" a real nightmare (*and* you need to have health checks on every single port, otherwise there is no way to make the box stop balancing .at to a given backend server even when it already noticed that port 80 = .de is dead).

The second issue we have is that cookie based persistence doesn't seem to work for SSL sessions (we received a configuration fragment for that from foundry last week, but it means "rewrite all our config", so we couldn't test that one yet).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                   [EMAIL PROTECTED]
fax: +49-89-35655025                             [EMAIL PROTECTED]
Re: [c-nsp] 6500 / 7600 output drops
On Mon, Apr 16, 2007 at 05:09:34PM +0100, Phil Mayers wrote:
> That traffic rate should be well within the reach of a PFC-only system.
> Is that the only traffic going through the box?

few hundred megs of other traffic at most. So yeah it really shouldn't be a big deal for the box.

> What do the various "sh platform hardware capacity" report, including
> "forwarding", "cpu", "multicast" and so forth?

running SXE6 so that command does not exist.

> sh mls ip multicast statistics

#sh mls ip multicast statistics
MLS Multicast configuration and state:
   Counters last cleared                          Never
   Router Mac                                     000f.35ef.e400
   MLS multicast operating state                  ACTIVE
   Layer 3 Switching H/W Version                  PFC III
   Maximum number of allowed outstanding message  20
   Maximum size reached from feQ                  163
   Maximum size reached from screq                0
   Feature Notification sent (simple/rtr-mac)     1/2
   Feature Notification Ack received              3
   Unsolicited Feature Notification received      2
   MSM sent/Received                              4759235/4759235
   Delete notifications received                  0
   sgc oif delete notifications received          0
   Flow Statistics messages received              1988517
   Restart Notification messages received         0
   Cleanup Send/Resp-rx seq number                0/0

TLV statistics
   TLV TYPE                       SENT      ACK       NACK      TRANSIT
   ====================================================================
   Flow Install                   6315      6315      0         0
   Flow Delete                    6163      6163      0         0
   Flow update                    4495617   4495617   0         0
   Complete Flow Install          2366      2366      0         0
   Complete Flow Delete           1         1         0         0
   Input Vlan Delete              0         0         0         0
   Input Secondary Vlan Delete    0         0         0         0
   Output Vlan Delete             0         0         0         0
   Group Delete                   0         0         0         0
   Global Delete                  0         0         0         0
   Subnet Install                 3021060   71        3020989   0
   Subnet Delete                  49        49        0         0
   RP Update                      0         0         0         0
   RPDF Update                    0         0         0         0
   Cleanup                        1         2         0         -1
   MVRF Create                    0         0         0         0
   MVRF Delete                    0         0         0         0
   Create mdt                     0         0         0         0
   Delete mdt                     0         0         0         0
   Add Tx mdt                     0         0         0         0
   Del Tx mdt                     0         0         0         0
   Add Rx mdt                     0         0         0         0
   Del Rx mdt                     0         0         0         0
   Purge Tx mdt                   0         0         0         0
   P2P tunnel Add                 0         0         0         0
   P2P tunnel Del                 0         0         0         0

TLV Error statistics
   ==========================================
   L2 entry not found error                  0
   Generic error                             0
   LTL entry not found error                 0
   MET entry not found error                 0
   L3 entry exists error                     0
   Hash collision error                      0
   L3 entry not found error                  0
   Bidir-RP not found error                  0
   Unable to find RPF for PVLAN flows error  0
   SG existed with wrong RPF                 0
   SG existed with RPF interface mismatch    0

Other statistics
   ==========================================
   Maximum size sc_reqQ can reach             40
   Maximum size feQ can reach                 60
   #of queued ACKs/#of queued statistics/#FN  0/0/0
   Replication mode changed:                  2

> sh mls ip multicast summary

#sh mls ip multicast summary
152 MMLS entries using 48288 bytes of memory
Number of partial hardware-switched flows: 0
Number of complete hardware-switched flows: 152
Directly connected subnet entry install is enabled
Hardware shortcuts for mvpn mroutes supported
Current mode of replication is Ingress
Consistency checker is enabled
Bidir gm-scan-interval: 10

--
Colin Whittaker
+353 (0)86 8211 965
http://colin.netech.ie
colin@(magnet|netech).ie
Re: [c-nsp] Cisco 1811 DNS Server overload
also if you are using 12.4(11)Txx, consider moving back to 12.4(6)Tyy.

Skeeve Stevens wrote:
> I have an 1811 temporarily doing NAT for about 200 clients and at the moment
> and while it generally is working ok, the DNS facility of the router is
> freaking out.
>
> Some show logging:
>
> *Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more
> than (2000)msecs (13/0),process = DNS Server.
> -Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC
> 0x800D7ACC 0x800DB410
> *Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more
> than (2000)msecs (30/0),process = DNS Server.
> -Traceback= 0x822F21DC 0x8099C78C 0x80AB6508 0x80AB7ACC 0x800D7ACC
> 0x800DB410
>
> And yesterday it crashed:
>
> Router uptime is 1 day, 2 hours, 42 minutes
> System returned to ROM by error - an Illegal Opcode exception, PC 0x83B1A8E4
> at 20:17:29 AEST Sun Apr 15 2007
>
> I would like to actually stop the 1811 caching DNS queries but I can't
> figure out how to. I would just prefer it relay every request or some other
> solutions perhaps that could be suggested here. This would at least keep the
> router up and running.
>
> Any help would be muchly appreciated.
>
> .Skeeve
>
> ___
> Skeeve Stevens, RHCE Email: [EMAIL PROTECTED]
> Website: www.skeeve.org - Telephone: (0414) 753 383
> skype://skeeve
> Address: P.O Box 1035, Epping, NSW, 1710, Australia
>
> eIntellego - [EMAIL PROTECTED] - www.eintellego.net
> ___
> I'm a groove licked love child king of the verse
> Si vis pacem, para bellum
Re: [c-nsp] 6500 / 7600 output drops
Colin Whittaker wrote:
> On Mon, Apr 16, 2007 at 11:13:18AM -0400, Phil Bedard wrote:
>> Are the blades DFC-equipped?
>
> No.

That traffic rate should be well within the reach of a PFC-only system.

Is that the only traffic going through the box?

What do the various "sh platform hardware capacity" report, including "forwarding", "cpu", "multicast" and so forth?

sh mls ip multicast statistics
sh mls ip multicast summary

...might also be illuminating.
Re: [c-nsp] 6500 / 7600 output drops
On Mon, Apr 16, 2007 at 11:13:18AM -0400, Phil Bedard wrote:
> Are the blades DFC-equipped?

No.

BTW the two 6748 cards are the only cards in the chassis.

-- 
Colin Whittaker +353 (0)86 8211 965
http://colin.netech.ie
colin@(magnet|netech).ie
[c-nsp] New bugtool
Take a look at this (all quoted verbatim)

Old bugtool
---
CSCeh62257
Description : Full virtual-access interfaces are leaking PPP handles

Symptoms: PPP does not establish new sessions.

Conditions: This symptom is observed on a Cisco router that is configured with full virtual-access interfaces when a PPP leak occurs.

Workaround: Reload the router and configure virtual-access subinterfaces instead of full virtual-access interfaces.

Fixed in: 12.3(14.14), 12.4(1.6), 12.3(7)XI04, 12.4(1.8)T, 12.3(14)T03, 12.3(7)T11, 12.3(11)T08, 12.4(01b)

New Bugtool
---
CSCeh62257
Description : Full virtual-access interfaces are leaking PPP handles

Full virtual-access interfaces are leaking PPP handles when full virtual-access interfaces are used, and ppp sessions are churned we leak ppp handles due to a miss int eh free function of the virutal-access interface.

workaround: use sub virtual-access interfaces (should be done anyways for scalability)

Fixed In: 12.4(1b)M 12.4(1.8)T 12.4(1.6)M 12.3(11)T8 12.3(14)T3 12.3(14.14)M 12.3(7)XI4 12.3(7)T11

I'm guessing that the former is the customer-facing description, and in that case please tell us that PPP handles are leaking memory in the body as opposed to saying that something happens "when a PPP leak occurs". In that case the new explanation makes me freak even more when it suggests that the fix is in versions completely unsuitable for running a production VPDN box on!! (whereas at least the old bugtool paves the way for using a GD release)

Dave.
Re: [c-nsp] 7201
bill hulley wrote:
> Just noticed various tech documents for the 7201 appear
> on www.cisco.com, no product info or data sheets yet.
>
> I assume this is the NPE-G2 refresh of the 7301, with a few
> interface tweaks and (at last) dual hot-swap PSUs.

The "sh ver" on
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guide_chapter09186a00807f8e73.html
shows a MPC7448 CPU at 1.6 GHz, the same as the NPE-G2. Moreover the "sh interfaces" output shows a Marvell MV64460 system controller, also as on the NPE-G2. This tends to confirm your hypothesis.

> Anyone had any info of when we'll be able to buy these new
> boxes?
>
> -- bill.
Re: [c-nsp] ip sla and c837?
>> hello,
>>
>> I have the following problem: I want my cisco 837 to reload after it
>> is not able to ping a certain device. I know that you can achieve this
>> with "ip sla" and an "EEM applet". Well I spent hours of using the
>> software advisor on the cisco side and it looks like the ip sla command
>> is not supported under the 800 platform. Does anybody know how to
>> solve this "problem" without using ip sla or probably does anybody know
>> an image that does support ip sla?

> Which IOS version are you running? It's called "rtr" in earlier
> versions, and the command syntax is subtly different.

that's an interesting hint, I use C837 Software (C837-K9O3Y6-M), Version 12.3(11)YZ1 and the "rtr" was replaced by "ip sla" in version 12.3(14)T. hopefully it works with rtr, does anybody know if I can realize the above?

thx
Re: [c-nsp] 6500 / 7600 output drops
Are the blades DFC-equipped?

Phil

On Apr 16, 2007, at 9:59 AM, Colin Whittaker wrote:
> Hi All,
>
> We are seeing some very serious output drops on our 6500 / 7600
> platforms. We have sup720-3b with 6748 series line cards, rj45 and
> sfp.
>
> We have our IPTV headend connected via a single interface (int 1)
> and it is producing 400 - 450 Mbit/sec of multicast traffic.
> We have a downstream network connected to a second interface (int 2)
> that is watching all the tv channels at the same time and so all
> groups are forwarded out int 2.
> With just multicast traffic flowing between two interfaces everything works
> fine but as soon as we add any unicast traffic to the downstream network
> which enters the 7600 via a different ingress interface we start to see
> output drops on interface 2 and the associated problems in the video.
>
> The unicast traffic is about 200Mbit/sec so the total traffic on the
> link is 600Mbit/sec at 50kpps
>
> Disabling QOS / giving the video queue the highest priority doesn't seem
> to make a difference.
>
> Is there anything else I should try?
>
> Colin
> -- 
> Colin Whittaker +353 (0)86 8211 965
> http://colin.netech.ie
> colin@(magnet|netech).ie
Re: [c-nsp] Cisco load balancers with SSL offload
We're doing SSL termination on CSS11503s (available on the 11501S-C and above). The 11503 is modular and price can vary greatly based on config, so I won't toss out any numbers. After a few tweaks to solve poor performance issues (ssl-queue-delay, in particular), I've been pretty happy with them. I'm curious to know, aside from the fact that it's an aging platform, why you're not.

p.s. -- Though I have limited experience with them, I'd recommend staying away from the Radware boxes. We, and the Radware tech we had installing them, ran into tons of problems.

James

Gert Doering wrote:
> Hi,
>
> what are folks using for "HTTP load balancing" with SSL offload (SSL
> connection and all the crypto work is done on the load balancer, and
> the server machines only do HTTP) today, in Cisco land?
>
> We're currently using Foundry (don't ask), Citrix Netscaler (very nice
> boxes!), and Cisco/Arrowpoint CSS (no SSL, as far as I know, and somewhat
> aged platform...).
>
> Now we have a customer that's unhappy with Foundry, and doesn't want
> Netscalers - and is asking for "what Cisco products can you recommend?".
>
> I can't recommend CSSs, but I assume that there are more "recent"
> products available...
>
> So - what are you using, how happy are you with that solution (and what's
> the global list price for it? :) ).
>
> Sorry to offload my research homework to the cisco-nsp list, but you just
> can't get useful answers from looking at "yes, we can do all this!!!"
> vendor pages...
>
> gert
Re: [c-nsp] Cisco load balancers with SSL offload
Monday, April 16, 2007, 3:45:27 PM, you wrote:
> Hi,
> what are folks using for "HTTP load balancing" with SSL offload (SSL
> connection and all the crypto work is done on the load balancer, and
> the server machines only do HTTP) today, in Cisco land?
> We're currently using Foundry (don't ask), Citrix Netscaler (very nice
> boxes!), and Cisco/Arrowpoint CSS (no SSL, as far as I know, and somewhat
> aged platform...).
> Now we have a customer that's unhappy with Foundry, and doesn't want
> Netscalers - and is asking for "what Cisco products can you recommend?".
> I can't recommend CSSs, but I assume that there are more "recent"
> products available...

firstly, I don't have experience with SSL offload, and I can talk only about load-balancing features.

IMHO, the old CSS (11800) is a very useful platform for small configs; that means you can handle ~1Gbps of traffic, but only with a not too complicated config.

CSM is very nice, it works great, until I try to failback (failover works fine :-) ) in a high traffic environment.

ACE - new product, I don't have experience with this module.

> So - what are you using, how happy are you with that solution (and what's
> the global list price for it? :) ).
> Sorry to offload my research homework to the cisco-nsp list, but you just
> can't get useful answers from looking at "yes, we can do all this!!!"
> vendor pages...
> gert

-- 
- http://www.wp.pl -
Tomasz Baczyński Wirtualna Polska S.A.
mailto:[EMAIL PROTECTED] tel. +48 58 5215614
[c-nsp] 7201
Just noticed various tech documents for the 7201 appear on www.cisco.com, no product info or data sheets yet.

I assume this is the NPE-G2 refresh of the 7301, with a few interface tweaks and (at last) dual hot-swap PSUs.

Anyone had any info of when we'll be able to buy these new boxes?

-- bill.

-- 
Bill Hulley <[EMAIL PROTECTED]>
Re: [c-nsp] New hardware choose help needed
Hi Dmitriy,

Dmitriy Sirant wrote:
> Hi,
>
> We want to buy new hardware and need your help in choosing the right hardware
> configuration.
>
> First stage:
>
> Cisco 7204VXR
> NPE-G1
>
> What we need from it:
> 1. Terminate about 50-150 VLANs
> 2. Terminate about 2500-4000 PPPoE users (at 100Mb, not ADSL)
> 3. Dynamic access lists and rate-limits for PPPoE users via Radius.
> 4. 2 x 1000Mbit/s ports to clients with full load and 1 x 1000Mbit/s
> port to ISP with load about 500Mbit/s
>
> Second stage:
> We need to make a city-wide LAN with the possibility to give clients 100Mbit/s
> bandwidth between any 2 points. For it we want to use at the center such hardware:
>
> Catalyst 6509
> WS-C6509-NEB-A Catalyst 6500 9-slot chassis(NEBS),21RU,no PS,no Fan Tray 1
> WS-CAC-6000W Cat6500 6000W AC Power Supply 1
> FR-C6FW Catalyst 6000 family IOS Firewall Feature Set 1
> WS-SUP720 Catalyst 6500 / Cisco 7600 Supervisor 720 Fabric MSFC3 PFC3A 1
> MEM-C6K-CPTFL512M Catalyst 6500 Sup720/Sup32 Compact Flash Mem 512MB 1
> CF-ADAPTER-SP SP adapter with compact flash for SUP720 1
> GLC-T 1000BASE-T SFP 1
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
> X2-10GB-ER 10GBASE-ER X2 Module 8
> FAN-MOD-09 Fan Module for CISCO7609 and Catalyst WS-C6509-NEB-A 1
> SM3AEK9-12218SXF Cisco CAT6000-MSFC3 IOS ADVANCED ENTERPRISE SERVICES SSH 1
>
> What we need from it:
> 1. Guaranteed bus speed for work 60-64 10Gb ports with full load.

I'm not sure what you mean about "full load", but assuming you mean the ability to run all the ports at wire-rate ... then, you probably want to avoid the WS-X6708 linecards as they are 2:1 oversubscribed. Refer to the data sheet on the WS-X6704 and WS-X6708 for details:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_data_sheet09186a00801dce34.html

If you need "wire-rate", then you should look at the WS-X6704, (4-port 10 GbE cards), which, in theory, will give you 32 x 10 GbE ports per chassis. However, you should look at your exact configuration in Cisco's Power Calculator:

http://www.cisco.com/go/powercalculator

... because, certain power supplies may not be adequate for your load.

> 2. Terminate about 100-400 VLANs

Should be no problem.

> 3. Terminate about 5000-8000 PPPoE sessions (at 100Mb, not ADSL)
> 4. PPPoE users must authorize via RADIUS

You're likely looking at the "MWAM" card to do that. I don't have any experience with that card, but as others have noted on the list (see archives), the 6500 is generally not a good PPP termination device. You're likely better off sticking with the 7200's for (dense) PPP termination.

> 5. NetFlow

Should be no problem.

> 6. PPPoE access lists and rate-limits via RADIUS

See previous comment for #3 and #4, re: MWAM card.

> 7. Access list on every interface

Again, should be no problem, as long as the ACL's are fairly modest.

-shane

> What do you say about the hardware we chose? Is it suitable for that work?
>
> Thank you
[c-nsp] 6500 / 7600 output drops
Hi All,

We are seeing some very serious output drops on our 6500 / 7600 platforms. We have sup720-3b with 6748 series line cards, rj45 and sfp.

We have our IPTV headend connected via a single interface (int 1) and it is producing 400 - 450 Mbit/sec of multicast traffic.
We have a downstream network connected to a second interface (int 2) that is watching all the tv channels at the same time and so all groups are forwarded out int 2.
With just multicast traffic flowing between two interfaces everything works fine but as soon as we add any unicast traffic to the downstream network which enters the 7600 via a different ingress interface we start to see output drops on interface 2 and the associated problems in the video.

The unicast traffic is about 200Mbit/sec so the total traffic on the link is 600Mbit/sec at 50kpps

Disabling QOS / giving the video queue the highest priority doesn't seem to make a difference.

Is there anything else I should try?

Colin
-- 
Colin Whittaker +353 (0)86 8211 965
http://colin.netech.ie
colin@(magnet|netech).ie
Re: [c-nsp] Cisco 1811 DNS Server overload
Do you have dns spoofing on? If so turn it off. That is what causes "dns proxy".

You can disable dns lookups completely with

no ip domain lookup

Brian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Skeeve Stevens
Sent: Monday 16 April 2007 15.07
To: 'Cisco-nsp'
Subject: [c-nsp] Cisco 1811 DNS Server overload

I have an 1811 temporarily doing NAT for about 200 clients and at the moment and while it generally is working ok, the DNS facility of the router is freaking out.

Some show logging:

*Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (13/0),process = DNS Server.
-Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC 0x800D7ACC 0x800DB410
*Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (30/0),process = DNS Server.
-Traceback= 0x822F21DC 0x8099C78C 0x80AB6508 0x80AB7ACC 0x800D7ACC 0x800DB410

And yesterday it crashed:

Router uptime is 1 day, 2 hours, 42 minutes
System returned to ROM by error - an Illegal Opcode exception, PC 0x83B1A8E4 at 20:17:29 AEST Sun Apr 15 2007

I would like to actually stop the 1811 caching DNS queries but I can't figure out how to. I would just prefer it relay every request or some other solutions perhaps that could be suggested here. This would at least keep the router up and running.

Any help would be muchly appreciated.

.Skeeve

___
Skeeve Stevens, RHCE Email: [EMAIL PROTECTED]
Website: www.skeeve.org - Telephone: (0414) 753 383
skype://skeeve
Address: P.O Box 1035, Epping, NSW, 1710, Australia

eIntellego - [EMAIL PROTECTED] - www.eintellego.net
___
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
[c-nsp] Cisco load balancers with SSL offload
Hi,

what are folks using for "HTTP load balancing" with SSL offload (SSL connection and all the crypto work is done on the load balancer, and the server machines only do HTTP) today, in Cisco land?

We're currently using Foundry (don't ask), Citrix Netscaler (very nice boxes!), and Cisco/Arrowpoint CSS (no SSL, as far as I know, and somewhat aged platform...).

Now we have a customer that's unhappy with Foundry, and doesn't want Netscalers - and is asking for "what Cisco products can you recommend?".

I can't recommend CSSs, but I assume that there are more "recent" products available...

So - what are you using, how happy are you with that solution (and what's the global list price for it? :) ).

Sorry to offload my research homework to the cisco-nsp list, but you just can't get useful answers from looking at "yes, we can do all this!!!" vendor pages...

gert

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany [EMAIL PROTECTED]
fax: +49-89-35655025 [EMAIL PROTECTED]
[c-nsp] Cisco 1811 DNS Server overload
I have an 1811 temporarily doing NAT for about 200 clients and at the moment and while it generally is working ok, the DNS facility of the router is freaking out.

Some show logging:

*Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (13/0),process = DNS Server.
-Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC 0x800D7ACC 0x800DB410
*Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (30/0),process = DNS Server.
-Traceback= 0x822F21DC 0x8099C78C 0x80AB6508 0x80AB7ACC 0x800D7ACC 0x800DB410

And yesterday it crashed:

Router uptime is 1 day, 2 hours, 42 minutes
System returned to ROM by error - an Illegal Opcode exception, PC 0x83B1A8E4 at 20:17:29 AEST Sun Apr 15 2007

I would like to actually stop the 1811 caching DNS queries but I can't figure out how to. I would just prefer it relay every request or some other solutions perhaps that could be suggested here. This would at least keep the router up and running.

Any help would be muchly appreciated.

.Skeeve

___
Skeeve Stevens, RHCE Email: [EMAIL PROTECTED]
Website: www.skeeve.org - Telephone: (0414) 753 383
skype://skeeve
Address: P.O Box 1035, Epping, NSW, 1710, Australia

eIntellego - [EMAIL PROTECTED] - www.eintellego.net
___
I'm a groove licked love child king of the verse
Si vis pacem, para bellum
Re: [c-nsp] ip sla and c837?
Gernot Nusshall wrote:
> hello,
>
> I have the following problem: I want my cisco 837 to reload after it
> is not able to ping a certain device. I know that you can achieve this
> with "ip sla" and an "EEM applet". Well I spent hours of using the
> software advisor on the cisco side and it looks like the ip sla command
> is not supported under the 800 platform. Does anybody know how to
> solve this "problem" without using ip sla or probably does anybody know
> an image that does support ip sla?

Which IOS version are you running? It's called "rtr" in earlier versions, and the command syntax is subtly different.
[c-nsp] ip sla and c837?
hello,

I have the following problem: I want my cisco 837 to reload after it is not able to ping a certain device. I know that you can achieve this with "ip sla" and an "EEM applet". Well I spent hours of using the software advisor on the cisco side and it looks like the ip sla command is not supported under the 800 platform. Does anybody know how to solve this "problem" without using ip sla or probably does anybody know an image that does support ip sla?

thx gernot

Gernot Nusshall
Internet Service Providing
__
Elektronische Datenverarbeitung GmbH & Co KG
Hofmühlgasse 3-5, 1060 Wien
[c-nsp] %IPC-SP-5-WATERMARK on Sup720-3B
Hi all,

I just want to ask about how my cat6500 behaves. It creates these log messages every minute or less:

Apr 16 17:48:40.140: %IPC-SP-5-WATERMARK: 822 messages pending in rcv for the port Card6/0:Request(1.5) seat 1
Apr 16 17:49:12.508: %IPC-SP-5-WATERMARK: 822 messages pending in rcv for the port Card6/0:Request(1.5) seat 1

And this is the Sup720-3B that I have:

cat6k#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF8, RELEASE SOFTWARE (fc2)

I am looking forward to some suggestions to limit those messages in my log. I've checked the list archive, but it only shows the problem existing on Sup2, not Sup720-3B.

Thanks!

-affan
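Both this post and the 1811 DNS thread above show the same collector-side problem: a router repeating one message (%IPC-SP-5-WATERMARK every minute here, %SYS-3-CPUHOG for the DNS Server process there) until the useful signal is buried. The following is an added example, not code from any post on this list, of a small parser for the %FACILITY-SEVERITY-MNEMONIC line form IOS uses, with a summary (which process is hogging, how deep the IPC queue got) and a de-duplication pass that forwards the first occurrence per process or IPC port and drops repeats inside a time window. The sample lines are the ones quoted in the two posts; the timestamp format without a year, the 60-second window and the dedupe keys are my assumptions.

```python
"""Parse Cisco IOS syslog lines, summarise them, and collapse repeats.

Added example (not from any post in this thread). Assumes the usual
"%FACILITY-SEV-MNEMONIC: text" IOS message form seen in the posts; the
timestamp layout (no year) and the de-duplication keys are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# The facility may itself contain a hyphen (IPC-SP), so match it
# non-greedily up to the single-digit severity.
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9_]+)*?)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
PROCESS_RE = re.compile(r"process\s*=\s*(.+?)\.?\s*$")  # CPUHOG: offending process
PENDING_RE = re.compile(r"(\d+)\s+messages pending")     # WATERMARK: queue depth
PORT_RE = re.compile(r"for the port\s+(\S+)")            # WATERMARK: which IPC port


@dataclass
class SyslogEvent:
    ts: datetime
    facility: str
    severity: int
    mnemonic: str
    text: str

    def dedupe_key(self) -> str:
        """Identity used to collapse repeats: the process or IPC port rather
        than the whole text, so changing counters do not defeat de-duplication."""
        if self.mnemonic == "CPUHOG":
            m = PROCESS_RE.search(self.text)
            return m.group(1) if m else self.text
        if self.mnemonic == "WATERMARK":
            m = PORT_RE.search(self.text)
            return m.group(1) if m else self.text
        return re.sub(r"\d+", "N", self.text)  # generic fallback: ignore numbers


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent, or None for continuation lines such as -Traceback=."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts_text = m.group("ts")
    fmt = "%b %d %H:%M:%S.%f" if "." in ts_text else "%b %d %H:%M:%S"
    ts = datetime.strptime(ts_text, fmt)  # year defaults to 1900; only deltas matter here
    return SyslogEvent(ts, m.group("facility"), int(m.group("severity")),
                       m.group("mnemonic"), m.group("text"))


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count messages per mnemonic, CPUHOG per process, and the worst WATERMARK depth."""
    by_mnemonic: Counter = Counter()
    cpuhog_by_process: Counter = Counter()
    watermark_max = 0
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        by_mnemonic[ev.mnemonic] += 1
        if ev.mnemonic == "CPUHOG":
            cpuhog_by_process[ev.dedupe_key()] += 1
        elif ev.mnemonic == "WATERMARK":
            pm = PENDING_RE.search(ev.text)
            if pm:
                watermark_max = max(watermark_max, int(pm.group(1)))
    return {"by_mnemonic": by_mnemonic, "cpuhog_by_process": cpuhog_by_process,
            "watermark_max_pending": watermark_max, "unparsed": unparsed}


def suppress_repeats(events: List[SyslogEvent], window_seconds: float = 60.0) -> List[SyslogEvent]:
    """Forward the first occurrence of each (facility, mnemonic, key) and drop
    repeats that arrive within window_seconds of the last forwarded copy."""
    last_seen: Dict[tuple, datetime] = {}
    forwarded: List[SyslogEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.facility, ev.mnemonic, ev.dedupe_key())
        prev = last_seen.get(key)
        if prev is not None and (ev.ts - prev).total_seconds() < window_seconds:
            continue
        last_seen[key] = ev.ts
        forwarded.append(ev)
    return forwarded


# Sample input: the lines quoted in the two posts, plus one traceback
# continuation line (also from the post) that the parser must skip.
SAMPLE_LOG = [
    "*Apr 16 11:55:53.425: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (13/0),process = DNS Server.",
    "-Traceback= 0x8099C694 0x80AB26B0 0x80AB5DB0 0x80AB6834 0x80AB7ACC 0x800D7ACC 0x800DB410",
    "*Apr 16 11:59:59.721: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (30/0),process = DNS Server.",
    "Apr 16 17:48:40.140: %IPC-SP-5-WATERMARK: 822 messages pending in rcv for the port Card6/0:Request(1.5) seat 1",
    "Apr 16 17:49:12.508: %IPC-SP-5-WATERMARK: 822 messages pending in rcv for the port Card6/0:Request(1.5) seat 1",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for ev in suppress_repeats([e for e in map(parse_line, SAMPLE_LOG) if e]):
        print(ev.ts.strftime("%b %d %H:%M:%S"), ev.mnemonic, ev.dedupe_key())
```

On the sample, the two WATERMARK lines are 32 seconds apart, so the 60-second window forwards only the first; the two CPUHOG lines are four minutes apart and both get through, which is the behaviour you want: the repeat rate is hidden, the fact that the DNS Server process keeps hogging the CPU is not. The summary is what you would feed an alert on (a CPUHOG count per process, or a pending-message depth that keeps climbing), independently of how chatty the router is.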
Re: [c-nsp] SPD on C7300
Hi Oli

When the router receives the following packet, will that packet be dropped by SPD (with mode aggressive) in the RANDOM DROP state?

Prot:SrcPort:DstPort Src i/f :AdjPtr Pkts Bytes AgeLastSeen Attributes
--
tcp :12586 :55744 Gi3/13 :0x0 00 5 13:38:51 L3 - Dynamic

Regards

Oliver Boehmer (oboehmer) wrote:
> hideki gamo <> wrote on Monday, April 16, 2007 8:28 AM:
>
>> Does anyone know if SPD configured by mode aggressive on c7300,
>> does that affect transit packets?
>> and if it's so, does the SPD process have a negative effect on packet
>> forwarding rate?
>
> I'm not aware of any impact SPD has on forwarding performance (well,
> unless you're using process switching to forward packets ;-)
>
> oli

-- 
Hideki Gamo
UCOM corp Network Operation Dept
+81 3 5489 0477
Re: [c-nsp] MD110 with Cisco VOIP
Hello,

Assuming that you want to interface the cisco boxes with the pbxs via E1/T1 interfaces and convert to voip on the ciscos, you may start with these:

http://www.tek-tips.com/viewthread.cfm?qid=1143682
http://www.tek-tips.com/viewthread.cfm?qid=260037
http://www.cisco.com/application/pdf/en/us/guest/products/ps4830/c1237/ccmigration_09186a00803704f5.pdf

Also search the cisco site with keywords: md110 pbx interoperability

Also you may think of the option of using native MD110 voip trunks

Best Regards,
John Kougoulos

Mad Unix wrote:
> MD110 with Cisco VOIP
> anyone got any documents regarding this?
> i have to build VoIP communication between HQ and Branch which already has
> established a working IP connection between them
> Phone--PBX(Ericsson)--Router36xxLeasedLine---Router38xx---PBX(Ericsson)---Phone
>
> has anyone done this yet
[c-nsp] ASA AIP - Signature updates from Cisco?
After some browsing through the ASA documents, trying to find information on the automatic signature update, I came across this remark:

"The sensor cannot automatically download service pack and signature updates from Cisco.com. You must download the service pack and signature updates from Cisco.com to your FTP or SCP server, and then configure the sensor to download them from the FTP or SCP server."

Is this true, or outdated? If it is true, why? I do understand there may be concerns as to the security of the content of the data, but those could be easily taken care of by MD5/PGP signatures. It pretty much sucks having to do manual downloads of signatures in order to have the ASA/AIP download it from the server and install it...

Or is the signature .pkg available somewhere under a "hidden path" on ftp.cisco.com?

Tnx,
-garry
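On the integrity point raised above: whatever lands on the FTP/SCP server is what the sensor will install, so the digest check belongs in the step that copies the download there, not after. The following is an added example, not Cisco tooling and not anything the ASA/AIP itself runs, of a staging routine that refuses a package whose digest does not match the value published with it. The package bytes, file names and directory layout are constructed for the demo, and the "published" digests are just the standard SHA-256 and MD5 test-vector values for the byte string "abc". An MD5 match only rules out a corrupted or swapped file; binding the package to the publisher needs the PGP signature the post also mentions, which this script does not check.

```python
"""Verify a downloaded update package against a published digest before
staging it on the server the sensor pulls from.

Added example, not Cisco tooling. Package content, file names and the
staging layout are constructed for the demo; the expected digests are the
standard SHA-256 / MD5 values of b"abc".
"""
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so a large package is not held in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def verify_digest(path: Path, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison against the published digest (case-insensitive hex)."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def stage_package(src: Path, expected_hex: str, staging_dir: Path,
                  algorithm: str = "sha256") -> Path:
    """Copy src into staging_dir only if its digest matches; otherwise raise.
    Nothing reaches the directory the sensor trusts unless the check passes."""
    if not verify_digest(src, expected_hex, algorithm):
        raise ValueError(f"{algorithm} mismatch for {src.name}; refusing to stage")
    staging_dir.mkdir(parents=True, exist_ok=True)
    dest = staging_dir / src.name
    shutil.copy2(src, dest)
    return dest


# Known digests of b"abc" (standard test vectors) stand in for the published values.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"


def demo() -> Dict[str, object]:
    """Stage a good package, then show a tampered copy being refused."""
    work = Path(tempfile.mkdtemp(prefix="aip-stage-"))
    download = work / "download" / "sig-update.pkg"   # constructed file name
    download.parent.mkdir()
    download.write_bytes(b"abc")                       # constructed package content
    staging = work / "ftproot" / "ips"                 # constructed staging layout

    staged = stage_package(download, SHA256_ABC, staging)
    md5_ok = verify_digest(download, MD5_ABC, "md5")   # legacy check, weaker than SHA-256

    tampered = work / "download" / "sig-update-tampered.pkg"
    tampered.write_bytes(b"abc" + b"\x00")             # one extra byte: digest changes
    try:
        stage_package(tampered, SHA256_ABC, staging)
        refused = False
    except ValueError:
        refused = True

    result = {
        "staged": staged.exists(),
        "md5_ok": md5_ok,
        "tampered_refused": refused,
        "tampered_staged": (staging / tampered.name).exists(),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the copy into the staging directory and the digest check are one operation: a mismatch raises before anything is written where the sensor can see it, so an operator cannot forget the check between the download and the FTP server.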
Re: [c-nsp] MD110 with Cisco VOIP
On Mon, Apr 16, 2007, Mad Unix wrote:
> MD110 with Cisco VOIP
> anyone got any documents regarding this?
> i have to build VoIP communication between HQ and Branch which already has
> established a working IP connection between them
> Phone--PBX(Ericsson)--Router36xxLeasedLine---Router38xx---PBX(Ericsson)---Phone
>
> has anyone done this yet

All I can say is "yes, I've seen people doing toll bypass using Ciscos to MD110."

It was using Cisco 5300's in a configuration I honestly can't remember.

Adrian
[c-nsp] New hardware choose help needed
Hi,

We want to buy new hardware and need your help in choosing the right hardware configuration.

First stage:

Cisco 7204VXR
NPE-G1

What we need from it:
1. Terminate about 50-150 VLANs
2. Terminate about 2500-4000 PPPoE users (at 100Mb, not ADSL)
3. Dynamic access lists and rate-limits for PPPoE users via Radius.
4. 2 x 1000Mbit/s ports to clients with full load and 1 x 1000Mbit/s port to ISP with load about 500Mbit/s

Second stage:
We need to make a city-wide LAN with the possibility to give clients 100Mbit/s bandwidth between any 2 points. For it we want to use at the center such hardware:

Catalyst 6509
WS-C6509-NEB-A Catalyst 6500 9-slot chassis(NEBS),21RU,no PS,no Fan Tray 1
WS-CAC-6000W Cat6500 6000W AC Power Supply 1
FR-C6FW Catalyst 6000 family IOS Firewall Feature Set 1
WS-SUP720 Catalyst 6500 / Cisco 7600 Supervisor 720 Fabric MSFC3 PFC3A 1
MEM-C6K-CPTFL512M Catalyst 6500 Sup720/Sup32 Compact Flash Mem 512MB 1
CF-ADAPTER-SP SP adapter with compact flash for SUP720 1
GLC-T 1000BASE-T SFP 1
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
WS-X6708-10G-3CXL C6K 8 port 10 Gigabit Ethernet module with DFC3CXL (req. X2) 1
X2-10GB-ER 10GBASE-ER X2 Module 8
FAN-MOD-09 Fan Module for CISCO7609 and Catalyst WS-C6509-NEB-A 1
SM3AEK9-12218SXF Cisco CAT6000-MSFC3 IOS ADVANCED ENTERPRISE SERVICES SSH 1

What we need from it:
1. Guaranteed bus speed for work 60-64 10Gb ports with full load.
2. Terminate about 100-400 VLANs
3. Terminate about 5000-8000 PPPoE sessions (at 100Mb, not ADSL)
4. PPPoE users must authorize via RADIUS
5. NetFlow
6. PPPoE access lists and rate-limits via RADIUS
7. Access list on every interface

What do you say about the hardware we chose? Is it suitable for that work?

Thank you
[c-nsp] MD110 with Cisco VOIP
MD110 with Cisco VOIP
anyone got any documents regarding this?
i have to build VoIP communication between HQ and Branch which already has established a working IP connection between them

Phone--PBX(Ericsson)--Router36xxLeasedLine---Router38xx---PBX(Ericsson)---Phone

has anyone done this yet

-- 
madunix
Re: [c-nsp] SPD on C7300
hideki gamo <> wrote on Monday, April 16, 2007 8:28 AM:

> Does anyone know if SPD configured by mode aggressive on c7300,
> does that affect transit packets?
> and if it's so, does the SPD process have a negative effect on packet
> forwarding rate?

I'm not aware of any impact SPD has on forwarding performance (well, unless you're using process switching to forward packets ;-)

oli
[c-nsp] SPD on C7300
Hello,

Does anyone know if SPD configured by mode aggressive on c7300, does that affect transit packets?
and if it's so, does the SPD process have a negative effect on packet forwarding rate?

Regards

-- 
Hideki Gamo