Re: [c-nsp] Free NMS Tools
Hi Saku,

On Fri, Jul 17, 2009 at 12:01 AM, Saku Ytti wrote:
> On (2009-07-03 14:00 +0100), Mario Spinthiras wrote:
>
> > Hey,
> >
> > I would say Zenoss is looking good because of the inventory management you
> > can do and because of the logical structure it puts everything in. I wrote
> >
> > Everything else just seems inadequate or poor.
>
> I recently spent few moments evaluating zenoss and was not impressed. To me
> all OSS NMS solutions out seem like they are made by coder-in-server-admin
> not coder-in-network-admin, and as such seem to have much more integration
> with servers than with network, zenoss seems like no exception.

I strongly agree with you that the OSS tools seem geared towards servers and not network. Have you or anyone discovered an OSS solution that is more network oriented?

Regards,
Brian

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] clear platform hardware capacity fabric counters?
Hello Abidin,

On Fri, Jul 24, 2009 at 10:06 PM, Abidin Kahraman wrote:
> Hello Bas,
>
> Have you tried "clear fab peak" ?

Thank you, that did the trick. I don't know how I missed that.

Do you also know how to clear the peak-pps counters in:
show platform hardware capacity forwarding

Thanks,
Bas
Re: [c-nsp] VRF-aware Circuit emulation?
Hi Scott,

To some degree, this would be rather odd to do as CES is a point-to-point solution and is used to transport TDM traffic. Please clarify why you would do this?

__
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292
Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hughes, Scott GRE/MG
Sent: 24. juli 2009 22:06
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VRF-aware Circuit emulation?

Does anyone know if Circuit emulation using NM-CEM-4TE1 cards supports the xconnects inside a VRF?

Scott

NOTICE TO RECIPIENT: The information contained in this message from Great River Energy and any attachments are confidential and intended only for the named recipient(s). If you have received this message in error, you are prohibited from copying, distributing or using the information. Please contact the sender immediately by return email and delete the original message.
Re: [c-nsp] VRF-aware Circuit emulation?
This is for an enterprise disaster-recovery scenario. The configuration is simplistic -- http://scotthughes.org/cem-failover

To clarify, I'm talking about Circuit Emulation on ISR routers. I want to emulate analog circuits using a SONET-protected Ethernet VLAN as IP backhaul. The ISR routers are used for various other (different) purposes at all 3 sites (head-end, remote, disaster recovery) and intermixing the routing tables or using route-maps and access-lists would be inconvenient.

Running a VRF on a dot1q-tagged interface into the SONET would be a nice way to keep layer-3 separation for the CEM services. I would also prioritize traffic on that VLAN at the SONET level to ensure QoS.

I'm open to suggestions about alternate ways to approach this. Obviously, hanging a separate router on a VLAN solely for this purpose is inefficient (and what I'm trying to avoid)

-Original Message-
From: Lars Lystrup Christensen [mailto:l...@dansketelecom.com]
Sent: Friday, July 24, 2009 3:36 PM
To: Hughes, Scott GRE/MG; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] VRF-aware Circuit emulation?

Hi Scott,

To some degree, this would be rather odd to do as CES is a point-to-point solution and is used to transport TDM traffic. Please clarify why you would do this?

__
Med venlig hilsen / Kind regards

Lars Lystrup Christensen
Director of Engineering, CCIE(tm) #20292
Danske Telecom A/S
Sundkrogsgade 13, 4
2100 København Ø

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hughes, Scott GRE/MG
Sent: 24. juli 2009 22:06
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VRF-aware Circuit emulation?

Does anyone know if Circuit emulation using NM-CEM-4TE1 cards supports the xconnects inside a VRF?

Scott
Re: [c-nsp] High Memory Usage due to NAT
Those are still pretty long timeouts. Can you reduce those, a minute for ICMP should be plenty. 2 minutes should be good for the other two. Machines infected with stuff could certainly be opening sessions that could be killed off quickly.

Chuck

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Thursday, July 23, 2009 12:12 PM
To: Cisco Mailing list
Subject: [c-nsp] High Memory Usage due to NAT

I'm facing a strange issue regarding the NAT. The problem statement is as below

NAT configured on 3845 with 12.4.24 T ADV ENT SERVICES

- Have got 64 /25 inside subnets to do the nat with 64 Live IP's. one each for /25 inside subnet.
- I checked the processes and memory on freshly loaded router which comes out to be 49 MB of free memory.
- started the NAT on router with 8 of /25 inside ip pool with policy NAT to 8 live IP's. The router within 3 hours hanged due to no availability of free memory. Rebooted it and removed the NAT.
- Checked Cisco website for NAT it says 312 bytes per translation that gives us around 3 MB for 1 translations. Checked the logs and found peak translation only to be 15000.
- Found that problem was NAT ACL with any statement in destination portion ( extended one). Changed it with standard ACL with no any statement.
- Reviewed and resumed the NAT on router. it works now but it uses around 20 MB of memory for just 1 translation entries.
- Checked the UDP, TCP and ICMP timeout Limited UDP to 4 Mins. TCP to 25 Mins and ICMP- 5 Mins. was able to free only 2 MB of so from 20 MB.
- Changed the IOS from ADV ent services to IP base to get rid of unwanted processes and services as main AIM of this router is to run NAT.
- Freshly loaded router gave me 120 MB of free space and was happy now to test out the things.
- Again started the NAT for 8 pools of /25 inside subnet with 8 live IP's ( Policy nat ).
- At 25000 translations it eats up memory of around 24 MB.
- Turned off Virtual Reassembly as it was reaching to threshold very often.
- Migrated another 8 pools of /25 which comes to total of 16 /25 Inside subnets and free memory left to 64 MB. with the peak translation upto 42000 and active translation to 15000 on an average.
- It often gives the I/O memory errors too ( with only 16 /25 Pools configured on it).
- All this stuff works fine with Netscreen firewall overloaded with only 4 IP's for all 64 /25 pools. ( Is netscreen had an edge over cisco when it comes to NAT _?? )

I wonder..! If Cisco says that only 312 bytes are required for storing a single translation Why I'm not able to free my DRAM memory. Tried my luck with everything.

Need some expert advice on this to figure out the High Memory usage of NAT

NOTE : Only default router and no other services are used on router apart from Netflow

Thanks in Advance

Regards
Ronnie
[c-nsp] L2TP pseudowire initiation from VRF
Greetings!

I have a question if it is possible to initiate L2TP client (not true LAC in fact, see config below) to use other VRF than global for L2TP encapsulated packets?

I have this lab scenario:

LNS (Cisco 1721, c1700-advsecurityk9-mz.124-12.bin)

    vpdn enable
    !
    vpdn-group 1
     accept-dialin
      protocol l2tp
      virtual-template 1
     terminate-from hostname client
     l2tp tunnel password 7 ...
    !
    ...
    interface Virtual-Template1
     ip unnumbered Loopback0
     ip mtu 1492
     no ip mroute-cache
     peer default ip address pool l2tp-pool
     ppp authentication chap
    !
    ...
    ip local pool l2tp-pool 192.168.98.10 192.168.98.254

And on client (Cisco 1841, c1841-advipservicesk9-mz.124-23.bin) I have:

    vpdn enable
    !
    l2tp-class l2tpclass1
     authentication
     hostname client
     password 7 ...
    !
    pseudowire-class pwclass1
     encapsulation l2tpv2
     protocol l2tpv2 l2tpclass1
     ip local interface FastEthernet0/0
     ip pmtu
    !
    interface Virtual-PPP1
     ip address negotiated
     no cdp enable
     ppp authentication chap
     pseudowire 10 encapsulation l2tpv2 pw-class pwclass1
    !
    interface FastEthernet0/0
     ip address dhcp
     duplex auto
     speed auto
    !

And that works fine so far. Now I would like to do this:

    ip vrf upstream1
     rd 10:20
    !
    interface FastEthernet0/0
     ip vrf forward upstream1
     ip address dhcp
     duplex auto
     speed auto
    !

The problem is, that VPDN can not establish L2TP session, debug says:

    *Jul 24 15:54:01.332: L2X: l2tun session [1665122560], event [client request], old state [open], new state [open]
    *Jul 24 15:54:01.332: L2X: L2TP: Received L2TUN message
    *Jul 24 15:54:01.332: Tnl/Sn 20429/454 L2TP: Session state change from idle to wait-for-tunnel
    *Jul 24 15:54:01.332: uid:281 Tnl/Sn 20429/454 L2TP: Create session
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: SM State idle
    *Jul 24 15:54:01.332: L2X: Cannot use source-ip 80.219.148.183 of tableid 0 vrf which is not one of our addresses
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: O SCCRQ
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: Parse SCCRQ
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: Parse AVP 2, len 8, flag 0x8000 (M)
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: Protocol Version 1
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: Parse AVP 6, len 8, flag 0x0
    *Jul 24 15:54:01.332: Tnl 20429 L2TP: Firmware Ver 0x1130
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 7, len 19, flag 0x8000 (M)
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Hostname TRENKA-office
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 8, len 25, flag 0x0
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Vendor Name Cisco Systems, Inc.
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 10, len 8, flag 0x8000 (M)
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Rx Window Size 1200
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 11, len 22, flag 0x8000 (M)
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Chlng 54 BD 4A 71 8E A0 EB 7F 67 66 A5 CC 03 75 B0 87
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 9, len 8, flag 0x8000 (M)
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Assigned Tunnel ID 20429
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 3, len 10, flag 0x8000 (M)
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Framing Cap 0x3
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse AVP 4, len 10, flag 0x8000 (M)
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Bearer Cap 0x3
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Parse Cisco AVP 110, len 6, flag TRENKA-office#0x0
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: PPPoE Relay Forward Capable
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: O SCCRQ, flg TLS, ver 2, len 144, tnl 0, ns 0, nr 0
     C8 02 00 90 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00 00 06 11 30 80 13 00 00 00 07 54 52 45 4E 4B 41 2D 6F 66 66 69 63 65 00 19 00 00 00 08 43 69 73 63 6F 20 53 79 73 74 ...
    *Jul 24 15:54:01.336: Tnl 20429 L2TP: Control channel retransmit delay set to 1 seconds
    *Jul 24 15:54:01.340: Tnl 20429 L2TP: Tunnel state change from idle to wait-ctl-reply
    *Jul 24 15:54:01.340: Tnl 20429 L2TP: SM State wait-ctl-reply
    *Jul 24 15:54:02.340: Tnl 20429 L2TP: O Resend SCCRQ, flg TLS, ver 2, len 144, tnl 0, ns 0, nr 0
    *Jul 24 15:54:02.340: Tnl 20429 L2TP: Control channel retransmit delay set to 2 seconds

Is there any possibility to setup L2TP tunnel via the Fa0/0 inside VRF? Any help would be appreciated.

Thanks in advance,
Tomas

--
Tomáš Hlaváček
Re: [c-nsp] clear platform hardware capacity fabric counters?
Hello Bas,

Have you tried "clear fab peak" ?

Abidin

On 24 Jul 2009, at 10:15, bas wrote:

Hello,

I haven't been able to find the command for clearing "platform hardware capacity fabric / forwarding" counters. Or isn't it possible? and should I reboot?

Kind regards,
Bas
[c-nsp] VRF-aware Circuit emulation?
Does anyone know if Circuit emulation using NM-CEM-4TE1 cards supports the xconnects inside a VRF?

Scott
Re: [c-nsp] PPTP devices
On Jul 20, 2009, at 5:06 PM, Arie Vayner (avayner) wrote:

If your 3825 router is having a hard time taking care of the load, I would recommend you look at a 7201 (or at an older 7301).

I appreciate the responses from all. I am testing Poptop, but am having some interoperability issues with my devices (even though it works fine when connecting to it from Windows, Linux, OS X, etc.).

I actually happen to have a 7206 VXR with an NPE-G1 in it sitting on a shelf. I'm going to ship it out to the colo and see how it does.

If anyone else has any pointers to some sanely laid out chart from Cisco that indicated actual CPU performance across devices, I'd greatly appreciate it.

Thanks,
Daryl
Re: [c-nsp] SNMP ENGINE consuming CPU
Hello,

I remember cisco boxes having CPU problems with retrieving arp / route table entries via SNMP more than ten years ago. Maybe someone must create some kind of snmp proxy that retrieves those tables from cli

Regards,
John

On Fri, 24 Jul 2009, Jeff Fitzwater wrote:

Hello Bill,

How large is the ARP table? "sho ip arp summ"

If it is around 15k then the issue is the ARP or BRIDGE table conversion that the route processor must do to go from hashed format to lexicographical format which SNMP queries require. SNMP queries the RIP table for these MIBS which are in HASHED format and the FIB table is in LEX format.

There are ways around the issue if you don't need to query those MIBS.

I have had this issue with our sup-720-CXL running SXI or any earlier version only on our 6500 that has a 15k arp table (not sure where the actual boundary that causes the problem is). I currently have a case open with CISCO to see if there is a fix for this. For us there is no workaround since our NMS must poll the ARP and BRIDGE tables via SNMP in order to do its job.

This is extremely frustrating for us since we rely on the NMS (HP NNMi ) to build our layer 2 topo based on those MIBS, and also TRAP correlation which uses the L2 topo to isolate the problem.

Jeff Fitzwater
OIT Network & Communications Systems
Princeton University

On Jul 24, 2009, at 9:49 AM, Bill Blackford wrote:

You hit on the issue. I had a NMS client polling the route table. This box has two full feeds and 12 other bilateral peers. Apparently, the cat7.6k/rsp720 doesn't do well in this scenario. I would imagine the GSR's or perhaps even the shiny new ASR's implement this in hardware, but I am speculating since I have no stick time on those platforms. I know this wouldn't be an issue on J, but that's a topic for another list.

Yes, my IOS version needs updating. I'm on 12.2(33)SRB1. Any recommendations?

Thank you for your feedback.

-b

-Original Message-
From: Paolo Lucente [mailto:pl+l...@pmacct.net]
Sent: Friday, July 24, 2009 2:13 AM
To: Bill Blackford
Cc: cisco-nsp mailing list
Subject: Re: [c-nsp] SNMP ENGINE consuming CPU

Hi Bill,

Often this is symptom that one or more NMS tools are freely walking through the MIBs. Also, if you are running a recent 12.2SR train image (not a recent SRD), you might be hitting the CSCsv80014 bug. Btw, which IOS version are you running?

A good (not specific to the 7600 platform) Cisco document about SNMP causing high CPU load is at the following URL:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

It simply suggests to put in place a view to cut down some pieces of the available MIBs which can easily become rather big (ie. ARP table, routing table). If any of the suggested solutions work, it could be a good starting point to pin-point the issue.

A more final solution, viable only if you are somehow in control of the SNMP pollers that regularly access your routers, is to double-check who is doing what and why. The tricky corner case is indeed that your SNMP poller(s) are intentionally making use of some large MIB for something.

Cheers,
Paolo

On Thu, Jul 23, 2009 at 02:04:33PM -0700, Bill Blackford wrote:

Currently I have a 7606 RSP720 hitting 94% CPU. A 'sh proc cpu sorted' indicates that SNMP ENGINE is the source.

Any thoughts on this?

Thanks

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home
Re: [c-nsp] OSPF question
It's actually quite simple: you need an EEM applet that triggers on X occurrences of a well-known SYSLOG message (OSPF neighbor going down) within Y seconds, modifies the configuration (to insert "passive-interface X" into the "router ospf Y") and alerts the operators via an e-mail.

You'll find a few similar applets in my blog and my wiki:

http://wiki.nil.com/Category:EEM_applet
http://blog.ioshints.info/search/label/EEM

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -Original Message-
> From: Tony Baade [mailto:t...@bobbroadband.com]
> Sent: Friday, July 24, 2009 6:01 PM
> To: Rodney Dunn
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF question
>
> Does anyone know if it's available in another IGP?
>
> Or does anyone have any sample scripts I might be able to try out?
>
> Anthony J Baade
> Network Engineer
> Business Only Broadband, LLC
> O (630) 590-6011
> C (630) 340-0696
> t...@bobbroadband.com
> www.bobbroadband.com
>
> -Original Message-
> From: Rodney Dunn [mailto:rod...@cisco.com]
> Sent: Thursday, July 23, 2009 9:33 PM
> To: Tony Baade
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF question
>
> Tony Baade wrote:
> > We experienced an issue on our network where we have a link between 2 cisco
> > ME6524s. There was packet loss across the link, but the interfaces on either
> > side never actually dropped. The packet loss however was severe enough to
> > cause problems w/ our OSPF (the neighbor session kept dropping up and down)
> > and as a result this caused our iBGP hellos to timeout, causing an outage
> > affecting several routers.
> >
> > My question is there some way to dampen a flapping neighbor in OSPF?
>
> Not natively. I tried to get that in a few years ago but couldn't make
> it happen. If you wanted it bad enough you could code it up with EEM and
> a TCL script to watch for a neighbor flap and passive that interface for
> some time.
>
> Interface event dampening covers the link flap but just for the OSPF
> transport we don't do it.
>
> The enhancement request to track it was:
>
> CSCsi29746 Routing protocol neighbor dampening request
>
> So if the interface doesn't actually go down, but there is X amount of
> packet loss in Y amount of time (or if the neighbor goes up and down a
> certain number of times) the switch will recognize this issue and stop
> using that link? We are already using IP Event Dampening, which didn't
> kick in because the interfaces never actually went down.
> >
> > If there's no way in OSPF to do this, is there support for this in another
> > IGP, or is there any other workaround for this kind of situation?
> >
> > Any advice is appreciated, thanks in advance,
> >
> > t. baade
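
The trigger logic described in the message above (X OSPF neighbor-down syslog messages within Y seconds, then a "passive-interface" change under "router ospf"), as an added Python example that runs off-box against collected syslog; it is not one of the EEM applets from the linked wiki or blog. The log lines are constructed samples in the IOS %OSPF-5-ADJCHG format, and the function names, the threshold of 3 and the 120-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, NamedTuple

# Constructed sample log (not taken from the thread). Gi1/1 loses its
# neighbor three times in about 90 seconds; Gi1/2 loses it twice, 11 minutes apart.
SAMPLE_LOG = """\
*Jul 23 14:00:01.100: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jul 23 14:00:12.500: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet1/1 from LOADING to FULL, Loading Done
*Jul 23 14:00:40.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/3, changed state to up
*Jul 23 14:00:47.900: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jul 23 14:01:02.000: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.6 on GigabitEthernet1/2 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jul 23 14:01:05.300: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet1/1 from LOADING to FULL, Loading Done
*Jul 23 14:01:31.700: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on GigabitEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Jul 23 14:12:00.000: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.6 on GigabitEthernet1/2 from FULL to DOWN, Neighbor Down: Dead timer expired
"""

# Timestamp (optional leading '*', optional milliseconds), then the ADJCHG body.
ADJCHG = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?): %OSPF-5-ADJCHG: "
    r"Process (?P<proc>\d+), Nbr (?P<nbr>\S+) on (?P<intf>\S+) "
    r"from (?P<old>\S+) to (?P<new>\S+),"
)


class Flap(NamedTuple):
    process: int          # OSPF process id ("router ospf Y")
    interface: str        # interface to make passive
    neighbor: str         # neighbor seen in the message that tripped the threshold
    tripped_at: datetime  # time of the message that tripped the threshold
    downs: int            # neighbor-down count inside the window at that time


def parse_ts(ts: str, year: int) -> datetime:
    """IOS timestamps carry no year, so the caller supplies one (assumption)."""
    ts = " ".join(ts.split())
    if "." not in ts:
        ts += ".0"
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")


def find_flapping(lines: Iterable[str], threshold: int = 3,
                  window_s: int = 120, year: int = 2009) -> List[Flap]:
    """Report each (process, interface) once, when it reaches `threshold`
    transitions to DOWN within a sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    downs = defaultdict(deque)   # (process, interface) -> recent DOWN times
    tripped = set()
    found = []
    for line in lines:
        m = ADJCHG.match(line.strip())
        if not m or m["new"] != "DOWN":
            continue             # other syslog messages and "to FULL" are ignored
        key = (int(m["proc"]), m["intf"])
        if key in tripped:
            continue             # already reported; do not alert again
        now = parse_ts(m["ts"], year)
        recent = downs[key]
        recent.append(now)
        while now - recent[0] > window:
            recent.popleft()     # forget DOWN events older than the window
        if len(recent) >= threshold:
            tripped.add(key)
            found.append(Flap(key[0], key[1], m["nbr"], now, len(recent)))
    return found


def remediation(flap: Flap) -> List[str]:
    """Configuration lines an operator (or an applet) would apply."""
    return [f"router ospf {flap.process}",
            f" passive-interface {flap.interface}"]


if __name__ == "__main__":
    for flap in find_flapping(SAMPLE_LOG.splitlines()):
        print(f"{flap.tripped_at}: {flap.downs} neighbor-down events on "
              f"{flap.interface} (nbr {flap.neighbor})")
        print("\n".join(remediation(flap)))
```
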
Re: [c-nsp] OSPF NSSA question
That does look like it would work for me. Thanks for all the input.

-Original Message-
From: Ivan Pepelnjak [mailto:i...@ioshints.info]
Sent: Thursday, July 23, 2009 11:50 AM
To: 'Ruben Alvarez'; 'Mateusz Blaszczyk'
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OSPF NSSA question

Hi!

You gave me a good reason to finally test this command and document what it does and how it's used in a hub-and-spoke environment:

http://wiki.nil.com/OSPF_flooding_filters_in_hub-and-spoke_environment

It's exactly what's needed to solve the original problem (but of course you need a static default route on the spoke routers as they lose all OSPF information).

Best regards
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -Original Message-
> From: Ruben Alvarez [mailto:r...@opusnet.com]
> Sent: Wednesday, July 22, 2009 5:17 PM
> To: 'Mateusz Blaszczyk'; 'Ivan Pepelnjak'
> Cc: cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] OSPF NSSA question
>
> I'm not sure filtering 'out' would work. Three routers all
> have one interface, each connecting to the ABR (which has
> four interfaces, three to the routers in area 1 and one in
> area 0.) If I'm filtering out, The ABR wouldn't know which
> routes are on each of the three routers. Right? The three
> routers have thousands of single host routes spread out over
> each router. The ABR knows which router has each host and
> summarizes to area 0.
>
> -Original Message-
> From: Mateusz Blaszczyk [mailto:blah...@gmail.com]
> Sent: Wednesday, July 22, 2009 1:10 AM
> To: Ivan Pepelnjak
> Cc: Ruben Alvarez; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OSPF NSSA question
>
> 2009/7/22 Ivan Pepelnjak :
> > You're probably looking for the "ip ospf database-filter all out" command.
>
> And how the summary LSA with 0/0 would get to the spoke
> router if that is filtered out?
> (assuming nssa scenario in OP's hub n'spoke topology)
>
> Best Regards,
>
> -mat
Re: [c-nsp] OSPF question
Does anyone know if it's available in another IGP?

Or does anyone have any sample scripts I might be able to try out?

Anthony J Baade
Network Engineer
Business Only Broadband, LLC
O (630) 590-6011
C (630) 340-0696
t...@bobbroadband.com
www.bobbroadband.com

-Original Message-
From: Rodney Dunn [mailto:rod...@cisco.com]
Sent: Thursday, July 23, 2009 9:33 PM
To: Tony Baade
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] OSPF question

Tony Baade wrote:
> We experienced an issue on our network where we have a link between 2 cisco
> ME6524s. There was packet loss across the link, but the interfaces on either
> side never actually dropped. The packet loss however was severe enough to
> cause problems w/ our OSPF (the neighbor session kept dropping up and down)
> and as a result this caused our iBGP hellos to timeout, causing an outage
> affecting several routers.
>
> My question is there some way to dampen a flapping neighbor in OSPF?

Not natively. I tried to get that in a few years ago but couldn't make it happen. If you wanted it bad enough you could code it up with EEM and a TCL script to watch for a neighbor flap and passive that interface for some time.

Interface event dampening covers the link flap but just for the OSPF transport we don't do it.

The enhancement request to track it was:

CSCsi29746 Routing protocol neighbor dampening request

So if the interface doesn't actually go down, but there is X amount of packet loss in Y amount of time (or if the neighbor goes up and down a certain number of times) the switch will recognize this issue and stop using that link? We are already using IP Event Dampening, which didn't kick in because the interfaces never actually went down.
>
> If there's no way in OSPF to do this, is there support for this in another
> IGP, or is there any other workaround for this kind of situation?
>
> Any advice is appreciated, thanks in advance,
>
> t. baade
Re: [c-nsp] OSPF question
The packet loss was caused by poor link quality.

-Original Message-
From: Ray Burkholder [mailto:r...@oneunified.net]
Sent: Thursday, July 23, 2009 5:33 PM
To: Tony Baade; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] OSPF question

> We experienced an issue on our network where we have a link
> between 2 cisco ME6524s. There was packet loss across the
> link, but the interfaces on either side never actually
> dropped. The packet loss however was severe enough to cause
> problems w/ our OSPF (the neighbor session kept dropping up
> and down) and as a result this caused our iBGP hellos to
> timeout, causing an outage affecting several routers.

Was packet loss due to congestion or to bad link quality? If due to congestion, you can use MQOS to give the CS6 traffic dedicated bandwidth, thus in congestion, your routing protocols won't drop.
Re: [c-nsp] MTU wierdness
Once you define the L2 MTU, packets on that VLAN can traverse any ports on that VLAN up to that MTU, but if you need to route them and retain the L2 MTU then the L3 SVI must have the same MTU. You can have the SVI different, say 1500, as long as you understand that the packets will be fragged if larger than 1500, or dropped if the DF bit is set.

If you have defined an SVI to a 9k+ MTU, that will force the L2 interfaces on that vlan to be the same since they must carry that size packets.

Well it sounds good anyway, but nobody knows everything ;~)

Jeff Fitzwater
OIT Networking & Communications Systems
Princeton University

On Jul 24, 2009, at 9:08 AM, Aaron Millisor wrote:

It is likely that you have configured an SVI or a VLAN on the 6509 for 9216 already. If any VLAN that crosses the switchport is 9216, then you can't adjust the MTU of the port to a value below 9216.

Do a 'show vlan' and also check all the SVI's for an MTU higher than 1504, then either reduce the MTU in those locations or I think you could also restrict the large VLAN from being sent on the trunk

-- Aaron Millisor

Michael Robson wrote:

I have a 6509 (with Sup720-3B) that contains 2 x WS-X6704-10GE blades where I am trying to set the MTU to be 1504 on each of these interfaces. On one blade it will only allow me to set the MTU to 9216 if the interface is a switchport, the 1504 MTU size only becomes an option when it is changed to a routed port. Since this is not the case on other 6509s we have, anyone have an idea why this might be happening (it may be worth noting that, at present, one of the other ports is a routed port with MTU of 9216)?

Thanks,
Michael
Re: [c-nsp] SNMP ENGINE consuming CPU
Hello Bill,

How large is the ARP table? "sho ip arp summ"

If it is around 15k then the issue is the ARP or BRIDGE table conversion that the route processor must do to go from hashed format to lexicographical format which SNMP queries require. SNMP queries the RIP table for these MIBS which are in HASHED format and the FIB table is in LEX format.

There are ways around the issue if you don't need to query those MIBS.

I have had this issue with our sup-720-CXL running SXI or any earlier version only on our 6500 that has a 15k arp table (not sure where the actual boundary that causes the problem is). I currently have a case open with CISCO to see if there is a fix for this. For us there is no workaround since our NMS must poll the ARP and BRIDGE tables via SNMP in order to do its job.

This is extremely frustrating for us since we rely on the NMS (HP NNMi ) to build our layer 2 topo based on those MIBS, and also TRAP correlation which uses the L2 topo to isolate the problem.

Jeff Fitzwater
OIT Network & Communications Systems
Princeton University

On Jul 24, 2009, at 9:49 AM, Bill Blackford wrote:

You hit on the issue. I had a NMS client polling the route table. This box has two full feeds and 12 other bilateral peers. Apparently, the cat7.6k/rsp720 doesn't do well in this scenario. I would imagine the GSR's or perhaps even the shiny new ASR's implement this in hardware, but I am speculating since I have no stick time on those platforms. I know this wouldn't be an issue on J, but that's a topic for another list.

Yes, my IOS version needs updating. I'm on 12.2(33)SRB1. Any recommendations?

Thank you for your feedback.

-b

-Original Message-
From: Paolo Lucente [mailto:pl+l...@pmacct.net]
Sent: Friday, July 24, 2009 2:13 AM
To: Bill Blackford
Cc: cisco-nsp mailing list
Subject: Re: [c-nsp] SNMP ENGINE consuming CPU

Hi Bill,

Often this is symptom that one or more NMS tools are freely walking through the MIBs. Also, if you are running a recent 12.2SR train image (not a recent SRD), you might be hitting the CSCsv80014 bug. Btw, which IOS version are you running?

A good (not specific to the 7600 platform) Cisco document about SNMP causing high CPU load is at the following URL:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

It simply suggests to put in place a view to cut down some pieces of the available MIBs which can easily become rather big (ie. ARP table, routing table). If any of the suggested solutions work, it could be a good starting point to pin-point the issue.

A more final solution, viable only if you are somehow in control of the SNMP pollers that regularly access your routers, is to double-check who is doing what and why. The tricky corner case is indeed that your SNMP poller(s) are intentionally making use of some large MIB for something.

Cheers,
Paolo

On Thu, Jul 23, 2009 at 02:04:33PM -0700, Bill Blackford wrote:

Currently I have a 7606 RSP720 hitting 94% CPU. A 'sh proc cpu sorted' indicates that SNMP ENGINE is the source.

Any thoughts on this?

Thanks

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home
Re: [c-nsp] SNMP ENGINE consuming CPU
You hit on the issue. I had a NMS client polling the route table. This box has two full feeds and 12 other bilateral peers. Apparently, the cat7.6k/rsp720 doesn't do well in this scenario. I would imagine the GSR's or perhaps even the shiny new ASR's implement this in hardware, but I am speculating since I have no stick time on those platforms. I know this wouldn't be an issue on J, but that's a topic for another list.

Yes, my IOS version needs updating. I'm on 12.2(33)SRB1. Any recommendations?

Thank you for your feedback.

-b

-Original Message-
From: Paolo Lucente [mailto:pl+l...@pmacct.net]
Sent: Friday, July 24, 2009 2:13 AM
To: Bill Blackford
Cc: cisco-nsp mailing list
Subject: Re: [c-nsp] SNMP ENGINE consuming CPU

Hi Bill,

Often this is a symptom that one or more NMS tools are freely walking through the MIBs. Also, if you are running a recent 12.2SR train image (not a recent SRD), you might be hitting the CSCsv80014 bug. Btw, which IOS version are you running?

A good (not specific to the 7600 platform) Cisco document about SNMP causing high CPU load is at the following URL:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

It simply suggests to put in place a view to cut down some pieces of the available MIBs which can easily become rather big (i.e. ARP table, routing table). If any of the suggested solutions work, it could be a good starting point to pin-point the issue.

A more final solution, viable only if you are somehow in control of the SNMP pollers that regularly access your routers, is to double-check who is doing what and why. The tricky corner case is indeed that your SNMP poller(s) are intentionally making use of some large MIB for something.

Cheers,
Paolo

On Thu, Jul 23, 2009 at 02:04:33PM -0700, Bill Blackford wrote:

> Currently I have a 7606 RSP720 hitting 94% CPU.
> A 'sh proc cpu sorted' indicates that SNMP ENGINE is the source.
>
> Any thoughts on this?
>
> Thanks
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
Re: [c-nsp] MTU wierdness
It is likely that you have configured an SVI or a VLAN on the 6509 for 9216 already. If any VLAN that crosses the switchport is 9216, then you can't adjust the MTU of the port to a value below 9216. Do a 'show vlan' and also check all the SVI's for an MTU higher than 1504, then either reduce the MTU in those locations or I think you could also restrict the large VLAN from being sent on the trunk

--
Aaron Millisor

Michael Robson wrote:

> I have a 6509 (with Sup720-3B) that contains 2 x WS-X6704-10GE blades where I am trying to set the MTU to be 1504 on each of these interfaces. On one blade it will only allow me to set the MTU to 9216 if the interface is a switchport, the 1504 MTU size only becomes an option when it is changed to a routed port. Since this is not the case on other 6509s we have, anyone have an idea why this might be happening (it may be worth noting that, at present, one of the other ports is a routed port with MTU of 9216)?
>
> Thanks,
> Michael
[c-nsp] RES: vrf-lite vs. MPLS vrf
Hi,

> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net]
> On Behalf Of Randy Densen
> Sent: Thursday, July 23, 2009 17:58
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] vrf-lite vs. MPLS vrf
>
> This is my first post.
> I have 2 questions:
>
> 1) Does the cisco-nsp Archives have a search function to look for posts that
> may have already been addressed and/or answered?
>

You can use Google search:

site:puck.nether.net c-nsp
Re: [c-nsp] MPLS MTU / Jumbo frames etc.
> For a 7200 with FE ports this translates into:
>
> mpls mtu 1546

But not PA-(2)FE-TX(-ISL) or IO-(2)FE because they have an inbuilt 1530B "on the wire" limitation

> Please see discussion regarding this from ~1 year back.
Re: [c-nsp] SNMP ENGINE consuming CPU
Hi Bill,

Often this is a symptom that one or more NMS tools are freely walking through the MIBs. Also, if you are running a recent 12.2SR train image (not a recent SRD), you might be hitting the CSCsv80014 bug. Btw, which IOS version are you running?

A good (not specific to the 7600 platform) Cisco document about SNMP causing high CPU load is at the following URL:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00800948e6.shtml

It simply suggests to put in place a view to cut down some pieces of the available MIBs which can easily become rather big (i.e. ARP table, routing table). If any of the suggested solutions work, it could be a good starting point to pin-point the issue.

A more final solution, viable only if you are somehow in control of the SNMP pollers that regularly access your routers, is to double-check who is doing what and why. The tricky corner case is indeed that your SNMP poller(s) are intentionally making use of some large MIB for something.

Cheers,
Paolo

On Thu, Jul 23, 2009 at 02:04:33PM -0700, Bill Blackford wrote:

> Currently I have a 7606 RSP720 hitting 94% CPU.
> A 'sh proc cpu sorted' indicates that SNMP ENGINE is the source.
>
> Any thoughts on this?
>
> Thanks
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
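The view-based approach suggested in the message above, as an added IOS configuration sketch that is not part of the original post: it hides the routing and ARP tables from a read-only community and restricts that community to one known poller. The view name `cutdown`, the `<community>` placeholder, ACL number 10 and the poller address 192.0.2.10 (a documentation address) are assumptions.

```cisco
! Added example. View name, ACL number, poller address and community
! string are assumptions, not values from the thread.
!
! Allow only the known NMS poller to use the community, and log
! everything else so unexpected pollers show up in the logs.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
! Start from the whole tree, then exclude the large tables.
snmp-server view cutdown iso included
! ipRouteTable (routing table)
snmp-server view cutdown 1.3.6.1.2.1.4.21 excluded
! ipForward subtree, which contains ipCidrRouteTable
snmp-server view cutdown 1.3.6.1.2.1.4.24 excluded
! ipNetToMediaTable (ARP table)
snmp-server view cutdown 1.3.6.1.2.1.4.22 excluded
! at (legacy address translation table)
snmp-server view cutdown 1.3.6.1.2.1.3 excluded
!
! Bind the read-only community to the restricted view and the ACL.
snmp-server community <community> view cutdown RO 10
```

`show snmp view` lists the resulting view, and the match counters in `show access-lists 10` show whether any source other than the expected poller is querying the device. A poller that needs the excluded tables for its own function cannot use this view.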
Re: [c-nsp] MTU wierdness
Michael,

Check:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/intrface.html#wp104
http://www.cisco.com/en/US/partner/docs/ios/interface/command/reference/ir_l2.html#wp1030775
http://www.cisco.com/en/US/partner/docs/ios/fundamentals/command/reference/cf_s3.html#wp1019645

I think it should be in there.

Arie

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Michael Robson
Sent: Friday, July 24, 2009 12:32
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MTU wierdness

I have a 6509 (with Sup720-3B) that contains 2 x WS-X6704-10GE blades where I am trying to set the MTU to be 1504 on each of these interfaces. On one blade it will only allow me to set the MTU to 9216 if the interface is a switchport, the 1504 MTU size only becomes an option when it is changed to a routed port. Since this is not the case on other 6509s we have, anyone have an idea why this might be happening (it may be worth noting that, at present, one of the other ports is a routed port with MTU of 9216)?

Thanks,
Michael
[c-nsp] MTU wierdness
I have a 6509 (with Sup720-3B) that contains 2 x WS-X6704-10GE blades where I am trying to set the MTU to be 1504 on each of these interfaces. On one blade it will only allow me to set the MTU to 9216 if the interface is a switchport, the 1504 MTU size only becomes an option when it is changed to a routed port. Since this is not the case on other 6509s we have, anyone have an idea why this might be happening (it may be worth noting that, at present, one of the other ports is a routed port with MTU of 9216)?

Thanks,
Michael
[c-nsp] clear platform hardware capacity fabric counters?
Hello,

I haven't been able to find the command for clearing "platform hardware capacity fabric / forwarding" counters.

Or isn't it possible? And should I reboot?

Kind regards,
Bas
[c-nsp] Cisco Network Registrar - TFTP redundancy
Hello,

I am using CNR as a DNS, DHCP and TFTP server. I am planning to use DHCP, DNS and TFTP failover. I am thinking that the CNR doesn't support failover functionality for TFTP service. I cannot configure multiple TFTP addresses in the CNR's DHCP policies menu. But I think I have found a workaround: I can configure multiple TFTP addresses in one line with ; (for example 192.168.1.1 ; 192.168.1.2 in the value field).

Is it possible to use multiple TFTP addresses like this?

Kind Regards...
Burak
Re: [c-nsp] Questions about upgrading and image of a Modular IOS
Hi Gert,

We looked into modular some time ago, but I don't imagine much has changed. Patches were for as you say gaping security holes, not upgrades even of a point release.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: 24 July 2009 08:27
To: Jeff Cartier
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Questions about upgrading and image of a Modular IOS

Hi,

On Thu, Jul 23, 2009 at 09:04:40AM -0400, Jeff Cartier wrote:
> Just for peace of mind, and a good night's sleep :-)...I was hoping for
> some confirmation from the group if this is the correct way to upgrade
> the IOS (the boss is against patching the IOS). So here are my steps...

How does Cisco currently deal with "modular IOS" upgrades and patches?

Are there patches available at all (and yes, where to find them)? If yes, can these patches be used to upgrade from, say, SXI1 to SXI2, or will they only fix gaping security holes? Are the rules for "what will be in a patch and what not" documented somewhere?

We're in the process of upgrading a few boxes from SXI1 to SXI2 due to BGP memory leaks. Currently, this is "non-modular" code, but I wonder if modular+patches would bring me the fixed BGPD without having to do a full reload...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Questions about upgrading and image of a Modular IOS
Hi,

On Thu, Jul 23, 2009 at 09:04:40AM -0400, Jeff Cartier wrote:
> Just for peace of mind, and a good night's sleep :-)...I was hoping for
> some confirmation from the group if this is the correct way to upgrade
> the IOS (the boss is against patching the IOS). So here are my steps...

How does Cisco currently deal with "modular IOS" upgrades and patches?

Are there patches available at all (and yes, where to find them)? If yes, can these patches be used to upgrade from, say, SXI1 to SXI2, or will they only fix gaping security holes? Are the rules for "what will be in a patch and what not" documented somewhere?

We're in the process of upgrading a few boxes from SXI1 to SXI2 due to BGP memory leaks. Currently, this is "non-modular" code, but I wonder if modular+patches would bring me the fixed BGPD without having to do a full reload...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de