Re: [c-nsp] Continous BGP session resets on SRD3

2010-06-22 Thread Tima Maryin

The bug id you provided describes exactly what happened for us.

I could assume that they are similar bugs (or have same root issue), but they 
have different "fixed in" lists...

CSCta33973 is fixed in 12.0(33)S5
CSCsy27511 is not fixed there according to bug toolkit

But you refer to the SA, which is also referenced from CSCta33973 :)

So are those the same or not?

Now I'm confused


Shimol Shah wrote:
Rodney, Luc and myself had a detailed discussion internally on this. 
Below is our summary of this issue. Sharing for everyone's benefit.


We think a large but valid AS PATH was originated by someone/somewhere, 
which included at least one 4-byte ASN. When this reached the border 
router, which was 4-byte ASN capable, it corrupted the update when 
sending it to an ASN2-only peer. So the ASN2 peer, on receiving it, reset the 
peer-ship to the ASN4 peer and logged the notification 3/4 message.


This is a bug on the border router. It is addressed via CSCsy27511.

The issue can possibly be worked around by configuring the "bgp maxas-limit 
#" knob on the ASN4-capable upstream (the border box corrupting the 
packet), but the issue with that is there is no right value to use for it. 
We have been able to reproduce the above with an AS path length as small as 35.


So the recommendation is to upgrade past the above bug.

A more compelling reason to upgrade is the more serious issues of:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml

Shimol

On 6/18/10 9:59 AM, Rodney Dunn wrote:

That's not it. Shimol is formulating an update on the issue and correct
bug id. Stand by...



On 6/18/10 8:41 AM, Tima Maryin wrote:

I've been told by TAC that this problem caused by CSCta33973

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
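The summary quoted in the message above describes an ASN2-only peer resetting the session with a notification 3/4 after receiving a corrupted UPDATE. As an added example (not from the thread and not Cisco's code), the sketch below encodes a 35-hop path containing one 4-byte ASN the way RFC 4893 prescribes for a 2-byte-only peer, then runs the checks such a peer applies, mapping each failure to its RFC 4271 NOTIFICATION code/subcode. The function names and the sample path are assumptions made for the example; the deliberately damaged inputs in the demo are constructed faults, not a reproduction of CSCsy27511.

```python
import struct

AS_TRANS = 23456              # RFC 4893 placeholder for ASNs that need 4 bytes
AS_PATH, AS4_PATH = 2, 17     # path attribute type codes
AS_SET, AS_SEQUENCE = 1, 2    # path segment types
F_OPTIONAL, F_TRANSITIVE, F_EXT_LEN = 0x80, 0x40, 0x10
# NOTIFICATION (code, subcode) pairs from RFC 4271; code 3 = UPDATE Message Error
ERR_FLAGS, ERR_LENGTH, ERR_AS_PATH = (3, 4), (3, 5), (3, 11)

# Constructed sample: 35 ASNs, the first one only representable in 4 bytes.
SAMPLE_PATH = [65550] + list(range(64496, 64530))


def _segments(asns, width):
    """Pack ASNs as AS_SEQUENCE segments of at most 255 entries each."""
    fmt = "!H" if width == 2 else "!I"
    out = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += bytes([AS_SEQUENCE, len(chunk)])
        out += b"".join(struct.pack(fmt, asn) for asn in chunk)
    return out


def _attribute(flags, type_code, value):
    """Emit one path attribute; values over 255 bytes need Extended Length."""
    if len(value) > 255:
        header = bytes([flags | F_EXT_LEN, type_code]) + struct.pack("!H", len(value))
    else:
        header = bytes([flags, type_code, len(value)])
    return header + value


def encode_for_asn2_peer(as_path):
    """Path attributes a 4-byte-capable speaker sends to a 2-byte-only peer."""
    two_byte = [asn if asn <= 0xFFFF else AS_TRANS for asn in as_path]
    attrs = _attribute(F_TRANSITIVE, AS_PATH, _segments(two_byte, 2))
    if any(asn > 0xFFFF for asn in as_path):
        # The real 4-byte path travels in the optional transitive AS4_PATH.
        attrs += _attribute(F_OPTIONAL | F_TRANSITIVE, AS4_PATH,
                            _segments(as_path, 4))
    return attrs


def validate_as_asn2_peer(attrs):
    """Return None if the attributes parse, else the NOTIFICATION (code, subcode)."""
    pos = 0
    while pos < len(attrs):
        if pos + 3 > len(attrs):
            return ERR_LENGTH
        flags, type_code = attrs[pos], attrs[pos + 1]
        if flags & F_EXT_LEN:
            if pos + 4 > len(attrs):
                return ERR_LENGTH
            length = struct.unpack_from("!H", attrs, pos + 2)[0]
            pos += 4
        else:
            length = attrs[pos + 2]
            pos += 3
        if pos + length > len(attrs):
            return ERR_LENGTH
        value = attrs[pos:pos + length]
        pos += length
        if type_code != AS_PATH:
            continue  # e.g. AS4_PATH: unknown to this peer, carried as-is
        # AS_PATH is well-known: Optional bit clear, Transitive bit set.
        if (flags & (F_OPTIONAL | F_TRANSITIVE)) != F_TRANSITIVE:
            return ERR_FLAGS
        seg = 0
        while seg < len(value):
            if (seg + 2 > len(value) or value[seg] not in (AS_SET, AS_SEQUENCE)
                    or value[seg + 1] == 0):
                return ERR_AS_PATH
            seg += 2 + 2 * value[seg + 1]   # 2-byte ASNs on this session
        if seg != len(value):
            return ERR_AS_PATH
    return None


if __name__ == "__main__":
    good = encode_for_asn2_peer(SAMPLE_PATH)
    print("well-formed:", validate_as_asn2_peer(good))
    # Constructed faults: wrong flags byte, then a truncated attribute list.
    print("bad flags:  ", validate_as_asn2_peer(bytes([0xC0]) + good[1:]))
    print("truncated:  ", validate_as_asn2_peer(good[:50]))
```
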


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Justin M. Streiner

On Wed, 23 Jun 2010, bha Qaqish wrote:


I did it
The 2 sessions are still stuck


Then you really don't have much choice but to schedule a maintenance 
window and reboot the router.


jms


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish
I did it 
The 2 sessions are still stuck

Eng. Bha Qaqish
 


-Original Message-
From: Bøvre Jon Harald [mailto:jon.harald.bo...@hafslund.no] 
Sent: Tuesday, June 22, 2010 11:18 PM
To: bha Qaqish; cisco-nsp@puck.nether.net
Subject: SV: VTY PROBLEM


find the TCP TCB session using:

show tcp brief
TCB   Local Address   Foreign Address(state)
833C88C4  xx.28.1.141.23  xx.28.0.34.50517   ESTAB
83A81DCC  xx.28.1.141.23  xx.28.0.34.50509   ESTAB

release the failing TCP session by clearing tcb (in this case the second line):

clear tcp tcb 83A81DCC

This method also works for hanging BGP sessions (bug in some older IOS)

Jon Harald Bøvre




From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] 
on behalf of bha Qaqish [bha.qaq...@nitc.gov.jo]
Sent: 22 June 2010 20:27
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VTY PROBLEM

Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck , I can not clear it , its stuck for 70 weeks , I can not 
restart the router cause we are an ISP, so how could I clear the sessions , I 
have a --- exec-timeout 60 0 --- on the vty.
Please help ASAP


BR


Eng. Bha Qaqish









Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish
I did it several times but did not do anything

Eng. Bha Qaqish
 

-Original Message-
From: David Prall [mailto:d...@dcptech.com] 
Sent: Tuesday, June 22, 2010 11:13 PM
To: bha Qaqish; 'Jeff Wojciechowski'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] VTY PROBLEM

Do a "who" and see who has a hold of it. Then put an acl on the ingress
interface so deny it in and out. Your exec-timeout should eventually kick it
off. If not, at least they won't be able to connect again. I'd also do
"clear line 3" and confirm a couple of times.

David

--
http://dcp.dcptech.com


> -Original Message-
> From: bha Qaqish [mailto:bha.qaq...@nitc.gov.jo]
> Sent: Tuesday, June 22, 2010 3:17 PM
> To: David Prall; 'Jeff Wojciechowski'; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] VTY PROBLEM
> 
> It's the same , not cleared
> 
> Eng. Bha Qaqish
> 
> 
> 
> 
> -Original Message-
> From: David Prall [mailto:d...@dcptech.com]
> Sent: Tuesday, June 22, 2010 10:14 PM
> To: bha Qaqish; 'Jeff Wojciechowski'; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] VTY PROBLEM
> 
> Should be "clear line 3"
> 
> David
> 
> --
> http://dcp.dcptech.com
> 
> 
> > -Original Message-
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> > boun...@puck.nether.net] On Behalf Of bha Qaqish
> > Sent: Tuesday, June 22, 2010 2:48 PM
> > To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] VTY PROBLEM
> >
> > Yes
> > I can see the session in this command , and when I make the clear
> line
> > vty 3 for example , its not cleared. It still exist in the show
> > command
> >
> > Eng. Bha Qaqish
> >
> >
> > -Original Message-
> > From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com]
> > Sent: Tuesday, June 22, 2010 9:44 PM
> > To: bha Qaqish; cisco-nsp@puck.nether.net
> > Subject: RE: VTY PROBLEM
> >
> > Can you see the session using show line and then clear line X (where
> X=
> > line number of stuck VTY session)?
> >
> > -Jeff
> >
> > -Original Message-
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> > boun...@puck.nether.net] On Behalf Of bha Qaqish
> > Sent: Tuesday, June 22, 2010 1:27 PM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] VTY PROBLEM
> >
> >
> >
> >
> >
> > Dear
> > I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet
> vty
> > sessions that stuck , I can not clear it , its stuck for 70 weeks , I
> > can not restart the router cause we are an ISP, so how could I clear
> > the sessions , I have a --- exec-timeout 60 0 --- on the vty.
> > Please help ASAP
> >
> >
> > BR
> >
> >
> > Eng. Bha Qaqish


Re: [c-nsp] weird BGP stuff

2010-06-22 Thread Rodney Dunn
A lot of times it's the return path that's failing. When you do the 
traceroute from another device you have changed the source so it may 
have a valid return path.


Not sure what code but you could look at Mini Protocol Analyzer to give 
you an inline trace view to watch for the forward and reverse packets:


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mpa.html

You mentioned equal cost paths so you can look at 'sh mls cef 
exact-route srcip dstip' to see which path the hardware would forward down.


You then need to check the downstream neighbor with some form of packet 
capture (netflow, ACL's, etc..) to find out where it's truly lost.


Rodney



On 6/22/10 7:36 PM, Paul Stewart wrote:

Hey folks...

I'm looking for a second set of eyes here ;)  Have a pair of 7606 boxes that
have been handling 100's of BGP sessions for a long time now with no
problems (well, performance but I'll leave that alone).

We added a Juniper MX480 into the mix recently and now seem to be having a
routing issue that I can't seem to pinpoint where it's occurring.

Here's a quick rundown to get started of a remote site that is reachable
from other providers and should be reachable from us we're confident:

traceroute to 216.166.249.148 (216.166.249.148), 30 hops max, 40 byte packets
  1  dis1-rtr-mb-vl10.nexicom.net (216.168.115.177)  0.468 ms  0.477 ms  0.543 ms
  2  core2-rtr-to-ge4-12-vl4.nexicom.net (98.124.0.226)  8.803 ms  8.866 ms  8.941 ms
  3  * * *
  4  * * *
  5  * * *
  6  * * *
  7  * * *

So dis1 is a 6500 and core2 in this case is on the BGP speaking 7606's I was
talking about.  Traffic just stops at 98.124.0.226 or the next hop - it's
unclear.  So using this destination for example I jump onto core2 and do a
lookup:

core2-rtr-to#sh ip bgp 216.166.249.148
BGP routing table entry for 216.166.248.0/21, version 315975
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     11 13 17 18 19 22 23
  6939 22561
    209.51.163.145 from 98.124.59.17 (76.75.100.59)
      Origin IGP, localpref 100, valid, internal, best
      Community: 11666:1000 11666:1006
  6939 22561
    209.51.163.145 from 98.124.59.25 (76.75.100.59)
      Origin IGP, localpref 100, valid, internal
      Community: 11666:1000 11666:1006

You'll see two paths, both valid and both from an iBGP neighbour.  The next
hop of 98.124.59.17 is valid and reachable.

If I run a traceroute directly on the core2 7606 box I get timeouts:

core2-rtr-to#traceroute 216.166.249.148

Type escape sequence to abort.
Tracing the route to 216-166-249-148.clec.peknil.commercial.madisonriver.net (216.166.249.148)

  1  *  *  *
  2  *  *

Finally, the MX480 where this transit provider connects I do a traceroute
and it's perfect:

p...@core1.toronto1>  traceroute 216.166.249.148
traceroute to 216.166.249.148 (216.166.249.148), 30 hops max, 40 byte packets
  1  gige-g2-20.core1.tor1.he.net (209.51.163.145)  0.458 ms  0.401 ms  0.294 ms
  2  10gigabitethernet1-2.core1.nyc5.he.net (72.52.92.165)  21.863 ms  22.573 ms  24.961 ms
  3  10gigabitethernet1-4.core1.nyc1.he.net (72.52.92.153)  27.827 ms  18.939 ms  25.197 ms
  4  198.32.160.19 (198.32.160.19)  16.381 ms  16.543 ms  16.427 ms
  5  bb-nycmny83-jx9-02-ae0-0.core.centurytel.net (208.110.248.114)  27.572 ms  16.578 ms  16.591 ms
     MPLS Label=521136 CoS=0 TTL=1 S=1
  6  bb-chcgilwu-jx9-02-ae4-0.core.centurytel.net (208.110.248.69)  38.239 ms  38.107 ms  38.254 ms
     MPLS Label=570289 CoS=0 TTL=1 S=1
  7  bb-mrghmoqa-jx9-02-xe-1-1-0.core.lightcore.net (206.51.69.45)  60.820 ms  45.567 ms  45.416 ms
     MPLS Label=656386 CoS=0 TTL=1 S=1
  8  bb-peknilxd-jm1-01-ge-0-1-0-298.core.lightcore.net (206.51.69.238)  51.356 ms  51.256 ms  51.440 ms
  9  peknil-coe-ci7507-01.grics.net (64.40.75.4)  54.189 ms  53.656 ms  54.102 ms
 10  209-102-183-102.nworla.commercial.madisonriver.net (209.102.183.102)  63.918 ms  60.269 ms  60.593 ms

So why is it failing from the Cisco to the Juniper?  I'm pulling my hair
(what I have left) out on this ... and it's only happening to a handful of
routes that we are aware of so far

Thanks,

Paul





Re: [c-nsp] GigE woes

2010-06-22 Thread Tim Durack
After a month of denial, the provider just reconfigured the GigE
circuit to be "clear channel", and it is now behaving itself |-\

Provider says we must be doing some weird encap/encryption. Nope. Just
two 6504s, SUP720-3BXL, GigE L3 interface. We replaced SFPs, tried
different 6504s, linecards, SUP720s. Tried a pair of simple HP L2
switches. No resolution.

Finally put some Anritsu GigE testers and ran RFC2544. Fails tests
with high loss at 64B frame, high loss on burst tests, and weird
latency results.

The fact that "clear channel" fixes this makes me think there is an
OEO element with a framing problem. At this point the circuit is
working, so it is academic. Like to know more for the next time
though...

Anyone else got ideas?

Tim:>

On Fri, May 14, 2010 at 2:53 PM, Tim Durack  wrote:
> I've got a crazy GigE circuit that's having problems:
>
> RTR-1#ping vrf v10 10.241.1.10 repeat 1 df-bit size 9000 timeout 1
>
> Type escape sequence to abort.
> Sending 1, 9000-byte ICMP Echos to 10.241.1.10, timeout is 1 seconds:
> Packet sent with the DF bit set
> !!
> !!
> !!
> !!
> !!
> !!
> !!
> !!
> !!!
> Success rate is 100 percent (587/587), round-trip min/avg/max = 8/18/408 ms
>
> RTR-1#ping vrf v10 10.241.1.10 repeat 1 df-bit size 200 timeout 1
>
> Type escape sequence to abort.
> Sending 1, 200-byte ICMP Echos to 10.241.1.10, timeout is 1 seconds:
> Packet sent with the DF bit set
> ..!..!..!.!!..!..!.!!..!...!..!..!..!..!.!!...!.!..!..!!..!..!
> ..!..!!..!..!..!.!.!..!!.!..!..!..!..!!..!..!..!..!.!.!..!
> .!..!..!..!..!!..!..!..!..!!!..!.!..!!.!!!..!..!..!..!
> !.!..
> Success rate is 32 percent (72/219), round-trip min/avg/max = 4/160/1180 ms
>
> RTR-1#ping vrf v10 10.241.1.10 repeat 1 df-bit size 9000 timeout 1
>
> Type escape sequence to abort.
> Sending 1, 9000-byte ICMP Echos to 10.241.1.10, timeout is 1 seconds:
> Packet sent with the DF bit set
> !!
> !!
> !!
> !
> Success rate is 100 percent (255/255), round-trip min/avg/max = 12/16/228 ms
>
> Ping with large frame size appears to pass. Small frame size results
> in packet loss and unusually high rtt.
>
> Additionally, traffic must be present in both directions for any
> traffic to cross the link. I have to start the ping on both routers
> simultaneously. If the ping is stopped on one side, the ping from the
> other side stops returning.
>
> Have mostly ruled out my equipment, but the carrier doesn't believe
> there is anything wrong on their side. They strap a GigE tester across
> the path and of course it works just fine. But try convincing arp/ospf
> to work across such a link.
>
> The link appears to be a muxponder over the carriers DWDM network, so
> it is mostly optical, possibly only two OEO points at the customer
> hand off.
>
> Anyone seen anything like this before?
>
> --
> Tim:>
>



-- 
Tim:>


[c-nsp] Etherchannel plus OSPF in GNS3

2010-06-22 Thread Ivan Šimko
Hi all

I've got a question for GNS experienced guys. In my attached topology I have
routers with etherchannel groups. Then 2 VRFs light and OSPF over SVI.
Purpose of the network is to achieve load balancing on port-channels and load
balancing over OSPF also. Better understanding is here:

Router has got 2 Etherchannel groups
Router has got VRF with 2 VLANs
One VLAN is member of etherchannel group 1
Second VLAN member of group 2
Each group consists of 2 ports - I'm using two different links for
transmitting and want to use them for higher throughput, that is the reason for
etherchannel group
OSPF for VRF
Both VLANs are members of the same VRF.
Interconnections are VLANs /30.


Network works pretty nice but the only thing I'm missing are counters on
physical FE ports and Port-channels, which are still zero. The only updated
counters are SVIs.

OSPF does load balancing based on flow
Port channel is set up based on src-dst-ip - how to confirm??

I want to prove that the portchannel is using both ports in one direction only.
Counters should help me but nothing is incremented.

Used devices: 3640


Thanks for comments

Ivan

[c-nsp] weird BGP stuff

2010-06-22 Thread Paul Stewart
Hey folks...

I'm looking for a second set of eyes here ;)  Have a pair of 7606 boxes that
have been handling 100's of BGP sessions for a long time now with no
problems (well, performance but I'll leave that alone).

We added a Juniper MX480 into the mix recently and now seem to be having a
routing issue that I can't seem to pinpoint where it's occurring.

Here's a quick rundown to get started of a remote site that is reachable
from other providers and should be reachable from us we're confident:

traceroute to 216.166.249.148 (216.166.249.148), 30 hops max, 40 byte packets
  1  dis1-rtr-mb-vl10.nexicom.net (216.168.115.177)  0.468 ms  0.477 ms  0.543 ms
  2  core2-rtr-to-ge4-12-vl4.nexicom.net (98.124.0.226)  8.803 ms  8.866 ms  8.941 ms
  3  * * *
  4  * * *
  5  * * *
  6  * * *
  7  * * *

So dis1 is a 6500 and core2 in this case is on the BGP speaking 7606's I was
talking about.  Traffic just stops at 98.124.0.226 or the next hop - it's
unclear.  So using this destination for example I jump onto core2 and do a
lookup:

core2-rtr-to#sh ip bgp 216.166.249.148
BGP routing table entry for 216.166.248.0/21, version 315975
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     11 13 17 18 19 22 23
  6939 22561
    209.51.163.145 from 98.124.59.17 (76.75.100.59)
      Origin IGP, localpref 100, valid, internal, best
      Community: 11666:1000 11666:1006
  6939 22561
    209.51.163.145 from 98.124.59.25 (76.75.100.59)
      Origin IGP, localpref 100, valid, internal
      Community: 11666:1000 11666:1006

You'll see two paths, both valid and both from an iBGP neighbour.  The next
hop of 98.124.59.17 is valid and reachable.

If I run a traceroute directly on the core2 7606 box I get timeouts:

core2-rtr-to#traceroute 216.166.249.148

Type escape sequence to abort.
Tracing the route to 216-166-249-148.clec.peknil.commercial.madisonriver.net (216.166.249.148)

  1  *  *  *
  2  *  *

Finally, the MX480 where this transit provider connects I do a traceroute
and it's perfect:

p...@core1.toronto1> traceroute 216.166.249.148
traceroute to 216.166.249.148 (216.166.249.148), 30 hops max, 40 byte packets
  1  gige-g2-20.core1.tor1.he.net (209.51.163.145)  0.458 ms  0.401 ms  0.294 ms
  2  10gigabitethernet1-2.core1.nyc5.he.net (72.52.92.165)  21.863 ms  22.573 ms  24.961 ms
  3  10gigabitethernet1-4.core1.nyc1.he.net (72.52.92.153)  27.827 ms  18.939 ms  25.197 ms
  4  198.32.160.19 (198.32.160.19)  16.381 ms  16.543 ms  16.427 ms
  5  bb-nycmny83-jx9-02-ae0-0.core.centurytel.net (208.110.248.114)  27.572 ms  16.578 ms  16.591 ms
     MPLS Label=521136 CoS=0 TTL=1 S=1
  6  bb-chcgilwu-jx9-02-ae4-0.core.centurytel.net (208.110.248.69)  38.239 ms  38.107 ms  38.254 ms
     MPLS Label=570289 CoS=0 TTL=1 S=1
  7  bb-mrghmoqa-jx9-02-xe-1-1-0.core.lightcore.net (206.51.69.45)  60.820 ms  45.567 ms  45.416 ms
     MPLS Label=656386 CoS=0 TTL=1 S=1
  8  bb-peknilxd-jm1-01-ge-0-1-0-298.core.lightcore.net (206.51.69.238)  51.356 ms  51.256 ms  51.440 ms
  9  peknil-coe-ci7507-01.grics.net (64.40.75.4)  54.189 ms  53.656 ms  54.102 ms
 10  209-102-183-102.nworla.commercial.madisonriver.net (209.102.183.102)  63.918 ms  60.269 ms  60.593 ms

So why is it failing from the Cisco to the Juniper?  I'm pulling my hair
(what I have left) out on this ... and it's only happening to a handful of
routes that we are aware of so far

Thanks,

Paul

 



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Pepa Verich
Hi.

You can try command "clear TCP line vty X". Sometimes it works.

Pepa


On 22.6.2010 20:47, bha Qaqish wrote:
> Yes 
> I can see the session in this command , and when I make the clear line vty 3 
> for example , its not cleared. It still exist in the show  command
> 
> Eng. Bha Qaqish
>  
> 
> -Original Message-
> From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com] 
> Sent: Tuesday, June 22, 2010 9:44 PM
> To: bha Qaqish; cisco-nsp@puck.nether.net
> Subject: RE: VTY PROBLEM
> 
> Can you see the session using show line and then clear line X (where X= line 
> number of stuck VTY session)?
> 
> -Jeff
> 
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bha Qaqish
> Sent: Tuesday, June 22, 2010 1:27 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] VTY PROBLEM
> 
> 
> 
> 
> 
> Dear
> I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
> sessions that stuck , I can not clear it , its stuck for 70 weeks , I can not 
> restart the router cause we are an ISP, so how could I clear the sessions , I 
> have a --- exec-timeout 60 0 --- on the vty. 
> Please help ASAP
> 
> 
> BR
> 
> 
> Eng. Bha Qaqish


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Bøvre Jon Harald

find the TCP TCB session using:

show tcp brief
TCB   Local Address   Foreign Address(state)
833C88C4  xx.28.1.141.23  xx.28.0.34.50517   ESTAB
83A81DCC  xx.28.1.141.23  xx.28.0.34.50509   ESTAB

release the failing TCP session by clearing tcb (in this case the second line):

clear tcp tcb 83A81DCC

This method also works for hanging BGP sessions (bug in some older IOS)

Jon Harald Bøvre




From: cisco-nsp-boun...@puck.nether.net [cisco-nsp-boun...@puck.nether.net] 
on behalf of bha Qaqish [bha.qaq...@nitc.gov.jo]
Sent: 22 June 2010 20:27
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VTY PROBLEM

Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck , I can not clear it , its stuck for 70 weeks , I can not 
restart the router cause we are an ISP, so how could I clear the sessions , I 
have a --- exec-timeout 60 0 --- on the vty.
Please help ASAP


BR


Eng. Bha Qaqish







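The procedure in the message above (read "show tcp brief", pick the TCB of the stuck session, issue "clear tcp tcb") can be scripted against captured output. The following is an added example, not part of the original post: it parses the address.port columns, filters by local and foreign port, and only emits a clear command for a TCB field that is strictly hexadecimal, so a malformed capture cannot put extra text into a generated CLI line. The function names are assumptions; the sample reuses the two TCB values from the post with constructed documentation addresses, and the third row is constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Tcb(NamedTuple):
    tcb: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    state: str


# A TCB identifier is a bare hex address; anything else is not a data row.
_TCB_ID = re.compile(r"^[0-9A-Fa-f]{6,16}$")

# Constructed sample in the layout shown in the post (addresses are
# documentation ranges; the port 179 row is constructed).
SAMPLE_OUTPUT = """\
Router#show tcp brief
TCB       Local Address           Foreign Address        (state)
833C88C4  192.0.2.141.23          198.51.100.34.50517    ESTAB
83A81DCC  192.0.2.141.23          198.51.100.34.50509    ESTAB
84B0117C  192.0.2.141.179         203.0.113.9.11002      ESTAB
"""


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'a.b.c.d.port': the port is whatever follows the last dot."""
    addr, _, port = endpoint.rpartition(".")
    if not addr or not port.isdigit():
        raise ValueError("not an address.port pair: %r" % endpoint)
    return addr, int(port)


def parse_tcp_brief(text: str) -> List[Tcb]:
    """Return one Tcb per data row; prompts, headers and junk are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not _TCB_ID.match(fields[0]):
            continue
        try:
            local_addr, local_port = _split_endpoint(fields[1])
            foreign_addr, foreign_port = _split_endpoint(fields[2])
        except ValueError:
            continue
        entries.append(Tcb(fields[0], local_addr, local_port,
                           foreign_addr, foreign_port, fields[3]))
    return entries


def clear_commands(entries: List[Tcb], local_port: int,
                   foreign_port: Optional[int] = None) -> List[str]:
    """Build 'clear tcp tcb' lines for sessions on local_port.

    Pass foreign_port to target a single session, as the post does when
    it clears only the second of two telnet connections.
    """
    return ["clear tcp tcb " + e.tcb
            for e in entries
            if e.local_port == local_port
            and (foreign_port is None or e.foreign_port == foreign_port)]


if __name__ == "__main__":
    sessions = parse_tcp_brief(SAMPLE_OUTPUT)
    for cmd in clear_commands(sessions, local_port=23, foreign_port=50509):
        print(cmd)
```
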


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Billy Guthrie
Yeah, we had someone stuck for 4 years on a 2511 Terminal Server, did 
everything including the comment from Joseph.
As already indicated, if it is really not allowing you to sleep at 
night, schedule a maintenance window and reboot, if not, 
wait for the next scheduled maintenance for that device.

Billy

Joseph Karpenko wrote:

you can also use "clear tcp tcb " (obtained from the
output of the "show tcp brief" command) to clear the socket or
SNMP[1] to clear hung connections.  ;)

[1] 



regards,

  




Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread David Prall
Do a "who" and see who has a hold of it. Then put an acl on the ingress
interface so deny it in and out. Your exec-timeout should eventually kick it
off. If not, at least they won't be able to connect again. I'd also do
"clear line 3" and confirm a couple of times.

David

--
http://dcp.dcptech.com


> -Original Message-
> From: bha Qaqish [mailto:bha.qaq...@nitc.gov.jo]
> Sent: Tuesday, June 22, 2010 3:17 PM
> To: David Prall; 'Jeff Wojciechowski'; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] VTY PROBLEM
> 
> It's the same , not cleared
> 
> Eng. Bha Qaqish
> 
> 
> 
> 
> -Original Message-
> From: David Prall [mailto:d...@dcptech.com]
> Sent: Tuesday, June 22, 2010 10:14 PM
> To: bha Qaqish; 'Jeff Wojciechowski'; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] VTY PROBLEM
> 
> Should be "clear line 3"
> 
> David
> 
> --
> http://dcp.dcptech.com
> 
> 
> > -Original Message-
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> > boun...@puck.nether.net] On Behalf Of bha Qaqish
> > Sent: Tuesday, June 22, 2010 2:48 PM
> > To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] VTY PROBLEM
> >
> > Yes
> > I can see the session in this command , and when I make the clear
> line
> > vty 3 for example , its not cleared. It still exist in the show
> > command
> >
> > Eng. Bha Qaqish
> >
> >
> > -Original Message-
> > From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com]
> > Sent: Tuesday, June 22, 2010 9:44 PM
> > To: bha Qaqish; cisco-nsp@puck.nether.net
> > Subject: RE: VTY PROBLEM
> >
> > Can you see the session using show line and then clear line X (where
> X=
> > line number of stuck VTY session)?
> >
> > -Jeff
> >
> > -Original Message-
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> > boun...@puck.nether.net] On Behalf Of bha Qaqish
> > Sent: Tuesday, June 22, 2010 1:27 PM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] VTY PROBLEM
> >
> >
> >
> >
> >
> > Dear
> > I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet
> vty
> > sessions that stuck , I can not clear it , its stuck for 70 weeks , I
> > can not restart the router cause we are an ISP, so how could I clear
> > the sessions , I have a --- exec-timeout 60 0 --- on the vty.
> > Please help ASAP
> >
> >
> > BR
> >
> >
> > Eng. Bha Qaqish


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish
It's the same , not cleared

Eng. Bha Qaqish
 



-Original Message-
From: David Prall [mailto:d...@dcptech.com] 
Sent: Tuesday, June 22, 2010 10:14 PM
To: bha Qaqish; 'Jeff Wojciechowski'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] VTY PROBLEM

Should be "clear line 3"

David

--
http://dcp.dcptech.com


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of bha Qaqish
> Sent: Tuesday, June 22, 2010 2:48 PM
> To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] VTY PROBLEM
> 
> Yes
> I can see the session in this command , and when I make the clear line
> vty 3 for example , its not cleared. It still exist in the show
> command
> 
> Eng. Bha Qaqish
> 
> 
> -Original Message-
> From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com]
> Sent: Tuesday, June 22, 2010 9:44 PM
> To: bha Qaqish; cisco-nsp@puck.nether.net
> Subject: RE: VTY PROBLEM
> 
> Can you see the session using show line and then clear line X (where X=
> line number of stuck VTY session)?
> 
> -Jeff
> 
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of bha Qaqish
> Sent: Tuesday, June 22, 2010 1:27 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] VTY PROBLEM
> 
> 
> 
> 
> 
> Dear
> I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty
> sessions that stuck , I can not clear it , its stuck for 70 weeks , I
> can not restart the router cause we are an ISP, so how could I clear
> the sessions , I have a --- exec-timeout 60 0 --- on the vty.
> Please help ASAP
> 
> 
> BR
> 
> 
> Eng. Bha Qaqish


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread David Prall
Should be "clear line 3"

David

--
http://dcp.dcptech.com


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of bha Qaqish
> Sent: Tuesday, June 22, 2010 2:48 PM
> To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] VTY PROBLEM
> 
> Yes
> I can see the session in this command , and when I make the clear line
> vty 3 for example , its not cleared. It still exist in the show
> command
> 
> Eng. Bha Qaqish
> 
> 
> -Original Message-
> From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com]
> Sent: Tuesday, June 22, 2010 9:44 PM
> To: bha Qaqish; cisco-nsp@puck.nether.net
> Subject: RE: VTY PROBLEM
> 
> Can you see the session using show line and then clear line X (where X=
> line number of stuck VTY session)?
> 
> -Jeff
> 
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of bha Qaqish
> Sent: Tuesday, June 22, 2010 1:27 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] VTY PROBLEM
> 
> 
> 
> 
> 
> Dear
> I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty
> sessions that stuck , I can not clear it , its stuck for 70 weeks , I
> can not restart the router cause we are an ISP, so how could I clear
> the sessions , I have a --- exec-timeout 60 0 --- on the vty.
> Please help ASAP
> 
> 
> BR
> 
> 
> Eng. Bha Qaqish


Re: [c-nsp] Console problems

2010-06-22 Thread Richey
I got to the root of the problem yesterday.  Someone had borrowed my
USB/Serial adaptor to connect to what they thought was a serial
port on a power supply.  That port was not a serial port and had power on
certain pins, which damaged the adaptor.  I was able to see messages coming
from the router but I could not send anything to it.  The LEDs on the
device indicated that I was transmitting and receiving.  I guess the LEDs come
before whatever component broke.

 

Richey

 

From: Anh Khoa Le Viet [mailto:lvak...@gmail.com] 
Sent: Monday, June 21, 2010 12:22 PM
To: Richey
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Console problems

 

what is the terminal you are using? Try with other Terminals like putty,
hyperTerminal ... sometimes I faced the same issue with Cisco APs and
switched to HyperTerminal then everything was working fine.

Regards,
Khoa

On Thu, Jun 17, 2010 at 10:04 AM, Richey  wrote:

I can't seem to come up with the right keyword combination to google this.
I've got a 7206VXR with an NPE-400 and an I/O 2FE/E card.  Using a Belkin
USB to Serial adaptor I can watch the router boot and get to the Press
Return to get Started prompt.  After I hit return the interfaces go up and
then admin down.  After that I can't get anything out of the console.   I
can insert and remove a DS3 card and I will see a message saying the card
was inserted and removed but I can't interact with the box.   I've connected
to a 3550 I have laying here and I am able to get a console session going
with it. Does anyone have any ideas on this one?   Everything I am
googling relates to the router crashing or hanging which this one does not
seem to do.

Richey



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread David Prall
Exec-timeout is actively sending information on the vty so the 60 minute
timer is not kicking in it would appear. Do you have "service
tcp-keepalives-in" and "service tcp-keepalives-out" configured? This will
disconnect a session that isn't doing keepalives anymore. Of course it would
have to have been configured prior to the current session.

Sh line, then clear X where it is the VTY number, should clear it.

David

--
http://dcp.dcptech.com


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Jeff Wojciechowski
> Sent: Tuesday, June 22, 2010 2:44 PM
> To: bha Qaqish; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] VTY PROBLEM
> 
> Can you see the session using show line and then clear line X (where X=
> line number of stuck VTY session)?
> 
> -Jeff
> 
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of bha Qaqish
> Sent: Tuesday, June 22, 2010 1:27 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] VTY PROBLEM
> 
> 
> 
> 
> 
> Dear
> I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty
> sessions that stuck, I can not clear it, it's stuck for 70 weeks, I
> can not restart the router cause we are an ISP, so how could I clear
> the sessions, I have a --- exec-timeout 60 0 --- on the vty.
> Please help ASAP
> 
> 
> BR
> 
> 
> Eng. Bha Qaqish


Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Jeff Wojciechowski
Per Justin's reply I would also agree that it's time to schedule some downtime 
so you can reload... or contact TAC... or they may tell you the same thing.

-Jeff
-Original Message-
From: bha Qaqish [mailto:bha.qaq...@nitc.gov.jo] 
Sent: Tuesday, June 22, 2010 2:06 PM
To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
Subject: RE: VTY PROBLEM

I made debug telnet, and there is nothing wrong. When I enable the debug and 
clear the line vty, the session still exists.


Eng. Bha Qaqish
 




Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish
I made debug telnet, and there is nothing wrong.
When I enable the debug and clear the line vty, the session still exists.


Eng. Bha Qaqish
 


-Original Message-
From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com] 
Sent: Tuesday, June 22, 2010 9:52 PM
To: bha Qaqish
Subject: RE: VTY PROBLEM

Anything in the system log that you can Google?

Perhaps try "debug telnet" and then try and clear the session again?

-Jeff



-Original Message-
From: bha Qaqish [mailto:bha.qaq...@nitc.gov.jo] 
Sent: Tuesday, June 22, 2010 1:48 PM
To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
Subject: RE: VTY PROBLEM

Yes 
I can see the session in this command, and when I make the clear line vty 3 
for example, it's not cleared. It still exists in the show command

Eng. Bha Qaqish
 

-Original Message-
From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com] 
Sent: Tuesday, June 22, 2010 9:44 PM
To: bha Qaqish; cisco-nsp@puck.nether.net
Subject: RE: VTY PROBLEM

Can you see the session using show line and then clear line X (where X= line 
number of stuck VTY session)?

-Jeff

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bha Qaqish
Sent: Tuesday, June 22, 2010 1:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VTY PROBLEM





Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I can not 
restart the router cause we are an ISP, so how could I clear the sessions, I 
have a --- exec-timeout 60 0 --- on the vty. 
Please help ASAP


BR


Eng. Bha Qaqish
 
 
 
 
 
 



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish
I will check tomorrow and I will inform you
Eng. Bha Qaqish   

Eng. Bha Qaqish
 

-Original Message-
From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com] 
Sent: Tuesday, June 22, 2010 9:52 PM
To: bha Qaqish
Subject: RE: VTY PROBLEM

Anything in the system log that you can Google?

Perhaps try "debug telnet" and then try and clear the session again?

-Jeff



-Original Message-
From: bha Qaqish [mailto:bha.qaq...@nitc.gov.jo] 
Sent: Tuesday, June 22, 2010 1:48 PM
To: Jeff Wojciechowski; cisco-nsp@puck.nether.net
Subject: RE: VTY PROBLEM

Yes 
I can see the session in this command, and when I make the clear line vty 3 
for example, it's not cleared. It still exists in the show command

Eng. Bha Qaqish
 

-Original Message-
From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com] 
Sent: Tuesday, June 22, 2010 9:44 PM
To: bha Qaqish; cisco-nsp@puck.nether.net
Subject: RE: VTY PROBLEM

Can you see the session using show line and then clear line X (where X= line 
number of stuck VTY session)?

-Jeff

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bha Qaqish
Sent: Tuesday, June 22, 2010 1:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VTY PROBLEM





Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I can not 
restart the router cause we are an ISP, so how could I clear the sessions, I 
have a --- exec-timeout 60 0 --- on the vty. 
Please help ASAP


BR


Eng. Bha Qaqish
 
 
 
 
 
 



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Joseph Karpenko
you can also use "clear tcp tcb " (obtained from the
output of the "show tcp brief" command) to clear the socket or
SNMP[1] to clear hung connections.  ;)

[1] 



regards,

-- 

/karpenko

[*] on 2010.06.22-14:50:41 -0400, Justin M. Streiner
 wrote:
> On Tue, 22 Jun 2010, bha Qaqish wrote:
> 
>> I have a 7206 VXR WITH npeg2, there is a problem, there is a
>> telnet vty sessions that stuck, I can not clear it, it's stuck
>> for 70 weeks, I can not restart the router cause we are an
>> ISP, so how could I clear the sessions, I have a ---
>> exec-timeout 60 0 --- on the vty.
> 
> If a "clear line vty X", where X is the stuck VTY, does not
> work, your best and cleanest option will be to reload the
> router.  Can you still log into the router, but one VTY is
> stuck, or can you no longer log in, except on the console?
> 
> Sometimes things like this happen because of code bugs, resource
> exhaustion, etc, so taking a 5-10 minute outage to reboot the
> router might not be a bad idea, and a much better idea than
> letting the router crash on its own.  That might also be a good
> opportunity to determine if your router should be running a more
> recent IOS image to address code bugs, security vulnerabilities,
> etc.
> 
> Getting slightly off topic, most ISPs have provisions in their
> service agreements to do normal maintenance as needed, or at
> least during scheduled maintenance windows.
> 
> jms
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
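
The "show tcp brief" to "clear tcp tcb" lookup suggested in the message above, as an added Python example that is not part of the original thread. The sample output is constructed, the function names are hypothetical, and the parser assumes the usual four-column IOS layout with IPv4 or hostname endpoints whose port follows the last dot.

```python
import re
from typing import List, NamedTuple, Optional, Sequence

# Constructed sample of "show tcp brief" output (documentation addresses only).
SAMPLE_SHOW_TCP_BRIEF = """\
Router#show tcp brief
TCB       Local Address               Foreign Address             (state)
63A0C1B4  192.0.2.1.23                198.51.100.7.49213          ESTAB
63A0D5F8  192.0.2.1.179               192.0.2.2.11002             ESTAB
63A0E77C  192.0.2.1.23                203.0.113.44.1055           CLOSEWAIT
63A0F010  192.0.2.1.22                198.51.100.9.53122          ESTAB
"""


class TcpConn(NamedTuple):
    tcb: str
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: int
    state: str


# A data row is: hex TCB address, local endpoint, foreign endpoint, state.
ROW = re.compile(r"^([0-9A-Fa-f]{6,16})\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_endpoint(endpoint: str):
    """Split 'host.port' on the last dot; the host part may itself contain dots."""
    host, _, port = endpoint.rpartition(".")
    if not host or not port.isdigit():
        raise ValueError(f"not a host.port endpoint: {endpoint!r}")
    return host, int(port)


def parse_show_tcp_brief(text: str) -> List[TcpConn]:
    """Return one TcpConn per data row; header, prompt and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        tcb, local, foreign, state = match.groups()
        try:
            local_host, local_port = split_endpoint(local)
            foreign_host, foreign_port = split_endpoint(foreign)
        except ValueError:
            continue  # unexpected endpoint format, leave it for manual review
        conns.append(TcpConn(tcb.upper(), local_host, local_port,
                             foreign_host, foreign_port, state))
    return conns


def vty_candidates(conns: Sequence[TcpConn],
                   mgmt_ports: Sequence[int] = (22, 23),
                   foreign_host: Optional[str] = None) -> List[TcpConn]:
    """Keep only sessions terminating on the router's own telnet/SSH ports.

    Filtering on the local port keeps BGP (179) and other control-plane
    sessions out of the result, so they can never end up in a clear command.
    """
    picked = [c for c in conns if c.local_port in mgmt_ports]
    if foreign_host is not None:
        picked = [c for c in picked if c.foreign_host == foreign_host]
    return picked


def clear_commands(conns: Sequence[TcpConn]) -> List[str]:
    """Render the exec commands for an operator to review and paste."""
    return [f"clear tcp tcb {c.tcb}" for c in conns]


if __name__ == "__main__":
    parsed = parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF)
    # Foreign host of the stuck session, as seen in "show line" / "show users".
    for conn in vty_candidates(parsed, foreign_host="203.0.113.44"):
        print(conn.state, clear_commands([conn])[0])
```

The script only prints commands; pass the remote host of the stuck session so that live management sessions are not cleared along with it.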


[c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish



Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I can not 
restart the router cause we are an ISP, so how could I clear the sessions, I 
have a --- exec-timeout 60 0 --- on the vty. 
Please help ASAP


BR


Eng. Bha Qaqish
 
 Network Engineer
 
 
 
 
 



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish
Yes 
I can see the session in this command, and when I make the clear line vty 3 
for example, it's not cleared. It still exists in the show command

Eng. Bha Qaqish
 

-Original Message-
From: Jeff Wojciechowski [mailto:jeff.wojciechow...@midlandpaper.com] 
Sent: Tuesday, June 22, 2010 9:44 PM
To: bha Qaqish; cisco-nsp@puck.nether.net
Subject: RE: VTY PROBLEM

Can you see the session using show line and then clear line X (where X= line 
number of stuck VTY session)?

-Jeff

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bha Qaqish
Sent: Tuesday, June 22, 2010 1:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VTY PROBLEM





Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I can not 
restart the router cause we are an ISP, so how could I clear the sessions, I 
have a --- exec-timeout 60 0 --- on the vty. 
Please help ASAP


BR


Eng. Bha Qaqish
 
 
 
 
 
 



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Jeff Wojciechowski
Can you see the session using show line and then clear line X (where X= line 
number of stuck VTY session)?

-Jeff

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of bha Qaqish
Sent: Tuesday, June 22, 2010 1:27 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VTY PROBLEM





Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I can not 
restart the router cause we are an ISP, so how could I clear the sessions, I 
have a --- exec-timeout 60 0 --- on the vty. 
Please help ASAP


BR


Eng. Bha Qaqish
 
 
 
 
 
 



Re: [c-nsp] VTY PROBLEM

2010-06-22 Thread Justin M. Streiner

On Tue, 22 Jun 2010, bha Qaqish wrote:

I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I 
can not restart the router cause we are an ISP, so how could I clear the 
sessions, I have a --- exec-timeout 60 0 --- on the vty.


If a "clear line vty X", where X is the stuck VTY, does not work, your 
best and cleanest option will be to reload the router.  Can you still log 
into the router, but one VTY is stuck, or can you no longer log in, except 
on the console?


Sometimes things like this happen because of code bugs, resource 
exhaustion, etc, so taking a 5-10 minute outage to reboot the router 
might not be a bad idea, and a much better idea than letting the router 
crash on its own.  That might also be a good opportunity to determine if 
your router should be running a more recent IOS image to address code 
bugs, security vulnerabilities, etc.


Getting slightly off topic, most ISPs have provisions in their service 
agreements to do normal maintenance as needed, or at least during 
scheduled maintenance windows.


jms


[c-nsp] 6509-E connection issue

2010-06-22 Thread Renelson Panosky
I have a Cisco 6509 connected to a Cisco 3845 gi0/0 and a Tadiran machine
connected to port gi7/47 - 48 on the 6509-E


3845 configuration
interface GigabitEthernet0/0.440
 encapsulation dot1Q 440
 ip address 10.221.254.62 255.255.255.248
 no snmp trap link-status


Eigrp statement
 network 10.221.254.56 0.0.0.7


6509-E  port config

interface GigabitEthernet5/9
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 436
 switchport trunk allowed vlan 436-441
 switchport mode trunk


interface GigabitEthernet7/47
 description TADIRAN Maintenance Port
 switchport
 switchport access vlan 440
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet7/48
 description Tadiran_IP_Uplink_VLAN440
 switchport
 switchport access vlan 440
 switchport mode access
 spanning-tree portfast

Now I can ping 10.221.254.62
and 10.221.254.56


[c-nsp] VTY PROBLEM

2010-06-22 Thread bha Qaqish




Dear
I have a 7206 VXR WITH npeg2, there is a problem, there is a telnet vty 
sessions that stuck, I can not clear it, it's stuck for 70 weeks, I can not 
restart the router cause we are an ISP, so how could I clear the sessions, I 
have a --- exec-timeout 60 0 --- on the vty. 
Please help ASAP


BR


Eng. Bha Qaqish
 
 
 
 
 
 



Re: [c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Asbjorn Hojmark - Lists
On Tue, 22 Jun 2010 12:50:30 -0400 (EDT), you wrote:

>> "OSPF for Routed Access supports only one OSPFv2 and one OSPFv3
>> instance with a maximum number of 200 dynamically learned routes".

> So, what would you do with that?  Put each "OSPF for Routed Access"
> switch in its own NSSA area uplinked to a more capable ASBR, using
> OSPF to advertise customer routes, but learning nothing but a default?

This is really meant for L3 in the wiring closet, not SP stuff, where
you'd likely want to run customer routes in BGP. But yes, put it in a
totally (not so) stubby area to make sure it'll learn no more than 200
routes. 

> BTW...is there really a 3650 switch, or is that just a very common typo 
> for 3560?  It's even in some cisco documents.

It's a common typo.

-A



Re: [c-nsp] 3750X?

2010-06-22 Thread Nick Hilliard
On 22/06/2010 16:16, Adrian Minta wrote:
> Googling for SFP+ ZR (80Km) reveals more and more results. Perhaps some
> of them are real, perhaps C knows something here.

But none with prices and availability.  Once you get your hands on an 80km
sfp+ transceiver, please let me know! :-)

Nick


Re: [c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Geoffrey Pendery
We're told this was added to 4500/Sup6E IP Base as well, and we're
very interested in that.
Anyone out there running it, or can comment on it?

-Geoff

On Tue, Jun 22, 2010 at 9:55 AM, Brandon Ewing  wrote:
> Greetings,
>
> Just spotted a feature called "OSPF for Routed Access" in the 6500 SXI4
> release notes, which seems to indicate that single-area OSPF support is
> coming to IP Base IOS images.  I wasn't able to find any information
> regarding this feature in the 3750/3650 release notes for 12.2.(53)SE --
> does anyone know if the feature is coming in the next release?  It'd be very
> desirable to be able to do simple OSPF without upgrading to the IP Services
> license.
>
>
> --
> Brandon Ewing                                        (nicot...@warningg.com)
>


Re: [c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Jon Lewis

On Tue, 22 Jun 2010, Asbjorn Hojmark - Lists wrote:


"OSPF for Routed Access" is not limited to a single area. You can find
the limitations in e.g. the Catalyst 4500 Release Notes (Sup6 only):
"OSPF for Routed Access supports only one OSPFv2 and one OSPFv3
instance with a maximum number of 200 dynamically learned routes".


So, what would you do with that?  Put each "OSPF for Routed Access" switch 
in its own NSSA area uplinked to a more capable ASBR, using OSPF to 
advertise customer routes, but learning nothing but a default?


BTW...is there really a 3650 switch, or is that just a very common typo 
for 3560?  It's even in some cisco documents.


http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_37_se/configuration/guide/swintro.html
 Catalyst 3750-E and 3560-E Switch Software Configuration Guide, 12.2(37)SE

 The examples also apply to the Catalyst 3650-E switch. In the previous
 example, the specified interface on a Catalyst 3560-E switch is
 gigabitethernet0/5 (without the stack member number of 1/).


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] Why doesn't this IPv6 ACL work?

2010-06-22 Thread Seth Mattinen
On 6/22/10 1:16 AM, Phil Mayers wrote:
> 
> If I read it correctly, the problem was when applying the ACL to an
> interface, not defining the ACL?

Yes, correct. It will accept entries into the ACL that I know to be
unsupported such as "2620:0:950:beef::a" but it waits to throw the error
when you try to apply it to the interface. What I find frustrating is
that it will apply EUI-64 entries beginning with 2620:0:950 but not
2607:fe70. That has to be a bug.

~Seth


Re: [c-nsp] MPLS best practices question

2010-06-22 Thread Mark Tinka
On Tuesday 22 June 2010 10:49:34 pm 
cisco...@secureobscure.com wrote:

> 1)   IGP LDP Sync. I am really looking for some
>  direction as to where it makes sense or not to use. The
>  same is also true for the IGP LDP startup delay timers.

We don't use it - we instead use IETF Graceful Restart for 
LDP and IS-IS.

> 2)   OSPF timers or BFD? Currently my approach has
>  been ospf timers of 1/4, it's fast and seems pretty
>  compatible with everything I have tried it on. All of my
>  links are direct between routed ports so there are no
>  intermediate devices that would keep a link lit after
>  equipment failure. I know BFD makes sense but some of my
>  code is old and linecards are flakey so I'm curious to
>  know who has ditched low timers for BFD or vice versa.

We run BFD for IS-IS.

It's unstable on the NPE-G1, but works great on the NPE-G2, 
but can have false negatives when CPU utilization goes up 
(software routers).

We've seen more stable performance of BFD on hardware-based 
platforms (of course).

> 3)   OSPF costing, automatic bandwidth-based or
>  manual costing of PE-P and P-P links? I have seen both
>  used in production before, I do have 10gig interfaces
>  and 40gig port-channels so I would need to alter the
>  ospf reference bandwidth if auto-costing.

We do manual costing of the IGP, with a self-imposed 
reference bandwidth of 1Tbps.

> 4)   MTU on p2p gigabit ethernet links. Currently I
>  have stolen another list member's MTU settings using 1530
>  for global & mpls MTU, and 1524 as IP MTU on all PE-P
>  and P-P interfaces. I don't have any jumbo frame
>  requirements, but do have upstream providers that may
>  not support jumbo so I'm trying to keep the MTU fairly
>  low.

We run 9,000 bytes on all core links.

We run 1,500 bytes on peering links.

Advice here would be to run with the worst MTU value in your 
network.

> 5)   Other knobs and tweaks? I'm usually a
>  minimalist, I go forward with the default settings and
>  test, then alter as little as I need to meet any special
>  needs. With that in mind, I do expect to find things
>  that are necessary to modify but really would like to
>  see wide adoption or clear requirements in doing so.

Same.

It is not uncommon to find that long-and-winded ways we've 
implemented features have now been made possible by a single 
command. In such scenarios, consider making your life easier 
after testing the command still achieves the same goal.

There's a lot of knobs in the IGP's, and in most cases, you 
don't need tons of them. Generally, if you're not sure 
whether a feature helps you, you probably don't need it.

Cheers,

Mark.



Re: [c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Asbjorn Hojmark - Lists
On Tue, 22 Jun 2010 09:55:41 -0500, you wrote:

> Just spotted a feature called "OSPF for Routed Access" in the 6500 SXI4
> release notes, which seems to indicate that single-area OSPF support is
> coming to IP Base IOS images.

"OSPF for Routed Access" is not limited to a single area. You can find
the limitations in e.g. the Catalyst 4500 Release Notes (Sup6 only):
"OSPF for Routed Access supports only one OSPFv2 and one OSPFv3
instance with a maximum number of 200 dynamically learned routes".

(http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_5184.html)

> I wasn't able to find any information regarding this feature in the
> 3750/3650 release notes for 12.2.(53)SE --

OSPF for Routed Access is not (yet) supported for those switches.
Contact your account team for more information.

-A



Re: [c-nsp] mpls ip -> lost packets

2010-06-22 Thread Phil Mayers

On 22/06/10 15:44, Peter Rathlev wrote:


The only problems I could think of regarding label allocation would
affect all traffic, not just drop things randomly.



If the label allocation has failed or been mis-programmed for some 
reason (e.g. you're running SXI ;o) then it could be punting to CPU, and 
various CPU rate limiters, CoPP or just plain insufficient CPU could 
cause sporadic drops.


We've seen things like this.

Having said that, I don't fully understand the OP's setup or aims, but I 
can certainly see ways that label allocation can cause odd drops.



Re: [c-nsp] mpls ip -> lost packets

2010-06-22 Thread Jeff Bacon
> On Tue, 2010-06-22 at 07:37 -0500, Jeff Bacon wrote:
> > It's packets that are being NATted by dev B. Anything else is fine,
> > labeled or unlabeled. (The NAT is in the global domain, edge handoff
> > to a vendor, so they are all egress points from the mpls mesh.)
> 
> Another shot in the dark: Could it be something about flow masks and
> some combination of NAT and MPLS making the NAT translations not work?

Yeah, that's come up - show fm fie shows no conflicts, but I've had some issues 
with NAT sessions before dropping due to having reflexive ACLs, mcast 
boundaries, and NAT all configured on the same switch (according to cisco L3, 
"pick any two" - supposedly it should be per-interface but it's really per 
PFC), though I could never pin it down.

> Or do all TCP sessions actually come up, and are the drops only
> intermittent?

I lose about 1 in 8-10 packets. The connection comes up and stays up, but it's 
just incredibly slow. 


> You can see that in the LFIB, i.e. "show mpls forwarding-table". If this
> link is the only MPLS link in the network the traffic should be
> untagged because of PHP.

It's the only link between dev A and dev B. dev B (which has the vendor 
connections w/NAT) has another inbound MPLS link, and dev A has a lot of other 
routes, so dev A has to publish labels for those. I need to look more closely 
at it later. 

(Basically I can only work on it after 5PM; I take down mpls during the prod 
day, and setting up a test environment that simulates what's going on is more 
work than just working on it after hours and then resetting the configs from 
RANCID.)

> > I think I understand _why_ it's doing it - the summary route isn't a
> > true summary, it's a static /16 on dev A, so it's redisted into EIGRP,
> > so it gets a label. With a bit of work I can change this structure and
> > advertise a /16 via EIGRP into dev A.
> 
> The only problems I could think of regarding label allocation would
> affect all traffic, not just drop things randomly.

I know. It's just ... weird. 



Re: [c-nsp] 3750X?

2010-06-22 Thread Adrian Minta

On 06/22/10 10:24, Marian Ďurkovič wrote:


ME-3800X datasheet appeared in between. It says 256 MB of buffering, which
sounds good.

However, the 10GE uplink options look like a bad joke - SR, LR, LRM and copper?!
Is this datacenter-oriented box or have service providers switched to multimode
&  copper during last months?

Please don't tell me there wasn't enough space for XFP cages, which would have
given us full choice between LR/ER/ZR/DWDM optics. Pushing SFP+ into this market
is complete ignorance of SP needs.

M.
   
Googling for SFP+ ZR (80Km) reveals more and more results. Perhaps some 
of them are real, perhaps C knows something here.




[c-nsp] OSPF for Routed Access -- OSPF in IP Base on 3650/3750?

2010-06-22 Thread Brandon Ewing
Greetings,

Just spotted a feature called "OSPF for Routed Access" in the 6500 SXI4
release notes, which seems to indicate that single-area OSPF support is
coming to IP Base IOS images.  I wasn't able to find any information
regarding this feature in the 3750/3650 release notes for 12.2.(53)SE --
does anyone know if the feature is coming in the next release?  It'd be very
desirable to be able to do simple OSPF without upgrading to the IP Services
license.


-- 
Brandon Ewing(nicot...@warningg.com)



[c-nsp] MPLS best practices question

2010-06-22 Thread cisconsp
Good morning everyone,

 

If I may have a moment of your time, I'm approaching a small MPLS deployment
(L3 VPN functionality only, no TE or L2VPN) on existing infrastructure
primarily 6500's & ASR1k's and would very much like the opinion of the list
on some best practices. There are several technologies that I'm trying to
determine the appropriateness to activate or tune and I'm scared to blindly
enable them without a good reason to do so as I haven't seen some of them
used in a production environment before.

 

1)   IGP LDP Sync. I am really looking for some direction as to where it
makes sense or not to use. The same is also true for the IGP LDP startup
delay timers. 

 

2)   OSPF timers or BFD? Currently my approach has been ospf timers of
1/4, it's fast and seems pretty compatible with everything I have tried it
on. All of my links are direct between routed ports so there are no
intermediate devices that would keep a link lit after equipment failure. I
know BFD makes sense but some of my code is old and linecards are flakey so
I'm curious to know who has ditched low timers for BFD or vice versa. 

 

3)   OSPF costing, automatic bandwidth-based or manual costing of PE-P
and P-P links? I have seen both used in production before, I do have 10gig
interfaces and 40gig port-channels so I would need to alter the ospf
reference bandwidth if auto-costing.

 

4)   MTU on p2p gigabit ethernet links. Currently I have stolen another
list member's MTU settings using 1530 for global & mpls MTU, and 1524 as IP
MTU on all PE-P and P-P interfaces. I don't have any jumbo frame
requirements, but do have upstream providers that may not support jumbo so
I'm trying to keep the MTU fairly low.

 

5)   Other knobs and tweaks? I'm usually a minimalist, I go forward with
the default settings and test, then alter as little as I need to meet any
special needs. With that in mind, I do expect to find things that are
necessary to modify but really would like to see wide adoption or clear
requirements in doing so.

 

Thank you for your time, please feel free to share anything off list if you
don't want to disclose it to the general public. I really value the opinions
that list members have provided thus far,

 

John

 



Re: [c-nsp] mpls ip -> lost packets

2010-06-22 Thread Peter Rathlev
On Tue, 2010-06-22 at 07:37 -0500, Jeff Bacon wrote:
> It's packets that are being NATted by dev B. Anything else is fine,
> labeled or unlabeled. (The NAT is in the global domain, edge handoff
> to a vendor, so they are all egress points from the mpls mesh.) 

Another shot in the dark: Could it be something about flow masks and
some combination of NAT and MPLS making the NAT translations not work?

Or do all TCP sessions actually come up, and are the drops only
intermittent?

> One can argue, based on my imperfect reading of Luc De Ghein's book,
> that the above-mentioned traffic in tag 275 really shouldn't be
> encapsulated at all - since dev A is the egress LSR, dev B would be
> the penultimate and should be popping the label (indeed it shouldn't
> be labeled at all, I suppose). 

You can see that in the LFIB, i.e. "show mpls forwarding-table". If this
link is the only MPLS link in the network the traffic should be untagged
because of PHP.

> I think I understand _why_ it's doing it - the summary route isn't a
> true summary, it's a static /16 on dev A, so it's redisted into EIGRP,
> so it gets a label. With a bit of work I can change this structure and
> advertise a /16 via EIGRP into dev A. 

The only problems I could think of regarding label allocation would
affect all traffic, not just drop things randomly.

-- 
Peter




Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Andriy Bilous
After a couple of fights we gave up using non-ASCII characters. Even when
IOS has no problems with representation, every single piece of management
software has its own special way at showing them.

If you think that underscore is the safe way to work around space characters
parsing then you're wrong.

R6#sh run | sec traffic
ip traffic-export profile test1
  interface FastEthernet0/0
  mac-address ..0001
ip traffic-export profile test_2
  interface FastEthernet0/1
  mac-address ..0001

R6#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#no ip traffic-export profile test1
R6(config)#no ip traffic-export profile test_2
%Cannot Delete the profile.Another Session may be
using the profile. Exit from profile

R6(config)#^Z
R6#sh run | i traffic
ip traffic-export profile test_2

test_2 isn't applied to any interface. The only way to erase this line is
replacing startup-config without it and reload.

R6#sh ver | i Soft
Cisco IOS Software, 2801 Software (C2801-ADVIPSERVICESK9-M), Version
12.4(24)T1, RELEASE SOFTWARE (fc3)


On Tue, Jun 22, 2010 at 2:28 PM, LM  wrote:

> Few problems also with letters like á é í ó ó and Spanish ones like ñ
> To avoid problems with spaces we used here the typical underscore _
> A classic issue
>
> On 21/06/10 19:20, Rodney Dunn wrote:
>
>  So we do "care". ;)
>>
>> Seriously, something like that that doesn't parse on reload is a bug.
>>
>> Rodney
>>
>>
>>
>> On 6/21/10 10:46 AM, Phil Mayers wrote:
>>
>>> On 21/06/10 15:10, Rodney Dunn wrote:
>>>
>>>> Can someone demonstrate exactly what is being entered?
>>>>
>>>> I've seen some of these similar bugs fixed.
>>>>
>>>
>>> Interesting. The vlan name one (long-standing irritation of mine) is
>>> fixed as of at least 12.2(33)SXI4:
>>>
>>> core-spare#conf t
>>> Enter configuration commands, one per line. End with ...
>>> core-spare(config)#vlan 999
>>> core-spare(config-vlan)#name test vlan
>>> ^
>>> % Invalid input detected at '^' marker.
>>>
>>> core-spare(config-vlan)#name "test vlan"
>>> core-spare(config-vlan)#^Z
>>> % Applying VLAN changes may take few minutes. Please w
>>>
>>> core-spare#sh run vlan 999
>>> Building configuration...
>>>
>>> Current configuration:
>>> !
>>> vlan 999
>>> name "test vlan"
>>> end
>>>
>>>
>>> It *used* to nvgen, under e.g. 12.2(18)SXF (6, I think):
>>>
>>> vlan 999
>>> name test vlan
>>> end
>>>
>>> ...which obviously failed to parse on reload. It's good that it's fixed.
>>> The "ip route name" seems to be fixed in that release too, though that's
>>> not a feature we use:
>>>
>>> core-spare#sh run partition ip-static-routes
>>> Building configuration...
>>>
>>> Current configuration : 116 bytes
>>> !
>>> Configuration of Partition - ip-static-routes
>>> !
>>> !
>>> ip route 1.2.3.4 255.255.255.255 Null0 name "foo bar"


Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Jared Mauch

On Jun 22, 2010, at 8:42 AM, Gert Doering wrote:

> Hi,
> 
> On Tue, Jun 22, 2010 at 08:03:22AM -0400, Jared Mauch wrote:
>> The bug is CSCth43783. The control plane comes up but the data plane is not 
>> forwarded properly. The mls appears to be populated as drop.
>> 
>> Once it's resolved we are going to ask for sxi4a to be built.
> 
> Thanks for the heads up.  So we're postponing our long-awaited update to SXI4.
> 
> *grumble*.

Test it, it may work for you.  In our case it's a SXF16-SXI4 EoMPLS setup where 
we saw the issue.

- Jared


Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Gert Doering
Hi,

On Tue, Jun 22, 2010 at 08:03:22AM -0400, Jared Mauch wrote:
> The bug is CSCth43783. The control plane comes up but the data plane is not 
> forwarded properly. The mls appears to be populated as drop.
> 
> Once it's resolved we are going to ask for sxi4a to be built.

Thanks for the heads up.  So we're postponing our long-awaited update to SXI4.

*grumble*.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] mpls ip -> lost packets

2010-06-22 Thread Jeff Bacon
> You have "mpls ip" on both ends, right? Not that it should disrupt
> traffic like this though.

Doesn't work otherwise. :)

> > Shortly thereafter, TCP connections from clients off device B to vendor
> > off device A running via VLAN 300 started dropping packets. Not
> > consistently, but in bursts every few seconds.
> Does the switch say anything about drops? E.g. "show queueing interface
> GiX/Y" and "show interface GiX/Y | incl drop" on the physical interface
> carrying VLAN 300.

Nada. Switch reports clean. 

> Is there any system in the drops? Only large packets? Or grouped
> drops?

It's packets that are being NATted by dev B. Anything else is fine, labeled or 
unlabeled. (The NAT is in the global domain, edge handoff to a vendor, so they 
are all egress points from the mpls mesh.) 


From doing a bunch of SPAN sessions and sniffing, it appears that it is device 
B (the sup32) that is doing the dropping. It's hard to be entirely sure 
because it's hard to pull it out of the tcpdumps on the WAN link - all of the 
traffic flow out of dev B to dev A is mpls-encapsulated tag 275 (tag is 
associated with a summarizing /16 static route on dev A pointing out an L3 
portchannel into the datacenter core), and tcpdump will filter on tags but 
tags-then-contents... not mastered that yet. 

One can argue, based on my imperfect reading of Luc De Ghein's book, that the 
above-mentioned traffic in tag 275 really shouldn't be encapsulated at all - 
since dev A is the egress LSR, dev B would be the penultimate and should be 
popping the label (indeed it shouldn't be labeled at all, I suppose). 

I think I understand _why_ it's doing it - the summary route isn't a true 
summary, it's a static /16 on dev A, so it's redisted into EIGRP, so it gets a 
label. With a bit of work I can change this structure and advertise a /16 via 
EIGRP into dev A. 

Then same might be argued the other way - dev B is really the egress LSR for 
the NATted traffic, so dev A shouldn't even bother labeling it. 

Or am I misreading something? 

And why would it matter anyway?

(dev A and dev B are merely two hops of a larger mesh of 6500s, slowly having 
mpls implemented on them. I'm indifferent about whether the traffic between 
them is tagged or not; the point of the exercise is to be able to create TE 
paths and VPNs across a multi-hop fiber mesh. But the basics still have to 
work, too.) 



Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread LM

Few problems also with letters like á é í ó ó and Spanish ones like ñ
To avoid problems with spaces we used here the typical underscore _
A classic issue

On 21/06/10 19:20, Rodney Dunn wrote:

So we do "care". ;)

Seriously, something like that that doesn't parse on reload is a bug.

Rodney



On 6/21/10 10:46 AM, Phil Mayers wrote:

On 21/06/10 15:10, Rodney Dunn wrote:

Can someone demonstrate exactly what is being entered?

I've seen some of these similar bugs fixed.


Interesting. The vlan name one (long-standing irritation of mine) is
fixed as of at least 12.2(33)SXI4:

core-spare#conf t
Enter configuration commands, one per line. End with ...
core-spare(config)#vlan 999
core-spare(config-vlan)#name test vlan
^
% Invalid input detected at '^' marker.

core-spare(config-vlan)#name "test vlan"
core-spare(config-vlan)#^Z
% Applying VLAN changes may take few minutes. Please w

core-spare#sh run vlan 999
Building configuration...

Current configuration:
!
vlan 999
name "test vlan"
end


It *used* to nvgen, under e.g. 12.2(18)SXF (6, I think):

vlan 999
name test vlan
end

...which obviously failed to parse on reload. It's good that it's fixed.
The "ip route name" seems to be fixed in that release too, though that's
not a feature we use:

core-spare#sh run partition ip-static-routes
Building configuration...

Current configuration : 116 bytes
!
Configuration of Partition - ip-static-routes
!
!
ip route 1.2.3.4 255.255.255.255 Null0 name "foo bar"


Re: [c-nsp] mpls ip -> lost packets

2010-06-22 Thread Peter Rathlev
On Mon, 2010-06-21 at 11:58 -0500, Jeff Bacon wrote:
> All I did was set "mpls ip" and "mpls mtu 1500" on the relevant SVI
> interfaces.

You have "mpls ip" on both ends, right? Not that it should disrupt
traffic like this though.

> Shortly thereafter, TCP connections from clients off device B to vendor
> off device A running via VLAN 300 started dropping packets. Not
> consistently, but in bursts every few seconds. 

Does the switch say anything about drops? E.g. "show queueing interface
GiX/Y" and "show interface GiX/Y | incl drop" on the physical interface
carrying VLAN 300.

Is there any system in the drops? Only large packets? Or grouped drops?

-- 
Peter




Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Jared Mauch
The bug is CSCth43783. The control plane comes up but the data plane is not 
forwarded properly. The mls appears to be populated as drop.

Once it's resolved we are going to ask for sxi4a to be built.

Sent from my iThing

On Jun 22, 2010, at 2:47 AM, Phil Mayers  wrote:

> On 06/22/2010 06:48 AM, Gert Doering wrote:
>> Hi,
>> 
>> On Mon, Jun 21, 2010 at 02:11:38PM -0400, Jared Mauch wrote:
>>> Additionally, beware of SXI4 if you do martini-pseudowires, these appear
>>> to work in the control-plane, but data-plane may be one-way.
>> 
>> Uh.  What exactly are "martini" pseudowires?  (Sorry for the dumb question,
>> lost a bit track of all the variants).
> 
> EoMPLS IIRC. Which you (and we) are using :o(
> 
>> 
>> Since we're eager to install SXI4 to get the fix for the "STP-over-EoMPLS-
>> on-DFC3C-cards" bug, this statement worries me a bit :)
> 
> Likewise. Jared - do you have a bug ID?


Re: [c-nsp] How to find the root cause of packet loss

2010-06-22 Thread Peter Rathlev
On Tue, 2010-06-22 at 12:31 +0200, LM wrote:
> Is there any command inside the switch to determine a possible packet 
> loss?, more than the error counters under "sh int", I am curious about
> the ASIC values and buffer issues.

The 2970 has the "show platform pm if-numbers" and "show platform
port-asic stats drop asic " to give you that kind of information,
just like the 3560/3750.

The rest of this (long) mail is the output from a switch that
has dropped 12 frames on Gi0/1.

Switch#show platform pm if-numbers

interface gid  gpn  lpn  port slot unit slun port-type lpn-idb gpn-idb
-----------------------------------------------------------------------
Gi0/1     1    1    1    1/3  1    1    1    local     Yes     Yes
Gi0/2     2    2    2    1/2  1    2    2    local     Yes     Yes
Gi0/3     3    3    3    1/0  1    3    3    local     Yes     Yes
Gi0/4     4    4    4    1/1  1    4    4    local     Yes     Yes
Gi0/5     5    5    5    2/3  1    5    5    local     Yes     Yes
Gi0/6     6    6    6    2/2  1    6    6    local     Yes     Yes
Gi0/7     7    7    7    2/0  1    7    7    local     Yes     Yes
Gi0/8     8    8    8    2/1  1    8    8    local     Yes     Yes
Gi0/9     9    9    9    0/3  1    9    9    local     Yes     Yes
Gi0/10    10   10   10   0/2  1    10   10   local     Yes     Yes
Gi0/11    11   11   11   0/0  1    11   11   local     Yes     Yes
Gi0/12    12   12   12   0/1  1    12   12   local     Yes     Yes
Gi0/13    13   13   13   3/3  1    13   13   local     Yes     Yes
[...]

Switch#sh platform port-asic stats drop asic 1

Port-asic Port Drop Statistics - Summary

  RxQueue 0 Drop Stats: 0
  RxQueue 1 Drop Stats: 0
  RxQueue 2 Drop Stats: 0
  RxQueue 3 Drop Stats: 0

  Port  0 TxQueue Drop Stats: 0
  Port  1 TxQueue Drop Stats: 0
  Port  2 TxQueue Drop Stats: 0
  Port  3 TxQueue Drop Stats: 12

  Supervisor TxQueue Drop Statistics
Queue  0: 0
Queue  1: 0
Queue  2: 0
Queue  3: 0
Queue  4: 0
Queue  5: 0
Queue  6: 0
Queue  7: 0
Queue  8: 0
Queue  9: 0
Queue 10: 0
Queue 11: 0
Queue 12: 0
Queue 13: 0
Queue 14: 0
Queue 15: 0

Port-asic Port Drop Statistics - Details

  RxQueue Drop Statistics
Queue 0
Weight 0 Frames: 0
Weight 1 Frames: 0
Weight 2 Frames: 0
Queue 1
Weight 0 Frames: 0
Weight 1 Frames: 0
Weight 2 Frames: 0
Queue 2
Weight 0 Frames: 0
Weight 1 Frames: 0
Weight 2 Frames: 0
Queue 3
Weight 0 Frames: 0
Weight 1 Frames: 0
Weight 2 Frames: 0

  Port 0 TxQueue Drop Statistics
Queue 0
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 1
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 2
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 3
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0

  Port 1 TxQueue Drop Statistics
Queue 0
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 1
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 2
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 3
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0

  Port 2 TxQueue Drop Statistics
Queue 0
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 1
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 2
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 3
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0

  Port 3 TxQueue Drop Statistics
Queue 0
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 1
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 2
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 0
Queue 3
  Weight 0 Frames 0
  Weight 1 Frames 0
  Weight 2 Frames 12
  Supervisor TxQueue Drop Statistics
Queue  0: 0
Queue  1: 0
Queue  2: 0
Queue  3: 0
Queue  4: 0
Queue  5: 0
Queue  6: 0
Queue  7: 0
Queue  8: 0
Queue  9: 0
Queue 10: 0
Queue 11: 0
Queue 12: 0
Queue 13: 0
Queue 14: 0
Queue 15: 0
Switch#sh ver
Cisco IOS Software, C2970 Software (C2970-LANBASEK9-M), Version 12.2(25)SEC2, 
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 31-Aug-05 10:12 by antonino

ROM: Bootstrap program is C2970 boot loader
BOOTLDR: C2970 Boot Loader (C2970-HBOOT-M) Version 12.1(14r)EA1a, RELEASE 
SOFTWARE (fc1)

 Switch uptime is 22 minutes
System returned to ROM by power-on
System image file is "flash:/c2970-lanbasek9-mz.122-25.SEC2.bin"
[...]

HTH.

-- 
Peter


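
An added example, not part of the original message: a Python sketch that joins the two outputs shown above so that non-zero TxQueue drop counters are reported per interface. It assumes the "port" column of "show platform pm if-numbers" is ASIC/port (as Gi0/1 = 1/3 and the 12 drops on ASIC 1 port 3 suggest); the sample text is constructed and abbreviated from the layout above, and all function names are hypothetical.

```python
import re

# Constructed, abbreviated samples following the layout of the outputs above.
IF_NUMBERS = """\
interface gid  gpn  lpn  port slot unit slun port-type lpn-idb gpn-idb
-----------------------------------------------------------------------
Gi0/1     1    1    1    1/3  1    1    1    local     Yes     Yes
Gi0/2     2    2    2    1/2  1    2    2    local     Yes     Yes
Gi0/9     9    9    9    0/3  1    9    9    local     Yes     Yes
"""

ASIC1_DROPS = """\
Port-asic Port Drop Statistics - Summary

  RxQueue 0 Drop Stats: 0
  Port  0 TxQueue Drop Stats: 0
  Port  3 TxQueue Drop Stats: 12

  Supervisor TxQueue Drop Statistics
    Queue  0: 0

Port-asic Port Drop Statistics - Details

  RxQueue Drop Statistics
    Queue 0
      Weight 0 Frames: 0
  Port 3 TxQueue Drop Statistics
    Queue 0
      Weight 0 Frames 0
    Queue 3
      Weight 2 Frames 12
  Supervisor TxQueue Drop Statistics
    Queue  0: 0
"""

IF_ROW = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\d+\s+(\d+)/(\d+)\s")
SUMMARY = re.compile(r"^Port\s+(\d+) TxQueue Drop Stats:\s*(\d+)$")
DETAIL_HDR = re.compile(r"^Port\s+(\d+) TxQueue Drop Statistics$")
QUEUE = re.compile(r"^Queue\s+(\d+)$")
WEIGHT = re.compile(r"^Weight\s+(\d+) Frames:?\s*(\d+)$")


def parse_if_numbers(text):
    """Map (asic, port) -> interface name (assumes 'port' column is asic/port)."""
    mapping = {}
    for line in text.splitlines():
        m = IF_ROW.match(line.strip())
        if m:
            mapping[(int(m.group(2)), int(m.group(3)))] = m.group(1)
    return mapping


def parse_tx_drops(text):
    """Return (summary, detail) for one ASIC.

    summary: {port: total TxQueue drops}
    detail:  {port: {(queue, weight): frames}}
    """
    summary, detail = {}, {}
    port = queue = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY.match(line)):
            summary[int(m.group(1))] = int(m.group(2))
        elif (m := DETAIL_HDR.match(line)):
            port, queue = int(m.group(1)), None
            detail.setdefault(port, {})
        elif line.endswith("Statistics") or line.startswith("Port-asic"):
            # RxQueue and Supervisor sections are not per-port Tx counters.
            port = queue = None
        elif port is not None and (m := QUEUE.match(line)):
            queue = int(m.group(1))
        elif port is not None and queue is not None and (m := WEIGHT.match(line)):
            detail[port][(queue, int(m.group(1)))] = int(m.group(2))
    return summary, detail


def attribute_drops(if_numbers_text, drops_by_asic):
    """List every port with non-zero Tx drops, named by interface.

    drops_by_asic: {asic number: text of 'stats drop' output for that ASIC}.
    'consistent' is False when the per-queue detail does not add up to the
    summary counter, e.g. because the capture was truncated.
    """
    ports = parse_if_numbers(if_numbers_text)
    findings = []
    for asic, text in sorted(drops_by_asic.items()):
        summary, detail = parse_tx_drops(text)
        for port, total in sorted(summary.items()):
            if total == 0:
                continue
            per_queue = {k: v for k, v in detail.get(port, {}).items() if v}
            findings.append({
                "interface": ports.get((asic, port),
                                       f"unmapped asic {asic} port {port}"),
                "tx_drops": total,
                "by_queue_weight": per_queue,
                "consistent": sum(per_queue.values()) == total,
            })
    return findings


if __name__ == "__main__":
    for finding in attribute_drops(IF_NUMBERS, {1: ASIC1_DROPS}):
        print(finding)
```
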

Re: [c-nsp] Why doesn't this IPv6 ACL work?

2010-06-22 Thread Alexander Clouter
Hi,

Phil Mayers  wrote:
>
> On 06/22/2010 08:28 AM, Alexander Clouter wrote:
> 
>> Just to really be a pain, it all seems fine on our 3750 stack:
>> 
>> 103-1#show sdm prefer | include --useful-stuff
>>   The current template is "desktop IPv4 and IPv6 routing" template.
>>
>> 103-1#show ver | include --useful-stuff
>> Switch Ports Model              SW Version            SW Image
>> ------ ----- -----              ----------            ----------
>> *    1 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M
>>      2 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M
>>
>> 103-1#conf t
>> Enter configuration commands, one per line.  End with CNTL/Z.
>> 103-1(config)#ipv6 access-list test
>> 103-1(config-ipv6-acl)#permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
>> 103-1(config-ipv6-acl)#permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
>> 103-1(config-ipv6-acl)#end
> 
> If I read it correctly, the problem was when applying the ACL to an 
> interface, not defining the ACL?
> 
> I get exactly the same as the OP:
> 
> noc-rt1(config)#ipv6 access-list TEST
> noc-rt1(config-ipv6-acl)#permit tcp any host 2607:FE70:0:1:2C0:F0FF:FE5A:ABE8 sequence 30
> 
> ...so it defines fine, then:
> 
> noc-rt1(config-ipv6-acl)#int vl51
> noc-rt1(config-if)#ipv6 traffic-filter TEST in
> % This ACL contains following unsupported entries.
> % Remove those entries and try again.
> permit tcp any host 2607:FE70:0:1:2C0:F0FF:FE5A:ABE8 sequence 30
> % This ACL can not be attached to the interface.
>  
> ...this on 12.2(52)SE
> 
...and SE1 :)

My bad.

Cheers

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #71:
  The file system is full of it



Re: [c-nsp] How to find the root cause of packet loss

2010-06-22 Thread LM
Is there any command inside the switch to determine a possible packet 
loss?, more than the error counters under "sh int", I am curious about 
the ASIC values and buffer issues.



On 22/06/10 10:53, Peter Rathlev wrote:

On Fri, 2010-06-18 at 18:34 +0200, Sascha Pollok wrote:
   

Any idea how the EOSed 2970 performs in terms of buffers and
bursts? I have some of those in stock and wondering where to
put them next.
 

I just tested with a 2970 and it had no problems pushing 11+ MB/s when
transferring a 6 GB VirtualBox disk image. So it seems it does not have
the buffering problems of the 2960/3560/3750 family.

I tested between Gi0/1 and Gi0/3, so on the same ASIC. The switch was
with a blank configuration, except for "speed auto 100" on one interface
(Gi0/1). The software was 12.2(25)SEC2 LAN Base, but I don't think that
matters too much. It had 83 dropped packets from ~5 million packets.

   



[c-nsp] Cisco ACS adding network devices to user defined vendors

2010-06-22 Thread Torsten Waibel

Hello,

we have added the user defined vendor RADIUS_HUAWEI to our Cisco ACS 4.2.1 
Windows Server.


Unfortunately there is a problem with importing network devices through odbc 
connection using the accountactions table with the action code 220.


The documentation tells us :
--
220
ADD_NAS
VN, V1, V2, V3
Adds a new AAA client (named in VN) with an IP address (V1), shared secret key 
(V2), and vendor (V3). Valid vendors are:


•VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
•VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
•VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
•VENDOR_ID_AIRESPACE_RADIUS—For Cisco Airespace RADIUS.
•VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
•VENDOR_ID_ALTIGA_RADIUS—For Cisco 3000/ASA/PIX 7.x+ RADIUS.
•VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
•VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
•VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
•VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
•VENDOR_ID_3COM_RADIUS—For Cisco 3COMUSR RADIUS.
-

The user defined vendor is:

C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -listUDV
CSUtil v4.2(1.15), Copyright 1997-2009, Cisco Systems Inc
UDV 0 - RADIUS (RADIUS_HUAWEI)


Our action code and variables look like:

A=220
VN="xxx"
V1="10.10.10.10"
V2="blabla"
V3="VENDOR_ID_RADIUS_HUAWEI"

The error code is as follows:

06/22/2010,10:21:12,W03P-3413,ERROR,Parse Error: Reason - Host vendor is unknown 
 [A=220 UN="" GN="" AI="" VN="xxx" V1="10.10.10.10" V2="blabla" 
V3="VENDOR_ID_RADIUS_HUAWEI"]


Does anybody know the correct name for the V3-variable to import the network 
device in a correct way?


Best regards
Torsten Waibel


--
With kind regards

Torsten Waibel
Dipl.-Ing. (FH) Elektrotechnik
Network Engineer

Telefónica o2 Germany GmbH & Co. OHG
Hülshorstweg 30 , 33415 Verl
t: +49(0)5246-80-1966, f: +49(0)5246-80-2966
m: +49(0)171-5597768
torsten.wai...@telefonica.de
http://www.telefonica.de

Please find the mandatory commercial disclosures here: http://www.telefonica.de/pflichtangaben.html


Re: [c-nsp] How to find the root cause of packet loss

2010-06-22 Thread Peter Rathlev
On Fri, 2010-06-18 at 18:34 +0200, Sascha Pollok wrote:
> Any idea how the EOSed 2970 performs in terms of buffers and
> bursts? I have some of those in stock and wondering where to
> put them next.

I just tested with a 2970 and it had no problems pushing 11+ MB/s when
transferring a 6 GB VirtualBox disk image. So it seems it does not have
the buffering problems of the 2960/3560/3750 family.

I tested between Gi0/1 and Gi0/3, so on the same ASIC. The switch was
with a blank configuration, except for "speed auto 100" on one interface
(Gi0/1). The software was 12.2(25)SEC2 LAN Base, but I don't think that
matters too much. It had 83 dropped packets from ~5 million packets.

-- 
Peter




Re: [c-nsp] Why doesn't this IPv6 ACL work?

2010-06-22 Thread Phil Mayers

On 06/22/2010 08:28 AM, Alexander Clouter wrote:


Just to really be a pain, it all seems fine on our 3750 stack:

103-1#show sdm prefer | include --useful-stuff
  The current template is "desktop IPv4 and IPv6 routing" template.

103-1#show ver | include --useful-stuff
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M
     2 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M

103-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
103-1(config)#ipv6 access-list test
103-1(config-ipv6-acl)#permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
103-1(config-ipv6-acl)#permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
103-1(config-ipv6-acl)#end


If I read it correctly, the problem was when applying the ACL to an 
interface, not defining the ACL?


I get exactly the same as the OP:

noc-rt1(config)#ipv6 access-list TEST
noc-rt1(config-ipv6-acl)#permit tcp any host 2607:FE70:0:1:2C0:F0FF:FE5A:ABE8 sequence 30


...so it defines fine, then:

noc-rt1(config-ipv6-acl)#int vl51
noc-rt1(config-if)#ipv6 traffic-filter TEST in
% This ACL contains following unsupported entries.
% Remove those entries and try again.
permit tcp any host 2607:FE70:0:1:2C0:F0FF:FE5A:ABE8 sequence 30
% This ACL can not be attached to the interface.


...this on 12.2(52)SE


Re: [c-nsp] Why doesn't this IPv6 ACL work?

2010-06-22 Thread Alexander Clouter
Seth Mattinen  wrote:
>
> I tried changing the prefix to be out of my old /48 instead as a shot in
> the dark, and it didn't throw an error at me with this entry:
> 
> permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
> 
> However, this continues to not work:
> 
> permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
> 
> I can try switching to "routing" instead of "default" template.
> Otherwise I guess it's iptables/ip6tables time for me if this thing
> won't accept host addresses under my /32.
>
Just to really be a pain, it all seems fine on our 3750 stack:

103-1#show sdm prefer | include --useful-stuff
 The current template is "desktop IPv4 and IPv6 routing" template.

103-1#show ver | include --useful-stuff
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M
     2 52    WS-C3750-48TS      12.2(53)SE1           C3750-IPSERVICESK9-M

103-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
103-1(config)#ipv6 access-list test
103-1(config-ipv6-acl)#permit tcp any host 2620:0:950:1:2c0:f0ff:fe5a:abe8 eq 25
103-1(config-ipv6-acl)#permit tcp any host 2607:fe70:0:1:2c0:f0ff:fe5a:abe8 eq 25
103-1(config-ipv6-acl)#end


There seems to be no interesting difference between 53SE1 and 53SE2[1].  
Last time I had something 'strange'[2] to resolve when talking to Cisco, 
they suggested a "have you tried turning it off and on"...given that a 
whirl? :)

Cheers

[1] http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_53_se/release/notes/OL21141.html#wp1036822
[2] the switch was acting like a hub for particular combination of
destination MAC

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #254:
  Interference from lunar radiation



Re: [c-nsp] 3750X?

2010-06-22 Thread Marian Ďurkovič
On Mon, 21 Jun 2010 12:45:40 +0300, Tassos Chatzithomaoglou wrote
> ME-3800X
> http://www1.cisco.com/en/US/products/ps10965/index.html
> 
> ME-3600X
> http://www1.cisco.com/en/US/products/ps10956/index.html
> 
> Their datasheets aren't available yet.

ME-3800X datasheet appeared in between. It says 256 MB of buffering, which
sounds good. 

However, the 10GE uplink options look like a bad joke - SR, LR, LRM and copper?!
Is this datacenter-oriented box or have service providers switched to multimode
& copper during last months?

Please don't tell me there wasn't enough space for XFP cages, which would have
given us full choice between LR/ER/ZR/DWDM optics. Pushing SFP+ into this market
is complete ignorance of SP needs.

   M.



 


Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Phil Mayers

On 06/22/2010 06:48 AM, Gert Doering wrote:

Hi,

On Mon, Jun 21, 2010 at 02:11:38PM -0400, Jared Mauch wrote:

Additionally, beware of SXI4 if you do martini-pseudowires, these appear
to work in the control-plane, but data-plane may be one-way.


Uh.  What exactly are "martini" pseudowires?  (Sorry for the dumb question,
lost a bit track of all the variants).


EoMPLS IIRC. Which you (and we) are using :o(



Since we're eager to install SXI4 to get the fix for the "STP-over-EoMPLS-
on-DFC3C-cards" bug, this statement worries me a bit :)


Likewise. Jared - do you have a bug ID?


Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Gert Doering
Hi,

On Mon, Jun 21, 2010 at 02:11:38PM -0400, Jared Mauch wrote:
> Additionally, beware of SXI4 if you do martini-pseudowires, these appear 
> to work in the control-plane, but data-plane may be one-way.

Uh.  What exactly are "martini" pseudowires?  (Sorry for the dumb question,
lost a bit track of all the variants).

Since we're eager to install SXI4 to get the fix for the "STP-over-EoMPLS-
on-DFC3C-cards" bug, this statement worries me a bit :)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] 7606 config issue !!!

2010-06-22 Thread Mark Tinka
On Tuesday 22 June 2010 01:48:09 pm Gert Doering wrote:

> Uh.  What exactly are "martini" pseudowires?  (Sorry for
>  the dumb question, lost a bit track of all the
>  variants).

I guess he means the commonly-used LDP-signaled EoMPLS 
point-to-point pw's that were developed by Luca Martini :-).

Mark <= who can't quite tell if this is a trick question :-)

