Re: [c-nsp] DDoS Attack detection and elimination suggestions

2011-03-31 Thread Lee Starnes
Thanks Mikael. Sorry about the direct reply. Should have done a cc.

-Lee

On Thu, Mar 31, 2011 at 10:55 PM, Mikael Abrahamsson wrote:

> On Thu, 31 Mar 2011, Lee Starnes wrote:
>
> You should send this to the list... but here goes part of the answer. I am
> not very interested in continuing this offlist, as nobody else will learn
> anything.
>
> But what you want to configure in your routers is this:
>
> http://www.linux.it/~md/text/blackholing.html
>
> That will drop all traffic to the blackholed IP.
>
> How you trigger this blackhole is another matter.
>
>
>> Thanks Mikael. I'm not really concerned about keeping the attacked
>> machine(s) up during an attack. I guess what I am more interested in, is
>> keeping all the rest of the network from being impacted. Better to have one
>> customer down than 1 thousand customers. Since DoS attacks are going to
>> happen from time to time and they are usually not going to be the same, I
>> don't see how it can be prevented. Just want to be able to identify and end
>> it or at least minimize the impact as quickly as possible.
>>
>> -Lee
>>
>>
>>
>> On Thu, Mar 31, 2011 at 10:30 PM, Mikael Abrahamsson wrote:
>>
>>  On Thu, 31 Mar 2011, Lee Starnes wrote:
>>>
>>>> I'm looking for pointers on how to best detect DDoS attacks and best
>>>> practices for stopping one once identified.
>>>
>>> If you define what is being attacked and how, and what you would like to
>>> happen for it to be "stopped", you can probably get a better answer.
>>>
>>> Stopping a DDOS against infrastructure (often a packets/second problem) is
>>> one thing, trying to mitigate a DDOS SYN-flood against a web-server you want
>>> to continue working is another thing.
>>>
>>> --
>>> Mikael Abrahamsson    email: swm...@swm.pp.se
>>>
>>>
>>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
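The router-side blackholing Mikael points to, written out in its usual remote-triggered (RTBH) form as Cisco IOS configuration. This is an added example, not part of the messages above or of the linked page. The discard next-hop 192.0.2.1, AS 64500, the community 64500:666, the route tag 666, the iBGP peer addresses 10.0.0.1/10.0.0.2 and the attacked customer address 203.0.113.10 are all assumed values.

```cisco
! ===== Every edge/border router =====
! Static route for the discard next-hop. Any BGP route whose next-hop
! is 192.0.2.1 (assumed value, from TEST-NET-1) now resolves to Null0
! and is dropped in the forwarding path instead of being punted.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Without this the router answers every dropped packet with an ICMP
! unreachable, which turns a cheap drop into CPU and bandwidth cost.
interface Null0
 no ip unreachables
!
router bgp 64500
 neighbor 10.0.0.1 remote-as 64500
 neighbor 10.0.0.1 description trigger router (assumed address)
 neighbor 10.0.0.1 send-community
 ! any inbound prefix-length filter on this session must allow /32s

! ===== Trigger router (10.0.0.1) =====
! Only static routes tagged 666 are redistributed. The route-map sets
! the discard next-hop and the blackhole community; no-export keeps
! the /32 inside the AS so it never reaches external peers.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community 64500:666 no-export
 set origin igp
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 description edge router (assumed address)
 neighbor 10.0.0.2 send-community
!
! --- Trigger: drop all traffic to the attacked customer address ---
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! --- Verify on an edge router ---
!   show ip bgp 203.0.113.10     (next-hop 192.0.2.1, community 64500:666)
!   show ip cef 203.0.113.10     (must resolve to Null0)
!   show interfaces Null0 | include packets output   (counter climbs)
!
! --- Withdraw when the attack is over ---
! no ip route 203.0.113.10 255.255.255.255 Null0 tag 666
```

The same Null0 route does double duty for source-based blackholing if the edge interfaces run loose-mode uRPF (ip verify unicast source reachable-via any): a packet whose source address resolves to Null0 fails the check, so blackholing an attacker's address drops traffic from it as well as to it. The static route on the trigger is the "how you trigger this" part; most operators wrap it in a script or a dedicated trigger box rather than typing it during an attack.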


Re: [c-nsp] DDoS Attack detection and elimination suggestions

2011-03-31 Thread Dobbins, Roland

On Apr 1, 2011, at 12:08 PM, Lee Starnes wrote:

> I'm looking for pointers on how to best detect DDoS attacks and best 
> practices for stopping one once identified.

http://www.arbornetworks.com/report (free registration required)

Please forgive the brief commercialistic propaganda mentions in a couple of the 
decks, the focus is on strengthening the infrastructure itself and on making 
use of freely-available tools/techniques.

> What is recommended as a replacement router

That's a large question that's really impossible to answer without a lot more 
details about your network in general, your peers/upstream/downstream transits, 
your customer base, et al.  One answer is newer GSRs - if you take this
option, be sure you get E3 or E5 linecards, which support NetFlow telemetry,
ACLs, and uRPF.  Note you'll likely end up on IOS-XR or IOS-XE, rather than 
IOS, if you stick w/reasonable Cisco platforms.

Under no circumstances go down the 6500/7600 path - NetFlow caveats, ACL 
caveats, and uRPF caveats render these platforms suboptimal for SP edge 
applications.

GSR/12000 w/E3/E5 linecards, CRS-1 (Cisco make little ones and big ones), 
CRS-3, ASR9K, ASR1K, even 4500 with Sup7 (no previous Sups) or N7K can work, 
depending upon your particular circumstances, required interface density/types, 
required bandwidth/throughput performance envelope at different packet sizes 
and with different feature mixes, and general feature requirements.  

> and what would be recommended if the routers are not replaced? 


The stuff in the slides, plus getting PRPs and E3/E5 linecards.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde


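The three data-plane features Roland names for the linecards (NetFlow telemetry, ACLs, uRPF) applied on a single IOS edge router, as an added example that is not from his message or from the slides he refers to; it also covers Lee's question about seeing the offending traffic on the existing routers. Interface names, the collector 10.10.10.5, the infrastructure block 198.51.100.0/24, the router's own address 198.51.100.1 and the BGP peer 192.0.2.2 are assumptions, and the ACL lists only BGP and basic ICMP: a real infrastructure ACL must also permit whatever else the router legitimately speaks (IGP, LDP, NTP, SNMP, SSH from management).

```cisco
! NetFlow on the interfaces facing peers and customers, exported to a
! collector (assumed 10.10.10.5) so the flow data survives the cache
! timeouts and can be analysed off-box. A short active timeout makes
! long flows show up in the export sooner during an attack.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.10.10.5 2055
ip flow-cache timeout active 1
!
interface GigabitEthernet1/0
 description upstream transit (assumed)
 ip flow ingress
 ip access-group EDGE-IN in
 ! Loose uRPF on the transit side: drop only sources with no route at
 ! all (bogons, blackholed addresses); asymmetric paths are expected here.
 ip verify unicast source reachable-via any
!
interface GigabitEthernet2/0
 description customer-facing (assumed)
 ip flow ingress
 ! Strict uRPF on customer ports: drop packets whose source would not
 ! be routed back out this interface, so customers cannot source
 ! spoofed traffic into the network.
 ip verify unicast source reachable-via rx
!
! Infrastructure ACL on the transit side. Traffic *to* the router's own
! addresses is limited to BGP from the known peer and basic ICMP;
! everything else aimed at the infrastructure block is dropped before
! it can reach the route processor. Transit traffic to customers is
! untouched. No "log" keyword: logging punts to the CPU, which is
! exactly what an attacker wants during a flood.
ip access-list extended EDGE-IN
 remark -- our own infrastructure space must never arrive from outside
 deny   ip 198.51.100.0 0.0.0.255 any
 permit tcp host 192.0.2.2 host 198.51.100.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 198.51.100.1
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 permit icmp any 198.51.100.0 0.0.0.255 ttl-exceeded
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 deny   ip any 198.51.100.0 0.0.0.255
 permit ip any any
!
! While under attack, look at the cache directly before the export
! reaches a collector. A SYN flood is thousands of one-packet,
! 40-byte flows to one destination with widely varying sources.
!   show ip cache flow
!   show ip cache flow | include 203.0.113.10
!   show ip interface GigabitEthernet2/0 | include verification drops
!   show access-lists EDGE-IN
```

On the 12000 the linecards do sampled rather than full NetFlow (ip route-cache flow sampled on the interface, with the interval set globally by ip flow-sampling-mode packet-interval), which is still plenty to see a flood: the victim address and port dominate the top talkers regardless of the sampling rate.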


Re: [c-nsp] DDoS Attack detection and elimination suggestions

2011-03-31 Thread Mikael Abrahamsson

On Thu, 31 Mar 2011, Lee Starnes wrote:


I'm looking for pointers on how to best detect DDoS attacks and best
practices for stopping one once identified.


If you define what is being attacked and how, and what you would like to 
happen for it to be "stopped", you can probably get a better answer.


Stopping a DDOS against infrastructure (often a packets/second problem) is 
one thing, trying to mitigate a DDOS SYN-flood against a web-server you 
want to continue working is another thing.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


[c-nsp] DDoS Attack detection and elimination suggestions

2011-03-31 Thread Lee Starnes
Hi,

I'm looking for pointers on how to best detect DDoS attacks and best
practices for stopping one once identified. Our current platform is using
12008 GRP-B routers, but I know they have their limits on what they can
handle when seeing things like 90 packets per second input rates.

What is recommended as a replacement router and what would be recommended if
the routers are not replaced? Is there an easy way to see and identify the
traffic on these existing routers or is there a way to do something similar
to RSPAN on the switches that will allow me to see this traffic?

Any help or direction to resources would be greatly appreciated.

Thanks,

Lee.


[c-nsp] IPv4 Exhaustion Information

2011-03-31 Thread Srinivas (Sunny) Chendi



IPv4 Exhaustion Information



Dear NSP community,

We are writing to remind you that IPv4 exhaustion is an issue that
should now be a priority for your organization.

Most of you will be aware that the central pool of IPv4 addresses held
by IANA was depleted in February. APNIC is currently delegating IPv4
addresses from its remaining pool.

For more information on how APNIC currently delegates addresses, please
refer to:

  http://www.apnic.net/ipv4-exhaustion/stages


APNIC IPv4 Exhaustion Timeline?
---

Due to a large number of variables, the timeline for APNIC IPv4
exhaustion is not predictable with any assured accuracy. However, it is
the APNIC Secretariat's role to make as much information as possible
available to all stakeholders, so they may make their own assessments.

You can view the current APNIC IPv4 address pool, which is updated
daily:

  http://www.apnic.net/ipv4-exhaustion/graphs


Deploy IPv6 Now
---

If you are an APNIC Member, you can start your IPv6 deployment process
today with the APNIC Kickstart IPv6 program.

  http://www.apnic.net/kickstartipv6

APNIC actively supports IPv6 deployment in the following ways:

  - APNIC services and website are accessible over IPv6
  - IPv6 addresses are readily available to Members
  - APNIC provides IPv6 training courses
  - IPv6 liaison services
  - Regional IPv6 awareness initiatives

For more information on how APNIC can assist you to deploy IPv6 visit:

  http://www.apnic.net/ipv6


___

APNIC Secretariat secretar...@apnic.net
Asia Pacific Network Information Centre (APNIC)Tel: +61 7 3858 3100
PO Box 3646 South Brisbane, QLD 4101 Australia Fax: +61 7 3858 3199
6 Cordelia Street, South Brisbane, QLD http://www.apnic.net

  * Sent by email to save paper. Print only if necessary.


[c-nsp] graphing bad hop counts

2011-03-31 Thread Brandon Porter
Hi,
I'm looking for a way to graph bad hop counts when you issue the "show ip 
traffic" command.  I have a multicast network and, short of constantly going 
into devices and issuing that command, there is no way of knowing or being 
notified (that I know of) as to when the bad hop count is reaching a certain 
threshold.  Does anyone know of any software or anything that can help me 
accomplish my goal?  Or alert me in some way when the bad hop count reaches a 
threshold?  Any help is appreciated.  Thanks.
-Brandon
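One way to get the alert Brandon asks for without an external poller: an IOS Embedded Event Manager applet that samples the counter from "show ip traffic" twice, 60 seconds apart, and raises a syslog message when the increase crosses a threshold. This is an added example, not something from the original post. The counter is cumulative since boot (or since clear ip traffic), so the difference between two samples is what matters, not the absolute number. The threshold of 500 packets per 60 seconds and the five-minute polling interval are assumed values to tune for the network.

```cisco
! Requires an IOS with EEM 3.0 or later (the "if", "subtract" and
! "wait" actions). The applet runs every 300 s, takes two readings of
! the bad-hop-count counter 60 s apart and logs the delta if it is
! above 500 (assumed threshold).
event manager applet BADHOP-WATCH
 event timer watchdog time 300
 action 010 cli command "enable"
 action 020 cli command "show ip traffic | include bad hop count"
 action 030 regexp "([0-9]+) bad hop count" "$_cli_result" match first
 action 040 if $_regexp_result ne 1
 action 050  syslog priority errors msg "BADHOP-WATCH: could not parse bad hop count from show ip traffic"
 action 060  exit 1
 action 070 end
 action 080 wait 60
 action 090 cli command "show ip traffic | include bad hop count"
 action 100 regexp "([0-9]+) bad hop count" "$_cli_result" match second
 action 110 subtract $second $first
 action 120 set delta $_result
 action 130 if $delta gt 500
 action 140  syslog priority warnings msg "BADHOP-WATCH: $delta bad-hop-count packets in 60 s (counter now $second)"
 action 150 end
!
! Checks:
!   show event manager policy registered       (applet is listed)
!   show ip traffic | include bad hop count    (the line being parsed)
!   event manager run BADHOP-WATCH             (only for applets with an
!                                               "event none" trigger; for
!                                               the timer version, wait for
!                                               the next run and check the log)
```

The syslog message is the hook for everything else: a syslog-to-SNMP trap (logging history plus snmp-server enable traps syslog) or the collector's own alerting turns it into a page, and the same counter can be graphed by having the applet's message logged on every run rather than only above the threshold. For a proper graph over time, polling via SNMP is easier than EEM; note that the standard IP-MIB ipInHdrErrors counter includes TTL-exceeded discards along with format and checksum errors, so it approximates but does not equal the bad hop count shown by IOS.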


Re: [c-nsp] FWSM upgrade

2011-03-31 Thread Ge Moua

i agree with tony here.

if you are somewhat paranoid; then take the compact flash and do:
dd to snapshot image
dd snapshot image to another compact flash with same capacity

if anything goes wrong with the upgrade then you have an exact replica 
of the previous f/s, ios, etc.


the fwsm is some linux derivative with a vanilla boot partition & ext 
filesystem


i've done this before and this works well.


--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 3/31/11 3:05 PM, Tony Varriale wrote:


I would save my config, load the software then reload.  3.1x to 3.2x 
isn't anything big.  If you are already on 3.1 you have the correct 
maintenance software.


http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/upgrade/guide/fwsm31up.html#wp2070189 



tv 



Re: [c-nsp] FWSM upgrade

2011-03-31 Thread Tony Varriale

On 3/31/2011 1:29 PM, John Snow wrote:

Hi I am fairly new to fwsm, but what I need to do is upgrade from 3.1 to a 3.2 
release.

I don't have a spare blade to test this on so I will be upgrading on prod on 
the fly. I am putting a plan together before I make the change to avoid as much 
downtime as possible.


I would like to boot into cf:5, load the image and config, make sure everything 
is working as expected and then either load new image and config into cf:4 or 
copy the image and config from cf:5 into cf:4 and then boot from cf:4 again.



1.   Configure vlan1 on msfc

interface Vlan1
  description **in shutdown mode normally** li1  ten-193-9  10.193.9.0 /24   rsvd fwsm rom-boot cf:1 vlan 1 ip gw ->  ftp relay.sait
  ip address 10.193.9.254 255.255.255.0
end


2.Boot into maintenance partition

#hw-module module 9 reset cf:1


3.   Console session into fw

sess slot 9 proc 1


4.   Configure ip address/sm/gw

root@localhost.localdomain#ip address 10.193.9.1 255.255.255.0
root@localhost.localdomain#ip gateway 10.193.9.254

make sure I can ping ftp server

root@localhost.localdomain#ping 142.110.254.131



5.   ftp image into flash cf:5 partition
root@localhost.localdomain#upgrade ftp://user:pw@142.110.254.131/C6SVC-FWM-K9-3-1-1.BIN cf:5

Application image upgrade complete. You can boot the image now.
root@localhost.localdomain#exit


6.   boot into cf:5
#hw-module module 9 reset cf:5


7.   load activation key

FWSM(config)# activation-key df9f1b5a 38203d9f 1a65ca81 3920ba83



Now at this point I have an image in cf:5, but no configuration yet.  This is 
where I am a bit stuck. I need to load/copy image into cf:5 - test - then move 
the image and config back into cf:4.


Any help would be appreciated.



I would save my config, load the software then reload.  3.1x to 3.2x 
isn't anything big.  If you are already on 3.1 you have the correct 
maintenance software.


http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/upgrade/guide/fwsm31up.html#wp2070189

tv


[c-nsp] FWSM upgrade

2011-03-31 Thread John Snow
Hi I am fairly new to fwsm, but what I need to do is upgrade from 3.1 to a 3.2 
release.

I don't have a spare blade to test this on so I will be upgrading on prod on 
the fly. I am putting a plan together before I make the change to avoid as much 
downtime as possible.


I would like to boot into cf:5, load the image and config, make sure everything 
is working as expected and then either load new image and config into cf:4 or 
copy the image and config from cf:5 into cf:4 and then boot from cf:4 again.



1.   Configure vlan1 on msfc

interface Vlan1
 description **in shutdown mode normally** li1  ten-193-9  10.193.9.0 /24   rsvd fwsm rom-boot cf:1 vlan 1 ip gw -> ftp relay.sait
 ip address 10.193.9.254 255.255.255.0
end


2.Boot into maintenance partition

#hw-module module 9 reset cf:1


3.   Console session into fw

sess slot 9 proc 1


4.   Configure ip address/sm/gw

root@localhost.localdomain#ip address 10.193.9.1 255.255.255.0
root@localhost.localdomain#ip gateway 10.193.9.254

make sure I can ping ftp server

root@localhost.localdomain#ping 142.110.254.131



5.   ftp image into flash cf:5 partition
root@localhost.localdomain#upgrade ftp://user:pw@142.110.254.131/C6SVC-FWM-K9-3-1-1.BIN cf:5

Application image upgrade complete. You can boot the image now.
root@localhost.localdomain#exit


6.   boot into cf:5
#hw-module module 9 reset cf:5


7.   load activation key

FWSM(config)# activation-key df9f1b5a 38203d9f 1a65ca81 3920ba83



Now at this point I have an image in cf:5, but no configuration yet.  This is 
where I am a bit stuck. I need to load/copy image into cf:5 - test - then move 
the image and config back into cf:4.


Any help would be appreciated.





[c-nsp] customer facing edge switch recommendation?

2011-03-31 Thread Mike

Hello,

	I will have some customers on copper and fiber and I am interested in 
learning about what cisco switch would offer me port based QoS / rate 
limiting / QinQ vlan stacking. I don't want IP only qos - I want to be 
able to say '45 megs in and out, period' no matter the traffic type. I'd 
also like to be able to apply more than 1 802.1q tag but this isn't a 
strict requirement. Can anyone suggest anything in the reasonable price 
ballpark that could be used for this application?


Thanks.


Re: [c-nsp] Blocking Peer-to-peer with a 7200

2011-03-31 Thread Justin M. Streiner

On Thu, 31 Mar 2011, Olav Langeland wrote:


On 30.03.2011 14:59, opsli...@rhemasound.org wrote:

 I am trying to block peer-to-peer from a hotel using a Cisco 7200.  Has
 anyone else had success doing this?  If so what config do you use, and
 what IOS version.
 I just finished getting nowhere with TAC on a case for a different
 location, our test PC doing Linux ISO downloads never got touched even
 though the counters were showing blocked traffic.

 Thanks.
Have a look at Cisco NBAR 
(http://www.cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html). 
"Mission critical applications including ERP and workforce optimization 
applications can be intelligently identified and classified using Network 
Based Application Recognition ( NBAR ). Once these mission critical 
applications are classified they can be guaranteed a minimum amount of 
bandwidth, policy routed, and marked for preferential treatment. Non-critical 
applications including Internet gaming applications and MP3 file sharing 
applications can also be classified using NBAR and marked for best effort 
service, policed, or blocked as required."


The last time I looked at NBAR, it did a decent job of catching some of 
the more well-defined stuff, but I don't know if I'd throw it at P2P 
traffic being tunneled over HTTP because that's going to be a 
constantly moving target.  You could probably also create a policy that 
permits known services and does best-effort on everything else, but 
keeping that policy up to date could get very resource-intensive on your 
ops staff.  Another thing to watch out for is that NBAR can get 
resource-intensive on the router as the traffic levels increase.


jms


Re: [c-nsp] Blocking Peer-to-peer with a 7200

2011-03-31 Thread Olav Langeland

On 30.03.2011 14:59, opsli...@rhemasound.org wrote:

I am trying to block peer-to-peer from a hotel using a Cisco 7200.  Has anyone 
else had success doing this?  If so what config do you use, and what IOS 
version.
I just finished getting nowhere with TAC on a case for a different location, 
our test PC doing Linux ISO downloads never got touched even though the 
counters were showing blocked traffic.

Thanks.
Have a look at Cisco NBAR 
(http://www.cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html). 

"Mission critical applications including ERP and workforce optimization 
applications can be intelligently identified and classified using 
Network Based Application Recognition ( NBAR ). Once these mission 
critical applications are classified they can be guaranteed a minimum 
amount of bandwidth, policy routed, and marked for preferential 
treatment. Non-critical applications including Internet gaming 
applications and MP3 file sharing applications can also be classified 
using NBAR and marked for best effort service, policed, or blocked as 
required."


Some examples:
http://slaptijack.com/networking/controlling-peer-to-peer-p2p-traffic-with-cisco-nbar/
http://www.networkstraining.com/blocking-peer-to-peer-using-cisco-ios-nbar/

-olav
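The NBAR approach Olav links to, and the caveats Justin raises about HTTP-tunnelled P2P and router load, written out as one IOS configuration for the 7200. This is an added example, not configuration from either of the linked articles or from the posters; the interface name is assumed, and the protocol names must exist in the NBAR definitions of the IOS actually running.

```cisco
! NBAR needs CEF switching. Classification happens on the route
! processor, so watch "show processes cpu" after enabling it.
ip cef
!
! Well-known P2P protocols NBAR can classify out of the box. The list
! is only as good as the protocol definitions in the running IOS or
! the loaded PDLMs, so keep those current.
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol directconnect
 match protocol winmx
!
! P2P riding on HTTP: match the parts that are recognisable (tracker
! files and their MIME type). A client that encrypts or disguises its
! transfers is not caught by this, which is the moving target Justin
! describes.
class-map match-any P2P-OVER-HTTP
 match protocol http url "*.torrent"
 match protocol http mime "application/x-bittorrent"
!
policy-map BLOCK-P2P
 class P2P
  drop
 class P2P-OVER-HTTP
  drop
!
! Apply in BOTH directions on the guest-facing interface so that flows
! started from either side are classified; protocol-discovery gives a
! per-protocol breakdown to compare against the policy counters.
interface GigabitEthernet0/1
 description hotel guest LAN (assumed)
 ip nbar protocol-discovery
 service-policy input BLOCK-P2P
 service-policy output BLOCK-P2P
!
! Checks:
!   show ip nbar protocol-discovery interface GigabitEthernet0/1 top-n 10
!   show policy-map interface GigabitEthernet0/1
!   show ip nbar version        (protocol definitions actually loaded)
```

If the policy counters climb but the test download keeps going, compare the protocol-discovery top-n output with what the policy matched: traffic that protocol-discovery attributes to "unknown" or plain "http" is traffic the class-maps above will never drop, and only a newer protocol definition or an allow-list policy (permit known services, police everything else) reaches it.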


Re: [c-nsp] MLS rate limit logging ??

2011-03-31 Thread ryanL
+1. I fought in vain for this as well. There's no way that I know of
to see if the limiters are being hit, other than some likely hidden
command. Would love to know if someone has it!


On Thu, Mar 31, 2011 at 10:35 AM, Jeff Fitzwater  wrote:
> Is there a way to log MLS RATE-LIMITs?
>
>
> I have enabled "mls rate-limit multicast ipv4 pim" due to a downstream host 
> on a PIM enabled vlan, sending hundreds  of PIM joins per second and spiking 
> CPU.  The MLS rate limit worked, but would like to know when the limit is 
> hit, but I see no way to enable logging for MLS RATE LIMITERS.
>
>
> Any ideas?
>
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
>
>



[c-nsp] MLS rate limit logging ??

2011-03-31 Thread Jeff Fitzwater
Is there a way to log MLS RATE-LIMITs?


I have enabled "mls rate-limit multicast ipv4 pim" due to a downstream host on 
a PIM enabled vlan, sending hundreds  of PIM joins per second and spiking CPU.  
The MLS rate limit worked, but would like to know when the limit is hit, but I 
see no way to enable logging for MLS RATE LIMITERS.


Any ideas?



Jeff Fitzwater
OIT Network Systems
Princeton University





Re: [c-nsp] Understanding 10G line card oversubscription

2011-03-31 Thread Tim Stevenson

It is targeted for the 5.2 release (internal name "Delhi").
Tim

At 08:08 AM 3/31/2011, Peter Rathlev uttered:

On Thu, 2011-03-31 at 08:09 -0500, Tony Varriale wrote:
> Phil, looks like Cisco is launching (has launched) their marketing for
> MPLS phase 1 on N7K.
>
> 
http://www.cisco.com/en/US/prod/switches/ps9441/ps9402/nexus_7000.html#~MPLS


Anybody know what software version will support MPLS on N7k? I can't
seem to see that from the above.

--
Peter



Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.




Re: [c-nsp] Understanding 10G line card oversubscription

2011-03-31 Thread Peter Rathlev
On Thu, 2011-03-31 at 08:09 -0500, Tony Varriale wrote:
> Phil, looks like Cisco is launching (has launched) their marketing for
> MPLS phase 1 on N7K.
> 
> http://www.cisco.com/en/US/prod/switches/ps9441/ps9402/nexus_7000.html#~MPLS

Anybody know what software version will support MPLS on N7k? I can't
seem to see that from the above.

-- 
Peter




Re: [c-nsp] Can I encrypt syslog traffic in IOS

2011-03-31 Thread Hammer
Nope. You're thinking correctly. But that's not the issue.

AUDIT

We don't syslog thru our management VLAN. That is not a scalable solution
for our WAN. However, this is more of a "due diligence" than anything. Like
authenticating NTP or using SSH instead of TELNET. This is a matter of "Are
you doing the best you can to ensure your traffic is not exposed?" Even
though some of it doesn't necessarily make sense.

I've noticed over the last about two years that both Internal and External
audit seem to be getting a lot more savvy with what they look at and what
they ask. Could just be a sign of the times. Who knows. But these are the
questions I'm being asked and then I'm being interrogated on my config. So
I'm just being proactive in looking for solutions to harden our standards.


 -Hammer-

"I was a normal American nerd."
-Jack Herer





On Tue, Mar 29, 2011 at 2:47 PM, Dobbins, Roland wrote:

>
> On Mar 29, 2011, at 11:26 PM, Hammer wrote:
>
> >  In the end, we may just policy route the syslog traffic thru a tunnel.
>
> Out of curiosity, why do you want to encrypt your syslog traffic?  You're
> exporting down your OOB management network (i.e., DCN), yes?
>
> If anyone's in a position to sniff the syslog traffic on the DCN - or even
> inband on the production network, for that matter - then there are problems
> on said network which encrypting syslog won't solve, heh.
>
> ;>
>
> ---
> Roland Dobbins  // 
>
>The basis of optimism is sheer terror.
>
>  -- Oscar Wilde
>
>
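The tunnel option Hammer mentions, as an added IOS example that is not from the thread: syslog carried to the collector over an IPsec virtual tunnel interface. With a VTI a plain static route does the steering, so no policy routing is needed. Assumed values: the collector 10.200.0.10 behind a peer at 198.51.100.1, Loopback0 as tunnel and logging source, tunnel addressing 10.255.255.0/30, and a pre-shared key placeholder that must be replaced.

```cisco
! IKEv1 policy and IPsec proposal. SHA-256 needs a release that
! supports it; on older IOS fall back to "hash sha" / esp-sha-hmac.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set SYSLOG-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile SYSLOG-PROF
 set transform-set SYSLOG-TS
!
interface Tunnel100
 description encrypted path to the syslog collector (assumed)
 ip address 10.255.255.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SYSLOG-PROF
!
! Only the collector's /32 goes through the tunnel; the rest of the WAN
! traffic keeps its normal path. The second route matters: when the
! tunnel is down the first route disappears, and without a Null0
! fallback the syslog packets would follow the default route in clear.
ip route 10.200.0.10 255.255.255.255 Tunnel100
ip route 10.200.0.10 255.255.255.255 Null0 254
!
logging source-interface Loopback0
logging trap informational
logging host 10.200.0.10
!
! Checks:
!   show crypto session                 (Tunnel100 peer 198.51.100.1 UP-ACTIVE)
!   show ip route 10.200.0.10           (next hop must be Tunnel100)
!   show logging | include Trap logging (message count increasing)
```

Because the Null0 fallback means messages are lost rather than leaked while the tunnel is down, pair it with an alarm on the tunnel state (for example an SNMP linkDown trap on Tunnel100) so that a dropped tunnel is noticed rather than discovered during the next audit.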


Re: [c-nsp] Understanding 10G line card oversubscription

2011-03-31 Thread Tony Varriale

On 3/23/2011 3:57 AM, Phil Mayers wrote:


The N7k is a nice platform in many ways. Far higher performance, 
better software and some interesting features like mcLAG. It would be 
a great fit for us, *if* it had the MPLS feature set. It doesn't == a 
shame (for us)


Phil, looks like Cisco is launching (has launched) their marketing for 
MPLS phase 1 on N7K.


http://www.cisco.com/en/US/prod/switches/ps9441/ps9402/nexus_7000.html#~MPLS

tv


[c-nsp] similar command "sh mls cef max-route" on 12k

2011-03-31 Thread Vikas Sharma
Hi,

Similar to 6500 "sh mls cef max-route" does anyone knows corresponding
command on 12k with XR?

Regards,
Vikas


Re: [c-nsp] Unidirectional CDP traffic

2011-03-31 Thread Martin Komon
IMHO something makes it to London, as seen in the counters:
> LIXCORML01#sh int gi3/16
>   5 minute output rate 1000 bits/sec, 1 packets/sec
>  0 packets input, 287503 bytes, 0 no buffer
Maybe the encapsulation/framing is screwed, thus no packets are recognized.

My $0.02,

Martin

On 3/31/2011 2:01 PM, Daniel Dib wrote:
On Thu, Mar 31, 2011 at 13:50:33, Gökhan Gümüş wrote:
>> Subject: Re: [c-nsp] Unidirectional CDP traffic
>>
>> Hi Daniel,
>>
>> Thanks for this.
>> Actually, the interfaces are all working as trunk ports; however, they are
>> configured like this.
>>
>> We cleared counters and made ping tests.
>> Please see our test results below,
>>
>>
>> Clearing counters:
>>
>>
>> === London ===
>> LIXCORML01#cle count gi3/16
>> Clear "show interface" counters on this interface [confirm] 
>> LIXCORML01#p 10.119.44.150
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
>> .
>> Success rate is 0 percent (0/5)
>>
>> LIXCORML01#sh int gi3/16
>>
>> GigabitEthernet3/16 is up, line protocol is up (connected)
>>   Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.ccd7 (bia
>> 68ef.bd4f.ccd7)
>>   Description: abc
>>   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
>>  reliability 255/255, txload 1/255, rxload 1/255
>>   Encapsulation ARPA, loopback not set
>>   Keepalive set (10 sec)
>>   Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseLH
>>   input flow-control is on, output flow-control is on
>>   ARP type: ARPA, ARP Timeout 04:00:00
>>   Last input never, output never, output hang never
>>   Last clearing of "show interface" counters 00:00:21
>>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
>>   Queueing strategy: fifo
>>   Output queue: 0/40 (size/max)
>>   5 minute input rate 0 bits/sec, 0 packets/sec
>>   5 minute output rate 1000 bits/sec, 1 packets/sec
>>  0 packets input, 287503 bytes, 0 no buffer
>>  Received 0 broadcasts (0 multicasts)
>>  0 runts, 0 giants, 0 throttles
>>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>>  0 input packets with dribble condition detected
>>  38 packets output, 2720 bytes, 0 underruns
>>  0 output errors, 0 collisions, 0 interface resets
>>  0 babbles, 0 late collision, 0 deferred
>>  0 lost carrier, 0 no carrier
>>  0 output buffer failures, 0 output buffers swapped out
>>
>> LIXCORML01#sh cdp nei gi3/16
>> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
>>                   S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
>>                   D - Remote, C - CVTA, M - Two-port Mac Relay
>>
>> Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
>> LIXCORML01#
>> ===
>>
>> === Stockholm ===
>>
>>
>> SOXCORML01#cle count gi3/11
>> Clear "show interface" counters on this interface [confirm] 
>> SOXCORML01#p 10.119.44.149
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 10.119.44.149, timeout is 2 seconds:
>> .
>> Success rate is 0 percent (0/5)
>>
>> SOXCORML01#sh int gi3/11
>> GigabitEthernet3/11 is up, line protocol is up (connected)
>>   Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.c51e (bia
>> 68ef.bd4f.c51e)
>>   Description: abc
>>   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
>>  reliability 255/255, txload 1/255, rxload 1/255
>>   Encapsulation ARPA, loopback not set
>>   Keepalive set (10 sec)
>>   Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseLH
>>   input flow-control is on, output flow-control is on
>>   ARP type: ARPA, ARP Timeout 04:00:00
>>   Last input 00:00:00, output never, output hang never
>>   Last clearing of "show interface" counters 00:00:21
>>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
>>   Queueing strategy: fifo
>>   Output queue: 0/40 (size/max)
>>   5 minute input rate 0 bits/sec, 0 packets/sec
>>   5 minute output rate 0 bits/sec, 0 packets/sec
>>  35 packets input, 2910 bytes, 0 no buffer
>>  Received 35 broadcasts (35 multicasts)
>>  0 runts, 0 giants, 0 throttles
>>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>>  0 input packets with dribble condition detected
>>  53 packets output, 3776 bytes, 0 underruns
>>  0 output errors, 0 collisions, 0 interface resets
>>  0 babbles, 0 late collision, 0 deferred
>>  0 lost carrier, 0 no carrier
>>  0 output buffer failures, 0 output buffers swapped out
>>
>> SOXCORML01#sh cdp nei gi3/11
>> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
>>                   S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
>>                   D - Remote, C - CVTA, M - Two-port Mac Relay
>>
>> Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
>> LIXCORML01.nd.barcapint.com 
>>  Gig 3/11  133 R S 

Re: [c-nsp] Unidirectional CDP traffic

2011-03-31 Thread Gökhan Gümüş
Hi Daniel,

I can enable PM on my DWDM devices and let you know.

Any more ideas? Is it certain that the problem is not located at the customer
devices?

Kind regards,
Gokhan

2011/3/31 Daniel Dib 

> On Thu, Mar 31, 2011 at 13:50:33, Gökhan Gümüş wrote:
> > Subject: Re: [c-nsp] Unidirectional CDP traffic
> >
> > Hi Daniel,
> >
> > Thanks for this.
> > Actually, the interfaces are all working as trunk ports; however, they are
> > configured like this.
> >
> > We cleared counters and made ping tests.
> > Please see our test results below,
> >
> >
> > Clearing counters:
> >
> >
> > === London ===
> > LIXCORML01#cle count gi3/16
> > Clear "show interface" counters on this interface [confirm]
> > LIXCORML01#p 10.119.44.150
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
> > .
> > Success rate is 0 percent (0/5)
> >
> > LIXCORML01#sh int gi3/16
> >
> > GigabitEthernet3/16 is up, line protocol is up (connected)
> >   Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.ccd7 (bia
> > 68ef.bd4f.ccd7)
> >   Description: abc
> >   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
> >  reliability 255/255, txload 1/255, rxload 1/255
> >   Encapsulation ARPA, loopback not set
> >   Keepalive set (10 sec)
> >   Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseLH
> >   input flow-control is on, output flow-control is on
> >   ARP type: ARPA, ARP Timeout 04:00:00
> >   Last input never, output never, output hang never
> >   Last clearing of "show interface" counters 00:00:21
> >   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
> >   Queueing strategy: fifo
> >   Output queue: 0/40 (size/max)
> >   5 minute input rate 0 bits/sec, 0 packets/sec
> >   5 minute output rate 1000 bits/sec, 1 packets/sec
> >  0 packets input, 287503 bytes, 0 no buffer
> >  Received 0 broadcasts (0 multicasts)
> >  0 runts, 0 giants, 0 throttles
> >  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> >  0 input packets with dribble condition detected
> >  38 packets output, 2720 bytes, 0 underruns
> >  0 output errors, 0 collisions, 0 interface resets
> >  0 babbles, 0 late collision, 0 deferred
> >  0 lost carrier, 0 no carrier
> >  0 output buffer failures, 0 output buffers swapped out
> >
> > LIXCORML01#sh cdp nei gi3/16
> > Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
> >                   S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
> >                   D - Remote, C - CVTA, M - Two-port Mac Relay
> >
> > Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
> > LIXCORML01#
> > ===
> >
> > === Stockholm ===
> >
> >
> > SOXCORML01#cle count gi3/11
> > Clear "show interface" counters on this interface [confirm]
> > SOXCORML01#p 10.119.44.149
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 10.119.44.149, timeout is 2 seconds:
> > .
> > Success rate is 0 percent (0/5)
> >
> > SOXCORML01#sh int gi3/11
> > GigabitEthernet3/11 is up, line protocol is up (connected)
> >   Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.c51e (bia
> > 68ef.bd4f.c51e)
> >   Description: abc
> >   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
> >  reliability 255/255, txload 1/255, rxload 1/255
> >   Encapsulation ARPA, loopback not set
> >   Keepalive set (10 sec)
> >   Full-duplex, 1000Mb/s, link type is force-up, media type is
> > 1000BaseLH
> >   input flow-control is on, output flow-control is on
> >   ARP type: ARPA, ARP Timeout 04:00:00
> >   Last input 00:00:00, output never, output hang never
> >   Last clearing of "show interface" counters 00:00:21
> >   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops:
> > 0
> >   Queueing strategy: fifo
> >   Output queue: 0/40 (size/max)
> >   5 minute input rate 0 bits/sec, 0 packets/sec
> >   5 minute output rate 0 bits/sec, 0 packets/sec
> >  35 packets input, 2910 bytes, 0 no buffer
> >  Received 35 broadcasts (35 multicasts)
> >  0 runts, 0 giants, 0 throttles
> >  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> >  0 input packets with dribble condition detected
> >  53 packets output, 3776 bytes, 0 underruns
> >  0 output errors, 0 collisions, 0 interface resets
> >  0 babbles, 0 late collision, 0 deferred
> >  0 lost carrier, 0 no carrier
> >  0 output buffer failures, 0 output buffers swapped out
> >
> > SOXCORML01#sh cdp nei gi3/11
> > Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
> >   S - Switch, H - Host, I - IGMP, r - Repeater, P -
> > Phone,
> >   D - Remote, C - CVTA, M - Two-port Mac Relay
> >
> > Device IDLocal Intrfce HoldtmeCapability  Platform
> > Port
> > ID
> > LIXCORML01.nd.barcapint.com 
> >  Gig 3/11  133 R S I  WS-C4900M Gig
>

Re: [c-nsp] Unidirectional CDP traffic

2011-03-31 Thread Daniel Dib
On Thu, Mar 31, 2011 at 13:50:33, Gökhan Gümüş wrote:
> Subject: Re: [c-nsp] Unidirectional CDP traffic
> 
> Hi Daniel,
> 
> Thanks for this.
> Actually the interfaces are all working as trunk ports; however, they are
> configured like this.
> 
> We cleared counters and made ping tests.
> Please see our test results below,
> 
> 
> Clearing counters:
> 
> 
> === London ===
> LIXCORML01#cle count gi3/16
> Clear "show interface" counters on this interface [confirm] 
> LIXCORML01#p 10.119.44.150
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
> .
> Success rate is 0 percent (0/5)
> 
> LIXCORML01#sh int gi3/16
> 
> GigabitEthernet3/16 is up, line protocol is up (connected)
>   Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.ccd7 (bia
> 68ef.bd4f.ccd7)
>   Description: abc
>   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
>  reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 1000Mb/s, link type is force-up, media type is 
> 1000BaseLH
>   input flow-control is on, output flow-control is on
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input never, output never, output hang never
>   Last clearing of "show interface" counters 00:00:21
>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops:
> 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 1000 bits/sec, 1 packets/sec
>  0 packets input, 287503 bytes, 0 no buffer
>  Received 0 broadcasts (0 multicasts)
>  0 runts, 0 giants, 0 throttles
>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>  0 input packets with dribble condition detected
>  38 packets output, 2720 bytes, 0 underruns
>  0 output errors, 0 collisions, 0 interface resets
>  0 babbles, 0 late collision, 0 deferred
>  0 lost carrier, 0 no carrier
>  0 output buffer failures, 0 output buffers swapped out
> 
> LIXCORML01#sh cdp nei gi3/16
> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
>   S - Switch, H - Host, I - IGMP, r - Repeater, P - 
> Phone,
>   D - Remote, C - CVTA, M - Two-port Mac Relay
> 
> Device IDLocal Intrfce HoldtmeCapability  Platform
> Port
> ID
> LIXCORML01#
> ===
> 
> === Stockholm ===
> 
> 
> SOXCORML01#cle count gi3/11
> Clear "show interface" counters on this interface [confirm] 
> SOXCORML01#p 10.119.44.149
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.119.44.149, timeout is 2 seconds:
> .
> Success rate is 0 percent (0/5)
> 
> SOXCORML01#sh int gi3/11
> GigabitEthernet3/11 is up, line protocol is up (connected)
>   Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.c51e (bia
> 68ef.bd4f.c51e)
>   Description: abc
>   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
>  reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 1000Mb/s, link type is force-up, media type is 
> 1000BaseLH
>   input flow-control is on, output flow-control is on
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output never, output hang never
>   Last clearing of "show interface" counters 00:00:21
>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops:
> 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>  35 packets input, 2910 bytes, 0 no buffer
>  Received 35 broadcasts (35 multicasts)
>  0 runts, 0 giants, 0 throttles
>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>  0 input packets with dribble condition detected
>  53 packets output, 3776 bytes, 0 underruns
>  0 output errors, 0 collisions, 0 interface resets
>  0 babbles, 0 late collision, 0 deferred
>  0 lost carrier, 0 no carrier
>  0 output buffer failures, 0 output buffers swapped out
> 
> SOXCORML01#sh cdp nei gi3/11
> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
>   S - Switch, H - Host, I - IGMP, r - Repeater, P - 
> Phone,
>   D - Remote, C - CVTA, M - Two-port Mac Relay
> 
> Device IDLocal Intrfce HoldtmeCapability  Platform
> Port
> ID
> LIXCORML01.nd.barcapint.com 
>  Gig 3/11  133 R S I  WS-C4900M Gig
> 3/16
> SOXCORML01#
> ===
> 
> Thanks in advance.
> 
> Gokhan
> 
> 

Traffic is flowing from London to STHLM and STHLM is responding, as seen by the
counters. If you debug ICMP you should see that STHLM is receiving an echo
request and sending an echo reply. However, the traffic never makes it back
to London. I think you need to troubleshoot your WDM network. Do you have
any counters available there?

/Daniel
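Daniel's reading of the two counter sets can be checked mechanically. The block below is an added example, not code from the thread or from any of the posters: it parses the "packets input/output" lines of the two "show interface" outputs above (embedded here as constructed sample text, trimmed to the relevant lines), pairs each side's output count with the far side's input count, and names the direction that carries nothing. It assumes both counter sets were cleared at the same moment and that the link is point-to-point with nothing else on the VLAN; the function names parse_counters, diagnose and counter_anomalies are my own.

```python
"""Locate the failing direction of a point-to-point link from the
'show interface' counters of both ends, taken after 'clear counters'.

Added example; not from the thread.  Assumes simultaneous clearing and a
point-to-point link, so the remote 'packets output' should reappear as the
local 'packets input'.
"""
import re

# Matches lines such as "     0 packets input, 287503 bytes, 0 no buffer"
COUNTER_RE = re.compile(r"^\s*(\d+) packets (input|output), (\d+) bytes", re.M)

# Constructed sample text: the counter lines posted for London Gi3/16 and
# Stockholm Gi3/11, trimmed to what the parser needs.
LONDON_SHOW_INT = """\
GigabitEthernet3/16 is up, line protocol is up (connected)
  Last input never, output never, output hang never
     0 packets input, 287503 bytes, 0 no buffer
     38 packets output, 2720 bytes, 0 underruns
"""
STOCKHOLM_SHOW_INT = """\
GigabitEthernet3/11 is up, line protocol is up (connected)
  Last input 00:00:00, output never, output hang never
     35 packets input, 2910 bytes, 0 no buffer
     53 packets output, 3776 bytes, 0 underruns
"""


def parse_counters(show_int: str) -> dict:
    """Return {'input': {'packets', 'bytes'}, 'output': {...}} for one port."""
    counters = {}
    for pkts, direction, nbytes in COUNTER_RE.findall(show_int):
        counters[direction] = {"packets": int(pkts), "bytes": int(nbytes)}
    missing = {"input", "output"} - counters.keys()
    if missing:
        raise ValueError(f"counter lines not found: {sorted(missing)}")
    return counters


def _path_state(tx: dict, rx: dict) -> str:
    """Judge one direction from the sender's output and receiver's input."""
    if tx["packets"] == 0:
        return "untested (sender transmitted nothing)"
    if rx["packets"] == 0:
        return "broken (sender transmitted, receiver counted no packets)"
    return "ok"


def diagnose(a_name: str, a_show: str, b_name: str, b_show: str) -> dict:
    """Map each direction 'a->b' and 'b->a' to ok / broken / untested."""
    a, b = parse_counters(a_show), parse_counters(b_show)
    return {
        f"{a_name}->{b_name}": _path_state(a["output"], b["input"]),
        f"{b_name}->{a_name}": _path_state(b["output"], a["input"]),
    }


def counter_anomalies(show_int: str) -> list:
    """Flag self-contradicting counters (zero packets but non-zero bytes)."""
    notes = []
    for direction, c in parse_counters(show_int).items():
        if c["packets"] == 0 and c["bytes"] > 0:
            notes.append(
                f"{direction}: 0 packets but {c['bytes']} bytes; "
                "confirm with a capture before trusting this counter"
            )
    return notes


if __name__ == "__main__":
    for path, state in diagnose("london", LONDON_SHOW_INT,
                                "stockholm", STOCKHOLM_SHOW_INT).items():
        print(f"{path}: {state}")
    for note in counter_anomalies(LONDON_SHOW_INT):
        print(f"london anomaly: {note}")
```

Run as-is it reports london->stockholm ok and stockholm->london broken, which matches the CDP asymmetry (Stockholm hears London's advertisements, London hears nothing). It also flags the London input line, which reports 0 packets alongside 287503 bytes; a counter that contradicts itself is a reason to confirm with a SPAN session or a tap rather than a number to build a conclusion on.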


_

Re: [c-nsp] Unidirectional CDP traffic

2011-03-31 Thread Gökhan Gümüş
Hi Daniel,

Thanks for this.
Actually the interfaces are all working as trunk ports; however, they are
configured like this.

We cleared counters and made ping tests.
Please see our test results below,

Clearing counters:

=== London ===
LIXCORML01#cle count gi3/16
Clear "show interface" counters on this interface [confirm]
LIXCORML01#p 10.119.44.150

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

LIXCORML01#sh int gi3/16
GigabitEthernet3/16 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.ccd7 (bia
68ef.bd4f.ccd7)
  Description: abc
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseLH
  input flow-control is on, output flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:00:21
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
 0 packets input, 287503 bytes, 0 no buffer
 Received 0 broadcasts (0 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 38 packets output, 2720 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

LIXCORML01#sh cdp nei gi3/16
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
  D - Remote, C - CVTA, M - Two-port Mac Relay

Device IDLocal Intrfce HoldtmeCapability  Platform  Port ID
LIXCORML01#
===

=== Stockholm ===

SOXCORML01#cle count gi3/11
Clear "show interface" counters on this interface [confirm]
SOXCORML01#p 10.119.44.149

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.119.44.149, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

SOXCORML01#sh int gi3/11
GigabitEthernet3/11 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 68ef.bd4f.c51e (bia
68ef.bd4f.c51e)
  Description: abc
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is force-up, media type is 1000BaseLH
  input flow-control is on, output flow-control is on
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters 00:00:21
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 35 packets input, 2910 bytes, 0 no buffer
 Received 35 broadcasts (35 multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 53 packets output, 3776 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out

SOXCORML01#sh cdp nei gi3/11
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
  D - Remote, C - CVTA, M - Two-port Mac Relay

Device IDLocal Intrfce HoldtmeCapability  Platform  Port ID
LIXCORML01.nd.barcapint.com 
 Gig 3/11  133 R S I  WS-C4900M Gig 3/16
SOXCORML01#
===

Thanks in advance.

Gokhan

2011/3/31 Daniel Dib 

> On Thu, Mar 31, 2011 at 13:22:19, Gökhan Gümüş wrote:
> > Subject: [c-nsp] Unidirectional CDP traffic
> >
> > Hi all,
> >
> > One of our customers is experiencing a strange problem.
> > We are providing a link between London and Stockholm via DWDM.
> > The customer is not able to ping the remote site.
> > The strange thing is that from Stockholm he can see the London site as a CDP neighbor.
> > From London he cannot...
> > Configs are below;
> >
> > === London ===
> > LIXCORML01#cle count gi3/16
> > Clear "show interface" counters on this interface [confirm]
> > LIXCORML01#p 10.119.44.150
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
> > .
> > Suc

Re: [c-nsp] Unidirectional CDP traffic

2011-03-31 Thread Daniel Dib
On Thu, Mar 31, 2011 at 13:22:19, Gökhan Gümüş wrote:
> Subject: [c-nsp] Unidirectional CDP traffic
> 
> Hi all,
> 
> One of our customers is experiencing a strange problem.
> We are providing a link between London and Stockholm via DWDM.
> The customer is not able to ping the remote site.
> The strange thing is that from Stockholm he can see the London site as a CDP neighbor.
> From London he cannot...
> Configs are below;
> 
> === London ===
> LIXCORML01#cle count gi3/16
> Clear "show interface" counters on this interface [confirm] 
> LIXCORML01#p 10.119.44.150
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
> .
> Success rate is 0 percent (0/5)
> 
> -Stockholm
> 
> SOXCORML01#sh cdp nei gi3/11
> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
>   S - Switch, H - Host, I - IGMP, r - Repeater, P - 
> Phone,
>   D - Remote, C - CVTA, M - Two-port Mac Relay
> 
> Device IDLocal Intrfce HoldtmeCapability  Platform
> Port ID
> LIXCORML01.abc 
>  Gig 3/11  133 R S I  WS-C4900M Gig
> 3/16
> SOXCORML01#
> 
> Interface configs are below;
> 
> === London ===
> interface GigabitEthernet3/16
>  description euNetworks BAR0001_LON_STO_GE_26254_001 to SOXCORML01 Gi3/11
>  switchport access vlan 628
>  switchport trunk native vlan 628
>  switchport trunk allowed vlan 628,728
>  switchport mode trunk
>  speed nonegotiate
> end
> ===
> === Stockholm ===
> interface GigabitEthernet3/11
>  description euNetworks BAR0001_LON_STO_GE_26254_001 to LIXCORML01 Gi3/16
>  switchport access vlan 628
>  switchport trunk native vlan 628
>  switchport trunk allowed vlan 628,728
>  switchport mode trunk
>  speed nonegotiate
>  spanning-tree portfast
> end
> 
> === London ===
> LIXCORML01#sh int gi3/16 sw
> Name: Gi3/16
> Switchport: Enabled
> Administrative Mode: trunk
> Operational Mode: trunk
> Administrative Trunking Encapsulation: dot1q
> Operational Trunking Encapsulation: dot1q
> Negotiation of Trunking: On
> Access Mode VLAN: 628 (628-SOX-PROD)
> Trunking Native Mode VLAN: 628 (628-SOX-PROD)
> Administrative Native VLAN tagging: enabled
> Voice VLAN: none
> Administrative private-vlan host-association: none
> Administrative private-vlan mapping: none
> Administrative private-vlan trunk native VLAN: none
> Administrative private-vlan trunk Native VLAN tagging: enabled
> Administrative private-vlan trunk encapsulation: dot1q
> Administrative private-vlan trunk normal VLANs: none
> Administrative private-vlan trunk associations: none
> Administrative private-vlan trunk mappings: none
> Operational private-vlan: none
> Trunking VLANs Enabled: 628,728
> Pruning VLANs Enabled: 2-1001
> Capture Mode Disabled
> Capture VLANs Allowed: ALL
> 
> Unknown unicast blocked: disabled
> Unknown multicast blocked: disabled
> Appliance trust: none
> ===
> === Stockholm ===
> SOXCORML01#sh int gi3/11 sw
> Name: Gi3/11
> Switchport: Enabled
> Administrative Mode: trunk
> Operational Mode: trunk
> Administrative Trunking Encapsulation: dot1q
> Operational Trunking Encapsulation: dot1q
> Negotiation of Trunking: On
> Access Mode VLAN: 628 (628-LIX-PROD)
> Trunking Native Mode VLAN: 628 (628-LIX-PROD)
> Administrative Native VLAN tagging: enabled
> Voice VLAN: none
> Administrative private-vlan host-association: none
> Administrative private-vlan mapping: none
> Administrative private-vlan trunk native VLAN: none
> Administrative private-vlan trunk Native VLAN tagging: enabled
> Administrative private-vlan trunk encapsulation: dot1q
> Administrative private-vlan trunk normal VLANs: none
> Administrative private-vlan trunk associations: none
> Administrative private-vlan trunk mappings: none
> Operational private-vlan: none
> Trunking VLANs Enabled: 628,728
> Pruning VLANs Enabled: 2-1001
> Capture Mode Disabled
> Capture VLANs Allowed: ALL
> 
> Unknown unicast blocked: disabled
> Unknown multicast blocked: disabled
> Appliance trust: none
> SOXCORML01#
> ===
> 
> Anybody had such an experience before?
> 
> Thanks and regards,
> Gokhan Gumus
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

If he can see London from STHLM that would imply that TX from London and RX
in STHLM is working as expected. The issue should be with LONDON RX and
STHLM TX. On the London port you have both the port configured as access and
as a trunk, that can cause weird things. Is this the same in STHLM also? You
are using speed nonegotiate which shouldn't cause issues like this but it's
better to have auto enabled unless you absolutely cannot get the link stable
with it. What about the counters for the interfaces in LONDON and STHLM, are
they increasing? And are they increasing both inbound and outbound?

/Daniel



[c-nsp] Unidirectional CDP traffic

2011-03-31 Thread Gökhan Gümüş
Hi all,

One of our customers is experiencing a strange problem.
We are providing a link between London and Stockholm via DWDM.
The customer is not able to ping the remote site.
The strange thing is that from Stockholm he can see the London site as a CDP neighbor.
From London he cannot...
Configs are below;

=== London ===
LIXCORML01#cle count gi3/16
Clear "show interface" counters on this interface [confirm]
LIXCORML01#p 10.119.44.150

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.119.44.150, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)

-Stockholm

SOXCORML01#sh cdp nei gi3/11
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
  D - Remote, C - CVTA, M - Two-port Mac Relay

Device IDLocal Intrfce HoldtmeCapability  Platform  Port ID
LIXCORML01.abc 
 Gig 3/11  133 R S I  WS-C4900M Gig 3/16
SOXCORML01#

Interface configs are below;

=== London ===
interface GigabitEthernet3/16
 description euNetworks BAR0001_LON_STO_GE_26254_001 to SOXCORML01 Gi3/11
 switchport access vlan 628
 switchport trunk native vlan 628
 switchport trunk allowed vlan 628,728
 switchport mode trunk
 speed nonegotiate
end
===
=== Stockholm ===
interface GigabitEthernet3/11
 description euNetworks BAR0001_LON_STO_GE_26254_001 to LIXCORML01 Gi3/16
 switchport access vlan 628
 switchport trunk native vlan 628
 switchport trunk allowed vlan 628,728
 switchport mode trunk
 speed nonegotiate
 spanning-tree portfast
end

=== London ===
LIXCORML01#sh int gi3/16 sw
Name: Gi3/16
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 628 (628-SOX-PROD)
Trunking Native Mode VLAN: 628 (628-SOX-PROD)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 628,728
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
===
=== Stockholm ===
SOXCORML01#sh int gi3/11 sw
Name: Gi3/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 628 (628-LIX-PROD)
Trunking Native Mode VLAN: 628 (628-LIX-PROD)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 628,728
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
SOXCORML01#
===

Anybody had such an experience before?

Thanks and regards,
Gokhan Gumus
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Layer 2 Local Switching - 7606 ES-20

2011-03-31 Thread Dmitry Valdov

Hello,


We did local switching on ES20 cards, but not in port-to-port mode.
We have a working configuration where one VLAN from the 1st port is connected
using local switching to a VLAN on the 2nd port. I think you can do it for as
many VLANs as you want, but we didn't try more than one.

Native VLANs on both ports are L3 terminated on the device.



==
interface TenGigabitEthernet2/0/0
 description x
 mtu 9216
 no ip address
 mls qos trust dscp
 service instance 2 ethernet   <- We do local switching of VLAN 32 from this port to VLAN 32 of port TE2/0/1
  encapsulation dot1q 32
 !

interface TenGigabitEthernet2/0/0.1 # <- native VLAN is L3 terminated
 description UU
 encapsulation dot1Q 2 native
 ip address x.x.x.x 255.255.255.252
 ip flow ingress
 ip pim sparse-mode
 mpls ip


interface TenGigabitEthernet2/0/1
 description DD
 mtu 9216
 no ip address
 ip flow ingress
 mls qos trust dscp
 service instance 2 ethernet   <- We do local switching of VLAN 32 from this port to VLAN 32 on TE2/0/0
  encapsulation dot1q 32
 !

interface TenGigabitEthernet2/0/1.1  <- native VLAN is L3 terminated
 description Y
 encapsulation dot1Q 3 native
 ip address x.x.x.x 255.255.255.252
 ip flow ingress
 ip pim sparse-mode
 mpls ip
end

connect connection-name TenGigabitEthernet2/0/0 2 TenGigabitEthernet2/0/1 2


==
Everything is working as expected.


On Wed, 30 Mar 2011, Andrew K. wrote:

I am attempting to aggregate multiple layer 2 switches into a 7606
(12.2(33)SRE3), but I do not want the 7606 to be part of the layer 2 network.


To achieve this I am trying to use layer 2 local switching between two router 
ports on a ES20 (7600-ES20-GE3C) card.


The configuration seems simple enough, but I cannot get this working.

7606# sh run
interface GigabitEthernet1/0/2
description MM FIBER TRUNK TO CAT4500 (Gi1/1)
no ip address
no mls qos trust
!
interface GigabitEthernet1/0/3
description SM FIBER TO LNS (Gi0/0/2)
no ip address
no mls qos trust

connect WORKTHISTIME GigabitEthernet1/0/3 GigabitEthernet1/0/2

7606#sh connection all

ID   NameSegment 1  Segment 2  State

9 WORKTHISTIMEGi1/0/3Gi1/0/2UP

In theory I should be able to plug a host into both those ports, address them 
on the same subnet and pass traffic correct?


This cisco document confirms this should work : 
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1172344


This does not seem to be working, am I missing something?

Any help would be greatly appreciated.

Thanks in advance,
Andrew.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



--
Dmitry Valdov
CCIE #15379 (R&S and SP)
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/