Re: [c-nsp] Strange 7600 behavior
Hello, Raphael Costa! It looks like we have the same problem at our C7600. Only one eBGP session and one iBGP session are configured, plus static and connected routes to the BGP nexthops. While the router loads the BGP full table from the eBGP neighbor for the first time and starts forwarding traffic, RP CPU usage increases to 90-100%. The 'sh ibc brief' command at this moment shows about 1 Gbit of traffic punted to the RP. After the command 'clear cef linecard', RP CPU usage normalizes, and 'sh ibc brief' shows about 30 kbit of traffic to the RP.

R1#sh platform hardware pfc mode
PFC operating mode : PFC3CXL

We are using only CFC cards in this box. Did you find the problem or resolve it?

On Wed, 16 Mar 2011 17:26:01 -0300 Raphael Costa wrote:
> After a router reload:
>
> Router#ps
> CPU utilization for five seconds: 18%/17%; one minute: 19%; five
> minutes: 14%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY
> Process 2 12 85141 0.00% 0.01% 0.00% 0
> Load Meter 83848 213 18065 0.00% 0.86%
> 0.64% 0 Check heaps 160 88 8 11000 0.00%
> 0.01% 0.00% 0 Per-minute Jobs
> 164 928 993934 0.00% 0.11% 0.13% 1
> Virtual Exec
> 186 0 12514 0 0.00% 0.02% 0.00% 0 ACE
> Tunnel Task
> 222 0 12514 0 0.07% 0.01% 0.00% 0 IP
> ARP Retry Age
> 223 3282253145 0.00% 0.01% 0.03% 0 IP
> Input 259 0 47032 0 0.07% 0.08% 0.07% 0
> Ethernet Msec Ti
> 263 8 12514 0 0.07% 0.01% 0.00% 0 IPAM
> Manager
> 3043152 355 8878 0.00% 0.02% 0.30% 0 XDR
> mcast 312 12216 225 54293 0.00% 0.08% 1.31% 0
> IP RIB Update
> 388 212 213995 0.15% 0.06% 0.04% 0
> HIDDEN VLAN Proc
> 470 206001416 14548 0.07% 0.20% 2.11% 0 BGP
> Router 493 56 567 98 0.07% 0.01% 0.00%
> 0 Port manager per
> 499 5961027580 0.00% 0.00% 0.04% 0 BGP
> I/O 5522132 163 13079 0.00% 0.01% 0.22% 0
> BGP Task 5534060 22 184545 0.00% 0.77%
> 0.69% 0 BGP Scanner
>
> Router#sho
> Router#show ib
> Router#show ibc | i rate
> 5 minute rx rate 4547000 bits/sec, 8434 packets/sec
> 5 minute tx rate 11063000 bits/sec, 16861 packets/sec
>
>
> 2011/3/16 Raphael Costa
>
> > Guys,
> >
> > Definitely there is something really wrong. :-)
> >
> > The router stopped consuming CPU due to interrupts.
> >
> > The only thing that I've changed was the uplink interface, moved from
> > 5/2 to 4/48 on the fly. After that the router began responding well.
> >
> > So, to check again, I put the cable back to 5/2. And the router is
> > working well.
> >
> > How could this be possible?
> >
> >
> > Router#show platform hardware capacity forwarding
> > L2 Forwarding Resources
> >            MAC Table usage:   Module  Collisions  Total       Used       %Used
> >                                    5           0  98304          7          1%
> >
> >              VPN CAM usage:                      Total       Used       %Used
> >                                                    512          0          0%
> > L3 Forwarding Resources
> >              FIB TCAM usage:   Module            Total        Used       %Used
> >      72 bits (IPv4, MPLS, EoM)      5           524288      349774         67%
> >     144 bits (IP mcast, IPv6)                   262144           9          1%
> >
> >                      detail:   Protocol                       Used       %Used
> >                                IPv4                         347726         66%
> >                                MPLS                           2048          1%
> >                                EoM                               0          0%
> >
> >                                IPv6                              2          1%
> >                                IPv4 mcast                        4          1%
> >                                IPv6 mcast                        3          1%
> >
> >             Adjacency usage:                     Total        Used       %Used
> >                                                1048576         169          1%
> >
> >      Forwarding engine load:
> >                      Module       pps   peak-pps                     peak-time
> >                           5     41127      86367   12:34:28 UTC Wed Mar 16 2011
> >
> > Router#show platform hardware capacity forwarding
> > Router#sh int g5/2
> > GigabitEthernet5/2 is up, line protocol is up (connected)
> >   Hardware is C7600 1Gb 802.3, address is c471.fe02.b200 (bia c471.fe02.b200)
> >   Internet address is 201.20.8.70/28
> >   MTU 1500 bytes, BW 100 Kbit/sec, DLY 10 usec,
> >      reliability 255/255, txload 1/255, rxload 93/255
> >   Encapsulation ARPA, loopback not set
> >   Keepalive set (10 sec)
> >   Full-d
[c-nsp] hardware fault on sup720.
Hello, a confidence building question… We have a sup720 in a 6500 which has developed a 'minor fault'. The unit is up and still forwarding, but Cisco recommends we replace the module asap. I have a second sup720 (verbatim). There is only one SUP in the chassis at this time.

My plan is to insert the new 720, sync the config, then fail the primary and pull it out. Does that seem sane? How long does the failover process take?

Thanks for your time,
greg

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Alternatives for port-security in a L2 host redundancy environment
On Thu, 2011-04-28 at 12:59 -0400, Christopher Pilkington wrote:
> Has anyone else run into this and found an alternate solution to
> port-security? Basically we want to defend against two things: 1.
> someone unplugging the firewall and utilizing its switchport for other
> purposes (which is game over anyway, since that implies physical
> access to cage)

Yeah, anyone who can do that can also trivially find out what MAC address the firewall uses and use it themselves. MAC-based port-security does not defend against the determined attacker at all; it just makes it a little more difficult for people to cause trouble. Someone with physical access to your firewall (or the switch to which your firewall is connected) is a determined attacker.

I'm not deeply familiar with audits like these, but if they're seriously asking for port-security on infrastructure ports they have IMHO misunderstood something. User-facing ports: yes, maybe. Infrastructure ports: no.

> 2. someone hijacking the MAC of the firewall from a
> different network interface.

Make sure the VLAN doesn't exist anywhere it shouldn't. If hosts have a L2 connection to your firewall, secure the access ports with e.g. DAI, DHCP snooping or static MAC entries.

-- 
Peter
[c-nsp] Alternatives for port-security in a L2 host redundancy environment
We have a situation where auditors are requiring us to use port-security on L2 switchports. However, we have firewalls that cluster and move their MAC address from one switchport to the other. On a single switch, this would result in the port being disabled. In redundant switches, the port doesn't disable, but the MAC is being nailed in the static table on both switches, which seems to cause the firewalls some trouble, as they are in an active/passive configuration.

Has anyone else run into this and found an alternate solution to port-security? Basically we want to defend against two things:

1. someone unplugging the firewall and utilizing its switchport for other purposes (which is game over anyway, since that implies physical access to cage)
2. someone hijacking the MAC of the firewall from a different network interface.

Thanks!
-cjp
Re: [c-nsp] ASR 1002-F NetFlow
On Wed, Apr 27, 2011 at 04:52:08PM +0200, Henry-Nicolas Tourneur wrote:
> Hello,
>
> We are using NetFlow v9 on 2 edge BGP routers (ASR 1002-F) but that works
> only partially.
> Indeed, approximately 50% of destination and source AS are marked as AS0.
>

On the 6500 platform, flows exported with a src AS or dst AS 0 represent your own AS. Not sure if this is true on the ASR platform.

-- 
Brandon Ewing (nicot...@warningg.com)
Re: [c-nsp] snmp config
On Thu, 2011-04-28 at 11:22 +0200, Tóth András wrote:
> How To Copy Configurations To and From Cisco Devices Using SNMP
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml

Beware that CISCO-CONFIG-COPY-MIB is not supported on all devices. For those that don't support it, OLD-CISCO-SYS-MIB (supported by every IOS device I met) has "writeNet":

snmpset [auth options] device.example.com OLD-CISCO-SYS-MIB::writeNet.10.20.30.40 s device-config.txt

Where "10.20.30.40" is the IP address of a TFTP server and "device-config.txt" is the path relative to the TFTP root on the server. This path can contain "/" to address subdirectories.

If every device you have supports CISCO-CONFIG-COPY-MIB, it has a lot of advantages: you can copy more than just running-config, you can use other protocols than TFTP, and you can check the status of long-running operations. It's programmatically more complex though.

Keep in mind that your TFTP server might not allow creating new files, so you might have to first create a world-writable file for the device to overwrite.

-- 
Peter
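The writeNet flow above, scripted end to end as an added example (not Peter's own script): it pre-creates the world-writable target he warns about, issues the set with the TFTP server address as the OID index, and waits for the device to finish writing. It assumes net-snmp's snmpset, an SNMPv3 authPriv user whose credentials sit in the environment, and a TFTP root on the same host; the device name, server IP and file name are constructed placeholders.

```shell
#!/bin/sh
# Pull a device's running-config with the OLD-CISCO-SYS-MIB writeNet
# object. Added example, not the list post's own script. Assumes
# net-snmp's snmpset, an SNMPv3 authPriv user, and a TFTP root on
# this host (all constructed for the example).

SNMPSET=${SNMPSET:-snmpset}   # overridable so the flow can be dry-run
TIMEOUT=${TIMEOUT:-60}        # seconds to wait for the TFTP write

# Pre-create an empty, world-writable target so a TFTP daemon that
# refuses to create new files still accepts the write. Prints the path.
prepare_target_file() {
    root=$1; name=$2
    mkdir -p "$root/$(dirname "$name")" || return 1
    : > "$root/$name" && chmod 666 "$root/$name" || return 1
    printf '%s\n' "$root/$name"
}

# The TFTP server address is the OID index; the value is the path
# relative to the TFTP root. Credentials come from the environment.
writenet_set() {
    device=$1; tftp_ip=$2; name=$3
    "$SNMPSET" -v3 -l authPriv -u "$SNMP_USER" \
        -a SHA -A "$SNMP_AUTH_PASS" -x AES -X "$SNMP_PRIV_PASS" \
        "$device" "OLD-CISCO-SYS-MIB::writeNet.$tftp_ip" s "$name"
}

# Poll until the device has written the file (non-empty) or time out,
# then sanity-check that it looks like an IOS configuration.
wait_for_config() {
    path=$1; waited=0
    while [ ! -s "$path" ]; do
        [ "$waited" -ge "$TIMEOUT" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    grep -q '^hostname ' "$path"
}

# usage: pull_config <device> <tftp-server-ip> <tftp-root> <relative-name>
pull_config() {
    path=$(prepare_target_file "$3" "$4") || return 1
    writenet_set "$1" "$2" "$4" || return 1
    wait_for_config "$path"
}
```

A non-zero exit from pull_config means either the set failed or nothing arrived within TIMEOUT seconds, which is the case to alert on when this runs from cron.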
Re: [c-nsp] snmp config
Hi,

How To Copy Configurations To and From Cisco Devices Using SNMP
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml

Best regards,
Andras

On Thu, Apr 28, 2011 at 10:47 AM, Thatayaone Sehube wrote:
> Can anyone assist on how to retrieve configuration from a Cisco router device
> using SNMP?
>
> -tvs
Re: [c-nsp] Redistributing certain BGP routes into OSPF
Oh, well, if you set next hop self all eBGP routes will come in with DMZ's address. iBGP routes are never modified. They are long overdue for BGP; lots of other boxes already run it and have been for years.

On Wed, Apr 27, 2011 at 7:59 PM, Christopher J. Wargaski wrote:
> Hey Keegan--
>
> Yes, I have two routers separated by a firewall (which is incapable of
> running BGP). The two routers exchange routes via eBGP multi-hop without
> problem. Now, I would like to take some of those routes advertised by the
> DMZ-rtr (and learned by the Indy-rtr) and advertise them back to the ASA
> with the next hop being the DMZ-rtr.
>
> Re-advertising the routes is not the problem, I can do that fine.
> However, making the next-hop be the DMZ-rtr is the thing that I have not
> been able to do. After some more thought today, I am afraid this will just
> not work so I think I'll wait until the ASA will run BGP. (Which
> incidentally is targeted for late 2011.)
>
>
> cjw
[c-nsp] snmp config
Can anyone assist on how to retrieve configuration from a Cisco router device using SNMP?

-tvs
[c-nsp] 6PE question
Hi,

I need more advice on IPv6. The setup looks like rtr1 -- P -- rtr3 and it's a 6PE setup. The 7206 runs an SRE3 image and the 12k a 4.0.1 image.

rtr.LAB-7206G2#show ipv6 route 2001:920:0:f002:10:54:0:3
Routing entry for 2001:920:0:F002:10:54:0:3/128
  Known via "bgp 8220", distance 200, metric 0, type internal
  Route count is 1/1, share count 0
  Routing paths:
    10.54.0.3%default indirectly connected    <<< any idea abt this? it should be shown as ; also what is the % sign?
      MPLS label: 16048
      Last updated 17:58:59 ago

10.54.0.3 is the loopback IP of rtr1. But when I look on rtr3.lab for the rtr1.lab loopback, I see the following:

RP/0/9/CPU0:rtr3.LAB-12410#sh route ipv6 2001:920:0:F002:10:54:0:9
Mon Apr 25 22:47:31.344 UTC

Routing entry for 2001:920:0:f002:10:54:0:9/128
  Known via "bgp 8220", distance 200, metric 0, type internal
  Installed Apr 21 04:47:10.868 for 4d18h
  Routing Descriptor Blocks
    :::10.54.0.9, from :::10.54.0.6    << this is correct
      Nexthop in Vrf: "default", Table: "default", IPv4 Unicast, Table Id: 0xe000
      Route metric is 0
  No advertising protos.

Regards,
Vikas