Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Phil Mayers

On 12/09/2011 12:47 AM, Michael Balasko wrote:

> All,
>
> For the TL:DR crowd- Does anyone know dead nuts how the Catalyst 6500
> allocates SNMP ifindex numbers? Specifically the 6513/Sup720-10Gig?


Sort of.

It does it sequentially based on interface creation in my experience. If 
you take a completely empty box, chances are Te1/1 will have ifindex 1, 
Te1/2 ifindex 2, and so on.


For example, we have a "been in service long time" box, and the ifindex 
values are:


Te1/1 = 1
Te1/2 = 2
Te1/3 = 3
Te1/4 = 4
Gi5/1 = 5
Gi5/2 = 6
Gi6/1 = 7
Gi6/2 = 8
Gi8/1 = 9

...and when this chassis was initially powered up, it had a 6704 in slot
1, sup720 in slot 5 & 6, and SFP linecard in slot 8 & 9. The ifindex
values climb sequentially through those cards until I reach virtual
interfaces:


Vlan1 = 105
EOBC0/0 = 106
Null0 = 107
Loop1 = 108
Loop2 = 109

...and then into SVIs and such. As far as my memory can tell, the 
ifindex values seem to be sequential for when I created the SVIs; 
likewise, the newer linecards in other slots have much higher ifindex 
values.


So, I reckon it's sequential, but I can't explain why you're seeing 
other behaviour.


You've already indicated you're aware of the ability to persist ifindex 
values, but it sounds like you want to control the assignment of new ones?




> Subtext: We are converting our Core infrastructure switches from
> CatOS to IOS(YAY!)  and we have nearly 500 devices plugged into EACH
> of these monsters(WOW). The ifindexes of course are going to change
> and I would like to be able to predict them (HAHAHAH) to what they
> will be and or figure out if I can manipulate them such that I can
> have a script ready to realign our monitoring and trending systems.


I'm afraid not. AFAIK you can't specify an ifindex (which seems like it 
would be a pretty trivial feature - one global command for an 
"automatic" ifindex range, one per-interface command for a static value, 
presumably outside of that range).


I would plan to instead use snmp against e.g. ifName before and after, 
and upgrade your NMS. Tedious I know (especially if you are using 
something horrible, like Cacti ;o)


The only other suggestion I can make is to try copying the ifindex 
persist file for CatOS and IOS off - they might be the same format, or 
if not, it might be possible to convert one to the other, and "force" 
the IOS box to read the persist file.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
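
The before/after ifName comparison suggested in this thread, as an added example (not code from any poster on the list). It assumes net-snmp style `snmpwalk` output for IF-MIB::ifName and assumes CatOS reports physical ports as bare "module/port" while IOS adds a type prefix such as Gi or Te; the walk text and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of `snmpwalk` output for IF-MIB::ifName, symbolic or numeric OID.
_WALK_LINE = re.compile(
    r'(?:ifName|\.?1\.3\.6\.1\.2\.1\.31\.1\.1\.1\.1)\.(\d+)'
    r'\s*=\s*(?:STRING:\s*)?"?(.*?)"?\s*$'
)
# Optional interface-type prefix followed by module/port (e.g. Gi3/1, 3/1).
_PORT = re.compile(r'^[A-Za-z-]*\s*(\d+(?:/\d+)+)$')

# Constructed sample data: a walk taken before the conversion (CatOS naming
# is an assumption) and one taken after it (IOS naming).
BEFORE_WALK = """\
IF-MIB::ifName.1 = STRING: sc0
IF-MIB::ifName.5 = STRING: 5/1
IF-MIB::ifName.86 = STRING: 3/1
IF-MIB::ifName.87 = STRING: 3/2
"""
AFTER_WALK = """\
IF-MIB::ifName.5 = STRING: Gi5/1
IF-MIB::ifName.77 = STRING: Gi3/1
IF-MIB::ifName.78 = STRING: Gi3/2
IF-MIB::ifName.105 = STRING: Vlan1
"""


def parse_ifname_walk(text):
    """Return {ifIndex: ifName} from snmpwalk output; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = _WALK_LINE.search(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def port_key(name):
    """Reduce a physical port name to module/port so both OS styles compare equal.

    Names without a module/port part (Vlan1, sc0, ...) fall back to the
    lower-cased name, so they only match an identically named interface.
    """
    name = name.strip()
    m = _PORT.match(name)
    return m.group(1) if m else name.lower()


def build_remap(before, after):
    """Match interfaces by port_key and return (remap, unresolved, new_only).

    remap      {old ifIndex: new ifIndex} for unambiguous one-to-one matches
    unresolved {old ifIndex: old name} with no match or an ambiguous match
    new_only   {new ifIndex: new name} that no old interface mapped to
    """
    old_by_key, new_by_key = defaultdict(list), defaultdict(list)
    for idx, name in before.items():
        old_by_key[port_key(name)].append(idx)
    for idx, name in after.items():
        new_by_key[port_key(name)].append(idx)

    remap, unresolved = {}, {}
    for key, old_idxs in old_by_key.items():
        new_idxs = new_by_key.get(key, [])
        if len(old_idxs) == 1 and len(new_idxs) == 1:
            remap[old_idxs[0]] = new_idxs[0]
        else:
            # Never guess: leave these for a human to map by hand.
            for idx in old_idxs:
                unresolved[idx] = before[idx]

    mapped = set(remap.values())
    new_only = {i: n for i, n in after.items() if i not in mapped}
    return remap, unresolved, new_only


if __name__ == "__main__":
    before = parse_ifname_walk(BEFORE_WALK)
    after = parse_ifname_walk(AFTER_WALK)
    remap, unresolved, new_only = build_remap(before, after)
    print("old_ifindex,new_ifindex,old_name,new_name")
    for old, new in sorted(remap.items()):
        print(f"{old},{new},{before[old]},{after[new]}")
    for idx, name in sorted(unresolved.items()):
        print(f"# unresolved old ifIndex {idx} ({name})")
    for idx, name in sorted(new_only.items()):
        print(f"# new interface with no old counterpart: {idx} ({name})")
```

Take the first walk before the conversion and the second once the box is back up; the unresolved and new-only entries are the ones to check by hand before updating the NMS.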


Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Andrew Miehs
Why extended? A small perl/ruby script which collects the values
beforehand and then after reboot a second script that compares the
values and updates your software. Or do you set these things via a
clickable gui?

You should be back up and monitoring within 5 min.

On 09.12.2011, at 02:09, Michael Balasko wrote:

> That is what we are faced with so far as the only option but like I 
> mentioned, no visibility to over 500 physical devices for an extended period 
> of time makes bladder control difficult.


Re: [c-nsp] prefix lists updates and max prefix filters

2011-12-08 Thread Mark Tinka
On Friday, December 09, 2011 01:54:54 AM Mack McBride wrote:

>  If everyone used route registries to generate
> prefix lists and kept them up to date this wouldn't be
> as much of an issue. 

Many providers today, including so-called Tier-1's, have 
major issues with their RPSL infrastructure. We've had to 
bang them many times to manually accept our routes because 
their route server implementation that pulls from all 
reputable sources is simply broken.

Much pain has been seen over this.

RPKI is a solution, but that's an entirely different 
discussion :-).

> Thankfully with IPv6 most ASNs will only have one prefix
> and most of these issues are significantly reduced.  Ie.
> The prefix list at this point has a maximum of 7K
> entries.

I don't think this is something we should get comfortable 
about.

Mark.



Re: [c-nsp] ME3600 - HSRP with an EoMPLS vc as the bridging mechanism

2011-12-08 Thread Waris Sagheer (waris)
This configuration will not work. However you can achieve it through
"Routed Pseudowire" where you can configure the xconnect under "int
vlan".

-Waris


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jason Lixfeld
Sent: Thursday, December 08, 2011 8:18 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ME3600 - HSRP with an EoMPLS vc as the bridging
mechanism

Seeing as how the ME3x00X BU has epically shit the bed by omitting the
SPAN feature, I have no way to troubleshoot this as I experiment with
it, so maybe someone here has already tried and can tell me if I'm out
to lunch or not...

I want to configure HSRP on two ME3600s (15.1(2)EY) and I want to use an
EoMPLS VC to act as the bridging mechanism between the two EFPs, where
one would normally use a VLAN.

Is that possible with something like this? :

! me3600-1
!
interface loopback 0
 ip address 2.2.2.2
!
interface GigabitEthernet0/24
 switchport trunk allowed vlan none
 switchport mode trunk
 xconnect 1.1.1.1 1 encapsulation mpls
 service instance 1 ethernet
  encapsulation untagged
  l2protocol tunnel
  bridge-domain 10
 !
!
interface Vlan10
 ip address 10.10.10.253 255.255.255.0
 standby 1 ip 10.10.10.1
!

! me3600-2
!
interface loopback 0
 ip address 1.1.1.1
!
interface GigabitEthernet0/24
 switchport trunk allowed vlan none
 switchport mode trunk
 xconnect 2.2.2.2 1 encapsulation mpls
 service instance 1 ethernet
  encapsulation untagged
  l2protocol tunnel
  bridge-domain 10
 !
!
interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 standby 1 ip 10.10.10.1
!

Thanks in advance..




[c-nsp] ME3600 - HSRP with an EoMPLS vc as the bridging mechanism

2011-12-08 Thread Jason Lixfeld
Seeing as how the ME3x00X BU has epically shit the bed by omitting the SPAN 
feature, I have no way to troubleshoot this as I experiment with it, so maybe 
someone here has already tried and can tell me if I'm out to lunch or not...

I want to configure HSRP on two ME3600s (15.1(2)EY) and I want to use an EoMPLS 
VC to act as the bridging mechanism between the two EFPs, where one would 
normally use a VLAN.

Is that possible with something like this? :

! me3600-1
!
interface loopback 0
 ip address 2.2.2.2
!
interface GigabitEthernet0/24
 switchport trunk allowed vlan none
 switchport mode trunk
 xconnect 1.1.1.1 1 encapsulation mpls
 service instance 1 ethernet
  encapsulation untagged
  l2protocol tunnel
  bridge-domain 10
 !
!
interface Vlan10
 ip address 10.10.10.253 255.255.255.0
 standby 1 ip 10.10.10.1
!

! me3600-2
!
interface loopback 0
 ip address 1.1.1.1
!
interface GigabitEthernet0/24
 switchport trunk allowed vlan none
 switchport mode trunk
 xconnect 2.2.2.2 1 encapsulation mpls
 service instance 1 ethernet
  encapsulation untagged
  l2protocol tunnel
  bridge-domain 10
 !
!
interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 standby 1 ip 10.10.10.1
!

Thanks in advance..




Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Jared Mauch

On Dec 8, 2011, at 8:06 PM, Matlock, Kenneth L wrote:

> What you want is:
> 
> "snmp-server ifindex persist"
> 
> That will make the ifindex values persist, even across a full chassis reboot. 
> Get the mapping once, and then don't worry about it :)


The other solution is to use software that will do this on the backside vs 
forcing the router to track this.  You never know when you will have to swap a 
SUP or something else and lose that locally cached bit of information.

- Jared




Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Matlock, Kenneth L
What you want is:
 
"snmp-server ifindex persist"
 
That will make the ifindex values persist, even across a full chassis reboot. 
Get the mapping once, and then don't worry about it :)
 
Ken



From: cisco-nsp-boun...@puck.nether.net on behalf of Michael Balasko
Sent: Thu 12/8/2011 5:47 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic



All,


For the TL:DR crowd-
Does anyone know dead nuts how the Catalyst 6500 allocates SNMP ifindex 
numbers? Specifically the 6513/Sup720-10Gig?

Subtext:
We are converting our Core infrastructure switches from CatOS to IOS(YAY!)  and 
we have nearly 500 devices plugged into EACH of these monsters(WOW). The 
ifindexes of course are going to change and I would like to be able to predict 
them (HAHAHAH) to what they will be and or figure out if I can manipulate them 
such that I can have a script ready to realign our monitoring and trending 
systems.

I normally would take a same chassis and build the switch identical(Line card 
wise) to what is being converted and then when I swap the SUP's they all line 
up but in this case I am up the brown fecal river, paddle-less.

I've called TAC but I  got the we dunno its not supported answer.


More subtext:
I flipped a  Sup720 from Cat to IOS and then deleted the ifindex table from 
nvram: and then followed it up with a write erase. I powered off the switch, 
pulled every line card out and then powered up the switch. When the SUP was 
back alive I inserted a 6148TX into slot 3 and got an index number of 77 as the 
start index. The old one is 86.  I see that the Sup starts at 1 and the rest to 
me is not really decipherable.

So does anyone know the answer or THE 6K guy that knows who I could ask using 
beer or whatever beverage choice he would like?


Michael Balasko
CCSP,CCNP,MCSE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, Nv 89015

Coincidence, n.:
  You weren't paying attention to the other half of what was going on.



Re: [c-nsp] auto versioning of device configs, ala RANCID or ??

2011-12-08 Thread Koch, Andrew
On December 8, 2011 13:59, Garry wrote: 
> On 08.12.2011 19:59, Peter Rathlev wrote:
> > We use regular polling of variable in CISCO-CONFIG-MAN-MIB
> > (ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged) and
> > backup via OLD-CISCO-SYS-MIB::writeNet. It works very well and makes it
> > easy to customize.
> 
> Talking about using SNMP to initiate writing a config - this works fine
> on many Cisco devices, but fails on ASR1001 (works on our 1002F) and
> Nexus 5548 ... anybody know the updated MIB entry that does the same
> thing?
> 

OLD-CISCO-SYS-MIB has been deprecated.  Check out CISCO-CONFIG-COPY-MIB - see
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml
for further details.

Andy



Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Matlock, Kenneth L
Ahh, I completely misunderstood the question, my apologies! :)
 
Ken



From: Michael Balasko [mailto:michael.bala...@cityofhenderson.com]
Sent: Thu 12/8/2011 6:15 PM
To: Matlock, Kenneth L
Cc: 
Subject: Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic


Agreed- But it will NOT survive the CatOS to IOS conversion process and that is 
the part I am looking to get around. 


Michael Balasko
CCSP,CCNP,MCSE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, Nv 89015
P:702-267-4337
C:702-373-2730
 
Coincidence, n.:
  You weren't paying attention to the other half of what was going on.


Re: [c-nsp] OER Question

2011-12-08 Thread Jay Hennigan
On 12/8/11 2:27 AM, M K wrote:

> Hi , please guys anyone do not want to help can save his words for himself !!
> i heard about this forum and a lot of people who told me about it received a 
> lot of help
> i already have a solution but i am not sure if its complete

This looks like a homework or certification practice question.  If so,
groupstudy.com is your best place to ask it as others have suggested.

If this is a real production network, what behavior are you expecting
and what behavior are you getting?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Michael Balasko
Agreed- But it will NOT survive the CatOS to IOS conversion process and that is 
the part I am looking to get around.


Michael Balasko
CCSP,CCNP,MCSE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, Nv 89015
P:702-267-4337
C:702-373-2730

Coincidence, n.:
  You weren't paying attention to the other half of what was going on.

On Dec 8, 2011, at 5:06 PM, Matlock, Kenneth L wrote:

What you want is:

"snmp-server ifindex persist"

That will make the ifindex values persist, even across a full chassis reboot. 
Get the mapping once, and then don't worry about it :)

Ken



From: cisco-nsp-boun...@puck.nether.net on behalf of Michael Balasko
Sent: Thu 12/8/2011 5:47 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic



All,


For the TL:DR crowd-
Does anyone know dead nuts how the Catalyst 6500 allocates SNMP ifindex 
numbers? Specifically the 6513/Sup720-10Gig?

Subtext:
We are converting our Core infrastructure switches from CatOS to IOS(YAY!)  and 
we have nearly 500 devices plugged into EACH of these monsters(WOW). The 
ifindexes of course are going to change and I would like to be able to predict 
them (HAHAHAH) to what they will be and or figure out if I can manipulate them 
such that I can have a script ready to realign our monitoring and trending 
systems.

I normally would take a same chassis and build the switch identical(Line card 
wise) to what is being converted and then when I swap the SUP's they all line 
up but in this case I am up the brown fecal river, paddle-less.

I've called TAC but I  got the we dunno its not supported answer.


More subtext:
I flipped a  Sup720 from Cat to IOS and then deleted the ifindex table from 
nvram: and then followed it up with a write erase. I powered off the switch, 
pulled every line card out and then powered up the switch. When the SUP was 
back alive I inserted a 6148TX into slot 3 and got an index number of 77 as the 
start index. The old one is 86.  I see that the Sup starts at 1 and the rest to 
me is not really decipherable.

So does anyone know the answer or THE 6K guy that knows who I could ask using 
beer or whatever beverage choice he would like?


Michael Balasko
CCSP,CCNP,MCSE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, Nv 89015

Coincidence, n.:
 You weren't paying attention to the other half of what was going on.



Re: [c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Andrew Miehs

On 09/12/2011, at 1:47 AM, Michael Balasko wrote:
> I normally would take a same chassis and build the switch identical(Line card 
> wise) to what is being converted and then when I swap the SUP's they all line 
> up but in this case I am up the brown fecal river, paddle-less.
> 
> I've called TAC but I  got the we dunno its not supported answer.
> 
> 
> More subtext:
> I flipped a  Sup720 from Cat to IOS and then deleted the ifindex table from 
> nvram: and then followed it up with a write erase. I powered off the switch, 
> pulled every line card out and then powered up the switch. When the SUP was 
> back alive I inserted a 6148TX into slot 3 and got an index number of 77 as 
> the start index. The old one is 86.  I see that the Sup starts at 1 and the 
> rest to me is not really decipherable.

Although not the answer to your question, a possible work around would be to 
extract the interface names attached to each ifindex before and after the 
migration, and do your transposition based on that?

Cheers

Andrew


[c-nsp] Catalyst 6500 Snmp IfIndex Assignment Logic

2011-12-08 Thread Michael Balasko
All,


For the TL:DR crowd-
Does anyone know dead nuts how the Catalyst 6500 allocates SNMP ifindex 
numbers? Specifically the 6513/Sup720-10Gig?

Subtext:
We are converting our Core infrastructure switches from CatOS to IOS(YAY!)  and 
we have nearly 500 devices plugged into EACH of these monsters(WOW). The 
ifindexes of course are going to change and I would like to be able to predict 
them (HAHAHAH) to what they will be and or figure out if I can manipulate them 
such that I can have a script ready to realign our monitoring and trending 
systems.

I normally would take a same chassis and build the switch identical(Line card 
wise) to what is being converted and then when I swap the SUP's they all line 
up but in this case I am up the brown fecal river, paddle-less.

I've called TAC but I  got the we dunno its not supported answer.


More subtext:
I flipped a  Sup720 from Cat to IOS and then deleted the ifindex table from 
nvram: and then followed it up with a write erase. I powered off the switch, 
pulled every line card out and then powered up the switch. When the SUP was 
back alive I inserted a 6148TX into slot 3 and got an index number of 77 as the 
start index. The old one is 86.  I see that the Sup starts at 1 and the rest to 
me is not really decipherable.

So does anyone know the answer or THE 6K guy that knows who I could ask using 
beer or whatever beverage choice he would like?


Michael Balasko
CCSP,CCNP,MCSE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, Nv 89015

Coincidence, n.:
  You weren't paying attention to the other half of what was going on.



Re: [c-nsp] HSRP and removing connected route

2011-12-08 Thread Jay Nakamura
On Thu, Dec 8, 2011 at 4:44 PM, Jay Hennigan  wrote:
> On 12/8/11 12:23 PM, Jay Nakamura wrote:
>> So, the situation is this.
>>
>> Let's say I have a topology where there are two routers, each router
>> connected to separate switches, and the two switches are connected to
>> a gigabit ethernet WAN.
>
> Just to each other or to other resources on the WAN?

So, router A <-> switch C <-- WAN --> switch D <-> router B

Router A & switch C is in city X
Router B & switch D is in city Y

Router A and Router B has upstream connection out the internet.

>> One router and switch is in one city, other router and switch is in
>> another city.
>>
>> There is a VLAN that spans the two routers, two switches and servers
>> hosted in one city.
>
> Somewhat confused here, as previously you indicated that there was one
> router/switch pair in each city.  Or is it router/switch A along with
> servers in city A and router/switch B in city B that wants to reach the
> servers in city A?

Did the above explanation help with this question?

>> I have the VLAN on HSRP between the two routers.
>>
>> The problem is this.  When the gigabit WAN goes down, the one end of
>> the router without the host will still try to route that traffic out
>> it's VLAN.  Is there a way to prevent that by using IP SLA or track
>> command or some other trick?  Perhaps shutdown the subinterface auto
>> magically?  (Although, if it shuts it down, I am not sure how it will
>> detect that the service is back up)
>
> Is there a backup route via another path for the orphaned remote city to
> reach the servers?

There is through upstream connectivity to the internet.  But the route
it would have will be the default route so the more specific connected
route would be followed in City Y.



Re: [c-nsp] HSRP and removing connected route

2011-12-08 Thread Jay Nakamura
On Thu, Dec 8, 2011 at 5:30 PM, Phil Mayers  wrote:
> On 12/08/2011 08:23 PM, Jay Nakamura wrote:
> This is such an odd setup, I feel sure there is more to it than described.
>
> Question: why are you using HSRP at all? Why not just route from city 1 to
> city 2?

There is a long history where the condition and requirement has
changed repeatedly to end in this configuration.  I was trying to
figure out if there is a way to work around it or just have to
redesign it from bottom up.  I feel that it needs to be redesigned but
right now, not sure if that's feasible equipment and effort wise.


Re: [c-nsp] ASA 5505 SSH

2011-12-08 Thread Josh Farrelly
Make sure 'aaa authentication ssh console LOCAL' is set.
Confirm your settings are ok via 'show ssh'
Make sure you're connecting to the 'outside' address FROM the 'outside'
(e.g. if you're on the inside, and trying to connect to the outside
interface it will fail).

Regards,

Josh.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Querubin
Sent: Friday, 9 December 2011 11:31 a.m.
To: Rhino Lists
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5505 SSH

On Thu, 8 Dec 2011, Rhino Lists wrote:

> I have a newly configured ASA 5505 that for some reason will NOT 
> authenticate a user via SSH?
>
> I have the following:
>
> ssh 0.0.0.0 0.0.0.0 outside
>
> aaa authentication ssh console LOCAL
>
> and I have a username and password defined.  When I ssh it accepts the
> connection and keeps reporting Access Denied?
>
> I have also tried it without the aaa authentication ssh console LOCAL 
> and tried using the username pix with the password specified in the 
> config but I get same results?  Am I missing something?

Did you create the crypto key?

crypto key generate rsa general-keys

--
Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com


Re: [c-nsp] 3750 with IP-BASE, QoS

2011-12-08 Thread John Gill

Hi Mark,
You can use a policer to mark on conform and exceed, but you can mark 
separately from a policer configuration as well:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml#cg22

One can police on ingress, but we already drop within the output queues 
based on the queue or buffer available.  I don't believe the OP is 
looking to drop traffic unless it's lower priority under congestion, 
perhaps Joe can clarify?  If you prioritize your traffic on egress you 
will guarantee the rate you configure in the worst case scenario and 
will not limit it during times of no congestion.  A policer would work 
well in the scenario where you have a contractual agreement with 
downstream subscribers and they have to pay for overage.  Why limit 
yourself with a policer during times of no congestion?


One thing I can't determine is what the egress interface is, if it's an 
enterprise 1Gb/s port or maybe a transparent LAN service, maybe Joe can 
expand on that. If it is a sub-rate ethernet interface, there is another 
feature on this platform that can idle the Tx interface to make these 
ratios comparable for something less than line rate.  The srr-queue 
bandwidth-limit command will let you assume the interface is a different 
speed, and the ratios of bandwidth can be calculated off of this new value.


Regards,
John Gill
cisco


On 12/8/11 4:48 PM, Mack McBride wrote:

Errr not to be contrary but you use input policing to mark(classify) CoS on 
conform and exceed.
I don't think the OP wants to use drop though.

Mack

-Original Message-
From: John Gill [mailto:johg...@cisco.com]
Sent: Thursday, December 08, 2011 2:20 PM
To: Mack McBride
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 with IP-BASE, QoS

Well, you wouldn't want to police unless there was congestion.  The 3750 can 
use shared SRR queues as well as priority queuing to guarantee strict priority.

You will need to familiarize yourself with the QoS operations in the
platform:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml

You can use the access lists to classify this traffic into different DSCP or 
COS values, and then map those values to the desired queue and threshold.

  From there, you can then configure your srr queuing to guarantee a % of the 
time to a given queue.  Note you cannot set a bandwidth in Mb/s, but rather a 
ratio of weights will be used.

For example:
srr-queue bandwidth share 10 20 30 40
priority-queue out

This means if there is traffic in the priority queue, it is serviced.
While there is no traffic in the priority queue, you will see queue 1 get 
10/100 or 10% of the interface time to transmit, guaranteed (again, assuming no 
priority traffic).  If that is a 1Gb/s interface, that's 100Mb.  If it was a 
100Mb/s interface, you would be guaranteeing 10Mb/s.
   You can adjust the shared values accordingly to get acceptable numbers, the 
range is 1-255 last time I checked.

Regards,
John Gill
cisco


On 12/8/11 2:24 PM, Mack McBride wrote:

On the 3750 you would use a police statement with rate, burst, exceeds and 
violates.
The rate would be your various bandwidths.
The burst would be calculated from the rate.
It sounds like you only want to push these into queues, so you mark
your CoS on input using the police statements.  Then the queue sizes would be 
set on the various ports.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Freeman
Sent: Thursday, December 08, 2011 12:02 PM
To: Cisco-nsp
Subject: [c-nsp] 3750 with IP-BASE, QoS

I've inherited a site that's a mix of a 3750 stack and Force 10 gear.
the 3750 stack is where the layer 3 is happening between vlans in that site. I 
have a need to implement QoS for some voice traffic.

Since the 3750 doesn't do QoS the way the routers do, I'm sort of at a 
standstill..

ip access-list extended AgentVoice1
 permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 80
 permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 443
 permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8081
 permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8843
 permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8880
 permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 2200 2300
 permit udp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 1024 65535
 permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 5060 5063
 permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 8000 8007

ip access-list ext AgentAppsList
 permit ip 10.52.200.0 0.0.1.255 host 10.4.77.48
 permit ip 10.52.200.0 0.0.1.255 XX.XX.XX.230 0.0.0.1
 permit ip host 10.4.77.48 10.52.200.0 0.0.1.255
 permit ip XX.XX.XX.230 0.0.0.1 10.52.200.0 0.0.1.255

ip access-list ext AgentVoice2
 permit ip 10.52.133.0 0.0.1.255 10.100.5.0 0.0.0.255
 permit ip 10.52.133.0 0.0.1.255 10.59.5.0 0.0.0.255
 permit ip 10.100.5.0

Re: [c-nsp] ASA 5505 SSH

2011-12-08 Thread Antonio Querubin

On Thu, 8 Dec 2011, Rhino Lists wrote:


> I have a newly configured ASA 5505 that for some reason will NOT
> authenticate a user via SSH?
>
> I have the following:
>
> ssh 0.0.0.0 0.0.0.0 outside
>
> aaa authentication ssh console LOCAL
>
> and I have a username and password defined.  When I ssh it accepts the
> connection and keeps reporting Access Denied?
>
> I have also tried it without the aaa authentication ssh console LOCAL and
> tried using the username pix with the password specified in the config but I
> get same results?  Am I missing something?


Did you create the crypto key?

crypto key generate rsa general-keys

--
Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] HSRP and removing connected route

2011-12-08 Thread Phil Mayers

On 12/08/2011 08:23 PM, Jay Nakamura wrote:

So, the situation is this.

Let's say I have a topology where there are two routers, each router
connected to separate switches, and the two switches are connected to
a gigabit ethernet WAN.

One router and switch is in one city, other router and switch is in
another city.

There is a VLAN that spans the two routers, two switches and servers
hosted in one city.

I have the VLAN on HSRP between the two routers.

The problem is this.  When the gigabit WAN goes down, the one end of
the router without the host will still try to route that traffic out
its VLAN.  Is there a way to prevent that by using IP SLA or track
command or some other trick?  Perhaps shutdown the subinterface auto
magically?  (Although, if it shuts it down, I am not sure how it will
detect that the service is back up)

Or is there something I am not thinking of I should be doing other than HSRP?


This is such an odd setup, I feel sure there is more to it than described.

Question: why are you using HSRP at all? Why not just route from city 1 
to city 2?



Re: [c-nsp] 3750 with IP-BASE, QoS

2011-12-08 Thread Mack McBride
Errr not to be contrary but you use input policing to mark(classify) CoS on 
conform and exceed.
I don't think the OP wants to use drop though.

Mack

-Original Message-
From: John Gill [mailto:johg...@cisco.com] 
Sent: Thursday, December 08, 2011 2:20 PM
To: Mack McBride
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 3750 with IP-BASE, QoS

Well, you wouldn't want to police unless there was congestion.  The 3750 can 
use shared SRR queues as well as priority queuing to guarantee strict priority.

You will need to familiarize yourself with the QoS operations in the
platform:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml

You can use the access lists to classify this traffic into different DSCP or 
COS values, and then map those values to the desired queue and threshold.

 From there, you can then configure your srr queuing to guarantee a % of the 
time to a given queue.  Note you cannot set a bandwidth in Mb/s, but rather a 
ratio of weights will be used.

For example:
srr-queue bandwidth share 10 20 30 40
priority-queue out

This means if there is traffic in the priority queue, it is serviced. 
While there is no traffic in the priority queue, you will see queue 1 get 
10/100 or 10% of the interface time to transmit, guaranteed (again, assuming no 
priority traffic).  If that is a 1Gb/s interface, that's 100Mb.  If it was a 
100Mb/s interface, you would be guaranteeing 10Mb/s. 
  You can adjust the shared values accordingly to get acceptable numbers, the 
range is 1-255 last time I checked.

Regards,
John Gill
cisco


On 12/8/11 2:24 PM, Mack McBride wrote:
> On the 3750 you would use a police statement with rate, burst, exceeds and 
> violates.
> The rate would be your various bandwidths.
> The burst would be calculated from the rate.
> It sounds like you only want to push these into queues, so you mark 
> your CoS on input using the police statements.  Then the queue sizes would be 
> set on the various ports.
>
> LR Mack McBride
> Network Architect
>
> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Freeman
> Sent: Thursday, December 08, 2011 12:02 PM
> To: Cisco-nsp
> Subject: [c-nsp] 3750 with IP-BASE, QoS
>
> I've inherited a site that's a mix of a 3750 stack and Force 10 gear.
> the 3750 stack is where the layer 3 is happening between vlans in that site. 
> I have a need to implement QoS for some voice traffic.
>
> Since the 3750 doesn't do QoS the way the routers do, I'm sort of at a 
> standstill..
>
> ip access-list extended AgentVoice1
> permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 80
> permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 443
> permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8081
> permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8843
> permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8880
> permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 2200 2300
> permit udp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 1024 65535
> permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 5060 5063
> permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 8000 8007
>
> ip access-list ext AgentAppsList
> permit ip 10.52.200.0 0.0.1.255 host 10.4.77.48
> permit ip 10.52.200.0 0.0.1.255 XX.XX.XX.230 0.0.0.1
> permit ip host 10.4.77.48 10.52.200.0 0.0.1.255
> permit ip XX.XX.XX.230 0.0.0.1 10.52.200.0 0.0.1.255
>
> ip access-list ext AgentVoice2
> permit ip 10.52.133.0 0.0.1.255 10.100.5.0 0.0.0.255
> permit ip 10.52.133.0 0.0.1.255 10.59.5.0 0.0.0.255
> permit ip 10.100.5.0 0.0.0.255 10.52.133.0 0.0.1.255
> permit ip 10.59.5.0 0.0.0.255 10.52.133.0 0.0.1.255
>
> class-map match-all Voice1
> descr All voice traffic for agent group 1
> match access-group name AgentVoice1
>
> class-map match-all AgentApps
> descr Agent application traffic to/from Agent Applications
> match access-group name AgentAppsList
>
> class-map match-all Agent_Voice_other
> descr Agent group2 voice traffic
> match access-group name Agent_Voice2
>
> policy-map Basic_QoS
> class Voice1
> ! should be set to guarantee 32Mbps, low latency, priority queuing
> class AgentApps
> ! should be set to guarantee 8M, normal queuing (mostly http and rdp traffic)
> class Agent_Voice_other
> ! should be set to guarantee 12M, low latency, priority queuing
> class class-default
> ! gets whatever is leftover/available
>
>
> So, the question is... how do I map that into a qos config that works
> (well) on the 3750?

Re: [c-nsp] HSRP and removing connected route

2011-12-08 Thread Jay Hennigan
On 12/8/11 12:23 PM, Jay Nakamura wrote:
> So, the situation is this.
> 
> Let's say I have a topology where there are two routers, each router
> connected to separate switches, and the two switches are connected to
> a gigabit ethernet WAN.

Just to each other or to other resources on the WAN?

> One router and switch is in one city, other router and switch is in
> another city.
> 
> There is a VLAN that spans the two routers, two switches and servers
> hosted in one city.

Somewhat confused here, as previously you indicated that there was one
router/switch pair in each city.  Or is it router/switch A along with
servers in city A and router/switch B in city B that wants to reach the
servers in city A?

> I have the VLAN on HSRP between the two routers.
> 
> The problem is this.  When the gigabit WAN goes down, the one end of
> the router without the host will still try to route that traffic out
> its VLAN.  Is there a way to prevent that by using IP SLA or track
> command or some other trick?  Perhaps shutdown the subinterface auto
> magically?  (Although, if it shuts it down, I am not sure how it will
> detect that the service is back up)

Is there a backup route via another path for the orphaned remote city to
reach the servers?

If the link goes down, HSRP will fail to see heartbeats and both routers
will assume the virtual IP and primary role.  This may not be what you
want, but if the orphaned end is connected to nothing it probably won't
hurt anything.  You probably want to use preempt if you want one router
to be "sticky" as primary after a failure and recovery.

You can certainly use IP SLA and track to pull down a static route
should the other end not be pingable.  Unless there's a backup path it
won't do anything useful, though.

I wouldn't shut down the VLAN unless you WANT to have to manually bring
it back up after a failure.

> Or is there something I am not thinking of I should be doing other than HSRP?

If a host on the WAN link that is critical to reach is a router you can
run a routing protocol over it such as OSPF.  Depending on exactly what
the problem is that you're trying to solve you might also be able to use
a routing protocol instead of HSRP just between the pair to determine
what to do in case of a link failure.

Things to consider are other potential failure modes, convergence time,
scalability and growth.  HSRP with IP/SLA and track are probably fine
for a pair of devices, but if you expect this to grow to other sites you
might want to consider a routing protocol.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: [c-nsp] ASA 5505 SSH

2011-12-08 Thread Rhino Lists
I setup the key, but here is the interesting thing that I have found.  I am
able to SSH to the asa via the PRIMARY Outside Interface no problems, but I
have a backup ISP on this ASA that I can't access even though it prompts me
for a username and password?

 

interface Vlan20
nameif outside
security-level 0
ip address x.x.x30 255.255.255.248
!
interface Vlan21
nameif backup
security-level 0
ip address x.x.x.122 255.255.255.252
!

ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup

From: Scott Voll [mailto:svoll.v...@gmail.com] 
Sent: Thursday, December 08, 2011 3:14 PM
To: Rhino Lists
Subject: Re: [c-nsp] ASA 5505 SSH

 

have you setup your rsa key?

hostname and domain I think are mandatory.

crypto key gen rsa

 

Scott

On Thu, Dec 8, 2011 at 12:00 PM, Rhino Lists  wrote:

I have a newly configured ASA 5505 that for some reason will NOT
authenticate a user via SSH?

I have the following:

ssh 0.0.0.0 0.0.0.0 outside

aaa authentication ssh console LOCAL

and I have a username and password defined.  When I ssh it accepts the
connection and keeps reporting Access Denied?

I have also tried it without the aaa authentication ssh console LOCAL and
tried using the username pix with the password specified in the config but I
get same results?  Am I missing something?




K



Re: [c-nsp] 3750 with IP-BASE, QoS

2011-12-08 Thread John Gill
Well, you wouldn't want to police unless there was congestion.  The 3750 
can use shared SRR queues as well as priority queuing to guarantee 
strict priority.


You will need to familiarize yourself with the QoS operations in the 
platform:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml

You can use the access lists to classify this traffic into different 
DSCP or COS values, and then map those values to the desired queue and 
threshold.


From there, you can then configure your srr queuing to guarantee a % of 
the time to a given queue.  Note you cannot set a bandwidth in Mb/s, but 
rather a ratio of weights will be used.


For example:
srr-queue bandwidth share 10 20 30 40
priority-queue out

This means if there is traffic in the priority queue, it is serviced. 
While there is no traffic in the priority queue, you will see queue 1 
get 10/100 or 10% of the interface time to transmit, guaranteed (again, 
assuming no priority traffic).  If that is a 1Gb/s interface, that's 
100Mb.  If it was a 100Mb/s interface, you would be guaranteeing 10Mb/s. 
 You can adjust the shared values accordingly to get acceptable 
numbers, the range is 1-255 last time I checked.


Regards,
John Gill
cisco


On 12/8/11 2:24 PM, Mack McBride wrote:

On the 3750 you would use a police statement with rate, burst, exceeds and 
violates.
The rate would be your various bandwidths.
The burst would be calculated from the rate.
It sounds like you only want to push these into queues, so you mark your CoS on 
input
using the police statements.  Then the queue sizes would be set on the various 
ports.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Freeman
Sent: Thursday, December 08, 2011 12:02 PM
To: Cisco-nsp
Subject: [c-nsp] 3750 with IP-BASE, QoS

I've inherited a site that's a mix of a 3750 stack and Force 10 gear.
the 3750 stack is where the layer 3 is happening between vlans in that site. I 
have a need to implement QoS for some voice traffic.

Since the 3750 doesn't do QoS the way the routers do, I'm sort of at a 
standstill..

ip access-list extended AgentVoice1
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 80
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 443
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8081
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8843
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8880
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 2200 2300
permit udp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 1024 65535
permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 5060 5063
permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 8000 8007

ip access-list ext AgentAppsList
permit ip 10.52.200.0 0.0.1.255 host 10.4.77.48
permit ip 10.52.200.0 0.0.1.255 XX.XX.XX.230 0.0.0.1
permit ip host 10.4.77.48 10.52.200.0 0.0.1.255
permit ip XX.XX.XX.230 0.0.0.1 10.52.200.0 0.0.1.255

ip access-list ext AgentVoice2
permit ip 10.52.133.0 0.0.1.255 10.100.5.0 0.0.0.255
permit ip 10.52.133.0 0.0.1.255 10.59.5.0 0.0.0.255
permit ip 10.100.5.0 0.0.0.255 10.52.133.0 0.0.1.255
permit ip 10.59.5.0 0.0.0.255 10.52.133.0 0.0.1.255

class-map match-all Voice1
descr All voice traffic for agent group 1
match access-group name AgentVoice1

class-map match-all AgentApps
descr Agent application traffic to/from Agent Applications
match access-group name AgentAppsList

class-map match-all Agent_Voice_other
descr Agent group2 voice traffic
match access-group name Agent_Voice2

policy-map Basic_QoS
class Voice1
! should be set to guarantee 32Mbps, low latency, priority queuing
class AgentApps
! should be set to guarantee 8M, normal queuing (mostly http and rdp traffic)
class Agent_Voice_other
! should be set to guarantee 12M, low latency, priority queuing
class class-default
! gets whatever is leftover/available


So, the question is... how do I map that into a qos config that works
(well) on the 3750?


Re: [c-nsp] ASA 5505 SSH

2011-12-08 Thread Javier Henderson

On Dec 8, 2011, at 3:00 PM, Rhino Lists wrote:

> I have a newly configured ASA 5505 that for some reason will NOT
> authenticate a user via SSH?
> 
> I have the following:
> 
> ssh 0.0.0.0 0.0.0.0 outside
> 
> aaa authentication ssh console LOCAL
> 
> and I have a username and password defined.  When I ssh it accepts the
> connection and keeps reporting Access Denied?
> 
> I have also tried it without the aaa authentication ssh console LOCAL and
> tried using the username pix with the password specified in the config but I
> get same results?  Am I missing something?

Do you have:

aaa server LOCAL protocol local

in your config?

-jav




[c-nsp] ASA 5505 SSH

2011-12-08 Thread Rhino Lists
I have a newly configured ASA 5505 that for some reason will NOT
authenticate a user via SSH?

I have the following:

ssh 0.0.0.0 0.0.0.0 outside

aaa authentication ssh console LOCAL

and I have a username and password defined.  When I ssh it accepts the
connection and keeps reporting Access Denied?

I have also tried it without the aaa authentication ssh console LOCAL and
tried using the username pix with the password specified in the config but I
get same results?  Am I missing something?




K



[c-nsp] HSRP and removing connected route

2011-12-08 Thread Jay Nakamura
So, the situation is this.

Let's say I have a topology where there are two routers, each router
connected to separate switches, and the two switches are connected to
a gigabit ethernet WAN.

One router and switch is in one city, other router and switch is in
another city.

There is a VLAN that spans the two routers, two switches and servers
hosted in one city.

I have the VLAN on HSRP between the two routers.

The problem is this.  When the gigabit WAN goes down, the one end of
the router without the host will still try to route that traffic out
its VLAN.  Is there a way to prevent that by using IP SLA or track
command or some other trick?  Perhaps shutdown the subinterface auto
magically?  (Although, if it shuts it down, I am not sure how it will
detect that the service is back up)

Or is there something I am not thinking of I should be doing other than HSRP?


Re: [c-nsp] auto versioning of device configs, ala RANCID or ??

2011-12-08 Thread Garry
On 08.12.2011 19:59, Peter Rathlev wrote:
> We use regular polling of variables in CISCO-CONFIG-MAN-MIB
> (ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged) and
> backup via OLD-CISCO-SYS-MIB::writeNet. It works very well and makes it
> easy to customize.

Talking about using SNMP to initiate writing a config - this works fine
on many Cisco devices, but fails on ASR1001 (works on our 1002F) and
Nexus 5548 ... anybody know the updated MIB entry that does the same thing?

Tnx, -garry


Re: [c-nsp] 3750 with IP-BASE, QoS

2011-12-08 Thread Mack McBride
On the 3750 you would use a police statement with rate, burst, exceeds and 
violates.
The rate would be your various bandwidths.
The burst would be calculated from the rate.
It sounds like you only want to push these into queues, so you mark your CoS on 
input
using the police statements.  Then the queue sizes would be set on the various 
ports.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Joe Freeman
Sent: Thursday, December 08, 2011 12:02 PM
To: Cisco-nsp
Subject: [c-nsp] 3750 with IP-BASE, QoS

I've inherited a site that's a mix of a 3750 stack and Force 10 gear.
the 3750 stack is where the layer 3 is happening between vlans in that site. I 
have a need to implement QoS for some voice traffic.

Since the 3750 doesn't do QoS the way the routers do, I'm sort of at a 
standstill..

ip access-list extended AgentVoice1
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 80
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 443
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8081
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8843
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8880
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 2200 2300
permit udp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 1024 65535
permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 5060 5063
permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 8000 8007

ip access-list ext AgentAppsList
permit ip 10.52.200.0 0.0.1.255 host 10.4.77.48
permit ip 10.52.200.0 0.0.1.255 XX.XX.XX.230 0.0.0.1
permit ip host 10.4.77.48 10.52.200.0 0.0.1.255
permit ip XX.XX.XX.230 0.0.0.1 10.52.200.0 0.0.1.255

ip access-list ext AgentVoice2
permit ip 10.52.133.0 0.0.1.255 10.100.5.0 0.0.0.255
permit ip 10.52.133.0 0.0.1.255 10.59.5.0 0.0.0.255
permit ip 10.100.5.0 0.0.0.255 10.52.133.0 0.0.1.255
permit ip 10.59.5.0 0.0.0.255 10.52.133.0 0.0.1.255

class-map match-all Voice1
descr All voice traffic for agent group 1
match access-group name AgentVoice1

class-map match-all AgentApps
descr Agent application traffic to/from Agent Applications
match access-group name AgentAppsList

class-map match-all Agent_Voice_other
descr Agent group2 voice traffic
match access-group name Agent_Voice2

policy-map Basic_QoS
class Voice1
! should be set to guarantee 32Mbps, low latency, priority queuing
class AgentApps
! should be set to guarantee 8M, normal queuing (mostly http and rdp traffic)
class Agent_Voice_other
! should be set to guarantee 12M, low latency, priority queuing
class class-default
! gets whatever is leftover/available


So, the question is... how do I map that into a qos config that works
(well) on the 3750?


[c-nsp] 3750 with IP-BASE, QoS

2011-12-08 Thread Joe Freeman
I've inherited a site that's a mix of a 3750 stack and Force 10 gear.
the 3750 stack is where the layer 3 is happening between vlans in that
site. I have a need to implement QoS for some voice traffic.

Since the 3750 doesn't do QoS the way the routers do, I'm sort of at a
standstill..

ip access-list extended AgentVoice1
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 80
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 443
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8081
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8843
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 eq 8880
permit tcp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 2200 2300
permit udp 10.52.200.0 0.0.1.255 XX.XX.XX.0 0.0.0.255 range 1024 65535
permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 5060 5063
permit udp XX.XX.XX.0 0.0.0.255 10.52.200.0 0.0.1.255 range 8000 8007

ip access-list ext AgentAppsList
permit ip 10.52.200.0 0.0.1.255 host 10.4.77.48
permit ip 10.52.200.0 0.0.1.255 XX.XX.XX.230 0.0.0.1
permit ip host 10.4.77.48 10.52.200.0 0.0.1.255
permit ip XX.XX.XX.230 0.0.0.1 10.52.200.0 0.0.1.255

ip access-list ext AgentVoice2
permit ip 10.52.133.0 0.0.1.255 10.100.5.0 0.0.0.255
permit ip 10.52.133.0 0.0.1.255 10.59.5.0 0.0.0.255
permit ip 10.100.5.0 0.0.0.255 10.52.133.0 0.0.1.255
permit ip 10.59.5.0 0.0.0.255 10.52.133.0 0.0.1.255

class-map match-all Voice1
descr All voice traffic for agent group 1
match access-group name AgentVoice1

class-map match-all AgentApps
descr Agent application traffic to/from Agent Applications
match access-group name AgentAppsList

class-map match-all Agent_Voice_other
descr Agent group2 voice traffic
match access-group name Agent_Voice2

policy-map Basic_QoS
class Voice1
! should be set to guarantee 32Mbps, low latency, priority queuing
class AgentApps
! should be set to guarantee 8M, normal queuing (mostly http and rdp traffic)
class Agent_Voice_other
! should be set to guarantee 12M, low latency, priority queuing
class class-default
! gets whatever is leftover/available


So, the question is... how do I map that into a qos config that works
(well) on the 3750?


Re: [c-nsp] auto versioning of device configs, ala RANCID or ??

2011-12-08 Thread Peter Rathlev
On Thu, 2011-12-08 at 13:08 +, John Brown wrote:
> What is the list.wisdom on automating the capture of device config and
> config changes ??
> 
> RANCID is what we have used in the past.  Just wondering if there is
> something "newer / better"

Probably +1 for RANCID unless you like to tinker. ;-) I haven't tried
RANCID myself but it comes highly recommended.

We use regular polling of variables in CISCO-CONFIG-MAN-MIB
(ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged) and
backup via OLD-CISCO-SYS-MIB::writeNet. It works very well and makes it
easy to customize.

-- 
Peter
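
The change-detection polling described in the message above, as an added example (not code from the original post or from any tool named in the thread): it takes already-fetched TimeTicks values for sysUpTime, ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged and decides when a config backup is due. The `Poll` and `Decision` types, the constructed sample values, and the treatment of a zero timestamp as "no event since boot" are assumptions of the example; the SNMP fetch and the writeNet trigger are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Poll:
    """One poll of a device; every field is a TimeTicks value (1/100 s)."""
    sys_uptime: int            # sysUpTime at poll time
    running_last_changed: int  # ccmHistoryRunningLastChanged
    startup_last_changed: int  # ccmHistoryStartupLastChanged


@dataclass(frozen=True)
class Decision:
    backup: bool               # fetch a fresh copy of the config now?
    unsaved: Optional[bool]    # running-config newer than startup-config?
    reasons: Tuple[str, ...]   # why a backup was requested (empty if not)


def unsaved_changes(cur: Poll) -> Optional[bool]:
    """Heuristic: running-config touched after startup-config was written.

    Assumption of this example: a startup timestamp of 0 means the startup
    config has not been written since boot, so the two timestamps cannot
    separate the boot-time config load from a later edit. Report "unknown".
    """
    if cur.startup_last_changed == 0:
        return None
    return cur.running_last_changed > cur.startup_last_changed


def evaluate(prev: Optional[Poll], cur: Poll) -> Decision:
    """Compare the current poll with the previous one for the same device."""
    reasons: List[str] = []
    if prev is None:
        # Nothing to compare against: take a baseline copy.
        reasons.append("first poll")
    elif cur.sys_uptime < prev.sys_uptime:
        # Reload or TimeTicks wrap: the stored timestamps belong to another
        # uptime epoch, so comparing them would hide or invent changes.
        reasons.append("sysUpTime went backwards")
    else:
        # Use != rather than >: any movement of the timestamp is an event.
        if cur.running_last_changed != prev.running_last_changed:
            reasons.append("running-config changed")
        if cur.startup_last_changed != prev.startup_last_changed:
            reasons.append("startup-config written")
    return Decision(bool(reasons), unsaved_changes(cur), tuple(reasons))


def run(polls: List[Poll]) -> List[Decision]:
    """Feed a time-ordered series of polls through evaluate()."""
    decisions = []
    prev: Optional[Poll] = None
    for cur in polls:
        decisions.append(evaluate(prev, cur))
        prev = cur
    return decisions


# Constructed sample data (not taken from a real device).
SAMPLE_POLLS = [
    Poll(100_000, 5_000, 6_000),      # baseline, config saved
    Poll(130_000, 5_000, 6_000),      # nothing happened
    Poll(160_000, 150_000, 6_000),    # running-config edited, not saved
    Poll(190_000, 150_000, 170_000),  # startup-config written afterwards
    Poll(3_000, 1_200, 0),            # device reloaded between polls
]

if __name__ == "__main__":
    for poll, decision in zip(SAMPLE_POLLS, run(SAMPLE_POLLS)):
        print(poll.sys_uptime, decision)
```

A poll where `unsaved` stays true across several intervals is worth alerting on separately from the backup itself, since the change will be lost on reload.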




Re: [c-nsp] HP Loop-protect on Cisco

2011-12-08 Thread Peter Rathlev
On Thu, 2011-12-08 at 17:16 +0100, Andrew Miehs wrote:
> Using an old switch I have in my lab :
>  
> Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
> 12.2(44)SE6, RELEASE SOFTWARE (fc1)

I forgot to specify what I was using. :-) The specific messages were from
a 3550 running 12.2(52)SE:

 Cisco IOS Software, C3550 Software (C3550-IPBASEK9-M), Version
   12.2(52)SE, RELEASE SOFTWARE (fc3)

I'd have thought you would see the same messages. The specific loop on
my "test switch" was caused by Type-1 cable and some kind of defective
balun.

> If I connect an unmanaged 8 port switch to cat3550-0/1 and once it is
> connected create a loop on the 8 port switch:
>  
> *Mar  1 02:15:32.811: %LINK-3-UPDOWN: Interface FastEthernet0/1,
> changed state to up
> *Mar  1 02:15:33.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthernet0/1, changed state to down
> *Mar  1 02:15:34.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthernet0/1, changed state to up
> *Mar  1 02:17:29.003: %SYS-2-MALLOCFAIL: Memory allocation of 1692
> bytes failed from 0x158568, alignment 0
> Pool: I/O  Free: 21284  Cause: Memory fragmentation
> Alternate Pool: None  Free: 0  Cause: No Alternate pool
>  -Process= "Pool Manager", ipl= 0, pid= 5

Hmm... I'd have thought that these switches should never experience
malloc failures. Is this reproducible across reboots? It might relate to
an IOS bug.

The ethernet loopback test wouldn't work/activate if the neighbor is a
switch, since that isn't a direct physical loop.

> *Mar  1 02:17:35.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthernet0/1, changed state to down
> *Mar  1 02:17:40.779: %PM-4-ERR_DISABLE: dtp-flap error detected on
> Fa0/1, putting Fa0/1 in err-disable state

Would this mean that the dumb switch sends the DTP frames back toward
the 3550 because of the loop?

You should be able to use BPDU Guard to prevent loops like this.

> So unfortunately on this old switch the port only goes down if the
> loop occurs after the interface comes up on the Cisco.
> I will try this with a newer switch which has the
> "ETHCNTR-3-LOOP_BACK_DETECTED" feature in the next few days.

I'm pretty sure that the loopback test was "always" there, and most
certainly in 12.2(44)SE, which isn't all that old. But the loopback-test
only works if the cable itself (or a dumb hub) creates a loop. A logical
loop through a switch (no matter how dumb) would never result in this
kind of loopback.

BPDU Guard is the answer here.

-- 
Peter





Re: [c-nsp] prefix lists updates and max prefix filters

2011-12-08 Thread Mack McBride
We have pretty good route-maps and we still wind up changing them every so 
often.
Most of these changes relate to adding additional community translations for 
things
received from customers and sent to upstreams.

So having a second level of filtering is still a good idea.

Of course we have gotten most of our upstreams to filter on a route registry.
We still have a couple that are manual updates.

Mack


-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Thursday, December 08, 2011 11:36 AM
To: Mack McBride
Cc: Pete Templin; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] prefix lists updates and max prefix filters

Hi,

On Thu, Dec 08, 2011 at 09:54:54AM -0800, Mack McBride wrote:
> I should have said not filtering with a prefix list is not really an answer.
> Any time the route-map has to be changed you can and often do get leakage.

There is no need to ever change that route-map.  Which is the great thing about 
this scheme :-)

> Therefore you need a second method of filtering.

No...

> The upstream should also be filtering.

Yes.

>  If everyone used route registries to generate prefix lists and 
> kept them up to date this wouldn't be as much of an issue. 
> 
> Thankfully with IPv6 most ASNs will only have one prefix and most of 
> these issues are significantly reduced.  Ie. The prefix list at this point 
> has a maximum of 7K entries.

True, but IPv6 won't magically make those lazy upstreams start filtering their 
downstreams.  Even if it's less lines of auto-generated prefix lists.

gert
--
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] prefix lists updates and max prefix filters

2011-12-08 Thread Gert Doering
Hi,

On Thu, Dec 08, 2011 at 09:54:54AM -0800, Mack McBride wrote:
> I should have said not filtering with a prefix list is not really an answer.
> Any time the route-map has to be changed you can and often do get leakage.

There is no need to ever change that route-map.  Which is the great
thing about this scheme :-)

> Therefore you need a second method of filtering.

No...

> The upstream should also be filtering.

Yes.

>  If everyone used route registries to generate prefix lists and kept 
> them up to date 
> this wouldn't be as much of an issue. 
> 
> Thankfully with IPv6 most ASNs will only have one prefix and most of these 
> issues are
> significantly reduced.  Ie. The prefix list at this point has a maximum of 7K 
> entries.

True, but IPv6 won't magically make those lazy upstreams start filtering
their downstreams.  Even if it's less lines of auto-generated prefix lists.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] GSR 12410 vs XR 12410

2011-12-08 Thread Gert Doering
Hi,

On Thu, Dec 08, 2011 at 09:47:59AM -0800, Mack McBride wrote:
> The 6500 product line has roadmap out to 2020 and beyond.
> Keep in mind that the ASR platforms support much larger route tables than
> the 6500.  The 6500 is probably not going to be viable for full routing tables
> in two years given the de-aggregation expected in the IPv4 space.

How many routing table slots will the ASRs (which ones, btw, 1k, 9k, 9xx?)
support?

Sup720-XL and Sup-2T for the 6500 give me 1 million, which we'll partition
to something like 600k IPv4 / 200k IPv6, which will be fine for us for 
many years to come - but we don't take full routing tables anyway, filtering
out /24+/23 more-specifics from non-RIPE-/8s (adding a default route).

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Jon Lewis

On Thu, 8 Dec 2011, Seth Mattinen wrote:

> On 12/8/11 9:38 AM, Jon Lewis wrote:
>> On Thu, 8 Dec 2011, Seth Mattinen wrote:
>>
>>> And the 6148A supports jumbo frames, if that matters. But yeah, it has
>>> 2.6MB per port buffers instead of 1MB shared across 8 ports.
>>
>> It's supposed to have more than that.
>>
>> https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a0080131086.html
>
> Hmm, I normally look at this one:
>
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet0900aecd8017376e.html
>
> Either way it's still per-port.

Interesting.  I wonder which, if either, is correct?

--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Dimuth Ileperuma


Dimuth Ileperuma MSc, CCIP
Principal Cisco Engineer
For and on behalf of
BUSINESS ENVIRONMENT LIMITED
Part of the Business Environment group of companies

Tel:   +44 (0) 207 959 6033
Fax:  +44 (0) 207 959 6041
Email:   dim...@beoffices.com
Web:www.beoffices.com

Business Environment Limited | 12 Groveland Court | Bow Lane | London | EC4M 9EH



- Original Message -
From: cisco-nsp-boun...@puck.nether.net 
To: Łukasz Bromirski ; cisco-nsp@puck.nether.net 

Sent: Thu Dec 08 12:52:39 2011
Subject: Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

You need the newer fan module though for the SUP720/RSP720

Kind regards,
Sibbi

Þann 7.12.2011 23:29, skrifaði "Łukasz Bromirski" :

>On 2011-12-08 00:25, Andrew Miehs wrote:
>
>>> The 67XX/69XX cards are incompatible with the Sup2/Sup32 since they are
>>> non-fabric enabled supervisors.
>>> For the 67XX cards you'll need a SUP/RSP720
>> And he/ you will require an "-E" chassis.
>
>Sup720 and 67xx will actually work in non E chassis.
>
>You need E chassis for Sup2T and new 80Gbit/s LCs.
>
>--
>"There's no sense in being precise when |   Łukasz Bromirski
>  you don't know what you're talking |  jid:lbromir...@jabber.org
>  about."   John von Neumann |http://lukasz.bromirski.net

Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Seth Mattinen
On 12/8/11 9:38 AM, Jon Lewis wrote:
> On Thu, 8 Dec 2011, Seth Mattinen wrote:
> 
>> And the 6148A supports jumbo frames, if that matters. But yeah, it has
>> 2.6MB per port buffers instead of 1MB shared across 8 ports.
> 
> It's supposed to have more than that.
> 
> https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a0080131086.html
> 

Hmm, I normally look at this one:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet0900aecd8017376e.html

Either way it's still per-port.

~Seth




Re: [c-nsp] GSR 12410 vs XR 12410

2011-12-08 Thread Mack McBride
Based on your requirements, you may want an ASR 1006 with ESP 40.
The maintenance on an ASR 1k will be lower than the GSR.
You don't mention what cards you have in the GSR.
Some of them may not be compatible with the XR code.

I would recommend against new 7600 deployments since the platform
seems to be lacking a roadmap.  The ASR 9K is the probable replacement for the 
7600.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Wednesday, December 07, 2011 9:31 AM
To: 'John Brown'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] GSR 12410 vs XR 12410

Not sure if anyone pointed this out yet sorry for the late reply but you don't 
need IOS XR to do what you're proposing with a GSR 12410.

Thanks,
-Drew


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Brown
Sent: Monday, December 05, 2011 11:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR 12410 vs XR 12410

Is there a way to make a 12410 into a XR ??

Or would it be better to go down the 7600 route.

Need to Route 1GigE and a few 10GigE interfaces between POP sites.
Full BGP v4 and v6

Thanks



Re: [c-nsp] prefix lists updates and max prefix filters

2011-12-08 Thread Mack McBride
I should have said not filtering with a prefix list is not really an answer.
Any time the route-map has to be changed you can and often do get leakage.
Therefore you need a second method of filtering.
The upstream should also be filtering.

 If everyone used route registries to generate prefix lists and kept them 
up to date 
this wouldn't be as much of an issue. 

Thankfully with IPv6 most ASNs will only have one prefix and most of these 
issues are
significantly reduced.  Ie. The prefix list at this point has a maximum of 7K 
entries.

LR Mack McBride
Network Architect

-Original Message-
From: Pete Templin [mailto:peteli...@templin.org] 
Sent: Thursday, December 08, 2011 10:47 AM
To: Mack McBride
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] prefix lists updates and max prefix filters

On 12/8/2011 11:37 AM, Mack McBride wrote:
> Not filtering announcements isn't really an answer.
> You run into the same problems with a route-map.
> The best solution is to use both a route-map and a prefix-filter.
> Your upstream should also be using a filter.

Say what?  Nobody's recommending that the OP not filter.  They're recommending 
that they filter on the way into their network, where the filtering can be done 
at a very granular level (this customer can send me this, that customer can 
send me that).  Any routes that meet said criteria are given a certificate (in 
the form of a 32-bit BGP community) indicating it's allowed to exist and 
allowed to leave.  At egress points, the only routes allowed to leave are those 
that possess the magic certificate.  Easy (in the grand scheme of things), 
scalable (new customer only requires provisioning at the ingress router), done.

pt

> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net 
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Blake Dunlap
> Sent: Monday, December 05, 2011 11:35 AM
> To: James Ashton
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] prefix lists updates and max prefix filters
>
> This is straight up a design problem. Don't filter what you announce, filter 
> what you accept, and allow what you specify via route map community matching 
> out.

(And Gert posted a more-detailed version of this.)



Re: [c-nsp] GSR 12410 vs XR 12410

2011-12-08 Thread Mack McBride
The 6500 product line has roadmap out to 2020 and beyond.
Keep in mind that the ASR platforms support much larger route tables than
the 6500.  The 6500 is probably not going to be viable for full routing tables
in two years given the de-aggregation expected in the IPv4 space.

Mack

-Original Message-
From: John Brown [mailto:j...@citylinkfiber.com] 
Sent: Thursday, December 08, 2011 10:44 AM
To: Mack McBride; Drew Weaver; cisco-nsp@puck.nether.net
Subject: RE: GSR 12410 vs XR 12410

what about the 65xx product line.

thanks for the good info

From: Mack McBride [mack.mcbr...@viawest.com]
Sent: Thursday, December 08, 2011 10:28 AM
To: Drew Weaver; John Brown; cisco-nsp@puck.nether.net
Subject: RE: GSR 12410 vs XR 12410

Based on your requirements, you may want an ASR 1006 with ESP 40.
The maintenance on an ASR 1k will be lower than the GSR.
You don't mention what cards you have in the GSR.
Some of them may not be compatible with the XR code.

I would recommend against new 7600 deployments since the platform seems to be 
lacking a roadmap.  The ASR 9K is the probable replacement for the 7600.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Wednesday, December 07, 2011 9:31 AM
To: 'John Brown'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] GSR 12410 vs XR 12410

Not sure if anyone pointed this out yet sorry for the late reply but you don't 
need IOS XR to do what you're proposing with a GSR 12410.

Thanks,
-Drew


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Brown
Sent: Monday, December 05, 2011 11:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR 12410 vs XR 12410

Is there a way to make a 12410 into a XR ??

Or would it be better to go down the 7600 route.

Need to Route 1GigE and a few 10GigE interfaces between POP sites.
Full BGP v4 and v6

Thanks



Re: [c-nsp] prefix lists updates and max prefix filters

2011-12-08 Thread Pete Templin

On 12/8/2011 11:37 AM, Mack McBride wrote:
> Not filtering announcements isn't really an answer.
> You run into the same problems with a route-map.
> The best solution is to use both a route-map and a prefix-filter.
> Your upstream should also be using a filter.


Say what?  Nobody's recommending that the OP not filter.  They're 
recommending that they filter on the way into their network, where the 
filtering can be done at a very granular level (this customer can send 
me this, that customer can send me that).  Any routes that meet said 
criteria are given a certificate (in the form of a 32-bit BGP community) 
indicating it's allowed to exist and allowed to leave.  At egress 
points, the only routes allowed to leave are those that possess the 
magic certificate.  Easy (in the grand scheme of things), scalable (new 
customer only requires provisioning at the ingress router), done.


pt


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net
> [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Blake Dunlap
> Sent: Monday, December 05, 2011 11:35 AM
> To: James Ashton
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] prefix lists updates and max prefix filters
>
> This is straight up a design problem. Don't filter what you announce, filter
> what you accept, and allow what you specify via route map community matching
> out.


(And Gert posted a more-detailed version of this.)
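
The design described in this thread (filter and tag at ingress, match the community at egress), set against an egress prefix list that is deleted and rebuilt in place, as an added Python model that is not code from any poster. The AS number, community value, prefixes and max-prefix limit are constructed, and the model assumes that a referenced but undefined prefix list filters nothing, which is consistent with the session reported as dropping right after "no ip prefix-list XXX".

```python
"""Constructed model: egress prefix list rebuilt in place vs. ingress tagging
with a BGP community and a static egress match. All values are made up."""
import ipaddress
from dataclasses import dataclass
from itertools import islice

ALLOW_EXPORT = "64500:100"   # constructed community meaning "may leave our AS"
MAX_PREFIX = 50              # constructed limit the upstream applies to our session


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    learned_from: str                     # "cust-a", "cust-b" or "transit"
    communities: frozenset = frozenset()


def net(text):
    return ipaddress.ip_network(text)


def prefix_list_permits(plist, prefix):
    """plist is None while the list is referenced but not defined.

    Model assumption: an undefined list filters nothing, matching the report
    of max-prefix tripping right after the list is deleted.
    """
    return True if plist is None else prefix in plist


def received_routes():
    """Constructed input: 200 transit routes plus three customer announcements."""
    transit = islice(net("10.0.0.0/8").subnets(new_prefix=16), 200)
    routes = [Route(p, "transit") for p in transit]
    routes += [
        Route(net("192.0.2.0/24"), "cust-a"),
        Route(net("198.51.100.0/24"), "cust-b"),
        Route(net("203.0.113.0/24"), "cust-b"),   # not provisioned for cust-b
    ]
    return routes


def ingress(routes, customer_filters):
    """Per-customer filter on the way in; tag whatever passes."""
    table = []
    for r in routes:
        if r.learned_from in customer_filters:
            if not prefix_list_permits(customer_filters[r.learned_from], r.prefix):
                continue                  # customer sent something not provisioned
            r = Route(r.prefix, r.learned_from, r.communities | {ALLOW_EXPORT})
        table.append(r)                   # transit routes are installed untagged
    return table


def egress_by_prefix_list(table, plist):
    return [r for r in table if prefix_list_permits(plist, r.prefix)]


def egress_by_community(table):
    """The egress policy that never changes: export only tagged routes."""
    return [r for r in table if ALLOW_EXPORT in r.communities]


def session_survives(announced):
    return len(announced) <= MAX_PREFIX


OUTBOUND_LIST = {net("192.0.2.0/24"), net("198.51.100.0/24")}
CUSTOMER_FILTERS = {
    "cust-a": {net("192.0.2.0/24")},
    "cust-b": {net("198.51.100.0/24")},
}


def scenario_counts():
    """Return {scenario: (prefixes announced upstream, session survives)}."""
    raw = received_routes()
    scenarios = {
        # Egress prefix list in place.
        "egress-list-steady": egress_by_prefix_list(raw, OUTBOUND_LIST),
        # Window between deleting the egress list and re-creating it.
        "egress-list-rebuild": egress_by_prefix_list(raw, None),
        # Ingress filter + tag, static community match at egress.
        "community-steady": egress_by_community(ingress(raw, CUSTOMER_FILTERS)),
        # One customer's ingress list rebuilt the same careless way: exposure
        # is bounded by what that customer sends, not by the whole table.
        "community-ingress-rebuild": egress_by_community(
            ingress(raw, {**CUSTOMER_FILTERS, "cust-b": None})
        ),
    }
    return {k: (len(v), session_survives(v)) for k, v in scenarios.items()}


if __name__ == "__main__":
    for name, (count, alive) in scenario_counts().items():
        print(f"{name:28s} announced={count:4d} session_up={alive}")
```
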


Re: [c-nsp] GSR 12410 vs XR 12410

2011-12-08 Thread John Brown
what about the 65xx product line.

thanks for the good info

From: Mack McBride [mack.mcbr...@viawest.com]
Sent: Thursday, December 08, 2011 10:28 AM
To: Drew Weaver; John Brown; cisco-nsp@puck.nether.net
Subject: RE: GSR 12410 vs XR 12410

Based on your requirements, you may want an ASR 1006 with ESP 40.
The maintenance on an ASR 1k will be lower than the GSR.
You don't mention what cards you have in the GSR.
Some of them may not be compatible with the XR code.

I would recommend against new 7600 deployments since the platform
seems to be lacking a roadmap.  The ASR 9K is the probable replacement for the 
7600.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Drew Weaver
Sent: Wednesday, December 07, 2011 9:31 AM
To: 'John Brown'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] GSR 12410 vs XR 12410

Not sure if anyone pointed this out yet sorry for the late reply but you don't 
need IOS XR to do what you're proposing with a GSR 12410.

Thanks,
-Drew


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of John Brown
Sent: Monday, December 05, 2011 11:55 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR 12410 vs XR 12410

Is there a way to make a 12410 into a XR ??

Or would it be better to go down the 7600 route.

Need to Route 1GigE and a few 10GigE interfaces between POP sites.
Full BGP v4 and v6

Thanks



Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Jon Lewis

On Thu, 8 Dec 2011, Seth Mattinen wrote:

> And the 6148A supports jumbo frames, if that matters. But yeah, it has
> 2.6MB per port buffers instead of 1MB shared across 8 ports.

It's supposed to have more than that.

https://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper09186a0080131086.html

--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] prefix lists updates and max prefix filters

2011-12-08 Thread Mack McBride
Not filtering announcements isn't really an answer.
You run into the same problems with a route-map.
The best solution is to use both a route-map and a prefix-filter.
Your upstream should also be using a filter.

LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Blake Dunlap
Sent: Monday, December 05, 2011 11:35 AM
To: James Ashton
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] prefix lists updates and max prefix filters

This is straight up a design problem. Don't filter what you announce, filter 
what you accept, and allow what you specify via route map community matching 
out.

I'm honestly surprised one of your upstreams hasn't yelled at you and made you 
fix this long ago.

-Blake

On Mon, Dec 5, 2011 at 11:08, James Ashton  wrote:

> Hi all.
>
>  I have run into a problem that seems obvious, but is new to me.
>
>  I control outbound announcements with a prefix filter. I update this
> filter daily with a small shell script. It has been working for several
> years now without problem, but for the last few months one of our
> upstreams has dropped our session for hitting a max prefix filter. The
> session drops
> within seconds of issuing the "no ip prefix-list XXX" command.   Before I
> can rebuild the filter.
>
>  As I said, the problem seems obvious, but the solutions all seem less
> than elegant. I can only really see 2 ways through it, but I am
> probably missing several.  First would be to run a prefix list and an access
> list
> and update them one at a time.   So one is always in place.  The second
> would be to edit the prefix list one line at a time and never actually
> regenerate the entire list in one shot.  This seems the most
> proper/elegant method and the one putting the least CPU strain on a hard
> working router.
> It would also cause me to write a good bit more code that no-one else
> here could edit.
>
> I am using rtconfig to generate the lists, so adding another isn't a 
> huge project, but will add additional CPU time to a router that is 
> begging for more CPU as it is.
>
>
> Thoughts?
>
>
> Thank You
> James


Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Seth Mattinen
On 12/8/11 7:58 AM, Jon Lewis wrote:
> On Thu, 8 Dec 2011, Gert Doering wrote:
> 
>> The best choice?  Don't use 6148-GE-TX modules.  They are fundamentally
>> broken (8 ports share one ASIC with a single-GE uplink, one port that's
>> "full" will block out the other 7 ports, ...).  It's even worse if
>> you use them for 100M links, because a saturated 100M link will eat
>> all the buffers from the other 7 ports on the same ASIC, causing RTT
>> jumps on these other ports.
> 
> Just to clarify, as I understand it, this (shared buffers) is an issue
> with the 6148-GE-TX, but not with the 6148A-GE-TX, which according to
> cisco documentation has much larger buffers and they're per port, not
> shared by the ports in each 8 port group.  The 6148A-GE-TX is still 8:1
> oversubscribed, so it's a poor choice if you have a need for lots of
> 1000baseT ports handling much traffic, but at least it has nice per-port
> buffers.  I suspect if most of the ports are used as 100baseT, and you
> have the occasional 1000baseT port that might carry just a little more
> than 100mbit/s, it should do fine.
> 

And the 6148A supports jumbo frames, if that matters. But yeah, it has
2.6MB per port buffers instead of 1MB shared across 8 ports.

~Seth


Re: [c-nsp] N7K fabric behavior

2011-12-08 Thread Tim Stevenson

Hi Tim, please see inline below:

At 08:35 AM 12/8/2011, Tim Durack submitted:

> Trying to get something clear in my mind:
>
> N7K, 2x FAB-2, fabric redundancy, 220G capacity.
>
> N7K, 3x FAB-2, fabric redundancy, 330G capacity.
>
> ...
>
> N7K, 5x FAB-2, fabric redundancy, 550G capacity.
>
> Cisco recommend a minimum of 3 FAB-2 cards. Why?

The origin of this recommendation is around M1 10G modules, which are
80G/slot cards. So 2 fabrics give you full b/w & the 3rd gives you
N+1 redundancy. This rule however doesn't apply to some of the higher
performing cards (F1, F2).

> If I choose to ignore this recommendation, what is the impact?
>
> Is the fabric behavior different for M1/F1/F2 generation line cards?

The key is that Fab 2 in the chassis does not change the b/w
capabilities of modules with a local fab 1. M1 10G cards are still
80G/slot, F1 10G cards are still 230G/slot (with 5 fabrics).

> I understand the implications of over-subscription. If a 2x FAB-2
> chassis is not over-subscribed due to the mix of 1G and 10G ports,
> will the fabric perform correctly? (I'm thinking yes, as this is a
> simple math equation. There is no other fabric-magic going on.

Yes, you are correct - every card works and any port can talk to any
port in the system even with a *single* fabric module. You
(obviously) just won't get full bandwidth.

Hope that helps,
Tim

> Sales-Engineering is trying to convince me otherwise :-)
>
> Thanks for humoring me.
>
> --
> Tim:>

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Technical Marketing Engineer, Cisco Nexus 7000
Cisco - http://www.cisco.com
IP Phone: 408-526-6759

The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.




[c-nsp] N7K fabric behavior

2011-12-08 Thread Tim Durack
Trying to get something clear in my mind:

N7K, 2x FAB-2, fabric redundancy, 220G capacity.

N7K, 3x FAB-2, fabric redundancy, 330G capacity.

...

N7K, 5x FAB-2, fabric redundancy, 550G capacity.


Cisco recommend a minimum of 3 FAB-2 cards. Why?

If I choose to ignore this recommendation, what is the impact?

Is the fabric behavior different for M1/F1/F2 generation line cards?

I understand the implications of over-subscription. If a 2x FAB-2
chassis is not over-subscribed due to the mix of 1G and 10G ports,
will the fabric perform correctly? (I'm thinking yes, as this is a
simple math equation. There is no other fabric-magic going on.
Sales-Engineering is trying to convince me otherwise :-)

Thanks for humoring me.

-- 
Tim:>


Re: [c-nsp] HP Loop-protect on Cisco

2011-12-08 Thread Andrew Miehs
 Hi Peter,


> AFAIK all Cisco switches always send "Ethernet Loopback" (ethertype
> 0x9000) packets on switchport interfaces and disable the port if things
> loop. Loops would result in a message like this:
>
>  %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on
> FastEthernet0/37
>
> This would possibly be followed by:
>
>  %PM-4-ERR_DISABLE: loopback error detected on Fa0/37, putting Fa0/37 in
> err-disable state
>

Using an old switch I have in my lab :

Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version
12.2(44)SE6, RELEASE SOFTWARE (fc1)

If I connect an unmanaged 8 port switch to cat3550-0/1 and once it is
connected create a loop on the 8 port switch:

*Mar  1 02:15:32.811: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed
state to up
*Mar  1 02:15:33.811: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to down
*Mar  1 02:15:34.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to up
*Mar  1 02:17:29.003: %SYS-2-MALLOCFAIL: Memory allocation of 1692 bytes
failed from 0x158568, alignment 0
Pool: I/O  Free: 21284  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "Pool Manager", ipl= 0, pid= 5
*Mar  1 02:17:35.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/1, changed state to down
*Mar  1 02:17:40.779: %PM-4-ERR_DISABLE: dtp-flap error detected on Fa0/1,
putting Fa0/1 in err-disable state
*Mar  1 02:17:42.791: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed
state to down

However, if the loop already exists on the unmanaged 8 port switch:


*Mar  1 02:34:01.099: %SYS-2-MALLOCFAIL: Memory allocation of 1692 bytes
failed from 0x158568, alignment 0
Pool: I/O  Free: 21284  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "Pool Manager", ipl= 0, pid= 5
*Mar  1 02:34:02.199: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed
state to up
*Mar  1 02:34:03.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/17, changed state to up
*Mar  1 02:34:31.103: %SYS-2-MALLOCFAIL: Memory allocation of 1692 bytes
failed from 0x158568, alignment 0
Pool: I/O  Free: 21284  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "Pool Manager", ipl= 0, pid= 5
*Mar  1 02:35:01.151: %SYS-2-MALLOCFAIL: Memory allocation of 1692 bytes
failed from 0x158568, alignment 0
Pool: I/O  Free: 21284  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "Pool Manager", ipl= 0, pid= 5
So unfortunately on this old switch the port only goes down if the loop
occurs after the interface comes up on the Cisco.
I will try this with a newer switch which has the
"ETHCNTR-3-LOOP_BACK_DETECTED" feature in the next few days.


Thanks again,

Andrew


Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Gert Doering
Hi,

On Thu, Dec 08, 2011 at 10:58:41AM -0500, Jon Lewis wrote:
> Just to clarify, as I understand it, this (shared buffers) is an issue 
> with the 6148-GE-TX, but not with the 6148A-GE-TX, which according to 
> cisco documentation has much larger buffers and they're per port, not 
> shared by the ports in each 8 port group.  

Thanks for clarifying.  Yes, this is much more reasonable.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Jon Lewis

On Thu, 8 Dec 2011, Gert Doering wrote:

> The best choice?  Don't use 6148-GE-TX modules.  They are fundamentally
> broken (8 ports share one ASIC with a single-GE uplink, one port that's
> "full" will block out the other 7 ports, ...).  It's even worse if
> you use them for 100M links, because a saturated 100M link will eat
> all the buffers from the other 7 ports on the same ASIC, causing RTT
> jumps on these other ports.

Just to clarify, as I understand it, this (shared buffers) is an issue
with the 6148-GE-TX, but not with the 6148A-GE-TX, which according to
cisco documentation has much larger buffers and they're per port, not
shared by the ports in each 8 port group.  The 6148A-GE-TX is still 8:1
oversubscribed, so it's a poor choice if you have a need for lots of
1000baseT ports handling much traffic, but at least it has nice per-port
buffers.  I suspect if most of the ports are used as 100baseT, and you
have the occasional 1000baseT port that might carry just a little more
than 100mbit/s, it should do fine.


--
 Jon Lewis, MCP :)   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread MKS
You basically have two options

SUP32, then go for the 6148A-GE-TX, if you can live with the 1gig per
8port limit.
the A version doesn't have the buffer issue like the no-A.

SUP-720, and go for the 67xx cards. You should be able to get the 67xx
cards refurbished at a good price these days...

Regards
MKS


Re: [c-nsp] l2tp xconnect problem with packets > 1430

2011-12-08 Thread Peter Rathlev
On Wed, 2011-12-07 at 19:09 -1000, Antonio Querubin wrote:
> On Wed, 7 Dec 2011, Peter Rathlev wrote:
> > If the L2TPv2 packets cannot exceed 1500 bytes then the ICMP payload
> > size of an encapsulated packet cannot exceed 1430 bytes, assuming
> > you're not transporting a 802.1Q frame.
...
> Understood.  What I don't understand is why the large pings (in this
> case large is anything > 1430) will sometimes work and sometimes not.
> There is no packet loss between the two routers and pmtud works
> between them.  They can ping each other with large packets all day.
> Not so the xconnected hosts.

What Gert said. What is the distribution of forwarded/non-forwarded
packets? Maybe there's a timeout on the PMTUD resetting things, and
maybe the router accepts fragmenting for a short while here.

It shouldn't work with an MTU larger than 1430 though. It's an error
that it does. ;-)

-- 
Peter



Re: [c-nsp] OER Question

2011-12-08 Thread Peter Rathlev
On Thu, 2011-12-08 at 12:27 +0200, M K wrote:
> please guys anyone do not want to help can save his words for
> himself !!

Um... as you wish. Don't complain if nobody wants to answer you of
course.

-- 
Peter




Re: [c-nsp] auto versioning of device configs, ala RANCID or ??

2011-12-08 Thread Gert Doering
Hi,

On Thu, Dec 08, 2011 at 01:08:57PM +, John Brown wrote:
> RANCID is what we have used in the past.  Just wondering if there is 
> something "newer / better"

The canonical answer seems to be RANCID.

We use our own system which is more closely integrated into our ticketing
and change management (and doesn't have that smell of TCL) - but under the
hood, it does the same things, so if you start from scratch, use Rancid :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



[c-nsp] auto versioning of device configs, ala RANCID or ??

2011-12-08 Thread John Brown
Hi,

What is the list.wisdom on automating the capture of device config and config 
changes ??

RANCID is what we have used in the past.  Just wondering if there is something 
"newer / better"

thanks


Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Sigurbjörn Birkir Lárusson
You need the newer fan module though for the SUP720/RSP720

Kind regards,
Sibbi

On 7.12.2011 23:29, "Łukasz Bromirski" wrote:

>On 2011-12-08 00:25, Andrew Miehs wrote:
>
>>> The 67XX/69XX cards are incompatible with the Sup2/Sup32 since they are
>>> non-fabric enabled supervisors.
>>> For the 67XX cards you'll need a SUP/RSP720
>> And he/you will require an "-E" chassis.
>
>Sup720 and 67xx will actually work in non E chassis.
>
>You need E chassis for Sup2T and new 80Gbit/s LCs.
>
>-- 
>"There's no sense in being precise when |   Łukasz Bromirski
>  you don't know what you're talking |  jid:lbromir...@jabber.org
>  about."   John von Neumann |http://lukasz.bromirski.net



Re: [c-nsp] OER Question

2011-12-08 Thread M K

Hi, please guys, anyone who does not want to help can save his words for himself!!
I heard about this forum, and a lot of people who told me about it received a
lot of help.
I already have a solution but I am not sure if it's complete.

R4#sh run | sec ip access
ip access-list extended DSCP31
 permit ip 1.1.44.0 0.0.0.255 any dscp 31
ip access-list extended DSCP41
 permit ip 1.1.44.0 0.0.0.255 any dscp 41
ip access-list extended EF
 permit ip host 1.1.44.4 host 1.1.58.5 dscp ef

R4#sh run | sec oer-map
oer-map MAP 10
 match traffic-class access-list DSCP31
 set next-hop 1.1.29.10
oer-map MAP 20
 match traffic-class access-list DSCP41
 set next-hop 1.1.17.7
oer-map MAP 30
 match traffic-class access-list EF
 set delay threshold 40
 set jitter threshold 100
 set active-probe jitter 1.1.58.5 target-port 1024 codec g729a
 set probe frequency 20

R4#sh run | sec oer master
oer master
 policy-rules MAP
 logging
 !
 border 1.1.1.1 key-chain KEY
  interface FastEthernet0/0 external
  interface Serial1/0 internal
  interface Tunnel0 internal
 !
 border 1.1.2.2 key-chain KEY
  interface FastEthernet0/0 external
  interface Serial1/0 internal
  interface Tunnel0 internal

> Date: Wed, 7 Dec 2011 10:10:17 -0600
> From: peteli...@templin.org
> To: gunner_...@live.com
> CC: rob...@raszuk.net; b...@whack.org; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] OER Question
> 
> On 12/7/2011 2:17 AM, M K wrote:
> > Hi all, Bruce, I am asking on the best Cisco forum, is that wrong
> In this case, yes.  What you're doing is a direct violation of the CCIE 
> NDA.  As soon as Cisco finds out, you won't be able to attempt your lab 
> again for at least a year, and good luck passing it when you try.
> 
> You should not be asking this on ANY forum.
> 
> pt
> 
  


Re: [c-nsp] CISCO 1841

2011-12-08 Thread Nikolay Shopik

You have a faulty patch cord; replace it and you should be fine.

On 08/12/11 14:01, Wakwa Nduati wrote:

> On the main device I get on both interfaces
>
> f0/0 136 unknown protocol drops
> f0/1 31 unknown protocol drops
>
> On the connecting switch
>
>   Input:  1350 input errors, 0 runts, 0 giants,  - throttles, 1153 CRC
>   - frame,  - overruns, 197 aborts, - ignored, - parity errors
>
> and
>
> Input:  43301 input errors, 0 runts, 0 giants,  - throttles, 41151 CRC
>   - frame,  - overruns, 2150 aborts, - ignored, - parity errors
>
> Thanks
>
>
> On Thu, Dec 8, 2011 at 12:46 PM, David Rothera wrote:
>
>> I take it you also have the associated down messages as well? If you are
>> having interface drops then I would look into that rather than just
>> ignoring it.
>>
>> Do you get drops on the device that is on the other end of these
>> connections?
>>
>> David Rothera
>>
>>
>> On Thu, Dec 8, 2011 at 9:17 AM, Wakwa Nduati wrote:
>>
>>> Hi,
>>>
>>> I have a cisco 1841 on my network and though working ok it has these messages.
>>>
>>> It is connected to a gigabit switch and the ports set to 100Mbps.
>>>
>>> What would this mean and how do I clear them?
>>>
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>>
>>> Config
>>>
>>> global - ip cef is enabled
>>>
>>> interface FastEthernet0/0
>>>   ip address x.x.x.x y.y.y.y
>>>   ip ospf message-digest-key 
>>>   ip ospf priority 0
>>>   duplex auto
>>>   speed auto
>>>   no cdp enable
>>>   max-reserved-bandwidth 100
>>> !
>>> interface FastEthernet0/1 (connected and supporting dot1q interfaces)
>>>   no ip address
>>>   duplex auto
>>>   speed auto
>>>
>>> Thanks.


Re: [c-nsp] Cisco 650x sup2 / sup32 configuration - what makes sense?

2011-12-08 Thread Gert Doering
Hi,

On Wed, Dec 07, 2011 at 11:10:24PM +0100, Jeff Meyers wrote:
> When a customer bursts a GigE port on the 6148-GE-TX, the available 
> bandwidth on all other ports (at least ports 1-24 which seem to share an 
> asic) are affected as well although there is not more than just 
> 2-3GBit/s of traffic on the whole module. What is the best choice here 
> to have reasonable amounts of bandwidth available across the whole box?

The best choice?  Don't use 6148-GE-TX modules.  They are fundamentally
broken (8 ports share one ASIC with a single-GE uplink, one port that's 
"full" will block out the other 7 ports, ...).  It's even worse if
you use them for 100M links, because a saturated 100M link will eat
all the buffers from the other 7 ports on the same ASIC, causing RTT
jumps on these other ports.

> Does it make sense to replace the 6148-GE-TX with a 6748 or is the sup2 
> respectively the sup32 the actual bottleneck?

67xx won't work with the sup32 (thanks, cisco).  I'd go for 6516-GE-TX,
which have a much saner architecture than the 6148-GE-TX *and* will 
work with non-fabric-enabled supervisors.

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



Re: [c-nsp] ASSERTION FAILED in file ../les/if_ng_dslsar_tx.c, line 385

2011-12-08 Thread Pierre Emeriaud
> What does your memory utilization look like? Sounds like a possible memory
> leak which is leaving nothing free for processes to allocate (or at least I
> have seen this before)

Mmh, looks like I have some free memory :


a9#sh mem st
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   84790F40    94164780    22943500    71221280    71188776    71191192
      I/O        780     8388608     2343628     6044980     5945104     6000412


I found bug CSCse61869, which looks similar, but on this router we have
no ipsec, just basic IP over ATM and some very basic access-lists...


-pierre


Re: [c-nsp] l2tp xconnect problem with packets > 1430

2011-12-08 Thread Gert Doering
Hi

On Wed, Dec 07, 2011 at 07:09:35PM -1000, Antonio Querubin wrote:
> Understood.  What I don't understand is why the large pings (in this case 
> large is anything > 1430) will sometimes work and sometimes not.  

Because sometimes fragmentation of the *outer* L2TP packet happens, and
sometimes not.  If fragmentation happens, anything will go through - and
the CPU load will go up through the roof.

> There is 
> no packet loss between the two routers and pmtud works between them.  They 
> can ping each other with large packets all day.  Not so the xconnected 
> hosts.

The routers will know how to fragment their pings.  The hosts won't.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



Re: [c-nsp] CISCO 1841

2011-12-08 Thread Wakwa Nduati
On the main device I get on both interfaces

f0/0 136 unknown protocol drops
f0/1 31 unknown protocol drops

On the connecting switch

 Input:  1350 input errors, 0 runts, 0 giants,  - throttles, 1153 CRC
 - frame,  - overruns, 197 aborts, - ignored, - parity errors

and

Input:  43301 input errors, 0 runts, 0 giants,  - throttles, 41151 CRC
 - frame,  - overruns, 2150 aborts, - ignored, - parity errors

Thanks


On Thu, Dec 8, 2011 at 12:46 PM, David Rothera wrote:

> I take it you also have the associated down messages as well? If you are
> having interface drops then I would look into that rather than just
> ignoring it.
>
> Do you get drops on the device that is on the other end of these
> connections?
>
> David Rothera
>
>
>
> On Thu, Dec 8, 2011 at 9:17 AM, Wakwa Nduati  wrote:
>
>> Hi,
>>
>> I have a cisco 1841 on my network and though working ok it has these messages.
>>
>> It is connected to a gigabit switch and the ports set to 100Mbps.
>>
>> What would this mean and how do I clear them?
>>
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>>
>> Config
>>
>> global - ip cef is enabled
>>
>> interface FastEthernet0/0
>>  ip address x.x.x.x y.y.y.y
>>  ip ospf message-digest-key 
>>  ip ospf priority 0
>>  duplex auto
>>  speed auto
>>  no cdp enable
>>  max-reserved-bandwidth 100
>> !
>> interface FastEthernet0/1 (connected and supporting dot1q interfaces)
>>  no ip address
>>  duplex auto
>>  speed auto
>>
>> Thanks.
>>
>
>


Re: [c-nsp] ASSERTION FAILED in file ../les/if_ng_dslsar_tx.c, line 385

2011-12-08 Thread David Rothera
What does your memory utilization look like? Sounds like a possible memory
leak which is leaving nothing free for processes to allocate (or at least I
have seen this before)

David Rothera



On Thu, Dec 8, 2011 at 8:22 AM, Pierre Emeriaud  wrote:

> Hello list,
>
>
> Since yesterday, one of my 2611XMs is popping out a strange message in
> the log buffer, which looks like a dsl code/wic firmware debug string:
>
> Dec  7 17:43:32.991 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
>
>
> - there were a few line flaps (on WIC-1SHDSL-V3) the day before
> yesterday, but it stabilized then
> - I modified the NTP configuration on the router to display the logs
> correctly
> - One hour and a half later, the router started to spit the annoying
> log message.
> - Wic dsl chipset is DSLSAR.
>
>
> Output Interpreter doesn't show anything useful, IOS is
> C2600-SPSERVICESK9-M, Version 12.4(6)T, RELEASE SOFTWARE (fc1), uptime
> is 11 weeks, 5 days, 4 hours, 53 minutes.
>
> There is also a WIC-1B-S/T for isdn backup.
>
>
> Does anyone have an idea about what this issue is and what to do about it?
>
>
> Log extract:
>
> *May 21 13:44:56.106 GMT+2: %SYS-5-CONFIG_I: Configured from console
> by xxx on vty1 (xxx.xxx.xxx.xxx)  <<< NTP config
> Dec  7 16:04:46.867 GMT+1: %SYS-5-CONFIG_I: Configured from console by
> xxx on vty1 (xxx.xxx.xxx.xxx)  <<< NTP re-config
> Dec  7 17:21:43.018 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 17:43:32.991 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 21:33:32.702 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 21:40:52.693 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 21:41:42.695 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 21:42:22.692 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 21:45:32.687 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> Dec  7 21:53:42.680 GMT+1: ASSERTION FAILED: file
> "../les/if_ng_dslsar_tx.c", line 385
> ... and continues like this...
>
>
> Thanks,
>
> - Pierre.
>


Re: [c-nsp] CISCO 1841

2011-12-08 Thread David Rothera
I take it you also have the associated down messages as well? If you are
having interface drops then I would look into that rather than just
ignoring it.

Do you get drops on the device that is on the other end of these
connections?

David Rothera



On Thu, Dec 8, 2011 at 9:17 AM, Wakwa Nduati  wrote:

> Hi,
>
> I have a cisco 1841 on my network and though working ok it has these messages.
>
> It is connected to a gigabit switch and the ports set to 100Mbps.
>
> What would this mean and how do I clear them?
>
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
> : %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
>
> Config
>
> global - ip cef is enabled
>
> interface FastEthernet0/0
>  ip address x.x.x.x y.y.y.y
>  ip ospf message-digest-key 
>  ip ospf priority 0
>  duplex auto
>  speed auto
>  no cdp enable
>  max-reserved-bandwidth 100
> !
> interface FastEthernet0/1 (connected and supporting dot1q interfaces)
>  no ip address
>  duplex auto
>  speed auto
>
> Thanks.
>


[c-nsp] CISCO 1841

2011-12-08 Thread Wakwa Nduati
Hi,

I have a cisco 1841 on my network and though working ok it has these messages.

It is connected to a gigabit switch and the ports set to 100Mbps.

What would this mean and how do I clear them?

: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

Config

global - ip cef is enabled

interface FastEthernet0/0
 ip address x.x.x.x y.y.y.y
 ip ospf message-digest-key 
 ip ospf priority 0
 duplex auto
 speed auto
 no cdp enable
 max-reserved-bandwidth 100
!
interface FastEthernet0/1 (connected and supporting dot1q interfaces)
 no ip address
 duplex auto
 speed auto

Thanks.


[c-nsp] ASSERTION FAILED in file ../les/if_ng_dslsar_tx.c, line 385

2011-12-08 Thread Pierre Emeriaud
Hello list,


Since yesterday, one of my 2611XMs is popping out a strange message in
the log buffer, which looks like a dsl code/wic firmware debug string:

Dec  7 17:43:32.991 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385


- there were a few line flaps (on WIC-1SHDSL-V3) the day before
yesterday, but it stabilized then
- I modified the NTP configuration on the router to display the logs correctly
- One hour and a half later, the router started to spit the annoying
log message.
- Wic dsl chipset is DSLSAR.


Output Interpreter doesn't show anything useful, IOS is
C2600-SPSERVICESK9-M, Version 12.4(6)T, RELEASE SOFTWARE (fc1), uptime
is 11 weeks, 5 days, 4 hours, 53 minutes.

There is also a WIC-1B-S/T for isdn backup.


Does anyone have an idea about what this issue is and what to do about it?


Log extract:

*May 21 13:44:56.106 GMT+2: %SYS-5-CONFIG_I: Configured from console
by xxx on vty1 (xxx.xxx.xxx.xxx)  <<< NTP config
Dec  7 16:04:46.867 GMT+1: %SYS-5-CONFIG_I: Configured from console by
xxx on vty1 (xxx.xxx.xxx.xxx)  <<< NTP re-config
Dec  7 17:21:43.018 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 17:43:32.991 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 21:33:32.702 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 21:40:52.693 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 21:41:42.695 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 21:42:22.692 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 21:45:32.687 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
Dec  7 21:53:42.680 GMT+1: ASSERTION FAILED: file
"../les/if_ng_dslsar_tx.c", line 385
... and continues like this...


Thanks,

- Pierre.