Re: [c-nsp] ASR1000 - Software Redundancy
2GB for internal purposes is just over the top IMO. I can't think of anything that could use that 2GB of memory on a router, just for internal purposes.

On 01/02/12 06:04, Mark Tinka wrote:
> If you have 4GB DRAM in the router, IOSd itself will take 2GB and the other 2GB will be used for internal purposes

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco IDS/IPS on 881 series
Hi,

I have the default license:

License Information for 'c880-data'
    License Level: advsecurity   Type: Permanent
    Next reboot license Level: advsecurity

ios: c880data-universalk9-mz.152-1.T.bin

The Cisco Feature Navigator says that my IOS and license include:

Firewall Intrusion Detection (IDS) Signature Enhancements
Firewall Intrusion Detection System

Maybe I must activate them in global configuration somehow.

> I think you need to purchase a license. Check this data sheet:
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78_459542_ps380_Products_Data_Sheet.html
>
> By the way, the 42xx are IPS appliances. Here you have the IPS options: cisco.com/go/ips
>
> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Marius Catrangiu
> Sent: Tuesday, 31 January 2012 18:56
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Cisco IDS/IPS on 881 series
>
> Hello,
>
> I'm new to IOS security configurations. I would like to ask you if it is possible to configure IDS/IPS on the Cisco 880 Router Series (on the internet I found the 42xx series)? If it is, with what IOS image version?
>
> I tried the following:
>
> c880data-universalk9-mz.150-1.M6.bin (default)
> c880data-universalk9-mz.124-24.T.bin
> c880data-universalk9-mz.152-1.T.bin (current)
>
> with no success. When I try to configure the "ip audit" command, the IOS software does not know "audit".
>
> Router#show version | in IOS
> Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(1)T, RELEASE SOFTWARE (fc1)
> Router#
>
> Thanks in advance.
>
> --
> Marius Catrangiu, RCS RDS SA Pitesti Branch
> Phone: +40 348 400 421

====
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such a case, you should destroy this message and kindly notify the sender by reply e-mail.
====
Re: [c-nsp] ASR1000 - Software Redundancy
On Wednesday, February 01, 2012 05:11:51 PM Nikolay Shopik wrote:

> 2GB for internal purposes is just over the top IMO. I can't think of anything that could use that 2GB of memory on a router, just for internal purposes.

I couldn't agree more. But I guess that's why IOS is closed source :-).

Mark.
Re: [c-nsp] Cisco IDS/IPS on 881 series
You need Advanced IP Services. Check table 7.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Marius Catrangiu [mailto:marius.catran...@pitesti.rcs-rds.ro]
Sent: Wednesday, 1 February 2012 09:21
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco IDS/IPS on 881 series

> Hi,
>
> I have the default license:
>
> License Information for 'c880-data'
>     License Level: advsecurity   Type: Permanent
>     Next reboot license Level: advsecurity
>
> ios: c880data-universalk9-mz.152-1.T.bin
>
> The Cisco Feature Navigator says that my IOS and license include:
>
> Firewall Intrusion Detection (IDS) Signature Enhancements
> Firewall Intrusion Detection System
>
> Maybe I must activate them in global configuration somehow.
Re: [c-nsp] ASR1000 - Software Redundancy
Yes, lesson learned: no software redundancy, at least with the RP1, whose memory maximum is 4GB, which means 700MB usable...

In the meanwhile, I saw that it's possible to switch to the underlying OS and we can do Linux commands like top:

top - 03:50:16 up 12:22,  0 users,  load average: 0.21, 0.13, 0.09
Tasks: 136 total,   2 running, 134 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.0%us,  2.6%sy,  0.0%ni, 96.0%id,  0.0%wa,  0.3%hi,  0.0%si,  0.0%st
Mem:   3874968k total,  1707248k used,  2167720k free,   127152k buffers
Swap:        0k total,        0k used,        0k free,  1075788k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
25147 root      20   0 26784  14m  12m S  1.3  0.4   6:40.53 imand
23063 root      20   0 28008  10m 8136 S  1.0  0.3   4:51.46 cmand
25922 root      20   0 1916m 403m 142m R  0.7 10.7   9:42.53 linux_iosd-imag
(...)

We see lots of free memory so I suspect we can change the default values that IOSd is able to allocate.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Mark Tinka [mailto:mti...@globaltransit.net]
Sent: Wednesday, 1 February 2012 02:04
To: cisco-nsp@puck.nether.net
Cc: Antonio Soares
Subject: Re: [c-nsp] ASR1000 - Software Redundancy

On Tuesday, January 31, 2012 11:38:53 PM Antonio Soares wrote:

> The box has 4 GB of memory but the IOSd only allocates 1,7 GB. Is this dynamic? How do we control this?

We turned on software redundancy on our ASR1002's a couple of years back, while they were running at least 3x full BGP feeds. This was still on IOS XE 2.6.

Over several weeks, the box ran out of memory and crashed. We traced the issue back to the software redundancy + large memory consumption due to BGP routing.

We disabled software redundancy and have never turned it on since. If we want control plane redundancy, we buy the ASR1006, which is one of the reasons we never buy the ASR1004. Only the ASR1002 (size, cost) and the ASR1006 (redundant, high capacity).

If you have 4GB DRAM in the router, IOSd itself will take 2GB and the other 2GB will be used for internal purposes.

If you have SSO turned on for software redundancy, the 2GB that was allocated to IOSd will be halved further to 1GB for the native IOSd, and another 1GB for the redundant IOSd. However, other internal processes would consume memory from the remaining 1GB of the native IOSd, leaving you with about 600MB - 700MB of free memory on that partition.

Now throw a couple of full BGP feeds into the remaining odd 700MB, and you quickly see what is wrong with this picture.

There is a caveat (unofficial) that Cisco do not recommend running software redundancy if the router is running BGP. You won't find this recommendation online anywhere, as it was an internal discussion within the ASR1000 BU. But AFAIK, internal notes have been made available to account teams in case customers have questions about this.

Bottom line, don't enable software redundancy if you have BGP running.

Personally, I don't enable software redundancy, period. I bought a box with a single control plane. If I want redundancy, I'll buy one with two control planes. The idea is novel, but it doesn't really work.

Hope this helps.

Cheers,

Mark.
Re: [c-nsp] ASR1000 - Software Redundancy
With Software Redundancy active, we still have almost 2GB free:

top - 04:10:27 up 12 min,  0 users,  load average: 0.20, 0.61, 0.68
Tasks: 150 total,   2 running, 148 sleeping,   0 stopped,   0 zombie
Cpu(s):  6.6%us, 14.3%sy,  0.0%ni, 78.7%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:   3874968k total,  2115692k used,  1759276k free,   127128k buffers
Swap:        0k total,        0k used,        0k free,  1118852k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
25898 root      20   0  916m 417m 141m R  2.3 11.0   1:17.92 linux_iosd-imag
 2605 root      20   0  915m 452m 137m S  1.3 12.0   1:04.51 linux_iosd-imag
(...)

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: Wednesday, 1 February 2012 11:59
To: 'mti...@globaltransit.net'; 'cisco-nsp@puck.nether.net'
Subject: RE: [c-nsp] ASR1000 - Software Redundancy

> Yes, lesson learned: no software redundancy, at least with the RP1, whose memory maximum is 4GB, which means 700MB usable...
>
> In the meanwhile, I saw that it's possible to switch to the underlying OS and we can do Linux commands like top:
>
> [...]
>
> We see lots of free memory so I suspect we can change the default values that IOSd is able to allocate.
Re: [c-nsp] ASR1000 - Software Redundancy
Hi,

On Wed, Feb 01, 2012 at 12:16:48PM -, Antonio Soares wrote:
> With Software Redundancy active, we still have almost 2GB free:

Can't give all the memory to these greedy IOSd processes!

gert, still hoping to see something resembling *real* modularity show up

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [c-nsp] ASR1000 - Software Redundancy
Hi,

On Wed, 1 Feb 2012, Antonio Soares wrote:
> Yes, lesson learned: no software redundancy, at least with the RP1, whose memory maximum is 4GB, which means 700MB usable...
>
> In the meanwhile, I saw that it's possible to switch to the underlying OS and we can do Linux commands like top:
>
> [...]
>
> We see lots of free memory so I suspect we can change the default values that IOSd is able to allocate.

If you search the archives there have been several threads on asr1k memory usage. The following posting claims that the memory allocated to IOS is currently not configurable:

https://puck.nether.net/pipermail/cisco-nsp/2011-August/080691.html

All this still does not explain the following on a pair of asr1001 boxes:

cisco ASR1001 (1RU) processor with 1207124K/6147K bytes of memory.
9 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7782399K bytes of eUSB flash at bootflash:.

This is explicitly without any software redundancy and the IOS still only sees 1G of the potential 2G it should be seeing.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de             Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Geschaeftsfuehrer: Christian Kratzer
Re: [c-nsp] ASR1000 - Software Redundancy
Can you open a shell and do a top so we can see the memory consumption?

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Christian Kratzer [mailto:ck-li...@cksoft.de]
Sent: Wednesday, 1 February 2012 13:29
To: Antonio Soares
Cc: mti...@globaltransit.net; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1000 - Software Redundancy

> All this still does not explain the following on a pair of asr1001 boxes:
>
> cisco ASR1001 (1RU) processor with 1207124K/6147K bytes of memory.
> 9 Gigabit Ethernet interfaces
> 32768K bytes of non-volatile configuration memory.
> 4194304K bytes of physical memory.
> 7782399K bytes of eUSB flash at bootflash:.
>
> This is explicitly without any software redundancy and the IOS still only sees 1G of the potential 2G it should be seeing.
[c-nsp] Flow collector and analysis program
Hello,

I am looking for an open source flow collector program and an open source flow analysis program which can be used at ISP size. Specifically, I am expecting the following functions from the flow collector/analysis system:

- traffic analysis, network visibility and baselining
- detect network anomalies
- forensics and incident response

Could you share your experiences about this subject, and give me some recommendations about how and where I should start with this project? My routers support cflowd.

Kind Regards.

Burak Dikici
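An added example, not part of Burak's post or of any collector the list might recommend: a minimal collector-side parser for NetFlow v5 (the fixed-format export that cflowd on Cisco routers emits; that the routers export v5 is an assumption) with two of the analysis functions the post asks for, a top-talker list for baselining and a vertical port-scan check over the decoded flows. The datagram it parses is constructed inside the script with the same struct layout, so it runs offline; the addresses are documentation ranges and the function names and the `min_ports` threshold are mine.

```python
import struct
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by `count` fixed 48-byte
# records, every field big-endian.
HEADER = struct.Struct(">HHIIIIBBH")                 # version, count, sysuptime, unix_secs,
                                                     # unix_nsecs, flow_seq, engine_type,
                                                     # engine_id, sampling_interval
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # src, dst, nexthop, in_if, out_if, pkts,
                                                     # octets, first, last, sport, dport, pad,
                                                     # tcp_flags, proto, tos, src_as, dst_as,
                                                     # src_mask, dst_mask, pad
TCP, SYN = 6, 0x02


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_v5(datagram):
    """Decode one NetFlow v5 UDP payload into a list of flow dicts.
    Rejects other versions and datagrams shorter than the header claims,
    so a truncated or hostile export cannot make unpack_from read past the end."""
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated export: header count exceeds payload length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": ip_str(r[0]), "dst": ip_str(r[1]), "pkts": r[5],
                      "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return flows


def build_v5(records, flow_seq=0):
    """Encode (src, dst, proto, sport, dport, pkts, octets, tcp_flags) tuples
    into a v5 datagram; used here only to construct the sample input."""
    header = HEADER.pack(5, len(records), 0, 0, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(bytes(map(int, s.split("."))), bytes(map(int, d.split("."))),
                    b"\0\0\0\0", 1, 2, pk, oc, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, oc, fl in records)
    return header + body


def is_wellformed(datagram):
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent: the visibility/baselining view."""
    octets = defaultdict(int)
    for f in flows:
        octets[f["src"]] += f["octets"]
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_port_scanners(flows, min_ports=10):
    """Anomaly check: a source that opened SYN-only, 1-2 packet TCP flows to
    many distinct ports on one host. Returns (src, dst, distinct_ports) tuples."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["pkts"] <= 2 and f["tcp_flags"] & SYN:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


# Constructed sample (documentation address ranges): 198.51.100.7 probes twelve
# ports on 192.0.2.10 with single SYN packets; 192.0.2.10 also has a normal
# HTTPS session with 203.0.113.5.
SAMPLE_RECORDS = (
    [("198.51.100.7", "192.0.2.10", TCP, 40000 + p, p, 1, 60, SYN) for p in range(20, 32)]
    + [("192.0.2.10", "203.0.113.5", TCP, 443, 51000, 120, 150000, 0x1a),
       ("203.0.113.5", "192.0.2.10", TCP, 51000, 443, 90, 9000, 0x1a)]
)
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    print("flows:", len(flows))
    print("top talkers:", top_talkers(flows))
    print("scanners:", find_port_scanners(flows))
```

The length check before the record loop is the part worth keeping in any real collector: the header's `count` field is attacker-controlled data arriving over UDP, and a parser that trusts it will read garbage or crash on a short datagram.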
[c-nsp] IPv6 in Bridge-Group on 2921 w/ 15.1.3T3
Hello,

I'm trying to have IPv6 packets injected into a bridge-group. I have seen that a bug was around (CSCta27529), until at least 15.1.2. I'm now running 15.1.3T3 and still can't get 2 facing IPv6 BVI interfaces to ping each other. This is working with IPv4 on the same BG.

Here is how the interfaces are configured on each 2921 (second unit has its IPs incremented by 1).

interface GigabitEthernet0/1/0.99   (To the facing 2921, same config)
 encapsulation dot1Q 99
 bridge-group 99

interface BVI99
 ip address 1.2.3.60 255.255.255.240
 standby 99 ip 1.2.3.62
 standby 99 priority 151
 standby 99 preempt
 ipv6 address 2001:db8::60/64
 ipv6 enable

interface GigabitEthernet0/1.99
 encapsulation dot1Q 99
 bridge-group 99

#sh ipv6 int bvi99
BVI99 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FADA:74C8
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:db8::60, subnet is 2001:db8::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:60
    FF02::1:FADA:74C8
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 3 milliseconds (using 3)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.

The output looks the same on the other router.

So far, I've tried the following images:

c2900-universalk9-mz.SPA.151-1.T.bin
c2900-universalk9-mz.SPA.151-3.T3.bin
c2900-universalk9-mz.SPA.151-4.M.bin

debug ipv6 packet shows that the packets are sent into the bridge-group, but they seem to disappear then.

Has anyone experienced such a behavior?

Thanks a lot for any help on this topic

Best regards,

Annie
Re: [c-nsp] ASR1000 - Software Redundancy
Here's how to do it (asr1004):

conf t
 platform shell
end
request platform software system shell rp active

Then you have Linux :)

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Christian Kratzer [mailto:c...@cksoft.de]
Sent: Wednesday, 1 February 2012 14:08
To: Antonio Soares
Cc: mti...@globaltransit.net; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASR1000 - Software Redundancy

Hi,

On Wed, 1 Feb 2012, Antonio Soares wrote:
> Can you open a shell and do a top so we can see the memory consumption?

if you tell me how to?

Greetings
Christian
Re: [c-nsp] SSL VPN on an ASA 5505
On Tue, Jan 31, 2012 at 15:59:49, Ryan wrote:

> Subject: [c-nsp] SSL VPN on an ASA 5505
>
> I used the VPN Wizard on ASDM 6.4(7) with an ASA 5505 running 8.4(3) to create a config for SSL VPNs. The ASDM didn't configure split-tunneling, so I did that manually by creating the NONAT access list and applying it to the Group Policy. The Anyconnect client connects successfully with the appropriate routes, but I can't get any traffic going to the networks that I've VPNed into. The sanitized config is below. Any thoughts?

Anything in the logs or debugs that you could post as well? The new butchered no nat statements look ok to me.

-ryan
Re: [c-nsp] Flow collector and analysis program
On Wed, 1 Feb 2012, Burak Dikici wrote:

> Could you share your experiences about this subject, and give me some recommendations about how and where I should start with this project? My routers support cflowd.
>
> Kind Regards.

The best place to start would be to search the archives of this mailing list, along with other related lists, such as NANOG and juniper-nsp. Netflow collection and analysis has been discussed several times in the past, and there is lots of good info in the archives.

jms
[c-nsp] prioritize VoIP and Skype traffic in office routers
I would like to improve packet processing prioritization in case of temporary congestion in my gateways (Cisco 1842, C1841-ADVIPSERVICESK9-M) which are serving two small offices in different cities. My ISP (same for both offices) does not support RSVP so I can't make any RSVP requests. In addition, they do not support prioritization based on DSCP or TOS field values. VoIP gateways are located in the office LANs. So far I have come up with the following ideas:

1) Process packets passing the router using CEF (ip cef in global configuration mode). Should I consider changing the load-sharing algorithm? At the moment I use the universal load-sharing algorithm for CEF.

2) Change the interface queuing strategy (currently it's FIFO) for all Fast Ethernet interfaces in the gateways. There are many possibilities like Custom Queuing, CBWFQ, Priority Queuing. Priority Queuing seems to be especially appealing in this scenario: Skype and VoIP traffic would have the highest priority and there isn't a worry that they could take all of the available bandwidth. Any opinions here? Is Priority Queuing a smart decision here?

3) use WRED

For classifying traffic I would use NBAR for Skype (http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbarrm.html) and transport layer protocol + port numbers for VoIP.

Which interface buffer queuing would be the best in the described scenario? Are all three methods reasonable?

PS if any additional information is needed, feel free to ask!

regards,
martin
[c-nsp] QOS for 4948E - 15.0(2)SG3 code
Does anyone have documentation on QOS for the 4948E running 15.0(2)SG3 code? It is significantly different from 12.2(54)SG3. Cisco does not yet have a configuration guide on-line, or at least not under the 4900 switches :(

LR Mack McBride
Network Architect
Re: [c-nsp] ASR1000 - Software Redundancy
Hi,

On Wed, 1 Feb 2012, Christophe Fillot wrote:
> Antonio Soares wrote:
>> Here's how to do it (asr1004):
>>
>> conf t
>>  platform shell
>> end
>> request platform software system shell rp active
>>
>> Then you have Linux :)
>
> Unfortunately not on the latest IOS-XE releases:
>
> ASR_x#request platform software system shell rp active
> Activity within this shell can jeopardize the functioning of the system.
> Are you sure you want to continue? [y/n] y
> Error acquiring an internal services license: Request failed due to no license

Interesting, that's the same message I got. Possibly a reboot is needed after platform shell has been added to the config, but I cannot boot the box in production at the moment.

I did find the following command:

monitor platform software process rp active

on http://www.cisco.com/en/US/products/ps9343/products_tech_note09186a0080af252a.shtml that gives the following top-like output:

top - 17:07:26 up 101 days, 12:58,  0 users,  load average: 0.97, 1.24, 1.36
Tasks: 222 total,   5 running, 217 sleeping,   0 stopped,   0 zombie
Cpu(s): 17.0%us, 43.4%sy,  0.0%ni, 39.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   3944844k total,  3827944k used,   116900k free,   157432k buffers
Swap:        0k total,        0k used,        0k free,  1583916k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
22860 root      20   0  5612 4360 1060 S    4  0.1 1833:12 btrace_rotate.s
25636 root      20   0 2137m 1.2g 181m S    2 32.4 5004:59 linux_iosd-imag
 1770 root      20   0 1457m 375m  37m R    1  9.7 1164:13 fman_fp_image

And yes, I can see that the iosd-image has 2G of RAM on the outside in Linux, although it advertises the following from inside the IOS:

cisco ASR1001 (1RU) processor with 1207124K/6147K bytes of memory.
9 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7782399K bytes of eUSB flash at bootflash:.

It seems that a lot is getting eaten inside the IOS itself. The numbers most probably measure different things like executable and data segment sizes.

We would need an architecture whitepaper to understand this.

The other interesting question is what function the fman_fp_image process has. It seems to have the better part of the other 2 gigs in the box.

> I really wonder who took this stupid decision (and why).

Licensing fun.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de             Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Geschaeftsfuehrer: Christian Kratzer
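Mark's breakdown of how the 4GB is carved up and Christian's "show version" line describe the same box from two sides: Linux top reports what the linux_iosd-imag process really holds, while IOS reports only the pool it was handed. The following script is an added example, not code from this thread, that parses both outputs and gives the numbers a capacity or availability check would want: how many IOSd instances are running (two once software redundancy is on), how much of the RP's RAM they resident-hold, how much Linux has free, and what fraction of physical memory IOS reports to itself. The samples are copied from the outputs posted in this thread (the single-IOSd "monitor platform software process" output, the SSO top output, and the show version lines), trimmed to what the parser needs; the report field names are mine.

```python
import re

# Samples copied from outputs posted in this thread, trimmed to the lines the
# parser needs. TOP_SINGLE is the one-IOSd ASR1001; TOP_SSO is the box with
# software redundancy on, which runs two linux_iosd-imag processes.
TOP_SINGLE = """\
top - 17:07:26 up 101 days, 12:58,  0 users,  load average: 0.97, 1.24, 1.36
Tasks: 222 total,   5 running, 217 sleeping,   0 stopped,   0 zombie
Cpu(s): 17.0%us, 43.4%sy,  0.0%ni, 39.6%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   3944844k total,  3827944k used,   116900k free,   157432k buffers
Swap:        0k total,        0k used,        0k free,  1583916k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
22860 root      20   0  5612 4360 1060 S    4  0.1 1833:12 btrace_rotate.s
25636 root      20   0 2137m 1.2g 181m S    2 32.4 5004:59 linux_iosd-imag
 1770 root      20   0 1457m 375m  37m R    1  9.7 1164:13 fman_fp_image
"""

TOP_SSO = """\
top - 04:10:27 up 12 min,  0 users,  load average: 0.20, 0.61, 0.68
Tasks: 150 total,   2 running, 148 sleeping,   0 stopped,   0 zombie
Mem:   3874968k total,  2115692k used,  1759276k free,   127128k buffers
Swap:        0k total,        0k used,        0k free,  1118852k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
25898 root      20   0  916m 417m 141m R  2.3 11.0   1:17.92 linux_iosd-imag
 2605 root      20   0  915m 452m 137m S  1.3 12.0   1:04.51 linux_iosd-imag
"""

SHOW_VERSION = """\
cisco ASR1001 (1RU) processor with 1207124K/6147K bytes of memory.
4194304K bytes of physical memory.
"""

_UNITS = {"": 1, "k": 1, "m": 1024, "g": 1024 * 1024}


def to_kib(field):
    """Convert a top size column ('4360', '375m', '1.2g') to KiB; bare numbers are KiB."""
    m = re.fullmatch(r"([0-9.]+)([kmg]?)", field.lower())
    if not m:
        raise ValueError(f"unparseable size field: {field!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_top(text):
    """Return (memory summary in KiB, list of process dicts) from Linux top output."""
    mem, procs, in_table = {}, [], False
    for line in text.splitlines():
        if line.startswith("Mem:"):
            mem = {key: int(val) for val, key in re.findall(r"(\d+)k (\w+)", line)}
        elif line.split()[:1] == ["PID"]:
            in_table = True          # every non-blank line after the header is a process
        elif in_table and line.strip():
            f = line.split()
            procs.append({"pid": int(f[0]), "virt": to_kib(f[4]),
                          "res": to_kib(f[5]), "cmd": f[11]})
    return mem, procs


def parse_ios_memory(text):
    """Return (memory IOS reports to itself, physical memory), both in KiB.
    The 'A/B bytes of memory' pair is processor memory / I/O memory."""
    m = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    p = re.search(r"(\d+)K bytes of physical memory", text)
    return int(m.group(1)) + int(m.group(2)), int(p.group(1))


def memory_report(top_text, show_version_text=None):
    """Summarise where the RP's RAM is from the Linux side and, if given, the IOS side."""
    mem, procs = parse_top(top_text)
    iosd = [p for p in procs if p["cmd"].startswith("linux_iosd")]
    iosd_res = sum(p["res"] for p in iosd)
    report = {
        "iosd_instances": len(iosd),                     # 2 means software redundancy is active
        "iosd_res_kib": iosd_res,
        "iosd_res_pct_of_ram": round(100 * iosd_res / mem["total"], 1),
        "linux_free_pct": round(100 * mem["free"] / mem["total"], 1),
    }
    if show_version_text:
        ios_vis, phys = parse_ios_memory(show_version_text)
        report["ios_visible_kib"] = ios_vis
        report["ios_visible_pct_of_physical"] = round(100 * ios_vis / phys, 1)
    return report


if __name__ == "__main__":
    print("single IOSd:", memory_report(TOP_SINGLE, SHOW_VERSION))
    print("SSO:        ", memory_report(TOP_SSO))
```

On the thread's own numbers the single-IOSd box has IOSd resident at roughly a third of RAM with about 3% free at the Linux level, while IOS itself only reports about 29% of physical memory as its own; the SSO box shows two IOSd instances at similar size. The script only reports; whether that headroom is enough for a couple of full BGP tables is the judgement Mark's message makes.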
Re: [c-nsp] ASR1000 - Software Redundancy
Strange, I'm running 3.4.2S. Can you try after adding "service internal" to the global configuration?

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: Christophe Fillot [mailto:c...@utc.fr]
Sent: Wednesday, 1 February 2012 15:58
To: Antonio Soares
Cc: 'Christian Kratzer'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1000 - Software Redundancy

Antonio Soares wrote:
> Here's how to do it (asr1004):
>
> conf t
>  platform shell
> end
> request platform software system shell rp active
>
> Then you have Linux :)

Unfortunately not on the latest IOS-XE releases:

ASR_x#request platform software system shell rp active
Activity within this shell can jeopardize the functioning of the system. Are you sure you want to continue? [y/n] y
Error acquiring an internal services license: Request failed due to no license

I really wonder who took this stupid decision (and why).
Re: [c-nsp] prioritize VoIP and Skype traffic in office routers
Martin,

It depends on your ISP connections. If Ethernet, then it's probably rate limited by the ISP in one or both directions. If so, plain prioritization won't help alone; you'll need to police/shape yourself, but send the VoIP/Skype first. It's do-able. If your circuits are T1 or something else that is essentially line-rate to/from you, then prioritization alone will work. NBAR is good for VoIP; Skype I'm not so sure about, haven't tried it. Changing the CEF load sharing won't have any effect.

Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Martin T
Sent: Wednesday, February 01, 2012 10:57 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] prioritize VoIP and Skype traffic in office routers

I would like to improve packet processing prioritization in case of temporary congestion in my gateways (Cisco 1842, C1841-ADVIPSERVICESK9-M) which are serving two small offices in different cities. My ISP (same for both offices) does not support RSVP, so I can't make any RSVP requests. In addition, they do not support prioritization based on DSCP or TOS field values. VoIP gateways are located in office LANs. So far I have come up with the following ideas:

1) Process packets passing the router using CEF (ip cef in global configuration mode). Should I consider changing the load-sharing algorithm? At the moment I use the universal load-sharing algorithm for CEF.

2) Change the interface queuing strategy (currently it's FIFO) for all Fast Ethernet interfaces in the gateways. There are many possibilities like Custom Queuing, CBWFQ, Priority Queuing. Priority Queuing seems to be especially appealing in this scenario: Skype and VoIP traffic would have the highest priority and there isn't a worry that they could take all of the available bandwidth. Any opinions here? Is Priority Queuing a smart decision here?

3) use WRED

For classifying traffic I would use NBAR for Skype (http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbarrm.html) and transport layer protocol + port numbers for VoIP.

Which interface buffer queuing would be the best in the described scenario? Are all three methods reasonable?

PS if any additional information is needed, feel free to ask!

regards,
martin
Re: [c-nsp] ASR1000 - Software Redundancy
Antonio Soares wrote:
> Strange, I'm running 3.4.2S. Can you try after adding the service internal into the global configuration?

I already had it in the config. Same message if I remove it. I'm using 3.4.0aS: asr1001-universalk9.03.04.00a.S.151-3.S0a.bin

Maybe newer releases don't have this limit.

About the memory allocated to IOSd processes: iirc they are a bit similar to IOU and they are started by a script which specifies the amount of memory to use:

# show platform software process environment ios rp active
[...]
PROCESS linux_iosd-image
PROCESS_ARGUMENTS -n 32768 -m 1400 -c /config
NETIO_NETMAP /usr/binos/bin/rp/NETMAP

Maybe it would be possible to change the value for the -m parameter, but that would be unsupported.
Re: [c-nsp] QOS for 4948E - 15.0(2)SG3 code
On Feb 1, 2012, at 10:04 AM, Mack McBride wrote:
> Does anyone have documentation on QOS for the 4948E running 15.0(2)SG3 code? It is significantly different from 12.2(54)SG3. Cisco does not yet have a configuration guide on-line or at least not under the 4900 switches :(

Replies to list appreciated. I've not run across this yet, but I'm sure I will soon and heads-up info would be helpful.

--Chris
Re: [c-nsp] ASR1000 - Software Redundancy
Antonio Soares wrote:
> Here's how to do it (asr1004):
>
> conf t
> platform shell
> end
> request platform software system shell rp active
>
> Then you have Linux :)

Unfortunately not on the latest IOS-XE releases:

ASR_x#request platform software system shell rp active
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Error acquiring an internal services license: Request failed due to no license

I really wonder who took this stupid decision (and why).
Re: [c-nsp] ASR1000 - Software Redundancy
On Wednesday, February 01, 2012 09:29:16 PM Christian Kratzer wrote:
> this is explicitly without any software redundancy and the IOS still only sees 1G of the potential 2G it should be seeing.

I can't tell you about the ASR1001. I've only seen this on the ASR1002 and above, as well as all IOS XR-based systems.

Maybe there's something minutely different about the ASR1001. Keep tracking this as you move between images; it may be related.

Mark.
Re: [c-nsp] prioritize VoIP and Skype traffic in office routers
On Wednesday, February 01, 2012 11:56:53 PM Martin T wrote:
> I would like to improve packet processing prioritization in case of temporary congestion in my gateways (Cisco 1842, C1841-ADVIPSERVICESK9-M) which are serving two small offices in different cities. My ISP (same for both offices) does not support RSVP, so I can't make any RSVP requests.

You mean as in trying to signal RSVP-based resource reservation from your network to your ISP's network? As in IntServ?

> In addition, they do not support prioritization based on DSCP or TOS field values. VoIP gateways are located in office LANs.

Well, if your ISP won't support QoS, how would you expect to have your QoS policy implemented end-to-end? If you implemented it on your routers, it would only be on in your network. Once your QoS'ed packets enter your ISP's network, they won't be given any corresponding treatment.

Unless I'm missing something...

Mark.
Re: [c-nsp] ASR1000 - Software Redundancy
Hi,

On Wed, 1 Feb 2012, Christophe Fillot wrote:
> Antonio Soares wrote:
> > Strange, I'm running 3.4.2S. Can you try after adding the service internal into the global configuration?
>
> I already had it in the config. Same message if I remove it. I'm using 3.4.0aS: asr1001-universalk9.03.04.00a.S.151-3.S0a.bin
>
> Maybe newer releases don't have this limit.
>
> About the memory allocated to IOSd processes: iirc they are a bit similar to IOU and they are started by a script which specifies the amount of memory to use:
>
> # show platform software process environment ios rp active
> [...]
> PROCESS linux_iosd-image
> PROCESS_ARGUMENTS -n 32768 -m 1400 -c /config
> NETIO_NETMAP /usr/binos/bin/rp/NETMAP
>
> Maybe it would be possible to change the value for the -m parameter, but that would be unsupported.

unsupported but very interesting. Now if I only had one of these boxes in a lab ...

From what I see there does not seem to be much room on a 4G box to raise these limits unless one lowers something else.

Greetings
Christian
--
Christian Kratzer                   CK Software GmbH
Email: c...@cksoft.de               Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0         D-71126 Gaeufelden
Fax:   +49 7032 893 997 - 9         HRB 245288, Amtsgericht Stuttgart
Web:   http://www.cksoft.de/        Geschaeftsfuehrer: Christian Kratzer
Re: [c-nsp] prioritize VoIP and Skype traffic in office routers
Mark:

> You mean as in trying to signal RSVP-based resource reservation from your network to your ISP's network? As in IntServ?

I thought manual RSVP reservation. For example there are four routers:

gateway_A - ISP_router_A - ISP_router_B - gateway_B

gateway_A and gateway_B would be under my management. I thought to configure ip rsvp sender and ip rsvp reservation on both gateway devices, but as much as I understand, this still requires the ISP to configure its router interfaces for handling RSVP requests.

> Well, if your ISP won't support QoS, how would you expect to have your QoS policy implemented end-to-end? If you implemented it on your routers, it would only be on in your network. Once your QoS'ed packets enter your ISP's network, they won't be given any corresponding treatment.

I don't expect my QoS policy to be implemented end-to-end as my ISP doesn't support this. All I would like to ensure is that prioritized traffic (VoIP and Skype) would get processed in my routers as fast as possible.

Chuck, yes, it's Ethernet and my connection speed is limited in the ISP edge routers using CAR (basically rate-limit input/rate-limit output; exceed-action drop). So for example in case my connection speed is 20Mbps in both directions (set by ISP), then I should traffic-shape or rate-limit my traffic to 20Mbps already in my gateways (this brings the possible congestion point to my routers) and configure for example Priority Queueing for VoIP and Skype traffic. Did I understand you correctly? In addition, why do you prefer NBAR for VoIP while this should be doable using an extended access-list as well?

regards,
martin

On 1 February 2012 18:30, Chuck Church chuckchu...@gmail.com wrote:
> Martin,
>
> It depends on your ISP connections. If Ethernet, then it's probably rate limited by the ISP in one or both directions. If so, plain prioritization won't help alone; you'll need to police/shape yourself, but send the VoIP/Skype first. It's do-able. If your circuits are T1 or something else that is essentially line-rate to/from you, then prioritization alone will work. NBAR is good for VoIP; Skype I'm not so sure about, haven't tried it. Changing the CEF load sharing won't have any effect.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Martin T
> Sent: Wednesday, February 01, 2012 10:57 AM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] prioritize VoIP and Skype traffic in office routers
>
> I would like to improve packet processing prioritization in case of temporary congestion in my gateways (Cisco 1842, C1841-ADVIPSERVICESK9-M) which are serving two small offices in different cities. My ISP (same for both offices) does not support RSVP, so I can't make any RSVP requests. In addition, they do not support prioritization based on DSCP or TOS field values. VoIP gateways are located in office LANs. So far I have come up with the following ideas:
>
> 1) Process packets passing the router using CEF (ip cef in global configuration mode). Should I consider changing the load-sharing algorithm? At the moment I use the universal load-sharing algorithm for CEF.
>
> 2) Change the interface queuing strategy (currently it's FIFO) for all Fast Ethernet interfaces in the gateways. There are many possibilities like Custom Queuing, CBWFQ, Priority Queuing. Priority Queuing seems to be especially appealing in this scenario: Skype and VoIP traffic would have the highest priority and there isn't a worry that they could take all of the available bandwidth. Any opinions here? Is Priority Queuing a smart decision here?
>
> 3) use WRED
>
> For classifying traffic I would use NBAR for Skype (http://www.cisco.com/en/US/docs/ios/12_4t/qos/configuration/guide/qsnbarrm.html) and transport layer protocol + port numbers for VoIP.
>
> Which interface buffer queuing would be the best in the described scenario? Are all three methods reasonable?
>
> PS if any additional information is needed, feel free to ask!
>
> regards,
> martin
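The plan Martin and Chuck converge on (shape to the ISP's CAR rate on the gateway so the queue forms where you control it, then serve VoIP/Skype first from that queue) maps onto an MQC hierarchical policy. The configuration below is an added example for this thread, not anything Martin or Chuck posted; the WAN interface name, the 20 Mbps rate, the RTP/SIP port ranges and the 30% priority share are assumptions for illustration, and `match protocol skype` assumes the NBAR image in use recognises the skype protocol.

```cisco
! Added example (not from the thread). Assumptions: FastEthernet0/0 is the
! WAN uplink, the ISP polices at 20 Mbps, voice uses the usual Cisco RTP
! range and SIP on UDP/5060, and the image's NBAR knows "skype".

! Classify VoIP by protocol + port (Martin's extended ACL idea) ...
ip access-list extended VOICE-BEARER
 remark assumption: RTP media range of Cisco voice gateways, plus SIP signalling
 permit udp any any range 16384 32767
 permit udp any any eq 5060
!
! ... and Skype via NBAR, since it has no fixed ports.
class-map match-any REALTIME
 match access-group name VOICE-BEARER
 match protocol skype
!
! Child policy: low-latency queueing. "priority" gives REALTIME strict
! priority but polices it to 30% of the parent's shaped rate under
! congestion, so unlike legacy Priority Queueing it cannot starve
! class-default. Everything else gets flow-based fair queueing.
policy-map LLQ-CHILD
 class REALTIME
  priority percent 30
 class class-default
  fair-queue
!
! Parent policy: shape the whole interface to the ISP's policer rate so the
! congestion point (and the drop decision) moves from the ISP's CAR into
! this shaper's queue, where the child policy decides what goes first.
policy-map SHAPE-TO-ISP
 class class-default
  shape average 20000000
  service-policy LLQ-CHILD
!
interface FastEthernet0/0
 description WAN uplink to ISP (assumption)
 service-policy output SHAPE-TO-ISP
```

Apply the same pair of policies on the gateway at the other office. `show policy-map interface FastEthernet0/0` shows per-class offered rate, queue depth and drops, which is the quickest way to confirm that drops land in class-default rather than in REALTIME when the link is saturated. Inbound from the ISP nothing on the gateway can prevent the ISP's policer from dropping, so the outbound shaper is the part that actually buys something.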
[c-nsp] Cisco Router - L2L VPN and Remote Access VPN on same Router Example
Does anyone have an example of a Cisco Router that has a L2L VPN and a Remote Access VPN with xAuth? I can get one or the other working, but not both. For some reason the L2L VPN wants to use XAuth, causing it not to work. Just need the crypto * and the aaa * commands.

Thanks

Erik
Re: [c-nsp] prioritize VoIP and Skype traffic in office routers
On Thursday, February 02, 2012 08:58:53 AM Martin T wrote:
> I thought manual RSVP reservation. For example there are four routers:
>
> gateway_A - ISP_router_A - ISP_router_B - gateway_B
>
> gateway_A and gateway_B would be under my management. I thought to configure ip rsvp sender and ip rsvp reservation on both gateway devices, but as much as I understand, this still requires the ISP to configure its router interfaces for handling RSVP requests.

You're talking about IntServ, which was signaling of reservations via RSVP on a global basis. This never quite took off, as there was no feasible way to scale the Internet if it was full of RSVP reservations across many different ISPs.

Even DSCP rarely crosses AS boundaries (by rarely I mean that you can find DSCP crossing AS boundaries in VPN NNI arrangements, but not much else).

> I don't expect my QoS policy to be implemented end-to-end as my ISP doesn't support this. All I would like to ensure is that prioritized traffic (VoIP and Skype) would get processed in my routers as fast as possible.

Okay, that makes sense then.

As some posters have already mentioned, if you're trying to avoid congestion or microburst-induced drops at your border router, then implementing QoS there might certainly help to ensure you deliver your important traffic to the ISP first.

Mark.