[c-nsp] WS-X6704-10GE, WS-X6708-10GE
Hi, List!

Maybe these questions were discussed earlier... can't find it... Please give me some links then.

I'm trying to clarify my understanding of switching paths on these line cards. From one point of view, Cisco docs say that if the traffic should ingress via one port on the line card and then should egress through another port on the same line card it will never leave this line card. So it will be switched via internal bus. Right?

At one of our POPs we have Cisco 7606-S chassis with the following:

Mod Ports Card Type                              Model
--- ----- -------------------------------------- ------------------
  2     4 CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE
  3    48 CEF720 48 port 1000mb SFP              WS-X6748-SFP
  4    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  5     2 Route Switch Processor 720 (Active)    RSP720-3CXL-GE

At peaks we see total ingress traffic on all 10GE ports around 30-32Gbps and increase of overruns on all 10GE ports. Utilization of the fabric and forwarding performance are as follows:

Switch Fabric Resources
  Bus utilization: current: 10%, peak was 51% at 21:31:26 EET Sat Feb 18 2012
  Fabric utilization:     Ingress                    Egress
    Module  Chanl  Speed  rate  peak                 rate  peak
    2       0        20G   15%   46% @22:57 30Jan12   15%   49% @22:02 31Jan12
    2       1        20G   15%   49% @20:08 01Feb12   15%   46% @20:14 25Feb12
    3       0        20G    0%    2% @10:49 02Feb12    0%    1% @14:16 30Jan12
    3       1        20G    1%    1% @14:16 30Jan12    0%    2% @19:25 30Jan12
    4       0        20G    1%   16% @19:22 11Feb12    3%   11% @19:40 04Feb12
    4       1        20G    3%    9% @22:23 31Jan12    1%   10% @19:23 11Feb12
    5       0        20G    0%    1% @14:16 30Jan12    0%    2% @21:24 10Feb12
  Switching mode: Module  Switching mode
                  2       compact
                  3       compact
                  4       compact
                  5       compact

L2 Forwarding Resources
  MAC Table usage:   Module  Collisions  Total   Used  %Used
                     5                0  98304    292     1%
  VPN CAM usage:                         Total   Used  %Used
                                           512      0     0%

L3 Forwarding Resources
  Module  FIB TCAM usage:                 Total    Used  %Used
  5       72 bits (IPv4, MPLS, EoM)      524288   13963     3%
          144 bits (IP mcast, IPv6)      262144     316     1%

          detail:  Protocol      Used  %Used
                   IPv4          7057     1%
                   MPLS          6897     1%
                   EoM              9     1%
                   IPv6           117     1%
                   IPv4 mcast     196     1%
                   IPv6 mcast       3     1%

          Adjacency usage:   Total    Used  %Used
                           1048576    7759     1%

  Forwarding engine load:
          Module       pps   peak-pps  peak-time
          5        1965007   10703659  21:31:21 EET Sat Feb 18 2012

Actually, typical PPS is about 5-6 millions at peak times in evening and bus utilization is about 20%.

I made simple calculations and found that about 16Gbps switched via internal bus at line card and about 14-15 Gbps switched via fabric. So the problem is internal 16Gbps (actually 16Gbps+16Gbps?) bus on linecard. So, the possible solution seems to install additional 6704 line card and distribute links between them according to main traffic flows.

Is it correct that CFC is not an issue in this particular situation? D-Bus is not overutilized yet. I agree that this is good to install DFC daughter cards (or even 6708 with DFC), but not now. I know that WS-X6708 much better option (and it is DFC), but now we have no possibility to replace all 6704 by 6708 ones.

Is it all correct or I'm missing something? Is it possible somehow to disable switching via internal bus on linecard and reroute all traffic via fabric?

Similar problem was found on another router with WS-X6708 line card. After swapping some 10GE links between ports most part of traffic starts to go via fabric. And overruns disappeared.

Thanks in advance!

--
Sincerely yours,
Artyom Viklenko.
---
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net   | JID: ar...@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
Re: [c-nsp] replacing CARP with Cisco possible ?
Hi,

any idea how other providers offer such redundancy to end customers (if they do at all) ?
We have a mass of customers with /29 or /28 networks and losing IPs isn't an option in such cases imo.
Using bigger networks would require giving up vlan separation each customer, no option either.

regards
Rolf

> On Thu, 2012-03-01 at 16:30 +0100, Rolf Hanßen wrote:
>
>> Is there a way to configure virtual IPs that do not belong to the hard-coded network (ip address x.x.x.x y.y.y.y) of the interface ? I see that it is possible to configure other IPs, but this results in a warning and there is no possibility to set the netmask at all.
>
> I was wondering the same some years ago. Take a look at this thread:
> http://puck.nether.net/pipermail/cisco-nsp/2007-November/045409.html
>
> We never got it to work. ARP requests are sourced from the real address, and you cannot add a connected static route for a VRF enabled interface, i.e. ip route vrf A 192.168.1.0 255.255.255.0 Vlan50 fails. Also keep in mind that TTL exceeded replies (traceroute) would source from the real interface address.
>
>> Is there a possibility to have static routes that are only active if the node has enabled the virtual IP ?
>
> This in itself would be possible with an EEM script that follows the HSRP log messages and adjusts the configuration. It would trigger a configuration change, so Rancid or whatever you might use would log a change every time the HSRP state changes.
>
>> Is there anything else to take care of ? Any limitations except the 4096 HSRP-IDs ?
>
> That's 256 for HSRPv1 by the way.
>
> --
> Peter

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
without DFC cards, some work/decisions still have to go to the supervisor. DFC (distributed) is what gives your modules autonomy

alan
[c-nsp] A switch with PoE support and powered by 48V DC
Colleagues,

I need a switch with PoE support and powered by 48V DC, do you know of such?

TIA for any advice.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
On 2012-03-02 09:13, Artyom Viklenko wrote:

> I'm trying to clarify my understanding of switching paths on these line cards. From one point of view, Cisco docs say that if the traffic should ingress via one port on the line card and then should egress through another port on the same line card it will never leave this line card. So it will be switched via internal bus. Right?

No, and if it says so somewhere, please point it to the doc team to fix it.

Both 6704 and 6708 have two complexes of Fabric ASICs. The 6708 you can see on figure 21 here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

The port mappings for Fabric ASICs should be found in the hardware installation notes under the 'Switch fabric connections' in the tables for specific LC:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/02ethern.html#wp1048010

Essentially, traffic from one Fabric ASIC to the ports on the other Fabric ASIC will go over the fabric itself. Only traffic belonging to the same Fabric ASIC will be switched locally if of course there's a DFC installed.

--
There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromir...@jabber.org
 about.               John von Neumann  |    http://lukasz.bromirski.net
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
On 02.03.2012 13:07, Łukasz Bromirski wrote:

> On 2012-03-02 09:13, Artyom Viklenko wrote:
>
>> I'm trying to clarify my understanding of switching paths on these line cards. From one point of view, Cisco docs say that if the traffic should ingress via one port on the line card and then should egress through another port on the same line card it will never leave this line card. So it will be switched via internal bus. Right?
>
> No, and if it says so somewhere, please point it to the doc team to fix it.
>
> Both 6704 and 6708 have two complexes of Fabric ASICs. The 6708 you can see on figure 21 here:
> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html
>
> The port mappings for Fabric ASICs should be found in the hardware installation notes under the 'Switch fabric connections' in the tables for specific LC:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/02ethern.html#wp1048010
>
> Essentially, traffic from one Fabric ASIC to the ports on the other Fabric ASIC will go over the fabric itself. Only traffic belonging to the same Fabric ASIC will be switched locally if of course there's a DFC installed.

ok. Now I see

Switch Fabric Resources
  Bus utilization: current: 13%, peak was 51% at 21:31:26 EET Sat Feb 18 2012
  Fabric utilization:     Ingress                    Egress
    Module  Chanl  Speed  rate  peak                 rate  peak
    2       0        20G   23%   46% @22:57 30Jan12   18%   49% @22:02 31Jan12
    2       1        20G   21%   49% @20:08 01Feb12   25%   46% @20:14 25Feb12

I.e. 4,6 Gbps on channel 0 and 4,2 Gbps on channel 1. No DFC on module. Total input on all four 10GE ~ 19 Gbps. Fabric switching only 8,8 Gbps.

Similar approach I see on 6708 with DFC. Some part of traffic goes via fabric and some in line card itself.

AFAIK, presence of DFC influences only forwarding decisions process (and policing, for example) but not on moving traffic itself?

Anyway, if traffic should be switched in ASIC what are the limitations in terms of bandwidth or PPS?

--
Sincerely yours,
Artyom Viklenko.
---
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net   | JID: ar...@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
On (2012-03-02 12:07 +0100), Łukasz Bromirski wrote:

> Essentially, traffic from one Fabric ASIC to the ports on the belonging to the same Fabric ASIC will be switched locally if of course there's a DFC installed.

You don't need DFC for this, DFC has nothing to do with moving actual bits, it is just for lookups.

So without DFC, you're still asking over DBUS from SUP PFC about egress, but once answer from RBUS comes, you're copying inside the linecard the packet to egress, without going through fabric.

--
++ytti
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
On 2012-03-02 12:50, Saku Ytti wrote:

> On (2012-03-02 12:07 +0100), Łukasz Bromirski wrote:
>
>> Essentially, traffic from one Fabric ASIC to the ports on the belonging to the same Fabric ASIC will be switched locally if of course there's a DFC installed.
>
> You don't need DFC for this, DFC has nothing to do with moving actual bits, it is just for lookups.

That was my oversimplification. What I've meant to say, if the DFC is installed the process will be just as simple. For CFC, the process of moving the data will be similar, but will require request and answer from Sup over the shared bus.

> So without DFC, you're still asking over DBUS from SUP PFC about egress, but once answer from RBUS comes, you're copying inside the linecard the packet to egress, without going through fabric.

Yes.

--
There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromir...@jabber.org
 about.               John von Neumann  |    http://lukasz.bromirski.net
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
On 2012-03-02 12:44, Artyom Viklenko wrote:

> Switch Fabric Resources
>   Bus utilization: current: 13%, peak was 51% at 21:31:26 EET Sat Feb 18 2012
>   Fabric utilization:     Ingress                    Egress
>     Module  Chanl  Speed  rate  peak                 rate  peak
>     2       0        20G   23%   46% @22:57 30Jan12   18%   49% @22:02 31Jan12
>     2       1        20G   21%   49% @20:08 01Feb12   25%   46% @20:14 25Feb12
>
> I.e. 4,6 Gbps on channel 0 and 4,2 Gbps on channel 1. No DFC on module. Total input on all four 10GE ~ 19 Gbps. Fabric switching only 8,8 Gbps.
>
> Similar approach I see on 6708 with DFC. Some part of traffic goes via fabric and some in line card itself.

That's normal for non-optimized traffic patterns, so in real life :)

You can check for example using NetFlow, if there are flows that could be optimized within one Port ASIC on one LC. Some people decide it's worth and do it, some skip it.

> AFAIK, presence of DFC influences only forwarding decisions process (and policing, for example) but not on moving traffic itself?

Yes, see my answer to Ytti.

> Anyway, if traffic should be switched in ASIC what are the limitations in terms of bandwidth or PPS?

The bandwidth for 6704 is line rate of front ports, as it connects using 2x20Gbit/s channels to the fabric. The DFC however is limited to 48Mpps and the traffic through the fabric uses additional headers. So if you have 4 10GE ports doing forwarding for 64B packets fully locally, it will be 4x14.8Mpps=59.2Mpps, while the DFC can only do 48Mpps.

Depending on your traffic profile, you'll either hit PPS limitation of the DFC (or the centrally located PFC) or the bandwidth constraint for the 64B packets (DDoS for example).

--
There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromir...@jabber.org
 about.               John von Neumann  |    http://lukasz.bromirski.net
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
On 02.03.2012 13:03, Dmitry Valdov wrote:

> I had a similar problem a few months ago. I saw overruns and loss of packets when much traffic flowed from one port of 6704 to another port of the same card. (Actually it was port mirroring).
>
> The problem was fixed by configuring fabric buffer-reserve low (or medium).

Hm.. this increases space for incoming packets? Correct? Interesting. Do I need to reload router after this command is applied?

> On Fri, 2 Mar 2012, Artyom Viklenko wrote:
>
>> On 02.03.2012 12:03, Alan Buxey wrote:
>>
>>> without DFC cards, some work/decisions still have to go to the supervisor. DFC (distributed) is what gives your modules autonomy
>>>
>>> alan
>>
>> This is already clear. :) The only not-so-clear thing now is the internals of these line cards.
>>
>> Thank you!

--
Sincerely yours,
Artyom Viklenko.
---
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net   | JID: ar...@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
Re: [c-nsp] A switch with PoE support and powered by 48V DC
On 02/03/2012 14:50, David Farrell wrote:

> On 02/03/2012 10:01, Victor Sudakov wrote:
>
>> Colleagues,
>>
>> I need a switch with PoE support and powered by 48V DC, do you know of such?
>>
>> TIA for any advice.
>
> Hi Victor,
>
> If you are looking for PoE access switches, I believe the 3560-E and -X series might be worth looking at as there are some DC power options for that series.
>
> David.

The ME3600X/ME3800X also have DC power options.

David.
Re: [c-nsp] A switch with PoE support and powered by 48V DC
On 02/03/2012 10:01, Victor Sudakov wrote:

> Colleagues,
>
> I need a switch with PoE support and powered by 48V DC, do you know of such?
>
> TIA for any advice.

Hi Victor,

If you are looking for PoE access switches, I believe the 3560-E and -X series might be worth looking at as there are some DC power options for that series.

David.
Re: [c-nsp] A switch with PoE support and powered by 48V DC
On 02/03/2012 14:55, David Farrell wrote:

> On 02/03/2012 14:50, David Farrell wrote:
>
>> On 02/03/2012 10:01, Victor Sudakov wrote:
>>
>>> Colleagues,
>>>
>>> I need a switch with PoE support and powered by 48V DC, do you know of such?
>>>
>>> TIA for any advice.
>>
>> Hi Victor,
>>
>> If you are looking for PoE access switches, I believe the 3560-E and -X series might be worth looking at as there are some DC power options for that series.
>>
>> David.
>
> The ME3600X/ME3800X also have DC power options.
>
> David.

However, no PoE in ME switches (it's definitely Friday afternoon with me).

David.
Re: [c-nsp] WS-X6704-10GE, WS-X6708-10GE
Hi!

No reload required. I guess this command increases buffers between a card and fabric.

Well.. When a packet arrives.. It must come to the fabric and return back to the card.. What happens when two packets arrive at the same time?

On Fri, 2 Mar 2012, Artyom Viklenko wrote:

> On 02.03.2012 13:03, Dmitry Valdov wrote:
>
>> I had a similar problem a few months ago. I saw overruns and loss of packets when much traffic flowed from one port of 6704 to another port of the same card. (Actually it was port mirroring).
>>
>> The problem was fixed by configuring fabric buffer-reserve low (or medium).
>
> Hm.. this increases space for incoming packets? Correct? Interesting. Do I need to reload router after this command is applied?
>
>> On Fri, 2 Mar 2012, Artyom Viklenko wrote:
>>
>>> On 02.03.2012 12:03, Alan Buxey wrote:
>>>
>>>> without DFC cards, some work/decisions still have to go to the supervisor. DFC (distributed) is what gives your modules autonomy
>>>>
>>>> alan
>>>
>>> This is already clear. :) The only not-so-clear thing now is the internals of these line cards.
>>>
>>> Thank you!
>
> --
> Sincerely yours,
> Artyom Viklenko.
> ---
> ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
> ar...@viklenko.net   | JID: ar...@jabber.aws-net.org.ua
> FreeBSD: The Power to Serve - http://www.freebsd.org

--
Dmitry Valdov
CCIE #15379 (RS and SP)
[c-nsp] Cisco BPX Repairing BXM Module NVRAM
Hello Everyone,

I'm trying to repair a BPX 8620 BPX-BXM-155-8DX card that has a bad NVRAM chip. I have successfully replaced the chip, however now I need to burn the board identification values to it. These values include the board serial number so copying over the values from another card won't be an option.

There is an official method of doing this. When logged in as the StrataCom user I found the command setnovram that walks me through resetting everything. However before the changes can be written to NVRAM it asks for a password.

Has anyone on the list successfully used this command and know the password? I have tried all system passwords (Service, SuperUser, StrataCom) without success.

Thanks

--
Victor Matherly
[c-nsp] Config Backups
Quick question/poll

What is everyone using for router/switch/firewall config backups? Is rancid still the one to use?

Thanks

Erik

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.
Re: [c-nsp] Config Backups
It's all about RANCID. Easy, very easy to modify and just works. That's my opinion anyway.

Thanks
Scott

On Mar 2, 2012, at 2:57 PM, Erik Sundberg wrote:

> Quick question/poll
>
> What is everyone using for router/switch/firewall config backups? Is rancid still the one to use?
>
> Thanks
>
> Erik
Re: [c-nsp] Config Backups
...If you don't mind paying.. we're using kiwicattools to backup thousands of devices.

/fRank

Sent from my iPhone

On 3 Mar, 2012, at 3:57 AM, Erik Sundberg esundb...@nitelusa.com wrote:

> Quick question/poll
>
> What is everyone using for router/switch/firewall config backups? Is rancid still the one to use?
>
> Thanks
>
> Erik
Re: [c-nsp] Config Backups
We are actually using 2 commercial products today;

1. Cisco Works
2. HP Network Automation

And one home grown script on Linux that runs out and grabs the config on all firewall enabled routers every night to assure that the firewall is still applied - some of our techs disable firewall while troubleshooting issues and forget to re-enable it.

We initially used Cisco Works only - then the security group developed the Linux script for the reason stated above. After a few negative audit findings we purchased HP NA for the same thing so I suspect we will disable the Linux script.

HP NA has turned out to be the easier product to use to fetch the old config. We can compare current config to any previous config, we can see each configuration change that has been made and we also use it for change management on firewall enabled devices. If a change is made outside of the tool then an event is triggered that the security group will investigate. A pricy tool that has a lot of advantages over Cisco Works and TAC/ACS mostly in the area of user friendliness.

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Sundberg
Sent: Friday, March 02, 2012 1:57 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Config Backups

Quick question/poll

What is everyone using for router/switch/firewall config backups? Is rancid still the one to use?

Thanks

Erik
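Added example, not part of the original thread and not the script described in the message above: one way such a nightly check over config backups could look in Python. It assumes "firewall applied" means `ip access-group` or `ip inspect` lines on interfaces; the hostname, ACL names and both configs are constructed.

```python
"""Compare tonight's IOS config backup with a known-good baseline and report
interfaces whose firewall binding was removed or left pointing at nothing."""
import re

IFACE_RE = re.compile(r"^interface (\S+)")
# Assumption: these interface lines are what "the firewall" means here.
BINDING_RE = re.compile(r"^ ip (access-group \S+ (?:in|out)|inspect \S+ (?:in|out))$")
ACL_DEF_RE = re.compile(r"^(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+) )")

# Constructed sample: last known-good backup of one router.
BASELINE = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface GigabitEthernet0/1
 description customer LAN
 ip address 198.51.100.1 255.255.255.248
 ip access-group LAN-IN in
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 198.51.100.2 eq 443
 deny ip any any log
ip access-list extended LAN-IN
 permit ip 198.51.100.0 0.0.0.7 any
!
"""

# Constructed sample: tonight's backup after troubleshooting. The ACL was
# unbound from Gi0/0, and the LAN-IN ACL itself was deleted while Gi0/1 still
# references it (IOS passes all packets for an ACL that is not defined).
TONIGHT = (BASELINE
           .replace(" ip access-group OUTSIDE-IN in\n", "")
           .replace("ip access-list extended LAN-IN\n"
                    " permit ip 198.51.100.0 0.0.0.7 any\n", ""))


def firewall_bindings(config):
    """Map each interface name to the set of ACL/inspect lines bound to it."""
    bindings, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            bindings[current] = set()
        elif current and line.startswith(" "):
            b = BINDING_RE.match(line.rstrip())
            if b:
                bindings[current].add(b.group(1))
        else:
            current = None  # any unindented line ends the interface block
    return bindings


def defined_acls(config):
    """Names/numbers of ACLs that actually have a definition in the config."""
    names = set()
    for line in config.splitlines():
        m = ACL_DEF_RE.match(line)
        if m:
            names.add(m.group(1) or m.group(2))
    return names


def audit(baseline, current):
    """Return sorted (interface, finding) tuples; an empty list means compliant."""
    findings = []
    now = firewall_bindings(current)
    acls = defined_acls(current)
    for iface, expected in firewall_bindings(baseline).items():
        if iface not in now:
            if expected:
                findings.append((iface, "interface missing from config"))
            continue
        for binding in sorted(expected - now[iface]):
            findings.append((iface, "removed: ip " + binding))
        for binding in sorted(now[iface]):
            kind, name = binding.split()[:2]
            if kind == "access-group" and name not in acls:
                findings.append((iface, "ACL not defined: " + name))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(BASELINE, TONIGHT):
        print(f"{iface}: {finding}")
```

Checking that a bound ACL is still defined catches the case where the binding line survives but the rule set behind it was deleted, which a plain text search for `access-group` would miss.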
Re: [c-nsp] Config Backups
I have also used Solarwinds' tool - NCM (formerly known as Cirrus). Works well with a nice interface, but obviously is not free. I believe it is licensed per device.

Josh

On Fri, Mar 2, 2012 at 3:53 PM, Rick Martin rick.mar...@arkansas.gov wrote:

> We are actually using 2 commercial products today;
>
> 1. Cisco Works
> 2. HP Network Automation
>
> And one home grown script on Linux that runs out and grabs the config on all firewall enabled routers every night to assure that the firewall is still applied - some of our techs disable firewall while troubleshooting issues and forget to re-enable it.
>
> We initially used Cisco Works only - then the security group developed the Linux script for the reason stated above. After a few negative audit findings we purchased HP NA for the same thing so I suspect we will disable the Linux script.
>
> HP NA has turned out to be the easier product to use to fetch the old config. We can compare current config to any previous config, we can see each configuration change that has been made and we also use it for change management on firewall enabled devices. If a change is made outside of the tool then an event is triggered that the security group will investigate. A pricy tool that has a lot of advantages over Cisco Works and TAC/ACS mostly in the area of user friendliness.
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Sundberg
> Sent: Friday, March 02, 2012 1:57 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Config Backups
>
> Quick question/poll
>
> What is everyone using for router/switch/firewall config backups? Is rancid still the one to use?
>
> Thanks
>
> Erik
Re: [c-nsp] Config Backups
Kiwi Catools works great.

Alex Moya

On Fri, Mar 2, 2012 at 3:59 PM, Josh Baird joshba...@gmail.com wrote:

> I have also used Solarwinds' tool - NCM (formerly known as Cirrus). Works well with a nice interface, but obviously is not free. I believe it is licensed per device.
>
> Josh
>
> On Fri, Mar 2, 2012 at 3:53 PM, Rick Martin rick.mar...@arkansas.gov wrote:
>
>> We are actually using 2 commercial products today;
>>
>> 1. Cisco Works
>> 2. HP Network Automation
>>
>> And one home grown script on Linux that runs out and grabs the config on all firewall enabled routers every night to assure that the firewall is still applied - some of our techs disable firewall while troubleshooting issues and forget to re-enable it.
>>
>> We initially used Cisco Works only - then the security group developed the Linux script for the reason stated above. After a few negative audit findings we purchased HP NA for the same thing so I suspect we will disable the Linux script.
>>
>> HP NA has turned out to be the easier product to use to fetch the old config. We can compare current config to any previous config, we can see each configuration change that has been made and we also use it for change management on firewall enabled devices. If a change is made outside of the tool then an event is triggered that the security group will investigate. A pricy tool that has a lot of advantages over Cisco Works and TAC/ACS mostly in the area of user friendliness.
>>
>> -----Original Message-----
>> From: cisco-nsp-boun...@puck.nether.net [mailto: cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Sundberg
>> Sent: Friday, March 02, 2012 1:57 PM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] Config Backups
>>
>> Quick question/poll
>>
>> What is everyone using for router/switch/firewall config backups? Is rancid still the one to use?
>>
>> Thanks
>>
>> Erik
Re: [c-nsp] Config Backups
RANCID and a couple of home-made scripts for custom jobs

alan
Re: [c-nsp] Config Backups
On Fri, Mar 02, 2012 at 01:57:02PM -0600, Erik Sundberg wrote:

> What is everyone using for router/switch/firewall config backups?

A short local bash script that does an SNMP write to the correct OID on each switch to tell it to copy its config file to the tftp server.

> Is rancid still the one to use?

Last I looked you had to give it telnet access to the switches - I didn't like giving a script that sort of access, or storing core router passwords (even for unpriv accounts) in plaintext anywhere. Maybe it's changed recently.

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: [c-nsp] Config Backups
Can do SSH. Use read-only account though, no need for a powerful account to read the config. Also stores the config with revision control/history and the file stored has obfuscated passwords/credentials.
alan
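An added example, not part of the thread and not RANCID's own code: a scrubber of the kind the reply above alludes to, which strips credential values from an IOS-style config before it goes into revision control and reports any credential-looking line its rules missed. The rule set, the function names and the sample config are assumptions made for illustration.

```python
import re
KEEP = r"\1 <removed>"  # keep the command keyword, drop the credential
# One rule per credential-bearing IOS command. Type 7 strings are a reversible
# encoding and type 5 hashes can be guessed offline, so both are dropped.
RULES = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: level \d+)?) .+$"), KEEP),
    (re.compile(r"^(\s*username \S+(?: privilege \d+)? (?:secret|password)) .+$"), KEEP),
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"), r"\1 <removed>\2"),
    (re.compile(r"^(\s*neighbor \S+ password) .+$"), KEEP),
    (re.compile(r"^(\s*(?:tacacs|radius)-server key) .+$"), KEEP),
    (re.compile(r"^(\s*password) .+$"), KEEP),
]
# Safety net: a credential keyword still followed by a value means a rule is missing.
RESIDUAL = re.compile(r"\b(?:secret|password|md5|community|server key) (?:\d+ )?(?!<removed>)\S+")

def sanitize(config):
    """Return (clean_text, redacted_line_numbers) for an IOS-style config."""
    out, hits = [], []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for pattern, repl in RULES:
            line, n = pattern.subn(repl, line)
            if n:
                hits.append(lineno)
                break
        out.append(line)
    return "\n".join(out) + "\n", hits

def residual_secrets(clean_text):
    """Lines that still look like they carry a credential; block the commit if any."""
    return [l.strip() for l in clean_text.splitlines() if RESIDUAL.search(l)]

# Constructed sample (all values made up); the ppp line is deliberately left uncovered by RULES.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$ConstructedHashValue000000
username backup privilege 1 secret 5 $1$wxyz$ConstructedHashValue111111
snmp-server community ExampleRO RO 10
interface Dialer1
 ppp chap password 7 0822455D0A16
router bgp 64512
 neighbor 192.0.2.1 password 7 094F471A1A0A
tacacs-server key 7 0505031C22
line vty 0 4
 password 7 045802150C2E
"""

if __name__ == "__main__":
    clean, hits = sanitize(SAMPLE_CONFIG)
    print(clean + f"redacted lines: {hits} | unhandled: {residual_secrets(clean)}")
```

Running the residual check as a pre-commit gate means an unrecognised credential command stops the backup from being stored instead of silently landing in the repository history.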
[c-nsp] preference on bgp route advertisements
I currently have prefix list filtering in place on my core routers and I advertise a default route to my dsl routers. My question is, what is the best practice for advertising bgp routes in the core? I would like to redistribute connected and static in bgp instead of adding network statements under the bgp process. Just trying to get some feedback on this before I start changing my core network.
Re: [c-nsp] Config Backups
Thanks everyone, I just finished installing rancid and have it up and running already. What web front end are you using to browse the CVS tree?
Thanks
Erik
Re: [c-nsp] Config Backups
Websvn here.
Sent from handheld
On Mar 2, 2012, at 6:30 PM, Erik Sundberg esundb...@nitelusa.com wrote:
> Thanks everyone, I just finished installing rancid and have it up and running already. What web front end are you using to browse the CVS tree?
> Thanks
> Erik
Re: [c-nsp] A switch with PoE support and powered by 48V DC
David, Check out the Cisco Switch Catalog Doc. It covers all Cisco switches by models and specs in one place and lists the power options too.
http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf
Erik
-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Farrell
Sent: Friday, March 02, 2012 10:10 AM
To: c-nsp
Subject: Re: [c-nsp] A switch with PoE support and powered by 48V DC
On 02/03/2012 14:55, David Farrell wrote:
> On 02/03/2012 14:50, David Farrell wrote:
>> On 02/03/2012 10:01, Victor Sudakov wrote:
>>> Colleagues, I need a switch with PoE support and powered by 48V DC, do you know of such? TIA for any advice.
>> Hi Victor, If you are looking for PoE access switches, I believe the 3560-E and -X series might be worth looking at as there are some DC power options for that series. David.
> The ME3600X/ME3800X also have DC power options. David.
However, no PoE in ME switches (it's definitely Friday afternoon with me). David.
[c-nsp] McAfee M-4050 Console
Good evening,
I have this M-4050 IPS I am trying to console into and I am having a lot of difficulties. Is anybody in here familiar with them? Any advice? I am using the following setup:
Baud rate: 38400
Number bits: 8
Parity: None
Stop bits: 1
Flow Control: None
I am not able, please help
Re: [c-nsp] router does not see IGMP joins
You may check IGMP activity: 8 joins, 6 leaves to see if new join is received. Maybe something is wrong with multicast router config.
On 3/2/12, Victor Sudakov v...@mpeks.tomsk.su wrote:
> Colleagues,
> What could be the reason that a Cisco 1841 router (IOS 12.4(13r)T) does not see IGMP joins to a particular group? tcpdump shows that the joins are being sent to the network, however debug ip igmp 224.0.1.3 does not show them.
> Here is the packet dump: http://zalil.ru/32803276 and the configuration:
> kedrovy#sh ip igmp interface fastEthernet 0/0
> FastEthernet0/0 is up, line protocol is up
> Internet address is 10.14.128.129/26
> IGMP is enabled on interface
> Current IGMP host version is 2
> Current IGMP router version is 2
> IGMP query interval is 60 seconds
> IGMP querier timeout is 120 seconds
> IGMP max query response time is 10 seconds
> Last member query count is 2
> Last member query response interval is 1000 ms
> Inbound IGMP access group is not set
> IGMP activity: 8 joins, 6 leaves
> Multicast routing is enabled on interface
> Multicast TTL threshold is 0
> Multicast designated router (DR) is 10.14.128.129 (this system)
> IGMP querying router is 10.14.128.129 (this system)
> Multicast groups joined by this system (number of users):
> 224.0.1.40(1) 224.0.1.1(1)
> kedrovy#
> I can forcibly join the interface to the 224.0.1.3 group and then the traffic begins to flow:
> kedrovy(config-if)#ip igmp join-group 224.0.1.3
> kedrovy(config-if)#^Z
> kedrovy#
> 1w2d: IGMP(0): WAVL Insert group: 224.0.1.3 interface: FastEthernet0/0Successful
> 1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0
> 1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for 224.0.1.3
> 1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from 10.14.128.129 for 0 sources
> 1w2d: IGMP(0): Switching to EXCLUDE mode for 224.0.1.3 on FastEthernet0/0
> 1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3
> 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0
> 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 4
> 1w2d: %SYS-5-CONFIG_I: Configured from console by vty0 (10.14.134.125)
> kedrovy#
> 1w2d: IGMP(0): Send v2 general Query on FastEthernet0/0
> 1w2d: IGMP(0): Set report delay time to 2.8 seconds for 224.0.1.3 on FastEthernet0/0
> 1w2d: IGMP(0): Send v2 general Query on FastEthernet0/1
> kedrovy#
> 1w2d: IGMP(0): Send v2 Report for 224.0.1.3 on FastEthernet0/0
> 1w2d: IGMP(0): Received v2 Report on FastEthernet0/0 from 10.14.128.129 for 224.0.1.3
> 1w2d: IGMP(0): Received Group record for group 224.0.1.3, mode 2 from 10.14.128.129 for 0 sources
> 1w2d: IGMP(0): Updating EXCLUDE group timer for 224.0.1.3
> 1w2d: IGMP(0): MRT Add/Update FastEthernet0/0 for (*,224.0.1.3) by 0
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru