Re: [c-nsp] Static Default route missing

2013-11-15 Thread Methsri Wickramarathna
Pete >> I didn't get that clearly


On Fri, Nov 15, 2013 at 9:25 PM, Pete Lumbis  wrote:

> Syslogs to see when someone exited from config mode.
>
>
> On Fri, Nov 15, 2013 at 10:44 AM, Methsri Wickramarathna <
> mmethw2...@gmail.com> wrote:
>
>> Jon >> yes it's only the ip route command was missing , if configurations
>> was rolled back is there a way to identify it ???
>>
>>
>> On Fri, Nov 15, 2013 at 9:11 PM, Methsri Wickramarathna <
>> mmethw2...@gmail.com> wrote:
>>
>> > Harold >> yes that was the line
>> >
>> >
>> > On Fri, Nov 15, 2013 at 8:50 PM, Harold 'Buz' Dale > >wrote:
>> >
>> >> This is the line that was missing then?
>> >>
>> >> ip route 0.0.0.0 0.0.0.0 X.X.X.X
>> >>
>> >>
>> >> From: Methsri Wickramarathna 
>> >> Date: Friday, November 15, 2013 at 10:03 AM
>> >> To: Chuck Church 
>> >> Cc: Buz Dale , "cisco-nsp@puck.nether.net" <
>> >> cisco-nsp@puck.nether.net>
>> >>
>> >> Subject: Re: [c-nsp] Static Default route missing
>> >>
>> >> Chuck >> default route config
>> >>
>> >> ip route 0.0.0.0 0.0.0.0 X.X.X.X   # directed to next hop IP & no DHCP
>> >> configured
>> >>
>> >>
>> >> On Fri, Nov 15, 2013 at 8:31 PM, Chuck Church > >wrote:
>> >>
>> >>> Is there an IP address on the interface the default is using, or is it
>> >>> using DHCP?  DHCP can add a default route to the table, but wouldn't
>> show
>> >>> up in either config.
>> >>>
>> >>> Chuck
>> >>>
>> >>>
>> >>> -Original Message-
>> >>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
>> Of
>> >>> Methsri Wickramarathna
>> >>> Sent: Friday, November 15, 2013 9:50 AM
>> >>> To: Harold 'Buz' Dale
>> >>> Cc: cisco-nsp@puck.nether.net
>> >>> Subject: Re: [c-nsp] Static Default route missing
>> >>>
>> >>> Nick >> Router is enabled with tacacs+ AAA ... I can see all the
>> commands
>> >>> entered with the usernames...
>> >>>
>> >>> Chuck >> Router isn't rebooted .. uptime was 30 weeks :(
>> >>>
>> >>> Harold >> Router statement missing from both running and startup
>> configs
>> >>> ... When I enter *show ip route 0.0.0.0* it says network not
>> available :(
>> >>>
>> >>> Any ideas ???/
>> >>>
>> >>>
>> >>> On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale 
>> >>> wrote:
>> >>>
>> >>> > My first thought was that it rebooted and wasn't in the saved
>> config.
>> >>> > IS the route statement missing or just the route from the table?
>> >>> > Luck,
>> >>> > Buz
>> >>> >
>> >>> > On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
>> >>> >
>> >>> > >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
>> >>> > >> Any Ideas ???
>> >>> > >
>> >>> > >most likely to be someone's typo.  Best idea to enable logging and
>> >>> > >tacacs+ AAA on the device so that you can see what's going on and
>> who
>> >>> > >did it.  AAA logging is an invaluable tool for follow-up problem
>> >>> diagnosis.
>> >>> > >
>> >>> > >Nick
>> >>> > >
>> >>> > >___
>> >>> > >cisco-nsp mailing list  cisco-nsp@puck.nether.net
>> >>> > >https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >>> > >archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >>> >
>> >>> >
>> >>>
>> >>>

Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Phil Mayers

On 15/11/13 16:54, Pete Lumbis wrote:

> Why do we want labeled traffic to punt at all? Anything destined locally

Er, no. Think "management in VRF", in which case traffic for the 
management loopback arrives labelled with the VRF label.

> should be imp-null or would have the exp-null label stripped in
> hardware.  So my bigger question would be "why are we punting?" Beyond
> that what CoPP class should it match if it does punt? Are you saying
> there is a class to match mpls traffic that is not actually matching?

No.

On sup720, labelled traffic to the box is matched against the CoPP 
policies after the labels are popped. This seems, obviously, more useful 
than matching before the labels (when the IP header is hidden).

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Pete Lumbis
Why do we want labeled traffic to punt at all? Anything destined locally
should be imp-null or would have the exp-null label stripped in hardware.
So my bigger question would be "why are we punting?" Beyond that what CoPP
class should it match if it does punt? Are you saying there is a class to
match mpls traffic that is not actually matching?


On Fri, Nov 15, 2013 at 11:20 AM, Phil Mayers wrote:

> On 15/11/13 16:08, Pete Lumbis wrote:
>
>> There is a "match protocol mpls" to match labeled traffic.
>>
>
> Not sure what use that is in the context of selectively
> dropping/permitting traffic, the standard use-case for CoPP.
>
> I could block all L3VPN traffic, but I might as well turn the box off if
> I'm going to do that ;o)
>


Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Tim Durack
Does it make any difference if you run "label-allocation-mode per-vrf"?


On Fri, Nov 15, 2013 at 4:48 AM, Phil Mayers wrote:

> Has anyone else seen this? Our N7k CoPP policy seems to be letting packets
> through which are arriving MPLS-labelled. In particular, this means it's
> completely ineffective at protecting the CPU in an L3VPN, since all packets
> inside the VPN arrive labelled.
>
> Presumably the class-map isn't matching, since the IP header isn't
> visible. This is not the way other platforms e.g. sup720 work, and is
> distinctly unhelpful.
>
> The boxes are on an older release - 5.2(4) - but I didn't spot anything in
> the release notes about it...
>



-- 
Tim:>


Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Phil Mayers

On 15/11/13 16:08, Pete Lumbis wrote:

> There is a "match protocol mpls" to match labeled traffic.

Not sure what use that is in the context of selectively 
dropping/permitting traffic, the standard use-case for CoPP.

I could block all L3VPN traffic, but I might as well turn the box off if 
I'm going to do that ;o)



Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Pete Lumbis
There is a "match protocol mpls" to match labeled traffic.

http://puck.nether.net/pipermail/cisco-nsp/2013-March/089936.html


On Fri, Nov 15, 2013 at 4:48 AM, Phil Mayers wrote:

> Has anyone else seen this? Our N7k CoPP policy seems to be letting packets
> through which are arriving MPLS-labelled. In particular, this means it's
> completely ineffective at protecting the CPU in an L3VPN, since all packets
> inside the VPN arrive labelled.
>
> Presumably the class-map isn't matching, since the IP header isn't
> visible. This is not the way other platforms e.g. sup720 work, and is
> distinctly unhelpful.
>
> The boxes are on an older release - 5.2(4) - but I didn't spot anything in
> the release notes about it...


Re: [c-nsp] Static Default route missing

2013-11-15 Thread Pete Lumbis
Syslogs to see when someone exited from config mode.


On Fri, Nov 15, 2013 at 10:44 AM, Methsri Wickramarathna <
mmethw2...@gmail.com> wrote:

> Jon >> yes it's only the ip route command was missing , if configurations
> was rolled back is there a way to identify it ???
>
>
> On Fri, Nov 15, 2013 at 9:11 PM, Methsri Wickramarathna <
> mmethw2...@gmail.com> wrote:
>
> > Harold >> yes that was the line
> >
> >
> > On Fri, Nov 15, 2013 at 8:50 PM, Harold 'Buz' Dale  >wrote:
> >
> >> This is the line that was missing then?
> >>
> >> ip route 0.0.0.0 0.0.0.0 X.X.X.X
> >>
> >>
> >> From: Methsri Wickramarathna 
> >> Date: Friday, November 15, 2013 at 10:03 AM
> >> To: Chuck Church 
> >> Cc: Buz Dale , "cisco-nsp@puck.nether.net" <
> >> cisco-nsp@puck.nether.net>
> >>
> >> Subject: Re: [c-nsp] Static Default route missing
> >>
> >> Chuck >> default route config
> >>
> >> ip route 0.0.0.0 0.0.0.0 X.X.X.X   # directed to next hop IP & no DHCP
> >> configured
> >>
> >>
> >> On Fri, Nov 15, 2013 at 8:31 PM, Chuck Church  >wrote:
> >>
> >>> Is there an IP address on the interface the default is using, or is it
> >>> using DHCP?  DHCP can add a default route to the table, but wouldn't
> show
> >>> up in either config.
> >>>
> >>> Chuck
> >>>
> >>>
> >>> -Original Message-
> >>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of
> >>> Methsri Wickramarathna
> >>> Sent: Friday, November 15, 2013 9:50 AM
> >>> To: Harold 'Buz' Dale
> >>> Cc: cisco-nsp@puck.nether.net
> >>> Subject: Re: [c-nsp] Static Default route missing
> >>>
> >>> Nick >> Router is enabled with tacacs+ AAA ... I can see all the
> commands
> >>> entered with the usernames...
> >>>
> >>> Chuck >> Router isn't rebooted .. uptime was 30 weeks :(
> >>>
> >>> Harold >> Router statement missing from both running and startup
> configs
> >>> ... When I enter *show ip route 0.0.0.0* it says network not available
> :(
> >>>
> >>> Any ideas ???/
> >>>
> >>>
> >>> On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale 
> >>> wrote:
> >>>
> >>> > My first thought was that it rebooted and wasn't in the saved config.
> >>> > IS the route statement missing or just the route from the table?
> >>> > Luck,
> >>> > Buz
> >>> >
> >>> > On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
> >>> >
> >>> > >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
> >>> > >> Any Ideas ???
> >>> > >
> >>> > >most likely to be someone's typo.  Best idea to enable logging and
> >>> > >tacacs+ AAA on the device so that you can see what's going on and
> who
> >>> > >did it.  AAA logging is an invaluable tool for follow-up problem
> >>> diagnosis.
> >>> > >
> >>> > >Nick
> >>> > >

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Methsri Wickramarathna
Harold >> yes that was the line


On Fri, Nov 15, 2013 at 8:50 PM, Harold 'Buz' Dale  wrote:

> This is the line that was missing then?
>
> ip route 0.0.0.0 0.0.0.0 X.X.X.X
>
>
> From: Methsri Wickramarathna 
> Date: Friday, November 15, 2013 at 10:03 AM
> To: Chuck Church 
> Cc: Buz Dale , "cisco-nsp@puck.nether.net" <
> cisco-nsp@puck.nether.net>
>
> Subject: Re: [c-nsp] Static Default route missing
>
> Chuck >> default route config
>
> ip route 0.0.0.0 0.0.0.0 X.X.X.X   # directed to next hop IP & no DHCP
> configured
>
>
> On Fri, Nov 15, 2013 at 8:31 PM, Chuck Church wrote:
>
>> Is there an IP address on the interface the default is using, or is it
>> using DHCP?  DHCP can add a default route to the table, but wouldn't show
>> up in either config.
>>
>> Chuck
>>
>>
>> -Original Message-
>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
>> Methsri Wickramarathna
>> Sent: Friday, November 15, 2013 9:50 AM
>> To: Harold 'Buz' Dale
>> Cc: cisco-nsp@puck.nether.net
>> Subject: Re: [c-nsp] Static Default route missing
>>
>> Nick >> Router is enabled with tacacs+ AAA ... I can see all the commands
>> entered with the usernames...
>>
>> Chuck >> Router isn't rebooted .. uptime was 30 weeks :(
>>
>> Harold >> Router statement missing from both running and startup configs
>> ... When I enter *show ip route 0.0.0.0* it says network not available :(
>>
>> Any ideas ???/
>>
>>
>> On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale 
>> wrote:
>>
>> > My first thought was that it rebooted and wasn't in the saved config.
>> > IS the route statement missing or just the route from the table?
>> > Luck,
>> > Buz
>> >
>> > On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
>> >
>> > >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
>> > >> Any Ideas ???
>> > >
>> > >most likely to be someone's typo.  Best idea to enable logging and
>> > >tacacs+ AAA on the device so that you can see what's going on and who
>> > >did it.  AAA logging is an invaluable tool for follow-up problem
>> diagnosis.
>> > >
>> > >Nick
>> > >

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Methsri Wickramarathna
Jon >> yes it's only the ip route command was missing , if configurations
was rolled back is there a way to identify it ???


On Fri, Nov 15, 2013 at 9:11 PM, Methsri Wickramarathna <
mmethw2...@gmail.com> wrote:

> Harold >> yes that was the line
>
>
> On Fri, Nov 15, 2013 at 8:50 PM, Harold 'Buz' Dale wrote:
>
>> This is the line that was missing then?
>>
>> ip route 0.0.0.0 0.0.0.0 X.X.X.X
>>
>>
>> From: Methsri Wickramarathna 
>> Date: Friday, November 15, 2013 at 10:03 AM
>> To: Chuck Church 
>> Cc: Buz Dale , "cisco-nsp@puck.nether.net" <
>> cisco-nsp@puck.nether.net>
>>
>> Subject: Re: [c-nsp] Static Default route missing
>>
>> Chuck >> default route config
>>
>> ip route 0.0.0.0 0.0.0.0 X.X.X.X   # directed to next hop IP & no DHCP
>> configured
>>
>>
>> On Fri, Nov 15, 2013 at 8:31 PM, Chuck Church wrote:
>>
>>> Is there an IP address on the interface the default is using, or is it
>>> using DHCP?  DHCP can add a default route to the table, but wouldn't show
>>> up in either config.
>>>
>>> Chuck
>>>
>>>
>>> -Original Message-
>>> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
>>> Methsri Wickramarathna
>>> Sent: Friday, November 15, 2013 9:50 AM
>>> To: Harold 'Buz' Dale
>>> Cc: cisco-nsp@puck.nether.net
>>> Subject: Re: [c-nsp] Static Default route missing
>>>
>>> Nick >> Router is enabled with tacacs+ AAA ... I can see all the commands
>>> entered with the usernames...
>>>
>>> Chuck >> Router isn't rebooted .. uptime was 30 weeks :(
>>>
>>> Harold >> Router statement missing from both running and startup configs
>>> ... When I enter *show ip route 0.0.0.0* it says network not available :(
>>>
>>> Any ideas ???/
>>>
>>>
>>> On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale 
>>> wrote:
>>>
>>> > My first thought was that it rebooted and wasn't in the saved config.
>>> > IS the route statement missing or just the route from the table?
>>> > Luck,
>>> > Buz
>>> >
>>> > On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
>>> >
>>> > >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
>>> > >> Any Ideas ???
>>> > >
>>> > >most likely to be someone's typo.  Best idea to enable logging and
>>> > >tacacs+ AAA on the device so that you can see what's going on and who
>>> > >did it.  AAA logging is an invaluable tool for follow-up problem
>>> diagnosis.
>>> > >
>>> > >Nick
>>> > >
Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-15 Thread Mark Tinka
On Tuesday, November 12, 2013 09:31:34 PM c...@marenda.net 
wrote:

> But that extra Gig port is shared hardware with the FAS
> Management Port, (which could be Gig...). it's another
> chipset than the other three CPU?-Ports,
> and it's not performing very well :-(

You can't expect to run any of those ports at line rate.

The entire forwarding plane in that system is good for 
700Mbps - 950Mbps, aggregate.

Mark.



Re: [c-nsp] Static Default route missing

2013-11-15 Thread Harold 'Buz' Dale
This is the line that was missing then?

ip route 0.0.0.0 0.0.0.0 X.X.X.X


From: Methsri Wickramarathna <mmethw2...@gmail.com>
Date: Friday, November 15, 2013 at 10:03 AM
To: Chuck Church <chuckchu...@gmail.com>
Cc: Buz Dale <buz.d...@usg.edu>, "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Static Default route missing

Chuck >> default route config

ip route 0.0.0.0 0.0.0.0 X.X.X.X   # directed to next hop IP & no DHCP 
configured


On Fri, Nov 15, 2013 at 8:31 PM, Chuck Church <chuckchu...@gmail.com> wrote:
Is there an IP address on the interface the default is using, or is it using 
DHCP?  DHCP can add a default route to the table, but wouldn't show up in 
either config.

Chuck


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Methsri Wickramarathna
Sent: Friday, November 15, 2013 9:50 AM
To: Harold 'Buz' Dale
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Static Default route missing

Nick >> Router is enabled with tacacs+ AAA ... I can see all the commands 
entered with the usernames...

Chuck >> Router isn't rebooted .. uptime was 30 weeks :(

Harold >> Router statement missing from both running and startup configs ... 
When I enter *show ip route 0.0.0.0* it says network not available :(

Any ideas ???/


On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale <buz.d...@usg.edu> wrote:

> My first thought was that it rebooted and wasn't in the saved config.
> IS the route statement missing or just the route from the table?
> Luck,
> Buz
>
> On 11/15/13, 6:42 AM, "Nick Hilliard" <n...@foobar.org> wrote:
>
> >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
> >> Any Ideas ???
> >
> >most likely to be someone's typo.  Best idea to enable logging and
> >tacacs+ AAA on the device so that you can see what's going on and who
> >did it.  AAA logging is an invaluable tool for follow-up problem diagnosis.
> >
> >Nick
> >

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Harold 'Buz' Dale
My first thought was that it rebooted and wasn't in the saved config. IS
the route statement missing or just the route from the table?
Luck,
Buz

On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:

>On 15/11/2013 10:44, Methsri Wickramarathna wrote:
>> Any Ideas ???
>
>most likely to be someone's typo.  Best idea to enable logging and tacacs+
>AAA on the device so that you can see what's going on and who did it.  AAA
>logging is an invaluable tool for follow-up problem diagnosis.
>
>Nick
>


Re: [c-nsp] Static Default route missing

2013-11-15 Thread Methsri Wickramarathna
Chuck >> default route config

ip route 0.0.0.0 0.0.0.0 X.X.X.X   # directed to next hop IP & no DHCP
configured


On Fri, Nov 15, 2013 at 8:31 PM, Chuck Church  wrote:

> Is there an IP address on the interface the default is using, or is it
> using DHCP?  DHCP can add a default route to the table, but wouldn't show
> up in either config.
>
> Chuck
>
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
> Methsri Wickramarathna
> Sent: Friday, November 15, 2013 9:50 AM
> To: Harold 'Buz' Dale
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Static Default route missing
>
> Nick >> Router is enabled with tacacs+ AAA ... I can see all the commands
> entered with the usernames...
>
> Chuck >> Router isn't rebooted .. uptime was 30 weeks :(
>
> Harold >> Router statement missing from both running and startup configs
> ... When I enter *show ip route 0.0.0.0* it says network not available :(
>
> Any ideas ???/
>
>
> On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale 
> wrote:
>
> > My first thought was that it rebooted and wasn't in the saved config.
> > IS the route statement missing or just the route from the table?
> > Luck,
> > Buz
> >
> > On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
> >
> > >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
> > >> Any Ideas ???
> > >
> > >most likely to be someone's typo.  Best idea to enable logging and
> > >tacacs+ AAA on the device so that you can see what's going on and who
> > >did it.  AAA logging is an invaluable tool for follow-up problem
> diagnosis.
> > >
> > >Nick
> > >

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Chuck Church
Is there an IP address on the interface the default is using, or is it using 
DHCP?  DHCP can add a default route to the table, but wouldn't show up in 
either config.

Chuck


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Methsri 
Wickramarathna
Sent: Friday, November 15, 2013 9:50 AM
To: Harold 'Buz' Dale
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Static Default route missing

Nick >> Router is enabled with tacacs+ AAA ... I can see all the commands 
entered with the usernames...

Chuck >> Router isn't rebooted .. uptime was 30 weeks :(

Harold >> Router statement missing from both running and startup configs ... 
When I enter *show ip route 0.0.0.0* it says network not available :(

Any ideas ???/


On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale  wrote:

> My first thought was that it rebooted and wasn't in the saved config. 
> IS the route statement missing or just the route from the table?
> Luck,
> Buz
>
> On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
>
> >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
> >> Any Ideas ???
> >
> >most likely to be someone's typo.  Best idea to enable logging and 
> >tacacs+ AAA on the device so that you can see what's going on and who 
> >did it.  AAA logging is an invaluable tool for follow-up problem diagnosis.
> >
> >Nick
> >

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Methsri Wickramarathna
Nick >> Router is enabled with tacacs+ AAA ... I can see all the commands
entered with the usernames...

Chuck >> Router isn't rebooted .. uptime was 30 weeks :(

Harold >> Router statement missing from both running and startup configs
... When I enter *show ip route 0.0.0.0* it says network not available :(

Any ideas ???/


On Fri, Nov 15, 2013 at 8:12 PM, Harold 'Buz' Dale  wrote:

> My first thought was that it rebooted and wasn't in the saved config. IS
> the route statement missing or just the route from the table?
> Luck,
> Buz
>
> On 11/15/13, 6:42 AM, "Nick Hilliard"  wrote:
>
> >On 15/11/2013 10:44, Methsri Wickramarathna wrote:
> >> Any Ideas ???
> >
> >most likely to be someone's typo.  Best idea to enable logging and tacacs+
> >AAA on the device so that you can see what's going on and who did it.  AAA
> >logging is an invaluable tool for follow-up problem diagnosis.
> >
> >Nick
> >

Re: [c-nsp] Static Default route missing

2013-11-15 Thread Chuck Church
Is it possible the static default was in the running config, but not the 
startup, and the router rebooted?

Chuck

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Methsri 
Wickramarathna
Sent: Thursday, November 14, 2013 11:54 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Static Default route missing

Hi all,
Yesterday we had strange behavior on one of our Cisco 1841 routers. It was 
suddenly unreachable, and when we troubleshot the issue we found that the 
router was missing its default route. Initially we thought that someone may 
have accidentally removed it. TAC logs are enabled on the router, so I went 
through all the logs and found no record of the route being removed.

We are taking router backups daily, so I compared previous router backups 
and found that the default route was there on 12th November and missing on 
13th November 2013.

Any idea about this issue?

Router IOS :- c1841-adventerprisek9-mz.150-1.M4.3.bin



~~( ŊëŌ )~~

Re: [c-nsp] eBGP with internet provider from DataCenters

2013-11-15 Thread Scott Granados
I can’t think of any reason to use more than 1.  If you have a meshed network 
and announce space to the public network then you need a real AS.  For your 
application if you’re using provider space and just looking for redundancy 
within the DC you could get away with using a private AS.  I don’t see a need 
though to use more than one.

Thanks
Scott


On Nov 15, 2013, at 8:18 AM, Yham  wrote:

> Hi Guys,
> 
> If we have two active/active DataCenters on different geographical
> locations and going to peer with the same provider for internet. What are
> the pros and cons of having same Autonomous Number on both data centers. In
> other words which is more scalable and practical, having both data centers
> on single public ASN or should be two different when peering with same
> internet providers. Can you please share your thoughts on it.
> 
> Regards


[c-nsp] eBGP with internet provider from DataCenters

2013-11-15 Thread Yham
Hi Guys,

If we have two active/active DataCenters on different geographical
locations and going to peer with the same provider for internet. What are
the pros and cons of having same Autonomous Number on both data centers. In
other words which is more scalable and practical, having both data centers
on single public ASN or should be two different when peering with same
internet providers. Can you please share your thoughts on it.

Regards


Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Phil Mayers

On 15/11/13 12:02, Saku Ytti wrote:
> On (2013-11-15 09:48 +), Phil Mayers wrote:
>
>> Has anyone else seen this? Our N7k CoPP policy seems to be letting
>> packets through which are arriving MPLS-labelled. In particular,
>> this means it's completely ineffective at protecting the CPU in an
>> L3VPN, since all packets inside the VPN arrive labelled.
>
> Alas this is the rule, 7600 having working CoPP is the exception.
>
> In 2006-03-16 I opened TAC case 603198067 complaining how 'explicit-null'
> breaks CoPP in GSR, VXR, NSE100, 5400, result was that it was expected
> behaviour.

Great. Doubly helpful, since VTY ACLs are broken on the version of NX-OS 
we're on :o(


(In case anyone wants to be helpful and suggest iACLs, do me a favour 
and move onto the next thread; they don't help in this specific case for 
reasons I have no interest in discussing)



Re: [c-nsp] IPv6 filters

2013-11-15 Thread Tony Tauber
Yes, explicitly filtering prefixes outbound if you're an edge site and
inbound if you're a service provider is the right way to do it, whether
it's v4 or v6.
For BGP particularly, IPv6 is really nothing special at all; just mirror
your configurations and policies.

Depending on your OS, you may have to explicitly disable v6 routes being
sent over a v4 session.
That's possible to do but I don't know why one would want to in a truly
dual-stack deployment.
In v6 the only "v4 artifact" will be that the router ID is still a 32-bit
number which is most commonly set to the v4 loopback or some such.

Tony


On Thu, Nov 14, 2013 at 3:25 PM, Gert Doering  wrote:

> Hi,
>
> On Thu, Nov 14, 2013 at 07:58:26AM -0800, Scott Voll wrote:
> > I'm currently using a filter list:
> >
> > ip as-path access-list 1 permit ^$
> > ip as-path access-list 1 deny .*
> >
> > to make sure I'm not a transit provider.
> >
> > in my googling around I'm not seeing that done in IPv6
>
> Besides the CPU impact (what Nick pointed out), this is actually *good*
> practice, both for IPv4 and for IPv6.
>
> Easier on CPU load but more maintenance if prefixes keep being added
> is to filter by prefix-list...  so it depends a bit on how fast your
> router's CPU is, how often prefixes change, etc.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>//
> www.muc.de/~gert/
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
> fax: +49-89-35655025
> g...@net.informatik.tu-muenchen.de


Re: [c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Saku Ytti
On (2013-11-15 09:48 +), Phil Mayers wrote:

> Has anyone else seen this? Our N7k CoPP policy seems to be letting
> packets through which are arriving MPLS-labelled. In particular,
> this means it's completely ineffective at protecting the CPU in an
> L3VPN, since all packets inside the VPN arrive labelled.

Alas this is the rule, 7600 having working CoPP is the exception.

In 2006-03-16 I opened TAC case 603198067 complaining how 'explicit-null'
breaks CoPP in GSR, VXR, NSE100, 5400, result was that it was expected
behaviour.

-- 
  ++ytti


Re: [c-nsp] Static Default route missing

2013-11-15 Thread Nick Hilliard
On 15/11/2013 10:44, Methsri Wickramarathna wrote:
> Any Ideas ???

most likely to be someone's typo.  Best idea to enable logging and tacacs+
AAA on the device so that you can see what's going on and who did it.  AAA
logging is an invaluable tool for follow-up problem diagnosis.

Nick



[c-nsp] GGSN Diameter Quota

2013-11-15 Thread naresh reddy
Hi Experts

I am working on migrating an existing GGSN RADIUS post-charging process to 
Diameter quota services.
We don't have a CGS, so is there a way to skip this? RADIUS needs to 
authenticate users and Diameter provides the charging quota for all the users.

our base is a Cisco GGSN on MWAM module

Thank you


Re: [c-nsp] Static Default route missing

2013-11-15 Thread Methsri Wickramarathna
Any Ideas ???


On Fri, Nov 15, 2013 at 10:23 AM, Methsri Wickramarathna <
mmethw2...@gmail.com> wrote:

> Hi all,
> Yesterday we had strange behavior on one of our Cisco 1841 routers, which
> was suddenly unreachable. After we troubleshot the issue, we found out
> that the router was missing its default route. Initially we thought that
> someone may have accidentally removed it. TAC logs are enabled on the
> router, so I have gone through all the logs and found no record regarding
> the route being removed.
>
> We are taking router backups daily, so I compared previous router
> backups and found out that the default route was there on 12th November
> and missing on 13th November 2013.
>
> Any idea about this issue?
>
> Router IOS :- c1841-adventerprisek9-mz.150-1.M4.3.bin
>
>
>
> ~~( ŊëŌ )~~
>



-- 

~~( ŊëŌ )~~

[c-nsp] N7k CoPP not MPLS-aware?

2013-11-15 Thread Phil Mayers
Has anyone else seen this? Our N7k CoPP policy seems to be letting 
packets through which are arriving MPLS-labelled. In particular, this 
means it's completely ineffective at protecting the CPU in an L3VPN, 
since all packets inside the VPN arrive labelled.


Presumably the class-map isn't matching, since the IP header isn't 
visible. This is not the way other platforms e.g. sup720 work, and is 
distinctly unhelpful.


The boxes are on an older release - 5.2(4) - but I didn't spot anything 
in the release notes about it...



Re: [c-nsp] ACS 5.4 UCP - where does it listen?

2013-11-15 Thread Pierfrancesco Caci
> "Javier" == Javier Henderson (javier)  writes:


Javier> On Nov 13, 2013, at 9:15 AM, Pierfrancesco Caci  wrote:

>> 
>> Hi,
>> I have an ACS 5.4 with two interfaces, one where we get the tacacs
>> queries, and one for management. Trying to get UCP (using the java
>> thingie) to work, I can't figure which of the two interfaces it's
>> listening on, and which port I need to open on the firewall. 
>> You can cluebat me with a pointer to the docs, if that's written
>> somewhere :-)

Javier> Ciao Pf,

Javier> UCP uses Ethernet 0.


Thanks Javier.

For the benefit of others new to the ACS like me, "GigabitEthernet 0" is
"eth0" on the underlying OS. 
"tech dumptcp" is plain old tcpdump.
I've noticed that if I send a UCP request to the tacacs address (in my
setup on eth3), I get a reply from the management address. Smells like
bug. 

In the end, I got the java UCP working. The python one instead comes
with a very old library, the rpm provided is 32 bits only, and the
library doesn't compile on current OS (tried on ubuntu
12.04LTS). Some comments around the 'net report that it doesn't work
with current python anyway. 

Pf

-- 
Pierfrancesco Caci


Re: [c-nsp] ME3600 BFD session to A9K breaks after upgrade to 15.3(3)S1a

2013-11-15 Thread Adam Vitkovsky
Hi Folks

That is right even with padding disabled the several first hellos (i.e.
until adj-comes up) are padded to full interface MTU -3. 

Though with A9K and ME3600 the use of CLNS MTU is a bit funky. 

I'm glad to hear that the ancient bug is finally fixed in .S1a and the CLNS
MTU is computed correctly but they still missed that one byte offset I was
pointing out as well :). 

c3600x.test#sh clns int po1 
Port-channel1 is up, line protocol is up
  Checksums enabled, MTU 9195, Encapsulation SAP

Opposite site receives:
RP/0/RSP0/CPU0:Nov 15 16:33:50.644 : isis[1003]: RECV P2P IIH (L1) from
Bundle-Ether2 SNPA 203a.07c3.a642: System ID c3600x.test, Holdtime 30,
length 9194


As far as the acceptable CLNS MTU differences between A9K and ME3600:

A9K can accept CLNS hellos that are max 5 bytes larger than the interface
CLNS MTU. 
ME3600 can accept CLNS hellos that are max 8 bytes larger than the interface
CLNS MTU. 




adam
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Jason Lixfeld
Sent: Friday, November 15, 2013 1:08 AM
To: Pshem Kowalczyk
Cc: cisco-nsp@puck.nether.net NSP
Subject: Re: [c-nsp] ME3600 BFD session to A9K breaks after upgrade to
15.3(3)S1a

Docs seem to indicate that it's still enabled by default, padded all the way
up to the full MTU size.

On Nov 14, 2013, at 6:51 PM, Pshem Kowalczyk  wrote:

> I can't check right now but what are the defaults for ISIS hello 
> padding on ME3600x?
> 
> kind regards
> Pshem
> 
> On 15 November 2013 06:39, Jason Lixfeld  wrote:
>> Hi all,
>> 
>> I got an answer on this and thought I'd share.  It bit me in the ass and
>> I'd hate for it to bite anyone else.
>> 
>> The root cause was due to a fix implemented in 15.3(3)S1a for CSCtl54835.
>> Essentially, the CLNS MTU is now properly calculated from the L3 interface
>> MTU whereas before, the CLNS MTU was always 1497 no matter what the L3
>> interface MTU was set to.  This fix was not listed in the list of resolved
>> caveats for that release, but it is now.
>> 
>> So,
>> 
>> After the upgrade, the CLNS MTU was calculated to be 9213 (based on a L3
>> interface MTU of 9216) which caused an incompatibility with its adjacent 9K
>> which has a CLNS MTU of 9202 (based on a L3 interface MTU of 9216).
>> 
>> The fix was to lower the L3 MTU on the ME3600 to 9202 (which is the
>> correct MTU anyway when the A9K MTU is 9216).  This lowered the ME3600 CLNS
>> MTU to 9199 at which point ISIS/BFD was again operational.
>> 
>> I haven't read the CLNS or ISIS RFC, so I don't understand what the
>> expected behaviour is in terms of CLNS MTU, but my findings are as follows:
>> 
>> Pre-15.3(3)S1a upgrade:
>> ME3600 interface MTU: 9216
>> ME3600 inherited CLNS MTU: 1497
>> ASR9K interface MTU: 9216
>> ASR9K inherited CLNS MTU: 9202
>> 
>> ME3600 CLNS MTU < ASR9K CLNS MTU
>> 
>> Result: ISIS/BFD Up
>> --
>> Post-15.3(3)S1a upgrade (no config change):
>> 
>> ME3600 interface MTU: 9216
>> ME3600 inherited CLNS MTU: 9213
>> ASR9K interface MTU: 9216
>> ASR9K inherited CLNS MTU: 9202
>> 
>> ME3600 CLNS MTU > ASR9K CLNS MTU
>> 
>> Result: ISIS/BFD Down
>> --
>> Post-15.3(3)S1a upgrade (config changed):
>> 
>> ME3600 interface MTU: 9202
>> ME3600 inherited CLNS MTU: 9199
>> ASR9K interface MTU: 9216
>> ASR9K inherited CLNS MTU: 9202
>> 
>> ME3600 CLNS MTU < ASR9K CLNS MTU
>> 
>> Result: ISIS/BFD Up
>> 
>> I have heard that it is the understanding of other people (who have
>> presumably read the RFC) that this configuration should still not work
>> because the CLNS MTU always needs to match on both ends.  So it seems that
>> there might be another issue afoot here?  To me, it seems that the A9K
>> cannot negotiate an ISIS adjacency when a neighbour CLNS MTU is larger than
>> itself, but the ME3600 can, but if the CLNS MTU is supposed to match always,
>> then both devices are actually misbehaving?
>> 
>> On Nov 12, 2013, at 9:57 AM, Jason Lixfeld  wrote:
>> 
>>> Before an upgrade to 15.3(3)S1a, a BFD session between a 9K and an
>>> ME3600 worked just fine.  After the upgrade, BFD session wouldn't come up.
>>> I looked at the release notes and couldn't see any notes about behaviour
>>> changes in BFD or any specific caveats.  BFD still works fine if the
>>> adjacent device is another ME3600 (only tested adjacent ME3600s that were
>>> *not* upgraded to 15.3(3)S1a).
>>> 
>>> I've got Cisco looking at it, but I'm just curious if anyone else has
>>> seen this change in behaviour.  Previously, this ME3600 was running 15.3(3)S
>>> and it worked just fine to this same 9K (which is running XR 4.3.1).
>>> 
>>> ! A9K
>>> !
>>> router isis
>>> is-type level-2-only
>>> net 00.0720.1504.8009..00
>>> nsf cisco
>>> log adjacency changes
>>> log pdu drops
>>> address-family ipv4 unicast
>>> metric-style transition
>>> !
>>> interface TenGigE0/0/0/6
>>> bfd minimum-interval 300
>>> bfd multiplier 3
>>> bfd fast-detect ipv4
>>> link-down fast-detect
>>> address-family ipv4 unicast
>>> !
>>> 
>>> ! ME3600
>>> !
>>> interface TenGigabitEthernet0/1
>>> no switchport
>>> dampening

Re: [c-nsp] IPv6 filters

2013-11-15 Thread Gert Doering
Hi,

On Fri, Nov 15, 2013 at 06:49:43AM +0100, Mikael Abrahamsson wrote:
> On Thu, 14 Nov 2013, Gert Doering wrote:
> 
> >Easier on CPU load but more maintenance if prefixes keep being added is 
> >to filter by prefix-list...  so it depends a bit on how fast your 
> >router's CPU is, how often prefixes change, etc.
> 
> Just using prefix-lists has drawbacks as well, since customers who are no 
> longer customers can end up being transited to your network because you 
> now receive the prefix via a peer, but still announce it to your transits.

True.  As soon as customers with a BGP uplink enter the mix, I'd go for
a community-based scheme ("to-be-exported prefixes get stamped with a 
specific BGP community, and the export filters check on community values
only") - but for "I'm just a dual-homed leaf AS", this is way overkill.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany  g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de



Re: [c-nsp] IPv6 filters

2013-11-15 Thread Nikolay Shopik
Then mark all your and your customers' prefixes with community and
announce only these marked.

On 15/11/13 09:49, Mikael Abrahamsson wrote:
> Just using prefix-lists has drawbacks as well, since customers who are
> no longer customers can end up being transited to your network because
> you now receive the prefix via a peer, but still announce it to your
> transits.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
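
The three export-filter schemes discussed in the "IPv6 filters" thread (as-path `^$`, prefix-list, community tagging), modelled as an added Python example that is not code from any poster. The prefixes, AS numbers, the `64500:100` community and all function names are constructed for illustration; the table reproduces the case where a former customer's prefix arrives via a peer while a stale prefix-list still permits it.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

EXPORT_TAG = "64500:100"  # hypothetical community meaning "announce to transit"

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: str            # "" means locally originated
    session: str            # "local", "customer" or "peer"
    communities: frozenset = frozenset()

def ingress(route):
    """Stamp EXPORT_TAG on local/customer routes, strip it from anything else."""
    tags = route.communities - {EXPORT_TAG}
    if route.session in ("local", "customer"):
        tags = tags | {EXPORT_TAG}
    return replace(route, communities=tags)

def by_as_path(route):
    """Equivalent of: ip as-path access-list 1 permit ^$ (then deny .*)."""
    return re.search(r"^$", route.as_path) is not None

def by_prefix_list(route, allowed):
    """Exact-match prefix-list; it cannot see where the route was learned."""
    return ipaddress.ip_network(route.prefix) in allowed

def by_community(route):
    """Export decision looks only at the tag set on ingress."""
    return EXPORT_TAG in route.communities

def exported(table, policy):
    """Prefixes the given export policy would announce to a transit."""
    return sorted(r.prefix for r in table if policy(r))

# Constructed BGP table (documentation prefixes and ASNs), v4 and v6 alike.
TABLE = [ingress(r) for r in (
    Route("2001:db8:1000::/36", "", "local"),
    Route("198.51.100.0/24", "", "local"),
    Route("2001:db8:2000::/48", "64510", "customer"),
    # AS64511 is no longer a customer; its prefix now arrives via peer AS64496,
    # which also sent our export tag along (stripped by ingress()).
    Route("2001:db8:3000::/48", "64496 64511", "peer", frozenset({EXPORT_TAG})),
    Route("2001:db8:4000::/48", "64496", "peer"),
)]

# Prefix-list that was never cleaned up after AS64511 left.
STALE_PREFIX_LIST = {ipaddress.ip_network(p) for p in (
    "2001:db8:1000::/36", "198.51.100.0/24",
    "2001:db8:2000::/48", "2001:db8:3000::/48",
)}

if __name__ == "__main__":
    print("as-path ^$ :", exported(TABLE, by_as_path))
    print("prefix-list:", exported(TABLE, lambda r: by_prefix_list(r, STALE_PREFIX_LIST)))
    print("community  :", exported(TABLE, by_community))
```

The as-path filter announces only locally originated routes, so it suits the leaf-AS case but would also drop the BGP customer; the community scheme keeps the customer and drops the ex-customer prefix without any list maintenance.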