Re: [c-nsp] OT: Wireless 2.4ghz
;) I guess the answer would be 'when you want to'. There will always be legacy devices out there that people want to keep and won't do 5GHz. It will be down to you when you turn off 2.4GHz support, a decision based on support costs/overhead.

I guess you already disable 802.11b? Are there any 5GHz only APs? Perhaps time to talk to the wifi vendors about that. :)

alan

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Wireless 2.4ghz
On Tue, Feb 3, 2015 at 3:53 PM, Scott Voll wrote:
> Not talking pie in the sky but reality. when do you think we will be
> able to turn off 2.4ghz wifi radios? we currently have about 50/50 5ghz vs
> 2.4ghz.
>
> What do you think? 18 months?

When are manufacturers going to stop making 2.4 GHz equipment? I just got this:

http://www.amazon.com/Panda-300Mbps-Wireless-N-Adapter-button/dp/B00JDVRCI0/ref=sr_1_2?ie=UTF8&qid=1421788003&sr=8-2&keywords=usb+wifi

I guess I didn't pay attention to the frequency range that it used when I searched, but received it and it is 2.4 only.

-m
[c-nsp] OT: Wireless 2.4ghz
Not talking pie in the sky but reality. When do you think we will be able to turn off 2.4ghz wifi radios? We currently have about 50/50 5ghz vs 2.4ghz.

What do you think? 18 months?

TIA

Scott
Re: [c-nsp] PBR Limits for Nexus 7k
At 10:17 AM 2/3/2015 Tuesday, Tim Stevenson quipped:
> Hi Brian, please see inline below:
>
> At 09:06 AM 2/3/2015 Tuesday, Brian Christopher Raaen quipped:
> > I was doing some research and found the Nexus listed a limit of 23
> > entries for PBR.
>
> This is a limit on number of PBR route-map sequences. Each sequence can
> have a match statement pointing to an ACL of arbitrary size.
>
> > I have some situations that require source based routing for more than
> > that many pairings (more like 200-300).
>
> This limitation would essentially restrict you to 23 unique sets of
> next-hops (ie, each sequence can set 1 or more next-hops) for each set of
> match criteria (ACL).

Let me clarify/reword that:

This limitation would essentially restrict you to 23 unique sets of next-hops (ie, each sequence can set 1 or more next-hops), each with its own set of match criteria (ACL).

Thanks,
Tim

> Let me know if you have any questions.
>
> Thanks,
> Tim
>
> > Does this mean I will need to look for a solution other than a Nexus 7k
> > or am I misunderstanding what this limit means? The datasheet I found it
> > here
> > http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/verified_scalability/b_Cisco_Nexus_7000_Series_NX-OS_Verified_Scalability_Guide.html#reference_DF4FD746AB1145838991CE0BDE9DE621
> >
> > --
> > Brian Christopher Raaen
> > Network Architect
> > Zcorum

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759
Re: [c-nsp] PBR Limits for Nexus 7k
Hi Brian, please see inline below:

At 09:06 AM 2/3/2015 Tuesday, Brian Christopher Raaen quipped:
> I was doing some research and found the Nexus listed a limit of 23
> entries for PBR.

This is a limit on number of PBR route-map sequences. Each sequence can have a match statement pointing to an ACL of arbitrary size.

> I have some situations that require source based routing for more than
> that many pairings (more like 200-300).

This limitation would essentially restrict you to 23 unique sets of next-hops (ie, each sequence can set 1 or more next-hops) for each set of match criteria (ACL).

Let me know if you have any questions.

Thanks,
Tim

> Does this mean I will need to look for a solution other than a Nexus 7k
> or am I misunderstanding what this limit means? The datasheet I found it
> here
> http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/verified_scalability/b_Cisco_Nexus_7000_Series_NX-OS_Verified_Scalability_Guide.html#reference_DF4FD746AB1145838991CE0BDE9DE621
>
> --
> Brian Christopher Raaen
> Network Architect
> Zcorum

Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759
[c-nsp] PBR Limits for Nexus 7k
I was doing some research and found the Nexus listed a limit of 23 entries for PBR. I have some situations that require source based routing for more than that many pairings (more like 200-300). Does this mean I will need to look for a solution other than a Nexus 7k or am I misunderstanding what this limit means? The datasheet I found it here:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/verified_scalability/b_Cisco_Nexus_7000_Series_NX-OS_Verified_Scalability_Guide.html#reference_DF4FD746AB1145838991CE0BDE9DE621

--
Brian Christopher Raaen
Network Architect
Zcorum
[c-nsp] Cisco IOS XR CGN
Hi all,

I have ASR9k running CGN NAT44 and I need to graph some outputs. First, how to pull a specific output if it has no OID? And does Cisco have OIDs for ASR9k ISM?

Thanks
Re: [c-nsp] ME3400 high cpu
> It's most certainly not. If you neither know the exact configuration of
> the box, nor if the box is layer 2 or layer 3 switching, then you better
> not partition the tcam for a specific purpose.
> Check logging, check your routing table. If you have a routing-table
> (aka "ip routing" in the config), then you cannot use the layer 2 template.

I'm not using routing. It is an l2 switch. Why does it have the high percent of interrupt process?

3400#sho ip rou
Default gateway is 10.1.7.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
3400#

Thank you very much.
Re: [c-nsp] BGP/route-map/acl question/logic...
> I can see "easier to use", but more flexibility - actually, no :-)
>
> It's hard to come up with a really useful example, but given that extended
> ACLs match both on prefix base and netmask with wildcards bits, this is
> more flexibility than you'll ever use without your brain blowing up.
>
> access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255
>
> "for every /24 out of 10/0 that is 10.x.5.0/24, permit /24../32"
>
> do that with a prefix list :-)

Yes, extended ACLs are more flexible, but not very easy on the eyes. We are supposed to read, understand and find issues in those configurations at 03 o'clock in the morning and I don't see this happening with extended ACLs. Unless you have such a specific requirement like the one above, prefix-lists are the better tool to do this job.
Re: [c-nsp] BGP/route-map/acl question/logic...
Hi,

On Tue, Feb 03, 2015 at 09:48:35AM +0100, Peter Rathlev wrote:
> On Tue, 2015-02-03 at 09:30 +0100, Gert Doering wrote:
> > It's hard to come up with a really useful example, but given that extended
> > ACLs match both on prefix base and netmask with wildcards bits, this is
> > more flexibility than you'll ever use without your brain blowing up.
> >
> > access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255
> >
> > "for every /24 out of 10/0 that is 10.x.5.0/24, permit /24../32"
> >
> > do that with a prefix list :-)
>
> On the other hand, almost all people doing this are doing something
> wrong. ;-)

I do have to agree on that - I just wanted to challenge the "more flexible" statement from Lukas. And I'm not doing anything like that today ;-)

(OTOH, it depends on your addressing plans... "in every site out there, .x.5.0/24 is the XX-LAN, while .x.6.0/23 is the YY-LAN, and to ensure that no more-specifics are learned, take /24 only for .x.5.0/24, and /23 for .x.6.0/23...")

> And that's _almost_ all of course. Someone very skilled might have a
> legitimate purpose for doing exactly this, but OP (and people like me)
> are not among those.
>
> I'd say stick to prefix-lists and then when you can write route-maps in
> your sleep from arbitrary policy wishes, but still can't solve a given
> problem with prefix-lists _then_ look at using access-lists. :-)

Amen :-)

gert
--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                               g...@greenie.muc.de
fax: +49-89-35655025                          g...@net.informatik.tu-muenchen.de
Re: [c-nsp] BGP/route-map/acl question/logic...
On Tue, 2015-02-03 at 09:30 +0100, Gert Doering wrote:
> It's hard to come up with a really useful example, but given that extended
> ACLs match both on prefix base and netmask with wildcards bits, this is
> more flexibility than you'll ever use without your brain blowing up.
>
> access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255
>
> "for every /24 out of 10/0 that is 10.x.5.0/24, permit /24../32"
>
> do that with a prefix list :-)

On the other hand, almost all people doing this are doing something wrong. ;-)

And that's _almost_ all of course. Someone very skilled might have a legitimate purpose for doing exactly this, but OP (and people like me) are not among those.

I'd say stick to prefix-lists and then when you can write route-maps in your sleep from arbitrary policy wishes, but still can't solve a given problem with prefix-lists _then_ look at using access-lists. :-)

--
Peter
Re: [c-nsp] BGP/route-map/acl question/logic...
Thanks Gert...really appreciate the explanation.

> Date: Tue, 3 Feb 2015 09:35:37 +0100
> From: g...@greenie.muc.de
> To: cisconsp_l...@hotmail.com
> CC: g...@greenie.muc.de; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] BGP/route-map/acl question/logic...
>
> Hi,
>
> On Tue, Feb 03, 2015 at 07:32:43PM +1100, CiscoNSP List wrote:
> > Cheers Gert - Understand it now :)
> >
> > The "continue" part (When to use/when not to use), I definitely need to
> > read up on!
>
> Basically, when you want to match+set something, and then continue processing
> the route-map - while normally it would end at the first clause that matches
> something.
>
> IOW, if a route-map has 10 clauses and half of them have the same "set xxx"
> thing in them, it might make sense. But it does complicate understanding
> the actual flow through the route-map, so use with care.
>
> Of course we all want route-policy (and "vi") for IOS :-)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
> Gert Doering - Munich, Germany                               g...@greenie.muc.de
> fax: +49-89-35655025                          g...@net.informatik.tu-muenchen.de
Re: [c-nsp] BGP/route-map/acl question/logic...
> On Tue, Feb 03, 2015 at 08:39:09AM +0100, Lukas Tribus wrote:
> > > route-map UPSTREAM_A_IN permit 10
> > >  match ip address 98
> >
> > I would strongly suggest to use prefix-lists instead of access-lists, they are
> > made on purpose to match prefixes, are a lot easier to use and provide
> > much more flexibility.
>
> I can see "easier to use", but more flexibility - actually, no :-)
>
> It's hard to come up with a really useful example, but given that extended
> ACLs match both on prefix base and netmask with wildcards bits, this is
> more flexibility than you'll ever use without your brain blowing up.
>
> access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255
>
> "for every /24 out of 10/0 that is 10.x.5.0/24, permit /24../32"
>
> do that with a prefix list :-)

lol...after that acl example, I think my brain is about to explode... hehe, I can sense some regex examples coming :)
Re: [c-nsp] BGP/route-map/acl question/logic...
> > Thanks Lukas - Under what circumstances would you use an access-list
> > over a prefix-list?
>
> I would use an ACL when I need to match specific traffic (e.g. in an
> interface acl, firewall or nat context), as opposed to match specific
> routes (e.g. when configuring routing protocols).

Cheers Lukas.
Re: [c-nsp] BGP/route-map/acl question/logic...
Cheers Gert - Understand it now :)

The "continue" part (When to use/when not to use), I definitely need to read up on!

Thanks again for all the replies.

> Date: Tue, 3 Feb 2015 09:26:56 +0100
> From: g...@greenie.muc.de
> To: cisconsp_l...@hotmail.com
> CC: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] BGP/route-map/acl question/logic...
>
> Hi,
>
> On Tue, Feb 03, 2015 at 04:21:42PM +1100, CiscoNSP List wrote:
> > route-map UPSTREAM_A_IN permit 10
> >  match ip address 98
> >  continue 20
> > route-map UPSTREAM_A_IN permit 20
> >  set community 12345:1
> >
> > access-list 98 deny 10.0.0.0 0.255.255.255
> > access-list 98 permit any
>
> Why fiddle with continue? "Continue to next block" will effectively turn
> this into a no-operation
>
> - if it matches, go to 20
> - if it does not match, go to next block, which happens to be 20
>
> read up on route-maps :-)
>
> I'd do:
>
> route-map UPSTREAM_A_IN deny 10
>  match ip address 98
>
> route-map UPSTREAM_A_IN permit 20
>  set community 12345:1
>
> access-list 98 permit 10.0.0.0 0.255.255.255
> access-list 98 deny any
>
> (-> positive match on what you want to drop, then drop. If no match,
> fall through to 20, tag)
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
> Gert Doering - Munich, Germany                               g...@greenie.muc.de
> fax: +49-89-35655025                          g...@net.informatik.tu-muenchen.de
Re: [c-nsp] MPLS LDP Sync w/ ISIS over point to point Link
I've been in a similar situation before and my understanding is as follows.

If you use loopbacks for your LDP peering and have a default route in your global table you will end up in a catch 22.

Assume R1 and R2. R1 is up and connected to the rest of your domain and has a default route installed. R2 is connected to R1 and is just coming up. They both send LDP hellos.

R2 sees the LDP hellos sourced from R1's loopback. It does not have a route to that so it tries to bring up the IGP.

R1 sees R2's hellos, sourced from R2's loopback. It does have a matching route for that (the default) so it will not bring up the IGP (until the holddown expires, which is never by default).

Holddown should fix this, as suggested. You may want to reevaluate whether you want ldp-igp sync in such a design though. Depending on your design goals, there might be other knobs or procedures more suited to them.

On 3 Feb 2015 01:09, dip wrote:
> Without going too deep right now as I am outside I think "mpls ldp igp
> sync holddown sec" should fix the problem.
>
> On Monday, February 2, 2015, Troy Boutso wrote:
> > Hey
> >
> > I've been rolling out new routers to various sites throughout our
> > organisation. And in doing so, I've been applying the "mpls ldp sync"
> > command under the "router isis" subsection.
> > This has been fine up until now. Because all other sites are running OSPF
> > and ISIS together (as we are in the process of migrating away from an OSPF
> > network to an ISIS based MPLS core network, etc).
> >
> > With this new site, I only planned on only bringing up the isis adjacency as
> > it is a new site and no OSPF is required (because I don't need to migrate
> > anything off). However the ISIS adjacency won't come up because it doesn't
> > have an LDP session up yet. And the LDP session won't come up without the
> > IGP coming up.
> >
> > This is some real chicken and egg stuff right here.
> >
> > It has become quite clear that all my other routers in production which
> > have LDP sessions are essentially relying on that OSPF adjacency to help
> > form the initial LDP session.
> > One day I plan to shut those down. Which could cause me big issues further
> > down the road.
> > I do have ldp session protection enabled ... but if a router was to reboot
> > and have no ospf to help form the initial LDP, then it seems my isis
> > adjacency may never form. That is the worst case scenario
> >
> >
> > Getting back to my point ... If I remove the mpls ldp sync on both routers
> > the ISIS adjacency forms immediately. So this is definitely the culprit.
> > How on earth is this feature supposed to work in a production environment?
> > Am I missing something here?
> >
> > Am I supposed to manually form ldp sessions (targeted) or something?
> > If anyone has experience with this, I'm all ears.
> >
> > Kind Regards
> > Troy
>
> --
> Sent from iPhone
Re: [c-nsp] BGP/route-map/acl question/logic...
Hi,

On Tue, Feb 03, 2015 at 07:32:43PM +1100, CiscoNSP List wrote:
> Cheers Gert - Understand it now :)
>
> The "continue" part (When to use/when not to use), I definitely need to read
> up on!

Basically, when you want to match+set something, and then continue processing the route-map - while normally it would end at the first clause that matches something.

IOW, if a route-map has 10 clauses and half of them have the same "set xxx" thing in them, it might make sense. But it does complicate understanding the actual flow through the route-map, so use with care.

Of course we all want route-policy (and "vi") for IOS :-)

gert
--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                               g...@greenie.muc.de
fax: +49-89-35655025                          g...@net.informatik.tu-muenchen.de
Re: [c-nsp] BGP/route-map/acl question/logic...
> Thanks Lukas - Under what circumstances would you use an access-list
> over a prefix-list?

I would use an ACL when I need to match specific traffic (e.g. in an interface acl, firewall or nat context), as opposed to match specific routes (e.g. when configuring routing protocols).
Re: [c-nsp] BGP/route-map/acl question/logic...
Hi,

On Tue, Feb 03, 2015 at 08:39:09AM +0100, Lukas Tribus wrote:
> > route-map UPSTREAM_A_IN permit 10
> >  match ip address 98
>
> I would strongly suggest to use prefix-lists instead of access-lists, they are
> made on purpose to match prefixes, are a lot easier to use and provide
> much more flexibility.

I can see "easier to use", but more flexibility - actually, no :-)

It's hard to come up with a really useful example, but given that extended ACLs match both on prefix base and netmask with wildcards bits, this is more flexibility than you'll ever use without your brain blowing up.

access-list 100 permit 10.0.5.0 0.255.0.0 255.255.255.0 0.0.0.255

"for every /24 out of 10/0 that is 10.x.5.0/24, permit /24../32"

do that with a prefix list :-)

gert
--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                               g...@greenie.muc.de
fax: +49-89-35655025                          g...@net.informatik.tu-muenchen.de
Re: [c-nsp] ME3400 high cpu
> Yes, I used layer-2 template. I think it is appropriate for the traffic. How
> could I know?

It's most certainly not. If you neither know the exact configuration of the box, nor if the box is layer 2 or layer 3 switching, then you better not partition the tcam for a specific purpose.

Check logging, check your routing table. If you have a routing-table (aka "ip routing" in the config), then you cannot use the layer 2 template.
Re: [c-nsp] BGP/route-map/acl question/logic...
Hi,

On Tue, Feb 03, 2015 at 04:21:42PM +1100, CiscoNSP List wrote:
> route-map UPSTREAM_A_IN permit 10
>  match ip address 98
>  continue 20
> route-map UPSTREAM_A_IN permit 20
>  set community 12345:1
>
> access-list 98 deny 10.0.0.0 0.255.255.255
> access-list 98 permit any

Why fiddle with continue? "Continue to next block" will effectively turn this into a no-operation

- if it matches, go to 20
- if it does not match, go to next block, which happens to be 20

read up on route-maps :-)

I'd do:

route-map UPSTREAM_A_IN deny 10
 match ip address 98

route-map UPSTREAM_A_IN permit 20
 set community 12345:1

access-list 98 permit 10.0.0.0 0.255.255.255
access-list 98 deny any

(-> positive match on what you want to drop, then drop. If no match, fall through to 20, tag)

gert
--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                               g...@greenie.muc.de
fax: +49-89-35655025                          g...@net.informatik.tu-muenchen.de
Re: [c-nsp] BGP/route-map/acl question/logic...
Thanks very much for the explanation (and examples), and yes, I agree it is a tad counter-intuitive, hence my confusion why my first attempt was not working as I expected it to (or what I thought it logically should be doing!)

Cheers.

> Date: Tue, 3 Feb 2015 10:08:23 +0200
> From: cisco-...@lnx.ro
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] BGP/route-map/acl question/logic...
>
> Hi,
>
> route-maps are "first rule match" based.
>
> The "permit any" in the acl will "match" the announcement and skip the
> rest of the rules.
>
> you need to do something like:
>
> access-list 98 permit 10.0.0.0 0.255.255.255
> (or better:
> prefix-list PL-NAME permit 10.0.0.0/8
> )
> route-map UPSTREAM_A_IN *deny* 10
>  match ip address 98
> (or better:
>  match ip address prefix-list PL-NAME
> )
> route-map UPSTREAM_A_IN permit 20
>  set community 12345:1
>
> You "permit" the prefix to be denied. A bit counter-intuitive, yes :)
>
> Dumitru
>
> On 02/03/2015 07:21 AM, CiscoNSP List wrote:
> > Hi Everyone,
> >
> > If I want to block certain prefixes from an upstream, and accept the rest
> > and then tag the accepted prefixes, which is the correct method..I
> > *thought* the first one was correct, but it doesn't do what I
> > expected...i.e. the ACL gets a hit on deny 10.0.0.0/24, but it is still
> > allowed (i.e. we still receive the prefix)?:
> >
> > route-map UPSTREAM_A_IN permit 10
> >  match ip address 98
> >  continue 20
> > route-map UPSTREAM_A_IN permit 20
> >  set community 12345:1
> >
> > access-list 98 deny 10.0.0.0 0.255.255.255
> > access-list 98 permit any
> >
> > or...(I haven't tested this one yet):
> >
> > route-map UPSTREAM_A_IN deny 10
> >  match ip address 98
> >  continue 20
> > route-map UPSTREAM_A_IN permit 20
> >  set community 12345:1
> >
> > access-list 98 permit 10.0.0.0 0.255.255.255
> >
> > Cheers.
Re: [c-nsp] BGP/route-map/acl question/logic...
Thanks Lukas - Under what circumstances would you use an access-list over a prefix-list?

Cheers.

> From: luky...@hotmail.com
> To: cisconsp_l...@hotmail.com; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] BGP/route-map/acl question/logic...
> Date: Tue, 3 Feb 2015 08:39:09 +0100
>
> > route-map UPSTREAM_A_IN permit 10
> >  match ip address 98
>
> I would strongly suggest to use prefix-lists instead of access-lists, they are
> made on purpose to match prefixes, are a lot easier to use and provide
> much more flexibility.
Re: [c-nsp] BGP/route-map/acl question/logic...
Thanks very much Karsten - So, matches from route-map section 10 are not carried through to route-map section 20 (section 20 basically allows all, and just tags)?

> Date: Tue, 3 Feb 2015 08:14:13 +0100
> From: karsten_thom...@linfre.de
> To: cisconsp_l...@hotmail.com
> CC: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] BGP/route-map/acl question/logic...
>
> Hi,
>
> if you want to deny the prefix you have to use deny ;)
> The untested version of your route-map should do the expected, but you
> don't need the continue 20 as the continue doesn't work with a deny.
>
> Karsten
>
> Am 03.02.2015 06:21, schrieb CiscoNSP List:
> > Hi Everyone,
> >
> > If I want to block certain prefixes from an upstream, and accept the rest
> > and then tag the accepted prefixes, which is the correct method..I
> > *thought* the first one was correct, but it doesn't do what I
> > expected...i.e. the ACL gets a hit on deny 10.0.0.0/24, but it is still
> > allowed (i.e. we still receive the prefix)?:
> >
> > route-map UPSTREAM_A_IN permit 10
> >  match ip address 98
> >  continue 20
> > route-map UPSTREAM_A_IN permit 20
> >  set community 12345:1
> >
> > access-list 98 deny 10.0.0.0 0.255.255.255
> > access-list 98 permit any
> >
> > or...(I haven't tested this one yet):
> >
> > route-map UPSTREAM_A_IN deny 10
> >  match ip address 98
> >  continue 20
> > route-map UPSTREAM_A_IN permit 20
> >  set community 12345:1
> >
> > access-list 98 permit 10.0.0.0 0.255.255.255
> >
> > Cheers.
Re: [c-nsp] BGP/route-map/acl question/logic...
Hi,

route-maps are "first rule match" based.

The "permit any" in the acl will "match" the announcement and skip the rest of the rules.

you need to do something like:

access-list 98 permit 10.0.0.0 0.255.255.255
(or better:
prefix-list PL-NAME permit 10.0.0.0/8
)
route-map UPSTREAM_A_IN *deny* 10
 match ip address 98
(or better:
 match ip address prefix-list PL-NAME
)
route-map UPSTREAM_A_IN permit 20
 set community 12345:1

You "permit" the prefix to be denied. A bit counter-intuitive, yes :)

Dumitru

On 02/03/2015 07:21 AM, CiscoNSP List wrote:
> Hi Everyone,
>
> If I want to block certain prefixes from an upstream, and accept the rest
> and then tag the accepted prefixes, which is the correct method..I
> *thought* the first one was correct, but it doesn't do what I
> expected...i.e. the ACL gets a hit on deny 10.0.0.0/24, but it is still
> allowed (i.e. we still receive the prefix)?:
>
> route-map UPSTREAM_A_IN permit 10
>  match ip address 98
>  continue 20
> route-map UPSTREAM_A_IN permit 20
>  set community 12345:1
>
> access-list 98 deny 10.0.0.0 0.255.255.255
> access-list 98 permit any
>
> or...(I haven't tested this one yet):
>
> route-map UPSTREAM_A_IN deny 10
>  match ip address 98
>  continue 20
> route-map UPSTREAM_A_IN permit 20
>  set community 12345:1
>
> access-list 98 permit 10.0.0.0 0.255.255.255
>
> Cheers.
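The route-map behaviour this thread circles around (first matching clause wins, an ACL "deny" entry means "this clause does not match", a matching deny clause ends processing so "continue" is moot there) and Gert's extended-ACL wildcard example, modelled in a small Python simulator. This is an added example, not code from the thread or from Cisco; the class and function names are its own, and the prefixes fed through it are constructed.

```python
"""Constructed model of IOS route-map + ACL evaluation for BGP prefixes.
Added example; not code from the thread or from Cisco. Names are this example's own."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _wild_match(value: int, base: int, wildcard: int) -> bool:
    # IOS wildcard: a 1 bit means "don't care", a 0 bit must match exactly.
    care = ~wildcard & 0xFFFFFFFF
    return (value & care) == (base & care)


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    addr: str                      # base address
    addr_wc: str                   # wildcard applied to the prefix address
    mask: Optional[str] = None     # extended ACL only: base netmask
    mask_wc: Optional[str] = None  # extended ACL only: wildcard for the netmask

    def matches(self, net: IPv4Network) -> bool:
        if not _wild_match(int(net.network_address), _ip(self.addr), _ip(self.addr_wc)):
            return False
        if self.mask is None:
            return True            # standard ACL: the prefix length is not examined
        return _wild_match(int(net.netmask), _ip(self.mask), _ip(self.mask_wc))


def acl_permits(acl: List[AclEntry], prefix: str) -> bool:
    """First matching entry decides, implicit deny at the end. Inside a route-map
    'match ip address', permit means the clause matches; deny means it does not."""
    net = IPv4Network(prefix)
    for entry in acl:
        if entry.matches(net):
            return entry.action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str                                 # "permit" or "deny"
    match_acl: Optional[List[AclEntry]] = None  # None: matches every prefix
    set_community: Optional[str] = None
    continue_to: Optional[int] = None


def run_route_map(clauses: List[Clause], prefix: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, community). A matching deny clause ends processing
    (continue is ignored there); a matching permit applies its set and stops,
    or with continue resumes at the named sequence; a prefix matching no
    clause at all falls into the implicit deny."""
    clauses = sorted(clauses, key=lambda c: c.seq)
    community, permitted, i = None, False, 0
    while i < len(clauses):
        c = clauses[i]
        if c.match_acl is not None and not acl_permits(c.match_acl, prefix):
            i += 1
            continue
        if c.action == "deny":
            return False, None
        permitted = True
        if c.set_community is not None:
            community = c.set_community
        if c.continue_to is None:
            return True, community
        i = next((k for k, x in enumerate(clauses) if x.seq >= c.continue_to), len(clauses))
    return permitted, community


ANY = ("0.0.0.0", "255.255.255.255")
# The original poster's first attempt: ACL 98 denies 10/8 and permits the rest.
ACL_98_OP = [AclEntry("deny", "10.0.0.0", "0.255.255.255"), AclEntry("permit", *ANY)]
RM_OP = [Clause(10, "permit", ACL_98_OP, continue_to=20),
         Clause(20, "permit", set_community="12345:1")]
# Gert's and Dumitru's version: ACL 98 permits 10/8, referenced from a deny clause.
ACL_98_FIX = [AclEntry("permit", "10.0.0.0", "0.255.255.255"), AclEntry("deny", *ANY)]
RM_FIX = [Clause(10, "deny", ACL_98_FIX), Clause(20, "permit", set_community="12345:1")]
# Gert's extended ACL: address 10.x.5.0 with a netmask whose first three octets are 255.
ACL_100 = [AclEntry("permit", "10.0.5.0", "0.255.0.0", "255.255.255.0", "0.0.0.255")]

if __name__ == "__main__":
    for name, rm in (("OP first attempt", RM_OP), ("deny-clause fix", RM_FIX)):
        for p in ("10.0.0.0/8", "10.1.0.0/16", "192.0.2.0/24"):
            print(f"{name:16} {p:13} -> {run_route_map(rm, p)}")
    for p in ("10.7.5.0/24", "10.7.5.0/26", "10.7.5.128/25", "10.7.6.0/24", "10.7.4.0/23"):
        print(f"access-list 100  {p:13} -> {acl_permits(ACL_100, p)}")
```

Running it shows the first attempt accepting and tagging 10/8 (the deny ACL entry only makes clause 10 fall through to clause 20), while the deny-clause version drops it and tags everything else.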
Re: [c-nsp] ME3400 high cpu
> Hi,
>
> Can you describe the traffic going through the switch?

I think l2 and l3 mpls VPN. I'm not sure. How could I know?

> It looks like the CPU is getting pushed up due to IGMP snooping.

But the IGMPSN process is just about 10%.

> Is there any possibility that you have the 'layer-2' SDM template applied?

Yes, I used layer-2 template. I think it is appropriate for the traffic. How could I know?

Thank you very much.