Re: [c-nsp] Cisco 6500 with SIP-400 ?

2017-01-26 Thread Gert Doering
Hi,

On Fri, Jan 27, 2017 at 01:12:07AM +0100, Olivier CALVANO wrote:
> anyone can why we have a "OutSrvc" status ?

I'd expect the router to log something at card insertion time that
clarifies why it isn't liking the SPA - hardware revision, wrong
software version (no _wan?), etc.


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Nexus 93108TC-EX Breakout Support

2017-01-26 Thread Tim Stevenson

Hi Nick, please see inline below:


At 02:47 PM 1/26/2017  Thursday, Nick Cutting quipped:

This is the second generation 10 gig copper leaf switch with 100 gig uplinks.
The first generation did not support 40 gig x 10 SFP+ breakouts on 
the uplinks.


I believe this Generation 2 version does - (you can run the 100's at 
40, and the 40's should support breakouts)


I have looked at the switch documentation - which points to the 9k 
breakout document - which DOES not include the generation 2 EX switches.
So I cannot find any doc that says it is supported - including the 
cisco live PDF's.


Any insight would be greatly appreciated.



It is supported:

93108tc-ex-1# sh mod 1 | eg TC
154   48x10GT + 6x40G/100G Ethernet Module  N9K-C93108TC-EX   active
93108tc-ex-1# sh ver | eg NXOS:
  NXOS: version 7.0(3)I5(1)
93108tc-ex-1# sh int e1/49-54 cap | eg -i ^eth|break|speed
Ethernet1/49
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/50
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/51
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/52
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/53
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
Ethernet1/54
  Speed: 1000,1,25000,4,5,10
  Breakout capable:  yes
93108tc-ex-1#

You can find that (buried) in the NXOS release notes here:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/release/notes/70342_nxos_rn.html

Search for "breakout cable".

Hope that helps,
Tim





Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/






Tim Stevenson, tstev...@cisco.com
Routing & Switching CCIE #5561
Distinguished Engineer, Technical Marketing
Data Center Switching
Cisco - http://www.cisco.com
+1(408)526-6759

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Cisco 6500 with SIP-400 ?

2017-01-26 Thread Olivier CALVANO
Hi

i have installed a 7600-SIP-400 into a 6500 with SUP720-3BXL, the router
see the SIP card

Mod Ports Card Type  Model  Serial
No.
--- - -- --
---
  12  Supervisor Engine 720 (Active) WS-SUP720-3BXL
SAD100100AU
  20  4-subslot SPA Interface Processor-400  7600-SIP-400
SAL1544U24H
  3   16  SFM-capable 16 port 1000mb GBICWS-X6516-GBIC
 SAD060303M0


but for SPA:

Mod  Sub-Module  Model  Serial   Hw
Status
 --- -- --- ---
---
  1  Policy Feature Card 3   WS-F6K-PFC3BXL SAD094606KV  1.6Ok
  1  MSFC3 Daughterboard WS-SUP720  SAD095205RF  2.3Ok
 2/0 2xGE SPASPA-2X1GE-V2   SAL1925HGJ0  1.2
 OutSrvc

anyone can why we have a "OutSrvc" status ?


and we have add this card for support PPPoE/VPDN, anyone use this card for
this ?


thanks
Olivier
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Nexus 93108TC-EX Breakout Support

2017-01-26 Thread Nick Cutting
This is the second generation 10 gig copper leaf switch with 100 gig uplinks.
The first generation did not support 40 gig x 10 SFP+ breakouts on the uplinks.

I believe this Generation 2 version does - (you can run the 100's at 40, and 
the 40's should support breakouts)

I have looked at the switch documentation - which points to the 9k breakout 
document - which DOES not include the generation 2 EX switches.
So I cannot find any doc that says it is supported - including the cisco live 
PDF's.

Any insight would be greatly appreciated.

Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Saku Ytti
On 26 January 2017 at 18:41, Phil Mayers  wrote:

> Box-wide though, right? No way to only do this on the IXP interface with MLS
> RL.

Unfortunately no. I guess per DFC should be possible, unsure if it's supported.

-- 
  ++ytti
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Phil Mayers

On 26/01/2017 16:08, Saku Ytti wrote:

On 26 January 2017 at 13:54, Phil Mayers  wrote:

Hey,


Worth noting that CoPP on sup720 is done in software for multicast and
broadcast. I assume it'll come before MLD processing so would stop the
queries arriving and thus replies being sent, but worth testing.

Although this is not the use-case OP has, we have tried and failed to
protect a sup720 from an MLD storm with CoPP. The puny CPU and software CoPP
just didn't help.


If you do not allow MCAST on CoPP, you will software process. If you
allow MCAST in CoPP and MLS rate-limit, you can drop them in HW.


Box-wide though, right? No way to only do this on the IXP interface with 
MLS RL.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Saku Ytti
On 26 January 2017 at 13:54, Phil Mayers  wrote:

Hey,

> Worth noting that CoPP on sup720 is done in software for multicast and
> broadcast. I assume it'll come before MLD processing so would stop the
> queries arriving and thus replies being sent, but worth testing.
>
> Although this is not the use-case OP has, we have tried and failed to
> protect a sup720 from an MLD storm with CoPP. The puny CPU and software CoPP
> just didn't help.

If you do not allow MCAST on CoPP, you will software process. If you
allow MCAST in CoPP and MLS rate-limit, you can drop them in HW.

-- 
  ++ytti
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Phil Mayers

On 26/01/17 08:18, Lukas Tribus wrote:

  I've been testing workarounds based upon filtering the incoming MLD
query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco
6500 w. SUP720-3B running 15.1(2)SY).


Control Plane Policing is probably the way to address this (in case MLD
cannot be properly disabled, I mean).


Worth noting that CoPP on sup720 is done in software for multicast and 
broadcast. I assume it'll come before MLD processing so would stop the 
queries arriving and thus replies being sent, but worth testing.


Although this is not the use-case OP has, we have tried and failed to 
protect a sup720 from an MLD storm with CoPP. The puny CPU and software 
CoPP just didn't help.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Enno Rey
Hi,

On Wed, Jan 25, 2017 at 06:35:19PM +, James A. T. Rice wrote:
> Hi Folks,
> 
> I'm trying to gather information on how to disable MLD reports for various 
> Cisco devices in use at IXPs - where MLD queries and reports are often both 
> prohibited traffic.
> 
> There doesn't seem to be a configuration line to disable replying to MLD 
> queries with MLD reports.

from the top of my head "no ipv6 mld join-group" should achieve that (whereas 
"no ipv6 mld router" disables the querier side of things).
have you tried that (the former)?

A while ago a bunch of guys (incl. myself) tried to suggest an "RA guard" 
similar thing called "MLD guard" but the draft never gained much ground. [see 
https://www.ietf.org/archive/id/draft-vyncke-pim-mld-security-01.txt]
So an ACL like the one you suggested below actually is the best/only way to go 
when it comes to filtering.

best

Enno



> 
> I've been testing workarounds based upon filtering the incoming MLD query, on 
> a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco 6500 w. SUP720-3B 
> running 15.1(2)SY).
> 
> Using the following ACL:
> 
> ipv6 access-list v6-denymldquery-in
> deny icmp any host ff02::1 mld-query
> permit ipv6 any any
> interface 
> ipv6 traffic-filter v6-denymldquery-in in
> 
> works on both the 4500 and 6500, when applied to the SVI/L3 interface.
> However, on the 4500 when applied to the SVI/L3 interface this gets processed 
> in CPU. It's better to use an SVI, and have the ACL applied on the L2 port, 
> or in a VLAN map, in which case the traffic is filtered in hardware.
> Conversely, on the 6500, it appears better to not use an SVI, since with a L3 
> port the SP CPU isn't hit. I've not found a way to filter the traffic such 
> that it doesn't hit the RP CPU.
> Configuration lines from after write erase, reload, for each test case, are 
> in the attached file, in case anyone would like to repeat this.
> 
> prevents MLD responses[a] SVI/L3 ACL  [b] L2 port ACL  [c] VLAN map ACL
> / cpu@3kpps
> [1] 4500 L3 port  yes n/a  no
>   60%cpu
> [2] 4500 SVI + L2 access  yes yes  yes
>   60%cpu  0%cpu0%cpu
> [3] 4500 SVI + L2 trunk   yes yes  yes
>   60%cpu  0%cpu0%cpu
> [4] 6500 L3 port  yes n/a  n/a
>   20%rp 0%sp
> [5] 6500 SVI + L2 access  yes no   no
>   20%rp 40%sp
> [6] 6500 SVI + L3 trunk   yes no   no
>   20%rp 40%sp
> 
> 
> Does anyone have any better configurations for blocking MLD queries (i.e. on 
> the 6500 is there a way to make it process the ACL in HW, thus not affect RP 
> or the SP CPU)?
> 
> Does anyone have any configurations for the best way of stopping MLD 
> responses on other platforms, and whether it's possible for these to be 
> applied entirely in hardware? I don't have any more platforms to test on, but 
> ASR1K/ASR9K both seem to be popular peering platforms, and 7201 isn't unheard 
> of.
> 
> Bizarrely, one way of making the 6500 stop responding to MLD queries seems to 
> be to send 3000 pps of queries towards it for about 100 seconds, around which 
> point it will stop responding to any more until a chassis reload.
> 
> Thanks
> James Rice
> Jump Networks Ltd.

> prevents MLD responses [a] SVI/L3 ACL  [b] L2 port ACL  [c] VLAN map ACL
> / cpu@3kpps
> [1] 4500 L3 port   yes n/a  no
> 60%cpu
> [2] 4500 SVI + L2 access   yes yes  yes
> 60%cpu  0%cpu0%cpu
> [3] 4500 SVI + L2 trunkyes yes  yes
> 60%cpu  0%cpu0%cpu
> [4] 6500 L3 port   yes n/a  n/a
> 20%rp 0%sp
> [5] 6500 SVI + L2 access   yes no   no
> 20%rp 40%sp
> [6] 6500 SVI + L3 trunkyes no   no
> 20%rp 40%sp
> 
> 
> 
> [1] 4500 with L3 port
> ipv6 unicast-routing
> int g1/48
>  no switchport
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ipv6 address 2001:DB8:4:1::22EF:2/64
>  ipv6 nd ra suppress all
>  no ipv6 redirects
>  no ipv6 unreachables
>  no cdp enable
> [1.a]
> ipv6 access-list v6-denymldquery-in
>  deny icmp any host ff02::1 mld-query
>  permit ipv6 any any
> interface g1/48
>  ipv6 traffic-filter v6-denymldquery-in in
> [1.c]
> do show vlan internal usage
> ipv6 access-list match-mld-query
>  permit icmp any host ff02::1 mld-query
> vlan access-map drop-mld-query
>  match ipv6 address match-mld-query
>  action drop
> vlan filter drop-mld-query vlan-list 1006
> 
> [2] 4500 with SVI + access port
> ipv6

Re: [c-nsp] Stopping MLD responses & protecting CPU from MLD queries

2017-01-26 Thread Lukas Tribus
> I've been testing workarounds based upon filtering the incoming MLD
> query, on a 4500 (Cisco 4948E running 15.1(2)SG) and a 6500 (Cisco
> 6500 w. SUP720-3B running 15.1(2)SY).

Control Plane Policing is probably the way to address this (in case MLD
cannot be properly disabled, I mean).



> Bizarrely, one way of making the 6500 stop responding to MLD queries
> seems to be to send 3000 pps of queries towards it for about 100 seconds,
> around which point it will stop responding to any more until a chassis reload.

Huh, that is a very ciscoesque way to workaround this. Don't tell 'em; they
may document this "workaround" ;)


cheers,
lukas
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/