Re: [c-nsp] 2960X SDM Template

2016-07-08 Thread Antonio Soares
Yes, the “lanbase-default” seems much better than the “lanbase-routing”. I just 
wanted to know why they called it that way… Can you share your experience ? I 
guess it wasn’t very good :)

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP/DC)
amsoa...@netcabo.pt
http://www.ccie18473.net

From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk] 
Sent: Friday, July 8, 2016 21:08
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 2960X SDM Template

Yes. Tell me about it. The values for the routing SDM are worse across the 
board so why would you use that profile instead??? One day I'll get a nice 
explanation ;)

alan

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] 2960X SDM Template

2016-07-08 Thread Antonio Soares
Team,

I just realized that with only a few SVIs and one static route I got the
message below when using the SDM Template "lanbase-routing":

%PLATFORM_UCAST-4-PREFIX:  One or more, more specific prefixes could not be
programmed into TCAM and are being covered by a less specific prefix, and
the packets may be software forwarded

Looking at the SDM Table comparison on the link below, it seems I am
hitting the maximum value for the "number of indirect IPv4 routes":

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/system_manage/configuration_guide/b_sm_1522e_2960x_cg/b_sm_152ex_2960-x_cg_chapter_0100.html

So it seems the more appropriate SDM Template for my setup is the Template
"lanbase-default" instead of the "lanbase-routing". What I don't understand
is why the "lanbase-routing" has much less resources for routing purposes
than the "lanbase-default" template. They call it routing, right ?  But the
context sensitive help shows this:

2960x-lab(config)#sdm prefer ?
  default          Default bias
  lanbase-default  Enhanced support for both IPv4 and IPv6 Routing
  lanbase-routing  Supports both IPv4 and IPv6 Static Routing

2960x-lab(config)#

The "lanbase-default" is enhanced for routing ??? And the "lanbase-routing"
is not ???

What am I missing here ?

I tested the "lanbase-default" template and it works fine. No TCAM error
messages and routing works normally (between SVIs and using the static
route). I'm using 15.2(2)E3.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP/DC)
amsoa...@netcabo.pt
http://www.ccie18473.net

 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Nexus 3064PQ-10GX vs. Nexus 3064PQ-10GE

2016-06-19 Thread Antonio Soares
All I was able to find is that the 3064PQ went EOS in 2013 and was replaced by
the 3064PQ-10GX:

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3000-series-switches/eol_c51-713679.html

The 3064PQ must be the 3064PQ-10GE but it seems there's no trace of
information about this model.


Regards,

Antonio Soares, CCIE #18473 (RS/SP/DC)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Alireza Soltanian
Sent: Sunday, June 19, 2016 04:33
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 3064PQ-10GX vs. Nexus 3064PQ-10GE

Hi Everybody

I am looking to buy Nexus Switches and I encountered two variations of Nexus
3064PQ. They are 10GX and 10GE. I wonder what is the major difference
between these two switches? I know there is a T variation which supports
Copper cables only but I could not find anything about major difference
between these two variations.

Is there anybody who can help me in this regard?

Thank you

Alireza

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Nexus 7K FCoE Load Balancing

2015-10-27 Thread Antonio Soares
Hello Team,

Does anyone know details about this note:

"Note: On Nexus 7000, by default the source-destination-oxid load balancing
mechanism is used for FCoE traffic."

On this document:

http://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116298-configure-nexus-00.html

I can't understand the logic behind it. On the 5K, if we want to do the same
thing we need "port-channel load-balance ethernet source-dest-port".

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Enabling multicast routing on 3750G platform

2015-01-29 Thread Antonio Soares
Try again after removing the IGMP join on the outside vlan.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lobo
Sent: Thursday, January 29, 2015 00:57
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Enabling multicast routing on 3750G platform

I've moved the configuration on the switch so that the ports are routed now
instead of using vlans but still no go.

Here is the output from a show ip mroute:

Switch#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
   L - Local, P - Pruned, R - RP-bit set, F - Register flag,
   T - SPT-bit set, J - Join SPT, M - MSDP created entry,
   X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
   U - URD, I - Received Source Specific Host Report,
   Z - Multicast Tunnel, z - MDT-data group sender,
   Y - Joined MDT-data group, y - Sending to MDT-data group
   V - RD  Vector, v - Vector
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.255.250), 00:01:03/00:02:56, RP 3.3.3.3, flags: SJC
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1/0/2, Forward/Sparse, 00:01:03/00:02:06
    GigabitEthernet1/0/1, Forward/Sparse, 00:01:03/00:02:56

(*, 239.0.0.1), 00:01:22/00:02:56, RP 3.3.3.3, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1/0/2, Forward/Sparse, 00:01:23/00:02:56

(*, 224.0.1.40), 00:01:23/00:02:08, RP 3.3.3.3, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Loopback0, Forward/Sparse, 00:01:23/00:02:08

Switch#

Switch#sh ip pim interface

Address          Interface                Ver/   Nbr    Query  DR     DR
                                          Mode   Count  Intvl  Prior
3.3.3.3          Loopback0                v2/S   0      30     1      3.3.3.3
1.1.1.2          GigabitEthernet1/0/1     v2/S   0      30     1      1.1.1.2
2.2.2.2          GigabitEthernet1/0/2     v2/S   0      30     1      2.2.2.2
Switch#

The traffic is still coming in on port 1:

Switch#sh int g1/0/1
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0018.73bf.12c1 (bia 0018.73bf.12c1)
  Internet address is 1.1.1.2/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 12/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  <snip>
  30 second input rate 4822000 bits/sec, 444 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

but not exiting on port 2

Switch#sh int g1/0/2
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0018.73bf.12c2 (bia 0018.73bf.12c2)
  Internet address is 2.2.2.2/24
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  <snip>
  30 second input rate 4000 bits/sec, 6 packets/sec
  30 second output rate 1000 bits/sec, 1 packets/sec

I've changed the TTL on VLC to 10 and I've also changed things to
sparse-mode and put it on the loopback as well.

Any other suggestions?

!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip pim sparse-mode
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 1.1.1.2 255.255.255.0
 ip pim sparse-mode
 load-interval 30
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 2.2.2.2 255.255.255.0
 ip pim sparse-mode
 ip igmp join-group 239.0.0.1
 load-interval 30
 spanning-tree portfast
!
ip routing
no ip domain-lookup
!
!
ip multicast-routing distributed
!
!
ip pim rp-address 3.3.3.3
!

Jose

On Wed, Jan 28, 2015 at 4:43 PM, Lobo loboti...@gmail.com wrote:

 Thanks for the replies. I'll post a show mroute and tweak the VLC 
 parameters once I get access to the device tonight.  BTW, all of this 
 testing is just on a single switch so no other topology exists.

 Jose

 On Wed, Jan 28, 2015 at 12:55 PM, Adrian Minta 
 adrian.mi...@gmail.com
 wrote:

 Hi,
 look for the stream TTL.

 On 28.01.2015 19:37, Lobo wrote:

 Hi everyone.  I've been trying to get multicast routing to work on a 
 single 3750G switch between two vlans but for the life of me it just 
 doesn't work.  When the host and receiver are on a single vlan the 
 streaming works 
 The server streaming via VLC is 1.1.1.1 and is using 239.0.0.1 for 
 the multicast address. The receiver is 2.2.2.1 and using VLC to 
 stream.  I can see the traffic coming in on port 1 but no traffic 
 leaving the switch's other port.

 BTW, I tried dense-mode and sparse-mode

Re: [c-nsp] Enabling multicast routing on 3750G platform

2015-01-28 Thread Antonio Soares
Enable PIM on the loopback.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lobo
Sent: Wednesday, January 28, 2015 17:38
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Enabling multicast routing on 3750G platform

Hi everyone.  I've been trying to get multicast routing to work on a single
3750G switch between two vlans but for the life of me it just doesn't work.
When the host and receiver are on a single vlan the streaming works but then
you don't even need multicast routing enabled for it to work.
When I split the two hosts onto separate vlans that's where the problem
begins.

This is what I've configured so far and I'm sure it's just some extra
commands I'm missing or something:

ip multicast-routing distributed
!
ip pim rp-address 3.3.3.3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 switchport access vlan 200
!
interface Vlan100
 ip address 1.1.1.2 255.255.255.0
 ip pim sparse-dense-mode
!
interface Vlan200
 ip address 2.2.2.2 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp join-group 239.0.0.1
!

The server streaming via VLC is 1.1.1.1 and is using 239.0.0.1 for the
multicast address. The receiver is 2.2.2.1 and using VLC to stream.  I can
see the traffic coming in on port 1 but no traffic leaving the switch's
other port.

BTW, I tried dense-mode and sparse-mode as well with similar results.

Any thoughts?

Jose

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ASR1001 RAM

2014-08-13 Thread Antonio Soares
These outputs are always relevant. Here you should see what is the maximum 
routes available. It should be different in case you have 4GB or 8GB of RAM.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gabriel
Sent: Tuesday, August 12, 2014 23:15
To: Cisco Network Service Providers
Subject: Re: [c-nsp] ASR1001 RAM

I'm now filtering the full tables on these routers. In this situation, would 
those outputs still be relevant?

On Tue, Aug 12, 2014 at 5:59 PM, Antonio Soares amsoa...@netcabo.pt wrote:
 Can you share these outputs from both routers ?

 show cef fib
 show cef table


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net

 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Gabriel
 Sent: Tuesday, August 12, 2014 14:36
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] ASR1001 RAM

 Hi,

 we have 2 ASR1001 in one location. They each receive a full table from 
 different providers and have an iBGP session between them. One of them 
 generated this message today:

 *Aug 11 23:11:16.983: %FIB-2-FIBDOWN: CEF has been disabled due to a low 
 memory condition. It can be re-enabled by configuring ip cef [distributed]

 For some reason, it only saw 500k prefixes today (I'm assuming the provider 
 is doing some aggregation before sending the full table?).
 I had to put some filtering in place and then re-enabled CEF. IOS-XE 
 version is 3.07.01.S.152-4.S1

 We have the exact same setup in another location (with different ISPs). The 
 only difference is the IOS-XE version: 3.06.00.S.152-2.S. I saw one of these 
 exceed 500k and there were no error messages whatsoever.



 On Mon, Aug 11, 2014 at 9:35 PM, Rich Lewis rle...@sis.tv wrote:
 Those memory figures below are from an ASR1001 running IOS-XE 03.09.00.S / 
 15.3(2)S.

 What was the image that you ran into memory issues with? Just so I 
 know to avoid it! :-)


 -Original Message-
 From: Gustav UHLANDER [mailto:gustav.ulan...@steria.se]
 Sent: 09 August 2014 23:33

 Yea that depends on sw version.
 We ran into the issue when upgrading to a newer image on routers 
 that receive full feeds from upstream.
 Sent it to tac and they said it was memory issue.

 Sent with OWA for iPad
 
 From: cisco-nsp cisco-nsp-boun...@puck.nether.net on behalf of Rich Lewis 
 rle...@sis.tv
 Sent: August 6, 2014 21:30:55


 FWIW, we have full tables on an ASR1001 with 4GB RAM, and with 
 add-path
 enabled:

 503890 network entries using 124964720 bytes of memory
 982424 path entries using 110031488 bytes of memory
 BGP using 281251490 total bytes of memory

 I guess it depends what else you're doing, but 4GB would seem ample 
 on the face of it.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR1001 RAM

2014-08-12 Thread Antonio Soares
Can you share these outputs from both routers ?

show cef fib
show cef table


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gabriel
Sent: Tuesday, August 12, 2014 14:36
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR1001 RAM

Hi,

we have 2 ASR1001 in one location. They each receive a full table from 
different providers and have an iBGP session between them. One of them 
generated this message today:

*Aug 11 23:11:16.983: %FIB-2-FIBDOWN: CEF has been disabled due to a low memory 
condition. It can be re-enabled by configuring ip cef [distributed]

For some reason, it only saw 500k prefixes today (I'm assuming the provider is 
doing some aggregation before sending the full table?).
I had to put some filtering in place and then re-enabled CEF. IOS-XE version is 
3.07.01.S.152-4.S1

We have the exact same setup in another location (with different ISPs). The 
only difference is the IOS-XE version: 3.06.00.S.152-2.S. I saw one of these 
exceed 500k and there were no error messages whatsoever.



On Mon, Aug 11, 2014 at 9:35 PM, Rich Lewis rle...@sis.tv wrote:
 Those memory figures below are from an ASR1001 running IOS-XE 03.09.00.S / 
 15.3(2)S.

 What was the image that you ran into memory issues with? Just so I 
 know to avoid it! :-)


 -Original Message-
 From: Gustav UHLANDER [mailto:gustav.ulan...@steria.se]
 Sent: 09 August 2014 23:33

 Yea that depends on sw version.
 We ran into the issue when upgrading to a newer image on routers that 
 receive full feeds from upstream.
 Sent it to tac and they said it was memory issue.

 Sent with OWA for iPad
 
 From: cisco-nsp cisco-nsp-boun...@puck.nether.net on behalf of Rich Lewis 
 rle...@sis.tv
 Sent: August 6, 2014 21:30:55


 FWIW, we have full tables on an ASR1001 with 4GB RAM, and with 
 add-path
 enabled:

 503890 network entries using 124964720 bytes of memory
 982424 path entries using 110031488 bytes of memory
 BGP using 281251490 total bytes of memory

 I guess it depends what else you're doing, but 4GB would seem ample 
 on the face of it.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

2014-08-07 Thread Antonio Soares
When you changed the settings, you rebooted the whole box, right ?

Check this:

https://supportforums.cisco.com/discussion/1156/cisco-7609-rsp720-3cxl-ge-mls-cef-maximum-routes



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: Rod James Bio [mailto:rju...@gmail.com] 
Sent: Thursday, August 7, 2014 03:18
To: Mack McBride; Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

On my OP, I mentioned that I have two supervising engine on SSO mode which
is:
   15  Route Switch Processor 720 10GE (Activ RSP720-3CXL-10GE
   25  Route Switch Processor 720 10GE (Hot)  RSP720-3CXL-10GE

Though, the second one was added much later. I was running
c7600rsp72043-adventerprisek9-mz.153-1.S1.bin before but now I updated it to
c7600rsp72043-adventerprisek9-mz.153-3.S3.bin.

Running sh mls cef max, I see:
#sh mls cef maximum-routes
FIB TCAM maximum routes :
===
Current :-
---
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)

User configured :-
---
  IPv4- 768k
  MPLS- 24k
  IPv6 + IP Multicast - 112k (default)

Upon reboot :-
---
  IPv4- 768k
  MPLS- 24k
  IPv6 + IP Multicast - 112k (default)


BUT remote command switch show mls cef max, I see:
FIB TCAM maximum routes :
===
Current :-
---
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)

Could this mean that the two sups are not sync? Here is the output of show
redundancy states:

#sh redundancy states
my state = 13 -ACTIVE
  peer state = 8  -STANDBY HOT
Mode = Duplex
Unit = Primary
 Unit ID = 1

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured)  = sso
Redundancy State  = sso
  Maintenance Mode = Disabled
  Communications = Up

client count = 169
  client_notification_TMR = 3 milliseconds
   keep_alive TMR = 9000 milliseconds
 keep_alive count = 1
 keep_alive threshold = 18
RF debug mask = 0x0


Regards,

On 8/6/14, 23:51, Mack McBride wrote:
 This is a silly question but do you have dual sups?
 That could be causing the issue.

 Also what code revision are you running?
 Finally, what line cards are installed?
 The message you are getting indicates the config is not working For 
 whatever reason, one of the reasons could be line card incompatibility.

 A show module should list the line cards.

 Also once you configure the routes on the supervisor and save the 
 config Execute the following command:

 remote command switch show mls cef max

 That will determine if the max routes command is getting properly 
 Pushed to the switch processor.

 And a side note multicast and ipv6 both use two entries.
 The other poster that said you were 28 short was incorrect.
 Those settings should have worked.

 Mack McBride | Network Architect | ViaWest, Inc.
 O: 720.891.2502 | mack.mcbr...@viawest.com | www.viawest.com | 
 LinkedIn | Twitter | YouTube



 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Rod James Bio
 Sent: Tuesday, August 05, 2014 1:38 PM
 To: Antonio Soares; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 Hmm I somewhat tried that with these,

 sh mls cef maximum-routes
 FIB TCAM maximum routes :
 ===
 Current :-
 ---
IPv4 + MPLS - 512k (default)
IPv6 + IP Multicast - 256k (default)

 User configured :-
 ---
IPv4- 768k
MPLS- 16k
IPv6 + IP Multicast - 120k (default)

 Upon reboot :-
 ---
IPv4- 768k
MPLS- 16k
IPv6 + IP Multicast - 120k (default)

 but still no dice. IOS bug?

 Regards,

 On 8/6/14, 3:27, Antonio Soares wrote:
 Maybe IPv6 and IP Multicast must share the same region of the TCAM.

 Just try to remove all the mls cef maximum-routes commands then 
 just add this one:

 mls cef maximum-routes ip 768




 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: Rod James Bio [mailto:rju...@gmail.com]
 Sent: Tuesday, August 5, 2014 19:41
 To: Antonio Soares; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 This is what I tried,

 #sh mls cef maximum-routes
 FIB TCAM maximum routes :
 ===
 Current :-
 ---
 IPv4 + MPLS - 512k (default)
 IPv6 + IP Multicast - 256k (default)

 User configured :-
 ---
 IPv4 + MPLS - 768k (default)
 IPv6- 100k
 IP Multicast- 28k

 After a wr mem and reboot this is what I got:
 *Aug  6 02:15:46.975 PHT: %MLSCEF

Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

2014-08-06 Thread Antonio Soares
Those settings work on a SUP720-3BXL:


Router#sh mls cef maximum-routes 
FIB TCAM maximum routes :
===
Current :-
---
 IPv4                - 768k 
 MPLS                - 16k (default)
 IPv6 + IP Multicast - 120k (default)

Router#


In your case, it's strange we don't see the MPLS value marked as default.
Are you sure you removed the mls cef maximum-routes for MPLS ? You should
have only one line:

Router#sh run | inc mls cef max
mls cef maximum-routes ip 768
Router#


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: Rod James Bio [mailto:rju...@gmail.com] 
Sent: Tuesday, August 5, 2014 20:38
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

Hmm I somewhat tried that with these,

sh mls cef maximum-routes
FIB TCAM maximum routes :
===
Current :-
---
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)

User configured :-
---
  IPv4- 768k
  MPLS- 16k
  IPv6 + IP Multicast - 120k (default)

Upon reboot :-
---
  IPv4- 768k
  MPLS- 16k
  IPv6 + IP Multicast - 120k (default)

but still no dice. IOS bug?

Regards,

On 8/6/14, 3:27, Antonio Soares wrote:
 Maybe IPv6 and IP Multicast must share the same region of the TCAM.

 Just try to remove all the mls cef maximum-routes commands then just 
 add this one:

 mls cef maximum-routes ip 768




 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: Rod James Bio [mailto:rju...@gmail.com]
 Sent: Tuesday, August 5, 2014 19:41
 To: Antonio Soares; cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 This is what I tried,

 #sh mls cef maximum-routes
 FIB TCAM maximum routes :
 ===
 Current :-
 ---
IPv4 + MPLS - 512k (default)
IPv6 + IP Multicast - 256k (default)

 User configured :-
 ---
IPv4 + MPLS - 768k (default)
IPv6- 100k
IP Multicast- 28k

 After a wr mem and reboot this is what I got:
 *Aug  6 02:15:46.975 PHT: %MLSCEF-SP-1-MAX_ROUTE_MISMATCH: Maximum 
 routes config mismatch. Reconfigure the maximum routes values and reload
the box.

 As you will see the max routes adds to 1024k but still It resets to 
 the default values.

 Regards,

 On 8/6/14, 1:28, Antonio Soares wrote:
 As already mentioned, the sum should be 1024k, for example, I have 
 this on a
 SUP720-3BXL:

 
 sup720-3bxl#show mls cef maximum-routes FIB TCAM maximum routes :
 ===
 Current :-
 ---
IPv4- 1007k
MPLS- 1k (default)
IPv6 + IP Multicast - 8k (default)
 


 1007+1+(2x8) = 1024


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of
 Rod
 James Bio
 Sent: Tuesday, August 5, 2014 16:13
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 I read before the link you sent.

 BTW, Here is the output of sh mls cef max:

 #sh mls cef maximum-routes
 FIB TCAM maximum routes :
 ===
 Current :-
 ---
 IPv4 + MPLS - 512k (default)
 IPv6 + IP Multicast - 256k (default)

 User configured :-
 ---
 IPv4- 600k
 MPLS- 10k
 IPv6- 100k
 IP Multicast- 28k

 Upon reboot :-
 IPv4- 600k
 MPLS- 10k
 IPv6- 100k
 IP Multicast- 28k

 Regards,

 On 8/5/14, 22:15, Antonio Soares wrote:
 Check this document, maybe it can help you:

 http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

 Can you share the show mls cef max output ?



 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Rod James Bio
 Sent: Tuesday, August 5, 2014 12:03
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 Hi, I'd like to ask anyone in the group who owns cisco 7600 if they 
 had experience when they adjusted the allocation to increase the 
 maximum routes for ipv4 etc. We are near the 512K ipv4 limit (~509K) 
 for the
 7600 (default size) and I tried adjusting the tcam allocation by
running:

 mls cef maximum

Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

2014-08-05 Thread Antonio Soares
Check this document, maybe it can help you:

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

Can you share the show mls cef max output ?



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rod
James Bio
Sent: Tuesday, August 5, 2014 12:03
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

Hi, I'd like to ask anyone in the group who owns cisco 7600 if they had
experience when they adjusted the allocation to increase the maximum routes
for ipv4 etc. We are near the 512K ipv4 limit (~509K) for the
7600 (default size) and I tried adjusting the tcam allocation by running:

mls cef maximum-routes ip 750
mls cef maximum-routes ipv6 100
mls cef maximum-routes mpls 10
mls cef maximum-routes ip-multicast 28

But after rebooting the whole box I got an error, Maximum routes config
mismatch. reconfigure the maximum routes values and reload the box (Sorry
this is all I copied from the console) and the tcam was back to the default
values.

I have a dual RSP720-3CXL-10GE sups on sso mode and
c7600rsp72043-adventerprisek9-mz.153-1.S1.bin if those info help.

Thanks,

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

2014-08-05 Thread Antonio Soares
As already mentioned, the sum should be 1024k, for example, I have this on a
SUP720-3BXL:


sup720-3bxl#show mls cef maximum-routes
FIB TCAM maximum routes :
===
Current :-
---
 IPv4                - 1007k 
 MPLS                - 1k (default)
 IPv6 + IP Multicast - 8k (default)



1007+1+(2x8) = 1024


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Rod
James Bio
Sent: Tuesday, August 5, 2014 16:13
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

I read before the link you sent.

BTW, Here is the output of sh mls cef max:

#sh mls cef maximum-routes
FIB TCAM maximum routes :
===
Current :-
---
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)

User configured :-
---
  IPv4- 600k
  MPLS- 10k
  IPv6- 100k
  IP Multicast- 28k

Upon reboot :-
  IPv4- 600k
  MPLS- 10k
  IPv6- 100k
  IP Multicast- 28k

Regards,

On 8/5/14, 22:15, Antonio Soares wrote:
 Check this document, maybe it can help you:

 http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

 Can you share the show mls cef max output ?



 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Rod James Bio
 Sent: Tuesday, August 5, 2014 12:03
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 Hi, I'd like to ask anyone in the group who owns cisco 7600 if they 
 had experience when they adjusted the allocation to increase the 
 maximum routes for ipv4 etc. We are near the 512K ipv4 limit (~509K) 
 for the
 7600 (default size) and I tried adjusting the tcam allocation by running:

 mls cef maximum-routes ip 750
 mls cef maximum-routes ipv6 100
 mls cef maximum-routes mpls 10
 mls cef maximum-routes ip-multicast 28

 But after rebooting the whole box I got an error, Maximum routes 
 config mismatch. reconfigure the maximum routes values and reload the 
 box (Sorry this is all I copied from the console) and the tcam was 
 back to the default values.

 I have a dual RSP720-3CXL-10GE sups on sso mode and 
 c7600rsp72043-adventerprisek9-mz.153-1.S1.bin if those info help.

 Thanks,


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

2014-08-05 Thread Antonio Soares
Maybe IPv6 and IP Multicast must share the same region of the TCAM.

Just try to remove all the mls cef maximum-routes commands then just add
this one:

mls cef maximum-routes ip 768




Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Rod James Bio [mailto:rju...@gmail.com] 
Sent: terça-feira, 5 de Agosto de 2014 19:41
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

This is what I tried,

#sh mls cef maximum-routes
FIB TCAM maximum routes :
===
Current :-
---
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)

User configured :-
---
  IPv4 + MPLS - 768k (default)
  IPv6- 100k
  IP Multicast- 28k

After a wr mem and reboot this is what I got:
*Aug  6 02:15:46.975 PHT: %MLSCEF-SP-1-MAX_ROUTE_MISMATCH: Maximum routes
config mismatch. Reconfigure the maximum routes values and reload the box.

As you will see the max routes adds to 1024k but still It resets to the
default values.

Regards,

On 8/6/14, 1:28, Antonio Soares wrote:
 As already mentioned, the sum should be 1024k, for example, I have 
 this on a
 SUP720-3BXL:

 
 sup720-3bxl#show mls cef maximum-routes
 FIB TCAM maximum routes :
 ===
 Current :-
 ---
   IPv4- 1007k
   MPLS- 1k (default)
   IPv6 + IP Multicast - 8k (default)
 


 1007+1+(2x8) = 1024


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Rod
 James Bio
 Sent: terça-feira, 5 de Agosto de 2014 16:13
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 I read before the link you sent.

 BTW, Here is the output of sh mls cef max:

 #sh mls cef maximum-routes
 FIB TCAM maximum routes :
 ===
 Current :-
 ---
IPv4 + MPLS - 512k (default)
IPv6 + IP Multicast - 256k (default)

 User configured :-
 ---
IPv4- 600k
MPLS- 10k
IPv6- 100k
IP Multicast- 28k

 Upon reboot :-
IPv4- 600k
MPLS- 10k
IPv6- 100k
IP Multicast- 28k

 Regards,

 On 8/5/14, 22:15, Antonio Soares wrote:
 Check this document, maybe it can help you:

 http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

 Can you share the show mls cef max output ?



 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
 Of Rod James Bio
 Sent: terça-feira, 5 de Agosto de 2014 12:03
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Adjusting TCAM allocation weird behavior on 7600

 Hi, I'd like to ask anyone in the group who owns cisco 7600 if they
 had experience when they adjusted the allocation to increase the
 maximum routes for ipv4 etc. We are near the 512K ipv4 limit (~509K)
 for the
 7600 (default size) and I tried adjusting the tcam allocation by running:

 mls cef maximum-routes ip 750
 mls cef maximum-routes ipv6 100
 mls cef maximum-routes mpls 10
 mls cef maximum-routes ip-multicast 28

 But after rebooting the whole box I got an error, Maximum routes
 config mismatch. reconfigure the maximum routes values and reload the
 box (Sorry this is all I copied from the console) and the tcam was
 back to the default values.

 I have a dual RSP720-3CXL-10GE sups on sso mode and
 c7600rsp72043-adventerprisek9-mz.153-1.S1.bin if those info help.

 Thanks,



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
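The arithmetic used in this thread (1007+1+(2x8) = 1024), applied to the outputs and commands quoted above. This is an added example, not part of the original posts; the function names are the example's own, and the 1024k total and the factor 2 for IPv6 and IP multicast are taken from the thread rather than from platform documentation.

```python
import re

TOTAL_K = 1024  # FIB TCAM size in k entries, as stated in the thread

# Entries consumed per route. The factor 2 for IPv6 and IP multicast comes from
# the thread's own arithmetic: 1007 + 1 + (2 x 8) = 1024.
WEIGHT = {"ipv4": 1, "mpls": 1, "ipv6": 2, "ip multicast": 2}
CLI_KEYWORD = {"ip": "ipv4", "mpls": "mpls", "ipv6": "ipv6",
               "ip-multicast": "ip multicast"}

SECTION = re.compile(r"^\s*(Current|User configured|Upon reboot)\s*:-", re.I)
ROW = re.compile(r"^\s*(?P<name>[A-Za-z0-9 +]+?)\s*-\s*(?P<size>\d+)k\b")
CONFIG = re.compile(r"^\s*mls cef maximum-routes (?P<kw>[a-z0-9-]+) (?P<size>\d+)\s*$")

# Outputs and commands quoted in the thread, whitespace normalised.
SHOW_3BXL = """\
Current :-
 IPv4- 1007k
 MPLS- 1k (default)
 IPv6 + IP Multicast - 8k (default)
"""
SHOW_FIRST_TRY = """\
Current :-
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)
User configured :-
  IPv4- 600k
  MPLS- 10k
  IPv6- 100k
  IP Multicast- 28k
"""
SHOW_SECOND_TRY = """\
Current :-
  IPv4 + MPLS - 512k (default)
  IPv6 + IP Multicast - 256k (default)
User configured :-
  IPv4 + MPLS - 768k (default)
  IPv6- 100k
  IP Multicast- 28k
"""
CONFIG_FIRST_POST = """\
mls cef maximum-routes ip 750
mls cef maximum-routes ipv6 100
mls cef maximum-routes mpls 10
mls cef maximum-routes ip-multicast 28
"""


def region_weight(name):
    """Entries per route for a region such as 'IPv4 + MPLS'; members must agree."""
    weights = {WEIGHT[part.strip().lower()] for part in name.split("+")}
    if len(weights) != 1:
        raise ValueError(f"mixed entry widths in shared region: {name!r}")
    return weights.pop()


def parse_show_output(text):
    """Return {section: [(region, size_k), ...]} from 'show mls cef maximum-routes'."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            current = header.group(1).lower()
            sections[current] = []
            continue
        row = ROW.match(line)
        if row and current is not None:
            sections[current].append((row.group("name"), int(row.group("size"))))
    return sections


def tcam_units(rows):
    """Weighted TCAM usage in k entries for one section."""
    return sum(size * region_weight(name) for name, size in rows)


def audit_show_output(text, total_k=TOTAL_K):
    """Return {section: (weighted_units_k, matches_total)}."""
    result = {}
    for section, rows in parse_show_output(text).items():
        units = tcam_units(rows)
        result[section] = (units, units == total_k)
    return result


def units_from_config(config_text):
    """Weighted usage of the 'mls cef maximum-routes' lines present in a config.
    Protocols with no line keep their defaults and are not counted here."""
    units = 0
    for line in config_text.splitlines():
        m = CONFIG.match(line)
        if m:
            units += int(m.group("size")) * WEIGHT[CLI_KEYWORD[m.group("kw")]]
    return units


if __name__ == "__main__":
    for label, text in (("3BXL", SHOW_3BXL), ("first try", SHOW_FIRST_TRY),
                        ("second try", SHOW_SECOND_TRY)):
        print(label, audit_show_output(text))
    print("first post config:", units_from_config(CONFIG_FIRST_POST), "k")
```

The 768k layout passes this check and was still rejected at reload in the thread, so a matching sum is a pre-check, not proof that the supervisor will accept the allocation.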


Re: [c-nsp] Divide large PVST domain?

2014-07-08 Thread Antonio Soares
MST is the way to go. It was designed with that in mind. Check this:

http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html

You just need to be careful because there are two MST flavors running on
cisco switches: pre-standard and standard.



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Victor Sudakov
Sent: terça-feira, 8 de Julho de 2014 10:09
To: cisco-nsp
Subject: [c-nsp] Divide large PVST domain?

Colleagues,

I have a train of about 20 C3560X switches connected successively. 
I know such a diameter is not good for STP, however, when I place the root
bridge in the middle of the train, PVST still works more or less reliably.

However, if I wanted to divide this single STP domain into several smaller
ones, which way is best?

I can define three geographical areas between which no loop is physically
possible and which cannot have any redundant links between one another.

Should I just configure a bpdufilter on the border switches to separate the
areas, or is there a smarter way, maybe going for MST instead of PVST?

Thanks in advance for any input.


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Divide large PVST domain?

2014-07-08 Thread Antonio Soares
Check this article:

http://slaptijack.com/networking/max-spanning-tree-stp-diameter/


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Victor Sudakov
Sent: Tuesday, July 08, 2014 12:40 PM
To: Antonio Soares
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] Divide large PVST domain?

Antonio Soares wrote:
  
  I have a train of about 20 C3560X switches connected successively. 
  I know such a diameter is not good for STP, however, when I place 
  the root bridge in the middle of the train, PVST still works more or
less reliably.
  
  However, if I wanted to divide this single STP domain into several 
  smaller ones, which way is best?
  
  I can define three geographical areas between which no loop is 
  physically possible and which cannot have any redundant links 
  between
one another.
  
  Should I just configure a bpdufilter on the border switches to 
  separate the areas, or is there a smarter way, maybe going for MST
instead of PVST?

 MST is the way to go. It was designed with that in mind. Check this:
 
 http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24248-147.html

Cisco recommends that you place as many switches as possible into a single
region; it is not advantageous to segment a network into separate regions

I wonder if MST has any limits on the network diameter.


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Cisco's Commitment to Customers

2014-06-30 Thread Antonio Soares
You need to have spares before doing any major changes to your network. 
Virtually all Cisco Products are affected by this issue:

http://www.cisco.com/web/about/doing_business/memory.html#~field

The problem is that if you order via RMA several similar parts, you may get 
this:

As we do not normally support proactive RMA, we are contacting our planning 
team for further instruction

Then they will tell you Fix on Failure.

Not easy to handle...



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jon 
Lewis
Sent: segunda-feira, 30 de Junho de 2014 15:12
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco's Commitment to Customers

I'm currently dealing with TAC on the failure of a WS-6708 that I believe is 
connected with the defective memory component issue talked about here:

http://blogs.cisco.com/news/ciscos-commitment-to-customers/

i.e. it was working fine...the router was rebooted, after which, the card no 
longer passes boot-up diagnostics.

This passage:

  Despite many of these products being out of warranty, Cisco has decided
  to take a charge of $655m related to the expected cost of managing these
  issues. We are taking this action to support our customers and partners.
  This charge was excluded from our non-GAAP financials, as we do not
  believe it is reflective of ongoing business and operating results.

implies to me that Cisco plans to replace such cards regardless of smartnet 
coverage.  I thought I was about to get a replacement shipped out when the TAC 
rep sent this:

  I couldn't find any valid contract for RMA based on serial number of
  module 8, can you please provide contract number for the RMA so that I
  can proceed further.

So, what's the real deal with these time-bomb cards?  Will cisco replace them 
as they fail, or only if they're covered by a current smartnet contract?  If 
the latter, what was the point of the blog post?

In the comments and responses to comments, Curtis has been evasive when asked 
what cisco will do for people with affected products and no smartnet coverage.

I've got a number of 6500s that need reloads to change the v4/v6 routing split, 
and after seeing a 6708 fail in each of the last two 6500s I've reloaded, I'm 
not feeling really good about proceeding.

--
  Jon Lewis, MCP :)   |  I route
  |  therefore you are _ 
http://www.lewis.org/~jlewis/pgp for PGP public key_ 


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Sup720 (6k/7600) FIB_EXCEPTION_THRESHOLD warnings

2014-06-09 Thread Antonio Soares
Hello Pete,

Two topics that could be added to the article:

- recommendations when receiving 1 full ipv4 + 1 full ipv6 BGP feeds
- issues if using ebgp multipath


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pete
Lumbis
Sent: segunda-feira, 9 de Junho de 2014 19:38
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Sup720 (6k/7600) FIB_EXCEPTION_THRESHOLD warnings

If you have a Sup720 pulling a full BGP feed you've probably seen error
messages like this:



*%MLSCEF-SP-4-FIB_EXCEPTION_THRESHOLD: Hardware CEF entry usage is at 95%
capacity for IPv4 unicast protocol*


A document was just published on Cisco.com describing the issue and how to
correct it.

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

Regards,
Pete

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] C6K_MPLS_LC-SP-5-TCAM_EXCEPTION: TCAM exception occured for MPLS, traffic will be software switched

2014-06-04 Thread Antonio Soares
Usually it doesn't recover by itself... Check the FIB TCAM Exception
section:

https://supportforums.cisco.com/document/59926/troubleshooting-high-cpu-6500-sup720

I had the same kind of problem (3BXL, SXI) a few days ago but with IPv6:

---
%CONST_V6-SP-5-FIB_EXCEP_ON: Failed to insert an IPv6 prefix in hardware FIB
TCAM
---
#sh mls cef exception status
Current IPv4 FIB exception state = FALSE
Current IPv6 FIB exception state = TRUE
Current MPLS FIB exception state = FALSE
---
#sh mls cef max
FIB TCAM maximum routes :
===
Current :-
---
 IPv4- 1007k
 MPLS- 1k (default)
 IPv6 + IP Multicast - 8k (default)
---

By the way, what values are you guys using with 1xfull BGP ipv4 + 1xfull BGP
ipv6 feeds ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tim
Durack
Sent: quarta-feira, 4 de Junho de 2014 15:59
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] C6K_MPLS_LC-SP-5-TCAM_EXCEPTION: TCAM exception occured for
MPLS, traffic will be software switched

C6K, VS-S720-10G-3CXL, 15.1(SY), someone blew up the FIB. Last time I was
involved in such an experiment, reload was the only recovery.

Logs claim the exception has been cleared.

Jun  3 22:59:26.790 UTC: %MLSCEF-SP-4-FIB_EXCEPTION_THRESHOLD: Hardware CEF
entry usage is at 95% capacity for MPLS protocol.

Jun  3 23:00:02.414 UTC: %C6K_MPLS_LC-SP-5-TCAM_EXCEPTION: TCAM exception
occured for MPLS, traffic will be software switched

Jun  3 23:15:02.712 UTC: %C6K_MPLS_LC-SP-5-TCAMEXPRECOVER: TCAM exception
recovered for MPLS, traffic will be hardware switched


Sup says the same:


RTR-1#show mls cef exception status

Current IPv4 FIB exception state = FALSE

Current IPv6 FIB exception state = FALSE

Current MPLS FIB exception state = FALSE


Not sure that I believe this.


(Config is Internet in a L3VPN vrf, default from transit, full routes from
peering.)


Thoughts?


Tim:


--
Tim:

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
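The log sequence quoted in this thread, run through a small per-protocol tracker that reports how long traffic was software switched and which protocols are still in exception. This is an added example, not part of the original posts; the state names and the timestamp on the IPv6 line are assumptions of the example, while the message texts are the ones quoted above.

```python
import re
from datetime import datetime

# Syslog lines quoted in the thread, rejoined onto single lines. The IPv6 line
# was posted without a timestamp; the one used here is constructed.
LOG = [
    "Jun  1 10:00:00.000 UTC: %CONST_V6-SP-5-FIB_EXCEP_ON: Failed to insert an IPv6 prefix in hardware FIB TCAM",
    "Jun  3 22:59:26.790 UTC: %MLSCEF-SP-4-FIB_EXCEPTION_THRESHOLD: Hardware CEF entry usage is at 95% capacity for MPLS protocol.",
    "Jun  3 23:00:02.414 UTC: %C6K_MPLS_LC-SP-5-TCAM_EXCEPTION: TCAM exception occured for MPLS, traffic will be software switched",
    "Jun  3 23:15:02.712 UTC: %C6K_MPLS_LC-SP-5-TCAMEXPRECOVER: TCAM exception recovered for MPLS, traffic will be hardware switched",
    "*Aug  6 02:15:46.975 PHT: %MLSCEF-SP-1-MAX_ROUTE_MISMATCH: Maximum routes config mismatch. Reconfigure the maximum routes values and reload the box.",
]

LINE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: "
    r"%(?P<facility>[A-Z0-9_]+(?:-[A-Z0-9]+)?)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
PROTO = re.compile(r"\b(IPv4|IPv6|MPLS)\b")

# Mnemonics seen in the thread, mapped to the tracker's own event names.
EVENTS = {
    "FIB_EXCEPTION_THRESHOLD": "threshold",
    "TCAM_EXCEPTION": "exception",
    "FIB_EXCEP_ON": "exception",
    "TCAMEXPRECOVER": "recovered",
}


def track(lines):
    """Return {protocol: {'state', 'warned_at', 'since', 'windows'}}.

    'windows' holds (start, end, seconds) for each closed software-switching
    period; 'since' is set while an exception is still open.
    """
    state = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or m.group("mnemonic") not in EVENTS:
            continue  # unrelated message, e.g. MAX_ROUTE_MISMATCH
        proto = PROTO.search(m.group("text"))
        if not proto:
            continue
        # No year in the log; strptime defaults to 1900, fine for durations.
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        entry = state.setdefault(
            proto.group(1),
            {"state": "ok", "warned_at": None, "since": None, "windows": []},
        )
        event = EVENTS[m.group("mnemonic")]
        if event == "threshold":
            entry["warned_at"] = when
            if entry["state"] == "ok":
                entry["state"] = "near-capacity"
        elif event == "exception":
            if entry["since"] is None:
                entry["since"] = when
            entry["state"] = "software-switched"
        elif event == "recovered" and entry["since"] is not None:
            seconds = (when - entry["since"]).total_seconds()
            entry["windows"].append((entry["since"], when, seconds))
            entry["since"] = None
            # The log claims recovery; the thread still checks the device with
            # 'show mls cef exception status', so the state says "verify".
            entry["state"] = "recovered-verify"
    return state


def open_exceptions(state):
    """Protocols with an exception that no recovery message has closed."""
    return sorted(p for p, e in state.items() if e["since"] is not None)


if __name__ == "__main__":
    result = track(LOG)
    for proto, entry in sorted(result.items()):
        spans = [f"{s:.3f}s" for _, _, s in entry["windows"]]
        print(proto, entry["state"], spans)
    print("still in exception:", open_exceptions(result))
```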


Re: [c-nsp] ifIndex-table

2014-05-20 Thread Antonio Soares
It works. Procedure:

Old SUP:

#copy nvram:ifIndex-table disk0:

New SUP:

#delete nvram:ifIndex-table

#copy disk0:ifIndex-table nvram:

#reload


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Antonio Soares
Sent: segunda-feira, 19 de Maio de 2014 22:45
To: 'Sigurbjörn Birkir Lárusson'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ifIndex-table

Thanks for the feedback. That's a good option. But I will try to move the
file from the old SUP to the new SUP to see what happens. I will update the
list with my findings.

Someone asked the same thing a few years ago:

http://www.gossamer-threads.com/lists/cisco/nsp/99968

In fact, in a situation where you only have one SUP and it gets faulty, the
procedure I mentioned would be perfect.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Sigurbjörn Birkir Lárusson [mailto:sigurbjo...@vodafone.is]
Sent: segunda-feira, 19 de Maio de 2014 17:10
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ifIndex-table

If you have a spare 720, you should be able to boot the spare perform a
switch to the spare-sup, replace the main one, and switch back.  That way
you should keep the box running with all configuration and the indexes

Kind regards,
Sibbi

On 19.5.2014 15:56, Antonio Soares amsoa...@netcabo.pt wrote:

Hello guys,

I need to replace a few SUP720s. In order to keep the same interfaces 
indexes, the only way I see to achieve that easily is moving the 
nvram:ifIndex-table from the old SUP to the new SUP. Does it work ?

This document says that the file can be downloaded and viewed:

http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/28420-ifIndex-Persistence.html

But nothing about moving it to a new SUP/Router.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Nexus 7000 and OTV

2014-05-20 Thread Antonio Soares
No issues with OTV on a stick:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/DCI/whitepaper/DCI3_OTV_Intro/DCI_1.html#wp1215970


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Blake Pfankuch - Mailing List
Sent: terça-feira, 20 de Maio de 2014 20:32
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Nexus 7000 and OTV

Looking to deploy OTV between 2 datacenters on some Nexus 7000 equipment.
Anyone have any experience with this?  Any feedback would be appreciated,
good or bad.

Thanks,
Blake


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] ifIndex-table

2014-05-19 Thread Antonio Soares
Hello guys,

I need to replace a few SUP720s. In order to keep the same interfaces
indexes, the only way I see to achieve that easily is moving the
nvram:ifIndex-table from the old SUP to the new SUP. Does it work ?

This document says that the file can be downloaded and viewed:

http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/28420-ifIndex-Persistence.html

But nothing about moving it to a new SUP/Router.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ifIndex-table

2014-05-19 Thread Antonio Soares
Thanks for the feedback. That's a good option. But I will try to move the
file from the old SUP to the new SUP to see what happens. I will update the
list with my findings.

Someone asked the same thing a few years ago:

http://www.gossamer-threads.com/lists/cisco/nsp/99968

In fact, in a situation where you only have one SUP and it gets faulty, the
procedure I mentioned would be perfect.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Sigurbjörn Birkir Lárusson [mailto:sigurbjo...@vodafone.is] 
Sent: segunda-feira, 19 de Maio de 2014 17:10
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ifIndex-table

If you have a spare 720, you should be able to boot the spare perform a
switch to the spare-sup, replace the main one, and switch back.  That way
you should keep the box running with all configuration and the indexes

Kind regards,
Sibbi

On 19.5.2014 15:56, Antonio Soares amsoa...@netcabo.pt wrote:

Hello guys,

I need to replace a few SUP720s. In order to keep the same interfaces 
indexes, the only way I see to achieve that easily is moving the 
nvram:ifIndex-table from the old SUP to the new SUP. Does it work ?

This document says that the file can be downloaded and viewed:

http://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/28420-ifIndex-Persistence.html

But nothing about moving it to a new SUP/Router.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net





___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] BFD bypassing CoPP on 6500

2014-05-05 Thread Antonio Soares
Did you find anything else in the meanwhile ? What you found is potentially 
catastrophic...


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Robert 
Williams
Sent: domingo, 4 de Maio de 2014 17:20
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] BFD bypassing CoPP on 6500

Hi,

I can’t seem to find any relevant documentation on this so I’m hoping someone 
may know. I’ve identified that BFD traffic appears to bypass the CoPP in some 
respects (platform is 6500/Sup720/15.1SY).

The relevant test config is:

class-map match-any CoPP-bfd
  match access-group name V4-CoPP-bfd

ip access-list extended V4-CoPP-bfd
 permit udp 10.10.0.0 0.0.255.255 gt 49151 any eq 3784
 permit udp 10.10.0.0 0.0.255.255 gt 49151 any eq 3785

within control-plane policy
  class CoPP-bfd
   police 32000 10 10   conform-action transmit   exceed-action drop

So for example, if you send 50mbit/s of BFD traffic to it, then the output of 
“show policy-map control-plane input class CoPP-bfd” correctly shows that there 
is 50mbit/s of traffic being matched (in hardware) and that only 32,000bps of 
it is being forwarded. All looks fine, however, the CPU grinds to a halt, even 
though the exceed-action is set to ‘drop’ so nothing more than a tiny 32,000 
should get through. I’ve confirmed it is indeed all getting through as you can 
see it in a CPU span session.

Also, the class-default in the control-plane policy is set to conform-action 
drop as well. So how is it even getting through?

Interestingly, if you set the conform-action to drop on class CoPP-bfd then it 
still hits 100% CPU. Although strangely if you _do_ set CoPP-bfd to 
conform-drop then also the genuine BFD ‘real’ sessions suddenly stop working. 
So the ‘drop’ feature does have some impact still, somehow…

This is in a lab setup with little else running on the boxes and I’m able to 
test anything if anyone has any ideas why this is occurring.

#remote command switch show tcam interface vlan 1013 qos type2 ip

* Global Defaults shared

--
QOS Results:
A - Aggregate Policing   F - Microflow Policing
M - Mark T - Trust
U - Untrust
--
MAUudp 10.10.0.0 0.0.255.255 gt 49151 any eq 3784
MAUudp 10.10.0.0 0.0.255.255 gt 49151 any eq 3785


#remote command switch show tcam interface vlan 1013 qos type2 ip detail

Interface: 1013   label: 3   lookup_type: 2
protocol: IP   packet-type: 0

+-+-+---+---+---+---+---+---++-+---+--+---+---+
|T|Index|  Dest Ip Addr | Source Ip Addr| DPort | SPort | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-+---+---+---+---+---+---++-+---+--+---+---+
V 35925 0.0.0.0   10.10.0.0   P=3784  P49151--  17  1   0 -- --- 0-0  -
M 35927 0.0.0.0 255.255.0.0 65535-- 255 --X- 1   0 -
R rslt: 503   -

V 35926 0.0.0.0   10.10.0.0   P=3785  P49151--  17  1   0 -- --- 0-0  -
M 35927 0.0.0.0 255.255.0.0 65535-- 255 --X- 1   0 -
R rslt: 503   -


Since it’s just UDP on a certain port I don’t see how/why this would be treated 
any differently from any other type of traffic going to the CPU. I know there 
are various restrictions and limitations (like ARP, IP Options etc.) but this 
is nothing ‘special’ – just UDP traffic - or at least I thought so?

So what am I missing here? Cheers!

Robert Williams
Custodian Data Centre
Email: rob...@custodiandc.com
http://www.CustodianDC.com


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] BFD bypassing CoPP on 6500

2014-05-05 Thread Antonio Soares
I can try it on our lab.

I need the exact IOS version and the module/submodule used as input interface.

Also, the method to simulate the high levels of BFD traffic.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Robert Williams [mailto:rob...@custodiandc.com] 
Sent: segunda-feira, 5 de Maio de 2014 12:38
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BFD bypassing CoPP on 6500

Hi,

I've not got any further with it I'm afraid, although I did find that a 
service-policy applied on a physical interface 'does' correctly match and 
police the traffic. However, it fails to work if you apply it to a vlan (or 
CoPP, as per my original email).

So if policy is applied to:

CoPP = doesn't match properly (stops BFD from working, but doesn't limit
traffic rate or protect CPU)
VLAN = same behaviour as CoPP
Port = matches and limits correctly if applied to physical interface

I'd be curious to know if someone else could confirm this behaviour so I know 
it's not just something odd about this setup/kit in our lab.

Cheers,



Robert Williams
Custodian Data Centre
Email: rob...@custodiandc.com
http://www.CustodianDC.com

-Original Message-
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: 05 May 2014 12:21
To: Robert Williams; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] BFD bypassing CoPP on 6500

Did you find anything else in the meanwhile ? What you found is potentially 
catastrophic...


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] WS-X6908-10GE Crashes

2014-04-30 Thread Antonio Soares
Hello group,

I have a situation where a WS-X6908-10GE is crashing. The crashinfos have
this:

Apr 25 xx:xx:xx: %EARL_L3_ASIC-DFC7-3-RMA: EARL L3 ASIC 0: fatal interrupt
PO block adjacency statistics data for read is unavailable

Anyone has seen something similar ? The problem is that after replacement
and after changing the slot, the problem happened again…

SUP2T system running 12.2(50)SY4.

I had something similar one year ago. And the funny part is that the SNs are
very close. Maybe there’s a (hidden) field notice about this…

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Strange Issue with 3560X and 4500X

2014-04-23 Thread Antonio Soares
Spanning-tree was working normally but it was Cisco's RPVST. CDP was working
normally but it uses a Cisco MCast address. UDLD was working as well, once
again it uses a Cisco MCast address.

ARP, IGMP, Multicast were not working.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Beck, Andre
Sent: quarta-feira, 23 de Abril de 2014 13:42
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Strange Issue with 3560X and 4500X

Hi,

On Sat, Apr 12, 2014 at 01:57:42PM +0100, Antonio Soares wrote:
 It's exactly this  !
 
 cat4k stops processing ARP, IGMP and other control protocols

Uhh-oh. Does it also stop L2 processing? In other words, is STP going to
melt down?

We've had a very similar case with 4900M boxes that slowly filled the L2
processing queue when no vtp was configured on an interface, on every VTP
frame they received from the peer. Great timebomb (took roughly a fortnight
to explode, and given it hit the L2 queue, it was quite the daisycutter).
 
 CSCuj73571
 https://tools.cisco.com/bugsearch/bug/cscuj73571
 Unbelievable, this was marked with severity 2 ?!!!

What I conclude from there, this really hit public releases in 15.2(1), so
15.1(2)SG3 (aka 03.04.03.SG) isn't in danger? The dysfunctional NTP access
groups there are bad enough, but at least it seems stable otherwise...

Thanks,
Andre.
-- 
Cool .signatures are so 90s...

- Andre Beck+++ ABP-RIPE +++  IBH IT-Service GmbH, Dresden -

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Strange Issue with 3560X and 4500X

2014-04-12 Thread Antonio Soares
Group,

We found that all the 3560-Xs connected to the secondary 4500-X stopped
responding to SNMP queries at the same exact minute which leads to the
common denominator being the 4500-X.

Anyone has experienced strange things with 4500-Xs running 3.5.0E / 15.2(1)E
?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Antonio Soares
Sent: sexta-feira, 11 de Abril de 2014 14:09
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Strange Issue with 3560X and 4500X

Group,

 

This is one of the most weird things I saw these last years. Imagine a
network where you have two 4500-X in the Core (no VSS) and a few 3560-X
pairs forming squares between the 4500-Xs and the 3560-Xs.

 

One of the 4500-X is the STP root for all Vlans, the other 4500-X is the
backup STP root for all Vlans as well.

 

Between the 4500-Xs and the 3560-Xs I have LACP, CDP and UDLD  running.

 

The issue:

 

The network was up and running well the first 4 days after installation.

 

More or less on the fifth day, all the 3560-Xs connected to the secondary
4500-X, stopped responding to ping requests from anywhere in the network,
even from the directly attached neighbors, the two 4500-Xs and the other
3560-X. A reboot to the 3560-X didn’t  solve the problem. UDLD, CDP and LACP
didn’t fail at all.

 

In order to get normal access to the 3560-X, I had to shutdown the uplink
from the 3560-X to the 4500-X.

 

I have a simple diagram here:

 

http://ccie18473.net/issue-sw2.jpg

 

What seems to happen is that broadcasts (ARP, DHCP) and multicast start to
fail somewhere in time.

 

It must be a very severe 4500X or 3560X bug  but I wasn’t able to find
anything. The most important information:

 

WS-C4500X-32, cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin

 

WS-C3560X-48P, c3560e-universalk9-mz.150-2.SE.bin, the uplink is fiber
optic, the C3KX-NM-10G is used, between the 3560Xs I have copper

 

Unfortunately I can’t reload/upgrade the 4500X-s or the 3560X-s…

 

Any pointers are more than welcome.

 

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net

 

 



Re: [c-nsp] Strange Issue with 3560X and 4500X

2014-04-12 Thread Antonio Soares
Great, thanks for the feedback. Are you able to tell me the bug id ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dan
Brisson
Sent: Saturday, 12 April 2014 13:15
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Strange Issue with 3560X and 4500X

We had a problem about 6 months ago when we installed our first pair of
4500Xs where they could reach certain hosts but not reach other hosts on the
same subnet. TAC said it was a bug that has since been fixed. We are on this
version now and the problem has been resolved: 
cat4500e-universalk9.SPA.03.05.01.E.152-1.E1.bin

-dan


Dan Brisson
Network Engineer
University of Vermont
dbris...@uvm.edu

On 4/12/14, 7:03 AM, Antonio Soares wrote:
 Group,

 We found that all the 3560-Xs connected to the secondary 4500-X 
 stopped responding to SNMP queries at the same exact minute which 
 leads to the common denominator being the 4500-X.

 Anyone has experienced strange things with 4500-Xs running 3.5.0E / 
 15.2(1)E ?


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Antonio Soares
 Sent: Friday, 11 April 2014 14:09
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Strange Issue with 3560X and 4500X

 Group,

   

 This is one of the most weird things I saw these last years. Imagine a 
 network where you have two 4500-X in the Core (no VSS) and a few 
 3560-X pairs forming squares between the 4500-Xs and the 3560-Xs.

   

 One of the 4500-X is the STP root for all Vlans, the other 4500-X is 
 the backup STP root for all Vlans as well.

   

 Between the 4500-Xs and the 3560-Xs I have LACP, CDP and UDLD  running.

   

 The issue:

   

 The network was up and running well the first 4 days after installation.

   

 More or less on the fifth day, all the 3560-Xs connected to the 
 secondary 4500-X, stopped responding to ping requests from anywhere in 
 the network, even from the directly attached neighbors, the two 
 4500-Xs and the other 3560-X. A reboot to the 3560-X didn’t  solve the 
 problem. UDLD, CDP and LACP didn’t fail at all.

   

 In order to get normal access to the 3560-X, I had to shutdown the 
 uplink from the 3560-X to the 4500-X.

   

 I have a simple diagram here:

   

 http://ccie18473.net/issue-sw2.jpg

   

 What seems to happen is that broadcasts (ARP, DHCP) and multicast 
 start to fail somewhere in time.

   

 It must be a very severe 4500X or 3560X bug  but I wasn’t able to find 
 anything. The most important information:

   

 WS-C4500X-32, cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin

   

 WS-C3560X-48P, c3560e-universalk9-mz.150-2.SE.bin, the uplink is fiber 
 optic, the C3KX-NM-10G is used, between the 3560Xs I have copper

   

 Unfortunately I can’t reload/upgrade the 4500X-s or the 3560X-s…

   

 Any pointers are more than welcome.

   

   

   

 Thanks.

   

 Regards,

   

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt

 http://www.ccie18473.net

   

   



Re: [c-nsp] Strange Issue with 3560X and 4500X

2014-04-12 Thread Antonio Soares
It's exactly this  !

cat4k stops processing ARP, IGMP and other control protocols

CSCuj73571

https://tools.cisco.com/bugsearch/bug/cscuj73571

Unbelievable, this was marked with severity 2 ?!!!



Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Dan Brisson [mailto:dbris...@uvm.edu] 
Sent: Saturday, 12 April 2014 13:36
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Strange Issue with 3560X and 4500X

Ah, didn't think I had it or I would have included it in the first email,
but turns out I do have it:

Csuj73571

Hope that helps!

-dan


Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbris...@uvm.edu

On 4/12/14, 8:22 AM, Antonio Soares wrote:
 Great, thanks for the feedback. Are you able to tell me the bug id ?


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net



 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Dan Brisson
 Sent: Saturday, 12 April 2014 13:15
 To: cisco-nsp@puck.nether.net
 Subject: Re: [c-nsp] Strange Issue with 3560X and 4500X

 We had a problem about 6 months ago when we installed our first pair 
 of 4500Xs where they could reach certain hosts but not reach other 
 hosts on the same subnet. TAC said it was a bug that has since been 
 fixed. We are on this version now and the problem has been resolved:
 cat4500e-universalk9.SPA.03.05.01.E.152-1.E1.bin

 -dan


 Dan Brisson
 Network Engineer
 University of Vermont
 dbris...@uvm.edu

 On 4/12/14, 7:03 AM, Antonio Soares wrote:
 Group,

 We found that all the 3560-Xs connected to the secondary 4500-X 
 stopped responding to SNMP queries at the same exact minute which 
 leads to the common denominator being the 4500-X.

 Anyone has experienced strange things with 4500-Xs running 3.5.0E / 
 15.2(1)E ?


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
 Of Antonio Soares
 Sent: Friday, 11 April 2014 14:09
 To: cisco-nsp@puck.nether.net
 Subject: [c-nsp] Strange Issue with 3560X and 4500X

 Group,



 This is one of the most weird things I saw these last years. Imagine 
 a network where you have two 4500-X in the Core (no VSS) and a few 
 3560-X pairs forming squares between the 4500-Xs and the 3560-Xs.



 One of the 4500-X is the STP root for all Vlans, the other 4500-X is 
 the backup STP root for all Vlans as well.



 Between the 4500-Xs and the 3560-Xs I have LACP, CDP and UDLD  running.



 The issue:



 The network was up and running well the first 4 days after installation.



 More or less on the fifth day, all the 3560-Xs connected to the 
 secondary 4500-X, stopped responding to ping requests from anywhere 
 in the network, even from the directly attached neighbors, the two 
 4500-Xs and the other 3560-X. A reboot to the 3560-X didn’t  solve 
 the problem. UDLD, CDP and LACP didn’t fail at all.



 In order to get normal access to the 3560-X, I had to shutdown the 
 uplink from the 3560-X to the 4500-X.



 I have a simple diagram here:



 http://ccie18473.net/issue-sw2.jpg



 What seems to happen is that broadcasts (ARP, DHCP) and multicast 
 start to fail somewhere in time.



 It must be a very severe 4500X or 3560X bug  but I wasn’t able to 
 find anything. The most important information:



 WS-C4500X-32, cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin



 WS-C3560X-48P, c3560e-universalk9-mz.150-2.SE.bin, the uplink is 
 fiber optic, the C3KX-NM-10G is used, between the 3560Xs I have 
 copper



 Unfortunately I can’t reload/upgrade the 4500X-s or the 3560X-s…



 Any pointers are more than welcome.







 Thanks.



 Regards,



 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt

 http://www.ccie18473.net







[c-nsp] Strange Issue with 3560X and 4500X

2014-04-11 Thread Antonio Soares
Group,

 

This is one of the most weird things I saw these last years. Imagine a
network where you have two 4500-X in the Core (no VSS) and a few 3560-X
pairs forming squares between the 4500-Xs and the 3560-Xs.

 

One of the 4500-X is the STP root for all Vlans, the other 4500-X is the
backup STP root for all Vlans as well.

 

Between the 4500-Xs and the 3560-Xs I have LACP, CDP and UDLD  running.

 

The issue:

 

The network was up and running well the first 4 days after installation.

 

More or less on the fifth day, all the 3560-Xs connected to the secondary
4500-X, stopped responding to ping requests from anywhere in the network,
even from the directly attached neighbors, the two 4500-Xs and the other
3560-X. A reboot to the 3560-X didn’t  solve the problem. UDLD, CDP and LACP
didn’t fail at all.

 

In order to get normal access to the 3560-X, I had to shutdown the uplink
from the 3560-X to the 4500-X.

 

I have a simple diagram here:

 

http://ccie18473.net/issue-sw2.jpg

 

What seems to happen is that broadcasts (ARP, DHCP) and multicast start to
fail somewhere in time.

 

It must be a very severe 4500X or 3560X bug  but I wasn’t able to find
anything. The most important information:

 

WS-C4500X-32, cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin

 

WS-C3560X-48P, c3560e-universalk9-mz.150-2.SE.bin, the uplink is fiber
optic, the C3KX-NM-10G is used, between the 3560Xs I have copper

 

Unfortunately I can’t reload/upgrade the 4500X-s or the 3560X-s…

 

Any pointers are more than welcome.

 

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net

 

 



[c-nsp] NetFlow Performance Analysis (CRS)

2014-02-26 Thread Antonio Soares
Hello group,

I'm looking for Information about the impact of enabling NetFlow on the
Cisco CRS. The best I was able to find was this very good but very old
document:

http://www.cisco.com/c/dam/en/us/solutions/collateral/service-provider/secure-infrastructure/net_implementation_white_paper0900aecd80308a66.pdf


Anyone has pointers to share ? The hardware I need to analyze is the MSC-B,
FP40 and FP140.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net






Re: [c-nsp] RAM thing

2014-02-13 Thread Antonio Soares
It happened to me. Last week two ASAs with 4 GB of RAM each (4x1GB) died
after a power off/power on. All the 1Gb modules were tested individually and
were dead.

The reference of the module for those interested:

Micron, PC3200U-30331-B1, 1GB, DDR, 400, CL3, ECC



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Thursday, 13 February 2014 15:16
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] RAM thing

I'm sure most people have seen this, but for those who haven't:

http://www.cisco.com/web/about/doing_business/memory.html

tl;dr - faulty RAM in a bunch of Cisco (and it is implied, other
vendors) kit from ca. 2005-2010 suffering sudden death on power cycle,
across many product ranges.

They downplay it somewhat in the FAQ - let's hope it really is only a minor
thing.


Re: [c-nsp] Transparent WAN Encryption

2014-02-02 Thread Antonio Soares
I'm looking for the simplest way to do it. Most customers have L2
connections between Data Centers. The edge device controlled by the customer
is a Layer 2 Switch. The mechanisms like IPSec, GETVPN, FlexVPN, and so on,
need a router in the edge. This implies modification of the customer's
topologies. L2 encryption seems the perfect solution and it seems there are
several options on the market.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Jeff Orr [mailto:j...@communicorr.com] 
Sent: Sunday, 2 February 2014 17:25
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption

If you are using a private MPLS (I.e. Not over Internet) & have Cisco CE
routers consider GETVPN.

For the reasons you mentioned, we as a customer went this direction.
We needed to ensure our WAN (150 sites/multiple data centers) traveling
across a variety of links/providers including DS1/DS3/Metro-e is secure.

It has really scaled & worked well. GETVPN is VRF aware & can function on
the PE side as well.

-jeff

Sent from my AT&T iPhone

 On Feb 1, 2014, at 9:16 PM, Antonio Soares amsoa...@netcabo.pt wrote:

 Hello group,



 Service Provider WAN links are not secure anymore and I have more and 
 more enterprise customer asking transparent WAN encryption solutions. 
 I came across these two products:



 EncryptTight:



 http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119



 TrustNet:



 http://www.certesnetworks.com/securitysolutions/wan-encryption.html



 Anyone has experience with these products ? This seems the ideal solution.
 The networks remain exactly the same as they were, we simply add these 
 devices to do their job.





 Thanks.



 Regards,



 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt

 http://www.ccie18473.net









Re: [c-nsp] Transparent WAN Encryption

2014-02-02 Thread Antonio Soares
Great ! Here are the links for those interested on this subject:

 

Thales:

 

http://www.thales-esecurity.com/products-and-services/products-and-services/network-encryption-appliances/datacryptor-link-and-layer-2-encryption

 

SafeNet:

 

http://www.safenet-inc.com/data-protection/network-encryption/

 

And here’s another one I received offline:

 

Engage:

 

http://www.engageinc.com/Products2/BlackDoor.htm

 

Now I’m trying to find if someone already made a comparison of the available
options on the market.

 

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

 

 

From: Eugeniu Patrascu [mailto:eu...@imacandi.net] 
Sent: Sunday, 2 February 2014 12:47
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Transparent WAN Encryption

 

On Sun, Feb 2, 2014 at 4:16 AM, Antonio Soares amsoa...@netcabo.pt wrote:

Hello group,



Service Provider WAN links are not secure anymore and I have more and more
enterprise customer asking transparent WAN encryption solutions. I came
across these two products:



EncryptTight:



http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119



TrustNet:



http://www.certesnetworks.com/securitysolutions/wan-encryption.html



Anyone has experience with these products ? This seems the ideal solution.
The networks remain exactly the same as they were, we simply add these
devices to do their job.



 

 

 

You can also look at Thales and SafeNet. They can also do Layer2 encryption
(think of it like encrypted VPLS).

 

They come in 100M/1G/10G line rate boxes.

 

Eugeniu



[c-nsp] Transparent WAN Encryption

2014-02-01 Thread Antonio Soares
Hello group,

 

Service Provider WAN links are not secure anymore and I have more and more
enterprise customer asking transparent WAN encryption solutions. I came
across these two products:

 

EncryptTight:

 

http://www.blackbox.com/Store/Results.aspx/Networking/Security-Optimization/Encryption/n-4294953119

 

TrustNet:

 

http://www.certesnetworks.com/securitysolutions/wan-encryption.html

 

Anyone has experience with these products ? This seems the ideal solution.
The networks remain exactly the same as they were, we simply add these
devices to do their job.

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net

 

 



[c-nsp] Cannot open TAC case (tool issues)

2013-12-09 Thread Antonio Soares
Hello group,

 

Today I wasn’t able to open a TAC case with the tool I always use:

 

https://tools.cisco.com/ServiceRequestTool/create/DefineProblem.do

 

The page loads but shows nothing. Same behavior with IE and FF.

 

Can someone confirm what I see ? And that this tool is not going away ?

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net

 

 



Re: [c-nsp] Cannot open TAC case (tool issues)

2013-12-09 Thread Antonio Soares
Thanks Adam. I'm aware of the new SCM tool. Does it mean that the old tool
is gone ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Adam Vitkovsky [mailto:adam.vitkov...@swan.sk] 
Sent: Monday, 9 December 2013 11:43
To: 'Antonio Soares'; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] Cannot open TAC case (tool issues)

Hello Antonio,
I'm using this one:
https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case?referring_site=support_mm


adam
-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Antonio Soares
Sent: Monday, December 09, 2013 12:29 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cannot open TAC case (tool issues)

Hello group,

 

Today I wasn't able to open a TAC case with the tool I always use:

 

https://tools.cisco.com/ServiceRequestTool/create/DefineProblem.do

 

The page loads but shows nothing. Same behavior with IE and FF.

 

Can someone confirm what I see ? And that this tool is not going away ?

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net

 

 



Re: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH

2013-11-13 Thread Antonio Soares
I can confirm that the reload solved the issue. It was a 1x100GBE/CRS-FP140 
pair of cards.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Edward Salonia [mailto:e...@edgeoc.net] 
Sent: Wednesday, 6 November 2013 16:33
To: Antonio Soares
Cc: jean-francois.d...@videotron.com; cisco-nsp; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH

There should be an SMU to suppress those informational messages. Apparently 
they resulted in a bunch of unnecessary RMA's.

- Ed

On Nov 6, 2013, at 7:13, Antonio Soares amsoa...@netcabo.pt wrote:

Thank you for the feedback. It's good to know that the reload worked for you.

The new bug tool shows that 65 support cases were opened for this issue:

https://tools.cisco.com/bugsearch/bug/CSCts11174

If it was something severe, we would know it.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: jean-francois.d...@videotron.com
[mailto:jean-francois.d...@videotron.com]
Sent: Tuesday, 5 November 2013 22:54
To: amsoa...@netcabo.pt
Cc: cisco-nsp@puck.nether.net; cisco-nsp
Subject: RE: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH

Hi Antonio,

I had a similar issue and decided to reload the linecard.

pse_pogo_driver[281]: %PLATFORM-CIH-5-ASIC_ERROR_SPECIAL_HANDLE : pse[1]: A sbe 
error has occurred causing  data corrected. 0x12470007


I don't like to see any messages regarding single bit error (SBE) and even less 
when it's in packet switching engine (PSE) ASIC so that's why I reloaded the 
linecard. The messages went away.

I used show asic-errors all detail location 0/x/CPU0 to see the errors on the 
linecard.


Cheers,

JF

Jean-François Dubé
Technician, IP Network Operations
Network Operations Engineering
Vidéotron

cisco-nsp cisco-nsp-boun...@puck.nether.net wrote on 2013-10-28
11:52:02:

 From: Antonio Soares amsoa...@netcabo.pt
 To: cisco-nsp@puck.nether.net
 Date: 2013-10-28 11:54
 Subject: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH
 Sent by: cisco-nsp cisco-nsp-boun...@puck.nether.net
 
 Hello Team,
 
 I'm getting this message:
 
 
 pse_pogo_driver[244]: %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH :
 pse[1]: A sbe error has occurred causing data corrected. 0x12470009
 Threshold has been exceeded


 Exactly every 14 minutes and 10 seconds. I found bug CSCts11174 and
 they say:


 Workaround:
 Sometimes an LC reload can fix the issue but it is not guaranteed.
 This does not harm any user or control traffic and should not trigger
 RMA or EFA in particular.
 
 
 Can someone confirm that this is really cosmetic ?
 
 I'm getting it on a 1X100GBE/CRS-FP140.
 
 
 Thanks.
 
 Regards,
 
 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net
 
 

Re: [c-nsp] con0 and XRemote problem which ends with serious memory issues

2013-11-13 Thread Antonio Soares
Hello Team,

I found this old question since I am getting exactly the same problem. The
6500 is running 122-33.SXH8b.

Apart from the reboot or possibly from the Supervisor Switchover, anyone
knows how to solve this ?

It was the first time I heard about Cisco IOS running XRemote. I was able to
reproduce this in the lab with 12.2.18SFX17b.





Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Andy B.
Sent: Thursday, 12 May 2011 14:39
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] con0 and XRemote problem which ends with serious memory
issues

Hi,

I'm facing an issue with a 6500 running SXI5 that eventually ends up eating
all memory and reload is the only way to solve it:

#who
    Line       User       Host(s)              Idle       Location
   0 con 0                XRemote: 24 clients  01:54:29


This box has been up for 12 hours, and the number of XRemote increases over
the day, while no console is attached to con 0.

I tried to clear line con 0 to no avail and then I also tried to identify
the TCB by using sh tcp brief and then clearing the TCB.

Here is an example:

5B09CF34  x.x.189.1.8000  x.218.199.147.2055  CLOSED

#sh tcp tcb 5B09CF34
Connection state is CLOSED, I/O status: 8, unread input bytes: 9
Mininum incoming TTL 0, Outgoing TTL 255
Local host: x.x.189.1, Local port: 8000
Foreign host: x.218.199.147, Foreign port: 2055

Enqueued packets for retransmit: 0, input: 1  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x289A8DC):
Timer          Starts    Wakeups            Next
Retrans             1          0             0x0
TimeWait            0          0             0x0
AckHold             1          1             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            1          0       0x291DA40

iss: 2341161453  snduna: 2341161454  sndnxt: 2341161454 sndwnd:  65535
irs: 1925376677  rcvnxt: 1925376687  rcvwnd:   4119  delrcvwnd:  0

SRTT: 52 ms, RTTO: 1968 ms, RTV: 1916 ms, KRTT: 0 ms
minRTT: 416 ms, maxRTT: 416 ms, ACK hold: 200 ms
Flags: passive open, higher precedence, retransmission timeout
  path mtu capable

Datagrams (max data segment is 1460 bytes):
Rcvd: 4 (out of order: 0), with data: 1, total data bytes: 9
Sent: 4 (retransmit: 0), with data: 0, total data bytes: 0


(Note that all those XRemote sessions seem to be on port 8000, but I cannot
explain why)

#clear tcp tcb 5B09CF34
[confirm]
 [OK]


It does not disappear from the list and I tried to clear it numerous times,
and eventually it disappeared.



Furthermore, while this goes on, this is spamming my logs:

May 12 15:32:05.660 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4
May 12 15:32:05.928 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4
May 12 15:32:06.180 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4
May 12 15:32:06.432 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4
May 12 15:32:06.684 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4
May 12 15:32:06.936 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4
May 12 15:32:07.200 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119 -Traceback= 42377590 422007D0 422013A4 42200A60 42203984 4052E5B0 4233FCAC 4055C178 41392EC8 41392EB4



The main problem is that the number of XRemote sessions is going up to
128 and it is slowly eating up all available memory until it is all used up
and you are forced to reload. Last time this happened, memory was full in
roughly 6 weeks.

I have no service and no ACL using port 8000.

When I reload the box it's good for a while, and then it starts over again.


Has anyone seen this behaviour? How can this be solved without reloading
every once and a while?

Thanks.

Andy
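
An added example, not part of the original thread: a Python check that pulls the three symptoms described in the message above (the XRemote client count in `who`, CLOSED TCBs on local port 8000, and the %SYS-2-GETBUF burst) out of collected CLI and syslog text. The sample text, the function names and the `client_limit` threshold are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the output quoted in the message above.
# Addresses are documentation ranges; the vty line, the second and third
# TCB rows and the LINK message are invented for the example.
WHO_OUTPUT = """\
    Line       User       Host(s)              Idle       Location
   0 con 0                XRemote: 24 clients  01:54:29
*  1 vty 0     admin      idle                 00:00:00   192.0.2.50
"""

TCP_BRIEF_OUTPUT = """\
TCB       Local Address           Foreign Address        (state)
5B09CF34  192.0.2.1.8000          198.51.100.147.2055    CLOSED
5B0A1110  192.0.2.1.8000          198.51.100.20.40112    CLOSED
5B0A2220  192.0.2.1.22            192.0.2.50.51514       ESTAB
"""

SYSLOG = """\
May 12 15:32:05.660 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119
May 12 15:32:05.928 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119
May 12 15:32:06.180 CEST: %SYS-2-GETBUF: Bad getbuffer, bytes= -10 -Process= Exec, ipl= 0, pid= 119
May 12 15:33:00.000 CEST: %LINK-3-UPDOWN: Interface Gi1/1, changed state to up
"""

WHO_RE = re.compile(
    r"^\*?[ \t]*\d+[ \t]+((?:con|aux|vty|tty)[ \t]+\d+)[ \t]+.*?"
    r"XRemote:[ \t]*(\d+)[ \t]+clients", re.M)
TCB_RE = re.compile(
    r"^([0-9A-Fa-f]{8})[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.M)
GETBUF_RE = re.compile(
    r"^(\w{3}[ \t]+\d+[ \t]+\d\d:\d\d:\d\d\.\d+)[ \t]+\w+:[ \t]+"
    r"%SYS-2-GETBUF:.*?-Process=[ \t]*(\w+)", re.M)


def xremote_clients(who_text):
    """Return {line name: XRemote client count} from `who` output."""
    return {" ".join(m.group(1).split()): int(m.group(2))
            for m in WHO_RE.finditer(who_text)}


def stuck_tcbs(tcp_brief_text, local_port=8000):
    """Return TCB ids in CLOSED state whose local port is `local_port`."""
    hits = []
    for tcb, local, _foreign, state in TCB_RE.findall(tcp_brief_text):
        # Addresses are printed as a.b.c.d.port, so the port is the last field.
        port = local.rsplit(".", 1)[-1]
        if state == "CLOSED" and port == str(local_port):
            hits.append(tcb)
    return hits


def getbuf_burst(syslog_text):
    """Return (count, span in ms, process names) for %SYS-2-GETBUF messages."""
    stamps, procs = [], set()
    for ts, proc in GETBUF_RE.findall(syslog_text):
        # These timestamps carry no year; a fixed leap year keeps parsing unambiguous.
        stamps.append(datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f"))
        procs.add(proc)
    span_ms = (max(stamps) - min(stamps)) // timedelta(milliseconds=1) if stamps else 0
    return len(stamps), span_ms, sorted(procs)


def assess(who_text, tcp_brief_text, syslog_text, client_limit=0):
    """Collect findings; client_limit is a hypothetical alert threshold."""
    findings = []
    for line, count in xremote_clients(who_text).items():
        if count > client_limit:
            findings.append(f"{line}: {count} XRemote clients")
    tcbs = stuck_tcbs(tcp_brief_text)
    if tcbs:
        findings.append(f"{len(tcbs)} CLOSED TCBs on local port 8000: {', '.join(tcbs)}")
    count, span_ms, procs = getbuf_burst(syslog_text)
    if count:
        findings.append(f"{count} GETBUF errors in {span_ms} ms from {', '.join(procs)}")
    return findings


if __name__ == "__main__":
    for finding in assess(WHO_OUTPUT, TCP_BRIEF_OUTPUT, SYSLOG):
        print(finding)
```

Run periodically against saved command output, the client count gives a trend for the slow memory exhaustion described in the message well before the box needs a reload.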

Re: [c-nsp] TAC hits a new record level of aggravation...

2013-11-07 Thread Antonio Soares
Another tool that is a nightmare. The new bug search tool: it hangs my IE 9,
my FF 25, ...

This is what FF tells me:

A script on this page may be busy, or it may have stopped responding. You
can stop the script now, or you can continue to see if the script will
complete.

Script:
https://tools.cisco.com/bugsearch/resources-2.0.5/js/jquery-1.8.2.js:624;


Java, JavaScript, etc, why do we need that ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Justin M. Streiner
Sent: Sunday, 3 November 2013 14:35
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] TAC hits a new record level of aggravation...

On Sun, 3 Nov 2013, Jeff Kell wrote:

 Customer support died a decade ago.

For the front-end stuff, sure.

To be fair, and to give credit where credit is due, I have dealt with some
TAC engineers who have been incredibly helpful, professional, and
responsive.  For the things I generally reach out to TAC for, it seems like
the level of response I've gotten recently has improved a bit from, say, two
years ago.

jms


Re: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH

2013-11-06 Thread Antonio Soares
Thank you for the feedback. It's good to know that the reload worked for
you.

The new bug tool shows that 65 support cases were opened for this issue:

https://tools.cisco.com/bugsearch/bug/CSCts11174

If it was something severe, we would know it.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: jean-francois.d...@videotron.com
[mailto:jean-francois.d...@videotron.com] 
Sent: Tuesday, 5 November 2013 22:54
To: amsoa...@netcabo.pt
Cc: cisco-nsp@puck.nether.net; cisco-nsp
Subject: RE: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH

Hi Antonio,

I had a similar issue and decided to reload the linecard.

pse_pogo_driver[281]: %PLATFORM-CIH-5-ASIC_ERROR_SPECIAL_HANDLE : pse[1]: A
sbe error has occurred causing  data corrected. 0x12470007


I don't like to see any messages regarding single bit error (SBE) and even
less when it's in packet switching engine (PSE) ASIC so that's why I
reloaded the linecard. The messages went away.

I used show asic-errors all detail location 0/x/CPU0 to see the errors on
the linecard.


Cheers,

JF

Jean-François Dubé
Technician, IP Network Operations
Network Operations Engineering
Vidéotron

cisco-nsp cisco-nsp-boun...@puck.nether.net wrote on 2013-10-28 11:52:02:

> From: Antonio Soares amsoa...@netcabo.pt
> To: cisco-nsp@puck.nether.net
> Date: 2013-10-28 11:54
> Subject: [c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH
> Sent by: cisco-nsp cisco-nsp-boun...@puck.nether.net
>
> Hello Team,
>
> I'm getting this message:
>
> pse_pogo_driver[244]: %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH :
> pse[1]: A sbe error has occurred causing data corrected. 0x12470009
> Threshold has been exceeded
>
> Exactly every 14 minutes and 10 seconds. I found bug CSCts11174 and
> they say:
>
> Workaround:
> Sometimes an LC reload can fix the issue but it is not guaranteed.
> This does not harm any user or control traffic and should not trigger
> RMA or EFA in particular.
>
> Can someone confirm that this is really cosmetic ?
>
> I'm getting it on a 1X100GBE/CRS-FP140.
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net


[c-nsp] %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH

2013-10-28 Thread Antonio Soares
Hello Team,

I'm getting this message:


pse_pogo_driver[244]: %PLATFORM-CIH-5-ASIC_ERROR_SCRUB_THRESH : pse[1]: A
sbe error has occurred causing data corrected. 0x12470009 Threshold has been
exceeded


Exactly every 14 minutes and 10 seconds. I found bug CSCts11174 and they
say:


Workaround:
Sometimes an LC reload can fix the issue but it is not guaranteed.
This does not harm any user or control traffic and should not trigger RMA or
EFA in particular.


Can someone confirm that this is really cosmetic ?

I'm getting it on a 1X100GBE/CRS-FP140.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net




Re: [c-nsp] ASA 5585-X upgrade error

2013-09-20 Thread Antonio Soares
Thanks for the feedback. Just found the bug a few minutes ago:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuh25271

In my case I have 8.4.3.9 and I want to go to 8.4.6.5. I would love to know
if the intermediate upgrade to 8.4.6 will be enough.

I didn’t see the problem on the 5520s, only on the 5585-X. The bug doesn’t
mention anything about that…

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


From: Karl Putland [mailto:k...@simplesignal.com]
Sent: Friday, 20 September 2013 19:14
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA 5585-X upgrade error

You have to go to 9.1.2 first, then upgrade to 9.1.3

I just hit this today too.

--Karl

Karl Putland
Senior Engineer
SimpleSignal
Anywhere: 303-242-8608

On Fri, Sep 20, 2013 at 12:08 PM, Antonio Soares amsoa...@netcabo.pt
wrote:

> Hello guys,
>
> I was preparing a few 5585-X upgrades to 8.4.6.5 and I got this:
>
> +
> FW# copy ftp: disk0:
>
> Address or name of remote host [x.x.x.x]?
>
> Source filename [asa846-5-smp-k8.bin]?
>
> Destination filename [asa846-5-smp-k8.bin]?
>
> Accessing ftp://x.x.x.x/asa846-5-smp-k8.bin...
> !
> (...)
> !!
> No Cfg structure found in downloaded image file
>
> FW#
> +
>
> The file is not copied to the disk. With ASDM I get a strange HTTP error.
>
> Anyone has seen something like this ?
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net


[c-nsp] ASA 5585-X upgrade error

2013-09-20 Thread Antonio Soares
Hello guys,

I was preparing a few 5585-X upgrades to 8.4.6.5 and I got this:

+
FW# copy ftp: disk0:

Address or name of remote host [x.x.x.x]?

Source filename [asa846-5-smp-k8.bin]?

Destination filename [asa846-5-smp-k8.bin]?

Accessing ftp://x.x.x.x/asa846-5-smp-k8.bin...
!
(...)
!!
No Cfg structure found in downloaded image file

FW#
+

The file is not copied to the disk. With ASDM I get a strange HTTP error.

Anyone has seen something like this ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


[c-nsp] ASA 8.4.3.9 crash - duplicate ACE entries

2013-09-13 Thread Antonio Soares
Hello group,

Strange issue, duplicate ACE entries are detected in the configuration, then
when one of the duplicate entries is removed (using the line keyword),
remote access to the device is lost. Then on the console a show run causes a
crash. The Firewall is a pair of 5585-X running 8.4.3.9. Has anyone seen
something like this ? I found a somewhat related bug but it doesn’t mention
what happens if one of the duplicate entries is removed:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub28721

And the problem happened with regular Object Based ACLs, not with Webtype
ACLs.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net





Re: [c-nsp] How to reset password on Sup 2t

2013-09-06 Thread Antonio Soares
It seems that info is not easy to find. If I were you, I would remove the
Compact Flash from the Card. It will go to rommon since it won't be able to
find a valid boot image. There is this discussion but I don't think it will
be very helpful:

https://supportforums.cisco.com/thread/2211058



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Sai
Sent: Friday, 6 September 2013 14:36
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] How to reset password on Sup 2t

I cannot find any documentation on how to reset/recover password on Catalyst
6500E with Supervisor 2T.

Any pointers?

Thanks,
Sai


[c-nsp] Disabling per-interface mls qos in 12.2SX, Possible? Was: CoPP and WRR

2013-09-05 Thread Antonio Soares
Hello Group,

I just found this unanswered question that is related with the WRR issues I
have:

http://puck.nether.net/pipermail/cisco-nsp/2008-July/052657.html

What type of hardware/software supports this ?

It is not supported with 12.2.33SXI4a and
WS-X6704-10GE/WS-X6724-SFP/WS-X6548-GE-TX. The feature seems specific to the
7600 and some kind of hardware but the documentation is not clear at all.



Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net




Re: [c-nsp] Disabling per-interface mls qos in 12.2SX, Possible? Was: CoPP and WRR

2013-09-05 Thread Antonio Soares
I need to see all the possibilities. Typing lots of stuff to tell the device
to do nothing is not something that makes me happy :)

I will consider this closed.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Thursday, 5 September 2013 17:12
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Disabling per-interface mls qos in 12.2SX, Possible?
Was: CoPP and WRR

On 05/09/13 16:54, Antonio Soares wrote:
> Hello Group,
>
> I just found this unanswered question that is related with the WRR
> issues I have:
>
> http://puck.nether.net/pipermail/cisco-nsp/2008-July/052657.html
>
> What type of hardware/software supports this ?
>
> It is not supported with 12.2.33SXI4a and
> WS-X6704-10GE/WS-X6724-SFP/WS-X6548-GE-TX. The feature seems specific
> to the 7600 and some kind of hardware but the documentation is not
> clear at all.

The docs suggest it's for WAN/OSM cards.

You seem to be desperately clinging to the idea you can avoid per-interface
queue config on LAN cards - you can't. You will need to do the typing.


Re: [c-nsp] CoPP and WRR

2013-09-04 Thread Antonio Soares
Making WRR work as a default FIFO queue brings me another issue. It seems
the 6500 doesn't have any special treatment for network control traffic:

http://www.cisco.com/en/US/tech/tk543/tk544/technologies_tech_note09186a0080094612.shtml#pripack

Can someone confirm that this is really true ? That when we don't have QoS
enabled, the network control traffic doesn't have any special treatment in
the output queue ?

I know that there is SPD but this only applies for the input direction:

http://www.cisco.com/web/about/security/intelligence/spd.html


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Antonio Soares
Sent: Tuesday, 3 September 2013 18:22
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CoPP and WRR

Thanks for the feedback. It seems it's a bit more difficult than I thought.
For example, by default, the 6704-10GE uses a combination of Tail Drop and
WRED:

Router#sh queueing interface tenGigabitEthernet 2/1
...
queue tail-drop-thresholds
--
1 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
2 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
3 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
4 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
5 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
6 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
7 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 

queue random-detect-min-thresholds
--
  1    40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
  2    40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
  3    70[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
  4    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  5    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  6    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  7    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

queue random-detect-max-thresholds
--
  1    70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  2    70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  3    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  4    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  5    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  6    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  7    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

WRED disabled queues:  4  5  6  7
...

So in order to make queue 1 behave like the default (non qos) fifo queue, I
think we need something like this:

no wrr-queue random-detect 1
wrr-queue threshold 1 100 1 1 1 1 1 1 1 

The final configuration for each 10GE interface would be:

Router#sh run int te2/1
Building configuration...

Current configuration : 263 bytes
!
interface TenGigabitEthernet2/1
 no ip address
 shutdown
 wrr-queue bandwidth percent 100 0 0 0 0 0 0
 wrr-queue queue-limit 100 0 0 0 0 0 0
 wrr-queue threshold 1 100 1 1 1 1 1 1 1
 no wrr-queue random-detect 1
 wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7
end

Router#


Does it make sense ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Tuesday, 3 September 2013 13:39
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CoPP and WRR

On 03/09/13 13:23, Saku Ytti wrote:
> On (2013-09-03 13:10 +0100), Antonio Soares wrote:
>
>> wrr-queue bandwidth percent 100 0 0 0 0 0 0
>>   wrr-queue queue-limit 100 0 0 0 0 0 0
>>   wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7
>>
>> But doing this kind of stuff for hundreds of interfaces doesn't make
>> too much sense.
>
> Alas it is what you must do. The problem is that default QoS isn't
> this, it should be. But Cisco tries to be helpful in Catalyst BU and
> offer some magic default QoS which I'm certain causes more issues than
> it solves.

Yeah, it's a shame you can't set the global defaults - it's a lot of typing,
and slows down the already-too-slow NVGEN on these platforms.


[c-nsp] CoPP and WRR

2013-09-03 Thread Antonio Soares
Hello group,

Due to the implementation of CoPP on a few 6500s, we had to enable QoS. Now
we are suffering from output drops on many interfaces, mainly due to the fact
that the majority of the traffic is COS=0. Is there a way to disable WRR and
get the previous behavior (no qos) ? I don’t like the idea of managing the
complexity of SRR if we don’t have QoS Policies in place. We have 1p7q8t,
1p2q2t and 1p3q8t type of cards. The only option I see is to put all the
traffic into queue 1 to simulate the default fifo queue, something like this
for the 1p3q8t card (6704-10GE):

+++
Router(config-if)#do sh run int te2/1
Building configuration...

Current configuration : 190 bytes
!
interface TenGigabitEthernet2/1
 no ip address
 shutdown
 wrr-queue bandwidth percent 100 0 0 0 0 0 0
 wrr-queue queue-limit 100 0 0 0 0 0 0
 wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7
end

Router(config-if)#
+++

But doing this kind of stuff for hundreds of interfaces doesn’t make too
much sense.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


Re: [c-nsp] CoPP and WRR

2013-09-03 Thread Antonio Soares
Thanks for the feedback. It seems it's a bit more difficult than I thought.
For example, by default, the 6704-10GE uses a combination of Tail Drop and
WRED:

Router#sh queueing interface tenGigabitEthernet 2/1
...
queue tail-drop-thresholds
--
1 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
2 70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
3 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
4 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
5 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
6 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 
7 100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8] 

queue random-detect-min-thresholds
--
  1    40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
  2    40[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
  3    70[1] 70[2] 70[3] 70[4] 70[5] 70[6] 70[7] 70[8]
  4    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  5    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  6    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  7    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

queue random-detect-max-thresholds
--
  1    70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  2    70[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  3    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  4    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  5    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  6    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]
  7    100[1] 100[2] 100[3] 100[4] 100[5] 100[6] 100[7] 100[8]

WRED disabled queues:  4  5  6  7
...

So in order to make queue 1 behave like the default (non qos) fifo queue, I
think we need something like this:

no wrr-queue random-detect 1
wrr-queue threshold 1 100 1 1 1 1 1 1 1 

The final configuration for each 10GE interface would be:

Router#sh run int te2/1 
Building configuration...

Current configuration : 263 bytes
!
interface TenGigabitEthernet2/1
 no ip address
 shutdown
 wrr-queue bandwidth percent 100 0 0 0 0 0 0 
 wrr-queue queue-limit 100 0 0 0 0 0 0 
 wrr-queue threshold 1 100 1 1 1 1 1 1 1 
 no wrr-queue random-detect 1 
 wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7 
end

Router#


Does it make sense ?

Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Tuesday, 3 September 2013 13:39
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] CoPP and WRR

On 03/09/13 13:23, Saku Ytti wrote:
> On (2013-09-03 13:10 +0100), Antonio Soares wrote:
>
>> wrr-queue bandwidth percent 100 0 0 0 0 0 0
>>   wrr-queue queue-limit 100 0 0 0 0 0 0
>>   wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7
>>
>> But doing this kind of stuff for hundreds of interfaces doesn't make
>> too much sense.
>
> Alas it is what you must do. The problem is that default QoS isn't
> this, it should be. But Cisco tries to be helpful in Catalyst BU and
> offer some magic default QoS which I'm certain causes more issues than
> it solves.

Yeah, it's a shame you can't set the global defaults - it's a lot of typing,
and slows down the already-too-slow NVGEN on these platforms.


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
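
Added example (not part of any list post, and not Cisco code): a Python audit of a saved running-config that reports which TenGigabitEthernet interfaces still lack the five per-interface lines proposed in the message above for the 1p3q8t card, and prints the commands left to enter. It assumes every TenGigabitEthernet port sits on a 1p3q8t card; the function names and the sample config are constructed for illustration.

```python
import re

# Per-interface lines quoted in the thread for the 1p3q8t card (WS-X6704-10GE).
# Other queue structures (1p7q8t, 1p2q2t) need different values, which the
# thread does not give, so they are out of scope here.
REQUIRED_1P3Q8T = (
    "wrr-queue bandwidth percent 100 0 0 0 0 0 0",
    "wrr-queue queue-limit 100 0 0 0 0 0 0",
    "wrr-queue threshold 1 100 1 1 1 1 1 1 1",
    "no wrr-queue random-detect 1",
    "wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7",
)


def normalize(line):
    """Collapse runs of whitespace so trailing spaces do not defeat matching."""
    return " ".join(line.split())


def parse_interfaces(config_text):
    """Return {interface name: [normalized sub-commands]} from a running-config."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        header = re.match(r"^interface\s+(\S+)", raw)
        if header:
            current = header.group(1)
            stanzas[current] = []
        elif current is not None and raw[:1].isspace() and raw.strip():
            stanzas[current].append(normalize(raw))
        else:
            current = None  # "!", "end" or a blank line closes the stanza
    return stanzas


def audit(config_text, name_prefix="TenGigabitEthernet", required=REQUIRED_1P3Q8T):
    """Report missing required lines and any other wrr-queue lines per interface."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        if not name.startswith(name_prefix):
            continue  # assumption: only these ports are on 1p3q8t cards
        missing = [cmd for cmd in required if cmd not in lines]
        unexpected = [l for l in lines if "wrr-queue" in l and l not in required]
        if missing or unexpected:
            report[name] = {"missing": missing, "unexpected": unexpected}
    return report


def remediation(report):
    """Build the config commands still needed; unexpected lines are left for review."""
    out = []
    for name, finding in report.items():
        if finding["missing"]:
            out.append(f"interface {name}")
            out.extend(f" {cmd}" for cmd in finding["missing"])
            out.append("!")
    return "\n".join(out)


# Constructed sample: Te2/1 is the final config from the thread, Te2/2 has only
# the three lines from the first post, Te2/3 maps a CoS value to another queue.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet2/1
 no ip address
 shutdown
 wrr-queue bandwidth percent 100 0 0 0 0 0 0
 wrr-queue queue-limit 100 0 0 0 0 0 0
 wrr-queue threshold 1 100 1 1 1 1 1 1 1
 no wrr-queue random-detect 1
 wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7
!
interface TenGigabitEthernet2/2
 no ip address
 wrr-queue bandwidth percent 100 0 0 0 0 0 0
 wrr-queue queue-limit 100 0 0 0 0 0 0
 wrr-queue cos-map 1 1 0 1 2 3 4 5 6 7
!
interface TenGigabitEthernet2/3
 no ip address
 wrr-queue cos-map 2 1 5
!
interface GigabitEthernet1/1
 switchport
!
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for ifname, finding in findings.items():
        print(ifname, "unexpected:", finding["unexpected"])
    print(remediation(findings))
```

Lines reported as unexpected are not removed automatically; they are listed so the operator can decide whether a leftover queue mapping is intentional.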


Re: [c-nsp] ASA 5585-X SSP-10 multi-context failover not stateful with IPv4

2013-07-09 Thread Antonio Soares
Do you have logs associated with the problem ? Did you see something like
no valid adjacency ?



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: vinny_abe...@dell.com [mailto:vinny_abe...@dell.com]
Sent: Monday, 8 July 2013 20:11
To: amsoa...@netcabo.pt; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA 5585-X SSP-10 multi-context failover not stateful
with IPv4

No, just static routes in this environment. And I'm running a version that
is already supposedly fixed, 9.1(2) as this was fixed in 9.1(1.1), But
thanks.

-----Original Message-----
From: Antonio Soares [mailto:amsoa...@netcabo.pt]
Sent: Monday, July 08, 2013 10:46 AM
To: Abello, Vinny; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA 5585-X SSP-10 multi-context failover not stateful
with IPv4

Are you running OSPF ? If yes, check this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc12967



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
vinny_abe...@dell.com
Sent: Monday, 8 July 2013 14:58
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA 5585-X SSP-10 multi-context failover not stateful with
IPv4

Hi all,

I have a bizarre situation that isn't making sense to me.

I have two ASA 5585-X firewalls with SSP-10. They are in an Active/Standby
configuration and running in multi-context mode. I have replication of state
information between them working just fine. We're running both IPv4 and IPv6
and have the latest 9.1(2) code loaded.

The problem is if I force a failover from the system context, any open
connections over IPv4 coming in the outside interface of a context via a NAT
translation seems to get lost during the failover. I'm not positive if it's
the state table or the NAT table that is having an issue or if they are one
in the same on the ASA. The interesting part is my IPv6 connectivity
persists without any problems during the failover. I can be transferring a
file via FTP or stay connected via RDP to the machines behind the firewall
(Windows servers) over IPv6 and everything is seamless as it should be. If I
am connected via RDP over IPv4, the connection hangs, eventually resets and
reconnects.

Nothing looks out of the ordinary as far as I can tell. This is the first
environment I've worked on with the ASA's in multi-context mode.

From the system context, this is the failover configuration:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover replication http
failover mac address GigabitEthernet0/0 acf2.c5f2.d301 acf2.c5f2.d302
failover mac address GigabitEthernet0/1 acf2.c5f2.d311 acf2.c5f2.d312
failover mac address GigabitEthernet0/2 acf2.c5f2.d321 acf2.c5f2.d322
failover mac address GigabitEthernet0/3 acf2.c5f2.d331 acf2.c5f2.d332
failover mac address GigabitEthernet0/4 acf2.c5f2.d341 acf2.c5f2.d342
failover mac address GigabitEthernet0/5 acf2.c5f2.d351 acf2.c5f2.d352
failover mac address GigabitEthernet0/6 acf2.c5f2.d361 acf2.c5f2.d362
failover mac address TenGigabitEthernet0/8 acf2.c5f2.d393 acf2.c5f2.d394
failover link failover GigabitEthernet0/7
failover interface ip failover 172.16.255.1 255.255.255.0 standby 172.16.255.2

At first I thought it was some type of ARP issue which is why I have
configured the mac addresses for primary and secondary units. I read the
following in the Active/Standby guide:

If you do not configure virtual MAC addresses, you might need to clear the
ARP tables on connected routers to restore traffic flow. The ASA does not
send gratuitous ARPs for static NAT addresses when the MAC address changes,
so connected routers do not learn of the MAC address change for these
addresses.

That is the reason for the MAC address configuration above but it didn't
seem to help.

All interfaces show Normal (Monitored) both in the system context and in the
context in question. Stateful update statistics show the following in the
system context:

Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/7 (up)
Stateful Obj    xmit   xerr   rcv   rerr
General 45334  0  141772620242
sys cmd 31679  0  31678  0
up time 0  0  0  0
RPC services 0  0  0  0
TCP conn 9634   0  1012694327
UDP conn 2055   0  196454 0
ARP tbl 8330  87033  0
Xlate_Timeout   0  0  0  0
IPv6 ND tbl 9160  89861  280
VPN IKEv1 SA 0  0  0  0
VPN IKEv1 P2 0  0  0  0
VPN IKEv2 SA 0
Re: [c-nsp] ASA 5585-X SSP-10 multi-context failover not stateful with IPv4

2013-07-08 Thread Antonio Soares
Are you running OSPF ? If yes, check this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc12967



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
vinny_abe...@dell.com
Sent: Monday, 8 July 2013 14:58
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA 5585-X SSP-10 multi-context failover not stateful with
IPv4

Hi all,

I have a bizarre situation that isn't making sense to me.

I have two ASA 5585-X firewalls with SSP-10. They are in an Active/Standby
configuration and running in multi-context mode. I have replication of state
information between them working just fine. We're running both IPv4 and IPv6
and have the latest 9.1(2) code loaded.

The problem is if I force a failover from the system context, any open
connections over IPv4 coming in the outside interface of a context via a NAT
translation seems to get lost during the failover. I'm not positive if it's
the state table or the NAT table that is having an issue or if they are one
in the same on the ASA. The interesting part is my IPv6 connectivity
persists without any problems during the failover. I can be transferring a
file via FTP or stay connected via RDP to the machines behind the firewall
(Windows servers) over IPv6 and everything is seamless as it should be. If I
am connected via RDP over IPv4, the connection hangs, eventually resets and
reconnects.

Nothing looks out of the ordinary as far as I can tell. This is the first
environment I've worked on with the ASA's in multi-context mode.

From the system context, this is the failover configuration:

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover replication http
failover mac address GigabitEthernet0/0 acf2.c5f2.d301 acf2.c5f2.d302
failover mac address GigabitEthernet0/1 acf2.c5f2.d311 acf2.c5f2.d312
failover mac address GigabitEthernet0/2 acf2.c5f2.d321 acf2.c5f2.d322
failover mac address GigabitEthernet0/3 acf2.c5f2.d331 acf2.c5f2.d332
failover mac address GigabitEthernet0/4 acf2.c5f2.d341 acf2.c5f2.d342
failover mac address GigabitEthernet0/5 acf2.c5f2.d351 acf2.c5f2.d352
failover mac address GigabitEthernet0/6 acf2.c5f2.d361 acf2.c5f2.d362
failover mac address TenGigabitEthernet0/8 acf2.c5f2.d393 acf2.c5f2.d394
failover link failover GigabitEthernet0/7
failover interface ip failover 172.16.255.1 255.255.255.0 standby 172.16.255.2

At first I thought it was some type of ARP issue which is why I have
configured the mac addresses for primary and secondary units. I read the
following in the Active/Standby guide:

If you do not configure virtual MAC addresses, you might need to clear the
ARP tables on connected routers to restore traffic flow. The ASA does not
send gratuitous ARPs for static NAT addresses when the MAC address changes,
so connected routers do not learn of the MAC address change for these
addresses.

That is the reason for the MAC address configuration above but it didn't
seem to help.

All interfaces show Normal (Monitored) both in the system context and in the
context in question. Stateful update statistics show the following in the
system context:

Stateful Failover Logical Update Statistics
Link : failover GigabitEthernet0/7 (up)
Stateful Obj    xmit   xerr   rcv   rerr
General 45334  0  141772620242
sys cmd 31679  0  31678  0
up time 0  0  0  0
RPC services 0  0  0  0
TCP conn 9634   0  1012694327
UDP conn 2055   0  196454 0
ARP tbl 8330  87033  0
Xlate_Timeout   0  0  0  0
IPv6 ND tbl 9160  89861  280
VPN IKEv1 SA 0  0  0  0
VPN IKEv1 P2 0  0  0  0
VPN IKEv2 SA 0  0  0  0
VPN IKEv2 P2 0  0  0  0
VPN CTCP upd 0  0  0  0
VPN SDI upd 0  0  0  0
VPN DHCP upd 0  0  0  0
SIP Session 0  0  0  0
Route Session   2140  0  19635
User-Identity   3  0  6  0
CTS SGTNAME 0  0  0  0
CTS PAC 0  0  0  0
TrustSec-SXP 0  0  0  0
IPv6 Route  0  0  0  0

Logical Update Queue Information
Cur Max Total
Recv Q: 0   39  1888781
Xmit Q: 0   3

[c-nsp] CRS-8-RP V09

2013-06-03 Thread Antonio Soares
Hello group,

We had 4 faulty CRS-8-RP processors these last weeks. The same problem
happened twice: CRS power-off, CRS power-on and the two RPs went faulty.

There is a pattern.

The SN begins with SAD132900xx and the Hw revision is 09:

PID: CRS-8-RP  , VID: V09, SN: SAD132900xx

Anyone knows if there is a field notice for this ? We opened a case but TAC
said there is no FN but I'm not convinced.

More details about the failures. There are two cases: 

1) the RP hangs just after the memory detection 

Initializing DDR SDRAM...found 4096 MB
Initializing ECC on bank 0
Initializing ECC on bank 1
Initializing ECC on bank 2
Initializing ECC on bank 3
Turning off data cache, using DDR for first time

[hangs]

2) the RP reboots when it is supposed to access the bootflash

Initializing DDR SDRAM...found 4096 MB
Initializing ECC on bank 0
Initializing ECC on bank 1
Initializing ECC on bank 2
Turning off data cache, using DDR for first time

Initializing NVRAM...
Testing a portion of DDR SDRAM ...done
Reading ID EEPROMs ...
..Initializing SQUID ...
Initializing PCI ...

PCI0 device[1]: Vendor ID 0x10ee
PCI0 device[1]: Device ID 0x300e
PCI1 device[1]: Device ID 0x1100
PCI1 device[1]: Vendor ID 0x1013
PCI1 device[2]: Device ID 0x680
PCI1 device[2]: Vendor ID 0x1095
PCI1 device[3]: Device ID 0x5618
PCI1 device[3]: Vendor ID 0x14e4
Configuring MPPs ...
Configuring PCMCIA slots ...

System Bootstrap, Version 2.04(20110408:051659) [CRS ROMMON], 
Copyright (c) 1994-2011 by Cisco Systems, Inc.

Acquiring backplane mastership ... successful
Preparing for fan initialization. ready
Setting fan speed to 4000 RPMs  successful
Reading backplane EEPROM ...
Released backplane mastership ...

Board type is 0x12 (1048578)

Switch 0 initialized
Enabling watchdog
G4(7457-NonSMP-MV64360 Rev 4) platform with 4096 MB of main memory

..

[reboot]


We made some tests in the lab with one faulty card. This one hanged just
after the Memory tests. After the RAM modules replacement, we got it like
the others: the memory test was ok but the RP rebooted when it was supposed
to load the image.

This was a split boot setup. The disks are FAT32 formatted so the boot
starts on the bootflash and then continues on the disks. I would say the RAM
and/or the bootflash are the faulty components. Unfortunately the bootflash
is not replaceable so we couldn't confirm this suspicion.

The replacement RPs are V10 and V11.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net




Re: [c-nsp] CRS-8-RP V09

2013-06-03 Thread Antonio Soares
I forgot to mention that in the lab, and after replacing the faulty RAM
modules, we were able to go to Rommon. In Rommon, the dir bootflash: caused
a reboot and this was systematic.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Antonio Soares
Sent: Monday, 3 June 2013 13:37
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] CRS-8-RP V09

Hello group,

We had 4 faulty CRS-8-RP processors these last weeks. The same problem
happened twice: CRS power-off, CRS power-on and the two RPs went faulty.

There is a pattern.

The SN begins with SAD132900xx and the Hw revision is 09:

PID: CRS-8-RP  , VID: V09, SN: SAD132900xx

Anyone knows if there is a field notice for this ? We opened a case but TAC
said there is no FN but I'm not convinced.

More details about the failures. There are two cases: 

1) the RP hangs just after the memory detection 

Initializing DDR SDRAM...found 4096 MB
Initializing ECC on bank 0
Initializing ECC on bank 1
Initializing ECC on bank 2
Initializing ECC on bank 3
Turning off data cache, using DDR for first time

[hangs]

2) the RP reboots when it is supposed to access the bootflash

Initializing DDR SDRAM...found 4096 MB
Initializing ECC on bank 0
Initializing ECC on bank 1
Initializing ECC on bank 2
Turning off data cache, using DDR for first time

Initializing NVRAM...
Testing a portion of DDR SDRAM ...done
Reading ID EEPROMs ...
..Initializing SQUID ...
Initializing PCI ...

PCI0 device[1]: Vendor ID 0x10ee
PCI0 device[1]: Device ID 0x300e
PCI1 device[1]: Device ID 0x1100
PCI1 device[1]: Vendor ID 0x1013
PCI1 device[2]: Device ID 0x680
PCI1 device[2]: Vendor ID 0x1095
PCI1 device[3]: Device ID 0x5618
PCI1 device[3]: Vendor ID 0x14e4
Configuring MPPs ...
Configuring PCMCIA slots ...

System Bootstrap, Version 2.04(20110408:051659) [CRS ROMMON],
Copyright (c) 1994-2011 by Cisco Systems, Inc.

Acquiring backplane mastership ... successful
Preparing for fan initialization. ready
Setting fan speed to 4000 RPMs  successful
Reading backplane EEPROM ...
Released backplane mastership ...

Board type is 0x12 (1048578)

Switch 0 initialized
Enabling watchdog
G4(7457-NonSMP-MV64360 Rev 4) platform with 4096 MB of main memory

..

[reboot]


We made some tests in the lab with one faulty card. This one hung just
after the Memory tests. After the RAM modules replacement, we got it like
the others: the memory test was ok but the RP rebooted when it was supposed
to load the image.

This was a split boot setup. The disks are FAT32 formatted so the boot
starts on the bootflash and then continues on the disks. I would say the RAM
and/or the bootflash are the faulty components. Unfortunately the bootflash
is not replaceable so we couldn't confirm this suspicion.

The replacement RPs are V10 and V11.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] VPC-6-LOG_LIBSVI_SVI_MCEC_TYPE2_FAILED

2013-05-27 Thread Antonio Soares
It seems you have a Type 2 consistency check failure. Check the output of
the show vpc consistency-parameters.

I think this is the best document about this topic:

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Manu
Chao
Sent: Monday, 27 May 2013 10:12
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] VPC-6-LOG_LIBSVI_SVI_MCEC_TYPE2_FAILED

Any idea about this N5K VPC syslog message?

NX(OS)5.1(3)N2(1b)

%VPC-6-LOG_LIBSVI_SVI_MCEC_TYPE2_FAILED: interface-Vlan Type 2 configuration
for VPC is not compatible

No idea what is interface-Vlan Type 2...
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] ASR 1002 FIB/TCAM with full IPv4/v6 tables

2013-05-10 Thread Antonio Soares
This was discussed here:

https://supportforums.cisco.com/thread/2133112



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Dikkema, Michael (Business Technology)
Sent: Thursday, 9 May 2013 16:45
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR 1002 FIB/TCAM with full IPv4/v6 tables

We're running a pair of ASR 1002 routers with full v4/v6 routes from 3
providers. I believe that there's a 512k FIB limit on the IPv4 routes, and
128k on IPv6. I'm wondering when we should start getting very concerned
about pruning off v4 /24 routes.

Should I assume that because you can take only 1/4 of the IPv6 routes on
this platform that they use 4 times the TCAM resources? Are there show
commands to view FIB usage on this platform?

Aside from buying new routers or dropping some routes, are there other ways
to manage this problem?

Thanks.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



[c-nsp] 4GE-SFP-LC EoS

2013-05-08 Thread Antonio Soares
Hello group,

The official announcement of the End-of-Sale/End-of-Support of the
4GE-SFP-LC card:

http://www.cisco.com/en/US/prod/collateral/routers/ps167/end_of_life_notice_c51-683932.html

Says that the end of support is on 2017.

We are trying to renew some contracts but the contracts team is refusing
that saying that the card reached the end of life on 30-Jun-2011.

They mentioned a Product Bulletin but they don't disclose it.

Can someone confirm what is the correct End of Support Date ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] 6704-10GE huge input drops (flushes)

2013-05-07 Thread Antonio Soares
Somewhere in the past the queue was increased due to the same type of symptoms 
it seems. But the impact this time is worse (bgp/isis sessions going down).


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Peter Rathlev [mailto:pe...@rathlev.dk] 
Sent: Tuesday, 7 May 2013 06:22
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6704-10GE huge input drops (flushes)

On Mon, 2013-05-06 at 23:59 +0100, Antonio Soares wrote:
> Before:
>
> cat6k#sh int te1/1 | inc drops
>   Input queue: 1/2000/10310609/10310609 (size/max/drops/flushes);
> Total output drops: 0
> cat6k#
>
>
> After:
>
> cat6k#sh int te1/1 | inc drops
>   Input queue: 0/2000/15863293/15863293 (size/max/drops/flushes);
> Total output drops: 0
> cat6k#
>
>
> This is an L3 interface connected directly to a 12K (sip-601+spa-10ge).

Hm... the queue size of 2000 is default for a switchport where 75 is default 
for a L3 port. Did you just happen to increase it with hold-queue 2000 in?

The drops might not just be the port. Traffic directed at the CPU might get 
dropped and will (AFAIK) be counted towards drops on the input port.

--
Peter




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 6704-10GE huge input drops (flushes)

2013-05-07 Thread Antonio Soares
The outputs related with the fabric don't show any drops.

What bothers me is the impact: how could the drops affect the bgp/isis
adjacencies to the point of bringing them down ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Mack McBride [mailto:mack.mcbr...@viawest.com] 
Sent: Tuesday, 7 May 2013 01:56
To: Antonio Soares; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 6704-10GE huge input drops (flushes)

For whatever reason the box could not forward packets properly.

This could be caused by congestion on the output queue of a completely
unrelated interface, except that the packet at the head of queue was
destined for that interface. This usually happens on floods destined for a
1G port coming in on a 10G port.

This can also be caused by backplane congestion.  But that is a much larger
topic.


LR Mack McBride
Network Architect

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Antonio Soares
Sent: Monday, May 06, 2013 4:59 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6704-10GE huge input drops (flushes)

Hello group,

I'm trying to find out what caused this huge increase in the input drops on
a 6704-10GE line card. 6509 chassis with SUP720 running 12.2.18SXF16.

Before:

cat6k#sh int te1/1 | inc drops
  Input queue: 1/2000/10310609/10310609 (size/max/drops/flushes); Total
output drops: 0
cat6k#


After:

cat6k#sh int te1/1 | inc drops
  Input queue: 0/2000/15863293/15863293 (size/max/drops/flushes); Total
output drops: 0
cat6k#


This is an L3 interface connected directly to a 12K (sip-601+spa-10ge).

I was thinking about bursts or micro-bursts but when this happened, the
bgp/isis sessions that go over this link went down.

The 6704-10GE card has low buffers compared with newer models like the 6708
or 6716:

6704 - 16MB per port, 2MB Rx, 14 Mb Tx
6708 - 256MB per port, 109MB Rx, 92MB Tx

But it makes some sense because the 6704 does full-rate and the 6708/6716
are oversubscribed (more buffering capacity needed).

The drops are flushes so it should mean something related with buffers. Or
maybe the old release that is running has some issues.


Any hints ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




Re: [c-nsp] 6704-10GE huge input drops (flushes)

2013-05-07 Thread Antonio Soares

The ibc values I see now (normal behavior):

cat6k#show ibc | inc packets  
5 minute rx rate 65000 bits/sec, 94 packets/sec
5 minute tx rate 27000 bits/sec, 35 packets/sec

Show ibc from show tech captured two hours after the first occurrence:

Interface information:
Interface IBC0/0(idb 0x50ECB7A8)
Hardware is Mistral IBC (revision 5)
5 minute rx rate 323000 bits/sec, 89 packets/sec
5 minute tx rate 37000 bits/sec, 29 packets/sec
5868647586 packets input, 801582284787 bytes
1350630188 broadcasts received
3458894285 packets output, 636391923013 bytes
1580035101 broadcasts sent
0 Inband input packet drops
0 Bridge Packet loopback drops
973954452 Packets CEF Switched, 11041138 Packets Fast Switched
0 Packets SLB Switched, 0 Packets CWAN Switched
IBC resets   = 1; last at 06:30:38.772 UTC Thu Jan 13 2011

I was convinced that the flushes had to do with Hw. What happens with these
counters when we have bursts of traffic ?
Is it possible to have a burst of traffic impacting the bgp/igp
adjacencies ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Saku
Ytti
Sent: Tuesday, 7 May 2013 07:38
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6704-10GE huge input drops (flushes)

On (2013-05-06 23:59 +0100), Antonio Soares wrote:

>   Input queue: 0/2000/15863293/15863293 (size/max/drops/flushes);
> Total
>
> I was thinking about bursts or micro-bursts but when this happened,
> the bgp/isis sessions that go over this link went down.
>
> But it makes some sense because the 6704 does full-rate and the
> 6708/6716 are oversubscribed (more buffering capacity needed).

These counters have nothing to do with HW, they are from SW path. You're
either SW switching or getting some trash to control-plane.

You could do netdr or pinnacle or RP/SP ERSPAN capture to see what packets
are hitting control-plane

First step would be to compare 'show ibc | i packets/sec' between other box
which does not suffer from this, to confirm that packet rates are
unexpectedly high.

--
  ++ytti
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
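
The comparison suggested in this thread (input-queue counters before and after an event, and `show ibc` rates against a baseline), written out as an added example that is not part of any poster's message. The function names and the 2x threshold are assumptions; the sample text is copied from the outputs quoted in the thread.

```python
import re
from dataclasses import dataclass

# "Input queue: size/max/drops/flushes" as printed by 'show interface'.
IQ_RE = re.compile(
    r"Input queue:\s*(\d+)/(\d+)/(\d+)/(\d+)\s*\(size/max/drops/flushes\)")
# Rate lines as printed by 'show ibc'.
IBC_RE = re.compile(r"5 minute (rx|tx) rate (\d+) bits/sec, (\d+) packets/sec")

# Sample outputs copied from the messages in this thread.
BEFORE = """cat6k#sh int te1/1 | inc drops
  Input queue: 1/2000/10310609/10310609 (size/max/drops/flushes); Total
output drops: 0"""
AFTER = """cat6k#sh int te1/1 | inc drops
  Input queue: 0/2000/15863293/15863293 (size/max/drops/flushes); Total
output drops: 0"""
AFTER_CLEAR = """  Last clearing of show interface counters 16:12:04
  Input queue: 0/2000/899/899 (size/max/drops/flushes); Total output drops: 0"""
IBC_NORMAL = """5 minute rx rate 65000 bits/sec, 94 packets/sec
5 minute tx rate 27000 bits/sec, 35 packets/sec"""
IBC_EVENT = """5 minute rx rate 323000 bits/sec, 89 packets/sec
5 minute tx rate 37000 bits/sec, 29 packets/sec"""


@dataclass(frozen=True)
class InputQueue:
    size: int
    limit: int
    drops: int
    flushes: int


def parse_input_queue(text: str) -> InputQueue:
    """Extract the four input-queue counters from 'show interface' text."""
    m = IQ_RE.search(text)
    if m is None:
        raise ValueError("no 'Input queue:' line found")
    return InputQueue(*(int(g) for g in m.groups()))


def counter_delta(before: int, after: int) -> int:
    """Growth of a counter between two snapshots.

    A counter that went backwards was cleared in between, so the later
    value is everything counted since the clear.
    """
    return after - before if after >= before else after


def compare_snapshots(before_text: str, after_text: str) -> dict:
    """Summarise what changed between two 'show interface' snapshots."""
    b = parse_input_queue(before_text)
    a = parse_input_queue(after_text)
    new_drops = counter_delta(b.drops, a.drops)
    new_flushes = counter_delta(b.flushes, a.flushes)
    return {
        "new_drops": new_drops,
        "new_flushes": new_flushes,
        # Every new drop was also counted as a flush: the pattern the
        # thread discusses for this interface.
        "all_flushes": new_drops > 0 and new_drops == new_flushes,
        "cleared": a.drops < b.drops,
    }


def parse_ibc_rates(text: str) -> dict:
    """Return rx/tx bit rate, packet rate and average packet size."""
    rates = {}
    for direction, bps, pps in IBC_RE.findall(text):
        bps, pps = int(bps), int(pps)
        rates[direction] = {
            "bps": bps,
            "pps": pps,
            "avg_bytes": round(bps / 8 / pps) if pps else 0,
        }
    if not rates:
        raise ValueError("no '5 minute rx/tx rate' lines found")
    return rates


def ibc_rx_elevated(baseline_text: str, sample_text: str,
                    factor: float = 2.0) -> dict:
    """Flag rx rates above factor x baseline (threshold is an assumption)."""
    base = parse_ibc_rates(baseline_text)["rx"]
    cur = parse_ibc_rates(sample_text)["rx"]
    return {
        "pps": cur["pps"] > factor * base["pps"],
        "bps": cur["bps"] > factor * base["bps"],
    }


if __name__ == "__main__":
    print(compare_snapshots(BEFORE, AFTER))
    print(compare_snapshots(AFTER, AFTER_CLEAR))
    print(parse_ibc_rates(IBC_NORMAL)["rx"], parse_ibc_rates(IBC_EVENT)["rx"])
    print(ibc_rx_elevated(IBC_NORMAL, IBC_EVENT))
```

The 5-minute averages in `show ibc` smooth out an event that lasts only a couple of minutes, so a snapshot taken hours later may look normal even when the interface counters show millions of new drops.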




Re: [c-nsp] 6704-10GE huge input drops (flushes)

2013-05-07 Thread Antonio Soares
The counters were cleared yesterday and no issues were seen but we already see 
some drops:

cat6k#sh int te1/1 | inc drops|rate|clearing 
  Last clearing of show interface counters 16:12:04
  Input queue: 0/2000/899/899 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  30 second input rate 1212044000 bits/sec, 317185 packets/sec
  30 second output rate 2868403000 bits/sec, 368467 packets/sec
cat6k#

Yes, back-to-back L3 interface to a GSR. No MPLS, no sub-interfaces. Only 
IPv4/IPv6 addressing and ISIS there.

When the last occurrence happened, we saw an increase of 5 million drops.

It's a sporadic thing, it lasts a couple of minutes then everything returns to 
normal.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Saku Ytti [mailto:s...@ytti.fi] 
Sent: Tuesday, 7 May 2013 11:42
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6704-10GE huge input drops (flushes)

It's probably some trash ending up in control-plane, congesting your receive 
queue, consequently other valid control-plane stuff, like BGP/IGP have to 
compete for gaining access to processing.

I'm very surprised it's back-to-back to GSR. Are there subinterfaces between 
them? Or just single untagged core IP/MPLS interface?

I presume you're not seeing constant growth in the drops? That is, what ever 
issue you have is sporadic, and when it happens, you get huge amount of trash, 
otherwise nothing?

On 7 May 2013 13:10, Antonio Soares amsoa...@netcabo.pt wrote:

> The ibc values I see now (normal behavior):
>
> cat6k#show ibc | inc packets
> 5 minute rx rate 65000 bits/sec, 94 packets/sec
> 5 minute tx rate 27000 bits/sec, 35 packets/sec
>
> Show ibc from show tech captured two hours after the first occurrence:
>
> Interface information:
> Interface IBC0/0(idb 0x50ECB7A8)
> Hardware is Mistral IBC (revision 5)
> 5 minute rx rate 323000 bits/sec, 89 packets/sec
> 5 minute tx rate 37000 bits/sec, 29 packets/sec
> 5868647586 packets input, 801582284787 bytes
> 1350630188 broadcasts received
> 3458894285 packets output, 636391923013 bytes
> 1580035101 broadcasts sent
> 0 Inband input packet drops
> 0 Bridge Packet loopback drops
> 973954452 Packets CEF Switched, 11041138 Packets Fast Switched
> 0 Packets SLB Switched, 0 Packets CWAN Switched
> IBC resets   = 1; last at 06:30:38.772 UTC Thu Jan 13 2011
>
> I was convinced that the flushes had to do with Hw. What happens with
> these counters when we have bursts of traffic ?
> Is it possible to have a burst of traffic impacting the bgp/igp
> adjacencies ?
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
>
>
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Saku Ytti
> Sent: Tuesday, 7 May 2013 07:38
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] 6704-10GE huge input drops (flushes)
>
> On (2013-05-06 23:59 +0100), Antonio Soares wrote:
>
> >   Input queue: 0/2000/15863293/15863293 (size/max/drops/flushes);
> > Total
> >
> > I was thinking about bursts or micro-bursts but when this happened,
> > the bgp/isis sessions that go over this link went down.
> >
> > But it makes some sense because the 6704 does full-rate and the
> > 6708/6716 are oversubscribed (more buffering capacity needed).
>
> These counters have nothing to do with HW, they are from SW path.
> You're either SW switching or getting some trash to control-plane.
>
> You could do netdr or pinnacle or RP/SP ERSPAN capture to see what
> packets are hitting control-plane
>
> First step would be to compare 'show ibc | i packets/sec' between
> other box which does not suffer from this, to confirm that packet
> rates are unexpectedly high.
>
> --
>   ++ytti
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/




--
  ++ytti


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 6704-10GE huge input drops (flushes)

2013-05-07 Thread Antonio Soares
I was exactly looking to this document:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#utilities

Where the SPAN and the command you mentioned are.

But the document mentions a surprising thing:

In this output, you can see that the incoming traffic is Layer 3-switched
instead of Layer 2-switched. This indicates that the traffic is being punted
to the CPU.

This is not correct, right ? In my case I just see the L3 in/out Switched
value increasing.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Dale
W. Carder
Sent: Tuesday, 7 May 2013 20:37
To: Saku Ytti
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6704-10GE huge input drops (flushes)

Thus spake Saku Ytti (s...@ytti.fi) on Tue, May 07, 2013 at 02:23:27PM +0300:
> On (2013-05-07 12:11 +0100), Antonio Soares wrote:
>
> > Yes, back-to-back L3 interface to a GSR. No MPLS, no sub-interfaces.
> > Only IPv4/IPv6 addressing and ISIS there.
> >
> > When the last occurrence happened, we saw an increase of 5 million
> > drops.
> >
> > It's a sporadic thing, it lasts a couple of minutes then everything
> > returns to normal.
>
> I would probably setup ERSPAN of SP/RP traffic and wait for drop
> counter to increase and see if I have something dodgy on capture.
> But I'm bit worried if they're seen by that capture, as drop equals
> flush precisely.

You could also run show buffers input-interface blah dump to see what is
getting punted.

Dale
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




[c-nsp] 6704-10GE huge input drops (flushes)

2013-05-06 Thread Antonio Soares
Hello group,

I'm trying to find out what caused this huge increase in the input drops on
a 6704-10GE line card. 6509 chassis with SUP720 running 12.2.18SXF16.

Before:

cat6k#sh int te1/1 | inc drops
  Input queue: 1/2000/10310609/10310609 (size/max/drops/flushes); Total
output drops: 0
cat6k#


After:

cat6k#sh int te1/1 | inc drops
  Input queue: 0/2000/15863293/15863293 (size/max/drops/flushes); Total
output drops: 0
cat6k#


This is an L3 interface connected directly to a 12K (sip-601+spa-10ge).

I was thinking about bursts or micro-bursts but when this happened, the
bgp/isis sessions that go over this link went down.

The 6704-10GE card has low buffers compared with newer models like the 6708
or 6716:

6704 - 16MB per port, 2MB Rx, 14 Mb Tx
6708 - 256MB per port, 109MB Rx, 92MB Tx

But it makes some sense because the 6704 does full-rate and the 6708/6716
are oversubscribed (more buffering capacity needed).

The drops are flushes so it should mean something related with buffers. Or
maybe the old release that is running has some issues.


Any hints ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] Cisco CRS-3 RP Message

2013-04-16 Thread Antonio Soares
Hello group,

I want to clear one message that appears on the Active RP. The message is:

PWR
SHLF
A
OFF

This happened after a conversion from Fixed Configuration DC Power System to
Modular Configuration DC Power System.

It seems there's something for the 12K (clear card-message) but not for the
CRS. The XR release is 4.1.1.

The message was generated when the CRS was powered off but it remained on
the RP LEDS.

+
RP/0/RP0/CPU0:CRS1#RP/0/RP0/CPU0:Apr 16 05:17:07.590 : envmon[201]:
%PLATFORM-ENVMON-4-CB_OFF_ALARM : MAJOR alarm - circuit breaker is OFF alarm
generated by Power Supply A
+


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] uRPF Core Internet Routers

2013-04-16 Thread Antonio Soares
Hello group,

I'm looking for information about anti-spoofing measures, namely uRPF.

My initial reference is a quite old document:

http://www.cisco.com/web/about/security/intelligence/urpf.pdf

It's funny to see this on the document:

General questions on uRPF can be sent to unicast-...@cisco.com or
cisco-nsp@puck.nether.net.

So I must be on the right list :)

Now my question, is it appropriate to use uRPF loose mode on Core Routers
(Full Routing Tables) ?

How about the impact/restrictions ? I was able to find a few restrictions
when comparing the SUP720 with the SUP-2T but I'm more interested on IOS-XR
Platforms.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net




___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] channel fails when using sup 10g port ?

2013-03-19 Thread Antonio Soares
I just found that there is a best practices document saying that with DEC
(Distributed EtherChannel) we should enable Mac Address Synchronization:

Bullet 1.11.5.1:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/best/practices/recommendations.html#wp1046596

The document also mentions that if we have WS-X6716-10GE or WS-X6708-10GE,
Mac Address Synchronization is enabled by default. Well, this didn't happen
in my case:

6509-E#show mac-address-table synchronize statistics | inc Status of|Default|Configured
Status of feature enabled on the switch :  off
Default activity time   :  160
Configured current activity time:  160
Status of feature enabled on the switch :  off
Default activity time   :  160
Configured current activity time:  160
Status of feature enabled on the switch :  off
Default activity time   :  160
Configured current activity time:  160
6509-E#

The output above is related with 6716-10GE in slot 1 and SUP720-10GE in
slots 5 and 6.

Maybe I need to follow these recommendations to avoid the weird behavior
previously seen.

Anyone has played with this feature before ?

It is strange that there is no word about this in the config guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/channel.html#Configuring_EtherChannels

They mention DEC but there's nothing about Mac Address Sync.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Antonio Soares [mailto:amsoa...@netcabo.pt] 
Sent: Monday, 18 March 2013 13:30
To: 'Jeffrey G. Fitzwater'; 'cisco-nsp@puck.nether.net'
Subject: RE: [c-nsp] channel fails when using sup 10g port ?

Sorry to bring back this old thread but I had something weird and that seems
related with the problem you had. By the way, what was the conclusion of this
?

In the case I'm investigating, the Port-channel involved 1 port of the
SUP720-10GE and 1 port of the 6716-10GE. Strange issues like CDP neighbors
disappearing, loss of connectivity to local attached servers and so on.

The scenario basically is a triangle with one 6509-E in each vertex and with
20G POs between each pair of boxes.

The PO between the non-root switches was shut down in order to recover
normal behavior. 6500's running 12.2.33SXJ5 but the same happened with a old
SXH release.

No QOS enabled in any box so the option no mls qos channel-consistency and
mls qos 10g-only do not apply here (I think).

Is there something special when bundling the 10G interfaces from the SUP
with one 10G from the 6704/6708/6716 ? Never saw issues with this before.

Any pointers are welcome.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeffrey G. Fitzwater
Sent: Thursday, 5 January 2012 12:13
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] channel fails when using sup 10g port ?

I am trying to use the sup720-10G  10g port and another 10g port on a
6708-10G module as an ether-channel pair.

Running IOS 12.2.SXI3

QOS enabled globally, but not enabled on 10G ports by default.  If I do a
show mls qos it tells me that qos is NOT enabled on the 10G modules. (FIFO
mode)

The command mls qos 10g-only must be run to enable it on the 10g ports,
but you cannot use the 1g sup ports, which I do use. I have NOT enabled this
feature.

When I set up the channel, I added the no mls qos channel-consistancy.
Not sure if I need it do to the above issue, just our policy to make sure
there is no mismatch issues.

When I try to bring up the channel I get the following … and the channel
creates a data loop and everything goes to hell, so I shut down one port to
break the loop.

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------
16     Po16(SU)      LACP        Te13/1(P)
16     Po16A(SU)     LACP        Te7/4(P)

---
I have never seen the above documented anywhere but it definitely doesn't
look right.

I have tried every config possible for the channel but it still fails. (LACP
active/passive and ON)

The only thing I can think of is... there must be some issue with using the
sup 10G port in a channel.


Any ideas out there before I open a case?


Thanks for any help.


Jeff Fitzwater
OIT Network Systems
Princeton University



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



Re: [c-nsp] channel fails when using sup 10g port ?

2013-03-18 Thread Antonio Soares
Sorry to bring back this old thread but I had something weird and that seems
related with the problem you had. By the way, what was the conclusion of this
?

In the case I'm investigating, the Port-channel involved 1 port of the
SUP720-10GE and 1 port of the 6716-10GE. Strange issues like CDP neighbors
disappearing, loss of connectivity to local attached servers and so on.

The scenario basically is a triangle with one 6509-E in each vertex and with
20G POs between each pair of boxes.

The PO between the non-root switches was shut down in order to recover
normal behavior. 6500's running 12.2.33SXJ5 but the same happened with a old
SXH release.

No QOS enabled in any box so the option no mls qos channel-consistency and
mls qos 10g-only do not apply here (I think).

Is there something special when bundling the 10G interfaces from the SUP
with one 10G from the 6704/6708/6716 ? Never saw issues with this before.

Any pointers are welcome.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jeffrey G. Fitzwater
Sent: Thursday, 5 January 2012 12:13
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] channel fails when using sup 10g port ?

I am trying to use the sup720-10G  10g port and another 10g port on a
6708-10G module as an ether-channel pair.

Running IOS 12.2.SXI3

QOS enabled globally, but not enabled on 10G ports by default.  If I do a
show mls qos it tells me that qos is NOT enabled on the 10G modules. (FIFO
mode)

The command mls qos 10g-only must be run to enable it on the 10g ports,
but you cannot use the 1g sup ports, which I do use. I have NOT enabled this
feature.

When I set up the channel, I added the no mls qos channel-consistancy.
Not sure if I need it do to the above issue, just our policy to make sure
there is no mismatch issues.

When I try to bring up the channel I get the following … and the channel
creates a data loop and everything goes to hell, so I shut down one port to
break the loop.

Group  Port-channel  Protocol    Ports
------+-------------+-----------+------
16     Po16(SU)      LACP        Te13/1(P)
16     Po16A(SU)     LACP        Te7/4(P)

---
I have never seen the above documented anywhere but it definitely doesn't
look right.

I have tried every config possible for the channel but it still fails. (LACP
active/passive and ON)

The only thing I can think of is... there must be some issue with using the
sup 10G port in a channel.


Any ideas out there before I open a case?


Thanks for any help.


Jeff Fitzwater
OIT Network Systems
Princeton University



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




Re: [c-nsp] VSS to vPC - vPC to Etherchannel

2013-03-16 Thread Antonio Soares
It's very easy to bring down a network when configuring channel-mode on.
If we do it first on the root switch, the spanning-tree loop is already
there. Someone that wrote about this and explains some scenarios:

http://www.dasblinkenlichten.com/?p=684

channel-mode on is very bad and dangerous. I don't understand why some
design guides still have this...

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert Doering
Sent: Saturday, 16 March 2013 18:37
To: Joseph Hardeman
Cc: cisco-nsp
Subject: Re: [c-nsp] VSS to vPC - vPC to Etherchannel

Hi,

On Sat, Mar 16, 2013 at 11:28:42AM -0400, Joseph Hardeman wrote:
> No actually they are configured as mode on no LACP.  I spoke with a
> CCIE a couple of years ago and he told me that use mode on from switch
> to switch and lacp from switch to server so that's what I am putting in.

That was years ago, and is not good advice today.  Probably wasn't good
advice then, but that depends on how many years ago...

With LACP you'll *know* that both ports belong to the same channel on the
other side, and both are ready to be used, not uh, link up, but line card
crashed or this is a multichannel LAG, and one of the chassis' is just
booting and not really participating yet, or such.

gert
--
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] PHY-4-MODULE_DUP Message

2013-02-25 Thread Antonio Soares
Hello group,

Another one that I see for the first time:

1) ME3750 running 12.2.52.SE without issues

2) for some reason, a connection to a 6500 goes down:

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2,
changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down

3) in the troubleshooting process, the GLC-T was moved from Gi1/0/2 to
Gi1/0/1 and surprise:

%PHY-4-MODULE_DUP: SFPs in Gi1/0/1 and in Gi1/0/2 have duplicate vendor-id
and serial numbers
%PM-4-ERR_DISABLE: gbic-invalid error detected on Gi1/0/1, putting Gi1/0/1
in err-disable state

4) reloading the ME3750 solves the problem

Anyone has seen something like this ? The GLC-T is Cisco. The idprom command
says the following:

General SFP Information
---
Identifier:   0x03
Connector :   0x00
Transceiver   :   0x00 0x00 0x00 0x08 0x00 0x00 0x00 0x00
Encoding  :   0x01
BR_Nominal:   0x0D
Vendor Name   :   CISCO-METHODE   
Vendor Part Number:   SP7041  
Vendor Revision   :   0x45 0x20 0x20 0x20
Vendor Serial Number  :   0MTC130601MK

It seems to be an IOS issue that may be triggered by a GLC-T problem. Any
hints ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net





Re: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot

2013-02-21 Thread Antonio Soares
There are a few problems that can trigger a failover:

CSCts98806 Standby ASA 5585 Reporting Service Card Failure on Signature
Update
CSCtx92801 ASA: Failover due to data channel failure when making IPS config
changes
CSCud41702 IPS: After IPS config change, a false failover occurs with the
ASA

Cisco has an enhancement to overcome these limitations:

CSCsm81086 Allow user to exclude the status of the SSM or SSP from failover
checks


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ryan West
Sent: Thursday, 21 February 2013 14:11
To: Scott Voll; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot

Scott,

On Thu, Feb 21, 2013 at 08:50:02, Scott Voll wrote:
 Subject: [c-nsp] ASA IPS Module SSM-20 in Failover Reboot
 
 I just installed a couple SSM-20's in my ASA's.  install was a little 
 less than I had hoped as the backup came online with the module and 
 the Primary didn't have the module yet.  So we will just say we had a 
 little down time (ever so brief).
 
 my question now becomes, how do I reboot one of these modules without 
 the ASA failing over to the backup?  I don't want to knock off all my 
 VPN users.
 

I think you need to treat it like a zero downtime upgrade.  Fail over to the
secondary firewall, reload the module on the old primary and fail back after
state is synced up.  You should not lose VPN authentications during a
failover.  IPsec RA, L2L, webvpn, and SVC sessions should stay intact
between failovers.

-ryan



Re: [c-nsp] IPSEC over NAT - what am I missing?

2013-01-25 Thread Antonio Soares
Remove AH from the equation and it should work. For example, change your
Transform Set to this:

crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac

I'm not sure but maybe NAT-T doesn't work with AH.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Garry
Sent: Friday, 25 January 2013 14:57
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] IPSEC over NAT - what am I missing?

Hi,

I've tried to set up a VPN connection between two Cisco routers via a 4G
link ... after having it running in a lab (without NAT though), we moved the
config to the actual site routers and it failed ...

So now we went back to the Lab (GNS3 in this case) and tried again,
activating NAT on the gateway in between. It also failed. After trying just
about anything we could think of, we're at a dead end ... here's some
excerpts from the configs ...


Site A (static IP):

crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNVPN 10
  set transform-set L2L
  set reverse-route distance 200
  match address VPNNETZE
  reverse-route
!
crypto map VPN 65535 ipsec-isakmp dynamic DYNVPN
!
interface FastEthernet0/0
  description WAN1 phys.
  ip address 192.168.150.160 255.255.255.192
  duplex auto
  speed auto
  crypto map VPN
!
interface FastEthernet1/0
  description LAN
  ip address 105.1.5.70 255.0.0.0
  duplex auto
  speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.150.190
!
ip access-list extended VPNNETZE
  permit ip any 106.0.0.0 0.255.255.255



Site B (dynamic IP, outgoing NAT on the gateway):

crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
crypto isakmp key test address 192.168.150.160
crypto isakmp keepalive 20 10
!
crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
  set peer 192.168.150.160
  set transform-set L2L
  set reverse-route distance 200
  match address VPNNETZE
  reverse-route static
!
interface FastEthernet0/0
  description WAN1 physikalisch - LTE Modem
  ip address 192.168.2.2 255.255.255.0
  duplex auto
  speed auto
  crypto map VPN
!
interface FastEthernet1/0
  description VLAN1 LAN
  ip address 106.1.5.2 255.0.0.0
  duplex auto
  speed auto
!
ip access-list extended VPNNETZE
  permit ip 106.0.0.0 0.255.255.255 105.0.0.0 0.255.255.255



Gateway (simulating the Internet and the NATing gateway):

interface FastEthernet0/0
  ip address 192.168.150.190 255.255.255.192
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
!
interface FastEthernet0/1
  ip address 192.168.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
!
ip access-list extended NAT
  permit ip 192.168.2.0 0.0.0.255 any



No matter if NAT is enabled or not, the ISAKMP SA is up:

SiteA#sho crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id slot status
192.168.150.160 192.168.150.190 QM_IDLE   10050 ACTIVE

SiteB#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id slot status
192.168.150.160 192.168.2.2 QM_IDLE   10050 ACTIVE

But with NAT on the gateway, pings do not get through:

SiteB#ping 105.1.5.70 source fa1/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2 .

Packets are encrypted, though:

SiteB#show crypto ips sa

interface: FastEthernet0/0
 Crypto map tag: VPN, local addr 192.168.2.2

protected vrf: (none)
local  ident (addr/mask/prot/port): (172.30.30.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.30.5/255.255.255.255/0/0)
current_peer 192.168.150.160 port 4500
  PERMIT, flags={origin_is_acl,}
 #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12 
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 2, #recv errors 0

  local crypto endpt.: 192.168.2.2, remote crypto endpt.: 
192.168.150.160
  path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
  current outbound spi: 0x4B38900E(1261998094)

The remote end does not accept those packets though:

SiteA#show crypto ip
*Mar  1 01:42:37: %SYS-5-CONFIG_I: Configured from console by admin on
consoles sa

interface: FastEthernet0/0
 Crypto map tag: VPN, local addr 192.168.150.160

protected vrf
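
Why the AH half of the `L2L` transform set cannot survive the NAT gateway while ESP can, as an added Python example that is not part of the original thread: it models the RFC 4302 AH integrity check, which covers the outer source address, next to an ESP integrity check, which does not, using the thread's 192.168.2.2 to 192.168.150.190 translation. The key, SPIs and payload bytes are constructed, and the ESP "ciphertext" is a stand-in with no real encryption.

```python
import hashlib
import hmac
import socket
import struct

AUTH_KEY = b"constructed-demo-key"   # constructed; real SAs get their keys from IKE
ICV_LEN = 12                         # HMAC-SHA1-96 truncation


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; the checksum is left at zero to keep the demo short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _mac(data):
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_icv(ip_hdr, ah_fixed, payload):
    """AH ICV: outer IP header with mutable fields zeroed, AH header with a
    zeroed ICV field, then the payload. Source and destination stay in."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN (mutable)
    h[6:8] = b"\x00\x00"      # flags and fragment offset (mutable)
    h[8] = 0                  # TTL (mutable)
    h[10:12] = b"\x00\x00"    # header checksum (mutable)
    return _mac(bytes(h) + ah_fixed + bytes(ICV_LEN) + payload)


def build_ah_packet(src, dst, payload, spi=0x1001, seq=1):
    # Next header 50 (ESP follows AH, as in an AH+ESP transform set);
    # AH length field = 24 bytes / 4 - 2 = 4.
    ah_fixed = struct.pack("!BBHII", 50, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 51, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload


def verify_ah(packet):
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))


def build_esp_packet(src, dst, ciphertext, spi=0x1002, seq=1):
    # ESP ICV covers only SPI, sequence number and ciphertext.
    body = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, 50, len(body) + ICV_LEN) + body + _mac(body)


def verify_esp(packet):
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, _mac(body))


def nat_rewrite_source(packet, new_src):
    """What the gateway's 'ip nat inside source ... overload' does to the header."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def decrement_ttl(packet):
    """What every router hop does; AH must tolerate this."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]


def run_demo():
    site_b, site_a, nat_outside = "192.168.2.2", "192.168.150.160", "192.168.150.190"
    inner = b"\xaa" * 32     # constructed stand-in for the protected payload
    ah = build_ah_packet(site_b, site_a, inner)
    esp = build_esp_packet(site_b, site_a, inner)
    return {
        "ah_untouched": verify_ah(ah),
        "ah_after_ttl_decrement": verify_ah(decrement_ttl(ah)),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, nat_outside)),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, nat_outside)),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:24s} {'ICV valid' if ok else 'ICV MISMATCH'}")
```

Only the NAT-rewritten AH packet fails verification, which is consistent with the encaps-but-no-decaps counters shown above; the UDP port 4500 encapsulation used for NAT traversal (RFC 3948) is defined for ESP packets.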

[c-nsp] Cisco Software Advisor

2013-01-24 Thread Antonio Soares
Hello group,

Can we trust Software Advisor ?

http://tools.cisco.com/Support/Fusion/FusionHome.do

I'm using the Find software compatible with my hardware option with one
6500 and the latest release I see is SXI9 (March 2012). I don't see SXI10
(September 2012) and I don't see either any SXJ.

Basically what I want to know is if a move from SXI4 to SXI10 or SXJ4 is a
good option. Common cards (SUP720, 6704, 6724, 6748) and common features
(BGP, ISIS, IPv6) are in use.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net





Re: [c-nsp] Cisco Software Advisor

2013-01-24 Thread Antonio Soares
SXI4 has more than two years. The purpose is just to have an updated image
and have working the things that were working.

Are you already on SXJ4 ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Thursday, 24 January 2013 12:14
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco Software Advisor

On 24/01/13 11:27, Antonio Soares wrote:
 Hello group,

 Can we trust Software Advisor ?

 http://tools.cisco.com/Support/Fusion/FusionHome.do

 I'm using the Find software compatible with my hardware option with 
 one
 6500 and the latest release I see is SXI9 (March 2012). I don't see 
 SXI10 (September 2012) and I don't see either any SXJ.

 Basically what I want to know is if a move from SXI4 to SXI10 or SXJ4 
 is a good option. Common cards (SUP720, 6704, 6724, 6748) and common 
 features (BGP, ISIS, IPv6) are in use.

Good option is a bit vague. Based on what criteria?

We're on the SXJ train and are happy with it.

I generally consult the SX train release notes for release info on this
platform. They're usually pretty complete.


Re: [c-nsp] Log Error: L3 MGR:Failed to send self purge, scp state 0

2013-01-24 Thread Antonio Soares
This was almost 6 years ago:

http://puck.nether.net/pipermail/cisco-nsp/2007-March/038946.html

I would upgrade to the latest catos/msfc releases to see if it goes away. I
assume these are not in production.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Craig Horchem
Sent: Thursday, 24 January 2013 14:56
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Log Error: L3 MGR:Failed to send self purge, scp state 0

All,

 We have had L3 MGR:Failed to send self purge, scp state 0 come up in
several ancient SUP1's / SUP2's in the MSFC2 running hybrid.

 Has anyone come across this before? I can't find any record online with
any useful information.



[c-nsp] ASR Faulty Sensor

2013-01-22 Thread Antonio Soares
Group,

Anyone has seen something like this ?

+++
ASR1006# show facility-alarm status
System Totals  Critical: 1  Major: 0  Minor: 0
  
Source  Severity  Description [Index]
--    ---
Temp: Center 0/15  CRITICAL  Faulty Temperature Sensor [0]
+++

We are not able to clear this alarm. What should be done here ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net





Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

2013-01-22 Thread Antonio Soares
TAC tells me that is related with this bug:

+++
CSCud41702 Bug Details 

IPS: After IPS config change, a false failover occurs with the ASA 

Symptom:

Immediately after an IPS config change, an ASA failover occurs with the
following messages:

Nov 14 23:01:41 10.30.91.76 ASA-1-505013 ASA5585-SSP-IPS40 Module in slot 1, application reloading IPS, version 7.1(6)E4 Config Change
Nov 14 23:01:45 10.30.91.76 ASA-1-505015 ASA5585-SSP-IPS40 Module in slot 1, application up IPS, version 7.1(6)E4 Normal Operation
Nov 14 23:01:45 10.30.91.76 ASA-1-323006 ASA5585-SSP-IPS40 Module in slot 1 experienced a data channel communication failure, data channel is DOWN.

Conditions:
ASA-IPS pair in failover running code versions 8.4(4)1 and 7.1(6)E4,
respectively

Workaround:
None
+++

Fixed-In: Release-Pending


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, 18 January 2013 19:23
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Just found that even with a basic configuration change like enabling a
signature, I have a failover... Is this normal ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, 9 November 2012 23:56
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Thanks, it seems another enhancement that won't see the light of day...
Found in 8.0.3... Code that has almost 5 years...


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Pete Lumbis [mailto:alum...@gmail.com]
Sent: Friday, 9 November 2012 22:06
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

CSCsm81086 - Allow user to exclude the status of the SSM or SSP from
failover checks

Still in the New state :(

On Fri, Nov 9, 2012 at 3:08 PM, Antonio Soares amsoa...@netcabo.pt wrote:
 Hello group,

 I had a bad surprise today, I was updating the IPS software of two
 ASA5585-SSP-IPS10 modules and found that it caused the Failover of the 
 parent ASA5585-SSP-10. It seems this is the normal behavior
 (https://supportforums.cisco.com/thread/2035549) but I was not 
 expecting this at all. I'm not using any of the SSP-IPS10 interfaces 
 thus there is not monitoring on those interfaces so why the hell this 
 is like this ? I knew that the IPS upgrade would cause the module 
 reload but taking into account what I mentioned, it  caught me 
 completely by surprise. This should not be a big problem but since I 
 have OSPF running on the ASAs, Failover is something that breaks a lot 
 of things. No NSF support... :(

 Anyone knows if it is possible to disable this behavior, I mean, the 
 implicit monitoring of the IPS module ? This is what failover history 
 shows
 me:

 18:36:55 WEST Nov 9 2012
 Standby Ready              Just Active                Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Just Active                Active Drain               Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Drain               Active Applying Config     Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Applying Config     Active Config Applied      Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Config Applied      Active                     Service card in other unit has failed
 Is this really the expected behavior ? I'm still trying to find where 
 this is documented.


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net





[c-nsp] CRS-8-DC-KIT-M

2013-01-22 Thread Antonio Soares
Hello group,

I need to install the CRS-8-DC-KIT-M on a few CRS-8. Basically this means
the change from the Fixed Configuration Power System to the Modular Power
System. I'm not able to find anywhere the kit installation guide. I wonder
if it really exists. I have queried the local SE and he was not able to help
me. Anyone has experience with this ?

Here I have the description of each Power System:

http://www.cisco.com/en/US/docs/routers/crs/crs1/8_slot/system/description/hq6345_2.html

But no details about moving from one to the other.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net






Re: [c-nsp] CRS-8-DC-KIT-M

2013-01-22 Thread Antonio Soares
Thanks. It seems there’s something. I was searching for the KIT PN but no
luck…

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net

From: gawu...@gmail.com [mailto:gawu...@gmail.com] On Behalf Of Andrew Koch
Sent: Tuesday, 22 January 2013 19:01
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] CRS-8-DC-KIT-M

 

On Tue, Jan 22, 2013 at 12:21 PM, Antonio Soares amsoa...@netcabo.pt
wrote:

Hello group,

I need to install the CRS-8-DC-KIT-M on a few CRS-8. Basically this means
the change from the Fixed Configuration Power System to the Modular Power
System. I'm not able to find anywhere the kit installation guide. I wonder
if it really exists. I have queried the local SE and he was not able to help
me. Anyone has experience with this ?

Here I have the description of each Power System:

http://www.cisco.com/en/US/docs/routers/crs/crs1/8_slot/system/description/hq6345_2.html

But no details about moving from one to the other.


The install guide has good information on removal and installation of both
power systems:
http://www.cisco.com/en/US/docs/routers/crs/crs1/8_slot/installation/guide/hqlcch2.html#wp1193161

Andy
 

 



Re: [c-nsp] ASR Faulty Sensor

2013-01-22 Thread Antonio Soares
Thank you Hagen. Did they tell you what is the impact of this ? We are
thinking about not doing anything :)


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Hagen AMEN
Sent: Tuesday, 22 January 2013 22:23
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR Faulty Sensor

Antonio Soares wrote:

* Anyone has seen something like this ?

 ASR1006# show facility-alarm status
 System Totals  Critical: 1  Major: 0  Minor: 0

 Source  Severity  Description [Index]
 --    ---
 Temp: Center 0/15  CRITICAL  Faulty Temperature Sensor [0]

 We are not able to clear this alarm. What should be done here ?*

Antonio, I've had that very issue on an ASR1006. That sensor (Center 0/15)
is located on SIP 0. If you do a 'show platform hardware slot 0 sensor prod
all', you should see sensor ID 15 isn't being polled (the last polled
field wasn't the same).

I opened a TAC case back in June, and was advised to power cycle the SIP.
The sensor is located on the SIP, not the chassis. A SIP reload, as part of
an already scheduled ISSU, cleared the sensor state. It has not recurred.
No bug ID was ever revealed, if it exists.

--
Hagen


Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

2013-01-18 Thread Antonio Soares
Just found that even with a basic configuration change like enabling a
signature, I have a failover... Is this normal ?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Friday, 9 November 2012 23:56
To: 'Pete Lumbis'
Cc: 'cisco-nsp'
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

Thanks, it seems another enhancement that won't see the light of day...
Found in 8.0.3... Code that has almost 5 years...


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Pete Lumbis [mailto:alum...@gmail.com]
Sent: Friday, 9 November 2012 22:06
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

CSCsm81086 - Allow user to exclude the status of the SSM or SSP from
failover checks

Still in the New state :(

On Fri, Nov 9, 2012 at 3:08 PM, Antonio Soares amsoa...@netcabo.pt wrote:
 Hello group,

 I had a bad surprise today, I was updating the IPS software of two
 ASA5585-SSP-IPS10 modules and found that it caused the Failover of the 
 parent ASA5585-SSP-10. It seems this is the normal behavior
 (https://supportforums.cisco.com/thread/2035549) but I was not 
 expecting this at all. I'm not using any of the SSP-IPS10 interfaces 
 thus there is not monitoring on those interfaces so why the hell this 
 is like this ? I knew that the IPS upgrade would cause the module 
 reload but taking into account what I mentioned, it  caught me 
 completely by surprise. This should not be a big problem but since I 
 have OSPF running on the ASAs, Failover is something that breaks a lot 
 of things. No NSF support... :(

 Anyone knows if it is possible to disable this behavior, I mean, the 
 implicit monitoring of the IPS module ? This is what failover history 
 shows
 me:

 18:36:55 WEST Nov 9 2012
 Standby Ready              Just Active                Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Just Active                Active Drain               Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Drain               Active Applying Config     Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Applying Config     Active Config Applied      Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Config Applied      Active                     Service card in other unit has failed

 Is this really the expected behavior ? I'm still trying to find where 
 this is documented.


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net





[c-nsp] ACS 5.x and ASA - Webtype ACL

2013-01-16 Thread Antonio Soares
Guys,

 

I was trying to send a large Webtype ACL from ASA5.3 to ASA8.4. To do that, I 
use the Cisco AV Pairs. This is configured under Policy Elements-Authorization 
and Permissions-Network Access-Authorization Profiles. Each Cisco AV Pair 
sent has the format “webvpn:inacl#nnn=permit ”.

 

Now my problem: the amount of ACL entries is so large that it goes beyond the 
maximum packet size for Radius (RFC2865) which is 4096 bytes. Cisco says that 
ACS5.x doesn’t support the fragmentation of these radius packets. It seems it 
supports the fragmentation of the Radius packets used to send the IP ACLs 
(Policy Elements-Authorization and Permissions-Named Permission 
Objects-Downloadable ACLs).

 

Has anyone run into the same problem ? The only workaround I see is via the 
configuration of the Webtype ACL on the ASA but I want to avoid it.

 

 

Thanks.

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net
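
A pre-flight size check for the situation described above, as an added Python example (not from the original post and not ACS code): it encodes each entry as a Cisco AV pair inside a RADIUS Vendor-Specific attribute and reports how many entries fit under the 4096-byte RFC 2865 limit. The rule text after `permit`, the shared secret and the request authenticator are constructed sample values, and the packet is assumed to carry no attributes other than the ACL entries.

```python
import hashlib
import struct

RADIUS_MAX_PACKET = 4096     # RFC 2865 maximum packet length
RADIUS_HEADER_LEN = 20       # code + identifier + length + authenticator
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor type carrying "name=value" strings
VSA_FRAMING = 8              # type, length, vendor-id(4), vendor-type, vendor-length
MAX_AVPAIR_TEXT = 255 - VSA_FRAMING   # attribute length is a single octet


def encode_cisco_avpair(text):
    """Encode one AV pair string as a Vendor-Specific attribute."""
    data = text.encode("ascii")
    if len(data) > MAX_AVPAIR_TEXT:
        raise ValueError(f"AV pair is {len(data)} bytes, limit is {MAX_AVPAIR_TEXT}")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, len(data) + VSA_FRAMING,
                       CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data


def build_access_accept(avpairs, identifier, request_auth, secret):
    """Build an Access-Accept, refusing anything over the RFC 2865 maximum."""
    attrs = b"".join(encode_cisco_avpair(p) for p in avpairs)
    length = RADIUS_HEADER_LEN + len(attrs)
    if length > RADIUS_MAX_PACKET:
        raise ValueError(f"packet would be {length} bytes, limit is {RADIUS_MAX_PACKET}")
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    # Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def entries_that_fit(avpairs, reserved=0):
    """Return (count, attribute_bytes) for the leading entries that fit in one
    packet; 'reserved' is room kept for any other attributes in the reply."""
    budget = RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - reserved
    used = count = 0
    for pair in avpairs:
        size = len(encode_cisco_avpair(pair))
        if used + size > budget:
            break
        used += size
        count += 1
    return count, used


def sample_acl(n_entries):
    """Constructed ACL: the rule bodies are placeholders, not from the thread."""
    return [f"webvpn:inacl#{n}=permit url https://app{n:03d}.example.test/*"
            for n in range(1, n_entries + 1)]


if __name__ == "__main__":
    acl = sample_acl(200)
    count, used = entries_that_fit(acl)
    print(f"{len(acl)} entries requested, {count} fit "
          f"({used + RADIUS_HEADER_LEN} of {RADIUS_MAX_PACKET} bytes)")
    try:
        build_access_accept(acl, 1, bytes(16), b"constructed-secret")
    except ValueError as exc:
        print("full ACL rejected:", exc)
```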


Re: [c-nsp] vs interface problem on nexus7K

2013-01-15 Thread Antonio Soares
You don't see the interfaces when you switch to the VDC in question ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Arne Larsen / Region
Nordjylland
Sent: Tuesday, 15 January 2013 17:27
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] vs interface problem on nexus7K

Hi all.

I have a problem with Nexus7K
It's 7009 chassis and dual sup2. The line cards are N7K-F132XP-15 and
N7K-M108X2-12L.
I can't see the interfaces in the config.
If I do sh vdc membership, it says that the interfaces are allocated to the
vdc.
Has anyone seen something like this or am I missing something here.

abs1nxq2(config)# sh vdc membership

vdc_id: 0 vdc_name: Unallocated interfaces:
Ethernet3/13  Ethernet3/14  Ethernet3/15
Ethernet3/16  Ethernet3/17  Ethernet3/18
Ethernet3/19  Ethernet3/20  Ethernet3/21
Ethernet3/22  Ethernet3/23  Ethernet3/24
Ethernet3/25  Ethernet3/26  Ethernet3/27
Ethernet3/28  Ethernet3/29  Ethernet3/30
Ethernet3/31  Ethernet3/32

Ethernet4/4   Ethernet4/5   Ethernet4/6
Ethernet4/7   Ethernet4/8

vdc_id: 1 vdc_name: abs1nxq2 interfaces:

vdc_id: 2 vdc_name: RN_DRIFT interfaces:
Ethernet3/1   Ethernet3/2   Ethernet3/3
Ethernet3/4   Ethernet3/5   Ethernet3/6
Ethernet3/7   Ethernet3/8   Ethernet3/9
Ethernet3/10  Ethernet3/11  Ethernet3/12

Ethernet4/1   Ethernet4/2   Ethernet4/3

/Arne



Re: [c-nsp] vs interface problem on nexus7K

2013-01-15 Thread Antonio Soares
Must be related with the new 4+1 or 8+1 VDC support in the SUP2/SUP2E. Check
this:

http://ccie5851.blogspot.pt/2012/09/supervisor-22e-and-admin-vdc-in-june-of.html


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Antonio Soares [mailto:amsoa...@netcabo.pt] 
Sent: Tuesday, 15 January 2013 18:54
To: 'Arne Larsen / Region Nordjylland'; 'cisco-nsp@puck.nether.net'
Subject: RE: [c-nsp] vs interface problem on nexus7K

You don't see the interfaces when you switch to the VDC in question ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Arne Larsen / Region
Nordjylland
Sent: Tuesday, 15 January 2013 17:27
To: 'cisco-nsp@puck.nether.net'
Subject: [c-nsp] vs interface problem on nexus7K

Hi all.

I have a problem with Nexus7K
It's 7009 chassis and dual sup2. The line cards are N7K-F132XP-15 and
N7K-M108X2-12L.
I can't see the interfaces in the config.
If I do sh vdc membership, it says that the interfaces are allocated to the
vdc.
Has anyone seen something like this or am I missing something here.

abs1nxq2(config)# sh vdc membership

vdc_id: 0 vdc_name: Unallocated interfaces:
Ethernet3/13  Ethernet3/14  Ethernet3/15
Ethernet3/16  Ethernet3/17  Ethernet3/18
Ethernet3/19  Ethernet3/20  Ethernet3/21
Ethernet3/22  Ethernet3/23  Ethernet3/24
Ethernet3/25  Ethernet3/26  Ethernet3/27
Ethernet3/28  Ethernet3/29  Ethernet3/30
Ethernet3/31  Ethernet3/32

Ethernet4/4   Ethernet4/5   Ethernet4/6
Ethernet4/7   Ethernet4/8

vdc_id: 1 vdc_name: abs1nxq2 interfaces:

vdc_id: 2 vdc_name: RN_DRIFT interfaces:
Ethernet3/1   Ethernet3/2   Ethernet3/3
Ethernet3/4   Ethernet3/5   Ethernet3/6
Ethernet3/7   Ethernet3/8   Ethernet3/9
Ethernet3/10  Ethernet3/11  Ethernet3/12

Ethernet4/1   Ethernet4/2   Ethernet4/3

/Arne



Re: [c-nsp] ASR1000 series (IOS XE) feature comparison

2013-01-12 Thread Antonio Soares
Feature Navigator should do the job:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Blake Pfankuch
Sent: Saturday, 12 January 2013 02:55
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR1000 series (IOS XE) feature comparison

Well I sure am posting a lot this month...  I am looking at replacing some
7206VXR routers with ASR1000 series routers.  Looking to find a breakdown of
what features are in each version of IOS XE available (IP Base, Advanced IP
Services, and Advanced Enterprise Services) on the ASR1000 series,
specifically the ASR1001.  I am not super familiar with IOS XE and not sure
if it correlates to IOS feature sets.  We have a very limited feature
requirement for these routers, only HSRP and basic BGP, The current 7200's
don't even take a full table.

Has anyone been able to find a good table with feature comparison that I can
put down in front of our team to select an appropriate feature set?

Thanks,
Blake


Re: [c-nsp] Multilink PPP over LNS and links that have different bandwidth

2012-12-07 Thread Antonio Soares
Have you played with fragment delay ? The usage guidelines mentions the
different bandwidth links:

http://www.cisco.com/en/US/docs/ios/dial/command/reference/dia_p2.html#wp1013182


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alberto Cruz
Sent: sexta-feira, 7 de Dezembro de 2012 21:17
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Multilink PPP over LNS and links that have different
bandwidth

Hello everybody.

Somebody that can give me a clue or a document that I can read?

Thanks

Alberto

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alberto Cruz
Sent: November-30-12 10:06 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Multilink PPP over LNS and links that have different
bandwidth
Importance: High

Hello everybody, good afternoon. I am looking for your advice and experience.

We have been working to deploy a MLPPP bundle solution for ADSL using Cisco
platform. We have a Cisco 7301 as LNS and Cisco 891 as CPE.

We have been facing some challenges because we don't have the control over
the ADSL network. We are a wholesale customer from Bell.

If our customer has ADSL links using the same profile (Download speed,
Upload speed) everything works fine; we got twice the speed and the routers
don't show any errors about fragmentation or packet loss.
However, if our customer has ADSL links with different speeds and latency,
the download traffic uses the slowest link only, and the CPE reports
fragmentation errors:
 Multilink PPP Interface at CPE 
Virtual-Access4
  Bundle name: PPPoE-Server
  Remote Endpoint Discriminator: [1] PPPoE-Server
  Local Username: int.ml...@execulink.com
  Local Endpoint Discriminator: [1] mlPPP_Test
  Bundle up for 04:46:37, total bandwidth 112, load 18/255
  Receive buffer limit 24384 bytes, frag timeout 1741 ms
  Dialer interface is Dialer1
45/540 fragments/bytes in reassembly list
8 lost fragments, 4485 reordered
39/14974 discarded fragments/bytes, 7 lost received
0x3BA8 received sequence, 0x2E3D sent sequence
  Member links: 2 (max 255, min not set)
Vi2, since 04:46:37
Vi3, since 04:46:37

 Log from CPE 
Nov 29 18:26:46.712: Vi4 MLP: Lost fragment 51E9 (RX buffer overflow), new seq 51EA
Nov 29 18:26:46.712: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.716: Vi4 MLP: Received lost fragment seq 51A5, expecting 51EB
Nov 29 18:26:46.716: Vi4 MLP: Lost fragment 51EB (RX buffer overflow), new seq 51EC
Nov 29 18:26:46.716: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.716: Vi4 MLP: Lost fragment 51ED (RX buffer overflow), new seq 51EE
Nov 29 18:26:46.716: Vi4 MLP: Discard reassembled
Nov 29 18:26:46.724: Vi4 MLP: Lost fragment 51F5 (RX buffer overflow), new seq 51F6
Nov 29 18:26:46.724: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.724: Vi4 MLP: Received lost fragment seq 51AF, expecting 51F7
Nov 29 18:26:46.728: Vi4 MLP: Lost fragment 51F7 (RX buffer overflow), new seq 51F8
Nov 29 18:26:46.728: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.728: Vi4 MLP: Received lost fragment seq 51B1, expecting 51F9

In the scenario using ADSL links with different speeds, we have noticed that
the multilink interface at the LNS shows members using different weight:
* Multilink PPP interface at LNS 
Virtual-Access3
  Bundle name: int.ml...@execulink.com
  Remote Username: int.ml...@execulink.com
  Remote Endpoint Discriminator: [1] mlPPP_Test
  Local Endpoint Discriminator: [1] PPPoE-Server
  Bundle up for 02:26:41, total bandwidth 1155520, load 1/255
  Receive buffer limit 23776 bytes, frag timeout 1000 ms
  Using relaxed lost fragment detection algorithm.
0/0 fragments/bytes in reassembly list
0 lost fragments, 756 reordered
0/0 discarded fragments/bytes, 0 lost received
0xCBE received sequence, 0xA1C sent sequence
  Member links: 2 (max 255, min not set)
3xeQl1Nk:Vi5  (192.168.32.104), since 02:26:41, 375 weight, 1480 frag size, unsequenced
3xeQl1Nk:Vi4  (192.168.32.100), since 02:26:41, 583200 weight, 1480 frag size, unsequenced

We have tried to override this behavior by disabling fragmentation. Although
we can achieve the sum of the speed of the links, fragmentation errors at
the CPE increase dramatically.

Is there a workaround to achieve a MLPPP bundle using links with different
speed?

Can the weight assigned per multilink member be overridden?

Is it normal that the LNS uses the bandwidth information calculated from the
uplink interface instead of from the multilink link member?
Bundle up for 02:26:41, total bandwidth 1155520, load 1/255

Regards

Alberto
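
Added example, not part of the original posts: a small Python parser for the "Vi4 MLP" debug lines quoted above. It counts the RX buffer overflow losses and measures how many sequence numbers behind each late fragment arrived, then compares that lag with a rough reassembly depth derived from the buffer limit and fragment size shown in the posted output. The function names are hypothetical, the 24-bit sequence space is an assumption (RFC 1990 long format), and the depth figure assumes full-size fragments.

```python
import re
from collections import Counter

# Log entries copied from the CPE log quoted in the post, one entry per line.
SAMPLE_LOG = """\
Nov 29 18:26:46.712: Vi4 MLP: Lost fragment 51E9 (RX buffer overflow), new seq 51EA
Nov 29 18:26:46.712: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.716: Vi4 MLP: Received lost fragment seq 51A5, expecting 51EB
Nov 29 18:26:46.716: Vi4 MLP: Lost fragment 51EB (RX buffer overflow), new seq 51EC
Nov 29 18:26:46.716: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.716: Vi4 MLP: Lost fragment 51ED (RX buffer overflow), new seq 51EE
Nov 29 18:26:46.716: Vi4 MLP: Discard reassembled
Nov 29 18:26:46.724: Vi4 MLP: Lost fragment 51F5 (RX buffer overflow), new seq 51F6
Nov 29 18:26:46.724: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.724: Vi4 MLP: Received lost fragment seq 51AF, expecting 51F7
Nov 29 18:26:46.728: Vi4 MLP: Lost fragment 51F7 (RX buffer overflow), new seq 51F8
Nov 29 18:26:46.728: Vi4 MLP: Discard reassembled packet
Nov 29 18:26:46.728: Vi4 MLP: Received lost fragment seq 51B1, expecting 51F9
"""

# Values taken from the "show" output in the post.
RX_BUFFER_LIMIT_BYTES = 24384  # CPE: "Receive buffer limit 24384 bytes"
FRAGMENT_SIZE_BYTES = 1480     # LNS: "1480 frag size"

# Assumption: the bundle uses the 24-bit (long) sequence number format.
SEQ_MODULUS = 1 << 24

LOST_RE = re.compile(
    r"\S+ MLP: Lost fragment (?P<seq>[0-9A-Fa-f]+) "
    r"\((?P<reason>[^)]+)\), new seq (?P<new>[0-9A-Fa-f]+)"
)
LATE_RE = re.compile(
    r"\S+ MLP: Received lost fragment seq (?P<seq>[0-9A-Fa-f]+), "
    r"expecting (?P<exp>[0-9A-Fa-f]+)"
)
DISCARD_RE = re.compile(r"\S+ MLP: Discard reassembled")


def analyze_mlp_log(text, modulus=SEQ_MODULUS):
    """Count loss events and compute the lag of each late fragment.

    Lag = (sequence the receiver expects) - (sequence that just arrived),
    taken modulo the sequence space so that counter wrap is handled.
    """
    lost_by_reason = Counter()
    late_lags = []
    discards = 0
    for line in text.splitlines():
        m = LOST_RE.search(line)
        if m:
            lost_by_reason[m["reason"]] += 1
            continue
        m = LATE_RE.search(line)
        if m:
            lag = (int(m["exp"], 16) - int(m["seq"], 16)) % modulus
            late_lags.append(lag)
            continue
        if DISCARD_RE.search(line):
            discards += 1
    return {"lost": lost_by_reason, "discards": discards, "late_lags": late_lags}


def buffer_capacity_fragments(limit_bytes=RX_BUFFER_LIMIT_BYTES,
                              frag_bytes=FRAGMENT_SIZE_BYTES):
    """Rough number of full-size fragments the reassembly buffer can hold."""
    return limit_bytes // frag_bytes


def report(text):
    """Summarise the log and flag when the lag exceeds the buffer depth."""
    stats = analyze_mlp_log(text)
    capacity = buffer_capacity_fragments()
    worst = max(stats["late_lags"], default=0)
    return {
        "overflow_losses": stats["lost"]["RX buffer overflow"],
        "discards": stats["discards"],
        "late_lags": stats["late_lags"],
        "capacity_fragments": capacity,
        "lag_exceeds_buffer": worst > capacity,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log, the late fragments from the slower link arrive about 70 sequence numbers behind, while the buffer holds roughly 16 full-size fragments, which is consistent with the "RX buffer overflow" losses shown.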



[c-nsp] Nexus 7000 VDC Design

2012-11-30 Thread Antonio Soares
Hello group,

I have a design requirement. Decouple the default VDC that has everything
there (L2 and L3) into two separate VDCs: Core and Aggregation.

I have to move from the top diagram to the bottom diagram:

http://www.ccie18473.net/dc-evolution.jpg

The blue lines are L2 links and the red lines are L3 links. And two 7Ks in
each DC.

I have OTV on-a-stick and I want to keep it that way. But I want to move the
L3 routing protocols to the Core and only keep the SVIs/HSRP in the
Aggregation. Basically doing the L2/L3 boundary on the Aggregation Layer.

I see many challenges when doing something like this.

I wonder if there is some documentation that can help me do this.

There is the BRKDCT-2121 presentation about VDC design but it is not deep
enough.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net






Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-19 Thread Antonio Soares
Just for future reference if someone runs into the same issues:

The hw revision of the M132XP that had no problems: 1.7
The hw revision of the M132XP that failed: 1.5
The hw revision of the spare card that had no problems: 2.3


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: sábado, 17 de Novembro de 2012 21:24
To: 'Colin Whittaker'; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

Unbelievable, this is a 70k card, isn't it ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Colin Whittaker
Sent: sábado, 17 de Novembro de 2012 18:22
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

On Sat, Nov 17, 2012 at 05:28:48PM -, Antonio Soares wrote:
 Another long night... The upgrade of one Nexus was completely clean, 
 the second one was a nightmare. One M1-32XP card remained in the state 
 powered-up forever... The reload didn't make it work, neither the 
 re-seat or even the NX-OS downgrade... Had to open a P1 TAC case and 
 then the engineer said it was a faulty card. Got the replacement but 
 had to delay the installation 48 hours.
 
 Has anyone had bad experiences with this M1 type of card lately ?
 It's the second one that gets faulty in less than a year. It seems the 
 MTBF is inversely proportional to the price :(

Upgrade cycles tend to flush out latent faults in the linecards.
When doing upgrades it is best to have spare cards on hand to handle those
that fail.

The failure rate on the M1 cards has gotten a lot better over the last two
years. Gone are the days of 20% of the cards being DOA.

Colin

-- 
Colin Whittaker +353 (0)86 8211 965
http://colin.netech.ie  co...@netech.ie


Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-19 Thread Antonio Soares
What upgrade did you make ? In my case it was from 5.2.3a to 5.2.7. The
5.2.3 EPLD was already installed.


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Neil Barnett [mailto:interarchet...@gmail.com] 
Sent: segunda-feira, 19 de Novembro de 2012 14:22
To: 'Antonio Soares'; 'Tim Stevenson'; 'Dirk Woellhaf'
Cc: 'Charles Spurgeon'; 'cisco-nsp'
Subject: RE: [c-nsp] Nexus 7K NX-OS Upgrade

I had an odd situation where I did a software upgrade on one box
successfully. On the 2nd box the VLAN Configurations were arbitrarily
missing, which was frustrating as we thought immediately that the vpc was
down for other reasons. Not sure if this had anything to do with the m1, (I
did do an EPLD Upgrade as well) 

Psion

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Antonio Soares
Sent: Saturday, November 17, 2012 12:29 PM
To: 'Tim Stevenson'; 'Dirk Woellhaf'
Cc: 'Charles Spurgeon'; 'cisco-nsp'
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

Another long night... The upgrade of one Nexus was completely clean, the
second one was a nightmare. One M1-32XP card remained in the state
powered-up forever... The reload didn't make it work, neither the re-seat
or even the NX-OS downgrade... Had to open a P1 TAC case and then the
engineer said it was a faulty card. Got the replacement but had to delay the
installation 48 hours.

Has anyone had bad experiences with this M1 type of card lately ?
It's the second one that gets faulty in less than a year. It seems the MTBF
is inversely proportional to the price :(


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Tim Stevenson [mailto:tstev...@cisco.com]
Sent: quinta-feira, 8 de Novembro de 2012 18:21
To: Antonio Soares; 'Dirk Woellhaf'
Cc: 'cisco-nsp'; 'Charles Spurgeon'
Subject: RE: [c-nsp] Nexus 7K NX-OS Upgrade

At 09:36 AM 11/8/2012, Antonio Soares mused:
Thanks Tim, I will follow that procedure, it's the one that makes 
perfect sense.

The documentation should be more clear about this kind of situations, 
don't you think ?

There are important things that are omitted between steps 10 and 11:


You mean specific to also upgrading the DRAM? 
This particular procedure is not intended to cover also upgrading DRAM at
the same time, that's not really something we assume you're doing every time
you upgrade.

BTW, Sukumar does make a good point about the install script - it will
potentially make some changes to the config based on updated features, CoPP
being a prominent example.

An alternative in your case would be to just power off, upgrade DRAM,
reboot, and then install all. Clearly that involves 2 reboots with a single
sup.

Tim


http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_304731



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Tim Stevenson [mailto:tstev...@cisco.com]
Sent: quinta-feira, 8 de Novembro de 2012 15:51
To: Antonio Soares; 'Dirk Woellhaf'
Cc: 'cisco-nsp'; 'Charles Spurgeon'
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

At 07:18 AM 11/8/2012, Antonio Soares mused:
 I just have one SUP... You are talking about dual supervisors setup, 
 right
?


Ah. In that case, clearly, the box is going to go offline when you upgrade.
You might want to consider buying another sup.

IMO, there is no huge benefit in using the install all script in a 
single sup system - in the end, all it will do for you is a little 
sanity checking and maybe save you from fat fingering a bootstring.

In your situation, I would copy over the new images you want; manually 
change the bootstrings  save to startup; power off the box, yank the 
sup  add the DRAM; and then power it all back on.

Tim



 Regards,
 
 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net
 
 
 
 -Original Message-
 From: Dirk Woellhaf [mailto:dirk.woell...@gmail.com]
 Sent: quinta-feira, 8 de Novembro de 2012 14:10
 To: Antonio Soares
 Cc: Charles Spurgeon; cisco-nsp
 Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade
 
 Hi Antonio,
 
 You should be able to do the memory-upgrade without rebooting the box.
 I've never done it on my own but I know a few which did without any 
 problem. I believe they first upgraded the memory and then did the update!
 
 Dirk
 
 Sent from my iPhone
 
 On 08.11.2012, at 13:42, Antonio Soares amsoa...@netcabo.pt wrote:
 
   Thanks, I don't know if you noticed but somewhere in the thread 
   the bug was mentioned and it is resolved in 5.1.5 and later.
  
   Bug CSCtn61286 - Boot variables are not set up correctly on Sup-2 
   after ISSU
  
   So in my case, it should not give me problems (5.2.3a to 5.2.7

Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-17 Thread Antonio Soares
Another long night... The upgrade of one Nexus was completely clean, the
second one was a nightmare. One M1-32XP card remained in the state
powered-up forever... The reload didn't make it work, neither the re-seat
or even the NX-OS downgrade... Had to open a P1 TAC case and then the
engineer said it was a faulty card. Got the replacement but had to delay the
installation 48 hours.

Has anyone had bad experiences with this M1 type of card lately ?
It's the second one that gets faulty in less than a year. It seems the MTBF
is inversely proportional to the price :(


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Tim Stevenson [mailto:tstev...@cisco.com] 
Sent: quinta-feira, 8 de Novembro de 2012 18:21
To: Antonio Soares; 'Dirk Woellhaf'
Cc: 'cisco-nsp'; 'Charles Spurgeon'
Subject: RE: [c-nsp] Nexus 7K NX-OS Upgrade

At 09:36 AM 11/8/2012, Antonio Soares mused:
Thanks Tim, I will follow that procedure, it's the one that makes 
perfect sense.

The documentation should be more clear about this kind of situations, 
don't you think ?

There are important things that are omitted between steps 10 and 11:


You mean specific to also upgrading the DRAM? 
This particular procedure is not intended to cover also upgrading DRAM at
the same time, that's not really something we assume you're doing every time
you upgrade.

BTW, Sukumar does make a good point about the install script - it will
potentially make some changes to the config based on updated features, CoPP
being a prominent example.

An alternative in your case would be to just power off, upgrade DRAM,
reboot, and then install all. Clearly that involves 2 reboots with a single
sup.

Tim


http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_304731



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Tim Stevenson [mailto:tstev...@cisco.com]
Sent: quinta-feira, 8 de Novembro de 2012 15:51
To: Antonio Soares; 'Dirk Woellhaf'
Cc: 'cisco-nsp'; 'Charles Spurgeon'
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

At 07:18 AM 11/8/2012, Antonio Soares mused:
 I just have one SUP... You are talking about dual supervisors setup, 
 right
?


Ah. In that case, clearly, the box is going to go offline when you upgrade.
You might want to consider buying another sup.

IMO, there is no huge benefit in using the install all script in a 
single sup system - in the end, all it will do for you is a little 
sanity checking and maybe save you from fat fingering a bootstring.

In your situation, I would copy over the new images you want; manually 
change the bootstrings  save to startup; power off the box, yank the 
sup  add the DRAM; and then power it all back on.

Tim



 Regards,
 
 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net
 
 
 
 -Original Message-
 From: Dirk Woellhaf [mailto:dirk.woell...@gmail.com]
 Sent: quinta-feira, 8 de Novembro de 2012 14:10
 To: Antonio Soares
 Cc: Charles Spurgeon; cisco-nsp
 Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade
 
 Hi Antonio,
 
 You should be able to do the memory-upgrade without rebooting the box.
 I've never done it on my own but I know a few which did without any 
 problem. I believe they first upgraded the memory and then did the update!
 
 Dirk
 
 Sent from my iPhone
 
 On 08.11.2012, at 13:42, Antonio Soares amsoa...@netcabo.pt wrote:
 
   Thanks, I don't know if you noticed but somewhere in the thread 
   the bug was mentioned and it is resolved in 5.1.5 and later.
  
   Bug CSCtn61286 - Boot variables are not set up correctly on Sup-2 
   after ISSU
  
   So in my case, it should not give me problems (5.2.3a to 5.2.7).
  
   But since I also need to upgrade the SUP1 RAM from 4G to 8G, I 
   have no other option than doing the traditional upgrade. It's the 
   only way to just send the box down 1 time:
  
   - update the boot variables
   - power off and upgrade the RAM
   - power on
  
   The install all script has another limitation: it won't let us 
   reboot when we choose to do it. This is what happened to me last time:
  
   +
   Switch will be reloaded for disruptive upgrade.
   Do you want to continue with the installation (y/n)?  y
  
   Install is in progress, please wait.
  
   (..)
  
   A few minutes later:
  
   Finishing the upgrade, switch will reboot in 10 seconds.
   +
  
   I don't see how to upgrade the RAM and upgrade the NX-OS with the 
   install script in just one shot...
  
  
   Regards,
  
   Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt 
   http://www.ccie18473.net
  
  
   -Original Message-
   From: Charles Spurgeon [mailto:c.spurg...@austin.utexas.edu]
   Sent: quinta-feira, 8 de Novembro de 2012 00:50

Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-17 Thread Antonio Soares
Unbelievable, this is a 70k card, isn't it ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Colin Whittaker
Sent: sábado, 17 de Novembro de 2012 18:22
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

On Sat, Nov 17, 2012 at 05:28:48PM -, Antonio Soares wrote:
 Another long night... The upgrade of one Nexus was completely clean, 
 the second one was a nightmare. One M1-32XP card remained in the state 
 powered-up forever... The reload didn't make it work, neither the 
 re-seat or even the NX-OS downgrade... Had to open a P1 TAC case and 
 then the engineer said it was a faulty card. Got the replacement but 
 had to delay the installation 48 hours.
 
 Has anyone had bad experiences with this M1 type of card lately ?
 It's the second one that gets faulty in less than a year. It seems the 
 MTBF is inversely proportional to the price :(

Upgrade cycles tend to flush out latent faults in the linecards.
When doing upgrades it is best to have spare cards on hand to handle those
that fail.

The failure rate on the M1 cards has gotten a lot better over the last two
years. Gone are the days of 20% of the cards being DOA.

Colin

-- 
Colin Whittaker +353 (0)86 8211 965
http://colin.netech.ie  co...@netech.ie


[c-nsp] ASA5585-X IPS Upgrade causes ASA failover

2012-11-09 Thread Antonio Soares
Hello group,

I had a bad surprise today, I was updating the IPS software of two
ASA5585-SSP-IPS10 modules and found that it caused the Failover of the
parent ASA5585-SSP-10. It seems this is the normal behavior
(https://supportforums.cisco.com/thread/2035549) but I was not expecting
this at all. I'm not using any of the SSP-IPS10 interfaces thus there is no
monitoring on those interfaces so why the hell is this like this ? I knew
that the IPS upgrade would cause the module reload but taking into account
what I mentioned, it caught me completely by surprise. This should not be a
big problem but since I have OSPF running on the ASAs, Failover is something
that breaks a lot of things. No NSF support... :(

Does anyone know if it is possible to disable this behavior, I mean, the
implicit monitoring of the IPS module ? This is what failover history shows
me:

18:36:55 WEST Nov 9 2012
Standby Ready              Just Active                Service card in other unit has failed
18:36:55 WEST Nov 9 2012
Just Active                Active Drain               Service card in other unit has failed
18:36:55 WEST Nov 9 2012
Active Drain               Active Applying Config     Service card in other unit has failed
18:36:55 WEST Nov 9 2012
Active Applying Config     Active Config Applied      Service card in other unit has failed
18:36:55 WEST Nov 9 2012
Active Config Applied      Active                     Service card in other unit has failed

Is this really the expected behavior ? I'm still trying to find where this
is documented.


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net





Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

2012-11-09 Thread Antonio Soares
Thanks, it seems another enhancement that won't see the light of day...
Found in 8.0.3... Code that is almost 5 years old...


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Pete Lumbis [mailto:alum...@gmail.com] 
Sent: sexta-feira, 9 de Novembro de 2012 22:06
To: Antonio Soares
Cc: cisco-nsp
Subject: Re: [c-nsp] ASA5585-X IPS Upgrade causes ASA failover

CSCsm81086 - Allow user to exclude the status of the SSM or SSP from
failover checks

Still in the New state :(

On Fri, Nov 9, 2012 at 3:08 PM, Antonio Soares amsoa...@netcabo.pt wrote:
 Hello group,

 I had a bad surprise today, I was updating the IPS software of two
 ASA5585-SSP-IPS10 modules and found that it caused the Failover of the 
 parent ASA5585-SSP-10. It seems this is the normal behavior
 (https://supportforums.cisco.com/thread/2035549) but I was not 
 expecting this at all. I'm not using any of the SSP-IPS10 interfaces 
 thus there is no monitoring on those interfaces so why the hell is this 
 like this ? I knew that the IPS upgrade would cause the module 
 reload but taking into account what I mentioned, it caught me 
 completely by surprise. This should not be a big problem but since I 
 have OSPF running on the ASAs, Failover is something that breaks a lot 
 of things. No NSF support... :(

 Does anyone know if it is possible to disable this behavior, I mean, the 
 implicit monitoring of the IPS module ? This is what failover history 
 shows me:

 18:36:55 WEST Nov 9 2012
 Standby Ready              Just Active                Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Just Active                Active Drain               Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Drain               Active Applying Config     Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Applying Config     Active Config Applied      Service card in other unit has failed
 18:36:55 WEST Nov 9 2012
 Active Config Applied      Active                     Service card in other unit has failed

 Is this really the expected behavior ? I'm still trying to find where 
 this is documented.


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net





Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-08 Thread Antonio Soares
Thanks, I don't know if you noticed but somewhere in the thread the bug was
mentioned and it is resolved in 5.1.5 and later.

Bug CSCtn61286 - Boot variables are not set up correctly on Sup-2 after ISSU

So in my case, it should not give me problems (5.2.3a to 5.2.7).

But since I also need to upgrade the SUP1 RAM from 4G to 8G, I have no other
option than doing the traditional upgrade. It's the only way to just send
the box down 1 time:

- update the boot variables
- power off and upgrade the RAM
- power on

The install all script has another limitation: it won't let us reboot
when we choose to do it. This is what happened to me last time:

+
Switch will be reloaded for disruptive upgrade.
Do you want to continue with the installation (y/n)?  y
 
Install is in progress, please wait.
 
(….)
 
A few minutes later:
 
Finishing the upgrade, switch will reboot in 10 seconds.
+

I don't see how to upgrade the RAM and upgrade the NX-OS with the install
script in just one shot...


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Charles Spurgeon [mailto:c.spurg...@austin.utexas.edu] 
Sent: quinta-feira, 8 de Novembro de 2012 00:50
To: Antonio Soares
Cc: 'Tóth András'; 'cisco-nsp'
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

While doing some more testing this aft I also removed the sup from slot 5
and did a disruptive single sup ISSU upgrade from 5.1(5) to
5.2(7) on the slot 6 sup without issues.

-Charles

On Tue, Nov 06, 2012 at 11:48:35PM +, Antonio Soares wrote:
 Great, I must confess that I searched a lot and I didn't find this 
 bug. So I suppose the install all script will work well this time. I 
 will come back to the list next week with the good news. I hope :)
 
 
 Thanks.
 
 Regards,
 
 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net
 
 
 
 -Original Message-
 From: Tóth András [mailto:diosbej...@gmail.com]
 Sent: terça-feira, 6 de Novembro de 2012 23:35
 To: Antonio Soares
 Cc: cisco-nsp
 Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade
 
 Hi Antonio,
 
 In general, doing a traditional upgrade (changing boot variables) will 
 not update the BIOS for example, while an ISSU does and it's 
 non-disruptive with dual-supervisors.
 
 There's a defect which caused the behavior you were seeing, CSCtn61286 
 which affects 5.1(3). Since you were upgrading from that version, it 
 was still impacting the upgrade process. It has been fixed in 5.1(4) 
 and 5.2(1) already, so upgrading from 5.2(3a) to 5.2(7) will not have the
same issue.
 
 http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetailsbugId=CSCtn61286
 
 
 If the boot variables are incorrect, you can edit them as you'd do on 
 an IOS device, make sure you update the kickstart and system as well.
 
 Upgrading from 5.2(3a) to 5.2(7) can be done using the install all
 (ISSU) method.
 
 Best regards
 
 On Tue, Nov 6, 2012 at 11:38 AM, Antonio Soares amsoa...@netcabo.pt
wrote:
  Hello group,
 
 
 
  Anyone knows the difference between using the install all script or 
  just update the boot system flash command when upgrading NX-OS on a 
  Nexus
 7K ?
 
 
 
  The question applies to a single supervisor setup.
 
 
 
  The official documentation mentions the two ways of doing it:
 
 
 
  - using the install all script:
 
 
 
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#con_314241
 
 
 
  - using the traditional procedure:
 
 
 
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_39E26688E1204F8CAAE876450A575E73
 
 
 
  I had a bad experience in the past with the install all script. I 
  was doing an upgrade to a 7010 with only 1 supervisor that was 
  installed in
 slot 6.
  The install all script has a problem, maybe a bug, it only correctly 
  updates the boot variables for slot 5:
 
 
 
  boot kickstart bootflash:/n7000-s1-kickstart.5.2.3a.bin sup-1
 
  boot system bootflash:/n7000-s1-dk9.5.2.3a.bin sup-1
 
  boot kickstart bootflash:/n7000-s1-kickstart.5.1.3.bin sup-2
 
 
 
  The install all script assumes that if there is only one supervisor, 
  it should be on slot 5. Above we can see that the boot system is 
  missing for sup-2.
 
 
 
  In summary, is there any problem if I simply update the boot 
  variables and reload ? May I end up with the supervisor running the 
  new NX-OS release and the modules the old NX-OS release ?
 
 
 
 
 
  Regards,
 
 
 
  Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt
 
  http://www.ccie18473.net http://www.ccie18473.net/
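
Added example, not part of the original posts: a Python pre-reload check for the situation described in this thread, where the boot variables for one supervisor slot were left incomplete or pointing at the old release. It parses the `boot kickstart` / `boot system` lines exactly as they appear in the post and reports any slot that is missing an image or references a version other than the intended one. The function names are hypothetical and the version is assumed to be embedded in the image file name as in the posted lines.

```python
import re

# Boot lines copied from the post (state after the install all run on a
# chassis whose only supervisor sat in slot 6).
SAMPLE_BOOT_LINES = """\
boot kickstart bootflash:/n7000-s1-kickstart.5.2.3a.bin sup-1
boot system bootflash:/n7000-s1-dk9.5.2.3a.bin sup-1
boot kickstart bootflash:/n7000-s1-kickstart.5.1.3.bin sup-2
"""

BOOT_RE = re.compile(
    r"^\s*boot\s+(?P<kind>kickstart|system)\s+(?P<image>\S+)\s+(?P<sup>sup-[12])\s*$"
)
# Assumption: the release string sits between the image name and ".bin",
# e.g. n7000-s1-dk9.5.2.3a.bin -> 5.2.3a
VERSION_RE = re.compile(r"\.(?P<ver>\d[\w.]*)\.bin$")


def parse_boot_variables(config_text):
    """Return {sup: {kind: (image, version)}} from boot variable lines.

    If a variable appears more than once for the same supervisor,
    the last line wins.
    """
    table = {}
    for line in config_text.splitlines():
        m = BOOT_RE.match(line)
        if not m:
            continue
        v = VERSION_RE.search(m["image"])
        version = v["ver"] if v else None
        table.setdefault(m["sup"], {})[m["kind"]] = (m["image"], version)
    return table


def check_boot_variables(config_text, target_version, sups=("sup-1", "sup-2")):
    """List (sup, kind, problem) tuples; an empty list means consistent."""
    table = parse_boot_variables(config_text)
    findings = []
    for sup in sups:
        entries = table.get(sup, {})
        for kind in ("kickstart", "system"):
            if kind not in entries:
                findings.append((sup, kind, "missing"))
                continue
            _image, version = entries[kind]
            if version != target_version:
                findings.append(
                    (sup, kind, f"version {version}, expected {target_version}")
                )
    return findings


if __name__ == "__main__":
    problems = check_boot_variables(SAMPLE_BOOT_LINES, "5.2.3a")
    if not problems:
        print("boot variables consistent for all supervisor slots")
    for sup, kind, problem in problems:
        print(f"{sup}: boot {kind}: {problem}")
```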
 

Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-08 Thread Antonio Soares
Yes it is. But you can still use the ISSU method of doing things (install all) 
with just one SUP. It doesn't make too much sense, right ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Alexander Lim [mailto:nsp.alexander@gmail.com] 
Sent: quinta-feira, 8 de Novembro de 2012 04:56
To: Charles Spurgeon
Cc: Antonio Soares; cisco-nsp
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

Hi Charles,

I thought redundant sup is required for ISSU?

Regards,
Alexander Lim

On 8 Nov, 2012, at 8:50 AM, Charles Spurgeon c.spurg...@austin.utexas.edu 
wrote:

 While doing some more testing this aft I also removed the sup from 
 slot 5 and did a disruptive single sup ISSU upgrade from 5.1(5) to
 5.2(7) on the slot 6 sup without issues.
 
 -Charles
 
 On Tue, Nov 06, 2012 at 11:48:35PM +, Antonio Soares wrote:
 Great, I must confess that I searched a lot and I didn't find this 
 bug. So I suppose the install all script will work well this time. I 
 will come back to the list next week with the good news. I hope :)
 
 
 Thanks.
 
 Regards,
 
 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net
 
 
 
 -Original Message-
 From: Tóth András [mailto:diosbej...@gmail.com]
 Sent: terça-feira, 6 de Novembro de 2012 23:35
 To: Antonio Soares
 Cc: cisco-nsp
 Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade
 
 Hi Antonio,
 
 In general, doing a traditional upgrade (changing boot variables) 
 will not update the BIOS for example, while an ISSU does and it's 
 non-disruptive with dual-supervisors.
 
 There's a defect which caused the behavior you were seeing, 
 CSCtn61286 which affects 5.1(3). Since you were upgrading from that 
 version, it was still impacting the upgrade process. It has been 
 fixed in 5.1(4) and 5.2(1) already, so upgrading from 5.2(3a) to 5.2(7) will 
 not have the same issue.
 
 http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetailsbugId=CSCtn61286
 
 
 If the boot variables are incorrect, you can edit them as you'd do on 
 an IOS device, make sure you update the kickstart and system as well.
 
 Upgrading from 5.2(3a) to 5.2(7) can be done using the install all
 (ISSU) method.
 
 Best regards
 
 On Tue, Nov 6, 2012 at 11:38 AM, Antonio Soares amsoa...@netcabo.pt wrote:
 Hello group,
 
 
 
 Anyone knows the difference between using the install all script or 
 just update the boot system flash command when upgrading NX-OS on a 
 Nexus
 7K ?
 
 
 
 The question applies to a single supervisor setup.
 
 
 
 The official documentation mentions the two ways of doing it:
 
 
 
 - using the install all script:
 
 
 
 http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#con_314241
 
 
 
 - using the traditional procedure:
 
 
 
 http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_39E26688E1204F8CAAE876450A575E73
 
 
 
 I had a bad experience in the past with the install all script. I 
 was doing an upgrade to a 7010 with only 1 supervisor that was 
 installed in
 slot 6.
 The install all script has a problem, maybe a bug, it only correctly 
 updates the boot variables for slot 5:
 
 
 
 boot kickstart bootflash:/n7000-s1-kickstart.5.2.3a.bin sup-1
 
 boot system bootflash:/n7000-s1-dk9.5.2.3a.bin sup-1
 
 boot kickstart bootflash:/n7000-s1-kickstart.5.1.3.bin sup-2
 
 
 
 The install all script assumes that if there is only one supervisor, 
 it should be on slot 5. Above we can see that the boot system is 
 missing for sup-2.
 
 
 
 In summary, is there any problem if I simply update the boot 
 variables and reload ? May I end up with the supervisor running the 
 new NX-OS release and the modules the old NX-OS release ?
 
 
 
 
 
 Regards,
 
 
 
 Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt
 
 http://www.ccie18473.net http://www.ccie18473.net/
 

Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-08 Thread Antonio Soares
I just have one SUP... You are talking about dual supervisors setup, right ?


Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Dirk Woellhaf [mailto:dirk.woell...@gmail.com] 
Sent: quinta-feira, 8 de Novembro de 2012 14:10
To: Antonio Soares
Cc: Charles Spurgeon; cisco-nsp
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

Hi Antonio,

You should be able to do the memory-upgrade without rebooting the box.
I've never done it on my own but I know a few which did without any
problem. I believe they first upgraded the memory and then did the update!

Dirk

Sent from my iPhone

On 08.11.2012, at 13:42, Antonio Soares amsoa...@netcabo.pt wrote:

 Thanks, I don't know if you noticed but somewhere in the thread the 
 bug was mentioned and it is resolved in 5.1.5 and later.

 Bug CSCtn61286 - Boot variables are not set up correctly on Sup-2 
 after ISSU

 So in my case, it should not give me problems (5.2.3a to 5.2.7).

 But since I also need to upgrade the SUP1 RAM from 4G to 8G, I have no 
 other option than doing the traditional upgrade. It's the only way to 
 just send the box down 1 time:

 - update the boot variables
 - power off and upgrade the RAM
 - power on

 The install all script has another limitation: it won't let us to 
 reboot when we chose to do it. This is what happened to me last time:

 +
 Switch will be reloaded for disruptive upgrade.
 Do you want to continue with the installation (y/n)?  y

 Install is in progress, please wait.

 (….)

 A few minutes later:

 Finishing the upgrade, switch will reboot in 10 seconds.
 +

 I don't see how to upgrade the RAM and upgrade the NX-OS with the 
 install script in just one shot...


 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net


 -Original Message-
 From: Charles Spurgeon [mailto:c.spurg...@austin.utexas.edu]
 Sent: quinta-feira, 8 de Novembro de 2012 00:50
 To: Antonio Soares
 Cc: 'Tóth András'; 'cisco-nsp'
 Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

 While doing some more testing this aft I also removed the sup from 
 slot 5 and did a disruptive single sup ISSU upgrade from 5.1(5) to
 5.2(7) on the slot 6 sup without issues.

 -Charles

 On Tue, Nov 06, 2012 at 11:48:35PM +, Antonio Soares wrote:
 Great, I must confess that I searched a lot and I didn't find this 
 bug. So I suppose the install all script will work well this time. I 
 will come back to the list next week with the good news. I hope :)


 Thanks.

 Regards,

 Antonio Soares, CCIE #18473 (RS/SP)
 amsoa...@netcabo.pt
 http://www.ccie18473.net



 -Original Message-
 From: Tóth András [mailto:diosbej...@gmail.com]
 Sent: terça-feira, 6 de Novembro de 2012 23:35
 To: Antonio Soares
 Cc: cisco-nsp
 Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

 Hi Antonio,

 In general, doing a traditional upgrade (changing boot variables) 
 will not update the BIOS for example, while an ISSU does and it's 
 non-disruptive with dual-supervisors.

 There's a defect which caused the behavior you were seeing, 
 CSCtn61286 which affects 5.1(3). Since you were upgrading from that 
 version, it was still impacting the upgrade process. It has been 
 fixed in 5.1(4) and 5.2(1) already, so upgrading from 5.2(3a) to 
 5.2(7) will not have the
 same issue.

 http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn61286


 If the boot variables are incorrect, you can edit them as you'd do on 
 an IOS device, make sure you update the kickstart and system as well.

 Upgrading from 5.2(3a) to 5.2(7) can be done using the install all
 (ISSU) method.

 Best regards

 On Tue, Nov 6, 2012 at 11:38 AM, Antonio Soares amsoa...@netcabo.pt
 wrote:
 Hello group,



 Anyone knows the difference between using the install all script or 
 just update the boot system flash command when upgrading NX-OS on a 
 Nexus
 7K ?



 The question applies to a single supervisor setup.



 The official documentation mentions the two ways of doing it:



 - using the install all script:



 http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#con_314241



 - using the traditional procedure:



 http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_39E26688E1204F8CAAE876450A575E73



 I had a bad experience in the past with the install all script. I 
 was doing an upgrade to a 7010 with only 1 supervisor that was 
 installed in
 slot 6.
 The install all script has a problem, maybe a bug, it only correctly 
 updates the boot variables for slot 5:



 boot kickstart bootflash:/n7000-s1-kickstart.5.2.3a.bin sup-1

 boot system bootflash:/n7000-s1

Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-08 Thread Antonio Soares
Thanks Tim, I will follow that procedure, it's the one that makes perfect
sense.

The documentation should be more clear about this kind of situations, don't
you think ?

There are important things that are omitted between steps 10 and 11:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_304731



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Tim Stevenson [mailto:tstev...@cisco.com] 
Sent: quinta-feira, 8 de Novembro de 2012 15:51
To: Antonio Soares; 'Dirk Woellhaf'
Cc: 'cisco-nsp'; 'Charles Spurgeon'
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

At 07:18 AM 11/8/2012, Antonio Soares mused:
I just have one SUP... You are talking about dual supervisors setup, right ?


Ah. In that case, clearly, the box is going to go offline when you upgrade.
You might want to consider buying another sup.

IMO, there is no huge benefit in using the install all script in a single
sup system - in the end, all it will do for you is a little sanity checking
and maybe save you from fat fingering a bootstring.

In your situation, I would copy over the new images you want; manually
change the bootstrings & save to startup; power off the box, yank the sup &
add the DRAM; and then power it all back on.

Tim



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net



-Original Message-
From: Dirk Woellhaf [mailto:dirk.woell...@gmail.com]
Sent: quinta-feira, 8 de Novembro de 2012 14:10
To: Antonio Soares
Cc: Charles Spurgeon; cisco-nsp
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

Hi Antonio,

You should be able to do the memory-upgrade without rebooting the box.
I've never done it on my own but I know a few which did without any 
problem. I believe they first upgraded the memory and then did the update!

Dirk

Sent from my iPhone

On 08.11.2012, at 13:42, Antonio Soares amsoa...@netcabo.pt wrote:

  Thanks, I don't know if you noticed but somewhere in the thread the 
  bug was mentioned and it is resolved in 5.1.5 and later.
 
  Bug CSCtn61286 - Boot variables are not set up correctly on Sup-2 
  after ISSU
 
  So in my case, it should not give me problems (5.2.3a to 5.2.7).
 
  But since I also need to upgrade the SUP1 RAM from 4G to 8G, I have 
  no other option than doing the traditional upgrade. It's the only 
  way to just send the box down 1 time:
 
  - update the boot variables
  - power off and upgrade the RAM
  - power on
 
  The install all script has another limitation: it won't let us to 
  reboot when we chose to do it. This is what happened to me last time:
 
  +
  Switch will be reloaded for disruptive upgrade.
  Do you want to continue with the installation (y/n)?  y
 
  Install is in progress, please wait.
 
  (..)
 
  A few minutes later:
 
  Finishing the upgrade, switch will reboot in 10 seconds.
  +
 
  I don't see how to upgrade the RAM and upgrade the NX-OS with the 
  install script in just one shot...
 
 
  Regards,
 
  Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt 
  http://www.ccie18473.net
 
 
  -Original Message-
  From: Charles Spurgeon [mailto:c.spurg...@austin.utexas.edu]
  Sent: quinta-feira, 8 de Novembro de 2012 00:50
  To: Antonio Soares
  Cc: 'Tóth András'; 'cisco-nsp'
  Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade
 
  While doing some more testing this aft I also removed the sup from 
  slot 5 and did a disruptive single sup ISSU upgrade from 5.1(5) to
  5.2(7) on the slot 6 sup without issues.
 
  -Charles
 
  On Tue, Nov 06, 2012 at 11:48:35PM +, Antonio Soares wrote:
  Great, I must confess that I searched a lot and I didn't find this 
  bug. So I suppose the install all script will work well this time. 
  I will come back to the list next week with the good news. I hope 
  :)
 
 
  Thanks.
 
  Regards,
 
  Antonio Soares, CCIE #18473 (RS/SP) amsoa...@netcabo.pt 
  http://www.ccie18473.net
 
 
 
  -Original Message-
  From: Tóth András [mailto:diosbej...@gmail.com]
  Sent: terça-feira, 6 de Novembro de 2012 23:35
  To: Antonio Soares
  Cc: cisco-nsp
  Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade
 
  Hi Antonio,
 
  In general, doing a traditional upgrade (changing boot variables) 
  will not update the BIOS for example, while an ISSU does and it's 
  non-disruptive with dual-supervisors.
 
  There's a defect which caused the behavior you were seeing,
  CSCtn61286 which affects 5.1(3). Since you were upgrading from that 
  version, it was still impacting the upgrade process. It has been 
  fixed in 5.1(4) and 5.2(1) already, so upgrading from 5.2(3a) to
  5.2(7) will not have the
  same issue.
 
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn61286
 
 
  If the boot variables are incorrect, you can edit them

[c-nsp] Nexus 7K NX-OS Upgrade

2012-11-06 Thread Antonio Soares
Hello group,

 

Anyone knows the difference between using the install all script or just
update the boot system flash command when upgrading NX-OS on a Nexus 7K ?

 

The question applies to a single supervisor setup.

 

The official documentation mentions the two ways of doing it:

 

- using the install all script:

 

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#con_314241

 

- using the traditional procedure:

 

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/upgrade/guide/b_Cisco_Nexus_7000_Series_NX-OS_Software_Upgrade_and_Downgrade_Guide__Release_5.x_chapter_00.html#task_39E26688E1204F8CAAE876450A575E73

 

I had a bad experience in the past with the install all script. I was doing
an upgrade to a 7010 with only 1 supervisor that was installed in slot 6.
The install all script has a problem, maybe a bug, it only correctly updates
the boot variables for slot 5:

 

boot kickstart bootflash:/n7000-s1-kickstart.5.2.3a.bin sup-1

boot system bootflash:/n7000-s1-dk9.5.2.3a.bin sup-1

boot kickstart bootflash:/n7000-s1-kickstart.5.1.3.bin sup-2

 

The install all script assumes that if there is only one supervisor, it
should be on slot 5. Above we can see that the boot system is missing for
sup-2.

 

In summary, is there any problem if I simply update the boot variables and
reload ? May I end up with the supervisor running the new NX-OS release and
the modules the old NX-OS release ?

 

 

Regards,

 

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt

http://www.ccie18473.net http://www.ccie18473.net/ 
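
A pre-reload check for the situation described in this post, as an added example that is not part of the original message: it parses the `boot` lines and reports any supervisor that lacks a kickstart or system variable or points at a different release. The function names and the `sup-1`/`sup-2` default are assumptions of this example; the sample input is the three lines quoted above.

```python
import re

# The three boot lines quoted in the post, after the install all run.
SAMPLE = """\
boot kickstart bootflash:/n7000-s1-kickstart.5.2.3a.bin sup-1
boot system bootflash:/n7000-s1-dk9.5.2.3a.bin sup-1
boot kickstart bootflash:/n7000-s1-kickstart.5.1.3.bin sup-2
"""

BOOT_RE = re.compile(r"^boot\s+(kickstart|system)\s+(\S+)\s+(sup-\d+)$")
# Release string embedded in the image file name, e.g. "5.2.3a" or "5.1.3".
VER_RE = re.compile(r"\.(\d+\.\d+\.\d+[a-z]?)\.bin$")


def parse_boot_vars(config_text):
    """Return {sup: {"kickstart"|"system": image_path}} from boot lines."""
    table = {}
    for line in config_text.splitlines():
        m = BOOT_RE.match(line.strip())
        if m:
            kind, image, sup = m.groups()
            table.setdefault(sup, {})[kind] = image
    return table


def image_version(path):
    """Extract the release from an image file name, or None if absent."""
    m = VER_RE.search(path)
    return m.group(1) if m else None


def check_boot_vars(config_text, target, sups=("sup-1", "sup-2")):
    """List every boot variable that is missing or not at the target release."""
    table = parse_boot_vars(config_text)
    problems = []
    for sup in sups:
        entry = table.get(sup, {})
        for kind in ("kickstart", "system"):
            image = entry.get(kind)
            if image is None:
                problems.append(f"{sup}: no boot {kind} variable")
                continue
            found = image_version(image)
            if found != target:
                problems.append(f"{sup}: boot {kind} is {found}, expected {target}")
    return problems


if __name__ == "__main__":
    for problem in check_boot_vars(SAMPLE, "5.2.3a"):
        print(problem)
```
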



Re: [c-nsp] Nexus 7K NX-OS Upgrade

2012-11-06 Thread Antonio Soares
Thanks, I appreciate your feedback. Since it is a lab environment, may I ask
you to see what happens when you upgrade with the install all script and
with the sup in slot 6 ? I had the problem when upgrading from 5.1.3 to
5.2.3a. Now I need to upgrade to 5.2.7 and I want to avoid the issue.



Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net


-Original Message-
From: Charles Spurgeon [mailto:c.spurg...@austin.utexas.edu] 
Sent: terça-feira, 6 de Novembro de 2012 22:39
To: Antonio Soares
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Nexus 7K NX-OS Upgrade

On Tue, Nov 06, 2012 at 10:38:46AM +, Antonio Soares wrote:
 Hello group,
 
  
 
 Anyone knows the difference between using the install all script or 
 just update the boot system flash command when upgrading NX-OS on a Nexus 7K ?
 

 In summary, is there any problem if I simply update the boot variables 
 and reload ? May I end up with the supervisor running the new NX-OS 
 release and the modules the old NX-OS release ?
 

I was just testing that this aft and it works fine in my lab tests, with the
caveat that I have a dual-sup 7010. 

Manually configuring the boot strings and then typing reload resulted in
sups and mods all coming up on the new code.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurg...@its.utexas.edu / 512.475.9265





[c-nsp] ASA High Availability - Stateful Failover with Dynamic Routing Protocols

2012-10-25 Thread Antonio Soares
Hello group,

ASA release 8.4.1 introduced a feature called Stateful Failover with
Dynamic Routing Protocols:

Routes that are learned through dynamic routing protocols (such as OSPF and
EIGRP) on the active unit are now maintained in a Routing Information Base
(RIB) table on the standby unit. Upon a failover event, traffic on the
secondary active unit now passes with minimal disruption because routes are
known. Routes are synchronized only for link-up or link-down events on an
active unit. If the link goes up or down on the standby unit, dynamic routes
sent from the active unit may be lost. This is normal, expected behavior.

http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp43273

But this feature has many limitations. When you have a failover and you are
peering with another IOS Router or Switch, the IOS device detects that the
neighbor changed and deletes everything learned from the ASA and about 10
seconds later rebuilds the routing table:

+++
000190: *Mar  1 04:08:26: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from FULL to EXSTART, SeqNumberMismatch
000191: *Mar  1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from EXSTART to EXCHANGE, Negotiation Done
000192: *Mar  1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from EXCHANGE to LOADING, Exchange Done
000193: *Mar  1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from LOADING to FULL, Loading Done

000194: *Mar  1 04:08:32.277: RT: del 172.x.x.x/29 via 172.x.x.x, ospf metric [110/21]

(...)

000275: *Mar  1 04:08:42.284: RT: add 172.x.x.x/29 via 172.x.x.x, ospf metric [110/21]
+++

This causes the obvious downtime of 10 seconds but worse than that, other
ASAs in the network terminate the TCP connections due to lack of routing
information:

+++
%ASA-6-110003: Routing failed to locate next hop for TCP from outside:172.x.x.x/23 to inside:9.x.x.x/35365
%ASA-6-302014: Teardown TCP connection 3609 for inside:9.x.x.x/35365 to outside:172.x.x.x/23 duration 0:01:00 bytes 50721 No valid adjacency
+++

Cisco has an enhancement to solve this that basically is the implementation
of the Non-Stop Forwarding feature (CSCsu90386) but it seems it will take
months or years to be available.

Basically the current implementation of Stateful Failover is a Joke. The
only workaround I have is getting rid of OSPF or EIGRP and use static
routing.


Does anyone has/had this problem and found any type of workaround ?

I have this in the lab if someone is interested in more details:

(inside network)===IOS Switch===OSPF===ASA Failover Pair===OSPF===ASA
Failover Pair===(outside network)


Thanks.

Regards,

Antonio Soares, CCIE #18473 (RS/SP)
amsoa...@netcabo.pt
http://www.ccie18473.net
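
The outage window in the IOS excerpt above can be measured directly from the log, shown here as an added example that is not part of the original post: it times each OSPF adjacency drop out of FULL and each route that is deleted and later re-added. The function names are assumptions of this example, and the sample is built from the quoted lines with the wrapped lines rejoined.

```python
import re
from datetime import datetime

# Constructed sample: the IOS lines quoted in the post, wrapped lines
# rejoined and addresses left redacted exactly as posted.
SAMPLE = """\
000190: *Mar  1 04:08:26: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from FULL to EXSTART, SeqNumberMismatch
000191: *Mar  1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from EXSTART to EXCHANGE, Negotiation Done
000192: *Mar  1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from EXCHANGE to LOADING, Exchange Done
000193: *Mar  1 04:08:31: %OSPF-5-ADJCHG: Process 2011, Nbr 172.x.x.x on Vlanxxx from LOADING to FULL, Loading Done
000194: *Mar  1 04:08:32.277: RT: del 172.x.x.x/29 via 172.x.x.x, ospf metric [110/21]
000275: *Mar  1 04:08:42.284: RT: add 172.x.x.x/29 via 172.x.x.x, ospf metric [110/21]
"""

STAMP = r"\*(\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?)"
ADJ_RE = re.compile(STAMP + r": %OSPF-5-ADJCHG: .*Nbr (\S+) on (\S+) from (\w+) to (\w+)")
RT_RE = re.compile(STAMP + r": RT: (add|del) (\S+) via \S+, ospf")


def parse_stamp(text):
    """Parse 'Mar  1 04:08:32.277'; the log has no year, so 2000 is assumed."""
    text = "2000 " + " ".join(text.split())
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in text else "%Y %b %d %H:%M:%S"
    return datetime.strptime(text, fmt)


def adjacency_resets(log):
    """Return (neighbor, interface, seconds) per drop out of FULL and back."""
    left_full, resets = {}, []
    for line in log.splitlines():
        m = ADJ_RE.search(line)
        if not m:
            continue
        when, nbr, intf, old, new = m.groups()
        key = (nbr, intf)
        if old == "FULL":
            left_full[key] = parse_stamp(when)
        elif new == "FULL" and key in left_full:
            delta = parse_stamp(when) - left_full.pop(key)
            resets.append((nbr, intf, delta.total_seconds()))
    return resets


def route_gaps(log):
    """Return (prefix, seconds) for each OSPF route deleted then re-added."""
    deleted, gaps = {}, []
    for line in log.splitlines():
        m = RT_RE.search(line)
        if not m:
            continue
        when, action, prefix = m.groups()
        if action == "del":
            deleted[prefix] = parse_stamp(when)
        elif prefix in deleted:
            delta = parse_stamp(when) - deleted.pop(prefix)
            gaps.append((prefix, round(delta.total_seconds(), 3)))
    return gaps
```

On the sample, the adjacency is out of FULL for 5 seconds and the route is absent for about 10 seconds, the window in which the downstream ASAs log `No valid adjacency`.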




