Re: [c-nsp] ASR9K XR 6.4.2 and SNMP monitoring

2019-12-17 Thread Bruce Pinsky

On 12/17/2019 2:30 PM, Lee Starnes wrote:

Hello everyone,

I am trying to find out if there is a way to monitor the CRIT, MAJ, MIN and
Fail alarms via SNMP. I read through a boatload of documentation on SNMP
monitoring for the ASR but was not able to find anything on these alarms. I
want to poll the system for status, bit trap send them.

Does anyone know if this is possible?
These are the alarms we are looking for,
#sh environment leds
Tue Dec 17 14:25:26.016 PST
R/S/I   Modules LED Status
0/RSP0/*
 hostCritical-Alarm  Off
 hostMajor-Alarm Off
 hostMinor-Alarm Off
 hostACO Off
 hostFail Off
0/RSP1/*
 hostCritical-Alarm  Off
 hostMajor-Alarm Off
 hostMinor-Alarm Off
 hostACO Off
 hostFail Off



Have you looked at the Entity Alarm MIB?

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENTITY-ALARM-MIB.my

Full list of ASR1K MIBs here
ftp://ftp.cisco.com/pub/mibs/supportlists/asr1000/asr1000-supportlist.html

--
=
bep


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
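If SNMP polling of these LEDs turns out not to be available, the same state can be collected by screen-scraping the CLI over SSH. The parser below is an added example, not from the thread, that turns the "show environment leds" output into a single severity a poller can act on. The sample output is constructed in the format quoted above, with one LED lit; the severity ranks (treating hostFail as critical, and leaving hostACO out because ACO is the alarm cut-off indicator rather than an alarm) are assumptions of the example.

```python
"""Parse IOS XR 'show environment leds' output and roll the LED states up
into one severity for a poller.

Added example, not from the original thread. SAMPLE_OUTPUT is constructed
to mirror the format quoted in the thread, with one LED lit. The severity
ranks, treating hostFail as critical, and ignoring hostACO (alarm cut-off,
an operator acknowledgement rather than an alarm) are assumptions.
"""
import re

SAMPLE_OUTPUT = """\
Tue Dec 17 14:25:26.016 PST
R/S/I   Modules LED Status
0/RSP0/*
 hostCritical-Alarm  Off
 hostMajor-Alarm     On
 hostMinor-Alarm     Off
 hostACO             Off
 hostFail            Off
0/RSP1/*
 hostCritical-Alarm  Off
 hostMajor-Alarm     Off
 hostMinor-Alarm     Off
 hostACO             Off
 hostFail            Off
"""

# LED name -> (severity label, rank); the highest rank wins in the roll-up.
LED_SEVERITY = {
    "hostCritical-Alarm": ("critical", 3),
    "hostFail": ("critical", 3),     # assumption: a failed host is treated as critical
    "hostMajor-Alarm": ("major", 2),
    "hostMinor-Alarm": ("minor", 1),
}

SLOT_RE = re.compile(r"^\d+/\S+$")   # slot header such as 0/RSP0/*


def parse_leds(text):
    """Return {slot: {led_name: state}} from 'show environment leds' output.

    The timestamp and the column header carry more than two tokens and no
    slot has been seen yet, so they are skipped naturally.
    """
    leds = {}
    slot = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SLOT_RE.match(line):
            slot = line
            leds[slot] = {}
            continue
        parts = line.split()
        if slot is not None and len(parts) == 2:
            name, state = parts
            leds[slot][name] = state
    return leds


def active_alarms(leds):
    """List (slot, led, severity) for every alarm LED that is not Off."""
    found = []
    for slot, states in leds.items():
        for name, state in states.items():
            if name in LED_SEVERITY and state != "Off":
                found.append((slot, name, LED_SEVERITY[name][0]))
    return found


def worst_severity(leds):
    """Highest-ranked lit alarm LED across all slots, or 'ok' if none is lit."""
    worst_label, worst_rank = "ok", 0
    for _slot, name, _sev in active_alarms(leds):
        label, rank = LED_SEVERITY[name]
        if rank > worst_rank:
            worst_label, worst_rank = label, rank
    return worst_label


if __name__ == "__main__":
    parsed = parse_leds(SAMPLE_OUTPUT)
    for slot, name, sev in active_alarms(parsed):
        print(f"{slot}: {name} lit ({sev})")
    print("overall:", worst_severity(parsed))
```

Run it against the real command output captured over SSH in place of SAMPLE_OUTPUT; the check exits with whatever your monitoring system maps "critical", "major", "minor" and "ok" to.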


Re: [c-nsp] 10Gb for VSAN

2018-07-25 Thread Bruce Pinsky
On 7/25/2018 6:39 AM, Nick Cutting wrote:
> Nexus 93xx are also suitable for this task. We have tested VSAN on these.
> They talk about buffers in the VSAN Docs?
> 

Second that recommendation.  We are running VSAN successfully on 93xx-EX in
our spine/leaf topology with 9508 spines.

-- 
=
bep




Re: [c-nsp] BGP partial routes and partial carrier failures

2014-10-03 Thread Bruce Pinsky
On 10/3/2014 12:38 AM, Saku Ytti wrote:
 On (2014-10-02 12:29 -0700), Bruce Pinsky wrote:
 
 Hi Bruce,
 
 How about not taking the default from them and set your own default based
 on whatever criteria you chose.  You could, for instance, use Conditional
 Advertisements to inject the default based on the presence or absence of
 routing information from one or the other provider.  You could also use PfR
 to select the outbound path based on availability/performance/cost.
 
 You don't actually need anything this complex. Just recursing static route
 will do, and IOS by default recurses.
 So both upstreams would advertise to you some prefix they don't originate in
 the peer router, maybe their PA network from the core.
 
 Then you'd have something like
 ip route 0.0.0.0 0.0.0.0 pa-prefix
 
 If one upstream peer gets disconnected from their core, the PA-prefix is no
 longer sent via that peer, and it'll now recurse to the other provider.
 

This can certainly work.  The good thing about conditional advertisements
is that they don't have to depend on just one prefix.  With the recurse
method, they do.

-- 
=
bep




Re: [c-nsp] EIGRP feasible successors

2014-10-03 Thread Bruce Pinsky
On 10/3/2014 7:03 AM, Howard, Christopher wrote:
 I'm hoping for some clarification as to whether I'm incorrect or my switch
 is incorrect.
 
 I have a switch (4500X) that has 3 different routes to another switch.
 Two routes traverse 10G links and the other is a 1G link.  However,
 traffic is getting transferred through the 1G link thanks to EIGRP.  I
 think EIGRP is wrong.
 
 
 First, the topology table says it has 3 successors, but only lists 2.  I
 have filtered out to just one subnet, but there are others this way.
 
 switch#sh ip eigrp vrf green topology
 P 172.1.2.0/24, 3 successors, FD is 3072
 via 10.1.1.6 (3072/2816), Vlan910
 via 10.1.9.6 (3072/2816), Vlan2910
 
 
 If I tell it to show me all links in the topology table, I can see the
 third route.
 
 switch#sh ip eigrp vrf green topology all-links
 P 172.1.2.0/24, 3 successors, FD is 3072, serno 25436
 via 10.1.1.6 (3072/2816), Vlan910
 via 10.1.9.6 (3072/2816), Vlan2910
 via 10.1.5.3 (3328/3072), Vlan1910
 
 
 Now, as I understand it, the first two routes are successors because they
 have the lowest feasible distance.  The third route should not be
 considered a feasible successor because the advertised distance is equal
 to the feasible distance of the successors (the feasibility condition
 explicitly states less than).  However, it appears that the switch is
 considering this third route as a successor.
 
 
 And worse, due to the use of the variance command, the switch is using the
 third route as the active one.
 
 switch#sh ip route vrf green 172.1.2.0
   Last update from 10.1.9.6 on Vlan2910, 3w5d ago
 10.1.9.6, from 10.1.9.6, 3w5d ago, via Vlan2910
   Route metric is 3072, traffic share count is 40
   * 10.1.5.3, from 10.1.5.3, 3w5d ago, via Vlan1910
   Route metric is 3328, traffic share count is 37
 10.1.1.6, from 10.1.1.6, 3w5d ago, via Vlan910
   Route metric is 3072, traffic share count is 40
 
 
 I can remove the variance from EIGRP so that route will drop from the
 route table, but am I incorrect in thinking that route should not be a
 feasible successor in the first place?
 
 

No, there are two conditions that must be met for variance to work.  The
first is this one:

The route must be loop-free. This condition is satisfied when the reported
distance is less than the total distance or when the route is a feasible
successor.

I think you are getting bit by the first part of the condition because the
computed total distance is 3328 and the reported distance is 3072.

Now variance works as multiples of the metric of the best route.  So, if
you have any variance other than 1, that third path is going to be installed.

-- 
=
bep


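A worked version of the two variance conditions, added here as an example and not part of the thread. The paths are the three entries shown for 172.1.2.0/24 by "show ip eigrp topology all-links" as (computed distance, reported distance). The loop-free test is implemented as the reply reads the documentation text, comparing each path's reported distance with that path's own computed distance; the strict DUAL feasibility condition (RD less than the successor's FD) is computed alongside so the difference between "feasible successor" and "installable under variance" is visible.

```python
"""Successor, feasible-successor and variance selection for one EIGRP prefix.

Added example, not part of the thread. PATHS holds the three entries shown
for 172.1.2.0/24 as (next hop, interface, computed distance, reported
distance); the two variance conditions are the ones quoted in the reply.
"""

PATHS = [
    ("10.1.1.6", "Vlan910",  3072, 2816),
    ("10.1.9.6", "Vlan2910", 3072, 2816),
    ("10.1.5.3", "Vlan1910", 3328, 3072),
]


def successors(paths):
    """Paths with the lowest computed distance; that distance is the FD."""
    fd = min(computed for _, _, computed, _ in paths)
    return [p for p in paths if p[2] == fd], fd


def feasible_successors(paths):
    """Strict DUAL feasibility condition: RD < FD of the successor (not <=)."""
    succ, fd = successors(paths)
    return [p for p in paths if p not in succ and p[3] < fd]


def installed_with_variance(paths, variance):
    """Paths the RIB installs under 'variance <n>', using the two conditions
    quoted in the reply:
      1. loop-free: the path's RD is less than that path's own computed
         distance, or the path is a feasible successor;
      2. the path's computed distance is less than variance * FD.
    """
    succ, fd = successors(paths)
    fs = feasible_successors(paths)
    chosen = list(succ)
    for p in paths:
        if p in succ:
            continue
        _, _, computed, reported = p
        loop_free = reported < computed or p in fs
        if loop_free and computed < variance * fd:
            chosen.append(p)
    return chosen


def explain(paths, variance):
    """Human-readable summary of the selection for a given variance."""
    succ, fd = successors(paths)
    fs = feasible_successors(paths)
    chosen = installed_with_variance(paths, variance)
    return "\n".join([
        f"FD = {fd}; successors: {[p[0] for p in succ]}",
        f"feasible successors (RD < FD): {[p[0] for p in fs]}",
        f"installed with variance {variance}: {[p[0] for p in chosen]}",
    ])


if __name__ == "__main__":
    for v in (1, 2):
        print(explain(PATHS, v), end="\n\n")
```

With variance 1 only the two 3072 paths are installed; with any larger variance the 10.1.5.3 path passes both conditions (3072 < 3328 and 3328 < 2 * 3072) even though it is not a feasible successor under the strict RD < FD test.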


Re: [c-nsp] BGP partial routes and partial carrier failures

2014-10-02 Thread Bruce Pinsky
On 10/2/2014 12:14 PM, Paul Wozney wrote:
 Someone on another forum suggested using IP SLA and EEM to react to network
 changes.  It's definitely an idea.
 

How about not taking the default from them and set your own default based
on whatever criteria you chose.  You could, for instance, use Conditional
Advertisements to inject the default based on the presence or absence of
routing information from one or the other provider.  You could also use PfR
to select the outbound path based on availability/performance/cost.

As is normally the case with Cisco, there are any number of ways to skin
this cat, but the key is not taking default from the providers since you
can't trust them.  Taking full routes achieves the same thing (by getting
rid of default), but you can solve this issue without the additional memory
load and potentially cost.

-- 
=
bep




Re: [c-nsp] Global vs. VRF

2014-08-05 Thread Bruce Pinsky
On 8/5/2014 1:35 AM, M K wrote:
 In an MPLS network, if a router receives the same route from global and at
 the same time through a VRF, will there be a problem? Will it prefer
 one over the other? We are using the same routing protocol.
 

Packets that are being routed in the global context will use the route in
the global table.  Packets that are being routed in the VRF context will
use the route in the VRF table.

Really no different than having the same route in two different VRFs.

-- 
=
bep




Re: [c-nsp] Dual Homing

2014-05-14 Thread Bruce Pinsky
Darwis Herman wrote:
 Dear Gurus and Friend,
 
 I am seeking a little help on my setup as below:-
 
 
           /---1st Link (C4500)---\
   ISP ---                          --- CUSTOMER (Fortigate 200B)
           \---2nd Link (C4500)---/
 
 
 Current Setup:-
 
 Customer has 2 connections to the same ISP.
 ISP assigned both links with 2 VLANs with point-to-point (/30) IP addresses 
 for gateway termination.
 ISP also assigned a pool of /27 public IP addresses to CUSTOMER.
 CUSTOMER requires the /27 public IP to be accessible from both links.
 
 

What are you expecting out of the C4500's?  ISP controls the inbound.
Fortigate controls the outbound.

-- 
=
bep




Re: [c-nsp] MPLS/VPN Loadbalancing with 2 CPE routers

2013-12-23 Thread Bruce Pinsky
Oliver Boehmer (oboehmer) wrote:
 
  


 Oliver, forget what I said... I've read will prefer instead of will
 never prefer :-(

 It's good to know that another provider is using this kind of
 architecture. It's not something we want to use for all our customers
 but this specific customer has some constraints
 which require to loadbalance their traffic.

 I guess we could also use OSPF and have the same cost for the path CE1
 -- PE1 and the second path CE1 -- CE2 -- PE2. What would be the best
 in this case ? eBGP multihop or OSPF
 with costs ? 


 if OSPF is an option, I would prefer this as it is cleaner and more
 natural routing, and no risk of running into loops.
 
 and with OSPF you could even come up with an EEM script on the CEs to
 adjust the CE-PE link metric based on the HSRP status, so you can even
 provide load-sharing when the HSRP master fails over to the standby (if
 such a failure scenario would still allow the standby CE to perform
 load-sharing, that is)..
 

Isn't this a classic case for PfR?

- -- 
=
bep



Re: [c-nsp] raspberry pi

2013-11-23 Thread Bruce Pinsky
Preston Chilcote (pchilcot) wrote:
 Hi Everyone,
 I'm curious:  Does anyone use one or more raspberry pis in their network
 (for networking related stuff)?  What kinds of things are they used for?
 

For my home network, I use it as a secondary/backup server for local
services like DHCP, DNS, NTP, Squid proxy-filtering, etc.

- -- 
=
bep



Re: [c-nsp] DMVPN/mGRE on L3VPN - anyone experience issues with encapsulation overhead/MTU?

2013-10-09 Thread Bruce Pinsky
JP Senior wrote:
 Hey, all.
 I'm looking at an option to consolidate and reduce complexity of a 
 multi-provider L3VPN network in a way that lets me also use internet-based 
 VPNs for backup.  Right now I have dual provider uplinks at all of my sites 
 to provide me inter-office WAN connectivity.
 
 DMVPN is a nice and easy option where I can have everything run in a single 
 routing domain, drastically simplifying my network topology.
 
 Has anyone experience with a network running in such a design?  I am 
 concerned about increased latency, and worse, packet overhead.  I'm not sure 
 I'll be able to get jumbos on these providers, so I'll have to deal with 
 ipsec/gre overhead.  I don't do anything crazy blocking with ICMP, but I'm 
 still hesitant to move forward with such a design.
 
 -JP Senior
 

I have customers who run DMVPN over both L3VPN and Internet as the
substrate so that they have consistency in the design and architecture.
There can be MTU issues, but that varies by provider.  Otherwise, it works
great for them.


- -- 
=
bep

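The MTU issue mentioned above is arithmetic, so here is the arithmetic as an added example (not from the thread or from Cisco). It computes the largest tunnel "ip mtu" and the matching TCP MSS for GRE over IPsec on a 1500-byte transport. Header sizes are the standard IPv4, GRE, TCP and ESP values; the cipher and integrity parameters (AES-CBC with a 16-byte IV, 96-bit HMAC ICV), the default of IPsec transport mode under GRE, and the optional GRE tunnel key are assumptions of the example.

```python
"""GRE+IPsec overhead arithmetic for a DMVPN tunnel on a 1500-byte transport.

Added example, not from the thread. Header sizes are the standard IPv4, GRE,
TCP and ESP values; the cipher/integrity parameters (AES-CBC 16-byte IV,
96-bit HMAC ICV) and IPsec transport mode as the default are assumptions.
"""

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4          # base GRE header; a configured tunnel key adds 4 more


def esp_overhead(encrypted_len, iv_len=16, icv_len=12, block=16):
    """Bytes ESP adds around an encrypted_len-byte payload.

    SPI (4) + sequence (4) + IV, then padding so that payload + pad + the
    2-byte trailer (pad length, next header) is a whole number of cipher
    blocks, then the ICV.
    """
    pad = -(encrypted_len + 2) % block
    return 4 + 4 + iv_len + pad + 2 + icv_len


def outer_size(inner_len, gre_key=False, tunnel_mode=False, **esp_kw):
    """Size on the wire of an inner IPv4 packet after GRE and ESP."""
    gre = GRE_HDR + (4 if gre_key else 0)
    if tunnel_mode:
        # the whole GRE packet (delivery IP + GRE + inner) is encrypted and
        # wrapped in a new outer IPv4 header
        encrypted = IPV4_HDR + gre + inner_len
    else:
        # transport mode: the GRE delivery header is reused as the outer
        # header and only GRE + inner packet is encrypted
        encrypted = gre + inner_len
    return IPV4_HDR + esp_overhead(encrypted, **esp_kw) + encrypted


def max_tunnel_mtu(transport_mtu=1500, **kw):
    """Largest tunnel 'ip mtu' whose encapsulated packets never exceed transport_mtu."""
    for inner in range(transport_mtu, 0, -1):
        if outer_size(inner, **kw) <= transport_mtu:
            return inner
    raise ValueError("transport MTU too small for the encapsulation")


def tcp_mss(tunnel_mtu):
    """Matching 'ip tcp adjust-mss' value for a tunnel with the given ip mtu."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for label, kw in (("transport mode, no key", {}),
                      ("transport mode, GRE key", {"gre_key": True}),
                      ("tunnel mode, no key", {"tunnel_mode": True})):
        mtu = max_tunnel_mtu(1500, **kw)
        print(f"{label:24s} ip mtu {mtu}  tcp mss {tcp_mss(mtu)}")
```

The commonly configured "ip mtu 1400" with "ip tcp adjust-mss 1360" sits below all three results, which is what buys the headroom for whatever the provider adds on its side (label stacks on the L3VPN path, for instance).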


Re: [c-nsp] XRv (xr on a server)

2013-10-04 Thread Bruce Pinsky
Nick Hilliard wrote:
 On 03/10/2013 16:16, quinn snyder wrote:
 on a side note -- it requires a lot of compute to run successfully (ram
 and proc).
 
 It shouldn't need that much (although the csr1000v's insane compute
 requirements are a complete mystery to me) - anyway, ram and cpu are both
 cheap resources these days.
 
 large scale networks will require large pools of  resources.
 
 This may or may not be true, depending on the scale of what you're trying
 to model.  A hypervisor with 8 cores and 128 gigs of ram costs a small
 amount of money, and would be enough to run a relatively large model
 deployment.
 


XRv images typically require from about 4G to 8G each of RAM depending on
the image.  That's on top of the orchestration pieces which aren't that
heavy weight.  Other operating systems are around 4G each currently.


 the software may be free -- but running it may not be if you're short on
 servers.
 
 The software costs money to develop but there is no cost associated with
 making another copy of it.
 

There are costs for ongoing development and sustaining.  There are also
costs to provide real product support.

 The most important thing for Cisco to remember is that it's trivial to
 build virtualised test labs with Junos Olive.  This approach allows people
 to learn enough about the operating system that they feel comfortable about
 switching to or buying more Juniper kit.  I know a good many people who
 started out with Olive and who liked it so much they started buying Juniper
 kit in volume.  Cisco really missed the boat on this - to their cost.
 
 I don't particularly expect Cisco to provide this sort of facility for
 free, but unless they refrain from their usual policy of premium pricing,
 I'll shrug my shoulders, then move on and spend my budgets on other vendors.
 

There will be different delivery models and price points that should be
attractive to multiple customer audiences.


- -- 
=
bep



Re: [c-nsp] Ethernet interface QoS

2013-09-27 Thread Bruce Pinsky
Steven Saner wrote:
 I have a QoS question that I'm hoping someone can help me understand.
 
 We use last mile technology that is ethernet based. So at one end of a
 link we might have a router with a FastEthernet interface connected to
 some device that acts as an ethernet bridge connected to some last mile
 technology (ethernet-over-copper, xDSL, etc).
 
 I need to perform some QoS to give priority to VOIP traffic. I
 understand basically how to set up policy-maps on a Cisco router to
 classify the traffic that I am interested in and then give priority to
 that traffic. I also understand that such policy maps affect queuing
 during times of congestion. My question is, does the interface know when
 the network is congested?
 
 The router interface may be 100 Mbps. It is then connected to a last
 mile technology device and the bandwidth capacity through this last mile
 technology is, say, 5 Mbps. So if the router tries to send data at a
 rate that is greater than 5 Mbps, we have congestion in the network.
 But, that is no where near the capacity of the router's physical
 interface. Does the router know at that point that congestion is
 happening, and do the policy maps go in to effect? If not, is there some
 way to tell the 100 Mbps ethernet interface that it only has 5 Mbps to
 work with? Or, is the only way to get QoS to work in this case, to do it
 on the last mile technology gear where the bottleneck actually occurs?
 
 I fear I'm missing some fundamental truth here. Thanks for any help.
 
 Steve
 


You need to shape the overall traffic to the bandwidth capacity you have
purchased on the link.  So, in your case, you have a 100Mbps ethernet
presentation that needs to be shaped to 5Mbps.  Then, within that 5Mbps,
you need to shape/police your various traffic classes.  Basically,
Hierarchical Queuing.

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/qos_frhqf_support.html

- -- 
=
bep

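The following tick-based simulation is an added example, not from the thread or from Cisco, to show why the parent shaper is the point. It compares a 5 Mbps FIFO bottleneck the router is unaware of (the last-mile device queueing and tail-dropping whatever the 100 Mbps port sends) against a router-side parent shaper at 5 Mbps with a child priority class for voice, which is the hierarchical policy described above. Rates, packet sizes, queue depth and the 2 Mbps priority policer are constructed numbers.

```python
"""Toy simulation of a 100 Mbps port feeding a 5 Mbps last-mile circuit.

Added example, not from the thread. 'fifo' models a router that does no
shaping: the 5 Mbps bottleneck is one FIFO queue downstream that sees voice
and bulk alike. 'llq' models a parent shaper at 5 Mbps on the router with a
child priority class for voice. All numbers are constructed for illustration.
"""
from collections import deque

SHAPE_BPMS = 5_000_000 // 8 // 1000      # 625 bytes per ms  == 5 Mbps
SHAPE_BURST = 3 * SHAPE_BPMS             # credit the shaper may bank between ticks
PRIO_BPMS = 2_000_000 // 8 // 1000       # priority class policed to 2 Mbps
QUEUE_LIMIT = 64                         # packets per queue before tail drop

VOICE_SIZE, VOICE_INTERVAL = 200, 2      # 200-byte voice packet every 2 ms (~0.8 Mbps)
BULK_SIZE, BULK_PER_TICK = 1500, 8       # ~96 Mbps of bulk traffic offered


def simulate(policy, ticks=2000):
    """Run `ticks` milliseconds under 'fifo' or 'llq'; return queueing stats."""
    voice_q, bulk_q = deque(), deque()   # under 'fifo' everything goes into bulk_q
    credit, prio_tokens = 0, 0
    stats = {"max_voice_delay_ms": 0, "voice_drops": 0, "bulk_drops": 0}

    def enqueue(q, pkt, drop_key):
        if len(q) >= QUEUE_LIMIT:
            stats[drop_key] += 1         # tail drop
        else:
            q.append(pkt)

    def served(pkt, now):
        cls, _size, arrived = pkt
        if cls == "voice":
            stats["max_voice_delay_ms"] = max(stats["max_voice_delay_ms"], now - arrived)

    for t in range(ticks):
        # arrivals this tick: (class, size, arrival tick)
        if t % VOICE_INTERVAL == 0:
            target = voice_q if policy == "llq" else bulk_q
            enqueue(target, ("voice", VOICE_SIZE, t), "voice_drops")
        for _ in range(BULK_PER_TICK):
            enqueue(bulk_q, ("bulk", BULK_SIZE, t), "bulk_drops")

        # parent shaper banks this tick's credit; priority policer likewise
        credit = min(credit + SHAPE_BPMS, SHAPE_BURST)
        prio_tokens = min(prio_tokens + PRIO_BPMS, 4 * PRIO_BPMS)

        # child priority class is served first, within its policer
        while voice_q and voice_q[0][1] <= min(credit, prio_tokens):
            pkt = voice_q.popleft()
            credit -= pkt[1]
            prio_tokens -= pkt[1]
            served(pkt, t)

        # whatever shaper credit is left goes to the default queue
        while bulk_q and bulk_q[0][1] <= credit:
            pkt = bulk_q.popleft()
            credit -= pkt[1]
            served(pkt, t)
    return stats


if __name__ == "__main__":
    for policy in ("fifo", "llq"):
        print(policy, simulate(policy))
```

Under "fifo" voice packets wait behind tens of 1500-byte packets (over 100 ms at 5 Mbps) and some are tail-dropped; under "llq" the shaper makes the router the congestion point, so the priority queue engages and voice delay stays at a tick. Bulk drops are heavy in both cases, as they must be with 96 Mbps offered to 5 Mbps.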


Re: [c-nsp] fabricpath and qos

2013-08-07 Thread Bruce Pinsky
Arne Larsen / Region Nordjylland wrote:
 Hi all
 
 Does someone know about fabricpath and qos implementation
 How it works, is it different for normal qos on nexus, and if where can I 
 find some doc about it.
 

What relationship are you looking for between FabricPath and QoS?

- -- 
=
bep



Re: [c-nsp] Cisco LFA FRR

2013-08-06 Thread Bruce Pinsky
M K wrote:
 I had a look at many Cisco documents related to this topic , but was
 not so clear
 

What isn't clear about the Cisco doc that Fredrik references?

- -- 
=
bep



Re: [c-nsp] How to tell what routes are not in CEF and follow DEFAULT path?

2013-07-02 Thread Bruce Pinsky
Jeffrey G. Fitzwater wrote:
 
 I would like to find out what routes are NOT in my route table and
 therefore follow the DEFAULT path to 0.0.0.0.
 
 
 I am running a 6500 sup-720-10G with SXI.  Is there any CEF command that
 might tell me this or is it something very simple I just missed.
 
 Would  show ip cef unresolved work ?  I get nothing back when I run it
 but maybe there is nothing to see.
 

There isn't a command to say print me all the IPv4 routes that aren't in
my routing table.  Think about it for a minute...


- -- 
=
bep



Re: [c-nsp] How to tell what routes are not in CEF and follow DEFAULT path?

2013-07-02 Thread Bruce Pinsky
Jeffrey G. Fitzwater wrote:
 I have 0.0.0.0 pointing to one of our ISP so that any prefix  /24 (
 which we don't permit in from any ISP) would get pushed to that ISP
 which might have route.
 
 I am just trying to figure out how may are being pushed to default.
 
 

Netflow?

- -- 
=
bep



Re: [c-nsp] MPLS L3VPN - EIGRP routes not being advertised to CE router

2013-06-12 Thread Bruce Pinsky
Dan Brisson wrote:
 Right, in IP Base an eigrp device can only function in stub mode which
 means it won't pass on any dynamically learned routes. Static routes
 would fix this problem but I doubt u want to go down that road.
 

Since it's stub, it should be able to send default and summary routes.
Generate a default and use the eigrp summary-address command on the CE
facing interface to generate a summarized EIGRP route toward the CE.

- -- 
=
bep



Re: [c-nsp] MPLS L3VPN - EIGRP routes not being advertised to CE router

2013-06-11 Thread Bruce Pinsky
Tim Huffman wrote:
 Although we've done several MPLS VPNs in the past, we've always used BGP as 
 the PE-CE routing protocol. Now, I have a new customer that wants to use 
 EIGRP instead. The configuration doesn't seem too hard, but something isn't 
 working correctly:
 
 
 -  We are learning routes from the customer at each location (2 
 currently, with more to follow)
 
 -  PE1 and PE2 both learn routes from their respective CE1 and CE2
 
 -  Those routes get passed onto our Route Reflector
 
 -  PE2 knows routes in the VRF from PE1, and vice versa
 
 -  Neither CE1 nor CE2 are learning any routes, other than connected 
 ones
 
 The customer is getting antsy, and from the documentation I can find, we 
 should be set up correctly. Any help you guys can provide would be GREATLY 
 appreciated! Now the details:
 
 PE1=RR==PE2
 | |
 | |
 CE1 CE2
 
 Our Route Reflector is a Catalyst 6503 w/SUP720-3BXL running 12.2(33)SXH5. 
 The two PEs are ME-C6524GT-8S running 12.2(18)ZU2. Below is the config from 
 the PE routers (IPs and ASNs changed to protect the innocent):
 
 ip vrf CustomerA
 description L3VPN for CustomerA
 rd 65002:10
 route-target export 65002:10
 route-target import 65002:10
 
 router eigrp 65002
 auto-summary
 !
 address-family ipv4 vrf CustomerA
 redistribute bgp 1234
 network 10.3.63.0 0.0.0.3
 default-metric 1 1 255 1 1500
 no auto-summary
 autonomous-system 65002
 eigrp stub connected summary
 exit-address-family
 eigrp stub connected summary
 

You have it set up as EIGRP Stub with Summary.  What routes are you
expecting to see at each of the respective CE's?


- -- 
=
bep



Re: [c-nsp] BGP Signalled VPLS

2013-04-24 Thread Bruce Pinsky
Adam Vitkovsky wrote:
 advertisement and the use of a split-horizon label appended to
 multi-destination packets. 
 Or in case of the PBB overlay simply by common b-mac source address. 
 

Yes, that too.  I was speaking to eVPN vs PBB.

- -- 
=
bep



Re: [c-nsp] BGP Signalled VPLS

2013-04-24 Thread Bruce Pinsky
Caillin Bathern wrote:
 Aaron,
 
 I think bep is referring to EVPN in his comment.  In BGP signalled + BGP
 AD VPLS, you don't use a specific split-horizon label.  Instead if you
 think of the most simple case where you have three PEs: PE-A, PE-B and
 PE-C.  PE-A (better local pref)and PE-B (worse local pref) are
 multi-homed to site CE-A and PE-C is single-homed to site CE-C.
 Now if you consider the BGP advertisements received at PE-C, it has two
 possible routes to site CE-A (distinguished by the identical RD, VE ID
 and VE block offset).  Hence PE-C selects one of these two sites as its
 route to CE-A via BGP route selection process, being via PE-A because of
 local-pref.  Now PE-C sets up a single BGP signalled pseudo-wire between
 PE-C to PE-A and begins forwarding traffic.  Any traffic received at
 PE-B is dropped because it has no pseudo-wires set up to any other PEs
 and there is no loop in the network.
 J* have a good article describing exactly that here
 http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/bgp-vpls-multihoming/validating-a-bgp-based-vpls-multihoming-configuration.pdf
 

Yes, with the caveat that you are using the same VE ID on the two PEs
connected to the same site.  If you don't, then you must provide some loop
prevention mechanism.  So it is still possible to shoot yourself in the foot.

 EVPN is a little different because in that above example, PE-C would
 have set up pseudo-wires to both PE-A and PE-B allowing active-active
 forwarding.  Any BUM traffic will still be forwarded using split-horizon
 though using the split-horizon label.  At least that is my
 understanding..
 

Exactly.  Loop prevention is inherent in the implementation due to the
active-active capability.

- -- 
=
bep



Re: [c-nsp] BGP Signalled VPLS

2013-04-23 Thread Bruce Pinsky
Aaron wrote:
 Thanks Caillin/Saku/Adam, this differentiation of VPLS LDP Sig compared to
 BGP Sig as it relates to loop prevention during redundant pe/ce at edge is
 of interest to me...(I actually had a l2 forwarding loop scare me to death
 and had to shut down backside c-to-c during maintenance window a few months
 ago)i walked away from that with a big question in my head as to how
 does customer spanning tree feed into the loop prevention of split horizon
 groups within a vpls as how pw forwarding treatment occurs...and I thought
 to myself , it probably doesn't... which has had me wondering about this for
 a few months
 
 BUT, now y'all mention that bgp signaled vpls as it relates to redundant
 pe/ce avoids this correct?  I have adam's link, thanks adam, but does
 anyone have more links related to understanding all that? 
 
 Adam's implementation link
 
 http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/lxvpn/configuration/guide/lesc43pbb.html#wp1183684
 

By the selection of a Designated Forwarder via the Ethernet AD route
advertisement and the use of a split-horizon label appended to
multi-destination packets.

- -- 
=
bep



Re: [c-nsp] BGP Signalled VPLS

2013-04-22 Thread Bruce Pinsky
Adam Vitkovsky wrote:
 While we are on the topic what do you folks think about BGP signaled VPLS
 please? 
 While I would prefer BGP in favor of LDP signaling as I believe it saves
 control plane overhead (1 BGP session VS n-1 LDP sessions), I have heard a
 valid objection as to why to run yet another functionality/feature (not
 tested by majority of operators) when the reliable and stable LDP
 functionality is enabled already anyways (for p2p PWs and base MPLS). 
 

eVPN will be based on BGP.

http://tools.ietf.org/html/draft-ietf-l2vpn-evpn-03
http://tools.ietf.org/html/draft-ietf-l2vpn-pbb-evpn-04


- -- 
=
bep



Re: [c-nsp] Terminating lots of double-tagged vlans

2013-04-17 Thread Bruce Pinsky
Simon Lockhart wrote:
 All,
 
 I'm working on a project which uses GPON to connect tens of thousands
 of properties in a fibre-to-the-home environment. Each property will
 be handed off to me as a double-tagged vlan, one per property.
 Obviously I don't want to manually create tens of thousands of
 subinterfaces on a router, and I'm sure there's a better way of doing
 this.
 
 What I'd come up with is that I'd ignore the inner tags, and just
 use the outer S-Tag to put the properties into subnets (one per
 S-Tag), and then just do DHCP. However, I'm not quite sure how I'd
 achieve this.
 
 This is obviously a common problem for people to solve, so how do
 others sort it out?
 
 The devices I'd typically use include Cisco 6500/SUP720, ME3600,
 ASR1k, and smaller stuff like the 3750/3560.
 

http://www.cisco.com/en/US/docs/ios/lanswitch/configuration/guide/lsw_ieee_802.1q.html#wp1027258


- -- 
=
bep



Re: [c-nsp] Cisco ASA static dhcp binding

2013-03-29 Thread Bruce Pinsky



On Fri, 29 Mar 2013 19:16:11 +0300, Andrey Petrenko
andy.petre...@gmail.com wrote:
 Hello everyone! I have Cisco ASA 5510 (8.4(5)). Can i configure dhcp
 servers with static mapping? (e.g for mac :: assign ip addr
 192.168.1.100?
 

Unfortunately, no.

-- 
==
bpe



Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John Neiberger wrote:

> In the case I'm thinking of using it, we do all over our internal BGP
> peering to loopbacks, which are in OSPF. If we enable fallover, it sounds
> like the peer will be torn down as soon as that next hop is removed from
> the routing table. One problem we have that I'm trying to solve is that we
> also have a null0 static route used for aggregation for the loopback
> addresses. This static route stops the BGP routes from being invalidated
> until the peer goes down because the next hop is technically still
> reachable, although via Null0. I'm pondering the use of selective next-hop
> filtering so that only /32 routes in OSPF can be used to validate next
> hops, but I wonder if just enabling fallover would be better option. We
> aren't using BFD right now. Not sure why. It seems like using fallover with
> BFD would be an excellent solution to this problem.
>

As I mentioned, there is no dampening mechanism on fast fall-over and peers
are dropped immediately when the next hop is lost.  If the next-hop of the
routing entries is the same as the peering address, then next-hop tracking
should be sufficient to cause the routes to flush from the RIB if
reachability is lost and next-hop tracking has a delay/dampening mechanism
built in.


- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlE+FGUACgkQE1XcgMgrtyZuQACfVCtmFdMUzAWzknpsrNs2xD4N
dUgAnRfi5NtL3XPHS/xvcoNKRAENg4Ai
=tI/s
-END PGP SIGNATURE-


Re: [c-nsp] BGP neighbor fall-over vs BFD

2013-03-11 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John Neiberger wrote:
> I was just reading a bit about next-hop tracking and neighbor fall-over and
> now I'm a little confused about what fall-over actually does. The docs say
> that it enables fast peering session deactivation, but I can't tell what
> that really means. The wording in the docs makes it sound a lot like BFD,
> but not exactly. In fact, fall-over can be used with BFD.
>
> Can someone shed some light on this? What is fall-over really doing and
> when might it be useful?
>

fall-over basically tears down the peering session as soon as reachability
to the peering address is lost.  It is event-driven rather than timer based
session deactivation.  The issue with the feature is that there is no
delay/dampening method and so a momentary loss of reachability can result
in the peer(s) being torn down.


- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlE+D08ACgkQE1XcgMgrtyZOswCfYk3yinAkfBgFTH/mpyDpK0aD
9wEAnAkMIrFe6+GmsFyHrNhK11U7qXJL
=IYuT
-END PGP SIGNATURE-
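The two replies above describe a behavioural difference that is easier to see on a timeline. The following simulation is an added example, not from the thread and not how IOS is implemented: it replays one RIB event stream against both policies, fast fall-over (event-driven, no dampening) and next-hop tracking with a delay, and includes John's Null0 aggregate so that the effect of only trusting /32 routes (his selective next-hop filtering idea) is visible. Prefixes, the 5-second delay and the log wording are assumptions.

```python
"""BGP 'neighbor fall-over' versus next-hop tracking with a delay, run side
by side over the same RIB events. Simulation only."""
import ipaddress
from itertools import groupby


class Rib:
    """Minimal IPv4 RIB with longest-prefix match."""

    def __init__(self):
        self.routes = {}  # IPv4Network -> next hop or interface name

    def add(self, prefix, via):
        self.routes[ipaddress.ip_network(prefix)] = via

    def remove(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def reachable(self, addr, host_only):
        """Is there a route for addr? With host_only (selective next-hop
        filtering) only a /32 that is not via Null0 counts, so the Null0
        aggregate covering the loopback range cannot mask a lost peer."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, via in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return False
        if host_only:
            return best[0].prefixlen == 32 and best[1] != "Null0"
        return True


def _recheck(rib, peer, host_only, at, log):
    """Next-hop tracking only acts once its delay has expired."""
    if rib.reachable(peer, host_only):
        log.append((at, "nh-track", "momentary loss ignored"))
    else:
        log.append((at, "nh-track", f"flush routes via {peer}"))


def simulate(events, peer, delay, host_only):
    """events: (time, "add"|"del", prefix, via), applied in time order.
    Returns a log of (time, policy, action) entries for both policies."""
    rib, log = Rib(), []
    session_up = True   # the fall-over view of the peering session
    recheck_at = None   # pending next-hop tracking re-check, if any
    for t, batch in groupby(sorted(events, key=lambda e: e[0]), key=lambda e: e[0]):
        if recheck_at is not None and recheck_at <= t:
            _recheck(rib, peer, host_only, recheck_at, log)
            recheck_at = None
        for _, op, prefix, via in batch:
            if op == "add":
                rib.add(prefix, via)
            else:
                rib.remove(prefix)
        up = rib.reachable(peer, host_only)
        # fall-over: tear down the moment reachability is lost, no dampening
        if session_up and not up:
            log.append((t, "fall-over", f"tear down session to {peer}"))
            session_up = False
        elif not session_up and up:
            log.append((t, "fall-over", f"re-establish session to {peer}"))
            session_up = True
        # next-hop tracking: schedule a delayed re-check instead of acting now
        if not up and recheck_at is None:
            recheck_at = t + delay
    if recheck_at is not None:
        _recheck(rib, peer, host_only, recheck_at, log)
    return log


PEER = "10.255.0.2"
# Constructed event stream: a 2-second flap of the peer's /32, then a real loss.
EVENTS = [
    (0, "add", "10.255.0.2/32", "OSPF"),    # peer loopback learned via OSPF
    (0, "add", "10.255.0.0/24", "Null0"),   # aggregate for the loopback range
    (10, "del", "10.255.0.2/32", None),
    (12, "add", "10.255.0.2/32", "OSPF"),
    (30, "del", "10.255.0.2/32", None),
]

if __name__ == "__main__":
    for entry in simulate(EVENTS, PEER, 5, True):
        print(entry)
    print("aggregate masks the loss:", simulate(EVENTS, PEER, 5, False))
```

With host_only=False the Null0 aggregate keeps the peer "reachable" throughout, so neither policy ever reacts, which is exactly the problem John describes; with host_only=True fall-over drops the session on the 2-second flap while next-hop tracking rides it out and only flushes on the real outage.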


Re: [c-nsp] Cisco TAC successfully disappoints again

2012-12-19 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jared Mauch wrote:
> There's only one type of bug that they don't disclose to customers,
> and that is if the notes have $$PSIRT in there marking it as a
> security related defect.
>
> All other defects encountered by a customer should get a RNE
> (release note) and be set to be visible on CCO.
>
> It is not the job of the account team to provide you information
> about software defects, it is the role of the support organization.
>
> If you have more details, eg SR/DDTS I can forward a note to some
> people there, or there are some folks from Cisco on the list that can
> look it up and provide details.
>
> Most people at Cisco are not familiar with their policy of making all
> bugs that impact customers available, so just take the lazy way out.
>
> You should also talk to the DM aka Duty Manager and they can work
> to resolve the issue.
>
> - Jared
>
> On Dec 19, 2012, at 10:49 AM, Joe Maimon wrote:
>
>> What exactly does Support mean? I just cannot believe the following
>> fits the definition.
>>
>> Hello Joe,
>>
>> My name is J*** C and I’m the manager of the Routing Protocols
>> team within Cisco TAC. I’m contacting you on behalf of J*** M*
>> who is the owner of this SR.
>>
>> After reviewing the case notes, I understand that you’re hitting a
>> known bug and J*** was able to share with you some details of it as
>> it is an internal bug. Due to this situation, we can not disclose
>> any additional details as we can’t go against our policies, what I
>> would like to suggest is in case you have an account team, feel free
>> to contact them directly so they can help you with this request.
>>
>> Feel free to contact me in case you have any other concerns, and
>> also please let us know how to proceed with this SR.
>>
>> Kind regards,
>>
>> J C
>

Please send me the case and bug number.  I'll do some follow up.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlDR/kcACgkQE1XcgMgrtyY6MQCcDXxwjgG6LBj6mtHADUJBOVPC
FHUAn2C4sWveJQqF7VV90Ryk6XIcHC9L
=bhh3
-END PGP SIGNATURE-


Re: [c-nsp] How is this working..... ASA 5505 inside DHCP?

2012-12-06 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Scott Voll wrote:
> I have an ASA 5505 running and working.
>
> The inside interface is 192.168.1.1/24
>
>
> but the config shows:
>
> interface Vlan192
>  nameif inside
>  security-level 100
>  ip address dhcp setroute
>
> this 5505 is also the DHCP server for this network and default GW.  How in
> the hey is it working?
>

That address looks like one that would be assigned by low-end CPE router.


- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlDBSSMACgkQE1XcgMgrtyb28QCfX9lxgOHgC6JtBUJkAPOyh4gw
ujMAoJFWdeEfSXK6gPbhl67Dqz8zGUdD
=fHN+
-END PGP SIGNATURE-


Re: [c-nsp] MPLS and VRF

2012-10-24 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Eric A Louie wrote:
> I've been reading and studying but I'm still not quite getting a few concepts
> down around it.
>
> I'm looking for the relationship between the labels and transparency through
> non-MPLS routers, if there is any, and the relationship between VRFs and
> labels.  Anyone have any guidance for me?
>

Labels are used to forward packets through the MPLS network.  If there are
any non-MPLS routers in the path, then you don't have an end-to-end LSP
(Label Switch Path) and the packets will get dropped.

In L3VPN over MPLS, there are two labels attached to the packet.  One
represents which PE the packet should be forwarded to and the other
represents which VPN on that PE the packet belongs to.

VRFs are simply the logical separation of routing/forwarding tables on the
PE. Labels are used to represent which VRF (VPN) a packet belongs in.  The
label information for VPNs is transmitted as part of the VPNv4 address
family in BGP.  Here is an example of how a packet flows through the MPLS
network:

http://www.google.com/imgres?hl=enclient=firefox-ahs=FKBsa=Xrls=org.mozilla:en-US:officialbiw=1600bih=699tbm=ischprmd=imvnstbnid=rrTrsJp0TSWTVM:imgrefurl=http://cisco-vpn.org.ua/1587051044/ch06lev1sec1.htmldocid=Ikb3Z8KNnYKLLMimgurl=http://cisco-vpn.org.ua/1587051044/images/06fig22_alt.jpgw=1000h=427ei=dHSIUKe_BanWyQH96oDYDgzoom=1iact=rcdur=453sig=115233268954071552763page=2tbnh=117tbnw=274start=23ndsp=30ved=1t:429,r:14,s:20,i:180tx=203ty=32


- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCIdX0ACgkQE1XcgMgrtybCuACgild0NgXIuBovIOY0y3REQgTI
aUUAoI6jmjN7e2FDnw/w83ZtxA1iK6HG
=wNyp
-END PGP SIGNATURE-
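To make the two-label explanation above concrete, here is an added example (not from the thread, not Cisco code) that encodes and decodes the RFC 3032 label stack entry, label-switches the outer transport label at a P router, and has the egress PE demultiplex the inner label to a VRF. The label values, the LFIB contents, the VRF name and the payload bytes are constructed for the example; the bit layout and the implicit-null (label 3) semantics are the standard ones.

```python
"""MPLS label stack encode/decode and a walk of a packet through P and PE
roles: transport label swapped or popped in the core, VPN label demuxed
to a VRF at the egress PE, no LSP means the packet is dropped."""
import struct

IMPLICIT_NULL = 3  # reserved label: "pop the stack" (penultimate-hop popping)


def encode_label(label, tc=0, bottom=False, ttl=64):
    """One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def encode_stack(labels, ttl=64):
    """Outer-to-inner labels; only the innermost entry gets S=1."""
    last = len(labels) - 1
    return b"".join(encode_label(l, bottom=(i == last), ttl=ttl)
                    for i, l in enumerate(labels))


def decode_stack(data):
    """Return ([(label, tc, ttl), ...] outer-to-inner, payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return entries, data[off:]


def p_router(packet, lfib):
    """Label switch at a P router: swap the top (transport) label per the LFIB,
    or pop it if the LFIB says implicit-null. A top label with no LFIB entry
    means there is no LSP through this router: the packet is dropped (None)."""
    entries, _ = decode_stack(packet)
    label, tc, ttl = entries[0]
    if label not in lfib or ttl <= 1:
        return None
    rest = packet[4:]               # remaining entries plus payload, untouched
    if lfib[label] == IMPLICIT_NULL:
        return rest                 # PHP: egress PE receives only the VPN label
    return encode_label(lfib[label], tc, bottom=(len(entries) == 1), ttl=ttl - 1) + rest


class EgressPE:
    """Hypothetical PE: VPN labels it advertised in VPNv4 BGP map to VRFs."""

    def __init__(self, transport_label, vpn_labels):
        self.transport_label = transport_label   # label the core uses to reach us
        self.vpn_labels = dict(vpn_labels)       # VPN label -> VRF name

    def receive(self, packet):
        entries, payload = decode_stack(packet)
        labels = [e[0] for e in entries]
        if len(labels) == 2:                     # no PHP: pop our own label first
            if labels[0] != self.transport_label:
                raise ValueError("top label is not ours; mis-delivered packet")
            labels = labels[1:]
        if len(labels) != 1:
            raise ValueError("unexpected label stack depth")
        vrf = self.vpn_labels.get(labels[0])
        if vrf is None:
            raise ValueError(f"unknown VPN label {labels[0]}: dropped")
        return vrf, payload


# Constructed packet: transport label 16 (to the PE), VPN label 24 (the VRF).
PAYLOAD = b"\x45\x00" + b"\x00" * 18   # stand-in for an IPv4 packet
INGRESS_PKT = encode_stack([16, 24]) + PAYLOAD

if __name__ == "__main__":
    mid = p_router(INGRESS_PKT, {16: 17})          # P router swaps 16 -> 17
    last = p_router(mid, {17: IMPLICIT_NULL})      # penultimate hop pops it
    print(EgressPE(17, {24: "CUST-A"}).receive(last))
    print("no LSP:", p_router(INGRESS_PKT, {}))   # None
```

The inner label never changes in the core and is never looked at by a P router; only the egress PE interprets it, which is why a non-MPLS hop in the path breaks the whole thing rather than just one VPN.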


Re: [c-nsp] IPv6 PE-CE

2012-10-18 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Saku Ytti wrote:
> On (2012-10-17 17:11 +0300), Mohammad Khalil wrote:
>
>> I was trying to implement OSPFv3 and EIGRP6 as the PE-CE in 6VPE
>> deployment but seems IOS does not support that yet
>
> Out of curiosity. Why are people choosing to run IGP in network
> borders? Link-state is complex, expensive and poorly manageable (in
> terms of filters/policies/route-map)
>

Customers are asking for and willing to pay for it


- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlB/sOgACgkQE1XcgMgrtyZC3ACgzW24qhxTXolrM0OAEigekotk
IQgAn0C/OWAdTH8uwXXDNs5NYNkoeEWi
=Br+4
-END PGP SIGNATURE-


Re: [c-nsp] ASA 5505 NAT and asymmetric routing

2012-10-08 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Matthew DeSantos wrote:
> All,
>
> Hopefully I can explain this correctly. I'm having an issue with
> communication (telnet/ssh) from a public server to remote private nodes.
> The issue is the return path, private IPs can't route via the INET. So,
> my initial thought was to plug the servers into the ASA and give them
> private IPs. However, these servers actively monitor our private IPs. If
> I change the IP of the server(s) this will require a lot of manual
> changes. The private nodes will need to be updated  to allow the new
> private IP access. I'm thinking I need to configure static PAT or some
> sort of NAT. This is where I'm stuck and don't fully understand how to
> implement. The setup is below:
>
> Public Server(s) -[ROUTER]---ASAtunnel=ASA--[ROUTER] Private IP
> (10.1.0.0/17)
>
> Again, I need to allow these servers telnet and ssh access (we run
> scripts from these servers). I've been reading the ASA 5505
> configuration guide, but I'm at a stand still now. The inside and
> outside interfaces plug into my upstream router.  The servers are
> actively monitoring all the private nodes via the tunnel, but I can't
> telnet/ssh to these devices from the public servers (asymmetrical
> routing). If anyone has previous experience with this type of setup I
> would greatly appreciate some direction/assistance.


Your drawing shows a tunnel between the ASA's.  Assuming the public servers
reside behind your ASA and don't have to be reached via the public internet
from the private IP addresses, you can simply put static routes in each of
the ASAs that point to the addresses in question over the tunnel.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBzFD8ACgkQE1XcgMgrtyYfxQCeLQ/1p0eUwxHutVfCpe7d3maD
/BoAnj4x8F1kMOp8qWgOVeYxHJR8t6gh
=VBsQ
-END PGP SIGNATURE-


Re: [c-nsp] ASA 5505 NAT and asymmetric routing

2012-10-08 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Matthew DeSantos wrote:
> This is the problem I'm having. The public servers aren't behind the asa
> and have to be reached via the internet. I'm trying to keep the public side
> public and the private (internal) stuff private.
>

In recent versions of the ASA software, you can do conditional NAT'ing.
For example, I don't apply NAT when traffic is destined to my AnyConnect
VPN clients.

access-list inside_nat0_outbound extended permit ip object Inside-Network
object VPN-Anyconnect-1
nat (inside,any) source static Inside-Network Inside-Network destination
static VPN-Anyconnect-1 VPN-Anyconnect-1 no-proxy-arp

Seeing it in ASDM makes it a lot clearer.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBzOiEACgkQE1XcgMgrtya4FQCg5bi5v7tgaGxb/wS2FnwkUVvF
/NsAni/9xORUjjnw+YrZQm4zUdMw91sk
=8pLP
-END PGP SIGNATURE-

Re: [c-nsp] IOS 15.0 ipv6-related weirdness (fails to fallback to ipv4)

2012-07-10 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael Ulitskiy wrote:
> Heh.
>
> c2800#sh ipv6 interface
> VoIP-Null0 is up, line protocol is up
>   IPv6 is enabled, link-local address is FE80::226:99FF:FED0:1290
>   No Virtual link-local address(es):
>   No global unicast address is configured
>   Joined group address(es):
>     FF02::1
>     FF02::1:FFD0:1290
>   MTU is 1500 bytes
>   ICMP error messages limited to one every 100 milliseconds
>   ICMP redirects are enabled
>   ICMP unreachables are sent
>   ND DAD is not supported
>   ND reachable time is 3 milliseconds (using 3)
>
> Don't see any way to disable it. Can't even find any description what it is,
> but obviously it's
> voip-related and this router is indeed sip gateway.
> Now I have to make sure that sip servers it's talking to don't publish AAAA,
> until I manage
> to upgrade to something that has it fixed.


Have you tried?:

int voip-null0
 no ipv6 enable

- -- 
=
bep



-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/8ZScACgkQE1XcgMgrtybGQACgywQ3l6hQWV/o6ed6ZawYAjdB
i+cAoLPThDKCAFXxAb+pJB3pCWv9CYMm
=kjfg
-END PGP SIGNATURE-


Re: [c-nsp] IOS 15.0 ipv6-related weirdness (fails to fallback to ipv4)

2012-07-09 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael Ulitskiy wrote:
> Hello,
>
> I have a 2800 router with IOS 15.0(1)M7 with no ipv6 connectivity. There are
> no ipv6
> addresses configured on any interfaces and I've added:
>
> no ipv6 cef
> no ipv6 unicast-routing
>
> commands to config.
>
> Nonetheless when I try to ping google the following happens:
>
> c2800#ping google.com
> Translating google.com...domain server (167.206.112.138) [OK]
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2607:F8B0:4006:801::1004, timeout is 2
> seconds:
>
> % No valid source address for destination
> Success rate is 0 percent (0/1)
>
> c2800#sh hosts
> Default domain is aceinnovative.com
> Name/address lookup uses domain service
> Name servers are 167.206.112.138, 167.206.7.4
>
> Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
>        temp - temporary, perm - permanent
>        NA - Not Applicable None - Not defined
>
> Host        Port  Flags       Age Type   Address(es)
> google.com  None  (temp, OK)  0   IPv6   2607:F8B0:4006:801::1004
>
> So when it sees an AAAA record it tries to use it (regardless of ipv6 routing
> having been disabled), sees
> there're no valid ipv6 addresses to use as source and fails, instead of
> trying to use alternative
> ipv4 addresses. It's also very strange that only IPv6 address has been cached
> by resolver.
> It looks like resolver discards any A record in the presence of AAAA.
>
> FYI:
> c2800#sh ipv6 interface brief
> FastEthernet0/0[up/up]
> unassigned
> FastEthernet0/1[up/up]
> unassigned
>
> c2800#sh ipv6 route
> IPv6 Routing Table - default - 1 entries
> Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
>        B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
>        I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
>        D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
>        O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
>        ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
> L   FF00::/8 [0/0]
>      via Null0, receive
>
> I wonder if this is a known issue, if there are any workarounds or if I'm
> missing something?

Is ipv6 enable configured on any interface at all?  What does a show
ipv6 interfaces say?

With ipv6 unicast-routing disabled, the router will still function as an
ipv6 host if there are any IPv6 configured interfaces.  And google returns
both an A and AAAA record for google.com.

- -- 
=
bep



-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/7h8oACgkQE1XcgMgrtybrxgCgkjn1okrSrVdjNdxya7upf1Sj
lfoAoN8ql0aXuchVf1ThxsHcJzL2cxRo
=5EFq
-END PGP SIGNATURE-
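The two messages above boil down to two checks: which interfaces have IPv6 enabled at all (the VoIP-Null0 surprise in the follow-up), and whether a resolver should use an AAAA answer when the box has no usable IPv6 source. The following is an added example, not from the thread and not IOS code: a parser for the `show ipv6 interface` output format and a destination-selection routine that falls back to the A record when no interface holds a global unicast address. The VoIP-Null0 section is the one Michael posted; the FastEthernet0/0 section, the IPv4 answer and the regexes are constructed for the example.

```python
"""Parse 'show ipv6 interface' output and choose a destination address from
A/AAAA answers only when a valid IPv6 source exists; otherwise fall back
to IPv4 instead of failing."""
import ipaddress
import re

# VoIP-Null0 section is from the thread; FastEthernet0/0 is constructed.
SHOW_IPV6_INTERFACE = """\
VoIP-Null0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::226:99FF:FED0:1290
  No Virtual link-local address(es):
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::1:FFD0:1290
  MTU is 1500 bytes
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::226:99FF:FED0:1291
  Global unicast address(es):
    2001:DB8:10::1, subnet is 2001:DB8:10::/64
  MTU is 1500 bytes
"""

IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (.+)$")
LINK_LOCAL_RE = re.compile(r"link-local address is ([0-9A-Fa-f:]+)")
GLOBAL_RE = re.compile(r"^\s+([0-9A-Fa-f:]+), subnet is ")


def parse_show_ipv6_interface(text):
    """Return {ifname: {"link_local": addr or None, "global": [addrs]}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"link_local": None, "global": []}
            continue
        if current is None:
            continue
        m = LINK_LOCAL_RE.search(line)
        if m:
            result[current]["link_local"] = m.group(1)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            result[current]["global"].append(m.group(1))
    return result


def ipv6_enabled_interfaces(parsed):
    """Interfaces running IPv6 at all: a link-local address means IPv6 is
    enabled on the interface, which is the check Bruce asked for."""
    return sorted(name for name, i in parsed.items() if i["link_local"])


def choose_destination(answers, parsed):
    """answers: [(rrtype, address)] returned for a name. Prefer AAAA only if
    some interface holds a global unicast address (a link-local address is
    not a valid source for an off-link destination); otherwise use an A."""
    has_v6_source = any(i["global"] for i in parsed.values())
    preference = ("AAAA", "A") if has_v6_source else ("A",)
    for want in preference:
        for rrtype, addr in answers:
            if rrtype == want:
                return ipaddress.ip_address(addr)
    return None   # nothing usable: say so rather than pick an unroutable AAAA


# Constructed answer set: the AAAA from the thread plus a documentation IPv4.
ANSWERS = [("AAAA", "2607:F8B0:4006:801::1004"), ("A", "192.0.2.10")]

if __name__ == "__main__":
    parsed = parse_show_ipv6_interface(SHOW_IPV6_INTERFACE)
    print(ipv6_enabled_interfaces(parsed))
    print(choose_destination(ANSWERS, parsed))
```

Run against only the VoIP-Null0 section, the chooser returns the IPv4 address, which is the fallback Michael expected the router to make; with a global address present it picks the AAAA.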


Re: [c-nsp] gns3 - router/switch types supported

2012-06-18 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Eduardo Angueta wrote:
> Does anyone know about IUO and if we can simulate IOS-XR there?
> I'm trying to get started with CCIE SP track.
>

The current IOS-XR virtualization requires a hardware emulation layer that
makes it difficult to implement on scale and doesn't provide all the
necessary features.  That is why you have not seen it available in either
the CCIE360 or the Cisco Learning Labs (CLL) products (nor implemented as
virtual in the CCIE SP and SP-OPs exams).

Look for some enhancements in the CLL product later this year that will
make it more attractive as a platform for CCIE RS practice and as a
general lab mockup environment.  Introduction of an XR virtualization for
the environment is still dependent on development that must be completed by
the BU and consequently, there is no current timeline for its introduction.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/fd/IACgkQE1XcgMgrtyZ6wwCfcLJGnSKH4ulnE45bTs+mnJvh
6oUAn0goY72bXsdZKeEQlw5yupP5uhRN
=BwOK
-END PGP SIGNATURE-


Re: [c-nsp] ospf with vrf

2012-06-17 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Aaron wrote:
> I think I found the answer, although I don't fully understand it all
> yet.  I have heard about this before and recall some of it.
>
> This seemed to do the trick...under, router ospf vrf testvrf
> capability vrf-lite
>
> I read this. https://supportforums.cisco.com/thread/202402
>
> Apparently it has something to do with loop prevention and pe checks
> of domain id and down bit or something like that to keep pe from
> adding anything other than type 1 and 2's to rib.
>

It has something to do with this:

http://www.networkworld.com/community/node/19293

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/dn80ACgkQE1XcgMgrtyZ17wCff7EZaor5ST9To8tjgZdVd/qR
Cp4AmwSZGnkp/n0fMDa2Ri8NgYyTeJly
=xSfy
-END PGP SIGNATURE-


Re: [c-nsp] ipv6 nhrp

2012-05-11 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chris Conn wrote:
> Hello,
>
> What platforms other than 18xx support;
>
> int Tunnel6 ! ... ipv6 nhrp ... ... ! ?
>
> I have tried to find supported platforms and have come up nil.
> Feature navigator doesn't seem to make a difference between nhrp/dmvpn
> and ipv6 nhrp/dmvpn.
>

It would appear that any platform that supports 12.4(20)T.

http://tools.cisco.com/Support/CLILookup/cltSearchAction.do?AT=getCommandListIndexId=1IndexOptionId=76PageNumber=0caller=pluginredirectorSearchPhrase=ipv6+nhrp

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+tOCUACgkQE1XcgMgrtybJlgCgsxcMc8sSL2dWbPymC74xjDSD
asAAnjWIpeXfPXMsPYJXeoTax9jp5zJs
=tTUl
-END PGP SIGNATURE-


Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811

2012-04-19 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Chuck Church wrote:
> Could be a bunch of reasons.  Were the counters cleared at the time when the
> provider's time of measure started?  Did the router reboot or were the
> counters cleared since?  These counters are either a 32 or 64 bit counter.
> They do occasionally wrap and start over at 0, pretty frequent on 32 bit
> counters.
>

If the interface counters were cleared, might consider looking at the SNMP
counters as they do not get cleared except on reboot.  They can wrap,
however, just like the interface counters.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+QSYUACgkQE1XcgMgrtyb+IwCfVc0RFMrjyM0UuLUA+dEcRZXu
8QIAoJaRLJbneBUQhhOVkoNRGc4mQyFn
=d8Lz
-END PGP SIGNATURE-
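Chuck and Bruce list three things that make raw byte counters disagree with a provider's figure: wraps, reboots and manual clears. The following is an added example, not from the thread and not Cisco or SNMP library code, of how a poller can tell those apart: it corrects for a single wrap, uses sysUpTime going backwards to spot a reboot, and treats a "wrap" that would imply more bytes than the link could carry in the interval as a counter clear. The sample readings and the 100 Mb/s link speed are constructed.

```python
"""Delta computation over interface/SNMP octet counters: wrap correction,
reboot detection via sysUpTime, and an implausibility check for clears."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float          # poll time, seconds
    octets: int       # ifInOctets / ifHCInOctets style counter value
    sysuptime: float  # device uptime at poll time, seconds


def counter_delta(prev, cur, bits):
    """Bytes transferred between two readings, assuming at most one wrap."""
    if cur >= prev:
        return cur - prev
    return cur + (1 << bits) - prev


def max_poll_interval(bits, link_bps):
    """Longest poll interval that guarantees a counter of `bits` width cannot
    wrap twice between polls on a link running flat out at `link_bps`."""
    return (1 << bits) * 8 / link_bps


def analyze(samples, bits, link_bps):
    """Classify each consecutive pair of samples.
    'ok'            : counter increased normally
    'wrapped'       : counter went down but the wrap-corrected delta fits the link
    'reset'         : sysUpTime went backwards: reboot, counters restart at zero
    'suspect-clear' : a wrap would need more bytes than the link can carry in
                      the interval, so the counter was most likely cleared
    Returns a list of (t, delta_bytes or None, note)."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        interval = cur.t - prev.t
        if cur.sysuptime < prev.sysuptime:
            out.append((cur.t, None, "reset"))
            continue
        delta = counter_delta(prev.octets, cur.octets, bits)
        if delta * 8 > link_bps * interval:
            out.append((cur.t, None, "suspect-clear"))
        else:
            note = "wrapped" if cur.octets < prev.octets else "ok"
            out.append((cur.t, delta, note))
    return out


# Constructed readings from a 32-bit counter polled every 60 s on a 100 Mb/s link.
SAMPLES = [
    Sample(0, 4_294_000_000, 1000),
    Sample(60, 1_000_000, 1060),      # counter passed 2^32 inside the interval
    Sample(120, 200_000, 30),         # uptime restarted: the box rebooted
    Sample(180, 5_000, 90),           # counter went down, no reboot: cleared
    Sample(240, 3_005_000, 150),
]

if __name__ == "__main__":
    for row in analyze(SAMPLES, 32, 100e6):
        print(row)
    print("max safe interval at 100 Mb/s, 32-bit:", max_poll_interval(32, 100e6))
```

The implausibility check is the one that matters for the 32-bit case: at 100 Mb/s a 32-bit counter can wrap in under six minutes, so a poller that only corrects for wraps will happily turn a `clear counters` into several gigabytes of phantom traffic.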


Re: [c-nsp] Understanding Out/Input bytes in Interface Counters on 2811

2012-04-19 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Peter Subnovic wrote:
> Thanks Chuck, Bruce and James for your replies,
>
> I did clear the counters 6 weeks ago (near the beginning of march) while I
> was troubleshooting another issue.
>
> The router was not rebooted for 15 weeks.
>
> Thanks for the hint that the counters are (most probably) 32-bit counters,
> although the 3 Billion bytes reported as output should fit in the counter.
>
> Guess I'll have to live with it and need to implement a better approach to
> track this stuff.
>

I would recommend using Netflow and export to a Netflow collector.  We used
that to measure utilization for billing purposes at one company I worked at.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+QWqsACgkQE1XcgMgrtybmGQCg9kaQFtyoirh1EU8hJefxffzw
f9UAniY0xZSBzRBH6ZjMzael060LDxGN
=VuBL
-END PGP SIGNATURE-


Re: [c-nsp] L3VPN works, but not default route

2012-04-19 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Aaron wrote:
> I didn't have to use import, and they still came into vrf. ?  any idea why?
>

With unique RD, each route advertised by each PE is considered a separate
prefix with a different nexthop.  So, bestpath is run for each of those
unique RD/Prefixes and the bestpath is then imported into the VRF.

maximum-paths only comes into play when you have more than one nexthop for
each unique RD/prefix (such as when you have redundant RRs).

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+QXGEACgkQE1XcgMgrtyZI6ACfdKbMaBfqQ5oNRnXo745qi4KW
wFMAn2hYdLo9Kg51vfWtPiXryotiGtgA
=/B1T
-END PGP SIGNATURE-
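Bruce's point that bestpath runs per unique RD/prefix before anything is imported is the kind of thing a small model shows better than prose. The following is an added example, not from the thread and not IOS code: it groups VPNv4 paths by (RD, prefix), runs a simplified decision process on each group, and then imports the winners into a VRF by route target. The RDs, RTs, next hops and the reduced decision process (local-pref, IGP metric, router-id only) are assumptions for the example; what happens after import, such as RIB installation and `maximum-paths`, is not modelled.

```python
"""VPNv4 bestpath per (RD, prefix) followed by RT-based VRF import, showing
why two PEs advertising the same customer prefix under unique RDs both end
up in the VRF, while under a shared RD only one survives bestpath."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vpnv4Path:
    rd: str                # route distinguisher, e.g. "65000:1"
    prefix: str            # customer prefix
    nexthop: str           # advertising PE loopback
    rts: frozenset         # route targets carried as extended communities
    router_id: str         # advertising router-id (tie-breaker)
    local_pref: int = 100
    igp_metric: int = 10   # IGP cost to the next hop


def bestpath(paths):
    """Simplified BGP decision process (an assumption for this example):
    highest local-pref, then lowest IGP metric, then lowest router-id."""
    def rid(p):
        return tuple(int(x) for x in p.router_id.split("."))
    return min(paths, key=lambda p: (-p.local_pref, p.igp_metric, rid(p)))


def vpnv4_bestpaths(table):
    """Bestpath runs once per distinct NLRI, and the VPNv4 NLRI is RD:prefix,
    so paths for one customer prefix under different RDs never compete."""
    groups = defaultdict(list)
    for p in table:
        groups[(p.rd, p.prefix)].append(p)
    return [bestpath(ps) for ps in groups.values()]


def import_into_vrf(best, import_rt):
    """A VRF imports every bestpath carrying one of its import RTs.
    Returns {prefix: sorted next hops} as seen in the VRF's BGP table."""
    vrf = defaultdict(list)
    for p in best:
        if import_rt in p.rts:
            vrf[p.prefix].append(p.nexthop)
    return {prefix: sorted(nhs) for prefix, nhs in vrf.items()}


# Constructed VPNv4 table: PE1 and PE2 both connect customer A's 192.0.2.0/24
# (unique RD per PE), PE9 carries an unrelated VPN under RT 65000:200.
RT_A = "65000:100"
UNIQUE_RD = [
    Vpnv4Path("65000:1", "192.0.2.0/24", "10.255.0.1", frozenset({RT_A}), "10.255.0.1"),
    Vpnv4Path("65000:2", "192.0.2.0/24", "10.255.0.2", frozenset({RT_A}), "10.255.0.2"),
    Vpnv4Path("65000:9", "192.0.2.0/24", "10.255.0.9", frozenset({"65000:200"}), "10.255.0.9"),
]
# Same two PEs, but configured with one shared RD for the VRF.
SHARED_RD = [replace(p, rd="65000:1") for p in UNIQUE_RD[:2]]

if __name__ == "__main__":
    print("unique RDs:", import_into_vrf(vpnv4_bestpaths(UNIQUE_RD), RT_A))
    print("shared RD :", import_into_vrf(vpnv4_bestpaths(SHARED_RD), RT_A))
```

With unique RDs the VRF sees both PEs' next hops without any extra configuration, which is the behaviour Aaron observed; with a shared RD the two paths compete as one NLRI and only PE1's survives to be imported.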


Re: [c-nsp] VASI interface and NAT on ASR1k

2012-03-12 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Matthew Melbourne wrote:
> Hi,
>
> Does anyone have any pointers to some real-world use cases for VASI
> interfaces on an ASR1k? I have a corner case where I can't use MP-BGP to
> import a route from one VRF into another, when the next-hop of the route is
> in a separate VRF (the case is VRF-aware IPsec with FVRF/iVRF
> configuration). It looks like the issue can be worked around using VASI
> interfaces (i.e. a vasileft/vasiright pair). I have used a /30 to address
> the VASI interfaces and this appears to work, but is this best practice? NAT
> may be another useful requirement in this scenario, but I have seen other
> cisco-nsp postings which suggests 'ip nat outside' shouldn't be configured
> on an interface which isn't in the global table. A suggestion is that ip
> nat enable and hence NVI be used in preference to classic NAT for VASI
> interfaces? VASI does appear to be a rather poorly documented feature in
> IOS-XE :)
>

VASI interfaces are really designed to allow for services (encryption for
example) to be applied prior to label imposition on packets that would be
label forwarded toward the core.  The VASI-left interface serves as a
pseudo-CE and the VASI-right serves as a pseudo-PE.

In the VASI scenarios I've seen, BGP is used to send routes learned from
the MP-BGP sessions to the PE-CE BGP sessions and vice versa.  So, in
essence, you have three different BGP domains, the PE-CE, the MP-BGP, and
the inter-VASI.  In effect, you have two different redistributions going
on.  This is the result of having the VASI interfaces shimmed between the
real interfaces facing the CE and the P/PE MPLS core.

In those scenarios, the VASI interfaces were addressed out of the same /30
subnet.  A BGP session was then established between those VASI interface
addresses to advertise the routes from the VASI-left VRF to the VASI-right
VRF.  The VASI-right VRF was the same VRF (same RD/RTs) as the VPN on the
other PEs and the VASI-left was a separate VRF (different RD) that serves
as the pseudo-CE.  There was no need to have the VASI-left pseudo-CE
configured for import/export of route targets and the VASI-right VRF was
not configured to import the VASI-left route targets.  The BGP session
between the VASI interfaces propagates the routes without the need for
import/export of the RTs.

In the scenario we were testing, we were able to have GETVPN on the MPLS
P/PE side providing PE to PE encryption within the MPLS core.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9eZEUACgkQE1XcgMgrtyYc7QCghIFYcYdVAIhLa6Z8BG9KPjPD
H0sAn3OISw2e7oq8QxNVqFSiocTA4dLS
=pklf
-END PGP SIGNATURE-


Re: [c-nsp] Moving ports on ASA's

2012-03-08 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Scott Voll wrote:
> I have two ASA's running in Active / Standby.  I need to move a set of
> interfaces (non production DMZ set) from one switch to a different switch.
>
> if I don't want the ASA's to failover during the move, can I just shut the
> interface do the move and then no shut the interfaces?  I don't want to
> affect other traffic on the ASA's with a Failover.
>

How do you have your failover rules set?  You could change a number of
factors that would prevent a failover from occurring for just one interface.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9Y+ZAACgkQE1XcgMgrtyb72wCg3mgVK28XIemVs8eRAawgzAp2
xXUAnRG8cTzAbJ0g2fLEPY3In0/+jk/C
=t7tJ
-END PGP SIGNATURE-


Re: [c-nsp] VASI interfaces on IOS XR

2012-02-22 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nick Ryce wrote:
> Hi Bruce,
>
> I was hoping to have an easy way out from import / export :-)
>
>

In the VASI scenarios I've seen, BGP is used to send routes learned from
the MP-BGP sessions to the PE-CE BGP sessions and vice versa.  So, in
essence, you have three different BGP domains, the PE-CE, the MP-BGP, and
the inter-VASI.  In effect, you have two different redistributions going
on.  This is the result of having the VASI interfaces shimmed between the
real interfaces facing the CE and the P/PE MPLS core.

Since you don't need the VASI construct as you are not trying to apply
services to a label switched interface, I don't think you need the
complexity of what VASI introduces.  If you simply need to get routes from
one VRF to another, I think that you should be able to do something like this:

router ospf 1
redistribute ospf 2 vrf bar

router ospf 2
redistribute ospf 1 vrf foo

I know that VRF aware redistribution is available in IOS, but not sure
about XR (didn't spend a lot of time hunting through the docs).  To me the
downside of redistribution is that you end up with external routes but
perhaps that's not an issue in your environment.

Import/Export may seem like a pain, but I don't think any more so than
mutual redistribution and the access-lists and/or tags to prevent loops.

I suppose you could get fancy and use BGP between VASI interfaces and
redistribute your OSPF into BGP to get it across.  But I think it violates
the KISS and 2am principles unnecessarily.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9EpZcACgkQE1XcgMgrtya2pgCfc5fHnvtYSj2HPhORDoAu9poi
6hgAoNg+9LTpLsVo0Kv6pkoZ7JTr6WBx
=xQXV
-END PGP SIGNATURE-


Re: [c-nsp] VASI interfaces on IOS XR

2012-02-21 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nick Ryce wrote:
> Hi Guys,
>
> Does anyone know if these type of interfaces can be used without a
> services blade?  Also is there a specific version of XR required?
>
> I have been scouring documentation and can't really find anything.
> Would InterFlex interfaces do the same thing?  I am looking to have 1
> link in a VRF and the other in a separate VRF.  Then create ospf
> adjacencies do redistribute routes between the 2 VRF tables.  Any
> thoughts?
>

Are the routes from those different interfaces learned from other OSPF
adjacencies?

Seems like you should just be able to import the routes from the other VRF
via an import statement?  Am I missing what you are trying to do?

VASI interfaces are really designed to allow for services to be applied
prior to label imposition on packets that would be label forwarded toward
the core.  The VASI-left interface serves as a pseudo-CE and the VASI-right
serves as a pseudo-PE.  If the routes you are learning and needing to be
readvertised are coming and going from untagged interfaces, I don't think
VASI is what you need.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9EM0MACgkQE1XcgMgrtybl5gCeMHq2qYSblgbNX+9xR79pJ22t
t+0AoKau5fgjS//erKDT5ScwLT9B3TWp
=hgr4
-END PGP SIGNATURE-


Re: [c-nsp] OER Question

2011-12-06 Thread Bruce Pinsky

M K wrote:


> Hi all,
>
> i have the below OER question
> i have been trying since a while but i am not sure about the solution
> can anyone please help ?
> Configure R4 to be the master controller and R1 and R2 to be the Border routers.
> The OER implementation should be optimized such that when the
> packets with a DSCP of 41 is passing through the network, it is routed out to
> R1 exit interface and also, when a DSCP of 31 is passing through, it is routed
> out to R2 exit interface.
> You are allowed to create extended ACL with one entry to accomplish this task.
> Set active probes only
> For traffic going from Vlan 44 to YY.YY.55.5, set jitter as 40, delay as 20,
> probe frequency as 2.
> Enable constant probe via all exit interfaces.
>
> R5 -- SW2 -- SW1 -- R1 F0/0
> R1 S0/0 -- R4 S0/0 , R4 S0/1 -- R2 S0/0
> R2 F0/0 -- SW4 -- SW3
> all the switches are trunk interconnected


The wording on this question sounds suspiciously like a Cisco certification 
question and that you are fishing for an answer.


--
=
bep


Re: [c-nsp] ASA VPN groups... pointer/howto/cookbook?

2011-09-28 Thread Bruce Pinsky

Scott Granados wrote:
> Sounds like what you want is the anyconnect client.  You can have your
> users browse to a URL and install the clients that way instead of having to
> push out pcf files.  In fact I believe this is the preferred method.  You
> can also control group access or have groups available from a pulldown.
> Clients are available for most platforms including Linux and Android so it
> might be something to look at.
>

Agreed.  Plus you can define AnyConnect client profiles that can be pushed
down to the client upon login time in addition to the VPN connection
profiles and group policies that can be defined on the ASA itself.

The other nice thing is that the AnyConnect client can either be
pre-installed or downloaded at login time from a Web portal as mentioned
above.  The pre-install is nice in situations where users are not granted
admin privs on their systems.  When downloaded from the web portal, the
first install requires admin privs, however, if you choose to leave the
client installed on the system, subsequent logins to the web portal will
not require the client to be downloaded again.  Once installed, the user
has the option of connecting to the web portal or directly from the client
(if you so choose) on their system via a pre-defined host list in the
client or by typing in a hostname/ip addr.

By defining different connection and group policies, you can even set up
different VPN policies for connecting from someone's own laptop vs
connecting from a public location where you would want to remove the client
and sanitize the environment at logoff.

Contact me off-list if you have some more questions.

-- 
=
bep


Re: [c-nsp] MPLS VPN with PE over GRE tunnels

2011-09-20 Thread Bruce Pinsky

Ross Halliday wrote:
> It seems I made an error in the subject of my message, should read MPLS
> VPN with CE over GRE tunnels... Looks like a few people didn't read far
> beyond the subject line :P
>
> Thank you Gert and Cristophe, I will give that a test tonight. Does the
> same sort of gotcha exist on the 7200 platform? I moved the interfaces
> over to that router, which also runs MPLS, and before I corrected the
> VPNv4 iBGP relationships the traffic worked fine when the 7204 sent
> packets out labeled for that default route (which caused them to be sent
> back via OSPF into an SVI). Once I fixed the BGP peering so that the
> 7204 learned the far VPNv4 route properly it exhibited the same problem
> as the 6509. The 7204 is a dinky ol' NPE-225 running 12.4(22)T.
>
> Reading that page that Cristophe linked, I'm curious why this isn't
> default behavior. Is it just some magic knob to stump people on a CCIE
> exam or is there some performance impact or other side effects?
>

No, the recirculation issue is only related to the 6500.  It has to do with
what operations can be performed in the hardware in a single cycle.  The
7200 is a software switching platform and would not have such a limitation.
If you are having a problem on the 7200, there is something else going on
here.  We terminate DMVPN in VRFs for L3VPN on 7200's all the time without
issue.

Some additional troubleshooting info would be useful such as traceroutes in
both directions, ping tests from the CE site to the PE itself, etc to see
where the transit path is breaking down.  Also, complete configs would be
useful to see if anything jumps out.

-- 
=
bep


Re: [c-nsp] ASA vs ISR ZBFW

2011-09-08 Thread Bruce Pinsky

Jay Nakamura wrote:
> I have been wondering lately, what advantages do ASA have over ISR as
> a firewall on the low end?  As just one stand alone firewall, what
> features are there for ASA that distinguish it?  Often, I would rather
> have an ISR over an ASA so I have more flexibility in a budget
> environment.
>
> ASA5505-SEC-BUN-K9 is about the same price range as CISCO1921-SEC/K9 I
> believe.  Which would you choose?
>
> What am I missing that I should be using ASA instead of ISR?

Among others:

- Stateful redundancy
- Basic and complex URL filtering
- WebAuth
- Threat Detection
- Various UC functions
- Anti-spoofing
- ActiveX/Java/HTTP/HTTPS/FTP Filtering

=
bep


Re: [c-nsp] Traffic Control

2011-09-07 Thread Bruce Pinsky

Jaycee Cockburn wrote:
> Hi Mo,
> Depends on where Subnet A & B are physically attached...
> If they are on different (sub) interfaces you can always use
> VRF-lite...quick and easy and very secure...
>
> If not, I think policy routing is your friend...
>

Or it could be as simple as a couple of ACLs.

-- 
=
bep


Re: [c-nsp] 8.3 nat question asa

2011-08-29 Thread Bruce Pinsky

dalton wrote:
>
> Hi,
>
> I have what is probably a simple question, however, this is my first occasion of
> working with the new nat config on an asa running 8.3.
>
> I have defined a dynamic source nat rule:
>
> Here is the relevant config:
>
> object network obj-10.201.0.0
>  subnet 10.201.0.0 255.255.0.0
>
> object network obj-2.2.2.102
>  host 2.2.2.102
>
> nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102
>
> What I am looking to do, if possible (I believe it should be), is do a static
> mapping from the outside of 2.2.2.102:80 to a single ip address in the
> 10.201.0.0/16 net, for ex 10.201.10.10:80
>
> I'm guessing the syntax would be similar to:
>
> 1) add object
> object network obj-10.201.10.10
>  host 10.201.10.10
>
> 2) Then add the manual nat rule
> nat (outside,inside) source static obj-2.2.2.102 obj-2.2.2.102  destination
> static obj-10.201.10.10 obj-10.201.10.10
>
> Is that correct? Also, what is the syntax for mapping only port 80 of
> obj-2.2.2.102 to obj-10.201.10.10?
> so, obj-2.2.2.102 port 80 to obj-10.201.10.10 port 80
>
> Any help or tips appreciated!
>

I do something similar.  I dynamic NAT all inside traffic to the outside
interface address except for a single port that static maps to something
inside.  Here is the relevant config:

object network Slingbox
 nat (inside,outside) static interface service tcp 5001 5001
object network Any
 nat (any,outside) dynamic interface

-- 
=
bep
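
An added configuration example (mine, not the poster's or Bruce's config) for the port-only mapping asked about in this thread, using the object names from the question; the ACL name outside_in is an assumption:

```cisco
! Added example, not from the thread. Object names come from the question;
! the ACL name outside_in is assumed.
!
! Existing outbound rule from the question: twice NAT (section 1). Because it
! is dynamic, it only builds translations for connections started from inside.
object network obj-10.201.0.0
 subnet 10.201.0.0 255.255.0.0
object network obj-2.2.2.102
 host 2.2.2.102
nat (inside,outside) source dynamic obj-10.201.0.0 obj-2.2.2.102
!
! Inbound port forward: object NAT (section 2) with a service mapping, the
! same pattern as the Slingbox rule above but with an explicit mapped object.
! Only tcp/80 on 2.2.2.102 is translated to 10.201.10.10:80; every other port
! on 2.2.2.102 is left alone, so nothing else inside becomes reachable.
object network obj-10.201.10.10
 host 10.201.10.10
 nat (inside,outside) static obj-2.2.2.102 service tcp 80 80
!
! From 8.3 on, access lists match the real (untranslated) address, so the
! permit names the inside host, not 2.2.2.102, and only the forwarded port.
access-list outside_in extended permit tcp any object obj-10.201.10.10 eq www
access-group outside_in in interface outside
!
! Check the result with "show nat detail" and
! "packet-tracer input outside tcp 203.0.113.5 12345 2.2.2.102 80"
! (203.0.113.5 is a constructed test source address).
```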


Re: [c-nsp] ASA access per domain

2011-08-24 Thread Bruce Pinsky

Scott Voll wrote:

> on an ASA is there a way to allow access via a domain name?
>
> ASA 8.2
>
> Currently we block all outbound internet traffic and only allow the proxy
> server out.  I have a request to open access to a site because the proxy is
> not dealing with it well.  BUT the site is hosted with Akamai technologies
> so I don't want to open access to the server.
>
> is there a way to allow access to the domain of the site I'm looking for and
> not the other stuff hosted there?



Check out https://supportforums.cisco.com/docs/DOC-1268

==
bep


Re: [c-nsp] ASA VPN with Local CA on the ASA

2011-08-17 Thread Bruce Pinsky

Jay Nakamura wrote:
> I have been reading the documentation and trying to understand how this works.
>
> My understanding is, I can use a certificate to add another layer of
> authentication to VPN users on ASA.  I can use the ASA as the CA to
> issue the cert and manage the cert.  Is that correct?  I wouldn't need
> an additional CA server or external CA to purchase certs from?  Does it
> work with both IPSec and Anyconnect clients?
>
> Anyone have a good configuration example or URL that goes over it?
 

Yes, the ASA can serve as its own CA.  The caveat appears to be that you
can't have failover if you do that.  If you have Active/Standby, the
recommendation is using Microsoft's CA.  Here are links for doing both:

http://www.networkworld.com/community/blog/how-guide-cisco-asa-sslvpn-using-certificates
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

-- 
=
bep


Re: [c-nsp] VRF-lite configuration - BGP and Local Routes

2011-07-25 Thread Bruce Pinsky

Joseph Hardeman wrote:
> Hi Everyone,
>
> I am hoping that someone can give me some guidance with how to setup
> VRF-Lite and routing with BGP and intra-vrf routing.  I have been playing
> with this for about a week now and figured out how to setup vrf-lite to a
> certain point.  I know if I apply the ip vrf xx to an interface such as
> physical, loopback, or vlan I can pass traffic up or down it on the same
> vrf, including if I set the vrf on an interface going outbound to a BGP
> peering neighbor I can pull in their bgp announcements to that vrf, but what
> I am having problems with is: can this be done via the Global BGP routing
> table?  Or can I somehow do a Global Leak so that the VRF can communicate
> out of its area to the remote peer?
>
> I hope I am clear here, if not I will be happy to share my testing
> configuration.  Basically we are wanting to separate 2 networks so that they
> have their own BGP Routing tables so they have different routes out but at
> the same time be able to communicate between all of the local networks the
> router has installed on it.
 

Leaking between VRFs is done via import/export statements indicating which
route targets are put into the global VPNv4 table and which should be
brought into a particular VRF.

Leaking routes into/out of the global routing table is typically
accomplished via static routes.

There are examples of both types of leaking here
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml


-- 
=
bep
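
An added IOS configuration example (mine, not from the thread or the linked Cisco document) that puts both leaking methods from the reply into one VRF-lite config: route-target import/export between two VRFs, and static routes between a VRF and the global table. VRF names, AS number, interface names and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed.

```cisco
! Added example, not from the thread. All names and addresses are constructed.
!
! 1) VRF-to-VRF leaking with route targets. Each VRF exports its own RT and
!    imports the other's. The exchange goes through the BGP VPNv4 table, so a
!    bgp process with the VRF address families is needed even with no BGP
!    neighbors configured (plain VRF-lite).
ip vrf VRF_A
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
 route-target import 65000:2
!
ip vrf VRF_B
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
 route-target import 65000:1
!
interface GigabitEthernet0/0
 ip vrf forwarding VRF_A
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip vrf forwarding VRF_B
 ip address 198.51.100.1 255.255.255.0
!
router bgp 65000
 address-family ipv4 vrf VRF_A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VRF_B
  redistribute connected
 exit-address-family
!
! 2) VRF <-> global leaking with static routes.
! Outbound: VRF_A follows a default through a next hop that lives in the
! global table (the side where the global BGP peer is).
ip route vrf VRF_A 0.0.0.0 0.0.0.0 203.0.113.1 global
! Return path: a global static route pointing at the VRF interface. For the
! connected subnet the interface alone is enough (the router ARPs for the
! host); for a prefix behind a router inside the VRF, add that router's
! address after the interface name. Only the prefixes listed here become
! reachable from the global table, so keep the list to what must be exposed.
ip route 192.0.2.0 255.255.255.0 GigabitEthernet0/0
!
! Verify with "show ip route vrf VRF_A", "show ip bgp vpnv4 all"
! and "show ip route 192.0.2.0".
```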


Re: [c-nsp] GRE tunnel to do span vlan across two datacenters?

2011-07-06 Thread Bruce Pinsky

Eric Gauthier wrote:
> Hello,
>
> I am not sure that you can bridge two subnets together using GRE, so
> you may need some additional technology if your goal is to make the
> same subnet/IP float dynamically between locations.
>
> With that said, if you use GRE, you'll want to make sure that the
> underlying transport between your data centers supports an MTU large
> enough to handle the GRE header without fragmentation.
 

Bridging over GRE, if it works at all, is not supported.

-- 
=
bep


Re: [c-nsp] IPv6 Support in Cisco IOS AnyConnect?

2011-06-16 Thread Bruce Pinsky

Chris Mason wrote:
> Hi,
>
> Is anyone from Cisco able to confirm if IPv6 is supported when using
> the IOS based SSL VPN feature (inside the VPN)?
> The AnyConnect VPN client has a field for Client Address (IPv6) but
> I can't see how to enable it on the router.
>
> Using 15.0(1)M6 on the router and AnyConnect 2.5 on the client.
>
> I can see it is supported if I was using an ASA as the headend, but
> looking for some pointers when using an IOS based head-end?
 

Yes, it is supported, however, I think you might need AC 3.0. Also not sure
if it would work with a router vs an ASA.  We have an ASA setup for IPv6
only connectivity for testing purposes at work.

-- 
=
bep


Re: [c-nsp] CCNP Labshi a

2011-04-23 Thread Bruce Pinsky

Mohammad Khalil wrote:
> Hi all
>
> I am in the process of building CCNP Switch and Route Labs.
> What is the exact hardware needed?
 

CCNP is a set of computer based tests.  There is no hardware.

-- 
=
bep


Re: [c-nsp] CCNP Labshi a

2011-04-23 Thread Bruce Pinsky

Mohammad Khalil wrote:
> We are an academy and we want to prepare a suitable lab.
 

To prepare for CCNP, I would suggest using the Cisco Learning Labs.

https://learningnetwork.cisco.com/community/learning_center/cisco_learning_labs

-- 
=
bep


Re: [c-nsp] Redistributed EIGRP Route Preferred over EBGP?

2011-04-18 Thread Bruce Pinsky

Chris Mason wrote:
> Hi,
>
> I have a DMVPN setup running EIGRP between the HUB and SPOKES. The HUB
> is then running E-BGP back to the core.
> The HUB and SPOKES are all within the same EIGRP AS so the routes
> being learnt are internal EIGRP routes.
>
> I have remote sites which have a primary and secondary router with
> EIGRP being used on the secondary router.
> The primary router will be advertising the same prefixes via BGP.
>
> On the HUB, I am redistributing the EIGRP learnt routes into BGP.
> In the scenario below I am also learning the same prefix via BGP for
> the site's primary circuit.
>
> Based on the following output I would expect the BGP learnt route to
> be preferred over the EIGRP redistributed route as I am setting a
> weight of 64000 on the BGP route.
> The EIGRP route will have a weight of 32768 because it is locally
> redistributed:
>
> Router# show ip bgp vpnv4 vrf VPN-A 172.31.254.105/32
> BGP routing table entry for 65222:400:172.31.254.105/32, version 125981
> Paths: (2 available, best #2, table VPN-A)
>   Advertised to update-groups:
>      2358
>   100 65000 65116
>     172.31.235.1 from 172.31.235.1 (172.16.0.33)
>       Origin incomplete, metric 0, localpref 100, weight 64000, valid, external
>       Extended Community: RT:65222:400
>       mpls labels in/out /nolabel
>   Local
>     172.31.238.166 from 0.0.0.0 (172.31.235.254)
>       Origin incomplete, metric 297372416, localpref 100, weight
> 32768, valid, sourced, best
>       Extended Community: RT:65222:400
>         Cost:pre-bestpath:128:297372416 (default-1850111231) 0x8800:32768:0
>         0x8801:44:12928000 0x8802:65281:28416 0x8803:65362:1400
>       mpls labels in/out /nolabel
>
> I can't work out why we are preferring the EIGRP path to the BGP path?
> Does anyone have any ideas or am I missing something obvious?
 

If I understand you correctly, an internal EIGRP route is being preferred
in the RIB over an eBGP route.  That would make sense as EIGRP has an admin
distance of 20 and eBGP has an admin distance of 170.

In the output you show above, the redist'd EIGRP route is preferred in BGP
but that has no bearing on whether the eBGP route is preferred over an
EIGRP route.

Or am I missing something in your explanation?


-- 
=
bep


Re: [c-nsp] Can I encrypt syslog traffic in IOS

2011-03-25 Thread Bruce Pinsky

Hammer wrote:
> Thanks Christopher. My research has yielded the same result. I went and told
> the unix team about an hour ago that I was flipping our syslog from UDP to
> TCP w/ SSL or VPN and he just about fell over. I'm trying to decide how much
> of an effort I want to make on this. Right now, I'm just enjoying watching
> him implode.
>
 

Have you looked at this:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_reliable_del_filter.html

While it talks a bunch about BEEP, it would appear that TLS is also
supported as a transport.  See the options here:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_reliable_del_filter.html#wp1055009

You can specify TLS as the transport and name the cipher and trustpoint
credentials to be used.

-- 
=
bep


Re: [c-nsp] Can I encrypt syslog traffic in IOS

2011-03-25 Thread Bruce Pinsky

Hammer wrote:
> Hey that's pretty cool. As long as my syslog host is fine with it.
> Thanks and I'll start researching.
>

I haven't tried it to see if it works however.  Good writeup here on doing
Encrypted Syslog with rsyslogd.

http://www.rsyslog.com/doc/rsyslog_secure_tls.html

-- 
=
bep


Re: [c-nsp] Can I encrypt syslog traffic in IOS

2011-03-25 Thread Bruce Pinsky

Hammer wrote:
> Cool. Doesn't apply to IOS but will work for my CheckPoints. If I make
> some headway I'll post back to this thread. Don't hold your breath.
>

Well, I was thinking of rsyslogd on the server side, not the client.  Then
if the IOS TLS transport works for syslog, you'd be good to go.

-- 
=
bep


Re: [c-nsp] ASA question

2011-03-01 Thread Bruce Pinsky

Dave Weis wrote:
> I'm trying to figure out if I can accomplish something in one box. We
> are setting up a VPN tunnel to a 3rd party and need to direct traffic
> for about a dozen /24's over that tunnel. The catch is that I need to
> NAT them to a globally routable IP on the way out, but we use
> 192.168.x.x subnets internally.
>
> Can this be done with a single ASA? I've tried to make it work on an
> Adtran with a combination of loopback addresses and policy routing but
> it's not cooperating and I'm not sure it's possible on that platform.
 

So, basically, you need to NAT traffic that is going into the tunnel?

If so, that is doable.

-- 
=
bep


Re: [c-nsp] 12.2.33.SRE Train and Dynamips

2011-01-18 Thread Bruce Pinsky

Shahid Shafi wrote:
> Is anyone able to run the 12.2.33 SRE train with Dynamips? I am trying to run it
> on NPE-G2 and NPE-400 with no luck. My routers keep crashing without any
> rhyme or reason. I also tried to decompress the image and bumped up the
> memory to 1 Gig but still no success. Please let me know if you are able to
> make it work and share your Dynamips settings.
 

Go read this and you will understand why...

http://www.dynagen.org/tutorial.htm

-- 
=
bep


Re: [c-nsp] ASA ssl webvpn question

2011-01-11 Thread Bruce Pinsky

dalton wrote:
> Hi all,
> I am in the process of reading through docs etc on this, but was hoping
> someone maybe has done this before and
> can give me a quick answer.
>
> I have an ASA running ssl vpn as well as normal remote access (cisco client
> based).
> What I am trying to do is exclude 1 particular user from using the ssl vpn.
>
> Is there a way to do this via tunnel-group or group-policy?
>
> Thanks for any insight.
 

I don't believe you can exclude an individual in a tunnel-group or
group-policy.  I believe you can define the VPN policy for that user by
adding them as a user on the ASA or via a Dynamic Access Policy.

-- 
=
bep


Re: [c-nsp] Cisco SSL VPN?

2009-08-21 Thread Bruce Pinsky

Charles Mills wrote:
> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or
> above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.
 

I am using it quite extensively in a couple of areas.  Contact me off-list
if you want to discuss specifics.

-- 
=
bep


Re: [c-nsp] Using 'shutdown' versus pulling the cable

2009-06-15 Thread Bruce Pinsky

thomas.silla...@nextiraone.de wrote:
> Hi Dale,
>
> using the shutdown command is IMHO always cleaner because of the graceful
> shutdown feature. If you plan a failover test, physically disconnecting
> the link or powering off the device shows the real failover time.
 

If you want a less well behaved failure, pull just the tx or rx side of
the fiber...or introduce 10e-4 errors and see what happens.

-- 
=
bep


Re: [c-nsp] MPLS

2009-05-29 Thread Bruce Pinsky

madunix wrote:
> I have 3x sites with DS8100 SAN Storage at each side, I will be
> replicating data from one side to another (A - B, synchronous,
> distance 100Km) and (B - C, asynchronous, 300Km). I am thinking of using
> MPLS based IP-VPN since it's secure and not visible to other
> customers or the internet.
> Out of your experience... what do you think about it?
 

Well, it's not secure, it's simply routing isolated.  If you want
security, as in encryption, you will need to do that on your own.

If you need low convergence times, MPLS/VPN is probably not your best
choice.  I don't know of many (if any) providers who will guarantee the
convergence times through their network.  You should expect convergence
times in the 10's of seconds or more for certain types of failures.

You may want to consider getting an L2VPN solution such as VPWS or VPLS and
running your own routing protocol and failure detection methods.

-- 
=
bep


Re: [c-nsp] Trouble in an ASA migration from CheckPoint

2009-05-08 Thread Bruce Pinsky

Marcelo Zilio wrote:
> Hi,
>
> I'm working on a migration of a CheckPoint Firewall to an ASA5520. I froze
> on a situation where it seems the ASA cannot reproduce the CheckPoint configuration.
> Here is the scenario:
>
> - IP Address X on the Internet accesses IP Address X1 in the Inside network
> through the X-NAT Address.
> - IP Address Y on the Internet accesses IP Address Y1 in the Inside network
> through the same X-NAT Address.


Can you give us a more concrete example please?  I'm not grok'ing what you
are trying to accomplish.


-- 
=
bep


Re: [c-nsp] 12.2(33)SXI vpnv6

2009-03-13 Thread Bruce Pinsky

Tim Durack wrote:
> I'm running 12.2(33)SXI on some boxes in a PE-PE setup. I'm trying to enable
> vpnv6. BGP side of things is working:
>
> rtr-1#sh ipv6 route vrf v101
> IPv6 Routing Table - v101 - 4 entries
> Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
>        B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
>        IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP
> external
>        O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
>        ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
> B   1:0:1:1::1/128 [200/0]
>      via 1:0:1970::1%Default, indirectly connected
> B   1:0:1:1::2/128 [200/0]
>      via 1:0:1970::2%Default, indirectly connected
> LC  1:0:1970:1::3/128 [0/0]
>      via Loopback101, receive
> L   FF00::/8 [0/0]
>      via Null0, receive
>
> But cef/labels aren't being programmed:
>
> rtr-1#sh mls cef ipv6 vrf v101
>
> Codes: + - Push label
> Index  Prefix              Adjacency
> 196640 1:0:1970:1::3/128   receive
> 196672 ::/127              drop
> 196704 FE80::/10           receive
> 196736 FF00::/8            glean
> 197152 ::/0                drop
>
> vpnv4 is working fine, IPv6 in the global table is working, but not vpnv6.
>
> Any ideas?
 

Got a config?

Assume you did enable mls ipv6 vrf...

-- 
=
bep


Re: [c-nsp] L2 traffic tunneling

2009-02-26 Thread Bruce Pinsky

Drew Weaver wrote:
 We have a scenario that looks like this:
 
 RouterRouter
 HostA- SwitchSwitch- HostB
 
 The switches are each connected to both routers, but not to each other.
 
 The routers are 12000s and the switches are 6500s.
 
 I'm wondering what the best way is, besides running a really long cable, to get
 HostA and HostB in the same VLAN.
 
 I'm pretty sure my only choice is Q in Q but I wanted to check with you folks.
 

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1107177


- --
=
bep



Re: [c-nsp] ospf network type

2008-10-26 Thread Bruce Pinsky

Brian Spade wrote:
 On Sat, Oct 25, 2008 at 11:09 PM, Bruce Pinsky wrote:
 
 
 Really depends on your convergence requirements.  For some it's very
 important, for others not so much.
 
 
 If the link goes down, the missing ethernet keepalive should signal a
 topology change before the dead timer interval expires.  Therefore, I'm
 not clear on how the difference in hello timers would impact convergence.
 

It's not about the hello timers, it's about eliminating the DR/BDR election.

- --
=
bep



Re: [c-nsp] ospf network type

2008-10-26 Thread Bruce Pinsky

Brian Spade wrote:
 Thanks Mark, that thread was very useful and answered my questions.  My
 question stemmed from an insight into the best practice for this type of
 topology.
 
 Putting aside having to add additional commands for your OSPF configuration,
 the only advantage I see of changing the network type from broadcast to
 point-to-point is quicker OSPF adjacencies.  So all-in-all, it probably
 doesn't make too much of a difference changing the default network type for
 this topology.
 

Really depends on your convergence requirements.  For some it's very
important, for others not so much.


- --
=
bep



Re: [c-nsp] bgp transit, selecting providers based on source IP

2008-03-26 Thread Bruce Pinsky

Michael K. Smith - Adhost wrote:

...snip...snip...

 
 The answer to this may be no way.  :-)  If you have a peering session
 with the customer, why not only announce your routes from your two other
 providers so that the customer doesn't see the routes from the one they
 want to avoid?  Wouldn't that accomplish the same thing?  You could tag
 your transit routes with a community, add the two you want to transit to
 a community-list and then announce only the routes that match the list.
 
 Thinking out loud, but not necessarily well.  :-)
 

And when the packets reach his routers that have all 3 provider exit points
available, how is he going to prevent those packets from choosing the
undesired exit point?

It's not a question of what he advertises to his customer, but rather how
the forwarding decision is modified for just this customer.

- --
=
bep



Re: [c-nsp] bgp transit, selecting providers based on source IP

2008-03-25 Thread Bruce Pinsky

Wayne Lee wrote:
 Hi List
 
 We currently have 3 transit providers. all works as expected. We
 recently have connected a customer who requires BGP transit from us
 but with a twist.
 
 The customer for whatever reason do not want their traffic going via
 our preferred provider, is there any way I can force the customers
 outbound traffic to go via my other 2 providers instead?
 
 I have created the prefix-lists to stop announcing the customers
 routes via the main provider so no traffic should return by them. The
 customer is multi-homed with another transit provider.
 
 

You could either use Policy Based Routing to forward based on their source
address range or you could use VRF-Lite to create a separate routing table
instance that only includes the routes to 2 out of the 3 providers.

Which is best would require a bit more info about your environment.

- --
=
bep



Re: [c-nsp] IPv6 bgp

2008-02-06 Thread Bruce Pinsky

[EMAIL PROTECTED] wrote:
 Hi,
 
 I'm playing with IPv6 on some test routers. I noticed that sh ip bgp
 sum does not give information about IPv6 neighbors. IOS running on the
 boxes is 12.3(20). Is there an IOS version that has show commands
 regarding bgp and IPv6?


If it's supported, BGP commands would be of the form "sh bgp ipv6", so "sh
bgp ipv6 sum" for example.

- --
=
bep



Re: [c-nsp] BFD for static routes

2008-01-10 Thread Bruce Pinsky

Phil Bedard wrote:
 That's really the killer app for this, so to speak: an L2 metro
 scenario where you can't propagate the customer link-state back to the
 terminating L3 router.   Even the lowest end Cisco router runs BGP
 these days, so I've used that in the past with private ASs for  
 customers dual-homed, but that requires more configuration and  
 monitoring, etc.  The other option is GRE tunnels but that isn't a  
 very good solution imho.  BFD seems like a better option to me.  It's  
 supported by Juniper, but Cisco seems to only have support in IOS XR.
 
 I guess a question to pose to Cisco is what takes more CPU, BFD or IP  
 SLA?  If they are the same, IP SLA (reliable static routes) is  
 certainly an option.
 

It's supported in more than XR:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fs_bfd.html#wp1240666

In fact, echo mode is supported on some platforms as well now.

- --
=
bep



Re: [c-nsp] Remote rebooting

2008-01-10 Thread Bruce Pinsky

Peter Rathlev wrote:
 Don't know if this thread's still alive, but I just browsed through the
 Tech Update June 2007 from the Re: MPLS hardware-thread and noticed
 the Cisco Approved Remote Reboot device from Data Probe (p. 59 in the
 presentation).
 
 http://www.dataprobe.com/products/control/ib6500.html
 


Note that the Dataprobe Model iB-6500 is designed to work with the 8700W
power supply for the 6500.


- --
=
bep



Re: [c-nsp] BFD for static routes

2008-01-10 Thread Bruce Pinsky

Phil Bedard wrote:
 BFD is supported on pretty much everything, it's static route support
 for BFD that isn't.
 

As I told Gert, I read it out of context...mea culpa...

- --
=
bep



Re: [c-nsp] router and transparent bridging help needed.

2007-12-06 Thread Bruce Pinsky

Aaron wrote:
 Ibrahim Abo Zaid wrote:
 Dear Aaron
  
  
 regarding the bridging frame directly to your internal router via your 
 firewall , the below Cisco documents shows transparent bridging over 
 many scenarios including frame-relay to ethernet
 bridging
  
 http://www.cisco.com/en/US/tech/tk331/tk660/technologies_tech_note09186a0080094471.shtml
  
 regarding the HW point , i believe that any cisco router support 
 frame-relay will do it
 starting from Cisco 805
  
 i hope you will find that useful in that case
  
 best regards
 -- Abo Zaid

 Thanks Abo, that seems to be exactly what I was needing and will
 do exactly what I was wanting.
 
 I wonder why so many different thoughts on what the IOS can and can't do.
 

Because the person citing that doc fails to understand that the doc
describes bridging from one router to another that is also bridging.  What
I thought you described (and I think others thought) is that you need a
situation where one of the routers is bridging and the other downstream
router is routing.  That won't work.  A frame encap'd IPv4 packet will be
rejected by an interface that is expecting a frame encap'd bridge packet
(and vice versa).

So in the original example:

 ISP|unknown router|serial(Frame)|address 1.2.3.4
  |
__|___
 wic-1t
 some cisco router
ethernet
  -|-
   |
 1.2.3.5eth0
   internal router/firewall


packets from unknown router will be frame encap'd with NLPID of 0xCC
indicating IPv4 over frame relay.  If wic-1t router is bridging, it is
expecting to receive a frame encap'd packet with an NLPID of 0x80 with an
OUI and PID indicating the type of MAC layer encapsulation to be expecting
within the frame relay packet.  NLPID's won't match so the packet will be
rejected.

If unknown router can bridge IP instead of routing it, then this could
work with some cisco router acting as a pure bridge.  But if that is the
ISP router (as indicated), that isn't likely to happen.

So, your best choice here is probably to readdress the internal router,
place address 1.2.3.5 on the wic-1t interface, and make some cisco router
routing between your ISP and the internal router.

- --
=
bep
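An added example (not from the thread) that decodes the RFC 2427 Frame Relay header the reply describes, telling a routed IPv4 PDU (NLPID 0xCC) from a SNAP-wrapped bridged one (NLPID 0x80 followed by OUI and PID), and checks whether a routing or a bridging peer would accept it; the DLCI, the zero-filled payloads and the sample PDUs are constructed, and the PID names are quoted from RFC 2427 as I recall them:

```python
# Added example, not code from the thread: classify the multiprotocol
# encapsulation of a Frame Relay PDU (RFC 2427) by its NLPID, which is the
# check the reply walks through when it explains why a bridging peer
# rejects a routed IPv4 frame and vice versa.
from __future__ import annotations
from dataclasses import dataclass

NLPID_IP = 0xCC        # routed IPv4 (RFC 2427 section 4.1)
NLPID_SNAP = 0x80      # SNAP header follows: 3-byte OUI, 2-byte PID
NLPID_PAD = 0x00       # optional alignment pad before the NLPID
UI_CONTROL = 0x03      # Q.922 unnumbered information control field

OUI_802_1 = b"\x00\x80\xc2"   # IEEE 802.1 OUI used for bridged PDUs
BRIDGED_PIDS = {              # PID values as listed in RFC 2427 section 4.2
    0x0001: "802.3/Ethernet (FCS preserved)",
    0x0007: "802.3/Ethernet (FCS not preserved)",
    0x000E: "802.1(d) BPDU",
}


@dataclass
class FrHeader:
    dlci: int
    kind: str          # "ip", "bridged", "snap-other" or "unknown"
    detail: str
    payload_offset: int


def parse_q922_address(buf: bytes) -> int:
    """Decode a 2-byte Q.922 address (the usual form) and return the DLCI."""
    if len(buf) < 2:
        raise ValueError("short Q.922 address")
    b0, b1 = buf[0], buf[1]
    if b0 & 0x01 or not (b1 & 0x01):   # EA bits: 0 on the first byte, 1 on the last
        raise ValueError("only 2-byte Q.922 addresses are supported")
    return ((b0 >> 2) << 4) | (b1 >> 4)


def parse_fr_pdu(pdu: bytes) -> FrHeader:
    """Classify the encapsulation of a Frame Relay PDU by its NLPID."""
    dlci = parse_q922_address(pdu)
    off = 2
    if len(pdu) <= off or pdu[off] != UI_CONTROL:
        raise ValueError("expected UI control field 0x03")
    off += 1
    if off < len(pdu) and pdu[off] == NLPID_PAD:
        off += 1
    if off >= len(pdu):
        raise ValueError("missing NLPID")
    nlpid = pdu[off]
    off += 1
    if nlpid == NLPID_IP:
        return FrHeader(dlci, "ip", "routed IPv4 (NLPID 0xCC)", off)
    if nlpid == NLPID_SNAP:
        if len(pdu) < off + 5:
            raise ValueError("truncated SNAP header")
        oui = pdu[off:off + 3]
        pid = int.from_bytes(pdu[off + 3:off + 5], "big")
        off += 5
        if oui == OUI_802_1 and pid in BRIDGED_PIDS:
            return FrHeader(dlci, "bridged", BRIDGED_PIDS[pid], off)
        return FrHeader(dlci, "snap-other", f"OUI {oui.hex()} PID 0x{pid:04x}", off)
    return FrHeader(dlci, "unknown", f"NLPID 0x{nlpid:02x}", off)


def compatible(pdu: bytes, peer_mode: str) -> bool:
    """The mismatch the reply describes: a routing peer wants NLPID 0xCC,
    a bridging peer wants the 0x80/OUI/PID form; anything else is rejected."""
    kind = parse_fr_pdu(pdu).kind
    return {"routing": "ip", "bridging": "bridged"}.get(peer_mode) == kind


def q922_address(dlci: int) -> bytes:
    """Build the 2-byte Q.922 address for a DLCI (C/R, FECN, BECN, DE all zero)."""
    return bytes([((dlci >> 4) & 0x3F) << 2, ((dlci & 0x0F) << 4) | 0x01])


# Constructed sample PDUs on DLCI 100 (not captured traffic); the payloads
# are zero-filled stand-ins for an IPv4 header and an Ethernet header.
ROUTED_IP_PDU = q922_address(100) + bytes([UI_CONTROL, NLPID_IP]) + bytes(20)
BRIDGED_ETH_PDU = (q922_address(100) + bytes([UI_CONTROL, NLPID_PAD, NLPID_SNAP])
                   + OUI_802_1 + (0x0007).to_bytes(2, "big") + bytes(14))

if __name__ == "__main__":
    for name, pdu in (("routed", ROUTED_IP_PDU), ("bridged", BRIDGED_ETH_PDU)):
        h = parse_fr_pdu(pdu)
        print(f"{name}: DLCI {h.dlci} {h.kind} ({h.detail}), payload at byte {h.payload_offset}")
        print(f"  accepted by a routing peer: {compatible(pdu, 'routing')}, "
              f"by a bridging peer: {compatible(pdu, 'bridging')}")
```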



Re: [c-nsp] router and transparent bridging help needed.

2007-12-03 Thread Bruce Pinsky

Aaron wrote:
 I have run into a situation where i need to bridge my incoming
 frame-relay t1 directly to an internal router's ethernet interface.
 
 I have no practical experience with cisco so i'm hoping the list can
 give me some pointers and suggestions and ideally i'll only get 2nd
 degree burns from the flames.
 
 The situation as i need it is as such:..
 My isp has a ptp address of 1.2.3.4 and my assigned address is 1.2.3.5
 (ips sanitized of course).  I want to pass the 1.2.3.5 address directly
 through to my internal router eth0 interface. (sorry in adv. for the
 crappy ascii art)
 
 ISP|unknown router|serial(Frame)|address 1.2.3.4
  |
__|___
 wic-1t
 some cisco router
ethernet
  -|-
   |
 1.2.3.5eth0
   internal router/firewall
 
 I have seen some examples but honestly i'm not even sure what hardware I
 should be looking at.  The example from the archives
 http://marc.info/?l=cisco-nspm=115982463524342w=2 was talking about a
 cisco 1601, but that was a ppp based connection.
 
 Another thread i found http://marc.info/?t=11866769005r=1w=2
 talked about a frame connection but then they were using a 2600 and the
 replies seemed a little mixed as one guy said he should switch to ppp in
 half-bridging and someone else replied about something called IRB
 approach.  I'm not sure if switching to ppp is an option here so I'd
 like to concentrate on frame.
 
 I don't need/want routing, blocking, natting at all to happen on the cisco,
 essentially I want it to act like a hub/switch connected to my internal
 firewall/router.
 
 The reasoning behind this is, and please correct me if i'm wrong, I want
 as simple and worry free a setup on the cisco as possible.  After
 configuring it I won't be fiddling with configs unless something were to
 break.  My internal router will do all the natting/firewalling and
 routing, and i am confident when configuring that.  I believe the ability
 on the OS is much more important than the OS.  I will not need to connect
 to the cisco via tcp at all, all connects will be via the management
 console.
 
 Any suggestions on hardware (less expensive the better), IOS version
 i'll need and probably most importantly, config suggestions, example or
 link to pertinent material(i'm willing to learn to fish) would be most
 appreciated.
 
 Thanks in advance.
 

What you want is local switching of layer 2, but I don't think there is
support for frame-relay to ethernet switching.

Your other possibility would be PPP half-bridge but not sure if you can do
PPP half-bridge over a frame relay connection or not.

Wouldn't it be simpler to add a serial interface to the internal
router/firewall?

- --
=
bep



Re: [c-nsp] Setting ip next-hop based on protocol

2007-12-02 Thread Bruce Pinsky

Flip Power wrote:
 I would like to set ip next-hop based on layer 7 protocol. For example,
 I would like to write a class-maps catching all HTTP and FTP traffic and
 bind a policy that sets the next hop ip address on a match. This is
 taking place on IOS 12.2. In the policy-map I can see options for
 setting precedence and DSCP values, but not ip next-hop. Anyone know of
 a way to do this? 

Policy maps are for enforcing QoS policies.  What you are talking about is
Policy Based Routing (PBR).

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008075fae6.html

- --
=
bep



Re: [c-nsp] Cisco BGP Capability type code 131

2007-11-28 Thread Bruce Pinsky

Peter Rathlev wrote:
 On Thu, 2007-11-29 at 09:50 +1030, Tom Storey wrote:
 google bgp capability 131

 http://www.rfc-editor.org/rfc/rfc4760.txt

 snip
 
 I may have misunderstood something here, but as far as I can see,
 RFC4760 chapter 9 describes the SAFI namespace as per
 
 http://www.iana.org/assignments/safi-namespace.
 
 It does not describe BGP capabilities, as defined in
 
 http://www.iana.org/assignments/capability-codes.
 
 RFC 4760 (and 2858 which it obsoletes) describes sending BGP capability 1
 (Multiprotocol Extensions for BGP-4) with a capability parameter that
 includes a SAFI, which could be 131 as per RFC 4760. (The RFC does not
 describe what SAFI 131 is though, just that it's part of a group which
 was private use and is now reserved/unallocated.)
 
 If the OP's question really is "What is BGP capability 131?" then the
 answer is "Vendor specific" as per IANA definitions.
 
 Maybe OP can add some information to establish a context?
 

BGP Multisession is capability 131

http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-03

- --
=
bep
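An added example (not from the thread) that walks the Optional Parameters of a BGP OPEN and lists the capabilities it advertises, separating capability code 1 (whose value is an AFI/SAFI pair, the distinction Peter draws above) from a code 131 capability as named in the reply; the sample parameter bytes are constructed and the code 131 value is a placeholder:

```python
# Added example, not code from the thread: decode the capabilities carried
# in the Optional Parameters of a BGP OPEN (RFC 4271 section 4.2, RFC 5492)
# so that capability *codes* are not confused with SAFI values: code 1 is
# Multiprotocol Extensions and its value is an AFI/SAFI pair (RFC 4760);
# code 131 is the code the thread associates with the multisession draft.
from __future__ import annotations
from dataclasses import dataclass
from typing import List

OPT_PARAM_CAPABILITIES = 2
CAP_MULTIPROTOCOL = 1
CAP_CODE_131 = 131            # code quoted in the thread

AFI_NAMES = {1: "ipv4", 2: "ipv6"}
SAFI_NAMES = {1: "unicast", 2: "multicast", 4: "mpls-label", 128: "mpls-vpn"}


@dataclass
class Capability:
    code: int
    value: bytes

    def describe(self) -> str:
        if self.code == CAP_MULTIPROTOCOL and len(self.value) == 4:
            afi = int.from_bytes(self.value[0:2], "big")   # 2-byte AFI
            safi = self.value[3]                           # byte 2 is reserved
            return (f"multiprotocol afi={AFI_NAMES.get(afi, afi)} "
                    f"safi={SAFI_NAMES.get(safi, safi)}")
        if self.code == CAP_CODE_131:
            return f"code 131 (multisession draft; {len(self.value)} value bytes)"
        return f"code {self.code} ({len(self.value)} value bytes)"


def parse_open_optional_params(opt: bytes) -> List[Capability]:
    """Parse the Optional Parameters field: a sequence of (type, length,
    value); a type-2 parameter carries (code, length, value) capabilities.
    Length fields are bounds-checked so a malformed OPEN raises instead of
    reading past the buffer."""
    caps: List[Capability] = []
    i = 0
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated optional parameter header")
        ptype, plen = opt[i], opt[i + 1]
        pval = opt[i + 2:i + 2 + plen]
        if len(pval) != plen:
            raise ValueError("optional parameter length exceeds buffer")
        i += 2 + plen
        if ptype != OPT_PARAM_CAPABILITIES:
            continue
        j = 0
        while j < len(pval):
            if j + 2 > len(pval):
                raise ValueError("truncated capability header")
            code, clen = pval[j], pval[j + 1]
            cval = pval[j + 2:j + 2 + clen]
            if len(cval) != clen:
                raise ValueError("capability length exceeds parameter")
            caps.append(Capability(code, cval))
            j += 2 + clen
    return caps


def summarize(opt: bytes) -> List[str]:
    return [c.describe() for c in parse_open_optional_params(opt)]


# Constructed sample (not a real capture): one capabilities parameter with
# MP-BGP ipv4/unicast, MP-BGP vpnv4 (AFI 1 / SAFI 128) and a code-131
# capability whose two value bytes are a placeholder.
SAMPLE_OPT_PARAMS = bytes([
    2, 16,                          # type 2 (capabilities), length 16
    1, 4, 0x00, 0x01, 0x00, 0x01,   # cap 1, len 4: AFI 1, reserved, SAFI 1
    1, 4, 0x00, 0x01, 0x00, 0x80,   # cap 1, len 4: AFI 1, reserved, SAFI 128
    131, 2, 0x00, 0x00,             # cap 131, len 2: placeholder value
])

if __name__ == "__main__":
    for line in summarize(SAMPLE_OPT_PARAMS):
        print(line)
```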



Re: [c-nsp] l2tpv3 support in 12.2(33)SXH

2007-10-12 Thread Bruce Pinsky

Juan Angel Menendez wrote:
 
   Hi there,
 
   According to Feature Navigator, l2tpv3 is supported in 12.2(33)SXH. 
 But I couldn't find any documentation on how to configure this 
 feature on the Sup720.
 
   I've tried this version in our 6500 and it looks like l2tpv3 isn't 
 available.
 
   Router(config)#pse
   Router(config)#pseudowire-class test
   Router(config-pw-class)#en
   Router(config-pw-class)#encapsulation ?
 mpls  Use MPLS encapsulation
 
   Router(config-pw-class)#encapsulation
   
   Any insights on this ?
 
   Thanks in advance
 

I would say Feature Navigator is incorrect.  There is no mention of L2TPv3
in the Release Notes for SXH.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp3766871

- --
=
bep



Re: [c-nsp] replacing rcmd with ssh

2007-09-06 Thread Bruce Pinsky

Dimitrios Kalogeras wrote:
 Hi *,
 Is it possible to replace the rcmd with ssh in crypto equipped IOS ?
 
 In general this is possible if it is allowed to store someone else's public
 keys in the key storage of the accepting peer.
 
 

IOS does not support public key based authentication for SSH.

- --
=
bep



Re: [c-nsp] Frame-relay to Ethernet Internetworking

2007-09-06 Thread Bruce Pinsky

Joe Freeman wrote:
 Does anyone have a sample config or info as to how to internetwork
 frame-relay connected remote sites to an ethernet connected host? I'd like
 to see a point-to-point configuration where the dlci is mapped to a specific
 dot1q tag, and if possible a point-to-multipoint configuration where all the
 frame sites would be mapped to one dot1q tag.
 
 I've search CCO and found several white papers, but nothing as to actual
 configurations.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s26/fsinterw.htm

- --
=
bep



Re: [c-nsp] high cpu usage because of process switching on mlppp interface

2007-08-29 Thread Bruce Pinsky

Arda Balkanay wrote:
 Hi
 i have a problem about high cpu usage on a 7206 VXR NPE-G1 because of
 process switching on a multilink ppp interface.
 
 I have two E1 interfaces between 7206 and 3845 (below MTP-C72-02 indicates
 7206 and ADN-C38-01 indicates 3845).
 I've bundled these two E1 interfaces. And when the amount of traffic rose,
 CPU usage also increased about 15 percent more.
 show proc cpu output points increase at the processes of ip input and tag
 input.
 MTP-C72-02#sh proc cpu sorted
 CPU utilization for five seconds: 78%/64%; one minute: 79%; five minutes:
 81%
  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   6839242000 258183793151  8.92%  8.20%  8.40%   0 IP
 Input
  10925093708 119681214209  6.88%  7.37%  7.79%   0 Tag Input
 
 
 When i looked at the switching status of the interface i saw that 7206 is
 using process switching while 3845 uses fast switching (especially for mpls)
 MTP-C72-02#sh inter mul 1 switching
 Multilink1 Maltepe - Adana MLPPP
   Throttle count  0
Drops RP 752707 SP  0
  SPD Flushes   Fast  0SSE  0
  SPD Aggress   Fast  0
 SPD Priority Inputs259  Drops  0
 
 Protocol  IP
   Switching pathPkts In   Chars In   Pkts Out  Chars Out
  Process   50148189  395174672 261949   26235771
 Cache misses  0  -  -  -
 Fast   1325 105874  12194 724886
Auton/SSE  0  0  0  0
 
 Protocol  Tag
   Switching pathPkts In   Chars In   Pkts Out  Chars Out
  Process   79390997 3601460527   5116 538398
 Cache misses  0  -  -  -
 Fast  0  0   87354606 4071850482
Auton/SSE  0  0  0  0
 
 
 ADN-C38-01#sh inter mu 1 switching
 Multilink1 Adana - Maltepe MLPPP
   Throttle count  0
Drops RP  0 SP  0
  SPD Flushes   Fast  0SSE  0
  SPD Aggress   Fast  0
 SPD Priority Inputs242  Drops  0
 
 Protocol  IP
   Switching pathPkts In   Chars In   Pkts Out  Chars Out
  Process  323942110804  175951260300
 Cache misses  0  -  -  -
 Fast 559376   60411948154   8439
Auton/SSE  0  0  0  0
 
 Protocol  Tag
   Switching pathPkts In   Chars In   Pkts Out  Chars Out
  Process   7106 398899  10784 539203
 Cache misses  0  -  -  -
 Fast   87130476 3140243335   80454345  488241675
Auton/SSE  0  0  0  0
 
 
 When i checked show ip interface output i can see that fast switching is
 enabled but i didn't understand why 7206 uses process switching while 3845
 uses fast switching with the same multilink interface configuration. ip interface
 output is as follows:
 
 MTP-C72-02#sh ip int mu 1
 Multilink1 is up, line protocol is up
 ...
   IP fast switching is enabled
   IP fast switching on the same interface is enabled
   IP Flow switching is disabled
   IP CEF switching is enabled
   IP CEF Fast switching turbo vector
   IP Null turbo vector
   IP multicast fast switching is enabled
   IP multicast distributed fast switching is disabled
   IP route-cache flags are Fast, CEF
   ...
 MTP-C72-02#
 
 ADN-C38-01#sh ip int mu 1
 Multilink1 is up, line protocol is up
   ...
   IP fast switching is enabled
   IP fast switching on the same interface is enabled
   IP Flow switching is disabled
   IP CEF switching is enabled
   IP CEF Fast switching turbo vector
   IP multicast fast switching is enabled
   IP multicast distributed fast switching is disabled
   IP route-cache flags are Fast, CEF
   ...
 ADN-C38-01#
 7206 uses ios c7200-jk9s-mz.123-14.T3.bin and 3845 uses
 c3845-spservicesk9-mz.124-8b.bin
 
 
 Do you have any idea about this situation ?
 
 


Take a look at the output of show cef interface which will tell you why
packets would be dropped into a slower switching path:

Dialer1 is up (if_number 6)
  Corresponding hwidb fast_if_number 6
  Corresponding hwidb firstsw-if_number 6
  Internet address is 172.25.1.1/24
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is disabled
  Inbound access list is not set
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting on 

Re: [c-nsp] Bridge between Serial and ethernet

2007-08-16 Thread Bruce Pinsky

Everton da Silva Marques wrote:
 On Thu, Aug 16, 2007 at 06:14:32PM +0300, [EMAIL PROTECTED] wrote:
 I want to establish a connection between the "Serial interface 1"
 and "the ethernet interface 1"; it must be inside the same
 pool address (for e.g /30 netmask). For this, the router in the
 middle must be really transparent (bridge). 

 Is it possible to establish this link ? If yes, could someone
 help us for the configuration ? 
 
 Search for the following commands:
 
 interface Ethernet1
  bridge-group 2
 !
 interface Serial1
  bridge-group 2
 !
 bridge 2 protocol ieee

And you would need to add "no ip routing".  Of course, it wasn't clear from
his initial email if the serial interface was on one device and the ethernet
was on the other.  In that case, you have an issue because you have
different encaps on each end of the link.

- --
=
bep



Re: [c-nsp] Preventing IS-IS adjacencies over 1Q trunk

2007-08-16 Thread Bruce Pinsky

Justin Shore wrote:
 I have a situation with IS-IS that's perplexing me.  I have a pair of 
 core routers connected via an etherchannel.  The etherchannel is also a 
 1Q trunk.  The core routers have both routed connections to other 
 routers as well as common VLANs w/ HSRP for non-router devices.  My 
 intention was to build and IS-IS adjacency over the native VLAN on the 
 trunk.  However I noticed that both routers are building adjacencies 
 over 3 different VLANs that are permitted over that trunk.  All 3 SVIs 
 have IS-IS enabled on them.
 
 I'm assuming that I probably shouldn't have IS-IS enabled on the SVIs 
 but is redistributing connected interfaces that appropriate solution? 
 I'm trying to eliminate as much redistribution as possible.  Is there a 
 better way to handle this?  I do need L2 between the chassis for the 
 non-routed links.
 

If your IOS version supports it, you could use the advertise-passive-only
option in IS-IS.

http://tools.cisco.com/Support/CLILookup/cltSearchAction.do?Application_ID=CLTIndexId=IOSIndexOptionId=123SearchPhrase=%22passive%22Paging=25ActionType=getCommandListBookmark=True

- --
=
bep



Re: [c-nsp] MPLS VPN Ospf Area0 VS Sham Link

2007-08-10 Thread Bruce Pinsky

[EMAIL PROTECTED] wrote:
 Hi,
 
 are there any recommendations for what method to use in a MPLS VPN with 
 OSPF to avoid the interarea over intra-area
 routing problem with OSPF interconnected VPN Sites :  Sham-Links or Area 0 
 ?
 

Is OSPF being used as the PE-CE protocol or just the local IGP at and
between the sites?

- --
=
bep



Re: [c-nsp] Configure two AS on one BGP router

2007-07-19 Thread Bruce Pinsky

Kamlesh Sharma wrote:
 Hi All,
 
 Configuring two AS in a cisco router is not possible, but yes, it is very
 easily possible in Juniper routers. I know I shouldn't be talking about it,
 but yes, by creating a virtual router in a Juniper box you can have up to 15 AS
 numbers on that.
 

How is that multiple AS numbers in the same context?  That would be 15
independent routing instances not unlike having 15 different VRFs.

And IOS-XR offers a similar capability to what you are describing called
Secure Domain Router (SDR).

And depending on the application, BGP local-as may be applicable.

- --
=
bep



Re: [c-nsp] NTP Issues

2007-07-06 Thread Bruce Pinsky

omar parihuana wrote:
 Hi List,
 
 I've set up an NTP master over a Catalyst 6500; my 7204 routers update the
 clock fine, but my Cisco 3640 doesn't update the clock, and I have an error:
 
 *Mar  7 04:29:12.713: NTP: packet from 172.24.129.254 failed validity tests
 20
 *Mar  7 04:29:12.713: Peer/Server Clock unsynchronized
 
 I don't know the reason for these errors, any suggestions?
 
 Rgds.
 

http://www.beaglesoft.com/clwaciscontp.htm and RFC 1305.


- --
=
bep



Re: [c-nsp] CSCeh18855, no fixed in for 65xx?

2007-07-05 Thread Bruce Pinsky

David Freedman wrote:
 Can somebody from cisco on here please tell me what the first fixed-in
 12.2SX or 12.2SR version is for this bug (CSCeh18855)
 
 Neither new nor old bugtools are being helpful.
 
 Affected system is 65xx with S720, PFC3BXL, box crashes when 
 unconfiguring a service policy from an interface.
 (well, actually unconfiguring classmap from live service policy)
 
 Currently running 12.2(18)SXF7
 

Does not appear to be one yet.  Fixed in:

12.3(20)
12.2(25)S10
12.2(27)SBB
12.2(37)S

--
=
bep


Re: [c-nsp] DMVPN with OSPF

2007-06-19 Thread Bruce Pinsky

Vikas Sharma wrote:
 Hi,
 
 Can I configure DMVPN with OSPF? Is there any scalability issue with OSPF wrt
 DMVPN?
 
 I can not use EIGRP as I have non cisco devices in the network.
 

http://www.cisco.com/univercd/cc/td/doc/solution/dmvpn_x.pdf

--
=
bep


Re: [c-nsp] ipv6ip vs gre

2007-06-01 Thread Bruce Pinsky

matthew zeier wrote:
 What's the difference between an ipv6ip tunnel and a gre tunnel?

v6 packets in an ipv6ip tunnel are directly encapsulated in an IPv4 header
where v6 packets in a GRE tunnel are encapsulated in a GRE header and then
the IPv4 header.

See
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d6604.html#wp1027177

--
=
bep
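The encapsulation difference described above, as an added example that is not part of the original post: it builds the same IPv6 packet both ways, so the 20-byte (ipv6ip, IPv4 protocol 41) versus 24-byte (GRE, IPv4 protocol 47 plus a 4-byte GRE header) overhead and the decapsulation logic are visible on the wire. Addresses and payload are constructed sample values.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41      # ipv6ip tunnel: the IPv6 packet follows the IPv4 header directly
IPPROTO_GRE = 47       # GRE tunnel: a GRE header sits between the IPv4 header and the IPv6 packet
ETHERTYPE_IPV6 = 0x86DD  # GRE "protocol type" value announcing an IPv6 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options); checksum left at zero for clarity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def ipv6_packet(src6, dst6, payload):
    """Fixed 40-byte IPv6 header, next header 59 (no next header) so any payload is fine."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64, src6, dst6) + payload

def encap_ipv6ip(outer_src, outer_dst, v6pkt):
    """ipv6ip: 20 bytes of overhead, IPv4 protocol field = 41."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(v6pkt)) + v6pkt

def encap_gre(outer_src, outer_dst, v6pkt):
    """GRE: 24 bytes of overhead, IPv4 protocol field = 47 plus a 4-byte GRE header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV6)  # no checksum/key/sequence flags, version 0
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, 4 + len(v6pkt)) + gre + v6pkt

def decap(pkt):
    """Classify a tunnel packet by its IPv4 protocol field and return (type, inner IPv6 bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    inner = pkt[ihl:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", inner[:4])
        if flags != 0 or ptype != ETHERTYPE_IPV6:
            raise ValueError("GRE header with options or non-IPv6 payload")
        inner, kind = inner[4:], "gre"
    elif proto == IPPROTO_IPV6:
        kind = "ipv6ip"
    else:
        raise ValueError(f"IPv4 protocol {proto} is not a tunnel this example understands")
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return kind, inner

def build_samples():
    """Constructed sample: one IPv6 packet carried both ways between the same IPv4 endpoints."""
    a4 = ipaddress.IPv4Address("192.0.2.1").packed
    b4 = ipaddress.IPv4Address("198.51.100.1").packed
    v6 = ipv6_packet(ipaddress.IPv6Address("2001:db8::1").packed,
                     ipaddress.IPv6Address("2001:db8::2").packed, b"payload")
    return v6, encap_ipv6ip(a4, b4, v6), encap_gre(a4, b4, v6)
```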


Re: [c-nsp] how to make all traffic flow through central node in MPLS-VPN?

2007-04-20 Thread Bruce Pinsky

Joe Shen wrote:
 You can do InterAs VPNv4 with mp-bgp between ASBR or
 mp-bpg between RR.
 You can find a detailed analysis of Carrier's
 Carrier architecture on
 MPLS-VPN VOLII book

 
 Thanks for the quick help.
 
 To my understanding, carrier's carrier VPN establishes a
 pseudo-carrier over the ISP network. What I'm not clear
 on is, could it be possible to make traffic routed inside
 that VPN flow through a customer's central node?
 
 e.g.
 
   site-a \
           \
            \
   site-b --- MPLS-VPN -- central_node
            /
           /
   site-c /
 
 
  Traffic from site_a to site_b will be routed to the
 central node first, then central_node will process
 that traffic, after which it is sent to site_b.
 
 

It is possible to create hub-and-spoke topologies with L3VPN by using a
unique RD per spoke or through the Scalable Hub and Spoke MPLS VPN (aka
MPLS VPN Half-duplex VRF) feature available in recent releases.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080442090.html

--
=
bep


Re: [c-nsp] RFC4090 and Implementation in Cisco

2007-04-19 Thread Bruce Pinsky

[EMAIL PROTECTED] wrote:
 Tks Oliver,
 
 I performed tests last night. On the implementation I tested (IOS
 12.2.18.SXF), when there is no alternative path the headend keeps using
 the same path, with local repair done by the intermediate router.
 
 I tested several times, removing FRR and reproducing the interface
 flapping and also using IP Dampening. These are the results:
 
 -FRR works like a dampening feature. When the failed interface is
 recovered, FRR does not revert immediately, but waits some seconds.
 
 -Without FRR there is a CPU spike because all TE tunnels go down. This
 has other negative impacts on other processes like HSRP.
 
 -IP Dampening (tested with several different values) did not help avoid
 flapping on TE tunnels. I got the impression that it is not integrated
 with MPLS TE the same way it is integrated with routing protocols.
 

Based on the supported protocols list at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s22/s_ipevdp.htm

I would say that MPLS/TE is not supported.  I would think there is a need
for some RSVP hooks in that scenario.

--
=
bep


Re: [c-nsp] Fast Reroute and Link Flapping

2007-04-19 Thread Bruce Pinsky

[EMAIL PROTECTED] wrote:
 Hi Oli,
 
 Could you comment the 10-sec link-up debounce of POS?
 
 It is not the behavior on the links I handled last time.
 

SONET alarms resulting from defects are held on for 10 seconds (10.5 +- .5)
after the defect clears.

--
=
bep


Re: [c-nsp] RFC4090 and Implementation in Cisco

2007-04-19 Thread Bruce Pinsky

Oliver Boehmer (oboehmer) wrote:
...snip...snip...
 Bruce:
 
 Based on the supported protocols list at:
 http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s22/s_ipevdp.htm
 I would say that MPLS/TE is not supported.  I would think there is a
 need for some RSVP hooks in that scenario.
 
 Not sure there is. If IP event dampening holds the lineprotocol down
 (i.e. when the penalty accumulated is too high), ISIS/OSPF will not get
 notified, so the headend will not reoptimize (if it is configured to do
 so). 
 

Therein lies the rub.  It is not interface dampening but rather IP event
dampening.  So the line protocol of the interface is not held down but
rather the routing protocols are notified so that *they* can consider the
interface down for the purposes of adjacency formation, route
advertisement, and forwarding.  That's why there is a supported protocol list.

--
=
bep


Re: [c-nsp] Adequate RAM in 7206VXR/NPE-G1?

2007-04-13 Thread Bruce Pinsky

Rick Kunkel wrote:
 Hello all,
 
 We've got a 7206VXR/NPE-G1.  In it, we have the following modules:
 
 PA-T3
 PA-A3-T3
 
 The PA-T3 is totally unused.  Nothing plugged in.
 
 The PA-A3-T3 has an ATM DS-3 from Verizon to aggregate our DSL customers.
 
 On the NPE-G1, one GigE port is taken by an 802.1q trunk to a bunch of
 colo customers.
 
 Another GigE port is taken by a 100 Mbps Ethernet connection to the
 Internet.
 
 We get full routes from the upstream connected to the above port.
 
 My question is about RAM.  If I'm reading the show ver correctly, we've 
 got 256M of RAM.  I was recently told that this is like the BARE minimum 
 for a full routing table.  And considering other factors of its use, 
 probably rather lacking.
 
 Can anyone verify or refute this?
 

A quick check of a GSR that has 216K routes shows that the BGP router process is
holding 156MB of memory.

175   0  372897988  120493880  156407792  0  0 BGP Router
^
VAS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
481  685748   19218  195807500 1w0d   216712
^^

IOS (tm) GS Software (C12KPRP-K4P-M), Version 12.0(30)S2
...snip...snip...
 
 Here's a show mem sum:
 ---
 HeadTotal(b) Used(b) Free(b)   Lowest(b)  
 Largest(b)
 Processor   62502CA0   212849504   208938920 3910584 3294120 
 1029992
   I/OF0016777216 47449001203231611853080
 11608220
 ---
 
 
 The 3MB free looks a little suspicious, but on the other hand, it hasn't 
 hit zero before.
 

3MB is probably correct and to me is not much headroom.  I'd prefer to see
at least 10% of total memory free.

Do a sh proc mem to see if the numbers add up.

--
=
bep
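The "at least 10% of total memory free" rule and the "see if the numbers add up" check from the reply above, as an added example that is not from the thread: a hypothetical parser for the pool rows of "show memory summary". The Processor row of the constructed sample repeats the figures quoted in the thread; the I/O row is made up because the archived copy was garbled.

```python
import re

# Hypothetical checker: parse "show memory summary" pool rows and apply the headroom rule.
ROW = re.compile(
    r"^\s*(?P<pool>\S+)\s+(?P<head>[0-9A-Fa-f]+)\s+(?P<total>\d+)\s+(?P<used>\d+)"
    r"\s+(?P<free>\d+)\s+(?P<lowest>\d+)\s+(?P<largest>\d+)\s*$"
)

# Constructed sample output (Processor values as quoted in the thread, I/O row invented).
SAMPLE = """\
Router#show memory summary
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   62502CA0   212849504   208938920     3910584     3294120     1029992
      I/O    F000000    16777216     4744900    12032316    11853080    11608220
"""

def parse_show_memory(text):
    """Return {pool_name: {total, used, free, lowest, largest}} for each pool row."""
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            fields = m.groupdict()
            name = fields.pop("pool")
            fields.pop("head")  # heap start address is not needed for the headroom check
            pools[name] = {k: int(v) for k, v in fields.items()}
    return pools

def headroom_report(pools, min_free_pct=10.0):
    """Flag pools below the free-memory threshold and sanity-check that used + free == total."""
    report = {}
    for name, p in pools.items():
        free_pct = 100.0 * p["free"] / p["total"]
        report[name] = {
            "free_pct": round(free_pct, 1),
            "ok": free_pct >= min_free_pct,
            "adds_up": p["used"] + p["free"] == p["total"],
            # lowest-ever free shows how close the box has already come to exhaustion
            "lowest_pct": round(100.0 * p["lowest"] / p["total"], 1),
        }
    return report
```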


Re: [c-nsp] Layer 3 Core

2007-04-05 Thread Bruce Pinsky

Stephen Backholm wrote:
 Currently where I work we run a complete Layer 3 network core. This
 decision was made in order to keep Spanning Tree Protocol, ACls, QoS,
 and Policing out of the core and at the distribution layer. This has
 worked well for us, but we have a need for a few of our server VLANs to
 be in opposite geographic ends of campus for redundancy. These servers
 run as clusters and require Layer 2 connectivity between them, so in
 other words we need Layer 2 connectivity across our Layer 3 core.
 
 
 Here is the question.
 
 Would it be better to solve this problem with MPLS or just trunk the
 handful of server VLANs across our core?
 
 
 Your thoughts and/or suggestions are appreciated.
 

L2TPv3 based pseudowires.

--
=
bep

