[c-nsp] Cisco Software Manager 4.0 (CSM)

[Erik Sundberg via cisco-nsp]

I am looking for where to download the install script for Cisco Software 
Manager\IOS XR Software Manager- 4.0.

The prebuilt ova is where the ASR9K software is located on cisco.com, but that 
only has the VMWare OVA files that is prebuilt on Ubuntu 18.04. Kinda of dont 
want to use thtat. The second options is to install the docker files yourself.

The CSM Installation guide: 
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/smu/b-csm-install-guide/m-installing-csm-server.html
 says to download the installer from 
https://devhub.cisco.com/artifactory/software-manager-install-group/install.sh, 
but it's locked behind a login page.


# curl -Ls 
https://devhub.cisco.com/artifactory/software-manager-install-group/install.sh 
-O
# cat install.sh
{
  "errors" : [ {
"status" : 401,
"message" : "Unauthorized"
  } ]


I have a tac case on this, but cisco is slow to respond. Wondering if any one 
else had ideas on where cisco keeps the CSM software.

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner.
Thank you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR9K using XR 7

[Erik Sundberg]

We're running the following right now.
ASR9906's
A99-RSP-SE
A9K-MOD200-SE with A9K-MPA-20X1GE and A9K-MPA-8X10GE
A9K-24X10GE-1G-SE


William, do you have have a bug id for the VPWS bug? We are doing a bunch of 
ethernet services.



Glad to hear that so far that XR 7 is working as expected and nothing major.

Thanks

Erik


-Original Message-
From: William McCall 
Sent: Thursday, July 29, 2021 9:46 PM
To: Erik Sundberg 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR9K using XR 7

On Thu, Jul 29, 2021 at 7:55 PM Erik Sundberg  wrote:
>
> Just wondering if anyone out there has and moved there ASR9K's to XR
> 7. We run a Service Provider Network (Internet, MPLS, Ethernet
> Services). We are going to be doing our own testing but would like to
> also see what challenges or issues others faced going to XR 7
>
> When talking with TAC I have been told different things, use 6.6.3, 6.7.3, or 
> 7.1.3.
>
> The current Extended Maintenance release is XR 7.1.3, with 7.3.x set to go 
> Extended Maintenance release around Q3/Q4 from what I can tell.
>
> Thanks
>
> Erik

Done some 7.1.3.

-Mind the possibility that you need golden FPD upgrades (previous release we 
were on claimed it did it, but 7.1.3 actually fixed it..
oops).
-Also, depending on how you handle VPWS configs, there may be a little funny 
behavior, already SMU'ed.
-If you've done Golden ISO in the past, you may run into a space problem on 
admin plane.

Overall, we're seeing nothing interesting so far on Tomahawk + RSP880/RP2.

--
William McCall



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner.
Thank you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] ASR9K using XR 7

[Erik Sundberg]

Just wondering if anyone out there has and moved there ASR9K's to XR 7. We run 
a Service Provider Network (Internet, MPLS, Ethernet Services). We are going to 
be doing our own testing but would like to also see what challenges or issues 
others faced going to XR 7

When talking with TAC I have been told different things, use 6.6.3, 6.7.3, or 
7.1.3.

The current Extended Maintenance release is XR 7.1.3, with 7.3.x set to go 
Extended Maintenance release around Q3/Q4 from what I can tell.

Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner.
Thank you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 7600 (RSP720) good for 1000 x DHCP server config?

[Erik Sundberg]

I think in this case it would make more sense for a 1 or more standalone 
Linux's server acting as a DHCP server. This will help relieve the CPU strain 
on the SUP720.

ip helper, i would think would be less CPU intensive than a DHCP server running 
on each vlan on the SUP720

It's also easier to troubleshoot DHCP issues and do packet captures on than on 
the SUP720. It would also give you a platform to test from in your setup.


From: cisco-nsp  on behalf of Tom Hill 

Sent: Tuesday, July 13, 2021 9:22 AM
To: cisco-nsp@puck.nether.net 
Subject: Re: [c-nsp] 7600 (RSP720) good for 1000 x DHCP server config?

On 05/07/2021 12:20, chiel wrote:
> I might going to use a 7600 with RSP720 to terminate 1000 users, where
> each user has a own vlan and L3. I will also be making a 1000 DHCP
> config, one for each vlan.
>
> My question is will the RSP720 have no problem with a 1000 x a DHCP
> config? Because the DHCP will be handled by the CPU I guess? I guess
> this wont be an issue but just want to check.
>
> Other then a couple of static routes and fiber termination the 7600 will
> not be doing anything else.

My main concern with terminating segments on a SUP/RSP720 (in any
situation) would be MLD messages, which are punted. Even
link-local/site-local configuration will produce MLD join/part messages
for the associated solicited-node multicast groups (to enable DAD). A
few kpps of MLD will shoot the CPU load up.

The risks here are that flapping L1 links cause rapid or repeated
up/down of device interfaces, or (in my case) spammers adding and
removing IPv6 addresses quickly to give different source IP6 addresses.

Granted that there's some detail missing on the exact nature of this
connectivity you're providing, but it is of course worth bearing in mind
that even if you're not provisioning IPv6 forwarding (you should) most
devices available today will have an expectation of IPv6 connectivity &
and therefore will (or at least *should*) come with an IPv6 stack
enabled by default, and many will configure multiple addresses.

Might not matter, but these devices are well beyond their sell-by-date
for these functions.

--
Tom
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner.
Thank you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR1000 local L2 bridge or local PW

[Erik Sundberg]

Hope this helps

I opened bug with Cisco where I had to shut and no shut the bridge domain, this 
is on a ASR920.  ASR1000's are also noted on the bug list.

Bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj18480/?rfs=iqvred

Here is what I submitted.

When creating a new VPLS Network on a ASR920. I need to shut and no shut the 
bridge-domain. The VFI's to the remote 3 device remain in down state.

See the below config
Router#conf t
Router(config)#bridge-domain 650
Router(config-bdomain)#
Router(config-bdomain)#l2 vfi 1 manual
Router(config-vfi)# vpn id 1
Router(config-vfi)# bridge-domain 650
Router(config-vfi)# mtu 9180
Router(config-vfi)# neighbor 192.168.0.96 pw-class VPLS
Router(config-vfi-neighbor)# neighbor 192.168.0.82 pw-class VPLS
Router(config-vfi-neighbor)# neighbor 192.168.0.92 pw-class VPLS
Router(config-vfi-neighbor)#
Router(config-vfi-neighbor)#int Gi0/0/1
Router(config-if)#  service instance 1 ethernet
Router(config-if-srv)#  encapsulation default
Router(config-if-srv)#  bridge-domain 650
Router(config-if-srv)#
Router(config-if-srv)#exit
Router(config-if)#exit
Router(config)#exit
Router#sh mpls l2transport vc vcid 1

Local intf Local circuit  Dest addressVC ID  Status
-  -- --- -- --
VFI 1  vfi192.168.0.82  1  DOWN
VFI 1  vfi192.168.0.92  1  DOWN
VFI 1  vfi192.168.0.96  1  DOWN

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#bridge-domain 650
Router(config-bdomain)#shut
Router(config-bdomain)#no shut
Router(config-bdomain)#end
Router#sh mpls l2transport vc vcid 1

Local intf Local circuit  Dest addressVC ID  Status
-  -- --- -- --
VFI 1  vfi192.168.0.82  1  UP
VFI 1  vfi192.168.0.92  1  UP
VFI 1  vfi192.168.0.96  1  UP

Router#

From: cisco-nsp  on behalf of Mark Tees 

Sent: Thursday, March 12, 2020 11:45 PM
To: Cisco-nsp List 
Subject: [c-nsp] ASR1000 local L2 bridge or local PW

Hey guys,

Has anyone got any form of local L2 working on ASR1000?

Still seems broken in latest code I have and needed it for a customer.
By broken I mean MAC's are learnt inside bridge domain but on either
ingress or egress tagging is something unexpected. I still need to
confirm PCAP.

I was using service instance on physical interface with a
bridge-domain to tie two ports together and some tag mangling/rewrite.
I have the same config working on ASR920 but one is ASIC and other
ASR1000 ESP so I expect some differences there.

Tried the local xconnect variants also.

Was planning on lodging TAC case soon.

Cheers,

Mark



interface GigabitEthernet0/0/0
 service instance 666 ethernet
  encapsulation dot1q 666
  rewrite ingress tag pop 1 symmetric
  bridge-domain 667
 !
interface GigabitEthernet0/0/1
 service instance 667 ethernet
  encapsulation dot1q 667
  rewrite ingress tag pop 1 symmetric
  bridge-domain 667
 !
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] new ASR9901 ios update problem

[Erik Sundberg]

I have hope that one day the Cisco gods will discover "apt update; apt upgrade" 
and all this sorcery that we need for an upgrade will become a thing of the 
past.





From: cisco-nsp  on behalf of 
c...@marenda.net 
Sent: Saturday, November 2, 2019 10:58 AM
To: 'Aaron Gould' ; c...@marenda.net ; 
cisco-nsp@puck.nether.net 
Subject: Re: [c-nsp] new ASR9901 ios update problem

Thanks fort he flowers,  Aaron!

Now i got stuck in those patches called SMU.

Not only the mentioned time-consuming (each reload takes 15..20 minutes) is 
boring,
But after installing most of the SMUs and ony 5..7 remaining from the bunch of 
80+-5 SMUs,
the X device tells me on its console port, that the root filesystem is over 
80% or more full.

LC/0/0/CPU0:Nov  2 12:47:56.505 CET: resmon[290]: %HA-HA_WD-3-DISK_ALARM_ALERT 
: A monitored device / ( rootfs:/ ) is above 80% utilization. Current 
utilization = 80. Please remove unwanted user files and configuration rollback 
points.

Googling for this i found

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xr-software/116332-maintain-ios-xr-smu-00.html
[...]
Bootflash is above 80% utilization

The following message may appear after SMU installation.
RP/0/RSP0/CPU0:Jul  9 17:40:37.959 : wdsysmon[447]: %HA-HA_WD-4-DISK_WARN : A 
monitored device /bootflash: is above 80% utilization. Current utilization = 
89.  Please remove unwanted user files and configuration rollback points.
This message can be safely ignored.
As per design it is expected that IOS-XR will keep up to two MBIs on the 
bootflash following SMU install(s). At subsequent SMU install(s), if the 
bootflash space required by the new package(s) is not available, IOS-XR will 
clean up automatically old MBIs to make space for the new MBI package.
[...]

So i did continue and no it is 99-100% full, "install add source ..."
works but "install activate ..." aborts.

I do not have "userfiles" on it, i did but the ios,tar,smu's onto "harddisk:" .
I did not find any hint how to make space there,
i tried

"clear configuration commits oldest 100"

"install remove inactive all synchronous"

But this did not help.

#show install log 250 detail
Sat Nov  2 12:56:50.744 CET
Nov 02 09:56:57 Install operation 250 started by jm:
  install activate id 249
Nov 02 09:56:57 Package list:
Nov 02 09:56:57 asr9k-mgbl-x64-2.0.0.4-r653.CSCvr46090.x86_64
Nov 02 09:57:01 Action 1: install prepare action started
Nov 02 09:57:03 Install operation will continue in the background
Nov 02 09:57:03 The prepared software is set to be activated with process 
restart
Nov 02 09:57:47 Start preparing software for local installation
Nov 02 09:57:59 Action 1: install prepare action completed successfully
Nov 02 09:58:00 Action 2: install activate action started
Nov 02 09:58:00 The software will be activated with process restart
Nov 02 09:58:01 Activating XR packages
Nov 02 09:59:12 Node 0/RSP0/CPU0 encountered error(s) during operation. Please 
check 'show install log 250 detail' for error details
Nov 02 09:59:12

Error stack for location 0/RSP0/CPU0

1# Available disk space(including additional buffer 104857600) 
215699456 is not sufficient for rpm installation of archive size 110199132
2# failed to load files from ldpath (new)

Please collect 'show tech-support install one-showtech' from XR and 
'show tech-support ctrace' from Admin and pass this information to your TAC 
representative for support.


Nov 02 09:59:12 Agent on the lead has err'ed during SWC_BEGIN Aborting the 
operation
Nov 02 09:59:12 Action 2: install activate action aborted
Nov 02 10:00:21 Install operation 250 aborted
Nov 02 10:00:21 Ending operation 250

I submitted the output from 'show tech-support install one-showtech' to my TAC 
case
But i have not found out how to move the "admin'show tech-support ctrace'" 
output
out of the box. Looks like admin-harddisk: is not the same as harddisk:
and also admin copy does not know ftp as destination (and i believe it will not 
work
with my mgmt-vrf, ip information is a stange 192.168.0.4 not my mgmt-ip, )
Very very strange ☹

BTW, When i was at the approx. 80% SMU installation point,
i got the hint from tac that i can untar the SMUs,
and bundle them (without the .txt files) in one tape-archive to get it   
installed faster.
Way too late after 3 days of work

Looks that the documentation on how to upgrade the box has never been tested
(and in/output captured)
and also, no-one had ever tried to add all recommended patches.

Any idea on what is blocking space on / and can be removed ?

Repartiion and install from scratch ?
RMA it and get a refurbished device with scratches
instead of this expensive brand new garbage ?


I am also a little bit afraid on using such a thing for production.,
Thought version 6.5 would be 

Re: [c-nsp] new ASR9901 ios update problem

[Erik Sundberg]

It's pretty simple upgrade for asr9900's running 64 bit. Below is what we use 
for our ASR9906's when upgrading 64 bit to 64 bit.


!Do your upgrade prechecks (sh run, show redundancy, show platform, show 
install active, and etc.)

! If installing from an interface that's in a VRF.
http client vrf MANAGEMENT
http client source-interface ipv4 MgmtEth0/RSP0/CPU0/0

! add the software, let the router download it
install add source http://x.x.x.x/Cisco/ASR9906/6.5.3/ asr9k-mini-x64-6.5.3.iso 
ASR9K-x64-iosxr-px-k9-6.5.3.tar

! install it.
install activate asr9k-mini-x64-6.5.3 asr9k-k9sec-x64-2.1.0.0-r653.x86_64 
asr9k-ospf-x64-1.0.0.0-r653.x86_64 asr9k-mpls-x64-2.0.0.0-r653.x86_64 
asr9k-mgbl-x64-2.0.0.0-r653.x86_64 asr9k-li-x64-1.1.0.0-r653.x86_64 
asr9k-mcast-x64-2.0.0.0-r653.x86_64 asr9k-mpls-te-rsvp-x64-2.1.0.0-r653.x86_64 
asr9k-isis-x64-1.1.0.0-r653.x86_64

Router reboots automatically

! Make sure the Linecards are up
show platform

! Make sure the linecards were upgraded
show install active

! Commit the install, or you will need to do it all over again if you reboot 
the router with the software not commited.
install commit

! Check to see if the linecards need a firmware upgrade.
show hw-module fpd

! Upgrade the firmware if needed
upgrade hw-module location all fpd all

Reload the line cards that say RLOAD REQ.  We just reload the whole chassis.
admin
reload rack 0


And Done


-Original Message-
From: cisco-nsp  On Behalf Of Tim Warnock
Sent: Wednesday, October 30, 2019 6:40 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] new ASR9901 ios update problem

eXR makes this so much easier.

Other than the pain of 6.3.2 -> 6.3.3 (where RPM moved to code signing) pretty 
much none of that is necessary.

But yeah, 3* lines should get you from any version > 6.3.3 to any other 
version. ([conf t, fpd auto-upgrade enable, commit, end,] copy url:///file 
harddisk:/ [vrf ], install add source harddisk:/ , install activate 
id )

You can even stage the install during normal hours so the final activation 
happens much faster (copy, install add source, install prepare  then later 
on install activate).

But - if you really don't want to spend a few minutes setting up a tarball with 
all of the packages you want installed in one go then I hear CSM might be the 
solution. Also should handle RPM hell if you have lots of SMUs...

> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Aaron Gould
> Sent: Wednesday, 30 October 2019 1:33 AM
> To: c...@marenda.net; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] new ASR9901 ios update problem
>
> Btw, good job, and thanks Jürgen for the informative and detailed
> instruction on XR upgrade.
>
> -Aaron
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Aaron Gould
> Sent: Tuesday, October 29, 2019 10:23 AM
> To: c...@marenda.net; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] new ASR9901 ios update problem
>
> You just gave me another reason to like Juniper   :|
>
> -Aaron
>
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR9900 - Copy files from USB key

[Erik Sundberg]

Little follow up.

On a ASR9906 6.3.3 (32bit) the usb key comes up as usb: but on 6.3.3 (64-bit) 
it's disk2:


Copying the 6.3.3 migration files from a USB Key was 182 seconds, with HTTP it 
was around 1 hour. (1.3 G File)
Doing a install add source 6.5.3 64-bit from a USB Key was 15 minutes and using 
http was an 1 1/2 hours.  (1.5 G File)

So sourcing files from a USB key are 4x times... Which is to be expected.

The bandwidth to the HTTP server is 100M and <30msec latency, but the circuit 
was never maxed. For some reason coping from a HTTP server is just super slow...

Erik

-Original Message-
From: cisco-nsp  On Behalf Of Erik Sundberg
Sent: Wednesday, May 15, 2019 11:29 PM
To: Peter Bruno ; Bryan Holloway 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR9900 - Copy files from USB key

Thanks Guys!!!

It’s showing up as disk2: using a 4G USB Key formatted as FAT32

Works on 9906 running 6.3.2 64-bit, 6.5.3 64-bit

Going to try installing the software via a USB key next week. Right now it’s 
taking about  1 ½ Hours to upload the 1.3G iso’s using http download.  
Painfully slow. And don’t let your session timeout.



RP/0/RSP0/CPU0:CR2.DAL1#sh log | i usb
Wed May 15 21:27:47.486 UTC
RP/0/RSP0/CPU0:May 15 21:13:50.304 UTC: usb_disk[69610]: %OS-SYSLOG-6-LOG_INFO 
: mounted device to /disk2:
RP/0/RSP0/CPU0:May 15 21:18:50.347 UTC: usb_disk[66997]: %OS-SYSLOG-6-LOG_INFO 
: disk removed /disk2:
RP/0/RSP0/CPU0:May 15 21:18:50.615 UTC: usb_disk[67016]: %OS-SYSLOG-6-LOG_INFO 
: disk removed RP/0/RSP0/CPU0:May 15 21:20:46.362 UTC: usb_disk[67216]: 
%OS-SYSLOG-6-LOG_INFO : mounted device to /disk2:


RP/0/RSP0/CPU0:CR2.DAL1#show filesystem
Wed May 15 21:15:59.776 UTC
File Systems:

 Size(b) Free(b)Type  Flags  Prefixes
  1014255616  1003970560  flash-disk rw  disk0:
   0   0 network rw  tftp:
   491065344   489840640   flash rw  /misc/config
  3561914368  3555708928harddisk rw  harddiska:
  4073914368  2378563584  flash-disk rw  disk2:
  3561914368  3555708928harddisk rw  harddiskb:
  2513158144  2449240064  flash-disk rw  apphost:
  5814747136  5796179968harddisk rw  harddisk:
   0   0 network rw  ftp:


RP/0/RSP0/CPU0:CR2.DAL1#dir disk2:
Wed May 15 21:16:06.655 UTC

Directory of disk2:
6 drwxr-xr-x 2   4096 May  3 18:32 System\ Volume\ Information
7 -rwxr-xr-x 1  106444800 May  2 23:15 ASR9K-x64-iosxr-px-k9-6.5.3.tar
8 -rwxr-xr-x 1 157552 Apr 23 11:43 asr9k-mini-x64-6.5.3.iso

3978432 kbytes total (2322816 kbytes free)



RP/0/RSP0/CPU0:CR2.DAL1#run
Wed May 15 21:16:09.650 UTC

[xr-vm_node0_RSP0_CPU0:~]$mount | grep usb /dev/vdd on /eusb type ext2 
(rw,relatime,sync,errors=continue,user_xattr,acl)
/dev/vdg on /mnt/usb/vdg type vfat 
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)


[xr-vm_node0_RSP0_CPU0:~]$ls /mnt/usb/vdg ASR9K-x64-iosxr-px-k9-6.5.3.tar  
System Volume Information  asr9k-mini-x64-6.5.3.iso







From: Peter Bruno 
Sent: Wednesday, May 15, 2019 2:11 PM
To: Bryan Holloway 
Cc: Erik Sundberg ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR9900 - Copy files from USB key

If you do a "dir ?" it should show you the possabilities... often "usb0:".  The 
size of the usb stick matters sometimes.  Try a small < 8G stick.

Peter

On Wed, May 15, 2019 at 1:36 PM Bryan Holloway 
mailto:br...@shout.net>> wrote:

On 5/15/19 4:53 AM, Erik Sundberg wrote:
> Has anyone been able to install\copy software images from a USB key to a 
> ASR9906. It take for ever to copy files from a http server, I would like to 
> try from a USB key to see if it's faster.
>
> The router never recognizes the usb key when it put into the rsp. The Cisco 
> Linux (Admin VM) also does not recognize it either.
>
> I am specifically running a Cisco ASR9906 with A99-RSP-SE 6.3.3 (32-bit). I 
> am Upgrading to 6.3.3 64-bit then to 6.5.3 (64 bit) the current process take 
> 3-4 hours.
>
>
> Thanks
>
> Erik


I've definitely copied files from a USB stick onto an ASR9001, so I can't 
imagine why you wouldn't be able to on a 990x platform. Pretty sure I did it on 
a 9006 with RP880s, but it's been awhile.

The trick is usually figuring out the correct device name. In my travels I've 
seen "usb:", "disk2:" ... ymmv.

___
cisco-nsp mailing list  
cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


--
Thank you,
Peter Bruno
609.335.6887 c



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, 

Re: [c-nsp] ASR9900 - Copy files from USB key

[Erik Sundberg]

Thanks Guys!!!

It’s showing up as disk2: using a 4G USB Key formatted as FAT32

Works on 9906 running 6.3.2 64-bit, 6.5.3 64-bit

Going to try installing the software via a USB key next week. Right now it’s 
taking about  1 ½ Hours to upload the 1.3G iso’s using http download.  
Painfully slow. And don’t let your session timeout.



RP/0/RSP0/CPU0:CR2.DAL1#sh log | i usb
Wed May 15 21:27:47.486 UTC
RP/0/RSP0/CPU0:May 15 21:13:50.304 UTC: usb_disk[69610]: %OS-SYSLOG-6-LOG_INFO 
: mounted device to /disk2:
RP/0/RSP0/CPU0:May 15 21:18:50.347 UTC: usb_disk[66997]: %OS-SYSLOG-6-LOG_INFO 
: disk removed /disk2:
RP/0/RSP0/CPU0:May 15 21:18:50.615 UTC: usb_disk[67016]: %OS-SYSLOG-6-LOG_INFO 
: disk removed
RP/0/RSP0/CPU0:May 15 21:20:46.362 UTC: usb_disk[67216]: %OS-SYSLOG-6-LOG_INFO 
: mounted device to /disk2:


RP/0/RSP0/CPU0:CR2.DAL1#show filesystem
Wed May 15 21:15:59.776 UTC
File Systems:

 Size(b) Free(b)Type  Flags  Prefixes
  1014255616  1003970560  flash-disk rw  disk0:
   0   0 network rw  tftp:
   491065344   489840640   flash rw  /misc/config
  3561914368  3555708928harddisk rw  harddiska:
  4073914368  2378563584  flash-disk rw  disk2:
  3561914368  3555708928harddisk rw  harddiskb:
  2513158144  2449240064  flash-disk rw  apphost:
  5814747136  5796179968harddisk rw  harddisk:
   0   0 network rw  ftp:


RP/0/RSP0/CPU0:CR2.DAL1#dir disk2:
Wed May 15 21:16:06.655 UTC

Directory of disk2:
6 drwxr-xr-x 2   4096 May  3 18:32 System\ Volume\ Information
7 -rwxr-xr-x 1  106444800 May  2 23:15 ASR9K-x64-iosxr-px-k9-6.5.3.tar
8 -rwxr-xr-x 1 157552 Apr 23 11:43 asr9k-mini-x64-6.5.3.iso

3978432 kbytes total (2322816 kbytes free)



RP/0/RSP0/CPU0:CR2.DAL1#run
Wed May 15 21:16:09.650 UTC

[xr-vm_node0_RSP0_CPU0:~]$mount | grep usb
/dev/vdd on /eusb type ext2 (rw,relatime,sync,errors=continue,user_xattr,acl)
/dev/vdg on /mnt/usb/vdg type vfat 
(rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)


[xr-vm_node0_RSP0_CPU0:~]$ls /mnt/usb/vdg
ASR9K-x64-iosxr-px-k9-6.5.3.tar  System Volume Information  
asr9k-mini-x64-6.5.3.iso







From: Peter Bruno 
Sent: Wednesday, May 15, 2019 2:11 PM
To: Bryan Holloway 
Cc: Erik Sundberg ; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR9900 - Copy files from USB key

If you do a "dir ?" it should show you the possabilities... often "usb0:".  The 
size of the usb stick matters sometimes.  Try a small < 8G stick.

Peter

On Wed, May 15, 2019 at 1:36 PM Bryan Holloway 
mailto:br...@shout.net>> wrote:

On 5/15/19 4:53 AM, Erik Sundberg wrote:
> Has anyone been able to install\copy software images from a USB key to a 
> ASR9906. It take for ever to copy files from a http server, I would like to 
> try from a USB key to see if it's faster.
>
> The router never recognizes the usb key when it put into the rsp. The Cisco 
> Linux (Admin VM) also does not recognize it either.
>
> I am specifically running a Cisco ASR9906 with A99-RSP-SE 6.3.3 (32-bit). I 
> am Upgrading to 6.3.3 64-bit then to 6.5.3 (64 bit) the current process take 
> 3-4 hours.
>
>
> Thanks
>
> Erik


I've definitely copied files from a USB stick onto an ASR9001, so I
can't imagine why you wouldn't be able to on a 990x platform. Pretty
sure I did it on a 9006 with RP880s, but it's been awhile.

The trick is usually figuring out the correct device name. In my travels
I've seen "usb:", "disk2:" ... ymmv.

___
cisco-nsp mailing list  
cisco-nsp@puck.nether.net<mailto:cisco-nsp@puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


--
Thank you,
Peter Bruno
609.335.6887 c



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] ASR9900 - Copy files from USB key

[Erik Sundberg]

Has anyone been able to install\copy software images from a USB key to a 
ASR9906. It take for ever to copy files from a http server, I would like to try 
from a USB key to see if it's faster.

The router never recognizes the usb key when it put into the rsp. The Cisco 
Linux (Admin VM) also does not recognize it either.

I am specifically running a Cisco ASR9906 with A99-RSP-SE 6.3.3 (32-bit). I am 
Upgrading to 6.3.3 64-bit then to 6.5.3 (64 bit) the current process take 3-4 
hours.


Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 mounting brackets

[Erik Sundberg]

Mike,


In the installation guide for the ASR920 it lists cisco's part number for the 
rack mount kits


ASR920-24 Port (SFP and J45) model: A920-RCKMT-23


https://www.cisco.com/c/en/us/support/routers/asr-920-series-aggregation-services-router/products-installation-guides-list.html




From: cisco-nsp  on behalf of Mike 

Sent: Monday, March 4, 2019 2:35:08 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR920 mounting brackets

Hi,


I have an ASR920 I am intending to mount in a 23" telco style rack. I
have no mounting hardware for it however. Can anyone recommend a
suitable kit for this?


Thanks.


Mike-

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Correct syntax for Boot system

[Erik Sundberg]

Scott,



This really depends on the platform and where the image is store. Below is a 
walk though command by command. This is an example for a ASR920, but will work 
on any IOS device. Let me know if you have any questions.



Type dir  or dir /all (Shows directories from all file systems)



Router#dir

Directory of bootflash:/  <<< This is the local filesystem. I have 
seen this call (Flash, Flash0, Disk0, Disk1, Bootflash, Bootdisk, and a couple 
more. It really depends on the router platform)



   12  -rw-404372822  Jun 30 2017 21:35:15 -05:00  
asr920-universalk9_npe.16.05.01.SPA.bin

   23  -rw-311139324   Aug 9 2017 04:01:41 -05:00  
asr920-universalk9_npe.03.16.04.S.155-3.S4-ext.bin

   25  -rw-311274492  Dec 21 2017 10:39:19 -06:00  
asr920-universalk9_npe.03.16.06b.S.155-3.S6b-ext.bin  <<< Let boot this file







Router (config)#boot ?

  bootstrap  Bootstrap image file

  config Configuration file

  host   Router-specific config file

  networkNetwork-wide config file

  system System image file  
boot the System image files



Router(config)#boot system ?

  WORD   TFTP filename or URL

  flash  Boot from flash memory<<< source 
will be from flash memory on

  ftpBoot from a server via ftp

  mopBoot from a Decnet MOP server

  rcpBoot from a server via rcp

  romBoot from rom

  tftp   Boot from a tftp server



Router(config)#boot system flash ?

  WORD  System image filename    This 
should be the :/

  



Router (config)#boot system flash 
bootflash:/asr920-universalk9_npe.03.16.06b.S.155-3.S6b-ext.bin



Save the config



How to Verify. Make sure it's the only image confiugred

Router#sh run | i boot

boot system flash 
bootflash:/asr920-universalk9_npe.03.16.06b.S.155-3.S6b-ext.bin





Router#sh bootvar  Not all Cisco Devices have this command

BOOT variable = 
bootflash:/asr920-universalk9_npe.03.16.06b.S.155-3.S6b-ext.bin,1;
<< On Behalf Of Hagen Amen
Sent: Thursday, February 28, 2019 12:16 PM
To: Scott Voll 
Cc: cisco-nsp 
Subject: Re: [c-nsp] Correct syntax for Boot system



I've found, same as Tyler, that the "flash:" alias doesn't work at boot (on my 
4Ks), so the stanza:



boot-start-marker

> boot system bootflash:isr4300-universalk9.16.06.03.SPA.bin

> boot-end-marker





works just fine. I do see systems out of the box with the extra "flash"

keyword. I haven't found one yet that doesn't work by pointing directly to the 
file system name. Does seem like a newer bit of added clutter.



sincerely,

Hagen





On Thu, Feb 28, 2019 at 10:06 AM Scott Voll 
mailto:svoll.v...@gmail.com>> wrote:



> External Sender - Be Suspicious of Attachments, Links, and Requests

> for Payment or Login Information.

>

> --

> --

>

> my question is the extra flash in the command:

>

> boot system *flash* bootflash:filename.bin

>

> is that something new?

>

> Scott

>

>

>

>

> On Thu, Feb 28, 2019 at 9:53 AM Tyler Applebaum 
> mailto:appleba...@ochin.org>>

> wrote:

>

> > On the 4k series I use bootflash:

> >

> > -Original Message-

> > From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf

> > Of Scott Voll

> > Sent: Thursday, February 28, 2019 9:40 AM

> > To: cisco-nsp mailto:cisco-nsp@puck.nether.net>>

> > Subject: [c-nsp] Correct syntax for Boot system

> >

> > I have always used

> >

> > boot system flash:xx.bin or boot system bootflash:.bin

> >

> > did the syntax change to boot system flash flash0:x.bin???

> >

> > I have a new 4331 that without the extra flash it failed to boot.   Is

> this

> > new?  did I miss the memo?

> >

> > does this carry over to ASRs and the older 29xx/39xx platforms?

> >

> > I'm booting a bunch of remote routers and don't want to be driving

> > to recover them from a simple mistake I missed.

> >

> > TIA

> >

> > Scott

> > ___

> > cisco-nsp mailing list  
> > cisco-nsp@puck.nether.net

> > https://puck.nether.net/mailman/listinfo/cisco-nsp

> > archive at http://puck.nether.net/pipermail/cisco-nsp/

> > Attention: Information contained in this message and or attachments

> > is intended only for the recipient(s) named above and may contain

> confidential

> > and or privileged material that is protected under State or Federal law.

> If

> > you are not the intended recipient, any disclosure, copying,

> > distribution or action taken on it is prohibited. If you believe you

> > have received

> this

> > email in error, please contact the sender with a copy to

> > complia...@ochin.org, delete this email and 
> > destroy all copies.

> >

> 

Re: [c-nsp] ASR920 Software Upgrade 2019

[Erik Sundberg]

I think its the best security feature ever implemented...


Erik Sundberg
Sr. Network Engineer
Nitel
350 N Orleans Street
Suite 1300N
Chicago, Il 60654
Desk: 773-661-5532
Cell: 708-710-7419
NOC: 866-892-0915
Email: esundb...@nitelusa.com
web: www.nitelusa.com


From: Jason Lixfeld 
Sent: Saturday, January 26, 2019 11:47 AM
To: Erik Sundberg
Cc: James Jun; Noah; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 Software Upgrade 2019

FWIW, be aware of CSCvm02572 if you’re planning a mass upgrade before April.

'login on-failure log’ or 'login block-for...' causes the box to reboot on a 
failed ssh login.

Currently still broken in 3.18. Fixed 15.6(2)SP6.

ASR920 not listed in affected platforms, but it is...

> On Jan 26, 2019, at 12:33 PM, Erik Sundberg  wrote:
>
> I just did a 3.16 to 3.18 upgrade on two devices it was at least 30 mins. 
> There was a fpga upgrade and additional reboot. So its normal
>
> Erik Sundberg
> Sr. Network Engineer
> Nitel
> 350 N Orleans Street
> Suite 1300N
> Chicago, Il 60654
> Desk: 773-661-5532
> Cell: 708-710-7419
> NOC: 866-892-0915
> Email: esundb...@nitelusa.com
> web: www.nitelusa.com
>
> 
> From: cisco-nsp  on behalf of James Jun 
> 
> Sent: Saturday, January 26, 2019 8:57 AM
> To: Noah
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASR920 Software Upgrade 2019
>
>>
>> We found that to be quite a long time compared to the last time we ever did
>> a similar upgrade 2 years ago.
>>
>> Has anyone had a similar experience and should this be the case?
>>
>
> Depends on the code releases you're crossing, it will need to run FPGA UPDATE 
> and
> reload the box for 2nd time. And if your device has been running for a while, 
> fsck
> may also need to run on boot, delaying the reload time further.
>
> So yea, this is normal and expected.
>
> James
> ___
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> 
>
> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
> previous e-mail messages attached to it may contain confidential information 
> that is legally privileged. If you are not the intended recipient, or a 
> person responsible for delivering it to the intended recipient, you are 
> hereby notified that any disclosure, copying, distribution or use of any of 
> the information contained in or attached to this transmission is STRICTLY 
> PROHIBITED. If you have received this transmission in error please notify the 
> sender immediately by replying to this e-mail. You must destroy the original 
> transmission and its attachments without reading or saving in any manner. 
> Thank you.
> ___
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 Software Upgrade 2019

[Erik Sundberg]

I just did a 3.16 to 3.18 upgrade on two devices it was at least 30 mins. There 
was a fpga upgrade and additional reboot. So its normal

Erik Sundberg
Sr. Network Engineer
Nitel
350 N Orleans Street
Suite 1300N
Chicago, Il 60654
Desk: 773-661-5532
Cell: 708-710-7419
NOC: 866-892-0915
Email: esundb...@nitelusa.com
web: www.nitelusa.com


From: cisco-nsp  on behalf of James Jun 

Sent: Saturday, January 26, 2019 8:57 AM
To: Noah
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 Software Upgrade 2019

>
> We found that to be quite a long time compared to the last time we ever did
> a similar upgrade 2 years ago.
>
> Has anyone had a similar experience and should this be the case?
>

Depends on the code releases you're crossing, it will need to run FPGA UPDATE 
and
reload the box for 2nd time. And if your device has been running for a while, 
fsck
may also need to run on boot, delaying the reload time further.

So yea, this is normal and expected.

James
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Quick Script to check the uptime of ASR920's

[Erik Sundberg]

All,

I just created a quick script to check the uptime of a ASR920 via SNMP if you 
have a fairly long list of devices. It's a simple bash script and snmpwalk 
version 2c. Figured I would share it with you. Happy Friday

Grab the code from GitHub: https://github.com/esundberg/CiscoRouterUptime
It's a quick and dirty script and my first repo on github. Let me know if there 
any issues with it.


Output Format in CSV
DeviceName, IP, Uptime in Days, OK/Warning

I set my warning to 800 Days, you can change this in the code


ASR920list.txt
-
ASR920-1.SEA1, 192.168.28.1, SuperSecretSNMPKey ASR920-2.SEA1, 192.168.28.2, 
SuperSecretSNMPKey snip you get the idea


Output

[user@Linux]$ ./CiscoRouterUptime.sh ASR920list.txt
ASR920-1.SEA1, 192.168.28.1, 827, WARNING
ASR920-2.SEA1, 192.168.28.2, 827, WARNING
ASR920-2.ATL1, 192.168.23.2, 828, WARNING
ASR920-1.ATL1, 192.168.23.1, 813, WARNING
ASR920-1.CHI1, 192.168.21.3, 828, WARNING
ASR920-1.NYC1, 192.168.25.1, 787, OK
ASR920-2.CHI1, 192.168.21.4, 720, OK
ASR920-3.CHI1, 192.168.21.5, 720, OK
ASR920-1.DAL1, 192.168.26.3, 488, OK
ASR920-4.CHI1, 192.168.21.6, 142, OK





CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco ASA 5512x VPN to Cradlepoint

[Erik Sundberg]

Here's two Cisco docs on this one is ikev1 and the other is ikev2


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html


 Just match the phase 1 and phase 2 crypto settings between the two.




From: cisco-nsp  on behalf of Garrett 
Skjelstad 
Sent: Wednesday, December 19, 2018 10:27:08 AM
To: Lee Starnes
Cc: cisco-nsp NSP
Subject: Re: [c-nsp] Cisco ASA 5512x VPN to Cradlepoint

Certificates or PSK?

On Tue, Dec 18, 2018, 10:48 Lee Starnes  Hello All,
>
> Does anyone have any good links on how to best setup an IPSec VPN tunnel
> from an ASA to a Cradlepoint that is on an LTE connection with a Dynamic
> IP? I have all the configuration for the Cradlepoint side done, but having
> difficulty with the ASA side since the cradlepoint is on an Dynamic IP.
>
> Best Regards,
>
> Lee
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR 99xx IOS-XR images are all EoL/EoS?

[Erik Sundberg]

So we purchased ASR9906 while they were on new product hold and not even listed 
on the website at the time. At the end of 2017. They were delivered in 2018 we 
have installed 7 of them with a 8th sitting on a pallet.

>From the get go we made the decision to run 64-bit. We started out with 6.3.1 
>and Cisco BU recommend that we run 6.3.2. So we deployed with 6.3.2, we also 
>have one router running 6.3.3.

We had a couple of minor issues
-Converting the router from 32-bit to 64-bit required a patch from Cisco due to 
software signing. Not a big deal just took a couple weeks to get.
-Couple of cosmetic bugs, that should be fixed now. Mainly showing 10 slots 
instead of 6 slots.
-We ran in to a TCP bug in 6.3.2 that was fixed in 6.3.3 This cause some 
BGP/NSR sessions to drop on the standby RSP. This was not service impacting.

Besides that we have been very happy with the 9906's and IOS-XR 64bit.

Service we run standard on our routers nothing too fancy.
Core: ISIS, BFD, iBGP
Layer 2 Services: L2VPN EoMPLS and VPLS
Layer3: Internet IPv4/IPv6 and MPLS L3VPN

-Original Message-
From: cisco-nsp  On Behalf Of Aaron
Sent: Thursday, December 20, 2018 1:06 PM
To: Charles Spurgeon 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR 99xx IOS-XR images are all EoL/EoS?

we are running 6.4.2 in classic xr. no confidence with 64 bit at the moment. 
need to see testing results from cisco first

On Thursday, December 20, 2018, Charles Spurgeon < 
c.spurg...@austin.utexas.edu> wrote:

> * Tom Hill  [2018-12-19 20:19:09 +]:
>
> > On 19/12/2018 19:59, Charles Spurgeon wrote:
> > > Does anyone have info on what is going on? What are people running
> > > on their ASR 99xx platforms?
> >
> > It matters deeply which 99xx, and what supervisor(s) you have in it.
> >
> >  9904 uses the same RSPs as 9006/9010.
> >  9906 and 9910 use a different RSP, with expandable 'S' capacity.
> >  9912 and 9922 use an RP, with the 'S' function entirely removed.
> >
> > A recent BRKARC-2003 (from Cisco Live!) will have more details.
> >
> > In this instance I suspect the 9904 is witnessing a push from Cisco
> > to move their customers towards 3rd generation supervisors and
> > above; that's RSP-880[-RL] and newer in the 9904's case. This will
> > be because those generations support the 64-bit variant of IOS-XR.
> >
>
> Thanks. Our 9904s have RSP880s and a 8X100GE-TR line card in each, so
> we're good for a 64-bit conversion.
>
> Meanwhile, our support channel dug up the info that a 6.5.2 EMR
> release is planned for Jan/Feb 2019.
>
> They also provided a link to an ASR software guidance doc at:
> https://community.cisco.com/t5/service-providers-documents/ios-xr-rele
> ase-
> strategy-and-deployment-recommendation/ta-p/3165422
>
> Given this info we plan to upgrade from 5.3.4 to 6.4.2 to get onto
> supported code and then we'll use the 6.5 release to convert to 64-bit
> operation during our summer maintenance in 2019.
>
> -Charles
>
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] OSPF routing question

[Erik Sundberg]

Lee,


Change the Floating static route to an administrative distance of 254, so it is 
higher than OSPF.


router static
 address-family ipv4 unicast
 45.x.x.0/22 Null0 254


When the route is learned via OSPF it will have a metric of 110 and the ospf 
route will be installed into the routing table.

When the route is not learned via OSPF the floating static router on your Edge 
router will be active. This will still allow BGP to advertise the route.



Also, if you don't want to advertise the floating static route to other devices 
in your network you can do the following.

Add the tag 1 on the static route will stop it from being redistributed in your 
network.


router static
 address-family ipv4 unicast
 45.x.x.0/22 Null0 254 tag 1


router ospf 1
 log adjacency changes
 redistribute static route-policy IPV4-OSPF-REDIST-STATIC


route-policy IPV4-OSPF-REDIST-STATIC
  if tag eq 1 then
drop
  endif
  done

If a static route has the tag of 1 it will not be redistributed into OSPF, so 
the rest of the network will not learn about the route.


-

Side note, most ISP's will only advertise there Loopback and Core "Circuits" 
IPs in there IGP.  They will run iBGP between all of the there devices and 
allow BGP to redistribute the static and connected interfaces. BGP is also 
easier to manipulate routes on your network. Send me an email if you would like 
to know more.

Here is an old but still very relevant power point on this.

https://www.pacnog.org/pacnog2/track2/routing/a3-1up.pdf
3 - OSPF for ISPs - 
PacNOG
www.pacnog.org
© 2005 Cisco Systems, Inc. All rights reserved. 1 Session Number 
Presentation_ID Cisco Confidential Deploying OSPF for ISPs ISP/IXP Workshops














From: cisco-nsp  on behalf of Lee Starnes 

Sent: Tuesday, July 17, 2018 4:17:25 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] OSPF routing question

Hello everyone,

I have a question about OSPF route redistribution. We have no issues
redistributing subnets in the network out of our /19 blocks. But we have a
/22 block that the entire /22 is allocated to a single client. The routes
redistribute across all the all switches except back to the edge routers
that announce them via BGP to our upstream carriers. This being because
there are holdown routes for the BGP on this of the same size IP block. Is
there a way to allow the /22 block to propagate to the edge routers and
still maintain the hold down routes we need to announce that /22 via BGP to
our various upstream carriers?

Edge routers are configured as such:

router static
 address-family ipv4 unicast
 45.x.x.0/22 Null0 19

router bgp ASNUMBER
address-family ipv4 unicast
network 45.x.x.0/22


router ospf NUMBER
 log adjacency changes
 redistribute connected
 redistribute static
 area W.X.Y.Z
  !
  interface TenGigE0/3/0/0
   passive disable
  !
  interface TenGigE0/3/3/0
   passive disable
  !


Any ideas are greatly appreciated.

-Lee
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] router suggestion for backup link

[Erik Sundberg]

BGP? Full Tables?


From: cisco-nsp  on behalf of aptgetd 

Sent: Monday, July 9, 2018 11:24:55 PM
To: cisco-nsp
Subject: [c-nsp] router suggestion for backup link

Hi,

Can anyone provide suggestion outside cisco ASR/ISR router line that can handle
2.5gb throughput base license/model and has room for growth? Both ASR/ISR seem
to be a little pricey/feature rich for what we are needing for our backup link
of 2Gb.

Any feedback will be appreciated.

-- sky
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR9k from 6.1.4 to 6.2.3

[Erik Sundberg]

:52:57.856
20180122_16:52:57.856 BGP is operating in STANDALONE mode.
20180122_16:52:57.856
20180122_16:52:57.856
20180122_16:52:57.856 Process   RcvTblVer   bRIB/RIB   LabelVer  ImportVer  
SendTblVer  StandbyVer
20180122_16:52:57.856 Speaker   35442  35442  35442  35442  
 35442   35442
20180122_16:52:57.873
20180122_16:52:57.874 NeighborSpkAS MsgRcvd MsgSent   TblVer  InQ 
OutQ  Up/Down  St/PfxRcd
20180122_16:52:57.874 1.2.3.110 12345   94011 9503544200 
15:40:18834
20180122_16:52:57.874 1.2.3.120 12345  226770 2103544200 
01:52:28   3748
20180122_16:52:57.874 1.2.3.130 12345  174317 9093544200 
14:59:21   3032
20180122_16:52:57.874 1.2.3.170 12345  157958 9203544200 
15:10:15   2596
20180122_16:52:57.875 1.2.3.180 12345   86544 9193544200 
15:09:21   2148
20180122_16:52:57.875 1.2.3.220 12345  158198 9253544200 
15:14:50   2603
20180122_16:52:57.875 1.2.3.230 12345   85426 9253544200 
15:14:55   1153
20180122_16:52:57.875 1.2.3.280 12345  156259 9013544200 
14:51:07   4272
20180122_16:52:57.876 1.2.3.290 12345  119006 9013544200 
14:51:08   3680
20180122_16:52:57.876 1.2.3.410 12345   93887 9103544200 
14:59:59125
20180122_16:52:57.876 1.2.3.500 12345  122894 9133544200 
15:03:28980
20180122_16:52:57.876 1.2.3.510 12345  139575 9133544200 
15:03:30   3600
20180122_16:52:57.876 1.2.3.620 12345 951 8703544200 
14:19:50  0







-Original Message-
From: Ted Pelas Johansson [mailto:ted.johans...@tele2.com]
Sent: Tuesday, May 29, 2018 12:58 PM
To: Erik Sundberg 
Cc: James Bensley ; Cisco-nsp 
Subject: Re: [c-nsp] ASR9k from 6.1.4 to 6.2.3

Hi Erik,

That is the default of XR.

Best Regards
Ted

Sent while walking

> On 29 May 2018, at 18:53, Erik Sundberg  wrote:
>
> I ran into this bug going from 6.3.1 to 6.3.2  Very simple fix by 
> applying to smu patch files.
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf01652?emailclick=CN
> Semail
>
>
>
> Not sure when this change in behavior happened, but by default BGP
> doesn't install/download/show VPNv4 routes unless the VRF is built on
> the system. You need to configure 'retain route-target all' under the
> vpnv4 address family
>
> router bgp 12345
> address-family vpnv4 unicast
>  retain route-target all
>
>
>
> Currently running a new deployment on 6.3.2 (64bit) No issues so far.
>
>
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of James Bensley
> Sent: Tuesday, May 29, 2018 3:30 AM
> To: Cisco-nsp 
> Subject: Re: [c-nsp] ASR9k from 6.1.4 to 6.2.3
>
>> On 28 May 2018 at 19:54, George Giannousopoulos  wrote:
>> We recently upgraded without any issue.
> ...
>> Beware of some rather minor syntax changes in the BNG config
>
> Same here, we're migrating from 5.3.3 to 6.2.3.
>
> Everything seems fine for us too, we're also not doing anything crazy,
> L2/L3 VPNs, RRs, ASBRs, OSPF, LDP, MP-BGP etc. (no multicast or BNG on the 
> boxes being tested with 6.2.3). Also same with us, a few syntax changes 
> between our 5.3.3 templates and 6.2.3 templates so best to test in the lab 
> first, only minor changes though. So far no issues.
>
> Cheers,
> James.
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> 
>
> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
> previous e-mail messages attached to it may contain confidential information 
> that is legally privileged. If you are not the intended recipient, or a 
> person responsible for delivering it to the intended recipient, you are 
> hereby notified that any disclosure, copying, distribution or use of any of 
> the information contained in or attached to this transmission is STRICTLY 
> PROHIBITED. If you have received this transmission in error please notify the 
> sender immediately by replying to this e-mail. You must destroy the original 
> transmission and its attachments without reading or saving in any manner. 
> Thank you.
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

 IMPORTANT NOTICE 
The content of this e-mail is intended for the addressee(s) only and may 
c

Re: [c-nsp] ASR9k from 6.1.4 to 6.2.3

[Erik Sundberg]

I ran into this bug going from 6.3.1 to 6.3.2  Very simple fix by applying 
to smu patch files.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf01652?emailclick=CNSemail



Not sure when this change in behavior happened, but by default BGP doesn't 
install/download/show VPNv4 routes unless the VRF is built on the system. You 
need to configure 'retain route-target all' under the vpnv4 address family

router bgp 12345
 address-family vpnv4 unicast
  retain route-target all



Currently running a new deployment on 6.3.2 (64bit) No issues so far.



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James 
Bensley
Sent: Tuesday, May 29, 2018 3:30 AM
To: Cisco-nsp 
Subject: Re: [c-nsp] ASR9k from 6.1.4 to 6.2.3

On 28 May 2018 at 19:54, George Giannousopoulos  wrote:
> We recently upgraded without any issue.
...
> Beware of some rather minor syntax changes in the BNG config

Same here, we're migrating from 5.3.3 to 6.2.3.

Everything seems fine for us too, we're also not doing anything crazy,
L2/L3 VPNs, RRs, ASBRs, OSPF, LDP, MP-BGP etc. (no multicast or BNG on the 
boxes being tested with 6.2.3). Also same with us, a few syntax changes between 
our 5.3.3 templates and 6.2.3 templates so best to test in the lab first, only 
minor changes though. So far no issues.

Cheers,
James.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] line con 0 as terminal server on Cat6500?

[Erik Sundberg]

I think you can only do the reverse console from an aux port

We put console servers, OOB management network, and managed power strip at 
every pop for this reason... The small investment has saved us a lot of 
time and money.

Perle IOLAN SCS48
Avocent
Opengear
Digi
Old Cisco Router

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mailing 
Lists
Sent: Friday, May 18, 2018 6:14 AM
To: Cisco Network Service Providers 
Subject: Re: [c-nsp] line con 0 as terminal server on Cat6500?

 Airconsole Mini could work for this?

https://www.get-console.com/shop/en/airconsole-mini-20/
112-airconsole-20-mini.html

We use the 8 port variant and they work well enough so far.


On 18 May 2018 at 12:03, Aaron Gould  wrote:

> I've actually taken out a little 2600 just to act as a 1-port terminal
> server for this exact purpose
>
> (maybe you can even use an old 2500)
>
> Aaron
>
> > On May 18, 2018, at 6:00 AM, Aaron Gould  wrote:
> >
> > I'm not sure if you can use a console port for connecting to another
> router's console port , but you can use the auxiliary (aux) port to do
> that.  I've done it many times
> >
> > Aaron
> >
> >> On May 18, 2018, at 1:55 AM, Patrick M. Hausen  wrote:
> >>
> >> Hi all,
> >>
> >> last weekend one switch in our VSS pair failed. Redundancy/VSS did
> >> work and we kept our connectivity besides a couple of hosts that
> >> only have a single uplink and were connected to that particular
> >> chassis.
> >>
> >> When I came to the data centre I found the failed chassis in rommon.
> >> A simple "boot" command restored everything to working order.
> >>
> >> Now to spare me that drive in case that happens again - is it
> >> possible to use the console port of a working Catalyst 6500 to act
> >> as a terminal server for the other one? We have quite a lot of
> >> spare rollover cables
> ;-)
> >>
> >> I found these instructions but I think I'm missing something:
> >> https://www.cisco.com/c/en/us/support/docs/dial-access/
> asynchronous-connections/5466-comm-server.html
> >>
> >> ip host other 2000 1.2.3.4
> >>
> >> Core2#telnet 1.2.3.4 2000
> >> Trying 1.2.3.4, 2000 ...
> >> % Connection refused by remote host
> >>
> >> I used the real IP address of looppback0, of course.
> >>
> >>
> >> Side note/question: any idea what could cause a Cat6500 VS-S720-10G
> >> to fail, reset (I can understand *that*) and then not boot into IOS
> >> and
> stay
> >> in rommon?
> >>
> >> Standby BOOT variable = sup-bootdisk:s72033-
> adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-
> adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
> >> Standby Configuration register is 0x2102
> >>
> >> Core2#dir slavesup-bootdisk:
> >> ...
> >> s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin
> >>
> >>
> >> Thanks!
> >> Patrick
> >> --
> >> punkt.de GmbHInternet - Dienstleistungen - Beratung
> >> Kaiserallee 13aTel.: 0721 9109-0 Fax: -100
> >> 76133 Karlsruhei...@punkt.dehttp://punkt.de
> >> AG Mannheim 108285Gf: Juergen Egeling
> >>
> >> ___
> >> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > ___
> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

[Erik Sundberg]

Here is a follow up to my email thread

Cisco release the following 6.3.2 bridge smu containing the following packages. 
These package allow the router to handle signed RPM’s. I will assume they will 
eventually be up on Cisco CCO website.
asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64
asr9k-iosxr-infra-64-1.0.0.1-r631.CSCvf01652.x86_64

We are running Cisco ASR9906, but this should also apply for 9912, and 9922.


Also the IOS XR image file is now a ISO file and packages are now RPM’s. 
Install the files like you would for any other package on previous versions. I 
believe this started in IOS XR 6.x, not 100%  sure.


ftpServer: 1.2.3.4
VRF MANAGEMENT


#Set up your FTP source Interface. Same goes for HTTP too.
clear configuration inconsistency
conf t
ftp client vrf MANAGEMENT source-interface MgmtEth 0/RSP0/CPU0/0
commit
exit

### Commands to monitor install requests
#show install repository all
#show install log 
#show install request
#
# if needed to remove a package
# install remove 
#

#Patch 6.3.1
-
install add source 
ftp://tftp@1.2.3.4;MANAGEMENT/Cisco/ASR9906/6.3.2/632-bridge-smu/ 
asr9k-iosxr-infra-64-1.0.0.1-r631.CSCvf01652.x86_64.rpm
install add source 
ftp://tftp@1.2.3.4;MANAGEMENT/Cisco/ASR9906/6.3.2/632-bridge-smu/ 
asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64.rpm
install activate asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64 
asr9k-iosxr-infra-64-1.0.0.1-r631.CSCvf01652.x86_64
install commit


#Upgrade 6.3.1 to 6.3.2

#Add or remove any packages that fits your needs.

install add source ftp://tftp@1.2.3.4;MANAGEMENT/Cisco/ASR9906/6.3.2/ 
asr9k-mini-x64-6.3.2.iso asr9k-isis-x64-1.2.0.0-r632.x86_64.rpm 
asr9k-k9sec-x64-3.1.0.0-r632.x86_64.rpm asr9k-li-x64-1.1.0.0-r632.x86_64.rpm 
asr9k-mcast-x64-2.0.0.0-r632.x86_64.rpm asr9k-mgbl-x64-3.0.0.0-r632.x86_64.rpm 
asr9k-mpls-te-rsvp-x64-1.2.0.0-r632.x86_64.rpm 
asr9k-mpls-x64-2.0.0.0-r632.x86_64.rpm asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm

show install repository all

install activate asr9k-mini-x64-6.3.2 asr9k-isis-x64-1.2.0.0-r632.x86_64 
asr9k-k9sec-x64-3.1.0.0-r632.x86_64 asr9k-li-x64-1.1.0.0-r632.x86_64 
asr9k-mcast-x64-2.0.0.0-r632.x86_64 asr9k-mgbl-x64-3.0.0.0-r632.x86_64 
asr9k-mpls-te-rsvp-x64-1.2.0.0-r632.x86_64 asr9k-mpls-x64-2.0.0.0-r632.x86_64 
asr9k-ospf-x64-1.0.0.0-r632.x86_64

#System says install request completed successfully, then the router 
automatically reboots.
#After it comes back up on 6.3.2 verify the software version after all the 
linecards are up
show install active
show ver

#Then
install commit



I hope this helps someone else….


From: arulgobinath emmanuel [mailto:arulg...@gmail.com]
Sent: Friday, April 13, 2018 7:48 PM
To: Erik Sundberg <esundb...@nitelusa.com>
Subject: Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

Hi Erik,
The error you are getting due to bridge smu. Have done few ncs upgrades faced 
the same issue. Smu they can publish its available internally.

BR,
Gobinath

On Sat, 14 Apr 2018, 00:50 Erik Sundberg, 
<esundb...@nitelusa.com<mailto:esundb...@nitelusa.com>> wrote:
I opened a TAC Case on this: TAC Responded We have asked the BU to tell us 
how to do this. So no I am waiting for a Conference call with the BU.

So in the mean time I tried what James said I do have my reservations about 
golden disk. In my opinion golden disk is usefully for deploying a new router 
not upgrading a working router, due to the fact you have to generate a new ISO 
for each router. I was able to do this and have the package added to the 
repository.


When I try to add one or more packages to the repo I get the file is corrupt, 
even though the file check sum matches...

RP/0/RSP0/CPU0:CR1.LAB1#sh install log 58
Fri Apr 13 09:41:48.156 UTC
Apr 12 12:21:52 Install operation 58 started by esundberg:
 install add source harddisk:/downloads/6.3.2 
asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm
Apr 12 12:21:53 Action 1: install add action started
Apr 12 12:21:54 Install operation will continue in the background
Apr 12 12:21:55 ERROR! Package "asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm" is 
invalid: asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm is corrupt
Apr 12 12:21:55 ERROR!! failed while handling validate reply

Apr 12 12:21:57 Install operation 58 aborted
Apr 12 12:21:57 Ending operation 58

RP/0/RSP0/CPU0:CR1.LAB1#



Erik Sundberg
Sr. Network Engineering
Network Engineering Department
p: 773.661.5532
c: 708.710.7419
e: esundb...@nitelusa.com<mailto:esundb...@nitelusa.com>
Main: 888.450.2100
NOC 24/7: 866.892.0915
350 North Orleans Street, Suite 1300N Chicago, IL 60654
www.nitelusa.com<http://www.nitelusa.com>

Managed Telecom Services
MPLS | Ethernet | Private Line | Internet | Voice | Security

-Original Message-
From: cisco-nsp 
[mailto:cisco-nsp-boun...@puck.nether.net<mailto:cisco-nsp-boun...@puck.nether.net>]
 On Behalf Of adamv0...@netconsultings.com<mailto:adamv0...@netconsultings.com>

Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

[Erik Sundberg]

I opened a TAC Case on this: TAC Responded We have asked the BU to tell us 
how to do this. So no I am waiting for a Conference call with the BU.

So in the mean time I tried what James said I do have my reservations about 
golden disk. In my opinion golden disk is usefully for deploying a new router 
not upgrading a working router, due to the fact you have to generate a new ISO 
for each router. I was able to do this and have the package added to the 
repository.


When I try to add one or more packages to the repo I get the file is corrupt, 
even though the file check sum matches...

RP/0/RSP0/CPU0:CR1.LAB1#sh install log 58
Fri Apr 13 09:41:48.156 UTC
Apr 12 12:21:52 Install operation 58 started by esundberg:
 install add source harddisk:/downloads/6.3.2 
asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm
Apr 12 12:21:53 Action 1: install add action started
Apr 12 12:21:54 Install operation will continue in the background
Apr 12 12:21:55 ERROR! Package "asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm" is 
invalid: asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm is corrupt
Apr 12 12:21:55 ERROR!! failed while handling validate reply

Apr 12 12:21:57 Install operation 58 aborted
Apr 12 12:21:57 Ending operation 58

RP/0/RSP0/CPU0:CR1.LAB1#



Erik Sundberg
Sr. Network Engineering
Network Engineering Department
p: 773.661.5532
c: 708.710.7419
e: esundb...@nitelusa.com
Main: 888.450.2100
NOC 24/7: 866.892.0915
350 North Orleans Street, Suite 1300N Chicago, IL 60654
www.nitelusa.com

Managed Telecom Services
MPLS | Ethernet | Private Line | Internet | Voice | Security

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
adamv0...@netconsultings.com
Sent: Friday, April 13, 2018 9:36 AM
To: 'Tom Hill' <t...@ninjabadger.net>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

> Tom Hill
> Sent: Friday, April 13, 2018 1:46 PM
>
> On 12/04/18 18:06, Gert Doering wrote:
> > yum update
> >
> > ... now *that* would be nice...
>
> I thought you could do that...
>
>  https://www.cisco.com/c/dam/assets/global/DK/seminarer/pdfs/XR60.pdf
>  (pgs. 30 & 31)
>
Page 26 of the same doc:
IOS XR  packages  are  installed  with  "install  update/upgrade".
Install  commands  are  a  wrapper  around  YUM  to  provide  multiarch support.
-so there's your yum update

But from the initial discussions on this from a few years back I thought I'd be 
able to spin up container on new version and then just switch to new one in an 
instance, or failback quickly if needed, preferably 0 packet loss in the 
process (maybe I'm mistaken ncs6k with asr9k).
Makes me wonder what's going on under the hood on asr9ks ncs5ks actually -i.e. 
how does the picture look like at each LC (I guess we'll need to wait till this 
"modular" architecture arrives to LCs as well?) In this sense, to me the router 
chassis is like a small DC with compute nodes (in form of RPs and LCs) all 
connected via Ethernet network -it would be nice to have control over which 
containers and what versions run on each compute node.
And regarding the 0 packet loss,
I'm wondering whether the NPU microcode version is independent of the (I guess 
Admin Plane) version (or whether it's still monolithic)

Also wondering when we'll be able to take RPs out of the chassis that is spin 
up the Control container(s) (and third party containers) on COTS HW and let 
these talk to LCs.
As unfortunately these chassis-based systems can become full with just couple 
of LCs in them just because the RP can't cope with the high number of VRFs, 
prefixes and BGP sessions.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

[Erik Sundberg]

yum / apt-get upgrade. All too easy..



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Gert 
Doering
Sent: Thursday, April 12, 2018 12:06 PM
To: Nick Hilliard 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

Hi,

On Thu, Apr 12, 2018 at 05:04:54PM +0100, Nick Hilliard wrote:
> i could put up with a lot if using linux speeds up i/o access on the
> router's local disk, which was what turned the old upgrade process
> into such a bag of misery.

yum update

... now *that* would be nice...

gert

--
"If was one thing all people took for granted, was conviction that if you  feed 
honest figures into a computer, honest figures come out. Never doubted  it 
myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

[Erik Sundberg]

Anyone have the procedure for upgrade ios xr 64-bit  from 6.3.1 to 6.3.2 on a 
ASR99xx router?

Its a little differnent than upgrading a 32-bit ars9k

Also the a9k-mini file is an iso not a pie file.

Thanks

Erik





CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 Opinions

[Erik Sundberg]

I found a good example of BGP-SD

https://www.cisco.com/c/dam/en/us/products/collateral/routers/asr-920-series-aggregation-services-router/asr920-full-internet-routing-capability.pdf



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James 
Bensley
Sent: Thursday, December 21, 2017 5:02 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 Opinions

Hi Jason,

I would second what everyone else has already said; we're using version 
3.16.something (can't remember off the top of my head) on probably a couple of 
hundred ASR920s; usually edge PE services:
L3 VPNs (IPv4, 6PE)
L2 VPNs (mostly pseudowires, just a tiny bit of VPLS on these, we avoid VPLS if 
possible but it does work) BGP OSPF LDP FRR/LFA/rLFA Per-VRF label mode as you 
mentioned

The only problem we have with them is the tiny FIB size, 20K IPv4 routes off 
the top of my head. If you're "unlucky" and PoP a site with a few large 
customers with lots of routes in their relevant customer VRFs you'll blow the 
TCAM long before you run out of ports of bandwidth.

As was mentioned below for full table Internet...

On 21 December 2017 at 17:17, Mark Tinka <mark.ti...@seacom.mu> wrote:
>
>
> On 20/Dec/17 00:36, Erik Sundberg wrote:
>
>>
>> One down side is the 20K IPv4/IPv6 Route limit. So no full routes and we 
>> also place a RT Filter on our VPNv4 sessions back to the core.
>
> BGP-SD is your friend.
>
> We hold a full IPv4/IPv6 table on each of them in RAM, which a handful 
> of useful routes in FIB. Works great!
>
> It means we can offer our customers a native eBGP session with a full 
> BGP table from the ASR920, i.e., no need for an eBGP Multi-Hop session 
> into the "clever" core.

However no Internet in a VRF here (yet!) and BGP-SD only works on the global 
routing table for the ME3600X/ME3800X, so I assume it's the same for the 
ASR920, meaning when we reach Internet-in-a-VRF deployment coverage == 100% 
we'll be stuffed.

But the full Internet table isn't really a problem for us, as others have 
mentioned you can pseudowire a customer back somewhere or run multi-hop BGP 
etc, but with only 20K FIB entries in TCAM we run out of TCAM just from a few 
large customer VRFs, which is frustrating. We run some of our MEs with the IP 
SDM profile which gives them 4K more IPv4 entries in TCAM (24K total), which is 
more than the ASR920s. That could be one more medium sized customer or several 
smaller ones, extra that we could fit on the device (in terms of the number of 
routes that customer has).

Overall a good stable MPLS-to-the-access layer box, but the TCAM limits make it 
more suited for layer 2 agg then layer 3 agg.

Someone mentioned the micro-burst thing and using "queue-limit percent 100" 
command; that command eventually hit the ME3600X/ME3800X's so we rolled that 
into our default templates back then because we had 10G back-haul links to the 
devices with 1G access facing circuits. When the ASR920 dropped we were hot on 
it with putting that command doing into our default ASR920 templates from the 
start, as we'd been bitten already by micro-burts on the MEs. This issue was 
fairly serious for us as we often have for example, a DSLAM hanging off of one 
or more of the 1G ports, customers are trunked up from the DSLAMs with say a 
10M EFM circuit, so you've actually got a 10G back-haul then a shaper on the ME 
or ASR down to 10M for that VLAN on that 1G link, that's actually two more 
orders of magnitude smaller than 10G > 1G.
"queue-limit percent 100" is a life safer. It's not perfect but works pretty 
well.

Cheers,
James.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 Opinions

[Erik Sundberg]

Whoa Never heard of this….. Definitely will have to check it out.

Does someone want hand out an early xmas present and show a sample config of 
this?!?!?


Thanks

Erik

From: Mark Tinka [mailto:mark.ti...@seacom.mu]
Sent: Thursday, December 21, 2017 11:17 AM
To: Erik Sundberg <esundb...@nitelusa.com>; Stephen Fulton 
<s...@lists.esoteric.ca>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 Opinions


On 20/Dec/17 00:36, Erik Sundberg wrote:





One down side is the 20K IPv4/IPv6 Route limit. So no full routes and we also 
place a RT Filter on our VPNv4 sessions back to the core.

BGP-SD is your friend.

We hold a full IPv4/IPv6 table on each of them in RAM, which a handful of 
useful routes in FIB. Works great!

It means we can offer our customers a native eBGP session with a full BGP table 
from the ASR920, i.e., no need for an eBGP Multi-Hop session into the "clever" 
core.

Mark.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 Opinions

[Erik Sundberg]

Stephen,

We have about 20 ASR920's deployed some are 24 Port Copper and some are 24 Port 
Fiber

Running version: asr920-universalk9_npe.03.16.04.S.155-3.S4-ext.bin
Advance metro IP license with 10G Ports

Core Facing ISIS+LDP+BFD,IPv4,IPv6,BGP 
Customer Services: Internet (Non BGP Customers), L3VPN, EoMPLS, 
VPLS/BridgeGroups, ENNI's, QOS Shaping and Policing

We will deploy these in a 10G ring of 6 devices then 2x 10G back to our core 
Routers

One down side is the 20K IPv4/IPv6 Route limit. So no full routes and we also 
place a RT Filter on our VPNv4 sessions back to the core.

We did hit a bug where sometime after you upgrade the 10G ports were admin 
down. I forget what Image this occurred on.

I am very happen with them the only down side is they don't have a 48x1G, 
4x10Gport model.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stephen 
Fulton
Sent: Tuesday, December 19, 2017 12:38 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 Opinions

Hi Jason,

We're running several, primarily as PE's facing external networks, with ISIS, 
LDP, BGP, VPNv4, IPv6 (not 6VPE) and EoMPLS.  So far, no major issues, we're 
running 03.16.04.S or 03.16.05.S.  Core facing interfaces are IP only, not 
trunks attached to BDI's.  My only concern up to this point is the buffer size. 
 The PDF "Handling Microburst on Cisco ASR920"
outlines steps to mitigate it but the commands do not work on the versions I'm 
running.  It hasn't been a problem yet, but we'll see.

-- Stephen

On 2017-12-19 1:31 PM, Jason Lixfeld wrote:
> Hey all,
> 
> With the ME3600 EOL, we’re looking to start deploying ASR920s.  These boxes 
> would run 100% L3 on the core facing sides (at 10 or 20Gbps), and aside from 
> the odd corner case, 100% L3 on the customer facing side.
> 
> Some of the more major features they’d run would be:
> ISIS
> LDP
> BFD
> BGP-VPNv4
> BGP-VPNv6 (6VPE)
> BGP Selective Route Download
> IPv6*
> ACL (ingress and egress)*
> Per-VRF label mode
> EoMPLS
> FAT-PW
> VRF aware DHCP Relay w/option 82 stamping (device, port (EFP?), VLAN) 
> VRF aware DHCP Server
> 
> Corner cases would include BGP signalled VPLS w/BGP-AD, and l2protocol 
> support for peer/forward/tunnel primarily on CDP and STP-type frames, as 
> required.
> 
> *ME3600s cannot support simultaneous configuration of egress ACLs and IPv6.  
> I’ve heard that the ASR920 resources are carved up differently, where this is 
> no longer a problem.
> 
> My understanding is that the ASR920 behaves more like an ASR1000 than an 
> ME3600 in terms of how L2 is implemented (ie: no more global vlan table, vlan 
> database, etc and all EFP/bridge-domain based).  Also, I understand that 
> these boxes have Netflow to some degree, but a cursory look at the 
> documentation seems to suggest that you need to set the SDM profile to video 
> (which affects the device scale as it re-configured the TCAM) if you want to 
> enable Netflow?
> 
> I know this isn't the first time a “what are your experiences with these 
> boxes like?” thread has made the rounds, but I wanted to throw it out again 
> to see how much has changed since the last time it circulated.  So, while we 
> wait for some of these guys for the lab, I’m looking for some feedback on 
> what to expect from these boxes in terms of reliability (hardware and 
> software), feature limitations/gotchas, a good, reliable code version, and 
> anything else someone might want to share about these guys, good, bad or 
> indifferent.
> 
> Thanks again, in advance.
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?

[Erik Sundberg]

Side Note.

Cisco is coming out with a ASR9901 with in the next couple months, not sure on 
the release date. I have seen a couple of slides on it.

2U
16x Ports for 1G
24x Ports 1G/10G (Configured in blocks of 4 for 1G or 10G)
2x 100G Ports

2x Tomahawk NPU's
456G Backplane
IOS XR 64bit
Front to back cooling
1200w power usage

I sure it will handle some 4M or 10M ipv4 or ipv6.

Also the ASR9906 that come out this month is an option. Not sure it is is 
online yet either.

Check out the Cisco Live slides from Vegas that are online


Erik Sundberg
Sr. Network Engineering
Network Engineering Department
p: 773.661.5532
c: 708.710.7419
e: esundb...@nitelusa.com
Main: 888.450.2100
NOC 24/7: 866.892.0915
350 North Orleans Street, Suite 1300N Chicago, IL 60654
www.nitelusa.com

Managed Telecom Services
MPLS | Ethernet | Private Line | Internet | Voice | Security


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark 
Tinka
Sent: Friday, August 4, 2017 3:43 AM
To: Łukasz Bromirski
Cc: Cisco Network Service Providers
Subject: Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?



On 4/Aug/17 00:52, Łukasz Bromirski wrote:

>
> - the ‘HX’ series currently consist only of 1001HX and 1002HX, so both
> fixed platforms with some modularity included; there are no HX fully
> modular chassis, so my comment above was misleading in terms of
> 1001HX/1002HX supporting RP3 - they simply can’t

Understood.

So for all intents & purposes then, the only RP3-based systems today are the 
fully modular ASR1006-X, ASR1009-X and ASR1013, yes?

Mark.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?

[Erik Sundberg]

I just had a presentation on this.

Sounded like the ASR920 AKA Rebranded as the NCS4200 will be running the NCS 
Code. Sounded like same hardware.

Also thinking it's more of a product switch to fill out the NCS Product set.



-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Pete 
Templin
Sent: Tuesday, April 25, 2017 10:09 AM
To: Gert Doering; CiscoNSP List
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] NCS4200 - re-badged ASR920 / ASR900 ?

Or the Nexus 5010 vs. UCS Fabric Interconnect debacle? I think there's one 
extra CPU/ASIC on the board of the FIs, and the paint color is different, but 
the code is different.


On 4/25/17 4:24 AM, Gert Doering wrote:
> Hi,
>
> On Tue, Apr 25, 2017 at 11:06:33AM +, CiscoNSP List wrote:
>> If feature parity between the 2 are identicalIt makes no sense?
> Look at the history of the 6500/7600 split...
>
> Starting out with identical hardware, just differently coloured, sold
> by different BUs.
>
> Then start differenciating - one BU builds a faster supervisor, and
> adds a software check "if we detect that the other BU got the money
> for this chassis, refuse to boot".   The other BU starts adding nice
> OS features that you really want (but are not supported on the *other*
> chassis, then) and down the drain goes the journey.
>
> I ended up having 6500s, because we wanted IOS modularity (which
> turned out to be no good, and was discontinued), and was lacking all
> the newer
> control-plane(!) features the 7600 IOS received after the split...
>
>
> (cisco-nsp archives have lots of material on this)
>
> gert
>
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco 7301 limitation ?

[Erik Sundberg]

I have had a couple of these where CEF wasn't turned on propery on the 
interface and had terrible throughput and high CPU.

Check to make sure CEF is enabled on the interface.

#show cef interface g0/0
GigabitEthernet0/0 is up (if_number 2)
  Corresponding hwidb fast_if_number 2
  Corresponding hwidb firstsw->if_number 2
  Internet Protocol processing disabled
  Hardware idb is GigabitEthernet0/0
  Fast switching type 1, interface type 27
  IP CEF switching enabled  <
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0x2008, Output fast flags 0x8004008
  ifindex 2(2)
  Slot  Slot unit 0 VC -1
  IP MTU 0


Also we are running Version 15.2(4)S7 just fine on our 7301.

You can check to see what is being punted to the cpu via.

#show cef not-cef-switched
% Command accepted but obsolete, see 'show (ip|ipv6) cef switching statistics 
[feature]'

IPv4 CEF Packets passed on to next switching layer
Slot  No_adj No_encap Unsupp'ted Redirect  Receive  Options   Access Frag
RP 0   0 1027549  307  6222801000
IPv6 CEF Packets passed on to next switching layer
Slot  No_adj No_encap Unsupp'ted Redirect  Receive  Options   Access  MTU
RP 0   0 17943680   988337000


#show ip cef switching statistics

Path   Reason  Drop   Punt  Punt2Host
RP LES Packet destined for us 03111368  0
RP LES Neighbor resolution req0 30  0
RP LES Total  03111398  0

RP PAS No route 121  0 31
RP PAS Packet destined for us 03111368359
RP PAS No adjacency 867  0  0
RP PAS Incomplete adjacency 2174690  0  0
RP PAS TTL expired0  01027232
RP PAS Routed to Null0   26  0201
RP PAS IP redirects   0  0307
RP PAS Unclassified reason  259  0  0
RP PAS Neighbor resolution req   172650  0  0
RP PAS Bad IP packet header leng   1346  0  0
RP PAS Link-layer broadcast/mult  11057  0  0
RP PAS Total236101631113681028130

AllTotal236101662227661028130


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Arie 
Vayner
Sent: Thursday, April 20, 2017 5:00 PM
To: Bill Blackford; Olivier CALVANO
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Cisco 7301 limitation ?

Even though it is a software router, there's a difference if packets are 
forwarded on the fast path or slow path (punt).

Arie

On Thu, Apr 20, 2017 at 2:49 PM Bill Blackford  wrote:

> It is a software router. I've had these fall over from too many small
> packets.
>
> Sent from my iPhone
>
> > On Apr 20, 2017, at 13:07, Arie Vayner  wrote:
> >
> > I would check for MTU and fragmentation issues... If the router is
> > fragmenting, it would bring the CPU up...
> >
> > On Thu, Apr 20, 2017 at 10:41 AM Olivier CALVANO
> > 
> > wrote:
> >
> >> Hi
> >>
> >> i have a problems with a cisco 7301 IOS:
> >>
> >> Cisco IOS Software, 7301 Software (C7301-ADVENTERPRISEK9-M),
> >> Version 12.2(33)SRD5, RELEASE SOFTWARE (fc2)
> >>
> >> No special config on C7301, no qos, no access list, no filter ...
> >> only
> IP
> >> Route
> >>
> >>
> >>
> >> On this router, i have two ports used:
> >>GigabitEthernet0/0
> >>GigabitEthernet0/1
> >>
> >> Port 0/0 it's a 1 Gbits link
> >> Port 0/1 it's a 1 Gbits link but i two vlan each vlan is a fiber
> >> remote link, one of 20Mbits and the second 500 Mbits
> >>
> >>
> >> When i start a upload from a pc behind the 500 Mbits vlan link, no
> >> problems, i have 500 Mbits and cpu is good:
> >> CPU utilization for five seconds: 33%/22%
> >>
> >>
> >>
> >> but when i download, i am limited to 266 Mbits and the CPU of the
> >> C7301
> are
> >> high:
> >>
> >> CPU utilization for five seconds: 98%/43%
> >>
> >>
> >> anyone know this problems ?
> >>
> >> It's possible because the cisco don't know that the vlan is limited
> >> at
> 500
> >> mbits and he want sent at 1 gbits ?
> >>
> >> regards
> >> Olivier
> >> ___
> >> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> > ___
> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

Re: [c-nsp] Cisco ME1200 iCLI

[Erik Sundberg]

I was never able to get the iCLI work always was stuck in the awkward shell, or 
GUI. When talking to our cisco SE, he really wasn't familiar with it. We didn't 
spend a lot of time on it and moved on to the next project.

If someone could share how to change the device from a Shell like to iCLI, that 
would be appreciated.

-Original Message-
From: Holger L [mailto:ci...@entrap.de]
Sent: Tuesday, November 29, 2016 7:20 AM
To: Gregor Jeker
Cc: Erik Sundberg; cisco-nsp
Subject: Re: [c-nsp] Cisco ME1200 iCLI

On Mon, November 28, 2016 20:54, Gregor Jeker wrote:
> Hi Guys
> We have also been working with a demo pair of those, intended as CPE
> for some E-Line like services. From my side, I have never seen that
> weird CLI everyone is talking about, I just started with the console
> and had a very IOS-like CLI. I got the devices from the demo pool, so
> maybe someone before hit some magic command, or maybe it depends on
> the set of credentials or the firmware? I used admin/sandino, the software in 
> use is:
>
> ME1200-1# sh ver
> [...]
> Active Image
> 
> Image: me1200-universal-mz.156-2.SN.dat (primary)
> Version  : ME1200 OS Software Build 15.4-3.SN
>
> ME1200-1# show inventory
> NAME: "ME1200", DESCR: "Network Interface Device"
> PID: ME1200-4S-A , VID: V01 , SN: RTC1
>
> Just to give you some examples of what I am seeing with this device:
>
> ME1200-1# sh run int gig 1/1
> Building configuration...
> interface GigabitEthernet 1/1
>  switchport hybrid native vlan 100

Wow that's weird. Why do you get the iCLI and I get this crapy shell? Our Image 
is me1200-universal-mz.156-2.SN which is the same as yours. But our OS Version 
is different, we have "OS Software Build 15.6-2.SN" (same as the Image). And I 
also use the admin/sandino default priv 15 user..

>  Some commands and especially the show outputs are a little different
> than traditional IOS. However, no problems getting things up

It would be very happy with a shell like yours :) But how to get it?

>  Cheers,
>  Gregor

Cheers,
Holger





CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Cisco ME1200 iCLI

[Erik Sundberg]

I have a couple of these sitting on the shelf too. Configuration guides didn't 
match how to configure the NID's. Don't know why Cisco thought it was a good 
idea to make the ME1200 completely different from the rest of the 
ME3400,3600,3800 lines.This device does not run IOS. So we are looking at Ciena 
and Accedian for NID's instead.

Very frustrating.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Holger L
Sent: Friday, November 25, 2016 7:24 AM
To: cisco-nsp
Subject: [c-nsp] Cisco ME1200 iCLI

Hi,

it's the first time I test a Cisco ME1200 and got some basic questions.
(Till now we used ME3400 Switches to deploy QinQ L2 VPNs.)

I got two ME1200-4S-A Switches and wonder how to get into iCLI? I am able to 
access the "NID Configuration" on console and to access the web interface 
(after I configured an IP in "NID Configuration").

But how to get into iCLI mode which has the well-known Cisco syntax?

In the docs they just exit the "NID Configuration" and do a "conf t" but this 
doesn't work.. As priv 15 admin:

(ProvisionPortVlanPortType)# exit
# configure terminal
% Command not permitted.

And it seems all the commands out of the iCLI docs are not available in my
shell:

# ?
Diagnostics  Diagnostics Tests
EpsPortType  Provision eps
ErpsPortType Provision Erps
FlexlinksPortTypeProvision Flexlinks Services
IPMCMVR  Enter cisco mvr Template Services
LSTPortType  Provision LST Services
LinkOamPortType  Provision linkoam
NtpPortType  NTP provision
OperationsMepPortTypeEnables FM and PM on Mep
PTPPortType  ME1200 PTP operations
ProvisionConfigManagementEnter Cisco ConfigMgmt Provisioning mode
ProvisionEVC Enter Cisco EVC Provisioning mode
ProvisionL2CPPortTypeProvision L2CP service
ProvisionLacpPortTypeProvision LACP service
ProvisionLldpPortTypeProvision lldp
ProvisionMacTableSecurityTypeMAC Address Table Management
ProvisionMepPortType Provision MEP
ProvisionNIDMgmtType Provision NID Management
ProvisionNotifications   Enter Notifications Configuration mode
ProvisionPhyPortType Physical Port Configuration
ProvisionPortVlanPortTypeProvision Vlan and SwitchPort Service
ProvisionQos QOS Provisioning
ProvisionSnmpConfProvision Snmp  Service
ProvisionStormControlProvision Storm Control  Service
ProvisionStpPortType Provision STP Services
ProvisionSystemType  show flash
RFC2544PortType  RFC2544 port type
ReachabilityPortType Enter Reachability Provisioning mode
SECURITYACL  Enter cisco acl Template Services
SFlowsFlow operations
Span Enter SPAN and RSPAN Provisioning mode
SyncESet SyncE configuration
Syslog   Syslog Properties and Methods
UDLDPortType Provision UDLD Configuration
ciscoY1564   Enter Cisco Y1564 Provisioning mode
do   To run exec commands in config mode
exit Exit from EXEC mode
help Description of the interactive help
system
httpsEnter HTTPS Provisioning mode
logout   Exit from EXEC mode
more Display file
ping Send ICMP echo messages
template Cisco template wise debug mode
ztp  Debugging functions

Same commands if I use ssh instead of console. Any Ideas?

BTW, I did not use a ME3800/ME3600 as controller. Do I need to do this to 
access iCLI?

Thanks, BR,
Holger

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. 

Re: [c-nsp] ASR9xx: 3.16.04S experiences?

[Erik Sundberg]

Just finished upgrading about 10 devices in production to 
asr920-universalk9_npe.03.16.04.S.155-3.S4-ext.bin

No issues so far... Knock on wood

Services running: Internet, MPLS, Ethernet
bgp, bgp vpnv4, bgp ipv6, VPLS, EoMPLS, QOS

We have been dealing with a couple of bugs since we purchase them, hopefully 
this code is finally stable.
-NTP Buffer Bug
-Memory Leak which leads to a reboot.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of James 
Bensley
Sent: Wednesday, November 2, 2016 4:31 AM
To: James Jun; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR9xx: 3.16.04S experiences?

On 2 November 2016 at 01:50, James Jun  wrote:
> Gents,
>
> Anybody with ASR920 and/or 903 running 3.16.04S yet?  If so, experiences?
> We've been rolling 3.16.03aS out to most of our boxes til now.
>
> James


Hi James (top work on that name choice!),


We have lab tested 3.16.04S to replace 3aS, it has passed with no issues [1] 
and now we are doing the red tape / paper work to make it our official 
production version for the ASR920's. So no live production boxes yet but soon 
very soon hopefully as its passed the UAT.


[1] For us this is OSPF, BFD, LDP, MP-BGP (with various route maps, 
prefix/community/RT filters, and inter-AS MPLS), MPLS L2 VPNs (p-t-p EPL, 
VPLS), L3 VPNs, various H-QoS settings. Mininmal NAT and GRE testing though.


Cheers,
James.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 (24SZ-M) 10Gb ports...not dual rate?

[Erik Sundberg]

Correct the 10G Ports on the high density 24 port ASR920 models are not dual 
rate.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Tuesday, June 21, 2016 4:29 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASR920 (24SZ-M) 10Gb ports...not dual rate?

Hi Everyone,


Just tried inserting a 1G SFP into one of the 4 10Gb ports on one of our 
ASR920's, and got the following error:


Jun 21 2016 14:30:13.036 GMTWA: %TRANSCEIVER-6-INSERTED: SIP0: iomd:  
transceiver module inserted in TenGigabitEthernet0/0/25 Jun 21 2016 
14:30:18.076 GMTWA: %TRANSCEIVER-3-NOT_COMPATIBLE: SIP0: iomd:  Detected for 
transceiver module in TenGigabitEthernet0/0/25, module disabled


Quick Google, found this page:


http://www.cisco.com/c/en/us/td/docs/routers/asr920/hardware/chassis/guide/ASR920-Chassis-SW/Using_dual_rate_ports.html


"Dual rate ports are not supported on Cisco ASR 920 Series Router 
(ASR-920-24SZ-IM, ASR-920-24SZ-M, ASR-920-24TZ-M)."


...So on the 24 port version of the ASR920, the 10Gb ports cannot be used as 
1Gb it seemssmaller port models they can be?  Id love to know why 
lol.damnit...box is 4000 kilometres away...remote hands 4 hours 
away...looks like ill have to wait until tomorrow and get them to swap the 1G 
SFP to one of the 1Gb SFP ports

[http://www.cisco.com/web/fw/i/logo-open-graph.gif]

Cisco ASR 920 Series Aggregation Services Router 
...
www.cisco.com
Book Title. Cisco ASR 920 Series Aggregation Services Router Configuration 
Guide. Chapter Title. Using Dual Rate Ports. PDF - Complete Book (2.95 MB) ...



___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 port based xconnect equivalent

[Erik Sundberg]

Example UNI Port XConnect, supporting mtu 9180, and l2cp, EoMPLS Xconnect

interface GigabitEthernet0/9
 description My UNI Port
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9180
 service instance 1 ethernet
  encapsulation default
  l2protocol tunnel cdp stp vtp
  xconnect 1.1.1.1 123 encapsulation mpls pw-class L2VPN
 !

!pw-class template
pseudowire-class L2VPN
 encapsulation mpls
 interworking ethernet

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Stephen 
Fulton
Sent: Friday, June 03, 2016 7:01 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 port based xconnect equivalent

Inaccurate documentation?!  Never!


-- Stephen

On 2016-06-03 7:41 AM, Mark Tinka wrote:
>
>
> On 3/Jun/16 13:33, Stephen Fulton wrote:
>
>> For posterity, here is a link to the relevant docs (at this moment in
>> time):
>>
>> https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/gu
>> ide/mpls/mp-l2-vpns-xe-3s-asr920-book/mp-any-transport-xe.html#GUID-F
>> B013E0C-B37F-48CF-B2B0-374A45B9B9EC
>>
>
> What that link is missing is the need for "encapsulation default"
>
> We tested
> https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/gui
> de/mpls/mp-l2-vpns-xe-3s-asr920-book/mp-any-transport-xe.html#task_8CE
> DC61BD9A748E78B6659ACF7B14160 but if failed miserably. So we stuck
> with the old CLI.
>
> Mark.
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 - Any "outstanding" TAC cases people are working through?

[Erik Sundberg]

We have been using ASR920's for a couple months now.

I have an outstanding Memory leak issue in 
asr920-universalk9_npe.03.16.01a.S.155-3.S1a-ext.bin

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy87268

The work around doesn't work for me, I just tried it. TAC gave me the 
following. We have to reboot the ASR920 to lower the memory back down.

The fix for CSCuy87268 has been committed and would be available in the 
following releases:

XE 3.16.4S/15.5(3)S4 - planned for September 2016.
XE 3.18.S1/15.6(2)S1 - planned for mid June 2016.



Issue RP0 memory usage at 98% and growing, status is in the warning state. I 
had to reboot the device to get the memory back down, however it still grows.


Model: ASR-920-24SZ-M

ASR920 - #1
98% used memory and uptime is 24 weeks.
ASR920#sh platform software status control-processor bri
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   0.04   0.07   0.04

Memory (kB)
 Slot  StatusTotal Used (Pct) Free (Pct) Committed (Pct)
  RP0 Warning  3438048  3361672 (98%)76376 ( 2%)   3345388 (97%)

CPU Utilization
 Slot  CPU   User System   Nice   IdleIRQ   SIRQ IOwait
  RP00  11.93   7.22   0.00  80.64   0.00   0.20   0.00
 1   9.60   8.30   0.00  81.78   0.00   0.30   0.00


ASR920 - #2 Before Reboot (Uptime around 10 Weeks)

ASR920#sh platform software status control-processor bri
Load Average
  Slot  Status  1-Min  5-Min 15-Min
   RP0 Healthy   0.00   0.00   0.00

Memory (kB)
  Slot  StatusTotal Used (Pct) Free (Pct) Committed (Pct)
  RP0 Warning  3438048  3360436 (98%)77612 ( 2%)   3341328 (97%)

CPU Utilization
  Slot  CPU   User System   Nice   IdleIRQ   SIRQ IOwait
   RP00   6.60   3.70   0.00  89.38   0.00   0.30   0.00
1   1.40   0.80   0.00  97.80   0.00   0.00   0.00


ASR920 - #2 Post Reboot

EAR1.ATL1#sh platform software status control-processor bri
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   0.00   0.02   0.00

Memory (kB)
 Slot  StatusTotal Used (Pct) Free (Pct) Committed (Pct)
  RP0 Healthy  3438048  1855832 (54%)  1582216 (46%)   1512524 (44%)

CPU Utilization
 Slot  CPU   User System   Nice   IdleIRQ   SIRQ IOwait
  RP00  10.68  10.88   0.00  78.02   0.00   0.39   0.00
 1   6.29   6.49   0.00  86.91   0.00   0.29   0.00




The memory leaks in the process SPA_XCVR_OIR and  enqueue_oir_msg  from what 
tac has told me.

EAR1.ATL1#  show platform software memory iomd 0/0 brief
  module  allocated requested allocsfrees
  --
  DEVOBJ  38496 37792 880
  IOMd intr   1392  1104  360
  Summary 1198313647679413327 496656324 431793784
  appsess_ctx 1736  1728  1 0
  appsess_timer   56403 1
  bsess_hdl   40321 0
  cdh-shim7260  5940  165   0
  cdllib  1668  1660  7 6
  chunk   5573  5517  7 0
  enqueue_oir_msg 506580480 253290240 49236333  17575053
  env_wheel   20108 20100 1 0
  eventutil   310794307834386   16
  fpd_sb  208   200   1 0
  fpd_upg 5636  5548  110
  geim_esb5040  4816  280
  geim_hwidb  16352 16128 280
  geim_instance   16800 16576 280
  geim_spa_instance   13440 13216 280
  geim_spa_plugin 764   756   2 1
  ipc_shim_pak0 0 17057467  17057467
  null_spa_plugin 104   961 0
  oir_create  80721 0
  oir_enqueue_event   0 0 1 1
  oir_processing  24161 0
  queue   240   200   5 0
  spa_bay_array   128   964 0
  spa_bay_create  120   112   1 0
  spa_env_enq 0 0 7 7
  spa_env_subsys_init 512   384   160
  spa_oir_psm 264   240   2825
  spa_plugin  672   480   240
  spa_tdl_alloc   0 0 343085676 343085676
  spa_xcvr_oir691264468 425661956 50775367  17575053
  

Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

[Erik Sundberg]

A Catalyst Switch will only look at the first VLAN Tag(Outter), it doesn't care 
about the inner vlan tag and will forward the frame on. Just watch your MTU 
Size, because you lose 4btyes to the inner vlan tag.

A Good Example. http://blog.jhe.co/2009/11/dot1q-tunneling.html


Share the config for the following Ports, and I can check it for you.

Cisco 4500X Provider Port
Cisco 4500X Port to ME3800.
Cisco ME3800 Port Config




I Did lab this up on a ASR920, the commands should be fairly close, I noted the 
difference between the ASR920 and ME3800

Carrier Side: QinQ Interface Outer VLAN 800 InnerVLAN 20 IP 192.168.0.1/24

l2 vfi TESTING manual
 vpn id 820
 bridge-domain 820

interface GigabitEthernet0/0/11
 no ip address
 negotiation auto
 service instance 820 ethernet
  encapsulation dot1q 800 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 820

!!! ON A ASR920
bridge-domain 820
interface BDI820
 ip vrf forwarding TESTING2
 ip address 192.168.0.2 255.255.255.0
 no shut

ON A ME3800
int vlan 820
  xconnect vfi TESTING
  ip address 192.168.0.2 255.255.255.0
  no shut


ASR920#ping vrf TESTING2 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ASR920#show mac-address-table bdomain 820

   Nile Mac Address Entries

   BDmac addrtype ports
   
--
   820   0012.448e.8062  DYNAMIC  Gi0/0/11.Efp820


ASR920#sh ip arp vrf TESTING2
Protocol  Address  Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1 2   0012.448e.8062  ARPA   BDI820
Internet  192.168.0.2 -   00f2.8bdd.603f  ARPA   BDI820


-Original Message-
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Wednesday, February 03, 2016 3:51 AM
To: Erik Sundberg <esundb...@nitelusa.com>; cisco-nsp@puck.nether.net
Subject: Re: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans


Before I go any further trying to get this to work, Im hoping someone can 
answer this, so Im not trying to make something work that simply wont, given 
the hardware currently in place.

Given the "AGG" switch is a 4500X, ie not a "Metro E" switch, and double tagged 
frames is "Metro E", will our 4500X be seeing this double tagged frame as 
potentially "mangled" and drop it?

I have a suspicion this might be the casebut Im hoping I am wrong :(

Cheers
____
From: Erik Sundberg <esundb...@nitelusa.com>
Sent: Wednesday, 3 February 2016 6:32 PM
To: CiscoNSP List; cisco-nsp@puck.nether.net
Subject: RE: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

http://supportforums.cisco.com/sites/default/files/legacy/8/2/1/96128-ASR%209000%20Multiple%20Services%20onthe%20same%20port%20example.jpg

Look at the Routed VPLS/EoMPLS section

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-1_2_ey/configuration/guide/3800x3600xscg/swmpls.html#pgfId-1260366

What you are looking for a is a VPLS Routed Interface Configuration, just 
association the VPLS instance with the bridge group. I have never tried this, 
so I could be wrong, but it's worth a shot.

Try adding this. This creates' a VPLS Instance and associates it to the Bridge 
Group 941.
l2 vfi TESTING manual
 vpn id 941
 bridge-domain 941

Then under your VLAN Interface associate the VLAN Interface with the VPLS 
Instanace.
interface Vlan941
 xconnect vfi TESTING   <<<<<<<<<<<< ADD THIS
 description INNER_OUTER_TAG_TEST
 mtu 9100
 ip address xxx.xxx.xxx.xxx 255.255.255.252  no ip proxy-arp


Also watch your MTU Size's a mismatch can cause the VPLS instance to be down. 
You can check it with "show mpls l2transport vc vcid 941 detail"

This looks good

interface GigabitEthernet0/24   <- Connects to 4500X
service instance 940 ethernet
  description description Inner_outer_tag_test_Outer_940_Inner_941
  encapsulation dot1q 940 second-dot1q 941
  rewrite ingress tag pop 2 symmetric
  bridge-domain 941





-Original Message-----
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Wednesday, February 03, 2016 12:06 AM
To: Erik Sundberg <esundb...@nitelusa.com>; cisco-nsp@puck.nether.net
Subject: Re: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

Thanks Eric,

We have no visibility into the remote end, but I have setup the following on 
one of our ME's (Test service, that has supposedly been configured by carrier, 
and remote end)

Vlans are:

940 (outer)
941 (Inner)

Both vlans have been created on the ME, and only vlan 940 on the 4500X that 
connects to carrier:

ME3600 conf

interface GigabitEthernet0/24   <- Connects to 4500X
service instance 940 ethernet
  description description Inner_outer

Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

[Erik Sundberg]

Rememer you removed\popped off both vlan tags of 800 and 20 on the interface, 
then put the untagged frame in bridge group 820.  The bridge group could have 
been 300, the bridge group number has no assoication to the VLAN configuration 
on the interface.


Here is a step by step,

Step By Step DescriptionCommands "semi-colon is a new 
line"
--
1. Create a Bridge Groupl2 vfi TESTING manual;  vpn id 
820;  bridge-domain 820
2. Go to the interface  interface g0/0/11
3. Incoming frame Outter 800, inner 20  encapsulation dot1q 800 
second-dot1q 20
4. Removed Both Taggs 800 and 20rewrite ingress tag pop 2 
symmetric
5. Put Unttagged Frame in Bridge Group 820  bridge-domain 820
Global Config
6a. ASR920 Created L3 Routed Interface  bridge-group 820; interface bdi820
6b. ME3800 Create L3 Routed Interface   interface vlan 820
6b. ME3800 Connect Interface to BridgeGroup xconnect vfi TESTING
7. Assigned IP Address to the Interface ip address 192.168.0.2 
255.255.255.0


Does this help???


-Original Message-
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Wednesday, February 03, 2016 4:47 PM
To: Erik Sundberg <esundb...@nitelusa.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

...and quick question (I hope) on the VFI config you tested in the lab..you 
stated outer vlan 800, inner vlan 20, but in your conf you are using vlan 820?  
Is this a typo, or on purpose?  i.e. shouldnt the bridge domain be 20, vpn id 
be 20 and vlan int be 20?Im not familiar at all with vfi's so could be 
completely wrong :)

Cheers:

"I Did lab this up on a ASR920, the commands should be fairly close, I noted 
the difference between the ASR920 and ME3800

Carrier Side: QinQ Interface Outer VLAN 800 InnerVLAN 20 IP 192.168.0.1/24

l2 vfi TESTING manual
 vpn id 820
 bridge-domain 820

interface GigabitEthernet0/0/11
 no ip address
 negotiation auto
 service instance 820 ethernet
  encapsulation dot1q 800 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 820

!!! ON A ASR920
bridge-domain 820
interface BDI820
 ip vrf forwarding TESTING2
 ip address 192.168.0.2 255.255.255.0
 no shut

ON A ME3800
int vlan 820
  xconnect vfi TESTING
  ip address 192.168.0.2 255.255.255.0
  no shut"




From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> on behalf of CiscoNSP List 
<cisconsp_l...@hotmail.com>
Sent: Thursday, 4 February 2016 6:52 AM
To: Erik Sundberg; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner
vlans

Thanks for confirming Eric (Re the 4500X) - I have another question...4500X 
will receive frame from carrier with outer tag (vlan 940), and not care about 
inner tagvlan 940 must be configured on this switch, which it is, and 
tagged on both trunk ports (To carrier, and to ME3600)but what about 
"return" traffic?  i.e. we are popping the inner vlan 941 on the ME3600, and 
bringing that up in a vlan Int.wont return traffic be "tagged" vlan 941, 
and therefore be dropped by our 4500X?

And you are saying the only way to do this is via VPLS (i.e. My current conf, 
with just vlan Int wont work)

4500X to Carrier (Simple trunk port)

interface TenGigabitEthernet1/1/11
 description CARRIER_X_AGG_SY3_SN
 switchport trunk allowed vlan 76,940
 switchport mode trunk
 switchport nonegotiate
 mtu 1998
 storm-control broadcast level 1.00
 storm-control action trap
 spanning-tree bpdufilter enable
 spanning-tree guard root


4500X to ME3600 (Again, simple trunk portlot more vlans, as we do all cust 
links on the ME's as VRFs etc)

interface TenGigabitEthernet1/1/3
 description DOT1Q_TRUNK_TO_ME3600
 switchport trunk allowed vlan 5,109,135,143,144,147,158,183,221-223,228,229
 switchport trunk allowed vlan add 265-269,279,284-286,296,307,321,324-326,335
 switchport trunk allowed vlan add 338,339,357,396-398,412,413,463,466-468,576
 switchport trunk allowed vlan add 577,606,626,661,663-666,747,758,759,800-810
 switchport trunk allowed vlan add 823,829,832,835,836,854,864,865,873,881,899
 switchport trunk allowed vlan add 931,940,941,1035,1303  switchport mode trunk 
 switchport nonegotiate  mtu 9100  storm-control broadcast level 1.00  
storm-control action trap  spanning-tree bpdufilter enable  spanning-tree guard 
root


ME3600 Int conf that connects to 4500X:

interface GigabitEthernet0/24
 description DOT1QTRUNK_TO_4500X
 switchport trunk allowed vlan none
 switchport mode trunk
 dampening
 mtu 9100
 load-interval 30
 storm-control broadcast level pps 2k
 storm-control multicast level pps 2k
 storm-control acti

Re: [c-nsp] ASR920 "console" port....ugh

[Erik Sundberg]

Mine is all green

show facility-alarm status
System Totals  Critical: 0  Major: 0  Minor: 0


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Adrian 
Minta
Sent: Tuesday, February 02, 2016 12:30 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 "console" portugh

Since is ASR920 bashing time ... anyone else noticed the red led ?
Apparently red is the new green.

--
Best regards,
Adrian Minta


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

[Erik Sundberg]

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/ME3600x_Design_Guide.pdf

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/CE2-0_certification_v1.pdf

http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSPG-2209.pdf


You must do switchport commands
Services Instance is just a number, we keep it the same as the VLAN Id
Under the Service Instance you specify the VLAN ID with endcapsulation dot1q x
Rewrite ingress Tag POP 1 symmetric  -- This removes the first VLAN Tag on in 
incoming frame, if you do pop 2, it removes the 2 VLAN Tags.

First Example is VPLS with Bridge Domains. Bridge domain ID does not have to 
the same as the VLAN Id
Second Example is EoMPLS XConnect

VPLS
--
l2 vfi  VPLS1 manual
 vpn id 41
 bridge-domain 41
 neighbor 1.2.3.4 encapsulation mpls

interface GigabitEthernet0/19
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9180

!VPLS Example
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41

!EoMPLS Example
service instance 117 ethernet
  encapsulation dot1q 117
  rewrite ingress tag pop 1 symmetric
  xconnect 3.4.5.6 275 encapsulation mpls pw-class L2VPN
  xconnect  



I hope this helps.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Tuesday, February 02, 2016 3:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

Hi Everyone,


We have an AGG port(Standard trunk port) to a carrier on a 4500X - Port has 
multiple customer vlans for p-t-p eth services.

A service they have released will allow us to connect to azure/office 365 via 
QinQ(Carrier doing QinQ, not us) - i.e. We agree to an outer vlan tag with the 
carrier, and they create QinQ tunnel to azure/office 365...then multiple inner 
vlan tags are agreed to between us/azure for various services over this QinQ 
tunnel.

My question is this:

With our current setup (i.e. 4500X, standard dot1q trunk), we would just tag 
the outer vlan for the carrier to use for the QinQ tunnel to azure...this is 
fine, but for us to be able to "access" the inner vlans, Im hoping we can trunk 
this outer vlan to an ME3600, and then pop each inner vlan, and use them as 
needed.Is this possible? ie will the "inner" tags be maintained going 
through the 4500X, and if so, if someone could point me in the direction of 
ME3600 docco that details how to pop the individual inner vlans, it would be 
greatly appreciated.

Eg.

Carriers outer vlan is 800
Inner tags from azure are 10,20,30

Cheers


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

[Erik Sundberg]

You are probably better using a service instance for each vlan. Then you can 
send each VLAN where ever.

service instance 800 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 10
  rewrite ingress tag pop 2 symmetric
  bridge-domain 10

service instance 801 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 20


--

Another way of doing it is the following

If you have two tag come in, only POP 1 Tag. Then your CTag are put in to the 
Bridge Domain.

Int G0/1
service instance 800 ethernet
  description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800
  rewrite ingress tag pop 1 symmetric
  bridge-domain 800


Then on your Egress port you can set it as untagged, C Tags of 10,20, 30 will 
be in the bridge domain and will be passed on egress.

 Int G0/2
Description to 4500x
service instance 400 ethernet
  description 4500X
  encapsulation dot1q untagged
  bridge-domain 800


If you need to pull one CTag out for something else you can do that like so.

Int G0/1
service instance 804 ethernet
  description Go Somewhere else
  encapsulation dot1q 800 second-dot1q 40
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40


-Original Message-
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Tuesday, February 02, 2016 4:01 AM
To: Erik Sundberg <esundb...@nitelusa.com>; cisco-nsp@puck.nether.net
Subject: Re: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans


Thanks for the quick reply - We use service instances quite a bit, but only 
popping first tag, then creating vlan int (for vrf), or PWso fairly basic 
stuff :)

In this circumstance, where we would receive vlan 800 as outer tag, and we want 
to access inner vlans 10,20,30 how would this look under a service instance?

ie.  Something like?

 service instance 800 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 10,20,30
  rewrite ingress tag pop 2 symmetric
  bridge-domain ?


or a separate service instance and pop inner vlans on each one?

 service instance 800 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 10
  rewrite ingress tag pop 2 symmetric
  bridge-domain 10

service instance 801 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 20

Cheers


____
From: Erik Sundberg <esundb...@nitelusa.com>
Sent: Tuesday, 2 February 2016 8:40 PM
To: CiscoNSP List; cisco-nsp@puck.nether.net
Subject: RE: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/ME3600x_Design_Guide.pdf

http://www.cisco.com/c/dam/en/us/td/docs/switches/metro/me3600x_3800x/software/design/guide/CE2-0_certification_v1.pdf

http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKSPG-2209.pdf


You must do switchport commands
Services Instance is just a number, we keep it the same as the VLAN Id Under 
the Service Instance you specify the VLAN ID with endcapsulation dot1q x 
Rewrite ingress Tag POP 1 symmetric  -- This removes the first VLAN Tag on in 
incoming frame, if you do pop 2, it removes the 2 VLAN Tags.

First Example is VPLS with Bridge Domains. Bridge domain ID does not have to 
the same as the VLAN Id Second Example is EoMPLS XConnect

VPLS
--
l2 vfi  VPLS1 manual
 vpn id 41
 bridge-domain 41
 neighbor 1.2.3.4 encapsulation mpls

interface GigabitEthernet0/19
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 9180

!VPLS Example
 service instance 41 ethernet
  encapsulation dot1q 41
  rewrite ingress tag pop 1 symmetric
  bridge-domain 41

!EoMPLS Example
service instance 117 ethernet
  encapsulation dot1q 117
  rewrite ingress tag pop 1 symmetric
  xconnect 3.4.5.6 275 encapsulation mpls pw-class L2VPN
  xconnect  



I hope this helps.


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Tuesday, February 02, 2016 3:28 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

Hi Everyone,


We have an AGG port(Standard trunk port) to a carrier on a 4500X - Port has 
multiple customer vlans for p-t-p eth services.

A service they have released will allow us to connect to azure/office 365 via 
QinQ(Carrier doing QinQ, not us) - i.e. We agree to an outer vlan tag with the 
carrier, and they create QinQ tunnel to azure/office 365...then multiple inner 
vlan tags are agreed to between us/azure for various services over this QinQ 
tunnel.

My question is this:

With our current setup (i.e. 4500X, standard dot1q trunk), we woul

Re: [c-nsp] QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

[Erik Sundberg]

http://supportforums.cisco.com/sites/default/files/legacy/8/2/1/96128-ASR%209000%20Multiple%20Services%20onthe%20same%20port%20example.jpg

Look at the Routed VPLS/EoMPLS section

http://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-1_2_ey/configuration/guide/3800x3600xscg/swmpls.html#pgfId-1260366

What you are looking for a is a VPLS Routed Interface Configuration, just 
association the VPLS instance with the bridge group. I have never tried this, 
so I could be wrong, but it's worth a shot.

Try adding this. This creates' a VPLS Instance and associates it to the Bridge 
Group 941.
l2 vfi TESTING manual
 vpn id 941
 bridge-domain 941

Then under your VLAN Interface associate the VLAN Interface with the VPLS 
Instanace.
interface Vlan941
 xconnect vfi TESTING   <<<<<<<<<<<< ADD THIS
 description INNER_OUTER_TAG_TEST
 mtu 9100
 ip address xxx.xxx.xxx.xxx 255.255.255.252  no ip proxy-arp


Also watch your MTU Size's a mismatch can cause the VPLS instance to be down. 
You can check it with
"show mpls l2transport vc vcid 941 detail"

This looks good

interface GigabitEthernet0/24   <- Connects to 4500X
service instance 940 ethernet
  description description Inner_outer_tag_test_Outer_940_Inner_941
  encapsulation dot1q 940 second-dot1q 941
  rewrite ingress tag pop 2 symmetric
  bridge-domain 941





-Original Message-
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Wednesday, February 03, 2016 12:06 AM
To: Erik Sundberg <esundb...@nitelusa.com>; cisco-nsp@puck.nether.net
Subject: Re: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

Thanks Eric,

We have no visibility into the remote end, but I have setup the following on 
one of our ME's (Test service, that has supposedly been configured by carrier, 
and remote end)

Vlans are:

940 (outer)
941 (Inner)

Both vlans have been created on the ME, and only vlan 940 on the 4500X that 
connects to carrier:

ME3600 conf

interface GigabitEthernet0/24   <- Connects to 4500X
service instance 940 ethernet
  description description Inner_outer_tag_test_Outer_940_Inner_941
  encapsulation dot1q 940 second-dot1q 941
  rewrite ingress tag pop 2 symmetric
  bridge-domain 941

interface Vlan941
 description INNER_OUTER_TAG_TEST
 mtu 9100
 ip address xxx.xxx.xxx.xxx 255.255.255.252  no ip proxy-arp


Im unable to ping remote end, nor am I seeing any dynamic Macs for bridge 
domain 941 - Is there any additional commands I can run to "see" if we are 
indeed receiving the Outer and Inner Tags on the ME?

The only MAC I am learning on the 4500X is from the ME3600

#sh mac address-table dynamic vlan 940
Unicast Entries
 vlan mac address typeprotocols   port
-+---++-+---
-+---++-+--
 940  3462.882a.4640   dynamic ip,ipx,assigned,other TenGigabitEthernet1/1/3


cheers


From: Erik Sundberg <esundb...@nitelusa.com>
Sent: Tuesday, 2 February 2016 10:10 PM
To: CiscoNSP List; cisco-nsp@puck.nether.net
Subject: RE: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans

You are probably better using a service instance for each vlan. Then you can 
send each VLAN where ever.

service instance 800 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 10
  rewrite ingress tag pop 2 symmetric
  bridge-domain 10

service instance 801 ethernet
  description description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800 second-dot1q 20
  rewrite ingress tag pop 2 symmetric
  bridge-domain 20


--

Another way of doing it is the following

If you have two tag come in, only POP 1 Tag. Then your CTag are put in to the 
Bridge Domain.

Int G0/1
service instance 800 ethernet
  description LINK_TO_CARRIER_X_VIA_4500X
  encapsulation dot1q 800
  rewrite ingress tag pop 1 symmetric
  bridge-domain 800


Then on your Egress port you can set it as untagged, C Tags of 10,20, 30 will 
be in the bridge domain and will be passed on egress.

 Int G0/2
Description to 4500x
service instance 400 ethernet
  description 4500X
  encapsulation dot1q untagged
  bridge-domain 800


If you need to pull one CTag out for something else you can do that like so.

Int G0/1
service instance 804 ethernet
  description Go Somewhere else
  encapsulation dot1q 800 second-dot1q 40
  rewrite ingress tag pop 1 symmetric
  bridge-domain 40


-Original Message-
From: CiscoNSP List [mailto:cisconsp_l...@hotmail.com]
Sent: Tuesday, February 02, 2016 4:01 AM
To: Erik Sundberg <esundb...@nitelusa.com>; cisco-nsp@puck.nether.net
Subject: Re: QinQ 4500X -> ME3600 and access(pop) multiple inner vlans


Thanks for the quick reply - We use service instances quite a bit, but o

Re: [c-nsp] ASR920 "console" port....ugh

[Erik Sundberg]

Here are some pictures of the ASR920 Console kit A920-CONS-KIT-S


The Adapter Plugs in the Top Left USB Console Port and we have it wired up to a 
Perle IOLAN SCS48C console server using a rollover cable.

Here are some pictures of  it, since I can only find a brief mention of it in 
all the cisco docs.

http://imgur.com/a/w8clL


-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil 
Mayers
Sent: Monday, January 18, 2016 5:15 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 "console" portugh

On 17/01/16 11:10, Saku Ytti wrote:
> On 17 January 2016 at 04:04, Erik Sundberg <esundb...@nitelusa.com> wrote:
>
>> Nah... The next model will be console via bluetooth.
>
> I would hope people include in their RFPs true OOB as requirement. I
> think only one in networking market doing that is Cisco in their
> products with CMP. So Nexus7k RP1, SUP2T, RSP880?

As I'm sure you know, Cisco ditched this in N7k sup-2, because "customer didn't 
want it". So evidently, no, people aren't putting this in RFPs :o( 
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 "console" port....ugh

[Erik Sundberg]

Nah... The next model will be console via bluetooth.

> On Jan 16, 2016, at 6:27 AM, Gert Doering  wrote:
>
> Hi,
>
>> On Sat, Jan 16, 2016 at 12:11:59PM +, Nick Hilliard wrote:
>> Gert Doering wrote:
>>> - for those with classic serial ports, or modem needs, there is a standard
>>>   serial console with *standard* layout (read: Cisco RJ45)
>>
>> i'm half expecting the ASR930 (if/when it ever happens) to come with the
>> following:
>>
>> http://i.imgur.com/iCdq3Qt.jpg
>
> Nah... since that BU is all fancy on USB-A for everything... my bet is
> on USB-A not RJ45.  And they will call it "USB C power supply".
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>   //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025g...@net.informatik.tu-muenchen.de
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 "console" port....ugh

[Erik Sundberg]

Just finished installing a ASR920 tonight... I had the same issue, just order 6 
of those console kits This is really annoying...

My rack mount brackets don't look like that...

Some changes from Cisco Norm for the ASR920
- No RJ45 console port, very disappointing
- The power plug for AC is a C15 not a normal C13
- Services Instances are 1-4000 not 4096. We usually keep the service instance 
id and the stag the same. You couldn't add another 96 service instances.
- Interface layout on the switch would have been nice if it was like cisco 
switch top left is the first port, but on the asr920 it's the bottom right is 
port G0/0/0.
- interface number start with 0 like a router, instead of 1 like the ME3800's
- Management Interface vrf name is forced to Mgmt-intf, you can't change it.
- It's weird that the power supplies stick out a 1/4" inch





-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
CiscoNSP List
Sent: Saturday, January 16, 2016 3:33 AM
To: Nathan Ward 
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 "console" portugh


Cheers Nathan...sane logic appears to have alluded the team responsible for 
some of these choices


From: Nathan Ward 
Sent: Saturday, 16 January 2016 8:11 PM
To: CiscoNSP List
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 "console" portugh

> On 16/01/2016, at 22:03, CiscoNSP List  wrote:
>
> Thanks Nathan - I really question Cisco's thought processwhat was "wrong" 
> with the traditional style RJ45 console port?  Took up too much realestate??
>
> We have rack kits for them, but Ive only just unpacked 2, found the fun 
> console ports, got that working, and upgraded XE on them bothhavent 
> installed rack kits yet, but thanks for the heads upcan they still be 
> racked on top of each other, or does the rack kit cause issues?

Caused issues for me, yeah.

Here's a pic:

http://imgur.com/W8Z2Imi

Those folded bits are so it can sit flat when in wall mount mode, but they make 
it taller than 1RU. Pretty stupid.

--
Nathan Ward

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 "console" port....ugh

[Erik Sundberg]

cisco ASR-920-24SZ-M

Rack mount Brackets   -- more like the cisco 2901 rack mount brackets
http://imgur.com/MpXp8li

This cisco page also show the brackets that I have 
http://www.cisco.com/c/en/us/td/docs/routers/asr920/hardware/installation/guide/ASR920_HIG/hw_installation.html


Power Supplies
http://imgur.com/PIvv8xh



Other wish list for the ASR920
- 36x or 48x 1G port model
- 24x 10G Port model
- I really don't like the licensing model, your almost always stuck buying the 
bulk license.




-Original Message-
From: Nathan Ward [mailto:cisco-...@daork.net]
Sent: Saturday, January 16, 2016 4:54 AM
To: Erik Sundberg <esundb...@nitelusa.com>
Cc: CiscoNSP List <cisconsp_l...@hotmail.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 "console" portugh


> On 16/01/2016, at 23:51, Erik Sundberg <esundb...@nitelusa.com> wrote:
>
> My rack mount brackets don't look like that...

Interesting! Post a pic?

--
Nathan Ward




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] ASR920 "console" port....ugh

[Erik Sundberg]

Here is the port numbering any port layout that I was talking about. Backwards 
from a ME Switch, but I guess this is a router...

Starts lower left with 0

http://imgur.com/qPLXsrI



-Original Message-
From: Nathan Ward [mailto:cisco-...@daork.net]
Sent: Saturday, January 16, 2016 4:54 AM
To: Erik Sundberg <esundb...@nitelusa.com>
Cc: CiscoNSP List <cisconsp_l...@hotmail.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASR920 "console" portugh


> On 16/01/2016, at 23:51, Erik Sundberg <esundb...@nitelusa.com> wrote:
>
> My rack mount brackets don't look like that...

Interesting! Post a pic?

--
Nathan Ward




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco 6500 SUP720-3BXL upgrade to 15.1.2.SY4a question

[Erik Sundberg]

Looking to upgrade a couple of our 6500 SUP720-3BXL to 15.1.2SY4a.  We have the 
WS-6748-GE-TX and WS-6724-SFP Cards installed, no SIP/SPA installed.

Just want to make sure the following associated software is correct. The 
software version numbers make you questions yourself because the IOS version is 
15.1.2 and the boot image is 12.2.33SXI and so on.

Boot Image: s72033-boot-mz.122-33.SXI14.bin
RP ROMMON: c6msfc3-rm2.srec.122-17r.SX7
SP ROMMON: c6ksup720-rm2.srec.8-5-4.srec
IOS: s72033-advipservicesk9-mz.151-2.SY4a.bin

Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] MBUS-2-DNLDFAIL in cisco 12404

[Erik Sundberg]

Do the following


show inv
dir
sh ver




-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of 
thiyagarajan b
Sent: Wednesday, December 17, 2014 9:02 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MBUS-2-DNLDFAIL in cisco 12404

Hello everyone,

I am finding a MBUS-2-DNLDFAIL error log thrown in cisco 12404 in 4 port GiGE 
card.

When I reset the LC I find the IOS is downloading but getting timeout after 
sometime,

Slot 2  type  = 4 Port ISE Gigabit Ethernet
state = FABLSTRT  Launching Fabric Downloader .
.
Slot 2  type  = 4 Port ISE Gigabit Ethernet
state = IOSDNLD   Downloading IOS
.
.
.
Slot 2  type  = 4 Port ISE Gigabit Ethernet
state = RTRYWAIT  Waiting to retry download after persistent failures .

This process is continuing and finally finding the below log:

*Dec 17 12:31:09.287 IST: %MBUS-2-DNLDFAIL: IOS download to slot 2 fail, 
timeout *Dec 17 12:31:09.287 IST: %RP-3-ABANDON_DOWNLOAD: End attempt to start 
the linecard in slot 2



Any issue in hardware or?



Warm Regards,
Thiyagarajan B.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] FWSM Maintenance software - where to download from

[Erik Sundberg]

Where in cisco's download tool do you download the maintenance software for the 
Firewall Services Module?

It's not listed under the FWSM Section under the following area
Switches
Campus LAN Switches - Core and Distribution
Cisco Catalyst 6500 Series Switches
Cisco Catalyst 6509-E Switch
Cisco Catalyst 6500 Series Firewall Services Module
Firewall Services Module (FWSM) Software-4.1(11)

Only the FWSM Image is located here...


Need the software that goes in cf:1


Thanks in advance!!!

Erik


CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] FWSM Maintenance software - where to download from

[Erik Sundberg]

It's not the ASDM software... It's the underlying, I guess you can call it a 
BootROM  software on the blade. You have to reboot the blade in to the 
maintenance software to upgrade the IOS version on the Firewall Services Module.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/swcnfg_f.html
FSWM Configuration Guide says
 You must use maintenance software Release 2.1(2) or later with the FWSM... I 
am currently at 1.1(2).

The advantage of upgrading through the maintenance software is there is two 
Partitions that you can run software from cf:4 and cf:5... It's like having two 
OS's on the same computer and choosing which one to boot. This comes in handy 
when your upgrading from  3.x code to 4.x code... Very easy roll back to the 
old software version.

I could be wrong with everything I just said.. Im learning about the FWSM today.

Still looking for the maintenance software... Think im going to call cisco TAC.

Thanks

Erik


-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Wednesday, February 06, 2013 8:38 PM
To: Cisco-nsp (cisco-nsp@puck.nether.net)
Subject: Re: [c-nsp] FWSM Maintenance software - where to download from

On Wed, 6 Feb 2013, Erik Sundberg wrote:

 Where in cisco's download tool do you download the maintenance software for 
 the Firewall Services Module?

 It's not listed under the FWSM Section under the following area
 Switches Campus LAN Switches - Core and Distribution Cisco Catalyst
 6500 Series Switches Cisco Catalyst 6509-E Switch Cisco Catalyst 6500
 Series Firewall Services Module Firewall Services Module (FWSM)
 Software-4.1(11)

 Only the FWSM Image is located here...

Not sure what you mean by maintenance software.  Do you mean ASDM?

ASDM for FWSM is here:
http://software.cisco.com/download/release.html?mdfid=277413409softwareid=280775067release=6.2%283%29Frelind=AVAILABLErellifecycle=reltype=latest

If you mean something else, I'm not sure where you'd find it.  In that case, 
the best bet would be to check with the TAC or your account team.

jms
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] FWSM Maintenance software - where to download from

[Erik Sundberg]

Justin,

It's not a patch for a software release.



I found the software for the Maintenance Partition it's located in the download 
manager under.
Cisco Interfaces and Modules
Cisco Services Modules
Cisco Catalyst 6500/6000 Series Services Maintenance Partition 
Maintenance
Partition Software-2.1(5)

Filename: c6svc-mp.2-1-5.bin.gz

You would think that they would also put a link to the software under the FWSM 
section...

Thanks

Erik

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Wednesday, February 06, 2013 8:46 PM
To: Cisco-nsp (cisco-nsp@puck.nether.net)
Subject: Re: [c-nsp] FWSM Maintenance software - where to download from

On Wed, 6 Feb 2013, Justin M. Streiner wrote:

 On Wed, 6 Feb 2013, Erik Sundberg wrote:

  Where in cisco's download tool do you download the maintenance
 software  for the Firewall Services Module?

  It's not listed under the FWSM Section under the following area
 Switches  Campus LAN Switches - Core and Distribution  Cisco Catalyst
 6500 Series Switches  Cisco Catalyst 6509-E Switch  Cisco Catalyst
 6500 Series Firewall Services Module  Firewall Services Module (FWSM)
 Software-4.1(11)

  Only the FWSM Image is located here...

 Not sure what you mean by maintenance software.  Do you mean ASDM?

 ASDM for FWSM is here:
 http://software.cisco.com/download/release.html?mdfid=277413409softwa
 reid=280775067release=6.2%283%29Frelind=AVAILABLErellifecycle=relt
 ype=latest

 If you mean something else, I'm not sure where you'd find it.  In that
 case, the best bet would be to check with the TAC or your account team.

I normally don't reply to my own posts, but I had another thought after I sent 
this.

If you're referring to a maintenance release of code, I've found one of two 
things to be the case in the past:
1. The TAC needs to make it available for you on request, or...
2. The release you see on CCO is the maintenance release.  For whatever reason, 
Cisco has often been very bad at clearly identifying maintenance/interim 
releases as such on CCO, at least for the FWSM and ASA.  I don't know if it's a 
business unit policy thing or what, but it can make things confusing for 
customers because you're not quite certain you're downloading the version of 
code that has feature or bug fix XYZ, and the image posting date on CCO doesn't 
always help.

jms
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] FWSM Maintenance software - where to download from

[Erik Sundberg]

!!
 
!
 

 
!!!
13740644 bytes copied in 65.10 secs (211394 bytes/sec)
FWSM#

FWSM# sh ver

FWSM Firewall Version 4.1(11) system
Device Manager Version 6.2(3)F

Then go to the interface ip of the admin interfaces. Also make sure http is 
enabled.
FWSM# show context
Context Name  Class  Interfaces   Mode URL
*admindefaultVlan10,Vlan11Routed   disk:/admin.cfg
 Context1 defaultVlan102,Vlan103  Routed   disk:/context1.cfg

Total active Security Contexts: 2
FWSM# changeto context admin
FWSM/admin# sh run | i http
http server enable
http 0.0.0.0 0.0.0.0 inside
FWSM/admin#
FWSM/admin# sh interface inside
Interface Vlan10 inside, is up, line protocol is up
Description: MANAGEMENT Interface
MAC address 0018.197c.e800, MTU 1500
IP address 192.168.3.71, subnet mask 255.255.255.0


-Original Message-
From: Erik Sundberg
Sent: Wednesday, February 06, 2013 9:27 PM
To: 'Justin M. Streiner'; Cisco-nsp (cisco-nsp@puck.nether.net)
Subject: RE: [c-nsp] FWSM Maintenance software - where to download from

Justin,

It's not a patch for a software release.



I found the software for the Maintenance Partition it's located in the download 
manager under.
Cisco Interfaces and Modules
Cisco Services Modules
Cisco Catalyst 6500/6000 Series Services Maintenance Partition 
Maintenance
Partition Software-2.1(5)

Filename: c6svc-mp.2-1-5.bin.gz

You would think that they would also put a link to the software under the FWSM 
section...

Thanks

Erik

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Wednesday, February 06, 2013 8:46 PM
To: Cisco-nsp (cisco-nsp@puck.nether.net)
Subject: Re: [c-nsp] FWSM Maintenance software - where to download from

On Wed, 6 Feb 2013, Justin M. Streiner wrote:

 On Wed, 6 Feb 2013, Erik Sundberg wrote:

  Where in cisco's download tool do you download the maintenance
 software  for the Firewall Services Module?

  It's not listed under the FWSM Section under the following area
 Switches  Campus LAN Switches - Core and Distribution  Cisco Catalyst
 6500 Series Switches  Cisco Catalyst 6509-E Switch  Cisco Catalyst
 6500 Series Firewall Services Module  Firewall Services Module (FWSM)
 Software-4.1(11)

  Only the FWSM Image is located here...

 Not sure what you mean by maintenance software.  Do you mean ASDM?

 ASDM for FWSM is here:
 http://software.cisco.com/download/release.html?mdfid=277413409softwa
 reid=280775067release=6.2%283%29Frelind=AVAILABLErellifecycle=relt
 ype=latest

 If you mean something else, I'm not sure where you'd find it.  In that
 case, the best bet would be to check with the TAC or your account team.

I normally don't reply to my own posts, but I had another thought after I sent 
this.

If you're referring to a maintenance release of code, I've found one of two 
things to be the case in the past:
1. The TAC needs to make it available for you on request, or...
2. The release you see on CCO is the maintenance release.  For whatever reason, 
Cisco has often been very bad at clearly identifying maintenance/interim 
releases as such on CCO, at least for the FWSM and ASA.  I don't know if it's a 
business unit policy thing or what, but it can make things confusing for 
customers because you're not quite certain you're downloading the version of 
code that has feature or bug fix XYZ, and the image posting date on CCO doesn't 
always help.

jms
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you

Re: [c-nsp] GSR faceplate P/N

[Erik Sundberg]

Try this... I have never used them I just found there website the other day.

$50 GSR10-BEZEL-TOP... not sure if it the right model... if not give them a 
call.

http://www.cablesandkits.com/cisco-gsr10-top-faceplate-part-gsr10bezelkit-p-703.html




-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jim Fitzgerald
Sent: Tuesday, February 05, 2013 12:07 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] GSR faceplate P/N

Perhaps someone here can assist me.  We need to replace the top plastic cover 
plate on one of our 12000's but I just cannot seem to locate a replacement or 
even a part number for this simple plastic component.

Heres a photo of where the particular cover plate goes.

  http://aries.spacelink.com/gsr.jpg

If anyone can point me in the right direction to either the P/N or where I can 
readily purchase a replacement that would be most helpful!

Thanks
-J
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] WS-C2960G-48TC-L issue

[Erik Sundberg]

Need some info so we can help.

Show run
Sh int des
Show vlan
Sh ver



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nathaniel Bernadeau
Sent: Thursday, December 27, 2012 1:32 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] WS-C2960G-48TC-L issue

Customer has a WS-C2960G-48TC-L.  They are saying that switch can receive but 
not transmitting.  Not sure if it's a setting/configuration issue or something 
else.  Can anyone help me with this issue?

--
regards,


Nathaniel Bernadeau
Gallant Systems,  LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Ph: 301-627-6358 ext 401
Direct: 301-970-9911
Fax: 240-823-6897
Cell: 202-246-2229
nbernad...@gallantsys.com
www.gallantsys.com

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] custom fiber cables

[Erik Sundberg]

http://www.connectionconceptsinc.com/

All these guys do is telco assembles and fiber jumps... Used them for years.

Email me for the contact name and number.



-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matt Addison
Sent: Monday, November 12, 2012 9:15 AM
To: harbor235
Cc: Gerry Boudreaux; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] custom fiber cables

Sorry about last, we've had good luck with fiber instrument sales, decent 
turnaround time and we haven't had a bad jumper from them yet.

Doing it yourself with unicams is a decent option too, but like Jon mentioned 
the kit is expensive, and so are the connectors. And the cleaver which comes 
with the kit is kinda iffy at times which will make you want to go out and get 
a real cleaver pretty quickly.

Sent from my iPad

On Nov 10, 2012, at 8:55, harbor235 harbor...@gmail.com wrote:

 I have a couple runs of 150 and 350 feet, I assume they need to be
 made custom?

 Mike

 On Sat, Nov 10, 2012 at 8:48 AM, Gerry Boudreaux ge...@tape.net wrote:

 We have had great service and fast turn-around from
 http://www.fiberall.com/

 Hope this helps.

 G

 On Nov 10, 2012, at 07:23 , harbor235 harbor...@gmail.com wrote:

 Can anyone point me to a reputable custom fiber patch supplier,
 looking for an Internet based company with quick response times.


 thanks,

 Mike
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco 12K vrf limit

[Erik Sundberg]

On the Cisco 12k prp-2 there is a IPv4 Address limit of 1Million routes.

Is there an limit on the number of VRF's that you are able to have?

Thanks

Erik


CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 7600-ES+20G3CXL supported in the 6500 720-3BXL?

[Erik Sundberg]

Steve,

Thanks for the response.

So I do see a list of ES+ modules listed as supported, they are the ES+ Cards 
with 10G Ports. I don't see the ES+ 20x1G Port Linecard listed

Linecards I need to verify works in the 6500E sup720 3BXL
-7600-ES+20G3CXL   (20 x 1G ports)
-7600-ES+40G3CXL   (40 x 1G ports)

Linecards listed in the release notes
-76-ES+XT-4TG3CXL, 76-ES+XT-4TG3C   (4x10G Ports)
-76-ES+XT-2TG3CXL, 76-ES+XT-2TG3C   (2x10G Ports)
-7600-ES+4TG3CXL, 7600-ES+4TG3C   (4x10G Ports)
-7600-ES+2TG3CXL, 7600-ES+2TG3C   (2x10G Ports)



Thanks

Erik




-Original Message-
From: Steve Dodd [mailto:steve.d...@vision.net]
Sent: Tuesday, October 09, 2012 9:16 AM
To: Erik Sundberg; cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] 7600-ES+20G3CXL supported in the 6500 720-3BXL?

Yes,  ES+ cards are supported as long as you're running SXJ1

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/features.html#wp4805501

-Steve

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Sundberg
Sent: Monday, October 08, 2012 4:00 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 7600-ES+20G3CXL supported in the 6500 720-3BXL?

I am trying to verify if the 7600-ES+20G3CXL and 7600-ES+40G3CXL are supported 
in the 6509E w/ Sup720 3BXL

I have spent the better part of a day going in circles on Cisco website. The 
7600 ES+ Doc says there supported in the 6500 and references a document that 
only list the ES+20/ES+40 Linecards with 10G interfaces supported. We looking 
to use the 1G interfaces and not the 10G

This is the 7600 Cisco Doc
http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-49152.html

This is the 6500 Cisco Doc it references 
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/data_sheet_c78-643759.html

I hoping there doc is just out of date.

Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] 7600-ES+20G3CXL supported in the 6500 720-3BXL?

[Erik Sundberg]

I am trying to verify if the 7600-ES+20G3CXL and 7600-ES+40G3CXL are supported 
in the 6509E w/ Sup720 3BXL

I have spent the better part of a day going in circles on Cisco website. The 
7600 ES+ Doc says there supported in the 6500 and references a document that 
only list the ES+20/ES+40 Linecards with 10G interfaces supported. We looking 
to use the 1G interfaces and not the 10G

This is the 7600 Cisco Doc
http://www.cisco.com/en/US/prod/collateral/routers/ps368/data_sheet_c78-49152.html

This is the 6500 Cisco Doc it references
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/data_sheet_c78-643759.html

I hoping there doc is just out of date.

Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 6500 L2 Switch Traffic locally between two SubInterfaces on different ports?

[Erik Sundberg]

Does service instance and bridge domains require the ES-20 Cards on the 6500s?

Thanks

Erik




-Original Message-
From: Aaron [mailto:aar...@gvtc.com]
Sent: Sunday, June 17, 2012 9:49 PM
To: Erik Sundberg
Subject: RE: [c-nsp] 6500 L2 Switch Traffic locally between two SubInterfaces 
on different ports?

Can you use service instance and bridge domain to tie them together?

Aaron

-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Erik Sundberg
Sent: Sunday, June 17, 2012 12:09 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] 6500 L2 Switch Traffic locally between two SubInterfaces on 
different ports?

I need to switch traffic at L2 between two sub interfaces G1/2.3000 and
G1/3.100

I was thinking I can do this with EoMPLS but no so much I get the following 
error and I understand why.

SWITCH(config)#int g1/3.100
SWITCH(config-subif)#encapsulation dot1Q 100 SWITCH(config-subif)#xconnect
192.168.0.2 3 encapsulation mpls Local switching to peer address 192.168.0.2 is 
not supported

Is there any way to switch L2 traffic between two subinterface on the same of 
different ports?




Cisco 6500 Sup720-3bxl using WS-x6724-SFP module, 
s72033_rp-ADVIPSERVICESK9_WAN-M, Version 12.2(33)SXH8b
-


interface GigabitEthernet1/2
 no ip address
!
interface GigabitEthernet1/2.2000
!To other MPLS Device on network EoMPLS
encapsulation dot1Q 2000
xconnect 192.168.0.1 1 encapsulation mpls !
Interface GigabitEthernet1/2.3000
!!Need to connect to
GigabitEthernet1/3.100 encapsulation dot1Q 3000 !
interface GigabitEthernet1/3
 no ip address
!
Interface GigabitEthernet1/3.100
Need to connect to G1/2.3000 
encapsulation dot1Q 100

Thanks

Erik




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] 6500 L2 Switch Traffic locally between two SubInterfaces on different ports?

[Erik Sundberg]

I was looking in to the connect command after posting. Unfortunately the only 
supported interfaces types are showing up on the switch is Dialer and MFR on 
the 6500


So the reason that i am not setting this up as a vlan is the following.

We have multiple GE circuits to different carriers that are setup as L2 NNIs. 
The carriers deliver circuits (T1s to MetroE) to our customers put the traffic 
for each customer on a VLAN on the GE.  Depending on the customers' needs they 
get Internet Access, L3VPN MPLS, or EoMPLS L2 P-P Service. With the multiple 
carriers going into this same chassis we have a lot of overlapping VLAN id's. 
(Config example at end of email)

So the need for a L2 connection between two carriers are on the same switch has 
come up and that is why i need to create the Local L2 switching between the two 
subinterfaces.

Here is what i am looking for in the XR Software but i am looking to be able to 
do the same thing on the Cat6500, but it doesn't support L2VPNv3
 l2vpn
  xconnect group examples
  p2p example1
  interface TenGigE0/7/0/6.5
  interface GigabitEthernet0/4/0/30

The only other work around i can think of is to backhaul the need Switch 
subinterface to a subinterface on our PE router then having a xcossover cable 
between the two interfaces on our PE. But i am not a fan of this idea of mine. 
So it would look like the following
SWg1/2.3000EoMPLS--PE1g0/0/0.10
Xconnect cable between the GE interface on our PE1 or using the connect command.
SWg1/3.100EoMPLS--PE1g0/0/1.10




Below is an example of how our switch is configured for each carrier.

interface GigabitEthernet1/2
no ip address
!
interface GigabitEthernet1/2.111
 description Internet Customer
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet1/2.222
 description MPLS Customer
 ip vrf forwarding L3VPN-CUST1
 ip address 2.2.2.2 255.255.255.252
!
interface GigabitEthernet1/2.333
 description EoMPLS Customer
 encapsulation dot1Q 2000
 xconnect 192.168.0.1 1 encapsulation mpls
!
Interface GigabitEthernet1/2.3000
!!Need to connect to 
GigabitEthernet1/3.100
encapsulation dot1Q 3000
!
interface GigabitEthernet1/3
no ip address
!
Interface GigabitEthernet1/3.100
Need to connect to G1/2.3000
encapsulation dot1Q 100



From: Jason Lixfeld [ja...@lixfeld.ca]
Sent: Sunday, June 17, 2012 12:48 AM
To: Erik Sundberg
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] 6500 L2 Switch Traffic locally between two SubInterfaces 
on different ports?

conf t
connect ?

?

--

Sent from my mobile device


On 2012-06-17, at 1:09 AM, Erik Sundberg esundb...@nitelusa.com wrote:

 I need to switch traffic at L2 between two sub interfaces G1/2.3000 and 
 G1/3.100

 I was thinking I can do this with EoMPLS but no so much I get the 
 following error and I understand why.

 SWITCH(config)#int g1/3.100
 SWITCH(config-subif)#encapsulation dot1Q 100
 SWITCH(config-subif)#xconnect 192.168.0.2 3 encapsulation mpls
 Local switching to peer address 192.168.0.2 is not supported

 Is there any way to switch L2 traffic between two subinterface on the same of 
 different ports?




 Cisco 6500 Sup720-3bxl using WS-x6724-SFP module, 
 s72033_rp-ADVIPSERVICESK9_WAN-M, Version 12.2(33)SXH8b
 -


 interface GigabitEthernet1/2
 no ip address
 !
 interface GigabitEthernet1/2.2000
 !To other MPLS Device on network EoMPLS
 encapsulation dot1Q 2000
 xconnect 192.168.0.1 1 encapsulation mpls
 !
 Interface GigabitEthernet1/2.3000
 !!Need to connect to 
 GigabitEthernet1/3.100
 encapsulation dot1Q 3000
 !
 interface GigabitEthernet1/3
 no ip address
 !
 Interface GigabitEthernet1/3.100
 Need to connect to G1/2.3000
 encapsulation dot1Q 100

 Thanks

 Erik



 
 CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
 previous e-mail messages attached to it may contain confidential information 
 that is legally privileged. If you are not the intended recipient, or a 
 person responsible for delivering it to the intended recipient, you are 
 hereby notified that any disclosure, copying, distribution or use of any of 
 the information contained in or attached to this transmission is STRICTLY 
 PROHIBITED. If you have received this transmission in error please notify the 
 sender immediately by replying to this e-mail. You must destroy the original 
 transmission and its attachments without reading or saving in any manner. 
 Thank you.
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential

[c-nsp] 6500 L2 Switch Traffic locally between two SubInterfaces on different ports?

[Erik Sundberg]

I need to switch traffic at L2 between two sub interfaces G1/2.3000 and G1/3.100

I was thinking I can do this with EoMPLS but no so much I get the following 
error and I understand why.

SWITCH(config)#int g1/3.100
SWITCH(config-subif)#encapsulation dot1Q 100
SWITCH(config-subif)#xconnect 192.168.0.2 3 encapsulation mpls
Local switching to peer address 192.168.0.2 is not supported

Is there any way to switch L2 traffic between two subinterface on the same of 
different ports?




Cisco 6500 Sup720-3bxl using WS-x6724-SFP module, 
s72033_rp-ADVIPSERVICESK9_WAN-M, Version 12.2(33)SXH8b
-


interface GigabitEthernet1/2
 no ip address
!
interface GigabitEthernet1/2.2000
!To other MPLS Device on network EoMPLS
encapsulation dot1Q 2000
xconnect 192.168.0.1 1 encapsulation mpls
!
Interface GigabitEthernet1/2.3000
!!Need to connect to 
GigabitEthernet1/3.100
encapsulation dot1Q 3000
!
interface GigabitEthernet1/3
 no ip address
!
Interface GigabitEthernet1/3.100
Need to connect to G1/2.3000
encapsulation dot1Q 100

Thanks

Erik




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] ASA5510 - show vpn-sessiondb l2l - Question

[Erik Sundberg]

When I do a show vpn-sessiondb l2l for  my one peer Encryption and hashing alg 
is repeated 3 times

Encryption   : AES256 AES256 AES256   Hashing  : SHA1 SHA1 SHA1

The Remote side of the VPN shows the following

Encryption   : AES256 Hashing  : SHA1

Does anyone know why this happening config issue or output bug?




FW# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Index: 42 IP Addr  : 1.1.1.1
Protocol : IKEv1 IPsec
Encryption   : AES256 AES256 AES256   Hashing  : SHA1 SHA1 SHA1
Bytes Tx : 35014  Bytes Rx : 12693
Login Time   : 11:11:04 CDT Mon Jun 4 2012
Duration : 0h:00m:29s



VPN Config
--

Local Firewall: ASA5510, 8.4.3
Remote Firewall: ASA5510, 8.2.1


crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map mymap 100 match address VPN-VPNACL
crypto map mymap 100 set peer 1.1.1.1
crypto map mymap 100 set ikev1 transform-set ESP-AES256-SHA
crypto map mymap interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

group-policy L2LVPN internal
group-policy L2LVPN attributes
vpn-idle-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy L2LVPN
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *
isakmp keepalive threshold 10 retry 5


Thanks

Erik




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] ASA5510 - show vpn-sessiondb l2l - Question

[Erik Sundberg]

When I do a show vpn-sessiondb l2l for  my one peer Encryption and hashing alg 
is repeated 3 times

Encryption   : AES256 AES256 AES256   Hashing  : SHA1 SHA1 SHA1

The Remote side of the VPN shows the following

Encryption   : AES256 Hashing  : SHA1

Does anyone know why this happening config issue or output bug?




FW# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Index: 42 IP Addr  : 1.1.1.1
Protocol : IKEv1 IPsec
Encryption   : AES256 AES256 AES256   Hashing  : SHA1 SHA1 SHA1
Bytes Tx : 35014  Bytes Rx : 12693
Login Time   : 11:11:04 CDT Mon Jun 4 2012
Duration : 0h:00m:29s



VPN Config
--

Local Firewall: ASA5510, 8.4.3
Remote Firewall: ASA5510, 8.2.1


crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map mymap 100 match address VPN-VPNACL
crypto map mymap 100 set peer 1.1.1.1
crypto map mymap 100 set ikev1 transform-set ESP-AES256-SHA
crypto map mymap interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

group-policy L2LVPN internal
group-policy L2LVPN attributes
vpn-idle-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy L2LVPN
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *
isakmp keepalive threshold 10 retry 5


Thanks

Erik




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Config Backups

[Erik Sundberg]

Quick question/poll

What is everyone using for router/switch/firewall config backups?

Is rancid still the one to use?

Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] Config Backups

[Erik Sundberg]

Thanks everyone, I just finished installing rancid and have it up and running 
already.

What web front end are you using to browse the CVS tree?


Thanks

Erik



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] A switch with PoE support and powered by 48V DC

[Erik Sundberg]

David,

Check out the Cisco Switch Catalog Doc. It covers all Cisco switches by models 
and specs in one place and list the power options too.

http://www.cisco.com/en/US/prod/switches/ps5718/ps708/networking_solutions_products_genericcontent0900aecd805f0955.pdf

Erik

-Original Message-
From: cisco-nsp-boun...@puck.nether.net 
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of David Farrell
Sent: Friday, March 02, 2012 10:10 AM
To: c-nsp
Subject: Re: [c-nsp] A switch with PoE support and powered by 48V DC


On 02/03/2012 14:55, David Farrell wrote:

 On 02/03/2012 14:50, David Farrell wrote:
 On 02/03/2012 10:01, Victor Sudakov wrote:
 Colleagues,

 I need a switch with PoE support and powered by 48V DC, do you know of
 such?

 TIA for any advice.

 Hi Victor,

 If you are looking for PoE access switches, I believe the 3560-E and
 -X series might be worth looking at as there are some DC power
 options for that series.

 David.

 The ME3600X/ME3800X also have DC power options.

 David.
 ___
 cisco-nsp mailing list  cisco-nsp@puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
However, no PoE in ME switches (it's definitely Friday afternoon with me).

David.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Cisco Router - L2L VPN and Remote Access VPN on same Router Example

[Erik Sundberg]

Does anyone have an example of a Cisco Router that has a L2L VPN and a Remote 
Access VPN with xAuth?

I can get one or the other working, but not both. For some reason the L2L VPN 
want to use XAuth cause it not to work.

Just need the crypt * and the aaa * commands.

Thanks

Erik




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] VRF import default route from global routing table on the Same PE with internet and NNI to a provider

[Erik Sundberg]

I am trying to figure a way to import a default route from the global routing 
table into a customer's VRF to provide internet access. This customer's site is 
on another's provider network that we interconnect with using a NNI and option 
b.

Our PE has MPLS L3 VPNs, NNI Link to a provider, and full internet routes.

So here is the layout

Cust---Provider1---NNI_LINKPEInternet


So I see three ways of doing this.

1. Configuring a Internet gateway and attach it off the PE using vlans
   Cust-Provider--NNI_LINK---PE---dot1qtrunk--InternetGateway--PE--Internet


PE G0/0 Vlan10
vrf CUST
ip addr 10.1.1.2/30

Ineternetgateway G0/0 vlan 10
No vrf
Ip addr 10.1.1.1/30

Internetgateway G0/1
Ip addr 2.2.2.2/30

PE G0/1
IP addr 2.2.2.1/30

2. I know the global commands won't work because that requires a dedicated 
Internet Gateway Router and the route back to the customer's CE won't work 
because of the NNI Link and the customer is not directly attached to our PE

3. Loopback Cable on the PE one side in the vrf and the other in the internet 
routing table.
G0/0.10  MPLS VRF Interface
Vlan 10
Vrf cust
Ip addr 10.1.1.2/30

G0/1.10  Internet Routing
Vlan 10
Ip addr 10.1.1.1/30

If there is another way to do this let me know.


Thanks in advance.

Erik




CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/