Re: [c-nsp] Third party optics
On 07.09.2021 20:04, harbor235 wrote:
> How are your organizations dealing with Cisco equipment and usage of third
> party optics?
> 1) Cisco or "third party"?
> 2) Cisco policy regarding third party components?

Third party only ... we use programmable optics, which we can flash ourselves ... saves a lot on inventory, as we can always change to Juniper (which typically don't care about the programming) or any other vendor in case a customer needs something on short notice ...

> Is it worth the risk?

Risk? Not really any risk there ... in 20+ years of using third party optics/SFPs, we've never had an issue with any ... only situation, as others have stated, could be when opening a ticket with TAC and the optics aren't reported as Cisco ...

Weird side note: we bought some originally Cisco DAC cables for a customer w/ Nexus 5k5/2k2 switches ... while the optics were 3rd party and identified by the system as original Cisco, the original Cisco DACs are reported as being non-Cisco ... those cables were from our regular Cisco distributor, I highly doubt they delivered fake 3rd party cables ... (also, they've been working now for 8+ years, so either way, no complaint here ...)

-garry

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] License conversion to smart lic on ASR920?
Hi,

I have an ASR920 with local licenses, which we would like to convert to smart licensing. We've done this many times for other devices (ISR1100, 4300 etc.), so we're not exactly new to the process.

Smart Licensing is enabled on the 920, the device is registered and has attempted to get the current (local) licenses from the server. Anyway, the "license smart conversion" command is not available, all I get are the commands clear, deregister, export, factory, register, renew and send.

What am I missing here? IOS version is 16.12.5 ...

Thanks,
-garry
Re: [c-nsp] Mobility Express and 700/1600/1700 series AP?
On 09.02.2021 17:15, Jeremy Bresley wrote:
> From the release notes for 8.10, the 700s and 1700s should work as subordinate APs, the 1600s are not supported in anything past 8.5.
> https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/810/release_notes/b_ME_RN_810.html

Ah, thanks! Didn't find the image names for the 1700/700 series APs anywhere, so I assumed they too weren't supported anymore.

> The older model controllers (2504/5508/7510) aren't supported on anything past 8.5, and won't support any APs newer than the 1800/2800/3800 series. Also be aware that the 2504's LDoS date is April 30, 2023, so it's only got about 2 years left of any support at all.

Yes, also the customer's WLC isn't very new, so replacing it with a complete ME-setup might be advisable. The requirements for the setup are rather low, so this solution would be well sufficient. Only having to replace the 1600 APs would make the choice easier of course ...

Thanks for the info ...

-garry
[c-nsp] Mobility Express and 700/1600/1700 series AP?
Hi,

I have a customer that has an old 2504 WLC in production, with a zoo of different AP models, mostly 1800 series, but also a total of 11 aforementioned model series. At another site I had 1600 series APs running in mobility express up with version 8.5, but it appears those models are not supported in 8.8/8.10 ... or is there an image bundle available that I wasn't able to find that still includes some/all of those older APs?

As he will need to cover additional areas of the installation, and the 2504 has almost exhausted its licensed AP #, and from what I know am not able to order any additional AP licenses anymore (apart from the physical age of the WLC), I'd like to just replace the AP by moving the controller part over to an 1832, which can control up to 75 APs ...

Thanks,
-garry
Re: [c-nsp] Cisco 4000 series (4461) as a BGP router?
On 23.10.2019 13:50, Patrick M. Hausen wrote:
> Hi all,
>
> would you recommend the 4461 to run a handful of
> full feeds for v4 and v6? The model seems to be quite
> affordable compared to ASR 9000 series routers and
> throughput is not our main concern for upstream.

I guess it partly depends on the line speed you use. As for BGP, we have at least one customer where we're running 4431 (with 8GB RAM) with dual full feed ... works fine for a 500G uplink ...
[c-nsp] 1142 keeps downloading same IOS from WLC
Hi,

I'm out of ideas and options ... on a system that already has several APs of different models, and to which I have (remotely) already connected another 1142 successfully, I tried to migrate another 1142 from standalone to CAPWAP. After putting an appropriate starter image on it (c1140-k9w8-tar.152-4.JA1.tar), it connected to the WLC (2504 w/ 8.3.133.0) and downloaded a newer image (15.3.3) ... all was fine up to here ... anyway, after reloading the AP, it once again started downloading the same image again. And again. And again.

Here's a partial dump of the console messages:

*Dec 12 14:23:37.032: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
*Dec 12 14:23:37.049: Using SHA-1 signed certificate for image signing validation.%Default route without gateway, if not a point-to-point interface, may impact performance
*Dec 12 14:23:41.760: AP image integrity check PASSED
*Dec 12 14:23:41.843: validate_sha2_block:No SHA2 Block present on this AP.
*Dec 12 14:23:41.879: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 12 14:23:41.879: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 12 14:23:51.912: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (192.168.11.15)
examining image...
extracting info (289 bytes)
Image info:
    Version Suffix: k9w8-.153-3.JBB6
    Image Name: c1140-k9w8-mx.153-3.JBB6
    Version Directory: c1140-k9w8-mx.153-3.JBB6
    Ios Image Size: 8468992
    Total Image Size: 8765952
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: C1140
    Wireless Switch Management Version: 8.1.131.0
MwarVersion:08018300.First AP Supported Version:05020200.
Image version check passed
Extracting files...
c1140-k9w8-mx.153-3.JBB6/ (directory) 0 (bytes)
extracting c1140-k9w8-mx.153-3.JBB6/info (289 bytes)
extracting c1140-k9w8-mx.153-3.JBB6/T5.bin (23836 bytes)
*Dec 12 14:50:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.30.1.100 peer_port: 5246
*Dec 12 14:50:55.504: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.30.1.100 peer_port: 5246
*Dec 12 14:50:55.505: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.1.100perform archive download capwap:/c1140 tar file
extracting c1140-k9w8-mx.153-3.JBB6/c1140-k9w8-xx.153-3.JBB6 (8307214 bytes)
*Dec 12 14:50:55.559: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Dec 12 14:51:05.980: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source

I found documents on expired certificates (which do not seem to be the cause here ... added the "allow expired certs" option on the WLC, but that didn't change). From what I can tell, the AP connects just fine ... just don't understand what image it is looking for that is "not found on AP".

On the other 1142 that is working, I noticed it is running a different image (that it also got from the controller) - it has c1140-k9w8-mx.153-3.JD11, while the one not working keeps downloading c1140-k9w8-mx.153-3.JBB6 ...

Can anybody give me a hint as what is going wrong here, and how to fix it?

Thanks in advance!
-garry
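Added example (not part of the post or the list): a small parser for the AP console output above that splits it into boot cycles and flags the symptom the post describes, the same image being pulled from the controller on every boot. The console samples are constructed from the lines quoted in the post; the second boot cycle and its timestamps are made up, and the "healthy" sample is invented to show the normal case of a single download.

```python
import re

BOOT_MARKER = "Currently running a Release Image"
DOWNLOAD_MARKER = "%CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP"
IMAGE_NAME_RE = re.compile(r"Image Name:\s*(\S+)")

# Constructed sample: the relevant lines of the console dump quoted above,
# repeated for a second boot with made-up timestamps, to mimic the loop.
LOOPING_CONSOLE = """\
*Dec 12 14:23:37.032: Currently running a Release Image
*Dec 12 14:23:41.760: AP image integrity check PASSED
Image Name: c1140-k9w8-mx.153-3.JBB6
Image version check passed
*Dec 12 14:50:55.559: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Dec 12 15:03:12.001: Currently running a Release Image
*Dec 12 15:03:16.700: AP image integrity check PASSED
Image Name: c1140-k9w8-mx.153-3.JBB6
Image version check passed
*Dec 12 15:30:40.220: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
"""

# Constructed healthy sequence: one download, then a boot that joins without one.
HEALTHY_CONSOLE = """\
*Dec 12 14:23:37.032: Currently running a Release Image
Image Name: c1140-k9w8-mx.153-3.JD11
*Dec 12 14:50:55.559: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Dec 12 15:03:12.001: Currently running a Release Image
*Dec 12 15:03:20.000: %CAPWAP-5-SENDJOIN: sending Join Request to 172.30.1.100
"""


def parse_boot_cycles(console_text):
    """Split the console output at each boot marker and record, per boot,
    whether a controller download was triggered and which image was pulled."""
    cycles = []
    current = None
    for line in console_text.splitlines():
        if BOOT_MARKER in line:
            current = {"download": False, "image": None}
            cycles.append(current)
            continue
        if current is None:
            continue  # lines before the first boot marker are ignored
        if DOWNLOAD_MARKER in line:
            current["download"] = True
        match = IMAGE_NAME_RE.search(line)
        if match:
            current["image"] = match.group(1)
    return cycles


def detect_download_loop(console_text, threshold=2):
    """Return (looping, image, streak). looping is True when the AP pulled the
    same image from the controller in at least `threshold` consecutive boots,
    the symptom described in the post; a single download is normal."""
    best_streak, best_image = 0, None
    streak, last_image = 0, None
    for cycle in parse_boot_cycles(console_text):
        if cycle["download"] and cycle["image"] is not None:
            if cycle["image"] == last_image:
                streak += 1
            else:
                streak, last_image = 1, cycle["image"]
        else:
            streak, last_image = 0, None
        if streak > best_streak:
            best_streak, best_image = streak, last_image
    return best_streak >= threshold, best_image, best_streak


if __name__ == "__main__":
    print(detect_download_loop(LOOPING_CONSOLE))  # (True, 'c1140-k9w8-mx.153-3.JBB6', 2)
    print(detect_download_loop(HEALTHY_CONSOLE))  # (False, 'c1140-k9w8-mx.153-3.JD11', 1)
```

Feeding a captured console log through `detect_download_loop` separates "it downloaded once, as expected" from "it downloads the same image every boot", which is the distinction to establish before chasing certificate or join problems.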
Re: [c-nsp] ASR920 Image
Hi,

> Hi Dino,
>
> there are release notes available as usual:
> http://www.cisco.com/c/en/us/td/docs/routers/asr920/release/notes/ASR920_rel_notes.html
>

... but don't expect 3.18 to work flawlessly ... we just had to go back down to a newer 3.16 as the 3.18 had some issues we couldn't live with ...

-garry
Re: [c-nsp] *** GMX Spamverdacht *** How to use IPs from the same network on two separate interfaces?
On 16.07.2016 13:11, Brandon Orwell wrote:
> GigabitEthernet0/0 contains an IP address that is connected to our provider/BGP drop;

Why use part of your /24 or larger to do the connection to your ISP with? This is not how it should be done ...

> When I try to assign .252 to GE0/0 and .1 to GE0/1, I get the usual errors about the subnet already existing on another interface. How do I go about doing this? How do I assign IP in A.B.C, such as

Don't. Just don't. If you have overlapping network ranges, all kinds of things can - and will - go wrong, even if you trick the router into making it work ... ask your provider to assign a transfer network outside of your /24 or whatever for the uplink (e.g. something between a /29 to /31), you'll save yourself a lot of headaches.

N.b.: You could do something like that with VRF routing, which your router would need to support.

> possible? I am imagining something to do with NAT and matching response with a given source IP for certain ICMP packets (but this wouldn't work for, say, UDP traceroute?). Any ideas there either?

Yes, 1:1 NAT would work, too ... but this adds to the strain of the router, as it has to rewrite every single packet it forwards, instead of just pushing it through with CEF.

-garry
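Added example (not part of the thread): a check that applies the same rule the router applies when it rejects the second address, "no two interfaces may carry overlapping subnets", to a config snippet, and shows that the suggested fix (a separate transfer network for the uplink) passes it. Both configs are constructed; 203.0.113.0/24 and 198.51.100.0/31 are documentation prefixes standing in for the poster's A.B.C.0/24 and for whatever transfer net the provider would assign.

```python
import ipaddress
import re

INTF_RE = re.compile(r"^interface (\S+)")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")

# Constructed config mirroring the post: the uplink address is carved out of
# the same /24 that the LAN interface uses.
OVERLAPPING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.252 255.255.255.0
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
"""

# Constructed config for the suggested fix: a /31 transfer network on the
# uplink and the whole /24 kept on the LAN side.
TRANSFER_NET_CONFIG = """\
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.254
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
"""


def interface_networks(config_text):
    """Return [(interface, IPv4Interface)] for each 'ip address' line,
    attributing the address to the most recent 'interface' stanza."""
    found, current = [], None
    for line in config_text.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            # ipaddress accepts a dotted netmask after the slash
            found.append((current, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")))
    return found


def overlapping_interfaces(config_text):
    """List interface pairs whose subnets overlap. An empty list means the
    config passes the check IOS applies when it refuses the second address."""
    nets = interface_networks(config_text)
    clashes = []
    for i, (name_a, if_a) in enumerate(nets):
        for name_b, if_b in nets[i + 1:]:
            if if_a.network.overlaps(if_b.network):
                clashes.append((name_a, name_b))
    return clashes


if __name__ == "__main__":
    print(overlapping_interfaces(OVERLAPPING_CONFIG))   # [('GigabitEthernet0/0', 'GigabitEthernet0/1')]
    print(overlapping_interfaces(TRANSFER_NET_CONFIG))  # []
```

Running the check over a planned config before pushing it is cheaper than discovering the overlap from the router's error message, and it makes the point of the reply concrete: the fix is a distinct transfer prefix for the uplink, not a way around the check.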
Re: [c-nsp] *** GMX Spamverdacht *** Re: OT: Gauging interest for "smart" Terminal/Console server
> Something like https://freetserv.github.io ?

Yup. Though I would have designed it somewhat less modular ... ;)

Tnx for the link!

-garry
[c-nsp] OT: Gauging interest for "smart" Terminal/Console server
Just out of curiosity ...

I've been experimenting with some alternatives to either "old" 250x-series Cisco console servers, or other brand solutions in order to cover our requirements for in-band/OOB management access to our DC infrastructure. While the Cisco console server is a viable, working solution, the old routers are getting both hard to get and aging, too, and alternative NM cards aren't exactly cheap (plus putting a router in the rack to use them in might not be the technically and economically best solution). Other solutions also work, but are usually either not low(er) cost, or not flexible.

I did some proof-of-concept setups based on micro-servers (like RasPi) and USB UARTs, which turned out quite nicely, allowing for cool features (like e.g. forwarding all incoming data to a syslog server, or implementing some automation, etc.)

With that basis, I was thinking about designing a circuit that will allow for a high-density (1U) setup with 24 or even 48 serial ports, connectable to a user-supplied server via a USB port (though a 48 port solution might be better connected through two ports). A (halfway) careful first estimate could result in cost somewhere in the range of 200-300$ for a finished product with 24 ports.

Is this something - both from a technical as well as financial POV - that folks might be interested in?

tnx for any feedback,
-garry
Re: [c-nsp] Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Hi,

> On Wed, 2016-02-10 at 08:06 -0800, ps...@cisco.com wrote:
>> Cisco Security Advisory: Cisco ASA Software IKEv1 and IKEv2 Buffer
>> Overflow Vulnerability
>>
>> Advisory ID: cisco-sa-20160210-asa-ike
> Poor bastards stuck at 8.2 (like us) might be relieved to know that
> there actually is a 8.2(5)59 version with the fix. Reading the SA page
> I got the impression that there was no fixed software for 8.2(5).

Thanks for the find, same situation we were in (well, several of our customers rather) - reading the advisory, it clearly states anything 8.x except 8.4 is recommended to go to 9.1 (yeah, right! Not opening that can^H^H^H crate of worms! Or more like Pandora's box?). Apart from at least one system that only has 256M of RAM (and therefore can't go to anything higher than 8.2 AFAIK), even going to the mentioned 8.4.7(30) caused some problems due to incorrectly (or incomplete) config migration for several systems ... of course it could be fixed, but still ...

And yes, the systems should be kept more current, but seeing what happens when you do update more or less confirms the old saying "never change a running system" ... sadly ...

Still, if Cisco publishes an interim that fixes this disastrous flaw and is not at least following up on their announcement (8.2.5(59) was released 3 days after the initial notification was published), it's sort of a pain for users ... even the advisory on the web page hasn't been updated to at least list the option of using the interim ... :(

-garry
Re: [c-nsp] *** GMX Spamverdacht *** Equipment for a large-ish LAN event
Hi,

> This year, we are looking into some equipment that is slightly out of our
> usual expertise. Usually, we target high-density stackable switches
> like a 3650/3750/3850 with 48 GigE and 4 SFP for our 10G core. We
> design our network around small "islands" of players all linked with
> each other through a 2x10G fiber network. Everyone is assigned a
> public address and we route everyone out through our core switch.

Sorry, can't really supply you with a turn-key solution, especially as I feel I don't have all the information involved to make an educated guess on a decent setup, but maybe you could get in contact with the CCC crew in Germany (http//ccc.de), they organize rather large events multiple times a year, with several thousand users, so they may be able to give you a few hints as to possible pitfalls ...

-garry
[c-nsp] 2960S & supported EtherTypes?
Hi,

we were trying to move some QinQ frames through a location and seem to have some problems ... before we tear everything up and rebuild/redesign, does anyone have a pointer as to which EtherTypes the 2960S switches support? I tried to find some docs on it, but couldn't locate anything that would say it supports 9100 (or anything at all)

Thanks,
-gg
[c-nsp] QinQ and Bridging
Hi,

on a multi-site installation, I've got some additional requirements to implement. Currently, two sites (CPEs) have a tagged ethernet service to a central site (PE). Now, apart from the L3 traffic, I need to bridge an additional VLAN from site 2 to site 1 in order to provide a guest WLAN which is terminated through a firewall at site 1.

Our PE currently is an ASR1000 series router, the CPEs are 1941 routers with Security IOS licenses and additional 4-port switching card. Configuring the QinQ as such works fine, e.g. with the CPE configured with this:

interface GigabitEthernet0/1.61400
 encapsulation dot1Q 614 second-dot1q 201
 ip address 10.99.98.2 255.255.255.0
 bridge-group 201

and the PE with

interface GigabitEthernet0/1.61400
 encapsulation dot1Q 614 second-dot1q 201
 ip address 10.99.98.1 255.255.255.0
 bridge-group 201

doing a ping works fine, therefore I'd expect the actual QinQ stuff working.

On the CPE, I have also configured (for testing purposes) one of the switch interfaces on each site router as "switchport access vlan 201", then added the "int vlan 201" also into bridge-group 201. IRB is active, bridge-group 201 is set to protocol IEEE. On the PE I have configured the two QinQ subinterfaces also into the same bridge-group.

Anyway, none of the broadcasts or other L2 stuff seems to be transported between the sites over the QinQ bridge group. I assume I'm just missing some minor thing here, but after checking docs and examples, I'm sort of out of ideas ... none of the docs I found use the combination of QinQ and bridge groups, so I'm not even sure if this doesn't work by design ...

Any hints or ideas appreciated ...

-garry
[c-nsp] Replacement front for WLC / Lobby Ambassador?
Hi,

I was looking into the Cisco WLC (2504) a bit, specifically the webauth ... I have it working quite nicely, though I came across one minor gripe - a lobby admin can easily create a guest account, but the WLC does not provide any way of creating a voucher printout/access sheet ... sure one could use some external Radius auth or similar, but it seems pretty stupid that there is no provision included to just create a simple web page that has e.g. a site specific layout with all the relevant information ...

Is there any "small and simple" solution for this problem? I sure do not want to go out and buy a license for the Cisco Prime Infrastructure VM appliance, which has the option to print the access info sheet ... seems to me like the print option was left out on purpose ... :(

One alternative might be a simple frontend that uses a simple telnet to the WLC to create a guest user and creates the printer output ... ?!

Hints appreciated,
-garry
Re: [c-nsp] *** GMX Spamverdacht *** Re: ASR920 - ISR4431
> The ASR-920-12CZ-A comes with 6 of the 12 1Gb ports enabled, no need for the
> 6 port license if you need less than 6 ports.

Actually, if there is ANY chance of needing the additional ports (either 1G or 10G) in the future, you'd save money buying them on the initial purchase ... it is cheaper than either the 6-Port-1G or the 2-Port-10G Adder License ...

-garry
Re: [c-nsp] *** GMX Spamverdacht *** Re: Mixing 2960S and X in stack
Hi,

> On Sun, May 31, 2015 at 07:41:14PM +0200, Garry wrote:
>> A customer of ours needed to extend a rack's switch ports, which at that
>> point consisted of a stack of two 2960S-LPD-L switches. The new switch
>> he set up was a 2960X-LPD-L. Anyway, contrary to what I would have
>> expected, neither of the stacking ports on the S and X switches came up.
> Hhaha... welcome to hell.
>
> You need to set
>
> (config)#switch stack port-speed ?
>   10  Change stack speed to 10G

With Gert's hints, everything is now running well ... got the three 2960's TenGig ports (one each) connected to a VPC on two Nexus 5548 switches, seems to run smoothly from what I can tell at the moment ... at least no reports of problems with either VoIP or the PCs connected to them over two working days ...

Thanks again for the help!

-garry
[c-nsp] Mixing 2960S and X in stack
Hi,

A customer of ours needed to extend a rack's switch ports, which at that point consisted of a stack of two 2960S-LPD-L switches. The new switch he set up was a 2960X-LPD-L. Anyway, contrary to what I would have expected, neither of the stacking ports on the S and X switches came up.

As the S switches had a rather old 12.2 IOS, I did an update to the recommended 15.0 SE IOS, which again didn't give me any stacking ports in state up. Asking around, somebody confirmed they had a mixture of S and X switches, albeit with an EX train of the IOS. So, I again updated the S' IOS to the current ED release of the EX train, but still neither of the switches' stacking ports even showed any positive change.

Is there anything our customer could be doing wrong, or anything I need to watch out for as far as configuration goes? I even tried to manually provision the X switch on the stack, still no improvement ...

Tnx,
-garry
Re: [c-nsp] *** GMX Spamverdacht *** Re: ASR902 vs ME3800X
On 23.03.2015 22:37, Gert Doering wrote:
> Hi,
>
> On Mon, Mar 23, 2015 at 01:22:59PM -0600, Tim Densmore wrote:
>> how it's the upgrade path from an me3800x? I can see that they have
>> similar stats in some areas, but I'm having a hard time with the idea of
>> a router being the next step up from a switch, especially given that
>> we're looking at a quote that's around 4x less than what we have for
>> 3800s.
> When comparing prices, don't overlook the licenses - from what I could
> find, the 920 is pay-as-you-grow, so you need an extra license to use
> all ports.

True, but checking the price list, you'll find that buying the full license as a bundle option on the initial box will run less than a partial license later on ... (full license is 1k$, upgrades later will run 1.5k$ or more IIRC)

We're currently working on our core/backbone/PE upgrade of our 4 core sites, and after some thinking and planning, as well as a call to our $C technical support, have decided to go with 903's (albeit single RSP for now, but dual box per site) as core devices, and 920-12 for the PE/MPLS aggregation device. Other $C devices fell short in either missing features (mostly), or way too pricey for our size and requirements.

As for the 920, we were really surprised they were as cheap as they are ... for a "fully loaded" 920-12CZ box with Advanced Metro IP Access license and license for all 12 1G and 2 10G ports (base only comes with license for 6 1G ports), the list price adds up to 8K$ ... 3800 series are way beyond that ...

-garry
[c-nsp] Problem with VPN between ASA and Bintec
Hi,

on a VPN connection we are running we are intermittently experiencing some problems. Local system is a Cisco ASA cluster (Active/Passive HA), OS is 8.3(2)37, remote end is a Bintec device, sorry, no more details on the exact model.

The VPN comes up fine as such and works for a while. Occasionally, the VPN tunnel stops working, though we do not have further information on what the root cause of the problem could be. Anyway, in that situation, while the tunnel looks like it's up on the Bintec side, no traffic is transmitted anymore. By re-initiating the VPN on the Bintec, the tunnel is setup again and will work. We have already set up a backup tunnel, which has mitigated the problem somewhat, but on occasion both tunnels will fail and need to be set up again.

Another problem is that usually we are not informed of the failure, so debug information is rather scarce. I can not say what state the local side of the tunnels is in, in that situation. Due to the fact that the connection is required for card payment information, re-establishing a working connection is urgent, so keeping it down for debugging purposes is more or less out of the question.

Has anybody here seen this problem in a similar situation and could point me towards a solution?

Thanks,
Garry
[c-nsp] Traffic engineering in mixed OSPF/iBGP environment
Hi,

I've been trying to figure this out for a while now, but can't get a grasp on how to get this to work the way I want to ... In essence, here's the relevant part as a small drawing:

CPR1--CPR2 | | PER1 VSwitch | |\ PR1| \ : | CPR3..CPR6 PRn| \ /\___DSLGW-CPR7..CPR12 \ / CoreR1---CustomerFW--Internet

We have a customer network with a redundant connectivity, running as a distinct MPLS VRF in our backbone. Both links are terminated with a separate router (CPR1 & 2). Link 1 at CPR2 goes to a virtual WAN switch with additional sites as well as a link to our backbone (CoreR1). We have OSPF running in that broadcast domain, as well as between the two CPR1/2 routers, distributing the different subnets that are reachable. Link 2 between CPR1 and PER1 is also running OSPF, though in the MPLS backbone, routes from the VRFs are learned through a route reflector; PER1 redistributes the RR routes to CPR1 via OSPF. Additionally, there are some DSL locations which are also terminated through another router at the CoreR1 location. Again, locally the routes are learned through OSPF and redistributed to the BGP RR.

At this point, all routing and redundancy is working fine. If links go down, routing is recalculated and converges in satisfactory time.

As for the problem I have: the customer is running applications at a service provider that is connected to the network via CPR3. Traffic from CPR1/CPR2 as well as the other customer locations correctly take the route through the VSwitch. Now, traffic to the Internet (in essence everything that is not a connected destination inside the VRF but the default route) from CPR1/CPR2 is supposed to be routed via the PER1... connection, utilizing the otherwise unused backup link. This is where I'm having trouble.

If the whole network were running on OSPF, putting a higher OSPF cost on the CoreR1 towards the VSwitch link would more or less ensure that the link would only be used as a backup, otherwise CPR1 has PER1 as lower cost towards the CustomerFW, while the traffic to CPR3 is still cheaper towards the VSwitch. But with the BGP-redistributed routes at the PER1-CPR1 link, the OSPF cost metrics do not help. I've already tried messing around with the redistribute statements a bit, but even with altering the BGP-learned routes to be imported to OSPF as E2 routes, the routing still kept the vswitch routing up.

I'm somewhat out of ideas on how to implement this while still keeping redundancies operational (with either traffic able to be routed via either link) and not using error-prone hacks ... any pointers?

Thanks,
-garry
Re: [c-nsp] *** GMX Spamverdacht *** Replacing 3750X stack
On 02.05.2014 02:20, CiscoNSP List wrote:
> Hi,
>
> We have a 3750X stack (2 switches) doing pure L2 at a small POP (Acting as a
> "core" switch) - The small buffers are causing a lot of performance issues,
> so we are looking to upgrade them.
>

Not sure about your feature requirements, but have you thought about a Nexus 5500/2200 combo? Alternatively, the 2960X series provides pretty decent features (with the XR even being able to do a good set of L3) with up to eight device stacking at a rather competitive pricing (especially when compared to the modular switches) ...

-gg
Re: [c-nsp] 802.1x radius
On 29.03.2014 20:13, Alan Buxey wrote:
> depends on your implementation and architecture, but FreeRADIUS is probably
> what you're looking for.
>
>

Is there a well working, understandable howto somewhere? I've tried setting this up for a while, but somehow can't get it to work ... Radius auth for the web interface works fine, but I just can't get .1x to work ... :(

-gg
Re: [c-nsp] Weird problem with 2960S and desktop switch
Just a followup on this problem ...

I was on site, and it turns out the desktop switch indeed tried to take over as root bridge of the STP. Anyway, even when filtering the BPDUs on the incoming port, the main switch still ceased doing any network forwarding, not sure what was going on exactly. Anyway, replacing the switch with an identical one (apart from not knowing what's configured on it) fixed the problem for whatever reason.

Weird thing about the root bridge is, the existing main switch already used the higher priority, so even considering lower MAC address, the main switch should have remained being the root bridge, as the desktop switch was elected with default priority ...

We will look into the config of the desktop switch in our lab, possibly finding out what is wrong here ... for now the customer site is at least working as intended ...

Tnx to all who replied with their thoughts and ideas ...

-garry
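Added example (not part of the thread): the 802.1D root election carried through for the situation in this followup. The election compares the bridge priority first and only falls back to the MAC address on a tie, so a main switch with a better (numerically lower) configured priority, what the post calls the "higher" priority, keeps root against a desktop switch at the default 32768 whatever that switch's MAC is; the desktop switch can only win when both sides sit at the default. The priorities and MAC addresses are constructed, not taken from the customer's switches.

```python
# Constructed bridge parameters for the scenario in the thread: a 2960S stack
# configured with a low (better) priority, and a desktop switch left at the
# 802.1D default of 32768 but with a numerically lower MAC address.
MAIN_SWITCH = (4096, "00:1a:2b:3c:4d:ff")
DESKTOP_SWITCH = (32768, "00:00:5e:00:53:01")


def bridge_id(priority, mac):
    """802.1D bridge ID as a sortable tuple. The election compares the
    priority first and only falls back to the MAC address on a tie; the
    numerically lowest ID becomes root. On IOS with extended system ID the
    priority field also carries the VLAN number (32768 + 1 for VLAN 1),
    which shifts both candidates by the same amount and changes nothing."""
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return (priority, mac_int)


def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the elected root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def desktop_can_take_root(main, desktop):
    """True if a default-priority desktop switch would win the election against
    the configured main switch, i.e. the takeover the thread is worried about."""
    return elect_root({"main": main, "desktop": desktop}) == "desktop"


if __name__ == "__main__":
    # With the main switch at 4096 the desktop switch loses despite its lower MAC.
    print(desktop_can_take_root(MAIN_SWITCH, DESKTOP_SWITCH))  # False
    # If the main switch is also left at the default, the lower MAC decides.
    print(desktop_can_take_root((32768, MAIN_SWITCH[1]), DESKTOP_SWITCH))  # True
```

The second case is the usual way a cheap unmanaged switch becomes root on a flat network; the first case shows why, if the main switch really had a lower priority configured, the observed takeover points at something other than a plain priority tie, which is what the followup is puzzled about.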
Re: [c-nsp] *** GMX Spamverdacht *** Re: Weird problem with 2960S and desktop switch
On 08.01.2014 11:07, Peter Rathlev wrote:
> If the error recovered by itself after 40-50 seconds it might "just"
> have been an STP event. Maybe a root election. If things come back by

No, didn't seem to fix itself as long as the switch was connected ...

> If the problem didn't resolve itself until the switch was disconnected
> then it might very well have been a loop. You would very probably see a
> lot of output drops on all interfaces with a loop.

Output drops are at 0 for the port ... only one port has a (relatively) significant number of drops, and that's only at 1346 ... (unusual for a 100Full port, but ...)

-garry
Re: [c-nsp] *** GMX Spamverdacht *** Re: Weird problem with 2960S and desktop switch
On 08.01.2014 09:57, Peter Rathlev wrote:
> On Wed, 2014-01-08 at 09:37 +0100, Garry wrote:
>> After shut/no shut, the port again went down due to BPDU.
>> Disabling BPDU guard caused the whole switch to lock up while the
>> desktop switch was connected, even though checking the logs after
>> removing the desktop switch (and a bit of additional waiting time, in
>> which I assume spanning tree came back up) did not show any errors or
>> messages between the int up and down of that port.
> Are you saying you had a loop (when BPDU Guard was disabled) or not?

I do not know what happened, apart from the fact that the whole switch got unresponsive both for remote management, as well as local forwarding when I put the "spanning-tree bpduguard disable" in the port and the switch was connected to the port. According to the customer, there were no additional lines connected to the desktop switch at that time. So, assuming this was true, there shouldn't have been any loop effects caused.

>
> If you had a loop (confirmed by observing e.g. fully utilized links
> everywhere) even though the physical setup doesn't seem to contain loops
> you might have a malfunctioning switch among your devices.
>
> Otherwise it sounds like BPDU Guard just does what you have asked it
> to. :-)
>
> If you don't have "spanning-tree bpduguard enable" configured on the

This is configured:

spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard

Apart from the fact that the default BPDU guard does as it is supposed to, my actual problem is why the switch goes down when I remove it on that port, thus allowing the switch to be connected ... I reckon I might have to go on site and check on the console when the switch is connected (and BPDU guard disabled) to find out whether there are any hints as to what is going wrong ...

Tnx,
-gg
[c-nsp] Weird problem with 2960S and desktop switch
Hi, I've run into a strange problem at a customer that I can't really get a grip on ... At the customer site (remote), there's a stack of two 2960S switches, running a flat setup (no VLANs for customer pointing ports), so everything is access VLAN 1. At some areas of the customer location, not enough ethernet ports were available, so they set up a desktop switch to hook up additional PCs or phones. Anyway, when they did, the port went down as err-disabled due to BPDU guard. Suspecting an accidental loop, I had the customer disconnect all downlink ports from the desktop switch, thereby removing any chance of having a loop. After shut/no shut, the port again went down due to BPDU. Disabling BPDU guard caused the whole switch to lock up while the desktop switch was connected, even though checking the logs after removing the desktop switch (and a bit of additional waiting time, in which I assume spanning tree came back up) did not show any errors or messages between the int up and down of that port. What am I missing here? Tnx, -gg
[c-nsp] Is this possible with OSPF?
Hi, I have a remote site connected via two links at separate places in our network. One link (stm1) is the primary route, the second (50M) is mostly a backup link. So far it's rather easy, using OSPF cost entries in the interfaces will take care of that. Anyway, the backup link also has a couple of other sites connected in a /27 broadcast net (via a virtual switch in the WAN). Those sites (which only have that one uplink) announce local addresses (e.g. loopback interfaces) that are used for VPN tunnels. Those IPs should be routed via this vswitch link instead of the primary link. Which of course means that by setting the OSPF cost on the interface, the priority would be lowered, and the routing via the regular link would be used ... Is there any way (route maps?) to alter the OSPF cost just for certain prefixes? I could probably use some tracking and stuff to use static routes with lower admin cost to get similar results, but that would lower convergence times in case of link failures (I'm using 3 hellos per second for quick failover of the links). Tnx, Garry
Re: [c-nsp] *** GMX Spamverdacht *** Advice - c7200VXR with 2 bgp tables and peering fabric
On 06.06.2013 00:49, Eric A Louie wrote: > I have a c7204VXR NPE-G1 1GB RAM 6 GigE (3 on the NP, 1 on the I/O, and 2 > PA-GE). Passing about 150Gbps of traffic. It's taking a full eBGP feed > (470k routes), and connected to a peering fabric (30k routes so far). > > When I turned up the peering fabric, I spiked the cpu for about 5 minutes and > it settled down nicely. CPU utilization now is 25% max on core1, 20% on > core2. > > I need to enable iBGP on it. Its peer will be another c7204 (NPE-G1, 1GB, 3 > GigE) with a full BGP feed (450k routes). I have about 250Mbps backhaul link > between the routers. In regular day-to-day operation, it will most likely run nicely, with the expectable and documented bandwidth limits ... using it as an Internet exchange router can push the CPU performance a bit if you'd have lots of peering sessions, as well as when building the initial tables ... do keep in mind that not the bandwidth may be a limiting factor, but the number of packets ... being hit with even a small to moderate UDP flood will quickly bring 7200 routers down ... -garry
[c-nsp] Free CCNA/CCNP Video Training project on Kickstarter
Hi, came across this recently ... http://www.kickstarter.com/projects/crouthamela/free-cisco-ccna-video-training Sounds interesting, already went over the first two goals ... just about 1300$ left to get the CCNP videos done ... I'll probably chip in, seems a worthy cause ... -garry
Re: [c-nsp] *** GMX Spamverdacht *** SFPs for Nexus
On 28.03.2013 14:36, Shane Heupel wrote: Is anyone using non-branded SFPs in their Nexus switches? We have purchased some intel multi-rate SFPs and are curious if they would work in the Nexus. Thus far, we've been able to get the ports to come up at 1Gig but can't get them to work at 10Gig. If we put the SFPs in a 4948 10Gig port they come up at 10Gig. Just curious if anyone else might have run into a similar issue. What do you mean by "multi-rate SFPs"? Nexus switches (5500 anyway) will take both SFP and SFP+ modules. A customer of ours has a pair of 5548U devices, in which we are running both types as OEM models (albeit, Cisco-programmed) without any problems. The Nexus will even report them as genuine Cisco :) (except for the copper 10G connectors, which are original Cisco, but are reported as not being that) If you have some SFPs which can be used as either 1G or 10G (never heard of any), given the SFP/SFP+ combination ports on the Nexus, I would imagine this could lead to some unpredictable behavior ... get some fixed 10G SFP+ and you should be safe ... -gg
Re: [c-nsp] *** GMX Spamverdacht *** RE: IPSEC over NAT - what am I missing?
On 25.01.2013 18:15, Antonio Soares wrote: Remove AH from the equation and it should work. For example, change your Transform Set to this: crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac I'm not sure but maybe NAT-T doesn't work with AH. Did more tests - turns out after all that the AH seems to be the cause of the problem ... got the GNS3 setup to work with NAT by removing the AH part from the transform set, so your idea was dead on! Now back to the real life setup and hopefully that will also work ... Thanks! -garry
Re: [c-nsp] *** GMX Spamverdacht *** RE: IPSEC over NAT - what am I missing?
On 25.01.2013 18:15, Antonio Soares wrote: Remove AH from the equation and it should work. For example, change your Transform Set to this: crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac I'm not sure but maybe NAT-T doesn't work with AH. Tried, didn't change anything though ... Tnx, Garry
[c-nsp] IPSEC over NAT - what am I missing?
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.150.160, remote crypto endpt.: 192.168.150.190
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xBD4A7DDC(3175775708)

On the gateway, I see the NAT translation correctly:
Pro Inside global Inside local Outside local Outside global
udp 192.168.150.190:4500 192.168.2.2:4500 192.168.150.160:4500 192.168.150.160:4500

Site B notices it's behind NAT and switches to UDP 4500 correctly. Anyway, I do get errors on either side:
*Mar 1 01:41:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.150.160, prot=50, spi=0x3204(839122944), srcaddr=192.168.150.190
and
*Mar 1 01:29:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.2.2, prot=50, spi=0x3204(839122944), srcaddr=192.168.150.160

Disabling NAT and clearing ISAKMP, everything works as expected:
SiteB#clear crypto isa
SiteB#clear crypto sa
SiteB#ping 105.1.5.70 source fa1/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.1.5.70, timeout is 2 seconds:
Packet sent with a source address of 106.1.5.2
.
What am I missing here? Help appreciated, Garry
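Why dropping AH from the transform set fixes the setup above: AH's integrity check covers the outer IP addresses, so a NAT rewrite of the source address invalidates the packet, while ESP's integrity check covers only the ESP header and payload. The following model is an added example, not code from the thread; it uses the thread's addresses, a constructed key, and a simplified packet (the real AH ICV also covers the AH header, SPI and sequence number, and NAT-T additionally wraps ESP in UDP 4500).

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key is negotiated by IKE, never hard-coded.
DEMO_KEY = b"constructed-demo-integrity-key"

# Addresses from the thread: Site B inside, Site B after NAT, Site A endpoint.
SITE_B_INSIDE = "192.168.2.2"
SITE_B_NATTED = "192.168.150.190"
SITE_A = "192.168.150.160"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    ttl: int        # mutable IP field, zeroed by AH before hashing
    proto: str      # "AH" or "ESP" (simplified: one or the other, not both)
    payload: bytes  # inner packet (AH) or ESP header + ciphertext (ESP)
    icv: bytes = b""


def _hmac96(data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA1 truncated to 96 bits, as ah-sha-hmac / esp-sha-hmac use."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def _ah_covered_bytes(pkt: Packet) -> bytes:
    """AH integrity input: the IP header with mutable fields (TTL, checksum)
    zeroed, then the payload. Source and destination addresses count as
    immutable, which is exactly what a NAT gateway changes."""
    ttl_zeroed = b"\x00"
    return pkt.src.encode() + pkt.dst.encode() + ttl_zeroed + pkt.payload


def _esp_covered_bytes(pkt: Packet) -> bytes:
    """ESP integrity input: ESP header and payload only; the outer IP header
    is not covered, so NAT may rewrite it without breaking the check."""
    return pkt.payload


def seal(pkt: Packet) -> Packet:
    """Sender side: compute the ICV according to the packet's protocol."""
    covered = _ah_covered_bytes(pkt) if pkt.proto == "AH" else _esp_covered_bytes(pkt)
    return replace(pkt, icv=_hmac96(covered))


def verify(pkt: Packet) -> bool:
    """Receiver side: a mismatch is what the peer silently drops."""
    covered = _ah_covered_bytes(pkt) if pkt.proto == "AH" else _esp_covered_bytes(pkt)
    return hmac.compare_digest(pkt.icv, _hmac96(covered))


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """What the gateway does on the way out: rewrite source, decrement TTL."""
    return replace(pkt, src=new_src, ttl=pkt.ttl - 1)


def survives_nat(proto: str) -> bool:
    """Seal at Site B (inside address), pass through NAT, verify at Site A."""
    sent = seal(Packet(src=SITE_B_INSIDE, dst=SITE_A, ttl=64,
                       proto=proto, payload=b"constructed inner packet"))
    received = nat_rewrite(sent, SITE_B_NATTED)
    return verify(received)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(f"{proto}: verifies after NAT = {survives_nat(proto)}")
```

The TTL decrement alone is harmless to AH (it is a mutable field); only the address rewrite breaks the check, which is why the same transform set works the moment NAT is disabled.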
Re: [c-nsp] nexus 5548 versus C4900M
On 21.11.2012 08:55, Holemans Wim wrote: We have a service cluster built around a C4900M : it concentrates a mix of 10G (intercampus) connections and 1G connections (some backup lines and central services such as DNS, VPN servers,...) This works fine but to be able to connect all these, I had to add the 20 port 10/100/1000 UTP card and the extra 8x 10G card (with X2 convertor to provide for fiber SFPs). At the time that seemed a good and reasonably priced solution. This C4900M only does L2 traffic for the moment but will do some minor static (500Mb) IPv4 L3 routing in the near future. Now I have to create a new, similar service cluster. The first idea was to copy the setup but as we are also looking at Nexus for our datacenter, I noticed the Nexus 5548UP. This gives you out-of-the-box 32 1G/10G ports and costs (based on the prices I have seen) 25% less than the above C4900M configuration. Does anyone have a reason why we should stick to the C4900M (or maybe similar C4500 solution) and not put a Nexus in place, apart from the obvious differences between IOS and NXOS for management ? I think, when adding the L3 card to the Nexus, the 25% price difference will disappear but are there any limits you see (arp table, mac address table size, buffering, IPv6 support..) that would take the Nexus out of the picture ? We have a dual-5548P/L3+quad-2248 setup at a customer site, with some 20 2960 switches (1G and 10G versions) for access switches ... apart from some initial problems the setup is very nice and performing well ... when the project was initially looked at, the original setup (only one 5548 + 2 2248) was about half of what a comparable setup with required interface cards would have been with a 6500, except that the Nexus delivers the 960Gig L2 forwarding non-blocking, which the 6500 setup wouldn't have been able to do at the time, as its 10G cards are oversubscribed.
4500 series setups will be cheaper than a 6500 solution, but you will not have the performance of the Nexus, and I doubt that the price difference would be in favor of the 4500 ... In general, I reckon your choice depends on the actual usage - as a datacenter/campus switch, the Nexus has a definite price- and performance-advantage. If you will need to do non-ethernet ports, a modular switch/router like the Catalyst 4500/6500 will be the better choice ... -garry
Re: [c-nsp] Chane subinterface MTU
On 05.11.2012 19:40, Darren O'Connor wrote: All. Is it possible to change the subinterface MTU to be different than another subinterface on the same physical port? I've got no problem doing this on my Brocade XMR kit. The Cisco always pulls the MTU from the physical interface and I've found no way to have a different one. You can configure the IP MTU for the interface and/or subinterfaces ... just like you can configure MPLS MTU, etc ... should do what you need ... just make sure the physical MTU is set large enough (IOS will ensure you can't exceed the physical interface's MTU) -garry
[c-nsp] 10G Routing/Forwarding
Hi, a customer of ours has inquired about a 10G-capable device to be used as sort of a "router on a stick" in their LAN. They currently still use a Novell Netware VM to do the L3 forwarding between multiple subnets, and would like to replace this with some piece of hardware instead. I've been looking around at different $C devices that might be able to do this at a decent price-point, and have come up with the ME3600X ... at a list price of approx. 12k$ (switch plus 10G license) this seems one of the more affordable 10G-capable devices from Cisco. Cisco Presales has confirmed that it will do 44Gbit/s both L2 and L3 ... Are there any other devices in that price range that could be used for this? 1-2 10GE ports and L3 capable of course ... dynamic routes aren't really necessary, neither are ACLs etc ... Thanks, Garry
Re: [c-nsp] MPLS over GRE/IPSEC
On 08.08.2012 07:14, Arie Vayner (avayner) wrote: > I would recommend looking at the lower end ASR1Ks for that... Maybe ASR1001... > According to this Cisco doc: http://www.ccsleeds.co.uk/kb/routers/cisco-vpn-throughput-comparison-doc.pdf a 7200VXR G2 comes close to doing 1G (with 950 for either 3DES or AES), with an ASR1k with at least ESP-5G doing up to 1.8G/s ... surprised it is able to push that much ... :) Alternatively, an ASA 5580-20 is rated at doing a maximum of 1G VPN ... albeit, not with any MPLS (unless the higher boxes have something in there now) -garry
Re: [c-nsp] OT: 2960S
On 02.08.2012 18:07, Scott Voll wrote: > Anyone using the 2960S series switches? > > Comments good, bad, or otherwise? > > We are looking at using them to replace our 3560's in the IDF's. > > Straight layer 2. We will stack them. Currently we are not doing any IPv6 > but are planning for it in 2013. Have several 2960S ourselves, and some 30+ at a customer as distribution layer ... solid switches, decently priced with good features available in most any combination you may need ... haven't had any problems in the year they've been in operation ... -garry
Re: [c-nsp] 10G Aggregation?
On 17.07.2012 16:23, Jeffrey Ollie wrote: > I'm wondering what people think of the 4500X for 10G aggregation. Due > to the way my fiber is laid out, I need to aggregate the uplinks from > 6 buildings back to my core. Currently I'm using a 3550-12G to > aggregate the current 1G uplinks but I'm going to be starting the > process of upgrading the access switches in these buildings to 2960S > switches soon and would like to take advantage of the 10G uplinks. > Extreme performance isn't a requirement, and I'll probably skip L3 as > well and leave the routing to the Nexus 5548s in the core. If you > don't like the 4500X what other Cisco switch might you recommend? From a price- and performance-view, you may want to take a look at the Nexus 5500 series ... depending on what all you want to do with your core switch, it will not only outperform the 4500 (and even 6500) series, but will most likely be quite a bit cheaper ... e.g. 5548 has 32 built-in SFP/SFP+ ports with one expansion slot for additional 16 SFP/SFP+ ports. If you need L3, make sure you don't forget to get the L3 card (which pushes up to 160Gbit/s) -garry
Re: [c-nsp] Problem w/ ASR1001
On 17.07.2012 04:36, Mack McBride wrote: > Intermittent low power (brown out) can give very odd behavior. > An on-line/inline UPS would filter these out while an off-line/standby UPS > may not catch the issues. > Due to slight differences in the actual ratings of the various components > (+-10% usual on capacitors) > one device may have issues while another does not. This may not be the case > but it is at least worth investigating. Rather unlikely - for one, none of our other devices connected in that data center are experiencing any problems, most of which do come with a certain degree of power monitoring (two ASR1001, 3825, 2x 2960S, multiple servers with management cards, etc.) - plus, on a general input power problem, I would assume all power levels would dip, not just single feeds ... especially with massive dips I've seen in the env history (nominal 3V, measured <1V, etc.) I also assume the DC management has a close eye and monitoring hardware to ensure their power levels are correct ;)
Re: [c-nsp] Problem w/ ASR1001
On 16.07.2012 13:54, chris stand wrote: > Just to rule 100% power issues out - do you have these on any sort of UPS ? > perhaps one with monitoring capabilities. > No, they are on two separate circuits provided by the housing which both are UPS/generator buffered (separate modules, too). As I said though, the second 1001 is also on the same circuits, so it ought to display at least similar problems ... Also, if it's a general problem on the feed, shouldn't all output voltages have the problems at the same time, and not on one output voltage for some time, while all the others are fine, then on a different one for a while, with again all other voltages OK? Weird ... Tnx, -garry
[c-nsp] Problem w/ ASR1001 power levels
Hi, we have several ASR1001 routers running at our locations ... so far, everything is fine, though two months ago one router started complaining about environment sensors. Checking the router, we noticed that several voltages displayed by the "show env" command would occasionally be either below or over the "normal" voltage range, though rarely more than one voltage would show variances at the same time. As we still had another 1001 in our lab waiting to be deployed, we switched out the power supplies between the two. Afterwards, neither of the two showed any more fluctuations. About two weeks ago, another 1001 at a remote site also started complaining about environment, again displaying the same erratic behavior on different power levels ... e.g., on Jul 10, V2: VDD kept bouncing between low and normal for some time, but no more alerts since 15:01. Instead, V1: 12v kept bouncing on July 12 for some time, but fine since 18:27. Currently, V1: VMF is showing the same behavior. I'm not exactly sure which voltages are what, but I presume I can rule out external power supply problems, as a second 1001 at the same site and connected to the same two power feeds does not show any of these problems. Has anybody here experienced a similar problem? Tnx, Garry
Re: [c-nsp] ASR 1001 Software
On 23.04.2012 18:19, Nick Colton wrote: > Turning up Cisco ASR 1001's on our network and I wanted to see what > firmware others were running in production. asr1001-universalk9.03.04.01.S.151-3.S1.bin Using mainly BGP, OSPF, VRF with a few minor ACLs. Current uptime ~4 months since we took them into production ... no known problems yet ... Two newer 1001's we've just taken into production came with a slightly older version, asr1001-universalk9.03.04.00.S.151-3.S.bin ... probably will be updating these before the site goes into production ... -garry
Re: [c-nsp] *** GMX Spamverdacht *** Re: 2960S IOS
On 21.03.2012 00:52, Thomason, Simon wrote: > Not certain if anyone is looking into smart install or vstack but when you go > to 15 train you get a few nicer features which is one of the reasons we have > gone into the 15 train where we can. > Anybody have a link to the changes? One thing we've run across that's not so nice on the 2960S is the limit of 6 port channels per stack - has that changed? Tnx, garry
Re: [c-nsp] ASA 5510 and Fortigate 80C
On 23.02.2012 16:47, Hemal Shah wrote: > Hi > I am testing functionality between ASA 5510 and Fortigate 80C. > I am creating site-to-Site (IPSEC) VPN between two devices. > Does anyone have configuration or suggestion to complete this task? > Did you check the Fortinet Knowledgebase? They've got a pretty extensive set of samples for all kinds of config combinations ... apart from that, having set up VPNs with both boxes, I don't think there's much to watch out for here ... should be pretty much straightforward ... what problems do you have with it? -garry
Re: [c-nsp] Nexus 5596 architecture
On 27.01.2012 02:30, Jiri Prochazka wrote: > Hi, > > we are considering investment in a few Nexus 5596 switches. All Cisco > documents say it has 96 non-blocking 10G ports (for L2). Is it _really_ > true? Can the switch reach throughput of 960 Gbps regardless of the traffic > distribution? Isn't there some hidden limitation, which is not presented > by Cisco? :-) I've heard some rumors about this, but nothing particular. > > First thing which comes to my mind is a doubt, if all three expansion > modules really do have 160 Gbps connection to the fabric.. Actually, the 5596 is rated at 1920 Gbps (5548: 960 Gbps) IIRC, so one would assume it is non-blocking ... Please do note that any L3 forwarding without the L3 card will be blindingly slow and prone to packet loss ... Maybe this document can shed some additional light on the issue ... description of the 5500 architecture ... http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/ps11215/white_paper_c11-622479.html
"The UPC manages eight ports of 1 and 10 Gigabit Ethernet or eight ports of 1/2/4/8-Gbps Fibre Channel. It is responsible for all packet processing and forwarding on ingress and egress ports. Each port in the UPC has a dedicated data path. Each data path connects to UCF through a dedicated fabric interface at 12 Gbps. This 20 percent over-speed rate helps ensure line-rate throughput regardless of the internal packet headers imposed by the ASICs."
"The UCF is a single-stage, high-performance 100-by-100 nonblocking crossbar with an integrated scheduler (Figure 9). The single-stage fabric allows a single crossbar fabric scheduler to have full visibility into the entire system and therefore make optimal scheduling decisions without building congestion within the switch."
Of course this is a (somewhat aged - still speaking of "upcoming 5596" and "1G Support in Q1CY11") tech doc from Cisco, so I suppose they would not divulge any "hidden issues" ...
We have a customer with a 5548 and 4 FEXes, no issues to date, though they're not really pushing the system ... -garry
Re: [c-nsp] Sporadic loss of LDP neighbor ...
On 12.12.2011 09:27, Mark Tinka wrote: > On Monday, December 12, 2011 03:38:56 PM Garry wrote: > >> Dec 11 22:59:31: %LDP-5-NBRCHG: LDP Neighbor [BB1]:0 is DOWN >> (Received error notification from peer: Holddown time expired) >> Dec 11 22:59:52: %LDP-5-NBRCHG: LDP Neighbor [BB3]:0 is DOWN >> (Discovery Hello Hold Timer expired) Dec 11 23:00:00: >> %LDP-5-NBRCHG: LDP Neighbor [BB3] is UP Dec 11 23:00:27: >> %LDP-5-NBRCHG: LDP Neighbor [BB1]:0 is UP > > Are you seeing high CPU utilization on the affected routers, even > if transient? I've seen high CPU before, but never in time to discern whether the CPU was cause or effect ... just this afternoon I was able to catch one of the outages in time to cross-check multiple places, mainly the logs and cpu history, which clearly showed that the egg was there before the hen - or rather, 100% cpu for ~2min followed by the LDP (and other) outages ... problem is, I can't yet pin-point the cause of the CPU load - guess I will have to set up a cron job to pull "show proc cpu sort 5min" outputs every couple of minutes and check which process is the cause for the cpu load ... hopefully ... (even as I prepare to drop the 7200's from the essential places, I even see 10% cpu at the same time on the ASR routers, which is pretty high compared to the ~1% they usually have ... so I want to solve the problem cause, not the effect ...)
Tnx, garry
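One way to do what the reply above plans, polling "show proc cpu sort 5min" from cron and working out which process drove the CPU before an LDP neighbour dropped. This is an added example, not the poster's script: the snapshots are constructed in the shape of IOS output with made-up figures, the process names are illustrative, and the LDP event time is taken from the log excerpt in the thread.

```python
import re
from datetime import datetime

# Constructed "show processes cpu sorted 5min" snapshots, stamped the way a
# cron job would stamp them. Figures are invented for this example.
SNAPSHOTS = [
    ("2011-12-11 22:50:00", """\
CPU utilization for five seconds: 3%/1%; one minute: 4%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  97     1200000   8000000        150  1.10%  1.20%  1.30%   0 IP Input
 152      300000    100000       3000  0.40%  0.40%  0.50%   0 LDP
   5       90000      2000      45000  0.00%  0.00%  0.10%   0 Check heaps
"""),
    ("2011-12-11 22:58:00", """\
CPU utilization for five seconds: 99%/2%; one minute: 97%; five minutes: 88%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  97     1900000   8400000        226 92.50% 90.10% 81.20%   0 IP Input
 152      310000    101000       3069  0.90%  0.80%  0.60%   0 LDP
   5       90500      2010      45024  0.00%  0.00%  0.10%   0 Check heaps
"""),
    ("2011-12-11 23:06:00", """\
CPU utilization for five seconds: 5%/1%; one minute: 9%; five minutes: 40%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  97     1950000   8450000        230  1.50%  3.00% 35.00%   0 IP Input
 152      320000    102000       3137  0.50%  0.50%  0.60%   0 LDP
   5       91000      2020      45049  0.00%  0.00%  0.10%   0 Check heaps
"""),
]

# First LDP neighbour loss from the log excerpt in the thread (year assumed).
LDP_DOWN_EVENT = datetime(2011, 12, 11, 22, 59, 31)

HEADER_RE = re.compile(r"five minutes:\s*(\d+)%")
# PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process (name may contain spaces)
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


def parse_snapshot(text):
    """Return (total 5-minute CPU percent, [(process name, 5-minute percent), ...])."""
    total = None
    rows = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            total = int(header.group(1))
            continue
        row = ROW_RE.match(line)
        if row:
            rows.append((row.group(9), float(row.group(7))))
    if total is None:
        raise ValueError("no 'CPU utilization' header line in snapshot")
    return total, rows


def find_spikes(snapshots, threshold=80):
    """Snapshots whose 5-minute average is at or above the threshold, with the
    top process. Returns [(stamp, total_pct, process, process_pct), ...]."""
    spikes = []
    for stamp, text in snapshots:
        total, rows = parse_snapshot(text)
        if total >= threshold and rows:
            name, pct = max(rows, key=lambda r: r[1])
            spikes.append((stamp, total, name, pct))
    return spikes


def spikes_before(event, spikes, window_seconds=600):
    """Spikes recorded in the window leading up to a log event, so the CPU
    history and the LDP NBRCHG messages can be lined up in time."""
    hits = []
    for stamp, total, name, pct in spikes:
        seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        lead = (event - seen).total_seconds()
        if 0 <= lead <= window_seconds:
            hits.append((stamp, total, name, pct))
    return hits


if __name__ == "__main__":
    for stamp, total, name, pct in spikes_before(LDP_DOWN_EVENT, find_spikes(SNAPSHOTS)):
        print(f"{stamp}: CPU {total}% 5min, top process '{name}' at {pct}%")
```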
Re: [c-nsp] Recommendation for small GBit router
On 16.12.2011 00:25, "Rolf Hanßen" wrote: > Hello, > > I am looking for a stable, reliable router / Layer3 switch that can do the > following: > -forward at least 1GBit / 1Mpps [..] Rolf, sorry to say, but for the price range of 3000€ you'll have a hard time finding anything, even used, that has both the "Cisco" name tag and the 1Gbit L3 forwarding ability ... especially with all the additional features ... you can't expect an enterprise, high-end product for a SoHo/Mid-Range price ... I second the ASR 1001 option, nice box with lots of performance for a relatively good price, be aware of the limits in BGP (500k prefixes IIRC ?) though ... but as you wrote, you don't need a full table, so that shouldn't be a problem. Not sure how much of a performance hit the Netflow will be once you are actually pushing the 1G through the box ... -garry
Re: [c-nsp] RANCID Alternative - was HEADS UP: vlan_mgr crashing in NX-OS 5.2(3)
On 13.12.2011 12:01, Daniel Hooper wrote: > Just on the topic of rancid and Cisco, I've seen a couple of > alternative methods posted around the place recently of different ways > to keep a device config backed up and was just curious as to whether > people are using these instead of rancid? I usually use a self-programmed script that uses SNMP to initiate copying of the config to a tftp server, then versioning that file into RCS. Anyway, I couldn't get that to work with either the old-style MIB or the Cisco-Copy-Config-Mib, so I resorted to using rsh to initiate copying of the config to the server, then using the existing logic of the script to archive it ... was pretty easy to set up, just had to add the key for the SSH connection to the Nexus ... -garry
Re: [c-nsp] Sporadic loss of LDP neighbor ...
On 12.12.2011 09:16, Robert Raszuk wrote: > Garry, > > Do you see the same with "mpls ldp targeted-sessions" enabled (even for > normal LDP p2p peers) ? At least this is something I would try first ... Neither the 7200s nor the ASR support this command ...
[c-nsp] Sporadic loss of LDP neighbor ...
Hi *, I've been fighting this problem for quite a while, need some ideas from the collective intelligence ... One of our backbone locations has multiple routers that have worked fine for quite a while ... during the last couple of months, we've been experiencing some sporadic failures in the LAN which I've not been able to pin-point any logical reason for ... Basic setup is this ... currently, three 7200 routers (2x NPE300 VXR [BB1 & 2], 1x NPE150 [BB3] for a couple of L2TP wireless links). We've added an ASR1002F [Core1] to that as new primary router for the location about a year ago (running a 300M link to our core uplink, 1G dark fiber link to another backbone location). All of our backbone is running with MPLS enabled (multiple VRFs for MPLS-VPNs). Everything fine up until something like 2-3 months ago (don't have an exact date, otherwise it might be easier to get some correlations to other changes in the configs or infrastructure). Then it started with sporadic losses of the LAN interconnections, like this: (log excerpt from BB2)
Dec 11 22:59:31: %LDP-5-NBRCHG: LDP Neighbor [BB1]:0 is DOWN (Received error notification from peer: Holddown time expired)
Dec 11 22:59:52: %LDP-5-NBRCHG: LDP Neighbor [BB3]:0 is DOWN (Discovery Hello Hold Timer expired)
Dec 11 23:00:00: %LDP-5-NBRCHG: LDP Neighbor [BB3] is UP
Dec 11 23:00:27: %LDP-5-NBRCHG: LDP Neighbor [BB1]:0 is UP
These interruptions (at least the timestamps between down and up) sometimes only last 3-4 seconds, the BB1 one above with almost a minute is just about the longest I've seen to date. Of course this disrupts routing to a certain degree ... sometimes even bad enough to take down iBGP/eBGP multihop connections. Now, at two other backbone locations, we have more or less the identical setup, without any of these problems. I've already compared interface configs, but everything seems identical (apart from IP addresses of course).
Problem here is that it's impossible to analyze any of the problem causes, as for one the problems occur without any predictable interval, and they're too short to react to the loss of connection in time ... I've tried activating some debugs on the router, but couldn't get any helpful information out of it (at least nothing I could identify). We've recently added an ASR1001 to the site, which (together with the 1002F) will be used to replace two 7200 routers, and already moved about half of the existing VLANs of the site (~20 of the 40+) to the ASRs. Didn't change much, though the interval of the interruptions went to maybe once every 2 or 3 days (from 1-2 per day). One thing I did notice is that mostly the BB1 router is involved, with 1-2 times out of three BB2 also losing LDP connection at the same time, and BB3 usually not showing any problems reaching either of the Core routers. BB1 and BB2 will also lose connectivity to each other most of the time, albeit not always. In attempting to locate the cause, we already moved BB1 to the same switch as Core1&2, with no results. Needless to say that there are no disruptions on Layer 2, at least not as far as could be seen in the logs. If these problems had manifested themselves when we installed the first ASR, I'd say it's something in the IOS versions that might be incompatible, but everything ran fine for something like 9 months, so that shouldn't be it. I've tried going through config diffs from 4-6 months ago and now, but couldn't find any changes that should break MPLS on the LAN layer. Anybody have any idea what might be causing this, or what I should check into to get to the cause of this problem?
Here's some excerpts from the router configs: BB1: interface GigabitEthernet3/0 mtu 1500 no ip redirects ip route-cache flow negotiation auto mpls label protocol ldp tag-switching mtu 1520 tag-switching ip BB2: identical settings Core1: interface GigabitEthernet0/0/0 no ip redirects ip flow ingress negotiation auto mpls ip mpls label protocol ldp mpls mtu 1520 Thanks, Garry ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
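The poster has nothing to go on but the timestamps of the %LDP-5-NBRCHG messages. The script below is an added example (not from the post or from Cisco) that pairs each neighbor's DOWN event with its next UP event, measures the gap, and tallies the drop reasons per neighbor, which is what you want when sifting a few weeks of syslog for a pattern. The log lines are constructed from the BB2 excerpt above; the year is an assumption, since IOS timestamps do not carry one, and the neighbor names are the post's [BBn] placeholders rather than real LDP IDs (the regex accepts either form).

```python
"""Pair LDP neighbor DOWN/UP syslog events and measure each outage."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the BB2 excerpt in the post. Note the
# BB3 UP line carries no ":0" label-space suffix; real logs mix both forms.
SAMPLE_LOG = """\
Dec 11 22:59:31: %LDP-5-NBRCHG: LDP Neighbor [BB1]:0 is DOWN (Received error notification from peer: Holddown time expired)
Dec 11 22:59:52: %LDP-5-NBRCHG: LDP Neighbor [BB3]:0 is DOWN (Discovery Hello Hold Timer expired)
Dec 11 23:00:00: %LDP-5-NBRCHG: LDP Neighbor [BB3] is UP
Dec 11 23:00:27: %LDP-5-NBRCHG: LDP Neighbor [BB1]:0 is UP
"""

# IOS timestamp (optional "*" / "." clock-state prefix, optional .msec and
# timezone), then the NBRCHG message. The neighbor is an LDP ID such as
# 10.0.0.1:0, or a placeholder like [BB1]:0 as in the post; ":<space>" is optional.
LINE_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?(?: \S+)?: "
    r"%LDP-5-NBRCHG: LDP Neighbor (?P<nbr>\S+?)(?::\d+)? is (?P<state>UP|DOWN)"
    r"(?: \((?P<reason>[^)]*)\))?"
)


def parse_events(log_text, year=2011):
    """Return (timestamp, neighbor, state, reason) tuples, oldest first.

    The year is not part of IOS timestamps, so it is passed in (2011 is
    assumed here). Lines that are not NBRCHG messages are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["nbr"], m["state"], m["reason"]))
    events.sort(key=lambda e: e[0])
    return events


def _rec(nbr, down_at, up_at, reason):
    secs = None if up_at is None else (up_at - down_at).total_seconds()
    return {"neighbor": nbr, "down_at": down_at, "up_at": up_at,
            "seconds": secs, "reason": reason}


def outages(events):
    """Pair each DOWN with the next UP of the same neighbor.

    A DOWN that never sees an UP (still down at the end of the log) gets
    up_at=None; an UP with no preceding DOWN (e.g. the initial session at
    boot) is ignored; a second DOWN before any UP closes the first as unresolved.
    """
    pending = {}
    result = []
    for ts, nbr, state, reason in events:
        if state == "DOWN":
            if nbr in pending:
                down_at, why = pending.pop(nbr)
                result.append(_rec(nbr, down_at, None, why))
            pending[nbr] = (ts, reason)
        elif nbr in pending:
            down_at, why = pending.pop(nbr)
            result.append(_rec(nbr, down_at, ts, why))
    for nbr, (down_at, why) in pending.items():
        result.append(_rec(nbr, down_at, None, why))
    result.sort(key=lambda r: r["down_at"])
    return result


def summarize(outage_list):
    """Per-neighbor outage count, longest outage and a tally of drop reasons."""
    summary = defaultdict(lambda: {"count": 0, "longest_s": 0.0, "reasons": defaultdict(int)})
    for o in outage_list:
        s = summary[o["neighbor"]]
        s["count"] += 1
        if o["seconds"] is not None:
            s["longest_s"] = max(s["longest_s"], o["seconds"])
        s["reasons"][o["reason"]] += 1
    return {k: dict(v, reasons=dict(v["reasons"])) for k, v in summary.items()}


if __name__ == "__main__":
    outs = outages(parse_events(SAMPLE_LOG))
    for o in outs:
        print(f"{o['neighbor']:8} down {o['down_at']:%H:%M:%S} for {o['seconds']}s ({o['reason']})")
    print(summarize(outs))
```

The reason tally is the useful part: "Discovery Hello Hold Timer expired" means the periodic UDP discovery hellos stopped arriving over the LAN, while a peer-sent "Holddown time expired" notification means the TCP session's keepalives were missed; seeing both for the same neighbor in the same minute points at the shared segment rather than at one box, which is consistent with the poster's observation that BB1 and BB2 tend to drop together.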
Re: [c-nsp] auto versioning of device configs, ala RANCID or ??
On 08.12.2011 19:59, Peter Rathlev wrote:
> We use regular polling of variable in CISCO-CONFIG-MAN-MIB
> (ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged) and
> backup via OLD-CISCO-SYS-MIB::writeNet. It works very well and makes it
> easy to customize.

Talking about using SNMP to initiate writing a config - this works fine on many Cisco devices, but fails on ASR1001 (works on our 1002F) and Nexus 5548 ... anybody know the updated MIB entry that does the same thing?

Tnx, -garry
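The polling approach Peter describes needs a bit of logic around the two MIB values before it can decide when to pull a backup. The block below is an added example, not from this thread: it takes the values an SNMP GET of sysUpTime, ccmHistoryRunningLastChanged and ccmHistoryStartupLastChanged would return (all TimeTicks, 1/100 s) and works out whether the running config changed since the last fetch, whether the box reloaded (or the 32-bit tick counter wrapped) so the remembered value is stale, and whether there are unsaved changes. No SNMP library is used; the poll values are constructed so it runs offline, and the class and function names are mine.

```python
"""Decide from CISCO-CONFIG-MAN-MIB counters whether a config backup is due."""
from dataclasses import dataclass

TICKS_WRAP = 2 ** 32      # SNMP TimeTicks is a 32-bit counter (1/100 s units)


@dataclass
class Poll:
    """One round of SNMP GETs against a device (values in TimeTicks, constructed here)."""
    sys_uptime: int              # SNMPv2-MIB::sysUpTime.0
    running_last_changed: int    # CISCO-CONFIG-MAN-MIB::ccmHistoryRunningLastChanged.0
    startup_last_changed: int    # CISCO-CONFIG-MAN-MIB::ccmHistoryStartupLastChanged.0


@dataclass
class DeviceState:
    """What the poller remembers about one device between polls."""
    last_uptime: int = 0
    last_running_changed: int = -1   # -1: never polled, so the first poll backs up


def ticks_ago(now_ticks, then_ticks):
    """Seconds elapsed between two TimeTicks readings, tolerant of one wrap."""
    return ((now_ticks - then_ticks) % TICKS_WRAP) / 100.0


def evaluate(state, poll):
    """Update `state` with this poll and return what the poller should do.

    - backup:   the running config changed since we last fetched it.
    - reloaded: sysUpTime went backwards (reload, or the tick counter
                wrapped); the remembered LastChanged value is meaningless
                then, so a backup is forced rather than risk missing a change.
    - unsaved:  running changed after startup was last written, i.e. the
                box carries changes that a reload would silently discard.
    """
    reloaded = poll.sys_uptime < state.last_uptime
    backup = reloaded or poll.running_last_changed != state.last_running_changed
    unsaved = poll.running_last_changed > poll.startup_last_changed
    state.last_uptime = poll.sys_uptime
    state.last_running_changed = poll.running_last_changed
    return {
        "backup": backup,
        "reloaded": reloaded,
        "unsaved": unsaved,
        "changed_ago_s": ticks_ago(poll.sys_uptime, poll.running_last_changed),
    }


def run_polls(polls):
    """Feed a sequence of polls through one device's state, oldest first."""
    state = DeviceState()
    return [evaluate(state, p) for p in polls]


# Constructed sample: four polls of one device, 1000 s apart, with a config
# change between polls 2 and 3 and a reload shortly before poll 4.
SAMPLE_POLLS = [
    Poll(sys_uptime=100_000, running_last_changed=50_000, startup_last_changed=60_000),
    Poll(sys_uptime=200_000, running_last_changed=50_000, startup_last_changed=60_000),
    Poll(sys_uptime=300_000, running_last_changed=250_000, startup_last_changed=60_000),
    Poll(sys_uptime=5_000, running_last_changed=1_000, startup_last_changed=1_000),
]

if __name__ == "__main__":
    for i, r in enumerate(run_polls(SAMPLE_POLLS), 1):
        print(i, r)
```

The copy itself is left to the caller: writeNet from OLD-CISCO-SYS-MIB is what the thread uses, and on platforms where that is gone, CISCO-CONFIG-COPY-MIB (the ccCopyTable row-create mechanism) is the usual replacement. Whatever triggers the copy, keeping the "unsaved" flag visible is worth it on its own, since a running config that differs from startup is both an operational risk and a common sign of an unreviewed change.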
[c-nsp] QoS on WLAN
Hi,

I've been trying to find some white paper on this, but maybe I'm trying to do the wrong thing, can't seem to come up with any helpful docs ...

I have a site-to-site WLAN link using two 1242 APs. I'm bridging multiple VLANs over that link, mainly a data and a VoIP VLAN. So far, everything is working fine, with a net speed of about 19mbit. In order to ensure enough bandwidth for the VoIP VLAN, I would like to either reserve some amount of bandwidth on the bridge for the VoIP VLAN, or set QoS to prefer transmission of the VoIP packets ... I guess I could shape the data VLAN to a smaller amount of throughput, but in case of bad weather, this might still be too much, so QoS should be the cleaner solution.

Is there some simple way to tell the 1242's to tag and prefer all of the VoIP VLAN?

Tnx, -garry
Re: [c-nsp] Cisco and third party transceivers
On 30.09.2011 01:39, Martin T wrote:
> Jason,
> I agree that preferring Cisco branded SFP's gives a sort of quality
> guarantee. According to a friend of mine, those SFP's were bought from
> an electronics market in Moscow:
>
> http://img.nag.ru/images/18388/101019342.gif
> http://img.nag.ru/images/18388/138043329.jpeg
> http://img.nag.ru/images/18640/2112514702.jpg
> http://img.nag.ru/images/18640/2054988461.jpeg
>
> ..but manufactured in Asia. On the other hand, there are manufacturers
> like Finisar, Prolabs, Agilent etc, which make decent transceivers as
> much as I have experience. In addition, according to this article:
> http://www.lightreading.com/document.asp?doc_id=102950 ..Cisco buys
> SFP directly from Finisar. Do you see a difference in "Cisco branded
> Finisar SFP" and "Finisar SFP" other than content of EEPROM?

I've one time had a Finisar-labeled and Cisco-labeled SFP in hands ... you could see they were most likely identical from the PCB routing ...

We've had a good OEM/compatible place for several years now, bought something like 100+ optics in all sizes and speeds (SFP MM/SM, X2, SFP+ MM/SM), of which some have been operating for 4+ years without any glitch ... even have 3 years warranty on them, compared to the "official" 3 months from Cisco or the minimum legal warranty of 2 years for the original Cisco SFPs.

Interesting side note: in a customer Nexus 5548 we've recently put some 20+ SFPs in (1 and 10G) - along with four copper 10G links for NX2248. Interestingly, the OEM SFP/SFP+ were recognized as "original" (no warning, even without "unsupported transceiver"), but the _original_ Cisco copper SFP+ link cables are shown as third party ... (I must assume they are original, as they were purchased directly from an official reseller, and the prices match up to the OIP we set up for the project).
-gg
[c-nsp] MAC loop in REP network
Hi,

I've had a problem on a pair of 4500 switches with a MAC address. We first noticed the CPU being at 99%, and upon investigating, noticed one switch complained about a flapping MAC address. Further examination showed that the two switches showed the MAC being advertised from the other's TenGB interface - they're running with dual TenG in a REP loop. Now while there are lots of VLANs and devices connected to the two switches, it only happened with one single MAC on one VLAN.

Examining the REP structure resulted in this output:

switch1#show rep topology
REP Segment 1
BridgeName        PortName   Edge  Role
----------------  ---------  ----  ----
switch1.fd3       Te4/1      Pri   Alt
switch2.fd3       Te4/1            Open
switch2.fd3       Te3/1            Open
switch1.fd3       Te3/1      Sec   Open

(same for both)

Displaying the detailed version showed this:

REP Segment 1
switch1.fd3, Te4/1 (Primary Edge) Alternate Port, some vlans blocked
  Bridge MAC: 0023.5ef0.d2c0
  Port Number: 0100
  Port Priority: 050
  Neighbor Number: 1 / [-4]
[..]
switch1.fd3, Te3/1 (Secondary Edge) Open Port, all vlans forwarding
  Bridge MAC: 0023.5ef0.d2c0
  Port Number: 0C0
  Port Priority: 010
  Neighbor Number: 4 / [-1]

(same for both switches)

Switch1 is the one that has the MAC that was flapping, between a portchannel that is physically connected to the device sourcing that mac, and the Ten3/1 interface. The second switch showed the MAC being sourced on Ten4/1. I temporarily "fixed" this flapping as well as the high CPU load by blocking the VLAN in question on one of the TenG interfaces ...

Here's the port configs:

Switch1:
interface TenGigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 rep segment 1 edge preferred
 rep preempt delay 15

interface TenGigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-212,214-4094   <- did this to mitigate the loop problem
 switchport mode trunk
 rep segment 1 edge preferred
 rep preempt delay 15

Switch2:
interface TenGigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 rep segment 1
 rep preempt delay 15

interface TenGigabitEthernet4/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 rep segment 1
 rep preempt delay 15

Any idea what's going wrong here? This only started when we added a port with access to VLAN 213 on switch2 ...

Tnx, -gg
Re: [c-nsp] Funny problem w/ SFP link on Nexus 5548
On 22.09.2011 07:45, quinn snyder wrote:
> garry --
> please see inline.
>
> regards,
> q.
>
> On Thu, 22 Sep 2011, Garry wrote:
>
>> On 21.09.2011 23:27, vinny_abe...@dell.com wrote:
>>> Is Gig-E auto negotiation set the same on both devices? It sounds
>>> kind of like the Nortel has Gig-E auto negotiation disabled, so it
>>> will show link as soon as it sees light. Your NX might be trying to
>>> auto negotiate which won't work if the other side isn't doing it as
>>> well. Maybe try disabling auto neg on the NX.
>>
>> The port is configured to "speed 1000", which AFAIK is required if you use
>> 1G SFPs instead of the default 10G ones ... is there anything else to
>> change/disable?
>
> yes -- this in regards to the configuration on the n5.5k. however, i
> believe that the original question was not in regards to the speed
> setting on the port, but to the negotiation of the interface itself,
> either needing to be disabled on the n5.5k or enabled on the nortel.
> something along the lines of 'no negotiation auto' or so.
> i believe the following url has something regarding this on the new
> nx-os versions.[0]

Checked the docs, the negotiation disable feature is available from 5.0.3N2, of course the N5K5 here had 5.0.3N1 ... ;) Doing the upgrade now, should see if that's the cause of the problem ...

I remember a similar problem on a 3560 which we had to disable the auto neg, though I believe it at least said something in the logs ... so that was easier to pinpoint...

Tnx, -garry
Re: [c-nsp] Funny problem w/ SFP link on Nexus 5548
On 21.09.2011 23:27, vinny_abe...@dell.com wrote:
> Is Gig-E auto negotiation set the same on both devices? It sounds kind of
> like the Nortel has Gig-E auto negotiation disabled, so it will show link as
> soon as it sees light. Your NX might be trying to auto negotiate which won't
> work if the other side isn't doing it as well. Maybe try disabling auto neg
> on the NX.

The port is configured to "speed 1000", which AFAIK is required if you use 1G SFPs instead of the default 10G ones ... is there anything else to change/disable?

As the same SFP works with the 2960S, and the same SFP works in the NX for a link to a 2960S (on the same port even), there must be some difference in the way the NX and the 2960S handle the port ... also, there are no messages at all in the logs or on the console when I hook up the Nortel switch ...

I reckon if I can't get it to work with the NX, I might as well just hook up the link via the stacked 2960S, even though it's not originally there for that ... but with the dual 10G-Link I have to the 2960, it has enough BW to spare for the temporary connection ... that 10 year old Nortel gear is going back to Cisco anyway once all the connections are moved over ... trade-ins are nice ... save money, get rid of junk HW ;)

Tnx, -Garry
Re: [c-nsp] Funny problem w/ SFP link on Nexus 5548
On 22.09.2011 03:28, Chuck Church wrote:
> Anything showing up in the Cisco log? I'm not sure about the 5548, but on

Nothing at all ...

> the 5010/5020s, only certain ports will do both 1 gig and 10 gig. Not sure

Yup, 1-8 on one, 1-16 on the other ... tried with the working ETH1/5 that's used for a 2960S connection, same result ...

> if a non-1 gig capable port would accept the speed 1000 command. Those
> symptoms sound like the speed 1000 is actually missing. Do the SFPs on each
> side have matching wavelength?

As mentioned, moving the same sfp/cable over to the 2960 the link comes up immediately ...

Tnx, Garry
[c-nsp] Funny problem w/ SFP link on Nexus 5548
Hi,

I'm currently at a customer who got a 5548 with 2248 FEX and several 2960S connected to the 5548, everything working fine. Anyway, in order to migrate from the old switch infrastructure, we tried to interconnect them to the 5548, which is where my problem started - the link just won't go up on the NX ... The other side is a Nortel core switch, with 8616SXE card for fiber links. On the Nortel, the link light goes on when I connect the switches, but the Nexus doesn't do anything. SFPs are the same as for the links to the 2960S, OEM/compatible 1G optics. Ports are configured for 1G ("speed 1000"), same as for the 2960S. When I put the same SFP in a 2960S, the link comes up at once.

What am I missing here?

Thanks, Garry
Re: [c-nsp] off-topic NMS Suggestion
On 18.05.2011 16:47, Jason Gurtz wrote:
> licensing issues. If it were a free or open source application this would
> be expected. In the commercial world, a bit more polish is expected of a
> $30K piece of software. Make sure you budget for this kind of time or
> level of support if you go there.

Wow ... paying 30k and not even able to do the basic admin yourself? At prices like that, you could go full commercial support contract on OpenNMS, and have a true enterprise-grade NMS, while being able to get all the basic and advanced stuff done yourself ... and not worry about system performance every time you add a couple nodes ... ("expecting" higher cost for maintenance on Open Source software is pretty prejudicial IMHO...)

-garry
Re: [c-nsp] increase speed in switch port
On 21.04.2011 16:21, Deric Kwok wrote:
> Thank you
>
> I also heard the trunk can help it. Do you have this experience?

Beware, there is an inconsistency in naming here ... many manufacturers speak of combining multiple physical links to one logical link by calling it "trunking". In Cisco names, a trunk is just a Multi-VLAN capable port (by default, all available VLANs of a switch, though this can be limited to certain VLANs of course). Some manufacturers may also call it (channel) bonding ... So any time you hear anybody talk of trunks, make sure you're all on the same grounds as far as the meaning goes.

Cisco calls this EtherChannels, or in Configuration terms, Port-Channels. By configuring a channel group on multiple interfaces, you combine their bandwidths, e.g.:

interface GigabitEthernet6/1
 channel-protocol lacp
 channel-group 1 mode active

interface GigabitEthernet7/1
 channel-protocol lacp
 channel-group 1 mode active

You then configure the logical channel as a separate interface, e.g. in this case interface Port-channel1 ...

-gg
Re: [c-nsp] VRF-ish solution for L2 interfaces?
On 06.04.2011 18:16, randal k wrote:
> NSP'ers,
>
> For unfortunate reasons I am asking the collective if there is a way to do
> VRF-lite style segregation for layer-2 interfaces. Situation is that I have
> a 6509, and I need to make a single blade on the chassis have a completely
> separate VLAN database from the rest of the chassis, effectively letting me
> use a VLAN twice on the chassis without allowing them to talk to each other.

Could something like the UNI/NNI port types that are used on ME-switches like the ME3400 be a possibility? If you have a switch with several ports configured as UNI ports in the same VLAN, they won't be able to talk to each other, even though they are in the same VLAN. All traffic is required to go out via NNI uplink ports ... (not sure whether this feature is available on the 6500 series though)

-garry
[c-nsp] CSC & AD/DC-based user authentication
Hi,

we've been asked by a customer to configure their CSC with the new user/group web filtering features. I've seen them in the current version of the CSC software, but have never used them to date, apart from some tests with IP-based filtering which I got to work ... As we ourselves do not have any ADS or DC running here, I can't give it a try beforehand ... has anybody here successfully rolled out this feature? After some digging, I came up with a $C doc about how to configure it, but it appears a bit sketchy to me ... unless they really managed to make it that easy to set up ... is there anything to watch out for? I was going to install the client on the customer's ADS directly, which is recommended in the document ...

Tnx, Garry
[c-nsp] ASA VPN migration
Hi,

I have a customer ASA which needs to migrate VPNs from one network IP to another. In order to keep outages down to a minimum, VPNs are to be migrated one by one. I was wondering if this is at all possible ... to start off with, I'd have to set up a second outside interface (which in itself works, tagging it on another VLAN, and setting up the router with another VLAN link). But with no PBR available, I'm not sure if the routing to the outside will even work correctly ... and even if that does work, would the ASA even be able to source VPNs from multiple IP addresses...

So, should I just ditch the whole idea and tell the customer to just get the remote sites organized so they can be migrated in a batch? (which would be my intent to start off with)

-gg
Re: [c-nsp] Router/switch recommendations for colocation
On 28.01.2011 07:18, Jim Berwick wrote:
> Hello,
>
> Hoping someone can offer advice on hardware. We're going to be
> offering bandwidth to our colo customers. Initially we're bringing in
> a single 100mbit connection (Level3) but planning to add a Verizon
> circuit in the near future and do BGP (full routes from both
> providers). We're looking for something to terminate the internet as
> well as the customer connections.
>
> Looking for a switch that can do ingress and egress rate shaping (or
> thinking of a 3750 stack and handling rate shaping on the router
> upstream), and a router/switch that can handle full BGP tables from at
> least two providers. We need something either fully redundant (dual
> SUP, power supply, etc), or two units with HSRP.
>
> The idea that was put on the table already is a 3750 stack (two
> switches, feeding each customer two connections) uplinked to two 3845s
> to handle layer 3 routing of the customer VLANs and the BGP sessions.
> My concern with that setup is the 3845 being able to handle two full
> BGP tables.

With a decent ram upgrade, that shouldn't be the problem .. forwarding though might be the important issue with the 3845. What bandwidths do you expect to handle? Check out Cisco's router performance sheet for a rough estimate of how much throughput you can get out of the routers ... According to it, the 3845 is rated at 500kpps, which ought to be enough to handle two 100mbit uplinks ... you might want to look into maybe a 7301, which can handle twice the throughput (~1mpps) and is only 1RU ... price-wise it's not that much difference (List price of 18k$ for the 7301, 13k$ for the 3845). Or even better, look into an ASR1002F, which is 20k$, but is rated at 4.4mpps and has 4xGE ... (and has more memory and flash on board)

-garry
Re: [c-nsp] Upgrading IOS to crypto image
On 04.01.2011 01:05, Peter Rathlev wrote:
> AFAICT there's no product sold for going from a non-K9 version to a
> K9-enabled version of any software.
>
> Of course, only way to be certain is asking Cisco.

AFAIK, crypto isn't a "paid feature", but rather standard, with non-crypto version only being made available for export purposes ... (FTP-server usually only had the non-crypto available, with crypto only through web interface download ...) So if you're eligible for IOS downloads, you should be able and allowed to get the k9 and install it ... (hurry, Jan 10 is nearing fast!)

-garry
Re: [c-nsp] Console server
On 02.01.2011 04:58, Aaron wrote:
> You can get SSH for 2511. Use 12.0s.
> Yes it would be an old image (12.0(21 or so))

12.0 doesn't seem to be available for download anymore, even under the "deferred" section of the download tool ... Newest version (well, highest version anyway) available is 12.3.26, though no "k9" in the filename ... IP plus seems to be the highest feature version ... there's some 12.1 "SEC" versions available, 56bit only though ...

Oh well, we can get around without SSH, limited access to our management VLAN ...
Re: [c-nsp] Console server
On 30.12.2010 21:02, Jay Nakamura wrote:
> Do anyone have recommendation on console server? I have about 10
> devices per location I want console port connected for remote access
> in case of emergency. I don't need a modem or cell card or anything.
> IP/Ethernet access, preferably able to ssh into it plus web access
> will be nice.(Web access that doesn't lock you down to IE) I was
> looking at Avocent but getting feedback on actual field experience is
> so much more reliable than reading through specs and marketing
> garbage.

Try picking up some used 2511 routers ... they work fine, and with 16 ports, you'd still have a couple ports to spare ... just use the old blue rollover-cables to connect to the other devices ... upside is they're cheap, reliable, low-power usage, only single RU. Downside, only rather old IOS versions are available, so no SSH or web interface.

-garry
Re: [c-nsp] Legitimate Access to IOS for Legacy/EOL devices
On 21.12.2010 12:00, Gert Doering wrote:
> Hi,
>
> On Tue, Dec 21, 2010 at 10:46:09AM -, Antonio Soares wrote:
>> "Starting 10th January, 2011, software downloads on Cisco.com will be
>> verified against Products registered on your Services contract. Attempts to
>> download Software for Products not registered on your Services contract will
>> not be permitted."
> Heh, not even the customer impairment service is shipping on time.
>
> What sort of customer service is that?

+1

I reckon starting Jan 10 the support crew will have a lot of work assigning customer accounts to service contracts ... sort of like a DDoS ;) Wonder if they'll still be able to do some real work ;)

-garry
Re: [c-nsp] Backup Interface & IPv6 - why is Cisco sleeping?
Just noticed, looks like they even messed up the IPv4 part in conjunction with standby IPs ... e.g.:

int g0/0/0
 ip add 172.20.0.10 255.255.255.0
 backup interface g0/0/1
int g0/0/1
 ip add 172.20.0.10 255.255.255.0

This config of course works fine ... attempting to add this:

int g0/0/0
 standby 1 ip 172.20.0.1

results in:

% 172.20.0.1 overlaps with GigabitEthernet0/0/1

d'oh ... of course, after all it's the _BACKUP_ interface ... using a different subnet would defeat the meaning of a backup interface ...

Btw, this still works in e.g. 12.4(17a) on a 7200 ...

-garry
Re: [c-nsp] Backup Interface & IPv6 - why is Cisco sleeping?
On 15.12.2010 14:13, Ian Henderson wrote:
> On 15/12/2010, at 1:54 AM, Garry wrote:
>
>> I'm really starting to
>> wonder whether we're the only ones on this earth still using a dual
>> switch config for our routers for redundancy purposes ...
>
> So you're using backup interface for two Ethernet interfaces, both facing the
> same switched network? Cool - haven't seen backup interfaces since they were
> used to dial ISDN terminal adaptors. Is anyone else out there doing this? Out
> of curiosity, what kind of failover time do you get for IPv4? Does it swap
> the MAC address too?

No, different MAC addresses ... switchover time is something like 2-3 seconds with appropriate settings on the switch port (portfast, otherwise STP would require a longer wait time until the port is enabled)

-garry
Re: [c-nsp] Backup Interface & IPv6 - why is Cisco sleeping?
On 15.12.2010 08:29, Arie Vayner (avayner) wrote:
> Garry,
>
> It could be related to CSCth59072 "Backup interface up instead of
> standby" which affects the ASR1K.
> The latest 15.0(1)S version (03.01.02.S.150-1.S2) should have the fix...

Not sure about the exact extent of this bug, but I'm not having any trouble with the interface not switching over between main and backup ... more a Layer 3 bug/oversight than L1/L2 ... Tried on both 03.01.01 and 03.01.02 ...

-garry
Re: [c-nsp] Backup Interface & IPv6 - why is Cisco sleeping?
On 14.12.2010 17:47, Seth Mattinen wrote:
>
> ipv6 address 2001:0DB8:107:400::1/64 anycast
>
> This will suppress duplicate address detection.

Nope, doesn't work either ... used the anycast option on both interfaces, still get the warning on the standby interface, or error when using it on it when in backup mode active ...

-garry
[c-nsp] Backup Interface & IPv6 - why is Cisco sleeping?
Having just installed a set of nice ASR1k boxes with rather new IOS, I noticed Cisco has still (after many years and many IOS releases) not managed to get Backup Interfaces & IPv6 to work with each other ... or I'm missing something ... but while IPv4 addresses on backup interfaces work just fine, IPv6 config will lead to the backup interface not coming up due to the IP address overlapping with the IP address of the primary interface (what a surprise - it's the BACKUP INTERFACE, for crying out loud ...)

With Cisco presenting themselves and their hardware oh so v6-ready (which they are for most parts I guess - all other features at least we require for production use seem perfectly fine), I'm really starting to wonder whether we're the only ones on this earth still using a dual switch config for our routers for redundancy purposes ...

-garry
Re: [c-nsp] 876 & Siemens DSLAM @ aDSL2+ ?
On 13.12.2010 14:46, Dominik Bay wrote:
>> In our extensive testing with BT (British Telecom) we have found
>> 4.0.015 to be pretty poor, the version we are currently shipping out
>> on ADSL2 CE's is 4.0.209
> As there was a question specifically for DTAG DSLAM support, I
> suggested 4.0.015 as this is known to be working and sort-of certified
> with DTAG. Nevertheless 4.0.209 could work too.

Tried looking on cisco.com for those firmwares, but at least they are not listed under the 870 series routers ... is the firmware available through the general download page, or do I have to go through TAC?

Tnx, -garry
Re: [c-nsp] 876 & Siemens DSLAM @ aDSL2+ ?
On 13.12.2010 13:59, David Rothera wrote:
> Could you run a 'sh dsl int at0' and paste the input. I have pretty much
> every single DSL firmware for the 877 including ones that drastically improve
> ADSL2 performance but I'm not too sure if the 876 takes the same firmware...

The 877 (which is for Annex-A) most likely uses a different DSL firmware than 876 (Annex-B) ...

Init FW:        init_AMR-3.0.014_no_bist.bin
Operation FW:   AMR-3.0.014.bin
FW Source:      embedded
FW Version:     3.0.14

Tnx, Garry
[c-nsp] 876 & Siemens DSLAM @ aDSL2+ ?
Hi,

one of our customers has just had an outage, possibly after some maintenance done by German Telekom. Line went down, no DSL sync anymore. After some tests Telekom reduced the line to 6M instead of the 16M which were originally booked (and worked), line came back up. Seeing that the DSL firmware on regular images is something like 1 1/2 to 2 years old I was wondering whether there are any newer versions around, or if it's something that could be altered in the config in order to get the 16M mode to work again ...

Thanks, Garry
Re: [c-nsp] Legitimate Access to IOS for Legacy/EOL devices
On 20.11.2010 12:26, Gert Doering wrote:
>
> ... and have managed to get that service contract attached to the CCO
> username that you've used for logging in.
>
> Now this might sound like a minor nit, but for us, it's major pains -
> whenever we put a new device under contract, it seems to end up having
> a new contract number, and then the whole team goes and spends non-trivial
> amount of time attaching this new contract number to their respective
> CCO accounts...
>
> This is all such a waste of human life time.

Amen to that! Guess TAC needs to get flooded with requests for IOS-Images - no telling though whether that will help in the end ... of course this will also hurt people who actually need /real/ TAC support ... :(

-garry
Re: [c-nsp] ASR1k IOS recommendation
On 19.11.2010 09:32, Elmar K. Bins wrote:
> g...@greenie.muc.de (Gert Doering) wrote:
>
>>> currently, there's 2.4 through 2.6 and 3.1S available for download,
>> Rest assured, this problem is going to be solved.
> I guess what you mean is that the part with the accessibility is going to
> be solved, right? ;-)

Most likely, which is why I already downloaded 5 images ;)
[c-nsp] ASR1k IOS recommendation
Hi,

we'll be receiving two ASR1k boxes these days (another one to be ordered shortly), and I was wondering which IOS I should be using ... we did some tests on a router provided by Cisco, which hasn't been long ago, and it seems like they're rolling out new versions daily ... currently, there's 2.4 through 2.6 and 3.1S available for download, with different minor versions ... requirements are "regular" stuff like BGP, OSPF, MPLS support ... any comments as to which release would be the "most stable"?

Tnx, -garry
Re: [c-nsp] Multilink PPP Over Multiple LNS(es)
On 17.11.2010 16:17, Dominic Ogbonna wrote:
> (a.) Let's say you have two LNS(es): Lns-1 and Lns-2
> (b.) Let's say each builds its own transport L2TP tunnel back to the LAC(s),
> perhaps via redundant circuits
> (c.) Let's say the LAC(s) religiously round-robin between the two LNS(es)
>
> In the above scenario, what would be the best practice for supporting
> Multilink PPPOE / Bonded ADSL on the LNS?
>
> I ask because, if you enable multi-link on both LNS(es), you obviously end
> up with multilink bundles where the L2TP session is split between two L2TP
> tunnels - one link authenticating to one LNS/tunnel, the other
> authenticating to a different LNS/tunnel, leading to all kinds of routing
> and network weirdness, especially when one of the multilink member-links
> drops.
>
> For LNS box, we are talking two Cisco 7206 with NPE-G2, so Multi-Chassis LNS
> is not an option.

SGBP will work out fine ... had it running with four routers (2 7206, 2 3825) without any problem ... upon incoming connection, the LNS will check with the other SGBP boxes to see whether it's an additional connection ... if not, it will just keep the connection with itself, otherwise it will forward the connection via L2TP to the LNS that already has one or multiple connections for that remote site ...

-garry
Re: [c-nsp] Unstable IOS Version for LNS on Cisco 7206 NPE-G2
On 10.11.2010 20:33, Dominic Ogbonna wrote:
> Does anyone have any thoughts as to what could be wrong? Any suggestion for IOS version?

Are you sure it's not something in the HW? Apart from that, not running on a G2 but multiple 3825, and probably a bit outdated, but we've not had any problems with 12.4(15)T1 ...

  dsl-gw3.ffm1 uptime is 3 years, 1 week, 5 days, 8 hours, 2 minutes

Receiving DSL connections via L2TP over LAN, and doing lots of MPLS/VRFs with it ...
-garry
Re: [c-nsp] SNMP-Check of DMVPN Tunnels?
On 03.11.2010 20:22, Jonathan Herbert wrote:
> We just run an IGP and query throughput on the Tu interfaces. If the crypto socket is down, you'll end up with rxbps = 0. Seems to work well.

The problem is that both Spoke->Hub connections run through the same DMVPN tunnel interface ... and I would prefer not to complicate the configuration by adding additional tunnels ... :)
[c-nsp] SNMP-Check of DMVPN Tunnels?
Hi,
we've set up a customer with a DMVPN with multiple sites, including redundant routers and links. Now, using regular Layer3 methods, it's not possible to check whether a DMVPN link is up or not, e.g.:
Site A has two Hub routers, Site B has two spoke routers. Both Spoke routers connect to both hub routers. EIGRP takes care of the routing, preferring the link between the two primary routers. Using ICMP, all I can see is that I can reach both spoke routers' DMVPN IPs. I can't tell though whether B2 has an active tunnel to A2, as the routing goes via the A1-B1 link.
Are there any SNMP fields I can query to see whether the links are up?
Tnx, Garry
Re: [c-nsp] Routing performance of ME3400
On 27.10.2010 16:42, Eric Van Tol wrote:
> Hello,
> Check your SDM template - you probably have it set to 'layer-2' when it should be 'default' for layer 3 routing.

Customer confirmed ... did some more performance tests, switch is now operating at decent performance ... :) Thanks again for the hint! Sucks though that the option isn't shown in the config ...
-garry
Re: [c-nsp] Routing performance of ME3400
Eric, Dmitry,
On 27.10.2010 16:42, Eric Van Tol wrote:
> Hello,
> Check your SDM template - you probably have it set to 'layer-2' when it should be 'default' for layer 3 routing.

Thanks, this fixed the ME's behavior in my test setup, problem is the switch I have running at the customer site already has the "sdm default" config on it ... though, it might be that the second switch (which has the redundant line on it, and should only be used when the primary switch fails) is somehow causing some problems, it still had the layer2 setting ... I have updated the config on that one, and will have to do some tests to see whether it works better now ...
Garry
[c-nsp] Routing performance of ME3400
Hi,
I'm trying to pinpoint a problem with a customer site ... it's hooked up via dual 1G SM to a central 4500. There are multiple VLANs connected. Weird thing is this:
VLAN 999 is distributed on L2 between three sites - the customer, the site with the 4500, and the backbone site. All three boxes have L3 addresses in that VLAN. VLAN 1999 is used only at the customer site, with its own IP subnet. The backbone site has additional VLANs, one of which has a Linux server.
When I hook up a PC to the customer site switch, using VLAN 999 and another IP out of the VLAN, doing an iperf run results in "appropriate" throughput in either direction (server only has 100M, so the 95-98mbit iperf reports should be OK). In this setup, the ME3400 only does L2 with the packets.
Doing the same using VLAN 1999, with an IP out of that IP range, and the ME3400 doing L3 forwarding, incoming (towards the customer site) traffic throughput drops to something like 30-50Mbit, while outgoing throughput results in a constant (!) 16777 kbit. Remember, this is still on a 2GB PortChannel in uplink! Even worse, on bidirectional traffic (incoming 30mbit e.g.), output even drops further, as if there were some Halfduplex issue (which there isn't, at least not on any interface involved, checked everything multiple times).
Could it be that the ME3400, albeit having the "largest" IOS on it (metro-ipaccess) for BGP etc., is severely limited as far as L3 performance goes?
Also, I'm sporadically seeing this error:

  *Mar 1 00:41:15.366: %PLATFORM_UCAST-4-PREFIX: One or more, more specific prefixes could not be programmed into TCAM and are being covered by a less specific prefix, and the packets may be software forwarded

I did a "show platform ip unicast failed route" and got this output:

  Entries covered by Actual default route(0.0.0.0/0)
  240.0.0.0/4 Tbl:0 : Cover:0.0.0.0/0 Tbl:0
  0.0.0.0/8 Tbl:0 : Cover:0.0.0.0/0 Tbl:0
  127.0.0.0/8 Tbl:0 : Cover:0.0.0.0/0 Tbl:0
  x.x.y.0/24 Tbl:0 : Cover:0.0.0.0/0 Tbl:0
  x.x.x.y/29 Tbl:0 : Cover:0.0.0.0/0 Tbl:0
  Total of 5 entries covered by 0.0.0.0/0 Tbl:0
  Entries covered by Actual default route(0.0.0.0/0)
  240.0.0.0/4 Tbl:1 : Cover:0.0.0.0/0 Tbl:1
  0.0.0.0/8 Tbl:1 : Cover:0.0.0.0/0 Tbl:1
  127.0.0.0/8 Tbl:1 : Cover:0.0.0.0/0 Tbl:1
  Total of 3 entries covered by 0.0.0.0/0 Tbl:1
  Entries covered by Actual default route(0.0.0.0/0)
  240.0.0.0/4 Tbl:2 : Cover:0.0.0.0/0 Tbl:2
  0.0.0.0/8 Tbl:2 : Cover:0.0.0.0/0 Tbl:2
  127.0.0.0/8 Tbl:2 : Cover:0.0.0.0/0 Tbl:2
  10.10.0.0/16 Tbl:2 : Cover:0.0.0.0/0 Tbl:2
  Total of 4 entries covered by 0.0.0.0/0 Tbl:2

Checking Cisco's docs, the "recommended action" isn't really useful: "Recommended Action: No action is required."
Great. So seeing that CPU might be used for L3 forwarding does not warrant any action? Seeing that 0/8 route there has me somewhat worried, but what might cause the performance hit is the other two network routes listed as being covered by 0/0 ... any comments on this? Can I avoid it somehow?
Anyway, the customer site at the moment does not report this error, but performance is still bad, so I reckon it's not necessarily caused by this ...
Hints appreciated!
Tnx, Garry
Re: [c-nsp] C892 & PPPoE on VLANs
On 30.09.2010 00:45, Łukasz Bromirski wrote:
> It works the same with regards to switch ports, however the WLAN AP is autonomous.
>
> You can configure up to 14 VLANs (Table 3):
> http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-519930.html

Thanks!
[c-nsp] C892 & PPPoE on VLANs
Hi,
just wondering, as we haven't had any of these yet and I don't want to get surprised if I order one ... I was looking at the 892 mainly due to the rather high throughput rating of 50+ MBit/s (compared to ~16MBit on the 870 series). Looks to be nice, just want to ensure it does handle its switch ports (it has 8 FE-TX ports) as the 870/880 series does ... I need to hook up something like 2-3 PPPoE-connections to the router, which we usually do using vlan 2 through n and then configuring each vlan interface for doing the actual dialup through a dialer interface ... I would expect the 890 series to work the same ... anybody happen to have any experience yet? Or is there a limitation to the number of vlans?
Tnx, -garry
Re: [c-nsp] ASR1000 Routes on ESP2.5 ESP5
On 21.09.2010 07:35, Lukasz Bromirski wrote:
> On 2010-09-21 01:31, David Blundell wrote:
>> I am trying to find the number of routes that an ASR1002-F (embedded ESP2.5) and an ASR-1002 with ESP5 can handle.
>
> ASR1002-F and ASR-1002 can both handle 512k IPv4 prefixes maximum, 128k IPv6 prefixes maximum or a mix of these. The change in marking of the ESP from 5 to 2.5 comes from the fact that the useable bandwidth was halved, not the system capacity to store data.

Whoa ... and $C is marketing this box (1002F) as a provider box? I was looking into junking a couple 7200VXR for them, but seeing our current prefix total already well above 300k on the internet, I'm sort of worried whether this is a good idea ... at least for the one that was going to do our DECIX peering ... add to that VRF prefixes that may also be present ... with the v4 exhaustion, I reckon the Internet will most likely be at a combined 500k prefixes between v4 and v6 in a year ... is $C really this short-sighted?
OTOH, the 1002F will of course still be a nice box in the IGP area in the event it's not sufficient for the uplink ...
-gg
Re: [c-nsp] Recommendation request for gateway router specs
On 31.08.2010 09:01, Ziv Leyes wrote:
> The 7200 VXR may be a good choice, lower price than ASR and still deliver what you need.
> In case you don't really need all the expansions options perhaps a 7206 is too "big" for you in matters of rack space and you can go for a 7204 or even a 7201, same machine, less space.

Not wanting to nit-pick here, but the 7204 and 7206 are the same routers, same box, just two less backplane slots ... so no space saving there ...
[c-nsp] PPTP through Router NAT?
Hi,
I've been trying to get this to work, doesn't seem to check out ... I've got a customer with an MPLS VPN to several locations. The MPLS is handed to the internet at our central MPLS firewall, 3825 w/ FW-IOS. Customer hosts are PATed through it with a single IP.

  ip nat pool CUSTNAT x.x.x.x x.x.x.x netmask 255.255.255.0
  ip nat source list VRFCUST pool CUSTNAT vrf CUST

(with VRFCUST containing a list of customer internal networks)
I've already run a packet debug and saw the outgoing and returning packets, with correct NAT. Nonetheless, the communication doesn't work out, PPTP isn't set up correctly. I assume the customer has used the right authentication information.
On ASA/PIX I know a simple "fixup protocol pptp 1714" will get the VPN running. Checking several documents on Router configs, I've mostly found docs explaining how to make an internal PPTP server available to external users. Couldn't seem to find one that was about doing it the other way around ... one was going on about using CBAC, but wasn't complete as far as documenting everything that would be required to get it running ...
What part am I missing here? (and why can't M$hit finally ditch that abomination of a protocol for something more secure and standardized ...)
Tnx, Garry
Re: [c-nsp] quick VTP question.
On 05.08.2010 02:09, Troy Beisigl wrote:
> After reading up on VTP server configurations at Cisco, I wanted to get someone's real life experience sign off on this.

Whatever you do, make sure you set up VTP passwords ... we had an instance where a switch was not configured for VTP password ... when an additional uplink provider was hooked up, their switch sent a VTP update, overwriting the customer switch's vlan config ... talk about having fun ... ;)
-gg
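As an added example that is not part of the original reply, the VTP hardening it recommends, written out as a Cisco IOS configuration fragment; the domain name, password and uplink interface are hypothetical placeholders:

```cisco
! Added example, not taken from the original post. The domain name,
! password and interface below are hypothetical placeholders.
!
! 1) Authenticate VTP. The MD5 digest carried in VTP advertisements is
!    computed with this password, so an advertisement from a switch
!    that does not know it fails the check and is not applied.
vtp domain CUSTOMER-DOM
vtp password Sup3r-VtP-Pw
!
! 2) A switch that should never take its VLAN database from the wire:
!    transparent mode keeps its locally configured VLANs and does not
!    apply received advertisements to its own VLAN database.
vtp mode transparent
!
! 3) VTP is only exchanged on trunk ports. An uplink to equipment you
!    do not control (e.g. a second provider) must not be able to
!    negotiate a trunk: pin it to access mode and switch DTP off.
interface GigabitEthernet0/1
 description uplink to external provider (hypothetical)
 switchport mode access
 switchport nonegotiate
!
! Verify on the switch:
!   show vtp status     - mode, domain, configuration revision number
!   show vtp password   - the configured password
```

The password on its own is a weak control: it is a shared secret, and a switch that knows it and joins the domain with a higher configuration revision number still overwrites the VLAN database on every server and client in that domain. Where a switch does not need centrally managed VLANs, transparent mode, together with keeping untrusted uplinks out of trunk mode, is what actually prevents the overwrite described in the reply above.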
[c-nsp] "unsupported-transceiver" on routers?
Hi,
wondering, is there a version of the Cisco switch command "service unsupported-transceiver" for routers? (3825)
I've had a case where a customer had an SFP failure and only had some third party SFPs flying around, which of course wouldn't work (they do in Cisco switches with the option set), so I had to have someone drive over to get them a replacement ... :( Sucks ...
Tnx, -gg
Re: [c-nsp] Recieving Dying Gasp notifications
On 15.06.2010 18:27, Kaegler, Mike wrote:
> I have a few remote sites which can be prone to power failures. For various reasons, implementing UPSs with management cards is not suitable and/or desirable.
>
> The remote equipment all supports Dying Gasp, however, but I cannot seem to find a way to make my 7200s, 3800s, or 2600s to receive the DG notifications. Google seems to indicate that only the CRS-1 will do it.
>
> This seems a pretty simple & low-cost feature... is there truly no Cisco support for receiving DG on sub-million-dollar routers?
> -porkchop

Just my €0.02, but if the site is important enough for you to "hope" for the site to send a last millisecond notification, it should be important enough to invest a couple bucks on a remote management capable UPS ... not just for power outages, but rather for protecting the hardware from voltage spikes, or erratic behavior due to other power problems ...
-gg
[c-nsp] Real life performance of NPE G1/G2?
Hi,
I was wondering, what real life performance can one expect from an NPE G1, considering mostly vanilla IP routing/forwarding? (no ACLs, no VPNs, running CEF and MPLS VRFs, OSPF/iBGP for routing protocol, and utilizing the integrated Gbit interfaces as well as 1-2 STM1 PAs on the 7200 VXR chassis)
I know the performance charts from Cisco talk about 1 MPPS for the G1, which equals ~640 Mbit throughput @ 64 bytes per packet - to what extent is that "worst case"? I know on the NPE300/400 cards, the "worst case" throughput pretty much is the real life throughput - does the G1 perform better by using HW forwarding? I would like to see some real throughput in the 1Gbit/s range, assuming that flows that could fill it up rarely use 64bytes per packet, but 1k and upward ...
Thanks, -gg
[c-nsp] Redundant VPN w/ Cisco Routers
Hi,
I've received a request about setting up a redundant VPN between two sites ... remote site has two routers connected to two separate lines, one with static IP, the other dynamic. Local site has a single router with two links, both static IPs. HW used is a 1841 locally, remote has an 887 and 878 ...
As I can't use the same internal IP ranges for both VPNs, I was thinking about setting up something along this idea:
- put in some loopback IP, e.g.: 10.0.0.1 for local site, 10.0.1.1 for remote router 1, 10.0.1.2 for remote router 2
- set up IPSEC VPNs for 10.0.0.1-10.0.1.1 and 10.0.0.1-10.0.1.2
- run GRE tunnels over those IPSEC tunnels
- use some IGP over the tunnel (and between the two remote routers) to route the actual LANs
Does this sound like a feasible solution, or is there a better way to set this up? I've looked around a bit on the 'net, but apart from some people asking for similar solutions (and usually not getting an answer) I couldn't find anything ...
Tnx, Garry
[c-nsp] asa csc 10 performance ...
... or rather lack thereof ...
We have several customers running 5510 w/ CSC 10 ... most of them only use them on rather slow lines, like 2-6M aDSL or 2-4M sDSL ... another one has a CSC20, running on our backbone w/ 100M ethernet uplink, also without any noticeable problems ...
One customer though has a 34M E3 link, with very decent performance (downloads are very near the theoretical speed when going directly through without CSC scanning). Anyway, when the CSC scanning is activated, delays for html access are pretty shitty ... whereas a page with a dozen or two images may load within a second or two regularly, with the CSC scan this slows down to 15 seconds or more ...
I've set up another 5510 w/CSC10, using mostly default settings for the CSC policy rules, moving everything through the default policy (DNS etc.), and a separate rule for HTML/FTP/SMTP traffic ... even with low utilization (<1Mbit/s throughput on the FW at the time of initial loading), page loads slow down as our customer also experiences ...
With the CSC10 being sold as suitable for up to 250 (?) users, I don't see how a single user's access can be this taxing on the CPU that it causes such delays ... I've tried this with both 6.2.1599 as well as the current 6.3 version of the CSC software. Tried with both web site classification on and off. It seems that with the scanning enabled, access that usually happens more or less in parallel by the browser becomes way more sequential ...
With the rather limited amount of configuration options (as far as performance tuning goes) in the ASDM interface, I don't think I should have configured anything wrong ... I am open to suggestions though ;)
Anybody else come across this problem?
Tnx, -gg