Re: [c-nsp] Full Duplex
On 11/18/14, 2:16 AM, M K wrote:
> Hi all, we were arguing about the full duplex FE interface and its speed. Is
> it true that this interface can handle 100Mbps send and 100Mbps receive at
> the same time? like it is 200Mbps ?

To be more precise, the throughput in either direction is limited to 100 Mbps but traffic can flow in both directions at the same time.

If you have an expressway with lanes in both directions and a speed limit of 100 MPH, you don't call it a 200 MPH expressway. (That's full-duplex).

If you have a single-lane road with a speed limit of 100 MPH then you can transmit at up to 100 MPH in one direction at a time. Attempting to transmit in both directions at the same time results in what is referred to as a collision. Collisions reduce throughput as the debris must be cleaned up and then retried.

Salespeople have been known to refer to T-1 circuits as 3Mbits/s and 100Mbps full-duplex Ethernet as 200 Mbits/s. This is considered to be nitrogen-rich organic fertilizer by those with clue.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Full Duplex
On 11/18/14, 2:16 AM, M K wrote:
> Hi all, we were arguing about the full duplex FE interface and its speed. Is
> it true that this interface can handle 100Mbps send and 100Mbps receive at
> the same time? like it is 200Mbps ?

Only if you are a salesperson.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
[c-nsp] Cisco bug locator?
Does anyone have a current URL for the Cisco bug toolkit that works the right way around?

The link on their website now only allows you to enter a bug ID. I am looking for the original bug tool that is actually useful, where you specify the IOS version, platform, and nature of the bug, and it then gives you the bug ID.

This one is kind of useless.

https://tools.cisco.com/bugsearch

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] BGP route won't advertise
On 2/27/13 4:07 PM, Jerry Bacon wrote:
> I've tried with and without next-hop-self on R3, it doesn't seem to make
> any difference.

On R3, do you have next-hop-self to neighbor R1 and vice-versa?

> On R1, I have:
>
> ip as-path access-list 16 permit ^$
> ip as-path access-list 16 permit ^11xx1
> ip as-path access-list 16 deny _11xx1_
> ip as-path access-list 16 permit .*

> On R4, I have:
>
> ip as-path access-list 10 permit ^11xx1
> ip as-path access-list 10 deny _11xx1_
> ip as-path access-list 10 permit .*

You could simplify that to:

ip as-path access-list 10 deny _11xx1_
ip as-path access-list 10 permit .*   <- Dangerous outbound to transit connections.

Do you have any IP or prefix-list filters in place?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
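
The two-line filter from the reply above, evaluated against a few AS paths to show what a trailing `permit .*` lets through; this is an added example, not part of the original message. AS 64500 stands in for the redacted 11xx1, the sample paths are constructed, and `OWN_ROUTES_ONLY` is a hypothetical stricter list included only for comparison.

```python
import re

# In an IOS as-path regex, "_" matches a delimiter: the start or end of the
# path, a space, a comma, or a brace/parenthesis (AS sets, confederations).
DELIMITER = r"(?:^|$|[ ,{}()])"


def compile_cisco(pattern):
    """Translate an IOS as-path regex into an equivalent Python regex."""
    return re.compile(pattern.replace("_", DELIMITER))


def evaluate(acl, as_path):
    """Entries are checked in order; the first match decides.
    A path that matches nothing hits the implicit deny."""
    for action, pattern in acl:
        if compile_cisco(pattern).search(as_path):
            return action
    return "deny"


def advertised(acl, paths):
    """Return the paths the list would allow to be advertised."""
    return [p for p in paths if evaluate(acl, p) == "permit"]


# The list from the reply, with 64500 substituted for 11xx1 (assumption).
SUGGESTED = [
    ("deny", "_64500_"),
    ("permit", ".*"),
]

# Hypothetical comparison list: only locally originated routes (empty path).
OWN_ROUTES_ONLY = [
    ("permit", "^$"),
]

# Constructed sample AS paths, as seen by the router applying the filter.
SAMPLE_PATHS = [
    "",                   # locally originated
    "64510 64511",        # learned from some other neighbour
    "64510 64500 64511",  # transits the filtered AS
    "64510 645001",       # similar digits, but a different AS number
]

if __name__ == "__main__":
    for name, acl in (("SUGGESTED", SUGGESTED),
                      ("OWN_ROUTES_ONLY", OWN_ROUTES_ONLY)):
        print(name)
        for path in SAMPLE_PATHS:
            shown = path if path else "(empty)"
            print(f"  {shown:<20} {evaluate(acl, path)}")
```

With `permit .*` last, every path learned from another neighbour that does not contain the filtered AS is eligible to be sent on, which is why the reply asks about IP or prefix-list filters as well.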
Re: [c-nsp] BGP route won't advertise
On 2/27/13 3:24 PM, Jerry Bacon wrote:
> R1#sh ip bgp a.b.c.0/22
> BGP routing table entry for a.b.c.0/22, version 406152
> Bestpath Modifiers: always-compare-med, deterministic-med
> Paths: (1 available, best #1)
> Not advertised to any peer
> 11xx1
> x.y.z.242 (metric 143360) from x.y.z.242 (x.y.z.242)
> Origin IGP, metric 0, localpref 100, valid, internal, best
>
> None of the issues that I have been able to find that might cause this
> behaviour seem to apply. Any ideas on what more to look for?

No IGP route to x.y.z.242 from R1 and BGP synchronization enabled?

Prefix-list or AS-path filter list on your EBGP neighbor on R1?

Next hop of R3 not reachable from EBGP neighbor (need next-hop-self?)

No-export community getting applied by a route-map?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Cisco s0/1/0 T-1 is up but not showing up in route table
On 1/31/13 4:10 PM, false wrote:
> Here is the output from "debug ppp negotiation". I'd say no one is responding
> on the other end.(??) Thoughts?

Agreed. If you are in control of the other end, take a look there. If you aren't, open a trouble ticket with them. You need to troubleshoot this problem in conjunction with the other end of the circuit.

> Jan 31 14:12:52.181 CST: %LINK-3-UPDOWN: Interface Serial0/1/0, changed state to up
> 000401: Jan 31 14:12:52.181 CST: Se0/1/0 PPP: Using default call direction
> 000402: Jan 31 14:12:52.185 CST: Se0/1/0 PPP: Treating connection as a dedicated line
> 000403: Jan 31 14:12:52.185 CST: Se0/1/0 PPP: Session handle[4F0E] Session id[9]
> 000404: Jan 31 14:12:52.185 CST: Se0/1/0 PPP: Phase is ESTABLISHING, Active Open
> 000405: Jan 31 14:12:52.185 CST: Se0/1/0 LCP: O CONFREQ [Closed] id 8 len 10
> 000406: Jan 31 14:12:52.185 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000407: Jan 31 14:12:54.180 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000408: Jan 31 14:12:54.180 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 9 len 10
> 000409: Jan 31 14:12:54.180 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000410: Jan 31 14:12:56.196 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000411: Jan 31 14:12:56.196 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 10 len 10
> 000412: Jan 31 14:12:56.196 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000413: Jan 31 14:12:58.212 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000414: Jan 31 14:12:58.212 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 11 len 10
> 000415: Jan 31 14:12:58.212 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000416: Jan 31 14:13:00.228 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000417: Jan 31 14:13:00.228 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 12 len 10
> 000418: Jan 31 14:13:00.228 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000419: Jan 31 14:13:02.243 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000420: Jan 31 14:13:02.243 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 13 len 10
> 000421: Jan 31 14:13:02.243 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000422: Jan 31 14:13:04.259 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000423: Jan 31 14:13:04.259 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 14 len 10
> 000424: Jan 31 14:13:04.259 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000425: Jan 31 14:13:06.275 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000426: Jan 31 14:13:06.275 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 15 len 10
> 000427: Jan 31 14:13:06.275 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000428: Jan 31 14:13:08.291 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000429: Jan 31 14:13:08.291 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 16 len 10
> 000430: Jan 31 14:13:08.291 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
> 000431: Jan 31 14:13:09.535 CST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.138)
> 000432: Jan 31 14:13:10.307 CST: Se0/1/0 LCP: Timeout: State REQsent
> 000433: Jan 31 14:13:10.307 CST: Se0/1/0 LCP: O CONFREQ [REQsent] id 17 len 10
> 000434: Jan 31 14:13:10.307 CST: Se0/1/0 LCP:MagicNumber 0x60279E3E (0x050660279E3E)
>
> --- On Thu, 1/31/13, Jay Hennigan wrote:
>
>> From: Jay Hennigan
>> Subject: Re: [c-nsp] Cisco s0/1/0 T-1 is up but not showing up in route table
>> To: cisco-nsp@puck.nether.net
>> Date: Thursday, January 31, 2013, 11:45 AM
>> On 1/31/13 8:57 AM, false wrote:
>>> I cannot ping the far end. The int s0/1/0 output shows up/up. The
>>> "sh service-module serial 0/1/0" output listed below shows the T1 is up
>>> with the correct framing, etc. The "sh diag" output below looks to be clean.
>>> Here is the output for "sh int s0/1/0" as well. I am totally at a loss here.
>>> Any ideas? Thank you
>>>
>>> sh int s0/1/0
>>> Serial0/1/0 is up, line protocol is up
>>> Hardware is GT96K with integrated T1 CSU/DSU
>>> Internet address is x.x.x.x/30
>>> MTU 1500 bytes, BW 1536 Kbit/sec, DLY 2 usec,
>>> reliability 255/255, txload 1/255, rxload 1/255
>>> Encapsulation PPP, LCP Open
>>> Listen: IPCP, CDPCP, loopback not set
>> ^
>>
>> This should be Open: IPCP
>>
>> What does the other end look like? Is its IP configured correctly,
>> static address of the other side of the /30 ?
>>
>> What do you see with "deb
Re: [c-nsp] Cisco s0/1/0 T-1 is up but not showing up in route table
On 1/31/13 8:57 AM, false wrote:
> I cannot ping the far end. The int s0/1/0 output shows up/up. The "sh
> service-module serial 0/1/0" output listed below shows the T1 is up with the
> correct framing, etc. The "sh diag" output below looks to be clean. Here is
> the output for "sh int s0/1/0" as well. I am totally at a loss here. Any
> ideas? Thank you
>
> sh int s0/1/0
> Serial0/1/0 is up, line protocol is up
> Hardware is GT96K with integrated T1 CSU/DSU
> Internet address is x.x.x.x/30
> MTU 1500 bytes, BW 1536 Kbit/sec, DLY 2 usec,
> reliability 255/255, txload 1/255, rxload 1/255
> Encapsulation PPP, LCP Open
> Listen: IPCP, CDPCP, loopback not set
  ^

This should be Open: IPCP

What does the other end look like? Is its IP configured correctly, static address of the other side of the /30 ?

What do you see with "debug ppp negotiation"? This should give you a hint as to where the problem lies.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Cisco s0/1/0 T-1 is up but not showing up in route table
On 1/30/13 2:52 PM, false wrote:
> The T-1 seems to be up from a Layer-2 perspective. Something is wrong with my
> routing though. The interface does NOT show up in the "sh ip route" output.
> I would expect to see it as a directly connected interface but it isn't
> there. The card is in "slot 1" so I'm thinking that may have something to do
> with but that's just a hunch. We also have a 9-port switch in the router as
> well. "Sh diag" looks clean too. Any ideas?

What does "show interface" display for line protocol?

Try:

interface Serial0/1/0
 encapsulation ppp
 service-module t1 timeslots 1-24 speed 64
 service-module t1 framing esf
 service-module t1 linecode b8zs

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] mpls ip creating traffic disturbance(s)
On 1/17/13 12:40 AM, Adam Vitkovsky wrote:
>> So ospf summary-address statements will break MPLS?
> In MPLS core all that matters is the reachability from one PE loopback to
> other PE loopback (/32 prefixes), actually nothing else needs to be
> advertised by OSPF
> So if all of a sudden you'll replace the /32 loopback prefix with a summary
> prefix you'll basically break the label switched path between the PEs

That explains the point a lot better.

"Any network that depends on an interface (including a loopback interface) being reachable will break if the interface isn't reachable", makes perfect sense.

"Summarization breaks MPLS", that's kind of a head-scratcher.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] cisco interface shutdown detection, how is possible?
On 1/5/13 3:44 AM, h bagade wrote:
> Hi all,
>
> I was wondering how Cisco routers could detect the directly connected
> interface at the other end is shutdown!
>
> there are two general possibility on my point of view:
> 1- the other device is sending special information before shutting down the
> interface.
> 2- there are some method of polling which is done periodically and based on
> the answer, the router detect the interface is up or no!

Some of this depends on the layer 2 protocol (Ethernet vs. DS-3 for example) but in most cases there isn't any detectable difference between the remote end being administratively shut down and a failure of the interconnecting medium.

The exception is that in some metro ethernet scenarios you can use OAM to capture dying-gasp, error disable, or shutdown events. It isn't a periodic poll, but rather like a one-time "Going down now!", your scenario 1.

> As Cisco router is not able to detect the interface shutdown on the other
> side when connected to some other device, not Cisco like unix systems, it
> seems, it has some sort of protocol for detection which is number 2 of
> above guesses!

The router will absolutely detect the lack of line protocol and carrier and flag the link as down but this would be the case whether the remote side is administratively shut down or the cable is just unplugged.

> could you please help me on this? Or provide me a scenario which I could
> find out if any packet is transmitted between Cisco routers to inform the
> interface shutdown!

See:
http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_46_se/configuration/guide/swoam.pdf

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] 7206 NVRAM issue
On 12/26/12 2:09 PM, Joseph Mays wrote:
> Got a used 7206 I am trying to bring back to life. It seems to be able to
> read the PCMCIA card in the slot okay, but after a power cycle it loses
> config and claims the NVRAM is corrupt, throwing me to rommon. From there I
> can tell it to boot from disk0 and it boots alright from the PCMCIA card into
> the default config. Needless to say, any config I have entered gets lost.
> Which NVRAM is it referring to? The 4 meg on the motherboard? Is there anyway
> to clear and reset that, or does it just need to be replaced?
>
> Warning: monitor nvram area is corrupt ... using default values
> C7200 platform with 131072 Kbytes of main memory
>
> [after a power cycle]
>
> System Bootstrap, Version 12.2(4r)B, RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 2002 by cisco Systems, Inc.
>
> Warning: monitor nvram area is corrupt ... using default values
> C7200 platform with 131072 Kbytes of main memory

It may be the battery on the I/O module. Some are a soldered-in coin battery and others are built in to a Dallas/Mostek/Maxim chip that is also used for the clock/calendar.

If soldered in, you can replace the battery if handy with a soldering iron. If the Dallas chip, get a DS1248Y-70 from Mouser and replace it, then re-initialize. Repeat in about six to ten years, less if you leave the box unplugged for a very long time.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] IP SLA issue
On 12/5/12 9:10 PM, Ali Sumsam wrote:
> Hi All,
> I have a very simple configuration I am having problem with.
>
> track 2 rtr 1 reachability
> !
> ip sla 1
> icmp-echo 10.1.18.49 source-ip 10.0.254.30
> timeout 500
> frequency 3
> ip sla schedule 1 life forever start-time now
> !
> ip route 0.0.0.0 0.0.0.0 10.0.254.25 50 track 2
> ip route 0.0.0.0 0.0.0.0 10.0.254.17 80
> !
>
> Sometimes even if i can ping 10.1.18.49 with the source ip of 10.0.254.30
> successfully but that track says its down. what could be the reason.

A single missed ping or high CPU causing latency >500 ms could be two reasons.

Try:

track 2 rtr 1 reachability
 delay down 10 up 60

This will require three consecutive missed pings (at frequency 3) to flag the primary route down, about 10 seconds, and require it to be up for 60 seconds before declaring it good. For serial links and the like this will prevent nuisance flapping while ensuring that a marginal link stays down.

Tweak as needed for relatively rapid detection of a down link and ensuring stability before cutting back. If you want failover within three or four seconds, increase frequency to 1 and change delay down to 3 or 4, for example.

show track 2 and show ip sla statistics 1 detail may give more info on what is going on in your particular case.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Cisco 2851 Wiping Flash?
On 11/27/12 5:00 AM, Skeeve Stevens wrote:
> Hey guys,

[snip]

> ===
>
> *On the 2851 I cant:*
>
> BDR-A#copy run q
> Destination filename [q]?
> Erase flash: before copying? [confirm]
> Erasing the flash filesystem will remove all files! Continue? [confirm]
> Erasing device...
> ee
> ...erased
> Erase of flash: complete

Type the letter "n" (as in "no") when asked to confirm erasure.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] OSPF redist customer routes
On 11/12/12 9:55 PM, CiscoNSP_list CiscoNSP_list wrote:
> Thanks Jay - We already run iBGP(Full mesh under VPNv4) across our POPs
> for vrf solutions... how best to migrate our customer routes from
> ospf->iBGP? (And how to separate our infrastructure IPs(Keep in OSPF))

Without knowing the details of your network it's going to be tough to go step-by-step. Assuming that you already have loopbacks on your routers in OSPF, BGP points to the loopbacks, and that you have full mesh iBGP or route reflectors in the global table, start with one router and redistribute static and connected into BGP. Use a route map limiting redistribution to customer prefixes or a single customer prefix for testing. The same route map can inject communities as needed (no-export would likely be nice). These would be in the global table unless in a VRF but you're already doing that.

Take that prefix out of OSPF and verify that it propagates to your POPs, is reachable throughout your network and doesn't leak outside your AS. Repeat until you have all OSPF customer routes removed from a single router, then on to the next. iBGP is distance 200 and OSPF is 110 so you won't see the BGP route in the forwarding table until you remove the OSPF one.

>> Customers with redundant connections can use a private AS into iBGP or
>> tracked floating statics redistributed.
>
> A lot of our customers CE's dont support BGP (Or require a license
> upgrade)...so we are stuck(to a degree) with having to support OSPF?

For non-redundant customers a static default at the customer edge is all that you need. For redundant customers either upgrade to BGP at the CE or use a floating static for the backup with the inverse at the PE.

For backup routes we use a tagged floating static distance >200 on the PE and a route map to match the tag, set weight to 0 and de-pref local pref so that the backup doesn't propagate until the primary goes down.

And as Andrew pointed out, if you use a private AS for BGP to the customer prem, then it is actually eBGP.

I seem to recall a fairly good presentation writeup on OSPF-BGP migration in the NANOG archives but a quick search comes up empty.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] OSPF redist customer routes
On 11/12/12 8:48 PM, CiscoNSP_list CiscoNSP_list wrote:
>
> Hi Guys,
> We currently run OSPF across our POPs - redistributing connected + static
> subnets.
> So, provision a customer tail, and all POPs know about the new subnet... and
> also if we statically route an additional subnet to a customer, all other
> POP's are updated.
> Our issue is if we need to run OSPF to the customer(eg if they have redundant
> connections), and they require an additional subnet(So they advertise the
> additional subnet back to us via OSPF), the only POP that is "aware" of the
> advertised additional subnet is the one that has the OSPF session to the
> customer - All our other POP's dont see this advertisement as it is within a
> different OSPF process to our "Internal" OSPF process - Solution is to
> redistribute ospf process(customer) in our "Internal" OSPF...but we also have
> to use route-map/acl to ensure they dont potentially blackhole us(by
> advertising something back to us that they shouldnt)... Is there a "better"
> way to be doing this? As having to redistribute customer ospf/controlling
> that redist with route-map/acl just doesnt seem like a "good" solution?(At
> the very least, it's terrible to manage)

I would suggest migrating to iBGP for customer routes, redistributing connected and static into iBGP much like you do now for OSPF. You are going to run in to scalability problems with OSPF for customer routes.

Keep OSPF for your infrastructure but not for customer routes. You really don't want your infrastructure routing process recalculating every time a customer serial link flaps or a customer has a power blip.

Customers with redundant connections can use a private AS into iBGP or tracked floating statics redistributed.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] OT: Duplicate IP's.
On 10/29/12 8:40 AM, Scott Voll wrote:
> We have VM's and now Desktops that are getting Duplicate IP errors on boot
> up when they have a static IP configured (and there is not duplicate IP).

Does the duplicate IP error show the MAC address of the conflicting device? If so, what have you done to track it down on the network?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] proxy arp?
On 10/12/12 10:52 AM, Scott Voll wrote:
> what "could" break if I turn Proxy arp off on my inside or DMZ interface of
> my ASA?

Usually things that are misconfigured in the first place like inconsistent subnet masks, missing or wrong routes, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] 1000BASE-BX
On 9/26/12 2:13 PM, Tim Durack wrote:
> Didn't want to find out later that most people took U as meaning
> facing towards Upstream or something stupid like that :-)

Oh, like FXS and FXO ?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] vijay gore has invited you to open a Google mail account
On 8/31/12 2:33 AM, vijay gore wrote:
> Gmail is Google's free email service, built on the idea that email can be
> intuitive, efficient, and fun. Gmail has:
>
> *Less spam*
> Keep unwanted messages out of your inbox with Google's innovative
> technology.

Oh the irony... How do all of the other people in your address book that Gmail phished feel about the "less spam" they're getting?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Help with ACL Rule
On 5/19/12 2:01 AM, Sam wrote:
> Guys
>
> Tried this and I cant get it to work they it should
>
> What I need to do is block access to a server for all ports bar the ips on
> our network
>
> Server = 101.31.7.11
>
> Our IPS = 101.97.214/23, 101.45.120/24 and external ip of say 210.11.23.12
>
> Driving me insane!!!

If the server is the only host on the interface, it's relatively easy.

access-list 10 permit 101.97.214.0 0.0.1.255
access-list 10 permit 101.45.120.0 0.0.0.255
access-list 10 permit host 210.11.23.12

interface [server-out]
 ip access-group 10 out

If there are other hosts on the subnet in addition to the server that are to receive all traffic, it gets a bit trickier. Here we specifically allow the traffic to the server from the desired networks, then deny all other traffic to the server, then allow all other traffic to the rest of the subnet. Don't forget that there is an implicit (not shown or configured) deny all rule at the end of the access list.

The access-list rules are processed in order. The access-group on an interface is applied in or out as seen by the interface. You could apply the lists "in" on all of the interfaces other than the one facing the server or "out" on the one facing the server.

access-list 101 permit ip 101.97.214.0 0.0.1.255 any
access-list 101 permit ip 101.45.120.0 0.0.0.255 any
access-list 101 permit ip host 210.11.23.12 any
access-list 101 deny ip any host 101.31.7.11
access-list 101 permit ip any any

interface [server-out]
 ip access-group 101 out

> Can you apply more then 1 access-list to an interface
>
> Access-list 101 in
> Access-list 102 in

Not in the same direction. You can have one list controlling traffic going into an interface and another one controlling traffic leaving the interface.

> So I can share acl 102 on multiple interfaces

You can, if you want the identical policy to apply to multiple interfaces.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
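
How access-list 101 from the reply above is evaluated, as an added example that is not part of the original message: wildcard-mask matching, first match wins, and the implicit deny when nothing matches. The function names are hypothetical, and the test addresses other than those quoted in the thread are constructed.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")


def host(addr):
    return (addr, "0.0.0.0")


SERVER = "101.31.7.11"

# access-list 101 as posted: (action, source, destination)
ACL_101 = [
    ("permit", ("101.97.214.0", "0.0.1.255"), ANY),
    ("permit", ("101.45.120.0", "0.0.0.255"), ANY),
    ("permit", host("210.11.23.12"), ANY),
    ("deny", ANY, host(SERVER)),
    ("permit", ANY, ANY),
]

# Same entries with the deny moved to the top, to show why order matters.
DENY_FIRST = [ACL_101[3]] + ACL_101[:3] + [ACL_101[4]]

# Same entries without the final "permit ip any any".
NO_FINAL_PERMIT = ACL_101[:4]


def evaluate(acl, src, dst):
    """Return (action, entry number); entry 0 is the implicit deny."""
    for number, (action, source, destination) in enumerate(acl, start=1):
        if matches(src, *source) and matches(dst, *destination):
            return action, number
    return "deny", 0


if __name__ == "__main__":
    # Constructed test packets: (source, destination)
    packets = [
        ("101.97.215.200", SERVER),      # inside the /23, second half
        ("101.97.216.1", SERVER),        # just outside the /23
        ("210.11.23.12", SERVER),        # the single external host
        ("198.51.100.7", SERVER),        # unrelated source
        ("198.51.100.7", "101.31.7.12"), # unrelated source, other host
    ]
    for src, dst in packets:
        print(src, "->", dst, evaluate(ACL_101, src, dst))
```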
Re: [c-nsp] Call rejeciton from Cisco
On 5/15/12 11:16 AM, Joseph Mays wrote:
> Disregard. I figured out how to get it to set the plan and type, but it's
> still having the same problem.
>
> 027800: 1w0d: ISDN Se1/0:24:23 Q931: TX -> RELEASE_COMP pd = 8 callref = 0x802D
> Cause i = 0x82E418 - Invalid information element contents

Invalid information element contents is often a switch type mismatch. Could also be CNAM being delivered in the wrong format.

What does "debug isdn q931" show?

Kind of noisy but "debug isdn q931 detail" may turn up something if regular q931 doesn't.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Possible to trunk over Serial or DSL?
On 5/9/12 4:28 AM, Darren O'Connor wrote:
> Hi all.
>
> I'm trying to find a possible way to run dot1q tags over serial and/or
> dsl interfaces. I could trunk over E1's on my old Riverstone kit without
> a problem, but I can't find a way to do it with a Cisco box.

For serial interfaces you can run frame-relay encapsulation and map VLANs to PVCs. For DSL, if you control the DSLAM you can do something similar mapping VLANs to ATM VP/VCs.

Other solutions include tunneling, pseudowire, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] synchronisation
On 4/22/12 8:56 PM, ujjwal maghaiya wrote:
> what is the type of synchronisation in CISCO devices,
> Time synchronisation or Frequency synchronisation or both???
>

Depends on the context.

NTP is time synchronization. (Clock/calendar time)

T1 clocking is frequency synchronization.

BGP/IGP synchronization is an entirely different animal.

And from a practical standpoint, time synchronization and frequency synchronization are essentially the same thing. Frequency is nothing more than a measure of events per unit time.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Possible T1 clocking problem.
On 4/17/12 11:46 AM, Joseph Mays wrote:
> We're setting up an HDSL4 t1 across two copper pairs. This is the first time
> I've ever turned up a T1 that was not telco provided. The smartjacks show the
> T1 as up (and extremely good quality, actually, strong signal and not a
> single bit error). On the CO side the T1 goes to a T3 multiplexer which is
> plugged into a channelized T3 card in an AS5400. On the remote end the T1 is
> plugged into T1 WIC in a 2600.
>
> Both ends show the T1 interface up, line protocol is down. Encapsulation is
> PPP, but all I ever see are errors. I've confirmed the wiring and every other
> aspect of the physical layer.
>
> Here is the show interface info from the AS5400 6 minutes after clearing
> counters on the interface.

Clocking problems will usually come up but show slips.

Things to check:

Framing - B8ZS throughout (including the mux ports)?

Linecode - ESF throughout?

And a fat-finger that had us going for a while, staring at it wasn't immediately obvious... "timeslots 24" isn't the same as "timeslots 1-24". :-)

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] IP helper-address source from loopback?
On 3/19/12 11:56 PM, Arie Vayner (avayner) wrote: > Jay, > > Take a look here... I think this should do the trick. > http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcps > ervidlink_mcp.html#wp1058967 > > Arie It indeed does! It's only in the SE train, so now I need to analyze how much I want this and what might break... -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] IP helper-address source from loopback?
We have a setup where an external global DHCP server is used to assign pools within a few VRFs on 7206VXR, IOS 12.4.

Interface configuration looks like this:

interface Port-channel1.3004
 description Test
 encapsulation dot1Q 3004
 ip vrf forwarding net21
 ip address 10.21.97.126 255.255.255.192
 ip helper-address global w.x.y.z

We're using option 82 to communicate the vrf subnet information and it all works well.

The problem that I'm trying to solve is to use a loopback as the global source interface from which the DHCP requests originate. With the above configuration the router uses the closest egress interface to the DHCP server. This is quite usable but I'd prefer it originate on a loopback for cleanliness and redundancy.

IOS has tweaks to manipulate the source address of telnet, RADIUS, ftp, tftp, rcmd, and the like but I don't see an obvious way to specify the source of the DHCP relay packets.

I'm considering attempting a local route-map as a possible solution but that seems like a pretty big hammer for a small tweak if it works at all.

Any suggestions from the assorted Cisco wizards?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Loopback IP set to .255 - 6500 responds to ICMP echo-request from wrong interface
On 12/31/11 9:33 PM, Eric Rosenberry wrote:
> I am scratching my head here wondering if I have run into a Cisco bug, or
> somehow intended weird behavior...
>
> I set the loopback IP's for a pair of 6500's (Sup720-3CXL's) to adjacent
> IP's and have *identical* config's on them (sans their interface and
> loopback IP's).
>
> One of them is 216.x.x.254 and the other is 216.x.x.255.

If the mask of 216.x.x is /24 or longer, then .255 will be a broadcast address and the ping response will be from one or more host addresses on the subnet.

If the second x of 216.x.x is odd, then the same issue will pertain to shorter masks, binary math will tell you which.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
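The binary math from the reply above, as an added example that is not part of the original post: an address is the directed broadcast of every subnet whose host bits are all ones, so counting its trailing one-bits gives the shortest mask affected. The sample addresses are constructed (documentation and private ranges), because the thread elides the real ones.

```python
import ipaddress


def broadcast_prefix_lengths(address):
    """Return the prefix lengths (1-30) for which `address` is the
    directed broadcast address of its enclosing subnet.

    /31 and /32 are left out: a /32 is a host route and a /31
    point-to-point subnet (RFC 3021) has no broadcast address.
    """
    value = int(ipaddress.IPv4Address(address))
    # Count the run of one-bits at the low end of the 32-bit address.
    trailing_ones = 0
    while trailing_ones < 32 and (value >> trailing_ones) & 1:
        trailing_ones += 1
    # With N trailing ones, every mask that leaves 2..N host bits makes
    # the host part all ones, i.e. prefix lengths (32 - N) through 30.
    shortest = max(32 - trailing_ones, 1)
    return list(range(shortest, 31))


def is_broadcast(address, prefix_len):
    """Cross-check using the standard library's own subnet arithmetic."""
    net = ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)
    return net.broadcast_address == ipaddress.IPv4Address(address)


if __name__ == "__main__":
    # Constructed sample addresses, not the ones from the thread.
    for sample in ("192.0.2.254", "192.0.2.255", "203.0.113.255", "10.1.7.255"):
        lengths = broadcast_prefix_lengths(sample)
        if lengths:
            print(f"{sample}: broadcast for /{lengths[0]} through /{lengths[-1]}")
        else:
            print(f"{sample}: never a broadcast address")
```

An even third octet (192.0.2.255) limits the problem to /24 and longer; an odd one (203.0.113.255, 10.1.7.255) extends it to shorter masks, one bit per trailing one in that octet.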
Re: [c-nsp] WS-C2970G-24TS as access switches
On 12/28/11 11:02 AM, Mike wrote:
> I was using these for exactly the same reasons stated above. This year,
> I have had three separate instances where the switch had to lose power
> (move, re-work pwr arrangements, etc), and all three times the PSU
> apparently gave up the ghost and refused to power back up. Nothing
> 'happened' funny power wise, not zapped or otherwise mistreated in any
> way. I think these units were of a vintage vulnerable to the bad
> Chinese capacitor problem and I think whatever cap in the psu just went
> fizzle while it was operating, which would let the units continue
> running but once it lost power, would prevent a successful full power on
> start up.

This is a very common failure mode with some types of switching power supplies. It is typically a resistor and not a capacitor. We saw a lot of it with the power bricks supplied with Fujitsu DSL modems a few years ago. It's real fun when there's a widespread power outage and customers all over town are down once power is restored.

There's a high value resistor, typically in the hundreds of kilo-ohms used to "kick-start" the switcher. Once it's going, the resistor isn't needed until power is removed and restored. These typically fail open.

If the gear is worth salvaging or if it's crucial to get it back online while waiting for a replacement, I typically replace these with a resistor of substantially higher power rating than the original.

> I was able to find and deploy the rps-675 (redundant power) after being
> burned this way three times, and it came in damn handy because there was
> a 4th event (another burned up 2970 psu) and this time the 675 kept it
> running till I was able to have an orderly replacement and maintenance
> window (with a 3560). I would recommend deploying the rps units if you
> are going to use any cisco products with single power supply, but
> especially if you're going to be using the 2970's which have proven (in
> my shop) to be a (literally) dying breed.

These power supplies are commodity items from Chinese manufacturers that are used in a variety of gear, not just Cisco switches. You can often Google the part number on the power supply brick itself and find replacements.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] shaping w/sub interfaces - drops
On 12/21/11 11:11 AM, Dan Letkeman wrote:
> Hello,
>
> I'm wondering if it's possible to eliminate drops using shaping? I
> have a sub interface set-up for guest access and I want to limit all
> access to 3mbps and http access to 2mbps. If I apply a policy to the
> sub interface I continuously see drops on the http class when it runs
> in and around 2mbps. It's just web browsing so I don't ever want to
> drop the packets just retransmit.

When you limit traffic by any means you may have the choice to either delay the excess packets or drop them.

Delaying the packets means storing them in a buffer until the traffic falls below the limit, then forwarding them. The buffers have a limited size. If there is more traffic than the buffers can hold, it will eventually be dropped. There is lots of discussion and several examples regarding this with "leaky bucket" analogies.

So if there is more traffic than the configured shape rate (or more traffic than the physical medium can handle) it will get dropped either immediately or when the buffers fill up depending on configuration, amount of memory, etc.

Upper-layer protocols such as TCP can mitigate this by slowing the input rate when drops are detected. But if there is more traffic coming in than the buffers, shape limit, or outbound medium can handle, it must get dropped. There's nowhere else for it to go.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
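The delay-versus-drop behaviour described in the reply above, as an added simulation that is not part of the original post or of any Cisco implementation: a shaper drains a finite queue at a fixed rate, so a short burst is only delayed while sustained overload fills the queue and is tail-dropped. The tick length, packet counts and queue sizes are constructed for illustration.

```python
def shape(arrivals, rate, queue_limit):
    """Simulate a shaper with a finite FIFO queue.

    arrivals    -- packets offered in each tick (list of ints)
    rate        -- packets the shaper may forward per tick
    queue_limit -- packets the buffer can hold; excess is tail-dropped
    """
    queue = sent = dropped = max_queue = 0
    first_drop_tick = None
    for tick, offered in enumerate(arrivals):
        # Enqueue what fits; whatever does not fit has nowhere to go.
        accepted = min(offered, queue_limit - queue)
        if accepted < offered:
            dropped += offered - accepted
            if first_drop_tick is None:
                first_drop_tick = tick
        queue += accepted
        max_queue = max(max_queue, queue)
        # Drain at the shape rate.
        forwarded = min(queue, rate)
        queue -= forwarded
        sent += forwarded
    return {
        "sent": sent,
        "dropped": dropped,
        "backlog": queue,          # still waiting when the run ends
        "max_queue": max_queue,
        "first_drop_tick": first_drop_tick,
    }


if __name__ == "__main__":
    # A burst above the rate followed by silence: delayed, never dropped.
    print("burst      ", shape([10, 0, 0, 0, 0], rate=2, queue_limit=16))
    # Sustained 3 packets/tick into a 2 packets/tick shaper: the queue
    # grows by one per tick until it is full, then one drop per tick.
    print("overload   ", shape([3] * 40, rate=2, queue_limit=16))
    # A four-times-larger buffer postpones the first drop, adds queueing
    # delay, and still drops once it fills.
    print("big buffer ", shape([3] * 200, rate=2, queue_limit=64))
```

A larger buffer only moves the first drop later, from tick 14 to tick 62 in these runs, at the cost of a longer standing queue; the drops stop only when the offered rate falls to the shape rate, which is what TCP does on seeing them.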
Re: [c-nsp] OER Question
On 12/8/11 2:27 AM, M K wrote: > Hi , please guys anyone do not want to help can save his words for himself !! > i heard about this forum and a lot of people who told me about it received a > lot of help > i already have a solution but i am not sure if its complete This looks like a homework or certification practice question. If so, groupstudy.com is your best place to ask it as others have suggested. If this is a real production network, what behavior are you expecting and what behavior are you getting? -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] HSRP and removing connected route
On 12/8/11 12:23 PM, Jay Nakamura wrote: > So, the situation is this. > > Let's say I have a topology where there are two routers, each router > connected to separate switches, and the two switches are connected to > a gigabit ethernet WAN. Just to each other or to other resources on the WAN? > One router and switch is in one city, other router and switch is in > another city. > > There is a VLAN that spans the two routers, two switches and servers > hosted in one city. Somewhat confused here, as previously you indicated that there was one router/switch pair in each city. Or is it router/switch A along with servers in city A and router/switch B in city B that wants to reach the servers in city A? > I have the VLAN on HSRP between the two routers. > > The problem is this. When the gigabit WAN goes down, the one end of > the router without the host will still try to route that traffic out > it's VLAN. Is there a way to prevent that by using IP SLA or track > command or some other trick? Perhaps shutdown the subinterface auto > magically? (Although, if it shuts it down, I am not sure how it will > detect that the service is back up) Is there a backup route via another path for the orphaned remote city to reach the servers? If the link goes down, HSRP will fail to see heartbeats and both routers will assume the virtual IP and primary role. This may not be what you want, but if the orphaned end is connected to nothing it probably won't hurt anything. You probably want to use preempt if you want one router to be "sticky" as primary after a failure and recovery. You can certainly use IP SLA and track to pull down a static route should the other end not be pingable. Unless there's a backup path it won't do anything useful, though. I wouldn't shut down the VLAN unless you WANT to have to manually bring it back up after a failure. > Or is there something I am not thinking of I should be doing other than HSRP? 
If a host on the WAN link that is critical to reach is a router you can run a routing protocol over it such as OSPF. Depending on exactly what the problem is that you're trying to solve you might also be able to use a routing protocol instead of HSRP just between the pair to determine what do do in case of a link failure. Things to consider are other potential failure modes, convergence time, scalability and growth. HSRP with IP/SLA and track are probably fine for a pair of devices, but if you expect this to grow to other sites you might want to consider a routing protocol. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OER Question
On 12/7/11 12:17 AM, M K wrote: > > Hi all , Bruce i am asking on the best Cisco forum , is that wrong See, read, and absorb: http://catb.org/~esr/faqs/smart-questions.html In particular... http://catb.org/~esr/faqs/smart-questions.html#homework Note that in the context of the above articles, "hacker" is defined here: http://www.ietf.org/rfc/rfc1392.txt -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Resolve the FQDN of the URL published in web VPN in ASA
On 11/26/11 11:24 AM, Farooq Razzaque wrote: > > > Dear All, > > I have the requirement to resolve the FQDN of the URL published in web VPN in > ASA. > > When remote users connect to web vpn then they access one URL (https://fully > qualified domain name:7004/console-selfservice) which is published in Web > VPN and which is accessible through FQDN. So how i can resolve the FQDN > against. > > Can we done this on ASA. or can we configure Web VPN so that when remote > users connect to VPN they can get DNS server IP to resolve the FQDN Does the FQDN point to the same IP for all users? Is the base domain a standard registered name? If yes to both, you can just publish it in your regular DNS A records and any resolver worldwide should be able to find it recursively. If it points to different IPs then what mechanism determines this? If a private domain name like [whatever].local, consider also creating a public one. There's nothing preventing you from publishing a public A record that resolves to private RFC1918 space. It won't be useful to those who aren't connected to your private network but that shouldn't matter. You can also have two variants such as host.example.net -> public IP and host.vpn.example.net -> private IP. Or if the ASA is assigning DHCP to the remote users it can direct them to a specific name server that has the appropriate zone file. I'm not 100% clear on exactly what the problem is that you are trying to solve. If it's more complex than this, please provide more detail. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OSPF issue
On 11/16/11 3:28 PM, John Elliot wrote: > Hi Guys - Just following up on this issue...Carrier is stating that they > are not filtering multicast(support case is still open, but we appear to > be getting nowhere) > > If I ping 224.0.0.5 from R2, I do not get a response from R1 via the > "new" link - Also, debugging icmp on r1, I only see requests from R2 via > the existing(working) link, so the multicast pings are not reaching R1 > via the "new" link. If you ping 224.0.0.5 from a router connected to R1 on a different link, do you get a response? (I suspect your carrier is indeed filtering multicast.) > R1(7206 w/ G1) connects via trunk to 3750(As portchan), and the carrier > hand-off is via trunk port on the same 3750 - The switch is not doing > any L3, has no filtering of multicast enabled...Am I seeing a potential > ios bug? Verify that R1 is indeed communicating on 224.0.0.5 on the interface facing the carrier, then beat on them until they fix it. If it isn't and should be (no passive-interface or something misconfigured), then maybe an IOS bug. I suspect the carrier. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OSPF issue
On 11/12/11 3:26 PM, John Elliot wrote:
> Ok - enabling point-to-point on each of the "new" ints on R1+R2, and it now doesn't form adj.
>
> R1 no longer sees R2 in neighbors via "new" Int:
>
> Neighbor ID     Pri   State      Dead Time   Address         Interface
> xxx.xxx.76.248    1   FULL/DR    00:00:35    xxx.xxx.66.2    FastEthernet3/0
>
> R2 is stuck in init:
>
> Neighbor ID     Pri   State      Dead Time   Address         Interface
> xxx.xxx.76.238    0   INIT/ -    00:00:36    xxx.xxx.66.61   Port-channel1.87
> xxx.xxx.76.238    1   FULL/BDR   00:00:30    xxx.xxx.66.1    Port-channel1.86

Based on your previous post re multicast pings, it may be that your provider isn't passing multicast. If this is the case you can either get them to fix this (best) or statically assign neighbors in router config mode (sort of an ugly hack).

The results of "show ip ospf interface [interface name]" on both sides after configuring point-to-point on the interfaces would be useful information.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco 7200 router with AAA problem and nvram corruption
On 10/8/11 8:51 AM, root net wrote: > Hello, > > Just want to confirm what should be done. I have a router that resulted in a > bad NPE 225. Had a spare NPE 225 but it wouldn't work for some strange > reason. So had an old NPE 150 laying around so inserted. When the router > came backup noticed that a message flashed nvram corrupt on console. All > circuits came up lovely but now I can't access the router to possibly move > circuits to different router. The NVRAM is actually a battery-backed SRAM. Some are like the early Sun boxes with a Dallas/Mostek chip. It looks like a tall DIP chip. Others are SRAM and a coin battery. This also can keep the time-of-day clock going when the box is powered down. They are supposed to last 10 years but your mileage may vary. I suspect this will be happening more and more as the boxes age. The NVRAM holds the configuration as well as a few other variables such as if-index persistence, some environmental data, etc. The NVRAM isn't on the NPE unless you're using a NPE-G1 or NPE-G2. It's on the I/O module on all others. Its battery is likely dead and hence it has lost its checksum. I seem to recall a means from monitor mode to clear/reset it but it's one of those obscure commands and I'm unable to locate it right now via search. Not the kind of thing you want to do other than in a situation like the one you're in. You may be able to just go into password recovery and then write the configuration in order to restore it. I'm surprised that all circuits came up lovely, as the corrupt NVRAM is where the configuration is saved. I wouldn't count on it remembering its configuration again. RANCID is your friend > I have the router configured with AAA for local and no backup > authentication. (Silly) > > What should be the steps I take to recover access to router so I can setup > AAA for local and backup auth? Replace the I/O module or the NVRAM if you want to try -- see below. 
Copy your configuration from backup (you do have a backup?), and you're good. You'll have this problem every time the power is removed from the box until you replace the battery. The Mostek chips are still available as are the coin batteries. If you've got the soldered-in battery on little legs, it can be replaced but it's tricky. Best to make friends with someone who does PCB rework if you're not skilled at soldering, or just get a replacement I/O module with a fairly recent date code so you don't get bit again for a while. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 2800 series IOS versions.
On 10/4/11 4:00 PM, Keith wrote: > > Have a 2811 and a 2801. > > The 2801 runs this: > > c2801-ipbase-mz.124-1c.bin > > The 2811 runs: > > c2800nm-ipbase-mz.123-8.T5.bin > > What does the nm part of the version mean on the 2811? The nm means that it supports network modules (the trapezoidal plug-ins for expansion). All of the 28xx series except the 2801 support these. I've never tried it but suspect that IOS between the two is not going to be interchangeable. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] LACP in 7206VXR with NPE-G1
I'm running IOS 12.4-12c advanced IP services. LACP is supposedly supported, and I can create a port-channel and add the gigabit ethernet interfaces to it. However, I can't find any of the LACP configuration commands such as mode active/passive, system-ID, etc. Any help would be appreciated. I suspect I need a different IOS or possibly feature set, but have tried several with no success. Bug toolkit returns nothing obvious. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Scary security alert, and what is a "Warranty CD"?
http://www.cisco.com/warp/public/707/cisco-sr-20110803-cd.shtml -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] 7206VXR 23-inch rack brackets?
My Google-fu is failing me, or such items are made of unobtanium. Does Cisco make a rack-mount kit for 7200 routers going into 23-inch telco racks? If so can someone provide a part number? If not, I can use aftermarket filler brackets but I would prefer the cleaner installation of stock brackets. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Transport PVCs using pseudowire?
On 6/29/11 8:01 AM, Antonio Prado wrote: > hello, > > what would be the best practice to deliver to a router of an ISP some > PVCs you have configured on an ATM OC3 installed on your c7206 NPEG2? > > in other words, that ISP would like to carry some dsl customers on its > own router and to assign them its own IPs without dealing with atm > interfaces. > > wondering if pseudowire could help here. What is your transport to that ISP? If ethernet, VLANs would be the most logical choice. If a serial link such as a DS3, you could use frame-relay encapsulation and a PVC per customer. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] L3 Switch as a BGP Gateway
On 6/27/11 1:30 PM, Murphy, Jay, DOH wrote: > How about when you stack them as a logical switch. Couldn't one leverage the > memory and processing of the stacking? If you're taking just a default eBGP route from each external neighbor and using multi-homing as a primary/failover, you can get away with it. "Multi-homed BGP gateway" in your original post implies taking at least a partial table from a diversity of transit providers and/or peers, and these switches just aren't capable of dealing with anywhere near that many routes. > -Original Message- > From: cisco-nsp-boun...@puck.nether.net > [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Jay Hennigan > Sent: Monday, June 27, 2011 1:11 PM > To: cisco-nsp@puck.nether.net > Subject: Re: [c-nsp] L3 Switch as a BGP Gateway > > On 6/27/11 11:59 AM, Jason Greenberg wrote: >> Can someone advise me as to why a 3750 L3 Switch (Metro Model) wouldn't >> outperform a 7300 series router as a multi-homed BGP gateway? ISRs and >> Enterprise class routers are still quite a bit more expensive than the L3 >> Switches, but I'm starting to not understand why. I understand that L3 >> switches are less feature rich on the routing end, but suppose that our ASAs >> are doing most of the complicated filtering.I know it doesn't sound >> "right" to have a 3750G used in this manner, but I am having a hard time >> finding any real reason why not to do it. > > The memory and number of routes are far too small to use these as a > border router. Generally adequate for iBGP to inject customer routes > into your network but way too little for an Internet-facing border. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] L3 Switch as a BGP Gateway
On 6/27/11 11:59 AM, Jason Greenberg wrote: > Can someone advise me as to why a 3750 L3 Switch (Metro Model) wouldn't > outperform a 7300 series router as a multi-homed BGP gateway? ISRs and > Enterprise class routers are still quite a bit more expensive than the L3 > Switches, but I'm starting to not understand why. I understand that L3 > switches are less feature rich on the routing end, but suppose that our ASAs > are doing most of the complicated filtering.I know it doesn't sound > "right" to have a 3750G used in this manner, but I am having a hard time > finding any real reason why not to do it. The memory and number of routes are far too small to use these as a border router. Generally adequate for iBGP to inject customer routes into your network but way too little for an Internet-facing border. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco IAD 2431, auto dial on pick up of handset?
On 6/23/11 10:25 AM, Scott Granados wrote:
> Hi,
>
> Been googling but haven't found a good example to work with. Does anyone
> have an example configuration for a Cisco IAD device so that when a user
> picks up an attached handset it auto dials a number. This is for a outside
> office phone to ring in to the building type arrangement. Any pointers /
> config snippets would be appreciated.

voice-port 2/0
 connection plar 18005551212

PLAR = Private Line Auto Ringdown (dial on going off-hook)

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Invitation to connect on LinkedIn
> I'd like to add you to my professional network on LinkedIn. FAIL List ops, you might want to firewall this as well as the similar cruft from Facebook, etc. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cases to lock a switch -- physical layer protection?
On 4/19/11 6:22 AM, Furnish, Trever G wrote: > Hello, > > I have a particularly sensitive scenario where I need to allow access to > other hardware within a rack but ensure that no one is able to > physically modify connections to the top-of-rack switch and ASA. I > would love to find an in-rack-mountable case to go around the Cisco > gear, in the same way that telco's commonly protect smartjack shelves. The most common telco smartjack enclosure I've seen Verizon use here is the type that holds four cards. It has a plexiglas door with an Ace style lock on the top. And there are two Phillips screws on the bottom of the door for those who don't have the key. > Can anyone recommend such a case or similar protective measure? If you have something custom made, use Medeco locks, welded construction, and ensure that the mounting hardware is protected by the locking mechanism. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PA-2T3+ vs PA-MC-2T3
On 1/28/11 12:11 AM, Christopher Wolff wrote: > Hello, > > I'm looking at setting up a 7206vxr/NPEG1 with two DS3 BGP peers and > I'm wondering if there's any substantial difference between the > PA-2T3+ and the PA-MC-2T3. Thanks in advance. Yes, very much difference. The PA-2T3+ is used for clear-channel DS3. The PA-MC-2T3 is used with a mux to split each DS3 into 28 individual T1s. For your purpose you want the PA-2T3+. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Strange T3 failure on 7206
We got an alarm that a T3 to a customer was down. PE router showed interface up, line protocol down. CE router showed down/down. Provider side goes to an Adtran Opti-mux out OC-12 to Verizon, customer end is a Verizon mux on premise. Called Vz and they claimed it was CPE, they saw "idle loop" towards our 7206 CE router. We shut/no-shut the interface and rebooted the 7206, no joy. I'm not familiar with the term "idle loop", we were showing receive LOS and sending RAI. Customer IT guy came on site and saw CLOS on Verizon mux, alarm light on 7206. He disconnected the cable and put a coax loop towards the 7206. Interface came up-looped right away. Reconnected to Verizon mux and everything came back up nice and happy. That's what is bugging me. Circuit has been running fine for months. -- -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Outbound Load balancing using eBGP
On 12/22/10 2:33 PM, RAZ MUHAMMAD wrote:
> I would appreciate if someone can shed some further light on using the
> default route or full routing table scenario while multi homed. In this case
> hardware is not an issue, I am trying to assess the operational,
> differences, or the outcome in terms of traffic patterns.

Outbound is easier than inbound. In general, use a route map to set local preference or another attribute based on as-path and apply to each neighbor.

Say you're multi-homed to AS100 and AS200. You would do something like:

    ip as-path access-list 100 deny _200_
    ip as-path access-list 100 permit _100$
    ip as-path access-list 100 permit _100_[0-9]+$
    ip as-path access-list 100 permit _100_[0-9]+_[0-9]+$

    ip as-path access-list 200 deny _100_
    ip as-path access-list 200 permit _200$
    ip as-path access-list 200 permit _200_[0-9]+$
    ip as-path access-list 200 permit _200_[0-9]+_[0-9]+$

Then towards your AS100 neighbor apply a route-map to bump local-pref to a value of 110 any inbound announcements matching as-path 100, likewise same on AS200 for as-path 200. All else matches the default local-pref of 100. Other traffic will use the regular BGP metrics to choose a path.

This sends your traffic to AS100 targets, its customers, and second level out the link to AS100 and likewise for AS200. If you lose either link, the other will pick up all traffic.

After a while you'll get a sense of how well balanced things are and you can tweak the lists to prefer one path or the other for portions of your outbound traffic to other networks. For example, if AS200 is only taking 20% of your outbound traffic and you send quite a bit to AS300, then add a permit to as-path list 200 to prefer sending AS300 traffic out that path.

Don't try to dynamically load-balance individual flows between your two neighbors. You'll have horrible issues with packets out of order and things will get very ugly.

You'll never get anywhere close to an exact 50-50 balance and it will vary a lot depending on what destinations become popular and unpopular with your customers at what time of day, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
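The policy described in the message above can be checked offline before it goes on a router. The following is an added example, not code from the original post: it evaluates the two as-path access-lists against constructed AS paths and picks an exit with a simplified decision (highest local-pref, then shortest AS path). The sample paths, the documentation-range ASNs and the `_300$` entry used for the AS300 tweak are assumptions.

```python
import re

# IOS "_" matches start of string, end of string, or a delimiter
# (space, comma, braces, parentheses).
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"

# The two as-path access-lists from the message, entries in order.
AS_PATH_LISTS = {
    100: [("deny", "_200_"), ("permit", "_100$"),
          ("permit", "_100_[0-9]+$"), ("permit", "_100_[0-9]+_[0-9]+$")],
    200: [("deny", "_100_"), ("permit", "_200$"),
          ("permit", "_200_[0-9]+$"), ("permit", "_200_[0-9]+_[0-9]+$")],
}


def ios_regex(pattern):
    """Translate an IOS as-path regex into a Python one."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))


def list_permits(list_no, as_path, lists=AS_PATH_LISTS):
    """First matching entry wins; no match at all is the implicit deny."""
    for action, pattern in lists[list_no]:
        if ios_regex(pattern).search(as_path):
            return action == "permit"
    return False


def local_pref(neighbor_as, as_path, lists=AS_PATH_LISTS):
    """110 when the neighbor's list permits the path, else the default 100."""
    return 110 if list_permits(neighbor_as, as_path, lists) else 100


def best_exit(candidates, lists=AS_PATH_LISTS):
    """candidates maps neighbor AS -> AS path heard from that neighbor.

    Simplified best-path: highest local-pref, then shortest AS path.
    Real BGP has more tie-breakers; the samples below never reach them.
    """
    def rank(item):
        neighbor_as, as_path = item
        return (-local_pref(neighbor_as, as_path, lists), len(as_path.split()))
    return min(candidates.items(), key=rank)[0]


def with_extra_permit(list_no, pattern, lists=AS_PATH_LISTS):
    """Return a copy of the lists with one permit appended (the 'tweak')."""
    tweaked = {n: list(entries) for n, entries in lists.items()}
    tweaked[list_no].append(("permit", pattern))
    return tweaked


# Constructed AS paths. 64496-64511 are documentation ASNs; AS300 is the
# third network named in the message.
CUSTOMER_OF_100 = {100: "100 64496", 200: "200 64500 64501 64496"}
VIA_200_ONLY = {100: "100 200 64497", 200: "200 64497"}
FAR_AWAY = {100: "100 64500 64501 64502 64498", 200: "200 64503 64504 64498"}
TO_AS300 = {100: "100 64500 64501 300", 200: "200 64502 64503 64504 300"}

if __name__ == "__main__":
    for name, paths in [("customer of AS100", CUSTOMER_OF_100),
                        ("reached through AS200", VIA_200_ONLY),
                        ("distant network", FAR_AWAY),
                        ("AS300 before tweak", TO_AS300)]:
        print(f"{name}: exit via AS{best_exit(paths)}")
    tweaked = with_extra_permit(200, "_300$")
    print(f"AS300 after tweak: exit via AS{best_exit(TO_AS300, tweaked)}")
```

Note that the `deny _200_` entry is what keeps a path learned from AS100 that transits AS200 at the default local-pref, so that traffic follows the direct AS200 link instead.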
Re: [c-nsp] No Service Password Recovery
On 11/18/10 2:28 AM, si...@pitwood.org wrote:
> It might have something to do with the version?
>
> CAT2924Switch#sh run
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption

password-encryption != password-recovery

And password-encryption == password-encryption only for very small values of encryption. This really should be called password-obfuscation as it is trivial to reverse.

The original poster didn't specify the specific problem he was trying to solve. If the bad guys have unmonitored physical access to the switch they could swap it out with their own device entirely even if the configuration is locked down. It's not like 2924XLs are expensive or hard to get. Mitigate with RANCID, etc.

If the concern is that the same access password on the switch which could be recovered is used elsewhere in the OP's network and bad guys recovering that password could use it to attack other devices... Don't do that, then. Mitigate with unique passwords, TACACS+, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] No Service Password Recovery
On 11/17/10 2:10 PM, Skeeve Stevens wrote:
> Hey all,
>
> I've been googling and ciscocom searching and have found nothing so far.
>
> I was to 'no service password-recovery' on a old Catalyst 2924. Does anyone
> know of a way?
>
> It is in a delicate environment and it doesn't support 'secret', so if its
> password recovered people would be able to crack the 'password' level
> passwords.

If the bad guys have access to its power cord and console port, it's pretty much game over anyway, but you can mitigate with...

* AAA to a remote tacacs+ server.
* Sync with NTP and use RANCID to track config changes and/or last save.
* Unique passwords for that device.
* It should support enable secret even if not password secret.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
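The mitigations listed in the two "No Service Password Recovery" messages above can be checked mechanically against saved configurations, for instance the copies a RANCID repository already holds. The following is an added example, not code from the original posts: it flags cleartext and type 7 passwords, a missing enable secret, missing remote AAA and missing NTP, and reports password strings shared between devices. The sample configurations, hostnames, addresses and password strings are constructed placeholders.

```python
import re

# Constructed sample configs (not from real devices). Password strings
# and addresses are placeholders.
WEAK = """\
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname sw-lab-1
enable password EXAMPLE-ONLY-1
line con 0
 password EXAMPLE-ONLY-1
line vty 0 4
 password 7 0000PLACEHOLDER
 login
"""

HARDENED = """\
service password-encryption
hostname sw-lab-2
enable secret 5 $1$PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.0.2.10
ntp server 192.0.2.20
line con 0
line vty 0 4
"""

# "password VALUE", "password 7 VALUE", "enable password VALUE", ...
PASSWORD_RE = re.compile(r"^(?:enable )?password (?:(\d) )?(\S+)$")


def stripped_lines(config):
    return [line.strip() for line in config.splitlines()]


def audit(config):
    """Return a sorted list of finding names for one device config."""
    lines = stripped_lines(config)
    findings = set()
    for line in lines:
        match = PASSWORD_RE.match(line)
        if not match:
            continue
        if match.group(1) == "7":
            # Type 7 is obfuscation, not encryption.
            findings.add("type7-obfuscated-password")
        elif match.group(1) in (None, "0"):
            findings.add("cleartext-password")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.add("no-enable-secret")
    has_tacacs = any(l.startswith("tacacs-server host ") for l in lines)
    if "aaa new-model" not in lines or not has_tacacs:
        findings.add("no-remote-aaa")
    if not any(l.startswith("ntp server ") for l in lines):
        findings.add("no-ntp")
    return sorted(findings)


def reused_passwords(configs):
    """configs maps device name -> config text.

    Returns {password string: [devices]} for strings seen on more than
    one device, i.e. where recovering one box exposes another.
    """
    seen = {}
    for device, config in configs.items():
        for line in stripped_lines(config):
            match = PASSWORD_RE.match(line)
            if match:
                seen.setdefault(match.group(2), set()).add(device)
    return {value: sorted(devs) for value, devs in seen.items()
            if len(devs) > 1}


if __name__ == "__main__":
    fleet = {
        "sw-lab-1": WEAK,
        "sw-lab-2": HARDENED,
        "sw-lab-3": WEAK.replace("sw-lab-1", "sw-lab-3"),
    }
    for device, config in fleet.items():
        print(device, audit(config) or "no findings")
    for value, devices in reused_passwords(fleet).items():
        print("shared across", devices, "->", value)
```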
Re: [c-nsp] DS3 Nubie
On 9/24/10 11:56 AM, Jeff Wojciechowski wrote:
> All:
>
> We are considering upgrading one of our circuits to a fractional DS3 and
> would just like to query the experts on the list to make sure that I have all my
> bases covered here if we go down the DS3 route as I have never touched DS3
> before...
>
> I am considering using the following equipment:
>
> 3925 Router + NM-1T3/E3 + SM-NM-ADPTR (per
> http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps4909/product_data_sheet09186a008010fba2_ps282_Products_Data_Sheet.html)
>
> That part seems pretty straightforward (but please correct me if I am wrong).
> Can I safely assume that since the carrier's proposal doesn't mention ATM that
> I don't need NM-1A-T3/E3?
>
> Then from DMARC to my router I need to use 734 type cable with 75 Ohm BNC
> connectors (per thread from yesterday).
>
> Am I missing anything?

This may seem obvious to anyone who has done this before but may be worth mentioning...

The DS-3 signal uses a separate co-axial cable for each direction of transmission, so you will want a dual 734-type cable (two BNC connectors on each end, two physical co-ax cables.)

The usual clocking, framing, etc. issues that apply to T-1 and other serial links apply. Exactly one clock source, framing must match on both ends, etc. Generally, C-bit is used for data pipes, M13 for T1s muxed up to T3.

For fractional, you may have to work with your carrier for CSU-type settings and the like, but this is all configurable on the Cisco gear. Some carriers configure the CSU to make the pipe "fractional" and others just limit the throughput in software and leave the physical media at the full line rate.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] DS3 Length over RG-6 or RG-59
On 9/22/10 1:31 PM, Peder wrote: > Does anybody have a good rule of thumb as to what type of coax to use for > DS3 over various distances? I know it has to be 75ohm, but have read it can > be RG-59 or RG-6. Also, on the RG-59 I have seen solid core and braided. > We have to run a cable about 250' to the telco equipment thru a messy > ceiling, so we only want to do it once with the correct cable. In the lab, > we just use cheap RG-59 but I don't know if it will have issues over a > distance of 250'. Thanks. I would recommend 734 type cable which is designed for DS3. It is similar in size to RG-59 but made to better tolerances than you're likely to find in RG-59. It's available in figure-8 twin configuration specifically for DS3 transmit/receive. The cable you'll typically find these days sold as RG-59 is designed for TV distribution and often has copper-clad steel center conductor instead of pure copper as well as aluminum foil shield with drain wires instead of copper braid. Terminating this stuff with BNC connectors is a pain. It's designed for the F-type connectors used in cable TV. Also ensure that you use 75-ohm BNC connectors. The insulator is shaped differently than the normal 50-ohm type commonly available. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Plea for [snip]
On 8/17/10 12:46 PM, Nick Hilliard wrote: > I don't think you'd be saying this if half of California were under > water (about the size affected in .pk), two thirds the population of CA > were displaced by these floods, with 2000 dead, cholera breaking out, > starvation looming for 6 million people due to the country's > bread-basket being washed into the ocean and the United Nations calling > it the worst humanitarian disaster in living memory. And the situation is very well publicized worldwide. Network news, print newspapers, radio, television, portal sites such as Yahoo and CNN, Red Cross campaigns, etc. I very seriously doubt that anyone on this list is learning about the situation here for the first time. > And another thing: given the circumstances, equating Asif Gul Khan's > email with spam is nauseously crass. If Asif and the rest of us are members of multiple technical lists, would it be appropriate for all of us to see this same message over and over on each of them? And if others are in the affected area, is it appropriate for each of them to post similar pleas to each and every mailing list to which they belong, regardless of the purpose of the list? As a data point, according to the archives this is the first and only post Asif has made to the list in over a year. I only checked back as far as August 2009. > disgusted, It is a slippery slope. His is a worthy cause. People are in need, no question about it. However if everyone with a worthy cause posted to every unrelated forum, the signal-to-noise would become overwhelming. Where would you draw the line? -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] OT: Plea for [snip]
On 8/17/10 2:46 AM, Asif Gul Khan wrote: [snipped plea for charitable donations] By definition, this list is email. By definition, it is bulk. Pleas for donations for charitable causes, no matter how worthy, in my opinion and understanding of the purpose and charter of this list are by definition unsolicited here. Unsolicited bulk email by definition is spam. In the spirit of the Boulder Pledge, I would encourage the subscribers of this list to donate to charities that do not participate in or condone network abuse in their promotional efforts. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PBR
On 7/25/10 12:38 PM, Gary Smith wrote:
> So, to start setting this up - everything is currently running over
> Dialer0. ATM0/2/0 is up over Di1, but there's no route for it.
>
> VLAN10 is 192.168.10.0/24, so creating an access list as per this:
>
> ip access-list extended Network10
>  permit tcp any 192.168.10.0 0.0.0.255
>  permit tcp 192.168.10.0 0.0.0.255 any
>
> Then...
>
> route-map PBR_Network10 permit 10
>  match ip address Network10
>  set interface Dialer1
>
> interface Fa0/0.10
>  description Network10Uplink
>  ip policy route-map PBR_Network10
>
> ip route 0.0.0.0 0.0.0.0 Dialer1 10
>
> As I understand it, this should work - however, from the outside, trying
> to ping the address of Di1 results in no replies. Also, VLAN10 can't
> route over the connection, instead still routing over Di0.
>
> What am I doing wrong?

Your access list matches TCP. Your ping is ICMP. If you want all traffic on that interface to go via PBR change the ACL to match IP and not TCP. As you're matching on source IP you can use a standard ACL.

If everything coming in on Fa0/0.10 is to go to dialer1, you may not need a match statement in the route-map at all.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] CRC fixing
On 7/8/10 11:57 PM, vijay gore wrote: > hi, > > heavy CRC error generating on serial link, > > anyone can tell me reason ?? solution ?? Most likely physical layer issues. Wet copper cable pairs (T-1), dirty fiber (optical), etc. Can you be more specific as to the nature of the link such as speed, internal cable or purchased WAN link from a carrier, etc.? You'll likely have to take it out of service and run loopback tests to isolate and repair the problem. If this is a new circuit turn-up it could be a configuration issue such as framing, linecode, clocking, etc. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] SDR
On 7/7/10 1:35 PM, Guillaume FORTAINE wrote: > http://www.wirelessinnovation.org > > On 07/07/2010 04:39 PM, My Name wrote: >> Is anyone using SDR? any problems , lessons learned, or best practices >> you can share? There's an app for that! http://digitalconfections.com/ -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 6500/Sup720 losing "startup-config"
On 7/5/10 5:29 AM, Youssef Bengelloun-Zahr wrote: > Hello Peter, > > Could you share the address from where you got theese pls ? > > Could be useful someday, you never know ;-) A CR1225 lithium cell? Most drugstores, Radio Shack, camera shop, etc. >> Follow-up: We changed the lithium cell (CR1225) and everything looks >> fine now. The batteries are inexpensive. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Looping up far end smartjack
On 6/28/10 7:37 PM, Richey wrote: > Will the card respond to loop codes even if the router is in ronmon? The NIU will respond to loop codes regardless of the state of the router. The router doesn't even need to be connected. CSUs that are integrated into a WIC will probably not respond if the router is in rommon, although I haven't tried it. I believe that some microcode needs to load from IOS to make the WIC functional. Old-school external CSUs like the Adtran TSU will loop regardless of the state of the router. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Looping up far end smartjack
On 6/28/10 4:00 PM, Adam Korab wrote: > On Thu, Jun 24, 2010 at 9:17 AM, Richey wrote: > >> I was hoping to avoid having to go to the colo late at night. We did >> finally hear from the customer. A breaker had tripped and they person on >> duty had no idea where the breakers were in the building. >> >> > T1 duty was long ago in a galaxy far away for me...but aren't NIUs all > line-powered? That is, wouldn't you want to loop the remote CSU/DSU anyway > to confirm power? Can't speak for all, but every T1 NIU I've seen has been powered from central office battery over the same pair(s) that deliver the T1 signal. So, ability to loop the NIU verifies that the telco span to the premise and the NIU itself are working. If the NIU loops up and the CSU doesn't, then the most likely issues are local utility power or inside wiring. If neither loops, it's most likely a trouble with the telco pair(s) between the CO and the NIU, aka backhoe fade. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Alert: Correction
On 6/18/10 2:43 PM, Nate Carlson wrote: > I do wonder if it's a competitor who is being very smart about trying to > *dis*courage people from going with Blue Cat. Possible but seems unlikely. Any competitor going to that extent wouldn't post it under such an obviously fraudulent address. > any vendor that will > actually whine at you for writing truthful posts about their gear isn't > going to get my business. Times ten for any vendor who would actually whine at someone's boss for writing truthful posts about their gear. Directing an inquiry to the real CIO/VP asking "Did you really do this?" and "If so, why the ridiculous pseudonym?" could possibly get Jason into even more trouble than he may be in now. It could also be someone with a personal grudge against Jason or trying to pull a prank on him. If indeed the University of Toledo is under pressure from a Bluecat landshark to issue a retraction, one would think that they would do one of the following: 1: Post a link to a retraction on their website thus proving that it is real. 2: Post the retraction from a real University of Toledo address. 3: Ask Jason to post the retraction. The bogus address really puts it over the top. I probably wouldn't have remembered the name "Bluecat" from a single thread so long ago but I will now. If it was a competitor, it worked. On the other hand, if Bluecat is that sleazy, and the real CIO/VP is really smart then he did exactly what they asked, fully knowing the outcome. He and Jason are together in a bar having drinks and laughing about Bluecat right now. One can always hope. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] BGP Scanner running amok
On 6/17/10 6:10 AM, Gordon Bezzina wrote: > Hi, > > Following yesterday's issue with BGP full feed, I have updated the IOS from > SRD3 to SRE1 on the > Cisco 7606 (RSP720-3CXL). The BGP continuous resets have been resolved but > now I have a mad > BGP Scanner. > > It is running constantly consuming over 60% of my CPU. > > also it is sending lots and lot of updates to a number of my peers. > Basically > I have a particular peer who was sent 6,000,000 updates in 6 hours! External peer? Are you accidentally leaking routes from your external peers to each other? Does "show ip bgp nei w.x.y.z advertised-routes" for all of your external peers just have your prefixes? If not, you'll want to fix this. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Alert: Correction
On 6/17/10 5:01 AM, Jun Kemail wrote: > An employee of The University of Toledo, Jason Mishka, transmitted a message > to this listserv on January 15, 2010, giving his personal opinion about > Bluecat Networks products. It has since been published on other listservs > and re-transmitted without authorization to other sites/forums. His > assessments and statements are his opinion and NOT that of The University of > Toledo. If he gave his personal opinion, why does the University of Toledo care? It's not your bell to try to unring. If you disapprove of your employees expressing their personal opinions, then discipline or fire them. And let prospective employees know in advance that you do so. The smart ones may choose to seek work elsewhere. > The University of Toledo does not agree with or support his > opinion. Did he or you ever state that you did? Does the University of Toledo try to censor everyone publishing an opinion with which it disagrees, or just Mr. Mishka? > Businesses deciding whether to utilize Bluecat Networks products > should not rely upon his opinion message in any way. Why not? Is it factually inaccurate? > We would appreciate it > if all remarks were disregarded and if possible, removed from the listserv. Good luck with that. Your comments have almost certainly had the opposite effect. Raise your hand if you, like me, just entered "Jason Mishka Bluecat" or similar into your favorite search engine and had never read or had long forgotten the five-month-old original post. This isn't by any chance a troll with a misplaced space, is it? Or is the real VP/CIO of the University of Toledo named Jun Kemail and the University's policy is to post official statements via Gmail? 
-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] TACACS+ for console problem
On 5/30/10 9:17 PM, ambedkar wrote:
> After searching in the internet, i got one solution says use the named list
> as below.
>
> aaa authentication login CONSOLE line
> &
>
> line con 0
>  password cisco
>  login authentication CONSOLE.
>
> With this configuration, i am able to login the switch, but it is taking the
> console password instead of line password which is defined in the command.

The word "line" in that command means that it will use the password defined for that line (in this case con 0, which is "cisco"). You could have a different line password for the VTY if you choose.

> Then, i have tested the command :
> aaa authentication login CONSOLE none.
>
> Which means no authentication required, but it still asking for the password,
> which is console password.

Try "no login" on the console line configuration if you want this behavior.

> Then i have removed aaa commands from config mode and line console mode.
> i have used only console password. still it is working, then what is the
> significance of aaa commands for console.

The significance is the same as for vty lines. If physical access to the device and its console port is secure, many people will use local (username and password) or line (password only) authentication for the console so that they can configure and/or troubleshoot the box locally if the TACACS server is unreachable or misbehaving.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] How to Remove E-mail
On 5/26/10 8:08 AM, Thiago - Renatec wrote: > How to remove my e-mail from this list? > > Thanks, > > Thiago > ___ > cisco-nsp mailing list cisco-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp Click ^^^this^^^ link (directly above), follow the clues. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Apple Mac + iPhone = strange network loop?
On 5/25/10 8:28 AM, Peter Rathlev wrote: > 002660: May 21 09:16:50.426 CEST: %HSRP-4-BADAUTH: Bad authentication > from 10.100.0.134, group 22, remote state Standby > > It turns out this (10.100.0.134) is the IP address of the MacBook. > Capturing the traffic, we can see that it is exactly the HSRP hellos, > but just with the IP address replaced, a la NAT. > > Without HSRP authentication (we tried that too!) it actually "steals" > the primary role, i.e. when it "reflects" the primary router's hello the > two real routers assume a "Standby" role. > > It doesn't cause broadcast loops or anything, so it seems to only > forward/bridge unicast packets. > > Apart from telling people not to connect their wonderful Apple devices > in this way, what can we do? :-) Make sure that you use HSRP authentication everywhere. Have the Apple customers open bug reports with Apple, and suggest that they mention "Cisco HSRP protocol conflict" in their reports. Be prepared to wait a while for Apple to realize the issue, do regression testing, and roll it out in their next updates. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 20 second packet delay
On 5/12/10 2:28 PM, Raymond Lucas wrote: > > Well, this was a new one for me. One way packet delay of around 20 seconds > on a single link. I had never thought it was possible, but just when you > think you've seen it all... You must not be familiar with RFC1149. > Ignoring the specifics of the up/down events and even if it was the Cisco > or Ericsson kit that was at fault, has anyone ever seen packets held up for > 20 seconds across a link? http://www.blug.linux.no/rfc1149/ shows ping times in the thousands of seconds. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] USB to Serial Converter recommendation
On 4/21/10 1:15 AM, Youssef Bengelloun-Zahr wrote: > Could anyone recommend a USB to Serial Converter that : > > - is compatible Mac OS X, > > - is compatible with minicom (or else), > > *- knows how to send breaks (the must have feature),* I use the Keyspan USA-19HS, does all of the above quite well, it just works. No complaints. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Unicast traffic being sent to every port? Aging issue?
On 3/22/10 7:03 PM, Ray Van Dolson wrote:
> We have two Dell PowerConnect M6220 switches (A1 and B1). They are not
> cross-connected, but both have uplinks to the same subnet:
>
>      zfs1
>      /
>  +----+
>  | A1 |-----|
>  +----+   +-------+
>           | Cisco |--- linux1
>  +----+   +-------+
>  | B1 |-----|
>  +----+
>   /  \
> esx1  esx2
>
> There's a host hanging off of A1 (zfs1) and several ESX hosts hanging
> off of B1 (esx1, esx2, etc). There's a host linux1 hanging off the
> Cisco as well (actually many hosts, but for the sake of description
>
> What's happening is, esx1/2 begin talking to zfs1. All is well for a
> while... but at some point, zfs1's MAC address expires from the CAM on
> the switch (I guess that is what is happening).
>
> At that point, the Cisco begins forwarding the unicast packets to all
> its ports. The result -- linux1, and all other hosts see the packets.
> Occasionally, when we're dealing with a lot of traffic, this seriously
> impacts performance.

Is the Cisco a router or a layer 2 switch? All hosts in the same IP subnet? Subnet masks all match? Nothing doing proxy-arp?

> My question here is.. what is the _right_ way to deal with this? This
> "flooding" can continue for many minutes at a time.. it isn't until an
> ARP reply emanates from zfs1 that the CAM table is populated again and
> the broadcasting stops.

If these are layer 2 switches, ARP won't have anything to do with it. If zfs1's MAC expires from the MAC address table on the cisco, it will flood the next packet for that MAC. A1 will forward it to zfs1 or flood if it too has expired the MAC. When zfs1 replies, A1 forwards the reply to the cisco. At that point, the cisco should re-install the MAC into its address table and the flooding cease. This should happen with a single packet.

Does this happen with any other hosts behind A1? Any interface errors on any of the devices?

> I wonder if zfs1 would send back an ARP response quicker were it not
> behind an additional switch (the PowerConnect)...

If layer 2 switches, ARP doesn't have anything to do with it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] BGP Balancing
On 3/21/10 9:53 PM, Chris Gotstein wrote: > It's actually both, but i'm mostly concerned with inbound traffic. Inbound is trickier than outbound. Many carriers offer a list of BGP communities which can be used to influence how they treat your advertisements, either by manipulating local preference, prepending, or both. Many are listed here: http://onesc.net/communities/ but ask your upstreams to be sure. Make small changes slowly. Verify with external looking-glass sites to ensure that you're getting the results you want. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Using switchport 802.1q for a point-to-point instead of routed /30
Rick Kunkel wrote:
> Hello all...
>
> The connection between the two locations is ethernet, and the hardware
> is (well, will be as soon as we upgrade out of a 7200) a 6509 on either
> side, and I think it'd be pretty cool to run an 802.1q trunk between them
> using 6509 switchports instead of routed ports. However, I've got some
> problems, or at least I'm having trouble wrapping my brain around some
> things...
>
> 1. In the interests of keeping things simple, is it a "bad" idea to use an
> 802.1q trunk for backbone connectivity?

One thing to consider is contention for the link among the VLANs. You'll want some form of QoS and/or rate limiting to ensure that a particular VLAN can't choke the link.

> 2. I'd normally set up this kind of point-to-point link using a /30, using
> interfaces in "routed" mode, and assigning the addresses to the interfaces
> on each end of the link. If using an 802.1q trunk with interfaces in
> "switchport" mode, would it be advisable to use loopback interfaces for
> these addresses instead?
>
> 3. I'm used to having the customer's gateway set on that Gigabit
> subinterface, as above. But if I want this customer to have their stuff on
> the same VLAN in both locations, AFAIK, I should set switchport access VLAN
> 80 on both their access ports. I'm then stuck figuring out where to put the
> gateway address for their IP space. Again, would loopback interfaces be
> good candidates for this? Or perhaps a VLAN interface, as weird as that
> seems to me?

A VLAN interface is what I would use here. You're providing a layer 2 connection between the two customer locations so their IP-layer addresses won't show up in your routing table at all. The VLAN interface is needed as the gateway, with whatever subnet mask is appropriate for the customer's network needs. See below for why this may not be a good idea.

> 4. My motivation for doing any of this in the first place, as opposed to a
> simple /30 point-to-point interface, is to allow customers to have access
> to layer 2 across our network, whether it be for internal use or for
> purchasing third-party connectivity. Is it "acceptable" to use our single
> point-to-point ethernet for this, or should I be using a separate network
> for this entirely?

As a rule, a hybrid solution with layer 2 across the customer endpoints with a layer 3 gateway to the Internet on a VLAN interface doesn't scale very well. If the customer wants their own firewall there are issues. It isn't unusual for them to have a lot of internal traffic (file server, etc.) with lower Internet needs. Metering this for billing can be an issue.

What we usually do in this scenario is to provide a layer 2 VLAN bridge on one VLAN for the customer's internal network. Then, on a separate VLAN, provide Internet access to one location. The customer can then put their own NAT firewall between the two VLANs.

For scaling among more than two customer locations and cutting down broadcast noise, consider MPLS with a VRF per customer and offer them a private routed layer 3 network.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] 3560g PoE issue
Nilesh Sawant wrote:

> Hi, I am observing a problem with a 48-port 3560G in LAN infrastructure. We have Alcatel IP phones which are connected to 3560G switches. Sometimes these IP phones are not getting powered up; after restarting the switch the IP phones get powered up. As per Cisco theory it delivers an average of 7.7 W on all 48 ports or 15.4 W on 24 ports. I tried shut, no shut after the IP phones get powered down, also tried to allocate 10-14 W power on that particular interface, but no use. What could be the issue?

Not sure about Alcatel, but we have seen a similar issue with some Polycom phones. The Polycom phones have the capability of adding "sidecar" units with additional display and buttons for DSS/BLF and the like. Even with no sidecars installed, the phones default to having the sidecar power enabled and as such request the full 15.4 watts from the switch.

The Cisco switch will detect the requested power as 15.4 and deny power to additional phones once the aggregate power limit is reached based on this calculation. A configuration setting on the phone allows one to disable sidecar power and once this is done the phone requests a more reasonable six watts. In this mode all ports can be used.

Keep in mind that TTBOMK power calculations in the switch are done by layer 2 messages indicating desired power from the connected device and not by an ammeter in the switch measuring actual power consumption.

Check your Alcatel phones and see if they are capable of powering accessories that you aren't using. If so and you can disable this capability the phones may then negotiate with the switch to deliver less power and allow the use of more/all ports.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Bandwidth Statement - Tunnel Interface
sky vader wrote:

> Hi, Just curious, since the default bandwidth for tunnel interface is 9k (cisco platform), does that mean the maximum bandwidth I can have is 9k?

No.

> What's the purpose of setting bandwidth statement on a tunnel interface? Does that mean I get bandwidth that is set or what the router will report via snmp?

Three things come to mind, there are likely other subtle ones...

1. Dynamic routing protocols use the interface bandwidth for path selection. Manually specifying the bandwidth to something sane for the physical path over which the tunnel rides may be needed for proper route selection.

2. MRTG and similar tools will use the configured bandwidth as the default maximum for graphing and analysis purposes. Leaving it at 9K is likely to result in graphs topped at that value. SNMP of the actual traffic counts will be accurate, but configuration tools of graphing software will get the configured bandwidth on setup and may behave as if this is the physical limit.

3. QoS and traffic shaping applied to the interface will use the configured bandwidth for percentage calculations and the like. This will almost certainly cause results that aren't what you expect unless the tunnel is running over a dialup link.

If you are doing none of these, then the configured bandwidth statement really doesn't affect anything in terms of operation that I've noticed.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Coax E1 over IP
Peter Rathlev wrote:

> On Thu, 2009-11-19 at 13:23 +0100, Aled Morris wrote:
>> Have you looked at NM-CEM-4TE1 for the 2800?
>
> I've looked briefly at it, but it only seems to have RJ45 connectors[1], not BNC for coax. Otherwise it seems to fit the purpose. What can one do to take an E1 circuit from coax?

Use the Cisco part number CAB-E1-RJ45BNC= or generic equivalent to connect to the RJ-45 on the router and the BNC connectors on the E1 smartjack.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Network Liberation Movement???
christian koch wrote:

> looks as if it's working based on the activity in this thread...

Or not. The concept is to build suspense and get the vict^H^H^H^Hreaders to think it's something cool. If two weeks ahead of time the grassroots is revealed to be Astroturf spun by a marketing outfit and the viral aspect is shown to be malignant, it may not have the desired effect.

If it was known 15 days ahead of time that the kid was hiding in a box and not in the balloon, the TV coverage would have been a lot less intense.

If you're targeting techies pretending to be a techie and are shown to be a sales guy before you make your pitch it's a lot harder sell.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Will this work?
Richey wrote:

> I've been asked if this will work. I would think that it would but I would like a second opinion. 7206 VXR with an NPE-400, 512Mb ram, C7200 I/O 2FE/E card and two PA-MC-T3s. The PA-MC-T3s are 90 Bandwidth points each and the I/O controller counts as 400. There would be some MLPPP Bundles and some basic QOS. The only ACLs in the box would be to protect the box itself and the occasional SMTP block for a user that won't clean up their network.

We have several of this exact setup as customer T1 aggregation routers with no issues. We're using OSPF for the infrastructure and iBGP for customer routes. NPE300 will even work as long as you don't have a large percentage of the T1s as multilink. Put your PA-MC-T3s in the even numbered slots.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Invitation to connect on LinkedIn
Alex Balashov wrote:

> Fail.

Fail indeed. Why anyone would provide their email password to sites which guarantee to spam every address they can find is surprising. Why anyone on this list would do so is mind-boggling.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] cisco 7206 VXR router
Scott Granados wrote:

> Better worded, a common issue with vendor C is that they have processors that the interfaces can't keep up with. Other vendors including one that starts with a J have fewer issues in this area.;)

I think you have it bass-ackwards. There are interfaces that the processors can't keep up with.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] cisco 7206 VXR router
Detter Werner wrote:

> Hi Jack, you can't add eight 100Mbit-Interfaces additionally. The NPE-G1 has 3 built-in Gbit-Ports, the 7206VXR chassis is able to handle 6 additional Cards. One 100MBit FE-Card (PA-FE-TX/FX) allocates 200 Bandwidth Points, a 2-Port FE-Card (PA-2FE-TX/FX) allocates 400 BW-Points. So, you probably have to buy four PA-2FE-TX/FX-Cards (if you cannot use the built-in Gbit-Ports for your purposes *or* if you can use them buy 5 PA-FE-TX/FX-Cards :-)

I would buy a switch with at least one Gbit port and eight FE ports and trunk to VLANs.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] "Enhanced" download procedure - Cisco contact info
I have opened a dialog and have gotten what seem to be reasonable responses from this person, who seems interested in our feedback. Oscar Bauer - ba...@cisco.com However, I just about had a "Joe Wilson moment" when he sent me the following: "While we have seen some customers have challenges with the new Java requirements, once we have been able to assist them getting their configurations setup correctly most of them are happy with the new changes." Please send him a polite note. There's always hope. -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] "Enhanced" download procedure
Church, Charles wrote:

> It looks like it needs unrestricted access so that it can access your file system, since it presents its own file manager looking thing so you can pick where to save the files. No way to know for sure though.

But every browser has a built-in download utility so this is worthless complexity and a potential security hole. It also completely breaks lynx and wget, and the benefits are exactly what? Do the people at Cisco have any idea that this so-called improvement is actually a hindrance?

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] "Enhanced" download procedure
Tassos Chatzithomaoglou wrote:

> It should work after you allow it.

Why should I need to allow "Unrestricted access" to my computer in order to download a file? What exactly is that Java applet doing? Could it do something malicious? How do you know for sure?

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
[c-nsp] "Enhanced" download procedure
What the #$^&$...@# is going on with Cisco's download site? It completely hangs Firefox with some shopping cart java thing. And this is downright scary: http://www.west.net/~jay/images/cisco-wants-root.png Enhanced downloads, brought to you by the same people who brought us enhanced interrogation? Is there a workaround? What happened to our friend kobayashi ? -- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Router on a stick with multiple bridged interfaces
Robert Johnson wrote:

> Hello Cisco experts, Here's today's question. I have a simple router on a stick with a fastethernet interface and multiple 802.1Q subinterfaces connected to a layer 2 switchport in trunk mode. Now say I want to add another switch with the same group of VLANs as the first switch, bridged to the first switch. Instead of connecting the new switch to a trunk port on the existing switch, I'd like to attach it to a router interface. So essentially I want two router interfaces that are transparently bridged, with the ability to attach routed 802.1Q subinterfaces to both interfaces simultaneously. What's the best way to do this?

Turn on IRB in the router. Configure a bridge group for each VLAN. Remove the IP configuration from the dot1q subinterfaces. Add the IP configuration to the BVI for each VLAN. Assign the subinterfaces to the appropriate bridge groups on both physical interfaces.

Consider possible spanning tree issues should someone bridge VLANs the two switches accidentally or if you want to intentionally trunk between them for interface redundancy.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Question for PA OC3 guru?
Security Team wrote:

> I have a telco that wants to hand me an OC3 on which there will be 3 DS3's, all doing different things. One will be a clear channel (pt-pt) DS3, one will contain 28 T1's in the DS1 time slots of the DS3, and one will be unused for the time being. I want to buy a PA card to use in a 7200VXR and found the single-mode fiber one PA-POS-OC3SMI. My question is will this card allow me to take the T1 timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3 card? Ala:
>
> !
> ! 1 Channelized T3 port(s)
> !
> controller T3 1/0/0
>  t1 1 channel-group 0 timeslots 1-24
>  t1 2 channel-group 0 timeslots 1-24
>  t1 3 channel-group 0 timeslots 1-24

No such PA. Your best bet is a mux of some sort such as Adtran Optimux, and then use a PA-T3 and a PA-MC-T3 in the router. I believe that the latest versions of the PA-MC-2T3 are capable of supporting both a clear channel T3 and a channelized one, but if you have an extra PA slot you'll find that the cost of a PA-T3 and a PA-MC-T3 will be a lot less than using one circuit of a dual PA-MC-T3 for a clear channel circuit.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] DS3 circuit error
Oddiraju, Kiran @ London SMC wrote:

> Hi Guys, Our T3 controller is down and the SP has asked me what I am seeing on my end. Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?
>
> Router#sh controllers t3
> T3 3/0 is down.
> Applique type is Subrate T3
> Description: Carrier_Circuit_ID
> Transmitter is sending remote alarm.

You are sending a signal to the other end reporting that the signal that you are receiving is unacceptable. This is happening because...

> Receiver is getting AIS.

You are receiving all 1s from the other end. Typically, this means that there is a problem with the equipment sending toward you. Something upstream has lost signal and is sending an AIS (Alarm Indication Signal) to you. You respond by sending RAI (Remote Alarm Indicator) notifying the other end of the bad signal that you are receiving.

More info here: http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a0080344194.shtml which shortens to: http://tinyurl.com/r6jvzo

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN)
John Osmon wrote:

> Let me preface my words with the thought that I find the most of the new wikis, forums, and whatnots are poor substitutes for searchable text archives.

Agreed.

> However, I learned most of my foundation material from Usenet in the late 80s and early 90s, so I might be biased...

Ditto.

> On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
>> Gert, So if we apply your thought process, there is no value in capturing and organizing re-usable intellectual capital? I guess you must think Wikipedia is useless and we should just trawl through the web and layers of email threads to find simple answers to questions that have already been answered?
>
> You're putting words in Gert's mouth suggesting he derides the valuable (free) services available. I've never met Gert, but would buy him a beer if I found we were in the same room. Gert and others have helped me (and others) countless times without need of any of the tools you espouse -- so there is already value present without need for more work...

Agreed, and I'd buy him two. Issues brought to this list should be discussed on this list and hopefully resolved on this list. A "Go over there for the answer" response fragments discussion and actually tends to make future searches for the same information less likely to succeed as information on the web changes, links break, etc. A response of "Go over there for the answer" from someone with a vested interest in "Over there" is nothing more than an advertisement for "Over there".

> Back to the main point: There is value -- but who has to exert energy, and who reaps the benefits?

Those looking for the information have to exert the energy, those trying to commercialize it reap the benefits.

>> The value of any list is to share knowledge. If there are free tools out there like mysolvr (a user-generated knowledge-base), that also allows us to go the extra mile of documenting and organizing re-usable know-how for the benefit of others, it is worth the effort.
>
> Yes, there is likely value in organizing the info. However, is the marginal value greater than the marginal cost? I'm of the opinion that most of the people reading this list and the archives believe that it works well as it is.

Agreed.

>> We have to work smarter, not harder.
>
> Absolutely! However, I think that you've got a hard hill in front of you trying to change the behavior of people using this list.

And the smart way to work is to avoid fragmenting the information. The hard way is to fragment it among diffuse sites. The ethical way is to resist hijacking threads to promote one's own website.

> A smarter approach might be to start moving the data to your preferred site on your own. Perhaps even building automated tools to do so. If your idea catches on, you could very well end up with a reputation and following like Jared and/or Gert. Until that occurs, I have doubts that the wealth of info on cisco-nsp will be transferred to another medium...

He doesn't want to move the information to his site on his own. He wants us to do it for him. This began over a year ago with scraping cisco-nsp for email addresses and spamming them with "invitations". It went mostly under-the-radar until his spambot went nuts and flooded its victims with multiple invitations at once. Faded under the radar again and now he's back hawking the sister site.

> (With that said, I'd be happy to be proven wrong -- more knowledge is better! I don't, however, think that I'd get enough out of the process to spend my time doing any of the prep work...)

Agreed. And it fragments the information.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] SFC DOWN
Gert Doering wrote:

> Contributors to this list should just post to this list. Archives are available in many places, google will find the answers, and it's not necessary to go to a separate web site (which is likely to profit from it in some way) to get answers to questions posted *here*. The value of this list is not "post links to web sites".

Agreed 100%. FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses from this list and spammed them repeatedly a while back. http://www.google.com/search?q=pingsta+spam

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Splicing a roll-over cable
Steve Bertrand wrote:

> Hi all, I've finally got some new routers in that I'll be using for testing (the IPv6 BGP route-reflector situation is on the top of the list). The lab area is very close to my workstation. Before I have the devices connected to a network, I prefer to use my workstation to copy config snips et-al to the devices. Oftentimes, I'll use a lab pc to do similar jobs, so I unplug the console cable from the device from my workstation serial port and connect to a lab pc serial port. I don't know much (ie. anything) about the electrical properties of a serial pc interface, so I thought I'd ask whether it would do any harm to 'splice' into a roll-over cable so the input/output from the console can be used simultaneously from multiple command stations, without having to do the physical unplug/replug. Essentially, I'd like keystrokes to be seen on one monitor that is connected to the console that is typed on another device connected to the same console port.

RS-232 drivers should have sufficient current to drive two receivers, but two drivers in parallel will tend to pull the line in opposite directions.

In other words, if you connect the router's send line and ground to both monitors, the output can be displayed on both simultaneously. You probably won't see the command input on the second one, however. Two keyboards driving the router isn't going to work well, probably not at all.

VNC on the PCs might be a better choice to solve this problem.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Extended demarc
james edwards wrote:

> What is a real world limit on how far you can extend the demarc? This is on Cat5e cable. I get wildly different figures from Google.

What underlying protocol? Ethernet? T1? ADSL? BRI? That's why the figures are wildly different. :-)

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] CPU comparison - bridge vs. route on 7206?
Rodney Dunn wrote:

> The PA-GE has issues at higher speeds. You should move to L2TPV3 and see if it's better in regards to performance. Your best would be pure L3 forwarding. If the PA-GE is the issue you will have to get off that PA. What happens if you move it to one of the onboard GigE ports on the NPE-400?

There aren't any onboard gigE ports on an NPE-400. You need NPE-G1 for those.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Fun with interface counters.
Drew Weaver wrote:

> I assume this is either a bug, or something else equally enjoyable. Today, I noticed that one of our switches was acting up, so I logged into it and did the usual show interfaces, sh proc cpu sort, etc etc. I noticed that the switch's uplink interface indicated that it was doing 700Mbps to the router it is connected to, the router indicated that it was only getting 200Mbps from the switch. So either there is a counter bug, or the switch was sending traffic that was being dropped by the router or dropped later by the switch (after it was counted?), or something else equally amusing? Does anyone have any thoughts on this/seen this before?

The default interval for updating the counters is five minutes. If the traffic is bursty it isn't unusual for the interface counters to disagree, sometimes substantially. I believe that the load interval timer starts on boot or when counters are cleared on the interface so don't expect them to line up with NTP.

For faster response and better granularity you can use the "load-interval [seconds]" interface-level command. Minimum supported value is 30 seconds.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] 6500/SUP32 - RP ROMMON upgrade?
Dale Shaw wrote:

> I'm curious about how many people out there manage ROMMON/bootflash images in the same way the 'main' image is managed. In one customer network, there are tens of 7200s running 12.4T code with 12.3-based boot code. The same network has 20+ 6500s (sup32/sup720) running various 12.2(18)SXF images and I doubt anyone's ever given a second thought to 'auxiliary' code like ROMMON or any other flashable components. So, is stuff like ROMMON a set-and-forget or never-even-thought-about-it thing for you, or do you actively track image availability and factor upgrades in to your broader platform management activities? Is it considered good practice, for example, to match 7200 series boot flash revs with the main image, or does this fall into the "if it ain't broke, .." category?

7200s have three places where code is stored, ROMMON, Bootflash, and the main image. ROMMON is a physical "Yank this chip out of its socket and replace it with another chip" so not flashable. Not DIY unless you have an EPROM burner and a factory chip with newer code to dump. I typically don't worry about bootflash unless there's a compatibility issue with that and a newer IOS, but this is indeed flashable and images are available on CCO.

On smaller platforms the ROMMON and bootflash are combined onto a single BootROM. This is also a "Yank the physical chip and replace it" type of thing. Occasionally this needs to be upgraded when newer code becomes too large for the original design to address, but it's been a long time since I've needed to deal with it, IIRC the 2500 and maybe early 2600 series routers.

In my experience on most platforms these are "set and forget", but I don't have a lot of hands-on with the 6500.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] heat fins popping loose on WS-X67xx cards
> In the past 9 days I've found that 3 of our Catalyst 6500 WS-X67xx cards (2 WS-X6748-GE-TX & 1 WS-X6748-SFP) had dislodged heat fins. The fins are supposed to be tethered by a spring hooked into a small wire loop which seems to be soldered onto the circuit board. In the case at hand the wire loop pulls out of the board & the heat fin then flops around free & in 1 case the wire loop was rattling around on the card. Not good. I'm trying to determine if this is a systemic problem or just a fluke. It seems like a design flaw, with the spring being too much for the soldered wire loop. Has anybody else seen this? If so, with how many cards & of what types?

It sounds like a design flaw. The spring force on the loop is upward. Heat from the chip is conducted to the fins, the spring, and the loop which softens the solder. Tension on the loop pulls it out.

They probably need to come up with a different means of attaching the loop, maybe a stamped part with a base on the underside of the board, or at the least use a high-melting-point solder for that attachment point.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] Bandwidth displayed on Tunnel interfaces
Steve Bertrand wrote:

> Hi all, I've got a few protocol 41 tunnels configured on a few different routers, all for IPv6 only. Some of the tunnels are used for BGP peering with transit providers, and the rest join my PoPs together. If I understand the Cisco documentation correctly, the "BW" is used exclusively for link metric/cost, but it also shows up in my MRTG graphs and skews the percentage results. Since these tunnels operate on top of the same underlying connection type as the IPv4 infrastructure, I'd like to set the bandwidth manually to the same setting as the interface type the tunnel is connected over (or better yet, set it globally for all tunnel interfaces). AFAICT, doing this won't have any operational impact other than what it would normally have on an IGP (which is fine, because all IGP is over direct Ethernet), and fixing my graphing/statistical applications. Can I get some feedback on whether my thinking is correct? Tunnel bandwidth should be 100Mb:
>
> pe2-fibre#sh int tun5
> Tunnel5 is up, line protocol is up
>   Hardware is Tunnel
>   Description: IPv6 BGP Tunnel to he.net
>   MTU 1514 bytes, BW 9 Kbit, DLY 50 usec,
>      reliability 255/255, txload 18/255, rxload 163/255
>   Encapsulation TUNNEL, loopback not set
>   Keepalive not set
>   Tunnel source 208.70.111.131, destination 216.218.229.118
>   Tunnel protocol/transport IPv6/IP
>   Tunnel TTL 255
>   Fast tunneling enabled
>   Tunnel transmit bandwidth 8000 (kbps)
>   Tunnel receive bandwidth 8000 (kbps)

Correct.

conf t
int tu5
! bandwidth is configured in kbit/s: 100000 = 100 Mb
bandwidth 100000
^Z
wr

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] BGP Config
Alain Camille wrote:

> My ISP will be maintaining the BGP configuration for my organization. I need a minimal BGP configuration on my core device that will allow connectivity to the ISP. Looking for some direction. Thanks.

Are you connected to a single ISP at a single geographic location? If so it probably isn't worth the effort. If you are connected to multiple ISPs, the BGP configuration may not be so minimal and you'll likely want to engage the services of someone knowledgeable in the field to configure and maintain as needed.

Do you have an AS (Autonomous System) number assigned by your regional registry? Do you have portable IP space? If both are no, and you're only connected to one ISP, you almost certainly don't need to run BGP. A simple default route to your ISP will suffice.

-- Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] What cisco line cards support DS3 over RJ45 interface
nbernad...@gallantsys.com wrote:
> Please let me know if you know the cisco line card(s) that support DS3 over RJ45 interface.

None of them. DS3 is delivered on a pair of 75-ohm BNC connectors.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
Re: [c-nsp] BGP and OSPF - redesign
ch...@lavin-llc.com wrote:
> Along the lines of the recent discussions about eBGP, iBGP and OSPF intertwined routing, I have a redesign to deal with. An enterprise solution that currently runs eBGP, iBGP and OSPF with the iBGP and OSPF fully mixed. By that I mean there lacks a policy of separating the two. Rather than having OSPF carry only the required /32s for the purpose of building the full iBGP mesh, OSPF and BGP are contributing to the forwarding tables for all traffic. This is causing some odd and unpredictable behavior for route announcements and path selection.
>
> The problem I'm struggling with is how to transition the routes out of OSPF so that iBGP is used to carry the traffic, thus reducing OSPF based routes to only be responsible for building the full iBGP mesh. Most of the appropriate goodies are in place, like locked in router-id's and no synch. But the jenga-like configurations of redistribution and network statements make for a mind bending exercise for trying to migrate to the ISP Essentials formula.

Here's how we did it.

1. Originally we had infrastructure participating in OSPF, redistributing connected and static customer routes into OSPF. BGP was primarily used externally. iBGP was used only to interconnect border routers. We found the OSPF tables getting bloated. Reconvergence after a link flap was painful and rippled through routers that shouldn't have been affected.

2. At each site we brought all routers into iBGP. Non-borders got a filter-list that included just local origin and downstream customer ASes. This so as not to overwhelm small routers with full tables. If you have several routers per site, it's more scalable with peer-groups and route reflectors. All iBGP should be done to loopbacks, and the loopbacks should be routed throughout your AS via OSPF. Configure next-hop-self and send-community.

   We then carefully redistributed static and connected routes into iBGP with a route-map, thusly:

       router bgp []
        redistribute connected route-map cust-to-bgp
        redistribute static route-map cust-to-bgp
       ...
       route-map cust-to-bgp permit 10
        match ip address prefix-list local-nets
        set origin igp
        set community no-export
       ...
       ip prefix-list local-nets description Customer allocations
       ip prefix-list local-nets seq 10 permit /nn le 32

   At this point all routers should have your customer networks in their BGP tables. As iBGP has an AD of 200 and OSPF is 110, the routes to the customer networks will still show up as OSPF external in the IP routing tables.

3. Verify that the links interconnecting the routers and the loopbacks show as OSPF routes (not OSPF E1 or E2). Verify, one router at a time, that customer routes redistributed into OSPF are in the BGP tables of other routers in your AS pointing to the loopback. Verify that you aren't spewing all of these small subnets to your eBGP neighbors. (That's what the no-export and send-community are for.)

4. "No out" the redistribute statements for connected and static in your router OSPF, one router at a time. You can set up a continuous ping to a customer target on a different router and you probably won't even lose a packet if you've checked everything first and your CPU is below 90%.

5. Verify that your customer routes are now shown in the routing table as BGP.

6. Verify that your OSPF routes are now lean and mean, with just infrastructure links and loopbacks.

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
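The routing-table checks in steps 3, 5 and 6 of the message above can be scripted; the following is an added example, not part of the original post. The prefixes, the address ranges standing in for the local-nets prefix-list, and the simplified `show ip route` lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed, simplified "show ip route" lines before and after step 4.
BEFORE = """\
O        10.255.0.2/32 [110/2] via 10.0.12.2, 00:41:07, GigabitEthernet0/1
O        10.0.23.0/30 [110/2] via 10.0.12.2, 00:41:07, GigabitEthernet0/1
O E2     198.51.100.0/26 [110/20] via 10.0.12.2, 00:12:30, GigabitEthernet0/1
O E2     198.51.100.64/30 [110/20] via 10.0.12.2, 00:12:30, GigabitEthernet0/1
"""
AFTER = """\
O        10.255.0.2/32 [110/2] via 10.0.12.2, 00:41:07, GigabitEthernet0/1
O        10.0.23.0/30 [110/2] via 10.0.12.2, 00:41:07, GigabitEthernet0/1
B        198.51.100.0/26 [200/0] via 10.255.0.2, 00:02:11
B        198.51.100.64/30 [200/0] via 10.255.0.2, 00:02:11
"""
# Assumed ranges: customer allocations (local-nets) and infrastructure space.
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
INFRA_NETS = [ipaddress.ip_network("10.0.0.0/8")]

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z](?: (?:E1|E2|IA|N1|N2))?)\*?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+) \[(?P<ad>\d+)/\d+\]"
)

def parse_routes(text):
    """Return (route code, network, administrative distance) per route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["code"], ipaddress.ip_network(m["prefix"]), int(m["ad"])))
    return routes

def within(net, parents):
    return any(net.subnet_of(p) for p in parents)

def audit(text):
    """Return (prefix, reason) pairs that contradict the post-migration state."""
    findings = []
    for code, net, ad in parse_routes(text):
        if within(net, CUSTOMER_NETS):
            if code != "B":
                findings.append((str(net), f"customer route still '{code}' (AD {ad}); step 5 expects BGP"))
        elif code.startswith("O") and (code != "O" or not within(net, INFRA_NETS)):
            findings.append((str(net), f"unexpected OSPF route '{code}'; step 6 expects only links and loopbacks"))
    return findings

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(table))
```

Run against the table captured before step 4, the audit lists every customer prefix still winning as OSPF external; after the redistribute statements are removed it should come back empty.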
Re: [c-nsp] Channelized DS3 over SM fiber handoff
Michael Ulitskiy wrote:
> Hello,
>
> We will need to terminate channelized DS3 circuit in 7200VXR router. The problem is that DS3 is given to us by telco (Verizon) as a single-mode fiber. I have no experience with this kind of setup and actually limited experience with DS3 circuits. Has anybody done this before? How it's usually done?
>
> Is there a DS3 PA with fiber interface for 7200 routers (I don't see any) or I should use a media converter with PA-MC-T3? If so, can you recommend one? It seems that many media converters use proprietary DS3 encoding scheme and must be used in pairs (or at least I've been told so), but telco is unable to give us any recommendation on how we should terminate it on our end.
>
> If anyone could share the experience on terminating DS3 over fiber handoff from Verizon, East Coast, I'd greatly appreciate it. Any pointers to appropriate documentation/tutorials/howtos/etc are also very welcome.
>
> Thanks a lot,

I've never seen a telco hand off a DS-3 as fiber. Always a pair of 75-ohm coaxial cables on BNC connectors. Typically it comes in to the customer premise as a SONET fiber connection and a carrier-owned MUX and NID is installed with the customer handoff as co-ax.

You would need to know the exact make and model of the hardware at the other end of the link to procure a compatible media converter if they are really terminating a DS-3 this way. And good luck when you have a case of trouble, the blame game on this one will not be fun.

Are you sure they're finished with the provisioning and that there isn't another group scheduled to install equipment?

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV