Re: [c-nsp] big uptime - what you got ?
On 10.02.2020 at 16:35, Aaron Gould wrote:
>
> Holy cow! Beat that
>
> dsw2-4503#sh ver | in uptime
> dsw2-4503 uptime is 11 years, 2 weeks, 1 day, 23 hours, 3 minutes
> dsw2-4503#sh ver | in IOS
> Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)

Almost ... ;-)

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)
switch13 uptime is 10 years, 28 weeks, 5 days, 8 hours, 16 minutes
System restarted at 08:28:14 CEST Sun Jul 26 2009

Kind regards,
Patrick

--
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Kaiserallee 13a
76133 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
i...@punkt.de
AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Cisco 4000 series (4461) as a BGP router?
Hi!

> On 29.10.2019 at 10:25, … wrote:
> Since you don't need throughput maybe vMX/cRDP or vXR 9000 with just couple
> of gig of licenses would be an option?
> That way you'll get all the internet proven BGP stack offered by the big
> boxes for fraction of the price tailored to your BW needs.
> But yes there's the question of who manages the server part unfortunately…

Managing servers is our core business and we are actively investigating separating layers 2 and 3 again and using something like the BSD router project for upstream BGP. Have been running router-on-a-stick for years, the 6500 were our first integrated platform.

So thanks ;-)
Patrick

--
punkt.de GmbH
Internet - Dienstleistungen - Beratung
Kaiserallee 13a   Tel.: 0721 9109-0 Fax: -100
76133 Karlsruhe   i...@punkt.de http://punkt.de
AG Mannheim 108285 Gf: Juergen Egeling
Re: [c-nsp] Cisco 4000 series (4461) as a BGP router?
Hi Mark,

> On 28.10.2019 at 15:42, Mark Tinka wrote:
> It doesn't immediately strike me that you have spent any time speaking
> with Juniper or one of their partners about your needs and what product
> in their arsenal comes close to your requirements.

Because I wanted an unbiased, field-tested recommendation. But you do have a point here - probably that will be my next step.

Kind regards,
Patrick
Re: [c-nsp] Cisco 4000 series (4461) as a BGP router?
Hi!

> On 28.10.2019 at 09:40, Saku Ytti wrote:
> That'll set you back about the same as new MX204, you need to be
> really committed CSCO shop to go with ASR9001. I would not consider
> that at all, even if it had to be Cisco.

Thanks for that recommendation. I'm not allergic to Juniper nor any other vendor, although it is traditional IOS that I know inside out. But I do know my basics, so switching product is not an issue, really.

When I look at Juniper I quickly find this:
https://www.juniper.net/us/en/products-services/routing/mx-series/datasheets/1000597.page

And here - just like Cisco - they feature all sorts of fancy numbers that are all completely irrelevant to us. The smallest platform in that table features four times the peak bandwidth we *could* use with our 5x 1G/s connections, which we are currently utilizing at less than 500 M/s in total ...

Yet the only numbers I am really interested in are: How many routes will each of these systems hold in the data plane? And how many full-feed BGP peers can it handle in the control plane? And these are not in this effing table!

This is frustrating …

Kind regards,
Patrick
Re: [c-nsp] Cisco 4000 series (4461) as a BGP router?
Hi all,

> On 27.10.2019 at 01:36, Łukasz Bromirski wrote:
>
>> On 23 Oct 2019, at 13:50, Patrick M. Hausen wrote:
>>
>> Hi all,
>>
>> would you recommend the 4461 to run a handful of
>> full feeds for v4 and v6? The model seems to be quite
>> affordable compared to ASR 9000 series routers and
>> throughput is not our main concern for upstream.
>
> It will do fine. Memory and performance shouldn't be an issue until you
> reach around 7Gbps (with BOOST license, if you're not running virtual
> containers).
>
> If that's not enough, consider ASR 1001X/1001HX.

Our supplier recommended refurbished 9001 or 9006 to get the best bang for the buck. Would you agree with that?

Could someone kindly clue me in about the 32bit vs 64bit platform „issue“ if there is one? I would not want to invest into a platform with EOL already on the horizon. Those 6500 have been running way too long.

Pointers of course welcome.

Thanks in advance,
Patrick
[c-nsp] Cisco 4000 series (4461) as a BGP router?
Hi all,

would you recommend the 4461 to run a handful of full feeds for v4 and v6? The model seems to be quite affordable compared to ASR 9000 series routers and throughput is not our main concern for upstream.

Thanks,
Patrick
Re: [c-nsp] Experience with Lenovo switching, anyone?
Thanks to everyone who responded. We will look into Lenovo CNOS gear. The switches are easily available through one of our established channels and very attractively priced.

I'll report how that goes …

Kind regards,
Patrick
Re: [c-nsp] Experience with Lenovo switching, anyone?
Hi!

> On 21.06.2019 at 20:05, Gert Doering wrote:
> What features do you need? "Switching" or "full L3 routing"? And
> if routing, how large the table?

Switching. A new layer 2 „fabric“ for our data centre. I'm planning to go back to a router-on-a-stick design and separate routing and switching …

If routing is available and stable, it would not hurt, of course. OSPF for v4 and v6, strictly IGP, definitely no uplink. Table size? Well, how many routes can you put into a v4 /20 …? ;-) Similar for v6, so „couple of dozen“ to „couple of hundred“. Less than 1000 routes definitely.

> We've moved to Arista for the "1RU, lots of 10/25GE ports, MLAG"
> places in our network, and we are very happy. Stuff works like a
> breeze - and if it doesn't (we found a bug with IPv6 and OSPFv3,
> of course) ATAC is really pleasant to work with.

Turned out to be too expensive for us. 1 G/s is more than enough as edge connectivity for servers, not that much „hyperconvergence“ going on, yet. That's why it does not pay (yet) to have higher bandwidth at the ToR.

So I'm looking for 2-3k for a ToR switch - upper limit. We are replacing refurbished Cisco gear that came at 600 per 48 1G ports with 2 10G uplinks. It's really hard to find current manageable gear for our size ...

Thanks,
Patrick
[c-nsp] Experience with Lenovo switching, anyone?
Hi all,

we are looking for alternatives to the two large vendors that are cost efficient for a small hosting company. Does anyone have practical experience with Lenovo ENOS and is willing to share?

With a limited budget we prefer to cut features rather than stability ;-) Yet multi-chassis (at least dual-chassis) LACP or similar or some modern „fabric“ architecture are necessary. I don't want to go back to only STP …

Kind regards,
Patrick
Re: [c-nsp] cat6800 sup6T
Hi all,

> On 10.07.2018 at 18:05, Charles Spurgeon wrote:
> If you want 5 years of active support then you should probably
> consider the Catalyst 9000 series (NOT Nexus 9k and thanks for the
> model number confusion, Cisco). If you want multiple sups and slots
> then the Cat9400 would be the model of interest. However, note that
> the Cat9500 supports "stackwise virtual" which claims to be a VSS
> replacement.

We, too, are still looking for an affordable replacement for our Cat6k switches. While the 9k series looks interesting for data centre switching, I fear they won't do BGP with the global routing table?

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9500-series-switches/data_sheet-c78-738978.html

  Total number of IPv4 routes (Address Resolution Protocol [ARP] plus learned routes)
    Up to 212,000 indirect + direct*
    Up to 90,000 host/ARP*

If this is indeed the number of routes the system can hold, that won't do. I wonder where those 16 GB of DRAM go with a measly 200k prefixes ... Or am I missing something?

Since our Cat6k are not limited by switching performance but simply by the size of the routing table, we are looking into data centre switches for layer 2/3 that hopefully consume less power and into Quagga or similar solutions for external connectivity. With 300 Mbit/s aggregate external traffic an amd64 based server should easily handle that.

Kind regards
Patrick
Re: [c-nsp] line con 0 as terminal server on Cat6500?
Hi all,

> On 19.05.2018 at 18:52, Lee wrote:
> It's been several years since I've seen a 6500, but I doubt things
> have changed. There's two boot registers on the 6500 - the switch
> processor and the route processor. The switch boots up first and then
> hands off to the route processor, so under normal circumstances
>   show boot
> shows the boot variables for the route processor & [maybe not the
> correct syntax]
>   remote command switch show boot
> shows the boot variables for the switch processor.
>
> So if the SP confreg = 0x0 when the box reboots it stays in rommon
> even if the RP confreg = 0x2102

Thanks for reminding me that this platform acts a bit schizophrenic at times ;-) And of course you nailed it.

  Standby chassis switch processor:
  Configuration register is 0x2100 (will be 0x2102 at next reload)

I think it's pretty odd that a controlled reload is required to save the new setting. We did that in a maintenance window and now all 4 registers of our VSS are set to 0x2102.

Thanks
Patrick
Re: [c-nsp] line con 0 as terminal server on Cat6500?
Hi!

> On 18.05.2018 at 09:00, joshd wrote:
> If the good cat6500 had an aux port, you could go from aux->con of the bad
> switch but I don't think cat6500s have an aux port.

Precisely - the VS-S720-10G doesn't have an aux port. The question is if I can use the con port in the same fashion and if yes, how?

Patrick
[c-nsp] line con 0 as terminal server on Cat6500?
Hi all,

last weekend one switch in our VSS pair failed. Redundancy/VSS did work and we kept our connectivity besides a couple of hosts that only have a single uplink and were connected to that particular chassis. When I came to the data centre I found the failed chassis in rommon. A simple "boot" command restored everything to working order.

Now to spare me that drive in case that happens again - is it possible to use the console port of a working Catalyst 6500 to act as a terminal server for the other one? We have quite a lot of spare rollover cables ;-)

I found these instructions but I think I'm missing something:
https://www.cisco.com/c/en/us/support/docs/dial-access/asynchronous-connections/5466-comm-server.html

  ip host other 2000 1.2.3.4

  Core2#telnet 1.2.3.4 2000
  Trying 1.2.3.4, 2000 ...
  % Connection refused by remote host

I used the real IP address of loopback0, of course.

Side note/question: any idea what could cause a Cat6500 VS-S720-10G to fail, reset (I can understand *that*) and then not boot into IOS and stay in rommon?

  Standby BOOT variable = sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;disk0:s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin,1;
  Standby Configuration register is 0x2102

  Core2#dir slavesup-bootdisk:
  ...
  s72033-adventerprisek9_wan-mz.122-33.SXJ10.bin

Thanks!
Patrick
Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?
Hi,

> On 03.08.2017 at 23:58, Łukasz Bromirski wrote:
> For that kind of scenario, Sup720-10GE can still do its job if
> You use Selective Route Download. You don't need full tables as
> Spotify's SIR project has shown. You're even better than Spotify,
> as You're end station for the traffic, not transit as I understood.
> Just take a look here (and read on):
> https://labs.spotify.com/2016/01/26/sdn-internet-router-part-1/

Great link, thanks!

> Also, try to stick to 15.xS lines. It seems You're doing quite simple things
> and there's no real value in staying on 12.2(33) line unless some
> hardware dependencies.

15.xS fails with continuously resetting the BGP process as soon as the second full feed is activated due to memory allocation failures. That's why I specifically downgraded our switches at 5am this morning :-/

At the moment 6 peers, 4x full feed, everything running fine. RP memory at 90% utilization, though. TCAM 78% v4, 39% v6.

> BTW, you can upgrade RAM on 720-10GE to 2GB. This is of course not
> officially supported, but as You're anyway running on refurbished equipment,
> you don't care that much. Just remember to upgrade both RP and SP
> memory, as in theory with this Sup you wouldn't need to care anymore
> as SP is just a stub, but may actually play buffer allocation tricks
> and if there's discrepancy between RP and SP RAM size, you may
> run into trouble (RP losing SP, stalling and then rebooting on
> watchdog - it isn't pretty and for sure - not predictable).

Another great piece of advice - thanks again.

Patrick
Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?
Hi!

> As for comparisons - 1001/1002/1002F are no longer in game,
> and while they perform decently for control plane, even first gen ASR 9k's
> (like 9001/9001S and RP1s for 9006/9010) will beat them unless you
> go for RR role in a specific config (SRD) - as Ytti mentioned, BGP on
> 32 bit IOS-XR has memory limitations per process. This is not
> Patrick use case however I believe.

The use case is simply "full tables BGP" with currently 4x 1GB/s uplinks and possibly 6 in the near future. Upgrade to something 10G-ish not planned at the moment. 300-400 Mbit/s aggregate traffic across all uplinks currently.

So we are too memory heavy for the C6500 (SUP720-10G) and then there's the TCAM limitation ... although our bandwidth requirements are rather small. And then the C6500 definitely starts to rot - I wonder if I will ever get anything beyond 12.2(33)SXJ10 if (when!) the next remote security bug hits.

> Going back to original question - if that's going to be refurbished unit,
> 9001 probably fits the bill in the best way. 9904 in the new data center
> is probably the best choice given your requirements.

Yeah, the 9904 looks quite nice. Don't know if it's available refurbished, already. The 9001 would probably cost us 3 to 4 times as much per box as the 1001-X. I haven't received a written quote yet and I'm unsure about the cost of the 20G and 2x10GE licenses. We'll see.

> Stay off the ASR9k cluster licenses BTW :) You don't need them for
> your use case.

So I figured already. The new boxes will be all layer 3, so no need to mess with VSS and sons to get multi-chassis portchannel etc.

Thanks to all for your valuable input. I'll report what we got ;-)

Patrick
Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?
Hi,

> On 02.08.2017 at 21:24, Mark Tinka wrote:
> On 2/Aug/17 19:07, quinn snyder wrote:
>> as a point of correction — iirc — asr1002x is running closer to an rp2. i
>> don't have one available to me at the moment, but i believe the code
>> indicates as such. comparing the ram, route, etc numbers leads me to
>> believe this is true.
>>
>> based on what i'm reading — the asr1002hx is closer to an rp3-based
>> platform, again — comparing the numbers. i could be wrong on this.
>
> I could get into it, but hopefully this helps:
>
> http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-441072.html

The 1001-X as well as the 1002-X both come with 8 GB memory as a default and are expandable to 16 GB. If the limits in the data sheet you linked hold for the embedded platforms all the same, they must have an RP2. Yet I still have to find a document stating that explicitly.

Patrick
Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?
Hi, all,

> On 02.08.2017 at 12:24, Mark Tinka wrote:
> It depends; there are different ASR1002's.
>
> The ASR1002-X and the ASR1002-HX.
>
> The ASR1002-X is older, and runs the RP1, which is the slower one. We use
> them for a bit of peering, and it's not bad - certainly better than the MX80
> and MX104's RE's.
>
> The ASR1002-HX is on RP2.
>
> Stay away from the ASR1002 or ASR1002-F. Those are too old for life.

And in typical Cisco style we've all come to love, it's really hard to find a single table with the relevant performance figures for all the different models. :-( pps/bps - yes, routes - no.

I finally found this:
http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html

Summary:

  Cisco ASR 1002-HX with Integrated ESP Module
    Up to: 4,000,000 IPv4 or 4,000,000 IPv6 routes
    Multicast: 100,000 routes and 44,000 groups

  Cisco ASR 1001-HX with Integrated ESP Module
    Up to: 1,000,000 IPv4 or 1,000,000 IPv6 routes with 8-GB memory
           3,500,000 IPv4 or 3,000,000 IPv6 routes with 16-GB memory
    Multicast: 64,000 routes and 4,000 groups

  Cisco ASR 1001-X with Integrated ESP Module and 8-GB Memory
    Up to: 1,000,000 IPv4 or 1,000,000 IPv6 routes with 8-GB memory
           3,500,000 IPv4 or 3,000,000 IPv6 routes with 16-GB memory
    Multicast: 100,000 routes and 4,000 groups

  Cisco ASR 1002-X with Integrated 36-Gbps ESP Module and 8-GB Memory
    Up to: 500,000 IPv4 or 500,000 IPv6 routes with 4-GB memory
           1,000,000 IPv4 or 1,000,000 IPv6 routes with 8-GB memory
           3,500,000 IPv4 or 3,000,000 IPv6 routes with 16-GB memory
    Multicast: 64,000 routes and 4,000 groups

So ... as long as it's at least a 1001-X with 16 GB of memory we should be good to go. The "up to 20 Gbps" are definitely enough for now.

Thanks, guys, I'll continue to discuss details and prices with my supplier.

Patrick
Re: [c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?
Hi all,

> On 02.08.2017 at 12:05, Mark Tinka wrote:
> On 2/Aug/17 11:58, Gert Doering wrote:
>> This is what we currently do for "BGP edge", and I totally love the
>> box. Even though software updates are as annoying, mostly because the
>> flash disk is so slow so the fairly complex processes take ages,
>> and then a bit.
>
> Indeed.
>
> I also find the ASR9001 a lot slower than the ASR1000 (RP2). But it's not as
> bad as the PPC-based MX's.

My preferred supplier just called in telling me that ASR 9001 are way more expensive currently than, say, ASR 1002 with RP2. I'll get a quote later today. ASR 9006 OTOH are rather cheap for their capabilities he claims - but definitely too big for the current project. Possibly for the new data centre ...

So, any remarks about the 1002?

Thanks,
Patrick
[c-nsp] ASR 1k vs 9k as a non-transit BGP router with full tables?
Hi all,

seems like I'll finally have to bite the bullet and move BGP routing off of our Catalyst 6500. For the moment we plan a gradual migration by connecting a pair of as-small-as-sufficient routers, not switches, to the existing infrastructure to run BGP to our transit providers and leave the layer 2 network in place for now.

Estimate is that the C6500 will be capable of running layer 2 plus IGP (OSPF in our case) for another year or so. We plan to move to a new data centre in that time frame, so we can build everything from scratch at the new location. For this time frame I need reliable BGP routing at the old location with a modest investment.

ASR 9001 looks like a candidate, 4x 10GE and one 20x 1GE line card are definitely sufficient for the foreseeable future. Are there any licensing pitfalls I need to be aware of with refurbished hardware and IOS-XR? Can anybody share experience with the "cluster" license and feature for these switches? According to our supplier they feature 8 GB of memory and "a couple of millions of routes (v4 and v6)" - correct?

Is there a viable alternative in the ASR 1k line of products? 2 rack units and low power consumption preferred. And availability in the secondary market, of course ...

Any completely different product I overlooked?

Thanks in advance for your input.

Patrick
Re: [c-nsp] Looking-glass software?
Hi all,

> On 19.05.2017 at 09:23, Patrick M. Hausen wrote:
>
> Either the one bundled with rancid works [...]

2 things one needs to fix to make the rancid 3.6.2 LG work:

- change startform and endform to start_form and end_form, respectively
- add $CGI::LIST_CONTEXT_WARN = 0; to lgform.cgi and lg.cgi

The latter might pose a security risk if the LG is public. I don't know enough perl to judge.

Patrick
Re: [c-nsp] Looking-glass software?
Morning,

> On 18.05.2017 at 21:08, Saku Ytti wrote:
>
> On 18 May 2017 at 21:47, Patrick M. Hausen wrote:
>> I am in no way planning to make this public. We have had routerproxy in
>> place as a convenient tool for our own admins, specifically the ones who
>> are not IOS gurus and just want to look up stuff, not configure the systems.
>
> I get that, but you shouldn't use system() or back-ticks ever,
> regardless security posture. Because it is 0 cost to do this right
> (e.g. popen) versus wrong, so you have no upside on the wrong way.
> Also, you may intend it internal use only, but then you leave the
> company, and customer RFP mandates looking glass, and fastest way to
> do it, is to expose the NOC tool to customer.

I know - but honestly I wasn't planning to code one myself. And of course the comments about private tools suddenly turning public years later are spot-on.

Either the one bundled with rancid works or I'll "fix it in the documentation" and do a write-up for my colleagues on how to do it with SSH and the CLI. Might serve as a cheat sheet for myself in situations of sudden pressure, too ;-)

Thanks for all hints.

Patrick
Re: [c-nsp] Looking-glass software?
Hi, all,

> On 18.05.2017 at 17:26, Saku Ytti wrote:
>
> I don't think anyone who should write their own looking glass needs to
> be shown example how to do it.
>
> You are literally allowing anyone to inject data to your
> control-plane, it needs to be done right. I can immediately say you're
> not doing it right because you're not passing binary and arguments
> separately.

I am in no way planning to make this public. We have had routerproxy in place as a convenient tool for our own admins, specifically the ones who are not IOS gurus and just want to look up stuff, not configure the systems.

Kind regards,
Patrick
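The two points Saku Ytti makes in this thread (pass the binary and its arguments separately instead of handing one string to system() or back-ticks, and treat a looking glass as untrusted input reaching the control plane) as an added example. This is not code from the thread, from routerproxy or from rancid's LG; it is a Python illustration (the tools discussed are Perl, but the pattern is the same). The router names, hostnames and the allowlisted show commands are assumptions made for the example, and nothing here connects to a router: the functions return what would be executed so the difference between the two approaches is visible.

```python
"""Looking-glass command construction: shell string vs. argv list.

Added example, not code from the cisco-nsp thread or from any tool mentioned
in it. ROUTERS and QUERIES are assumed values for the illustration.
"""
import ipaddress
import subprocess

# Assumed allowlist of read-only queries. The only user-controlled part of the
# remote command is {arg}, and it must pass validate_prefix() first.
QUERIES = {
    "bgp": "show ip bgp {arg}",
    "bgp6": "show bgp ipv6 unicast {arg}",
    "route": "show ip route {arg}",
}

# Assumed router inventory: short name shown in the web form -> ssh target.
ROUTERS = {
    "core1": "core1.example.net",
    "core2": "core2.example.net",
}


def validate_prefix(text: str) -> str:
    """Return text canonicalised as an IPv4/IPv6 prefix, or raise ValueError.

    ipaddress rejects whitespace, ';', '|', newlines and anything else that
    could end the local command or append a second IOS command on the router,
    so this one check protects both the NOC host and the control plane.
    """
    try:
        return str(ipaddress.ip_network(text, strict=False))
    except ValueError as exc:
        raise ValueError(f"not an IP address or prefix: {text!r}") from exc


def unsafe_shell_command(router: str, query: str, arg: str) -> str:
    """The pattern the thread warns against: one string for system()/back-ticks.

    Returned instead of executed so the caller can see what the shell would
    parse. There is no validation, which is how injection reaches the router.
    """
    return f"ssh {ROUTERS[router]} {QUERIES[query].format(arg=arg)}"


def safe_argv(router: str, query: str, arg: str) -> list:
    """Build the argv list for subprocess.run()/popen: binary and arguments
    separate, router and query limited to the allowlists, argument validated.
    """
    if router not in ROUTERS:
        raise ValueError(f"unknown router: {router!r}")
    if query not in QUERIES:
        raise ValueError(f"unknown query: {query!r}")
    remote_cmd = QUERIES[query].format(arg=validate_prefix(arg))
    # BatchMode stops ssh from waiting on a password prompt inside a CGI
    # process; the remote command is a single argv element, so no local shell
    # ever parses user input.
    return ["ssh", "-o", "BatchMode=yes", ROUTERS[router], remote_cmd]


def accepts(router: str, query: str, arg: str) -> bool:
    """True if safe_argv() would run the request, False if it rejects it."""
    try:
        safe_argv(router, query, arg)
        return True
    except ValueError:
        return False


def run_query(router: str, query: str, arg: str) -> str:
    """Execute the validated argv without a shell and return the router output.

    Not called by the example itself, since it needs a reachable router.
    """
    result = subprocess.run(safe_argv(router, query, arg), capture_output=True,
                            text=True, timeout=30, check=False)
    return result.stdout


if __name__ == "__main__":
    payload = "192.0.2.1; rm -rf /tmp/x"  # constructed injection attempt
    print("shell string:", unsafe_shell_command("core1", "bgp", payload))
    print("argv:", safe_argv("core1", "bgp", "192.0.2.0/24"))
    print("payload accepted:", accepts("core1", "bgp", payload))
```

The argv list alone is not the whole story: ssh joins the remote command back into one line that the router's CLI parses, so a `|` or a newline in the argument would still reach IOS. That is why the prefix validation sits in the same function as the allowlist rather than being left to the web form.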
[c-nsp] Looking-glass software?
Hi, all

can anyone recommend a free looking-glass tool to run on my own NOC server for my own core routers? My problem is finding a software that is preferably written in Perl or PHP and

* not unmaintained for years
* breaking with current versions (5.24) of Perl
* only supporting telnet instead of ssh
* ...

I've been spending almost a day already chasing dead links on historic sites like traceroute.org, downloading, configuring, testing ...

So, any hints? I had set up routerproxy to hand my less IOS-savvy colleagues a tool to quickly check some things, but that one goes in the "breaks with Perl 5.24" category ...

Thanks!
Patrick
Re: [c-nsp] Cat 6500: WS-X6748-SFP and VSS?
Hey, guys,

turned out it was pilot error and lack of experience with VSS. Somehow I messed up the port-channel config for the VSL at a time when I did not (yet) have dual-active detection configured and the standby switch was in recovery mode. Hence all interfaces disabled. Duh!

Fixed today via serial console, everything looks good, now.

Thanks to all who took the time to give advice.

Patrick

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
Re: [c-nsp] Cat 6500: WS-X6748-SFP and VSS?
Hi all,

> On 16.01.2017 at 15:36, Patrick M. Hausen wrote:
> In the release notes for IOS 15.1SY I found this remark about
> supported Gigabit Ethernet modules:
>
> WS-X6748-SFP
> with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not supported in
> virtual switch mode)

Sorry, I have to rephrase my question after a second look:

  WS-X6748-SFP (with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not supported in virtual switch mode) WS-F6700-DFC3B (not supported in virtual switch mode) or WS-F6700-CFC )

So I think this reads as:

  WS-X6748-SFP with DFC3CXL or DFC3C: supported
               with DFC3BXL or DFC3B: supported, but no VSS

Am I reading this correctly?

If yes, I have a different problem altogether. I upgraded two of our core switches from Sup720-3BXL to Sup720-10GE with PFC-3CXL, then upgraded all the DFCs on the line cards and installed IOS 15.1(2)SY9. None of the copper Gigabit interfaces work. All show "down, line protocol is down (notconnect)" regardless of the connection.

Any ideas on how to proceed from here?

BTW: this includes Gi1/1/3 and Gi2/1/3 - the copper interfaces in the supervisor engines. Not only on the 6748 linecards.

Thanks
Patrick
Re: [c-nsp] Cat 6500: WS-X6748-SFP and VSS?
Hi!

> On 16.01.2017 at 15:39, Charles Mills wrote:
>
> There's also a weird bug that I don't believe to be fixed that causes traffic
> to black hole periodically if you do the VSL links on line cards.
>
> Basically the mac address of the default gateway for certain vlans will show
> up on random ports. Usually x/y/38 but can be any. Made my life a living
> hell until we figured it out.
>
> Only do your VSL on the supervisor.

I do. The problem is not with VSS per se. All 48 ports on my line card show "down, line protocol is down (notconnect)" even with connections that were working before I converted the switch to VSS.

Patrick
[c-nsp] Cat 6500: WS-X6748-SFP and VSS?
Hi all,

In the release notes for IOS 15.1SY I found this remark about
supported Gigabit Ethernet modules:

WS-X6748-SFP
with WS-F6700-DFC3CXL , WS-F6700-DFC3C , WS-F6700-DFC3BXL (not supported in
virtual switch mode)

Does anyone know if this restriction is there to stay? Or a fundamental
reason for its existence?

Oddly I cannot find anything about supported hardware in the release
notes for 12.2.33-SXJ - only a list of resolved caveats.

If I'm stuck with it, what would be an alternative Gigabit Ethernet
module to go with a Sup720-10GE with PFC-3CXL?

Thanks!
Patrick
Re: [c-nsp] 720-3BXL IOS 15
Hi,

> On 17.11.2016 at 09:17, Paul wrote:
>
> Full BGP table will not fit in RAM on a sup720 (1g max :/) with 15.x code, on
> 7600 or 6500 doesn't matter.

Would you say this applies in the general case or only if you still have
"soft-reconfiguration inbound" enabled - which we don't.

Thanks,
Patrick
Re: [c-nsp] "safe harbor" - reliable statement about expected sw quality?
Hi,

> On 17.11.2016 at 11:26, Lukas Tribus wrote:
>> Does the missing "star" imply I can expect less reliability
>> from SXJ10 compared to SXJ7?
>
> No (and actually the "star" is on 15.1.2-SY9, which is the suggested
> IOS you should be running on new deployments).
>
> Just because the latter has a certification while the former doesn't,
> doesn't imply the latter is more stable.
>
> In fact SXJ7 has 4 publicly known vulnerabilities, so I would strongly
> suggest to run SXJ10 (if you have to stay on the SXJ train, that is).

Thanks. That explained it quite well. I'm planning to stay on SXJ because
of the purported memory issues with 15.x and full feeds.

Patrick
[c-nsp] "safe harbor" - reliable statement about expected sw quality?
Hi, all,

I don't quite get what precisely Cisco is stating with those little
stars and the "safe harbor" label for IOS releases.

E.g. 122-33.SXJ7 is the last 12.2 release for the Cat6500 labelled
this way. Yet, if you look up the release notes for the *current*
release, which is 122-33.SXJ10, they mention some resolved caveats
that I think I definitely want on my switches, like e.g.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCum94811

Does the missing "star" imply I can expect less reliability
from SXJ10 compared to SXJ7?

Anyone with a crystal ball able to share some insight?

Thanks,
Patrick
Re: [c-nsp] Cat6500 VLAN cannot be assigned to a routed port sub-if?
Good morning,

> On 19.09.2016 at 09:52, Peter Rathlev wrote:
>
> On Sat, 2016-09-17 at 14:24 +0200, Łukasz Bromirski wrote:
>>> On 16 Sep 2016, at 17:32, Nick Cutting wrote:
>>> Depends on supervisor - With sup 2t - you could reuse vlans on
>>> subinterfaces, here is 2 subinterfaces on different ports, and an
>>> SVI all on vlan 281
>>>
>>> !
>>> interface Vlan281
>>>  no ip address
>>>  shutdown
>>> end
>>> !
>>> interface TenGigabitEthernet2/5/9.281
>>>  encapsulation dot1Q 281
>>> end
>>> !
>>> interface TenGigabitEthernet2/5/8.281
>>>  encapsulation dot1Q 281
>>> end
>>
>> That's actually config that will work with all Supervisors, wrong
>> example :)
>
> Nick is right, the config he showed would not work on Sup720 or
> earlier. And it wouldn't matter if VTP was enabled or not. If the VLAN
> exists "switched" then the first "encapsulation dot1q" command will be
> rejected with "Command rejected: VLAN already in use by interface
> Vlan". Trying to create more than two subinterfaces using the same
> VLAN (on different interfaces of course) is rejected with "Command
> rejected: VLAN not available".

Correct. My problem is that I have a new peering partner and his VLANs
are already in use on my side.

On the "toy" platforms like 1812 or a FreeBSD or Linux host it's
straightforward to just create a subinterface with the appropriate
tags attached to the packets. So I thought I could do the same on my
Cat6500.

I just found out about VLAN mapping:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vlans.html#wp1044990

This *would* do the trick for me, if it wasn't for the fact that the
mapping is applied to all 12 ports in a port group. And since the VLAN
is in use there are of course ports where I don't want to map it ...

*argh*

Can't they implement a single advanced feature in an unsurprising manner?

Thanks for all your help
Patrick
Re: [c-nsp] Cat6500 VLAN cannot be assigned to a routed port sub-if?
Hi!

> On 16.09.2016 at 13:08, Curtis Piehler wrote:
>
> If the card is switching type card then yes it does care and draws from the
> internal VLAN database. The true routed cards (SPA) are not part of the
> internal VLAN database. I ran into this on 7600 routers with WS line cards.
> However the SPA cards in the chassis did not draw from the internal VLAN
> pool.

I get it, thanks. I expected the SP and the RP to be orthogonal to each
other ...

Possibly my partner on the other end can do something with VLAN
rewriting ... *sigh*

Patrick
[c-nsp] Cat6500 VLAN cannot be assigned to a routed port sub-if?
Hi, all,

I just stumbled into a minor POLA violation here:
(at least I'm astonished ;-)

Core1(config-subif)#int gi4/9.100
Core1(config-subif)#encapsulation dot1Q 100
Command rejected: VLAN 100 cannot be allocated. VLANs 1-1005 are VTP VLANs
VTP mode is client or server and must be changed to Transparent/Off to use VLANs 1-1005

Yes, of course. I do have VTP. And a VTP database. Including VLAN 100.
But this is for *switched* ports like so:

int gi4/...
 switchport
 switchport access VLAN 100

int VLAN100
 ip address ...

But *router* ports on the same platform should (IMHO) not care about
all of this. I mean, just create the sub-if and attach a tag to every
packet, will ya?

Is there any way to accomplish what I'm trying? Other than moving the
connection in question to a completely different chassis?

Any hints greatly appreciated. Thanks.
Patrick
Re: [c-nsp] VTP doubt
Hello,

> On 16.06.2016 at 18:52, james list wrote:
>
> Hi
> I've two 6500 (6500-A and 6500-B) in production as VTP server, access
> switch are 3750 or 4500 as VTP clients.
>
> Today if I add manually a vlan on one of the two VTP server (ie on 6500-A)
> it's propagated to the other server (6500-B) and clients.
>
> The question is: do I've to add manually on both VTP servers or just one is
> enough to keep redundancy ?

Only one. If both C6500 are in server mode they will synchronize and
save the VTP data. You can check the status like this:

Core1#sh vtp status
VTP Version                     : 3 (capable)
Configuration Revision          : 199
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 55
VTP Operating Mode              : Server
[...]

If the configuration revision on both servers is the same, they are in
sync. It doesn't matter on which you add the new VLAN.

> If VTP server (6500-A) is broken down for any reason, does 6500-B still
> know the vlan added before only on 6500-B and continue to propagate to
> clients ?

Yes, it will.

A popular way to shoot yourself in the foot is to bring a new system
into your VTP domain that has been used before and has got:

* VTP server mode enabled
* VTP data with a revision higher than your existing equipment

Plug in for instant fun :-)

Been there, ...

Patrick
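The check a practitioner wants before plugging a second-hand switch into the VTP domain, as an added example that is not part of the original post: parse `show vtp status` captures from the production servers and from the candidate device, verify the servers agree on the configuration revision, and flag any other device whose revision is higher. The captures, hostnames and domain name below are constructed sample data; the function names are this example's own.

```python
# Added example (not from the original post): a pre-insertion check for the
# VTP foot-gun described above. Captures, hostnames and the domain name are
# constructed sample data, not real devices.
import re
from typing import Dict, List

SAMPLE_CAPTURES: Dict[str, str] = {
    "Core1": """\
VTP Version                     : 3 (capable)
Configuration Revision          : 199
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 55
VTP Operating Mode              : Server
VTP Domain Name                 : example-dc
""",
    "Core2": """\
VTP Version                     : 3 (capable)
Configuration Revision          : 199
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 55
VTP Operating Mode              : Server
VTP Domain Name                 : example-dc
""",
    # A refurbished switch that still carries its previous owner's database:
    # server mode and a revision well above the production servers'.
    "refurb-2960": """\
VTP Version                     : 2
Configuration Revision          : 312
Maximum VLANs supported locally : 255
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : example-dc
""",
}

PRODUCTION_SERVERS = ["Core1", "Core2"]

# 'Key : value' lines; the key is taken non-greedily up to the colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines of `show vtp status` into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["key"]] = m["value"]
    return fields


def revision_of(fields: Dict[str, str]) -> int:
    return int(fields.get("Configuration Revision", "0"))


def vtp_findings(captures: Dict[str, str], servers: List[str]) -> List[str]:
    """Human-readable findings; an empty list means the candidate is safe to connect."""
    parsed = {host: parse_vtp_status(out) for host, out in captures.items()}
    findings: List[str] = []

    # The production servers should agree on the revision (the "in sync"
    # check from the post); the highest one is the reference.
    server_revs = {h: revision_of(parsed[h]) for h in servers}
    if len(set(server_revs.values())) > 1:
        findings.append(f"production VTP servers are not in sync: {server_revs}")
    prod_rev = max(server_revs.values())
    prod_domain = parsed[servers[0]].get("VTP Domain Name")

    for host, fields in parsed.items():
        if host in servers:
            continue
        domain = fields.get("VTP Domain Name")
        if domain != prod_domain:
            findings.append(f"{host}: VTP domain {domain!r} differs from production {prod_domain!r}")
            continue
        rev = revision_of(fields)
        # Conservative: any higher revision is flagged, whatever the mode.
        if rev > prod_rev:
            mode = fields.get("VTP Operating Mode", "?")
            findings.append(
                f"{host}: revision {rev} > production {prod_rev} ({mode} mode); "
                "reset the revision (e.g. transparent mode and back) before connecting"
            )
    return findings


if __name__ == "__main__":
    for finding in vtp_findings(SAMPLE_CAPTURES, PRODUCTION_SERVERS) or ["no findings"]:
        print(finding)
```

The post's foot-gun is the server-mode case; the check deliberately flags a higher revision in any mode, since the cheap fix (resetting the revision before the cable goes in) is the same either way.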
Re: [c-nsp] 6500/7600 TCAM Usage
Hi, Saku,

> On 03.06.2016 at 09:10, Saku Ytti wrote:
> Not all platforms use TCAMs. Lot of Juniper kit, like MX, QFX10k, PTX
> use various types of DRAM solution, this makes FIB usually not your
> bottleneck, search time to larger database becomes an issue too.
> Most SP scale routers, MX, ASR9k, ALU^H^H^HNokia SR, Huawei NE etc can
> hit several million in FIB.

Ah ... thanks.

>> With RIRs handing out ever smaller prefixes I expect
>> the IPv4 address space fragmentation to accelerate.
>
> RIRs are mostly handing static prefix sizes now, not ever smaller. But
> they are smaller than historically.

Sorry, but that's just semantics, IMHO. When we started to apply as a
new LIR, the then current allocation from RIPE was /19. When we finished
the process we got a /20. Today they are handing out /22. I'd call that
"ever smaller". Trading of IPv4 addresses will further increase the
number of /24s in the DFZ. Or smaller, even - people come up with gross
hacks all the time.

>> I did not yet take the time to browse individual datasheets
>> of gear that is supposedly "bigger" than a 65k.
>>
>> Some pointers would be most welcome.
>
> You're asking what platform you should buy? Usually people pay
> thousands of dollars to consultants to figure that out.

No. Just some pointers to one platform or another that tackles the above
problem. As I said I did spend time to search, unsuccessfully, though.
E.g. after Gerd's answer I looked up the ASR9k family from Cisco. I
cannot find that 4M routes figure anywhere in the datasheets.

> Without knowing your specs, I'd buy ALU SR, JNPR PTX or JNPR MX. :-)

Of course. No, no free consulting required here. I still have some time
to give some homework to various vendors. Besides, our supplier for
secondary market Cisco gear is quite knowledgeable, too. And not limited
to Cisco.

I'm really interested in how vendors address the problem of fixed TCAMs
in a general way, because any fixed size will be too small, eventually.

Patrick
Re: [c-nsp] 6500/7600 TCAM Usage
Hi,

> I'd stick to "only partial table" - while the XL TCAM is big enough for
> "more", the CPU is still slow, and full BGP on that box is stretching
> the limits quite a bit (we have a few still running with ~450k v4 routes,
> and peer restarts do cause too much CPU load for my taste).

OK. We were quite satisfied with 2 full feeds on each of 2 boxes. I will
reconsider.

> ASR9k goes to 4M prefix... plus incredibly fast BGP implementation.
>
> It has other warts, of course, like "it's a router, so it has few ports
> and those are expensive".

OK, that's some specific gear to start with (studying specs). Thanks.
Given our current bandwidth needs, we could go with a single 10G or 40G
interface and a router-on-a-stick architecture. ;-)

>> Or can one get around those rather arbitrary hard limits
>> completely? Is it possible to e.g. have a TCAM with timestamps
>> associated to entries, so one can employ a TCAM as
>> a route cache in LRU fashion and process-switch everything
>> new/unknown?
>
> It would certainly be possible. Would vendors be interested in spending
> money to let you run their old and now cheap coming from the second-hand
> market gear longer? Answer yourself :-)

That question was rather about new gear and architectures. Are there
vendors/products going that route? AFAIK TCAM is fundamentally expensive
and power-hungry. So I'd expect *someone* to at least explore that route.

Even with the VSS upgrade we expect another 2 years or so of productive
life for our 65k, not more. At the current state of white-box switching,
SDN, and what-have-you, we decided to buy us some more time to watch the
market, first.

Kind regards,
Patrick
Re: [c-nsp] 6500/7600 TCAM Usage
Good morning,

interesting read. Of course running on SUP-720 based gear we are fully
aware of the issue. When the DFZ was about to hit 500k IPv4 prefixes we
limited the AS path length and currently receive default routes from
our peers.

Now that we are planning to replace our supervisor engines (3BXL) with
VSS capable ones (10G-3CXL) I'm pondering to repartition TCAM for 768k
IPv4 and 128k IPv6 and to go back to full tables. Of course monitoring
the usage closely. ;-)

I'm not asking for a time estimate when we will hit that limit. DFZ is
at slightly over 600k v4 and about 30k v6, currently. And predictions
are difficult, especially about the future.

What puzzles me is: how do vendors go about that in the long run? I have
been using my search engine of least distrust to no avail.

Which platforms offer vastly bigger TCAMs, like at least twofold, better
an order of magnitude? With RIRs handing out ever smaller prefixes I
expect the IPv4 address space fragmentation to accelerate.

Or can one get around those rather arbitrary hard limits completely? Is
it possible to e.g. have a TCAM with timestamps associated to entries,
so one can employ a TCAM as a route cache in LRU fashion and
process-switch everything new/unknown?

As I said I was searching for some general information on the topic but
all I found were blog entries on the precise problem we face with the
6500 platform. What's next?

I did not yet take the time to browse individual datasheets of gear that
is supposedly "bigger" than a 65k.

Some pointers would be most welcome.

Thanks,
Patrick
Re: [c-nsp] what the heck is "ip forward-protocol nd" good for
Hi, all,

> On 07.04.2016 at 13:03, Mattias Gyllenvarg wrote:
>
> Yeah, This was discussed some time ago when they were planning on IOS 15
> and checked what we wanted here on the list.
>
> I asked for a global "modern standards/defaults" but no go.
> Or legacy-default-off.
> Nothing fancy, just like the above. No proxy-arp etc etc, stuff left behind
> the last millennia.

Be grateful we do not need to explicitly configure

ip classless
ip subnet-zero

;-)

Patrick
Re: [c-nsp] Output drops on 2960
Hi, all,

> On 10.02.2016 at 08:45, Antoine Monnier wrote:
>
> (sorry keyboard issues)
>
> I am wondering what is the driver for this
> running-for-latest-feature-while-code-is-unusable approach?
> surely customers are not asking for that, are they? should customer
> requirements not be the main drivers?

Not if the person making the buying decision is not the engineer who
gets to deploy the product in the end. Hence "time to market" and
"requirements" in Powerpoint.

Kind regards
Patrick
[c-nsp] Question for the Germans - Telekom VoIP subscriber lines, anyone?
Hi, all,

sorry for flooding the list, but I am definitely at the end of my wits.

As people here resident in Germany will probably know German Telekom is
discontinuing analog and ISDN phone lines in favor of VoIP. I have been
talking to their call-centre phone support for hours, callbacks were
promised that never happened ...

Please, does anybody know how these new VoIP lines work on the network
layer? And how I can configure my own, preferably Cisco, equipment to
drive them?

Thanks in advance,
Patrick

P.S. If you know the answer please contact me directly, I will write a
summary for the list archives.
Re: [c-nsp] Spanning Tree works great - except when it doesn't
Hi, Nick,

> On 15.10.2015 at 13:43, Nick Cutting wrote:
> I came across a curly one like this a few months back - turned out the STP
> handling of native VLan frames VS a non-created but configured native vlan on
> the downstream switch port.
> The downstream switchport was also configured for native vlan of 999 - BUT
> vlan999 was not created in the vlan database so defaulted to expecting STP
> frames untagged I think - it was something like that.

You nailed it! For some reason that I now need to investigate I do not
have VLAN 999 in my VLAN database. *argh*

Thanks, everyone.
Patrick
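The configuration check that would have caught this before the cables moved, as an added example that is not part of the original thread: parse the interface stanzas of a `show running-config` capture, collect every port in `switchport mode trunk` with its native VLAN (VLAN 1 when none is configured), and report the trunks whose native VLAN is absent from `show vlan brief`. Both captures below are constructed sample data modelled on the trunk configuration quoted in this thread; the function names are this example's own.

```python
# Added example (not from the original thread): find trunk ports whose
# configured native VLAN does not exist in the switch's VLAN database.
# The running-config and `show vlan brief` captures are constructed samples.
import re
from typing import Dict, Set

SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 description Trunk zu Core 1
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Trunk zu Core 2
 switchport trunk native vlan 999
 switchport mode trunk
!
interface FastEthernet0/1
 switchport access vlan 100
 spanning-tree portfast
!
"""

# Note: no VLAN 999 here, which is exactly the situation found above.
SAMPLE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3
100  servers                          active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""


def parse_vlan_ids(vlan_brief: str) -> Set[int]:
    """VLAN IDs in the database: every line of `show vlan brief` that starts with a number."""
    ids: Set[int] = set()
    for line in vlan_brief.splitlines():
        m = re.match(r"^(\d+)\s", line)
        if m:
            ids.add(int(m.group(1)))
    return ids


def parse_trunks(config: str) -> Dict[str, int]:
    """Map each interface in 'switchport mode trunk' to its native VLAN.
    Without an explicit 'switchport trunk native vlan', IOS uses VLAN 1."""
    trunks: Dict[str, int] = {}
    # IOS separates interface stanzas with a line containing only '!'.
    for stanza in config.split("\n!"):
        lines = [l.strip() for l in stanza.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        if "switchport mode trunk" not in lines:
            continue
        native = 1
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
        trunks[lines[0][len("interface "):]] = native
    return trunks


def trunks_with_missing_native_vlan(config: str, vlan_brief: str) -> Dict[str, int]:
    """Trunk ports whose native VLAN is absent from the VLAN database."""
    present = parse_vlan_ids(vlan_brief)
    return {ifname: nv for ifname, nv in parse_trunks(config).items() if nv not in present}


if __name__ == "__main__":
    for ifname, nv in trunks_with_missing_native_vlan(SAMPLE_RUNNING_CONFIG, SAMPLE_VLAN_BRIEF).items():
        print(f"{ifname}: native VLAN {nv} is not in the VLAN database")
```

Run it against captures from both ends of each trunk; the native VLAN has to exist, and match, on the access switch and on the core.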
Re: [c-nsp] Spanning Tree works great - except when it doesn't
Hello,

first, thanks for all the questions. Precisely the kind of help I hoped
for. While I'm really fluent with BGP and OSPF, I do not even know all
the features you mention. STP has always "just worked" for us.

OK, now for some more details ...

> On 15.10.2015 at 12:11, daniel@reaper.nu wrote:
>
> What protocol are you running? RPVST+ or MST?

PVST

spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id

> What were the port roles when the loop formed?

Sorry - what's a port role?

> Did you have the default bridge priority on the new switch?

Yes, and I can prove it ;-)

VLAN0001
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
VLAN0002
  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
...
VLAN1001
  Bridge ID  Priority    33769  (priority 32768 sys-id-ext 1001)

For all VLANs.

> Is it possible that you had a unidirectional link?

Possible, yes. I will check for that. Simply try to use the other trunk
port only. - outside of business hours.

> Copper or fibre for the trunk ports?

Copper.

> Any other STP features enabled?

None that I know.

> Root Guard? Loop Guard? BPDU filter?

All at the IOS defaults. Whatever they may be. ;-)

OK, what I know: no portfast or uplinkfast on the trunks, portfast only
on the FE ports connected to servers.

interface GigabitEthernet0/1
 description Trunk zu Core 1
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Trunk zu Core 2
 switchport trunk native vlan 999
 switchport mode trunk

VLAN 999 is a dummy that has no active port or device anywhere, so one
cannot accidentally inject traffic into VLAN 1 by connecting a server
to a trunk port.

> Did you verify the trunks were fully operational?

Sort of. Trunks were up, VTP up and running, native VLAN identical on
both ports on access switch and core - otherwise the trunk would not
come up. Are there additional checks I can perform?

> It won't be easy giving more advice until we can see the output from the
> actual devices.

Of course. I simply did not want to just dump the entire config into my
first mail with all the probably irrelevant parts. I really appreciate
your guidance, here.

So, what "show xy" shall I use during the ~30 seconds I have when I'm at
the data centre with both trunks plugged in - and come back with the
output?

> For your second question, there are lots of different options such as
> stacking, VSS, VPC which can be used for less painful STP implementations.
> Nothing is perfect though and you need to understand why you choose a certain
> architecture. Then you also have FabricPath or TRILL to build L2 network not
> relying on STP.

LACP could work if the "core" switches are VSS ... which currently they
are not.

Possibly I read too much Greg Ferro, but I'm actually looking into
TRILL and other Layer 2 multipathing protocols. The "problem" is that
all products I can find are ten times as expensive as run-of-the-mill
Cisco gear. 10k for a 48-port-1G access switch? *phew* ...

If you wonder where I get these figures:
http://pcmicrostore.com/arista-networks-7010t-48x-rj45-100-1000/cat-p/c/p7641704.html

Kind regards,
Patrick
[c-nsp] Spanning Tree works great - except when it doesn't
Hi, all,

we still rely on STP in our data centre. Top-of-rack switches are
connected to two core switches with Gigabit configured as trunks. The
two core switches have

spanning-tree vlan 1-1005 priority 24576

and

spanning-tree vlan 1-1005 priority 28672

respectively, to make sure the first one is the root with the second as
a backup.

Recently I replaced a top-of-rack switch. Switched a WS-C2950T-24 for a
WS-C2960-48TT-L. We have quite a few of those in operation, already
buying them refurbished in the last couple of months.

To my big surprise the new switch that I preconfigured and booted for
minimal downtime, then just moved the cables, put both uplink/trunk
ports into the forwarding state and quickly flooded the console with:

00:26:02: %SW_MATM-4-MACFLAP_NOTIF: Host 001e.f7f6.8f80 in vlan 1 is flapping between port Gi0/2 and port Gi0/1
00:26:03: %SW_MATM-4-MACFLAP_NOTIF: Host .0c9f.f001 in vlan 1 is flapping between port Gi0/1 and port Gi0/2
...

What the ...?

For the moment I could only solve the problem by unplugging one of the
trunks. I'm not quite sure if I really built a loop that would have
brought my entire network down, but definitely all servers on that
particular switch were unreachable - the switch was flooded and
completely overloaded.

The software on the new switch is

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE5, RELEASE SOFTWARE (fc1)

How can I debug this? I have remote access to the misbehaving switch and
the old one it replaced is on my desk. Of course I can provide
configuration details, if needed. Activating the second uplink port is
only possible for short periods of time, so I'd like to prepare as well
as possible ;-)

Thanks for any hints.

Second with all the fun we have with STP and VTP: we are actively
looking into products that can replace our layer 2/STP architecture.
As far as I know there are products that can scale in a mesh and use
all active links for traffic.

But when I lookup, say, Brocade's line of switches, we are faced with
price tags ... well. The 48-Port FE switches cost about a thousand when
they were current hardware and we bought new. One switch supports 16
servers in our rack. Now we get them for 350 refurbished.

Of course I would happily pay a thousand or two/three for a more modern
architecture plus GE/10G-uplink instead of FE/GE-uplink. But all
products I find seem to be in the 10k and more range. Which
unfortunately is completely out of reach for an access switch for us.

Any suggestions on what I should look for?

Kind regards
Patrick
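Detection logic over syslog lines of the kind quoted above, as an added example that is not part of the original post: it parses `%SW_MATM-4-MACFLAP_NOTIF` messages, groups them by VLAN and (unordered) port pair, and counts distinct MAC addresses per pair. Many unrelated hosts appearing to flap between the same two ports is what a forwarding loop between two uplinks looks like; a single MAC flapping is more likely a host that moved or a dual-homed NIC. The log lines and MAC addresses below are constructed sample data, not the poster's real log, and the threshold and function names are this example's own.

```python
# Added example (not from the original post): classify MACFLAP syslog
# messages per VLAN and port pair. Log lines and MACs are constructed samples.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9A-Fa-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

SAMPLE_LOG = """\
00:26:02: %SW_MATM-4-MACFLAP_NOTIF: Host 001e.f7f6.8f80 in vlan 1 is flapping between port Gi0/2 and port Gi0/1
00:26:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi0/1 and port Gi0/2
00:26:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56a1.2b3c in vlan 1 is flapping between port Gi0/1 and port Gi0/2
00:26:04: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56a1.2b3d in vlan 1 is flapping between port Gi0/2 and port Gi0/1
00:26:05: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
00:31:10: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56b2.0001 in vlan 100 is flapping between port Fa0/3 and port Fa0/7
"""

PortPair = Tuple[int, str, str]  # (vlan, lower-sorted port, higher-sorted port)


def parse_macflaps(log: str) -> List[Tuple[PortPair, str]]:
    """Extract ((vlan, portA, portB), mac) from every MACFLAP line. The port
    pair is sorted so Gi0/1<->Gi0/2 and Gi0/2<->Gi0/1 count as the same pair."""
    events: List[Tuple[PortPair, str]] = []
    for line in log.splitlines():
        m = MACFLAP_RE.search(line)
        if not m:
            continue
        a, b = sorted((m["p1"], m["p2"]))
        events.append(((int(m["vlan"]), a, b), m["mac"]))
    return events


def classify_flaps(log: str, loop_threshold: int = 3) -> Dict[PortPair, Dict[str, object]]:
    """Per (vlan, port pair): number of distinct flapping MACs and a verdict.
    At or above loop_threshold distinct hosts the pair is reported as a
    suspected loop; below it, as a host move or dual-homed NIC."""
    macs: Dict[PortPair, set] = defaultdict(set)
    for pair, mac in parse_macflaps(log):
        macs[pair].add(mac)
    report: Dict[PortPair, Dict[str, object]] = {}
    for pair, macset in macs.items():
        report[pair] = {
            "hosts": len(macset),
            "verdict": "loop suspected" if len(macset) >= loop_threshold else "below loop threshold",
        }
    return report


if __name__ == "__main__":
    for (vlan, a, b), info in classify_flaps(SAMPLE_LOG).items():
        print(f"vlan {vlan} {a}<->{b}: {info['hosts']} hosts, {info['verdict']}")
```

Pointed at a syslog collector this gives a per-switch answer to "did I build a loop" without having to stand in front of the console during the thirty seconds both trunks are plugged in.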
Re: [c-nsp] Weird config changes on C2621XM with AIM-VPN/BPII
Hi, all,

I completely forgot to say thanks to all who replied. Now guess what -
the problem just vanished.

Kind regards
Patrick
[c-nsp] Weird config changes on C2621XM with AIM-VPN/BPII
Hi, all

we monitor all our Cisco gear with Rancid and archive configs in CVS.
(http://www.shrubbery.net/rancid/)

One chassis shows a change of config once a day, every day. Five minutes
later at the next rancid run the change is reverted.

1st rancid message:

---
!Interface: FastEthernet0/0, AMD Am79c977
!Interface: FastEthernet0/1, AMD Am79c977
!
!Slot 0: fru
- !Slot 0: fru AIM-VPN/BPII
- !Slot 0: type C2621XM 2FE Mainboard, 2 ports
+ !Slot 0: type C2621XM 2FE Mainboard, 3 ports
!Slot 0: hvers 4.1 rev B0
- !Slot 0: hvers 1.0 rev B0
!Slot 0: part 73-7754-06, serial FOC09301B14
- !Slot 0: part 800-18029-01, serial FOC08260A1H
+ !
+ !Slot 0/1: fru AIM-VPN/BPII
+ !Slot 0/1: type Unknown WAN
+ !Slot 0/1: hvers 1.0 rev B0
+ !Slot 0/1: part 800-18029-01, serial FOC08260A1H
!
!NAME: "2621XM chassis",DESCR: "2621XM chassis"
!PID: !VID: 4.1
---

2nd rancid message:

---
!Interface: FastEthernet0/0, AMD Am79c977
!Interface: FastEthernet0/1, AMD Am79c977
!
!Slot 0: fru
- !Slot 0: type C2621XM 2FE Mainboard, 3 ports
+ !Slot 0: fru AIM-VPN/BPII
+ !Slot 0: type C2621XM 2FE Mainboard, 2 ports
!Slot 0: hvers 4.1 rev B0
+ !Slot 0: hvers 1.0 rev B0
!Slot 0: part 73-7754-06, serial FOC09301B14
- !
- !Slot 0/1: fru AIM-VPN/BPII
- !Slot 0/1: type Unknown WAN
- !Slot 0/1: hvers 1.0 rev B0
- !Slot 0/1: part 800-18029-01, serial FOC08260A1H
+ !Slot 0: part 800-18029-01, serial FOC08260A1H
!
!NAME: "2621XM chassis",DESCR: "2621XM chassis"
!PID: !VID: 4.1
---

Any idea why the VPN AIM seems to go out to have a beer precisely once a
day? It's not in use, currently. But this is annoying to say the least
and litters our CVS repository.

Thanks
Patrick
Re: [c-nsp] 6504-E IOS SSH/memory issues
Hi,

On 24.03.2014 at 14:28, Jared Mauch wrote:
> Track if things are holding the wrong amount of memory, eg:
> Router#show proc mem sorted
>
> In my case on a 6500 the BGP Router is the largest.

In our case, too. And the router in question is the box with 4 external
BGP peers (2x v4, 2x v6) compared to the other one with only one uplink
and therefore 2 peers. The BGP process is consuming nearly all of the
available memory.

Seems like the days of having soft reconfiguration inbound by default
are over. At least on Cisco boxes with a mere 1 GB of memory. Never had
a problem with that since we started talking BGP in 2001 ;-)

Thanks for the suggestions, I'll schedule a maintenance window ...

Patrick
[c-nsp] 6504-E IOS SSH/memory issues
Hi, all,

on Saturday our Rancid started to complain that it could not log on to one of our core/uplink routers anymore. Yet the system is generally alive and happily pushing packets - Nagios did not ring me about any link or service failing, so this came as a bit of a surprise.

Turns out, SSH logins are not possible anymore. Telnet and rsh work just fine. For each failed SSH login there is a line like this in the log:

Mar 20 12:30:09.415: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory

Ah ... OK ... if it's failing in AAA, why does telnet still work? And the free memory doesn't look too bad, either:

                Head    Total(b)    Used(b)    Free(b)  Lowest(b)  Largest(b)
Processor   477267E0   881661984  860385044   21276940   18235288   20933772
      I/O        800    67108864   21605604   45503260   45451176   45501532

Processor memory

Alloc PC     Size    Blocks  Bytes   What
0x4014A218   24      01      24      XDR: mfib pltf group
0x4014A218   28      01      28      XDR: mfib pltf group
0x4014A218   32      01      32      XDR: mfib pltf group
0x401567F4   003808  01      003808  Init
0x4016D4BC   24      01      24      Init
...

In the thousands of lines that follow, there are precisely 256 memory blocks allocated to the "SSH process". Is this a single process holding all that memory or are there 256 SSH processes that are somewhat stuck/zombie because they are not terminated when the connection is closed?

I admit that I rarely log off, but rather just close the window running my SSH connection. Bad admin. ;-) But any sane OS should time out the TCP connection eventually and then terminate the process waiting on that socket.

IOS version is 15.1(2)SY1 advanced enterprise.

How can I proceed finding and eliminating the root cause? Rebooting the box to clean up is an option if planned ahead, but not a suitable permanent fix (i.e. rebooting regularly is out of the question).

Thanks for any hints,
Patrick
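A small detection routine for the log message quoted above, added here as an example; it is not part of the original post and not a Cisco or Rancid tool. It parses IOS-style syslog lines into facility, severity and mnemonic, keeps the messages that signal processor-memory exhaustion (the %AAA-3-ACCT_LOW_MEM_UID_FAIL line from the post plus IOS's generic %SYS-2-MALLOCFAIL) and counts them, which is what a log collector would alert on so that the condition surfaces before a login failure does. Apart from the one line quoted in the post, the sample lines are constructed; the function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# IOS syslog line shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


@dataclass(frozen=True)
class IosMessage:
    timestamp: str
    facility: str
    severity: int  # 0 = emergencies ... 7 = debugging
    mnemonic: str
    text: str


def parse_ios_syslog(log: str) -> List[IosMessage]:
    """Parse IOS-formatted log lines; lines in any other shape are skipped."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        out.append(IosMessage(m["ts"], m["facility"], int(m["severity"]),
                              m["mnemonic"], m["text"]))
    return out


# Mnemonics that signal processor-memory exhaustion: the AAA message from the
# post and IOS's generic allocation-failure message.
MEMORY_MNEMONICS = {"ACCT_LOW_MEM_UID_FAIL", "MALLOCFAIL"}


def memory_pressure_events(messages: List[IosMessage]) -> List[IosMessage]:
    """Keep the messages that indicate the box is out of processor memory."""
    return [m for m in messages
            if m.mnemonic in MEMORY_MNEMONICS
            or "insufficient processor memory" in m.text]


def summarize(messages: List[IosMessage]) -> Counter:
    """Count memory-pressure messages by their %FACILITY-SEV-MNEMONIC tag."""
    return Counter(f"%{m.facility}-{m.severity}-{m.mnemonic}"
                   for m in memory_pressure_events(messages))


# Constructed sample log: only the ACCT_LOW_MEM_UID_FAIL text is from the post,
# the other lines are made up in the same format (192.0.2.0/24 is documentation space).
SAMPLE_LOG = """\
Mar 20 12:29:58.101: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
Mar 20 12:30:09.415: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
Mar 20 12:31:12.003: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x4014A218, alignment 0
rancid: login to core1 failed (not an IOS syslog line, skipped by the parser)
Mar 20 12:32:01.500: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
"""

if __name__ == "__main__":
    for tag, n in summarize(parse_ios_syslog(SAMPLE_LOG)).items():
        print(f"{n:3d}  {tag}")
```

Run against a real syslog feed, the count per tag is the thing to threshold on: a single %SYS-2-MALLOCFAIL is already worth a ticket, and repeated ACCT_LOW_MEM_UID_FAIL lines mean management access is degrading while forwarding still looks healthy to link monitoring, exactly the situation described above.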
Re: [c-nsp] 7200VXR to ASR upgrade
Hi, all,

On 19.02.2014 at 17:09, Mark Tinka wrote:
> If I'm looking for Nx 1Gbps ports for a reasonable cost (and
> that can be supported by a meaty 10Gbps uplink)

Secondary market Catalyst 6504-E with at least SUP720-3BXL?

> in a small-sized form factor

OK ... :-)

Kind regards,
Patrick
Re: [c-nsp] 7200VXR to ASR upgrade
'Morning,

On 19.02.2014 at 18:04, Gert Doering wrote:
> On Wed, Feb 19, 2014 at 04:32:52PM +, Aled Morris wrote:
>> They would but I believe "basic" BGP and OSPF are in IP BASE so it isn't
>> needed in this case, unless you need some specific features like BFD or
>> OSPFv3 for IPv6.
>
> *sigh*. There goes the promise "if an image has feature X for IPv4, and
> X exists for IPv6, it will be in the same feature set".
>
> I *hate* it if they do that, make "feature X for IPv6" require a more
> expensive license than for IPv4.

Seconded. They specifically teach everyone at the RIPE classes, and I figure the same holds for the other RIRs: Don't make IPv6 a separate product - you are selling "the Internet" and IPv6 is an integral part of that just like v4.

Seems like some product managers don't attend the right classes ;-) :-/

Kind regards,
Patrick
Re: [c-nsp] Search small replacement for Cisco 12k with ATM/OC3 interface
Hi, all,

On 20.01.2014 at 12:06, Rolf Hanßen wrote:
> I found on Ebay:
> CISCO7204VXR + NPE400 + PWR7200-AC + C7200-I/O-2FE - 160 Euro
> PA-A3-OC3SMI ATM Port Adapter (73-2427-04 / PA-A3-OC3SMI) - 40 Euro

If you don't mind buying equipment that is out of support as far as Cisco is concerned, you can go even smaller/cheaper:

2691 integrated services router
NM-1A-OC3SMI

I run 2 of them for exactly the same purpose: terminating legacy DSL lines. Latest IOS: 12.4(25d)

Kind regards
Patrick
Re: [c-nsp] 2960S vlan ACL eating some L2 transit packets!?
Hi, Gert,

On 13.01.2014 at 17:36, Gert Doering wrote:
> Question 1: is that documented anywhere? ACLs on "interface vlan X" on
> a layer2-only switch used to only apply to management traffic,
> never ever to transit traffic

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/2960scg.pdf

Looks to me like you are correct. pp. 31-18 ff.

Bug?

Best regards
Patrick M. Hausen
Head of Networks and Security
Re: [c-nsp] vs isis routing levels
Hi, all,

On 20.12.2013 at 14:58, Arne Larsen / Region Nordjylland wrote:
> We are planning to resign our enterprise environment.
> It's based on Cisco boxes running isis level1-2 routes
> Would you keep this or would you make all level-2 routes.

If your network is small enough to call for a single area, go all level-2. For the reason look here:

http://blog.ipspace.net/2011/11/multi-level-is-is-in-single-area-think.html

HTH
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi, all,

On 11.12.2013 at 20:16, Gert Doering wrote:
> Of course, if your network spans multiple 100s of routers, and 10.000s
> of customer connections, there is no alternative - but for a network with
> single-digit routers, and below 100 LSAs, "operational simplicity" wins,
> and I am fully convinced that "adding RRs" is not on the "simplicity"
> side of things.

Gee - thanks. That was my gut feeling with the "VM" recommendations all along. And that's the reason why IS-IS wins *now* to get the migration to new hardware, a new IGP and IPv6 done in a controlled and timely manner. I will look into the RR stuff, nonetheless, as soon as I have the two 3825 to toy with.

And - I'm confident I really nailed the redistribution mechanisms of OSPF vs. IS-IS now. It *is* all in Philip's presentations or Cisco's documentation and books all right, but you have to read the fine print very closely and draw some conclusions that are not explicitly written.

E.g. the fact that OSPF does not carry all connected prefixes is just an operational peculiarity caused by the

router ospf 1
 network only.my.local.interface 0.0.0.0 area 0

instead of

router ospf 1
 network my.entire.as.range 0.0.15.255 area 0

In the latter case all connected interfaces *will* be injected as LSAs. And the latter is the textbook setup.

Of course there is reason for the former setup and this is precisely the same reasoning Nick and Mark advocated. Carry only your backbone links *in* your IGP and redistribute everything else as external. Turns out I was doing this all along and I, too, don't see much of a difference in using an IGP vs. iBGP to achieve this.

My initial problem can be summarized as trying to force the OSPF mechanism on IS-IS while not being familiar with the latter *plus* not having rationalized *why* I was doing things that way, anymore. Now that I refreshed my memory and have come to a better understanding of IS-IS I'm looking forward to completing my setup.

And I intend to write a short summary of connected route redistribution in OSPF vs. IS-IS for the benefit of all.

Best regards
Patrick

P.S. It's fun around here - can't remember the last time I met a mailing list or newsgroup with discussions this open and constructive and such knowledgeable and helpful people.
Re: [c-nsp] cheap core switch for a "hacker space" (nonprofit association)
Hi, all,

On 10.12.2013 at 21:19, Markus H wrote:
> I have found a Cisco Catalyst 4948-S to be less expensive on ebay than two
> 3750G-24 (and both options are far cheaper than any Juniper EX on ebay).

If you can get one cheap, go for it. My used gear supplier swears by them and I just bought three to finally start the first rack with 10G as a backbone interconnection and 1G to each server. Our current setup is 1G to the backbone and 100M to each server. (backbone links redundant, of course)

One drawback - this thing is huge ;-) You will need 60cm or something deep of rackspace. Not a problem in a commercial environment with racks but could be a limiting factor in a private setup. More than twice as big as a 29xx or 37xx ...

Kind regards
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi,

On 10.12.2013 at 20:13, Nick Hilliard wrote:
> On 10/12/2013 18:28, Patrick M. Hausen wrote:
>> Can an IOS router serve as a route reflector? Once I have the C6500 in
>> production I have two spare 3825 that feature 1 GB of RAM each and
>> should thus have sufficient resources, specifically when they are not
>> busy routing traffic, anymore.
>
> they would probably be very good for the job on a small network, yes.

So my final plan is simple:

- use IS-IS and eBGP now just as it is today (one single iBGP link between the two big boxes)
- get new systems and v6 up and running
- when all old systems and OSPF are retired, add route-reflector and iBGP (with a conveniently larger administrative distance than IS-IS by default)
- narrow IS-IS to just the backbone links one external link at a time while watching the routes

Doesn't look like too much additional work to me given the size of my network.

Thanks a lot - where are you located? I'd buy you and Mark a beer or two should we ever meet ;-)

Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
On 10.12.2013 at 18:45, Patrick M. Hausen wrote:
> I see. I'm starting with 4 routers and I simply do not have the hardware
> at hand *now* to implement something that critical to my network.
> Of course a VM will do, but I do not have free virtual resources with
> sufficient redundancy, either.
> ...
> I will definitely set up a route reflector before putting another $BIGBOX
> with full
> tables into service. Or add another location. Or anything that actually
> extends our
> small single rack backbone. That much I see now ...

Can an IOS router serve as a route reflector? Once I have the C6500 in production I have two spare 3825 that feature 1 GB of RAM each and should thus have sufficient resources, specifically when they are not busy routing traffic, anymore.

Thanks
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi, all,

On 10.12.2013 at 13:43, Justin M. Streiner wrote:
> On 10/Dec/2013 at 09:22:01 AM, Patrick M. Hausen wrote:
>> I do have the knowledge and capacity to implement iBGP as my IGP
>> *now*, except for the route reflectors suggested. Would you recommend
>> that approach? I.e. going without the route reflectors and the communities
>> first? It's only 4-5 machines in total, after all, all Cisco. And no
>> customers with BGP currently.
>
> Starting out with route reflectors is a good idea. It makes the network
> easier to scale as needed.
>
> Doing a full IBGP mesh gets messy very quickly. Even if you use peer-groups
> to simplify things, you're still dealing with a lot of IBGP sessions ((n * (n
> - 1)) / 2 sessions). With 5 routers, that would mean 10 sessions. With 10
> routers, that would mean 45 sessions. Additionally, managing all of those
> sessions can chew up a lot of resources on your routers. Anything you can
> simplify will serve you well over time.

I see. I'm starting with 4 routers and I simply do not have the hardware at hand *now* to implement something that critical to my network. Of course a VM will do, but I do not have free virtual resources with sufficient redundancy, either.

Of the 4 routers only 2 connect to different ASes via BGP, the other two 2961s are only there to provide a cheaper platform for ATM and G.703 links. (I reuse my old 3600 series OC3-Modules and some VWICs with these) The job of the IGP is to announce the customer's subnets of those lines to the two big boxes and give the small ones a hand via default-information originate. It really is that simple. For now - you do have a point here ;-) But I don't see our subscriber line business expanding.

And the plan is to have IS-IS, external BGP and v6 up and running before Christmas. So it's either full mesh or IS-IS - I will come to a decision tomorrow after toying with the not-yet-productive systems some more.

Sorry if I seem resistant to sound advice, but I have to stick to my priorities and put learning even more great things beside IS-IS up for a little later.

I will definitely set up a route reflector before putting another $BIGBOX with full tables into service. Or add another location. Or anything that actually extends our small single rack backbone. That much I see now ...

Thanks again for all help.
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi, all,

On 10.12.2013 at 14:10, Mark Tinka wrote:
> On Tuesday, December 10, 2013 11:31:55 AM Patrick M. Hausen
> wrote:
>> And OTOH again - why would I not want to carry < 100 LSAs
>> in my IGP?
>
> Because you should always assume you will grow. Having to
> re-design the network in the future (or worse, leaving that
> to someone else) should be avoided whenever possible.

I do have the knowledge and capacity to implement iBGP as my IGP *now*, except for the route reflectors suggested. Would you recommend that approach? I.e. going without the route reflectors and the communities first? It's only 4-5 machines in total, after all, all Cisco. And no customers with BGP currently.

Thanks
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi, Nick,

On 10.12.2013 at 10:43, Nick Hilliard wrote:
> On 10/12/2013 09:31, Patrick M. Hausen wrote:
>> How can I connect them to the iBGP without them carrying full tables?
>> Route-maps for the neighbor definitions? Is that really all it takes?
>>
>> And OTOH again - why would I not want to carry < 100 LSAs in my IGP?
>
> if it's 100 LSAs, there's not going to be much practical difference between
> the two.
>
> If you want to do it with BGP, I'd recommend setting up a couple of VMs to
> act as route reflectors (with e.g. bird or quagga or something) and
> creating a very simple BGP community policy: tag your transit prefixes,
> your peering prefixes and your internal prefixes using different community
> values. Then you can use the route reflectors to control how the prefixes
> are distributed around your network. It's a small amount of work, but it's
> an approach that scales well in practice.

OK ... later :-) I'll stick to an IGP right now. Our network really is that small. And the choice of OSPF was just a historical accident.

In 1996 we started with PA address space from our single upstream, two LANs, a handful of dialin customers and one leased line customer. Everything was configured manually with static routes and the dialin links used a part of the LAN and proxy arp. Livingston Portmaster, anyone? ;-)

In 1997 I successfully rolled out OSPF exactly the way I described. Had to connect Cisco and Livingston, so it was essentially the only choice.

In 2000/2001 we became LIR, AS16188 and I introduced BGP into the mix. We had a maximum of about 2-300 LSAs in OSPF. I never thought of redesigning the IGP. It just worked.

Today internet access as a product is mostly gone, it's hosting instead, and so the number of prefixes continues to decrease.

Kind regards,
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi!

On 10.12.2013 at 10:14, Mark Tinka wrote:
> "passive-interface" in IS-IS basically means:
>
> - If an interface is defined as passive.
> - Advertise whatever IP address is on it.
> - But don't run IS-IS on it.

Yep. That sums it up quite nicely, which is why I'm citing it just this once more.

In OSPF it is the same *if* the connected prefix is part of the "network" statement in your OSPF process. Which is the "traditional" way of setting up an OSPF domain if you follow Moy et al.

Most ISPs I know who run OSPF configure it the way I described with very narrow "network" statements and explicit redistribution. Essentially my subscriber lines are from the IGP's point of view not part of my AS and every router running subscriber lines is an ASBR. The prefixes are consecutively injected as AS external LSAs.

BTW: this is the only way (as far as I know) how you *can* filter what goes in your link state database and what doesn't. Despite the "traditional" literature claiming that you cannot do that with OSPF at all. Which is of course correct but for AS external LSAs ;-)

Thanks
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi,

looks like I opened quite a can of worms, here ... :-) Thanks to everybody for the valuable input.

On 10.12.2013 at 10:19, Nick Hilliard wrote:
> On 10/12/2013 08:42, Patrick M. Hausen wrote:
>> I've been doing OSPF for quite some years and IMHO this is a perfectly valid
>> and
>> sane way to run an ISP with subscriber lines. And I know more than one
>> competitor
>> (friendly competition ;-) doing exactly the same.
>
> Why don't you use ibgp for this instead of filling your igp up with stuff
> it doesn't need? Keep your IGP small - all the bloat belongs in bgp.

I must admit, the thought never occurred to me up until now. That's what I thought IGPs were for. Use BGP to talk to your upstream, use a suitable link state IGP for your own network.

Any hints/documents/links for starters? For example one question that immediately springs up: I have two redundant systems capable of running full tables. Both have links to upstreams plus an iBGP connection. I have additional routers with less memory and CPU that run subscriber lines and (currently) OSPF, later IS-IS as far as my planning goes.

How can I connect them to the iBGP without them carrying full tables? Route-maps for the neighbor definitions? Is that really all it takes?

And OTOH again - why would I not want to carry < 100 LSAs in my IGP?

Kind regards
Patrick
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Morning,

On 09.12.2013 at 16:26, Mark Tinka wrote:
> On Monday, December 09, 2013 03:05:17 PM Patrick M. Hausen
> wrote:
>
>> Just to make sure i would not accidentally inject
>> anything not belonging to my AS into my IGP.
>
> Why would you, if you're running IS-IS only on your internal
> links?

I do. You asked quite a few questions so instead of answering every single one I will try to summarize where I come from (OSPF) and what I intended to do with IS-IS.

OK, picture two or more routers connected by some link (Ethernet) and each of them with some number of external links to customers (DSL/ATM in my case):

> int fa0
>  description internal link to neighbor router
>  ip address 192.168.0.1 255.255.255.252
>
> router ospf 1
>  passive-interface default
>  no passive-interface fa0
>  network 192.168.0.1 0.0.0.0 area 0

This enables OSPF on the link to my other router *only*. OSPF does not by default redistribute connected or static routes. The 0.0.0.0 looks insane but keep in mind that it's an inverted (wildcard) mask so essentially it says /32.

Now we add a link to a customer:

> int ATM2/0.100 point-to-point
>  description customer's DSL
>  ip unnumbered fa0
>  pvc 1/100

In reality I use a loopback interface for the unnumbered interfaces, of course. Now we only need to route the customer's /29.

> ip route 192.168.1.64 255.255.255.248 ATM2/0.100

Because of the very narrow configuration of the OSPF process I never need to worry about accidentally running my IGP on a customer's link.

All I need to distribute that prefix across my network is:

> router ospf 1
>  redistribute static subnets

Now a different layer 2 carrier and slightly different configuration for essentially the same effect but with bridged instead of routed PVCs:

> int ATM1/0.100 point-to-point
>  description different DSL
>  ip address 192.168.1.73 255.255.255.248
>  atm route-bridged ip
>  pvc 1/100
>   encapsulation aal5snap

To distribute this I need

> router ospf 1
>  redistribute connected subnets

because OSPF does not by default redistribute connected passive interfaces.

But possibly this router runs an external BGP link with an address belonging to a different AS on *some* interface. Or an RFC 1918 address somewhere for out of band management [1]. So in reality it is:

> router ospf 1
>  redistribute connected subnets route-map redistribute-ospf

With the route map restricting routes to my own /20 as I tried to do with IS-IS.

I've been doing OSPF for quite some years and IMHO this is a perfectly valid and sane way to run an ISP with subscriber lines. And I know more than one competitor (friendly competition ;-) doing exactly the same.

Now ... as far as I found out yesterday ... IS-IS *does* by default redistribute connected subnets even if they are on passive interfaces. Unless you use

> no isis advertise-prefix

on the interface level. For static subnets it's the same as with OSPF. I can perfectly live with that, now that I know. I'm just wondering what the "redistribute connected" command is for in the context of IS-IS, anyway ;-)

Kind regards
Patrick

[1] getting rid of them currently in favor of official addresses and tight access-lists
Re: [c-nsp] C6500 IPv6 redistribute with route-map?
Hi, Lukas,

On 09.12.2013 at 14:43, Lukas Tribus wrote:
> Well, why don't you try to remove the redistribution completely:
>
> no redistribute connected route-map redistribute

But I do want to redistribute all connected subnets into IS-IS. I just want to prevent addresses that do not belong to me from entering the IGP. Think of typing error, local transfer networks on BGP links that belong to my partner instead of me, and the like. Proved useful for v4 and I'm trying to keep it for

> Perhaps, the network is redistributed by another mechanism and you are
> looking at
> the problem from the wrong angle. For that matter: passive-interface in ISIS
> has
> a different behavior than in OSPF.

You nailed it - even if I remove redistribution altogether, the route shows up on the peers. Thanks. That gives me a direction for further investigation and some reading.

>> 12.2(33)SXI12 and 12.2(33)SXJ6 both show this behaviour. Am I missing
>> something
>> more general, here? Or can it be remotely possible that this is not yet
>> implemented [tm]?
>
> I would suggest you give 15.1(2)SY a try.

Didn't IOS 15 introduce a completely new and rather burdensome licensing mechanism?

http://etherealmind.com/ios-15-licensing-how-we-work/

If that article gets it correctly, I'd rather avoid 15 as long as possible.

Kind regards
Patrick
[c-nsp] C6500 IPv6 redistribute with route-map?
Hi, all,

I'm in search of a little help with the setup of our new core routers. I've been running AS16188 and an internal v4 network for quite some years, so most tasks introducing v6 should be a piece of cake - or so I thought ;-)

I've run a setup like this since I do not remember when:

> router ospf 1
>  redistribute connected subnets route-map ospf-redist
>
> route-map ospf-redist permit 10
>  match ip address 10
>
> access-list 10 remark OSPF redistribution
> access-list 10 permit 217.29.32.0 0.0.15.255
> access-list 10 deny any

Just to make sure I would not accidentally inject anything not belonging to my AS into my IGP.

On the new systems this looks like this:

> router isis IGP
>  redistribute connected route-map redistribute
>
> route-map redistribute permit 10
>  match ip address redistribute
>  set metric 10
> route-map redistribute deny 20
>
> ip access-list standard redistribute
>  permit 217.29.32.0 0.0.15.255
>  deny any

I do not intend to discuss the respective merits of OSPF vs. IS-IS right now. ;-) My idea was since I would need to introduce a new routing protocol, anyway, why not switch to IS-IS and run single-topology?

The v4 config cited above does indeed work as it should. Now, let's add v6:

> router isis IGP
>  address-family ipv6
>   redistribute connected route-map redistribute6
>  exit-address-family
>
> route-map redistribute6 permit 10
>  match ipv6 address redistribute6
>  set metric 10
> route-map redistribute6 deny 20
>
> ipv6 access-list redistribute6
>  permit ipv6 2A00:B580::/32 any
>  deny ipv6 any any

Redistribution per se is working fine. It's the limitation to my own prefix (which I want) that does not work. If I introduce an arbitrary v6 address not belonging to me (the systems are not productive, yet), via, say, Loopback1, this will be distributed to all IS-IS peers despite the route-map.

I first suspected my lack of experience with v6 access-lists and tried various permutations of source/destination. Then prefix- instead of access-lists - to no avail.

Then it dawned on me and I tried:

> route-map redistribute6 deny 5

This should prevent any connected routes from being injected into IS-IS, right? Nope - all connected interfaces are visible on all peer routers. Looks like the IS-IS routing process is ignoring the route-map altogether.

12.2(33)SXI12 and 12.2(33)SXJ6 both show this behaviour. Am I missing something more general, here? Or can it be remotely possible that this is not yet implemented [tm]?

Thanks for any hints and best regards
Patrick
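To make the filtering semantics concrete, here is a small Python model of the standard-ACL plus route-map redistribution filter from the configs in this message, and of the wildcard-mask arithmetic behind the OSPF `network ... 0.0.0.0 area 0` statement explained in the earlier OSPF-vs-IS-IS message. It is an added example, not IOS code and not anything posted in the thread; the names wildcard_network, AccessList, RouteMap and decide are mine, and the sample connected routes are constructed (2001:db8::/32 and 192.0.2.0/24 are documentation space). The model implements what the post expects a route-map to do (first matching sequence decides, a sequence without a match clause matches everything, implicit deny at the end), which is exactly the behaviour the post reports the 12.2(33)SX IS-IS process did not apply to connected routes. It also shows a caveat the thread does not mention: under `match ip address <standard-acl>` only the route's network address is tested, so a too-wide prefix that starts inside your block still gets through; a prefix-list is the tool when the length has to be checked as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def wildcard_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair (e.g. 217.29.32.0 0.0.15.255)
    into the CIDR block it covers; a wildcard of 0.0.0.0 is a single /32.
    Only contiguous wildcards are supported (all the thread uses)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    # a contiguous netmask is ones followed by zeros: mask | (mask - 1) is all ones
    if mask and (mask | (mask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefixlen = bin(mask).count("1")
    return ipaddress.IPv4Network((address, prefixlen), strict=False)


@dataclass
class AccessList:
    """Ordered permit/deny entries; as in IOS, an unmatched route is denied."""
    entries: List[Tuple[str, Network]]

    def permits(self, route: Network) -> bool:
        # Under 'match ip address <acl>' a standard ACL is tested against the
        # route's network address only; the prefix length is not checked.
        for action, net in self.entries:
            if route.version == net.version and route.network_address in net:
                return action == "permit"
        return False


@dataclass
class RouteMapEntry:
    seq: int
    action: str                         # "permit" or "deny"
    match: Optional[AccessList] = None  # None: no match clause, matches everything
    metric: Optional[int] = None        # 'set metric N'


class RouteMap:
    def __init__(self, entries: List[RouteMapEntry]):
        self.entries = sorted(entries, key=lambda e: e.seq)

    def evaluate(self, route: Network) -> Tuple[bool, Optional[int]]:
        """The first sequence whose match clause matches decides: (permitted, metric)."""
        for e in self.entries:
            if e.match is None or e.match.permits(route):
                permitted = e.action == "permit"
                return (permitted, e.metric if permitted else None)
        return (False, None)  # implicit deny at the end of every route-map


def decide(route_map: RouteMap, prefix: str) -> Tuple[bool, Optional[int]]:
    """Evaluate a prefix given as a string."""
    return route_map.evaluate(ipaddress.ip_network(prefix))


def redistributed(route_map: RouteMap, connected: List[str]) -> List[str]:
    """Return the connected prefixes the route-map would let into the IGP."""
    return [p for p in connected if decide(route_map, p)[0]]


def deny_all_first(route_map: RouteMap) -> RouteMap:
    """The 'route-map ... deny 5' experiment: a deny sequence with no match clause."""
    return RouteMap([RouteMapEntry(5, "deny")] + route_map.entries)


# The v4 and v6 filters from the post (the v4 'deny any' is implicit here).
ACL_V4 = AccessList([("permit", wildcard_network("217.29.32.0", "0.0.15.255"))])
RM_V4 = RouteMap([RouteMapEntry(10, "permit", ACL_V4, metric=10),
                  RouteMapEntry(20, "deny")])
ACL_V6 = AccessList([("permit", ipaddress.IPv6Network("2A00:B580::/32")),
                     ("deny", ipaddress.IPv6Network("::/0"))])
RM_V6 = RouteMap([RouteMapEntry(10, "permit", ACL_V6, metric=10),
                  RouteMapEntry(20, "deny")])

if __name__ == "__main__":
    # Constructed connected routes: own space, an RFC 1918 OOB net, a BGP
    # transfer net in documentation space, a foreign loopback, and an own
    # prefix that is wider than the /20 (passes the standard ACL, see above).
    v4 = ["217.29.40.0/24", "192.168.1.0/24", "192.0.2.0/30", "217.29.32.0/19"]
    v6 = ["2a00:b580:1::/64", "2001:db8::1/128"]
    print("v4 into IGP:", redistributed(RM_V4, v4))
    print("v6 into IGP:", redistributed(RM_V6, v6))
    print("with deny 5 first:", redistributed(deny_all_first(RM_V6), v6))
```

The security-relevant behaviour is the default at the bottom of each function: both the ACL and the route-map deny what they do not explicitly permit, so a mistyped loopback or a transfer net owned by a peer never reaches the IGP. That is the guarantee the post is trying to keep when moving from OSPF to IS-IS, and the /19 case shows why an address-only standard ACL is a weaker guard than a prefix-list with an explicit length range.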