Re: [c-nsp] Cisco L2TP Failed

2021-09-13 Thread cnsp


Hi,

a) I have hostname/password/authentication on the l2tp-class matching the
central site.

In some IOS versions, the password must not be too long
(initially works fine; after wr and reboot, the type 7 representation was too
long).

b) starting with some IOS versions, I had to add
  ppp direction callout
to the int virtual-ppp X
(and I also have "ppp authentication chap pap callin" on it).

c) license issue (LIC-AIS-800 or so needed) ?

d) why use an 881 when an 1812 with internal power supply performs better?

e) I suggest putting either the DHCP WAN interface or the virtual-ppp
interface into a VRF to make routing easy.


just my $0.01 

Juergen.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


[c-nsp] N9K traffic lost when redundant link comes up

2021-03-09 Thread cnsp

Hi, 

I have a pair of N9K-C93180YC-EX running nxos.9.3.1.bin, connected with a LACP
port-channel (pair of 100G links).
I have a pair of N9K-C9348GC-FXP running nxos.9.3.5.bin, connected with a
(single 100G link) LACP port-channel to only one of the above switches.

I finally got more transceivers to create the missing redundant link(s) to the
other one of the first switches,
in a second LACP port-channel with just one single 100G link.

No Multi-Chassis LACP here, each device works stand-alone, 
spanning tree mode is MST, everywhere identically configured. 

Expected behaviour is:
the new link gets active, and
if spanning tree finds this new link "lower" it would block it;
if spanning tree finds it "better" it should start to use it and block
somewhere else.

But monitoring was crying, and I found in the logging:
16:30:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan 
XXX for 120s due to too many mac moves 
16:32:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in 
vlan XXX 

Yes, that was also the duration of the "outage"; adding a redundant link leads
to a two-minute outage ☹

Cisco's error-message finder tells me that there is nothing to do ?!?

Case opened, info submitted, but two days (plus weekend) of silence.

Any idea what is happening and how I can avoid that (the fourth link wants to
be plugged in)?

Will that happen when a link fails, STP unblocks another link and therefore the
switch relearns too many MAC addresses too fast,

so I get again 2 minutes "down" instead of just 2..3 seconds?

The ancient C4900M did not show that behaviour... 

Any suggestions? 

Thank you for your patience, 

Jürgen. 


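The two L2FM messages quoted in the post above bracket the time during which the switch refused to learn MAC addresses, which is exactly the outage window. The script below is an added example, not part of Jürgen's post and not a Cisco tool: it pairs the DISABLE_LEARN / RE_ENABLE_LEARN syslog lines per switch and VLAN and reports how long learning was off, so the blackout can be measured from the logs rather than guessed from monitoring. The message texts are the ones quoted in the post; the sample log lines are constructed (the VLAN numbers, the second switch, the unrelated port line and the unclosed window are made up). Timestamps are HH:MM:SS as shown in the post, so the script assumes a single day and tolerates one midnight wrap.

```python
"""Measure MAC-learning blackouts from NX-OS L2FM mac-move syslog lines.

Added example, not from the mailing-list post. Message formats are the two
quoted in the post; the sample lines at the bottom are constructed.
"""
import re

_TS = r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+"  # HH:MM:SS hostname (as in the post)
DISABLE_RE = re.compile(
    _TS + r"%L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan (\d+) for (\d+)s")
ENABLE_RE = re.compile(
    _TS + r"%L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in vlan (\d+)")


def _seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def learning_outages(lines):
    """Pair DISABLE/RE_ENABLE per (switch, vlan); return one dict per window.

    'seconds' is the measured blackout, 'announced' the duration the switch
    said it would stop learning for, and closed=False marks a window with no
    RE_ENABLE seen yet (still down, or the log was cut).
    """
    open_windows = {}
    outages = []
    for line in lines:
        m = DISABLE_RE.match(line)
        if m:
            h, mi, s, host, vlan, announced = m.groups()
            open_windows[(host, int(vlan))] = (_seconds(h, mi, s), int(announced))
            continue
        m = ENABLE_RE.match(line)
        if m:
            h, mi, s, host, vlan = m.groups()
            key = (host, int(vlan))
            if key not in open_windows:
                continue  # RE_ENABLE without a seen DISABLE: nothing to pair
            start, announced = open_windows.pop(key)
            measured = (_seconds(h, mi, s) - start) % 86400  # one midnight wrap
            outages.append({"switch": host, "vlan": int(vlan), "seconds": measured,
                            "announced": announced, "closed": True})
    for (host, vlan), (start, announced) in open_windows.items():
        outages.append({"switch": host, "vlan": vlan, "seconds": None,
                        "announced": announced, "closed": False})
    return outages


def total_blackout(outages, switch):
    """Sum of closed blackout windows on one switch, in seconds."""
    return sum(o["seconds"] for o in outages if o["closed"] and o["switch"] == switch)


# Constructed sample: the pair from the post (VLAN anonymised as 100), a second
# VLAN on the same switch, an unrelated line, a midnight wrap and an open window.
SAMPLE_LOG = [
    "16:30:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan 100 for 120s due to too many mac moves",
    "16:30:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan 200 for 120s due to too many mac moves",
    "16:30:20 dsw2 %ETHPORT-5-IF_UP: Interface port-channel2 is up",
    "16:32:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in vlan 100",
    "16:32:19 dsw2 %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in vlan 200",
    "23:59:30 dsw1 %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan 100 for 120s due to too many mac moves",
    "00:01:30 dsw1 %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN: Re-enabling learning in vlan 100",
    "00:05:00 dsw1 %L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN: Disabling learning in vlan 300 for 120s due to too many mac moves",
]

if __name__ == "__main__":
    for outage in learning_outages(SAMPLE_LOG):
        print(outage)
    print("dsw2 total blackout:", total_blackout(learning_outages(SAMPLE_LOG), "dsw2"), "s")
```

Fed the real syslog stream, the "announced" value lets you spot a second DISABLE arriving before the first window closed, which is the pattern to expect if every failover re-triggers the mac-move detection.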


[c-nsp] disable or rate-limit icmp-unreachables IOS-XR

2021-01-20 Thread cnsp


Hi, 

when looking at the AMS-IX peering template, I found that generation of ICMP
unreachables shall be disabled.

Is that a good idea? Some say it breaks PMTUD
(so I am wondering why this was also present in a PPPoE virtual-template
just seen on the list here).

Also, several secure-your-network checklists insist on setting it on at
least all external interfaces.

Or rate-limit:

RP/0/RSP0/CPU0:ASR9901(config)#icmp ipv4 rate-limit unreachable ? 
  <1-4294967295>  One ICMP unreachable message in x milliseconds(default is
500ms) 
  DF  Fragmentation needed and DF set (code4) 
  disable Disable rate limit of ICMP messages 
RP/0/RSP0/CPU0:ASR9901(config)# 

Is this "per chassis", so it will send a maximum of 2 ICMP unreachable messages
per second?

What is a "good" value to keep things like PMTU working but also the device
happy ? 10ms ? 

Thank you for your help, 

Jürgen. 




Re: [c-nsp] ASR9k RSP440

2020-11-13 Thread cnsp


> > What is everyones opinion of the 64bit XR? 
> 
> No particular opinion other than the fact that every new A9K deployment 
> here is eXR (64-bit) as new HW doesn't run on 32-bit anymore. 
> 
> A few things I noted: 


> 1b. access to 'admin' CLI context is noticeably slower in eXR, as admin
runs in 
> different (sysadmin-vm) VM. 
> However, recent eXR builds (6.5.1 and newer) appear to have improved 
> this quite a bit now, that it's not as bad. 

Yes, that is a really GREAT feature:
Docker processes crashing and respawning,
sometimes restarting the "router" VM, producing outages.

One workaround they gave me after half a year of investigation
exists (until you reboot the box);
an SMU for that is existent but will not solve the "real" problem,
they told me.
But installing the SMU creates DOWNtime,
and reading that there will be side effects and
no real instructions on how to recover from that will prevent me from
trying to patch anything on it.

No real solution for that, while the PC Linux folks had those problems 5
years ago;
don't know whether fixed or not.

Support cannot give correct working instructions on how to collect
log files from that virtual shit
or copy them between them, since one would assume that one can ssh/scp between
them, but something
is not set up the expected way on that expensive piece of junk.

Installing SMUs from 6.5.1 to 6.5.3 took 2 weeks because of WRONG update
instructions
and faulty assistance from TAC.

The docs say that patch-package installation is incompatible with single
SMU installation.

Nothing learned from the people who did engineer real operating systems
and patch/update procedures
(for example SunOS?), but hobbyists clashing everything together for
their potential high-end devices.

Hardware for forwarding may be good,
the "IOS-XR" with different syntax may be useful,
marketing slides look great and "ISSU" etc. sound great.

But having >10% downtime and lots of time for debug sessions with TAC
poking in the nebula and not knowing what they do leads to the result that
getting the ASR9901 was a mistake.

Just my bad experience, 

Jürgen. 




[c-nsp] Cisco WLAN-Controller SNMP

2020-11-12 Thread cnsp
Hi,
this is a little bit off-topic, but perhaps someone solved this already:

Regarding Cisco WLAN controllers and CAPWAP access points,
I am seeking the SNMP way to get the "NAT External IP Address"
shown in the CLI output (and also visible in the web interface):

(Cisco Controller) >show ap config general JM-TEST 

Cisco AP Identifier.. 19 
Cisco AP Name JM-TEST 
Country code. DE  - Germany 
[...] 
MAC Address.. 7c:69:f6:04:9a:e2 
IP Address Configuration. DHCP 
IP Address... 192.168.33.169 
IP NetMask... 255.255.255.0 
Gateway IP Addr.. 192.168.33.254 
NAT External IP Address.. 21X.1X6.1X3.1XY:1481 
CAPWAP Path MTU.. 1485 
[...] 

I think it may be in the CISCO-LWAPP-TUNNEL-MIB, but an snmpwalk fails with "index
not increasing"
and many variables are marked "NOT ACCESSIBLE" in the .my file
(and I do not know how to use an unknown octet-string as an index).

Thank you for any ideas, 

Jürgen. 




Re: [c-nsp] NXOS output numeric

2020-10-09 Thread cnsp
Aloha, 

> Howdy, 
> 
> I had a quick question regarding NXOS, is there any way to run a command 
> and have it output numerically only? 

[...] 

> It would show a normal easily parsed number? For instance the number of 
> seconds since the last time the link flapped? 
> 
> If not are there any helper libraries for python that you guys have found
that 
> can handle these sorts of things before I create one? 

Why go through the CLI text representation when you can read out the
corresponding SNMP variable/counter?

OK, it would be fun to be able to read that more directly from the embedded
Linux ...

Just my 0.01 $ 

Juergen. 




Re: [c-nsp] Cisco vpdn multihop

2020-10-07 Thread cnsp
> > I am cleaning up a Cisco LAC/tunnel-switch/LNS setup, historically grown. 
> > 
> > Do I need the "vpdn multihop" statement on the final LNS 
> > which should only terminate the ppp sessions inside the l2tp tunnels 
> > and not forward them based on realm/domain-name/... in my setup? 
  
> Lol, my VPDN skills are, errm, rusty, but I recall the only scenario where 
> you 
> would need vpdn multihop on the final LNS is when you run them in a 
> MPP/SGBP group to terminate multilink-PPP sessions (in which case the final 
> LNS isn't actually final, so this makes perfect sense IMHO) 

Just a followup to ack that everything still works after removing 
the "vpdn multihop" statement from my final LNSes. 

(This was on 7201 and NPE-G2 with 122-33-SREx) 

Thank you for your hints, 

Juergen. 




[c-nsp] Cisco vpdn multihop

2020-09-29 Thread cnsp
Hi, 

I am cleaning up a Cisco LAC/tunnel-switch/LNS setup, historically grown. 

Do I need the "vpdn multihop" statement on the final LNS 
which should only terminate the ppp sessions inside the l2tp tunnels 
and not forward them based on realm/domain-name/... in my setup? 

One example in Cisco's documentation has it on all three devices, 
while another has it only on the tunnel switch. 

(ok, I could test it in the night the hard way) 

Thank you for your advice on this, 

Juergen. 





Re: [c-nsp] Mass-renaming interfaces

2020-09-28 Thread cnsp


I would avoid using Gig0/3 and would not bundle it with Gig0/[012].

Gig0/0, 0/1, 0/2 are the Marvell SoC's built-in ports,
while Gig0/3, together with the management "Fas"0/0, is on a separate Intel
Ethernet controller chip
(with gig + (only) fas they try to not oversubscribe the internal PCI bus).
  
> One of my 7201 routers has four GigabitEthernet interfaces but uses only 
> two, one for IP uplink and another as client-sided downlink with multiple 
> sub-interfaces named like GigabitEthernet0/1.10 (encapsulation dot1Q). 
> 
> It needs reconfiguration to use 2x1G port-channels. I already did such 
> reconfiguration for the same 7201 router with a small number of sub-interfaces 
> and know this is doable, changing sub-interfaces from GigabitEthernet0/1.N 
> to Port-channel1.N 

Just my 0.01 $ 
Juergen. 




[c-nsp] ASR920 LACP and xconnect

2020-08-21 Thread cnsp
Sorry, I think the behaviour is explainable. 
You have (I think, on both sides equivalent config) 
two Gig ports bundled with LACP to that port-channel. 
For that, the switch speaks link-local packets to the neighbor device. 
Now, you build that xconnect and ask to forward link-local packets to the
remote. 
OK, the device does this. 
The receiving device does some fancy load balancing and therefore LACP starts to
fail. 
Either let the local switch handle the LACP bundle and do not forward the
LACP packets 
through that xconnect, 
or build _two_ transparent xconnects/E-Line/Epipe services so A-1 sees B-side
1 and A-2 sees B-2 
and the LACP packets from A1 and A2 do not all go to B1 or mixed/load-balanced
to B1 and B2 (and vice versa), 
and _do_not_ bundle locally. 
Just my 0.01 $ 
Kind regards 
Jürgen Marenda. 
> -----Original Message----- 
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of James 
> Bensley 
> Sent: Friday, 21 August 2020 16:38 
> To: Eric Van Tol <e...@atlantech.net>; cisco-nsp@puck.nether.net 
> Subject: Re: [c-nsp] ASR920 LACP and xconnect 
> 
> On Thu, 20 Aug 2020 at 19:16, Eric Van Tol <e...@atlantech.net> wrote: 
> > Interface configs: 
> > 
> > interface GigabitEthernet0/0/0 
> > mtu 1600 
> > no ip address 
> > load-interval 30 
> > negotiation auto 
> > channel-group 1 mode active 
> > ! 
> > 
> > interface GigabitEthernet0/0/1 
> > mtu 1600 
> > no ip address 
> > load-interval 30 
> > negotiation auto 
> > channel-group 1 mode active 
> > ! 
> > interface Port-channel1 
> > mtu 1600 
> > no ip address 
> > load-interval 30 
> > negotiation auto 
> > no keepalive 
> > service instance 1 ethernet 
> >   encapsulation default 
> >   l2protocol peer lacp 
> >   xconnect x.x.x.x 1234 encapsulation mpls pw-class Raw-Mode-VC5 
> >mtu 1600 
> 
> What happens if you change each interface to be "channel-group 1 mode on" 
> and remove "l2protocol peer lacp" to disable LACP and remove it from the 
> equation? 
> 
> Cheers, 
> James. 


Re: [c-nsp] Devil's Advocate - Segment Routing, Why?

2020-06-19 Thread cnsp


> I've been told Merak is very nice...  if all you're interested in is "sell
to 
> Enterprise customers and make lots of cash". 

We asked the salesperson whether those Meraki devices can handle IPv6 
(as customer traffic) and for the cloudy management access (in an IPv4-free
world), 
but they did not know this, told us they will ask, but we did not get any
answer yet ... 

Juergen. 




Re: [c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

2020-06-12 Thread cnsp

Thank you for sharing your experience and the concrete example. 
Also good to know that I am not the only one trying to filter 
upstreams/peerings and of course the customers' traffic. 

Sorry for the late "thanks", I had to collect logs and dumps 
from the 9901 ☹ again, 
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs53433 
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu49346 
with, for this list, a trivial configuration. 
Worst Cisco experience in the last 10 years. 

Kind regards 

Jürgen Marenda. 




[c-nsp] ASR9001 ASR9901 IOS-XR IPv6 filtering

2020-06-10 Thread cnsp


Hi List, 

I would like to filter the incoming IPv6 traffic from upstream and peering 
relatively strongly, like I do it for IPv4 
(no martian src allowed, 
 traffic on the link to upstream/peering allowed, 
 my and customers' prefixes allowed as dst). 

Having link-local addresses will complicate this, 
also the ND etc. 
So I came up with a relatively long ACL and big question marks: 

1. With classical IOS, "IP" rules include icmp, udp, tcp, ... 
   Is this also true on IOS-XR for IPv6? 

2. On the Neighbor Discovery etc. stuff, are src and dst always link-local, 
or must I explicitly allow the four pairs LL-LL, LL-real, real-LL, real-real? 

3. Will that ACL work on the mentioned devices in hardware, 
or is it done in software, slowing down everything? 

With 1. and 2. I could probably shorten the sketch below 
and avoid unspecific icmp "any any" rules. 

!== 
ipv6 access-list AL6-FILTER-IN 
! from http://www.bgp4all.com.au/pfs/_media/workshops/12-ipv6-security.pdf 
2000 permit icmpv6 any any echo-reply 
2010 permit icmpv6 any any echo-request 
2020 permit icmpv6 any any 1 3 
2030 permit icmpv6 any any 1 4 
2040 permit icmpv6 any any packet-too-big 
2050 permit icmpv6 any any time-exceeded 
2060 permit icmpv6 any any parameter-problem 
! not accepted 2070 permit icmpv6 any any mld-query 
! not accepted 2080 permit icmpv6 any any mld-reduction 
! not accepted 2090 permit icmpv6 any any mld-report 
2100 permit icmpv6 any any nd-na 
2110 permit icmpv6 any any nd-ns 
2120 permit icmpv6 any any router-solicitation 

!HSRP 2200 permit udp FE80::/16 eq 2029 host FF02::66 eq 2029 

2900 deny icmpv6 any any 
! 
! tmp block bad src 
3000 deny ipv6 2605:9880:300::/48 any 
! 
! transit to upstreams and peering 
6000 permit ipv6 2001:qwer::1234/126 2001:qwer::1234/126 
6020 permit ipv6 2001:789::/64 2001:789::/64 
6030 permit ipv6 2001:asdf:ghjk:uiop::/64 2001:asdf:ghjk:uiop::/64 
! 
!! my and customers ipv6 ranges src 
! wrong direction 
!7000 permit ipv6 2a00::/32 any 
!7100 permit ipv6 2a01:asdf::/32 any 
! 
! my and customers ipv6 ranges dst 
8000 permit ipv6 any 2a00:::/32 
8100 permit ipv6 any 2a01:asdf::/32 
! 
9000 deny ipv6 any any 
! 
!== 

Thank you for suggestions on how to do this "right", 

Juergen. 


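The ACL sketch in the post above is a sequenced, first-match list, and with a dozen icmpv6 lines followed by a catch-all deny it is easy to lose track of which ICMPv6 types actually reach the explicit or implicit deny. The script below is an added example, not part of the post and not Cisco tooling: it parses an ACL in the same shape, evaluates each ICMPv6 type and code against the rules in sequence, and reports which types from RFC 4890's baseline are dropped and by which sequence number. Only rules whose source and destination are both "any" are modelled; prefix-specific rules are skipped, so the verdicts are for ICMPv6 from an arbitrary source. The sample ACL is constructed with RFC 3849 documentation prefixes; the keyword-to-type mappings for unreachable, mld-*, router-advertisement and redirect are the classic IOS keyword names and are an assumption for IOS-XR (the post notes the mld keywords were not accepted), the others are keywords the post shows IOS-XR taking.

```python
"""Which ICMPv6 types does an IOS-XR style IPv6 ingress ACL let through?

Added example, not from the mailing-list post. Models first-match semantics
of a sequenced ipv6 access-list for any/any rules only; the sample ACL and
the classic-IOS keyword names (see ICMPV6_TYPES) are assumptions.
"""
import re

# ICMPv6 type numbers behind the ACL keywords (RFC 4443, RFC 4861, RFC 2710).
ICMPV6_TYPES = {
    "unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "mld-query": 130, "mld-report": 131, "mld-reduction": 132,
    "router-solicitation": 133, "router-advertisement": 134,
    "nd-ns": 135, "nd-na": 136, "redirect": 137,
}

# RFC 4890's transit baseline (error and echo messages that must not be
# dropped) plus the ND messages an interface needs to resolve its neighbour.
MUST_PASS = {
    1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
    4: "parameter problem", 128: "echo request", 129: "echo reply",
    133: "router solicitation", 135: "neighbor solicitation",
    136: "neighbor advertisement",
}
# Dropping these inbound on a peering/upstream link is often deliberate, but
# it should be a decision, so they are reported separately.
WORTH_REVIEW = {
    130: "MLD query", 131: "MLD report", 132: "MLD done",
    134: "router advertisement", 137: "redirect",
}

RULE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")


def parse_acl(text):
    """Return [(seq, action, proto, icmp_type, icmp_code)] for any/any rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ipv6 access-list"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed ACL line: " + line)
        seq, action, proto, src, dst, rest = m.groups()
        if src != "any" or dst != "any":
            continue  # prefix-specific rule: not modelled here
        args = rest.split()
        icmp_type = icmp_code = None
        if proto == "icmpv6" and args:
            if args[0].isdigit():  # numeric "type [code]" form, e.g. "1 3"
                icmp_type = int(args[0])
                if len(args) > 1 and args[1].isdigit():
                    icmp_code = int(args[1])
            else:
                icmp_type = ICMPV6_TYPES[args[0]]
        rules.append((int(seq), action, proto, icmp_type, icmp_code))
    return rules


def evaluate(rules, icmp_type, code=0):
    """First matching rule wins; no match is the implicit deny (seq None)."""
    for seq, action, proto, r_type, r_code in rules:
        if proto == "ipv6":  # an any/any ipv6 rule matches every packet
            return action, seq
        if proto != "icmpv6":
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        if r_code is not None and r_code != code:
            continue
        return action, seq
    return "deny", None


def coverage_report(rules):
    """Map each baseline ICMPv6 type the ACL drops to (name, dropping rule)."""
    dropped = {}
    for icmp_type, name in {**MUST_PASS, **WORTH_REVIEW}.items():
        action, seq = evaluate(rules, icmp_type)
        if action != "permit":
            dropped[icmp_type] = (name, "implicit deny" if seq is None else f"seq {seq}")
    return dropped


# Constructed ACL in the shape of the one in the post (documentation prefixes).
SAMPLE_ACL = """\
ipv6 access-list AL6-FILTER-IN
 2000 permit icmpv6 any any echo-reply
 2010 permit icmpv6 any any echo-request
 2020 permit icmpv6 any any 1 3
 2030 permit icmpv6 any any 1 4
 2040 permit icmpv6 any any packet-too-big
 2050 permit icmpv6 any any time-exceeded
 2060 permit icmpv6 any any parameter-problem
 2100 permit icmpv6 any any nd-na
 2110 permit icmpv6 any any nd-ns
 2120 permit icmpv6 any any router-solicitation
 2900 deny icmpv6 any any
 3000 deny ipv6 2001:db8:bad::/48 any
 6000 permit ipv6 2001:db8:1::/64 2001:db8:1::/64
 8000 permit ipv6 any 2001:db8::/32
 9000 deny ipv6 any any
"""

if __name__ == "__main__":
    for t, (name, why) in sorted(coverage_report(parse_acl(SAMPLE_ACL)).items()):
        print(f"type {t:3d} {name:24s} dropped by {why}")
```

Run against the constructed ACL it reports type 1 (destination unreachable) as dropped by seq 2900, because only codes 3 and 4 are permitted and code 0 (no route) falls through to the catch-all; the MLD types, router advertisements and redirects are listed as well, so that dropping them on a peering link is a conscious choice rather than a side effect of the final deny.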


Re: [c-nsp] EVPN/VXLAN on ASR9001 - BGP announcements not working

2020-05-04 Thread cnsp


> On Mon, 4 May 2020 at 12:15,  wrote:
> 
> > Just my 0.01$
> 
> Can I get a refund?

Just come and collect a Ningi in my shed on Kakrafoon Kappa,
but beware the Vogons.

Yes, you'll get a free Pan Galactic Gargle Blaster.

Juergen.



Re: [c-nsp] EVPN/VXLAN on ASR9001 - BGP announcements not working

2020-05-04 Thread cnsp



>[...] 
> DC-folks# This STP sucks, let's MC-LAG/VSS everything, ok that sucks let's do 
> TRILL et al., that sucked let's do VXLAN, wait, how do we do CP-based mac 
> learning? Let's do EVPN VXLAN, Oh has anyone reserved VXLAN header field 
> that can be used for micro-segmentation? Tumbleweed ... 
> SP-folks# no way we'll have STP to core, let's use VPLS, that sucked let's use 
> EVPN/PBB-EVPN.. 
> 
> adam 

Today everything must go over HTTPS (like DNS, ...), 
but do not forget to use XML to over-bloat everything 
and use at least TLS rev. 9.11. 

Will be punched into the dollar-note-sized big cards (Hollerith) (80 characters
wide). 
Fragmentation will be managed by punching a "C" in column 5. 

So we will soon see MPLS over HTTPS with fancy XML schemes; 
network devices will be ChromeOS browser devices. 
Don't think of performance or a scalable implementation in hardware; 
when that would be ready, the standard has been obsoleted and replaced by 

Just my 0.01$ 

Juergen 




[c-nsp] IOS-XR on ASR9[09]001 ip local policy route-map equivalent

2019-12-30 Thread cnsp
Hi, 

is there an equivalent to IOS "ip local policy route-map ..." on IOS-XR? 

I tried hard to google it but did not get useful results; 
my search-term formulator nose has a cold. 

Kind regards 

Jürgen Marenda. 

BTW, happy new year etc. 




[c-nsp] new ASR9901 ios update / full

2019-11-04 Thread cnsp
> So I did continue and now it is 99-100% full; "install add source ..."
> works but "install activate ..." aborts.
> 
> I do not have "user files" on it; I did put the iso, tar, SMUs onto "harddisk:".
> I did not find any hint how to make space there, I tried
> 
> "clear configuration commits oldest 100"
> "install remove inactive all synchronous"
> 
> But this did not help 

What helped was 

# install deactivate superseded sync
# install commit sync

I found that in an older IOS-XR documentation, not in the current one.

When installing SMUs in release-date order,
 asr9k-x64-6.5.3.CSCvn74595.tar
results in ssh not working;
going back removes my three ssh config lines
(good to have the serial CON to enter them again).

After installing all the other SMUs I tried again,
and this time I had no problems.

In the corresponding README some dependencies are mentioned,
but I was unable to locate them by their name/number.

And after all was over,
i did again
# install deactivate superseded sync
# install commit sync

Plus

# install remove inactive all sync
# install commit sync 

"run df -k" show root at 77% .

So I am now through with this;
I am some decades older, my hair went gray.

Probably tomorrow a big bug will be found so another IOS-XR version is the new 
"recommended" ☹

BTW, TAC was no help on this.

Thank you for your kind help,

Jürgen Marenda.



Re: [c-nsp] new ASR9901 ios update problem

2019-11-02 Thread cnsp
Thanks for the flowers, Aaron!

Now I got stuck in those patches called SMUs.

Not only is the mentioned time consumption (each reload takes 15..20 minutes) 
boring,
but after installing most of the SMUs, with only 5..7 remaining from the bunch of 
80±5 SMUs,
the device tells me on its console port that the root filesystem is over 
80% or more full.

LC/0/0/CPU0:Nov  2 12:47:56.505 CET: resmon[290]: %HA-HA_WD-3-DISK_ALARM_ALERT 
: A monitored device / ( rootfs:/ ) is above 80% utilization. Current 
utilization = 80. Please remove unwanted user files and configuration rollback 
points.

Googling for this i found

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-xr-software/116332-maintain-ios-xr-smu-00.html
[...]
Bootflash is above 80% utilization

The following message may appear after SMU installation.
RP/0/RSP0/CPU0:Jul  9 17:40:37.959 : wdsysmon[447]: %HA-HA_WD-4-DISK_WARN : A 
monitored device /bootflash: is above 80% utilization. Current utilization = 
89.  Please remove unwanted user files and configuration rollback points.
This message can be safely ignored.
As per design it is expected that IOS-XR will keep up to two MBIs on the 
bootflash following SMU install(s). At subsequent SMU install(s), if the 
bootflash space required by the new package(s) is not available, IOS-XR will 
clean up automatically old MBIs to make space for the new MBI package.
[...]

So I did continue and now it is 99-100% full; "install add source ..."
works but "install activate ..." aborts.

I do not have "user files" on it; I did put the iso, tar, SMUs onto "harddisk:".
I did not find any hint how to make space there,
I tried

"clear configuration commits oldest 100"

"install remove inactive all synchronous"

But this did not help.

#show install log 250 detail
Sat Nov  2 12:56:50.744 CET
Nov 02 09:56:57 Install operation 250 started by jm:
  install activate id 249 
Nov 02 09:56:57 Package list:
Nov 02 09:56:57 asr9k-mgbl-x64-2.0.0.4-r653.CSCvr46090.x86_64
Nov 02 09:57:01 Action 1: install prepare action started
Nov 02 09:57:03 Install operation will continue in the background
Nov 02 09:57:03 The prepared software is set to be activated with process 
restart
Nov 02 09:57:47 Start preparing software for local installation
Nov 02 09:57:59 Action 1: install prepare action completed successfully
Nov 02 09:58:00 Action 2: install activate action started
Nov 02 09:58:00 The software will be activated with process restart
Nov 02 09:58:01 Activating XR packages
Nov 02 09:59:12 Node 0/RSP0/CPU0 encountered error(s) during operation. Please 
check 'show install log 250 detail' for error details
Nov 02 09:59:12 

Error stack for location 0/RSP0/CPU0

1# Available disk space(including additional buffer 104857600) 
215699456 is not sufficient for rpm installation of archive size 110199132 
2# failed to load files from ldpath (new)

Please collect 'show tech-support install one-showtech' from XR and 
'show tech-support ctrace' from Admin and pass this information to your TAC 
representative for support.


Nov 02 09:59:12 Agent on the lead has err'ed during SWC_BEGIN Aborting the 
operation
Nov 02 09:59:12 Action 2: install activate action aborted
Nov 02 10:00:21 Install operation 250 aborted
Nov 02 10:00:21 Ending operation 250

I submitted the output from 'show tech-support install one-showtech' to my TAC 
case,
but I have not found out how to move the "admin 'show tech-support ctrace'" 
output
out of the box. Looks like admin-harddisk: is not the same as harddisk:,
and also admin copy does not know ftp as a destination (and I believe it will not 
work
with my mgmt-vrf; the ip information is a strange 192.168.0.4, not my mgmt ip).
Very, very strange ☹

BTW, when I was at the approx. 80% SMU installation point,
I got the hint from TAC that I can untar the SMUs
and bundle them (without the .txt files) in one tape archive to get them
installed faster.
Way too late after 3 days of work.

Looks like the documentation on how to upgrade the box has never been tested
(and in/output captured),
and also no one had ever tried to add all recommended patches.

Any idea on what is blocking space on / and can be removed?

Repartition and install from scratch?
RMA it and get a refurbished device with scratches 
instead of this expensive brand-new garbage?


I am also a little bit afraid of using such a thing for production.
Thought version 6.5 would be mature and procedures well documented
and the TAC people could give me concrete answers, not generic blarney.

->sigh<-

Jürgen Marenda.

> -----Original Message-----
> From: Aaron Gould 
> Btw, good job, and thanks Jürgen for the informative and detailed instruction
> on XR upgrade.


Re: [c-nsp] new ASR9901 ios update problem

2019-10-26 Thread cnsp


Hi, I got some help from TAC on this,
so I managed the upgrade (but the patches, "SMUs", are still waiting).

Here is a (not really) short summary of the steps I did
(maybe that's not the optimal/fastest procedure):

1. I have working serial console access (115200-8N1)

2. I have an account "jm" with the same rights as "admin",
   so I must not type "admin" in front of each command, I believe

3. the first Management Ethernet "MgmtEth0/RSP0/CPU0/0" 
   is in vrf mgmt with ip 10.10.50.22 /24

4. my ftp/tftp/... server is on the same (v)lan and has the ip 10.10.50.84,
   so direct connection and no router/NAT/... in the way

5. username:password for ftp used in this text is cisco:ciscopass 

6. I did steps 1, 3
   and skipped step 2 
   from the PDF ASR9K_IOS-XR-64-bit_Upgrade_MOP_6.5.3.pdf 
   found in ASR9K-x64-docs-6.5.3.tar,
   since I upgrade only from 6.5.2 to 6.5.3
   where no "bridge" package installation is necessary

   (in that tarball are not the Linux man pages for the box)

7. I put the files
   asr9k-mini-x64-6.5.3.iso
   ASR9K-x64-iosxr-px-k9-6.5.3.tar
   onto the ftp server in directory ASR9901/6.5.3/
   (relative to user cisco's base directory)

8. I put the "x64" and "sysadmin" SMUs
   onto the ftp server in directory ASR9901/6.5.3/smu/

9. Trying method "4.2" from the PDF above,
   "install" does not know the command "upgrade" or "update".

   When entering "run" or "admin" "run", the install command
   has "update" "upgrade" options but does not know how to ftp out;
   due to unknown syntax I could not find out how to use a vrf.
   
   Also setting ftp source-interface etc. in the config did not help.

   Doing ifconfig does not show my Management Ethernet 
   but some strange internal vlans...

10. Trying method "4.1".

10.1. making directories on the "harddisk:"

  mkdir harddisk:/sw
  mkdir harddisk:/sw/6.5.3
  mkdir harddisk:/sw/6.5.3/smu
  cd harddisk:/sw/6.5.3

10.2. copying files from the ftp server 
  
  copy ftp://cisco:ciscopass@10.10.50.84;mgmt/ASR9901/6.5.3/asr9k-mini-x64-6.5.3.iso harddisk:/sw/6.5.3/

  copy ftp://cisco:ciscopass@10.10.50.84;mgmt/ASR9901/6.5.3/ASR9K-x64-iosxr-px-k9-6.5.3.tar harddisk:/sw/6.5.3/

10.3. install add source harddisk:/sw/6.5.3/ asr9k-mini-x64-6.5.3.iso
  (note the required space between ...6.5.3/ and asr9...)
   
  ...Install operation 13 finished successfully

10.4. install add source harddisk:/sw/6.5.3/ ASR9K-x64-iosxr-px-k9-6.5.3.tar
  (note the required space between ...6.5.3/ and ASR9...)

  ...Install operation 14 finished successfully

10.5. install prepare id 13 14

  both install operation numbers from above together

  show install request
  show install log 15 detail

  fast going to 40%, then long waiting (15 minutes)

  ... Install operation 15 finished successfully

10.6. install activate

  ...  Action 1: install activate action completed successfully
       Install operation 16 finished successfully
       Ending operation 16

10.7. machine boots automatically

  and after around 15 minutes, all the interfaces are there again.

10.8. login (if not done)

10.9. install commit

  ... Install operation 18 finished successfully

10.10. again doing Part 2 of the upgrade PDF

10.11. install remove inactive all

10.12. and a final reload

That was it.

==

Now I need a nice way to get the SMUs installed without headache.

BTW, the "px" are for the 32-bit (for example) ASR9001 devices, "classic XR"
"cXR";
the "x64" and the "sysadmin" are for the 64-bit (for example) ASR9901 devices,
"enhanced XR" "eXR", so I was told in my TAC case. 

I wonder why I find them all mixed up when I first select the one or other
in the Cisco support download section.

==

Missing output of my mgmt-vrf in IOS-XR 6.5.2 
when I was typing "show vrf all"
was a bug disappearing after the upgrade to 6.5.3.

==


Jürgen Marenda.



[c-nsp] new ASR9901 ios update problem

2019-10-23 Thread cnsp


Hi,

the ASR9k series is quite new for me, so sorry for asking silly beginner
questions.

I found a box with an ASR9901 in my office.
It is loaded with IOS-XR x64 6.5.2.
Cisco download recommends 6.5.3,
so I downloaded those several GB.

(or should I use 6.6.x ?)

I was seeking instructions on how to do the update,
and found a pdf on this subject in the ...docs..tarball.

Fine, I thought.

The ASR9901 is currently connected with the first mgmt-ethernet 
to my mgmt-vlan where I have a tftp/ftp/syslog/... server.
As always, that interface is in its own vrf.

Also I can connect to the CON port from a serial-line-terminalserver.

First "problem": "show vrf ?" or "show vrf all" does not show it
(while my older ASR9001 currently running 6.1.4 code does).

Second "problem": how to formulate the URLs with vrf?
I have tried ftp://user:pass@10.11.12.13;mgmt/rhabarbar/6-5-3/
but this seems to not work (for example to save the running config to the ftp
server).

I went through the instructions on how to upgrade.

In method 4.1, the "classical" way, I need the "iso" but cannot find what to do
with it.

So I tried to use method 4.2, "install upgrade":
put the files into my ftp server.
I found that "install" does not have the option update or upgrade,
so I cannot do this.

(also, in the screenshots of that update document,
 output refers to a 6.3.3 iso file; I don't want to mix things)

I have an open TAC case on that, 
but did not hear anything from them for the last 50 hours.
Since the machine is not doing real work,
what is the foolproof way for upgrading it?

Pre-final question is regarding the patches called "SMU".
There seem to be three sorts of it:
"x64" "px" and "sysadmin" .
"x64" is good for the 9901, "px" for the 9001 (32bit) and "sysadmin" for
both ?

The Method 4.2 tells me to put (all?) the SMUs into the same
Directory as the .iso and an unpacked tar file .
Is that ok? I saw some slides on it, and that looked like I should 
Sort this in some kind of directory structure, which was not clearly
defined.

Can the installation of the SMUs be done later, 
will the device find out by itself in which order
To install them?

Last question is whether I should update the older asr9001
also to 6.5.3 to have bugs^Wfeatures in sync ?

( _must_ they have call-home/smart-licensing/ enabled ?)

Sorry again for beginners questions,
now everyone knows that I'm too stupid for those devices.

Thank you for your patience reading this and your kind help

Jürgen Marenda.





Re: [c-nsp] Has there been a Cisco network device with GE management port while other ports are FE or lower?

2018-10-25 Thread cnsp



> > Also - the only other place you might see it is on a 8xx series
> router.
>
> Yes, for example in Cisco 891, which has a 1GigE WAN port:
> https://i.ebayimg.com/images/i/112239287188-0-1/s-l1000.jpg
>
>
> In summary, if GigabitEthernet0 is not the only GigabitEthernet port,
> then it is definitely a management Ethernet interface. If
> GigabitEthernet0 is the only GigabitEthernet port, then it is
> impossible to say, if it is a management port(for example, CSR running
> IOS XE 3.10S or ASR with slower/non-ethernet line cards) or
> non-management port(for example, some Cisco 800 series models)?

No.
Again, here comes the famous 800 Series:
C891F and C89[67]VA have an 8 port GigabitEthernet switch (no longer the FE
switch from the not so famous 89[12] ), one GE WAN Port (combo) and one FE
WAN Port.
Gig0 is here one of the embedded switch-ports, while the WAN Port is Gig8 .
There is no special (feature-fewer) "Management" Port where varyingly named
(not changeable) VRFs are hardcoded.

Juergen.






[c-nsp] ASR920 l2cp over mpls xconnect

2018-07-27 Thread cnsp


Hi,

I got two ethernet-links,
- one between two ME-3800X's and
- one between an ME-3800X and an ASR920.
They have been created using mpls xconnects.

Connecting my own "CE2.0" CPE's,
- on the first link, my OAM's find their way, everything OK.
- on the circuit with the asr920, the OAM's don't come out on the other end,
  so my NNI Ports are marked "down".
  (disabling OAM, the LLDP neighborship comes up, my inband-mgmt is working,
  ...)

I do not have access to those devices from our carrier,
and have not got the exact model and IOS Version.
Is there anything special to configure?
Something like "l2cp tunnel all" ?

(I found "transparent-cfm" but this is in the context of
CarrierEthernetConfig and not MPLS.)

I hope that STP BPDUs will be transported (in both directions) over that
xconnect.

Thank you for any ideas,

Juergen.








Re: [c-nsp] DHCP server

2018-06-16 Thread cnsp
How many physical interfaces/ports?

A c891f could be sufficient...

Jürgen.
-Original Message-
Dear experts,
a customer of mine as an old C7200 acting as DHCP server and wants to
replace it with an IOS device in order to port configuration 1:1.

He asked for a solution which is not so expensive, I'm thinking to ASR1k or
CAT9k, do you have any other suggestion ?



Re: [c-nsp] NPE-G1s don't want to talk to each other over copper?

2014-03-20 Thread cnsp
> 802.3-2008 40.4.4 says:
> 
> > Implementation of an automatic MDI/MDI-X configuration is optional
> for 1000BASE-T devices.

Just downloaded 802.3-2012 from the IEEE,
Section 3, 40.8.2 (p. 269) explains, or tries to.
There is also the pinout for the two variants (incompatible to 10/100BaseT
crossover).

So iff you want to have autoneg OFF, you must use
the correct wiring: switch MDI-X, device MDI;
if both are the same you must make use of the magic 1000BaseT crossover
cable
at the farthest possible end (so at the end-device, not on the switch,
not between any patchpanels on the way).

If you have autoneg ON, the pairs will be matched,
so normally, you can use simple straight patch-cords.


Hey, tomorrow I will call my local dealer for a Gigabit crossover cable.
"I need a 5 feet 1000BaseT Crossover Cable Class D (for you: CAT5)
 according to IEEE Std 802.3-2012 Section Three"
He will think I got mad.
Or he will tell me: "Well, that's a relatively new version of the standard,
so those cables are quite expensive, we do not have many in stock here, oops,
currently sold out."

Juergen.




Re: [c-nsp] Transparent WAN Encryption

2014-02-02 Thread cnsp
Many of those devices do think that the WAN "Ethernet" is
bit-transparent, not packet-oriented, unlimited MTU...

In reality, those "Ethernet" links are MTU-limited, often with an
"Ethernet" MTU
of just 1500 or sometimes plus 1 or 2 VLAN tags. Full stop.
No space for additional information, encryption header, etc.

Or for "jumbo frames" found in iscsi etc. applications.

BUT you need your Ethernet-crypto device to solve this,
so when my switches on both ends have an MTU of 9216 bytes
I would like the crypto-device to transport this even over the
"ethernet" link with an MTU of 1371 .

Very few of the products solve that,
so take care in selecting your product,
"simple" products think that you own a dark-fibre
where they can do anything
but in reality, you just have a packet-switched link
with singlemode-fibres on both ends.

> I'm looking for the simplest way to do it. Most customers have L2
> connections between Data Centers. The edge device controlled by the
> customer is a Layer 2 Switch. The mechanisms like IPSec, GETVPN,
> FlexVPN, an so on, need a router in the edge. This implies modification
> of the customer's topologies. L2 encryption seems the perfect solution
> and it seems there are several options on the market.

You can use Cisco "routers" to build an encrypting,
transparent Ethernet-link, bridging every packet including STP CDP LLDP ...
Needs some CPU on the router, that sets the limits,
but this works well, even with limited links.

> Regards,
> 
> Antonio Soares, CCIE #18473 (RS/SP)
> amsoa...@netcabo.pt
> http://www.ccie18473.net
> 
> 
> 
> -Original Message-
> From: Jeff Orr [mailto:j...@communicorr.com]
> Sent: Sunday, 2 February 2014 17:25
> To: Antonio Soares
> Cc: 
> Subject: Re: [c-nsp] Transparent WAN Encryption
> 
> If you are using a private MPLS (I.e. Not over Internet) & have Cisco
> CE routers consider GETVPN.
> 
> For the reasons you mentioned, we as a customer went this direction.
> We needed to ensure our WAN (150 sites/multiple data centers)traveling
> across a variety of links/providers including DS1/DS3/Metro-e is
> secure.
> 
> It has really scaled & worked well. GETVPN is VRF aware & can function
> on the PE side as well.
> 
> -jeff
> 
> Sent from my AT&T iPhone
> 
> > On Feb 1, 2014, at 9:16 PM, Antonio Soares 
> wrote:
> >
> > Hello group,
> >
> >
> >
> > Service Provider WAN links are not secure anymore and I have more and
> > more enterprise customer asking transparent WAN encryption solutions.
> > I came across these two products:
> >
> >
> >
> > EncryptTight:
> >
> >
> >
> > http://www.blackbox.com/Store/Results.aspx/Networking/Security-
> Optimiz
> > ation/
> > Encryption/n-4294953119
> >
> >
> >
> > TrustNet:
> >
> >
> >
> > http://www.certesnetworks.com/securitysolutions/wan-encryption.html
> >
> >
> >
> > Anyone has experience with these products ? This seems the ideal
> solution.
> > The networks remain exactly the same as they were, we simply add
> these
> > devices to do their job.
> >
> >
> >
> >
> >
> > Thanks.
> >
> >
> >
> > Regards,
> >
> >
> >
> > Antonio Soares, CCIE #18473 (RS/SP)
> > amsoa...@netcabo.pt
> >
> > http://www.ccie18473.net 
> >
> >
> >
> >
> >
> >
> 


Re: [c-nsp] PPPoE Session

2014-02-02 Thread cnsp
 

> Thanks for the reply
>
> U mean the timeout absolute 1400 0 , for example for 24 hours it should be
> 1440 ?

Yes, you got it :-) !

It is "timeout absolute <minutes> <seconds>",

1 day = 24 hours = 24*60 = 1440 minutes plus 0 seconds.




Re: [c-nsp] PPPoE Session

2014-02-02 Thread cnsp

> Hi all
> Can I control the session timeout via CLI ? i.e. I want each
> PPPoE session to be disconnected automatically after for example 24
> hours?

Yes We Can:
!
int dialer 3
! ...
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 dialer idle-timeout 0
 dialer persistent
 no cdp enable
 keepalive 30
 ppp authentication chap ...
 ppp chap ...
! ...
! 
 timeout absolute 1400 0
!
!


On the central side,
you can put it into an interface virtual-template
or set it thru AAA (radiator can calculate the value
to fix the automatic disconnection to a given time).

Hope this helps,

Juergen.




[c-nsp] how to overwrite L2TP multihop NAS-IP-Address

2013-12-16 Thread cnsp
Hi,

On an l2tp multihop broadband dialin environment,
I would like to overwrite the "NAS-IP-address" (attribute 4)
tunneled somehow inside L2TP from the carrier's first
broadband-router showing up in my LNSes' radius-requests
to reflect _my_ border-gateway, not _theirs_ .

I found a way to override it in the locally generated
radius-requests, but this does not change anything
on the next LNS; there I can see again the original value.

Currently working with NPE-G1/G2 with 12.2(33)SRE5 ,

Any ideas/suggestions ?

Juergen.






Re: [c-nsp] cheap core switch for a "hacker space" (nonprofit association)

2013-12-10 Thread cnsp
The generated hot air is good for
drying the laundry in my cellar.

I was first unsure whether the air humidity would harm,
but my home servers still survive.

The depth of my rack is ok (HP/Compaq)
but it was hard to find one less than 1,8 m .

Boing...Ouch my head...always duck when going thru doors.

Just my 0.01$
Juergen.

> On 10.12.2013 at 21:19, Markus H wrote:
> > I have found a Cisco Catalyst 4948-S to be less expensive on ebay
> than
> > two
> > 3750G-24 (and both options are far cheaper than any Juniper EX on
> ebay).
> [...]
> One drawback - this thing is huge ;-) You will need 60cm or something
> deep of rackspace. Not a problem in a commercial environment with racks
> but could be a limiting factor in a private setup. More than twice as
> big as a 29xx or 37xx ...





Re: [c-nsp] Third party transceivers that fail only with new, NX-OS 6.2.2a on sup-2E

2013-11-20 Thread cnsp
Things will get worse if they start to solder
cryptoprocessors with mask-programmed vendor-signed certificates
into the gbic/sfp/.. instead of the serial eeprom.

Also the real-time clock helps to limit the lifetime of
devices to just a little longer than the warranty time.

"show transceiver lifetime remaining"
"show transceiver certificate path"

(for those on H3C Comware: "display transceiver ...")

Just my 0.01 $,

Juergen.

> On 11/19/2013 11:57 PM, Jared Mauch wrote:
> >+1 to that.  We recently ran across some 3rd-party CODED DOM-
> supporting
> >optics that have worked (thus far) in both Ciscos and Brocades.  When
> >you can issue a "show int trans" and get results from 3rd-parties
> while
> >Ciscos remain silent, it speaks volumes :)
> 
> Exactly,
> We use a local vendor and have a guy there who can code just about
> anything into the firmware for us so we never have problems with
> unsupported transceivers and the "show int trans" or "sh controller"
> pops out a plethora of useful information, we use XFP, SFP+ and SFP in
> different platforms with no issues whatsoever.
> And the prices are just incomparable to Cisco prices.
> 
> adam



Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-12 Thread cnsp

That is good news,
since 720x seem to be EOL etc.

So with "supported" hardware for the next years,
the replacement for the 7206VXR/NPE400 G1 G2 or 7201 7301
may be either ASR or 3925E .

But what happens with traffic which needs to be fragmented?
How do the 29xx 39xx perform?

From the 870's I know that I get just 3.x Mbit/s of traffic through
if I use l2tpv3 with IPsec
and every "wan" packet needs to be fragmented with the l2tp and IPsec
overhead
(CPU load is then 100%)

The 892 is at 8.3 Mbit/s LAN and 10 Mbit/s WAN (l2tpv3 over IPsec)
at 34 % CPU so I think it can handle 25 Mbit/s for this scenario.

How do the 29xx/39xx behave ?

> we just this year went through similar migrations - we had 2 7206 w/npe
> G2.  BGP 400K routes replaced them with 3925s - which seemed overkill
> at the time - still is.
> 
> Internally as we are moving 10M to 1G circuits to new gear we are going
> with 29xx and 4451s at the core ( we thought about the ASR and like its
> performance, the 4451 emulates the ASR chip but the 4451 seems to be
> more flexible in terms of features.
> 
> We hooked up to 2921 back to back and did some iperf/ftp traffic flows
> with NAT and got well over 500Mb through it .
> Your mileage of course will vary .. NAT, QOS, IPSEC, 




Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-12 Thread cnsp
> > As someone else had suggested, the NPE-G2 is good too, but if you
> need
> > to support more PA's (especially non-Ethernet, which tax the fabric
> > less), it's not that scalable.
> 
> I meant the 7201, of course (which is, essentially, an NPE-
> G2 with an extra Gig-E port).
> 
> Mark.

But that extra Gig port is shared hardware with the FAS Management Port,
(which could be Gig...). it's another chipset than the other three
CPU?-Ports,
and it's not performing very well :-(

just my 0.01$,

Juergen





Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400

2013-11-11 Thread cnsp
Hi,

I would tend to use the compact two-power-supply 7201,
instead of putting an (equally expensive) NPE-G2 into an old
chassis, but isn't all that hardware EOL ?

NPE-G1 _was_ fine until they started to die one-by-one
out of the blue.

Had seen 2821 with just 3 BGP sessions, everything very slow,
3825/45 are much faster;
so with current (lower-cost) Cisco Routers
I think a 3925 would perform much better than a 2921 and be worth it
(but currently not tested myself).
Hmm, looking at the datasheet, the 3925-E would be the choice.

While marketing material says ISR-2 29xx WAN up to 75 MBps,
they write for the ISR-2 39xx WAN up to 350 MBps.
So the choice will be clear on the 39xx side,
even if no fancy-advanced-firewall-filter-whateverelse features are used.


OK, a much better fitting replacement for 7206VXR is the ASR1002-X ...


Just my 0.01 $,

Juergen.

> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Adam Greene
> Sent: Monday, 11 November 2013 19:42
> To: 'Scott Granados'
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400
> 
> Well, the 7206VXR rebooted unexpectedly a few days ago, with a "System
> returned to ROM by error - an Error Interrupt" which usually implies a
> hardware issue of some kind. I reseated all components and removed
> unused cards to minimize issues, but the thought did cross my mind to
> avoid the complications of troubleshooting 10yr+ old hardware and
> replacing components with used parts, by going with something brand
> spanking new.
> 
> -Original Message-
> From: Scott Granados [mailto:sc...@granados-llc.net]
> Sent: Monday, November 11, 2013 12:32 PM
> To: Adam Greene
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Cisco2921 vs 7206VXR/NPE-400
> 
> Why not an NPE G1 or G2 for the same 7206?
> 
> On Nov 11, 2013, at 11:27 AM, Adam Greene 
> wrote:
> 
> > Hi guys.
> >
> > We're considering replacing our 7206VXR/NPE-400 (512MB RAM) with some
> > newer hardware.
> >
> > We take a single full routing table, have (1) OSPF and (4) BGP peers,
> > and currently push about 70M aggregate.
> >
> > We're considering a 2921 because it has 1GB RAM and can do 480k PPS /
> > 245M throughput compared with the NPE-400's 420k PPS / 215M.
> >
> > What I'm not clear on is CPU speed. The NPE-400 looks like it's a
> > 300MHz processor. Does someone know how fast the 2921's CPU is?
> >
> > Thanks,
> >
> > Adam


Re: [c-nsp] ip tcp adjust-mss

2013-11-04 Thread cnsp
Hi, this looks like a CPE device
with static IP addresses and routing.

You may really want to set "ip tcp adjust-mss 1280"
on _both_ your WAN and your (probably NATted) LAN (L3) interfaces.
(_both_ sides, yes !)

This will help you in most cases with
MTU restrictions on
- your link
- home "web" servers behind broadband links
etc.

Yes, the value is not optimized but very computerish ( 2**10 + 2**8 ),
but it is good for
- pppoe (1500-8=1492)
- l2tp forwarded dial-in sessions (l2tp overhead+pppoe leads to 1456)
- even with an additional vlan tag ( so MTU will be 1452, found in most
  literature)
- some other tunneled environments

Iff you are an ISP,
you will configure this _only_ on the virtual-template interfaces
on your LNSes for broadband termination.

Keep it out of your core,
you will not want to modify your valued customer's IP packets
in your core network; here you want to use an MTU greater than 1500,
while your BGP up/downstreams will stay at the Ethernet default of 1500.

Sorry, very conservative, but it will avoid many problems.

Just my 0.01 $ on this

Juergen.

> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of Methsri Wickramarathna
> Sent: Monday, 4 November 2013 17:55
> To: Pete Lumbis
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ip tcp adjust-mss
> 
> Thanks Pete,
> 
> If not a problem can any one look in to following mturoute taken ??? :)
> 
> E:\>mturoute -t www.ubnt.com
> mturoute to www.ubnt.com, 30 hops max, variable sized packets
> * ICMP Fragmentation is not permitted. *
> * Speed optimization is enabled. *
> * Maximum payload is 1 bytes. *
>  1  +-  host: 116.12.78.1  max: 1500 bytes
[...]


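As an added illustration (my own code, not part of the list post above and not Cisco's implementation), this is the operation `ip tcp adjust-mss` performs, done in Python on an IPv4 SYN that the script constructs itself: on a SYN or SYN-ACK the router walks the TCP option list, lowers an MSS option that exceeds the configured value, and recomputes the TCP checksum; everything else passes unchanged. The last helper shows why the 1280 recommended above has margin against the path MTUs listed (1492, 1456, 1452). Addresses, ports and the packet are made up for the example, not captured traffic.

```python
"""MSS clamping as `ip tcp adjust-mss` does it, on a constructed IPv4 SYN."""
import struct
from socket import inet_aton

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
IP_TCP_HEADERS = 40                    # 20-byte IPv4 + 20-byte TCP, no options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    return checksum(pseudo + tcp)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample input: a minimal IPv4 TCP SYN carrying one MSS option."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                      doff << 4, 0x02, 65535, 0, 0) + opts
    s, d = inet_aton(src), inet_aton(dst)
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, TCP_PROTO, 0, s, d)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def _mss_location(pkt: bytes):
    """Return (tcp_start, tcp_end, offset_of_mss_value), or None without MSS."""
    if len(pkt) < 40 or pkt[9] != TCP_PROTO:
        return None
    t = (pkt[0] & 0x0F) * 4
    end = min(struct.unpack_from("!H", pkt, 2)[0], len(pkt))
    if not pkt[t + 13] & 0x02:          # MSS is only legal on SYN / SYN-ACK
        return None
    opt_end = t + (pkt[t + 12] >> 4) * 4
    i = t + 20
    while i < opt_end:
        kind = pkt[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= opt_end:
            break                       # option header runs past the TCP header
        length = pkt[i + 1]
        if length < 2 or i + length > opt_end:
            break                       # malformed option list: stop walking
        if kind == TCPOPT_MSS and length == 4:
            return t, end, i + 2
        i += length
    return None


def read_mss(pkt: bytes):
    loc = _mss_location(pkt)
    return None if loc is None else struct.unpack_from("!H", pkt, loc[2])[0]


def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """Lower an MSS above max_mss and fix the TCP checksum; otherwise return pkt as-is."""
    loc = _mss_location(pkt)
    if loc is None:
        return pkt
    t, end, off = loc
    if struct.unpack_from("!H", pkt, off)[0] <= max_mss:
        return pkt
    buf = bytearray(pkt)
    struct.pack_into("!H", buf, off, max_mss)
    struct.pack_into("!H", buf, t + 16, 0)          # zero checksum before recomputing
    csum = _tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), bytes(buf[t:end]))
    struct.pack_into("!H", buf, t + 16, csum)
    return bytes(buf)


def tcp_checksum_ok(pkt: bytes) -> bool:
    t = (pkt[0] & 0x0F) * 4
    end = struct.unpack_from("!H", pkt, 2)[0]
    return _tcp_checksum(pkt[12:16], pkt[16:20], pkt[t:end]) == 0


def largest_safe_mss(path_mtus) -> int:
    """Biggest MSS whose full segment still fits the smallest listed path MTU."""
    return min(path_mtus) - IP_TCP_HEADERS


if __name__ == "__main__":
    # The MTUs quoted above: PPPoE, L2TP-forwarded PPPoE, plus a VLAN tag.
    print("largest safe MSS:", largest_safe_mss([1492, 1456, 1452]))
    syn = build_syn("192.0.2.1", "198.51.100.1", 40000, 80, 1460)
    print("before:", read_mss(syn), "after:", read_mss(clamp_mss(syn, 1280)))
```

The walker stops on a malformed option list rather than reading past the header, which is what you want from anything that rewrites packets in the forwarding path.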

Re: [c-nsp] OSPF Over FR

2013-10-06 Thread cnsp
- ensure your HUB will be DR by setting the ospf priority on the interface level;
  probably you wish to set this to "zero" on the spokes, or a very low value.

- correct the network statements,
  I think it should read " network 192.168.123.0 0.0.0.255 area 0 "
  for the FR-interface , using the broadcast-emulation of frame-relay.

  Otherwise, one single network 0.0.0.0 0.0.0.0 area 0
  should catch'em all...

- is the ospf interface type correct thru automagic ?

- and probably the frame-relay-"switch" is just broken.

  Test connectivity between each router-pair
  with loopback interfaces and static routes.


> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of M K
> Sent: Sunday, 6 October 2013 17:08
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] OSPF Over FR
> 
> Hi, I have three routers R1, R2 and R3. R1 is the hub and is configured
> as below:
>
> R1#sh run int s0/0.123
> Building configuration...
> Current configuration : 201 bytes
> !
> interface Serial0/0.123 multipoint
>  ip address 192.168.123.1 255.255.255.0
>  snmp trap link-status
>  frame-relay map ip 192.168.123.3 103 broadcast
>  frame-relay map ip 192.168.123.2 102 broadcast
>
> R1#sh run | sec router ospf
> router ospf 1
>  router-id 1.1.1.1
>  log-adjacency-changes
>  network 1.1.1.1 0.0.0.0 area 0
>  network 192.168.14.1 0.0.0.0 area 0
>  network 192.168.123.1 0.0.0.0 area 0
>  neighbor 192.168.123.2
>  neighbor 192.168.123.3
>
> R2#sh run int s0/0
> Building configuration...
> Current configuration : 190 bytes
> !
> interface Serial0/0
>  ip address 192.168.123.2 255.255.255.0
>  encapsulation frame-relay
>  clock rate 200
>  frame-relay map ip 192.168.123.1 201 broadcast
>  no frame-relay inverse-arp
> end
>
> R2#sh run | sec router ospf
> router ospf 1
>  router-id 2.2.2.2
>  log-adjacency-changes
>  network 2.2.2.2 0.0.0.0 area 0
>  network 192.168.123.2 0.0.0.0 area 0
>  neighbor 192.168.123.1
>
> R3#sh run int s0/0
> Building configuration...
> Current configuration : 190 bytes
> !
> interface Serial0/0
>  ip address 192.168.123.3 255.255.255.0
>  encapsulation frame-relay
>  clock rate 200
>  frame-relay map ip 192.168.123.1 301 broadcast
>  no frame-relay inverse-arp
> end
>
> R3#sh run | sec router ospf
> router ospf 1
>  router-id 3.3.3.3
>  log-adjacency-changes
>  network 3.3.3.3 0.0.0.0 area 0
>  network 192.168.123.3 0.0.0.0 area 0
>  neighbor 192.168.123.1
>
> Why on R1 can I not receive anything from R2?
>
> R1#sh ip route ospf
>      3.0.0.0/24 is subnetted, 1 subnets
> O       3.3.3.0 [110/65] via 192.168.123.3, 00:06:21, Serial0/0.123
>
> Even though the neighborship is up?
> Thanks


Re: [c-nsp] IP nat translation

2013-09-30 Thread cnsp


> How do I change the dynamic time out ?

For example:

ip nat translation timeout 60
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 30
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 10

Values to be discussed...

Iff you use reflexive ACL, 
you should set their timeouts nearby, I think greater.

> > IIRC on router IOS the defaults are:
> > 24 hrs for tcp unless a rst or fin is seen non-dns udp is 5 mins;
> dns:
> > 1 min Only static entries remain indefinitely - as long as it is
> > present in config.

Just my $0.01

Juergen.




Re: [c-nsp] separate two directly connected networks on a Cisco 1800 series ISR?

2013-08-28 Thread cnsp
> What is the best approach here? Stick with this NAT solution described
> above? Something completely different to separate two networks behind
> the same router?

To avoid the hide-NAT of your vlan5 so you can see the true src-ip,
you may try to use reflexive access-lists to temporarily allow
the back-traffic from vlan10 to vlan5 .

Juergen.



Re: [c-nsp] QoS

2013-08-03 Thread cnsp
Hi,

It depends on the mode your telnet is working in:

If it's sending LINE-by-LINE, then you will see fewer packets and bytes,
and longer contents (for example, your password sent in clear thru the telnet
protocol)
will cause bigger packets, or even more of them if the contents do not fit
into one.
But normally, a line of say 80 characters will fit into one packet.

If it's sending letter-by-letter, you will see more packets and bytes because
of the overhead.

I don't think that this answers your RealQuestion(TM), but I
hope this helps,

Juergen.

> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf
> Of M K
> Sent: Tuesday, 30 July 2013 02:26
> To: Tony; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] QoS
> 
> Hi and sorry for the late reply. No, it's not a tricky question; I want
> to understand how the counts are calculated. If I entered a larger
> password, will it really matter?
> 
> Date: Thu, 25 Jul 2013 03:09:26 -0700
> From: td_mi...@yahoo.com
> Subject: Re: [c-nsp] QoS
> To: gunner_...@live.com; cisco-nsp@puck.nether.net
> 
> Is this a trick question ?
> 
> Every time it sees a packet that matches the criteria you have
> specified and is put into your class it increments the "packets"
> counter by 1 and adds the size of the packet to the "bytes" counter.
> 
> What is or isn't happening that you're concerned about ?
> 
> regards,
> Tony.
> 
> From: M K 
>  To: "cisco-nsp@puck.nether.net" 
>  Sent: Tuesday, 23 July 2013 8:10 PM
>  Subject: [c-nsp] QoS
> 
> Hi all, I have configured QoS between two sites across my backbone. The
> classification was done based on telnet traffic and the marking was
> done based on the precedence value. I have configured to mark all telnet
> traffic with precedence value of 3 and I received it fine without any
> issues.
>
> Now my question is as below. When I first wrote telnet 7.7.7.7 and
> checked the output of show policy-map interface fastEthernet 1/0 | inc
> Class|packet :
>
> telnet 7.7.7.7
> Class-map: PRECEDENCE_3 (match-all)
>   9 packets, 520 bytes
> Username : cisco
> Class-map: PRECEDENCE_3 (match-all)
>   16 packets, 905 bytes
> Password : cisco
> Class-map: PRECEDENCE_3 (match-all)
>   23 packets, 1290 bytes
> R7>exit
> Class-map: PRECEDENCE_3 (match-all)
>   30 packets, 1674 bytes
>
> I want to know what is the methodology used to count these numbers ?
> Thanks
> 



Re: [c-nsp] ICMP "echo reply" packages received over IPsec tunnel don't reach IOS ping utility

2013-05-20 Thread cnsp
> Hi,
> 
> I have an IPsec tunnel between Cisco 1841 and ZyXEL routers over public
> Internet. I do not have access to ZyXEL router. According to "show
> crypto session" IPsec tunnel is up and active. This IPsec tunnel
> connects 192.168.157.0/24 and 192.168.136.0/24 networks over the
> Internet. Now if I send an ICMP "echo request" message from Cisco
> router to ZyXEL router, I will not receive an ICMP "echo reply":
> 
> r1#ping 192.168.136.2 source 192.168.157.1 repeat 1
> 
> Type escape sequence to abort.
> Sending 1, 100-byte ICMP Echos to 192.168.136.2, timeout is 2 seconds:
> Packet sent with a source address of 192.168.157.1 .
> Success rate is 0 percent (0/1)
> r1#
> 
> ..but for some reason "packets in" and "packets out" counters in "sh
> crypto engine accelerator statistic" output are incremented by two.
> This should indicate that router received the ICMP "echo reply" and it
> was processed by onboard VPN module. If I ping an IP address in
> 192.168.136.0/24 network, which is not configured(for example
> 192.168.136.123), then "packets in" and "packets out" counters in "sh
> crypto engine accelerator statistic" are incremented by one. In
> addition, if I configure an ACL to WAN interface on Cisco router, I can
> see ingress ESP packets from this particular ZyXEL router. As I said,
> its on Cisco 1841 router and I'm using onboard hardware VPN module. IOS
> image is c1841-advsecurityk9-mz.124-24.T6.bin. I checked the open
> caveats and bugs for this particular IOS, but did not find anything.
> 
> Any ideas what might cause such behavior? Or am I doing something
> wrong?

Enable ip flow ingress and ip flow egress on the c1841 to see
the packets with sh ip cache flow (you need ip cef globally, of course),
esp. src and dst ip addresses.

Perhaps the zyxel NATs the packet to the remote router,
or sends an icmp administratively-prohibited back thru the vpn tunnel ?

BTW, you could not ping a PIX's LAN interface thru a vpn-tunnel,
while it works fine between two cisco routers.

You know: real routers, not "firewalls".





Re: [c-nsp] OSPF admin distance not working on IOS-XR.

2013-04-04 Thread cnsp
Hi, I am not too familiar with IOS XR but with normal IOS,
(carefully) setting the ospf cost
helps to avoid load-balancing thru equal-cost
(but not equal bandwidth) paths, to create a main/backup scenario:

!
interface Bundle-Ether2
 ip ospf cost 4
!

 
> Hello,
> 
> We are trying to change the administrative distance on one of the OSPF
> neighbors of our router and no matter what it is set to, the value does
> not seem to change.
> 
> #sh ip route x.x.0.102
> Thu Apr  4 02:36:05.122
> 
> Routing entry for x.x.0.102/32
>   Known via "ospf 12345", distance 110, metric 2, type intra area
>   Installed Apr  4 02:14:55.059 for 00:21:10
>   Routing Descriptor Blocks
> x.x.25.19, from x.x.0.102, via Bundle-Ether1
>   Route metric is 2
> x.x.25.34, from x.x.0.102, via Bundle-Ether2
>   Route metric is 2
>   No advertising protos.
> 
> #sh route ospf | incl x.x.0.102
> Thu Apr  4 03:31:36.554
> Ox.x.0.102/32 [110/2] via x.x.25.34, 01:16:40, Bundle-Ether2
> 
> 
> The issue here is that we are trying to avoid sending a majority of our
> traffic through Bundle-Ether2 which it seems OSPF has decided is the
> best Path. The 0.102 address is a loopback interface of a neighbor
> (6500b) directly connected to Bundle-Ether1, where Bundle-Ether2 is
> connected to 6500a with less capacity on it's links. This is causing
> the links on
> bundle2 to get saturated at peak times.
> 
> XR-bundle2--->6500a--->6500b
> XR-bundle1--->6500b--->6500a



Re: [c-nsp] Switching Loops

2013-03-25 Thread cnsp
Get a special device for this kind of problem,
for example
www.knipex.com 
Products > Cable and Wire Rope Shears > Cable Shears  
95 26 165 Cable Shears with opening spring
EAN 4003773069980

> > Hi I was wondering if I can avoid switching loops without turning on
> spanning tree ?I have two connections between two switches and they are
> configured as access in the same vlan , and i do not want to configure
> spanning tree , how to avoid loops ?
> 
> Easy: Pull one of the cables.
> 

You may want to use LACP, but a device not speaking STP seldom speaks LACP.





Re: [c-nsp] DHCP Forwarding Strategy

2013-03-09 Thread cnsp
> So is there anything I am missing? Is there any good documentation on
> what information forwarded DHCP requests have by default or what things
> I can add (besides the quite useless port number where the request came
> in)?

Look at

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdhcp82.html#wp1148846

and upgrade your 3550's to at least 12.2(25)
and you will be able to get the vlan-id.

( 12.2(44)SE6 is nearly current )

Hope this helps,

Juergen.




Re: [c-nsp] Option 82

2013-03-08 Thread cnsp
On Thu, Mar 07, 2013 at 02:11:16PM +0200, M K wrote:
> Hi all
> What smaller Cisco device that supports DHCP option 82

ip dhcp relay information option

To enable the system to insert a Dynamic Host Configuration Protocol (DHCP)
relay agent information option in forwarded BOOTREQUEST messages to a DHCP
server, use the ip dhcp relay information option command in global
configuration mode. To disable inserting relay information into forwarded
BOOTREQUEST messages, use the no form of this command.

present in Cisco 1812, 12.4(24)T7
or even (smaller) Cisco 831, 12.4(25b)

Hope this helps,

Juergen.
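Added example, not from either DHCP post above: a decoder for the relay agent information option (option 82) that `ip dhcp relay information option` inserts, extracting the VLAN id, module and port from the circuit-id sub-option. The sub-option layout used here (type 0, length 4, VLAN, module, port; remote-id type 0, length 6, switch MAC) is the Cisco default format as I recall it from the linked 3550 documentation and is an assumption; the sample packet is constructed.

```python
from dataclasses import dataclass
from typing import Optional

OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


@dataclass
class RelayAgentInfo:
    circuit_id: bytes = b""
    remote_id: bytes = b""
    vlan: Optional[int] = None      # decoded only for the assumed Cisco default format
    module: Optional[int] = None
    port: Optional[int] = None
    remote_mac: Optional[str] = None


def iter_tlvs(data, pad_and_end=False):
    """Yield (type, value) pairs. The DHCP options field has pad (0) and end (255)
    codes; the sub-option list inside option 82 does not."""
    i = 0
    while i < len(data):
        code = data[i]
        if pad_and_end and code == 255:
            return
        if pad_and_end and code == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length


def decode_relay_agent_info(dhcp_options):
    """Find option 82 in a DHCP options field and decode its sub-options."""
    info = RelayAgentInfo()
    for code, value in iter_tlvs(dhcp_options, pad_and_end=True):
        if code != OPT_RELAY_AGENT_INFO:
            continue
        for sub, sval in iter_tlvs(value):
            if sub == SUBOPT_CIRCUIT_ID:
                info.circuit_id = bytes(sval)
                # assumed Cisco default: type 0, len 4, VLAN (2 bytes), module (1), port (1)
                if len(sval) == 6 and sval[0] == 0 and sval[1] == 4:
                    info.vlan = int.from_bytes(sval[2:4], "big")
                    info.module, info.port = sval[4], sval[5]
            elif sub == SUBOPT_REMOTE_ID:
                info.remote_id = bytes(sval)
                # assumed Cisco default: type 0, len 6, relay switch MAC address
                if len(sval) == 8 and sval[0] == 0 and sval[1] == 6:
                    info.remote_mac = sval[2:8].hex(":")
    return info


def build_sample_options(vlan, module, port, switch_mac):
    """Constructed sample: DHCP options with message-type DISCOVER (53), an option 82
    in the assumed Cisco format, and the end option."""
    circuit = bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    remote = bytes([0, 6]) + bytes.fromhex(switch_mac.replace(":", ""))
    opt82 = (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
             + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)
    return bytes([53, 1, 1]) + bytes([OPT_RELAY_AGENT_INFO, len(opt82)]) + opt82 + bytes([255])


if __name__ == "__main__":
    sample = build_sample_options(192, 0, 12, "00:1a:2b:3c:4d:5e")
    print(decode_relay_agent_info(sample))
```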


Re: [c-nsp] MSTP issue. Isolation of core switch

2013-01-10 Thread cnsp
Hello!

Thanks for you response.

As I know MSTP does not send MSTI's information in separate BPDUs, this
information is piggybacked into the IST's BPDUs using special M-Record
fields.



They are all sent UNTAGGED.

They may be filtered (bpdufilter enable) or Carrier-Equipment may be
configured not to forward them

(may not be configured to forward them).

To have all vlans in one instance just don't map them, they will all be in
instance 0.

So, I can have multiple MSTIs or one with the whole vlan range (1-4096), no
matter. Also we have not planned to use any load-share mechanism, so I did not
see any sense in multiple instances.

In any case, BPDU will be propagated in MST0 (Internal Spanning Tree) and
will consist of such components as configuration name, revision number and a
hash value calculated over VLANs to MSTI mapping table contents

To form one region, the hash must be same, so the mapping/name/revision must
be identical.


The configuration name and revision parameters make sense if we used
multiple instances (maybe I'm wrong). But this is not acceptable for us now.



They are mandatory. Did not work on my first 6 switches with MST-config
without name and revision.


I think that this problem may appear due to a very large L2 segment. So the value "Max
Hops" exhausts itself in some cases.
As a result sw-core receives BPDU 0 and after that the following
scenario happens:

sw-Core ceases to receive BPDUs from all neighbors and decides that it is
root.
Upstream switches send superior root bridge information to the sw-Core
bridge but receive BPDUs with the Designated bit set; the upstream switch
concludes that the downstream does not hear its BPDUs. The upstream switch
then blocks the downstream port and marks it as an STP dispute link.

BUT why does sw-CORE cease to receive BPDUs from ALL neighbors? - a mystery.



If your sw-core is HP then I would tell you "enable spanning-tree", it's off
by default.

Filter - see above.

Will show spanning-tree tell you that the running stp version IS MST?

(you can have mst config and pvrstp running;

show mst config will show it even when pvst is active.)

 

So what switches do you use?

Ensure identical MST configuration with name and revision (textually identical
on all switches helps a lot)

and that all your switches have STP/MST running.

Having WAN links with carrier-CPEs/NTs, ensure sufficient MTU and
forwarding of BPDUs

(and packets with destination-MAC = local special MAC address).

Enable UDLD aggressive to find one-way links and disable them.

 



Re: [c-nsp] MSTP issue. Isolation of core switch

2013-01-09 Thread cnsp
On Wed, Jan 09, 2013 at 06:41:34PM +0200, Andrey Teslenko wrote:
> Hello!
> We have a large L2 network with one MSTI region and few ring topologies.
> 
> The topology looks like this:
[...]
> It all started after the closure 10G ring.
> 
> In general periodically from all sides sw-Core sees 'BPDU received 0'.
> 
> Neighbors in the 0-th (CST) instance sees the packages, but in the 1-st
> (operating) no.
> 
> After that  they put the ports into position 'blk disput'.
> It is understandable, because sw-core does not see BPDU from them, so it
> can not answer.
> 
> Here is configuration of MSTP
> 
> spanning-tree mode mst
> spanning-tree logging
> spanning-tree extend system-id
> !
> spanning-tree mst configuration
>  instance 1 vlan 1-4094


Give it a Name and a Revision Number.
Don't forget to ACTIVATE the new revision!

On ALL switches identical mst configuration
(name, revision, mapping).

Remember you may need to reload after a wr mem to change
spanning tree version/mode.


> *show spanning-tree mst*
> 
> # MST0   vlans mapped:   none

[...]

You won't see anything here since all your vlans have been mapped to
instance 1, not to instance 0.


For Example:

!
spanning-tree mode mst
spanning-tree logging
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
spanning-tree mst configuration
 name MAGIC
 revision 2
 instance 1 vlan 500,600,900
 instance 2 vlan 501-599
 instance 3 vlan 700-799
 instance 4 vlan 100
 instance 5 vlan 800-899
 instance 6 vlan 601-699
!
! all other vlans will be in instance 0
!
spanning-tree mst 2-3 priority 28672
spanning-tree mst 5 priority 24576
!

Maybe vtp version 3 (on cisco) helps you in distributing the instance
mapping.

You may want to set the priorities to ensure which switch is your primary and
secondary root,
else they will elect/compute on a fancy mac-address and interface-speed based
algorithm.

So do this explicitly for each instance.

Remember that some vendors' switches need to have the vlans created
(or will do it for you, exceeding capabilities)
and others not.


... and if you have cisco switches powerful enough,
run per-vlan (rapid) spanning tree. This prevents you from getting a knot in
the head
and a lot of fun debugging mst.

Hope this helps,

Juergen.
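Added example, not from either MST post: it shows why "textually identical" name, revision and mapping matter by computing the MST Configuration Digest (IEEE 802.1s: HMAC-MD5 with the standard's well-known key over the 4096-entry VLAN-to-MSTID table) from the `spanning-tree mst configuration` block posted above. The split-range and mistyped-VLAN variants are constructed.

```python
import hashlib
import hmac
import re

# Well-known HMAC-MD5 key for the MST Configuration Digest (IEEE 802.1Q, Table 13-1)
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# The mapping posted above, as IOS shows it under 'spanning-tree mst configuration'.
MAGIC = """
 name MAGIC
 revision 2
 instance 1 vlan 500,600,900
 instance 2 vlan 501-599
 instance 3 vlan 700-799
 instance 4 vlan 100
 instance 5 vlan 800-899
 instance 6 vlan 601-699
"""
# Constructed: the same mapping typed with a split range -> must give the same digest.
MAGIC_SPLIT = MAGIC.replace("instance 2 vlan 501-599", "instance 2 vlan 501-550,551-599")
# Constructed: one mistyped VLAN on a second switch -> a different region.
MAGIC_DRIFTED = MAGIC.replace("instance 4 vlan 100", "instance 4 vlan 101")


def parse_mst_config(text):
    """Return (name, revision, {vlan_id: instance}) from an IOS MST configuration block.
    VLANs not listed stay in instance 0 (the IST), as the post says."""
    name, revision, mapping = "", 0, {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"name\s+(\S+)", line):
            name = m.group(1)
        elif m := re.fullmatch(r"revision\s+(\d+)", line):
            revision = int(m.group(1))
        elif m := re.fullmatch(r"instance\s+(\d+)\s+vlan\s+([\d,-]+)", line):
            inst = int(m.group(1))
            for part in m.group(2).split(","):
                lo, _, hi = part.partition("-")
                for vid in range(int(lo), int(hi or lo) + 1):
                    mapping[vid] = inst
    return name, revision, mapping


def configuration_digest(mapping):
    """HMAC-MD5 over the table of 4096 two-byte MSTIDs indexed by VLAN id.
    Entries 0 and 4095 are always MSTID 0; unmapped VLANs are MSTID 0 as well."""
    table = bytearray(4096 * 2)
    for vid, inst in mapping.items():
        if not 1 <= vid <= 4094 or not 0 <= inst <= 4094:
            raise ValueError(f"invalid mapping vlan {vid} -> instance {inst}")
        table[2 * vid:2 * vid + 2] = inst.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_id(config_text):
    """The three values a bridge carries in its MST BPDU; all three must match
    for two bridges to be in the same region."""
    name, revision, mapping = parse_mst_config(config_text)
    return name, revision, configuration_digest(mapping)


def same_region(config_a, config_b):
    return region_id(config_a) == region_id(config_b)


if __name__ == "__main__":
    print("default digest (nothing mapped):", configuration_digest({}))
    print("MAGIC rev 2:", region_id(MAGIC))
    print("split ranges, same region?", same_region(MAGIC, MAGIC_SPLIT))
    print("mistyped vlan, same region?", same_region(MAGIC, MAGIC_DRIFTED))
```

The digest for an empty mapping is the 0xAC36177F50283CD4B83821D8AB26DE62 that `show spanning-tree mst configuration digest` prints on an unconfigured switch.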



Re: [c-nsp] WLC with DHCP relay not working on in VRF

2012-12-06 Thread cnsp
Hi,

Maybe a
"(no) ip dhcp vrf connected" problem?
see https://supportforums.cisco.com/message/631964#631964

The vrf in the debug output is VRF_Guest and no address-pool is found for it,
so you should define one;
but your config example's vrf is named Guests.


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Nasir Shaikh
> Sent: Thursday, 6 December 2012 16:42
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] WLC with DHCP relay not working on in VRF
> 
> Hi,
> 
> I encountered a problem whereby I have a  Guest-LAN placed in the VRF
> and a guest tries to connect via a WLC which is configured as a dhcp-
> relay. The guest does not get any IP address assigned by DHCP.
> 
> Apparently the DHCP server functionality does not work properly in the
> VRF when a DHCP-relay is used, see below debug.
> 
> First I thought it might be a bug in 12.4(20)T3 on the 2851 and 3845 on
> which I encountered the issue but had the same result on a 3945E
> running
> 15.1 so it seems on all IOS's
> 
> Problem does not occur when using autonomous APs.
> 
> WITH THE VRF we see the following debug info:
> 
> Dec  6 13:42:16.829 CET: DHCPD: Sending notification of DISCOVER:
> Dec  6 13:42:16.829 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
> Dec  6 13:42:16.829 CET:   DHCPD: remote id 020ac0a80a02000300c0
> Dec  6 13:42:16.829 CET:   DHCPD: circuit id 
> Dec  6 13:42:16.829 CET:   DHCPD: table id 1 = vrf VRF_Guest
> Dec  6 13:42:16.829 CET: DHCPD: DHCPDISCOVER received from client
> f87b.7a04.db2d through relay 192.168.9.193.
> Dec  6 13:42:16.829 CET: DHCPD: Seeing if there is an internally
> specified pool class:
> Dec  6 13:42:16.829 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
> Dec  6 13:42:16.829 CET:   DHCPD: remote id 020ac0a80a02000300c0 
> Dec  6 13:42:16.829 CET:   DHCPD: circuit id  
> Dec  6 13:42:16.829 CET:   DHCPD: table id 1 = vrf VRF_Guest 
> Dec  6 13:42:16.829 CET: DHCPD: there is no address pool for
> 192.168.9.193.
> 
> 
> 
> WITHOUT THE VRF we see the following debug info:
> 
> Dec  6 14:46:05.413 CET: DHCPD: Sending notification of DISCOVER:
> Dec  6 14:46:05.417 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
> Dec  6 14:46:05.417 CET:   DHCPD: remote id 020ac0a80a02000300c0
> Dec  6 14:46:05.417 CET:   DHCPD: circuit id 
> Dec  6 14:46:05.417 CET: DHCPD: DHCPDISCOVER received from client
> f87b.7a04.db2d through relay 192.168.9.193.
> Dec  6 14:46:05.417 CET: DHCPD: Seeing if there is an internally
> specified pool class:
> Dec  6 14:46:05.417 CET:   DHCPD: htype 1 chaddr f87b.7a04.db2d
> Dec  6 14:46:05.417 CET:   DHCPD: remote id 020ac0a80a02000300c0
> Dec  6 14:46:05.417 CET:   DHCPD: circuit id 
> Dec  6 14:46:05.417 CET: DHCPD: Allocate an address without class
> information (192.168.8.0)
> Dec  6 14:46:07.417 CET: DHCPD: Adding binding to radix tree
> (192.168.8.3)
> Dec  6 14:46:07.417 CET: DHCPD: Adding binding to hash tree
> Dec  6 14:46:07.417 CET: DHCPD: assigned IP address 192.168.8.3 to
> client f87b.7a04.db2d.
> Dec  6 14:46:07.417 CET: DHCPD: Sending DHCPOFFER to client
> f87b.7a04.db2d (192.168.8.3). 
> 
> Config is straightforward.
> 
> ip dhcp pool Guests
>  vrf Guests
>  import all
>  network 192.168.8.0 255.255.252.0
>  default-router 192.168.10.1
>  dns-server 8.8.8.8 8.8.4.4
>  lease 0 4
> !
> 
> interface Vlan192
>  description Guest access Internet (ISP Speed = 120M)
>  ip forwarding vrf Guests
>  ip address 192.168.10.2 255.255.252.0
>  ip access-group 192 in
> 
> Any ideas?
> 
> Regards
> Nasir




Re: [c-nsp] 7200 npe-g2 lacp

2012-10-10 Thread cnsp


> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Darren O'Connor
> Sent: Wednesday, 10 October 2012 17:53
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] 7200 npe-g2 lacp
> 
> I can see this platform supports etherchannel, but does it support
> lacp?
> 
> I think now, but wanted to check

Looked at a 7201 c7200p-spservicesk9-mz.122-33.SRE6.bin

Configuring an int port-channel 1
and putting the currently unused gig0/3 into channel-group 1
results in flapping of the mgmt interface fas0/0 (o.k., it's the same
controller chip as for gig0/3):

%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state
to down
%SYS-5-CONFIG_I: Configured from console by jm on vty0 
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
%ENTITY_ALARM-6-INFO: ASSERT CRITICAL Fa0/0 Physical Port Link Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
%ENTITY_ALARM-6-INFO: CLEAR CRITICAL Fa0/0 Physical Port Link Down
GigabitEthernet0/3 added as member-1 to port-channel1
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state
to up
GigabitEthernet0/3 taken out of port-channel1
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
%ENTITY_ALARM-6-INFO: ASSERT CRITICAL Fa0/0 Physical Port Link Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state
to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
%ENTITY_ALARM-6-INFO: CLEAR CRITICAL Fa0/0 Physical Port Link Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed
state to up
%LINK-5-CHANGED: Interface Port-channel1, changed state to administratively
down
%SYS-5-CONFIG_I: Configured from console by jm on vty0

Hope the other two "CPU" Gig Ports do not flap when you
configure one of them to go into a port-channel. 
Ok, yes, I know, the NPE-G2 does not have the Gig0/3 port.

Not found any hint on lacp, seems to be a static thing.

Hope this helps,

Juergen.





Re: [c-nsp] Security Advisories for DHCP

2012-09-26 Thread cnsp


> Hi,
> 
> Is there a general problem with Cisco and DHCP? Did get a lot of SA's
> regarding DHCP and nearly any OS!

Just starting at IOS 12.5, aehm 15.0.
They claim that the 12.0, 12.2, 12.3, 12.4 based releases are not affected.

Juergen.



Re: [c-nsp] l2tpv3

2012-08-30 Thread cnsp

Hi,

L2tpv3 does not work well with the embedded switch-ports on the 870/1800
Routers since they tend to collect the stp/dot1q/.. packets.

With 1812 and the two "real" FastEthernet ports, STP and also
full Ethernet frames including dot1q tags get transmitted.

So I used one of the switch-ports in vlan1 for the IP Transport connection.
IOS was c181x-adventerprisek9-mz.124-9.T.bin

With this IOS you can use the ip-address of the LAN interface for the L2tpv3.
So you are not bound to have a loopback interface, as seen in later IOSes.

Probably, the "WAN" "Internet" Port of an 871 may work, but those devices
have an external power-supply.

With the 180[123]/1811/1812, you have at least one real FastEthernet Port
for the "internet-crossover" Cable; embedded xDSL Modem or second FAS
(1811/1812) for the WAN Connection and a crypto-copro for the encryption of
that Cable.

Hope this helps,

Juergen.



Re: [c-nsp] l2tpv3

2012-08-30 Thread cnsp

Hi,

L2tpv3 does not work well with the embedded switch-ports on the 870/1800
Routers since they tend to collect the stp/dot1q/.. packets.

With 1812 and the two "real" FastEthernet ports,
STP and also full Ethernet frames including dot1q tags get transmitted.

So I used one of the switch-ports in vlan1 for the IP Transport connection.
IOS was c181x-adventerprisek9-mz.124-9.T.bin

With this IOS you can use the ip-address of the LAN interface for the L2tpv3.
So you are not bound to have a loopback interface, as seen in later IOSes.

Probably, the "WAN" "Internet" Port of an 871 may work, but
those devices have an external power-supply.

With the 180[123]/1811/1812, you have at least one real FastEthernet Port
for the "internet-crossover" Cable; embedded xDSL Modem or second FAS
(1811/1812)
for the WAN Connection and a crypto-copro for the encryption of that Cable.

Hope this helps,

Juergen.

> -Original Message-
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net] On Behalf Of Aaron
> Sent: Thursday, 30 August 2012 18:32
> To: 'Arie Vayner (avayner)'; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] l2tpv3
> 
> Also, can I have a mesh of tunnels between (3) different endpoints, so
> 3 different cisco 800's with (2) tunnels per 800 to the other (2)
> 800's, such that (3) lan switches hanging off the lan side of the 800's
> appear to be all
> 3 meshed together AND PASS STP/CDP/VTP, etc ?
> 
> Aaron
> 
> 
> -Original Message-
> From: Arie Vayner (avayner) [mailto:avay...@cisco.com]
> Sent: Thursday, August 30, 2012 10:57 AM
> To: Aaron; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] l2tpv3
> 
> Aaron,
> 
> You should be able to deploy L2TPv3 with the smaller ISR routers... The
> 800 series support it (not sure what software feature set is needed...)
> 
> Arie
> 
> -Original Message-
> From:
> cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-
> boun...@puck.nether.net]
> On Behalf Of Aaron
> Sent: Thursday, August 30, 2012 08:27
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] l2tpv3
> 
> What is the smallest/cheapest cisco router that supports L2TPv3?
> 
> I work at an isp and have small/medium sized businesses that
> occasionally want transparent lan connectivity between their sites
> (which are connected via FTTH, DSL, Cable Modem).
> 
> Is L2TPv3 tunneling the way to go for something like that ?
> 
> I don't really want to set up all kinds of qinq or mpls l2vpn's in my
> core if I can avoid it.
> 
> Also, tunneling endpoints at the customer premise seems that the
> dslam/olt/cmts would not have to be wise at all about the tunneling
> architecture. 
> 
> Lemme know your thoughts/suggestions please
> Aaron





Re: [c-nsp] Anycast//DNS - BGP

2012-05-04 Thread cnsp
Hi,

it isn't quite that easy. Never heard before about the diverse-path feature on
Cisco for RRs, but looking at your link it looks like it has this probably
limiting restriction in most setups:
'Path diversity is configured within an AS, within a single RR cluster. That
is, the RR will advertise the diverse path to its RR client peers only.'

In case you have one RR cluster per datacenter and multiple DNS anycast servers
per datacenter, only the best path per datacenter will be distributed to the
iBGP full-mesh and only the local DC routers will know about the multiple local
paths. In case the backbone routers connected to the DC can directly reach all
DC routers, only one of the DNS anycast servers will be contacted (assuming the
anycast servers are connected to different DC distribution routers). So no
traffic balancing will happen for traffic coming from your backbone routers
(part of the full mesh).

If you use a global RR cluster for all datacenters, even traffic distribution
across several datacenters won't happen if your setup includes full-meshed
iBGP peers.

So it's not only turning that feature on on your RRs, but you'll have to
consider how your RR clusters are set up and how they are placed in your
topology (for anycast it is more or less the same as trying to get BGP-based
multipathing to work in an RR environment).

Or did I miss something?

Cheers,
Matthias

On Fri, 04 May 2012 17:47:39 +0200
Robert Raszuk  wrote:

> Hi Henry,
> 
>  > Currently we have issues with the RR (Only select the main route)
> 
> That's an easy one to solve :)
> 
> Try using either add-paths or diverse-path on the RR. The latter is much 
> easier as it does not require upgrade of all of your BGP speakers !
> 
> http://goo.gl/KDjlg
> 
> Best,
> R.
> 
> > We want to work with DNS that are span geographical. Our DNS have the same 
> > IP.
> > We need to configure the Backbone IP (BGP) to distribute this IP (Anycast).
> > Could you have any examples over how to deployment Anycast?
> > Currently we have issues with the RR (Only select the main route)
> >
> > Thanks a lot!
> >
> > Henry


Re: [c-nsp] Constant output drops on etherchannel

2011-01-14 Thread cnsp
Depending on the network and the hardware (buffer space), output drops start at
15-20% of linerate traffic. Hardware buffers on lower-end switches are usually
very small, so output drops happen very often.
One of the main problems leading to micro bursts (leading to buffer-related
output drops) is network synchronisation, e.g. systems tend to send out
periodic packets at the same time (and synchronize over time). For network
protocols, algorithms are implemented that avoid that synchronization, but on
the application layer there are a lot of protocols that tend to synchronize
over time (most of the time self-developed protocols).
So, seeing problems at 92% linerate is normal, but with enough bad protocols
running you can see the same probs at 20% linerate...

Bye,
Matthias

On Fri, 14 Jan 2011 13:18:23 -0500
Benjamin Lovell  wrote:

> Agreed would need some platform details but, in general, if you are seeing 
> port get to 92% then you can be pretty much sure that you are bursting to 
> 100% and dropping at times. 
> 
> -Ben
> 
> 
> On Jan 14, 2011, at 11:12 AM, Phil Mayers wrote:
> 
> > On 14/01/11 16:08, Dan Letkeman wrote:
> >> Hello,
> >> 
> >> I'm seeing many of our etherchannel's on different switches having output 
> >> drops:
> > 
> > Platform? IOS version? Config of the interface(s) (routed, SVI, etc.)
> > 
> >>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 
> >> 898085
> > 
> > Are you monitoring the traffic rate? Do the drops correspond to traffic 
> > bursts? Do you have QoS enabled?
> > 
> >> I also see that it usually uses one port of the etherchannel to a high
> >> degree, say 92% before it seems to push data through the other
> >> connection.
> > 
> > That's not necessarily unusual, depending on your etherchannel load 
> > balancing algorithm and traffic patterns. But you haven't really supplied 
> > enough info for people to help you.
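Added example, not from the thread: a slot-based simulation of one egress port with a small FIFO, showing the synchronisation effect described above. Twenty constructed periodic senders at 20% average load drop heavily when they fire in phase and not at all when their phases are spread out; the buffer depth and periods are assumptions.

```python
def utilization(sources, line_rate=1):
    """Average offered load as a fraction of line rate. A source is
    (period, burst, phase): `burst` packets every `period` slots, starting at `phase`."""
    return sum(burst / period for period, burst, _ in sources) / line_rate


def simulate(sources, slots, buffer_size, line_rate=1):
    """Single egress port with a FIFO of buffer_size packets that serves line_rate
    packets per slot. Arrivals that find the FIFO full are output drops.
    Returns (offered, dropped, max_queue)."""
    queue = offered = dropped = max_queue = 0
    for t in range(slots):
        for period, burst, phase in sources:
            if (t - phase) % period == 0:
                offered += burst
                accepted = min(burst, buffer_size - queue)
                queue += accepted
                dropped += burst - accepted
        max_queue = max(max_queue, queue)  # depth before this slot's service
        queue = max(0, queue - line_rate)
    return offered, dropped, max_queue


def synchronized(n, period):
    """n applications that all send one packet at the same instant every period."""
    return [(period, 1, 0) for _ in range(n)]


def staggered(n, period):
    """The same n applications with their phases spread evenly over the period."""
    return [(period, 1, (i * period) // n) for i in range(n)]


if __name__ == "__main__":
    # Constructed scenario: 20 senders, period 100 slots, 8-packet buffer (assumed).
    for label, srcs in (("synchronized", synchronized(20, 100)),
                        ("staggered   ", staggered(20, 100))):
        offered, dropped, peak = simulate(srcs, 1000, buffer_size=8)
        print(f"{label}: load {utilization(srcs):.0%}, offered {offered}, "
              f"dropped {dropped} ({dropped / offered:.0%}), peak queue {peak}")
```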